Accepting request 539322 from home:pcerny:factory
- upgrade to 7.6p1 see main package changelog for details - Update to vanilla 7.6p1 Most important changes (more details below): * complete removal of the ancient SSHv1 protocol * sshd(8) cannot run without privilege separation * removal of support for arcfour, blowfish and CAST ciphers and RIPE-MD160 HMAC * refuse RSA keys shorter than 1024 bits Distilled upstream log: - OpenSSH 7.3 ---- Security * sshd(8): Mitigate a potential denial-of-service attack against the system's crypt(3) function via sshd(8). An attacker could send very long passwords that would cause excessive CPU use in crypt(3). sshd(8) now refuses to accept password authentication requests of length greater than 1024 characters. Independently reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto. * sshd(8): Mitigate timing differences in password authentication that could be used to discern valid from invalid account names when long passwords were sent and particular password hashing algorithms are in use on the server. CVE-2016-6210, reported by EddieEzra.Harari at verint.com * ssh(1), sshd(8): Fix observable timing weakness in the CBC padding oracle countermeasures. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers are disabled by default and OBS-URL: https://build.opensuse.org/request/show/539322 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=122
parent
c84af5da00
commit
d83100ae13
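--- a/<path-not-shown-on-page-1>
+++ /dev/null
@@ -1,72 +0,0 @@
-# HG changeset patch
-# Parent 9130c9e19c8a076a7f6f214070283cd3e0326894
-Correctly parse DISPLAY variable for cases where it contains an IPv6 address
-(which should - but not always is - in (square) brackets).
-
-bnc#847710 - https://bugzilla.novell.com/show_bug.cgi?id=847710
-
-diff --git a/openssh-7.2p2/channels.c b/openssh-7.2p2/channels.c
---- a/openssh-7.2p2/channels.c
-+++ b/openssh-7.2p2/channels.c
-@@ -4049,18 +4049,19 @@ x11_connect_display(void)
-/* OK, we now have a connection to the display. */
-return sock;
-}
-#endif
-/*
-* Check if it is a unix domain socket. Unix domain displays are in
-* one of the following formats: unix:d[.s], :d[.s], ::d[.s]
-*/
-+ cp = strrchr(display, ':');
-if (strncmp(display, "unix:", 5) == 0 ||
-- display[0] == ':') {
-+ (display[0] == ':' && ((cp - display) < 2)) ) {
-/* Connect to the unix domain socket. */
-if (sscanf(strrchr(display, ':') + 1, "%u", &display_number) != 1) {
-error("Could not parse display number from DISPLAY: %.100s",
-display);
-return -1;
-}
-/* Create a socket. */
-sock = connect_local_xsocket(display_number);
-@@ -4068,30 +4069,39 @@ x11_connect_display(void)
-return -1;
-
-/* OK, we now have a connection to the display. */
-return sock;
-}
-/*
-* Connect to an inet socket. The DISPLAY value is supposedly
-* hostname:d[.s], where hostname may also be numeric IP address.
-+ * Note that IPv6 numberic addresses contain colons (e.g. ::1:0)
-*/
-strlcpy(buf, display, sizeof(buf));
-- cp = strchr(buf, ':');
-+ cp = strrchr(buf, ':');
-if (!cp) {
-error("Could not find ':' in DISPLAY: %.100s", display);
-return -1;
-}
-*cp = 0;
-/* buf now contains the host name. But first we parse the display number. */
-if (sscanf(cp + 1, "%u", &display_number) != 1) {
-error("Could not parse display number from DISPLAY: %.100s",
-display);
-return -1;
-}
-+
-+ /* Remove brackets surrounding IPv6 addresses if there are any. */
-+ if (buf[0] == '[' && (cp = strchr(buf, ']'))) {
-+ *cp = 0;
-+ cp = buf + 1;
-+ } else {
-+ cp = buf;
-+ }
-
-/* Look up the host address */
-memset(&hints, 0, sizeof(hints));
-hints.ai_family = IPv4or6;
-hints.ai_socktype = SOCK_STREAM;
-snprintf(strport, sizeof strport, "%u", 6000 + display_number);
-if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
-error("%.100s: unknown host. (%s)", buf,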
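--- a/<path-not-shown-on-page-2>
+++ /dev/null
@@ -1,34 +0,0 @@
-# HG changeset patch
-# Parent 2afee80335d5ef7efcf64f3a797e9b10ce0de4ae
-Do not throw away already open sockets for X11 forwarding if another socket
-family is not available for bind()
-
-diff --git a/openssh-7.2p2/channels.c b/openssh-7.2p2/channels.c
---- a/openssh-7.2p2/channels.c
-+++ b/openssh-7.2p2/channels.c
-@@ -3937,22 +3937,24 @@ x11_create_display_inet(int x11_display_
-}
-if (ai->ai_family == AF_INET6)
-sock_set_v6only(sock);
-if (x11_use_localhost)
-channel_set_reuseaddr(sock);
-if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
-debug2("bind port %d: %.100s", port, strerror(errno));
-close(sock);
--
-+ continue;
-+ /* do not remove successfully opened sockets
-for (n = 0; n < num_socks; n++) {
-close(socks[n]);
-}
-num_socks = 0;
-break;
-+ */
-}
-socks[num_socks++] = sock;
-if (num_socks == NUM_SOCKS)
-break;
-}
-freeaddrinfo(aitop);
-if (num_socks > 0)
-break;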
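--- a/<path-not-shown-on-page-3>
+++ /dev/null
@@ -1,56 +0,0 @@
-# HG changeset patch
-# Parent e7bdbc5ea8971599466becf01bff12b9fcb5df3e
-Enable the seccomp-bpf sandbox on more architectures
-
-upstream commit: b9c50614eba9d90939b2b119b6e1b7e03b462278 (7.3p1)
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Jul 8 13:59:13 2016 +1000
-
-whitelist more architectures for seccomp-bpf
-
-bz#2590 - testing and patch from Jakub Jelen
-
-diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
---- a/openssh-7.2p2/configure.ac
-+++ b/openssh-7.2p2/configure.ac
-@@ -818,16 +818,40 @@ main() { if (NSVersionOfRunTimeLibrary("
-seccomp_audit_arch=AUDIT_ARCH_I386
-;;
-arm*-*)
-seccomp_audit_arch=AUDIT_ARCH_ARM
-;;
-aarch64*-*)
-seccomp_audit_arch=AUDIT_ARCH_AARCH64
-;;
-+ s390x-*)
-+ seccomp_audit_arch=AUDIT_ARCH_S390X
-+ ;;
-+ s390-*)
-+ seccomp_audit_arch=AUDIT_ARCH_S390
-+ ;;
-+ powerpc64-*)
-+ seccomp_audit_arch=AUDIT_ARCH_PPC64
-+ ;;
-+ powerpc64le-*)
-+ seccomp_audit_arch=AUDIT_ARCH_PPC64LE
-+ ;;
-+ mips-*)
-+ seccomp_audit_arch=AUDIT_ARCH_MIPS
-+ ;;
-+ mipsel-*)
-+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL
-+ ;;
-+ mips64-*)
-+ seccomp_audit_arch=AUDIT_ARCH_MIPS64
-+ ;;
-+ mips64el-*)
-+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
-+ ;;
-esac
-if test "x$seccomp_audit_arch" != "x" ; then
-AC_MSG_RESULT(["$seccomp_audit_arch"])
-AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
-[Specify the system call convention in use])
-else
-AC_MSG_RESULT([architecture not supported])
-fi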
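--- a/<path-not-shown-on-page-4>
+++ /dev/null
@@ -1,129 +0,0 @@
-# HG changeset patch
-# Parent d33bce122aa351a56ce457be35feda52171f9088
-Enable DSS authentication by default to maintain compatibility with older
-versions.
-
-bsc#983784
-
-diff --git a/openssh-7.2p2/myproposal.h b/openssh-7.2p2/myproposal.h
---- a/openssh-7.2p2/myproposal.h
-+++ b/openssh-7.2p2/myproposal.h
-@@ -94,21 +94,23 @@
-#define KEX_CLIENT_KEX KEX_COMMON_KEX \
-"diffie-hellman-group-exchange-sha1," \
-"diffie-hellman-group14-sha1"
-
-#define KEX_DEFAULT_PK_ALG \
-HOSTKEY_ECDSA_CERT_METHODS \
-"ssh-ed25519-cert-v01@openssh.com," \
-"ssh-rsa-cert-v01@openssh.com," \
-+ "ssh-dss-cert-v01@openssh.com," \
-HOSTKEY_ECDSA_METHODS \
-"ssh-ed25519," \
-"rsa-sha2-512," \
-"rsa-sha2-256," \
-- "ssh-rsa"
-+ "ssh-rsa," \
-+ "ssh-dss"
-
-/* the actual algorithms */
-
-#define KEX_SERVER_ENCRYPT \
-"chacha20-poly1305@openssh.com," \
-"aes128-ctr,aes192-ctr,aes256-ctr" \
-AESGCM_CIPHER_MODES
-
-diff --git a/openssh-7.2p2/ssh_config.5 b/openssh-7.2p2/ssh_config.5
---- a/openssh-7.2p2/ssh_config.5
-+++ b/openssh-7.2p2/ssh_config.5
-@@ -887,19 +887,19 @@ Alternately if the specified value begin
-character, then the specified key types will be appended to the default set
-instead of replacing them.
-The default for this option is:
-.Bd -literal -offset 3n
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-ssh-ed25519-cert-v01@openssh.com,
--ssh-rsa-cert-v01@openssh.com,
-+ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
--ssh-ed25519,ssh-rsa
-+ssh-ed25519,ssh-rsa,ssh-dss
-.Ed
-.Pp
-If hostkeys are known for the destination host then this default is modified
-to prefer their algorithms.
-.Pp
-The list of available key types may also be obtained using the
-.Fl Q
-option of
-@@ -1325,19 +1325,19 @@ Alternately if the specified value begin
-character, then the key types after it will be appended to the default
-instead of replacing it.
-The default for this option is:
-.Bd -literal -offset 3n
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-ssh-ed25519-cert-v01@openssh.com,
--ssh-rsa-cert-v01@openssh.com,
-+ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
--ssh-ed25519,ssh-rsa
-+ssh-ed25519,ssh-rsa,ssh-dss
-.Ed
-.Pp
-The
-.Fl Q
-option of
-.Xr ssh 1
-may be used to list supported key types.
-.It Cm PubkeyAuthentication
-diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
---- a/openssh-7.2p2/sshd_config.5
-+++ b/openssh-7.2p2/sshd_config.5
-@@ -651,19 +651,19 @@ Alternately if the specified value begin
-character, then the specified key types will be appended to the default set
-instead of replacing them.
-The default for this option is:
-.Bd -literal -offset 3n
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-ssh-ed25519-cert-v01@openssh.com,
--ssh-rsa-cert-v01@openssh.com,
-+ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
--ssh-ed25519,ssh-rsa
-+ssh-ed25519,ssh-rsa,ssh-dss
-.Ed
-.Pp
-The
-.Fl Q
-option of
-.Xr ssh 1
-may be used to list supported key types.
-.It Cm HostbasedAuthentication
-@@ -743,19 +743,19 @@ environment variable.
-Specifies the host key algorithms
-that the server offers.
-The default for this option is:
-.Bd -literal -offset 3n
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-ssh-ed25519-cert-v01@openssh.com,
--ssh-rsa-cert-v01@openssh.com,
-+ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
--ssh-ed25519,ssh-rsa
-+ssh-ed25519,ssh-rsa,ssh-dss
-.Ed
-.Pp
-The list of available key types may also be obtained using the
-.Fl Q
-option of
-.Xr ssh 1
-with an argument of
-.Dq key .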
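--- a/<path-not-shown-on-page-5>
+++ /dev/null
@@ -1,95 +0,0 @@
-# HG changeset patch
-# Parent c43ae523939377778762e81743b77b3c75eb4bd1
-Allow root login with password by default. While less secure than upstream
-default of forbidding access to the root account with a password, we are
-temporarily introducing this change to keep the default used in older OpenSSH
-versions shipped with SLE.
-
-diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
---- a/openssh-7.2p2/servconf.c
-+++ b/openssh-7.2p2/servconf.c
-@@ -233,17 +233,17 @@ fill_default_server_options(ServerOption
-options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
-if (options->server_key_bits == -1)
-options->server_key_bits = 1024;
-if (options->login_grace_time == -1)
-options->login_grace_time = 120;
-if (options->key_regeneration_time == -1)
-options->key_regeneration_time = 3600;
-if (options->permit_root_login == PERMIT_NOT_SET)
-- options->permit_root_login = PERMIT_NO_PASSWD;
-+ options->permit_root_login = PERMIT_YES;
-if (options->ignore_rhosts == -1)
-options->ignore_rhosts = 1;
-if (options->ignore_user_known_hosts == -1)
-options->ignore_user_known_hosts = 0;
-if (options->print_motd == -1)
-options->print_motd = 1;
-if (options->print_lastlog == -1)
-options->print_lastlog = 1;
-diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
---- a/openssh-7.2p2/sshd_config
-+++ b/openssh-7.2p2/sshd_config
-@@ -36,17 +36,17 @@
-# Logging
-# obsoletes QuietMode and FascistLogging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
--#PermitRootLogin prohibit-password
-+#PermitRootLogin yes
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#RSAAuthentication yes
-#PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0
---- a/openssh-7.2p2/sshd_config.0
-+++ b/openssh-7.2p2/sshd_config.0
-@@ -710,17 +710,17 @@ DESCRIPTION
-restrictions and permit any forwarding requests. An argument of
-M-bM-^@M-^\noneM-bM-^@M-^] can be used to prohibit all forwarding requests. By
-default all port forwarding requests are permitted.
-
-PermitRootLogin
-Specifies whether root can log in using ssh(1). The argument
-must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\prohibit-passwordM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^],
-M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], or M-bM-^@M-^\noM-bM-^@M-^]. The default is
-- M-bM-^@M-^\prohibit-passwordM-bM-^@M-^].
-+ M-bM-^@M-^\yesM-bM-^@M-^].
-
-If this option is set to M-bM-^@M-^\prohibit-passwordM-bM-^@M-^] or
-M-bM-^@M-^\without-passwordM-bM-^@M-^], password and keyboard-interactive
-authentication are disabled for root.
-
-If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], root login with
-public key authentication will be allowed, but only if the
-command option has been specified (which may be useful for taking
-diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
---- a/openssh-7.2p2/sshd_config.5
-+++ b/openssh-7.2p2/sshd_config.5
-@@ -1213,17 +1213,17 @@ Specifies whether root can log in using
-The argument must be
-.Dq yes ,
-.Dq prohibit-password ,
-.Dq without-password ,
-.Dq forced-commands-only ,
-or
-.Dq no .
-The default is
--.Dq prohibit-password .
-+.Dq yes .
-.Pp
-If this option is set to
-.Dq prohibit-password
-or
-.Dq without-password ,
-password and keyboard-interactive authentication are disabled for root.
-.Pp
-If this option is set to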
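--- a/<path-not-shown-on-page-6>
+++ /dev/null
@@ -1,28 +0,0 @@
-# HG changeset patch
-# Parent 51a3a8eab1493a799c5a9df95e8e757f872886d0
-Various auditing fixes to be merged into the RH-originated patch.
-
-diff --git a/openssh-7.2p2/packet.c b/openssh-7.2p2/packet.c
---- a/openssh-7.2p2/packet.c
-+++ b/openssh-7.2p2/packet.c
-@@ -375,16 +375,20 @@ ssh_packet_start_discard(struct ssh *ssh
-
-int
-ssh_packet_connection_is_on_socket(struct ssh *ssh)
-{
-struct session_state *state = ssh->state;
-struct sockaddr_storage from, to;
-socklen_t fromlen, tolen;
-
-+ /* auditing might get here without valid connection structure when
-+ * destroying sensitive data on exit and thus aborting disgracefully */
-+ if (!ssh)
-+ return 0;
-/* filedescriptors in and out are the same, so it's a socket */
-if (state->connection_in == state->connection_out)
-return 1;
-fromlen = sizeof(from);
-memset(&from, 0, sizeof(from));
-if (getpeername(state->connection_in, (struct sockaddr *)&from,
-&fromlen) < 0)
-return 0;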
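--- a/<path-not-shown-on-page-7>
+++ /dev/null
@@ -1,116 +0,0 @@
-# HG changeset patch
-# Parent e6ff441d171012183f7bd37cb7399473e8376acd
-Audit PRNG re-seeding
-
-diff --git a/openssh-7.2p2/audit-bsm.c b/openssh-7.2p2/audit-bsm.c
---- a/openssh-7.2p2/audit-bsm.c
-+++ b/openssh-7.2p2/audit-bsm.c
-@@ -504,9 +504,15 @@ audit_destroy_sensitive_data(const char
-/* not implemented */
-}
-
-void
-audit_generate_ephemeral_server_key(const char *fp)
-{
-/* not implemented */
-}
-+
-+void
-+audit_linux_prng_seed(long bytes, const char *rf)
-+{
-+ /* not implemented */
-+}
-#endif /* BSM */
-diff --git a/openssh-7.2p2/audit-linux.c b/openssh-7.2p2/audit-linux.c
---- a/openssh-7.2p2/audit-linux.c
-+++ b/openssh-7.2p2/audit-linux.c
-@@ -402,9 +402,31 @@ audit_generate_ephemeral_server_key(cons
-}
-audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
-buf, NULL, 0, NULL, 1);
-audit_close(audit_fd);
-/* do not abort if the error is EPERM and sshd is run as non root user */
-if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
-error("cannot write into audit");
-}
-+
-+void
-+audit_linux_prng_seed(long bytes, const char *rf)
-+{
-+ char buf[AUDIT_LOG_SIZE];
-+ int audit_fd, audit_ok;
-+
-+ snprintf(buf, sizeof(buf), "op=prng_seed kind=server bytes=%li source=%s ", bytes, rf);
-+ audit_fd = audit_open();
-+ if (audit_fd < 0) {
-+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
-+ errno != EAFNOSUPPORT)
-+ error("cannot open audit");
-+ return;
-+ }
-+ audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_PARAM_CHANGE_USER,
-+ buf, NULL, 0, NULL, 1);
-+ audit_close(audit_fd);
-+ /* do not abort if the error is EPERM and sshd is run as non root user */
-+ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
-+ error("cannot write into audit");
-+}
-#endif /* USE_LINUX_AUDIT */
-diff --git a/openssh-7.2p2/audit.c b/openssh-7.2p2/audit.c
---- a/openssh-7.2p2/audit.c
-+++ b/openssh-7.2p2/audit.c
-@@ -304,10 +304,16 @@ audit_destroy_sensitive_data(const char
-/*
-* This will be called on generation of the ephemeral server key
-*/
-void
-audit_generate_ephemeral_server_key(const char *)
-{
-debug("audit create ephemeral server key euid %d fingerprint %s", geteuid(), fp);
-}
-+
-+void
-+audit_linux_prng_seed(long bytes, const char *rf)
-+{
-+ debug("audit PRNG seed euid %d bytes %li source %s", geteuid(), bytes, rf);
-+}
-# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
-#endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-7.2p2/audit.h b/openssh-7.2p2/audit.h
---- a/openssh-7.2p2/audit.h
-+++ b/openssh-7.2p2/audit.h
-@@ -69,10 +69,11 @@ void audit_key(int, int *, const Key *);
-void audit_unsupported(int);
-void audit_kex(int, char *, char *, char *, char *);
-void audit_unsupported_body(int);
-void audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t);
-void audit_session_key_free(int ctos);
-void audit_session_key_free_body(int ctos, pid_t, uid_t);
-void audit_destroy_sensitive_data(const char *, pid_t, uid_t);
-void audit_generate_ephemeral_server_key(const char *);
-+void audit_linux_prng_seed(long, const char *);
-
-#endif /* _SSH_AUDIT_H */
-diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
---- a/openssh-7.2p2/sshd.c
-+++ b/openssh-7.2p2/sshd.c
-@@ -1421,16 +1421,19 @@ server_accept_loop(int *sock_in, int *so
-if (maxfd < startup_p[0])
-maxfd = startup_p[0];
-startups++;
-break;
-}
-if(!(--re_seeding_counter)) {
-re_seeding_counter = RESEED_AFTER;
-linux_seed();
-+#ifdef SSH_AUDIT_EVENTS
-+ audit_linux_prng_seed(rand_bytes, rand_file);
-+#endif
-}
-
-/*
-* Got connection. Fork a child to handle it, unless
-* we are in debugging mode.
-*/
-if (debug_flag) {
-/*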
@ -1,300 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent cb502e7e796ac9289a571167a97ad9ec91562efb
|
|
||||||
CAVS test for OpenSSH's own CTR encryption mode implementation
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
|
|
||||||
--- a/openssh-7.2p2/Makefile.in
|
|
||||||
+++ b/openssh-7.2p2/Makefile.in
|
|
||||||
@@ -21,16 +21,17 @@ top_srcdir=@top_srcdir@
|
|
||||||
|
|
||||||
DESTDIR=
|
|
||||||
VPATH=@srcdir@
|
|
||||||
SSH_PROGRAM=@bindir@/ssh
|
|
||||||
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
|
||||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
|
||||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
|
||||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
|
||||||
+CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
|
||||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
|
||||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
|
||||||
STRIP_OPT=@STRIP_OPT@
|
|
||||||
TEST_SHELL=@TEST_SHELL@
|
|
||||||
|
|
||||||
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
|
|
||||||
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
|
|
||||||
-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
|
|
||||||
@@ -59,16 +60,18 @@ SED=@SED@
|
|
||||||
ENT=@ENT@
|
|
||||||
XAUTH_PATH=@XAUTH_PATH@
|
|
||||||
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
|
|
||||||
EXEEXT=@EXEEXT@
|
|
||||||
MANFMT=@MANFMT@
|
|
||||||
|
|
||||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
|
|
||||||
|
|
||||||
+TARGETS += cavstest-ctr$(EXEEXT)
|
|
||||||
+
|
|
||||||
LIBOPENSSH_OBJS=\
|
|
||||||
ssh_api.o \
|
|
||||||
ssherr.o \
|
|
||||||
sshbuf.o \
|
|
||||||
sshkey.o \
|
|
||||||
sshbuf-getput-basic.o \
|
|
||||||
sshbuf-misc.o \
|
|
||||||
sshbuf-getput-crypto.o \
|
|
||||||
@@ -190,16 +193,20 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libss
|
|
||||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
|
|
||||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
|
||||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
|
|
||||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
|
|
||||||
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
|
||||||
|
|
||||||
+# FIPS tests
|
|
||||||
+cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
|
|
||||||
+ $(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
+
|
|
||||||
# test driver for the loginrec code - not built by default
|
|
||||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
|
||||||
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
|
|
||||||
$(MANPAGES): $(MANPAGES_IN)
|
|
||||||
if test "$(MANTYPE)" = "cat"; then \
|
|
||||||
manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
|
|
||||||
else \
|
|
||||||
@@ -310,16 +317,17 @@ install-files:
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
|
||||||
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
|
||||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
|
||||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
|
||||||
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
|
||||||
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
|
||||||
$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
|
|
||||||
$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
|
|
||||||
$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
|
|
||||||
$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
|
|
||||||
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
|
|
||||||
diff --git a/openssh-7.2p2/cavstest-ctr.c b/openssh-7.2p2/cavstest-ctr.c
|
|
||||||
new file mode 100644
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/openssh-7.2p2/cavstest-ctr.c
|
|
||||||
@@ -0,0 +1,212 @@
|
|
||||||
+/*
|
|
||||||
+ *
|
|
||||||
+ * invocation (all of the following are equal):
|
|
||||||
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
|
|
||||||
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 00000000000000000000000000000000
|
|
||||||
+ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include "includes.h"
|
|
||||||
+
|
|
||||||
+#include <sys/types.h>
|
|
||||||
+#include <sys/param.h>
|
|
||||||
+#include <stdarg.h>
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <ctype.h>
|
|
||||||
+
|
|
||||||
+#include "xmalloc.h"
|
|
||||||
+#include "log.h"
|
|
||||||
+#include "cipher.h"
|
|
||||||
+
|
|
||||||
+/* compatibility with old or broken OpenSSL versions */
|
|
||||||
+#include "openbsd-compat/openssl-compat.h"
|
|
||||||
+
|
|
||||||
+void
|
|
||||||
+usage(void)
|
|
||||||
+{
|
|
||||||
+ fprintf(stderr, "Usage: ctr-cavstest --algo <ssh-crypto-algorithm>\n"
|
|
||||||
+ " --key <hexadecimal-key> --mode <encrypt|decrypt>\n"
|
|
||||||
+ " [--iv <hexadecimal-iv>] --data <hexadecimal-data>\n\n"
|
|
||||||
+ "Hexadecimal output is printed to stdout.\n"
|
|
||||||
+ "Hexadecimal input data can be alternatively read from stdin.\n");
|
|
||||||
+ exit(1);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void *
|
|
||||||
+fromhex(char *hex, size_t * len)
|
|
||||||
+{
|
|
||||||
+ unsigned char *bin;
|
|
||||||
+ char *p;
|
|
||||||
+ size_t n = 0;
|
|
||||||
+ int shift = 4;
|
|
||||||
+ unsigned char out = 0;
|
|
||||||
+ unsigned char *optr;
|
|
||||||
+
|
|
||||||
+ bin = xmalloc(strlen(hex) / 2);
|
|
||||||
+ optr = bin;
|
|
||||||
+
|
|
||||||
+ for (p = hex; *p != '\0'; ++p) {
|
|
||||||
+ unsigned char c;
|
|
||||||
+
|
|
||||||
+ c = *p;
|
|
||||||
+ if (isspace(c))
|
|
||||||
+ continue;
|
|
||||||
+
|
|
||||||
+ if (c >= '0' && c <= '9') {
|
|
||||||
+ c = c - '0';
|
|
||||||
+ } else if (c >= 'A' && c <= 'F') {
|
|
||||||
+ c = c - 'A' + 10;
|
|
||||||
+ } else if (c >= 'a' && c <= 'f') {
|
|
||||||
+ c = c - 'a' + 10;
|
|
||||||
+ } else {
|
|
||||||
+ /* truncate on nonhex cipher */
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ out |= c << shift;
|
|
||||||
+ shift = (shift + 4) % 8;
|
|
||||||
+
|
|
||||||
+ if (shift) {
|
|
||||||
+ *(optr++) = out;
|
|
||||||
+ out = 0;
|
|
||||||
+ ++n;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *len = n;
|
|
||||||
+ return bin;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#define READ_CHUNK 4096
|
|
||||||
+#define MAX_READ_SIZE 1024*1024*100
|
|
||||||
+char *
|
|
||||||
+read_stdin(void)
|
|
||||||
+{
|
|
||||||
+ char *buf;
|
|
||||||
+ size_t n, total = 0;
|
|
||||||
+
|
|
||||||
+ buf = xmalloc(READ_CHUNK);
|
|
||||||
+
|
|
||||||
+ do {
|
|
||||||
+ n = fread(buf + total, 1, READ_CHUNK, stdin);
|
|
||||||
+ if (n < READ_CHUNK) /* terminate on short read */
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ total += n;
|
|
||||||
+ buf = xreallocarray(buf, total + READ_CHUNK, 1);
|
|
||||||
+ } while (total < MAX_READ_SIZE);
|
|
||||||
+ return buf;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int
|
|
||||||
+main(int argc, char *argv[])
|
|
||||||
+{
|
|
||||||
+
|
|
||||||
+ struct sshcipher *c;
|
|
||||||
+ struct sshcipher_ctx cc;
|
|
||||||
+ char *algo = "aes128-ctr";
|
|
||||||
+ char *hexkey = NULL;
|
|
||||||
+ char *hexiv = "00000000000000000000000000000000";
|
|
||||||
+ char *hexdata = NULL;
|
|
||||||
+ char *p;
|
|
||||||
+ int i;
|
|
||||||
+ int encrypt = 1;
|
|
||||||
+ void *key;
|
|
||||||
+ size_t keylen;
|
|
||||||
+ void *iv;
|
|
||||||
+ size_t ivlen;
|
|
||||||
+ void *data;
|
|
||||||
+ size_t datalen;
|
|
||||||
+ void *outdata;
|
|
||||||
+
|
|
||||||
+ for (i = 1; i < argc; ++i) {
|
|
||||||
+ if (strcmp(argv[i], "--algo") == 0) {
|
|
||||||
+ algo = argv[++i];
|
|
||||||
+ } else if (strcmp(argv[i], "--key") == 0) {
|
|
||||||
+ hexkey = argv[++i];
|
|
||||||
+ } else if (strcmp(argv[i], "--mode") == 0) {
|
|
||||||
+ ++i;
|
|
||||||
+ if (argv[i] == NULL) {
|
|
||||||
+ usage();
|
|
||||||
+ }
|
|
||||||
+ if (strncmp(argv[i], "enc", 3) == 0) {
|
|
||||||
+ encrypt = 1;
|
|
||||||
+ } else if (strncmp(argv[i], "dec", 3) == 0) {
|
|
||||||
+ encrypt = 0;
|
|
||||||
+ } else {
|
|
||||||
+ usage();
|
|
||||||
+ }
|
|
||||||
+ } else if (strcmp(argv[i], "--iv") == 0) {
|
|
||||||
+ hexiv = argv[++i];
|
|
||||||
+ } else if (strcmp(argv[i], "--data") == 0) {
|
|
||||||
+ hexdata = argv[++i];
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (hexkey == NULL || algo == NULL) {
|
|
||||||
+ usage();
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ SSLeay_add_all_algorithms();
|
|
||||||
+
|
|
||||||
+ c = cipher_by_name(algo);
|
|
||||||
+ if (c == NULL) {
|
|
||||||
+ fprintf(stderr, "Error: unknown algorithm\n");
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (hexdata == NULL) {
|
|
||||||
+ hexdata = read_stdin();
|
|
||||||
+ } else {
|
|
||||||
+ hexdata = xstrdup(hexdata);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ key = fromhex(hexkey, &keylen);
|
|
||||||
+
|
|
||||||
+ if (keylen != 16 && keylen != 24 && keylen == 32) {
|
|
||||||
+ fprintf(stderr, "Error: unsupported key length\n");
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ iv = fromhex(hexiv, &ivlen);
|
|
||||||
+
|
|
||||||
+ if (ivlen != 16) {
|
|
||||||
+ fprintf(stderr, "Error: unsupported iv length\n");
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ data = fromhex(hexdata, &datalen);
|
|
||||||
+
|
|
||||||
+ if (data == NULL || datalen == 0) {
|
|
||||||
+ fprintf(stderr, "Error: no data to encrypt/decrypt\n");
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt);
|
|
||||||
+
|
|
||||||
+ free(key);
|
|
||||||
+ free(iv);
|
|
||||||
+
|
|
||||||
+ outdata = malloc(datalen);
|
|
||||||
+ if (outdata == NULL) {
|
|
||||||
+ fprintf(stderr, "Error: memory allocation failure\n");
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ cipher_crypt(&cc, 0, outdata, data, datalen, 0, 0);
|
|
||||||
+
|
|
||||||
+ free(data);
|
|
||||||
+
|
|
||||||
+ cipher_cleanup(&cc);
|
|
||||||
+
|
|
||||||
+ for (p = outdata; datalen > 0; ++p, --datalen) {
|
|
||||||
+ printf("%02X", (unsigned char) *p);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ free(outdata);
|
|
||||||
+
|
|
||||||
+ printf("\n");
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
@ -1,469 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent f9ffcfb88e5a9d611a61aee3571050dea67e363e
|
|
||||||
CAVS test for KDF implementation in OpenSSH
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
|
|
||||||
--- a/openssh-7.2p2/Makefile.in
|
|
||||||
+++ b/openssh-7.2p2/Makefile.in
|
|
||||||
@@ -22,16 +22,17 @@ top_srcdir=@top_srcdir@
|
|
||||||
DESTDIR=
|
|
||||||
VPATH=@srcdir@
|
|
||||||
SSH_PROGRAM=@bindir@/ssh
|
|
||||||
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
|
||||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
|
||||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
|
||||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
|
||||||
CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
|
||||||
+CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
|
|
||||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
|
||||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
|
||||||
STRIP_OPT=@STRIP_OPT@
|
|
||||||
TEST_SHELL=@TEST_SHELL@
|
|
||||||
|
|
||||||
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
|
|
||||||
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
|
|
||||||
-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
|
|
||||||
@@ -60,17 +61,17 @@ SED=@SED@
|
|
||||||
ENT=@ENT@
|
|
||||||
XAUTH_PATH=@XAUTH_PATH@
|
|
||||||
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
|
|
||||||
EXEEXT=@EXEEXT@
|
|
||||||
MANFMT=@MANFMT@
|
|
||||||
|
|
||||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
|
|
||||||
|
|
||||||
-TARGETS += cavstest-ctr$(EXEEXT)
|
|
||||||
+TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
|
|
||||||
|
|
||||||
LIBOPENSSH_OBJS=\
|
|
||||||
ssh_api.o \
|
|
||||||
ssherr.o \
|
|
||||||
sshbuf.o \
|
|
||||||
sshkey.o \
|
|
||||||
sshbuf-getput-basic.o \
|
|
||||||
sshbuf-misc.o \
|
|
||||||
@@ -197,16 +198,19 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
|
|
||||||
|
|
||||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
|
|
||||||
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
|
||||||
|
|
||||||
# FIPS tests
|
|
||||||
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
|
|
||||||
$(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
|
|
||||||
+cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-kdf.o
|
|
||||||
+ $(LD) -o $@ cavstest-kdf.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
+
|
|
||||||
# test driver for the loginrec code - not built by default
|
|
||||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
|
||||||
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
|
|
||||||
$(MANPAGES): $(MANPAGES_IN)
|
|
||||||
if test "$(MANTYPE)" = "cat"; then \
|
|
||||||
manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
|
|
||||||
else \
|
|
||||||
@@ -318,16 +322,17 @@ install-files:
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
|
||||||
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
|
||||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-kdf$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-kdf$(EXEEXT)
|
|
||||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
|
||||||
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
|
||||||
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
|
||||||
$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
|
|
||||||
$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
|
|
||||||
$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
|
|
||||||
$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
|
|
||||||
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
|
|
||||||
diff --git a/openssh-7.2p2/cavstest-kdf.c b/openssh-7.2p2/cavstest-kdf.c
|
|
||||||
new file mode 100644
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/openssh-7.2p2/cavstest-kdf.c
|
|
||||||
@@ -0,0 +1,382 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
|
|
||||||
+ *
|
|
||||||
+ * Redistribution and use in source and binary forms, with or without
|
|
||||||
+ * modification, are permitted provided that the following conditions
|
|
||||||
+ * are met:
|
|
||||||
+ * 1. Redistributions of source code must retain the above copyright
|
|
||||||
+ * notice, and the entire permission notice in its entirety,
|
|
||||||
+ * including the disclaimer of warranties.
|
|
||||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
||||||
+ * notice, this list of conditions and the following disclaimer in the
|
|
||||||
+ * documentation and/or other materials provided with the distribution.
|
|
||||||
+ * 3. The name of the author may not be used to endorse or promote
|
|
||||||
+ * products derived from this software without specific prior
|
|
||||||
+ * written permission.
|
|
||||||
+ *
|
|
||||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
|
||||||
+ * the GNU General Public License, in which case the provisions of the GPL2
|
|
||||||
+ * are required INSTEAD OF the above restrictions. (This clause is
|
|
||||||
+ * necessary due to a potential bad interaction between the GPL and
|
|
||||||
+ * the restrictions contained in a BSD-style copyright.)
|
|
||||||
+ *
|
|
||||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
|
||||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
||||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
|
|
||||||
+ * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
|
|
||||||
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
||||||
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
|
|
||||||
+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
|
|
||||||
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
||||||
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
||||||
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
|
|
||||||
+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
|
|
||||||
+ * DAMAGE.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include "includes.h"
|
|
||||||
+
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <errno.h>
|
|
||||||
+#include <sys/types.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+
|
|
||||||
+#include <openssl/bn.h>
|
|
||||||
+
|
|
||||||
+#include "xmalloc.h"
|
|
||||||
+#include "buffer.h"
|
|
||||||
+#include "key.h"
|
|
||||||
+#include "cipher.h"
|
|
||||||
+#include "kex.h"
|
|
||||||
+#include "packet.h"
|
|
||||||
+
|
|
||||||
+static int bin_char(unsigned char hex)
|
|
||||||
+{
|
|
||||||
+ if (48 <= hex && 57 >= hex)
|
|
||||||
+ return (hex - 48);
|
|
||||||
+ if (65 <= hex && 70 >= hex)
|
|
||||||
+ return (hex - 55);
|
|
||||||
+ if (97 <= hex && 102 >= hex)
|
|
||||||
+ return (hex - 87);
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Convert hex representation into binary string
|
|
||||||
+ * @hex input buffer with hex representation
|
|
||||||
+ * @hexlen length of hex
|
|
||||||
+ * @bin output buffer with binary data
|
|
||||||
+ * @binlen length of already allocated bin buffer (should be at least
|
|
||||||
+ * half of hexlen -- if not, only a fraction of hexlen is converted)
|
|
||||||
+ */
|
|
||||||
+static void hex2bin(const char *hex, size_t hexlen,
|
|
||||||
+ unsigned char *bin, size_t binlen)
|
|
||||||
+{
|
|
||||||
+ size_t i = 0;
|
|
||||||
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < chars; i++) {
|
|
||||||
+ bin[i] = bin_char(hex[(i*2)]) << 4;
|
|
||||||
+ bin[i] |= bin_char(hex[((i*2)+1)]);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Allocate sufficient space for binary representation of hex
|
|
||||||
+ * and convert hex into bin
|
|
||||||
+ *
|
|
||||||
+ * Caller must free bin
|
|
||||||
+ * @hex input buffer with hex representation
|
|
||||||
+ * @hexlen length of hex
|
|
||||||
+ * @bin return value holding the pointer to the newly allocated buffer
|
|
||||||
+ * @binlen return value holding the allocated size of bin
|
|
||||||
+ *
|
|
||||||
+ * return: 0 on success, !0 otherwise
|
|
||||||
+ */
|
|
||||||
+static int hex2bin_alloc(const char *hex, size_t hexlen,
|
|
||||||
+ unsigned char **bin, size_t *binlen)
|
|
||||||
+{
|
|
||||||
+ unsigned char *out = NULL;
|
|
||||||
+ size_t outlen = 0;
|
|
||||||
+
|
|
||||||
+ if (!hexlen)
|
|
||||||
+ return -EINVAL;
|
|
||||||
+
|
|
||||||
+ outlen = (hexlen + 1) / 2;
|
|
||||||
+
|
|
||||||
+ out = calloc(1, outlen);
|
|
||||||
+ if (!out)
|
|
||||||
+ return -errno;
|
|
||||||
+
|
|
||||||
+ hex2bin(hex, hexlen, out, outlen);
|
|
||||||
+ *bin = out;
|
|
||||||
+ *binlen = outlen;
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static char hex_char_map_l[] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
|
||||||
+ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
|
|
||||||
+static char hex_char_map_u[] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
|
||||||
+ '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
|
|
||||||
+static char hex_char(unsigned int bin, int u)
|
|
||||||
+{
|
|
||||||
+ if (bin < sizeof(hex_char_map_l))
|
|
||||||
+ return (u) ? hex_char_map_u[bin] : hex_char_map_l[bin];
|
|
||||||
+ return 'X';
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Convert binary string into hex representation
|
|
||||||
+ * @bin input buffer with binary data
|
|
||||||
+ * @binlen length of bin
|
|
||||||
+ * @hex output buffer to store hex data
|
|
||||||
+ * @hexlen length of already allocated hex buffer (should be at least
|
|
||||||
+ * twice binlen -- if not, only a fraction of binlen is converted)
|
|
||||||
+ * @u case of hex characters (0=>lower case, 1=>upper case)
|
|
||||||
+ */
|
|
||||||
+static void bin2hex(const unsigned char *bin, size_t binlen,
|
|
||||||
+ char *hex, size_t hexlen, int u)
|
|
||||||
+{
|
|
||||||
+ size_t i = 0;
|
|
||||||
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < chars; i++) {
|
|
||||||
+ hex[(i*2)] = hex_char((bin[i] >> 4), u);
|
|
||||||
+ hex[((i*2)+1)] = hex_char((bin[i] & 0x0f), u);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+struct kdf_cavs {
|
|
||||||
+ unsigned char *K;
|
|
||||||
+ size_t Klen;
|
|
||||||
+ unsigned char *H;
|
|
||||||
+ size_t Hlen;
|
|
||||||
+ unsigned char *session_id;
|
|
||||||
+ size_t session_id_len;
|
|
||||||
+
|
|
||||||
+ unsigned int iv_len;
|
|
||||||
+ unsigned int ek_len;
|
|
||||||
+ unsigned int ik_len;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static int sshkdf_cavs(struct kdf_cavs *test)
|
|
||||||
+{
|
|
||||||
+ int ret = 0;
|
|
||||||
+ struct kex kex;
|
|
||||||
+ struct ssh ssh;
|
|
||||||
+ BIGNUM *Kbn = NULL;
|
|
||||||
+ int mode = 0;
|
|
||||||
+ struct newkeys *keys_client;
|
|
||||||
+ struct newkeys *keys_server;
|
|
||||||
+
|
|
||||||
+#define HEXOUTLEN 500
|
|
||||||
+ char hex[HEXOUTLEN];
|
|
||||||
+
|
|
||||||
+ memset(&ssh, 0, sizeof(struct ssh));
|
|
||||||
+ memset(&kex, 0, sizeof(struct kex));
|
|
||||||
+ ssh.kex = &kex;
|
|
||||||
+
|
|
||||||
+ Kbn = BN_new();
|
|
||||||
+ BN_bin2bn(test->K, test->Klen, Kbn);
|
|
||||||
+ if (!Kbn) {
|
|
||||||
+ printf("cannot convert K into BIGNUM\n");
|
|
||||||
+ ret = 1;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ kex.session_id = test->session_id;
|
|
||||||
+ kex.session_id_len = test->session_id_len;
|
|
||||||
+
|
|
||||||
+ /* setup kex */
|
|
||||||
+
|
|
||||||
+ /* select the right hash based on struct ssh_digest digests */
|
|
||||||
+ switch (test->ik_len) {
|
|
||||||
+ case 20:
|
|
||||||
+ kex.hash_alg = 2;
|
|
||||||
+ break;
|
|
||||||
+ case 32:
|
|
||||||
+ kex.hash_alg = 3;
|
|
||||||
+ break;
|
|
||||||
+ case 48:
|
|
||||||
+ kex.hash_alg = 4;
|
|
||||||
+ break;
|
|
||||||
+ case 64:
|
|
||||||
+ kex.hash_alg = 5;
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ printf("Wrong hash type %u\n", test->ik_len);
|
|
||||||
+ ret = 1;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* implement choose_enc */
|
|
||||||
+ for (mode = 0; mode < 2; mode++) {
|
|
||||||
+ kex.newkeys[mode] = calloc(1, sizeof(struct newkeys));
|
|
||||||
+ if (!kex.newkeys[mode]) {
|
|
||||||
+ printf("allocation of newkeys failed\n");
|
|
||||||
+ ret = 1;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ kex.newkeys[mode]->enc.iv_len = test->iv_len;
|
|
||||||
+ kex.newkeys[mode]->enc.key_len = test->ek_len;
|
|
||||||
+ kex.newkeys[mode]->enc.block_size = (test->iv_len == 64) ? 8 : 16;
|
|
||||||
+ kex.newkeys[mode]->mac.key_len = test->ik_len;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* implement kex_choose_conf */
|
|
||||||
+ kex.we_need = kex.newkeys[0]->enc.key_len;
|
|
||||||
+ if (kex.we_need < kex.newkeys[0]->enc.block_size)
|
|
||||||
+ kex.we_need = kex.newkeys[0]->enc.block_size;
|
|
||||||
+ if (kex.we_need < kex.newkeys[0]->enc.iv_len)
|
|
||||||
+ kex.we_need = kex.newkeys[0]->enc.iv_len;
|
|
||||||
+ if (kex.we_need < kex.newkeys[0]->mac.key_len)
|
|
||||||
+ kex.we_need = kex.newkeys[0]->mac.key_len;
|
|
||||||
+
|
|
||||||
+ /* MODE_OUT (1) -> server to client
|
|
||||||
+ * MODE_IN (0) -> client to server */
|
|
||||||
+ kex.server = 1;
|
|
||||||
+
|
|
||||||
+ /* do it */
|
|
||||||
+ kex_derive_keys_bn(&ssh, test->H, test->Hlen, Kbn);
|
|
||||||
+
|
|
||||||
+ keys_client = ssh.kex->newkeys[0];
|
|
||||||
+ keys_server = ssh.kex->newkeys[1];
|
|
||||||
+
|
|
||||||
+ /* get data */
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(keys_client->enc.iv, (size_t)keys_client->enc.iv_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Initial IV (client to server) = %s\n", hex);
|
|
||||||
+
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(keys_server->enc.iv, (size_t)keys_server->enc.iv_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Initial IV (server to client) = %s\n", hex);
|
|
||||||
+
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(keys_client->enc.key, (size_t)keys_client->enc.key_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Encryption key (client to server) = %s\n", hex);
|
|
||||||
+
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(keys_server->enc.key, (size_t)keys_server->enc.key_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Encryption key (server to client) = %s\n", hex);
|
|
||||||
+
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(keys_client->mac.key, (size_t)keys_client->mac.key_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Integrity key (client to server) = %s\n", hex);
|
|
||||||
+
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(keys_server->mac.key, (size_t)keys_server->mac.key_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Integrity key (server to client) = %s\n", hex);
|
|
||||||
+
|
|
||||||
+ free(keys_client);
|
|
||||||
+ free(keys_server);
|
|
||||||
+
|
|
||||||
+out:
|
|
||||||
+ if (Kbn)
|
|
||||||
+ BN_free(Kbn);
|
|
||||||
+ if (kex.newkeys[0])
|
|
||||||
+ free(kex.newkeys[0]);
|
|
||||||
+ if (kex.newkeys[1])
|
|
||||||
+ free(kex.newkeys[1]);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void usage(void)
|
|
||||||
+{
|
|
||||||
+ fprintf(stderr, "\nOpenSSH KDF CAVS Test\n\n");
|
|
||||||
+ fprintf(stderr, "Usage:\n");
|
|
||||||
+ fprintf(stderr, "\t-K\tShared secret string\n");
|
|
||||||
+ fprintf(stderr, "\t-H\tHash string\n");
|
|
||||||
+ fprintf(stderr, "\t-s\tSession ID string\n");
|
|
||||||
+ fprintf(stderr, "\t-i\tIV length to be generated\n");
|
|
||||||
+ fprintf(stderr, "\t-e\tEncryption key length to be generated\n");
|
|
||||||
+ fprintf(stderr, "\t-m\tMAC key length to be generated\n");
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Test command example:
|
|
||||||
+ * ./ssh-cavs -K 0055d50f2d163cc07cd8a93cc7c3430c30ce786b572c01ad29fec7597000cf8618d664e2ec3dcbc8bb7a1a7eb7ef67f61cdaf291625da879186ac0a5cb27af571b59612d6a6e0627344d846271959fda61c78354aa498773d59762f8ca2d0215ec590d8633de921f920d41e47b3de6ab9a3d0869e1c826d0e4adebf8e3fb646a15dea20a410b44e969f4b791ed6a67f13f1b74234004d5fa5e87eff7abc32d49bbdf44d7b0107e8f10609233b7e2b7eff74a4daf25641de7553975dac6ac1e5117df6f6dbaa1c263d23a6c3e5a3d7d49ae8a828c1e333ac3f85fbbf57b5c1a45be45e43a7be1a4707eac779b8285522d1f531fe23f890fd38a004339932b93eda4 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
|
|
||||||
+ *
|
|
||||||
+ * Expected result for example:
|
|
||||||
+ * Initial IV (client to server) = 4bb320d1679dfd3a
|
|
||||||
+ * Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
|
|
||||||
+ * Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
|
|
||||||
+ * Initial IV (server to client) = 43dea6fdf263a308
|
|
||||||
+ * Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
|
|
||||||
+ * Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
|
|
||||||
+ */
|
|
||||||
+int main(int argc, char *argv[])
|
|
||||||
+{
|
|
||||||
+ struct kdf_cavs test;
|
|
||||||
+ int ret = 1;
|
|
||||||
+ int opt = 0;
|
|
||||||
+
|
|
||||||
+ memset(&test, 0, sizeof(struct kdf_cavs));
|
|
||||||
+ while((opt = getopt(argc, argv, "K:H:s:i:e:m:")) != -1)
|
|
||||||
+ {
|
|
||||||
+ size_t len = 0;
|
|
||||||
+ switch(opt)
|
|
||||||
+ {
|
|
||||||
+ /*
|
|
||||||
+ * CAVS K is MPINT
|
|
||||||
+ * we want a hex (i.e. the caller must ensure the
|
|
||||||
+ * following transformations already happened):
|
|
||||||
+ * 1. cut off first four bytes
|
|
||||||
+ * 2. if most significant bit of value is
|
|
||||||
+ * 1, prepend 0 byte
|
|
||||||
+ */
|
|
||||||
+ case 'K':
|
|
||||||
+ len = strlen(optarg);
|
|
||||||
+ ret = hex2bin_alloc(optarg, len,
|
|
||||||
+ &test.K, &test.Klen);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto out;
|
|
||||||
+ break;
|
|
||||||
+ case 'H':
|
|
||||||
+ len = strlen(optarg);
|
|
||||||
+ ret = hex2bin_alloc(optarg, len,
|
|
||||||
+ &test.H, &test.Hlen);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto out;
|
|
||||||
+ break;
|
|
||||||
+ case 's':
|
|
||||||
+ len = strlen(optarg);
|
|
||||||
+ ret = hex2bin_alloc(optarg, len,
|
|
||||||
+ &test.session_id,
|
|
||||||
+ &test.session_id_len);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto out;
|
|
||||||
+ break;
|
|
||||||
+ case 'i':
|
|
||||||
+ test.iv_len = strtoul(optarg, NULL, 10);
|
|
||||||
+ break;
|
|
||||||
+ case 'e':
|
|
||||||
+ test.ek_len = strtoul(optarg, NULL, 10);
|
|
||||||
+ break;
|
|
||||||
+ case 'm':
|
|
||||||
+ test.ik_len = strtoul(optarg, NULL, 10);
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ usage();
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sshkdf_cavs(&test);
|
|
||||||
+
|
|
||||||
+out:
|
|
||||||
+ if (test.session_id)
|
|
||||||
+ free(test.session_id);
|
|
||||||
+ if (test.K)
|
|
||||||
+ free(test.K);
|
|
||||||
+ if (test.H)
|
|
||||||
+ free(test.H);
|
|
||||||
+ return ret;
|
|
||||||
+
|
|
||||||
+}
|
|
@ -1,64 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 4821397c95e57962905e6d47554bef9e4ea57483
|
|
||||||
disable run-time check for OpenSSL ABI by version number as that is not a
|
|
||||||
reliable indicator of ABI changes and doesn't make much sense in a
|
|
||||||
distribution package
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
|
|
||||||
--- a/openssh-7.2p2/configure.ac
|
|
||||||
+++ b/openssh-7.2p2/configure.ac
|
|
||||||
@@ -4663,16 +4663,29 @@ AC_ARG_WITH([bsd-auth],
|
|
||||||
if test "x$withval" != "xno" ; then
|
|
||||||
AC_DEFINE([BSD_AUTH], [1],
|
|
||||||
[Define if you have BSD auth support])
|
|
||||||
BSD_AUTH_MSG=yes
|
|
||||||
fi
|
|
||||||
]
|
|
||||||
)
|
|
||||||
|
|
||||||
+# Whether we are using distribution (Open)SSL, so no runtime checks are necessary
|
|
||||||
+DISTRO_SSL=no
|
|
||||||
+AC_ARG_WITH([distro-ssl],
|
|
||||||
+ [ --with-distro-ssl Disable runtime OpenSSL version checks (good for distributions)],
|
|
||||||
+ [
|
|
||||||
+ if test "x$withval" != "xno" ; then
|
|
||||||
+ AC_DEFINE([DISTRO_SSL], [1],
|
|
||||||
+ [Define if you are using distribution SSL library and don;t expect its API/ABI to change])
|
|
||||||
+ DISTRO_SSL=yes
|
|
||||||
+ fi
|
|
||||||
+ ]
|
|
||||||
+)
|
|
||||||
+
|
|
||||||
# Where to place sshd.pid
|
|
||||||
piddir=/var/run
|
|
||||||
# make sure the directory exists
|
|
||||||
if test ! -d $piddir ; then
|
|
||||||
piddir=`eval echo ${sysconfdir}`
|
|
||||||
case $piddir in
|
|
||||||
NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
|
|
||||||
esac
|
|
||||||
diff --git a/openssh-7.2p2/entropy.c b/openssh-7.2p2/entropy.c
|
|
||||||
--- a/openssh-7.2p2/entropy.c
|
|
||||||
+++ b/openssh-7.2p2/entropy.c
|
|
||||||
@@ -209,19 +209,21 @@ rexec_recv_rng_seed(Buffer *m)
|
|
||||||
#endif /* OPENSSL_PRNG_ONLY */
|
|
||||||
|
|
||||||
void
|
|
||||||
seed_rng(void)
|
|
||||||
{
|
|
||||||
#ifndef OPENSSL_PRNG_ONLY
|
|
||||||
unsigned char buf[RANDOM_SEED_SIZE];
|
|
||||||
#endif
|
|
||||||
+#ifndef DISTRO_SSL
|
|
||||||
if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, SSLeay()))
|
|
||||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
|
||||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
#ifndef OPENSSL_PRNG_ONLY
|
|
||||||
if (RAND_status() == 1) {
|
|
||||||
debug3("RNG is ready, skipping seeding");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (seed_from_prngd(buf, sizeof(buf)) == -1)
|
|
@ -1,29 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent e4886597a8984ae1594b6866fe1b232370b23529
|
|
||||||
# posix threads are generally not supported nor safe
|
|
||||||
# (see upstream log from 2005-05-24)
|
|
||||||
# --used to be called '-pam-fix3'
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/auth-pam.c b/openssh-7.2p2/auth-pam.c
|
|
||||||
--- a/openssh-7.2p2/auth-pam.c
|
|
||||||
+++ b/openssh-7.2p2/auth-pam.c
|
|
||||||
@@ -782,17 +782,19 @@ sshpam_query(void *ctx, char **name, cha
|
|
||||||
}
|
|
||||||
if (type == PAM_SUCCESS) {
|
|
||||||
if (!sshpam_authctxt->valid ||
|
|
||||||
(sshpam_authctxt->pw->pw_uid == 0 &&
|
|
||||||
options.permit_root_login != PERMIT_YES))
|
|
||||||
fatal("Internal error: PAM auth "
|
|
||||||
"succeeded when it should have "
|
|
||||||
"failed");
|
|
||||||
+#ifndef UNSUPPORTED_POSIX_THREADS_HACK
|
|
||||||
import_environments(&buffer);
|
|
||||||
+#endif
|
|
||||||
*num = 0;
|
|
||||||
**echo_on = 0;
|
|
||||||
ctxt->pam_done = 1;
|
|
||||||
free(msg);
|
|
||||||
return (0);
|
|
||||||
}
|
|
||||||
error("PAM: %s for %s%.100s from %.100s", msg,
|
|
||||||
sshpam_authctxt->valid ? "" : "illegal user ",
|
|
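--- a/PLACEHOLDER_PATH_removed_patch_sshd_manpages
+++ /dev/null
@@ -1,87 +0,0 @@
-# HG changeset patch
-# Parent f19426f2fa9c634474e635bf33b86acea0518f6d
-fix paths and references in sshd man pages
-
-diff --git a/openssh-7.2p2/sshd.8 b/openssh-7.2p2/sshd.8
---- a/openssh-7.2p2/sshd.8
-+++ b/openssh-7.2p2/sshd.8
-@@ -901,17 +901,17 @@ See
-If this file exists,
-.Nm
-refuses to let anyone except root log in.
-The contents of the file
-are displayed to anyone trying to log in, and non-root connections are
-refused.
-The file should be world-readable.
-.Pp
--.It Pa /etc/shosts.equiv
-+.It Pa /etc/ssh/shosts.equiv
-This file is used in exactly the same way as
-.Pa hosts.equiv ,
-but allows host-based authentication without permitting login with
-rlogin/rsh.
-.Pp
-.It Pa /etc/ssh/ssh_host_key
-.It Pa /etc/ssh/ssh_host_dsa_key
-.It Pa /etc/ssh/ssh_host_ecdsa_key
-@@ -981,17 +981,17 @@ The content of this file is not sensitiv
-.Xr scp 1 ,
-.Xr sftp 1 ,
-.Xr ssh 1 ,
-.Xr ssh-add 1 ,
-.Xr ssh-agent 1 ,
-.Xr ssh-keygen 1 ,
-.Xr ssh-keyscan 1 ,
-.Xr chroot 2 ,
--.Xr login.conf 5 ,
-+.Xr login.defs 5 ,
-.Xr moduli 5 ,
-.Xr sshd_config 5 ,
-.Xr inetd 8 ,
-.Xr sftp-server 8
-.Sh AUTHORS
-OpenSSH is a derivative of the original and free
-ssh 1.2.12 release by Tatu Ylonen.
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
---- a/openssh-7.2p2/sshd_config.5
-+++ b/openssh-7.2p2/sshd_config.5
-@@ -370,18 +370,17 @@ for details).
-The contents of the specified file are sent to the remote user before
-authentication is allowed.
-If the argument is
-.Dq none
-then no banner is displayed.
-By default, no banner is displayed.
-.It Cm ChallengeResponseAuthentication
-Specifies whether challenge-response authentication is allowed (e.g. via
--PAM or through authentication styles supported in
--.Xr login.conf 5 )
-+PAM)
-The default is
-.Dq yes .
-.It Cm ChrootDirectory
-Specifies the pathname of a directory to
-.Xr chroot 2
-to after authentication.
-At session startup
-.Xr sshd 8
-@@ -766,17 +765,17 @@ and
-.Pa .shosts
-files will not be used in
-.Cm RhostsRSAAuthentication
-or
-.Cm HostbasedAuthentication .
-.Pp
-.Pa /etc/hosts.equiv
-and
--.Pa /etc/shosts.equiv
-+.Pa /etc/ssh/shosts.equiv
-are still used.
-The default is
-.Dq yes .
-.It Cm IgnoreUserKnownHosts
-Specifies whether
-.Xr sshd 8
-should ignore the user's
-.Pa ~/.ssh/known_hosts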
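--- a/PLACEHOLDER_PATH_removed_patch_force_pam
+++ /dev/null
@@ -1,47 +0,0 @@
-# HG changeset patch
-# Parent 980f301b2920c09b30577dd722546bca85d25fc1
-# force PAM in defaullt install (this was removed from upstream in 3.8p1)
-# bnc#46749
-# --used to be called '-pam-fix2'
-
-diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
---- a/openssh-7.2p2/sshd_config
-+++ b/openssh-7.2p2/sshd_config
-@@ -64,17 +64,17 @@ AuthorizedKeysFile .ssh/authorized_keys
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
--#PasswordAuthentication yes
-+PasswordAuthentication no
-#PermitEmptyPasswords no
-
-# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-@@ -89,17 +89,17 @@ AuthorizedKeysFile .ssh/authorized_keys
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
--#UsePAM no
-+UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-X11Forwarding yes
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes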
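--- a/PLACEHOLDER_PATH_removed_patch_known_hosts_hint
+++ /dev/null
@@ -1,29 +0,0 @@
-# HG changeset patch
-# Parent e2f9b3303b4a4ed5d0e5f01009dd1ebea166890d
-Suggest command line for removal of offending keys from known_hosts file
-
-diff --git a/openssh-7.2p2/sshconnect.c b/openssh-7.2p2/sshconnect.c
---- a/openssh-7.2p2/sshconnect.c
-+++ b/openssh-7.2p2/sshconnect.c
-@@ -1086,16 +1086,21 @@ check_host_key(char *hostname, struct so
-ip_found->file, ip_found->line);
-}
-/* The host key has changed. */
-warn_changed_key(host_key);
-error("Add correct host key in %.100s to get rid of this message.",
-user_hostfiles[0]);
-error("Offending %s key in %s:%lu", key_type(host_found->key),
-host_found->file, host_found->line);
-+ error("You can use following command to remove the offending key:");
-+ if (host_found->file)
-+ error("ssh-keygen -R %s -f %s", host, host_found->file);
-+ else
-+ error("ssh-keygen -R %s", host);
-
-/*
-* If strict host key checking is in use, the user will have
-* to edit the key manually and we can only abort.
-*/
-if (options.strict_host_key_checking) {
-error("%s host key for %.200s has changed and you have "
-"requested strict checking.", type, host);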
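--- a/PLACEHOLDER_PATH_removed_patch_CVE-2015-8325
+++ /dev/null
@@ -1,33 +0,0 @@
-# HG changeset patch
-# Parent 0f00e960e1069c6a6eec975cc184171343701077
-
-Do not import PAM environment variables when using login, since it may have
-security implications.
-
-CVE-2015-8325
-bsc#975865
-
-Backport of upstream commit 85bdcd7c92fe7ff133bbc4e10a65c91810f88755
-
-diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
---- a/openssh-7.2p2/session.c
-+++ b/openssh-7.2p2/session.c
-@@ -1351,17 +1351,17 @@ do_setup_env(Session *s, const char *she
-child_set_env(&env, &envsize, "KRB5CCNAME",
-s->authctxt->krb5_ccname);
-#endif
-#ifdef USE_PAM
-/*
-* Pull in any environment variables that may have
-* been set by PAM.
-*/
-- if (options.use_pam) {
-+ if (options.use_pam && !options.use_login) {
-char **p;
-
-p = fetch_pam_child_environment();
-copy_environment(p, &env, &envsize);
-free_pam_environment(p);
-
-p = fetch_pam_environment();
-copy_environment(p, &env, &envsize);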
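--- a/PLACEHOLDER_PATH_removed_patch_slogin
+++ /dev/null
@@ -1,66 +0,0 @@
-# HG changeset patch
-# Parent 7c29b31d3502bbf5b80e01f8d1db8b2733a3c7f4
-Add slogin back to the distribution, since it might be used downstreams
-
-Revert of cupstream commit 69fead5d7cdaa73bdece9fcba80f8e8e70b90346
-
-diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
---- a/openssh-7.2p2/Makefile.in
-+++ b/openssh-7.2p2/Makefile.in
-@@ -354,16 +354,20 @@ install-files:
-$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
-$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
-if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
-$(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
-$(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
-fi
-+ -rm -f $(DESTDIR)$(bindir)/slogin
-+ ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
-+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-+ ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-
-install-sysconf:
-if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
-$(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
-fi
-@if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config ]; then \
-$(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \
-else \
-@@ -415,16 +419,17 @@ uninstallall: uninstall
--rmdir $(DESTDIR)$(bindir)
--rmdir $(DESTDIR)$(sbindir)
--rmdir $(DESTDIR)$(mandir)/$(mansubdir)1
--rmdir $(DESTDIR)$(mandir)/$(mansubdir)8
--rmdir $(DESTDIR)$(mandir)
--rmdir $(DESTDIR)$(libexecdir)
-
-uninstall:
-+ -rm -f $(DESTDIR)$(bindir)/slogin
--rm -f $(DESTDIR)$(bindir)/ssh$(EXEEXT)
--rm -f $(DESTDIR)$(bindir)/scp$(EXEEXT)
--rm -f $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
--rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
--rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
--rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
--rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
--rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
-@@ -440,16 +445,17 @@ uninstall:
--rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
--rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
--rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
--rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
--rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
--rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
--rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
--rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
-+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-
-regress-prep:
-[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
-[ -d `pwd`/regress/unittests ] || mkdir -p `pwd`/regress/unittests
-[ -d `pwd`/regress/unittests/test_helper ] || \
-mkdir -p `pwd`/regress/unittests/test_helper
-[ -d `pwd`/regress/unittests/sshbuf ] || \
-mkdir -p `pwd`/regress/unittests/sshbuf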
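--- a/PLACEHOLDER_PATH_removed_patch_CVE-2016-8858
+++ /dev/null
@@ -1,30 +0,0 @@
-# HG changeset patch
-# Parent 5d3b620e9c7c42bfb1d8f24eb7e0645a55d967fa
-Prevent memory depletion during key exchange
-
-CVE-2016-8858
-bsc#1005480
-
-upstream commit ec165c392ca54317dbe3064a8c200de6531e89ad
-
-diff --git a/openssh-7.2p2/kex.c b/openssh-7.2p2/kex.c
---- a/openssh-7.2p2/kex.c
-+++ b/openssh-7.2p2/kex.c
-@@ -523,16 +523,17 @@ kex_input_kexinit(int type, u_int32_t se
-u_int i;
-size_t dlen;
-int r;
-
-debug("SSH2_MSG_KEXINIT received");
-if (kex == NULL)
-return SSH_ERR_INVALID_ARGUMENT;
-
-+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
-ptr = sshpkt_ptr(ssh, &dlen);
-if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
-return r;
-
-/* discard packet */
-for (i = 0; i < KEX_COOKIE_LEN; i++)
-if ((r = sshpkt_get_u8(ssh, NULL)) != 0)
-return r;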
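--- a/PLACEHOLDER_PATH_removed_patch_CVE-2016-6515
+++ /dev/null
@@ -1,52 +0,0 @@
-# HG changeset patch
-# Parent 9888bc3f536eab9f528d9c96e5e8a2501ed168f5
-Limit accepted passwords length to prevent DoS by resource consumption
-(via crypt() eating CPU cycles).
-
-CVE-2016-6515
-bsc#992533
-
-upstream commit: fcd135c9df440bcd2d5870405ad3311743d78d97
-
-diff --git a/openssh-7.2p2/auth-passwd.c b/openssh-7.2p2/auth-passwd.c
---- a/openssh-7.2p2/auth-passwd.c
-+++ b/openssh-7.2p2/auth-passwd.c
-@@ -61,16 +61,18 @@ extern ServerOptions options;
-#ifdef HAVE_LOGIN_CAP
-extern login_cap_t *lc;
-#endif
-
-
-#define DAY (24L * 60 * 60) /* 1 day in seconds */
-#define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */
-
-+#define MAX_PASSWORD_LEN 1024
-+
-void
-disable_forwarding(void)
-{
-no_port_forwarding_flag = 1;
-no_agent_forwarding_flag = 1;
-no_x11_forwarding_flag = 1;
-}
-
-@@ -82,16 +84,19 @@ int
-auth_password(Authctxt *authctxt, const char *password)
-{
-struct passwd * pw = authctxt->pw;
-int result, ok = authctxt->valid;
-#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
-static int expire_checked = 0;
-#endif
-
-+ if (strlen(password) > MAX_PASSWORD_LEN)
-+ return 0;
-+
-#ifndef HAVE_CYGWIN
-if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
-ok = 0;
-#endif
-if (*password == '\0' && options.permit_empty_passwd == 0)
-return 0;
-
-#ifdef KRB5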
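--- a/PLACEHOLDER_PATH_removed_patch_login_no_endopt
+++ /dev/null
@@ -1,32 +0,0 @@
-# HG changeset patch
-# Parent b86c2190c93aeaf958c22fc7b224dcaf87100288
-# HG changeset patch
-# Parent b262fd34c8ecd55e93d457b3ca5593abce716856
-# login-pam cannot handle the option terminator "--" as login from util-linux
-# (this is correct behaviour considering its man-page), hence use option which
-# selects the compile-time branch in the code which doesn't use the terminator
-#
-# bnc#833605
-
-diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
---- a/openssh-7.2p2/configure.ac
-+++ b/openssh-7.2p2/configure.ac
-@@ -770,16 +770,18 @@ main() { if (NSVersionOfRunTimeLibrary("
-AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
-AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
-;;
-*-*-linux*)
-no_dev_ptmx=1
-use_pie=auto
-check_for_libcrypt_later=1
-check_for_openpty_ctty_bug=1
-+ AC_DEFINE([LOGIN_NO_ENDOPT], [1],
-+ [Define if your login program cannot handle end of options ("--")])
-AC_DEFINE([PAM_TTY_KLUDGE], [1],
-[Work around problematic Linux PAM modules handling of PAM_TTY])
-AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
-[String used in /etc/passwd to denote locked account])
-AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
-AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
-[Define to whatever link() returns for "not supported"
-if it doesn't return EOPNOTSUPP.])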
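--- a/PLACEHOLDER_PATH_removed_patch_no_pidfile_when_not_daemonizing
+++ /dev/null
@@ -1,26 +0,0 @@
-# HG changeset patch
-# Parent 4011d0f5c00b663976c9940dc4ef79642605cf90
-Do not write a PID file when not daemonizing (e.g. when running from systemd)
-
-diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
---- a/openssh-7.2p2/sshd.c
-+++ b/openssh-7.2p2/sshd.c
-@@ -2107,17 +2107,17 @@ main(int ac, char **av)
-signal(SIGCHLD, main_sigchld_handler);
-signal(SIGTERM, sigterm_handler);
-signal(SIGQUIT, sigterm_handler);
-
-/*
-* Write out the pid file after the sigterm handler
-* is setup and the listen sockets are bound
-*/
-- if (options.pid_file != NULL && !debug_flag) {
-+ if (!no_daemon_flag && options.pid_file != NULL && !debug_flag) {
-FILE *f = fopen(options.pid_file, "w");
-
-if (f == NULL) {
-error("Couldn't create pid file \"%s\": %s",
-options.pid_file, strerror(errno));
-} else {
-fprintf(f, "%ld\n", (long) getpid());
-fclose(f);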
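--- a/PLACEHOLDER_PATH_removed_patch_CVE-2016-10011
+++ /dev/null
@@ -1,188 +0,0 @@
-# HG changeset patch
-# Parent e2a8c999f737bca97bbc330ce6683de842ba195e
-Pre-allocare buffer for private keys data to prevent leaking of sensitive data
-via heap.
-
-CVE-2016-10011
-bsc#1016369
-
-backported upstream commit 54d022026aae4f53fa74cc636e4a032d9689b64d
-backported upstream commit a9c746088787549bb5b1ae3add7d06a1b6d93d5e
-
-diff --git a/openssh-7.2p2/authfile.c b/openssh-7.2p2/authfile.c
---- a/openssh-7.2p2/authfile.c
-+++ b/openssh-7.2p2/authfile.c
-@@ -95,23 +95,35 @@ sshkey_save_private(struct sshkey *key,
-
-/* Load a key from a fd into a buffer */
-int
-sshkey_load_file(int fd, struct sshbuf *blob)
-{
-u_char buf[1024];
-size_t len;
-struct stat st;
-- int r;
-+ int r, dontmax = 0;
-
-if (fstat(fd, &st) < 0)
-return SSH_ERR_SYSTEM_ERROR;
-if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
-st.st_size > MAX_KEY_FILE_SIZE)
-return SSH_ERR_INVALID_FORMAT;
-+ /*
-+ * Pre-allocate the buffer used for the key contents and clamp its
-+ * maximum size. This ensures that key contents are never leaked via
-+ * implicit realloc() in the sshbuf code.
-+ */
-+ if ((st.st_mode & S_IFREG) == 0 || st.st_size <= 0) {
-+ st.st_size = 64*1024; /* 64k should be enough for anyone :) */
-+ dontmax = 1;
-+ }
-+ if ((r = sshbuf_allocate(blob, st.st_size)) != 0 ||
-+ (dontmax && (r = sshbuf_set_max_size(blob, st.st_size)) != 0))
-+ return r;
-for (;;) {
-if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
-if (errno == EPIPE)
-break;
-r = SSH_ERR_SYSTEM_ERROR;
-goto out;
-}
-if ((r = sshbuf_put(blob, buf, len)) != 0)
-diff --git a/openssh-7.2p2/sshbuf.c b/openssh-7.2p2/sshbuf.c
---- a/openssh-7.2p2/sshbuf.c
-+++ b/openssh-7.2p2/sshbuf.c
-@@ -311,63 +311,73 @@ sshbuf_check_reserve(const struct sshbuf
-SSHBUF_TELL("check");
-/* Check that len is reasonable and that max_size + available < len */
-if (len > buf->max_size || buf->max_size - len < buf->size - buf->off)
-return SSH_ERR_NO_BUFFER_SPACE;
-return 0;
-}
-
-int
--sshbuf_reserve(struct sshbuf *buf, size_t len, u_char **dpp)
-+sshbuf_allocate(struct sshbuf *buf, size_t len)
-{
-size_t rlen, need;
-u_char *dp;
-int r;
-
-- if (dpp != NULL)
-- *dpp = NULL;
--
-- SSHBUF_DBG(("reserve buf = %p len = %zu", buf, len));
-+ SSHBUF_DBG(("allocate buf = %p len = %zu", buf, len));
-if ((r = sshbuf_check_reserve(buf, len)) != 0)
-return r;
-/*
-* If the requested allocation appended would push us past max_size
-* then pack the buffer, zeroing buf->off.
-*/
-sshbuf_maybe_pack(buf, buf->size + len > buf->max_size);
-- SSHBUF_TELL("reserve");
-- if (len + buf->size > buf->alloc) {
-- /*
-- * Prefer to alloc in SSHBUF_SIZE_INC units, but
-- * allocate less if doing so would overflow max_size.
-- */
-- need = len + buf->size - buf->alloc;
-- rlen = roundup(buf->alloc + need, SSHBUF_SIZE_INC);
-- SSHBUF_DBG(("need %zu initial rlen %zu", need, rlen));
-- if (rlen > buf->max_size)
-- rlen = buf->alloc + need;
-- SSHBUF_DBG(("adjusted rlen %zu", rlen));
-- if ((dp = realloc(buf->d, rlen)) == NULL) {
-- SSHBUF_DBG(("realloc fail"));
-- if (dpp != NULL)
-- *dpp = NULL;
-- return SSH_ERR_ALLOC_FAIL;
-- }
-- buf->alloc = rlen;
-- buf->cd = buf->d = dp;
-- if ((r = sshbuf_check_reserve(buf, len)) < 0) {
-- /* shouldn't fail */
-- if (dpp != NULL)
-- *dpp = NULL;
-- return r;
-- }
-+ SSHBUF_TELL("allocate");
-+ if (len + buf->size <= buf->alloc)
-+ return 0; /* already have it. */
-+
-+ /*
-+ * Prefer to alloc in SSHBUF_SIZE_INC units, but
-+ * allocate less if doing so would overflow max_size.
-+ */
-+ need = len + buf->size - buf->alloc;
-+ rlen = roundup(buf->alloc + need, SSHBUF_SIZE_INC);
-+ SSHBUF_DBG(("need %zu initial rlen %zu", need, rlen));
-+ if (rlen > buf->max_size)
-+ rlen = buf->alloc + need;
-+ SSHBUF_DBG(("adjusted rlen %zu", rlen));
-+ if ((dp = realloc(buf->d, rlen)) == NULL) {
-+ SSHBUF_DBG(("realloc fail"));
-+ return SSH_ERR_ALLOC_FAIL;
-}
-+ buf->alloc = rlen;
-+ buf->cd = buf->d = dp;
-+ if ((r = sshbuf_check_reserve(buf, len)) < 0) {
-+ /* shouldn't fail */
-+ return r;
-+ }
-+ SSHBUF_TELL("done");
-+ return 0;
-+}
-+
-+int
-+sshbuf_reserve(struct sshbuf *buf, size_t len, u_char **dpp)
-+{
-+ u_char *dp;
-+ int r;
-+
-+ if (dpp != NULL)
-+ *dpp = NULL;
-+
-+ SSHBUF_DBG(("reserve buf = %p len = %zu", buf, len));
-+ if ((r = sshbuf_allocate(buf, len)) != 0)
-+ return r;
-+
-dp = buf->d + buf->size;
-buf->size += len;
-- SSHBUF_TELL("done");
-if (dpp != NULL)
-*dpp = dp;
-return 0;
-}
-
-int
-sshbuf_consume(struct sshbuf *buf, size_t len)
-{
-diff --git a/openssh-7.2p2/sshbuf.h b/openssh-7.2p2/sshbuf.h
---- a/openssh-7.2p2/sshbuf.h
-+++ b/openssh-7.2p2/sshbuf.h
-@@ -134,16 +134,24 @@ u_char *sshbuf_mutable_ptr(const struct
-* Check whether a reservation of size len will succeed in buf
-* Safer to use than direct comparisons again sshbuf_avail as it copes
-* with unsigned overflows correctly.
-* Returns 0 on success, or a negative SSH_ERR_* error code on failure.
-*/
-int sshbuf_check_reserve(const struct sshbuf *buf, size_t len);
-
-/*
-+ * Preallocates len additional bytes in buf.
-+ * Useful for cases where the caller knows how many bytes will ultimately be
-+ * required to avoid realloc in the buffer code.
-+ * Returns 0 on success, or a negative SSH_ERR_* error code on failure.
-+ */
-+int sshbuf_allocate(struct sshbuf *buf, size_t len);
-+
-+/*
-* Reserve len bytes in buf.
-* Returns 0 on success and a pointer to the first reserved byte via the
-* optional dpp parameter or a negative * SSH_ERR_* error code on failure.
-*/
-int sshbuf_reserve(struct sshbuf *buf, size_t len, u_char **dpp);
-
-/*
-* Consume len bytes from the start of buf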
@ -1,264 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 4a254abf4ef391358257310ad2fe15c9e12dee34
|
|
||||||
Prevent user enumeration through password processing timing
|
|
||||||
CVE-2016-6210
|
|
||||||
bsc#989363
|
|
||||||
|
|
||||||
non-PAM part:
|
|
||||||
upstream commit: 9286875a73b2de7736b5e50692739d314cd8d9dc
|
|
||||||
|
|
||||||
PAM part:
|
|
||||||
upstream commit: 283b97ff33ea2c641161950849931bd578de6946
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/auth-pam.c b/openssh-7.2p2/auth-pam.c
|
|
||||||
--- a/openssh-7.2p2/auth-pam.c
|
|
||||||
+++ b/openssh-7.2p2/auth-pam.c
|
|
||||||
@@ -227,17 +227,16 @@ static pam_handle_t *sshpam_handle = NUL
|
|
||||||
static int sshpam_err = 0;
|
|
||||||
static int sshpam_authenticated = 0;
|
|
||||||
static int sshpam_session_open = 0;
|
|
||||||
static int sshpam_cred_established = 0;
|
|
||||||
static int sshpam_account_status = -1;
|
|
||||||
static char **sshpam_env = NULL;
|
|
||||||
static Authctxt *sshpam_authctxt = NULL;
|
|
||||||
static const char *sshpam_password = NULL;
|
|
||||||
-static char badpw[] = "\b\n\r\177INCORRECT";
|
|
||||||
|
|
||||||
/* Some PAM implementations don't implement this */
|
|
||||||
#ifndef HAVE_PAM_GETENVLIST
|
|
||||||
static char **
|
|
||||||
pam_getenvlist(pam_handle_t *pamh)
|
|
||||||
{
|
|
||||||
/*
|
|
||||||
* XXX - If necessary, we can still support envrionment passing
|
|
||||||
@@ -807,22 +806,45 @@ sshpam_query(void *ctx, char **name, cha
|
|
||||||
free(msg);
|
|
||||||
ctxt->pam_done = -1;
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * Returns a junk password of identical length to that the user supplied.
|
|
||||||
+ * Used to mitigate timing attacks against crypt(3)/PAM stacks that
|
|
||||||
+ * vary processing time in proportion to password length.
|
|
||||||
+ */
|
|
||||||
+static char *
|
|
||||||
+fake_password(const char *wire_password)
|
|
||||||
+{
|
|
||||||
+ const char junk[] = "\b\n\r\177INCORRECT";
|
|
||||||
+ char *ret = NULL;
|
|
||||||
+ size_t i, l = wire_password != NULL ? strlen(wire_password) : 0;
|
|
||||||
+
|
|
||||||
+ if (l >= INT_MAX)
|
|
||||||
+ fatal("%s: password length too long: %zu", __func__, l);
|
|
||||||
+
|
|
||||||
+ ret = xmalloc(l + 1);
|
|
||||||
+ for (i = 0; i < l; i++)
|
|
||||||
+ ret[i] = junk[i % (sizeof(junk) - 1)];
|
|
||||||
+ ret[i] = '\0';
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/* XXX - see also comment in auth-chall.c:verify_response */
|
|
||||||
static int
|
|
||||||
sshpam_respond(void *ctx, u_int num, char **resp)
|
|
||||||
{
|
|
||||||
Buffer buffer;
|
|
||||||
struct pam_ctxt *ctxt = ctx;
|
|
||||||
+ char *fake;
|
|
||||||
|
|
||||||
debug2("PAM: %s entering, %u responses", __func__, num);
|
|
||||||
switch (ctxt->pam_done) {
|
|
||||||
case 1:
|
|
||||||
sshpam_authenticated = 1;
|
|
||||||
return (0);
|
|
||||||
case 0:
|
|
||||||
break;
|
|
||||||
@@ -833,18 +855,21 @@ sshpam_respond(void *ctx, u_int num, cha
|
|
||||||
error("PAM: expected one response, got %u", num);
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
buffer_init(&buffer);
|
|
||||||
if (sshpam_authctxt->valid &&
|
|
||||||
(sshpam_authctxt->pw->pw_uid != 0 ||
|
|
||||||
options.permit_root_login == PERMIT_YES))
|
|
||||||
buffer_put_cstring(&buffer, *resp);
|
|
||||||
- else
|
|
||||||
- buffer_put_cstring(&buffer, badpw);
|
|
||||||
+ else {
|
|
||||||
+ fake = fake_password(*resp);
|
|
||||||
+ buffer_put_cstring(&buffer, fake);
|
|
||||||
+ free(fake);
|
|
||||||
+ }
|
|
||||||
if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
|
|
||||||
buffer_free(&buffer);
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
buffer_free(&buffer);
|
|
||||||
return (1);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1178,41 +1203,43 @@ static struct pam_conv passwd_conv = { s
|
|
||||||
/*
|
|
||||||
* Attempt password authentication via PAM
|
|
||||||
*/
|
|
||||||
int
|
|
||||||
sshpam_auth_passwd(Authctxt *authctxt, const char *password)
|
|
||||||
{
|
|
||||||
int flags = (options.permit_empty_passwd == 0 ?
|
|
||||||
PAM_DISALLOW_NULL_AUTHTOK : 0);
|
|
||||||
+ char *fake = NULL;
|
|
||||||
|
|
||||||
if (!options.use_pam || sshpam_handle == NULL)
|
|
||||||
fatal("PAM: %s called when PAM disabled or failed to "
|
|
||||||
"initialise.", __func__);
|
|
||||||
|
|
||||||
sshpam_password = password;
|
|
||||||
sshpam_authctxt = authctxt;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* If the user logging in is invalid, or is root but is not permitted
|
|
||||||
* by PermitRootLogin, use an invalid password to prevent leaking
|
|
||||||
* information via timing (eg if the PAM config has a delay on fail).
|
|
||||||
*/
|
|
||||||
if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
|
|
||||||
options.permit_root_login != PERMIT_YES))
|
|
||||||
- sshpam_password = badpw;
|
|
||||||
+ sshpam_password = fake = fake_password(password);
|
|
||||||
|
|
||||||
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
|
|
||||||
(const void *)&passwd_conv);
|
|
||||||
if (sshpam_err != PAM_SUCCESS)
|
|
||||||
fatal("PAM: %s: failed to set PAM_CONV: %s", __func__,
|
|
||||||
pam_strerror(sshpam_handle, sshpam_err));
|
|
||||||
|
|
||||||
sshpam_err = pam_authenticate(sshpam_handle, flags);
|
|
||||||
sshpam_password = NULL;
|
|
||||||
+ free(fake);
|
|
||||||
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
|
|
||||||
debug("PAM: password authentication accepted for %.100s",
|
|
||||||
authctxt->user);
|
|
||||||
return 1;
|
|
||||||
} else {
|
|
||||||
debug("PAM: password authentication failed for %.100s: %s",
|
|
||||||
authctxt->valid ? authctxt->user : "an illegal user",
|
|
||||||
pam_strerror(sshpam_handle, sshpam_err));
|
|
||||||
diff --git a/openssh-7.2p2/auth-passwd.c b/openssh-7.2p2/auth-passwd.c
|
|
||||||
--- a/openssh-7.2p2/auth-passwd.c
|
|
||||||
+++ b/openssh-7.2p2/auth-passwd.c
|
|
||||||
@@ -188,28 +188,32 @@ sys_auth_passwd(Authctxt *authctxt, cons
|
|
||||||
return (auth_close(as));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#elif !defined(CUSTOM_SYS_AUTH_PASSWD)
|
|
||||||
int
|
|
||||||
sys_auth_passwd(Authctxt *authctxt, const char *password)
|
|
||||||
{
|
|
||||||
struct passwd *pw = authctxt->pw;
|
|
||||||
- char *encrypted_password;
|
|
||||||
+ char *encrypted_password, *salt = NULL;
|
|
||||||
|
|
||||||
/* Just use the supplied fake password if authctxt is invalid */
|
|
||||||
char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
|
|
||||||
|
|
||||||
/* Check for users with no password. */
|
|
||||||
if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
|
|
||||||
return (1);
|
|
||||||
|
|
||||||
- /* Encrypt the candidate password using the proper salt. */
|
|
||||||
- encrypted_password = xcrypt(password,
|
|
||||||
- (pw_password[0] && pw_password[1]) ? pw_password : "xx");
|
|
||||||
+ /*
|
|
||||||
+ * Encrypt the candidate password using the proper salt, or pass a
|
|
||||||
+ * NULL and let xcrypt pick one.
|
|
||||||
+ */
|
|
||||||
+ if (authctxt->valid && pw_password[0] && pw_password[1])
|
|
||||||
+ salt = pw_password;
|
|
||||||
+ encrypted_password = xcrypt(password, salt);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Authentication is accepted if the encrypted passwords
|
|
||||||
* are identical.
|
|
||||||
*/
|
|
||||||
return encrypted_password != NULL &&
|
|
||||||
strcmp(encrypted_password, pw_password) == 0;
|
|
||||||
}
|
|
||||||
diff --git a/openssh-7.2p2/openbsd-compat/xcrypt.c b/openssh-7.2p2/openbsd-compat/xcrypt.c
|
|
||||||
--- a/openssh-7.2p2/openbsd-compat/xcrypt.c
|
|
||||||
+++ b/openssh-7.2p2/openbsd-compat/xcrypt.c
|
|
||||||
@@ -20,16 +20,17 @@
|
|
||||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
||||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
||||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
*/
|
|
||||||
|
|
||||||
#include "includes.h"
|
|
||||||
|
|
||||||
#include <sys/types.h>
+#include <string.h>
#include <unistd.h>
#include <pwd.h>
# if defined(HAVE_CRYPT_H) && !defined(HAVE_SECUREWARE)
# include <crypt.h>
# endif
# ifdef __hpux
@@ -57,21 +58,54 @@
# include "md5crypt.h"
# endif
# if defined(WITH_OPENSSL) && !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT)
# include <openssl/des.h>
# define crypt DES_crypt
# endif
+/*
+ * Pick an appropriate password encryption type and salt for the running
+ * system.
+ */
+static const char *
+pick_salt(void)
+{
+ struct passwd *pw;
+ char *passwd, *p;
+ size_t typelen;
+ static char salt[32];
+
+ if (salt[0] != '\0')
+ return salt;
+ strlcpy(salt, "xx", sizeof(salt));
+ if ((pw = getpwuid(0)) == NULL)
+ return salt;
+ passwd = shadow_pw(pw);
+ if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
+ return salt; /* no $, DES */
+ typelen = p - passwd + 1;
+ strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
+ explicit_bzero(passwd, strlen(passwd));
+ return salt;
+}
+
char *
xcrypt(const char *password, const char *salt)
{
char *crypted;
+ /*
+ * If we don't have a salt we are encrypting a fake password for
+ * for timing purposes. Pick an appropriate salt.
+ */
+ if (salt == NULL)
+ salt = pick_salt();
+
# ifdef HAVE_MD5_PASSWORDS
if (is_md5_salt(salt))
crypted = md5_crypt(password, salt);
else
crypted = crypt(password, salt);
# elif defined(__hpux) && !defined(HAVE_SECUREWARE)
if (iscomsec())
crypted = bigcrypt(password, salt);
@ -1,297 +0,0 @@
# HG changeset patch
# Parent 22de9aeddbde2b36da9c23475cfa5dcd42e95287
whitelist paths for loading of PKCS#11 modules in ssh-agent
CVE-2016-10009
bsc#1016366
upstream commit 786d5994da79151180cb14a6cf157ebbba61c0cc
diff --git a/openssh-7.2p2/ssh-agent.1 b/openssh-7.2p2/ssh-agent.1
--- a/openssh-7.2p2/ssh-agent.1
+++ b/openssh-7.2p2/ssh-agent.1
@@ -1,9 +1,9 @@
-.\" $OpenBSD: ssh-agent.1,v 1.62 2015/11/15 23:54:15 jmc Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.63 2016/11/30 03:07:37 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\" All rights reserved
.\"
.\" As far as I am concerned, the code I have written for this software
.\" can be used freely for any purpose. Any derived versions of this
.\" software must be clearly marked as such, and if the derived work is
@@ -29,29 +29,30 @@
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: November 15 2015 $
+.Dd $Mdocdate: November 30 2016 $
.Dt SSH-AGENT 1
.Os
.Sh NAME
.Nm ssh-agent
.Nd authentication agent
.Sh SYNOPSIS
.Nm ssh-agent
.Op Fl c | s
.Op Fl \&Dd
.Op Fl a Ar bind_address
.Op Fl E Ar fingerprint_hash
.Op Fl t Ar life
+.Op Fl P Ar pkcs11_whitelist
.Op Ar command Op Ar arg ...
.Nm ssh-agent
.Op Fl c | s
.Fl k
.Sh DESCRIPTION
.Nm
is a program to hold private keys used for public key authentication
(RSA, DSA, ECDSA, Ed25519).
@@ -116,16 +117,28 @@ Valid options are:
and
.Dq sha256 .
The default is
.Dq sha256 .
.It Fl k
Kill the current agent (given by the
.Ev SSH_AGENT_PID
environment variable).
+.It Fl P
+Specify a pattern-list of acceptable paths for PKCS#11 shared libraries
+that may be added using the
+.Fl s
+option to
+.Xr ssh-add 1 .
+The default is to allow loading PKCS#11 libraries from
+.Dq /usr/lib/*,/usr/local/lib/* .
+PKCS#11 libraries that do not match the whitelist will be refused.
+See PATTERNS in
+.Xr ssh_config 5
+for a description of pattern-list syntax.
.It Fl s
Generate Bourne shell commands on
.Dv stdout .
This is the default if
.Ev SHELL
does not look like it's a csh style of shell.
.It Fl t Ar life
Set a default value for the maximum lifetime of identities added to the agent.
diff --git a/openssh-7.2p2/ssh-agent.c b/openssh-7.2p2/ssh-agent.c
--- a/openssh-7.2p2/ssh-agent.c
+++ b/openssh-7.2p2/ssh-agent.c
@@ -78,25 +78,30 @@
#include "sshbuf.h"
#include "sshkey.h"
#include "authfd.h"
#include "compat.h"
#include "log.h"
#include "misc.h"
#include "digest.h"
#include "ssherr.h"
+#include "match.h"
#ifdef ENABLE_PKCS11
#include "ssh-pkcs11.h"
#endif
#if defined(HAVE_SYS_PRCTL_H)
#include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */
#endif
+#ifndef DEFAULT_PKCS11_WHITELIST
+# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
+#endif
+
typedef enum {
AUTH_UNUSED,
AUTH_SOCKET,
AUTH_CONNECTION
} sock_type;
typedef struct {
int fd;
@@ -134,16 +139,19 @@ time_t parent_alive_interval = 0;
/* pid of process for which cleanup_socket is applicable */
pid_t cleanup_pid = 0;
/* pathname and directory for AUTH_SOCKET */
char socket_name[PATH_MAX];
char socket_dir[PATH_MAX];
+/* PKCS#11 path whitelist */
+static char *pkcs11_whitelist;
+
/* locking */
#define LOCK_SIZE 32
#define LOCK_SALT_SIZE 16
#define LOCK_ROUNDS 1
int locked = 0;
char lock_passwd[LOCK_SIZE];
char lock_salt[LOCK_SALT_SIZE];
@@ -736,17 +744,17 @@ no_identities(SocketEntry *e, u_int type
fatal("%s: buffer error: %s", __func__, ssh_err(r));
sshbuf_free(msg);
}
#ifdef ENABLE_PKCS11
static void
process_add_smartcard_key(SocketEntry *e)
{
- char *provider = NULL, *pin;
+ char *provider = NULL, *pin, canonical_provider[PATH_MAX];
int r, i, version, count = 0, success = 0, confirm = 0;
u_int seconds;
time_t death = 0;
u_char type;
struct sshkey **keys = NULL, *k;
Identity *id;
Idtab *tab;
@@ -768,29 +776,40 @@ process_add_smartcard_key(SocketEntry *e
confirm = 1;
break;
default:
error("process_add_smartcard_key: "
"Unknown constraint type %d", type);
goto send;
}
}
+ if (realpath(provider, canonical_provider) == NULL) {
+ verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+ provider, strerror(errno));
+ goto send;
+ }
+ if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) {
+ verbose("refusing PKCS#11 add of \"%.100s\": "
+ "provider not whitelisted", canonical_provider);
+ goto send;
+ }
+ debug("%s: add %.100s", __func__, canonical_provider);
if (lifetime && !death)
death = monotime() + lifetime;
- count = pkcs11_add_provider(provider, pin, &keys);
+ count = pkcs11_add_provider(canonical_provider, pin, &keys);
for (i = 0; i < count; i++) {
k = keys[i];
version = k->type == KEY_RSA1 ? 1 : 2;
tab = idtab_lookup(version);
if (lookup_identity(k, version) == NULL) {
id = xcalloc(1, sizeof(Identity));
id->key = k;
- id->provider = xstrdup(provider);
- id->comment = xstrdup(provider); /* XXX */
+ id->provider = xstrdup(canonical_provider);
+ id->comment = xstrdup(canonical_provider); /* XXX */
id->death = death;
id->confirm = confirm;
TAILQ_INSERT_TAIL(&tab->idlist, id, next);
tab->nentries++;
success = 1;
} else {
sshkey_free(k);
}
@@ -1171,17 +1190,17 @@ check_parent_exists(void)
}
}
static void
usage(void)
{
fprintf(stderr,
"usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
- " [-t life] [command [arg ...]]\n"
+ " [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
" ssh-agent [-c | -s] -k\n");
exit(1);
}
int
main(int ac, char **av)
{
int c_flag = 0, d_flag = 0, D_flag = 0, k_flag = 0, s_flag = 0;
@@ -1215,31 +1234,36 @@ main(int ac, char **av)
#ifdef WITH_OPENSSL
OpenSSL_add_all_algorithms();
#endif
__progname = ssh_get_progname(av[0]);
seed_rng();
- while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) {
+ while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) {
switch (ch) {
case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg);
if (fingerprint_hash == -1)
fatal("Invalid hash algorithm \"%s\"", optarg);
break;
case 'c':
if (s_flag)
usage();
c_flag++;
break;
case 'k':
k_flag++;
break;
+ case 'P':
+ if (pkcs11_whitelist != NULL)
+ fatal("-P option already specified");
+ pkcs11_whitelist = xstrdup(optarg);
+ break;
case 's':
if (c_flag)
usage();
s_flag++;
break;
case 'd':
if (d_flag || D_flag)
usage();
@@ -1264,16 +1288,19 @@ main(int ac, char **av)
}
}
ac -= optind;
av += optind;
if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))
usage();
+ if (pkcs11_whitelist == NULL)
+ pkcs11_whitelist = xstrdup(DEFAULT_PKCS11_WHITELIST);
+
if (ac == 0 && !c_flag && !s_flag) {
shell = getenv("SHELL");
if (shell != NULL && (len = strlen(shell)) > 2 &&
strncmp(shell + len - 3, "csh", 3) == 0)
c_flag = 1;
}
if (k_flag) {
const char *errstr = NULL;
@@ -1411,17 +1438,17 @@ skip:
parent_alive_interval = 10;
idtab_init();
signal(SIGPIPE, SIG_IGN);
signal(SIGINT, (d_flag | D_flag) ? cleanup_handler : SIG_IGN);
signal(SIGHUP, cleanup_handler);
signal(SIGTERM, cleanup_handler);
nalloc = 0;
- if (pledge("stdio cpath unix id proc exec", NULL) == -1)
+ if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1)
fatal("%s: pledge: %s", __progname, strerror(errno));
platform_pledge_agent();
while (1) {
prepare_select(&readsetp, &writesetp, &max_fd, &nalloc, &tvp);
result = select(max_fd + 1, readsetp, writesetp, NULL, tvp);
saved_errno = errno;
if (parent_alive_interval != 0)
@ -1,82 +0,0 @@
# HG changeset patch
# Parent bb92b9f037cc3686a669cd84caa44a2716f34058
Date: Tue, 9 May 2017 14:27:34 -0300
[PATCH 0/3] Allow syscalls for openssl engines
From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
To: openssh-unix-dev@mindrot.org
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
implementation) which calls the libraries that will communicate with the
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
this is only need on s390 architecture.
The EP11 crypto card also needs to make an ioctl call, which receives an
specific argument.
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
related to bsc#1016709
diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c
--- a/openssh-7.2p2/sandbox-seccomp-filter.c
+++ b/openssh-7.2p2/sandbox-seccomp-filter.c
@@ -150,16 +150,19 @@ static const struct sock_filter preauth_
SC_ALLOW(stat),
#endif
#ifdef __NR_exit
SC_ALLOW(exit),
#endif
#ifdef __NR_exit_group
SC_ALLOW(exit_group),
#endif
+#if defined(__NR_flock) && defined(__s390__)
+ SC_ALLOW(flock),
+#endif
#ifdef __NR_getpgid
SC_ALLOW(getpgid),
#endif
#ifdef __NR_getpid
SC_ALLOW(getpid),
#endif
#ifdef __NR_getuid
SC_ALLOW(getuid),
@@ -180,16 +183,19 @@ static const struct sock_filter preauth_
SC_ALLOW(gettimeofday),
#endif
#ifdef SSH_AUDIT_EVENTS
SC_ALLOW(getuid),
#ifdef __NR_getuid32 /* not defined on x86_64 */
SC_ALLOW(getuid32),
#endif
#endif
+#if defined(__NR_ipc) && defined(__s390__)
+ SC_ALLOW(ipc),
+#endif
#ifdef __NR_madvise
SC_ALLOW(madvise),
#endif
#ifdef __NR_mmap
SC_ALLOW(mmap),
#endif
#ifdef __NR_mmap2
SC_ALLOW(mmap2),
@@ -233,16 +239,18 @@ static const struct sock_filter preauth_
#ifdef __NR_socketcall
SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
#endif
#ifdef __NR_ioctl
#ifdef __s390__
SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
+ /* Allow ioctls for EP11 crypto card on s390 */
+ SC_ALLOW_ARG(ioctl, 1, ZSENDEP11CPRB),
#endif
#endif
/* Default deny */
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
};
static const struct sock_fprog preauth_program = {
@ -1,100 +0,0 @@
# HG changeset patch
# Parent 6d8637bec747de081eccba9874f640dcbc4fbb68
This patch enables specific ioctl calls for ICA crypto card on s390
platform. Without this patch, users using the IBMCA engine are not able
to perform ssh login as the filter blocks the communication with the
crypto card.
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
bsc#1016709
Upstreamed as:
5f1596e11d55539678c41f68aed358628d33d86f
58b8cfa2a062b72139d7229ae8de567f55776f24
diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c
--- a/openssh-7.2p2/sandbox-seccomp-filter.c
+++ b/openssh-7.2p2/sandbox-seccomp-filter.c
@@ -54,42 +54,53 @@
#include <errno.h>
#include <signal.h>
#include <stdarg.h>
#include <stddef.h> /* for offsetof */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <endian.h>
+
+#ifdef __s390__
+#include <asm/zcrypt.h>
+#endif
#include "log.h"
#include "ssh-sandbox.h"
#include "xmalloc.h"
/* Linux seccomp_filter sandbox */
#define SECCOMP_FILTER_FAIL SECCOMP_RET_KILL
/* Use a signal handler to emit violations when debugging */
#ifdef SANDBOX_SECCOMP_FILTER_DEBUG
# undef SECCOMP_FILTER_FAIL
# define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP
#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
/* Simple helpers to avoid manual errors (but larger BPF programs). */
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+#define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)])
+#elif __BYTE_ORDER == __BIG_ENDIAN
+#define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)]) + sizeof(uint32_t)
+#else
+#error "Unknown endianness"
+#endif
#define SC_DENY(_nr, _errno) \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
#define SC_ALLOW(_nr) \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \
- /* load first syscall argument */ \
- BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
- offsetof(struct seccomp_data, args[(_arg_nr)])), \
+ /* load the syscall argument to check into accumulator */ \
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_ARG(_arg_nr)), \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
/* reload syscall number; all rules expect it in accumulator */ \
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
offsetof(struct seccomp_data, nr))
/* Syscall filtering set for preauth. */
static const struct sock_filter preauth_insns[] = {
@@ -217,16 +228,23 @@ static const struct sock_filter preauth_
SC_ALLOW(time),
#endif
#ifdef __NR_write
SC_ALLOW(write),
#endif
#ifdef __NR_socketcall
SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
#endif
+#ifdef __NR_ioctl
+#ifdef __s390__
+ SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
+ SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
+ SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
+#endif
+#endif
/* Default deny */
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
};
static const struct sock_fprog preauth_program = {
.len = (unsigned short)(sizeof(preauth_insns)/sizeof(preauth_insns[0])),
.filter = (struct sock_filter *)preauth_insns,
@ -1,34 +0,0 @@
# HG changeset patch
# Parent b07f00d5d805c043f5bdc7b8cf6701d924879fa6
Add the 'geteuid' syscall to allowed list, since it may becalled on the
mainframes when OpenSSL is using hardware crypto accelerator via libica
(via ibmica)
bsc#1004258
diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c
--- a/openssh-7.2p2/sandbox-seccomp-filter.c
+++ b/openssh-7.2p2/sandbox-seccomp-filter.c
@@ -148,16 +148,22 @@ static const struct sock_filter preauth_
SC_ALLOW(getpid),
#endif
#ifdef __NR_getuid
SC_ALLOW(getuid),
#endif
#ifdef __NR_getuid32
SC_ALLOW(getuid32),
#endif
+#ifdef __NR_geteuid
+ SC_ALLOW(geteuid),
+#endif
+#ifdef __NR_geteuid32
+ SC_ALLOW(geteuid32),
+#endif
#ifdef __NR_getrandom
SC_ALLOW(getrandom),
#endif
#ifdef __NR_gettimeofday
SC_ALLOW(gettimeofday),
#endif
#ifdef __NR_madvise
SC_ALLOW(madvise),
@ -1,31 +0,0 @@
# HG changeset patch
# Parent d75417bf0f4d50cabd84299773bab4ac68f68caa
add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread
from being killed by the seccomp filter
diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c
--- a/openssh-7.2p2/sandbox-seccomp-filter.c
+++ b/openssh-7.2p2/sandbox-seccomp-filter.c
@@ -142,16 +142,22 @@ static const struct sock_filter preauth_
SC_ALLOW(exit_group),
#endif
#ifdef __NR_getpgid
SC_ALLOW(getpgid),
#endif
#ifdef __NR_getpid
SC_ALLOW(getpid),
#endif
+#ifdef __NR_getuid
+ SC_ALLOW(getuid),
+#endif
+#ifdef __NR_getuid32
+ SC_ALLOW(getuid32),
+#endif
#ifdef __NR_getrandom
SC_ALLOW(getrandom),
#endif
#ifdef __NR_gettimeofday
SC_ALLOW(gettimeofday),
#endif
#ifdef __NR_madvise
SC_ALLOW(madvise),
@ -1,30 +0,0 @@
# HG changeset patch
# Parent 2153c4af090728c778931d2fad72d4b260294122
Allow the stat() syscall for OpenSSL re-seed patch
(which causes OpenSSL use stat() on some file)
bnc#912436
diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c
--- a/openssh-7.2p2/sandbox-seccomp-filter.c
+++ b/openssh-7.2p2/sandbox-seccomp-filter.c
@@ -130,16 +130,19 @@ static const struct sock_filter preauth_
SC_ALLOW(brk),
#endif
#ifdef __NR_clock_gettime
SC_ALLOW(clock_gettime),
#endif
#ifdef __NR_close
SC_ALLOW(close),
#endif
+#ifdef __NR_stat
+ SC_ALLOW(stat),
+#endif
#ifdef __NR_exit
SC_ALLOW(exit),
#endif
#ifdef __NR_exit_group
SC_ALLOW(exit_group),
#endif
#ifdef __NR_getpgid
SC_ALLOW(getpgid),
@ -1,51 +0,0 @@
# HG changeset patch
# Parent 4e1fd41aaa9cafe8f7b07868ac38ed4dbdf594aa
Do not allow unix socket when running without privilege separation to prevent
privilege escalation through a socket created with root: ownership.
CVE-2016-10010
bsc#1016368
backported upstream commit b737e4d7433577403a31cff6614f6a1b0b5e22f4
diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c
--- a/openssh-7.2p2/serverloop.c
+++ b/openssh-7.2p2/serverloop.c
@@ -990,17 +990,17 @@ server_request_direct_streamlocal(void)
originator_port = packet_get_int();
packet_check_eom();
debug("server_request_direct_streamlocal: originator %s port %d, target %s",
originator, originator_port, target);
/* XXX fine grained permissions */
if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
- !no_port_forwarding_flag) {
+ !no_port_forwarding_flag && use_privsep) {
c = channel_connect_to_path(target,
"direct-streamlocal@openssh.com", "direct-streamlocal");
} else {
logit("refused streamlocal port forward: "
"originator %s port %d, target %s",
originator, originator_port, target);
}
@@ -1274,17 +1274,17 @@ server_input_global_request(int type, u_
memset(&fwd, 0, sizeof(fwd));
fwd.listen_path = packet_get_string(NULL);
debug("server_input_global_request: streamlocal-forward listen path %s",
fwd.listen_path);
/* check permissions */
if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
- || no_port_forwarding_flag) {
+ || no_port_forwarding_flag || !use_privsep) {
success = 0;
packet_send_debug("Server has disabled port forwarding.");
} else {
/* Start listening on the socket */
success = channel_setup_remote_fwd_listener(
&fwd, NULL, &options.fwd_opts);
}
free(fwd.listen_path);
@ -1,461 +0,0 @@
# HG changeset patch
# Parent 6ece65e11f754d75dd33d72b6f8e487a9d047f2e
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
# bnc#703221, FATE#312172
diff --git a/openssh-7.2p2/entropy.c b/openssh-7.2p2/entropy.c
--- a/openssh-7.2p2/entropy.c
+++ b/openssh-7.2p2/entropy.c
@@ -49,16 +49,17 @@
#include "ssh.h"
#include "misc.h"
#include "xmalloc.h"
#include "atomicio.h"
#include "pathnames.h"
#include "log.h"
#include "buffer.h"
+#include "openbsd-compat/port-linux.h"
/*
* Portable OpenSSH PRNG seeding:
* If OpenSSL has not "internally seeded" itself (e.g. pulled data from
* /dev/random), then collect RANDOM_SEED_SIZE bytes of randomness from
* PRNGd.
*/
#ifndef OPENSSL_PRNG_ONLY
@@ -224,16 +225,19 @@ seed_rng(void)
}
if (seed_from_prngd(buf, sizeof(buf)) == -1)
fatal("Could not obtain seed from PRNGd");
RAND_add(buf, sizeof(buf), sizeof(buf));
memset(buf, '\0', sizeof(buf));
#endif /* OPENSSL_PRNG_ONLY */
+
+ linux_seed();
+
if (RAND_status() != 1)
fatal("PRNG is not seeded");
}
#else /* WITH_OPENSSL */
/* Handled in arc4random() */
void
diff --git a/openssh-7.2p2/openbsd-compat/Makefile.in b/openssh-7.2p2/openbsd-compat/Makefile.in
--- a/openssh-7.2p2/openbsd-compat/Makefile.in
+++ b/openssh-7.2p2/openbsd-compat/Makefile.in
@@ -15,17 +15,17 @@ AR=@AR@
RANLIB=@RANLIB@
INSTALL=@INSTALL@
LDFLAGS=-L. @LDFLAGS@
OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha1.o sha2.o rmd160.o md5.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
all: libopenbsd-compat.a
$(COMPAT): ../config.h
$(OPENBSD): ../config.h
diff --git a/openssh-7.2p2/openbsd-compat/port-linux-prng.c b/openssh-7.2p2/openbsd-compat/port-linux-prng.c
new file mode 100644
--- /dev/null
+++ b/openssh-7.2p2/openbsd-compat/port-linux-prng.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
+ * (c) 2011 Petr Cerny <pcerny@suse.cz>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Linux-specific portability code - prng support
+ */
+
+#include "includes.h"
+#include "defines.h"
+
+#include <errno.h>
+#include <stdarg.h>
+#include <string.h>
+#include <stdio.h>
+#include <openssl/rand.h>
+
+#include "log.h"
+#include "port-linux.h"
+#include "fips.h"
+
+#define RNG_BYTES_DEFAULT 6L
+#define RNG_ENV_VAR "SSH_USE_STRONG_RNG"
+
+long rand_bytes = 0;
+char *rand_file = NULL;
+
+static void
+linux_seed_init(void)
+{
+ long elen = 0;
+ char *env = getenv(RNG_ENV_VAR);
+
+ if (env) {
+ errno = 0;
+ elen = strtol(env, NULL, 10);
+ if (errno) {
+ elen = RNG_BYTES_DEFAULT;
+ debug("bogus value in the %s environment variable, "
+ "using %li bytes from /dev/random\n",
+ RNG_ENV_VAR, RNG_BYTES_DEFAULT);
+ }
+ }
+
+ if (elen || fips_mode())
+ rand_file = "/dev/random";
+ else
+ rand_file = "/dev/urandom";
+
+ rand_bytes = MAX(elen, RNG_BYTES_DEFAULT);
+}
+
+void
+linux_seed(void)
+{
+ long len;
+ if (!rand_file)
+ linux_seed_init();
+
+ errno = 0;
+ len = RAND_load_file(rand_file, rand_bytes);
+ if (len != rand_bytes) {
+ if (errno)
+ fatal ("cannot read from %s, %s", rand_file, strerror(errno));
+ else
+ fatal ("EOF reading %s", rand_file);
+ }
+}
diff --git a/openssh-7.2p2/openbsd-compat/port-linux.h b/openssh-7.2p2/openbsd-compat/port-linux.h
--- a/openssh-7.2p2/openbsd-compat/port-linux.h
+++ b/openssh-7.2p2/openbsd-compat/port-linux.h
@@ -14,16 +14,20 @@
|
|
||||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
||||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
||||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
||||||
*/
|
|
||||||
|
|
||||||
#ifndef _PORT_LINUX_H
|
|
||||||
#define _PORT_LINUX_H
|
|
||||||
|
|
||||||
+extern long rand_bytes;
|
|
||||||
+extern char *rand_file;
|
|
||||||
+void linux_seed(void);
|
|
||||||
+
|
|
||||||
#ifdef WITH_SELINUX
|
|
||||||
int ssh_selinux_enabled(void);
|
|
||||||
void ssh_selinux_setup_pty(char *, const char *);
|
|
||||||
void ssh_selinux_setup_exec_context(char *);
|
|
||||||
void ssh_selinux_change_context(const char *);
|
|
||||||
void ssh_selinux_setfscreatecon(const char *);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/ssh-add.1 b/openssh-7.2p2/ssh-add.1
|
|
||||||
--- a/openssh-7.2p2/ssh-add.1
|
|
||||||
+++ b/openssh-7.2p2/ssh-add.1
|
|
||||||
@@ -166,16 +166,30 @@ or related script.
|
|
||||||
(Note that on some machines it
|
|
||||||
may be necessary to redirect the input from
|
|
||||||
.Pa /dev/null
|
|
||||||
to make this work.)
|
|
||||||
.It Ev SSH_AUTH_SOCK
|
|
||||||
Identifies the path of a
|
|
||||||
.Ux Ns -domain
|
|
||||||
socket used to communicate with the agent.
|
|
||||||
+.It Ev SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 6 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
.El
|
|
||||||
.Sh FILES
|
|
||||||
.Bl -tag -width Ds
|
|
||||||
.It Pa ~/.ssh/identity
|
|
||||||
Contains the protocol version 1 RSA authentication identity of the user.
|
|
||||||
.It Pa ~/.ssh/id_dsa
|
|
||||||
Contains the protocol version 2 DSA authentication identity of the user.
|
|
||||||
.It Pa ~/.ssh/id_ecdsa
|
|
||||||
diff --git a/openssh-7.2p2/ssh-agent.1 b/openssh-7.2p2/ssh-agent.1
|
|
||||||
--- a/openssh-7.2p2/ssh-agent.1
|
|
||||||
+++ b/openssh-7.2p2/ssh-agent.1
|
|
||||||
@@ -196,16 +196,33 @@ line terminates.
|
|
||||||
.Sh FILES
|
|
||||||
.Bl -tag -width Ds
|
|
||||||
.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
|
|
||||||
.Ux Ns -domain
|
|
||||||
sockets used to contain the connection to the authentication agent.
|
|
||||||
These sockets should only be readable by the owner.
|
|
||||||
The sockets should get automatically removed when the agent exits.
|
|
||||||
.El
|
|
||||||
+.Sh ENVIRONMENT
|
|
||||||
+.Bl -tag -width Ds -compact
|
|
||||||
+.Pp
|
|
||||||
+.It Pa SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 6 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
.Sh SEE ALSO
|
|
||||||
.Xr ssh 1 ,
|
|
||||||
.Xr ssh-add 1 ,
|
|
||||||
.Xr ssh-keygen 1 ,
|
|
||||||
.Xr sshd 8
|
|
||||||
.Sh AUTHORS
|
|
||||||
OpenSSH is a derivative of the original and free
|
|
||||||
ssh 1.2.12 release by Tatu Ylonen.
|
|
||||||
diff --git a/openssh-7.2p2/ssh-keygen.1 b/openssh-7.2p2/ssh-keygen.1
|
|
||||||
--- a/openssh-7.2p2/ssh-keygen.1
|
|
||||||
+++ b/openssh-7.2p2/ssh-keygen.1
|
|
||||||
@@ -841,16 +841,33 @@ on all machines
|
|
||||||
where the user wishes to log in using public key authentication.
|
|
||||||
There is no need to keep the contents of this file secret.
|
|
||||||
.Pp
|
|
||||||
.It Pa /etc/moduli
|
|
||||||
Contains Diffie-Hellman groups used for DH-GEX.
|
|
||||||
The file format is described in
|
|
||||||
.Xr moduli 5 .
|
|
||||||
.El
|
|
||||||
+.Sh ENVIRONMENT
|
|
||||||
+.Bl -tag -width Ds -compact
|
|
||||||
+.Pp
|
|
||||||
+.It Pa SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 6 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
.Sh SEE ALSO
|
|
||||||
.Xr ssh 1 ,
|
|
||||||
.Xr ssh-add 1 ,
|
|
||||||
.Xr ssh-agent 1 ,
|
|
||||||
.Xr moduli 5 ,
|
|
||||||
.Xr sshd 8
|
|
||||||
.Rs
|
|
||||||
.%R RFC 4716
|
|
||||||
diff --git a/openssh-7.2p2/ssh-keysign.8 b/openssh-7.2p2/ssh-keysign.8
|
|
||||||
--- a/openssh-7.2p2/ssh-keysign.8
|
|
||||||
+++ b/openssh-7.2p2/ssh-keysign.8
|
|
||||||
@@ -75,16 +75,33 @@ must be set-uid root if host-based authe
|
|
||||||
.Pp
|
|
||||||
.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
|
|
||||||
.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
|
|
||||||
.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
|
|
||||||
.It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
|
|
||||||
If these files exist they are assumed to contain public certificate
|
|
||||||
information corresponding with the private keys above.
|
|
||||||
.El
|
|
||||||
+.Sh ENVIRONMENT
|
|
||||||
+.Bl -tag -width Ds -compact
|
|
||||||
+.Pp
|
|
||||||
+.It Pa SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 6 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
.Sh SEE ALSO
|
|
||||||
.Xr ssh 1 ,
|
|
||||||
.Xr ssh-keygen 1 ,
|
|
||||||
.Xr ssh_config 5 ,
|
|
||||||
.Xr sshd 8
|
|
||||||
.Sh HISTORY
|
|
||||||
.Nm
|
|
||||||
first appeared in
|
|
||||||
diff --git a/openssh-7.2p2/ssh.1 b/openssh-7.2p2/ssh.1
|
|
||||||
--- a/openssh-7.2p2/ssh.1
|
|
||||||
+++ b/openssh-7.2p2/ssh.1
|
|
||||||
@@ -1411,16 +1411,30 @@ reads
|
|
||||||
and adds lines of the format
|
|
||||||
.Dq VARNAME=value
|
|
||||||
to the environment if the file exists and users are allowed to
|
|
||||||
change their environment.
|
|
||||||
For more information, see the
|
|
||||||
.Cm PermitUserEnvironment
|
|
||||||
option in
|
|
||||||
.Xr sshd_config 5 .
|
|
||||||
+.It Ev SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 6 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
.Sh FILES
|
|
||||||
.Bl -tag -width Ds -compact
|
|
||||||
.It Pa ~/.rhosts
|
|
||||||
This file is used for host-based authentication (see above).
|
|
||||||
On some machines this file may need to be
|
|
||||||
world-readable if the user's home directory is on an NFS partition,
|
|
||||||
because
|
|
||||||
.Xr sshd 8
|
|
||||||
diff --git a/openssh-7.2p2/sshd.8 b/openssh-7.2p2/sshd.8
|
|
||||||
--- a/openssh-7.2p2/sshd.8
|
|
||||||
+++ b/openssh-7.2p2/sshd.8
|
|
||||||
@@ -972,16 +972,33 @@ and not group or world-writable.
|
|
||||||
.It Pa /var/run/sshd.pid
|
|
||||||
Contains the process ID of the
|
|
||||||
.Nm
|
|
||||||
listening for connections (if there are several daemons running
|
|
||||||
concurrently for different ports, this contains the process ID of the one
|
|
||||||
started last).
|
|
||||||
The content of this file is not sensitive; it can be world-readable.
|
|
||||||
.El
|
|
||||||
+.Sh ENVIRONMENT
|
|
||||||
+.Bl -tag -width Ds -compact
|
|
||||||
+.Pp
|
|
||||||
+.It Pa SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 6 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
.Sh SEE ALSO
|
|
||||||
.Xr scp 1 ,
|
|
||||||
.Xr sftp 1 ,
|
|
||||||
.Xr ssh 1 ,
|
|
||||||
.Xr ssh-add 1 ,
|
|
||||||
.Xr ssh-agent 1 ,
|
|
||||||
.Xr ssh-keygen 1 ,
|
|
||||||
.Xr ssh-keyscan 1 ,
|
|
||||||
diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
|
|
||||||
--- a/openssh-7.2p2/sshd.c
|
|
||||||
+++ b/openssh-7.2p2/sshd.c
|
|
||||||
@@ -50,16 +50,18 @@
|
|
||||||
#ifdef HAVE_SYS_STAT_H
|
|
||||||
# include <sys/stat.h>
|
|
||||||
#endif
|
|
||||||
#ifdef HAVE_SYS_TIME_H
|
|
||||||
# include <sys/time.h>
|
|
||||||
#endif
|
|
||||||
#include "openbsd-compat/sys-tree.h"
|
|
||||||
#include "openbsd-compat/sys-queue.h"
|
|
||||||
+#include "openbsd-compat/port-linux.h"
|
|
||||||
+
|
|
||||||
#include <sys/wait.h>
|
|
||||||
|
|
||||||
#include <errno.h>
|
|
||||||
#include <fcntl.h>
|
|
||||||
#include <netdb.h>
|
|
||||||
#ifdef HAVE_PATHS_H
|
|
||||||
#include <paths.h>
|
|
||||||
#endif
|
|
||||||
@@ -209,16 +211,23 @@ struct {
|
|
||||||
Key **host_pubkeys; /* all public host keys */
|
|
||||||
Key **host_certificates; /* all public host certificates */
|
|
||||||
int have_ssh1_key;
|
|
||||||
int have_ssh2_key;
|
|
||||||
u_char ssh1_cookie[SSH_SESSION_KEY_LENGTH];
|
|
||||||
} sensitive_data;
|
|
||||||
|
|
||||||
/*
|
|
||||||
+ * Every RESEED_AFTERth connection triggers call to linux_seed() to re-seed the
|
|
||||||
+ * random pool.
|
|
||||||
+ */
|
|
||||||
+#define RESEED_AFTER 100
|
|
||||||
+static int re_seeding_counter = RESEED_AFTER;
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
* Flag indicating whether the RSA server key needs to be regenerated.
|
|
||||||
* Is set in the SIGALRM handler and cleared when the key is regenerated.
|
|
||||||
*/
|
|
||||||
static volatile sig_atomic_t key_do_regen = 0;
|
|
||||||
|
|
||||||
/* This is set to true when a signal is received. */
|
|
||||||
static volatile sig_atomic_t received_sighup = 0;
|
|
||||||
static volatile sig_atomic_t received_sigterm = 0;
|
|
||||||
@@ -1343,16 +1352,20 @@ server_accept_loop(int *sock_in, int *so
|
|
||||||
for (j = 0; j < options.max_startups; j++)
|
|
||||||
if (startup_pipes[j] == -1) {
|
|
||||||
startup_pipes[j] = startup_p[0];
|
|
||||||
if (maxfd < startup_p[0])
|
|
||||||
maxfd = startup_p[0];
|
|
||||||
startups++;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
+ if(!(--re_seeding_counter)) {
|
|
||||||
+ re_seeding_counter = RESEED_AFTER;
|
|
||||||
+ linux_seed();
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Got connection. Fork a child to handle it, unless
|
|
||||||
* we are in debugging mode.
|
|
||||||
*/
|
|
||||||
if (debug_flag) {
|
|
||||||
/*
|
|
||||||
* In debugging mode. Close the listening
|
|
@ -1,157 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 7b45c4f3fef6836db00c5b198736cce17290c5cd
|
|
||||||
additional option for sftp-server to force file mode for new files
|
|
||||||
FATE#312774
|
|
||||||
http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.html
|
|
||||||
http://marc.info/?l=openssh-unix-dev&m=128896838930893
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/sftp-server.8 b/openssh-7.2p2/sftp-server.8
|
|
||||||
--- a/openssh-7.2p2/sftp-server.8
|
|
||||||
+++ b/openssh-7.2p2/sftp-server.8
|
|
||||||
@@ -33,16 +33,17 @@
|
|
||||||
.Bk -words
|
|
||||||
.Op Fl ehR
|
|
||||||
.Op Fl d Ar start_directory
|
|
||||||
.Op Fl f Ar log_facility
|
|
||||||
.Op Fl l Ar log_level
|
|
||||||
.Op Fl P Ar blacklisted_requests
|
|
||||||
.Op Fl p Ar whitelisted_requests
|
|
||||||
.Op Fl u Ar umask
|
|
||||||
+.Op Fl m Ar force_file_permissions
|
|
||||||
.Ek
|
|
||||||
.Nm
|
|
||||||
.Fl Q Ar protocol_feature
|
|
||||||
.Sh DESCRIPTION
|
|
||||||
.Nm
|
|
||||||
is a program that speaks the server side of SFTP protocol
|
|
||||||
to stdout and expects client requests from stdin.
|
|
||||||
.Nm
|
|
||||||
@@ -133,16 +134,20 @@ Places this instance of
|
|
||||||
into a read-only mode.
|
|
||||||
Attempts to open files for writing, as well as other operations that change
|
|
||||||
the state of the filesystem, will be denied.
|
|
||||||
.It Fl u Ar umask
|
|
||||||
Sets an explicit
|
|
||||||
.Xr umask 2
|
|
||||||
to be applied to newly-created files and directories, instead of the
|
|
||||||
user's default mask.
|
|
||||||
+.It Fl m Ar force_file_permissions
|
|
||||||
+Sets explicit file permissions to be applied to newly-created files instead
|
|
||||||
+of the default or client requested mode. Numeric values include:
|
|
||||||
+777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set.
|
|
||||||
.El
|
|
||||||
.Pp
|
|
||||||
On some systems,
|
|
||||||
.Nm
|
|
||||||
must be able to access
|
|
||||||
.Pa /dev/log
|
|
||||||
for logging to work, and use of
|
|
||||||
.Nm
|
|
||||||
diff --git a/openssh-7.2p2/sftp-server.c b/openssh-7.2p2/sftp-server.c
|
|
||||||
--- a/openssh-7.2p2/sftp-server.c
|
|
||||||
+++ b/openssh-7.2p2/sftp-server.c
|
|
||||||
@@ -73,16 +73,20 @@ static u_int version;
|
|
||||||
static int init_done;
|
|
||||||
|
|
||||||
/* Disable writes */
|
|
||||||
static int readonly;
|
|
||||||
|
|
||||||
/* Requests that are allowed/denied */
|
|
||||||
static char *request_whitelist, *request_blacklist;
|
|
||||||
|
|
||||||
+/* Force file permissions */
|
|
||||||
+int permforce = 0;
|
|
||||||
+long permforcemode;
|
|
||||||
+
|
|
||||||
/* portable attributes, etc. */
|
|
||||||
typedef struct Stat Stat;
|
|
||||||
|
|
||||||
struct Stat {
|
|
||||||
char *name;
|
|
||||||
char *long_name;
|
|
||||||
Attrib attrib;
|
|
||||||
};
|
|
||||||
@@ -687,16 +691,20 @@ process_open(u_int32_t id)
|
|
||||||
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
|
|
||||||
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
|
|
||||||
(r = decode_attrib(iqueue, &a)) != 0)
|
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
|
|
||||||
debug3("request %u: open flags %d", id, pflags);
|
|
||||||
flags = flags_from_portable(pflags);
|
|
||||||
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
|
|
||||||
+ if (permforce == 1) {
|
|
||||||
+ mode = permforcemode;
|
|
||||||
+ (void)umask(0); /* so umask does not interfere */
|
|
||||||
+ }
|
|
||||||
logit("open \"%s\" flags %s mode 0%o",
|
|
||||||
name, string_from_portable(pflags), mode);
|
|
||||||
if (readonly &&
|
|
||||||
((flags & O_ACCMODE) == O_WRONLY ||
|
|
||||||
(flags & O_ACCMODE) == O_RDWR)) {
|
|
||||||
verbose("Refusing open request in read-only mode");
|
|
||||||
status = SSH2_FX_PERMISSION_DENIED;
|
|
||||||
} else {
|
|
||||||
@@ -1489,17 +1497,18 @@ sftp_server_cleanup_exit(int i)
|
|
||||||
static void
|
|
||||||
sftp_server_usage(void)
|
|
||||||
{
|
|
||||||
extern char *__progname;
|
|
||||||
|
|
||||||
fprintf(stderr,
|
|
||||||
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
|
|
||||||
"[-l log_level]\n\t[-P blacklisted_requests] "
|
|
||||||
- "[-p whitelisted_requests] [-u umask]\n"
|
|
||||||
+ "[-p whitelisted_requests] [-u umask]\n\t"
|
|
||||||
+ "[-m force_file_permissions]\n"
|
|
||||||
" %s -Q protocol_feature\n",
|
|
||||||
__progname, __progname);
|
|
||||||
exit(1);
|
|
||||||
}
|
|
||||||
|
|
||||||
int
|
|
||||||
sftp_server_main(int argc, char **argv, struct passwd *user_pw)
|
|
||||||
{
|
|
||||||
@@ -1515,17 +1524,17 @@ sftp_server_main(int argc, char **argv,
|
|
||||||
|
|
||||||
ssh_malloc_init(); /* must be called before any mallocs */
|
|
||||||
__progname = ssh_get_progname(argv[0]);
|
|
||||||
log_init(__progname, log_level, log_facility, log_stderr);
|
|
||||||
|
|
||||||
pw = pwcopy(user_pw);
|
|
||||||
|
|
||||||
while (!skipargs && (ch = getopt(argc, argv,
|
|
||||||
- "d:f:l:P:p:Q:u:cehR")) != -1) {
|
|
||||||
+ "d:f:l:P:p:Q:u:m:cehR")) != -1) {
|
|
||||||
switch (ch) {
|
|
||||||
case 'Q':
|
|
||||||
if (strcasecmp(optarg, "requests") != 0) {
|
|
||||||
fprintf(stderr, "Invalid query type\n");
|
|
||||||
exit(1);
|
|
||||||
}
|
|
||||||
for (i = 0; handlers[i].handler != NULL; i++)
|
|
||||||
printf("%s\n", handlers[i].name);
|
|
||||||
@@ -1575,16 +1584,23 @@ sftp_server_main(int argc, char **argv,
|
|
||||||
case 'u':
|
|
||||||
errno = 0;
|
|
||||||
mask = strtol(optarg, &cp, 8);
|
|
||||||
if (mask < 0 || mask > 0777 || *cp != '\0' ||
|
|
||||||
cp == optarg || (mask == 0 && errno != 0))
|
|
||||||
fatal("Invalid umask \"%s\"", optarg);
|
|
||||||
(void)umask((mode_t)mask);
|
|
||||||
break;
|
|
||||||
+ case 'm':
|
|
||||||
+ permforce = 1;
|
|
||||||
+ permforcemode = strtol(optarg, &cp, 8);
|
|
||||||
+ if (permforcemode < 0 || permforcemode > 0777 || *cp != '\0' ||
|
|
||||||
+ cp == optarg || (permforcemode == 0 && errno != 0))
|
|
||||||
+ fatal("Invalid umask \"%s\"", optarg);
|
|
||||||
+ break;
|
|
||||||
case 'h':
|
|
||||||
default:
|
|
||||||
sftp_server_usage();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
log_init(__progname, log_level, log_facility, log_stderr);
|
|
||||||
|
|
@ -1,366 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent fc81df6f2bf393e45e703c89976c3a0fe6e0a273
|
|
||||||
run sftp sessions inside a chroot
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
|
|
||||||
--- a/openssh-7.2p2/session.c
|
|
||||||
+++ b/openssh-7.2p2/session.c
|
|
||||||
@@ -123,16 +123,18 @@ int do_exec(Session *, const char *);
|
|
||||||
void do_login(Session *, const char *);
|
|
||||||
#ifdef LOGIN_NEEDS_UTMPX
|
|
||||||
static void do_pre_login(Session *s);
|
|
||||||
#endif
|
|
||||||
void do_child(Session *, const char *);
|
|
||||||
void do_motd(void);
|
|
||||||
int check_quietlogin(Session *, const char *);
|
|
||||||
|
|
||||||
+int chroot_no_tree = 0;
|
|
||||||
+
|
|
||||||
static void do_authenticated1(Authctxt *);
|
|
||||||
static void do_authenticated2(Authctxt *);
|
|
||||||
|
|
||||||
static int session_pty_req(Session *);
|
|
||||||
|
|
||||||
/* import */
|
|
||||||
extern ServerOptions options;
|
|
||||||
extern char *__progname;
|
|
||||||
@@ -838,16 +840,21 @@ do_exec(Session *s, const char *command)
|
|
||||||
"subsystem '%.900s'", s->subsys);
|
|
||||||
} else if (command == NULL) {
|
|
||||||
snprintf(session_type, sizeof(session_type), "shell");
|
|
||||||
} else {
|
|
||||||
/* NB. we don't log unforced commands to preserve privacy */
|
|
||||||
snprintf(session_type, sizeof(session_type), "command");
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if ((s->is_subsystem != SUBSYSTEM_INT_SFTP) && chroot_no_tree) {
|
|
||||||
+ logit("You aren't welcomed, go away!");
|
|
||||||
+ exit (1);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (s->ttyfd != -1) {
|
|
||||||
tty = s->tty;
|
|
||||||
if (strncmp(tty, "/dev/", 5) == 0)
|
|
||||||
tty += 5;
|
|
||||||
}
|
|
||||||
|
|
||||||
verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
|
|
||||||
session_type,
|
|
||||||
@@ -1492,58 +1499,123 @@ do_nologin(struct passwd *pw)
|
|
||||||
while (fgets(buf, sizeof(buf), f))
|
|
||||||
fputs(buf, stderr);
|
|
||||||
fclose(f);
|
|
||||||
}
|
|
||||||
exit(254);
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
+ * Test if filesystem is mounted nosuid and nodev
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+static void
|
|
||||||
+test_nosuid (char * path, dev_t fs)
|
|
||||||
+{
|
|
||||||
+ FILE *f;
|
|
||||||
+ struct stat st;
|
|
||||||
+ char buf[4096], *s, *on, *mountpoint, *opt;
|
|
||||||
+ int nodev, nosuid;
|
|
||||||
+
|
|
||||||
+ if (!(f = popen ("/bin/mount", "r")))
|
|
||||||
+ fatal ("%s: popen(\"/bin/mount\", \"r\"): %s",
|
|
||||||
+ __func__, strerror (errno));
|
|
||||||
+ for (;;) {
|
|
||||||
+ s = fgets (buf, sizeof (buf), f);
|
|
||||||
+ if (ferror (f))
|
|
||||||
+ fatal ("%s: read from popen: %s", __func__,
|
|
||||||
+ strerror (errno));
|
|
||||||
+ if (!s) {
|
|
||||||
+ pclose (f);
|
|
||||||
+ fatal ("cannot find filesystem with the chroot directory");
|
|
||||||
+ }
|
|
||||||
+ (void) strtok (buf, " ");
|
|
||||||
+ on = strtok (NULL, " ");
|
|
||||||
+ if (strcmp (on, "on")) {
|
|
||||||
+ pclose (f);
|
|
||||||
+ fatal ("bad format of mount output");
|
|
||||||
+ }
|
|
||||||
+ mountpoint = strtok (NULL, " ");
|
|
||||||
+ if (memcmp (path, mountpoint, strlen (mountpoint)))
|
|
||||||
+ continue;
|
|
||||||
+ if (stat(mountpoint, &st) != 0) {
|
|
||||||
+ pclose (f);
|
|
||||||
+ fatal("%s: stat(\"%s\"): %s", __func__,
|
|
||||||
+ mountpoint, strerror(errno));
|
|
||||||
+ }
|
|
||||||
+ if (fs != st.st_dev)
|
|
||||||
+ continue;
|
|
||||||
+ nodev = nosuid = 0;
|
|
||||||
+ for (opt = strtok (NULL, "("); opt; opt = strtok (NULL, " ,)")) {
|
|
||||||
+ if (!strcmp (opt, "nodev"))
|
|
||||||
+ nodev = 1;
|
|
||||||
+ else if (!strcmp (opt, "nosuid"))
|
|
||||||
+ nosuid = 1;
|
|
||||||
+ else if (!strcmp (opt, "noexec"))
|
|
||||||
+ nosuid = 1;
|
|
||||||
+ if (nodev && nosuid) {
|
|
||||||
+ pclose (f);
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ fatal ("chroot into directory without nodev and either noexec or nosuid");
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
* Chroot into a directory after checking it for safety: all path components
|
|
||||||
* must be root-owned directories with strict permissions.
|
|
||||||
*/
|
|
||||||
static void
|
|
||||||
safely_chroot(const char *path, uid_t uid)
|
|
||||||
{
|
|
||||||
const char *cp;
|
|
||||||
char component[PATH_MAX];
|
|
||||||
struct stat st;
|
|
||||||
+ int last;
|
|
||||||
|
|
||||||
if (*path != '/')
|
|
||||||
fatal("chroot path does not begin at root");
|
|
||||||
if (strlen(path) >= sizeof(component))
|
|
||||||
fatal("chroot path too long");
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Descend the path, checking that each component is a
|
|
||||||
* root-owned directory with strict permissions.
|
|
||||||
*/
|
|
||||||
for (cp = path; cp != NULL;) {
|
|
||||||
- if ((cp = strchr(cp, '/')) == NULL)
|
|
||||||
+ if (last = ((cp = strchr(cp, '/')) == NULL))
|
|
||||||
strlcpy(component, path, sizeof(component));
|
|
||||||
else {
|
|
||||||
cp++;
|
|
||||||
memcpy(component, path, cp - path);
|
|
||||||
component[cp - path] = '\0';
|
|
||||||
}
|
|
||||||
|
|
||||||
debug3("%s: checking '%s'", __func__, component);
|
|
||||||
|
|
||||||
if (stat(component, &st) != 0)
|
|
||||||
fatal("%s: stat(\"%s\"): %s", __func__,
|
|
||||||
component, strerror(errno));
|
|
||||||
- if (st.st_uid != 0 || (st.st_mode & 022) != 0)
|
|
||||||
+ if ((st.st_uid != 0 || (st.st_mode & 022) != 0) && !(last && st.st_uid == uid))
|
|
||||||
fatal("bad ownership or modes for chroot "
|
|
||||||
"directory %s\"%s\"",
|
|
||||||
cp == NULL ? "" : "component ", component);
|
|
||||||
if (!S_ISDIR(st.st_mode))
|
|
||||||
fatal("chroot path %s\"%s\" is not a directory",
|
|
||||||
cp == NULL ? "" : "component ", component);
|
|
||||||
|
|
||||||
}
|
|
||||||
+ setenv ("TZ", "/etc/localtime", 0);
|
|
||||||
+ tzset();
|
|
||||||
+
|
|
||||||
+ if (st.st_uid) {
|
|
||||||
+ test_nosuid(path, st.st_dev);
|
|
||||||
+ ++chroot_no_tree;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (chdir(path) == -1)
|
|
||||||
fatal("Unable to chdir to chroot path \"%s\": "
|
|
||||||
"%s", path, strerror(errno));
|
|
||||||
if (chroot(path) == -1)
|
|
||||||
fatal("chroot(\"%s\"): %s", path, strerror(errno));
|
|
||||||
if (chdir("/") == -1)
|
|
||||||
fatal("%s: chdir(/) after chroot: %s",
|
|
||||||
diff --git a/openssh-7.2p2/sftp-chrootenv.h b/openssh-7.2p2/sftp-chrootenv.h
|
|
||||||
new file mode 100644
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/openssh-7.2p2/sftp-chrootenv.h
|
|
||||||
@@ -0,0 +1,30 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (c) 2009 Jan F Chadima. All rights reserved.
|
|
||||||
+ *
|
|
||||||
+ * Redistribution and use in source and binary forms, with or without
|
|
||||||
+ * modification, are permitted provided that the following conditions
|
|
||||||
+ * are met:
|
|
||||||
+ * 1. Redistributions of source code must retain the above copyright
|
|
||||||
+ * notice, this list of conditions and the following disclaimer.
|
|
||||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
||||||
+ * notice, this list of conditions and the following disclaimer in the
|
|
||||||
+ * documentation and/or other materials provided with the distribution.
|
|
||||||
+ *
|
|
||||||
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
||||||
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
||||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
||||||
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
||||||
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
||||||
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
||||||
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
||||||
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
||||||
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
||||||
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
+ */
|
|
||||||
+#ifndef CHROOTENV_H
|
|
||||||
+#define CHROOTENV_H
|
|
||||||
+
|
|
||||||
+extern int chroot_no_tree;
|
|
||||||
+
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
diff --git a/openssh-7.2p2/sftp-common.c b/openssh-7.2p2/sftp-common.c
|
|
||||||
--- a/openssh-7.2p2/sftp-common.c
|
|
||||||
+++ b/openssh-7.2p2/sftp-common.c
|
|
||||||
@@ -43,16 +43,17 @@
|
|
||||||
|
|
||||||
#include "xmalloc.h"
|
|
||||||
#include "ssherr.h"
|
|
||||||
#include "sshbuf.h"
|
|
||||||
#include "log.h"
|
|
||||||
|
|
||||||
#include "sftp.h"
|
|
||||||
#include "sftp-common.h"
|
|
||||||
+#include "sftp-chrootenv.h"
|
|
||||||
|
|
||||||
/* Clear contents of attributes structure */
|
|
||||||
void
|
|
||||||
attrib_clear(Attrib *a)
|
|
||||||
{
|
|
||||||
a->flags = 0;
|
|
||||||
a->size = 0;
|
|
||||||
a->uid = 0;
|
|
||||||
@@ -216,23 +217,23 @@ ls_file(const char *name, const struct s
|
|
||||||
int ulen, glen, sz = 0;
|
|
||||||
struct tm *ltime = localtime(&st->st_mtime);
|
|
||||||
char *user, *group;
|
|
||||||
char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1];
|
|
||||||
char sbuf[FMT_SCALED_STRSIZE];
|
|
||||||
time_t now;
|
|
||||||
|
|
||||||
strmode(st->st_mode, mode);
|
|
||||||
- if (!remote) {
|
|
||||||
+ if (!remote && !chroot_no_tree) {
|
|
||||||
user = user_from_uid(st->st_uid, 0);
|
|
||||||
} else {
|
|
||||||
snprintf(ubuf, sizeof ubuf, "%u", (u_int)st->st_uid);
|
|
||||||
user = ubuf;
|
|
||||||
}
|
|
||||||
- if (!remote) {
|
|
||||||
+ if (!remote && !chroot_no_tree) {
|
|
||||||
group = group_from_gid(st->st_gid, 0);
|
|
||||||
} else {
|
|
||||||
snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid);
|
|
||||||
group = gbuf;
|
|
||||||
}
|
|
||||||
if (ltime != NULL) {
|
|
||||||
now = time(NULL);
|
|
||||||
if (now - (365*24*60*60)/2 < st->st_mtime &&
|
|
||||||
diff --git a/openssh-7.2p2/sftp-server-main.c b/openssh-7.2p2/sftp-server-main.c
|
|
||||||
--- a/openssh-7.2p2/sftp-server-main.c
|
|
||||||
+++ b/openssh-7.2p2/sftp-server-main.c
|
|
||||||
@@ -17,22 +17,25 @@
|
|
||||||
|
|
||||||
#include "includes.h"
|
|
||||||
|
|
||||||
#include <sys/types.h>
|
|
||||||
#include <pwd.h>
|
|
||||||
#include <stdarg.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <unistd.h>
|
|
||||||
+//#include <time.h>
|
|
||||||
|
|
||||||
#include "log.h"
|
|
||||||
#include "sftp.h"
|
|
||||||
#include "misc.h"
|
|
||||||
#include "xmalloc.h"
|
|
||||||
|
|
||||||
+int chroot_no_tree = 0;
|
|
||||||
+
|
|
||||||
void
|
|
||||||
cleanup_exit(int i)
|
|
||||||
{
|
|
||||||
sftp_server_cleanup_exit(i);
|
|
||||||
}
|
|
||||||
|
|
||||||
int
|
|
||||||
main(int argc, char **argv)
|
|
||||||
diff --git a/openssh-7.2p2/sftp.c b/openssh-7.2p2/sftp.c
|
|
||||||
--- a/openssh-7.2p2/sftp.c
|
|
||||||
+++ b/openssh-7.2p2/sftp.c
|
|
||||||
@@ -112,16 +112,18 @@ struct complete_ctx {
|
|
||||||
char **remote_pathp;
|
|
||||||
};
|
|
||||||
|
|
||||||
int remote_glob(struct sftp_conn *, const char *, int,
|
|
||||||
int (*)(const char *, int), glob_t *); /* proto for sftp-glob.c */
|
|
||||||
|
|
||||||
extern char *__progname;
|
|
||||||
|
|
||||||
+int chroot_no_tree = 0;
|
|
||||||
+
|
|
||||||
/* Separators for interactive commands */
|
|
||||||
#define WHITESPACE " \t\r\n"
|
|
||||||
|
|
||||||
/* ls flags */
|
|
||||||
#define LS_LONG_VIEW 0x0001 /* Full view ala ls -l */
|
|
||||||
#define LS_SHORT_VIEW 0x0002 /* Single row view ala ls -1 */
|
|
||||||
#define LS_NUMERIC_VIEW 0x0004 /* Long view with numeric uid/gid */
|
|
||||||
#define LS_NAME_SORT 0x0008 /* Sort by name (default) */
|
|
||||||
diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0
|
|
||||||
--- a/openssh-7.2p2/sshd_config.0
|
|
||||||
+++ b/openssh-7.2p2/sshd_config.0
|
|
||||||
@@ -251,16 +251,24 @@ DESCRIPTION
|
|
||||||
directory on some operating systems (see sftp-server(8) for
|
|
||||||
details).
|
|
||||||
|
|
||||||
For safety, it is very important that the directory hierarchy be
|
|
||||||
prevented from modification by other processes on the system
|
|
||||||
(especially those outside the jail). Misconfiguration can lead
|
|
||||||
to unsafe environments which sshd(8) cannot detect.
|
|
||||||
|
|
||||||
+ In the special case when only sftp is used, not ssh nor scp, it
|
|
||||||
+ is possible to use ChrootDirectory %h or ChrootDirectory
|
|
||||||
+ /some/path/%u. The file system containing this directory must be
|
|
||||||
+ mounted with options nodev and either nosuid or noexec. The owner
|
|
||||||
+ of the directory should be the user. The ownership of the other
|
|
||||||
+ components of the path must fulfill the usual conditions. No adi-
|
|
||||||
+ tional files are required to be present in the directory.
|
|
||||||
+
|
|
||||||
The default is M-bM-^@M-^\noneM-bM-^@M-^], indicating not to chroot(2).
|
|
||||||
|
|
||||||
Ciphers
|
|
||||||
Specifies the ciphers allowed. Multiple ciphers must be comma-
|
|
||||||
separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character,
|
|
||||||
then the specified ciphers will be appended to the default set
|
|
||||||
instead of replacing them.
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
|
|
||||||
--- a/openssh-7.2p2/sshd_config.5
|
|
||||||
+++ b/openssh-7.2p2/sshd_config.5
|
|
||||||
@@ -424,16 +424,27 @@ for details).
|
|
||||||
.Pp
|
|
||||||
For safety, it is very important that the directory hierarchy be
|
|
||||||
prevented from modification by other processes on the system (especially
|
|
||||||
those outside the jail).
|
|
||||||
Misconfiguration can lead to unsafe environments which
|
|
||||||
.Xr sshd 8
|
|
||||||
cannot detect.
|
|
||||||
.Pp
|
|
||||||
+In the special case when only sftp is used, not ssh nor scp,
|
|
||||||
+it is possible to use
|
|
||||||
+.Cm ChrootDirectory
|
|
||||||
+%h or
|
|
||||||
+.Cm ChrootDirectory
|
|
||||||
+/some/path/%u. The file system containing this directory must be
|
|
||||||
+mounted with options nodev and either nosuid or noexec. The owner of the
|
|
||||||
+directory should be the user. The ownership of the other components of the path
|
|
||||||
+must fulfill the usual conditions. No aditional files are required to be present
|
|
||||||
+in the directory.
|
|
||||||
+.Pp
|
|
||||||
The default is
|
|
||||||
.Dq none ,
|
|
||||||
indicating not to
|
|
||||||
.Xr chroot 2 .
|
|
||||||
.It Cm Ciphers
|
|
||||||
Specifies the ciphers allowed.
|
|
||||||
Multiple ciphers must be comma-separated.
|
|
||||||
If the specified value begins with a
|
|
@ -1,87 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 1b99f71db584917a37c5e9140bf63dcb860e8b59
|
|
||||||
Match hostnames in a case-insensitive manner.
|
|
||||||
|
|
||||||
bsc#1017099
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/readconf.c b/openssh-7.2p2/readconf.c
|
|
||||||
--- a/openssh-7.2p2/readconf.c
|
|
||||||
+++ b/openssh-7.2p2/readconf.c
|
|
||||||
@@ -526,16 +526,17 @@ execute_in_shell(const char *cmd)
|
|
||||||
* Parse and execute a Match directive.
|
|
||||||
*/
|
|
||||||
static int
|
|
||||||
match_cfg_line(Options *options, char **condition, struct passwd *pw,
|
|
||||||
const char *host_arg, const char *original_host, int post_canon,
|
|
||||||
const char *filename, int linenum)
|
|
||||||
{
|
|
||||||
char *arg, *oattrib, *attrib, *cmd, *cp = *condition, *host, *criteria;
|
|
||||||
+ char *hostlc;
|
|
||||||
const char *ruser;
|
|
||||||
int r, port, this_result, result = 1, attributes = 0, negate;
|
|
||||||
char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Configuration is likely to be incomplete at this point so we
|
|
||||||
* must be prepared to use default values.
|
|
||||||
*/
|
|
||||||
@@ -546,16 +547,20 @@ match_cfg_line(Options *options, char **
|
|
||||||
} else if (options->hostname != NULL) {
|
|
||||||
/* NB. Please keep in sync with ssh.c:main() */
|
|
||||||
host = percent_expand(options->hostname,
|
|
||||||
"h", host_arg, (char *)NULL);
|
|
||||||
} else {
|
|
||||||
host = xstrdup(host_arg);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* match_hostname() requires the hostname to be lowercase */
|
|
||||||
+ hostlc = xstrdup(host);
|
|
||||||
+ lowercase(hostlc);
|
|
||||||
+
|
|
||||||
debug2("checking match for '%s' host %s originally %s",
|
|
||||||
cp, host, original_host);
|
|
||||||
while ((oattrib = attrib = strdelim(&cp)) && *attrib != '\0') {
|
|
||||||
criteria = NULL;
|
|
||||||
this_result = 1;
|
|
||||||
if ((negate = attrib[0] == '!'))
|
|
||||||
attrib++;
|
|
||||||
/* criteria "all" and "canonical" have no argument */
|
|
||||||
@@ -584,18 +589,18 @@ match_cfg_line(Options *options, char **
|
|
||||||
}
|
|
||||||
/* All other criteria require an argument */
|
|
||||||
if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
|
|
||||||
error("Missing Match criteria for %s", attrib);
|
|
||||||
result = -1;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
if (strcasecmp(attrib, "host") == 0) {
|
|
||||||
- criteria = xstrdup(host);
|
|
||||||
- r = match_hostname(host, arg) == 1;
|
|
||||||
+ criteria = xstrdup(hostlc);
|
|
||||||
+ r = match_hostname(hostlc, arg) == 1;
|
|
||||||
if (r == (negate ? 1 : 0))
|
|
||||||
this_result = result = 0;
|
|
||||||
} else if (strcasecmp(attrib, "originalhost") == 0) {
|
|
||||||
criteria = xstrdup(original_host);
|
|
||||||
r = match_hostname(original_host, arg) == 1;
|
|
||||||
if (r == (negate ? 1 : 0))
|
|
||||||
this_result = result = 0;
|
|
||||||
} else if (strcasecmp(attrib, "user") == 0) {
|
|
||||||
@@ -658,16 +663,17 @@ match_cfg_line(Options *options, char **
|
|
||||||
error("One or more attributes required for Match");
|
|
||||||
result = -1;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
out:
|
|
||||||
if (result != -1)
|
|
||||||
debug2("match %sfound", result ? "" : "not ");
|
|
||||||
*condition = cp;
|
|
||||||
+ free(hostlc);
|
|
||||||
free(host);
|
|
||||||
return result;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Check and prepare a domain name: removes trailing '.' and lowercases */
|
|
||||||
static void
|
|
||||||
valid_domain(char *name, const char *filename, int linenum)
|
|
||||||
{
|
|
@ -1,175 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 1b2dad1b57b086d094fe09327fcf1c490475a7cd
|
|
||||||
Check for invalid CIDR adress masks.
|
|
||||||
bsc#1005893
|
|
||||||
|
|
||||||
backported upstream commit: 010359b32659f455fddd2bd85fd7cc4d7a3b994a (7.4)
|
|
||||||
backported upstream commit: 1a6f9d2e2493d445cd9ee496e6e3c2a2f283f66a
|
|
||||||
backported upstream commit: fe06b68f824f8f55670442fb31f2c03526dd326c
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/auth.c b/openssh-7.2p2/auth.c
|
|
||||||
--- a/openssh-7.2p2/auth.c
|
|
||||||
+++ b/openssh-7.2p2/auth.c
|
|
||||||
@@ -95,16 +95,17 @@ int auth_debug_init;
|
|
||||||
* Otherwise true is returned.
|
|
||||||
*/
|
|
||||||
int
|
|
||||||
allowed_user(struct passwd * pw)
|
|
||||||
{
|
|
||||||
struct stat st;
|
|
||||||
const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
|
|
||||||
u_int i;
|
|
||||||
+ int r;
|
|
||||||
#ifdef USE_SHADOW
|
|
||||||
struct spwd *spw = NULL;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
|
|
||||||
if (!pw || !pw->pw_name)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
@@ -183,31 +184,41 @@ allowed_user(struct passwd * pw)
|
|
||||||
if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
|
|
||||||
options.num_deny_groups > 0 || options.num_allow_groups > 0) {
|
|
||||||
hostname = get_canonical_hostname(options.use_dns);
|
|
||||||
ipaddr = get_remote_ipaddr();
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Return false if user is listed in DenyUsers */
|
|
||||||
if (options.num_deny_users > 0) {
|
|
||||||
- for (i = 0; i < options.num_deny_users; i++)
|
|
||||||
- if (match_user(pw->pw_name, hostname, ipaddr,
|
|
||||||
- options.deny_users[i])) {
|
|
||||||
+ for (i = 0; i < options.num_deny_users; i++) {
|
|
||||||
+ r = match_user(pw->pw_name, hostname, ipaddr,
|
|
||||||
+ options.deny_users[i]);
|
|
||||||
+ if (r < 0) {
|
|
||||||
+ fatal("Invalid DenyUsers pattern \"%.100s\"",
|
|
||||||
+ options.deny_users[i]);
|
|
||||||
+ } else if (r != 0) {
|
|
||||||
logit("User %.100s from %.100s not allowed "
|
|
||||||
"because listed in DenyUsers",
|
|
||||||
pw->pw_name, hostname);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
/* Return false if AllowUsers isn't empty and user isn't listed there */
|
|
||||||
if (options.num_allow_users > 0) {
|
|
||||||
- for (i = 0; i < options.num_allow_users; i++)
|
|
||||||
- if (match_user(pw->pw_name, hostname, ipaddr,
|
|
||||||
- options.allow_users[i]))
|
|
||||||
+ for (i = 0; i < options.num_allow_users; i++) {
|
|
||||||
+ r = match_user(pw->pw_name, hostname, ipaddr,
|
|
||||||
+ options.allow_users[i]);
|
|
||||||
+ if (r < 0) {
|
|
||||||
+ fatal("Invalid AllowUsers pattern \"%.100s\"",
|
|
||||||
+ options.allow_users[i]);
|
|
||||||
+ } else if (r == 1)
|
|
||||||
break;
|
|
||||||
+ }
|
|
||||||
/* i < options.num_allow_users iff we break for loop */
|
|
||||||
if (i >= options.num_allow_users) {
|
|
||||||
logit("User %.100s from %.100s not allowed because "
|
|
||||||
"not listed in AllowUsers", pw->pw_name, hostname);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
|
|
||||||
diff --git a/openssh-7.2p2/match.c b/openssh-7.2p2/match.c
|
|
||||||
--- a/openssh-7.2p2/match.c
|
|
||||||
+++ b/openssh-7.2p2/match.c
|
|
||||||
@@ -186,41 +186,50 @@ match_hostname(const char *host, const c
|
|
||||||
* successful match.
|
|
||||||
*/
|
|
||||||
int
|
|
||||||
match_host_and_ip(const char *host, const char *ipaddr,
|
|
||||||
const char *patterns)
|
|
||||||
{
|
|
||||||
int mhost, mip;
|
|
||||||
|
|
||||||
- /* error in ipaddr match */
|
|
||||||
if ((mip = addr_match_list(ipaddr, patterns)) == -2)
|
|
||||||
- return -1;
|
|
||||||
- else if (mip == -1) /* negative ip address match */
|
|
||||||
- return 0;
|
|
||||||
+ return -1; /* error in ipaddr match */
|
|
||||||
+ else if (host == NULL || ipaddr == NULL || mip == -1)
|
|
||||||
+ return 0; /* negative ip address match, or testing pattern */
|
|
||||||
|
|
||||||
/* negative hostname match */
|
|
||||||
if ((mhost = match_hostname(host, patterns)) == -1)
|
|
||||||
return 0;
|
|
||||||
/* no match at all */
|
|
||||||
if (mhost == 0 && mip == 0)
|
|
||||||
return 0;
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
- * match user, user@host_or_ip, user@host_or_ip_list against pattern
|
|
||||||
+ * Match user, user@host_or_ip, user@host_or_ip_list against pattern.
|
|
||||||
+ * If user, host and ipaddr are all NULL then validate pattern/
|
|
||||||
+ * Returns -1 on invalid pattern, 0 on no match, 1 on match.
|
|
||||||
*/
|
|
||||||
int
|
|
||||||
match_user(const char *user, const char *host, const char *ipaddr,
|
|
||||||
const char *pattern)
|
|
||||||
{
|
|
||||||
char *p, *pat;
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
+ /* test mode */
|
|
||||||
+ if (user == NULL && host == NULL && ipaddr == NULL) {
|
|
||||||
+ if ((p = strchr(pattern, '@')) != NULL &&
|
|
||||||
+ match_host_and_ip(NULL, NULL, p + 1) < 0)
|
|
||||||
+ return -1;
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if ((p = strchr(pattern,'@')) == NULL)
|
|
||||||
return match_pattern(user, pattern);
|
|
||||||
|
|
||||||
pat = xstrdup(pattern);
|
|
||||||
p = strchr(pat, '@');
|
|
||||||
*p++ = '\0';
|
|
||||||
|
|
||||||
if ((ret = match_pattern(user, pat)) == 1)
|
|
||||||
diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
|
||||||
--- a/openssh-7.2p2/servconf.c
|
|
||||||
+++ b/openssh-7.2p2/servconf.c
|
|
||||||
@@ -1462,28 +1462,34 @@ process_server_config_line(ServerOptions
|
|
||||||
multistate_ptr = multistate_privsep;
|
|
||||||
goto parse_multistate;
|
|
||||||
|
|
||||||
case sAllowUsers:
|
|
||||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
|
||||||
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
|
||||||
fatal("%s line %d: too many allow users.",
|
|
||||||
filename, linenum);
|
|
||||||
+ if (match_user(NULL, NULL, NULL, arg) == -1)
|
|
||||||
+ fatal("%s line %d: invalid AllowUsers pattern: "
|
|
||||||
+ "\"%.100s\"", filename, linenum, arg);
|
|
||||||
if (!*activep)
|
|
||||||
continue;
|
|
||||||
options->allow_users[options->num_allow_users++] =
|
|
||||||
xstrdup(arg);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
case sDenyUsers:
|
|
||||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
|
||||||
if (options->num_deny_users >= MAX_DENY_USERS)
|
|
||||||
fatal("%s line %d: too many deny users.",
|
|
||||||
filename, linenum);
|
|
||||||
+ if (match_user(NULL, NULL, NULL, arg) == -1)
|
|
||||||
+ fatal("%s line %d: invalid DenyUsers pattern: "
|
|
||||||
+ "\"%.100s\"", filename, linenum, arg);
|
|
||||||
if (!*activep)
|
|
||||||
continue;
|
|
||||||
options->deny_users[options->num_deny_users++] =
|
|
||||||
xstrdup(arg);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
case sAllowGroups:
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c
|
|
||||||
size 1499808
|
|
@ -1,14 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
Version: GnuPG v2
|
|
||||||
|
|
||||||
iQGsBAABCgAGBQJW4HGiAAoJENPl9Wttkg0w8uUMfRnuvFkcQWBAHy+idRJoL/9W
|
|
||||||
aPis5PRMJW9ENNLUI2eiSNAhcIsAXKZXv3W2S/tuVrztwYv2+ckrlnaOg2GiMc9N
|
|
||||||
l66ZFpoZBNNPqImG88rgl28idkvGlYMwaKoE+YihPdB9BvPvHzZUEKdPtf/HsvI/
|
|
||||||
2vVTKYg2dbIb7M9h8RIXGvSW8UoGd+6pSbjnJaLHsxVsnBXk8ZYqUgq9PT+slS4d
|
|
||||||
/yp9OdZr99JcQqIFEpWs9WG93JxBbRBUif6OdymV3JAGJxfrpA0a0EPbiCNedxkY
|
|
||||||
TB+XZ53ydKx0s9Gv3k2wFfpT4VOIXvlrcPgYyTs7SVbigvT6TomNyK3TUfMQemN6
|
|
||||||
rTP4qt4b74cXne7zfcmr/Axmr3+xg1LybJn4L1IIH7TWAjj5dhPHJwqLRw3owaFB
|
|
||||||
Y8I+5ViCHGNCsBiil8oBOgdg09BITriL76Xs9WEY7+hC+FP/A286ggPDi+De3GPK
|
|
||||||
L7nB1FZgfo3gCGGJVVAH1i8P/ZZEedJHo/AXAYlNax7g6ZDkfmzt1KaVNhtoNvI=
|
|
||||||
=yfYj
|
|
||||||
-----END PGP SIGNATURE-----
|
|
@ -1,14 +1,14 @@
|
|||||||
# HG changeset patch
|
# HG changeset patch
|
||||||
# Parent 7197d7a6b7c90566c68e980b5f8b937c183e79d0
|
# Parent c004421528bc443fa9a56db1123005c92014e6b3
|
||||||
# enable trusted X11 forwarding by default in both sshd and sshsystem-wide
|
# enable trusted X11 forwarding by default in both sshd and sshsystem-wide
|
||||||
# configuration
|
# configuration
|
||||||
# bnc#50836 (was suse #35836)
|
# bnc#50836 (was suse #35836)
|
||||||
Enable Trusted X11 forwarding by default, since the security benefits of
|
Enable Trusted X11 forwarding by default, since the security benefits of
|
||||||
having it disabled are negligible these days with XI2 being widely used.
|
having it disabled are negligible these days with XI2 being widely used.
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/ssh_config b/openssh-7.2p2/ssh_config
|
diff --git a/openssh-7.6p1/ssh_config b/openssh-7.6p1/ssh_config
|
||||||
--- a/openssh-7.2p2/ssh_config
|
--- a/openssh-7.6p1/ssh_config
|
||||||
+++ b/openssh-7.2p2/ssh_config
|
+++ b/openssh-7.6p1/ssh_config
|
||||||
@@ -12,19 +12,30 @@
|
@@ -12,19 +12,30 @@
|
||||||
# Any configuration value is only changed the first time it is set.
|
# Any configuration value is only changed the first time it is set.
|
||||||
# Thus, host-specific definitions should be at the beginning of the
|
# Thus, host-specific definitions should be at the beginning of the
|
||||||
@ -33,18 +33,18 @@ diff --git a/openssh-7.2p2/ssh_config b/openssh-7.2p2/ssh_config
|
|||||||
+# expire after twenty minutes after remote login.
|
+# expire after twenty minutes after remote login.
|
||||||
+ ForwardX11Trusted yes
|
+ ForwardX11Trusted yes
|
||||||
+
|
+
|
||||||
# RhostsRSAAuthentication no
|
|
||||||
# RSAAuthentication yes
|
|
||||||
# PasswordAuthentication yes
|
# PasswordAuthentication yes
|
||||||
# HostbasedAuthentication no
|
# HostbasedAuthentication no
|
||||||
# GSSAPIAuthentication no
|
# GSSAPIAuthentication no
|
||||||
# GSSAPIDelegateCredentials no
|
# GSSAPIDelegateCredentials no
|
||||||
# BatchMode no
|
# BatchMode no
|
||||||
# CheckHostIP yes
|
# CheckHostIP yes
|
||||||
diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
|
# AddressFamily any
|
||||||
--- a/openssh-7.2p2/sshd_config
|
# ConnectTimeout 0
|
||||||
+++ b/openssh-7.2p2/sshd_config
|
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
|
||||||
@@ -94,17 +94,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
--- a/openssh-7.6p1/sshd_config
|
||||||
|
+++ b/openssh-7.6p1/sshd_config
|
||||||
|
@@ -80,17 +80,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||||
# If you just want the PAM account and session checks to run without
|
# If you just want the PAM account and session checks to run without
|
||||||
# PAM authentication, then enable this but set PasswordAuthentication
|
# PAM authentication, then enable this but set PasswordAuthentication
|
||||||
# and ChallengeResponseAuthentication to 'no'.
|
# and ChallengeResponseAuthentication to 'no'.
|
||||||
@ -62,4 +62,4 @@ diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
|
|||||||
#PrintLastLog yes
|
#PrintLastLog yes
|
||||||
#TCPKeepAlive yes
|
#TCPKeepAlive yes
|
||||||
#UseLogin no
|
#UseLogin no
|
||||||
#UsePrivilegeSeparation sandbox
|
#PermitUserEnvironment no
|
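Review bot: The refreshed patch header still justifies the system-wide `ForwardX11Trusted yes` default with the bare claim that disabling it has "negligible" security benefit, without saying what the setting actually grants. Per ssh_config(5), trusted forwarding gives remote X11 clients full access to the local display, whereas the untrusted mode confines them; an administrator reading this vendor patch should see that trade-off stated rather than dismissed. Suggest replacing the justification sentence in the header with something like `# Trusted forwarding gives remote X11 clients full access to the local display; kept as the SUSE default for compatibility with existing installations.` so the relaxation is documented on its own terms. The rest of the section is a rebase onto the 7.6p1 paths and needs no change.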
95
openssh-7.6p1-allow_root_password_login.patch
Normal file
@ -0,0 +1,95 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# Parent af43d436bc7fe818dd976c923ad99b89051eb299
|
||||||
|
Allow root login with password by default. While less secure than upstream
|
||||||
|
default of forbidding access to the root account with a password, we are
|
||||||
|
temporarily introducing this change to keep the default used in older OpenSSH
|
||||||
|
versions shipped with SLE.
|
||||||
|
|
||||||
|
diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||||
|
--- a/openssh-7.6p1/servconf.c
|
||||||
|
+++ b/openssh-7.6p1/servconf.c
|
||||||
|
@@ -218,17 +218,17 @@ fill_default_server_options(ServerOption
|
||||||
|
options->address_family = AF_UNSPEC;
|
||||||
|
if (options->listen_addrs == NULL)
|
||||||
|
add_listen_addr(options, NULL, 0);
|
||||||
|
if (options->pid_file == NULL)
|
||||||
|
options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
|
||||||
|
if (options->login_grace_time == -1)
|
||||||
|
options->login_grace_time = 120;
|
||||||
|
if (options->permit_root_login == PERMIT_NOT_SET)
|
||||||
|
- options->permit_root_login = PERMIT_NO_PASSWD;
|
||||||
|
+ options->permit_root_login = PERMIT_YES;
|
||||||
|
if (options->ignore_rhosts == -1)
|
||||||
|
options->ignore_rhosts = 1;
|
||||||
|
if (options->ignore_user_known_hosts == -1)
|
||||||
|
options->ignore_user_known_hosts = 0;
|
||||||
|
if (options->print_motd == -1)
|
||||||
|
options->print_motd = 1;
|
||||||
|
if (options->print_lastlog == -1)
|
||||||
|
options->print_lastlog = 1;
|
||||||
|
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
|
||||||
|
--- a/openssh-7.6p1/sshd_config
|
||||||
|
+++ b/openssh-7.6p1/sshd_config
|
||||||
|
@@ -25,17 +25,17 @@
|
||||||
|
|
||||||
|
# Logging
|
||||||
|
#SyslogFacility AUTH
|
||||||
|
#LogLevel INFO
|
||||||
|
|
||||||
|
# Authentication:
|
||||||
|
|
||||||
|
#LoginGraceTime 2m
|
||||||
|
-#PermitRootLogin prohibit-password
|
||||||
|
+#PermitRootLogin yes
|
||||||
|
#StrictModes yes
|
||||||
|
#MaxAuthTries 6
|
||||||
|
#MaxSessions 10
|
||||||
|
|
||||||
|
#PubkeyAuthentication yes
|
||||||
|
|
||||||
|
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
||||||
|
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||||
|
diff --git a/openssh-7.6p1/sshd_config.0 b/openssh-7.6p1/sshd_config.0
|
||||||
|
--- a/openssh-7.6p1/sshd_config.0
|
||||||
|
+++ b/openssh-7.6p1/sshd_config.0
|
||||||
|
@@ -696,17 +696,17 @@ DESCRIPTION
|
||||||
|
none can be used to prohibit all forwarding requests. The
|
||||||
|
wildcard M-bM-^@M-^X*M-bM-^@M-^Y can be used for host or port to allow all hosts or
|
||||||
|
ports, respectively. By default all port forwarding requests are
|
||||||
|
permitted.
|
||||||
|
|
||||||
|
PermitRootLogin
|
||||||
|
Specifies whether root can log in using ssh(1). The argument
|
||||||
|
must be yes, prohibit-password, without-password,
|
||||||
|
- forced-commands-only, or no. The default is prohibit-password.
|
||||||
|
+ forced-commands-only, or no. The default is yes.
|
||||||
|
|
||||||
|
If this option is set to prohibit-password or without-password,
|
||||||
|
password and keyboard-interactive authentication are disabled for
|
||||||
|
root.
|
||||||
|
|
||||||
|
If this option is set to forced-commands-only, root login with
|
||||||
|
public key authentication will be allowed, but only if the
|
||||||
|
command option has been specified (which may be useful for taking
|
||||||
|
diff --git a/openssh-7.6p1/sshd_config.5 b/openssh-7.6p1/sshd_config.5
|
||||||
|
--- a/openssh-7.6p1/sshd_config.5
|
||||||
|
+++ b/openssh-7.6p1/sshd_config.5
|
||||||
|
@@ -1188,17 +1188,17 @@ Specifies whether root can log in using
|
||||||
|
The argument must be
|
||||||
|
.Cm yes ,
|
||||||
|
.Cm prohibit-password ,
|
||||||
|
.Cm without-password ,
|
||||||
|
.Cm forced-commands-only ,
|
||||||
|
or
|
||||||
|
.Cm no .
|
||||||
|
The default is
|
||||||
|
-.Cm prohibit-password .
|
||||||
|
+.Cm yes .
|
||||||
|
.Pp
|
||||||
|
If this option is set to
|
||||||
|
.Cm prohibit-password
|
||||||
|
or
|
||||||
|
.Cm without-password ,
|
||||||
|
password and keyboard-interactive authentication are disabled for root.
|
||||||
|
.Pp
|
||||||
|
If this option is set to
|
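Review bot: The servconf.c hunk changes the compiled-in fallback in fill_default_server_options() from `PERMIT_NO_PASSWD` to `PERMIT_YES`, so any sshd_config that never mentions PermitRootLogin silently gets password root login with no line in the configuration to show it. A less surprising way to preserve the old SLE behaviour is to leave the binary default at upstream's `options->permit_root_login = PERMIT_NO_PASSWD;` and ship the distributed sshd_config with an explicit, uncommented `PermitRootLogin yes` instead of only the commented `#PermitRootLogin yes` this patch writes, which keeps the deviation visible, greppable and easy to revert per host. The patch description calls the change temporary but gives no bug or tracking reference; adding one after `versions shipped with SLE.` would make the intended removal auditable. The sshd_config.0 and sshd_config.5 hunks would then not need to document a default that differs from upstream.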
@ -1,13 +1,13 @@
|
|||||||
# HG changeset patch
|
# HG changeset patch
|
||||||
# Parent 0bfb5dd4b190b546a3e40a59483b2b2884a47c39
|
# Parent 724c9ea86fe2c4a1f0e0d3aba168357ab1b2c3aa
|
||||||
block SIGALRM while logging through syslog to prevent deadlocks
|
block SIGALRM while logging through syslog to prevent deadlocks
|
||||||
(through grace_alarm_handler())
|
(through grace_alarm_handler())
|
||||||
|
|
||||||
bnc#57354
|
bnc#57354
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/log.c b/openssh-7.2p2/log.c
|
diff --git a/openssh-7.6p1/log.c b/openssh-7.6p1/log.c
|
||||||
--- a/openssh-7.2p2/log.c
|
--- a/openssh-7.6p1/log.c
|
||||||
+++ b/openssh-7.2p2/log.c
|
+++ b/openssh-7.6p1/log.c
|
||||||
@@ -46,16 +46,17 @@
|
@@ -46,16 +46,17 @@
|
||||||
#include <syslog.h>
|
#include <syslog.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
@ -26,7 +26,7 @@ diff --git a/openssh-7.2p2/log.c b/openssh-7.2p2/log.c
|
|||||||
static char *argv0;
|
static char *argv0;
|
||||||
static log_handler_fn *log_handler;
|
static log_handler_fn *log_handler;
|
||||||
static void *log_handler_ctx;
|
static void *log_handler_ctx;
|
||||||
@@ -383,16 +384,17 @@ do_log(LogLevel level, const char *fmt,
|
@@ -396,16 +397,17 @@ do_log(LogLevel level, const char *fmt,
|
||||||
{
|
{
|
||||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
||||||
struct syslog_data sdata = SYSLOG_DATA_INIT;
|
struct syslog_data sdata = SYSLOG_DATA_INIT;
|
||||||
@ -44,19 +44,18 @@ diff --git a/openssh-7.2p2/log.c b/openssh-7.2p2/log.c
|
|||||||
|
|
||||||
switch (level) {
|
switch (level) {
|
||||||
case SYSLOG_LEVEL_FATAL:
|
case SYSLOG_LEVEL_FATAL:
|
||||||
@@ -441,20 +443,29 @@ do_log(LogLevel level, const char *fmt,
|
@@ -455,20 +457,28 @@ do_log(LogLevel level, const char *fmt,
|
||||||
tmp_handler = log_handler;
|
|
||||||
log_handler = NULL;
|
log_handler = NULL;
|
||||||
tmp_handler(level, fmtbuf, log_handler_ctx);
|
tmp_handler(level, fmtbuf, log_handler_ctx);
|
||||||
log_handler = tmp_handler;
|
log_handler = tmp_handler;
|
||||||
} else if (log_on_stderr) {
|
} else if (log_on_stderr) {
|
||||||
snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
|
snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",
|
||||||
|
(int)sizeof msgbuf - 3, fmtbuf);
|
||||||
(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
|
(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
|
||||||
} else {
|
} else {
|
||||||
+ /* Prevent a race between the grace_alarm
|
+ /* Prevent a race between the grace_alarm which writes a
|
||||||
+ * which writes a log message and terminates
|
+ * log message and terminates and main sshd code that leads
|
||||||
+ * and main sshd code that leads to deadlock
|
+ * to deadlock as syslog is not async safe.
|
||||||
+ * as syslog is not async safe.
|
|
||||||
+ */
|
+ */
|
||||||
+ sigemptyset(&nset);
|
+ sigemptyset(&nset);
|
||||||
+ sigaddset(&nset, SIGALRM);
|
+ sigaddset(&nset, SIGALRM);
|
@ -1,5 +1,5 @@
|
|||||||
# HG changeset patch
|
# HG changeset patch
|
||||||
# Parent 7b5f436e0026923299fdd1994f8da8fd9948be7c
|
# Parent a5b0f249f564de9c9efd023c6430f607d9861acd
|
||||||
|
|
||||||
Raise minimal size of DH group parameters to 2048 bits like upstream did in
|
Raise minimal size of DH group parameters to 2048 bits like upstream did in
|
||||||
7.2. 1024b values are believed to be in breaking range for state adversaries
|
7.2. 1024b values are believed to be in breaking range for state adversaries
|
||||||
@ -12,9 +12,9 @@ compliant) parameters.
|
|||||||
CVE-2015-4000 (LOGJAM)
|
CVE-2015-4000 (LOGJAM)
|
||||||
bsc#932483
|
bsc#932483
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/dh.c b/openssh-7.2p2/dh.c
|
diff --git a/openssh-7.6p1/dh.c b/openssh-7.6p1/dh.c
|
||||||
--- a/openssh-7.2p2/dh.c
|
--- a/openssh-7.6p1/dh.c
|
||||||
+++ b/openssh-7.2p2/dh.c
|
+++ b/openssh-7.6p1/dh.c
|
||||||
@@ -37,16 +37,18 @@
|
@@ -37,16 +37,18 @@
|
||||||
#include <limits.h>
|
#include <limits.h>
|
||||||
|
|
||||||
@ -34,10 +34,10 @@ diff --git a/openssh-7.2p2/dh.c b/openssh-7.2p2/dh.c
|
|||||||
const char *errstr = NULL;
|
const char *errstr = NULL;
|
||||||
long long n;
|
long long n;
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/dh.h b/openssh-7.2p2/dh.h
|
diff --git a/openssh-7.6p1/dh.h b/openssh-7.6p1/dh.h
|
||||||
--- a/openssh-7.2p2/dh.h
|
--- a/openssh-7.6p1/dh.h
|
||||||
+++ b/openssh-7.2p2/dh.h
|
+++ b/openssh-7.6p1/dh.h
|
||||||
@@ -43,16 +43,17 @@ int dh_gen_key(DH *, int);
|
@@ -45,16 +45,17 @@ int dh_gen_key(DH *, int);
|
||||||
int dh_pub_is_valid(DH *, BIGNUM *);
|
int dh_pub_is_valid(DH *, BIGNUM *);
|
||||||
|
|
||||||
u_int dh_estimate(int);
|
u_int dh_estimate(int);
|
||||||
@ -55,23 +55,23 @@ diff --git a/openssh-7.2p2/dh.h b/openssh-7.2p2/dh.h
|
|||||||
* Specifies the internal structure of the prime modulus.
|
* Specifies the internal structure of the prime modulus.
|
||||||
*/
|
*/
|
||||||
#define MODULI_TYPE_UNKNOWN (0)
|
#define MODULI_TYPE_UNKNOWN (0)
|
||||||
diff --git a/openssh-7.2p2/kexgexc.c b/openssh-7.2p2/kexgexc.c
|
diff --git a/openssh-7.6p1/kexgexc.c b/openssh-7.6p1/kexgexc.c
|
||||||
--- a/openssh-7.2p2/kexgexc.c
|
--- a/openssh-7.6p1/kexgexc.c
|
||||||
+++ b/openssh-7.2p2/kexgexc.c
|
+++ b/openssh-7.6p1/kexgexc.c
|
||||||
@@ -46,29 +46,32 @@
|
@@ -46,29 +46,32 @@
|
||||||
#include "packet.h"
|
|
||||||
#include "dh.h"
|
#include "dh.h"
|
||||||
#include "ssh2.h"
|
#include "ssh2.h"
|
||||||
#include "compat.h"
|
#include "compat.h"
|
||||||
#include "dispatch.h"
|
#include "dispatch.h"
|
||||||
#include "ssherr.h"
|
#include "ssherr.h"
|
||||||
#include "sshbuf.h"
|
#include "sshbuf.h"
|
||||||
|
#include "misc.h"
|
||||||
|
|
||||||
+/* import from dh.c */
|
+/* import from dh.c */
|
||||||
+extern int dh_grp_min;
|
+extern int dh_grp_min;
|
||||||
+
|
+
|
||||||
static int input_kex_dh_gex_group(int, u_int32_t, void *);
|
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
|
||||||
static int input_kex_dh_gex_reply(int, u_int32_t, void *);
|
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
|
||||||
|
|
||||||
int
|
int
|
||||||
kexgex_client(struct ssh *ssh)
|
kexgex_client(struct ssh *ssh)
|
||||||
@ -87,12 +87,12 @@ diff --git a/openssh-7.2p2/kexgexc.c b/openssh-7.2p2/kexgexc.c
|
|||||||
kex->max = DH_GRP_MAX;
|
kex->max = DH_GRP_MAX;
|
||||||
kex->nbits = nbits;
|
kex->nbits = nbits;
|
||||||
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
||||||
kex->nbits = MIN(kex->nbits, 4096);
|
kex->nbits = MINIMUM(kex->nbits, 4096);
|
||||||
/* New GEX request */
|
/* New GEX request */
|
||||||
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST)) != 0 ||
|
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST)) != 0 ||
|
||||||
(r = sshpkt_put_u32(ssh, kex->min)) != 0 ||
|
(r = sshpkt_put_u32(ssh, kex->min)) != 0 ||
|
||||||
(r = sshpkt_put_u32(ssh, kex->nbits)) != 0 ||
|
(r = sshpkt_put_u32(ssh, kex->nbits)) != 0 ||
|
||||||
@@ -104,16 +107,22 @@ input_kex_dh_gex_group(int type, u_int32
|
@@ -103,16 +106,22 @@ input_kex_dh_gex_group(int type, u_int32
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
if ((r = sshpkt_get_bignum2(ssh, p)) != 0 ||
|
if ((r = sshpkt_get_bignum2(ssh, p)) != 0 ||
|
||||||
@ -115,30 +115,30 @@ diff --git a/openssh-7.2p2/kexgexc.c b/openssh-7.2p2/kexgexc.c
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
p = g = NULL; /* belong to kex->dh now */
|
p = g = NULL; /* belong to kex->dh now */
|
||||||
diff --git a/openssh-7.2p2/kexgexs.c b/openssh-7.2p2/kexgexs.c
|
diff --git a/openssh-7.6p1/kexgexs.c b/openssh-7.6p1/kexgexs.c
|
||||||
--- a/openssh-7.2p2/kexgexs.c
|
--- a/openssh-7.6p1/kexgexs.c
|
||||||
+++ b/openssh-7.2p2/kexgexs.c
|
+++ b/openssh-7.6p1/kexgexs.c
|
||||||
@@ -49,16 +49,19 @@
|
@@ -49,16 +49,19 @@
|
||||||
#ifdef GSSAPI
|
|
||||||
#include "ssh-gss.h"
|
#include "ssh-gss.h"
|
||||||
#endif
|
#endif
|
||||||
#include "monitor_wrap.h"
|
#include "monitor_wrap.h"
|
||||||
#include "dispatch.h"
|
#include "dispatch.h"
|
||||||
#include "ssherr.h"
|
#include "ssherr.h"
|
||||||
#include "sshbuf.h"
|
#include "sshbuf.h"
|
||||||
|
#include "misc.h"
|
||||||
|
|
||||||
+/* import from dh.c */
|
+/* import from dh.c */
|
||||||
+extern int dh_grp_min;
|
+extern int dh_grp_min;
|
||||||
+
|
+
|
||||||
static int input_kex_dh_gex_request(int, u_int32_t, void *);
|
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
|
||||||
static int input_kex_dh_gex_init(int, u_int32_t, void *);
|
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
|
||||||
|
|
||||||
int
|
int
|
||||||
kexgex_server(struct ssh *ssh)
|
kexgex_server(struct ssh *ssh)
|
||||||
{
|
{
|
||||||
ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST,
|
ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST,
|
||||||
&input_kex_dh_gex_request);
|
&input_kex_dh_gex_request);
|
||||||
@@ -78,23 +81,29 @@ input_kex_dh_gex_request(int type, u_int
|
@@ -77,23 +80,29 @@ input_kex_dh_gex_request(int type, u_int
|
||||||
if ((r = sshpkt_get_u32(ssh, &min)) != 0 ||
|
if ((r = sshpkt_get_u32(ssh, &min)) != 0 ||
|
||||||
(r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
|
(r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
|
||||||
(r = sshpkt_get_u32(ssh, &max)) != 0 ||
|
(r = sshpkt_get_u32(ssh, &max)) != 0 ||
|
||||||
@ -147,15 +147,15 @@ diff --git a/openssh-7.2p2/kexgexs.c b/openssh-7.2p2/kexgexs.c
|
|||||||
kex->nbits = nbits;
|
kex->nbits = nbits;
|
||||||
kex->min = min;
|
kex->min = min;
|
||||||
kex->max = max;
|
kex->max = max;
|
||||||
- min = MAX(DH_GRP_MIN, min);
|
- min = MAXIMUM(DH_GRP_MIN, min);
|
||||||
+ min = MAX(dh_grp_min, min);
|
+ min = MAXIMUM(dh_grp_min, min);
|
||||||
max = MIN(DH_GRP_MAX, max);
|
max = MINIMUM(DH_GRP_MAX, max);
|
||||||
- nbits = MAX(DH_GRP_MIN, nbits);
|
- nbits = MAXIMUM(DH_GRP_MIN, nbits);
|
||||||
+ nbits = MAX(dh_grp_min, nbits);
|
+ nbits = MAXIMUM(dh_grp_min, nbits);
|
||||||
nbits = MIN(DH_GRP_MAX, nbits);
|
nbits = MINIMUM(DH_GRP_MAX, nbits);
|
||||||
|
|
||||||
if (kex->max < kex->min || kex->nbits < kex->min ||
|
if (kex->max < kex->min || kex->nbits < kex->min ||
|
||||||
kex->max < kex->nbits) {
|
kex->max < kex->nbits || kex->max < DH_GRP_MIN) {
|
||||||
+ if (kex->nbits < kex->min && kex->nbits >= DH_GRP_MIN_RFC)
|
+ if (kex->nbits < kex->min && kex->nbits >= DH_GRP_MIN_RFC)
|
||||||
+ logit("DH parameter requested by the client (%d bits) "
|
+ logit("DH parameter requested by the client (%d bits) "
|
||||||
+ "is considered insecure. "
|
+ "is considered insecure. "
|
||||||
@ -170,10 +170,10 @@ diff --git a/openssh-7.2p2/kexgexs.c b/openssh-7.2p2/kexgexs.c
|
|||||||
kex->dh = PRIVSEP(choose_dh(min, nbits, max));
|
kex->dh = PRIVSEP(choose_dh(min, nbits, max));
|
||||||
if (kex->dh == NULL) {
|
if (kex->dh == NULL) {
|
||||||
sshpkt_disconnect(ssh, "no matching DH grp found");
|
sshpkt_disconnect(ssh, "no matching DH grp found");
|
||||||
diff --git a/openssh-7.2p2/readconf.c b/openssh-7.2p2/readconf.c
|
diff --git a/openssh-7.6p1/readconf.c b/openssh-7.6p1/readconf.c
|
||||||
--- a/openssh-7.2p2/readconf.c
|
--- a/openssh-7.6p1/readconf.c
|
||||||
+++ b/openssh-7.2p2/readconf.c
|
+++ b/openssh-7.6p1/readconf.c
|
||||||
@@ -56,16 +56,17 @@
|
@@ -61,16 +61,17 @@
|
||||||
#include "misc.h"
|
#include "misc.h"
|
||||||
#include "readconf.h"
|
#include "readconf.h"
|
||||||
#include "match.h"
|
#include "match.h"
|
||||||
@ -191,14 +191,14 @@ diff --git a/openssh-7.2p2/readconf.c b/openssh-7.2p2/readconf.c
|
|||||||
# 2. user-specific file
|
# 2. user-specific file
|
||||||
# 3. system-wide file
|
# 3. system-wide file
|
||||||
# Any configuration value is only changed the first time it is set.
|
# Any configuration value is only changed the first time it is set.
|
||||||
@@ -148,17 +149,18 @@ typedef enum {
|
@@ -161,17 +162,18 @@ typedef enum {
|
||||||
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
|
||||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
||||||
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
||||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||||
oSendEnv, oControlPath, oControlMaster, oControlPersist,
|
oSendEnv, oControlPath, oControlMaster, oControlPersist,
|
||||||
oHashKnownHosts,
|
oHashKnownHosts,
|
||||||
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
|
oTunnel, oTunnelDevice,
|
||||||
|
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
|
||||||
oVisualHostKey,
|
oVisualHostKey,
|
||||||
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
|
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
|
||||||
+ oKexAlgorithms, oKexDHMin,
|
+ oKexAlgorithms, oKexDHMin,
|
||||||
@ -207,18 +207,18 @@ diff --git a/openssh-7.2p2/readconf.c b/openssh-7.2p2/readconf.c
|
|||||||
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
|
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
|
||||||
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
|
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
|
||||||
oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
|
oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
|
||||||
oPubkeyAcceptedKeyTypes,
|
oPubkeyAcceptedKeyTypes, oProxyJump,
|
||||||
oIgnoredUnknownOption, oDeprecated, oUnsupported
|
oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
|
||||||
} OpCodes;
|
} OpCodes;
|
||||||
|
|
||||||
@@ -260,16 +262,17 @@ static struct {
|
@@ -283,16 +285,17 @@ static struct {
|
||||||
{ "hashknownhosts", oHashKnownHosts },
|
{ "include", oInclude },
|
||||||
{ "tunnel", oTunnel },
|
{ "tunnel", oTunnel },
|
||||||
{ "tunneldevice", oTunnelDevice },
|
{ "tunneldevice", oTunnelDevice },
|
||||||
{ "localcommand", oLocalCommand },
|
{ "localcommand", oLocalCommand },
|
||||||
{ "permitlocalcommand", oPermitLocalCommand },
|
{ "permitlocalcommand", oPermitLocalCommand },
|
||||||
|
{ "remotecommand", oRemoteCommand },
|
||||||
{ "visualhostkey", oVisualHostKey },
|
{ "visualhostkey", oVisualHostKey },
|
||||||
{ "useroaming", oDeprecated },
|
|
||||||
{ "kexalgorithms", oKexAlgorithms },
|
{ "kexalgorithms", oKexAlgorithms },
|
||||||
+ { "kexdhmin", oKexDHMin },
|
+ { "kexdhmin", oKexDHMin },
|
||||||
{ "ipqos", oIPQoS },
|
{ "ipqos", oIPQoS },
|
||||||
@ -229,11 +229,11 @@ diff --git a/openssh-7.2p2/readconf.c b/openssh-7.2p2/readconf.c
|
|||||||
{ "canonicalizehostname", oCanonicalizeHostname },
|
{ "canonicalizehostname", oCanonicalizeHostname },
|
||||||
{ "canonicalizemaxdots", oCanonicalizeMaxDots },
|
{ "canonicalizemaxdots", oCanonicalizeMaxDots },
|
||||||
{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
|
{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
|
||||||
@@ -280,16 +283,19 @@ static struct {
|
@@ -304,16 +307,19 @@ static struct {
|
||||||
{ "updatehostkeys", oUpdateHostkeys },
|
|
||||||
{ "hostbasedkeytypes", oHostbasedKeyTypes },
|
{ "hostbasedkeytypes", oHostbasedKeyTypes },
|
||||||
{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
|
{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
|
||||||
{ "ignoreunknown", oIgnoreUnknown },
|
{ "ignoreunknown", oIgnoreUnknown },
|
||||||
|
{ "proxyjump", oProxyJump },
|
||||||
|
|
||||||
{ NULL, oBadOption }
|
{ NULL, oBadOption }
|
||||||
};
|
};
|
||||||
@ -249,9 +249,9 @@ diff --git a/openssh-7.2p2/readconf.c b/openssh-7.2p2/readconf.c
|
|||||||
void
|
void
|
||||||
add_local_forward(Options *options, const struct Forward *newfwd)
|
add_local_forward(Options *options, const struct Forward *newfwd)
|
||||||
{
|
{
|
||||||
@@ -1157,16 +1163,20 @@ parse_int:
|
@@ -1206,16 +1212,20 @@ parse_int:
|
||||||
filename, linenum);
|
if (*arg != '-' &&
|
||||||
if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
|
!kex_names_valid(*arg == '+' ? arg + 1 : arg))
|
||||||
fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
|
fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
|
||||||
filename, linenum, arg ? arg : "<NONE>");
|
filename, linenum, arg ? arg : "<NONE>");
|
||||||
if (*activep && options->kex_algorithms == NULL)
|
if (*activep && options->kex_algorithms == NULL)
|
||||||
@ -269,63 +269,62 @@ diff --git a/openssh-7.2p2/readconf.c b/openssh-7.2p2/readconf.c
|
|||||||
if (!arg || *arg == '\0')
|
if (!arg || *arg == '\0')
|
||||||
fatal("%.200s line %d: Missing argument.",
|
fatal("%.200s line %d: Missing argument.",
|
||||||
filename, linenum);
|
filename, linenum);
|
||||||
if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
|
if (*arg != '-' &&
|
||||||
@@ -1664,16 +1674,17 @@ initialize_options(Options * options)
|
@@ -1803,16 +1813,17 @@ initialize_options(Options * options)
|
||||||
|
options->port = -1;
|
||||||
options->address_family = -1;
|
options->address_family = -1;
|
||||||
options->connection_attempts = -1;
|
options->connection_attempts = -1;
|
||||||
options->connection_timeout = -1;
|
options->connection_timeout = -1;
|
||||||
options->number_of_password_prompts = -1;
|
options->number_of_password_prompts = -1;
|
||||||
options->cipher = -1;
|
|
||||||
options->ciphers = NULL;
|
options->ciphers = NULL;
|
||||||
options->macs = NULL;
|
options->macs = NULL;
|
||||||
options->kex_algorithms = NULL;
|
options->kex_algorithms = NULL;
|
||||||
+ options->kex_dhmin = -1;
|
+ options->kex_dhmin = -1;
|
||||||
options->hostkeyalgorithms = NULL;
|
options->hostkeyalgorithms = NULL;
|
||||||
options->protocol = SSH_PROTO_UNKNOWN;
|
|
||||||
options->num_identity_files = 0;
|
options->num_identity_files = 0;
|
||||||
options->num_certificate_files = 0;
|
options->num_certificate_files = 0;
|
||||||
options->hostname = NULL;
|
options->hostname = NULL;
|
||||||
options->host_key_alias = NULL;
|
options->host_key_alias = NULL;
|
||||||
options->proxy_command = NULL;
|
options->proxy_command = NULL;
|
||||||
options->user = NULL;
|
options->jump_user = NULL;
|
||||||
@@ -1805,16 +1816,23 @@ fill_default_options(Options * options)
|
options->jump_host = NULL;
|
||||||
|
@@ -1951,16 +1962,23 @@ fill_default_options(Options * options)
|
||||||
|
if (options->port == -1)
|
||||||
|
options->port = 0; /* Filled in ssh_connect. */
|
||||||
|
if (options->address_family == -1)
|
||||||
options->address_family = AF_UNSPEC;
|
options->address_family = AF_UNSPEC;
|
||||||
if (options->connection_attempts == -1)
|
if (options->connection_attempts == -1)
|
||||||
options->connection_attempts = 1;
|
options->connection_attempts = 1;
|
||||||
if (options->number_of_password_prompts == -1)
|
if (options->number_of_password_prompts == -1)
|
||||||
options->number_of_password_prompts = 3;
|
options->number_of_password_prompts = 3;
|
||||||
/* Selected in ssh_login(). */
|
|
||||||
if (options->cipher == -1)
|
|
||||||
options->cipher = SSH_CIPHER_NOT_SET;
|
|
||||||
+ if (options->kex_dhmin == -1)
|
+ if (options->kex_dhmin == -1)
|
||||||
+ options->kex_dhmin = DH_GRP_MIN_RFC;
|
+ options->kex_dhmin = DH_GRP_MIN_RFC;
|
||||||
+ else {
|
+ else {
|
||||||
+ options->kex_dhmin = MAX(options->kex_dhmin, DH_GRP_MIN_RFC);
|
+ options->kex_dhmin = MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC);
|
||||||
+ options->kex_dhmin = MIN(options->kex_dhmin, DH_GRP_MAX);
|
+ options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
||||||
+ }
|
+ }
|
||||||
+ dh_grp_min = options->kex_dhmin;
|
+ dh_grp_min = options->kex_dhmin;
|
||||||
/* options->hostkeyalgorithms, default set in myproposals.h */
|
/* options->hostkeyalgorithms, default set in myproposals.h */
|
||||||
if (options->protocol == SSH_PROTO_UNKNOWN)
|
|
||||||
options->protocol = SSH_PROTO_2;
|
|
||||||
if (options->add_keys_to_agent == -1)
|
if (options->add_keys_to_agent == -1)
|
||||||
options->add_keys_to_agent = 0;
|
options->add_keys_to_agent = 0;
|
||||||
if (options->num_identity_files == 0) {
|
if (options->num_identity_files == 0) {
|
||||||
if (options->protocol & SSH_PROTO_1) {
|
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_RSA, 0);
|
||||||
add_identity_file(options, "~/",
|
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0);
|
||||||
diff --git a/openssh-7.2p2/readconf.h b/openssh-7.2p2/readconf.h
|
#ifdef OPENSSL_HAS_ECC
|
||||||
--- a/openssh-7.2p2/readconf.h
|
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ECDSA, 0);
|
||||||
+++ b/openssh-7.2p2/readconf.h
|
diff --git a/openssh-7.6p1/readconf.h b/openssh-7.6p1/readconf.h
|
||||||
@@ -69,16 +69,17 @@ typedef struct {
|
--- a/openssh-7.6p1/readconf.h
|
||||||
|
+++ b/openssh-7.6p1/readconf.h
|
||||||
|
@@ -64,16 +64,17 @@ typedef struct {
|
||||||
|
int connection_timeout; /* Max time (seconds) before
|
||||||
* aborting connection attempt */
|
* aborting connection attempt */
|
||||||
int number_of_password_prompts; /* Max number of password
|
int number_of_password_prompts; /* Max number of password
|
||||||
* prompts. */
|
* prompts. */
|
||||||
int cipher; /* Cipher to use. */
|
|
||||||
char *ciphers; /* SSH2 ciphers in order of preference. */
|
char *ciphers; /* SSH2 ciphers in order of preference. */
|
||||||
char *macs; /* SSH2 macs in order of preference. */
|
char *macs; /* SSH2 macs in order of preference. */
|
||||||
char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */
|
char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */
|
||||||
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
||||||
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
||||||
int protocol; /* Protocol in order of preference. */
|
|
||||||
char *hostname; /* Real host to connect. */
|
char *hostname; /* Real host to connect. */
|
||||||
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
|
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
|
||||||
char *proxy_command; /* Proxy command for connecting the host. */
|
char *proxy_command; /* Proxy command for connecting the host. */
|
||||||
@ -333,9 +332,10 @@ diff --git a/openssh-7.2p2/readconf.h b/openssh-7.2p2/readconf.h
|
|||||||
int escape_char; /* Escape character; -2 = none */
|
int escape_char; /* Escape character; -2 = none */
|
||||||
|
|
||||||
u_int num_system_hostfiles; /* Paths for /etc/ssh/ssh_known_hosts */
|
u_int num_system_hostfiles; /* Paths for /etc/ssh/ssh_known_hosts */
|
||||||
diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
char *system_hostfiles[SSH_MAX_HOSTS_FILES];
|
||||||
--- a/openssh-7.2p2/servconf.c
|
diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||||
+++ b/openssh-7.2p2/servconf.c
|
--- a/openssh-7.6p1/servconf.c
|
||||||
|
+++ b/openssh-7.6p1/servconf.c
|
||||||
@@ -52,16 +52,20 @@
|
@@ -52,16 +52,20 @@
|
||||||
#include "channels.h"
|
#include "channels.h"
|
||||||
#include "groupaccess.h"
|
#include "groupaccess.h"
|
||||||
@ -357,7 +357,7 @@ diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
|||||||
extern int use_privsep;
|
extern int use_privsep;
|
||||||
extern Buffer cfg;
|
extern Buffer cfg;
|
||||||
|
|
||||||
@@ -134,16 +138,17 @@ initialize_server_options(ServerOptions
|
@@ -129,16 +133,17 @@ initialize_server_options(ServerOptions
|
||||||
options->allow_agent_forwarding = -1;
|
options->allow_agent_forwarding = -1;
|
||||||
options->num_allow_users = 0;
|
options->num_allow_users = 0;
|
||||||
options->num_deny_users = 0;
|
options->num_deny_users = 0;
|
||||||
@ -367,7 +367,6 @@ diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
|||||||
options->macs = NULL;
|
options->macs = NULL;
|
||||||
options->kex_algorithms = NULL;
|
options->kex_algorithms = NULL;
|
||||||
+ options->kex_dhmin = -1;
|
+ options->kex_dhmin = -1;
|
||||||
options->protocol = SSH_PROTO_UNKNOWN;
|
|
||||||
options->fwd_opts.gateway_ports = -1;
|
options->fwd_opts.gateway_ports = -1;
|
||||||
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
|
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
|
||||||
options->fwd_opts.streamlocal_bind_unlink = -1;
|
options->fwd_opts.streamlocal_bind_unlink = -1;
|
||||||
@ -375,7 +374,8 @@ diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
|||||||
options->max_startups_begin = -1;
|
options->max_startups_begin = -1;
|
||||||
options->max_startups_rate = -1;
|
options->max_startups_rate = -1;
|
||||||
options->max_startups = -1;
|
options->max_startups = -1;
|
||||||
@@ -199,16 +204,23 @@ fill_default_server_options(ServerOption
|
options->max_authtries = -1;
|
||||||
|
@@ -195,16 +200,24 @@ fill_default_server_options(ServerOption
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
/* Portable-specific options */
|
/* Portable-specific options */
|
||||||
@ -387,19 +387,20 @@ diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
|||||||
+ if (options->kex_dhmin == -1)
|
+ if (options->kex_dhmin == -1)
|
||||||
+ options->kex_dhmin = DH_GRP_MIN_RFC;
|
+ options->kex_dhmin = DH_GRP_MIN_RFC;
|
||||||
+ else {
|
+ else {
|
||||||
+ options->kex_dhmin = MAX(options->kex_dhmin, DH_GRP_MIN_RFC);
|
+ options->kex_dhmin = MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC);
|
||||||
+ options->kex_dhmin = MIN(options->kex_dhmin, DH_GRP_MAX);
|
+ options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
||||||
+ }
|
+ }
|
||||||
+ dh_grp_min = options->kex_dhmin;
|
+ dh_grp_min = options->kex_dhmin;
|
||||||
|
+
|
||||||
/* Standard Options */
|
/* Standard Options */
|
||||||
if (options->protocol == SSH_PROTO_UNKNOWN)
|
|
||||||
options->protocol = SSH_PROTO_2;
|
|
||||||
if (options->num_host_key_files == 0) {
|
if (options->num_host_key_files == 0) {
|
||||||
/* fill default hostkeys for protocols */
|
/* fill default hostkeys for protocols */
|
||||||
if (options->protocol & SSH_PROTO_1)
|
|
||||||
options->host_key_files[options->num_host_key_files++] =
|
options->host_key_files[options->num_host_key_files++] =
|
||||||
_PATH_HOST_KEY_FILE;
|
_PATH_HOST_RSA_KEY_FILE;
|
||||||
@@ -423,17 +435,18 @@ typedef enum {
|
options->host_key_files[options->num_host_key_files++] =
|
||||||
|
_PATH_HOST_DSA_KEY_FILE;
|
||||||
|
#ifdef OPENSSL_HAS_ECC
|
||||||
|
@@ -414,17 +427,18 @@ typedef enum {
|
||||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||||
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||||
sAcceptEnv, sPermitTunnel,
|
sAcceptEnv, sPermitTunnel,
|
||||||
@ -414,12 +415,12 @@ diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
|||||||
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
||||||
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
|
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
|
||||||
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
||||||
sAllowStreamLocalForwarding, sFingerprintHash,
|
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
|
||||||
sDeprecated, sUnsupported
|
sExposeAuthInfo,
|
||||||
|
sDeprecated, sIgnore, sUnsupported
|
||||||
} ServerOpCodes;
|
} ServerOpCodes;
|
||||||
|
|
||||||
#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
|
@@ -553,16 +567,17 @@ static struct {
|
||||||
@@ -561,16 +574,17 @@ static struct {
|
|
||||||
{ "permitopen", sPermitOpen, SSHCFG_ALL },
|
{ "permitopen", sPermitOpen, SSHCFG_ALL },
|
||||||
{ "forcecommand", sForceCommand, SSHCFG_ALL },
|
{ "forcecommand", sForceCommand, SSHCFG_ALL },
|
||||||
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
|
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
|
||||||
@ -437,9 +438,9 @@ diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
|||||||
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
|
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
|
||||||
{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
|
{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
|
||||||
{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
|
{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
|
||||||
@@ -1481,16 +1495,20 @@ process_server_config_line(ServerOptions
|
@@ -1502,16 +1517,20 @@ process_server_config_line(ServerOptions
|
||||||
filename, linenum);
|
if (*arg != '-' &&
|
||||||
if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
|
!kex_names_valid(*arg == '+' ? arg + 1 : arg))
|
||||||
fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
|
fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
|
||||||
filename, linenum, arg ? arg : "<NONE>");
|
filename, linenum, arg ? arg : "<NONE>");
|
||||||
if (options->kex_algorithms == NULL)
|
if (options->kex_algorithms == NULL)
|
||||||
@ -450,17 +451,17 @@ diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
|||||||
+ intptr = &options->kex_dhmin;
|
+ intptr = &options->kex_dhmin;
|
||||||
+ goto parse_int;
|
+ goto parse_int;
|
||||||
+
|
+
|
||||||
case sProtocol:
|
case sSubsystem:
|
||||||
intptr = &options->protocol;
|
if (options->num_subsystems >= MAX_SUBSYSTEMS) {
|
||||||
|
fatal("%s line %d: too many subsystems defined.",
|
||||||
|
filename, linenum);
|
||||||
|
}
|
||||||
arg = strdelim(&cp);
|
arg = strdelim(&cp);
|
||||||
if (!arg || *arg == '\0')
|
if (!arg || *arg == '\0')
|
||||||
fatal("%s line %d: Missing argument.", filename, linenum);
|
fatal("%s line %d: Missing subsystem name.",
|
||||||
value = proto_spec(arg);
|
@@ -2285,16 +2304,17 @@ dump_config(ServerOptions *o)
|
||||||
if (value == SSH_PROTO_UNKNOWN)
|
#endif
|
||||||
fatal("%s line %d: Bad protocol spec '%s'.",
|
|
||||||
@@ -2247,16 +2265,17 @@ dump_config(ServerOptions *o)
|
|
||||||
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
|
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
|
||||||
dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
|
|
||||||
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
|
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
|
||||||
dump_cfg_int(sMaxAuthTries, o->max_authtries);
|
dump_cfg_int(sMaxAuthTries, o->max_authtries);
|
||||||
dump_cfg_int(sMaxSessions, o->max_sessions);
|
dump_cfg_int(sMaxSessions, o->max_sessions);
|
||||||
@ -473,13 +474,13 @@ diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
|||||||
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
|
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
|
||||||
dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
|
dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
|
||||||
dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
|
dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
|
||||||
dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
|
|
||||||
dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
|
dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
|
||||||
dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
|
dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
|
||||||
diff --git a/openssh-7.2p2/servconf.h b/openssh-7.2p2/servconf.h
|
o->hostbased_uses_name_from_packet_only);
|
||||||
--- a/openssh-7.2p2/servconf.h
|
diff --git a/openssh-7.6p1/servconf.h b/openssh-7.6p1/servconf.h
|
||||||
+++ b/openssh-7.2p2/servconf.h
|
--- a/openssh-7.6p1/servconf.h
|
||||||
@@ -88,16 +88,17 @@ typedef struct {
|
+++ b/openssh-7.6p1/servconf.h
|
||||||
|
@@ -93,16 +93,17 @@ typedef struct {
|
||||||
int permit_user_rc; /* If false, deny ~/.ssh/rc execution */
|
int permit_user_rc; /* If false, deny ~/.ssh/rc execution */
|
||||||
int strict_modes; /* If true, require string home dir modes. */
|
int strict_modes; /* If true, require string home dir modes. */
|
||||||
int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
|
int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
|
||||||
@ -489,17 +490,17 @@ diff --git a/openssh-7.2p2/servconf.h b/openssh-7.2p2/servconf.h
|
|||||||
char *macs; /* Supported SSH2 macs. */
|
char *macs; /* Supported SSH2 macs. */
|
||||||
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
||||||
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
||||||
int protocol; /* Supported protocol versions. */
|
|
||||||
struct ForwardOptions fwd_opts; /* forwarding options */
|
struct ForwardOptions fwd_opts; /* forwarding options */
|
||||||
SyslogFacility log_facility; /* Facility for system logging. */
|
SyslogFacility log_facility; /* Facility for system logging. */
|
||||||
LogLevel log_level; /* Level for system logging. */
|
LogLevel log_level; /* Level for system logging. */
|
||||||
int rhosts_rsa_authentication; /* If true, permit rhosts RSA
|
|
||||||
* authentication. */
|
|
||||||
int hostbased_authentication; /* If true, permit ssh2 hostbased auth */
|
int hostbased_authentication; /* If true, permit ssh2 hostbased auth */
|
||||||
int hostbased_uses_name_from_packet_only; /* experimental */
|
int hostbased_uses_name_from_packet_only; /* experimental */
|
||||||
diff --git a/openssh-7.2p2/ssh_config b/openssh-7.2p2/ssh_config
|
char *hostbased_key_types; /* Key types allowed for hostbased */
|
||||||
--- a/openssh-7.2p2/ssh_config
|
char *hostkeyalgorithms; /* SSH2 server key types */
|
||||||
+++ b/openssh-7.2p2/ssh_config
|
int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */
|
||||||
|
diff --git a/openssh-7.6p1/ssh_config b/openssh-7.6p1/ssh_config
|
||||||
|
--- a/openssh-7.6p1/ssh_config
|
||||||
|
+++ b/openssh-7.6p1/ssh_config
|
||||||
@@ -12,16 +12,21 @@
|
@@ -12,16 +12,21 @@
|
||||||
# Any configuration value is only changed the first time it is set.
|
# Any configuration value is only changed the first time it is set.
|
||||||
# Thus, host-specific definitions should be at the beginning of the
|
# Thus, host-specific definitions should be at the beginning of the
|
||||||
@ -522,17 +523,17 @@ diff --git a/openssh-7.2p2/ssh_config b/openssh-7.2p2/ssh_config
|
|||||||
# should not forward X11 connections to your local X11-display for
|
# should not forward X11 connections to your local X11-display for
|
||||||
# security reasons: Someone stealing the authentification data on the
|
# security reasons: Someone stealing the authentification data on the
|
||||||
# remote side (the "spoofed" X-server by the remote sshd) can read your
|
# remote side (the "spoofed" X-server by the remote sshd) can read your
|
||||||
diff --git a/openssh-7.2p2/ssh_config.0 b/openssh-7.2p2/ssh_config.0
|
diff --git a/openssh-7.6p1/ssh_config.0 b/openssh-7.6p1/ssh_config.0
|
||||||
--- a/openssh-7.2p2/ssh_config.0
|
--- a/openssh-7.6p1/ssh_config.0
|
||||||
+++ b/openssh-7.2p2/ssh_config.0
|
+++ b/openssh-7.6p1/ssh_config.0
|
||||||
@@ -606,16 +606,33 @@ DESCRIPTION
|
@@ -584,16 +584,33 @@ DESCRIPTION
|
||||||
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||||
diffie-hellman-group-exchange-sha256,
|
diffie-hellman-group-exchange-sha256,
|
||||||
diffie-hellman-group-exchange-sha1,
|
diffie-hellman-group-exchange-sha1,
|
||||||
diffie-hellman-group14-sha1
|
diffie-hellman-group14-sha1
|
||||||
|
|
||||||
The list of available key exchange algorithms may also be
|
The list of available key exchange algorithms may also be
|
||||||
obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^].
|
obtained using "ssh -Q kex".
|
||||||
|
|
||||||
+ KexDHMin
|
+ KexDHMin
|
||||||
+ Specifies the minimum accepted bit length of the DH group
|
+ Specifies the minimum accepted bit length of the DH group
|
||||||
@ -555,22 +556,22 @@ diff --git a/openssh-7.2p2/ssh_config.0 b/openssh-7.2p2/ssh_config.0
|
|||||||
Specifies a command to execute on the local machine after
|
Specifies a command to execute on the local machine after
|
||||||
successfully connecting to the server. The command string
|
successfully connecting to the server. The command string
|
||||||
extends to the end of the line, and is executed with the user's
|
extends to the end of the line, and is executed with the user's
|
||||||
shell. The following escape character substitutions will be
|
shell. Arguments to LocalCommand accept the tokens described in
|
||||||
performed: M-bM-^@M-^X%dM-bM-^@M-^Y (local user's home directory), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host
|
the TOKENS section.
|
||||||
name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host name), M-bM-^@M-^X%nM-bM-^@M-^Y (host name as provided on the
|
|
||||||
command line), M-bM-^@M-^X%pM-bM-^@M-^Y (remote port), M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name) or
|
The command is run synchronously and does not have access to the
|
||||||
diff --git a/openssh-7.2p2/ssh_config.5 b/openssh-7.2p2/ssh_config.5
|
diff --git a/openssh-7.6p1/ssh_config.5 b/openssh-7.6p1/ssh_config.5
|
||||||
--- a/openssh-7.2p2/ssh_config.5
|
--- a/openssh-7.6p1/ssh_config.5
|
||||||
+++ b/openssh-7.2p2/ssh_config.5
|
+++ b/openssh-7.6p1/ssh_config.5
|
||||||
@@ -1092,16 +1092,32 @@ diffie-hellman-group14-sha1
|
@@ -1016,16 +1016,32 @@ curve25519-sha256,curve25519-sha256@libs
|
||||||
|
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||||
|
diffie-hellman-group-exchange-sha256,
|
||||||
|
diffie-hellman-group-exchange-sha1,
|
||||||
|
diffie-hellman-group14-sha1
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key exchange algorithms may also be obtained using the
|
The list of available key exchange algorithms may also be obtained using
|
||||||
.Fl Q
|
.Qq ssh -Q kex .
|
||||||
option of
|
|
||||||
.Xr ssh 1
|
|
||||||
with an argument of
|
|
||||||
.Dq kex .
|
|
||||||
+.It Cm KexDHMin
|
+.It Cm KexDHMin
|
||||||
+Specifies the minimum accepted bit length of the DH group
|
+Specifies the minimum accepted bit length of the DH group
|
||||||
+parameter p.
|
+parameter p.
|
||||||
@ -592,16 +593,16 @@ diff --git a/openssh-7.2p2/ssh_config.5 b/openssh-7.2p2/ssh_config.5
|
|||||||
connecting to the server.
|
connecting to the server.
|
||||||
The command string extends to the end of the line, and is executed with
|
The command string extends to the end of the line, and is executed with
|
||||||
the user's shell.
|
the user's shell.
|
||||||
The following escape character substitutions will be performed:
|
Arguments to
|
||||||
.Ql %d
|
.Cm LocalCommand
|
||||||
(local user's home directory),
|
accept the tokens described in the
|
||||||
diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
|
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
|
||||||
--- a/openssh-7.2p2/sshd_config
|
--- a/openssh-7.6p1/sshd_config
|
||||||
+++ b/openssh-7.2p2/sshd_config
|
+++ b/openssh-7.6p1/sshd_config
|
||||||
@@ -21,16 +21,21 @@
|
@@ -15,16 +15,21 @@
|
||||||
# HostKey for protocol version 1
|
#ListenAddress 0.0.0.0
|
||||||
#HostKey /etc/ssh/ssh_host_key
|
#ListenAddress ::
|
||||||
# HostKeys for protocol version 2
|
|
||||||
#HostKey /etc/ssh/ssh_host_rsa_key
|
#HostKey /etc/ssh/ssh_host_rsa_key
|
||||||
#HostKey /etc/ssh/ssh_host_dsa_key
|
#HostKey /etc/ssh/ssh_host_dsa_key
|
||||||
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||||
@ -612,25 +613,25 @@ diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
|
|||||||
+# Upstream default is identical to setting this to 2048.
|
+# Upstream default is identical to setting this to 2048.
|
||||||
+#KexDHMin 1024
|
+#KexDHMin 1024
|
||||||
+
|
+
|
||||||
# Lifetime and size of ephemeral version 1 server key
|
|
||||||
#KeyRegenerationInterval 1h
|
|
||||||
#ServerKeyBits 1024
|
|
||||||
|
|
||||||
# Ciphers and keying
|
# Ciphers and keying
|
||||||
#RekeyLimit default none
|
#RekeyLimit default none
|
||||||
|
|
||||||
# Logging
|
# Logging
|
||||||
diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0
|
#SyslogFacility AUTH
|
||||||
--- a/openssh-7.2p2/sshd_config.0
|
#LogLevel INFO
|
||||||
+++ b/openssh-7.2p2/sshd_config.0
|
|
||||||
@@ -539,16 +539,33 @@ DESCRIPTION
|
# Authentication:
|
||||||
curve25519-sha256@libssh.org,
|
diff --git a/openssh-7.6p1/sshd_config.0 b/openssh-7.6p1/sshd_config.0
|
||||||
|
--- a/openssh-7.6p1/sshd_config.0
|
||||||
|
+++ b/openssh-7.6p1/sshd_config.0
|
||||||
|
@@ -532,16 +532,33 @@ DESCRIPTION
|
||||||
|
curve25519-sha256,curve25519-sha256@libssh.org,
|
||||||
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||||
diffie-hellman-group-exchange-sha256,
|
diffie-hellman-group-exchange-sha256,
|
||||||
diffie-hellman-group14-sha1
|
diffie-hellman-group14-sha1
|
||||||
|
|
||||||
The list of available key exchange algorithms may also be
|
The list of available key exchange algorithms may also be
|
||||||
obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^].
|
obtained using "ssh -Q kex".
|
||||||
|
|
||||||
+ KexDHMin
|
+ KexDHMin
|
||||||
+ Specifies the minimum accepted bit length of the DH group
|
+ Specifies the minimum accepted bit length of the DH group
|
||||||
@ -649,26 +650,26 @@ diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0
|
|||||||
+ resort and all efforts should be made to fix the (broken)
|
+ resort and all efforts should be made to fix the (broken)
|
||||||
+ counterparty.
|
+ counterparty.
|
||||||
+
|
+
|
||||||
KeyRegenerationInterval
|
ListenAddress
|
||||||
In protocol version 1, the ephemeral server key is automatically
|
Specifies the local addresses sshd(8) should listen on. The
|
||||||
regenerated after this many seconds (if it has been used). The
|
following forms may be used:
|
||||||
purpose of regeneration is to prevent decrypting captured
|
|
||||||
sessions by later breaking into the machine and stealing the
|
|
||||||
keys. The key is never stored anywhere. If the value is 0, the
|
|
||||||
key is never regenerated. The default is 3600 (seconds).
|
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
|
ListenAddress host|IPv4_addr|IPv6_addr
|
||||||
--- a/openssh-7.2p2/sshd_config.5
|
ListenAddress host|IPv4_addr:port
|
||||||
+++ b/openssh-7.2p2/sshd_config.5
|
ListenAddress [host|IPv6_addr]:port
|
||||||
@@ -895,16 +895,32 @@ diffie-hellman-group14-sha1
|
|
||||||
|
diff --git a/openssh-7.6p1/sshd_config.5 b/openssh-7.6p1/sshd_config.5
|
||||||
|
--- a/openssh-7.6p1/sshd_config.5
|
||||||
|
+++ b/openssh-7.6p1/sshd_config.5
|
||||||
|
@@ -893,16 +893,32 @@ The default is:
|
||||||
|
curve25519-sha256,curve25519-sha256@libssh.org,
|
||||||
|
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||||
|
diffie-hellman-group-exchange-sha256,
|
||||||
|
diffie-hellman-group14-sha1
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key exchange algorithms may also be obtained using the
|
The list of available key exchange algorithms may also be obtained using
|
||||||
.Fl Q
|
.Qq ssh -Q kex .
|
||||||
option of
|
|
||||||
.Xr ssh 1
|
|
||||||
with an argument of
|
|
||||||
.Dq kex .
|
|
||||||
+.It Cm KexDHMin
|
+.It Cm KexDHMin
|
||||||
+Specifies the minimum accepted bit length of the DH group
|
+Specifies the minimum accepted bit length of the DH group
|
||||||
+parameter p.
|
+parameter p.
|
||||||
@ -685,11 +686,11 @@ diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
|
|||||||
+security and thus should be viewed as a temporary fix of last
|
+security and thus should be viewed as a temporary fix of last
|
||||||
+resort and all efforts should be made to fix the (broken)
|
+resort and all efforts should be made to fix the (broken)
|
||||||
+counterparty.
|
+counterparty.
|
||||||
.It Cm KeyRegenerationInterval
|
.It Cm ListenAddress
|
||||||
In protocol version 1, the ephemeral server key is automatically regenerated
|
Specifies the local addresses
|
||||||
after this many seconds (if it has been used).
|
.Xr sshd 8
|
||||||
The purpose of regeneration is to prevent
|
should listen on.
|
||||||
decrypting captured sessions by later breaking into the machine and
|
The following forms may be used:
|
||||||
stealing the keys.
|
.Pp
|
||||||
The key is never stored anywhere.
|
.Bl -item -offset indent -compact
|
||||||
If the value is 0, the key is never regenerated.
|
.It
|
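--- a/openssh-7.6p1-eal3.patch
+++ b/openssh-7.6p1-eal3.patch
@@ -0,0 +1,27 @@
+# HG changeset patch
+# Parent 9797aecac98b26573a295fd75128b7c68dfc5aad
+fix paths and references in sshd man pages
+
+diff --git a/openssh-7.6p1/Makefile.in b/openssh-7.6p1/Makefile.in
+--- a/openssh-7.6p1/Makefile.in
++++ b/openssh-7.6p1/Makefile.in
+@@ -119,17 +119,18 @@ MANTYPE = @MANTYPE@
+CONFIGFILES=sshd_config.out ssh_config.out moduli.out
+CONFIGFILES_IN=sshd_config ssh_config moduli
+
+PATHSUBS = \
+-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
+-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
+-e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \
+-e 's|/usr/libexec|$(libexecdir)|g' \
+- -e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \
++ -e 's|login\.conf|login.defs|g' \
++ -e 's|/etc/shosts.equiv|$(sysconfdir)/ssh/shosts.equiv|g' \
+-e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \
+-e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \
+-e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \
+-e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \
+-e 's|/etc/ssh/ssh_host_ed25519_key|$(sysconfdir)/ssh_host_ed25519_key|g' \
+-e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \
+-e 's|/etc/moduli|$(sysconfdir)/moduli|g' \
+-e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \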
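--- a/openssh-7.6p1-enable_PAM_by_default.patch
+++ b/openssh-7.6p1-enable_PAM_by_default.patch
@@ -0,0 +1,28 @@
+# HG changeset patch
+# Parent d47e806f23ad0649ef38b24e8cb9d5617e5d5d15
+# force PAM in defaullt install (this was removed from upstream in 3.8p1)
+# bnc#46749
+# --used to be called '-pam-fix2'
+
+diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
+--- a/openssh-7.6p1/sshd_config
++++ b/openssh-7.6p1/sshd_config
+@@ -75,17 +75,17 @@ AuthorizedKeysFile .ssh/authorized_keys
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+-#UsePAM no
++UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes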
@ -1,24 +1,24 @@
|
|||||||
# HG changeset patch
|
# HG changeset patch
|
||||||
# Parent f7ba2081f120bd1e44dbe68737c898f078725aab
|
# Parent e4a7e5799420a3d4b8047c5984c75c4bd4331951
|
||||||
# -- uset do be called '-xauthlocalhostname'
|
# -- uset do be called '-xauthlocalhostname'
|
||||||
handle hostname changes when forwarding X
|
handle hostname changes when forwarding X
|
||||||
|
|
||||||
bnc#98627
|
bnc#98627
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
|
diff --git a/openssh-7.6p1/session.c b/openssh-7.6p1/session.c
|
||||||
--- a/openssh-7.2p2/session.c
|
--- a/openssh-7.6p1/session.c
|
||||||
+++ b/openssh-7.2p2/session.c
|
+++ b/openssh-7.6p1/session.c
|
||||||
@@ -1154,17 +1154,17 @@ copy_environment(char **source, char ***
|
@@ -953,17 +953,17 @@ copy_environment_blacklist(char **source
|
||||||
debug3("Copy environment: %s=%s", var_name, var_val);
|
|
||||||
child_set_env(env, envsize, var_name, var_val);
|
|
||||||
|
|
||||||
free(var_name);
|
void
|
||||||
}
|
copy_environment(char **source, char ***env, u_int *envsize)
|
||||||
|
{
|
||||||
|
copy_environment_blacklist(source, env, envsize, NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
static char **
|
static char **
|
||||||
-do_setup_env(Session *s, const char *shell)
|
-do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
||||||
+do_setup_env(Session *s, const char *shell, int *env_size)
|
+do_setup_env(struct ssh *ssh, Session *s, const char *shell, int *env_size)
|
||||||
{
|
{
|
||||||
char buf[256];
|
char buf[256];
|
||||||
u_int i, envsize;
|
u_int i, envsize;
|
||||||
@ -27,7 +27,7 @@ diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
|
|||||||
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
|
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
|
||||||
char *path = NULL;
|
char *path = NULL;
|
||||||
#endif
|
#endif
|
||||||
@@ -1341,25 +1341,27 @@ do_setup_env(Session *s, const char *she
|
@@ -1142,25 +1142,27 @@ do_setup_env(struct ssh *ssh, Session *s
|
||||||
read_environment_file(&env, &envsize, buf);
|
read_environment_file(&env, &envsize, buf);
|
||||||
}
|
}
|
||||||
if (debug_flag) {
|
if (debug_flag) {
|
||||||
@ -56,7 +56,7 @@ diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
|
|||||||
|
|
||||||
do_xauth =
|
do_xauth =
|
||||||
s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
|
s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
|
||||||
@@ -1404,22 +1406,30 @@ do_rc_files(Session *s, const char *shel
|
@@ -1205,22 +1207,30 @@ do_rc_files(Session *s, const char *shel
|
||||||
"%.500s add %.100s %.100s %.100s\n",
|
"%.500s add %.100s %.100s %.100s\n",
|
||||||
options.xauth_location, s->auth_display,
|
options.xauth_location, s->auth_display,
|
||||||
s->auth_proto, s->auth_data);
|
s->auth_proto, s->auth_data);
|
||||||
@ -87,25 +87,25 @@ diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
@@ -1681,16 +1691,17 @@ child_close_fds(void)
|
@@ -1461,16 +1471,17 @@ child_close_fds(struct ssh *ssh)
|
||||||
* ids, and executing the command or shell.
|
* ids, and executing the command or shell.
|
||||||
*/
|
*/
|
||||||
#define ARGV_MAX 10
|
#define ARGV_MAX 10
|
||||||
void
|
void
|
||||||
do_child(Session *s, const char *command)
|
do_child(struct ssh *ssh, Session *s, const char *command)
|
||||||
{
|
{
|
||||||
extern char **environ;
|
extern char **environ;
|
||||||
char **env;
|
char **env;
|
||||||
+ int env_size;
|
+ int env_size;
|
||||||
char *argv[ARGV_MAX];
|
char *argv[ARGV_MAX];
|
||||||
const char *shell, *shell0, *hostname = NULL;
|
const char *shell, *shell0;
|
||||||
struct passwd *pw = s->pw;
|
struct passwd *pw = s->pw;
|
||||||
int r = 0;
|
int r = 0;
|
||||||
|
|
||||||
/* remove hostkey from the child's memory */
|
/* remove hostkey from the child's memory */
|
||||||
destroy_sensitive_data();
|
destroy_sensitive_data();
|
||||||
|
packet_clear_keys();
|
||||||
@@ -1747,17 +1758,17 @@ do_child(Session *s, const char *command
|
@@ -1522,17 +1533,17 @@ do_child(struct ssh *ssh, Session *s, co
|
||||||
* legal, and means /bin/sh.
|
* legal, and means /bin/sh.
|
||||||
*/
|
*/
|
||||||
shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
|
shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
|
||||||
@ -114,17 +114,18 @@ diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
|
|||||||
* Make sure $SHELL points to the shell from the password file,
|
* Make sure $SHELL points to the shell from the password file,
|
||||||
* even if shell is overridden from login.conf
|
* even if shell is overridden from login.conf
|
||||||
*/
|
*/
|
||||||
- env = do_setup_env(s, shell);
|
- env = do_setup_env(ssh, s, shell);
|
||||||
+ env = do_setup_env(s, shell, &env_size);
|
+ env = do_setup_env(ssh, s, shell, &env_size);
|
||||||
|
|
||||||
#ifdef HAVE_LOGIN_CAP
|
#ifdef HAVE_LOGIN_CAP
|
||||||
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
|
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* we have to stash the hostname before we close our socket. */
|
/*
|
||||||
if (options.use_login)
|
* Close the connection descriptors; note that this is the child, and
|
||||||
hostname = get_remote_name_or_ip(utmp_len,
|
* the server will still have the socket open, and it is important
|
||||||
@@ -1816,17 +1827,17 @@ do_child(Session *s, const char *command
|
@@ -1586,17 +1597,17 @@ do_child(struct ssh *ssh, Session *s, co
|
||||||
|
strerror(errno));
|
||||||
}
|
}
|
||||||
if (r)
|
if (r)
|
||||||
exit(1);
|
exit(1);
|
||||||
@ -132,7 +133,6 @@ diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
|
|||||||
|
|
||||||
closefrom(STDERR_FILENO + 1);
|
closefrom(STDERR_FILENO + 1);
|
||||||
|
|
||||||
if (!options.use_login)
|
|
||||||
- do_rc_files(s, shell);
|
- do_rc_files(s, shell);
|
||||||
+ do_rc_files(s, shell, env, &env_size);
|
+ do_rc_files(s, shell, env, &env_size);
|
||||||
|
|
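Review bot: `int env_size;` is added to do_child without an initialiser and its address is handed to do_setup_env and afterwards to do_rc_files; whether do_setup_env stores to `*env_size` on every return path is not visible in this hunk, so if any path leaves it untouched, do_rc_files works from an indeterminate environment size. The counter do_setup_env keeps for itself is `u_int envsize` (shown in the hunk), so the out-parameter also has mismatched signedness with what it presumably mirrors. Initialise it at the declaration, `int env_size = 0;`, and consider making the parameter `u_int *` so the two cannot drift apart. do_child and do_setup_env both start and end outside this hunk.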
@ -1,11 +1,11 @@
|
|||||||
# HG changeset patch
|
# HG changeset patch
|
||||||
# Parent 79c00e0f450c33b3f545ef104112b55186290e2c
|
# Parent b26f93cf21e4cfff1212ad2e61696ad099cfaf5e
|
||||||
# set uid for functions that use it to seek in lastlog and wtmp files
|
# set uid for functions that use it to seek in lastlog and wtmp files
|
||||||
# bnc#18024 (was suse #3024)
|
# bnc#18024 (was suse #3024)
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/sshlogin.c b/openssh-7.2p2/sshlogin.c
|
diff --git a/openssh-7.6p1/sshlogin.c b/openssh-7.6p1/sshlogin.c
|
||||||
--- a/openssh-7.2p2/sshlogin.c
|
--- a/openssh-7.6p1/sshlogin.c
|
||||||
+++ b/openssh-7.2p2/sshlogin.c
|
+++ b/openssh-7.6p1/sshlogin.c
|
||||||
@@ -129,16 +129,17 @@ record_login(pid_t pid, const char *tty,
|
@@ -129,16 +129,17 @@ record_login(pid_t pid, const char *tty,
|
||||||
{
|
{
|
||||||
struct logininfo *li;
|
struct logininfo *li;
|
@ -1,14 +1,14 @@
|
|||||||
# HG changeset patch
|
# HG changeset patch
|
||||||
# Parent ac7f843cd7ebec413691d51823cdc67b611abdff
|
# Parent ee0459c1b5173da57f9b3a6e62b232dcf9b3a029
|
||||||
new option UsePAMCheckLocks to enforce checking for locked accounts while
|
new option UsePAMCheckLocks to enforce checking for locked accounts while
|
||||||
UsePAM is used
|
UsePAM is used
|
||||||
|
|
||||||
bnc#708678, FATE#312033
|
bnc#708678, FATE#312033
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/auth.c b/openssh-7.2p2/auth.c
|
diff --git a/openssh-7.6p1/auth.c b/openssh-7.6p1/auth.c
|
||||||
--- a/openssh-7.2p2/auth.c
|
--- a/openssh-7.6p1/auth.c
|
||||||
+++ b/openssh-7.2p2/auth.c
|
+++ b/openssh-7.6p1/auth.c
|
||||||
@@ -104,17 +104,17 @@ allowed_user(struct passwd * pw)
|
@@ -105,17 +105,17 @@ allowed_user(struct passwd * pw)
|
||||||
struct spwd *spw = NULL;
|
struct spwd *spw = NULL;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -27,7 +27,7 @@ diff --git a/openssh-7.2p2/auth.c b/openssh-7.2p2/auth.c
|
|||||||
#endif /* USE_SHADOW */
|
#endif /* USE_SHADOW */
|
||||||
|
|
||||||
/* grab passwd field for locked account check */
|
/* grab passwd field for locked account check */
|
||||||
@@ -124,17 +124,17 @@ allowed_user(struct passwd * pw)
|
@@ -125,17 +125,17 @@ allowed_user(struct passwd * pw)
|
||||||
#ifdef USE_LIBIAF
|
#ifdef USE_LIBIAF
|
||||||
passwd = get_iaf_password(pw);
|
passwd = get_iaf_password(pw);
|
||||||
#else
|
#else
|
||||||
@ -46,9 +46,9 @@ diff --git a/openssh-7.2p2/auth.c b/openssh-7.2p2/auth.c
|
|||||||
#endif
|
#endif
|
||||||
#ifdef LOCKED_PASSWD_PREFIX
|
#ifdef LOCKED_PASSWD_PREFIX
|
||||||
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
|
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
|
||||||
diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||||
--- a/openssh-7.2p2/servconf.c
|
--- a/openssh-7.6p1/servconf.c
|
||||||
+++ b/openssh-7.2p2/servconf.c
|
+++ b/openssh-7.6p1/servconf.c
|
||||||
@@ -69,16 +69,17 @@ extern Buffer cfg;
|
@@ -69,16 +69,17 @@ extern Buffer cfg;
|
||||||
|
|
||||||
void
|
void
|
||||||
@ -67,7 +67,7 @@ diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
|||||||
options->num_queued_listens = 0;
|
options->num_queued_listens = 0;
|
||||||
options->listen_addrs = NULL;
|
options->listen_addrs = NULL;
|
||||||
options->address_family = -1;
|
options->address_family = -1;
|
||||||
@@ -195,16 +196,18 @@ assemble_algorithms(ServerOptions *o)
|
@@ -191,16 +192,18 @@ assemble_algorithms(ServerOptions *o)
|
||||||
void
|
void
|
||||||
fill_default_server_options(ServerOptions *options)
|
fill_default_server_options(ServerOptions *options)
|
||||||
{
|
{
|
||||||
@ -80,13 +80,13 @@ diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
|||||||
+ options->use_pam_check_locks = 0;
|
+ options->use_pam_check_locks = 0;
|
||||||
|
|
||||||
/* Standard Options */
|
/* Standard Options */
|
||||||
if (options->protocol == SSH_PROTO_UNKNOWN)
|
|
||||||
options->protocol = SSH_PROTO_2;
|
|
||||||
if (options->num_host_key_files == 0) {
|
if (options->num_host_key_files == 0) {
|
||||||
/* fill default hostkeys for protocols */
|
/* fill default hostkeys for protocols */
|
||||||
if (options->protocol & SSH_PROTO_1)
|
|
||||||
options->host_key_files[options->num_host_key_files++] =
|
options->host_key_files[options->num_host_key_files++] =
|
||||||
@@ -391,17 +394,17 @@ fill_default_server_options(ServerOption
|
_PATH_HOST_RSA_KEY_FILE;
|
||||||
|
options->host_key_files[options->num_host_key_files++] =
|
||||||
|
_PATH_HOST_DSA_KEY_FILE;
|
||||||
|
@@ -382,17 +385,17 @@ fill_default_server_options(ServerOption
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
}
|
}
|
||||||
@ -98,14 +98,14 @@ diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
|||||||
- sUsePAM,
|
- sUsePAM,
|
||||||
+ sUsePAM, sUsePAMChecklocks,
|
+ sUsePAM, sUsePAMChecklocks,
|
||||||
/* Standard Options */
|
/* Standard Options */
|
||||||
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime,
|
sPort, sHostKeyFile, sLoginGraceTime,
|
||||||
sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
|
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||||
sKerberosGetAFSToken,
|
sKerberosGetAFSToken,
|
||||||
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
||||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||||
@@ -441,18 +444,20 @@ typedef enum {
|
@@ -433,18 +436,20 @@ typedef enum {
|
||||||
static struct {
|
static struct {
|
||||||
const char *name;
|
const char *name;
|
||||||
ServerOpCodes opcode;
|
ServerOpCodes opcode;
|
||||||
@ -126,7 +126,7 @@ diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
|||||||
{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
|
{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
|
||||||
{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
|
{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
|
||||||
{ "pidfile", sPidFile, SSHCFG_GLOBAL },
|
{ "pidfile", sPidFile, SSHCFG_GLOBAL },
|
||||||
@@ -1005,16 +1010,19 @@ process_server_config_line(ServerOptions
|
@@ -1040,16 +1045,19 @@ process_server_config_line(ServerOptions
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -146,10 +146,10 @@ diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
|||||||
/* ignore ports from configfile if cmdline specifies ports */
|
/* ignore ports from configfile if cmdline specifies ports */
|
||||||
if (options->ports_from_cmdline)
|
if (options->ports_from_cmdline)
|
||||||
return 0;
|
return 0;
|
||||||
diff --git a/openssh-7.2p2/servconf.h b/openssh-7.2p2/servconf.h
|
diff --git a/openssh-7.6p1/servconf.h b/openssh-7.6p1/servconf.h
|
||||||
--- a/openssh-7.2p2/servconf.h
|
--- a/openssh-7.6p1/servconf.h
|
||||||
+++ b/openssh-7.2p2/servconf.h
|
+++ b/openssh-7.6p1/servconf.h
|
||||||
@@ -167,16 +167,17 @@ typedef struct {
|
@@ -168,16 +168,17 @@ typedef struct {
|
||||||
*/
|
*/
|
||||||
|
|
||||||
u_int num_authkeys_files; /* Files containing public keys */
|
u_int num_authkeys_files; /* Files containing public keys */
|
||||||
@ -162,22 +162,22 @@ diff --git a/openssh-7.2p2/servconf.h b/openssh-7.2p2/servconf.h
|
|||||||
|
|
||||||
int permit_tun;
|
int permit_tun;
|
||||||
|
|
||||||
int num_permitted_opens;
|
char **permitted_opens;
|
||||||
|
u_int num_permitted_opens; /* May also be one of PERMITOPEN_* */
|
||||||
|
|
||||||
char *chroot_directory;
|
char *chroot_directory;
|
||||||
char *revoked_keys_file;
|
char *revoked_keys_file;
|
||||||
char *trusted_user_ca_keys;
|
diff --git a/openssh-7.6p1/sshd_config.0 b/openssh-7.6p1/sshd_config.0
|
||||||
diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0
|
--- a/openssh-7.6p1/sshd_config.0
|
||||||
--- a/openssh-7.2p2/sshd_config.0
|
+++ b/openssh-7.6p1/sshd_config.0
|
||||||
+++ b/openssh-7.2p2/sshd_config.0
|
@@ -901,16 +901,24 @@ DESCRIPTION
|
||||||
@@ -946,16 +946,24 @@ DESCRIPTION
|
|
||||||
|
|
||||||
Because PAM challenge-response authentication usually serves an
|
Because PAM challenge-response authentication usually serves an
|
||||||
equivalent role to password authentication, you should disable
|
equivalent role to password authentication, you should disable
|
||||||
either PasswordAuthentication or ChallengeResponseAuthentication.
|
either PasswordAuthentication or ChallengeResponseAuthentication.
|
||||||
|
|
||||||
If UsePAM is enabled, you will not be able to run sshd(8) as a
|
If UsePAM is enabled, you will not be able to run sshd(8) as a
|
||||||
non-root user. The default is M-bM-^@M-^\noM-bM-^@M-^].
|
non-root user. The default is no.
|
||||||
|
|
||||||
+ UsePAMCheckLocks
|
+ UsePAMCheckLocks
|
||||||
+ When set to ``yes'', the checks whether the account has been
|
+ When set to ``yes'', the checks whether the account has been
|
||||||
@ -187,18 +187,18 @@ diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0
|
|||||||
+ to set up the session and some PAM modules will not check whether
|
+ to set up the session and some PAM modules will not check whether
|
||||||
+ the account is locked in this scenario). The default is ``no''.
|
+ the account is locked in this scenario). The default is ``no''.
|
||||||
+
|
+
|
||||||
UsePrivilegeSeparation
|
VersionAddendum
|
||||||
Specifies whether sshd(8) separates privileges by creating an
|
Optionally specifies additional text to append to the SSH
|
||||||
unprivileged child process to deal with incoming network traffic.
|
protocol banner sent by the server upon connection. The default
|
||||||
After successful authentication, another process will be created
|
is none.
|
||||||
that has the privilege of the authenticated user. The goal of
|
|
||||||
privilege separation is to prevent privilege escalation by
|
X11DisplayOffset
|
||||||
containing any corruption within the unprivileged processes. The
|
Specifies the first display number available for sshd(8)'s X11
|
||||||
argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or M-bM-^@M-^\sandboxM-bM-^@M-^]. If
|
forwarding. This prevents sshd from interfering with real X11
|
||||||
diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
|
diff --git a/openssh-7.6p1/sshd_config.5 b/openssh-7.6p1/sshd_config.5
|
||||||
--- a/openssh-7.2p2/sshd_config.5
|
--- a/openssh-7.6p1/sshd_config.5
|
||||||
+++ b/openssh-7.2p2/sshd_config.5
|
+++ b/openssh-7.6p1/sshd_config.5
|
||||||
@@ -1578,16 +1578,28 @@ or
|
@@ -1496,16 +1496,28 @@ or
|
||||||
.Pp
|
.Pp
|
||||||
If
|
If
|
||||||
.Cm UsePAM
|
.Cm UsePAM
|
||||||
@ -206,7 +206,7 @@ diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
|
|||||||
.Xr sshd 8
|
.Xr sshd 8
|
||||||
as a non-root user.
|
as a non-root user.
|
||||||
The default is
|
The default is
|
||||||
.Dq no .
|
.Cm no .
|
||||||
+.It Cm UsePAMCheckLocks
|
+.It Cm UsePAMCheckLocks
|
||||||
+When set to
|
+When set to
|
||||||
+.Dq yes
|
+.Dq yes
|
||||||
@ -219,11 +219,11 @@ diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
|
|||||||
+modules will not check whether the account is locked in this scenario). The
|
+modules will not check whether the account is locked in this scenario). The
|
||||||
+default is
|
+default is
|
||||||
+.Dq no .
|
+.Dq no .
|
||||||
.It Cm UsePrivilegeSeparation
|
.It Cm VersionAddendum
|
||||||
Specifies whether
|
Optionally specifies additional text to append to the SSH protocol banner
|
||||||
.Xr sshd 8
|
sent by the server upon connection.
|
||||||
separates privileges by creating an unprivileged child process
|
The default is
|
||||||
to deal with incoming network traffic.
|
.Cm none .
|
||||||
After successful authentication, another process will be created that has
|
.It Cm X11DisplayOffset
|
||||||
the privilege of the authenticated user.
|
Specifies the first display number available for
|
||||||
The goal of privilege separation is to prevent privilege
|
.Xr sshd 8 Ns 's
|
@ -1,12 +1,12 @@
|
|||||||
# HG changeset patch
|
# HG changeset patch
|
||||||
# Parent 787bc0aab11e5a7b6510c8dbf771958743ca25b0
|
# Parent 6dd892b74f13d258dc1bb3a70db7397dfb46c5e0
|
||||||
# use same lines naming as utempter (prevents problems with using different
|
# use same lines naming as utempter (prevents problems with using different
|
||||||
# formats in ?tmp? files)
|
# formats in ?tmp? files)
|
||||||
# --used to be called '-pts'
|
# --used to be called '-pts'
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/loginrec.c b/openssh-7.2p2/loginrec.c
|
diff --git a/openssh-7.6p1/loginrec.c b/openssh-7.6p1/loginrec.c
|
||||||
--- a/openssh-7.2p2/loginrec.c
|
--- a/openssh-7.6p1/loginrec.c
|
||||||
+++ b/openssh-7.2p2/loginrec.c
|
+++ b/openssh-7.6p1/loginrec.c
|
||||||
@@ -541,17 +541,17 @@ getlast_entry(struct logininfo *li)
|
@@ -541,17 +541,17 @@ getlast_entry(struct logininfo *li)
|
||||||
/*
|
/*
|
||||||
* 'line' string utility functions
|
* 'line' string utility functions
|
@ -1,20 +1,20 @@
|
|||||||
# HG changeset patch
|
# HG changeset patch
|
||||||
# Parent 18c2690afd988b9cb0fd0fa927d02cf5336dce9c
|
# Parent 2c6d52d1229cbfd1cd4b7b356bb649470df4d3b3
|
||||||
# --used to be called '-xauth'
|
# --used to be called '-xauth'
|
||||||
try to remove xauth cookies on logout
|
try to remove xauth cookies on logout
|
||||||
|
|
||||||
bnc#98815
|
bnc#98815
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
|
diff --git a/openssh-7.6p1/session.c b/openssh-7.6p1/session.c
|
||||||
--- a/openssh-7.2p2/session.c
|
--- a/openssh-7.6p1/session.c
|
||||||
+++ b/openssh-7.2p2/session.c
|
+++ b/openssh-7.6p1/session.c
|
||||||
@@ -2540,16 +2540,44 @@ session_close(Session *s)
|
@@ -2294,16 +2294,44 @@ session_close(struct ssh *ssh, Session *
|
||||||
u_int i;
|
u_int i;
|
||||||
|
|
||||||
verbose("Close session: user %s from %.200s port %d id %d",
|
verbose("Close session: user %s from %.200s port %d id %d",
|
||||||
s->pw->pw_name,
|
s->pw->pw_name,
|
||||||
get_remote_ipaddr(),
|
ssh_remote_ipaddr(ssh),
|
||||||
get_remote_port(),
|
ssh_remote_port(ssh),
|
||||||
s->self);
|
s->self);
|
||||||
|
|
||||||
+ if ((s->display != NULL) && (s->auth_proto != NULL) &&
|
+ if ((s->display != NULL) && (s->auth_proto != NULL) &&
|
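--- a/openssh-7.6p1-seccomp_geteuid.patch
+++ b/openssh-7.6p1-seccomp_geteuid.patch
@@ -0,0 +1,34 @@
+# HG changeset patch
+# Parent 85f3cd6c8291c7feb0c1e7a0a3645c130532d206
+Add the 'geteuid' syscall to allowed list, since it may becalled on the
+mainframes when OpenSSL is using hardware crypto accelerator via libica
+(via ibmica)
+
+bsc#1004258
+
+diff --git a/openssh-7.6p1/sandbox-seccomp-filter.c b/openssh-7.6p1/sandbox-seccomp-filter.c
+--- a/openssh-7.6p1/sandbox-seccomp-filter.c
++++ b/openssh-7.6p1/sandbox-seccomp-filter.c
+@@ -161,16 +161,22 @@ static const struct sock_filter preauth_
+SC_ALLOW(__NR_close),
+#endif
+#ifdef __NR_exit
+SC_ALLOW(__NR_exit),
+#endif
+#ifdef __NR_exit_group
+SC_ALLOW(__NR_exit_group),
+#endif
++#ifdef __NR_geteuid
++ SC_ALLOW(__NR_geteuid),
++#endif
++#ifdef __NR_geteuid32
++ SC_ALLOW(__NR_geteuid32),
++#endif
+#ifdef __NR_getpgid
+SC_ALLOW(__NR_getpgid),
+#endif
+#ifdef __NR_getpid
+SC_ALLOW(__NR_getpid),
+#endif
+#ifdef __NR_getrandom
+SC_ALLOW(__NR_getrandom),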
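--- a/openssh-7.6p1-seccomp_getuid.patch
+++ b/openssh-7.6p1-seccomp_getuid.patch
@@ -0,0 +1,31 @@
+# HG changeset patch
+# Parent 004731f82470b22b9bd563ef3216034cf00ba133
+add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread
+from being killed by the seccomp filter
+
+diff --git a/openssh-7.6p1/sandbox-seccomp-filter.c b/openssh-7.6p1/sandbox-seccomp-filter.c
+--- a/openssh-7.6p1/sandbox-seccomp-filter.c
++++ b/openssh-7.6p1/sandbox-seccomp-filter.c
+@@ -173,16 +173,22 @@ static const struct sock_filter preauth_
+SC_ALLOW(__NR_getpid),
+#endif
+#ifdef __NR_getrandom
+SC_ALLOW(__NR_getrandom),
+#endif
+#ifdef __NR_gettimeofday
+SC_ALLOW(__NR_gettimeofday),
+#endif
++#ifdef __NR_getuid
++ SC_ALLOW(__NR_getuid),
++#endif
++#ifdef __NR_getuid32
++ SC_ALLOW(__NR_getuid32),
++#endif
+#ifdef __NR_madvise
+SC_ALLOW(__NR_madvise),
+#endif
+#ifdef __NR_mmap
+SC_ALLOW(__NR_mmap),
+#endif
+#ifdef __NR_mmap2
+SC_ALLOW(__NR_mmap2),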
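--- a/openssh-7.6p1-seccomp_stat.patch
+++ b/openssh-7.6p1-seccomp_stat.patch
@@ -0,0 +1,30 @@
+# HG changeset patch
+# Parent ddbb42a2825e7e837d7b0387b79a9542c7869174
+Allow the stat() syscall for OpenSSL re-seed patch
+(which causes OpenSSL use stat() on some file)
+
+bnc#912436
+
+diff --git a/openssh-7.6p1/sandbox-seccomp-filter.c b/openssh-7.6p1/sandbox-seccomp-filter.c
+--- a/openssh-7.6p1/sandbox-seccomp-filter.c
++++ b/openssh-7.6p1/sandbox-seccomp-filter.c
+@@ -224,16 +224,19 @@ static const struct sock_filter preauth_
+SC_ALLOW(__NR_select),
+#endif
+#ifdef __NR_shutdown
+SC_ALLOW(__NR_shutdown),
+#endif
+#ifdef __NR_sigprocmask
+SC_ALLOW(__NR_sigprocmask),
+#endif
++#ifdef __NR_stat
++ SC_ALLOW(__NR_stat),
++#endif
+#ifdef __NR_time
+SC_ALLOW(__NR_time),
+#endif
+#ifdef __NR_write
+SC_ALLOW(__NR_write),
+#endif
+#ifdef __NR_socketcall
+SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),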
@ -1,11 +1,11 @@
|
|||||||
# HG changeset patch
|
# HG changeset patch
|
||||||
# Parent dfcac093fca4d826a806b9d1c0bdc26e7ae8ee8e
|
# Parent f258e8b7fc48a4b0f60fc436dc9ec72423a11bfc
|
||||||
send locales in default configuration
|
send locales in default configuration
|
||||||
bnc#65747
|
bnc#65747
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/ssh_config b/openssh-7.2p2/ssh_config
|
diff --git a/openssh-7.6p1/ssh_config b/openssh-7.6p1/ssh_config
|
||||||
--- a/openssh-7.2p2/ssh_config
|
--- a/openssh-7.6p1/ssh_config
|
||||||
+++ b/openssh-7.2p2/ssh_config
|
+++ b/openssh-7.6p1/ssh_config
|
||||||
@@ -26,16 +26,21 @@ Host *
|
@@ -26,16 +26,21 @@ Host *
|
||||||
# security reasons: Someone stealing the authentification data on the
|
# security reasons: Someone stealing the authentification data on the
|
||||||
# remote side (the "spoofed" X-server by the remote sshd) can read your
|
# remote side (the "spoofed" X-server by the remote sshd) can read your
|
||||||
@ -20,18 +20,18 @@ diff --git a/openssh-7.2p2/ssh_config b/openssh-7.2p2/ssh_config
|
|||||||
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||||
+ SendEnv LC_IDENTIFICATION LC_ALL
|
+ SendEnv LC_IDENTIFICATION LC_ALL
|
||||||
+
|
+
|
||||||
# RhostsRSAAuthentication no
|
|
||||||
# RSAAuthentication yes
|
|
||||||
# PasswordAuthentication yes
|
# PasswordAuthentication yes
|
||||||
# HostbasedAuthentication no
|
# HostbasedAuthentication no
|
||||||
# GSSAPIAuthentication no
|
# GSSAPIAuthentication no
|
||||||
# GSSAPIDelegateCredentials no
|
# GSSAPIDelegateCredentials no
|
||||||
# BatchMode no
|
# BatchMode no
|
||||||
# CheckHostIP yes
|
# CheckHostIP yes
|
||||||
diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
|
# AddressFamily any
|
||||||
--- a/openssh-7.2p2/sshd_config
|
# ConnectTimeout 0
|
||||||
+++ b/openssh-7.2p2/sshd_config
|
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
|
||||||
@@ -120,14 +120,19 @@ X11Forwarding yes
|
--- a/openssh-7.6p1/sshd_config
|
||||||
|
+++ b/openssh-7.6p1/sshd_config
|
||||||
|
@@ -105,14 +105,19 @@ X11Forwarding yes
|
||||||
#VersionAddendum none
|
#VersionAddendum none
|
||||||
|
|
||||||
# no default banner path
|
# no default banner path
|
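--- a/openssh-7.6p1.tar.gz
+++ b/openssh-7.6p1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723
+size 1489788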
14
openssh-7.6p1.tar.gz.asc
@ -0,0 +1,14 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAlnTtXUACgkQ0+X1a22S
|
||||||
|
DTCQxgx+MJ1JjIWwVjXUxwpFfjj4aBv5xSqiKqwzGgVjnlmwtpTn+tqdGiACts3K
|
||||||
|
46fh/8ujknJJ5lBIlWKBfqhKzC7A+gCBaFiLoXiad8Q3NIESbXGxRkuMe6jxFtR7
|
||||||
|
SHidUjRqmn1kLCy1TSkj8mqg0/UZ5UZAJcsldQTmEAnxFVbK1l8CLB7vn4rJnj+v
|
||||||
|
PdbtsSdw8ZHtakkoNHiqQD+mwy+FXY5QcN7IUEX2/E0hKx0wou1S/36j8k89UQf8
|
||||||
|
Jbntg31N4EUOQ0fRwuxdRkHSUrJJpPgwWO4XgHw4u9yghsOCYr+X9Pa1+LCtL4PE
|
||||||
|
o4+08UoD92VORzRETH5Cbtv1XmdUWrpHVHUjVORTgYxVgXbbnoDuzxfsrbfJRRLE
|
||||||
|
NBsFxodltDxfdljL27PReBqpneWBxNJd6ruaY5wYxhu1qTEcszCGXuSd583TJ49b
|
||||||
|
hhkWrk5+knErwFdDbtOy+l3L1pvxXvuyIuWl/aXaoVSPDwtPFui94Dl2G7QbSeEb
|
||||||
|
PQDWU6PReeP+SRsMyYJSoxwgbZIzaQ==
|
||||||
|
=K6iy
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -1,3 +1,9 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Nov 3 12:27:18 UTC 2017 - pcerny@suse.com
|
||||||
|
|
||||||
|
- upgrade to 7.6p1
|
||||||
|
see main package changelog for details
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Jul 25 13:45:53 UTC 2016 - meissner@suse.com
|
Mon Jul 25 13:45:53 UTC 2016 - meissner@suse.com
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package openssh-askpass-gnome
|
# spec file for package openssh-askpass-gnome
|
||||||
#
|
#
|
||||||
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
|
# Copyright (c) 2017 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -26,7 +26,7 @@ BuildRequires: openssl-devel
|
|||||||
BuildRequires: pam-devel
|
BuildRequires: pam-devel
|
||||||
BuildRequires: tcpd-devel
|
BuildRequires: tcpd-devel
|
||||||
BuildRequires: update-desktop-files
|
BuildRequires: update-desktop-files
|
||||||
Version: 7.2p2
|
Version: 7.6p1
|
||||||
Release: 0
|
Release: 0
|
||||||
Requires: openssh = %{version}
|
Requires: openssh = %{version}
|
||||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||||
|
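Review bot: The copyright line of the spec header changes together with the Version bump, and if the pair is printed old-then-new as the `Version: 7.2p2` / `Version: 7.6p1` pair is, the new side becomes `# Copyright (c) 2017 SUSE LINUX Products GmbH, Nuernberg, Germany.`, which to my knowledge is the older legal name that the `SUSE LINUX GmbH` form replaced. That reads like a stale spec template being carried along with the version update rather than an intended edit, and the cleanup-style check that runs over spec headers may rewrite it again on the next touch. The side of each line cannot be confirmed from the rendered page alone; if the new side is indeed the `Products` form, keeping `# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.` would be the smaller change.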
573
openssh.changes
@ -1,3 +1,576 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Nov 3 12:27:18 UTC 2017 - pcerny@suse.com
|
||||||
|
|
||||||
|
- Update to vanilla 7.6p1
|
||||||
|
Most important changes (more details below):
|
||||||
|
* complete removal of the ancient SSHv1 protocol
|
||||||
|
* sshd(8) cannot run without privilege separation
|
||||||
|
* removal of suport for arcfourm blowfish and CAST ciphers
|
||||||
|
and RIPE-MD160 HMAC
|
||||||
|
* refuse RSA keys shorter than 1024 bits
|
||||||
|
Distilled upstream log:
|
||||||
|
- OpenSSH 7.3
|
||||||
|
---- Security
|
||||||
|
* sshd(8): Mitigate a potential denial-of-service attack
|
||||||
|
against the system's crypt(3) function via sshd(8). An
|
||||||
|
attacker could send very long passwords that would cause
|
||||||
|
excessive CPU use in crypt(3). sshd(8) now refuses to accept
|
||||||
|
password authentication requests of length greater than 1024
|
||||||
|
characters. Independently reported by Tomas Kuthan (Oracle),
|
||||||
|
Andres Rojas and Javier Nieto.
|
||||||
|
* sshd(8): Mitigate timing differences in password
|
||||||
|
authentication that could be used to discern valid from
|
||||||
|
invalid account names when long passwords were sent and
|
||||||
|
particular password hashing algorithms are in use on the
|
||||||
|
server. CVE-2016-6210, reported by EddieEzra.Harari at
|
||||||
|
verint.com
|
||||||
|
* ssh(1), sshd(8): Fix observable timing weakness in the CBC
|
||||||
|
padding oracle countermeasures. Reported by Jean Paul
|
||||||
|
Degabriele, Kenny Paterson, Torben Hansen and Martin
|
||||||
|
Albrecht. Note that CBC ciphers are disabled by default and
|
||||||
|
only included for legacy compatibility.
|
||||||
|
* ssh(1), sshd(8): Improve operation ordering of MAC
|
||||||
|
verification for Encrypt-then-MAC (EtM) mode transport MAC
|
||||||
|
algorithms to verify the MAC before decrypting any
|
||||||
|
ciphertext. This removes the possibility of timing
|
||||||
|
differences leaking facts about the plaintext, though no such
|
||||||
|
leakage has been observed. Reported by Jean Paul Degabriele,
|
||||||
|
Kenny Paterson, Torben Hansen and Martin Albrecht.
|
||||||
|
* sshd(8): (portable only) Ignore PAM environment vars when
|
||||||
|
UseLogin=yes. If PAM is configured to read user-specified
|
||||||
|
environment variables and UseLogin=yes in sshd_config, then a
|
||||||
|
hostile local user may attack /bin/login via LD_PRELOAD or
|
||||||
|
similar environment variables set via PAM. CVE-2015-8325,
|
||||||
|
found by Shayan Sadigh.
|
||||||
|
---- New Features
|
||||||
|
* ssh(1): Add a ProxyJump option and corresponding -J
|
||||||
|
command-line flag to allow simplified indirection through a
|
||||||
|
one or more SSH bastions or "jump hosts".
|
||||||
|
* ssh(1): Add an IdentityAgent option to allow specifying
|
||||||
|
specific agent sockets instead of accepting one from the
|
||||||
|
environment.
|
||||||
|
* ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to
|
||||||
|
be optionally overridden when using ssh -W. bz#2577
|
||||||
|
* ssh(1), sshd(8): Implement support for the IUTF8 terminal
|
||||||
|
mode as per draft-sgtatham-secsh-iutf8-00.
|
||||||
|
* ssh(1), sshd(8): Add support for additional fixed
|
||||||
|
Diffie-Hellman 2K, 4K and 8K groups from
|
||||||
|
draft-ietf-curdle-ssh-kex-sha2-03.
|
||||||
|
* ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA
|
||||||
|
signatures in certificates;
|
||||||
|
* ssh(1): Add an Include directive for ssh_config(5) files.
|
||||||
|
* ssh(1): Permit UTF-8 characters in pre-authentication banners
|
||||||
|
sent from the server. bz#2058
|
||||||
|
---- Bugfixes
|
||||||
|
* ssh(1), sshd(8): Reduce the syslog level of some relatively
|
||||||
|
common protocol events from LOG_CRIT. bz#2585
|
||||||
|
* sshd(8): Refuse AuthenticationMethods="" in configurations
|
||||||
|
and accept AuthenticationMethods=any for the default
|
||||||
|
behaviour of not requiring multiple authentication. bz#2398
|
||||||
|
* sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
|
||||||
|
ATTEMPT!" message when forward and reverse DNS don't match.
|
||||||
|
bz#2585
|
||||||
|
* ssh(1): Close ControlPersist background process stderr except
|
||||||
|
in debug mode or when logging to syslog. bz#1988
|
||||||
|
* misc: Make PROTOCOL description for
|
||||||
|
direct-streamlocal@openssh.com channel open messages match
|
||||||
|
deployed code. bz#2529
|
||||||
|
* ssh(1): Deduplicate LocalForward and RemoteForward entries to
|
||||||
|
fix failures when both ExitOnForwardFailure and hostname
|
||||||
|
canonicalisation are enabled. bz#2562
|
||||||
|
* sshd(8): Remove fallback from moduli to obsolete "primes"
|
||||||
|
file that was deprecated in 2001. bz#2559.
|
||||||
|
* sshd_config(5): Correct description of UseDNS: it affects ssh
|
||||||
|
hostname processing for authorized_keys, not known_hosts;
|
||||||
|
bz#2554
|
||||||
|
* ssh(1): Fix authentication using lone certificate keys in an
|
||||||
|
agent without corresponding private keys on the filesystem.
|
||||||
|
bz#2550
|
||||||
|
* sshd(8): Send ClientAliveInterval pings when a time-based
|
||||||
|
RekeyLimit is set; previously keepalive packets were not
|
||||||
|
being sent. bz#2252
|
||||||
|
---- Portability
|
||||||
|
* ssh(1), sshd(8): Fix compilation by automatically disabling
|
||||||
|
ciphers not supported by OpenSSL. bz#2466
|
||||||
|
* misc: Fix compilation failures on some versions of AIX's
|
||||||
|
compiler related to the definition of the VA_COPY macro.
|
||||||
|
bz#2589
|
||||||
|
* sshd(8): Whitelist more architectures to enable the
|
||||||
|
seccomp-bpf sandbox. bz#2590
|
||||||
|
* ssh-agent(1), sftp-server(8): Disable process tracing on
|
||||||
|
Solaris using setpflags(__PROC_PROTECT, ...). bz#2584
|
||||||
|
* sshd(8): On Solaris, don't call Solaris setproject() with
|
||||||
|
UsePAM=yes it's PAM's responsibility. bz#2425
|
||||||
|
- OpenSSH 7.4
|
||||||
|
---- Potentially-incompatible changes
|
||||||
|
* ssh(1): Remove 3des-cbc from the client's default proposal.
|
||||||
|
64-bit block ciphers are not safe in 2016 and we don't want
|
||||||
|
to wait until attacks like SWEET32 are extended to SSH. As
|
||||||
|
3des-cbc was the only mandatory cipher in the SSH RFCs, this
|
||||||
|
may cause problems connecting to older devices using the
|
||||||
|
default configuration, but it's highly likely that such
|
||||||
|
devices already need explicit configuration for key exchange
|
||||||
|
and hostkey algorithms already anyway.
|
||||||
|
* sshd(8): Remove support for pre-authentication compression.
|
||||||
|
Doing compression early in the protocol probably seemed
|
||||||
|
reasonable in the 1990s, but today it's clearly a bad idea in
|
||||||
|
terms of both cryptography (cf. multiple compression oracle
|
||||||
|
attacks in TLS) and attack surface. Pre-auth compression
|
||||||
|
support has been disabled by default for >10 years. Support
|
||||||
|
remains in the client.
|
||||||
|
* ssh-agent will refuse to load PKCS#11 modules outside a
|
||||||
|
whitelist of trusted paths by default. The path whitelist may
|
||||||
|
be specified at run-time.
|
||||||
|
* sshd(8): When a forced-command appears in both a certificate
|
||||||
|
and an authorized keys/principals command= restriction, sshd
|
||||||
|
will now refuse to accept the certificate unless they are
|
||||||
|
identical. The previous (documented) behaviour of having the
|
||||||
|
certificate forced-command override the other could be a bit
|
||||||
|
confusing and error-prone.
|
||||||
|
* sshd(8): Remove the UseLogin configuration directive and
|
||||||
|
support for having /bin/login manage login sessions.
|
||||||
|
---- Security
|
||||||
|
* ssh-agent(1): Will now refuse to load PKCS#11 modules from
|
||||||
|
paths outside a trusted whitelist (run-time configurable).
|
||||||
|
Requests to load modules could be passed via agent forwarding
|
||||||
|
and an attacker could attempt to load a hostile PKCS#11
|
||||||
|
module across the forwarded agent channel: PKCS#11 modules
|
||||||
|
are shared libraries, so this would result in code execution
|
||||||
|
on the system running the ssh-agent if the attacker has
|
||||||
|
control of the forwarded agent-socket (on the host running
|
||||||
|
the sshd server) and the ability to write to the filesystem
|
||||||
|
of the host running ssh-agent (usually the host running the
|
||||||
|
ssh client). Reported by Jann Horn of Project Zero.
|
||||||
|
* sshd(8): When privilege separation is disabled, forwarded
|
||||||
|
Unix- domain sockets would be created by sshd(8) with the
|
||||||
|
privileges of 'root' instead of the authenticated user. This
|
||||||
|
release refuses Unix-domain socket forwarding when privilege
|
||||||
|
separation is disabled (Privilege separation has been enabled
|
||||||
|
by default for 14 years). Reported by Jann Horn of Project
|
||||||
|
Zero.
|
||||||
|
* sshd(8): Avoid theoretical leak of host private key material
|
||||||
|
to privilege-separated child processes via realloc() when
|
||||||
|
reading keys. No such leak was observed in practice for
|
||||||
|
normal-sized keys, nor does a leak to the child processes
|
||||||
|
directly expose key material to unprivileged users. Reported
|
||||||
|
by Jann Horn of Project Zero.
|
||||||
|
* sshd(8): The shared memory manager used by pre-authentication
|
||||||
|
compression support had a bounds checks that could be elided
|
||||||
|
by some optimising compilers. Additionally, this memory
|
||||||
|
manager was incorrectly accessible when pre-authentication
|
||||||
|
compression was disabled. This could potentially allow
|
||||||
|
attacks against the privileged monitor process from the
|
||||||
|
sandboxed privilege-separation process (a compromise of the
|
||||||
|
latter would be required first). This release removes
|
||||||
|
support for pre-authentication compression from sshd(8).
|
||||||
|
Reported by Guido Vranken using the Stack unstable
|
||||||
|
optimisation identification tool
|
||||||
|
(http://css.csail.mit.edu/stack/)
|
||||||
|
* sshd(8): Fix denial-of-service condition where an attacker
|
||||||
|
who sends multiple KEXINIT messages may consume up to 128MB
|
||||||
|
per connection. Reported by Shi Lei of Gear Team, Qihoo 360.
|
||||||
|
* sshd(8): Validate address ranges for AllowUser and DenyUsers
|
||||||
|
directives at configuration load time and refuse to accept
|
||||||
|
invalid ones. It was previously possible to specify invalid
|
||||||
|
CIDR address ranges (e.g. user@127.1.2.3/55) and these would
|
||||||
|
always match, possibly resulting in granting access where it
|
||||||
|
was not intended. Reported by Laurence Parry.
|
||||||
|
---- New Features
|
||||||
|
* ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by
|
||||||
|
the version in PuTTY by Simon Tatham. This allows a
|
||||||
|
multiplexing client to communicate with the master process
|
||||||
|
using a subset of the SSH packet and channels protocol over a
|
||||||
|
Unix-domain socket, with the main process acting as a proxy
|
||||||
|
that translates channel IDs, etc. This allows multiplexing
|
||||||
|
mode to run on systems that lack file- descriptor passing
|
||||||
|
(used by current multiplexing code) and potentially, in
|
||||||
|
conjunction with Unix-domain socket forwarding, with the
|
||||||
|
client and multiplexing master process on different machines.
|
||||||
|
Multiplexing proxy mode may be invoked using "ssh -O proxy
|
||||||
|
..."
|
||||||
|
* sshd(8): Add a sshd_config DisableForwarding option that
|
||||||
|
disables X11, agent, TCP, tunnel and Unix domain socket
|
||||||
|
forwarding, as well as anything else we might implement in
|
||||||
|
the future. Like the 'restrict' authorized_keys flag, this is
|
||||||
|
intended to be a simple and future-proof way of restricting
|
||||||
|
an account.
|
||||||
|
* sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
|
||||||
|
method. This is identical to the currently-supported method
|
||||||
|
named "curve25519-sha256@libssh.org".
|
||||||
|
* sshd(8): Improve handling of SIGHUP by checking to see if
|
||||||
|
sshd is already daemonised at startup and skipping the call
|
||||||
|
to daemon(3) if it is. This ensures that a SIGHUP restart of
|
||||||
|
sshd(8) will retain the same process-ID as the initial
|
||||||
|
execution. sshd(8) will also now unlink the PidFile prior to
|
||||||
|
SIGHUP restart and re-create it after a successful restart,
|
||||||
|
rather than leaving a stale file in the case of a
|
||||||
|
configuration error. bz#2641
|
||||||
|
* sshd(8): Allow ClientAliveInterval and ClientAliveCountMax
|
||||||
|
directives to appear in sshd_config Match blocks.
|
||||||
|
* sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to
|
||||||
|
match those supported by AuthorizedKeysCommand (key, key
|
||||||
|
type, fingerprint, etc.) and a few more to provide access to
|
||||||
|
the contents of the certificate being offered.
|
||||||
|
* Added regression tests for string matching, address matching
|
||||||
|
and string sanitisation functions.
|
||||||
|
* Improved the key exchange fuzzer harness.
|
||||||
|
---- Bugfixes
|
||||||
|
* ssh(1): Allow IdentityFile to successfully load and use
|
||||||
|
certificates that have no corresponding bare public key.
|
||||||
|
bz#2617 certificate id_rsa-cert.pub (and no id_rsa.pub).
|
||||||
|
* ssh(1): Fix public key authentication when multiple
|
||||||
|
authentication is in use and publickey is not just the first
|
||||||
|
method attempted. bz#2642
|
||||||
|
* regress: Allow the PuTTY interop tests to run unattended.
|
||||||
|
bz#2639
|
||||||
|
* ssh-agent(1), ssh(1): improve reporting when attempting to
|
||||||
|
load keys from PKCS#11 tokens with fewer useless log messages
|
||||||
|
and more detail in debug messages. bz#2610
|
||||||
|
* ssh(1): When tearing down ControlMaster connections, don't
|
||||||
|
pollute stderr when LogLevel=quiet.
|
||||||
|
* sftp(1): On ^Z wait for underlying ssh(1) to suspend before
|
||||||
|
suspending sftp(1) to ensure that ssh(1) restores the
|
||||||
|
terminal mode correctly if suspended during a password
|
||||||
|
prompt.
|
||||||
|
* ssh(1): Avoid busy-wait when ssh(1) is suspended during a
|
||||||
|
password prompt.
|
||||||
|
* ssh(1), sshd(8): Correctly report errors during sending of
|
||||||
|
ext- info messages.
|
||||||
|
* sshd(8): fix NULL-deref crash if sshd(8) received an out-of-
|
||||||
|
sequence NEWKEYS message.
|
||||||
|
* sshd(8): Correct list of supported signature algorithms sent
|
||||||
|
in the server-sig-algs extension. bz#2547
|
||||||
|
* sshd(8): Fix sending ext_info message if privsep is disabled.
|
||||||
|
* sshd(8): more strictly enforce the expected ordering of
|
||||||
|
privilege separation monitor calls used for authentication
|
||||||
|
and allow them only when their respective authentication
|
||||||
|
methods are enabled in the configuration
|
||||||
|
* sshd(8): Fix uninitialised optlen in getsockopt() call;
|
||||||
|
harmless on Unix/BSD but potentially crashy on Cygwin.
|
||||||
|
* Fix false positive reports caused by explicit_bzero(3) not
|
||||||
|
being recognised as a memory initialiser when compiled with
|
||||||
|
-fsanitize-memory.
|
||||||
|
* sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet
|
||||||
|
for configuration examples.
|
||||||
|
---- Portability
|
||||||
|
* On environments configured with Turkish locales, fall back to
|
||||||
|
the C/POSIX locale to avoid errors in configuration parsing
|
||||||
|
caused by that locale's unique handling of the letters 'i'
|
||||||
|
and 'I'. bz#2643
|
||||||
|
* sftp-server(8), ssh-agent(1): Deny ptrace on OS X using
|
||||||
|
ptrace(PT_DENY_ATTACH, ..)
|
||||||
|
* ssh(1), sshd(8): Unbreak AES-CTR ciphers on old (~0.9.8)
|
||||||
|
OpenSSL.
|
||||||
|
* Fix compilation for libcrypto compiled without RIPEMD160
|
||||||
|
support.
|
||||||
|
* contrib: Add a gnome-ssh-askpass3 with GTK+3 support. bz#2640
|
||||||
|
* sshd(8): Improve PRNG reseeding across privilege separation
|
||||||
|
and force libcrypto to obtain a high-quality seed before
|
||||||
|
chroot or sandboxing.
|
||||||
|
* All: Explicitly test for broken strnvis. NetBSD added an
|
||||||
|
strnvis and unfortunately made it incompatible with the
|
||||||
|
existing one in OpenBSD and Linux's libbsd (the former having
|
||||||
|
existed for over ten years). Try to detect this mess, and
|
||||||
|
assume the only safe option if we're cross compiling.
|
||||||
|
- OpenSSH 7.5
|
||||||
|
---- Potentially-incompatible changes
|
||||||
|
* This release deprecates the sshd_config
|
||||||
|
UsePrivilegeSeparation option, thereby making privilege
|
||||||
|
separation mandatory. Privilege separation has been on by
|
||||||
|
default for almost 15 years and sandboxing has been on by
|
||||||
|
default for almost the last five.
|
||||||
|
* The format of several log messages emitted by the packet code
|
||||||
|
has changed to include additional information about the user
|
||||||
|
and their authentication state. Software that monitors
|
||||||
|
ssh/sshd logs may need to account for these changes. For
|
||||||
|
example:
|
||||||
|
Connection closed by user x 1.1.1.1 port 1234 [preauth]
|
||||||
|
Connection closed by authenticating user x 10.1.1.1 port 1234
|
||||||
|
[preauth] Connection closed by invalid user x 1.1.1.1 port
|
||||||
|
1234 [preauth]
|
||||||
|
Affected messages include connection closure, timeout, remote
|
||||||
|
disconnection, negotiation failure and some other fatal
|
||||||
|
messages generated by the packet code.
|
||||||
|
* [Portable OpenSSH only] This version removes support for
|
||||||
|
building against OpenSSL versions prior to 1.0.1. OpenSSL
|
||||||
|
stopped supporting versions prior to 1.0.1 over 12 months ago
|
||||||
|
(i.e. they no longer receive fixes for security bugs).
|
||||||
|
---- Security
|
||||||
|
* ssh(1), sshd(8): Fix weakness in CBC padding oracle
|
||||||
|
countermeasures that allowed a variant of the attack fixed in
|
||||||
|
OpenSSH 7.3 to proceed. Note that the OpenSSH client
|
||||||
|
disables CBC ciphers by default, sshd offers them as
|
||||||
|
lowest-preference options and will remove them by default
|
||||||
|
entriely in the next release. Reported by Jean Paul
|
||||||
|
Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen
|
||||||
|
of Royal Holloway, University of London.
|
||||||
|
* sftp-client(1): [portable OpenSSH only] On Cygwin, a client
|
||||||
|
making a recursive file transfer could be maniuplated by a
|
||||||
|
hostile server to perform a path-traversal attack. creating
|
||||||
|
or modifying files outside of the intended target directory.
|
||||||
|
Reported by Jann Horn of Google Project Zero.
|
||||||
|
---- New Features
|
||||||
|
* ssh(1), sshd(8): Support "=-" syntax to easily remove methods
|
||||||
|
from algorithm lists, e.g. Ciphers=-*cbc. bz#2671
|
||||||
|
---- Bugfixes
|
||||||
|
* sshd(1): Fix NULL dereference crash when key exchange start
|
||||||
|
messages are sent out of sequence.
|
||||||
|
* ssh(1), sshd(8): Allow form-feed characters to appear in
|
||||||
|
configuration files.
|
||||||
|
* sshd(8): Fix regression in OpenSSH 7.4 support for the
|
||||||
|
server-sig-algs extension, where SHA2 RSA signature methods
|
||||||
|
were not being correctly advertised. bz#2680
|
||||||
|
* ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs
|
||||||
|
in known_hosts processing. bz#2591 bz#2685
|
||||||
|
* ssh(1): Allow ssh to use certificates accompanied by a
|
||||||
|
private key file but no corresponding plain *.pub public key.
|
||||||
|
bz#2617
|
||||||
|
* ssh(1): When updating hostkeys using the UpdateHostKeys
|
||||||
|
option, accept RSA keys if HostkeyAlgorithms contains any RSA
|
||||||
|
keytype. Previously, ssh could ignore RSA keys when only the
|
||||||
|
ssh-rsa-sha2-* methods were enabled in HostkeyAlgorithms and
|
||||||
|
not the old ssh-rsa method. bz#2650
|
||||||
|
* ssh(1): Detect and report excessively long configuration file
|
||||||
|
lines. bz#2651
|
||||||
|
* Merge a number of fixes found by Coverity and reported via
|
||||||
|
Redhat and FreeBSD. Includes fixes for some memory and file
|
||||||
|
descriptor leaks in error paths. bz#2687
|
||||||
|
* ssh-keyscan(1): Correctly hash hosts with a port number.
|
||||||
|
bz#2692
|
||||||
|
* ssh(1), sshd(8): When logging long messages to stderr, don't
|
||||||
|
truncate "\r\n" if the length of the message exceeds the
|
||||||
|
buffer. bz#2688
|
||||||
|
* ssh(1): Fully quote [host]:port in generated ProxyJump/-J
|
||||||
|
command- line; avoid confusion over IPv6 addresses and shells
|
||||||
|
that treat square bracket characters specially.
|
||||||
|
* ssh-keygen(1): Fix corruption of known_hosts when running
|
||||||
|
"ssh-keygen -H" on a known_hosts containing already-hashed
|
||||||
|
entries.
|
||||||
|
* Fix various fallout and sharp edges caused by removing SSH
|
||||||
|
protocol 1 support from the server, including the server
|
||||||
|
banner string being incorrectly terminated with only \n
|
||||||
|
(instead of \r\n), confusing error messages from ssh-keyscan
|
||||||
|
bz#2583 and a segfault in sshd if protocol v.1 was enabled
|
||||||
|
for the client and sshd_config contained references to legacy
|
||||||
|
keys bz#2686.
|
||||||
|
* ssh(1), sshd(8): Free fd_set on connection timeout. bz#2683
|
||||||
|
* sshd(8): Fix Unix domain socket forwarding for root
|
||||||
|
(regression in OpenSSH 7.4).
|
||||||
|
* sftp(1): Fix division by zero crash in "df" output when
|
||||||
|
server returns zero total filesystem blocks/inodes.
|
||||||
|
* ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL
|
||||||
|
errors encountered during key loading to more meaningful
|
||||||
|
error codes. bz#2522 bz#2523
|
||||||
|
* ssh-keygen(1): Sanitise escape sequences in key comments sent
|
||||||
|
to printf but preserve valid UTF-8 when the locale supports
|
||||||
|
it; bz#2520
|
||||||
|
* ssh(1), sshd(8): Return reason for port forwarding failures
|
||||||
|
where feasible rather than always "administratively
|
||||||
|
prohibited". bz#2674
|
||||||
|
* sshd(8): Fix deadlock when AuthorizedKeysCommand or
|
||||||
|
AuthorizedPrincipalsCommand produces a lot of output and a
|
||||||
|
key is matched early. bz#2655
|
||||||
|
* Regression tests: several reliability fixes. bz#2654 bz#2658
|
||||||
|
bz#2659
|
||||||
|
* ssh(1): Fix typo in ~C error message for bad port forward
|
||||||
|
cancellation. bz#2672
|
||||||
|
* ssh(1): Show a useful error message when included config
|
||||||
|
files can't be opened; bz#2653
|
||||||
|
* sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the
|
||||||
|
manual page (previously incorrectly) advertised. bz#2637
|
||||||
|
* sshd_config(5): Repair accidentally-deleted mention of %k
|
||||||
|
token in AuthorizedKeysCommand; bz#2656
|
||||||
|
* sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM;
|
||||||
|
bz#2665
|
||||||
|
* ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
|
||||||
|
common 32-bit compatibility library directories.
|
||||||
|
* sftp-client(1): Fix non-exploitable integer overflow in
|
||||||
|
SSH2_FXP_NAME response handling.
|
||||||
|
* ssh-agent(1): Fix regression in 7.4 of deleting
|
||||||
|
PKCS#11-hosted keys. It was not possible to delete them
|
||||||
|
except by specifying their full physical path. bz#2682
|
||||||
|
---- Portability
|
||||||
|
* sshd(8): Avoid sandbox errors for Linux S390 systems using an
|
||||||
|
ICA crypto coprocessor.
|
||||||
|
* sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox
|
||||||
|
arg inspection.
|
||||||
|
* ssh(1): Fix X11 forwarding on OSX where X11 was being started
|
||||||
|
by launchd. bz#2341
|
||||||
|
* ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for
|
||||||
|
various that contain non-printable characters where the
|
||||||
|
codeset in use is ASCII.
|
||||||
|
* build: Fix builds that attempt to link a kerberised libldns.
|
||||||
|
bz#2603
|
||||||
|
* build: Fix compilation problems caused by unconditionally
|
||||||
|
defining _XOPEN_SOURCE in wide character detection.
|
||||||
|
* sshd(8): Fix sandbox violations for clock_gettime VSDO
|
||||||
|
syscall fallback on some Linux/X32 kernels. bz#2142
|
||||||
|
- OpenSSH 7.6
|
||||||
|
---- Potentially-incompatible changes
|
||||||
|
This release includes a number of changes that may affect
|
||||||
|
existing configurations:
|
||||||
|
* ssh(1): delete SSH protocol version 1 support, associated
|
||||||
|
configuration options and documentation.
|
||||||
|
* ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC.
|
||||||
|
* ssh(1)/sshd(8): remove support for the arcfour, blowfish and
|
||||||
|
CAST ciphers.
|
||||||
|
* Refuse RSA keys <1024 bits in length and improve reporting
|
||||||
|
for keys that do not meet this requirement.
|
||||||
|
* ssh(1): do not offer CBC ciphers by default.
|
||||||
|
---- Security
|
||||||
|
* sftp-server(8): in read-only mode, sftp-server was
|
||||||
|
incorrectly permitting creation of zero-length files.
|
||||||
|
Reported by Michal Zalewski.
|
||||||
|
---- New Features
|
||||||
|
* ssh(1): add RemoteCommand option to specify a command in the
|
||||||
|
ssh config file instead of giving it on the client's command
|
||||||
|
line. This allows the configuration file to specify the
|
||||||
|
command that will be executed on the remote host.
|
||||||
|
* sshd(8): add ExposeAuthInfo option that enables writing
|
||||||
|
details of the authentication methods used (including public
|
||||||
|
keys where applicable) to a file that is exposed via a
|
||||||
|
$SSH_USER_AUTH environment variable in the subsequent
|
||||||
|
session.
|
||||||
|
* ssh(1): add support for reverse dynamic forwarding. In this
|
||||||
|
mode, ssh will act as a SOCKS4/5 proxy and forward
|
||||||
|
connections to destinations requested by the remote SOCKS
|
||||||
|
client. This mode is requested using extended syntax for the
|
||||||
|
-R and RemoteForward options and, because it is implemented
|
||||||
|
solely at the client, does not require the server be updated
|
||||||
|
to be supported.
|
||||||
|
* sshd(8): allow LogLevel directive in sshd_config Match
|
||||||
|
blocks; bz#2717
|
||||||
|
* ssh-keygen(1): allow inclusion of arbitrary string or flag
|
||||||
|
certificate extensions and critical options.
|
||||||
|
* ssh-keygen(1): allow ssh-keygen to use a key held in
|
||||||
|
ssh-agent as a CA when signing certificates. bz#2377
|
||||||
|
* ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an
|
||||||
|
explicit ToS/DSCP value and just use the operating system
|
||||||
|
default.
|
||||||
|
* ssh-add(1): added -q option to make ssh-add quiet on success.
|
||||||
|
* ssh(1): expand the StrictHostKeyChecking option with two new
|
||||||
|
settings. The first "accept-new" will automatically accept
|
||||||
|
hitherto-unseen keys but will refuse connections for changed
|
||||||
|
or invalid hostkeys. This is a safer subset of the current
|
||||||
|
behaviour of StrictHostKeyChecking=no. The second setting
|
||||||
|
"off", is a synonym for the current behaviour of
|
||||||
|
StrictHostKeyChecking=no: accept new host keys, and continue
|
||||||
|
connection for hosts with incorrect hostkeys. A future
|
||||||
|
release will change the meaning of StrictHostKeyChecking=no
|
||||||
|
to the behaviour of "accept-new". bz#2400
|
||||||
|
* ssh(1): add SyslogFacility option to ssh(1) matching the
|
||||||
|
equivalent option in sshd(8). bz#2705
|
||||||
|
---- Bugfixes
|
||||||
|
* ssh(1): use HostKeyAlias if specified instead of hostname for
|
||||||
|
matching host certificate principal names; bz#2728
|
||||||
|
* sftp(1): implement sorting for globbed ls; bz#2649
|
||||||
|
* ssh(1): add a user@host prefix to client's "Permission
|
||||||
|
denied" messages, useful in particular when using "stacked"
|
||||||
|
connections (e.g. ssh -J) where it's not clear which host is
|
||||||
|
denying. bz#2720
|
||||||
|
* ssh(1): accept unknown EXT_INFO extension values that contain
|
||||||
|
\0 characters. These are legal, but would previously cause
|
||||||
|
fatal connection errors if received.
|
||||||
|
* ssh(1)/sshd(8): repair compression statistics printed at
|
||||||
|
connection exit
|
||||||
|
* sftp(1): print '?' instead of incorrect link count (that the
|
||||||
|
protocol doesn't provide) for remote listings. bz#2710
|
||||||
|
* ssh(1): return failure rather than fatal() for more cases
|
||||||
|
during session multiplexing negotiations. Causes the session
|
||||||
|
to fall back to a non-mux connection if they occur. bz#2707
|
||||||
|
* ssh(1): mention that the server may send debug messages to
|
||||||
|
explain public key authentication problems under some
|
||||||
|
circumstances; bz#2709
|
||||||
|
* Translate OpenSSL error codes to better report incorrect
|
||||||
|
passphrase errors when loading private keys; bz#2699
|
||||||
|
* sshd(8): adjust compatibility patterns for WinSCP to
|
||||||
|
correctly identify versions that implement only the legacy DH
|
||||||
|
group exchange scheme. bz#2748
|
||||||
|
* ssh(1): print the "Killed by signal 1" message only at
|
||||||
|
LogLevel verbose so that it is not shown at the default
|
||||||
|
level; prevents it from appearing during ssh -J and
|
||||||
|
equivalent ProxyCommand configs. bz#1906, bz#2744
|
||||||
|
* ssh-keygen(1): when generating all hostkeys (ssh-keygen -A),
|
||||||
|
clobber existing keys if they exist but are zero length.
|
||||||
|
zero-length keys could previously be made if ssh-keygen
|
||||||
|
failed or was interrupted part way through generating them.
|
||||||
|
bz#2561
|
||||||
|
* ssh(1): fix pledge(2) violation in the escape sequence "~&"
|
||||||
|
used to place the current session in the background.
|
||||||
|
* ssh-keyscan(1): avoid double-close() on file descriptors;
|
||||||
|
bz#2734
|
||||||
|
* sshd(8): avoid reliance on shared use of pointers shared
|
||||||
|
between monitor and child sshd processes. bz#2704
|
||||||
|
* sshd_config(8): document available AuthenticationMethods;
|
||||||
|
bz#2453
|
||||||
|
* ssh(1): avoid truncation in some login prompts; bz#2768
|
||||||
|
* sshd(8): Fix various compilations failures, inc bz#2767
|
||||||
|
* ssh(1): make "--" before the hostname terminate argument
|
||||||
|
processing after the hostname too.
|
||||||
|
* ssh-keygen(1): switch from aes256-cbc to aes256-ctr for
|
||||||
|
encrypting new-style private keys. Fixes problems related to
|
||||||
|
private key handling for no-OpenSSL builds. bz#2754
|
||||||
|
* ssh(1): warn and do not attempt to use keys when the public
|
||||||
|
and private halves do not match. bz#2737
|
||||||
|
* sftp(1): don't print verbose error message when ssh
|
||||||
|
disconnects from under sftp. bz#2750
|
||||||
|
* sshd(8): fix keepalive scheduling problem: activity on a
|
||||||
|
forwarded port from preventing the keepalive from being sent;
|
||||||
|
bz#2756
|
||||||
|
* sshd(8): when started without root privileges, don't require
|
||||||
|
the privilege separation user or path to exist. Makes running
|
||||||
|
the regression tests easier without touching the filesystem.
|
||||||
|
* Make integrity.sh regression tests more robust against
|
||||||
|
timeouts. bz#2658
|
||||||
|
* ssh(1)/sshd(8): correctness fix for channels implementation:
|
||||||
|
accept channel IDs greater than 0x7FFFFFFF.
|
||||||
|
---- Portability
|
||||||
|
* sshd(9): drop two more privileges in the Solaris sandbox:
|
||||||
|
PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723
|
||||||
|
* sshd(8): expose list of completed authentication methods to
|
||||||
|
PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408
|
||||||
|
* ssh(1)/sshd(8): fix several problems in the tun/tap
|
||||||
|
forwarding code, mostly to do with host/network byte order
|
||||||
|
confusion. bz#2735
|
||||||
|
* Add --with-cflags-after and --with-ldflags-after configure
|
||||||
|
flags to allow setting CFLAGS/LDFLAGS after configure has
|
||||||
|
completed. These are useful for setting sanitiser/fuzzing
|
||||||
|
options that may interfere with configure's operation.
|
||||||
|
* sshd(8): avoid Linux seccomp violations on ppc64le over the
|
||||||
|
socketcall syscall.
|
||||||
|
* Fix use of ldns when using ldns-config; bz#2697
|
||||||
|
* configure: set cache variables when cross-compiling. The
|
||||||
|
cross- compiling fallback message was saying it assumed the
|
||||||
|
test passed, but it wasn't actually set the cache variables
|
||||||
|
and this would cause later tests to fail.
|
||||||
|
* Add clang libFuzzer harnesses for public key parsing and
|
||||||
|
signature verification.
|
||||||
|
- packaging:
|
||||||
|
* removal of all 7.2 patches
|
||||||
|
* first round of rebased patches:
|
||||||
|
[openssh-7.6p1-X11_trusted_forwarding.patch]
|
||||||
|
[openssh-7.6p1-allow_root_password_login.patch]
|
||||||
|
[openssh-7.6p1-blocksigalrm.patch]
|
||||||
|
[openssh-7.6p1-disable_short_DH_parameters.patch]
|
||||||
|
[openssh-7.6p1-eal3.patch]
|
||||||
|
[openssh-7.6p1-enable_PAM_by_default.patch]
|
||||||
|
[openssh-7.6p1-hostname_changes_when_forwarding_X.patch]
|
||||||
|
[openssh-7.6p1-lastlog.patch]
|
||||||
|
[openssh-7.6p1-pam_check_locks.patch]
|
||||||
|
[openssh-7.6p1-pts_names_formatting.patch]
|
||||||
|
[openssh-7.6p1-remove_xauth_cookies_on_exit.patch]
|
||||||
|
[openssh-7.6p1-seccomp_geteuid.patch]
|
||||||
|
[openssh-7.6p1-seccomp_getuid.patch]
|
||||||
|
[openssh-7.6p1-seccomp_stat.patch]
|
||||||
|
[openssh-7.6p1-send_locale.patch]
|
||||||
|
* not rebased (obsoleted) patches (so far):
|
||||||
|
[openssh-7.2p2-saveargv-fix.diff]
|
||||||
|
[openssh-7.2p2-dont_use_pthreads_in_PAM.diff]
|
||||||
|
[openssh-7.2p2-gssapimitm.diff]
|
||||||
|
[openssh-7.2p2-eal3_obsolete.diff]
|
||||||
|
[openssh-7.2p2-default_protocol.diff]
|
||||||
|
[openssh-7.2p2-additional_seccomp_archs.patch]
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Oct 25 15:09:06 UTC 2017 - jsegitz@suse.com
|
Wed Oct 25 15:09:06 UTC 2017 - jsegitz@suse.com
|
||||||
|
|
||||||
|
116
openssh.spec
116
openssh.spec
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package openssh
|
# spec file for package openssh
|
||||||
#
|
#
|
||||||
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
|
# Copyright (c) 2017 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -93,7 +93,7 @@ PreReq: pwdutils %{fillup_prereq} coreutils
|
|||||||
%if ! %{uses_systemd}
|
%if ! %{uses_systemd}
|
||||||
PreReq: %{insserv_prereq}
|
PreReq: %{insserv_prereq}
|
||||||
%endif
|
%endif
|
||||||
Version: 7.2p2
|
Version: 7.6p1
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||||
License: BSD-2-Clause and MIT
|
License: BSD-2-Clause and MIT
|
||||||
@ -113,54 +113,21 @@ Source9: sshd-gen-keys-start
|
|||||||
Source10: sshd.service
|
Source10: sshd.service
|
||||||
Source11: README.FIPS
|
Source11: README.FIPS
|
||||||
Source12: cavs_driver-ssh.pl
|
Source12: cavs_driver-ssh.pl
|
||||||
Patch00: openssh-7.2p2-allow_root_password_login.patch
|
Patch00: openssh-7.6p1-allow_root_password_login.patch
|
||||||
Patch01: openssh-7.2p2-allow_DSS_by_default.patch
|
Patch01: openssh-7.6p1-X11_trusted_forwarding.patch
|
||||||
Patch02: openssh-7.2p2-X11_trusted_forwarding.patch
|
Patch02: openssh-7.6p1-lastlog.patch
|
||||||
Patch03: openssh-7.2p2-lastlog.patch
|
Patch03: openssh-7.6p1-enable_PAM_by_default.patch
|
||||||
Patch04: openssh-7.2p2-enable_PAM_by_default.patch
|
Patch04: openssh-7.6p1-eal3.patch
|
||||||
Patch05: openssh-7.2p2-dont_use_pthreads_in_PAM.patch
|
Patch05: openssh-7.6p1-blocksigalrm.patch
|
||||||
Patch06: openssh-7.2p2-eal3.patch
|
Patch06: openssh-7.6p1-send_locale.patch
|
||||||
Patch07: openssh-7.2p2-blocksigalrm.patch
|
Patch07: openssh-7.6p1-hostname_changes_when_forwarding_X.patch
|
||||||
Patch08: openssh-7.2p2-send_locale.patch
|
Patch08: openssh-7.6p1-remove_xauth_cookies_on_exit.patch
|
||||||
Patch09: openssh-7.2p2-hostname_changes_when_forwarding_X.patch
|
Patch09: openssh-7.6p1-pts_names_formatting.patch
|
||||||
Patch10: openssh-7.2p2-remove_xauth_cookies_on_exit.patch
|
Patch10: openssh-7.6p1-pam_check_locks.patch
|
||||||
Patch11: openssh-7.2p2-pts_names_formatting.patch
|
Patch11: openssh-7.6p1-disable_short_DH_parameters.patch
|
||||||
Patch12: openssh-7.2p2-pam_check_locks.patch
|
Patch12: openssh-7.6p1-seccomp_getuid.patch
|
||||||
Patch13: openssh-7.2p2-disable_short_DH_parameters.patch
|
Patch13: openssh-7.6p1-seccomp_geteuid.patch
|
||||||
Patch14: openssh-7.2p2-seccomp_getuid.patch
|
Patch14: openssh-7.6p1-seccomp_stat.patch
|
||||||
Patch15: openssh-7.2p2-seccomp_geteuid.patch
|
|
||||||
Patch16: openssh-7.2p2-seccomp_stat.patch
|
|
||||||
Patch17: openssh-7.2p2-additional_seccomp_archs.patch
|
|
||||||
Patch18: openssh-7.2p2-fips.patch
|
|
||||||
Patch19: openssh-7.2p2-cavstest-ctr.patch
|
|
||||||
Patch20: openssh-7.2p2-cavstest-kdf.patch
|
|
||||||
Patch21: openssh-7.2p2-seed-prng.patch
|
|
||||||
Patch22: openssh-7.2p2-gssapi_key_exchange.patch
|
|
||||||
Patch23: openssh-7.2p2-audit.patch
|
|
||||||
Patch24: openssh-7.2p2-audit_fixes.patch
|
|
||||||
Patch25: openssh-7.2p2-audit_seed_prng.patch
|
|
||||||
Patch26: openssh-7.2p2-login_options.patch
|
|
||||||
Patch27: openssh-7.2p2-disable_openssl_abi_check.patch
|
|
||||||
Patch28: openssh-7.2p2-no_fork-no_pid_file.patch
|
|
||||||
Patch29: openssh-7.2p2-host_ident.patch
|
|
||||||
Patch30: openssh-7.2p2-sftp_homechroot.patch
|
|
||||||
Patch31: openssh-7.2p2-sftp_force_permissions.patch
|
|
||||||
Patch32: openssh-7.2p2-X_forward_with_disabled_ipv6.patch
|
|
||||||
Patch33: openssh-7.2p2-ldap.patch
|
|
||||||
Patch34: openssh-7.2p2-IPv6_X_forwarding.patch
|
|
||||||
Patch35: openssh-7.2p2-ignore_PAM_with_UseLogin.patch
|
|
||||||
Patch36: openssh-7.2p2-prevent_timing_user_enumeration.patch
|
|
||||||
Patch37: openssh-7.2p2-limit_password_length.patch
|
|
||||||
Patch38: openssh-7.2p2-keep_slogin.patch
|
|
||||||
Patch39: openssh-7.2p2-kex_resource_depletion.patch
|
|
||||||
Patch40: openssh-7.2p2-verify_CIDR_address_ranges.patch
|
|
||||||
Patch41: openssh-7.2p2-restrict_pkcs11-modules.patch
|
|
||||||
Patch42: openssh-7.2p2-prevent_private_key_leakage.patch
|
|
||||||
Patch43: openssh-7.2p2-secure_unix_sockets_forwarding.patch
|
|
||||||
Patch44: openssh-7.2p2-ssh_case_insensitive_host_matching.patch
|
|
||||||
Patch45: openssh-7.2p2-disable_preauth_compression.patch
|
|
||||||
Patch46: openssh-7.2p2-s390_hw_crypto_syscalls.patch
|
|
||||||
Patch47: openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
Conflicts: nonfreessh
|
Conflicts: nonfreessh
|
||||||
Recommends: audit
|
Recommends: audit
|
||||||
@ -227,47 +194,14 @@ FIPS140 CAVS tests related parts of the OpenSSH package
|
|||||||
%patch12 -p2
|
%patch12 -p2
|
||||||
%patch13 -p2
|
%patch13 -p2
|
||||||
%patch14 -p2
|
%patch14 -p2
|
||||||
%patch15 -p2
|
|
||||||
%patch16 -p2
|
|
||||||
%patch17 -p2
|
|
||||||
%patch18 -p2
|
|
||||||
%patch19 -p2
|
|
||||||
%patch20 -p2
|
|
||||||
%patch21 -p2
|
|
||||||
%patch22 -p2
|
|
||||||
%patch23 -p2
|
|
||||||
%patch24 -p2
|
|
||||||
%patch25 -p2
|
|
||||||
%patch26 -p2
|
|
||||||
%patch27 -p2
|
|
||||||
%patch28 -p2
|
|
||||||
%patch29 -p2
|
|
||||||
%patch30 -p2
|
|
||||||
%patch31 -p2
|
|
||||||
%patch32 -p2
|
|
||||||
%patch33 -p2
|
|
||||||
%patch34 -p2
|
|
||||||
%patch35 -p2
|
|
||||||
%patch36 -p2
|
|
||||||
%patch37 -p2
|
|
||||||
%patch38 -p2
|
|
||||||
%patch39 -p2
|
|
||||||
%patch40 -p2
|
|
||||||
%patch41 -p2
|
|
||||||
%patch42 -p2
|
|
||||||
%patch43 -p2
|
|
||||||
%patch44 -p2
|
|
||||||
%patch45 -p2
|
|
||||||
%patch46 -p2
|
|
||||||
%patch47 -p2
|
|
||||||
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
|
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# set libexec dir in the LDAP patch
|
### TODO: # set libexec dir in the LDAP patch
|
||||||
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
### TODO: sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
||||||
$( grep -Rl @LIBEXECDIR@ \
|
### TODO: $( grep -Rl @LIBEXECDIR@ \
|
||||||
$( grep "^+++" %{PATCH33} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
### TODO: $( grep "^+++" %{PATCH33} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
||||||
)
|
### TODO: )
|
||||||
|
|
||||||
autoreconf -fiv
|
autoreconf -fiv
|
||||||
%ifarch s390 s390x %sparc
|
%ifarch s390 s390x %sparc
|
||||||
@ -461,10 +395,10 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
|
|||||||
%files helpers
|
%files helpers
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||||
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
|
#verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
|
||||||
%attr(0755,root,root) %dir %{_libexecdir}/ssh
|
%attr(0755,root,root) %dir %{_libexecdir}/ssh
|
||||||
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
|
#attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
|
||||||
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
|
#doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
|
||||||
|
|
||||||
%files fips
|
%files fips
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
|