- Update to openssh 9.8p1:

* No changes for askpass, see main package changelog for
    details.

- Fix a dbus connection leaked in the logind patch that was
  missing a sd_bus_unref call (found by Matthias Gerstner):
  * logind_set_tty.patch
- Add a patch that fixes a small memory leak when parsing the
  subsystem configuration option:
  * fix-memleak-in-process_server_config_line_depth.patch

- Update to openssh 9.8p1:
  = Security
  * 1) Race condition in sshd(8) (bsc#1226642, CVE-2024-6387).
    A critical vulnerability in sshd(8) was present in Portable
    OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may
    allow arbitrary code execution with root privileges.
    Successful exploitation has been demonstrated on 32-bit
    Linux/glibc systems with ASLR. Under lab conditions, the attack
    requires on average 6-8 hours of continuous connections up to
    the maximum the server will accept. Exploitation on 64-bit
    systems is believed to be possible but has not been
    demonstrated at this time. It's likely that these attacks will
    be improved upon.
    Exploitation on non-glibc systems is conceivable but has not
    been examined. Systems that lack ASLR or users of downstream
    Linux distributions that have modified OpenSSH to disable
    per-connection ASLR re-randomisation (yes - this is a thing, no
    - we don't understand why) may potentially have an easier path
    to exploitation. OpenBSD is not vulnerable.

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=272
This commit is contained in:
Antonio Larrosa 2024-08-12 09:54:46 +00:00 committed by Git OBS Bridge
commit da2c6cc517
85 changed files with 24878 additions and 0 deletions

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

View File

@ -0,0 +1,55 @@
From 66aaa678dbe59aa21d0d9d89a3596ecedde0254b Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Tue, 30 Apr 2024 02:14:10 +0000
Subject: [PATCH] upstream: correctly restore sigprocmask around ppoll()
reported
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
by Tõivo Leedjärv; ok deraadt@
OpenBSD-Commit-ID: c0c0f89de5294a166578f071eade2501929c4686
---
clientloop.c | 4 ++--
serverloop.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/clientloop.c b/clientloop.c
index be8bb5fc1f2..8ea2ada4216 100644
--- a/clientloop.c
+++ b/clientloop.c
#@@ -1,4 +1,4 @@
#-/* $OpenBSD: clientloop.c,v 1.404 2024/04/30 02:10:49 djm Exp $ */
#+/* $OpenBSD: clientloop.c,v 1.405 2024/04/30 02:14:10 djm Exp $ */
# /*
# * Author: Tatu Ylonen <ylo@cs.hut.fi>
# * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1585,7 +1585,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
client_wait_until_can_do_something(ssh, &pfd, &npfd_alloc,
&npfd_active, channel_did_enqueue, &osigset,
&conn_in_ready, &conn_out_ready);
- if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
+ if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
error_f("osigset sigprocmask: %s", strerror(errno));
if (quit_pending)
diff --git a/serverloop.c b/serverloop.c
index f3683c2e4a6..94c8943a616 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.237 2023/08/21 04:59:54 djm Exp $ */
+/* $OpenBSD: serverloop.c,v 1.238 2024/04/30 02:14:10 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -380,7 +380,7 @@ server_loop2(struct ssh *ssh, Authctxt *authctxt)
wait_until_can_do_something(ssh, connection_in, connection_out,
&pfd, &npfd_alloc, &npfd_active, &osigset,
&conn_in_ready, &conn_out_ready);
- if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
+ if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
error_f("osigset sigprocmask: %s", strerror(errno));
if (received_sigterm) {

View File

@ -0,0 +1,32 @@
From 9844aa2521ccfb1a2d73745680327b79e0574445 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 21 Feb 2024 05:57:34 +0000
Subject: [PATCH] upstream: fix proxy multiplexing mode, broken when keystroke
timing
obfuscation was added. GHPR#463 from montag451
OpenBSD-Commit-ID: 4e412d59b3f557d431f1d81c715a3bc0491cc677
---
clientloop.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/clientloop.c b/clientloop.c
index eb4902905fb..8ec36af94b3 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.402 2023/11/24 00:31:30 dtucker Exp $ */
+/* $OpenBSD: clientloop.c,v 1.403 2024/02/21 05:57:34 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -517,7 +517,7 @@ send_chaff(struct ssh *ssh)
{
int r;
- if ((ssh->kex->flags & KEX_HAS_PING) == 0)
+ if (ssh->kex == NULL || (ssh->kex->flags & KEX_HAS_PING) == 0)
return 0;
/* XXX probabilistically send chaff? */
/*

View File

@ -0,0 +1,38 @@
From 146c420d29d055cc75c8606327a1cf8439fe3a08 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Mon, 1 Jul 2024 04:31:17 +0000
Subject: [PATCH] upstream: when sending ObscureKeystrokeTiming chaff packets,
we
can't rely on channel_did_enqueue to tell that there is data to send. This
flag indicates that the channels code enqueued a packet on _this_ ppoll()
iteration, not that data was enqueued in _any_ ppoll() iteration in the
timeslice. ok markus@
OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
---
clientloop.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/clientloop.c b/clientloop.c
index 0b6f3c9be02..8ed8b1c3449 100644
--- a/clientloop.c
+++ b/clientloop.c
#@@ -1,4 +1,4 @@
#-/* $OpenBSD: clientloop.c,v 1.407 2024/05/17 06:42:04 jsg Exp $ */
#+/* $OpenBSD: clientloop.c,v 1.408 2024/07/01 04:31:17 djm Exp $ */
# /*
# * Author: Tatu Ylonen <ylo@cs.hut.fi>
# * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -607,8 +607,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
if (timespeccmp(&now, &chaff_until, >=)) {
/* Stop if there have been no keystrokes for a while */
stop_reason = "chaff time expired";
- } else if (timespeccmp(&now, &next_interval, >=)) {
- /* Otherwise if we were due to send, then send chaff */
+ } else if (timespeccmp(&now, &next_interval, >=) &&
+ !ssh_packet_have_data_to_write(ssh)) {
+ /* If due to send but have no data, then send chaff */
if (send_chaff(ssh))
nchaff++;
}

64
README.FIPS Normal file
View File

@ -0,0 +1,64 @@
Notes on FIPS mode and OpenSSH
---
SUSE OpenSSH comes with FIPS 140-2 support, and certain versions have been
certified as FIPS compliant by NIST. Apart from other things, this standard
puts restrictions on cryptographic algorithms that may be used.
Important notice: FIPS is not only a matter of functionality. If you want to
claim having a FIPS certified service, you *must* use the certified binaries.
Even binaries built from the same sources in the same environment and running
on a certified system, yet from a package lacking the certification, are
formally not considered to be fulfilling the requirements.
The certified binaries (ssh, sshd, sftp-server) perform mandatory selfcheck at
startup and proceed only when the checks succeed (non-certified binaries may
skip the check). These checks require the cryptographic hashes contained in the
openssh-fips subpackage.
The FIPS mode for OpenSSH is enabled in two ways - either:
1) /proc/sys/crypto/fips_enabled contains a single character '1' - this is a
system-wide setting controlled bu the fips kernel parameter; or
2) the environment variable SSH_FORCE_FIPS - if set (to any value), the
binaries behave as if they were running on a system in FIPS mode.
Since FIPS 140-2 only allows use of certain cryptographic algorithms, both the
client and server will fail if they are requested to use non-approved
algorithms while in FIPS mode. This means that working configurations for FIPS
mode form a proper subset of all working (generic) configurations. Some
configurations may even prevent the binaries from starting at all.
This however should be viewed in the context of FIPS being a security policy
tool - it is not of much use to run the same system both in FIPS mode and
outside of it, since that would defeat the main purpose of FIPS having
guaranteeing standardised minimum restrictions on cryptographic algorithms
(and thus on the overall security of the system).
Unless you specify what cryptographic algorithms you wish to use, both the
client and server should work out of the box in FIPS mode.
For sshd, you can use the `-t` option to check whether the configuration file
is working. Setting the above mentioned environment variable allows testing of
behaviour in FIPS mode (checksum files for both OpenSSH and OpenSSL must be
installed).
In addition to cryptographic algorithms restrictions, sshd performs periodic
PRNG re-seeding. The seed is read from entropy source either /dev/urandom or
/dev/random. By default, the former is used, unless the environment variable
SSH_USE_STRONG_RNG is set to a non-zero value or the binary is running in FIPS
mode. This has two important implications:
1) the selected entropy source must be available, i.e. when running in a
changeroot the device files need to be present there.
2) /dev/random is a blocking interface - unless enough randomness is available,
the process stops until the entropy pool is replenished. Thus on systems where
a long running processes are expected, one should make sure there is always
enough entropy for sshd. Sporadically this may also cause sshd to aborted,
since some versions of OpenSSL (the underlying cryptographic engine) don't
handle gracefully being interrupted while trying to read entropy from the
system source.

23
README.SUSE Normal file
View File

@ -0,0 +1,23 @@
There are following changes in default settings of ssh client and server:
* Accepting and sending of locale environment variables in protocol 2 is
enabled.
* PAM authentication is enabled and mostly even required, do not turn it off.
* In SLE15, root authentiation with password is enabled by default
(PermitRootLogin yes).
NOTE: this has security implications and is only done in order to not change
behaviour of the server in an update. We strongly suggest setting this option
either "prohibit-password" or even better to "no" (which disables direct
remote root login entirely).
* DSA authentication is enabled by default for maximum compatibility.
NOTE: do not use DSA authentication since it is being phased out for a reason
- the size of DSA keys is limited by the standard to 1024 bits which cannot
be considered safe any more.
* Accepting all RFC4419 specified DH group parameters. See KexDHMin in
ssh_config and sshd_config manual pages.
For more information on differences in SUSE OpenSSH package see README.FIPS

18
README.kerberos Normal file
View File

@ -0,0 +1,18 @@
This version of the Kerbros/GSSAPI support avoids DNS lookups
for Kerberos-related names. These DNS lookups were problematic
for dialup users because they would lead to excessive delays
if DNS was not reachable.
If you do use Kerberos, please make sure you edit the server and
client configuration files as follows:
/etc/ssh/sshd_config:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
/etc/ssh/ssh_config:
Host *
... lots of other options ...
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

3
_multibuild Normal file
View File

@ -0,0 +1,3 @@
<multibuild>
<package>openssh-askpass-gnome</package>
</multibuild>

184
cavs_driver-ssh.pl Normal file
View File

@ -0,0 +1,184 @@
#!/usr/bin/perl
#
# CAVS test driver for OpenSSH
#
# Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# NO WARRANTY
#
# BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
# FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
# OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
# PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
# OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
# TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
# PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
# REPAIR OR CORRECTION.
#
# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
# REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
# INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
# OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
# TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
# YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
# PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGES.
#
use strict;
use warnings;
use IPC::Open2;
# Executing a program by feeding STDIN and retrieving
# STDOUT
# $1: data string to be piped to the app on STDIN
# rest: program and args
# returns: STDOUT of program as string
sub pipe_through_program($@) {
my $in = shift;
my @args = @_;
my ($CO, $CI);
my $pid = open2($CO, $CI, @args);
my $out = "";
my $len = length($in);
my $first = 1;
while (1) {
my $rin = "";
my $win = "";
# Output of prog is FD that we read
vec($rin,fileno($CO),1) = 1;
# Input of prog is FD that we write
# check for $first is needed because we can have NULL input
# that is to be written to the app
if ( $len > 0 || $first) {
(vec($win,fileno($CI),1) = 1);
$first=0;
}
# Let us wait for 100ms
my $nfound = select(my $rout=$rin, my $wout=$win, undef, 0.1);
if ( $wout ) {
my $written = syswrite($CI, $in, $len);
die "broken pipe" if !defined $written;
$len -= $written;
substr($in, 0, $written) = "";
if ($len <= 0) {
close $CI or die "broken pipe: $!";
}
}
if ( $rout ) {
my $tmp_out = "";
my $bytes_read = sysread($CO, $tmp_out, 4096);
$out .= $tmp_out;
last if ($bytes_read == 0);
}
}
close $CO or die "broken pipe: $!";
waitpid $pid, 0;
return $out;
}
# Parser of CAVS test vector file
# $1: Test vector file
# $2: Output file for test results
# return: nothing
sub parse($$) {
my $infile = shift;
my $outfile = shift;
my $out = "";
my $K = "";
my $H = "";
my $session_id = "";
my $ivlen = 0;
my $eklen = "";
my $iklen = "";
open(IN, "<$infile");
while(<IN>) {
my $line = $_;
chomp($line);
$line =~ s/\r//;
if ($line =~ /\[SHA-1\]/) {
$iklen = 20;
} elsif ($line =~ /\[SHA-256\]/) {
$iklen = 32;
} elsif ($line =~ /\[SHA-384\]/) {
$iklen = 48;
} elsif ($line =~ /\[SHA-512\]/) {
$iklen = 64;
} elsif ($line =~ /^\[IV length\s*=\s*(.*)\]/) {
$ivlen = $1;
$ivlen = $ivlen / 8;
} elsif ($line =~ /^\[encryption key length\s*=\s*(.*)\]/) {
$eklen = $1;
$eklen = $eklen / 8;
} elsif ($line =~ /^K\s*=\s*(.*)/) {
$K = $1;
$K = substr($K, 8);
$K = "00" . $K;
} elsif ($line =~ /^H\s*=\s*(.*)/) {
$H = $1;
} elsif ($line =~ /^session_id\s*=\s*(.*)/) {
$session_id = $1;
}
$out .= $line . "\n";
if ($K ne "" && $H ne "" && $session_id ne "" &&
$ivlen ne "" && $eklen ne "" && $iklen > 0) {
$out .= pipe_through_program("", "@LIBEXECDIR@/ssh/cavstest-kdf -H $H -K $K -s $session_id -i $ivlen -e $eklen -m $iklen");
$K = "";
$H = "";
$session_id = "";
}
}
close IN;
$out =~ s/\n/\r\n/g; # make it a dos file
open(OUT, ">$outfile") or die "Cannot create output file $outfile: $?";
print OUT $out;
close OUT;
}
############################################################
#
# let us pretend to be C :-)
sub main() {
my $infile=$ARGV[0];
die "Error: Test vector file $infile not found" if (! -f $infile);
my $outfile = $infile;
# let us add .rsp regardless whether we could strip .req
$outfile =~ s/\.req$//;
$outfile .= ".rsp";
if (-f $outfile) {
die "Output file $outfile could not be removed: $?"
unless unlink($outfile);
}
print STDERR "Performing tests from source file $infile with results stored in destination file $outfile\n";
# Do the job
parse($infile, $outfile);
}
###########################################
# Call it
main();
1;

19
fix-CVE-2024-6387.patch Normal file
View File

@ -0,0 +1,19 @@
Index: openssh-9.6p1/log.c
===================================================================
--- openssh-9.6p1.orig/log.c
+++ openssh-9.6p1/log.c
@@ -451,12 +451,14 @@ void
sshsigdie(const char *file, const char *func, int line, int showfunc,
LogLevel level, const char *suffix, const char *fmt, ...)
{
+#if 0
va_list args;
va_start(args, fmt);
sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
suffix, fmt, args);
va_end(args);
+#endif
_exit(1);
}

View File

@ -0,0 +1,39 @@
From fcc66557503124ab98491a598b706a24eb3cf0e1 Mon Sep 17 00:00:00 2001
From: Antonio Larrosa <alarrosa@suse.com>
Date: Mon, 12 Aug 2024 11:32:42 +0200
Subject: [PATCH] Fix a small memory leak in process_server_config_line_depth
The return value of argv_assemble is owned by the caller and should be
free'd. When processing the sSubsystem case there are two calls to
argv_assemble but only one of them is freed. This patch fixes the small
(29 bytes according to valgrind) memory leak.
The output from valgrind:
==115369== 29 bytes in 1 blocks are definitely lost in loss record 573 of 913
==115369== at 0x4845794: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==115369== by 0x124A22: argv_assemble (misc.c:2165)
==115369== by 0x1385E5: process_server_config_line_depth.constprop.0 (servconf.c:2004)
==115369== by 0x13984D: parse_server_config_depth.constprop.0 (servconf.c:3032)
==115369== by 0x139986: parse_server_config.constprop.0 (servconf.c:3049)
==115369== by 0x111C6E: main (sshd.c:1445)
Submitted to upstream at https://github.com/openssh/openssh-portable/pull/515
---
servconf.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/servconf.c b/servconf.c
index 5a20d6f8..0b989b95 100644
--- a/servconf.c
+++ b/servconf.c
@@ -2006,6 +2006,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
xasprintf(&options->subsystem_args[options->num_subsystems],
"%s%s%s", arg, *arg2 == '\0' ? "" : " ", arg2);
free(arg2);
+ free(arg);
argv_consume(&ac);
options->num_subsystems++;
break;
--
2.45.2

25
fix-missing-lz.patch Normal file
View File

@ -0,0 +1,25 @@
Index: openssh-9.3p1/Makefile.in
===================================================================
--- openssh-9.3p1.orig/Makefile.in
+++ openssh-9.3p1/Makefile.in
@@ -250,17 +250,17 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o $(SFTPSERVER_OBJS)
- $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
+ $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
# FIPS tests
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
- $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
+ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o
- $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
+ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o

200
logind_set_tty.patch Normal file
View File

@ -0,0 +1,200 @@
diff --git a/Makefile.in b/Makefile.in
index f0ea07e7b..35dcf45f1 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -56,6 +56,7 @@ SSHDLIBS=@SSHDLIBS@
LIBEDIT=@LIBEDIT@
LIBFIDO2=@LIBFIDO2@
LIBWTMPDB=@LIBWTMPDB@
+LIBSYSTEMD=@LIBSYSTEMD@
AR=@AR@
AWK=@AWK@
RANLIB=@RANLIB@
@@ -208,7 +209,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB) $(LIBSYSTEMD)
sshd-session$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHD_SESSION_OBJS)
$(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
diff --git a/configure.ac b/configure.ac
index a12c6f7ad..860df3379 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1789,6 +1789,47 @@ AC_ARG_WITH([wtmpdb],
)
+# Check whether user wants logind/set tty support
+AC_ARG_WITH([logind],
+ [ --with-logind[[=PATH]] Enable logind support for sshd],
+ [ if test "x$withval" != "xno" ; then
+ if test "x$withval" = "xyes" ; then
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
+ if test "x$PKGCONFIG" != "xno"; then
+ AC_MSG_CHECKING([if $PKGCONFIG knows about libsystemd])
+ if "$PKGCONFIG" libsystemd; then
+ AC_MSG_RESULT([yes])
+ use_pkgconfig_for_libsystemd=yes
+ else
+ AC_MSG_RESULT([no])
+ fi
+ fi
+ else
+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
+ if test -n "${rpath_opt}"; then
+ LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ fi
+ if test "x$use_pkgconfig_for_libsystemd" = "xyes"; then
+ LIBSYSTEMD=`$PKGCONFIG --libs libsystemd`
+ CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libsystemd`"
+ else
+ LIBSYSTEMD="-lsystemd"
+ fi
+ OTHERLIBS=`echo $LIBSYSTEMD | sed 's/-lsystemd//'`
+ AC_CHECK_LIB([systemd], [sd_bus_open_system],
+ [ AC_DEFINE([USE_LOGIND], [1], [Use systemd-logind])
+ AC_SUBST([LIBSYSTEMD])
+ ],
+ [ AC_MSG_ERROR([libsystemd not found]) ],
+ [ $OTHERLIBS ]
+ )
+ fi ]
+)
+
+
AUDIT_MODULE=none
AC_ARG_WITH([audit],
[ --with-audit=module Enable audit support (modules=debug,bsm,linux)],
diff --git a/loginrec.c b/loginrec.c
index 86caf83b2..8b413190b 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -191,6 +191,10 @@
# include <wtmpdb.h>
#endif
+#ifdef USE_LOGIND
+# include <systemd/sd-bus.h>
+#endif
+
/**
** prototypes for helper functions in this file
**/
@@ -214,6 +218,9 @@ int syslogin_write_entry(struct logininfo *li);
#ifdef USE_WTMPDB
int wtmpdb_write_entry(struct logininfo *li);
#endif
+#ifdef USE_LOGIND
+int logind_set_tty(struct logininfo *li);
+#endif
int getlast_entry(struct logininfo *li);
int lastlog_get_entry(struct logininfo *li);
@@ -477,6 +484,9 @@ login_write(struct logininfo *li)
#ifdef USE_WTMPDB
wtmpdb_write_entry(li);
#endif
+#ifdef USE_LOGIND
+ logind_set_tty(li);
+#endif
#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
if (li->type == LTYPE_LOGIN &&
!sys_auth_record_login(li->username,li->hostname,li->line,
@@ -1476,6 +1486,91 @@ wtmpdb_write_entry(struct logininfo *li)
}
#endif
+#ifdef USE_LOGIND
+#define DBUS_DESTINATION "org.freedesktop.login1"
+#define DBUS_PATH_ID "/org/freedesktop/login1/session/auto"
+#define DBUS_INTERFACE "org.freedesktop.login1.Session"
+#define DBUS_PATH "/org/freedesktop/login1/session/%s"
+
+static int
+logind_perform_login(struct logininfo *li)
+{
+ sd_bus *bus = NULL;
+ sd_bus_error error = SD_BUS_ERROR_NULL;
+ char *session_id = NULL;
+ char *dbus_path;
+ const char *tty;
+ char buf[PATH_MAX];
+ int r;
+ int fd;
+
+ if (sd_bus_open_system(&bus) < 0)
+ {
+ logit("logind: canot open dbus");
+ return (0);
+ }
+
+ if (sd_bus_get_property_string(bus, DBUS_DESTINATION,
+ DBUS_PATH_ID, DBUS_INTERFACE,
+ "Id", &error, &session_id) < 0)
+ {
+ logit("logind: cannot get session ID");
+ return (0);
+ }
+
+ if (strncmp(li->line, "/dev/", 5) != 0)
+ snprintf (buf, sizeof(buf), "/dev/%s", li->line);
+ else
+ tty = li->line;
+
+ fd = open(tty, O_RDWR|O_CLOEXEC|O_NOCTTY);
+
+ if (asprintf (&dbus_path, DBUS_PATH, session_id) < 0)
+ return (0);
+
+ if (sd_bus_call_method(bus, DBUS_DESTINATION, dbus_path,
+ DBUS_INTERFACE, "TakeControl", &error, NULL,
+ "b", 1) < 0) {
+ logit("logind: cannot take control");
+ free(dbus_path);
+ return (0);
+ }
+
+ if ((r = sd_bus_call_method(bus, DBUS_DESTINATION, dbus_path,
+ DBUS_INTERFACE, "SetTTY", &error, NULL,
+ "h", fd)) < 0) {
+ if (r != -EBADR) /* logind does not support "SetTTY" */
+ logit("logind: cannot set TTY(%s, %s): %s", session_id, tty, strerror(-r));
+ free(dbus_path);
+ return (0);
+ }
+
+ free(dbus_path);
+
+ if (sd_bus_flush(bus) < 0) {
+ sd_bus_unref(bus);
+ return (0);
+ }
+
+ sd_bus_unref(bus);
+ return (1);
+}
+
+int
+logind_set_tty(struct logininfo *li)
+{
+ switch(li->type) {
+ case LTYPE_LOGIN:
+ return (logind_perform_login(li));
+ case LTYPE_LOGOUT:
+ return (1);
+ default:
+ logit("%s: invalid type field", __func__);
+ return (0);
+ }
+}
+#endif
+
/**
** Low-level libutil login() functions

View File

@ -0,0 +1,119 @@
Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
===================================================================
--- openssh-9.6p1.orig/openbsd-compat/port-linux-sshd.c
+++ openssh-9.6p1/openbsd-compat/port-linux-sshd.c
@@ -33,6 +33,7 @@
#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
#include "servconf.h"
#include "port-linux.h"
+#include "misc.h"
#include "sshkey.h"
#include "hostfile.h"
#include "auth.h"
@@ -451,7 +452,7 @@ sshd_selinux_setup_exec_context(char *pw
void
sshd_selinux_copy_context(void)
{
- security_context_t *ctx;
+ char *ctx;
if (!sshd_selinux_enabled())
return;
@@ -470,6 +471,72 @@ sshd_selinux_copy_context(void)
}
}
+void
+sshd_selinux_change_privsep_preauth_context(void)
+{
+ int len;
+ char line[1024], *preauth_context = NULL, *cp, *arg;
+ const char *contexts_path;
+ FILE *contexts_file;
+ struct stat sb;
+
+ contexts_path = selinux_openssh_contexts_path();
+ if (contexts_path == NULL) {
+ debug3_f("Failed to get the path to SELinux context");
+ return;
+ }
+
+ if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
+ debug_f("Failed to open SELinux context file");
+ return;
+ }
+
+ if (fstat(fileno(contexts_file), &sb) != 0 ||
+ sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
+ logit_f("SELinux context file needs to be owned by root"
+ " and not writable by anyone else");
+ fclose(contexts_file);
+ return;
+ }
+
+ while (fgets(line, sizeof(line), contexts_file)) {
+ /* Strip trailing whitespace */
+ for (len = strlen(line) - 1; len > 0; len--) {
+ if (strchr(" \t\r\n", line[len]) == NULL)
+ break;
+ line[len] = '\0';
+ }
+
+ if (line[0] == '\0')
+ continue;
+
+ cp = line;
+ arg = strdelim(&cp);
+ if (arg && *arg == '\0')
+ arg = strdelim(&cp);
+
+ if (arg && strcmp(arg, "privsep_preauth") == 0) {
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0') {
+ debug_f("privsep_preauth is empty");
+ fclose(contexts_file);
+ return;
+ }
+ preauth_context = xstrdup(arg);
+ }
+ }
+ fclose(contexts_file);
+
+ if (preauth_context == NULL) {
+ debug_f("Unable to find 'privsep_preauth' option in"
+ " SELinux context file");
+ return;
+ }
+
+ ssh_selinux_change_context(preauth_context);
+ free(preauth_context);
+}
+
#endif
#endif
Index: openssh-9.6p1/openbsd-compat/port-linux.h
===================================================================
--- openssh-9.6p1.orig/openbsd-compat/port-linux.h
+++ openssh-9.6p1/openbsd-compat/port-linux.h
@@ -27,6 +27,7 @@ int sshd_selinux_enabled(void);
void sshd_selinux_copy_context(void);
void sshd_selinux_setup_exec_context(char *);
int sshd_selinux_setup_env_variables(void);
+void sshd_selinux_change_privsep_preauth_context(void);
#endif
#ifdef LINUX_OOM_ADJUST
Index: openssh-9.6p1/sshd-session.c
===================================================================
--- openssh-9.6p1.orig/sshd-session.c
+++ openssh-9.6p1/sshd-session.c
@@ -511,7 +511,7 @@ privsep_preauth_child(struct ssh *ssh)
demote_sensitive_data(ssh);
#ifdef WITH_SELINUX
- ssh_selinux_change_context("sshd_net_t");
+ sshd_selinux_change_privsep_preauth_context();
#endif
/* Demote the child */

491
openssh-6.6p1-keycat.patch Normal file
View File

@ -0,0 +1,491 @@
Index: openssh-9.3p2/misc.c
===================================================================
--- openssh-9.3p2.orig/misc.c
+++ openssh-9.3p2/misc.c
@@ -2770,6 +2770,13 @@ subprocess(const char *tag, const char *
error("%s: dup2: %s", tag, strerror(errno));
_exit(1);
}
+#ifdef WITH_SELINUX
+ if (sshd_selinux_setup_env_variables() < 0) {
+ error ("failed to copy environment: %s",
+ strerror(errno));
+ _exit(127);
+ }
+#endif
if (env != NULL)
execve(av[0], av, env);
else
Index: openssh-9.3p2/HOWTO.ssh-keycat
===================================================================
--- /dev/null
+++ openssh-9.3p2/HOWTO.ssh-keycat
@@ -0,0 +1,12 @@
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
+of an user in any environment. This includes environments with
+polyinstantiation of home directories and SELinux MLS policy enabled.
+
+To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
+ AuthorizedKeysCommandUser root
+
+Do not forget to enable public key authentication:
+ PubkeyAuthentication yes
+
+
Index: openssh-9.3p2/Makefile.in
===================================================================
--- openssh-9.3p2.orig/Makefile.in
+++ openssh-9.3p2/Makefile.in
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+SSH_KEYCAT=$(libexecdir)/ssh-keycat
SSHD_SESSION=$(libexecdir)/sshd-session
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
@@ -57,6 +58,7 @@ CHANNELLIBS=@CHANNELLIBS@
K5LIBS=@K5LIBS@
GSSLIBS=@GSSLIBS@
SSHDLIBS=@SSHDLIBS@
+KEYCATLIBS=@KEYCATLIBS@
LIBEDIT=@LIBEDIT@
LIBFIDO2=@LIBFIDO2@
LIBWTMPDB=@LIBWTMPDB@
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
.SUFFIXES: .lo
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
@@ -245,6 +247,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(CHANNELLIBS)
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
+
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS)
@@ -431,6 +436,7 @@ install-files:
$(INSTALL) -m 0755 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
fi
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
Index: openssh-9.3p2/openbsd-compat/port-linux.h
===================================================================
--- openssh-9.3p2.orig/openbsd-compat/port-linux.h
+++ openssh-9.3p2/openbsd-compat/port-linux.h
@@ -23,8 +23,10 @@ void ssh_selinux_setup_pty(char *, const
void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
+int sshd_selinux_enabled(void);
void sshd_selinux_copy_context(void);
void sshd_selinux_setup_exec_context(char *);
+int sshd_selinux_setup_env_variables(void);
#endif
#ifdef LINUX_OOM_ADJUST
Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
===================================================================
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
extern Authctxt *the_authctxt;
extern int inetd_flag;
+/* Wrapper around is_selinux_enabled() to log its return value once only */
+int
+sshd_selinux_enabled(void)
+{
+ static int enabled = -1;
+
+ if (enabled == -1) {
+ enabled = (is_selinux_enabled() == 1);
+ debug("SELinux support %s", enabled ? "enabled" : "disabled");
+ }
+
+ return (enabled);
+}
+
/* Send audit message */
static int
sshd_selinux_send_audit_message(int success, security_context_t default_context,
@@ -318,7 +332,7 @@ sshd_selinux_getctxbyname(char *pwname,
/* Setup environment variables for pam_selinux */
static int
-sshd_selinux_setup_pam_variables(void)
+sshd_selinux_setup_variables(int(*set_it)(char *, const char *))
{
const char *reqlvl;
char *role;
@@ -319,16 +333,16 @@ sshd_selinux_setup_pam_variables(void)
ssh_selinux_get_role_level(&role, &reqlvl);
- rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
+ rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
if (inetd_flag) {
use_current = "1";
} else {
use_current = "";
- rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
+ rv = rv || set_it("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
}
- rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
+ rv = rv || set_it("SELINUX_USE_CURRENT_RANGE", use_current);
if (role != NULL)
free(role);
@@ -346,6 +360,24 @@ sshd_selinux_setup_pam_variables(void)
return rv;
}
+static int
+sshd_selinux_setup_pam_variables(void)
+{
+ return sshd_selinux_setup_variables(do_pam_putenv);
+}
+
+static int
+do_setenv(char *name, const char *value)
+{
+ return setenv(name, value, 1);
+}
+
+int
+sshd_selinux_setup_env_variables(void)
+{
+ return sshd_selinux_setup_variables(do_setenv);
+}
+
/* Set the execution context to the default for the specified user */
void
sshd_selinux_setup_exec_context(char *pwname)
@@ -354,7 +386,7 @@ sshd_selinux_setup_exec_context(char *pw
int r = 0;
security_context_t default_ctx = NULL;
- if (!ssh_selinux_enabled())
+ if (!sshd_selinux_enabled())
return;
if (options.use_pam) {
@@ -421,7 +453,7 @@ sshd_selinux_copy_context(void)
{
security_context_t *ctx;
- if (!ssh_selinux_enabled())
+ if (!sshd_selinux_enabled())
return;
if (getexeccon((security_context_t *)&ctx) != 0) {
Index: openssh-9.3p2/platform.c
===================================================================
--- openssh-9.3p2.orig/platform.c
+++ openssh-9.3p2/platform.c
@@ -100,7 +100,7 @@ platform_setusercontext(struct passwd *p
{
#ifdef WITH_SELINUX
/* Cache selinux status for later use */
- (void)ssh_selinux_enabled();
+ (void)sshd_selinux_enabled();
#endif
#ifdef USE_SOLARIS_PROJECTS
Index: openssh-9.3p2/ssh-keycat.c
===================================================================
--- /dev/null
+++ openssh-9.3p2/ssh-keycat.c
@@ -0,0 +1,241 @@
+/*
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (c) 2011 Red Hat, Inc.
+ * Written by Tomas Mraz <tmraz@redhat.com>
+*/
+
+#define _GNU_SOURCE
+
+#include "config.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <pwd.h>
+#include <fcntl.h>
+#include <unistd.h>
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif
+
+#include <security/pam_appl.h>
+
+#include "uidswap.h"
+#include "misc.h"
+
+#define ERR_USAGE 1
+#define ERR_PAM_START 2
+#define ERR_OPEN_SESSION 3
+#define ERR_CLOSE_SESSION 4
+#define ERR_PAM_END 5
+#define ERR_GETPWNAM 6
+#define ERR_MEMORY 7
+#define ERR_OPEN 8
+#define ERR_FILE_MODE 9
+#define ERR_FDOPEN 10
+#define ERR_STAT 11
+#define ERR_WRITE 12
+#define ERR_PAM_PUTENV 13
+#define BUFLEN 4096
+
+/* Just ignore the messages in the conversation function */
+static int
+dummy_conv(int num_msg, const struct pam_message **msgm,
+ struct pam_response **response, void *appdata_ptr)
+{
+ struct pam_response *rsp;
+
+ (void)msgm;
+ (void)appdata_ptr;
+
+ if (num_msg <= 0)
+ return PAM_CONV_ERR;
+
+ /* Just allocate the array as empty responses */
+ rsp = calloc (num_msg, sizeof (struct pam_response));
+ if (rsp == NULL)
+ return PAM_CONV_ERR;
+
+ *response = rsp;
+ return PAM_SUCCESS;
+}
+
+static struct pam_conv conv = {
+ dummy_conv,
+ NULL
+};
+
+char *
+make_auth_keys_name(const struct passwd *pwd)
+{
+ char *fname;
+
+ if (asprintf(&fname, "%s/.ssh/authorized_keys", pwd->pw_dir) < 0)
+ return NULL;
+
+ return fname;
+}
+
+int
+dump_keys(const char *user)
+{
+ struct passwd *pwd;
+ int fd = -1;
+ FILE *f = NULL;
+ char *fname = NULL;
+ int rv = 0;
+ char buf[BUFLEN];
+ size_t len;
+ struct stat st;
+
+ if ((pwd = getpwnam(user)) == NULL) {
+ return ERR_GETPWNAM;
+ }
+
+ if ((fname = make_auth_keys_name(pwd)) == NULL) {
+ return ERR_MEMORY;
+ }
+
+ temporarily_use_uid(pwd);
+
+ if ((fd = open(fname, O_RDONLY|O_NONBLOCK|O_NOFOLLOW, 0)) < 0) {
+ rv = ERR_OPEN;
+ goto fail;
+ }
+
+ if (fstat(fd, &st) < 0) {
+ rv = ERR_STAT;
+ goto fail;
+ }
+
+ if (!S_ISREG(st.st_mode) ||
+ (st.st_uid != pwd->pw_uid && st.st_uid != 0)) {
+ rv = ERR_FILE_MODE;
+ goto fail;
+ }
+
+ unset_nonblock(fd);
+
+ if ((f = fdopen(fd, "r")) == NULL) {
+ rv = ERR_FDOPEN;
+ goto fail;
+ }
+
+ fd = -1;
+
+ while ((len = fread(buf, 1, sizeof(buf), f)) > 0) {
+ rv = fwrite(buf, 1, len, stdout) != len ? ERR_WRITE : 0;
+ }
+
+fail:
+ if (fd != -1)
+ close(fd);
+ if (f != NULL)
+ fclose(f);
+ free(fname);
+ restore_uid();
+ return rv;
+}
+
+static const char *env_names[] = { "SELINUX_ROLE_REQUESTED",
+ "SELINUX_LEVEL_REQUESTED",
+ "SELINUX_USE_CURRENT_RANGE"
+};
+
+extern char **environ;
+
+int
+set_pam_environment(pam_handle_t *pamh)
+{
+ int i;
+ size_t j;
+
+ for (j = 0; j < sizeof(env_names)/sizeof(env_names[0]); ++j) {
+ int len = strlen(env_names[j]);
+
+ for (i = 0; environ[i] != NULL; ++i) {
+ if (strncmp(env_names[j], environ[i], len) == 0 &&
+ environ[i][len] == '=') {
+ if (pam_putenv(pamh, environ[i]) != PAM_SUCCESS)
+ return ERR_PAM_PUTENV;
+ }
+ }
+ }
+
+ return 0;
+}
+
+int
+main(int argc, char *argv[])
+{
+ pam_handle_t *pamh = NULL;
+ int retval;
+ int ev = 0;
+
+ if (argc != 2) {
+ fprintf(stderr, "Usage: %s <user-name>\n", argv[0]);
+ return ERR_USAGE;
+ }
+
+ retval = pam_start("ssh-keycat", argv[1], &conv, &pamh);
+ if (retval != PAM_SUCCESS) {
+ return ERR_PAM_START;
+ }
+
+ ev = set_pam_environment(pamh);
+ if (ev != 0)
+ goto finish;
+
+ retval = pam_open_session(pamh, PAM_SILENT);
+ if (retval != PAM_SUCCESS) {
+ ev = ERR_OPEN_SESSION;
+ goto finish;
+ }
+
+ ev = dump_keys(argv[1]);
+
+ retval = pam_close_session(pamh, PAM_SILENT);
+ if (retval != PAM_SUCCESS) {
+ ev = ERR_CLOSE_SESSION;
+ }
+
+finish:
+ retval = pam_end (pamh,retval);
+ if (retval != PAM_SUCCESS) {
+ ev = ERR_PAM_END;
+ }
+ return ev;
+}
Index: openssh-9.3p2/configure.ac
===================================================================
--- openssh-9.3p2.orig/configure.ac
+++ openssh-9.3p2/configure.ac
@@ -3632,6 +3632,7 @@ AC_ARG_WITH([pam],
PAM_MSG="yes"
SSHDLIBS="$SSHDLIBS -lpam"
+ KEYCATLIBS="$KEYCATLIBS -lpam"
AC_DEFINE([USE_PAM], [1],
[Define if you want to enable PAM support])
@@ -3642,6 +3643,7 @@ AC_ARG_WITH([pam],
;;
*)
SSHDLIBS="$SSHDLIBS -ldl"
+ KEYCATLIBS="$KEYCATLIBS -ldl"
;;
esac
fi
@@ -4875,6 +4877,7 @@ AC_ARG_WITH([selinux],
fi ]
)
AC_SUBST([SSHDLIBS])
+AC_SUBST([KEYCATLIBS])
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
@@ -5905,6 +5908,9 @@ fi
if test ! -z "${SSHDLIBS}"; then
echo " +for sshd: ${SSHDLIBS}"
fi
+if test ! -z "${KEYCATLIBS}"; then
+echo " +for ssh-keycat: ${KEYCATLIBS}"
+fi
echo ""

View File

@ -0,0 +1,124 @@
Index: openssh-9.3p2/openbsd-compat/port-linux.h
===================================================================
--- openssh-9.3p2.orig/openbsd-compat/port-linux.h
+++ openssh-9.3p2/openbsd-compat/port-linux.h
@@ -23,6 +23,7 @@ void ssh_selinux_setup_pty(char *, const
void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
+void sshd_selinux_copy_context(void);
void sshd_selinux_setup_exec_context(char *);
#endif
Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
===================================================================
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
@@ -416,6 +416,28 @@ sshd_selinux_setup_exec_context(char *pw
debug3_f("done");
}
+void
+sshd_selinux_copy_context(void)
+{
+ security_context_t *ctx;
+
+ if (!ssh_selinux_enabled())
+ return;
+
+ if (getexeccon((security_context_t *)&ctx) != 0) {
+ logit_f("getexeccon failed with %s", strerror(errno));
+ return;
+ }
+ if (ctx != NULL) {
+ /* unset exec context before we will lose this capabililty */
+ if (setexeccon(NULL) != 0)
+ fatal_f("setexeccon failed with %s", strerror(errno));
+ if (setcon(ctx) != 0)
+ fatal_f("setcon failed with %s", strerror(errno));
+ freecon(ctx);
+ }
+}
+
#endif
#endif
Index: openssh-9.3p2/session.c
===================================================================
--- openssh-9.3p2.orig/session.c
+++ openssh-9.3p2/session.c
@@ -1403,7 +1403,7 @@ do_setusercontext(struct passwd *pw)
platform_setusercontext(pw);
- if (platform_privileged_uidswap()) {
+ if (platform_privileged_uidswap() && !is_child) {
#ifdef HAVE_LOGIN_CAP
if (setusercontext(lc, pw, pw->pw_uid,
(LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
@@ -1435,6 +1435,9 @@ do_setusercontext(struct passwd *pw)
(unsigned long long)pw->pw_uid);
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
"u", pw->pw_name, "U", uidstr, (char *)NULL);
+#ifdef WITH_SELINUX
+ sshd_selinux_copy_context();
+#endif
safely_chroot(chroot_path, pw->pw_uid);
free(tmp);
free(chroot_path);
@@ -1470,6 +1473,11 @@ do_setusercontext(struct passwd *pw)
/* Permanently switch to the desired uid. */
permanently_set_uid(pw);
#endif
+
+#ifdef WITH_SELINUX
+ if (in_chroot == 0)
+ sshd_selinux_copy_context();
+#endif
} else if (options.chroot_directory != NULL &&
strcasecmp(options.chroot_directory, "none") != 0) {
fatal("server lacks privileges to chroot to ChrootDirectory");
@@ -1487,9 +1495,6 @@ do_pwchange(Session *s)
if (s->ttyfd != -1) {
fprintf(stderr,
"You must change your password now and login again!\n");
-#ifdef WITH_SELINUX
- setexeccon(NULL);
-#endif
#ifdef PASSWD_NEEDS_USERNAME
execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name,
(char *)NULL);
@@ -1723,9 +1728,6 @@ do_child(struct ssh *ssh, Session *s, co
argv[i] = NULL;
optind = optreset = 1;
__progname = argv[0];
-#ifdef WITH_SELINUX
- ssh_selinux_change_context("sftpd_t");
-#endif
exit(sftp_server_main(i, argv, s->pw));
}
Index: openssh-9.3p2/sshd-session.c
===================================================================
--- openssh-9.3p2.orig/sshd-session.c
+++ openssh-9.3p2/sshd-session.c
@@ -342,6 +342,10 @@ privsep_preauth_child(struct ssh *ssh)
/* Demote the private keys to public keys. */
demote_sensitive_data(ssh);
+#ifdef WITH_SELINUX
+ ssh_selinux_change_context("sshd_net_t");
+#endif
+
/* Demote the child */
if (privsep_chroot) {
/* Change our root directory */
@@ -444,7 +448,7 @@ privsep_postauth(struct ssh *ssh, Authct
* fd passing, as AFAIK PTY allocation on this platform doesn't require
* special privileges to begin with.
*/
-#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN)
+#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN) && !defined(WITH_SELINUX)
skip_privdrop = 1;
#endif

View File

@ -0,0 +1,280 @@
Index: openssh-9.3p2/auth2-pubkey.c
===================================================================
--- openssh-9.3p2.orig/auth2-pubkey.c
+++ openssh-9.3p2/auth2-pubkey.c
@@ -72,6 +72,9 @@
/* import */
extern ServerOptions options;
+extern int inetd_flag;
+extern int rexeced_flag;
+extern Authctxt *the_authctxt;
extern struct authmethod_cfg methodcfg_pubkey;
static char *
@@ -459,7 +462,8 @@ match_principals_command(struct passwd *
if ((pid = subprocess("AuthorizedPrincipalsCommand", command,
ac, av, &f,
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
- runas_pw, temporarily_use_uid, restore_uid)) == 0)
+ runas_pw, temporarily_use_uid, restore_uid,
+ inetd_flag, the_authctxt)) == 0)
goto out;
uid_swapped = 1;
@@ -727,7 +731,8 @@ user_key_command_allowed2(struct passwd
if ((pid = subprocess("AuthorizedKeysCommand", command,
ac, av, &f,
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
- runas_pw, temporarily_use_uid, restore_uid)) == 0)
+ runas_pw, temporarily_use_uid, restore_uid,
+ inetd_flag, the_authctxt)) == 0)
goto out;
uid_swapped = 1;
Index: openssh-9.3p2/misc.c
===================================================================
--- openssh-9.3p2.orig/misc.c
+++ openssh-9.3p2/misc.c
@@ -2637,7 +2637,8 @@ stdfd_devnull(int do_stdin, int do_stdou
pid_t
subprocess(const char *tag, const char *command,
int ac, char **av, FILE **child, u_int flags,
- struct passwd *pw, privdrop_fn *drop_privs, privrestore_fn *restore_privs)
+ struct passwd *pw, privdrop_fn *drop_privs,
+ privrestore_fn *restore_privs, int inetd, void *the_authctxt)
{
FILE *f = NULL;
struct stat st;
@@ -2771,7 +2772,7 @@ subprocess(const char *tag, const char *
_exit(1);
}
#ifdef WITH_SELINUX
- if (sshd_selinux_setup_env_variables() < 0) {
+ if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
error ("failed to copy environment: %s",
strerror(errno));
_exit(127);
Index: openssh-9.3p2/misc.h
===================================================================
--- openssh-9.3p2.orig/misc.h
+++ openssh-9.3p2/misc.h
@@ -110,7 +110,7 @@ typedef void privrestore_fn(void);
#define SSH_SUBPROCESS_UNSAFE_PATH (1<<3) /* Don't check for safe cmd */
#define SSH_SUBPROCESS_PRESERVE_ENV (1<<4) /* Keep parent environment */
pid_t subprocess(const char *, const char *, int, char **, FILE **, u_int,
- struct passwd *, privdrop_fn *, privrestore_fn *);
+ struct passwd *, privdrop_fn *, privrestore_fn *, int, void *);
typedef struct arglist arglist;
struct arglist {
Index: openssh-9.3p2/openbsd-compat/port-linux.h
===================================================================
--- openssh-9.3p2.orig/openbsd-compat/port-linux.h
+++ openssh-9.3p2/openbsd-compat/port-linux.h
@@ -25,8 +25,8 @@ void ssh_selinux_setfscreatecon(const ch
int sshd_selinux_enabled(void);
void sshd_selinux_copy_context(void);
-void sshd_selinux_setup_exec_context(char *);
-int sshd_selinux_setup_env_variables(void);
+void sshd_selinux_setup_exec_context(char *, int, int(char *, const char *), void *, int);
+int sshd_selinux_setup_env_variables(int inetd, void *);
void sshd_selinux_change_privsep_preauth_context(void);
#endif
Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
===================================================================
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
@@ -49,10 +49,6 @@
#include <unistd.h>
#endif
-extern ServerOptions options;
-extern Authctxt *the_authctxt;
-extern int inetd_flag;
-
/* Wrapper around is_selinux_enabled() to log its return value once only */
int
sshd_selinux_enabled(void)
@@ -223,7 +218,8 @@ get_user_context(const char *sename, con
}
static void
-ssh_selinux_get_role_level(char **role, const char **level)
+ssh_selinux_get_role_level(char **role, const char **level,
+ Authctxt *the_authctxt)
{
*role = NULL;
*level = NULL;
@@ -241,8 +237,8 @@ ssh_selinux_get_role_level(char **role,
/* Return the default security context for the given username */
static int
-sshd_selinux_getctxbyname(char *pwname,
- security_context_t *default_sc, security_context_t *user_sc)
+sshd_selinux_getctxbyname(char *pwname, security_context_t *default_sc,
+ security_context_t *user_sc, int inetd, Authctxt *the_authctxt)
{
char *sename, *lvl;
char *role;
@@ -250,7 +246,7 @@ sshd_selinux_getctxbyname(char *pwname,
int r = 0;
context_t con = NULL;
- ssh_selinux_get_role_level(&role, &reqlvl);
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
#ifdef HAVE_GETSEUSERBYNAME
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
@@ -272,7 +268,7 @@ sshd_selinux_getctxbyname(char *pwname,
if (r == 0) {
/* If launched from xinetd, we must use current level */
- if (inetd_flag) {
+ if (inetd) {
security_context_t sshdsc=NULL;
if (getcon_raw(&sshdsc) < 0)
@@ -333,7 +329,8 @@ sshd_selinux_getctxbyname(char *pwname,
/* Setup environment variables for pam_selinux */
static int
-sshd_selinux_setup_variables(int(*set_it)(char *, const char *))
+sshd_selinux_setup_variables(int(*set_it)(char *, const char *), int inetd,
+ Authctxt *the_authctxt)
{
const char *reqlvl;
char *role;
@@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it
debug3_f("setting execution context");
- ssh_selinux_get_role_level(&role, &reqlvl);
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
- if (inetd_flag) {
+ if (inetd) {
use_current = "1";
} else {
use_current = "";
@@ -362,9 +359,10 @@ sshd_selinux_setup_variables(int(*set_it
}
static int
-sshd_selinux_setup_pam_variables(void)
+sshd_selinux_setup_pam_variables(int inetd,
+ int(pam_setenv)(char *, const char *), Authctxt *the_authctxt)
{
- return sshd_selinux_setup_variables(do_pam_putenv);
+ return sshd_selinux_setup_variables(pam_setenv, inetd, the_authctxt);
}
static int
@@ -374,25 +372,28 @@ do_setenv(char *name, const char *value)
}
int
-sshd_selinux_setup_env_variables(void)
+sshd_selinux_setup_env_variables(int inetd, void *the_authctxt)
{
- return sshd_selinux_setup_variables(do_setenv);
+ Authctxt *authctxt = (Authctxt *) the_authctxt;
+ return sshd_selinux_setup_variables(do_setenv, inetd, authctxt);
}
/* Set the execution context to the default for the specified user */
void
-sshd_selinux_setup_exec_context(char *pwname)
+sshd_selinux_setup_exec_context(char *pwname, int inetd,
+ int(pam_setenv)(char *, const char *), void *the_authctxt, int use_pam)
{
security_context_t user_ctx = NULL;
int r = 0;
security_context_t default_ctx = NULL;
+ Authctxt *authctxt = (Authctxt *) the_authctxt;
if (!sshd_selinux_enabled())
return;
- if (options.use_pam) {
+ if (use_pam) {
/* do not compute context, just setup environment for pam_selinux */
- if (sshd_selinux_setup_pam_variables()) {
+ if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
switch (security_getenforce()) {
case -1:
fatal_f("security_getenforce() failed");
@@ -408,7 +409,7 @@ sshd_selinux_setup_exec_context(char *pw
debug3_f("setting execution context");
- r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
if (r >= 0) {
r = setexeccon(user_ctx);
if (r < 0) {
Index: openssh-9.3p2/platform.c
===================================================================
--- openssh-9.3p2.orig/platform.c
+++ openssh-9.3p2/platform.c
@@ -34,6 +34,8 @@
#include "openbsd-compat/openbsd-compat.h"
extern ServerOptions options;
+extern int inetd_flag;
+extern Authctxt *the_authctxt;
/* return 1 if we are running with privilege to swap UIDs, 0 otherwise */
int
@@ -185,7 +187,9 @@ platform_setusercontext_post_groups(stru
}
#endif /* HAVE_SETPCRED */
#ifdef WITH_SELINUX
- sshd_selinux_setup_exec_context(pw->pw_name);
+ sshd_selinux_setup_exec_context(pw->pw_name,
+ inetd_flag, do_pam_putenv, the_authctxt,
+ options.use_pam);
#endif
}
Index: openssh-9.3p2/sshd-session.c
===================================================================
--- openssh-9.3p2.orig/sshd-session.c
+++ openssh-9.3p2/sshd-session.c
@@ -166,7 +166,7 @@ int debug_flag = 0;
int debug_flag = 0;
/* Flag indicating that the daemon is being started from inetd. */
-static int inetd_flag = 0;
+int inetd_flag = 0;
/* debug goes to stderr unless inetd_flag is set */
static int log_stderr = 0;
@@ -2396,7 +2396,9 @@ main(int ac, char **av)
}
#endif
#ifdef WITH_SELINUX
- sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
+ sshd_selinux_setup_exec_context(authctxt->pw->pw_name,
+ inetd_flag, do_pam_putenv, the_authctxt,
+ options.use_pam);
#endif
#ifdef USE_PAM
if (options.use_pam) {
Index: openssh-9.3p2/sshconnect.c
===================================================================
--- openssh-9.3p2.orig/sshconnect.c
+++ openssh-9.3p2/sshconnect.c
@@ -893,7 +893,7 @@ load_hostkeys_command(struct hostkeys *h
if ((pid = subprocess(tag, command, ac, av, &f,
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_UNSAFE_PATH|
- SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL)) == 0)
+ SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL, 0, NULL)) == 0)
goto out;
load_hostkeys_file(hostkeys, hostfile_hostname, tag, f, 1);

View File

@ -0,0 +1,38 @@
# HG changeset patch
# Parent 8df645ca39d64de025d8838c5713812e72308c92
Correctly parse DISPLAY variable for cases where it contains an IPv6 address
(which should - but not always is - in (square) brackets).
bnc#847710 - https://bugzilla.novell.com/show_bug.cgi?id=847710
Index: openssh-8.8p1/channels.c
===================================================================
--- openssh-8.8p1.orig/channels.c
+++ openssh-8.8p1/channels.c
@@ -4776,9 +4776,10 @@ x11_connect_display(struct ssh *ssh)
/*
* Connect to an inet socket. The DISPLAY value is supposedly
* hostname:d[.s], where hostname may also be numeric IP address.
+ * Note that IPv6 numeric addresses contain colons (e.g. ::1:0)
*/
strlcpy(buf, display, sizeof(buf));
- cp = strchr(buf, ':');
+ cp = strrchr(buf, ':');
if (!cp) {
error("Could not find ':' in DISPLAY: %.100s", display);
return -1;
@@ -4793,6 +4794,14 @@ x11_connect_display(struct ssh *ssh)
display);
return -1;
}
+
+ /* Remove brackets surrounding IPv6 addresses if there are any. */
+ if (buf[0] == '[' && (cp = strchr(buf, ']'))) {
+ *cp = 0;
+ cp = buf + 1;
+ } else {
+ cp = buf;
+ }
/* Look up the host address */
memset(&hints, 0, sizeof(hints));

View File

@ -0,0 +1,47 @@
# HG changeset patch
# Parent d25c96855fd67e997e25ec1198d953af33eb289c
# enable trusted X11 forwarding by default in both sshd and sshsystem-wide
# configuration
# bnc#50836 (was suse #35836)
Enable Trusted X11 forwarding by default, since the security benefits of
having it disabled are negligible these days with XI2 being widely used.
Index: openssh-8.8p1/ssh_config
===================================================================
--- openssh-8.8p1.orig/ssh_config
+++ openssh-8.8p1/ssh_config
@@ -17,9 +17,20 @@
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
-# Host *
+Host *
# ForwardAgent no
# ForwardX11 no
+
+# If you do not trust your remote host (or its administrator), you
+# should not forward X11 connections to your local X11-display for
+# security reasons: Someone stealing the authentification data on the
+# remote side (the "spoofed" X-server by the remote sshd) can read your
+# keystrokes as you type, just like any other X11 client could do.
+# Set this to "no" here for global effect or in your own ~/.ssh/config
+# file if you want to have the remote X11 authentification data to
+# expire after twenty minutes after remote login.
+ ForwardX11Trusted yes
+
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
Index: openssh-8.8p1/sshd_config
===================================================================
--- openssh-8.8p1.orig/sshd_config
+++ openssh-8.8p1/sshd_config
@@ -84,7 +84,7 @@ AuthorizedKeysFile .ssh/authorized_keys
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
-#X11Forwarding no
+X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes

View File

@ -0,0 +1,23 @@
# HG changeset patch
# Parent 44592f09f090e74432f608084069d30d808fda69
Do not throw away already open sockets for X11 forwarding if another socket
family is not available for bind()
Index: openssh-8.8p1/channels.c
===================================================================
--- openssh-8.8p1.orig/channels.c
+++ openssh-8.8p1/channels.c
@@ -4607,6 +4607,13 @@ x11_create_display_inet(struct ssh *ssh,
debug2_f("bind port %d: %.100s", port,
strerror(errno));
close(sock);
+ /* do not remove successfully opened sockets if
+ * the request failed because the protocol
+ * IPv4/6 is not available (e.g. IPv6 may be
+ * disabled while being supported)
+ */
+ if (EADDRNOTAVAIL == errno)
+ continue;
for (n = 0; n < num_socks; n++)
close(socks[n]);
num_socks = 0;

View File

@ -0,0 +1,59 @@
# HG changeset patch
# Parent af43d436bc7fe818dd976c923ad99b89051eb299
Allow root login with password by default. While less secure than upstream
default of forbidding access to the root account with a password, we are
temporarily introducing this change to keep the default used in older OpenSSH
versions shipped with SLE.
Index: openssh-8.4p1/servconf.c
===================================================================
--- openssh-8.4p1.orig/servconf.c
+++ openssh-8.4p1/servconf.c
@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption
if (options->login_grace_time == -1)
options->login_grace_time = 120;
if (options->permit_root_login == PERMIT_NOT_SET)
- options->permit_root_login = PERMIT_NO_PASSWD;
+ options->permit_root_login = PERMIT_YES;
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
Index: openssh-8.4p1/sshd_config
===================================================================
--- openssh-8.4p1.orig/sshd_config
+++ openssh-8.4p1/sshd_config
@@ -29,7 +29,7 @@
# Authentication:
#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
+PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
Index: openssh-8.4p1/sshd_config.0
===================================================================
--- openssh-8.4p1.orig/sshd_config.0
+++ openssh-8.4p1/sshd_config.0
@@ -778,7 +778,7 @@ DESCRIPTION
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument
must be yes, prohibit-password, forced-commands-only, or no. The
- default is prohibit-password.
+ default is yes.
If this option is set to prohibit-password (or its deprecated
alias, without-password), password and keyboard-interactive
Index: openssh-8.4p1/sshd_config.5
===================================================================
--- openssh-8.4p1.orig/sshd_config.5
+++ openssh-8.4p1/sshd_config.5
@@ -1331,7 +1331,7 @@ The argument must be
or
.Cm no .
The default is
-.Cm prohibit-password .
+.Cm yes .
.Pp
If this option is set to
.Cm prohibit-password

View File

@ -0,0 +1,304 @@
# HG changeset patch
# Parent cc1022edba2c5eeb0facba08468f65afc2466b63
CAVS test for OpenSSH's own CTR encryption mode implementation
Index: openssh-8.8p1/Makefile.in
===================================================================
--- openssh-8.8p1.orig/Makefile.in
+++ openssh-8.8p1/Makefile.in
@@ -26,6 +26,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
SSHD_SESSION=$(libexecdir)/sshd-session
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
+CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
STRIP_OPT=@STRIP_OPT@
@@ -69,6 +70,8 @@ MKDIR_P=@MKDIR_P@
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
+TARGETS += cavstest-ctr$(EXEEXT)
+
XMSS_OBJS=\
ssh-xmss.o \
sshkey-xmss.o \
@@ -245,6 +248,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
+# FIPS tests
+cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
+ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
+
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
@@ -407,6 +414,7 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
Index: openssh-8.8p1/cavstest-ctr.c
===================================================================
--- /dev/null
+++ openssh-8.8p1/cavstest-ctr.c
@@ -0,0 +1,214 @@
+/*
+ *
+ * invocation (all of the following are equal):
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 00000000000000000000000000000000
+ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+
+#include "xmalloc.h"
+#include "log.h"
+#include "cipher.h"
+
+/* compatibility with old or broken OpenSSL versions */
+#include "openbsd-compat/openssl-compat.h"
+
+void
+usage(void)
+{
+ fprintf(stderr, "Usage: ctr-cavstest --algo <ssh-crypto-algorithm>\n"
+ " --key <hexadecimal-key> --mode <encrypt|decrypt>\n"
+ " [--iv <hexadecimal-iv>] --data <hexadecimal-data>\n\n"
+ "Hexadecimal output is printed to stdout.\n"
+ "Hexadecimal input data can be alternatively read from stdin.\n");
+ exit(1);
+}
+
+void *
+fromhex(char *hex, size_t * len)
+{
+ unsigned char *bin;
+ char *p;
+ size_t n = 0;
+ int shift = 4;
+ unsigned char out = 0;
+ unsigned char *optr;
+
+ bin = xmalloc(strlen(hex) / 2);
+ optr = bin;
+
+ for (p = hex; *p != '\0'; ++p) {
+ unsigned char c;
+
+ c = *p;
+ if (isspace(c))
+ continue;
+
+ if (c >= '0' && c <= '9') {
+ c = c - '0';
+ } else if (c >= 'A' && c <= 'F') {
+ c = c - 'A' + 10;
+ } else if (c >= 'a' && c <= 'f') {
+ c = c - 'a' + 10;
+ } else {
+ /* truncate on nonhex cipher */
+ break;
+ }
+
+ out |= c << shift;
+ shift = (shift + 4) % 8;
+
+ if (shift) {
+ *(optr++) = out;
+ out = 0;
+ ++n;
+ }
+ }
+
+ *len = n;
+ return bin;
+}
+
+#define READ_CHUNK 4096
+#define MAX_READ_SIZE 1024*1024*100
+char *
+read_stdin(void)
+{
+ char *buf;
+ size_t n, total = 0;
+
+ buf = xmalloc(READ_CHUNK);
+
+ do {
+ n = fread(buf + total, 1, READ_CHUNK, stdin);
+ if (n < READ_CHUNK) /* terminate on short read */
+ break;
+
+ total += n;
+ buf = xreallocarray(buf, total + READ_CHUNK, 1);
+ } while (total < MAX_READ_SIZE);
+ return buf;
+}
+
+int
+main(int argc, char *argv[])
+{
+
+ struct sshcipher *c;
+ struct sshcipher_ctx cc;
+ struct sshcipher_ctx *ccp;
+ char *algo = "aes128-ctr";
+ char *hexkey = NULL;
+ char *hexiv = "00000000000000000000000000000000";
+ char *hexdata = NULL;
+ char *p;
+ int i;
+ int encrypt = 1;
+ void *key;
+ size_t keylen;
+ void *iv;
+ size_t ivlen;
+ void *data;
+ size_t datalen;
+ void *outdata;
+
+ for (i = 1; i < argc; ++i) {
+ if (strcmp(argv[i], "--algo") == 0) {
+ algo = argv[++i];
+ } else if (strcmp(argv[i], "--key") == 0) {
+ hexkey = argv[++i];
+ } else if (strcmp(argv[i], "--mode") == 0) {
+ ++i;
+ if (argv[i] == NULL) {
+ usage();
+ }
+ if (strncmp(argv[i], "enc", 3) == 0) {
+ encrypt = 1;
+ } else if (strncmp(argv[i], "dec", 3) == 0) {
+ encrypt = 0;
+ } else {
+ usage();
+ }
+ } else if (strcmp(argv[i], "--iv") == 0) {
+ hexiv = argv[++i];
+ } else if (strcmp(argv[i], "--data") == 0) {
+ hexdata = argv[++i];
+ }
+ }
+
+ if (hexkey == NULL || algo == NULL) {
+ usage();
+ }
+
+ OpenSSL_add_all_algorithms();
+
+ c = cipher_by_name(algo);
+ if (c == NULL) {
+ fprintf(stderr, "Error: unknown algorithm\n");
+ return 2;
+ }
+
+ if (hexdata == NULL) {
+ hexdata = read_stdin();
+ } else {
+ hexdata = xstrdup(hexdata);
+ }
+
+ key = fromhex(hexkey, &keylen);
+
+ if (keylen != 16 && keylen != 24 && keylen == 32) {
+ fprintf(stderr, "Error: unsupported key length\n");
+ return 2;
+ }
+
+ iv = fromhex(hexiv, &ivlen);
+
+ if (ivlen != 16) {
+ fprintf(stderr, "Error: unsupported iv length\n");
+ return 2;
+ }
+
+ data = fromhex(hexdata, &datalen);
+
+ if (data == NULL || datalen == 0) {
+ fprintf(stderr, "Error: no data to encrypt/decrypt\n");
+ return 2;
+ }
+
+ ccp = &cc;
+ cipher_init(&ccp, c, key, keylen, iv, ivlen, encrypt);
+
+ free(key);
+ free(iv);
+
+ outdata = malloc(datalen);
+ if (outdata == NULL) {
+ fprintf(stderr, "Error: memory allocation failure\n");
+ return 2;
+ }
+
+ cipher_crypt(&cc, 0, outdata, data, datalen, 0, 0);
+
+ free(data);
+
+ cipher_free(&cc);
+
+ for (p = outdata; datalen > 0; ++p, --datalen) {
+ printf("%02X", (unsigned char) *p);
+ }
+
+ free(outdata);
+
+ printf("\n");
+ return 0;
+}
Index: openssh-8.8p1/cipher.c
===================================================================
--- openssh-8.8p1.orig/cipher.c
+++ openssh-8.8p1/cipher.c
@@ -58,15 +58,6 @@
#define EVP_CIPHER_CTX void
#endif
-struct sshcipher_ctx {
- int plaintext;
- int encrypt;
- EVP_CIPHER_CTX *evp;
- struct chachapoly_ctx *cp_ctx;
- struct aesctr_ctx ac_ctx; /* XXX union with evp? */
- const struct sshcipher *cipher;
-};
-
struct sshcipher {
char *name;
u_int block_size;
Index: openssh-8.8p1/cipher.h
===================================================================
--- openssh-8.8p1.orig/cipher.h
+++ openssh-8.8p1/cipher.h
@@ -48,7 +48,15 @@
#define CIPHER_DECRYPT 0
struct sshcipher;
-struct sshcipher_ctx;
+struct sshcipher_ctx {
+ int plaintext;
+ int encrypt;
+ EVP_CIPHER_CTX *evp;
+ struct chachapoly_ctx *cp_ctx; /* XXX union with evp? */
+ struct aesctr_ctx ac_ctx; /* XXX union with evp? */
+ const struct sshcipher *cipher;
+};
+
const struct sshcipher *cipher_by_name(const char *);
const char *cipher_warning_message(const struct sshcipher_ctx *);

View File

@ -0,0 +1,450 @@
# HG changeset patch
# Parent 1e1d5a2ab8bddfc800f570755f9ea1addcc878c1
CAVS test for KDF implementation in OpenSSH
Index: openssh-8.8p1/Makefile.in
===================================================================
--- openssh-8.8p1.orig/Makefile.in
+++ openssh-8.8p1/Makefile.in
@@ -27,6 +27,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
+CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
STRIP_OPT=@STRIP_OPT@
@@ -70,7 +71,7 @@ MKDIR_P=@MKDIR_P@
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
-TARGETS += cavstest-ctr$(EXEEXT)
+TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
XMSS_OBJS=\
ssh-xmss.o \
@@ -252,6 +253,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
+cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o
+ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
+
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
@@ -415,6 +419,7 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-kdf$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-kdf$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
Index: openssh-8.8p1/cavstest-kdf.c
===================================================================
--- /dev/null
+++ openssh-8.8p1/cavstest-kdf.c
@@ -0,0 +1,402 @@
+/*
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU General Public License, in which case the provisions of the GPL2
+ * are required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
+ * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ */
+
+#include "includes.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+
+#include "xmalloc.h"
+#include "ssherr.h"
+#include "sshbuf.h"
+#include "sshkey.h"
+#include "cipher.h"
+#include "kex.h"
+#include "packet.h"
+
+static int bin_char(unsigned char hex)
+{
+ if (48 <= hex && 57 >= hex)
+ return (hex - 48);
+ if (65 <= hex && 70 >= hex)
+ return (hex - 55);
+ if (97 <= hex && 102 >= hex)
+ return (hex - 87);
+ return 0;
+}
+
+/*
+ * Convert hex representation into binary string
+ * @hex input buffer with hex representation
+ * @hexlen length of hex
+ * @bin output buffer with binary data
+ * @binlen length of already allocated bin buffer (should be at least
+ * half of hexlen -- if not, only a fraction of hexlen is converted)
+ */
+static void hex2bin(const char *hex, size_t hexlen,
+ unsigned char *bin, size_t binlen)
+{
+ size_t i = 0;
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
+
+ for (i = 0; i < chars; i++) {
+ bin[i] = bin_char(hex[(i*2)]) << 4;
+ bin[i] |= bin_char(hex[((i*2)+1)]);
+ }
+}
+
+/*
+ * Allocate sufficient space for binary representation of hex
+ * and convert hex into bin
+ *
+ * Caller must free bin
+ * @hex input buffer with hex representation
+ * @hexlen length of hex
+ * @bin return value holding the pointer to the newly allocated buffer
+ * @binlen return value holding the allocated size of bin
+ *
+ * return: 0 on success, !0 otherwise
+ */
+static int hex2bin_alloc(const char *hex, size_t hexlen,
+ unsigned char **bin, size_t *binlen)
+{
+ unsigned char *out = NULL;
+ size_t outlen = 0;
+
+ if (!hexlen)
+ return -EINVAL;
+
+ outlen = (hexlen + 1) / 2;
+
+ out = calloc(1, outlen);
+ if (!out)
+ return -errno;
+
+ hex2bin(hex, hexlen, out, outlen);
+ *bin = out;
+ *binlen = outlen;
+ return 0;
+}
+
+static char hex_char_map_l[] = { '0', '1', '2', '3', '4', '5', '6', '7',
+ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
+static char hex_char_map_u[] = { '0', '1', '2', '3', '4', '5', '6', '7',
+ '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
+static char hex_char(unsigned int bin, int u)
+{
+ if (bin < sizeof(hex_char_map_l))
+ return (u) ? hex_char_map_u[bin] : hex_char_map_l[bin];
+ return 'X';
+}
+
+/*
+ * Convert binary string into hex representation
+ * @bin input buffer with binary data
+ * @binlen length of bin
+ * @hex output buffer to store hex data
+ * @hexlen length of already allocated hex buffer (should be at least
+ * twice binlen -- if not, only a fraction of binlen is converted)
+ * @u case of hex characters (0=>lower case, 1=>upper case)
+ */
+static void bin2hex(const unsigned char *bin, size_t binlen,
+ char *hex, size_t hexlen, int u)
+{
+ size_t i = 0;
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
+
+ for (i = 0; i < chars; i++) {
+ hex[(i*2)] = hex_char((bin[i] >> 4), u);
+ hex[((i*2)+1)] = hex_char((bin[i] & 0x0f), u);
+ }
+}
+
+struct kdf_cavs {
+ unsigned char *K;
+ size_t Klen;
+ unsigned char *H;
+ size_t Hlen;
+ unsigned char *session_id;
+ size_t session_id_len;
+
+ unsigned int iv_len;
+ unsigned int ek_len;
+ unsigned int ik_len;
+};
+
+#ifdef WITH_OPENSSL
+static int
+kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen,
+ const BIGNUM *secret)
+{
+ struct sshbuf *shared_secret;
+ int r;
+
+ if ((shared_secret = sshbuf_new()) == NULL)
+ return SSH_ERR_ALLOC_FAIL;
+ if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0)
+ r = kex_derive_keys(ssh, hash, hashlen, shared_secret);
+ sshbuf_free(shared_secret);
+ return r;
+}
+#endif
+
+static int sshkdf_cavs(struct kdf_cavs *test)
+{
+ int ret = 0;
+ struct kex kex;
+ BIGNUM *Kbn = NULL;
+ int mode = 0;
+ struct newkeys *keys_client;
+ struct newkeys *keys_server;
+ struct ssh *ssh = NULL;
+
+#define HEXOUTLEN 500
+ char hex[HEXOUTLEN];
+
+ memset(&kex, 0, sizeof(struct kex));
+
+ Kbn = BN_new();
+ BN_bin2bn(test->K, test->Klen, Kbn);
+ if (!Kbn) {
+ printf("cannot convert K into BIGNUM\n");
+ ret = 1;
+ goto out;
+ }
+
+ kex.session_id = sshbuf_new();
+ sshbuf_put(kex.session_id, test->session_id, test->session_id_len);
+
+ /* setup kex */
+
+ /* select the right hash based on struct ssh_digest digests */
+ switch (test->ik_len) {
+ case 20:
+ kex.hash_alg = 2;
+ break;
+ case 32:
+ kex.hash_alg = 3;
+ break;
+ case 48:
+ kex.hash_alg = 4;
+ break;
+ case 64:
+ kex.hash_alg = 5;
+ break;
+ default:
+ printf("Wrong hash type %u\n", test->ik_len);
+ ret = 1;
+ goto out;
+ }
+
+ /* implement choose_enc */
+ for (mode = 0; mode < 2; mode++) {
+ kex.newkeys[mode] = calloc(1, sizeof(struct newkeys));
+ if (!kex.newkeys[mode]) {
+ printf("allocation of newkeys failed\n");
+ ret = 1;
+ goto out;
+ }
+ kex.newkeys[mode]->enc.iv_len = test->iv_len;
+ kex.newkeys[mode]->enc.key_len = test->ek_len;
+ kex.newkeys[mode]->enc.block_size = (test->iv_len == 64) ? 8 : 16;
+ kex.newkeys[mode]->mac.key_len = test->ik_len;
+ }
+
+ /* implement kex_choose_conf */
+ kex.we_need = kex.newkeys[0]->enc.key_len;
+ if (kex.we_need < kex.newkeys[0]->enc.block_size)
+ kex.we_need = kex.newkeys[0]->enc.block_size;
+ if (kex.we_need < kex.newkeys[0]->enc.iv_len)
+ kex.we_need = kex.newkeys[0]->enc.iv_len;
+ if (kex.we_need < kex.newkeys[0]->mac.key_len)
+ kex.we_need = kex.newkeys[0]->mac.key_len;
+
+ /* MODE_OUT (1) -> server to client
+ * MODE_IN (0) -> client to server */
+ kex.server = 1;
+
+ /* do it */
+ if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL){
+ printf("Allocation error\n");
+ goto out;
+ }
+ ssh->kex = &kex;
+ kex_derive_keys_bn(ssh, test->H, test->Hlen, Kbn);
+
+ keys_client = kex.newkeys[0];
+ keys_server = kex.newkeys[1];
+
+ /* get data */
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(keys_client->enc.iv, (size_t)keys_client->enc.iv_len,
+ hex, HEXOUTLEN, 0);
+ printf("Initial IV (client to server) = %s\n", hex);
+
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(keys_server->enc.iv, (size_t)keys_server->enc.iv_len,
+ hex, HEXOUTLEN, 0);
+ printf("Initial IV (server to client) = %s\n", hex);
+
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(keys_client->enc.key, (size_t)keys_client->enc.key_len,
+ hex, HEXOUTLEN, 0);
+ printf("Encryption key (client to server) = %s\n", hex);
+
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(keys_server->enc.key, (size_t)keys_server->enc.key_len,
+ hex, HEXOUTLEN, 0);
+ printf("Encryption key (server to client) = %s\n", hex);
+
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(keys_client->mac.key, (size_t)keys_client->mac.key_len,
+ hex, HEXOUTLEN, 0);
+ printf("Integrity key (client to server) = %s\n", hex);
+
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(keys_server->mac.key, (size_t)keys_server->mac.key_len,
+ hex, HEXOUTLEN, 0);
+ printf("Integrity key (server to client) = %s\n", hex);
+
+out:
+ if (Kbn)
+ BN_free(Kbn);
+ if (ssh)
+ ssh_packet_close(ssh);
+ if (kex.newkeys[0])
+ free(kex.newkeys[0]);
+ if (kex.newkeys[1])
+ free(kex.newkeys[1]);
+ return ret;
+}
+
+static void usage(void)
+{
+ fprintf(stderr, "\nOpenSSH KDF CAVS Test\n\n");
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, "\t-K\tShared secret string\n");
+ fprintf(stderr, "\t-H\tHash string\n");
+ fprintf(stderr, "\t-s\tSession ID string\n");
+ fprintf(stderr, "\t-i\tIV length to be generated\n");
+ fprintf(stderr, "\t-e\tEncryption key length to be generated\n");
+ fprintf(stderr, "\t-m\tMAC key length to be generated\n");
+}
+
+/*
+ * Test command example:
+ * ./ssh-cavs -K 0055d50f2d163cc07cd8a93cc7c3430c30ce786b572c01ad29fec7597000cf8618d664e2ec3dcbc8bb7a1a7eb7ef67f61cdaf291625da879186ac0a5cb27af571b59612d6a6e0627344d846271959fda61c78354aa498773d59762f8ca2d0215ec590d8633de921f920d41e47b3de6ab9a3d0869e1c826d0e4adebf8e3fb646a15dea20a410b44e969f4b791ed6a67f13f1b74234004d5fa5e87eff7abc32d49bbdf44d7b0107e8f10609233b7e2b7eff74a4daf25641de7553975dac6ac1e5117df6f6dbaa1c263d23a6c3e5a3d7d49ae8a828c1e333ac3f85fbbf57b5c1a45be45e43a7be1a4707eac779b8285522d1f531fe23f890fd38a004339932b93eda4 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
+ *
+ * Expected result for example:
+ * Initial IV (client to server) = 4bb320d1679dfd3a
+ * Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
+ * Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
+ * Initial IV (server to client) = 43dea6fdf263a308
+ * Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
+ * Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
+ */
+int main(int argc, char *argv[])
+{
+ struct kdf_cavs test;
+ int ret = 1;
+ int opt = 0;
+
+ memset(&test, 0, sizeof(struct kdf_cavs));
+ while((opt = getopt(argc, argv, "K:H:s:i:e:m:")) != -1)
+ {
+ size_t len = 0;
+ switch(opt)
+ {
+ /*
+ * CAVS K is MPINT
+ * we want a hex (i.e. the caller must ensure the
+ * following transformations already happened):
+ * 1. cut off first four bytes
+ * 2. if most significant bit of value is
+ * 1, prepend 0 byte
+ */
+ case 'K':
+ len = strlen(optarg);
+ ret = hex2bin_alloc(optarg, len,
+ &test.K, &test.Klen);
+ if (ret)
+ goto out;
+ break;
+ case 'H':
+ len = strlen(optarg);
+ ret = hex2bin_alloc(optarg, len,
+ &test.H, &test.Hlen);
+ if (ret)
+ goto out;
+ break;
+ case 's':
+ len = strlen(optarg);
+ ret = hex2bin_alloc(optarg, len,
+ &test.session_id,
+ &test.session_id_len);
+ if (ret)
+ goto out;
+ break;
+ case 'i':
+ test.iv_len = strtoul(optarg, NULL, 10);
+ break;
+ case 'e':
+ test.ek_len = strtoul(optarg, NULL, 10);
+ break;
+ case 'm':
+ test.ik_len = strtoul(optarg, NULL, 10);
+ break;
+ default:
+ usage();
+ goto out;
+ }
+ }
+
+ ret = sshkdf_cavs(&test);
+
+out:
+ if (test.session_id)
+ free(test.session_id);
+ if (test.K)
+ free(test.K);
+ if (test.H)
+ free(test.H);
+ return ret;
+
+}

View File

@ -0,0 +1,48 @@
# HG changeset patch
# Parent b13da8c3e99081cb92ab226d2c512241a82cd0d5
disable run-time check for OpenSSL ABI by version number as that is not a
reliable indicator of ABI changes and doesn't make much sense in a
distribution package
Index: openssh-8.8p1/configure.ac
===================================================================
--- openssh-8.8p1.orig/configure.ac
+++ openssh-8.8p1/configure.ac
@@ -5236,6 +5236,19 @@ AC_ARG_WITH([bsd-auth],
]
)
+# Whether we are using distribution (Open)SSL, so no runtime checks are necessary
+DISTRO_SSL=no
+AC_ARG_WITH([distro-ssl],
+ [ --with-distro-ssl Disable runtime OpenSSL version checks (good for distributions)],
+ [
+ if test "x$withval" != "xno" ; then
+ AC_DEFINE([DISTRO_SSL], [1],
+ [Define if you are using distribution SSL library and don;t expect its API/ABI to change])
+ DISTRO_SSL=yes
+ fi
+ ]
+)
+
# Where to place sshd.pid
piddir=/var/run
# make sure the directory exists
Index: openssh-8.8p1/entropy.c
===================================================================
--- openssh-8.8p1.orig/entropy.c
+++ openssh-8.8p1/entropy.c
@@ -100,11 +100,13 @@ seed_rng(void)
/* Initialise libcrypto */
ssh_libcrypto_init();
+#ifndef DISTRO_SSL
if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER,
OpenSSL_version_num()))
fatal("OpenSSL version mismatch. Built against %lx, you "
"have %lx", (u_long)OPENSSL_VERSION_NUMBER,
OpenSSL_version_num());
+#endif
#ifndef OPENSSL_PRNG_ONLY
if (RAND_status() == 1)

18
openssh-7.7p1-eal3.patch Normal file
View File

@ -0,0 +1,18 @@
# HG changeset patch
# Parent 8fd4e445c3a5c823568661a4f71b064cbcb217a9
fix paths and references in sshd man pages
Index: openssh-8.8p1/Makefile.in
===================================================================
--- openssh-8.8p1.orig/Makefile.in
+++ openssh-8.8p1/Makefile.in
@@ -165,7 +165,8 @@ PATHSUBS = \
-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
-e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \
-e 's|/usr/libexec|$(libexecdir)|g' \
- -e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \
+ -e 's|login\.conf|login.defs|g' \
+ -e 's|/etc/shosts.equiv|$(sysconfdir)/ssh/shosts.equiv|g' \
-e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \
-e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \
-e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \

View File

@ -0,0 +1,19 @@
# HG changeset patch
# Parent 5c1e122e31b601de64d81085294216af33f31aed
# force PAM in defaullt install (this was removed from upstream in 3.8p1)
# bnc#46749
# --used to be called '-pam-fix2'
Index: openssh-8.8p1/sshd_config
===================================================================
--- openssh-8.8p1.orig/sshd_config
+++ openssh-8.8p1/sshd_config
@@ -79,7 +79,7 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
-#UsePAM no
+UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes

808
openssh-7.7p1-fips.patch Normal file
View File

@ -0,0 +1,808 @@
# HG changeset patch
# Parent 92d953171b34f6fba18d24085eeeaa24b1d2d5b5
FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
algorithms.
Index: openssh-9.6p1/Makefile.in
===================================================================
--- openssh-9.6p1.orig/Makefile.in
+++ openssh-9.6p1/Makefile.in
@@ -115,6 +115,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
SKOBJS= ssh-sk-client.o
+LIBSSH_OBJS += fips.o
+
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect2.o mux.o $(SKOBJS)
Index: openssh-9.6p1/cipher.c
===================================================================
--- openssh-9.6p1.orig/cipher.c
+++ openssh-9.6p1/cipher.c
@@ -51,6 +51,9 @@
#include "openbsd-compat/openssl-compat.h"
+#include "fips.h"
+#include "log.h"
+
#ifndef WITH_OPENSSL
#define EVP_CIPHER_CTX void
#endif
@@ -83,7 +86,7 @@ struct sshcipher {
#endif
};
-static const struct sshcipher ciphers[] = {
+static const struct sshcipher ciphers_all[] = {
#ifdef WITH_OPENSSL
#ifndef OPENSSL_NO_DES
{ "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
@@ -110,8 +113,50 @@ static const struct sshcipher ciphers[]
{ NULL, 0, 0, 0, 0, 0, NULL }
};
+static const struct sshcipher ciphers_fips140_2[] = {
+#ifdef WITH_OPENSSL
+ { "aes128-cbc", 16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc },
+ { "aes192-cbc", 16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc },
+ { "aes256-cbc", 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
+ { "rijndael-cbc@lysator.liu.se",
+ 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
+ { "aes128-ctr", 16, 16, 0, 0, 0, EVP_aes_128_ctr },
+ { "aes192-ctr", 16, 24, 0, 0, 0, EVP_aes_192_ctr },
+ { "aes256-ctr", 16, 32, 0, 0, 0, EVP_aes_256_ctr },
+ { "aes128-gcm@openssh.com",
+ 16, 16, 12, 16, 0, EVP_aes_128_gcm },
+ { "aes256-gcm@openssh.com",
+ 16, 32, 12, 16, 0, EVP_aes_256_gcm },
+#else
+ { "aes128-ctr", 16, 16, 0, 0, CFLAG_AESCTR, NULL },
+ { "aes192-ctr", 16, 24, 0, 0, CFLAG_AESCTR, NULL },
+ { "aes256-ctr", 16, 32, 0, 0, CFLAG_AESCTR, NULL },
+#endif
+ { "none", 8, 0, 0, 0, CFLAG_NONE, NULL },
+
+ { NULL, 0, 0, 0, 0, 0, NULL }
+};
+
/*--*/
+/* Returns array of ciphers available depending on selected FIPS mode */
+static const struct sshcipher *
+fips_select_ciphers(void)
+{
+ int fips = fips_mode();
+ switch (fips) {
+ case 0:
+ return ciphers_all;
+ case 1:
+ return ciphers_fips140_2;
+ default:
+ /* should not be reached */
+ fatal("Fatal error: incorrect FIPS mode '%i' at %s:%u",
+ fips, __FILE__, __LINE__);
+ return NULL;
+ }
+}
+
/* Returns a comma-separated list of supported ciphers. */
char *
cipher_alg_list(char sep, int auth_only)
@@ -120,7 +167,7 @@ cipher_alg_list(char sep, int auth_only)
size_t nlen, rlen = 0;
const struct sshcipher *c;
- for (c = ciphers; c->name != NULL; c++) {
+ for (c = fips_select_ciphers(); c->name != NULL; c++) {
if ((c->flags & CFLAG_INTERNAL) != 0)
continue;
if (auth_only && c->auth_len == 0)
@@ -203,7 +250,7 @@ const struct sshcipher *
cipher_by_name(const char *name)
{
const struct sshcipher *c;
- for (c = ciphers; c->name != NULL; c++)
+ for (c = fips_select_ciphers(); c->name != NULL; c++)
if (strcmp(c->name, name) == 0)
return c;
return NULL;
Index: openssh-9.6p1/fips.c
===================================================================
--- /dev/null
+++ openssh-9.6p1/fips.c
@@ -0,0 +1,212 @@
+/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#include "fips.h"
+
+#include "cipher.h"
+#include "dh.h"
+#include "digest.h"
+#include "kex.h"
+#include "sshkey.h"
+#include "mac.h"
+#include "log.h"
+#include "xmalloc.h"
+
+#include <string.h>
+#include <openssl/crypto.h>
+
+static int fips_state = -1;
+
+static int
+fips_check_required_env(void)
+{
+ int fips_required = 0;
+ char *env = getenv(SSH_FORCE_FIPS_ENV);
+
+ if (env) {
+ errno = 0;
+ fips_required = strtol(env, NULL, 10);
+ if (errno) {
+ debug("bogus value in the %s environment variable, ignoring\n"
+ , SSH_FORCE_FIPS_ENV);
+ fips_required = 0;
+ } else
+ fips_required = 1;
+ }
+ return fips_required;
+}
+
+int
+fips_mode(void)
+{
+ if (-1 == fips_state) {
+ fips_state = FIPS_mode();
+ if (fips_state)
+ debug("FIPS mode initialized");
+ else {
+ if (fips_check_required_env()) {
+ debug("FIPS mode requested through the environment variable '%s'"
+ , SSH_FORCE_FIPS_ENV);
+ if (!FIPS_mode_set(1))
+ fatal("Unable to enter FIPS mode as requested through the environment variable '%s'"
+ , SSH_FORCE_FIPS_ENV);
+ fips_state = 1;
+ }
+ }
+ }
+ return fips_state;
+}
+
+int
+fips_correct_dgst(int digest)
+{
+ int fips;
+ int rv = -1;
+
+ fips = fips_mode();
+ switch (fips) {
+ case 0:
+ rv = digest;
+ break;
+ case 1:
+ switch (digest) {
+ case SSH_DIGEST_MD5:
+ case SSH_DIGEST_SHA1:
+ debug("MD5/RIPEMD160 digests not allowed in FIPS 140-2 mode"
+ "using SHA-256 instead.");
+ rv = SSH_DIGEST_SHA256;
+ break;
+ default:
+ rv = digest;
+ break;
+ }
+ break;
+ default:
+ /* should not be reached */
+ fatal("Fatal error: incorrect FIPS mode '%i' at %s:%u",
+ fips, __FILE__, __LINE__);
+ }
+
+ return rv;
+}
+
+/*
+ * filter out FIPS disallowed algorithms
+ * *crypto MUST be free()-able - it is assigned newly allocated memory and
+ * the previous one is freed
+ *
+ * returns zero if all algorithms were rejected, non-zero otherwise
+ */
+int
+fips_filter_crypto(char **crypto, fips_filters filter)
+{
+ char *token, *tmp, *tmp_sav, *new;
+ int plus = 0;
+ int valid;
+ int comma = 0;
+ int empty = 1;
+ size_t len;
+
+ tmp = tmp_sav = xstrdup(*crypto);
+
+ len = strlen(tmp) + 1;
+ new = xcalloc(1, len);
+
+ if ('+' == *tmp) {
+ plus = 1;
+ tmp++;
+ }
+
+ while ((token = strsep(&tmp, ",")) != NULL) {
+ switch(filter) {
+ case FIPS_FILTER_CIPHERS:
+ valid = ciphers_valid(token);
+ if (!valid)
+ debug("Cipher '%s' is not allowed in FIPS mode",
+ token);
+ break;
+ case FIPS_FILTER_MACS:
+ valid = mac_valid(token);
+ if (!valid)
+ debug("MAC '%s' is not allowed in FIPS mode",
+ token);
+ break;
+ case FIPS_FILTER_KEX_ALGS:
+ valid = kex_names_valid(token);
+ if (!valid)
+ debug("KEX '%s' is not allowed in FIPS mode",
+ token);
+ break;
+ default:
+ /* should not be reached */
+ fatal("Fatal error: incorrect FIPS filter '%i' requested at %s:%u",
+ filter, __FILE__, __LINE__);
+ }
+
+ if (valid) {
+ empty = 0;
+ if (plus) {
+ strlcat(new, "+", len);
+ plus = 0;
+ }
+ if (comma)
+ strlcat(new, ",", len);
+ else
+ comma = 1;
+ strlcat(new, token, len);
+ }
+ }
+
+ /* free tmp and re-allocate shorter buffer for result if necessary */
+ free(tmp_sav);
+ free(*crypto);
+ *crypto = new;
+
+ return (!empty);
+}
+
+int
+fips_dgst_min(void)
+{
+ int fips;
+ int dgst;
+
+ fips = fips_mode();
+ switch (fips) {
+ case 0:
+ dgst = SSH_DIGEST_MD5;
+ break;
+ case 1:
+ dgst = SSH_DIGEST_SHA256;
+ break;
+ default:
+ /* should not be reached */
+ fatal("Fatal error: incorrect FIPS mode '%i' at %s:%u",
+ fips, __FILE__, __LINE__);
+ }
+ return dgst;
+}
+
Index: openssh-9.6p1/fips.h
===================================================================
--- /dev/null
+++ openssh-9.6p1/fips.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef FIPS_H
+#define FIPS_H
+
+#include "sshkey.h"
+
+#define SSH_FORCE_FIPS_ENV "SSH_FORCE_FIPS"
+
+typedef enum {
+ FIPS_FILTER_CIPHERS,
+ FIPS_FILTER_MACS,
+ FIPS_FILTER_KEX_ALGS
+} fips_filters;
+
+int fips_mode(void);
+int fips_correct_dgst(int);
+int fips_dgst_min(void);
+enum fp_type fips_correct_fp_type(enum fp_type);
+int fips_filter_crypto(char **, fips_filters);
+
+#endif
+
Index: openssh-9.6p1/hmac.c
===================================================================
--- openssh-9.6p1.orig/hmac.c
+++ openssh-9.6p1/hmac.c
@@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void *
size_t i;
u_char digest[16];
- if ((ctx = ssh_hmac_start(SSH_DIGEST_MD5)) == NULL)
+ if ((ctx = ssh_hmac_start(fips_correct_dgst(SSH_DIGEST_MD5))) == NULL)
printf("ssh_hmac_start failed");
if (ssh_hmac_init(ctx, key, klen) < 0 ||
ssh_hmac_update(ctx, m, mlen) < 0 ||
Index: openssh-9.6p1/kex.c
===================================================================
--- openssh-9.6p1.orig/kex-names.c
+++ openssh-9.6p1/kex-names.c
@@ -64,6 +64,8 @@
#include "ssherr.h"
#include "xmalloc.h"
+#include "fips.h"
+
struct kexalg {
char *name;
u_int type;
@@ -87,7 +89,7 @@ struct kexalg {
int ec_nid;
int hash_alg;
};
-static const struct kexalg kexalgs[] = {
+static const struct kexalg kexalgs_all[] = {
#ifdef WITH_OPENSSL
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
@@ -120,6 +122,47 @@ static const struct kexalg kexalgs[] = {
{ NULL, 0, -1, -1},
};
+static const struct kexalg kexalgs_fips140_2[] = {
+#ifdef WITH_OPENSSL
+ { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
+ { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
+ { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
+ { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
+ { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
+#ifdef HAVE_EVP_SHA256
+ { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
+#endif /* HAVE_EVP_SHA256 */
+#ifdef OPENSSL_HAS_ECC
+ { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
+ NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
+ { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
+ SSH_DIGEST_SHA384 },
+# ifdef OPENSSL_HAS_NISTP521
+ { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
+ SSH_DIGEST_SHA512 },
+# endif /* OPENSSL_HAS_NISTP521 */
+#endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+ { NULL, -1, -1, -1},
+};
+
+/* Returns array of macs available depending on selected FIPS mode */
+static const struct kexalg *
+fips_select_kexalgs(void)
+{
+ int fips = fips_mode();
+ switch (fips) {
+ case 0:
+ return kexalgs_all;
+ case 1:
+ return kexalgs_fips140_2;
+ default:
+ /* should not be reached */
+ fatal("Fatal error: incorrect FIPS mode '%i' at %s:%u",
+ fips, __FILE__, __LINE__);
+ }
+}
+
char *
kex_alg_list(char sep)
{
@@ -127,7 +170,7 @@ kex_alg_list(char sep)
size_t nlen, rlen = 0;
const struct kexalg *k;
- for (k = kexalgs; k->name != NULL; k++) {
+ for (k = fips_select_kexalgs(); k->name != NULL; k++) {
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(k->name);
@@ -147,7 +190,7 @@ kex_alg_by_name(const char *name)
{
const struct kexalg *k;
- for (k = kexalgs; k->name != NULL; k++) {
+ for (k = fips_select_kexalgs(); k->name != NULL; k++) {
if (strcmp(k->name, name) == 0)
return k;
}
@@ -167,7 +210,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) {
+ /* do not complain here - MACs and ciphers checks
+ * are silent here
error("Unsupported KEX algorithm \"%.100s\"", p);
+ */
free(s);
return 0;
}
Index: openssh-9.6p1/mac.c
===================================================================
--- openssh-9.6p1.orig/mac.c
+++ openssh-9.6p1/mac.c
@@ -41,6 +41,9 @@
#include "openbsd-compat/openssl-compat.h"
+#include "fips.h"
+#include "log.h"
+
#define SSH_DIGEST 1 /* SSH_DIGEST_XXX */
#define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */
#define SSH_UMAC128 3
@@ -55,7 +58,7 @@ struct macalg {
int etm; /* Encrypt-then-MAC */
};
-static const struct macalg macs[] = {
+static const struct macalg macs_all[] = {
/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
{ "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
{ "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
@@ -79,6 +82,41 @@ static const struct macalg macs[] = {
{ NULL, 0, 0, 0, 0, 0, 0 }
};
+static const struct macalg macs_fips140_2[] = {
+ /* Encrypt-and-MAC (encrypt-and-authenticate) variants */
+ { "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
+#ifdef HAVE_EVP_SHA256
+ { "hmac-sha2-256", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 0 },
+ { "hmac-sha2-512", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 0 },
+#endif
+
+ /* Encrypt-then-MAC variants */
+ { "hmac-sha1-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 1 },
+#ifdef HAVE_EVP_SHA256
+ { "hmac-sha2-256-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 1 },
+ { "hmac-sha2-512-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 1 },
+#endif
+
+ { NULL, 0, 0, 0, 0, 0, 0 }
+};
+
+/* Returns array of macs available depending on selected FIPS mode */
+static const struct macalg *
+fips_select_macs(void)
+{
+ int fips = fips_mode();
+ switch (fips) {
+ case 0:
+ return macs_all;
+ case 1:
+ return macs_fips140_2;
+ default:
+ /* should not be reached */
+ fatal("Fatal error: incorrect FIPS mode '%i' at %s:%u",
+ fips, __FILE__, __LINE__);
+ }
+}
+
/* Returns a list of supported MACs separated by the specified char. */
char *
mac_alg_list(char sep)
@@ -87,7 +125,7 @@ mac_alg_list(char sep)
size_t nlen, rlen = 0;
const struct macalg *m;
- for (m = macs; m->name != NULL; m++) {
+ for (m = fips_select_macs(); m->name != NULL; m++) {
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(m->name);
@@ -126,7 +164,7 @@ mac_setup(struct sshmac *mac, char *name
{
const struct macalg *m;
- for (m = macs; m->name != NULL; m++) {
+ for (m = fips_select_macs(); m->name != NULL; m++) {
if (strcmp(name, m->name) != 0)
continue;
if (mac != NULL)
Index: openssh-9.6p1/readconf.c
===================================================================
--- openssh-9.6p1.orig/readconf.c
+++ openssh-9.6p1/readconf.c
@@ -71,6 +71,8 @@
#include "myproposal.h"
#include "digest.h"
+#include "fips.h"
+
/* Format of the configuration file:
# Configuration data is parsed as follows:
@@ -2478,6 +2480,23 @@ config_has_permitted_cnames(Options *opt
return options->num_permitted_cnames > 0;
}
+/* remove algorithms not approved for use in FIPS mode, when running in FIPS
+ * mode
+ */
+void
+filter_fips_algorithms(Options *o)
+{
+ if (fips_mode()) {
+ if (!fips_filter_crypto(&o->ciphers, FIPS_FILTER_CIPHERS))
+ fatal("None of selected ciphers can be used in FIPS mode");
+ if (!fips_filter_crypto(&o->macs, FIPS_FILTER_MACS))
+ fatal("None of selected MAC algorithms can be used in FIPS mode");
+ if (!fips_filter_crypto(&o->kex_algorithms, FIPS_FILTER_KEX_ALGS))
+ fatal("None of selected KEX algorithms can be used in FIPS mode");
+ }
+ return;
+}
+
/*
* Initializes options to special values that indicate that they have not yet
* been set. Read_config_file will only set options with this value. Options
@@ -2796,6 +2815,9 @@ fill_default_options(Options * options)
options->canonicalize_hostname = SSH_CANONICALISE_NO;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+ options->fingerprint_hash =
+ fips_correct_dgst(options->fingerprint_hash);
+
#ifdef ENABLE_SK_INTERNAL
if (options->sk_provider == NULL)
options->sk_provider = xstrdup("internal");
@@ -2840,6 +2862,8 @@ fill_default_options(Options * options)
ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
#undef ASSEMBLE
+ filter_fips_algorithms(options);
+
#define CLEAR_ON_NONE(v) \
do { \
if (option_clear_or_none(v)) { \
Index: openssh-9.6p1/readconf.h
===================================================================
--- openssh-9.6p1.orig/readconf.h
+++ openssh-9.6p1/readconf.h
@@ -231,6 +231,7 @@ typedef struct {
#define SSH_KEYSTROKE_CHAFF_MIN_MS 1024
#define SSH_KEYSTROKE_CHAFF_RNG_MS 2048
+void filter_fips_algorithms(Options *o);
const char *kex_default_pk_alg(void);
char *ssh_connection_hash(const char *thishost, const char *host,
const char *portstr, const char *user, const char *jump_host);
Index: openssh-9.6p1/servconf.c
===================================================================
--- openssh-9.6p1.orig/servconf.c
+++ openssh-9.6p1/servconf.c
@@ -68,6 +68,7 @@
#include "auth.h"
#include "myproposal.h"
#include "digest.h"
+#include "fips.h"
#if !defined(SSHD_PAM_SERVICE)
# define SSHD_PAM_SERVICE "sshd"
@@ -207,6 +208,23 @@ option_clear_or_none(const char *o)
return o == NULL || strcasecmp(o, "none") == 0;
}
+/* remove algorithms not approved for use in FIPS mode, when running in FIPS
+ * mode
+ */
+static void
+filter_fips_algorithms_s(ServerOptions *o)
+{
+ if (fips_mode()) {
+ if (!fips_filter_crypto(&o->ciphers, FIPS_FILTER_CIPHERS))
+ fatal("None of selected ciphers can be used in FIPS mode");
+ if (!fips_filter_crypto(&o->macs, FIPS_FILTER_MACS))
+ fatal("None of selected MAC algorithms can be used in FIPS mode");
+ if (!fips_filter_crypto(&o->kex_algorithms, FIPS_FILTER_KEX_ALGS))
+ fatal("None of selected KEX algorithms can be used in FIPS mode");
+ }
+ return;
+}
+
static void
assemble_algorithms(ServerOptions *o)
{
@@ -248,6 +266,8 @@ assemble_algorithms(ServerOptions *o)
free(def_kex);
free(def_key);
free(def_sig);
+
+ filter_fips_algorithms_s(o);
}
void
@@ -440,6 +460,8 @@ fill_default_server_options(ServerOption
options->fwd_opts.streamlocal_bind_unlink = 0;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+ options->fingerprint_hash =
+ fips_correct_dgst(options->fingerprint_hash);
if (options->disable_forwarding == -1)
options->disable_forwarding = 0;
if (options->expose_userauth_info == -1)
Index: openssh-9.6p1/ssh-keygen.c
===================================================================
--- openssh-9.6p1.orig/ssh-keygen.c
+++ openssh-9.6p1/ssh-keygen.c
@@ -18,6 +18,8 @@
#include <sys/socket.h>
#include <sys/stat.h>
+#include "fips.h"
+
#ifdef WITH_OPENSSL
#include <openssl/evp.h>
#include <openssl/pem.h>
@@ -1040,11 +1042,13 @@ do_fingerprint(struct passwd *pw)
static void
do_gen_all_hostkeys(struct passwd *pw)
{
- struct {
+ struct Key_types {
char *key_type;
char *key_type_display;
char *path;
- } key_types[] = {
+ };
+
+ struct Key_types key_types_all[] = {
#ifdef WITH_OPENSSL
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
#ifdef OPENSSL_HAS_ECC
@@ -1058,6 +1062,17 @@ do_gen_all_hostkeys(struct passwd *pw)
{ NULL, NULL, NULL }
};
+ struct Key_types key_types_fips140_2[] = {
+#ifdef WITH_OPENSSL
+ { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
+#ifdef OPENSSL_HAS_ECC
+ { "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
+#endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+ { NULL, NULL, NULL }
+ };
+
+ struct Key_types *key_types;
u_int32_t bits = 0;
int first = 0;
struct stat st;
@@ -1065,6 +1080,12 @@ do_gen_all_hostkeys(struct passwd *pw)
char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file;
int i, type, fd, r;
+ if (fips_mode()) {
+ key_types = key_types_fips140_2;
+ } else {
+ key_types = key_types_all;
+ }
+
for (i = 0; key_types[i].key_type; i++) {
public = private = NULL;
prv_tmp = pub_tmp = prv_file = pub_file = NULL;
@@ -3794,6 +3815,15 @@ main(int argc, char **argv)
key_type_name = DEFAULT_KEY_TYPE_NAME;
type = sshkey_type_from_name(key_type_name);
+
+ /* protocol v1 is not allowed in FIPS mode, DSA is not acceptable because
+ * it has to be 1024 bit due to RFC 4253 using SHA-1 which implies 1024 bit
+ * keys due to FIPS-186 specification for DSS */
+ if (fips_mode() &&
+ (type == KEY_DSA || type == KEY_ED25519 ||
+ type == KEY_DSA_CERT || type == KEY_ED25519_CERT))
+ fatal("Key type %s not alowed in FIPS mode", key_type_name);
+
type_bits_valid(type, key_type_name, &bits);
if (!quiet)
Index: openssh-9.6p1/ssh_config.5
===================================================================
--- openssh-9.6p1.orig/ssh_config.5
+++ openssh-9.6p1/ssh_config.5
@@ -831,6 +831,8 @@ The argument to this keyword must be
option) or
.Cm no
(the default).
+.Pp
+In the FIPS mode the minimum of SHA-1 is enforced (which means sha256).
.It Cm ForwardAgent
Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote machine.
Index: openssh-9.6p1/sshd.c
===================================================================
--- openssh-9.6p1.orig/sshd.c
+++ openssh-9.6p1/sshd.c
@@ -128,6 +128,8 @@
#include "addr.h"
#include "srclimit.h"
+#include "fips.h"
+
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
Index: openssh-9.6p1/sshd_config.5
===================================================================
--- openssh-9.6p1.orig/sshd_config.5
+++ openssh-9.6p1/sshd_config.5
@@ -681,6 +681,8 @@ and
.Cm sha256 .
The default is
.Cm sha256 .
+.Pp
+In the FIPS mode the minimum of SHA-1 is enforced (which means sha256).
.It Cm ForceCommand
Forces the execution of the command specified by
.Cm ForceCommand ,

View File

@ -0,0 +1,471 @@
# HG changeset patch
# Parent e9b69da9a0f8dca923f8fc2836b38fe6590c791a
#
# Simple implementation of FIPS 140-2 selfchecks. Use OpenSSL to generate and
# verify checksums of binaries. Any hash iused in OpenSSH can be used (MD5 would
# obviously be a poor choice, since OpenSSL would barf and abort immediately in
# FIPS mode). SHA-2 seems to be a reasonable choice.
#
# The logic of the checks is as follows: decide whether FIPS mode is mandated
# (either by checking /proc/sys/crypto/fips_enabled or environment variable
# SSH_FORCE_FIPS. In FIPS mode, checksums are required to match (inability to
# retrieve pre-calculated hash is a fatal error). In non-FIPS mode the checks
# still must be performed, unless the hashes are not installed. Thus if the hash
# file is not found (or the hash matches), proceed in non-FIPS mode and abort
# otherwise.
Index: openssh-8.8p1/fips-check.c
===================================================================
--- /dev/null
+++ openssh-8.8p1/fips-check.c
@@ -0,0 +1,34 @@
+#include "includes.h"
+#include <fcntl.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include "digest.h"
+#include "fips.h"
+
+#include <openssl/err.h>
+
+#define PROC_NAME_LEN 64
+
+static const char *argv0;
+
+void
+print_help_exit(int ev)
+{
+ fprintf(stderr, "%s <-c|-w> <file> <checksum_file>\n", argv0);
+ fprintf(stderr, " -c verify hash of 'file' against hash in 'checksum_file'\n");
+ fprintf(stderr, " -w write hash of 'file' into 'checksum_file'\n");
+ exit(ev);
+}
+
+int
+main(int argc, char **argv)
+{
+ fips_ssh_init();
+ return 0;
+}
Index: openssh-8.8p1/fips.c
===================================================================
--- openssh-8.8p1.orig/fips.c
+++ openssh-8.8p1/fips.c
@@ -35,30 +35,293 @@
#include "log.h"
#include "xmalloc.h"
+#include <errno.h>
+#include <fcntl.h>
#include <string.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/hmac.h>
static int fips_state = -1;
+/* calculates HMAC of contents of a file given by filename using the hash
+ * algorithm specified by FIPS_HMAC_EVP in fips.h and placing the result into
+ * newly allacated memory - remember to free it when not needed anymore */
static int
-fips_check_required_env(void)
+hmac_file(const char *filename, u_char **hmac_out)
+{
+ int check = -1;
+ int fd;
+ struct stat fs;
+ void *hmap;
+ unsigned char *hmac;
+ unsigned char *hmac_rv = NULL;
+
+ hmac = xmalloc(FIPS_HMAC_LEN);
+
+ fd = open(filename, O_RDONLY);
+ if (-1 == fd)
+ goto bail_out;
+
+ if (-1 == fstat(fd, &fs))
+ goto bail_out;
+
+ hmap = mmap(NULL, fs.st_size, PROT_READ, MAP_SHARED, fd, 0);
+
+ if ((void *)(-1) != hmap) {
+ hmac_rv = HMAC(FIPS_HMAC_EVP(), FIPS_HMAC_KEY
+ , strlen(FIPS_HMAC_KEY), hmap, fs.st_size, hmac, NULL);
+ check = CHECK_OK;
+ munmap(hmap, fs.st_size);
+ }
+ close(fd);
+
+bail_out:
+ if (hmac_rv) {
+ check = CHECK_OK;
+ *hmac_out = hmac;
+ } else {
+ check = CHECK_FAIL;
+ *hmac_out = NULL;
+ free(hmac);
+ }
+ return check;
+}
+
+/* find pathname of binary of process with PID pid. exe is buffer expected to
+ * be capable of holding at least max_pathlen characters
+ */
+static int
+get_executable_path(pid_t pid, char *exe, int max_pathlen)
+{
+ char exe_sl[PROC_EXE_PATH_LEN];
+ int n;
+ int rv = -1;
+
+ n = snprintf(exe_sl, sizeof(exe_sl), "/proc/%u/exe", pid);
+ if ((n <= 10) || (n >= max_pathlen)) {
+ fatal("error compiling filename of link to executable");
+ }
+
+ exe[0] = 0;
+ n = readlink(exe_sl, exe, max_pathlen);
+ /* the file doesn't need to exist - procfs might not be mounted in
+ * chroot */
+ if (n == -1) {
+ rv = CHECK_MISSING;
+ } else {
+ if (n < max_pathlen) {
+ exe[n] = 0;
+ rv = CHECK_OK;
+ } else {
+ rv = CHECK_FAIL;
+ }
+ }
+ return rv;
+}
+
+/* Read HMAC from file chk, allocating enough memory to hold the HMAC and
+ * return it in *hmac.
+ * Remember to free() it when it's not needed anymore.
+ */
+static int
+read_hmac(const char *chk, u_char **hmac)
+{
+ int check = -1;
+ int fdh, n;
+ u_char *hmac_in;
+
+ *hmac = NULL;
+
+ fdh = open(chk, O_RDONLY);
+ if (-1 == fdh) {
+ switch (errno) {
+ case ENOENT:
+ check = CHECK_MISSING;
+ debug("fips: checksum file %s is missing\n", chk);
+ break;
+ default:
+ check = CHECK_FAIL;
+ debug("fips: ckecksum file %s not accessible\n", chk);
+ break;
+
+ }
+ goto bail_out;
+ }
+
+ hmac_in = xmalloc(FIPS_HMAC_LEN);
+
+ n = read(fdh, (void *)hmac_in, FIPS_HMAC_LEN);
+ if (FIPS_HMAC_LEN != n) {
+ debug("fips: unable to read whole checksum from checksum file\n");
+ free (hmac_in);
+ check = CHECK_FAIL;
+ } else {
+ check = CHECK_OK;
+ *hmac = hmac_in;
+ }
+bail_out:
+ return check;
+}
+
+static int
+fips_hmac_self(void)
+{
+ int check = -1;
+ u_char *hmac = NULL, *hmac_chk = NULL;
+ char *exe, *chk;
+
+ exe = xmalloc(PATH_MAX);
+ chk = xmalloc(PATH_MAX);
+
+ /* we will need to add the suffix and the null terminator */
+ check = get_executable_path(getpid(), exe
+ , PATH_MAX - strlen(CHECKSUM_SUFFIX) - 1);
+ if (CHECK_OK != check)
+ goto cleanup;
+
+ strncpy(chk, exe, PATH_MAX);
+ strlcat(chk, CHECKSUM_SUFFIX, PATH_MAX);
+
+ check = read_hmac(chk, &hmac_chk);
+ if (CHECK_OK != check)
+ goto cleanup;
+
+ check = hmac_file(exe, &hmac);
+ if (CHECK_OK != check)
+ goto cleanup;
+
+ check = memcmp(hmac, hmac_chk, FIPS_HMAC_LEN);
+ if (0 == check) {
+ check = CHECK_OK;
+ debug("fips: checksum matches\n");
+ } else {
+ check = CHECK_FAIL;
+ debug("fips: checksum mismatch!\n");
+ }
+
+cleanup:
+ free(hmac);
+ free(hmac_chk);
+ free(chk);
+ free(exe);
+
+ return check;
+}
+
+static int
+fips_check_required_proc(void)
{
int fips_required = 0;
- char *env = getenv(SSH_FORCE_FIPS_ENV);
+ int fips_fd;
+ char fips_sys = 0;
- if (env) {
- errno = 0;
- fips_required = strtol(env, NULL, 10);
- if (errno) {
- debug("bogus value in the %s environment variable, ignoring\n"
- , SSH_FORCE_FIPS_ENV);
- fips_required = 0;
- } else
- fips_required = 1;
+ struct stat dummy;
+ if (-1 == stat(FIPS_PROC_PATH, &dummy)) {
+ switch (errno) {
+ case ENOENT:
+ case ENOTDIR:
+ break;
+ default:
+ fatal("Check for system-wide FIPS mode is required and %s cannot"
+ " be accessed for reason other than non-existence - aborting"
+ , FIPS_PROC_PATH);
+ break;
+ }
+ } else {
+ if (-1 == (fips_fd = open(FIPS_PROC_PATH, O_RDONLY)))
+ fatal("Check for system-wide FIPS mode is required and %s cannot"
+ " be opened for reading - aborting"
+ , FIPS_PROC_PATH);
+ if (1 > read(fips_fd, &fips_sys, 1))
+ fatal("Check for system-wide FIPS mode is required and %s doesn't"
+ " return at least one character - aborting"
+ , FIPS_PROC_PATH);
+ close(fips_sys);
+ switch (fips_sys) {
+ case '0':
+ case '1':
+ fips_required = fips_sys - '0';
+ break;
+ default:
+ fatal("Bogus character %c found in %s - aborting"
+ , fips_sys, FIPS_PROC_PATH);
+ }
}
return fips_required;
}
+static int
+fips_check_required_env(void)
+{
+ return (NULL != getenv(SSH_FORCE_FIPS_ENV));
+}
+
+static int
+fips_required(void)
+{
+ int fips_requests = 0;
+ fips_requests += fips_check_required_proc();
+ fips_requests += fips_check_required_env();
+ return fips_requests;
+}
+
+/* check whether FIPS mode is required and perform selfchecksum/selftest */
+void
+fips_ssh_init(void)
+{
+ int checksum;
+
+ checksum = fips_hmac_self();
+
+ if (fips_required()) {
+ switch (checksum) {
+ case CHECK_OK:
+ debug("fips: mandatory checksum ok");
+ break;
+ case CHECK_FAIL:
+ fatal("fips: mandatory checksum failed - aborting");
+ break;
+ case CHECK_MISSING:
+ fatal("fips: mandatory checksum data missing - aborting");
+ break;
+ default:
+ fatal("Fatal error: internal error at %s:%u"
+ , __FILE__, __LINE__);
+ break;
+ }
+ fips_state = FIPS_mode_set(1);
+ if (1 != fips_state) {
+ ERR_load_crypto_strings();
+ u_long err = ERR_get_error();
+ error("fips: OpenSSL error %lx: %s"
+ , err, ERR_error_string(err, NULL));
+ fatal("fips: unable to set OpenSSL into FIPS mode - aborting");
+ }
+ } else {
+ switch (checksum) {
+ case CHECK_OK:
+ debug("fips: checksum ok");
+ break;
+ case CHECK_FAIL:
+ fatal("fips: checksum failed - aborting");
+ break;
+ case CHECK_MISSING:
+ debug("fips: checksum data missing, but not required - continuing non-FIPS");
+ break;
+ default:
+ fatal("Fatal error: internal error at %s:%u",
+ __FILE__, __LINE__);
+ break;
+ }
+ }
+ return;
+}
+
int
fips_mode(void)
{
Index: openssh-8.8p1/fips.h
===================================================================
--- openssh-8.8p1.orig/fips.h
+++ openssh-8.8p1/fips.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012 Petr Cerny. All rights reserved.
+ * Copyright (c) 2012-2014 Petr Cerny. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -27,6 +27,15 @@
#include "sshkey.h"
#define SSH_FORCE_FIPS_ENV "SSH_FORCE_FIPS"
+#define FIPS_PROC_PATH "/proc/sys/crypto/fips_enabled"
+
+#define PROC_EXE_PATH_LEN 64
+#define CHECKSUM_SUFFIX ".hmac"
+#define FIPS_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
+#define FIPS_HMAC_EVP EVP_sha256
+#define FIPS_HMAC_LEN 32
+
+void fips_ssh_init(void);
typedef enum {
FIPS_FILTER_CIPHERS,
@@ -34,6 +43,12 @@ typedef enum {
FIPS_FILTER_KEX_ALGS
} fips_filters;
+typedef enum {
+ CHECK_OK = 0,
+ CHECK_FAIL,
+ CHECK_MISSING
+} fips_checksum_status;
+
int fips_mode(void);
int fips_correct_dgst(int);
int fips_dgst_min(void);
@@ -41,4 +56,3 @@ enum fp_type fips_correct_fp_type(enum
int fips_filter_crypto(char **, fips_filters);
#endif
-
Index: openssh-8.8p1/sftp-server.c
===================================================================
--- openssh-8.8p1.orig/sftp-server.c
+++ openssh-8.8p1/sftp-server.c
@@ -57,6 +57,8 @@ char *sftp_realpath(const char *, char *
/* Maximum data read that we are willing to accept */
#define SFTP_MAX_READ_LENGTH (SFTP_MAX_MSG_LENGTH - 1024)
+#include "fips.h"
+
/* Our verbosity */
static LogLevel log_level = SYSLOG_LEVEL_ERROR;
@@ -1717,6 +1719,9 @@ sftp_server_main(int argc, char **argv,
extern char *optarg;
extern char *__progname;
+ /* initialize fips */
+ fips_ssh_init();
+
__progname = ssh_get_progname(argv[0]);
log_init(__progname, log_level, log_facility, log_stderr);
Index: openssh-8.8p1/ssh.c
===================================================================
--- openssh-8.8p1.orig/ssh.c
+++ openssh-8.8p1/ssh.c
@@ -113,6 +113,8 @@
#include "ssh-pkcs11.h"
#endif
+#include "fips.h"
+
extern char *__progname;
/* Saves a copy of argv for setproctitle emulation */
@@ -632,6 +634,10 @@ main(int ac, char **av)
u_int j;
struct ssh_conn_info *cinfo = NULL;
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
+ fips_ssh_init();
+
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
Index: openssh-8.8p1/sshd.c
===================================================================
--- openssh-8.8p1.orig/sshd.c
+++ openssh-8.8p1/sshd.c
@@ -1547,6 +1547,10 @@ main(int ac, char **av)
struct connection_info connection_info;
sigset_t sigmask;
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
+ fips_ssh_init();
+
memset(&connection_info, 0, sizeof(connection_info));
#ifdef HAVE_SECUREWARE
(void)set_auth_parameters(ac, av);

View File

@ -0,0 +1,20 @@
# HG changeset patch
# Parent 0f731d0b541b8a919d24ac91098f560a49712822
Suggest command line for removal of offending keys from known_hosts file
Index: openssh-8.8p1/sshconnect.c
===================================================================
--- openssh-8.8p1.orig/sshconnect.c
+++ openssh-8.8p1/sshconnect.c
@@ -1270,6 +1270,11 @@ check_host_key(char *hostname, const str
error("Offending %s key in %s:%lu",
sshkey_type(host_found->key),
host_found->file, host_found->line);
+ error("You can use following command to remove the offending key:");
+ if (host_found->file)
+ error("ssh-keygen -R %s -f %s", host, host_found->file);
+ else
+ error("ssh-keygen -R %s", host);
/*
* If strict host key checking is in use, the user will have

View File

@ -0,0 +1,83 @@
# HG changeset patch
# Parent 5e19a205fa03584bb0d829ecbba7495ce1899b65
# -- uset do be called '-xauthlocalhostname'
handle hostname changes when forwarding X
Index: openssh-8.8p1/session.c
===================================================================
--- openssh-8.8p1.orig/session.c
+++ openssh-8.8p1/session.c
@@ -981,7 +981,7 @@ copy_environment(char **source, char ***
#endif
static char **
-do_setup_env(struct ssh *ssh, Session *s, const char *shell)
+do_setup_env(struct ssh *ssh, Session *s, const char *shell, int *env_size)
{
char buf[256];
size_t n;
@@ -1191,6 +1191,8 @@ do_setup_env(struct ssh *ssh, Session *s
for (i = 0; env[i]; i++)
fprintf(stderr, " %.200s\n", env[i]);
}
+
+ *env_size = envsize;
return env;
}
@@ -1199,7 +1201,7 @@ do_setup_env(struct ssh *ssh, Session *s
* first in this order).
*/
static void
-do_rc_files(struct ssh *ssh, Session *s, const char *shell)
+do_rc_files(struct ssh *ssh, Session *s, const char *shell, char **env, int *env_size)
{
FILE *f = NULL;
char *cmd = NULL, *user_rc = NULL;
@@ -1256,12 +1258,20 @@ do_rc_files(struct ssh *ssh, Session *s,
fatal_f("xasprintf: %s", strerror(errno));
f = popen(cmd, "w");
if (f) {
+ char hostname[MAXHOSTNAMELEN];
+
fprintf(f, "remove %s\n",
s->auth_display);
fprintf(f, "add %s %s %s\n",
s->auth_display, s->auth_proto,
s->auth_data);
pclose(f);
+ if (gethostname(hostname,sizeof(hostname)) >= 0)
+ child_set_env(&env,env_size,"XAUTHLOCALHOSTNAME",
+ hostname);
+ else
+ debug("Cannot set up XAUTHLOCALHOSTNAME %s\n",
+ strerror(errno));
} else {
fprintf(stderr, "Could not run %s\n",
cmd);
@@ -1518,6 +1528,7 @@ do_child(struct ssh *ssh, Session *s, co
char **env, *argv[ARGV_MAX], remote_id[512];
const char *shell, *shell0;
struct passwd *pw = s->pw;
+ int env_size;
int r = 0;
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
@@ -1574,7 +1585,7 @@ do_child(struct ssh *ssh, Session *s, co
* Make sure $SHELL points to the shell from the password file,
* even if shell is overridden from login.conf
*/
- env = do_setup_env(ssh, s, shell);
+ env = do_setup_env(ssh, s, shell, &env_size);
#ifdef HAVE_LOGIN_CAP
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
@@ -1638,7 +1649,7 @@ do_child(struct ssh *ssh, Session *s, co
closefrom(STDERR_FILENO + 1);
- do_rc_files(ssh, s, shell);
+ do_rc_files(ssh, s, shell, env, &env_size);
/* restore SIGPIPE for child */
ssh_signal(SIGPIPE, SIG_DFL);

2721
openssh-7.7p1-ldap.patch Normal file

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,17 @@
# HG changeset patch
# Parent bad0c8b3b8d72abb6960ed85b57ee42352371738
Do not write a PID file when not daemonizing (e.g. when running from systemd)
Index: openssh-8.8p1/sshd.c
===================================================================
--- openssh-8.8p1.orig/sshd.c
+++ openssh-8.8p1/sshd.c
@@ -2129,7 +2129,7 @@ main(int ac, char **av)
* Write out the pid file after the sigterm handler
* is setup and the listen sockets are bound
*/
- if (options.pid_file != NULL && !debug_flag) {
+ if (!no_daemon_flag && options.pid_file != NULL && !debug_flag) {
FILE *f = fopen(options.pid_file, "w");
if (f == NULL) {

View File

@ -0,0 +1,135 @@
# HG changeset patch
# Parent 089f4fba0112d410a1bfa74398941f076681d446
new option UsePAMCheckLocks to enforce checking for locked accounts while
UsePAM is used
bnc#708678, FATE#312033
Index: openssh-8.8p1/auth.c
===================================================================
--- openssh-8.8p1.orig/auth.c
+++ openssh-8.8p1/auth.c
@@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas
if (!pw || !pw->pw_name)
return 0;
- if (!options.use_pam && platform_locked_account(pw)) {
+ if ((!options.use_pam || options.use_pam_check_locks) && platform_locked_account(pw)) {
logit("User %.100s not allowed because account is locked",
pw->pw_name);
return 0;
#@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas
# #endif
#
# /* check for locked account */
#- if (!options.use_pam && passwd && *passwd) {
#+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
# int locked = 0;
#
# #ifdef LOCKED_PASSWD_STRING
Index: openssh-8.8p1/servconf.c
===================================================================
--- openssh-8.8p1.orig/servconf.c
+++ openssh-8.8p1/servconf.c
@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions
/* Portable-specific options */
options->use_pam = -1;
options->pam_service_name = NULL;
+ options->use_pam_check_locks = -1;
/* Standard Options */
options->num_ports = 0;
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
options->use_pam = 0;
if (options->pam_service_name == NULL)
options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);
+ if (options->use_pam_check_locks == -1)
+ options->use_pam_check_locks = 0;
/* Standard Options */
if (options->num_host_key_files == 0) {
@@ -485,7 +488,7 @@ fill_default_server_options(ServerOption
typedef enum {
sBadOption, /* == unknown option */
/* Portable-specific options */
- sUsePAM, sPAMServiceName,
+ sUsePAM, sPAMServiceName, sUsePAMChecklocks,
/* Standard Options */
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
@@ -535,9 +538,11 @@ static struct {
#ifdef USE_PAM
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
{ "pamservicename", sPAMServiceName, SSHCFG_ALL },
+ { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
#else
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
{ "pamservicename", sUnsupported, SSHCFG_ALL },
+ { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
#endif
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
/* Standard Options */
@@ -1331,6 +1336,9 @@ process_server_config_line_depth(ServerO
if (*activep && *charptr == NULL)
*charptr = xstrdup(arg);
break;
+ case sUsePAMChecklocks:
+ intptr = &options->use_pam_check_locks;
+ goto parse_flag;
/* Standard Options */
case sBadOption:
Index: openssh-8.8p1/servconf.h
===================================================================
--- openssh-8.8p1.orig/servconf.h
+++ openssh-8.8p1/servconf.h
@@ -200,6 +200,7 @@ typedef struct {
int use_pam; /* Enable auth via PAM */
char *pam_service_name;
+ int use_pam_check_locks; /* internally check for locked accounts even when using PAM */
int permit_tun;
Index: openssh-8.8p1/sshd_config.0
===================================================================
--- openssh-8.8p1.orig/sshd_config.0
+++ openssh-8.8p1/sshd_config.0
@@ -1074,6 +1074,14 @@ DESCRIPTION
If UsePAM is enabled, you will not be able to run sshd(8) as a
non-root user. The default is no.
+ UsePAMCheckLocks
+ When set to ``yes'', the checks whether the account has been
+ locked with `passwd -l' are performed even when PAM authentication
+ is enabled via UsePAM. This is to ensure that it is not possible
+ to log in with e.g. a public key (in such a case PAM is used only
+ to set up the session and some PAM modules will not check whether
+ the account is locked in this scenario). The default is ``no''.
+
VersionAddendum
Optionally specifies additional text to append to the SSH
protocol banner sent by the server upon connection. The default
Index: openssh-8.8p1/sshd_config.5
===================================================================
--- openssh-8.8p1.orig/sshd_config.5
+++ openssh-8.8p1/sshd_config.5
@@ -1775,6 +1775,18 @@ is enabled, you will not be able to run
as a non-root user.
The default is
.Cm no .
+.It Cm UsePAMCheckLocks
+When set to
+.Dq yes
+, the checks whether the account has been locked with
+.Pa passwd -l
+are performed even when PAM authentication is enabled via
+.Cm UsePAM .
+This is to ensure that it is not possible to log in with e.g. a
+public key (in such a case PAM is used only to set up the session and some PAM
+modules will not check whether the account is locked in this scenario). The
+default is
+.Dq no .
.It Cm VersionAddendum
Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.

View File

@ -0,0 +1,30 @@
# HG changeset patch
# Parent 7cd948c83939479d1ba88a3161991cb561306f3f
# use same lines naming as utempter (prevents problems with using different
# formats in ?tmp? files)
# --used to be called '-pts'
Index: openssh-8.8p1/loginrec.c
===================================================================
--- openssh-8.8p1.orig/loginrec.c
+++ openssh-8.8p1/loginrec.c
@@ -549,7 +549,7 @@ getlast_entry(struct logininfo *li)
* 1. The full filename (including '/dev')
* 2. The stripped name (excluding '/dev')
* 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00
- * /dev/pts/1 -> ts/1 )
+ * /dev/pts/1 -> /1 )
*
* Form 3 is used on some systems to identify a .tmp.? entry when
* attempting to remove it. Typically both addition and removal is
@@ -610,6 +610,10 @@ line_abbrevname(char *dst, const char *s
if (strncmp(src, "tty", 3) == 0)
src += 3;
#endif
+ if (strncmp(src, "pts/", 4) == 0) {
+ src += 3;
+ if (strlen(src) > 4) src++;
+ }
len = strlen(src);

View File

@ -0,0 +1,46 @@
# HG changeset patch
# Parent a60c0d88667efe0a64c030168950b69476af1622
# --used to be called '-xauth'
try to remove xauth cookies on logout
bnc#98815
Index: openssh-8.8p1/session.c
===================================================================
--- openssh-8.8p1.orig/session.c
+++ openssh-8.8p1/session.c
@@ -2441,6 +2441,34 @@ session_close(struct ssh *ssh, Session *
ssh_remote_port(ssh),
s->self);
+ if ((s->display != NULL) && (s->auth_proto != NULL) &&
+ (s->auth_data != NULL) && (options.xauth_location != NULL)) {
+ pid_t pid;
+ FILE *f;
+ char cmd[1024];
+ struct passwd * pw = s->pw;
+
+ if (!(pid = fork())) {
+ permanently_set_uid(pw);
+
+ /* Remove authority data from .Xauthority if appropriate. */
+ debug("Running %.500s remove %.100s\n",
+ options.xauth_location, s->auth_display);
+
+ snprintf(cmd, sizeof cmd, "unset XAUTHORITY && HOME=\"%.200s\" %s -q -",
+ s->pw->pw_dir, options.xauth_location);
+ f = popen(cmd, "w");
+ if (f) {
+ fprintf(f, "remove %s\n", s->auth_display);
+ pclose(f);
+ } else
+ error("Could not run %s\n", cmd);
+ exit(0);
+ } else if (pid > 0) {
+ waitpid(pid, NULL, 0);
+ }
+ }
+
if (s->ttyfd != -1)
session_pty_cleanup(s);
free(s->term);

View File

@ -0,0 +1,41 @@
# HG changeset patch
# Parent 9d38b7292619a6d5faf554b1a88888fdfa535de7
Patch from IBM enabling the use of OpenCryptoki, submitted upstreams:
From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
To: openssh-unix-dev@mindrot.org
Subject: [PATCH 1/3] Allow flock and ipc syscall for s390 architecture
Date: Tue, 9 May 2017 14:27:13 -0300
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
implementation) which calls the libraries that will communicate with the
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
this is only need on s390 architecture.
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
Index: openssh-8.8p1/sandbox-seccomp-filter.c
===================================================================
--- openssh-8.8p1.orig/sandbox-seccomp-filter.c
+++ openssh-8.8p1/sandbox-seccomp-filter.c
@@ -219,6 +219,9 @@ static const struct sock_filter preauth_
#ifdef __NR_geteuid32
SC_ALLOW(__NR_geteuid32),
#endif
+#if defined(__NR_flock) && defined(__s390__)
+ SC_ALLOW(__NR_flock),
+#endif
#ifdef __NR_getpgid
SC_ALLOW(__NR_getpgid),
#endif
@@ -237,6 +240,9 @@ static const struct sock_filter preauth_
#ifdef __NR_getuid32
SC_ALLOW(__NR_getuid32),
#endif
+#if defined(__NR_ipc) && defined(__s390__)
+ SC_ALLOW(__NR_ipc),
+#endif
#ifdef __NR_madvise
SC_ALLOW_ARG(__NR_madvise, 2, MADV_NORMAL),
# ifdef MADV_FREE

View File

@ -0,0 +1,21 @@
# HG changeset patch
# Parent 5034ae16f6a5c9c7151d931dc1cce2a541fe010e
Allow the stat() syscall for OpenSSL re-seed patch
(which causes OpenSSL use stat() on some file)
bnc#912436
Index: openssh-8.8p1/sandbox-seccomp-filter.c
===================================================================
--- openssh-8.8p1.orig/sandbox-seccomp-filter.c
+++ openssh-8.8p1/sandbox-seccomp-filter.c
@@ -294,6 +294,9 @@ static const struct sock_filter preauth_
#ifdef __NR_sigprocmask
SC_ALLOW(__NR_sigprocmask),
#endif
+#ifdef __NR_stat
+ SC_ALLOW(__NR_stat),
+#endif
#ifdef __NR_time
SC_ALLOW(__NR_time),
#endif

View File

@ -0,0 +1,37 @@
# HG changeset patch
# Parent db426aecefd1f4f8a7f9b9b6e8936cd8dd2f17fa
send locales in default configuration
bnc#65747
Index: openssh-8.8p1/ssh_config
===================================================================
--- openssh-8.8p1.orig/ssh_config
+++ openssh-8.8p1/ssh_config
@@ -31,6 +31,11 @@ Host *
# expire after twenty minutes after remote login.
ForwardX11Trusted yes
+# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL
+
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
Index: openssh-8.8p1/sshd_config
===================================================================
--- openssh-8.8p1.orig/sshd_config
+++ openssh-8.8p1/sshd_config
@@ -108,6 +108,11 @@ X11Forwarding yes
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
+# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no

View File

@ -0,0 +1,125 @@
Index: openssh-8.8p1/sftp-server.8
===================================================================
--- openssh-8.8p1.orig/sftp-server.8
+++ openssh-8.8p1/sftp-server.8
@@ -38,6 +38,7 @@
.Op Fl P Ar denied_requests
.Op Fl p Ar allowed_requests
.Op Fl u Ar umask
+.Op Fl m Ar force_file_dir_perms
.Ek
.Nm
.Fl Q Ar protocol_feature
@@ -138,6 +139,10 @@ Sets an explicit
.Xr umask 2
to be applied to newly-created files and directories, instead of the
user's default mask.
+.It Fl m Ar force_file_dir_perms
+Sets explicit permissions to be applied to newly-created files and directories
+instead of the default or client requested mode. Numeric values include:
+777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set.
.El
.Pp
On some systems,
Index: openssh-8.8p1/sftp-server.c
===================================================================
--- openssh-8.8p1.orig/sftp-server.c
+++ openssh-8.8p1/sftp-server.c
@@ -73,6 +73,10 @@ struct sshbuf *oqueue;
/* Version of client */
static u_int version;
+/* Force file and directory permissions */
+int permforce = 0;
+long permforcemode;
+
/* SSH2_FXP_INIT received */
static int init_done;
@@ -724,6 +728,7 @@ process_open(u_int32_t id)
Attrib a;
char *name;
int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE;
+ mode_t old_umask = 0;
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
@@ -733,6 +738,10 @@ process_open(u_int32_t id)
debug3("request %u: open flags %d", id, pflags);
flags = flags_from_portable(pflags);
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
+ if (permforce == 1) { /* Force perm if -m is set */
+ mode = permforcemode;
+ old_umask = umask(0); /* so umask does not interfere */
+ }
logit("open \"%s\" flags %s mode 0%o",
name, string_from_portable(pflags), mode);
if (readonly &&
@@ -754,6 +763,8 @@ process_open(u_int32_t id)
}
}
}
+ if (permforce == 1)
+ (void) umask(old_umask); /* restore umask to something sane */
if (status != SSH2_FX_OK)
send_status(id, status);
free(name);
@@ -1183,6 +1194,7 @@ process_mkdir(u_int32_t id)
Attrib a;
char *name;
int r, mode, status = SSH2_FX_FAILURE;
+ mode_t old_umask = 0;
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
(r = decode_attrib(iqueue, &a)) != 0)
@@ -1190,9 +1202,16 @@ process_mkdir(u_int32_t id)
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ?
a.perm & 07777 : 0777;
+ if (permforce == 1) { /* Force perm if -m is set */
+ mode = permforcemode;
+ old_umask = umask(0); /* so umask does not interfere */
+ }
+
debug3("request %u: mkdir", id);
logit("mkdir name \"%s\" mode 0%o", name, mode);
r = mkdir(name, mode);
+ if (permforce == 1)
+ (void) umask(old_umask); /* restore umask to something sane */
status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
send_status(id, status);
free(name);
@@ -1700,7 +1719,7 @@ sftp_server_usage(void)
fprintf(stderr,
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
"[-l log_level]\n\t[-P denied_requests] "
- "[-p allowed_requests] [-u umask]\n"
+ "[-p allowed_requests] [-u umask] [-m force_file_dir_perms]\n"
" %s -Q protocol_feature\n",
__progname, __progname);
exit(1);
@@ -1728,7 +1747,7 @@ sftp_server_main(int argc, char **argv,
pw = pwcopy(user_pw);
while (!skipargs && (ch = getopt(argc, argv,
- "d:f:l:P:p:Q:u:cehR")) != -1) {
+ "d:f:l:P:p:Q:u:m:cehR")) != -1) {
switch (ch) {
case 'Q':
if (strcasecmp(optarg, "requests") != 0) {
@@ -1790,6 +1809,15 @@ sftp_server_main(int argc, char **argv,
fatal("Invalid umask \"%s\"", optarg);
(void)umask((mode_t)mask);
break;
+ case 'm':
+ /* Force permissions on file and directory received via sftp */
+ permforce = 1;
+ permforcemode = strtol(optarg, &cp, 8);
+ if (permforcemode < 0 || permforcemode > 0777 ||
+ *cp != '\0' || (permforcemode == 0 &&
+ errno != 0))
+ fatal("Invalid file mode \"%s\"", optarg);
+ break;
case 'h':
default:
sftp_server_usage();

View File

@ -0,0 +1,60 @@
# HG changeset patch
# Parent 60bdbe6dd8d6bc011883472363d56e1d97f68835
Put back sftp client diagnostic messages in batch mode
Index: openssh-8.8p1/sftp.1
===================================================================
--- openssh-8.8p1.orig/sftp.1
+++ openssh-8.8p1/sftp.1
@@ -287,6 +287,9 @@ Specifies the port to connect to on the
.It Fl p
Preserves modification times, access times, and modes from the
original files transferred.
+.It Fl Q
+Not-so-quiet batch mode: forces printing of diagnostic messages
+in batch mode.
.It Fl q
Quiet mode: disables the progress meter as well as warning and
diagnostic messages from
Index: openssh-8.8p1/sftp.c
===================================================================
--- openssh-8.8p1.orig/sftp.c
+++ openssh-8.8p1/sftp.c
@@ -82,6 +82,9 @@ static volatile pid_t sshpid = -1;
/* Suppress diagnostic messages */
int quiet = 0;
+/* Force diagnositic messages in batch mode */
+int loud = 0;
+
/* This is set to 0 if the progressmeter is not desired. */
int showprogress = 1;
@@ -2381,7 +2384,7 @@ main(int argc, char **argv)
infile = stdin;
while ((ch = getopt(argc, argv,
- "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:X:")) != -1) {
+ "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:X:")) != -1) {
switch (ch) {
/* Passed through to ssh(1) */
case 'A':
@@ -2399,6 +2402,9 @@ main(int argc, char **argv)
addargs(&args, "-%c", ch);
addargs(&args, "%s", optarg);
break;
+ case 'Q':
+ loud = 1;
+ break;
case 'q':
ll = SYSLOG_LEVEL_ERROR;
quiet = 1;
@@ -2483,6 +2489,8 @@ main(int argc, char **argv)
usage();
}
}
+ if (batchmode && loud)
+ quiet = 0;
/* Do this last because we want the user to be able to override it */
addargs(&args, "-oForwardAgent no");

View File

@ -0,0 +1,87 @@
# HG changeset patch
# Parent d296e85dc414b8cd1b4b55ad03d8216feb26531a
Send signals to systemd to prevent various race conditions
bsc#1048367
Index: openssh-8.8p1/configure.ac
===================================================================
--- openssh-8.8p1.orig/configure.ac
+++ openssh-8.8p1/configure.ac
@@ -4751,6 +4751,30 @@ AC_ARG_WITH([kerberos5],
# AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS])
AC_SUBST([CHANNELLIBS])
+# Check whether user wants systemd support
+SYSTEMD_MSG="no"
+AC_ARG_WITH(systemd,
+ [ --with-systemd Enable systemd support],
+ [ if test "x$withval" != "xno" ; then
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
+ if test "$PKGCONFIG" != "no"; then
+ AC_MSG_CHECKING([for libsystemd])
+ if $PKGCONFIG --exists libsystemd; then
+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
+ AC_MSG_RESULT([yes])
+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
+ SYSTEMD_MSG="yes"
+ else
+ AC_MSG_RESULT([no])
+ fi
+ fi
+ fi ]
+)
+
+
# Looking for programs, paths and files
PRIVSEP_PATH=/var/empty
@@ -5564,6 +5588,7 @@ echo " libldns support
echo " Solaris process contract support: $SPC_MSG"
echo " Solaris project support: $SP_MSG"
echo " Solaris privilege support: $SPP_MSG"
+echo " systemd support: $SYSTEMD_MSG"
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo " BSD Auth support: $BSD_AUTH_MSG"
Index: openssh-8.8p1/sshd.c
===================================================================
--- openssh-8.8p1.orig/sshd.c
+++ openssh-8.8p1/sshd.c
@@ -85,6 +85,10 @@
#include <prot.h>
#endif
+#ifdef HAVE_SYSTEMD
+#include <systemd/sd-daemon.h>
+#endif
+
#include "xmalloc.h"
#include "ssh.h"
#include "sshpty.h"
@@ -308,6 +312,10 @@ sighup_handler(int sig)
static void
sighup_restart(void)
{
+#ifdef HAVE_SYSTEMD
+ /* Signal systemd that we are reloading */
+ sd_notify(0, "RELOADING=1");
+#endif
logit("Received SIGHUP; restarting.");
if (options.pid_file != NULL)
unlink(options.pid_file);
@@ -2076,6 +2084,11 @@ main(int ac, char **av)
}
}
+#ifdef HAVE_SYSTEMD
+ /* Signal systemd that we are ready to accept connections */
+ sd_notify(0, "READY=1");
+#endif
+
/* Accept a connection and return in a forked child */
server_accept_loop(&sock_in, &sock_out,
&newsock, config_s, log_stderr);

View File

@ -0,0 +1,863 @@
diff -up openssh/auth2.c.role-mls openssh/auth2.c
--- openssh/auth2.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/auth2.c 2018-08-22 11:14:56.815430916 +0200
@@ -256,6 +256,9 @@ input_userauth_request(int type, u_int32
Authctxt *authctxt = ssh->authctxt;
Authmethod *m = NULL;
char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
+#ifdef WITH_SELINUX
+ char *role = NULL;
+#endif
int r, authenticated = 0;
double tstart = monotime_double();
@@ -268,6 +271,11 @@ input_userauth_request(int type, u_int32
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+#ifdef WITH_SELINUX
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = 0;
+#endif
+
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
@@ -314,7 +314,13 @@ input_userauth_request(int type, u_int32
setproctitle("%s [net]", authctxt->valid ? user : "unknown");
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
+#ifdef WITH_SELINUX
+ authctxt->role = role ? xstrdup(role) : NULL;
+#endif
mm_inform_authserv(service, style);
+#ifdef WITH_SELINUX
+ mm_inform_authrole(role);
+#endif
userauth_banner(ssh);
if ((r = kex_server_update_ext_info(ssh)) != 0)
fatal_fr(r, "kex_server_update_ext_info failed");
diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
--- openssh/auth2-gss.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/auth2-gss.c 2018-08-22 11:15:42.459799171 +0200
@@ -281,6 +281,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ssh->authctxt;
Gssctxt *gssctxt;
int r, authenticated = 0;
+ char *micuser;
struct sshbuf *b;
gss_buffer_desc mic, gssbuf;
u_char *p;
@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
fatal_f("sshbuf_new failed");
mic.value = p;
mic.length = len;
- ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
+#ifdef WITH_SELINUX
+ if (authctxt->role && authctxt->role[0] != 0)
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
+ else
+#endif
+ micuser = authctxt->user;
+ ssh_gssapi_buildmic(b, micuser, authctxt->service,
"gssapi-with-mic", ssh->kex->session_id);
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
logit("GSSAPI MIC check failed");
sshbuf_free(b);
+ if (micuser != authctxt->user)
+ free(micuser);
free(mic.value);
authctxt->postponed = 0;
diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
--- openssh/auth2-hostbased.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
/* reconstruct packet */
if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 ||
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
+#ifdef WITH_SELINUX
+ (authctxt->role
+ ? ( (r = sshbuf_put_u32(b, strlen(authctxt->user)+strlen(authctxt->role)+1)) != 0 ||
+ (r = sshbuf_put(b, authctxt->user, strlen(authctxt->user))) != 0 ||
+ (r = sshbuf_put_u8(b, '/') != 0) ||
+ (r = sshbuf_put(b, authctxt->role, strlen(authctxt->role))) != 0)
+ : (r = sshbuf_put_cstring(b, authctxt->user)) != 0) ||
+#else
(r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
+#endif
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
(r = sshbuf_put_cstring(b, method)) != 0 ||
(r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
--- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200
+++ openssh/auth2-pubkey.c 2018-08-22 11:17:07.331483958 +0200
@@ -169,9 +169,16 @@ userauth_pubkey(struct ssh *ssh)
goto done;
}
/* reconstruct packet */
- xasprintf(&userstyle, "%s%s%s", authctxt->user,
+ xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
- authctxt->style ? authctxt->style : "");
+ authctxt->style ? authctxt->style : "",
+#ifdef WITH_SELINUX
+ authctxt->role ? "/" : "",
+ authctxt->role ? authctxt->role : ""
+#else
+ "", ""
+#endif
+ );
if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
(r = sshbuf_put_cstring(b, userstyle)) != 0 ||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
diff -up openssh/auth.h.role-mls openssh/auth.h
--- openssh/auth.h.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/auth.h 2018-08-22 11:14:56.816430924 +0200
@@ -65,6 +65,9 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
char *style;
+#ifdef WITH_SELINUX
+ char *role;
+#endif
/* Method lists for multiple authentication */
char **auth_methods; /* modified from server config */
diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c
--- openssh/auth-pam.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/auth-pam.c 2018-08-22 11:14:56.816430924 +0200
@@ -1172,7 +1172,7 @@ is_pam_session_open(void)
* during the ssh authentication process.
*/
int
-do_pam_putenv(char *name, char *value)
+do_pam_putenv(char *name, const char *value)
{
int ret = 1;
char *compound;
diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
--- openssh/auth-pam.h.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/auth-pam.h 2018-08-22 11:14:56.817430932 +0200
@@ -33,7 +33,7 @@ u_int do_pam_account(void);
void do_pam_session(struct ssh *);
void do_pam_setcred(void);
void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
diff -up openssh/misc.c.role-mls openssh/misc.c
--- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200
@@ -542,6 +542,7 @@ char *
colon(char *cp)
{
int flag = 0;
+ int start = 1;
if (*cp == ':') /* Leading colon is part of file name. */
return NULL;
@@ -557,6 +558,13 @@ colon(char *cp)
return (cp);
if (*cp == '/')
return NULL;
+ if (start) {
+ /* Slash on beginning or after dots only denotes file name. */
+ if (*cp == '/')
+ return (0);
+ if (*cp != '.')
+ start = 0;
+ }
}
return NULL;
}
diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
--- openssh-8.6p1/monitor.c.role-mls 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/monitor.c 2021-05-21 14:21:56.719414087 +0200
@@ -117,6 +117,9 @@ int mm_answer_sign(struct ssh *, int, st
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
+#ifdef WITH_SELINUX
+int mm_answer_authrole(struct ssh *, int, struct sshbuf *);
+#endif
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
@@ -195,6 +198,9 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+#ifdef WITH_SELINUX
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
+#endif
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
@@ -803,6 +809,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+#ifdef WITH_SELINUX
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+#endif
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
#ifdef USE_PAM
@@ -877,6 +886,26 @@ key_base_type_match(const char *method,
return found;
}
+#ifdef WITH_SELINUX
+int
+mm_answer_authrole(struct ssh *ssh, int sock, struct sshbuf *m)
+{
+ int r;
+ monitor_permit_authentications(1);
+
+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
+ fatal_f("buffer error: %s", ssh_err(r));
+ debug3_f("role=%s", authctxt->role);
+
+ if (strlen(authctxt->role) == 0) {
+ free(authctxt->role);
+ authctxt->role = NULL;
+ }
+
+ return (0);
+}
+#endif
+
int
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
{
@@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh,
struct sshbuf *b;
struct sshkey *hostkey = NULL;
const u_char *p;
- char *userstyle, *cp;
+ char *userstyle, *s, *cp;
size_t len;
u_char type;
int hostbound = 0, r, fail = 0;
@@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh,
fail++;
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
fatal_fr(r, "parse userstyle");
+ if ((s = strchr(cp, '/')) != NULL)
+ *s = '\0';
xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : "");
@@ -1317,7 +1348,7 @@ monitor_valid_hostbasedblob(const u_char
{
struct sshbuf *b;
const u_char *p;
- char *cp, *userstyle;
+ char *cp, *s, *userstyle;
size_t len;
int r, fail = 0;
u_char type;
@@ -1338,6 +1370,8 @@ monitor_valid_hostbasedblob(const u_char
fail++;
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
fatal_fr(r, "parse userstyle");
+ if ((s = strchr(cp, '/')) != NULL)
+ *s = '\0';
xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : "");
diff -up openssh/monitor.h.role-mls openssh/monitor.h
--- openssh/monitor.h.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/monitor.h 2018-08-22 11:14:56.818430941 +0200
@@ -55,6 +55,10 @@ enum monitor_reqtype {
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
MONITOR_REQ_TERM = 50,
+#ifdef WITH_SELINUX
+ MONITOR_REQ_AUTHROLE = 80,
+#endif
+
MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
--- openssh/monitor_wrap.c.role-mls 2018-08-22 11:14:56.818430941 +0200
+++ openssh/monitor_wrap.c 2018-08-22 11:21:47.938747968 +0200
@@ -390,6 +390,27 @@ mm_inform_authserv(char *service, char *
sshbuf_free(m);
}
+/* Inform the privileged process about role */
+
+#ifdef WITH_SELINUX
+void
+mm_inform_authrole(char *role)
+{
+ int r;
+ struct sshbuf *m;
+
+ debug3_f("entering");
+
+ if ((m = sshbuf_new()) == NULL)
+ fatal_f("sshbuf_new failed");
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
+ fatal_f("buffer error: %s", ssh_err(r));
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
+
+ sshbuf_free(m);
+}
+#endif
+
/* Do the password authentication */
int
mm_auth_password(struct ssh *ssh, char *password)
diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
--- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200
+++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200
@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
const u_char *, size_t, const char *, const char *,
const char *, u_int compat);
void mm_inform_authserv(char *, char *);
+#ifdef WITH_SELINUX
+void mm_inform_authrole(char *);
+#endif
struct passwd *mm_getpwnamallow(struct ssh *, const char *);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct ssh *, char *);
diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Makefile.in
--- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200
@@ -92,7 +92,8 @@ PORTS= port-aix.o \
port-prngd.o \
port-solaris.o \
port-net.o \
- port-uw.o
+ port-uw.o \
+ port-linux-sshd.o
.c.o:
$(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $<
diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c
--- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200
@@ -100,37 +100,6 @@ ssh_selinux_getctxbyname(char *pwname)
return sc;
}
-/* Set the execution context to the default for the specified user */
-void
-ssh_selinux_setup_exec_context(char *pwname)
-{
- char *user_ctx = NULL;
-
- if (!ssh_selinux_enabled())
- return;
-
- debug3("%s: setting execution context", __func__);
-
- user_ctx = ssh_selinux_getctxbyname(pwname);
- if (setexeccon(user_ctx) != 0) {
- switch (security_getenforce()) {
- case -1:
- fatal("%s: security_getenforce() failed", __func__);
- case 0:
- error("%s: Failed to set SELinux execution "
- "context for %s", __func__, pwname);
- break;
- default:
- fatal("%s: Failed to set SELinux execution context "
- "for %s (in enforcing mode)", __func__, pwname);
- }
- }
- if (user_ctx != NULL)
- freecon(user_ctx);
-
- debug3("%s: done", __func__);
-}
-
/* Set the TTY context for the specified user */
void
ssh_selinux_setup_pty(char *pwname, const char *tty)
@@ -145,7 +114,11 @@ ssh_selinux_setup_pty(char *pwname, cons
debug3("%s: setting TTY context on %s", __func__, tty);
- user_ctx = ssh_selinux_getctxbyname(pwname);
+ if (getexeccon(&user_ctx) != 0) {
+ error_f("getexeccon: %s", strerror(errno));
+ goto out;
+ }
+
/* XXX: should these calls fatal() upon failure in enforcing mode? */
diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/port-linux.h
--- openssh/openbsd-compat/port-linux.h.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/openbsd-compat/port-linux.h 2018-08-22 11:14:56.819430949 +0200
@@ -20,9 +20,10 @@
#ifdef WITH_SELINUX
int ssh_selinux_enabled(void);
void ssh_selinux_setup_pty(char *, const char *);
-void ssh_selinux_setup_exec_context(char *);
void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
+
+void sshd_selinux_setup_exec_context(char *);
#endif
#ifdef LINUX_OOM_ADJUST
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
+++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
@@ -0,0 +1,420 @@
+/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Linux-specific portability code - just SELinux support for sshd at present
+ */
+
+#include "includes.h"
+
+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
+#include <errno.h>
+#include <stdarg.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "log.h"
+#include "xmalloc.h"
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
+#include "servconf.h"
+#include "port-linux.h"
+#include "sshkey.h"
+#include "hostfile.h"
+#include "auth.h"
+
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+#include <selinux/get_context_list.h>
+#include <selinux/get_default_type.h>
+
+#ifdef HAVE_LINUX_AUDIT
+#include <libaudit.h>
+#include <unistd.h>
+#endif
+
+extern ServerOptions options;
+extern Authctxt *the_authctxt;
+extern int inetd_flag;
+
+/* Send audit message */
+static int
+sshd_selinux_send_audit_message(int success, security_context_t default_context,
+ security_context_t selected_context)
+{
+ int rc=0;
+#ifdef HAVE_LINUX_AUDIT
+ char *msg = NULL;
+ int audit_fd = audit_open();
+ security_context_t default_raw=NULL;
+ security_context_t selected_raw=NULL;
+ rc = -1;
+ if (audit_fd < 0) {
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return 0; /* No audit support in kernel */
+ error("Error connecting to audit system.");
+ return rc;
+ }
+ if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
+ error("Error translating default context.");
+ default_raw = NULL;
+ }
+ if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) {
+ error("Error translating selected context.");
+ selected_raw = NULL;
+ }
+ if (asprintf(&msg, "sshd: default-context=%s selected-context=%s",
+ default_raw ? default_raw : (default_context ? default_context: "?"),
+ selected_context ? selected_raw : (selected_context ? selected_context :"?")) < 0) {
+ error("Error allocating memory.");
+ goto out;
+ }
+ if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
+ msg, NULL, NULL, NULL, success) <= 0) {
+ error("Error sending audit message.");
+ goto out;
+ }
+ rc = 0;
+ out:
+ free(msg);
+ freecon(default_raw);
+ freecon(selected_raw);
+ close(audit_fd);
+#endif
+ return rc;
+}
+
+static int
+mls_range_allowed(security_context_t src, security_context_t dst)
+{
+ struct av_decision avd;
+ int retval;
+ access_vector_t bit;
+ security_class_t class;
+
+ debug_f("src:%s dst:%s", src, dst);
+ class = string_to_security_class("context");
+ if (!class) {
+ error("string_to_security_class failed to translate security class context");
+ return 1;
+ }
+ bit = string_to_av_perm(class, "contains");
+ if (!bit) {
+ error("string_to_av_perm failed to translate av perm contains");
+ return 1;
+ }
+ retval = security_compute_av(src, dst, class, bit, &avd);
+ if (retval || ((bit & avd.allowed) != bit))
+ return 0;
+
+ return 1;
+}
+
+static int
+get_user_context(const char *sename, const char *role, const char *lvl,
+ security_context_t *sc) {
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+ if (lvl == NULL || lvl[0] == '\0' || get_default_context_with_level(sename, lvl, NULL, sc) != 0) {
+ /* User may have requested a level completely outside of his
+ allowed range. We get a context just for auditing as the
+ range check below will certainly fail for default context. */
+#endif
+ if (get_default_context(sename, NULL, sc) != 0) {
+ *sc = NULL;
+ return -1;
+ }
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+ }
+#endif
+ if (role != NULL && role[0]) {
+ context_t con;
+ char *type=NULL;
+ if (get_default_type(role, &type) != 0) {
+ error("get_default_type: failed to get default type for '%s'",
+ role);
+ goto out;
+ }
+ con = context_new(*sc);
+ if (!con) {
+ goto out;
+ }
+ context_role_set(con, role);
+ context_type_set(con, type);
+ freecon(*sc);
+ *sc = strdup(context_str(con));
+ context_free(con);
+ if (!*sc)
+ return -1;
+ }
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+ if (lvl != NULL && lvl[0]) {
+ /* verify that the requested range is obtained */
+ context_t con;
+ security_context_t obtained_raw;
+ security_context_t requested_raw;
+ con = context_new(*sc);
+ if (!con) {
+ goto out;
+ }
+ context_range_set(con, lvl);
+ if (selinux_trans_to_raw_context(*sc, &obtained_raw) < 0) {
+ context_free(con);
+ goto out;
+ }
+ if (selinux_trans_to_raw_context(context_str(con), &requested_raw) < 0) {
+ freecon(obtained_raw);
+ context_free(con);
+ goto out;
+ }
+
+ debug("get_user_context: obtained context '%s' requested context '%s'",
+ obtained_raw, requested_raw);
+ if (strcmp(obtained_raw, requested_raw)) {
+ /* set the context to the real requested one but fail */
+ freecon(requested_raw);
+ freecon(obtained_raw);
+ freecon(*sc);
+ *sc = strdup(context_str(con));
+ context_free(con);
+ return -1;
+ }
+ freecon(requested_raw);
+ freecon(obtained_raw);
+ context_free(con);
+ }
+#endif
+ return 0;
+ out:
+ freecon(*sc);
+ *sc = NULL;
+ return -1;
+}
+
+static void
+ssh_selinux_get_role_level(char **role, const char **level)
+{
+ *role = NULL;
+ *level = NULL;
+ if (the_authctxt) {
+ if (the_authctxt->role != NULL) {
+ char *slash;
+ *role = xstrdup(the_authctxt->role);
+ if ((slash = strchr(*role, '/')) != NULL) {
+ *slash = '\0';
+ *level = slash + 1;
+ }
+ }
+ }
+}
+
+/* Return the default security context for the given username */
+static int
+sshd_selinux_getctxbyname(char *pwname,
+ security_context_t *default_sc, security_context_t *user_sc)
+{
+ char *sename, *lvl;
+ char *role;
+ const char *reqlvl;
+ int r = 0;
+ context_t con = NULL;
+
+ ssh_selinux_get_role_level(&role, &reqlvl);
+
+#ifdef HAVE_GETSEUSERBYNAME
+ if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
+ sename = NULL;
+ lvl = NULL;
+ }
+#else
+ sename = pwname;
+ lvl = "";
+#endif
+
+ if (r == 0) {
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+ r = get_default_context_with_level(sename, lvl, NULL, default_sc);
+#else
+ r = get_default_context(sename, NULL, default_sc);
+#endif
+ }
+
+ if (r == 0) {
+ /* If launched from xinetd, we must use current level */
+ if (inetd_flag) {
+ security_context_t sshdsc=NULL;
+
+ if (getcon_raw(&sshdsc) < 0)
+ fatal("failed to allocate security context");
+
+ if ((con=context_new(sshdsc)) == NULL)
+ fatal("failed to allocate selinux context");
+ reqlvl = context_range_get(con);
+ freecon(sshdsc);
+ if (reqlvl !=NULL && lvl != NULL && strcmp(reqlvl, lvl) == 0)
+ /* we actually don't change level */
+ reqlvl = "";
+
+ debug_f("current connection level '%s'", reqlvl);
+
+ }
+
+ if ((reqlvl != NULL && reqlvl[0]) || (role != NULL && role[0])) {
+ r = get_user_context(sename, role, reqlvl, user_sc);
+
+ if (r == 0 && reqlvl != NULL && reqlvl[0]) {
+ security_context_t default_level_sc = *default_sc;
+ if (role != NULL && role[0]) {
+ if (get_user_context(sename, role, lvl, &default_level_sc) < 0)
+ default_level_sc = *default_sc;
+ }
+ /* verify that the requested range is contained in the user range */
+ if (mls_range_allowed(default_level_sc, *user_sc)) {
+ logit("permit MLS level %s (user range %s)", reqlvl, lvl);
+ } else {
+ r = -1;
+ error("deny MLS level %s (user range %s)", reqlvl, lvl);
+ }
+ if (default_level_sc != *default_sc)
+ freecon(default_level_sc);
+ }
+ } else {
+ *user_sc = *default_sc;
+ }
+ }
+ if (r != 0) {
+ error_f("Failed to get default SELinux security "
+ "context for %s", pwname);
+ }
+
+#ifdef HAVE_GETSEUSERBYNAME
+ free(sename);
+ free(lvl);
+#endif
+
+ if (role != NULL)
+ free(role);
+ if (con)
+ context_free(con);
+
+ return (r);
+}
+
+/* Setup environment variables for pam_selinux */
+static int
+sshd_selinux_setup_pam_variables(void)
+{
+ const char *reqlvl;
+ char *role;
+ char *use_current;
+ int rv;
+
+ debug3_f("setting execution context");
+
+ ssh_selinux_get_role_level(&role, &reqlvl);
+
+ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
+
+ if (inetd_flag) {
+ use_current = "1";
+ } else {
+ use_current = "";
+ rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
+ }
+
+ rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
+
+ if (role != NULL)
+ free(role);
+
+ return rv;
+}
+
+/* Set the execution context to the default for the specified user */
+void
+sshd_selinux_setup_exec_context(char *pwname)
+{
+ security_context_t user_ctx = NULL;
+ int r = 0;
+ security_context_t default_ctx = NULL;
+
+ if (!ssh_selinux_enabled())
+ return;
+
+ if (options.use_pam) {
+ /* do not compute context, just setup environment for pam_selinux */
+ if (sshd_selinux_setup_pam_variables()) {
+ switch (security_getenforce()) {
+ case -1:
+ fatal_f("security_getenforce() failed");
+ case 0:
+ error_f("SELinux PAM variable setup failure. Continuing in permissive mode.");
+ break;
+ default:
+ fatal_f("SELinux PAM variable setup failure. Aborting connection.");
+ }
+ }
+ return;
+ }
+
+ debug3_f("setting execution context");
+
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
+ if (r >= 0) {
+ r = setexeccon(user_ctx);
+ if (r < 0) {
+ error_f("Failed to set SELinux execution context %s for %s",
+ user_ctx, pwname);
+ }
+#ifdef HAVE_SETKEYCREATECON
+ else if (setkeycreatecon(user_ctx) < 0) {
+ error_f("Failed to set SELinux keyring creation context %s for %s",
+ user_ctx, pwname);
+ }
+#endif
+ }
+ if (user_ctx == NULL) {
+ user_ctx = default_ctx;
+ }
+ if (r < 0 || user_ctx != default_ctx) {
+ /* audit just the case when user changed a role or there was
+ a failure */
+ sshd_selinux_send_audit_message(r >= 0, default_ctx, user_ctx);
+ }
+ if (r < 0) {
+ switch (security_getenforce()) {
+ case -1:
+ fatal_f("security_getenforce() failed");
+ case 0:
+ error_f("ELinux failure. Continuing in permissive mode.");
+ break;
+ default:
+ fatal_f("SELinux failure. Aborting connection.");
+ }
+ }
+ if (user_ctx != NULL && user_ctx != default_ctx)
+ freecon(user_ctx);
+ if (default_ctx != NULL)
+ freecon(default_ctx);
+
+ debug3_f("done");
+}
+
+#endif
+#endif
+
diff -up openssh/platform.c.role-mls openssh/platform.c
--- openssh/platform.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/platform.c 2018-08-22 11:14:56.819430949 +0200
@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(stru
}
#endif /* HAVE_SETPCRED */
#ifdef WITH_SELINUX
- ssh_selinux_setup_exec_context(pw->pw_name);
+ sshd_selinux_setup_exec_context(pw->pw_name);
#endif
}
diff -up openssh/sshd.c.role-mls openssh/sshd.c
--- openssh/sshd-session.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/sshd-session.c 2018-08-22 11:14:56.820430957 +0200
@@ -2186,6 +2186,9 @@ main(int ac, char **av)
restore_uid();
}
#endif
+#ifdef WITH_SELINUX
+ sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
+#endif
#ifdef USE_PAM
if (options.use_pam) {
do_pam_setcred();

View File

@ -0,0 +1,39 @@
commit 07ffb49749c310b82e44278ae05e081d6f4a82bf
Author: Hans Petter Jansson <hpj@cl.no>
Date: Fri Sep 27 01:57:16 2019 +0200
ssh-keygen: Preserve known_hosts permissions on rewrite
Transfer the permissions of the old known_hosts file instead of
just going with what mkstemp() gives us. This is useful in corner
cases where known_hosts is shared between users.
Index: openssh-8.8p1/ssh-keygen.c
===================================================================
--- openssh-8.8p1.orig/ssh-keygen.c
+++ openssh-8.8p1/ssh-keygen.c
@@ -1384,6 +1384,11 @@ do_known_hosts(struct passwd *pw, const
if (inplace)
unlink(tmp);
} else if (inplace) {
+ struct stat st;
+
+ /* Get metadata for existing file */
+ r = stat(identity_file, &st);
+
/* Backup existing file */
if (unlink(old) == -1 && errno != ENOENT)
fatal("unlink %.100s: %s", old, strerror(errno));
@@ -1398,6 +1403,12 @@ do_known_hosts(struct passwd *pw, const
unlink(old);
exit(1);
}
+ /* Preserve permissions; non-critical */
+ if (r != -1)
+ r = chown(identity_file, st.st_uid, st.st_gid);
+ if (r != -1)
+ chmod(identity_file,
+ st.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO));
printf("%s updated.\n", identity_file);
printf("Original contents retained as %s\n", old);

View File

@ -0,0 +1,76 @@
commit 101aa2f70c937abb428c9433c39ba0fd9a91fe6b
Author: Hans Petter Jansson <hpj@cl.no>
Date: Thu Jun 20 23:54:11 2019 +0200
Revert IPQoS DSCP AF21/CS1 from upstream due to bugs in other software
Reverts OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
Index: openssh-8.8p1/readconf.c
===================================================================
--- openssh-8.8p1.orig/readconf.c
+++ openssh-8.8p1/readconf.c
@@ -2679,9 +2679,9 @@ fill_default_options(Options * options)
if (options->visual_host_key == -1)
options->visual_host_key = 0;
if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1)
- options->ip_qos_bulk = IPTOS_DSCP_CS1;
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->request_tty == -1)
options->request_tty = REQUEST_TTY_AUTO;
if (options->session_type == -1)
Index: openssh-8.8p1/servconf.c
===================================================================
--- openssh-8.8p1.orig/servconf.c
+++ openssh-8.8p1/servconf.c
@@ -459,9 +459,9 @@ fill_default_server_options(ServerOption
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1)
- options->ip_qos_bulk = IPTOS_DSCP_CS1;
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->version_addendum == NULL)
options->version_addendum = xstrdup("");
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
Index: openssh-8.8p1/ssh_config.5
===================================================================
--- openssh-8.8p1.orig/ssh_config.5
+++ openssh-8.8p1/ssh_config.5
@@ -1182,11 +1182,9 @@ If one argument is specified, it is used
If two values are specified, the first is automatically selected for
interactive sessions and the second for non-interactive sessions.
The default is
-.Cm af21
-(Low-Latency Data)
+.Cm lowdelay
for interactive sessions and
-.Cm cs1
-(Lower Effort)
+.Cm throughput
for non-interactive sessions.
.It Cm KbdInteractiveAuthentication
Specifies whether to use keyboard-interactive authentication.
Index: openssh-8.8p1/sshd_config.5
===================================================================
--- openssh-8.8p1.orig/sshd_config.5
+++ openssh-8.8p1/sshd_config.5
@@ -903,11 +903,9 @@ If one argument is specified, it is used
If two values are specified, the first is automatically selected for
interactive sessions and the second for non-interactive sessions.
The default is
-.Cm af21
-(Low-Latency Data)
+.Cm lowdelay
for interactive sessions and
-.Cm cs1
-(Lower Effort)
+.Cm throughput
for non-interactive sessions.
.It Cm KbdInteractiveAuthentication
Specifies whether to allow keyboard-interactive authentication.

File diff suppressed because it is too large Load Diff

2312
openssh-8.1p1-audit.patch Normal file

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,74 @@
commit d281831d887044ede45d458c3dda74be9ae017e3
Author: Hans Petter Jansson <hpj@hpjansson.org>
Date: Fri Sep 25 23:26:58 2020 +0200
Use OpenSSL's FIPS approved RAND_bytes() to get randomness for Ed25519
diff --git a/ed25519.c b/ed25519.c
index 767ec24..5d506a9 100644
--- a/ed25519.c
+++ b/ed25519.c
@@ -9,6 +9,13 @@
#include "crypto_api.h"
+#ifdef WITH_OPENSSL
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#endif
+
+#include "log.h"
+
#define int8 crypto_int8
#define uint8 crypto_uint8
#define int16 crypto_int16
@@ -33,7 +40,15 @@ int crypto_sign_ed25519_keypair(
sc25519 scsk;
ge25519 gepk;
+#ifdef WITH_OPENSSL
+ /* Use FIPS approved RNG */
+ if (RAND_bytes(sk, 32) <= 0)
+ fatal("Couldn't obtain random bytes (error 0x%lx)",
+ (unsigned long)ERR_get_error());
+#else
randombytes(sk,32);
+#endif
+
crypto_hash_sha512(az,sk,32);
az[0] &= 248;
az[31] &= 127;
diff --git a/kexc25519.c b/kexc25519.c
index f13d766..2604eda 100644
--- a/kexc25519.c
+++ b/kexc25519.c
@@ -33,6 +33,13 @@
#include <string.h>
#include <signal.h>
+#ifdef WITH_OPENSSL
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#endif
+
+#include "log.h"
+
#include "sshkey.h"
#include "kex.h"
#include "sshbuf.h"
@@ -51,7 +58,15 @@ kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])
{
static const u_char basepoint[CURVE25519_SIZE] = {9};
+#ifdef WITH_OPENSSL
+ /* Use FIPS approved RNG */
+ if (RAND_bytes(key, CURVE25519_SIZE) <= 0)
+ fatal("Couldn't obtain random bytes (error 0x%lx)",
+ (unsigned long)ERR_get_error());
+#else
arc4random_buf(key, CURVE25519_SIZE);
+#endif
+
crypto_scalarmult_curve25519(pub, key, basepoint);
}

View File

@ -0,0 +1,25 @@
From b110cefdfbf5a20f49b774a55062d6ded2fb6e22 Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Tue, 7 Jan 2020 16:26:45 -0800
Subject: [PATCH] seccomp: Allow clock_gettime64() in sandbox.
This helps sshd accept connections on mips platforms with
upcoming glibc ( 2.31 )
---
sandbox-seccomp-filter.c | 3 +++
1 file changed, 3 insertions(+)
Index: openssh-8.8p1/sandbox-seccomp-filter.c
===================================================================
--- openssh-8.8p1.orig/sandbox-seccomp-filter.c
+++ openssh-8.8p1/sandbox-seccomp-filter.c
@@ -279,6 +279,9 @@ static const struct sock_filter preauth_
#ifdef __NR_clock_nanosleep_time64
SC_ALLOW(__NR_clock_nanosleep_time64),
#endif
+#ifdef __NR_clock_gettime64
+ SC_ALLOW(__NR_clock_gettime64),
+#endif
#ifdef __NR__newselect
SC_ALLOW(__NR__newselect),
#endif

View File

@ -0,0 +1,14 @@
Index: openssh-8.8p1/sandbox-seccomp-filter.c
===================================================================
--- openssh-8.8p1.orig/sandbox-seccomp-filter.c
+++ openssh-8.8p1/sandbox-seccomp-filter.c
@@ -273,6 +273,9 @@ static const struct sock_filter preauth_
#ifdef __NR_clock_gettime64
SC_ALLOW(__NR_clock_gettime64),
#endif
+#ifdef __NR_clock_nanosleep
+ SC_ALLOW(__NR_clock_nanosleep),
+#endif
#ifdef __NR__newselect
SC_ALLOW(__NR__newselect),
#endif

View File

@ -0,0 +1,24 @@
From 5af6fd5461bb709304e6979c8b7856c7af921c9e Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@dtucker.net>
Date: Mon, 16 Dec 2019 13:55:56 +1100
Subject: [PATCH] Allow clock_nanosleep_time64 in seccomp sandbox.
Needed on Linux ARM. bz#3100, patch from jjelen@redhat.com.
---
sandbox-seccomp-filter.c | 3 +++
1 file changed, 3 insertions(+)
Index: openssh-8.8p1/sandbox-seccomp-filter.c
===================================================================
--- openssh-8.8p1.orig/sandbox-seccomp-filter.c
+++ openssh-8.8p1/sandbox-seccomp-filter.c
@@ -276,6 +276,9 @@ static const struct sock_filter preauth_
#ifdef __NR_clock_nanosleep
SC_ALLOW(__NR_clock_nanosleep),
#endif
+#ifdef __NR_clock_nanosleep_time64
+ SC_ALLOW(__NR_clock_nanosleep_time64),
+#endif
#ifdef __NR__newselect
SC_ALLOW(__NR__newselect),
#endif

View File

@ -0,0 +1,158 @@
Index: openssh-8.8p1/kex.c
===================================================================
--- openssh-8.8p1.orig/kex.c
+++ openssh-8.8p1/kex.c
@@ -40,6 +40,7 @@
#ifdef WITH_OPENSSL
#include <openssl/crypto.h>
#include <openssl/dh.h>
+#include <openssl/kdf.h>
#endif
#include "ssh.h"
@@ -1115,8 +1116,93 @@ kex_choose_conf(struct ssh *ssh)
return r;
}
+#ifdef WITH_OPENSSL
+
+static const EVP_MD *
+get_openssl_md_for_hash_alg (int hash_alg)
+{
+ if (hash_alg < 0 || hash_alg >= SSH_DIGEST_MAX)
+ return NULL;
+
+ switch (hash_alg)
+ {
+ case SSH_DIGEST_MD5:
+ return EVP_md5();
+ case SSH_DIGEST_SHA1:
+ return EVP_sha1();
+ case SSH_DIGEST_SHA256:
+ return EVP_sha256();
+ case SSH_DIGEST_SHA384:
+ return EVP_sha384();
+ case SSH_DIGEST_SHA512:
+ return EVP_sha512();
+ default:
+ break;
+ }
+
+ return NULL;
+}
+
static int
-derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
+derive_key_via_openssl(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
+ const struct sshbuf *shared_secret, u_char **keyp)
+{
+ struct kex *kex = ssh->kex;
+ EVP_KDF_CTX *hashctx = NULL;
+ const EVP_MD *md = NULL;
+ u_char *digest = NULL;
+ int r = SSH_ERR_LIBCRYPTO_ERROR;
+
+ hashctx = EVP_KDF_CTX_new_id (EVP_KDF_SSHKDF);
+ if (!hashctx)
+ goto out;
+
+ md = get_openssl_md_for_hash_alg (kex->hash_alg);
+ if (!md)
+ goto out;
+
+ if (EVP_KDF_ctrl (hashctx, EVP_KDF_CTRL_SET_MD,
+ md) != 1
+ || EVP_KDF_ctrl (hashctx, EVP_KDF_CTRL_SET_KEY,
+ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret)) != 1
+ || EVP_KDF_ctrl (hashctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE,
+ (int) id) != 1
+ || EVP_KDF_ctrl (hashctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
+ hash, (size_t) hashlen) != 1
+ || EVP_KDF_ctrl (hashctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
+ sshbuf_ptr(kex->session_id),
+ (size_t) sshbuf_len(kex->session_id)) != 1)
+ goto out;
+
+ digest = calloc (1, need);
+ if (!digest) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+
+ if (EVP_KDF_derive (hashctx, digest, need) != 1)
+ goto out;
+
+ *keyp = digest;
+ digest = NULL;
+ r = 0;
+
+ out:
+ if (hashctx)
+ EVP_KDF_CTX_free(hashctx);
+
+ if (digest)
+ free(digest);
+
+ return r;
+}
+
+#else
+# error This version of openssh must be built with openssl to benefit from FIPS certification.
+#endif
+
+static int
+derive_key_via_internal(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
const struct sshbuf *shared_secret, u_char **keyp)
{
struct kex *kex = ssh->kex;
@@ -1179,6 +1265,50 @@ derive_key(struct ssh *ssh, int id, u_in
return r;
}
+/* Belt and suspenders; we want the output from openssl because it's FIPS certified. However,
+ * if there's a bug in the implementation, we should not proceed. Minimize risk by requiring
+ * the implementations agree. */
+static int
+derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
+ const struct sshbuf *shared_secret, u_char **keyp)
+{
+#ifdef WITH_OPENSSL
+
+ u_char *buf_openssl = NULL, *buf_internal = NULL;
+ int r;
+
+ r = derive_key_via_openssl (ssh, id, need, hash, hashlen, shared_secret, &buf_openssl);
+ if (r != 0)
+ goto out;
+
+ r = derive_key_via_internal (ssh, id, need, hash, hashlen, shared_secret, &buf_internal);
+ if (r != 0)
+ goto out;
+
+ if (memcmp (buf_openssl, buf_internal, need))
+ {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+
+ *keyp = buf_openssl;
+ buf_openssl = NULL;
+
+ out:
+ if (buf_openssl)
+ free (buf_openssl);
+ if (buf_internal)
+ free (buf_internal);
+
+ return r;
+
+#else
+
+ return derive_key_via_internal (ssh, id, need, hash, hashlen, shared_secret, keyp);
+
+#endif
+}
+
#define NKEYS 6
int
kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,

View File

@ -0,0 +1,13 @@
diff -u openssh-8.4p1.orig/sshd_config openssh-8.4p1/sshd_config
--- openssh-8.4p1.orig/sshd_config 2020-09-27 09:25:01.000000000 +0200
+++ openssh-8.4p1/sshd_config 2021-05-18 19:15:39.190701511 +0200
@@ -88,8 +88,7 @@
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
-#PrintMotd yes
-#PrintLastLog yes
+PrintMotd no
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed

View File

@ -0,0 +1,40 @@
Index: openssh-8.9p1/ssh_config
===================================================================
--- openssh-8.9p1.orig/ssh_config
+++ openssh-8.9p1/ssh_config
@@ -17,6 +17,13 @@
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
+# To modify the system-wide ssh configuration, create a "*.conf" file under
+# "/etc/ssh/ssh_config.d/" which will be automatically included below.
+# Don't edit this configuration file itself if possible to avoid update
+# problems.
+Include /etc/ssh/ssh_config.d/*.conf
+Include /usr/etc/ssh/ssh_config.d/*.conf
+
Host *
# ForwardAgent no
# ForwardX11 no
Index: openssh-8.9p1/sshd_config
===================================================================
--- openssh-8.9p1.orig/sshd_config
+++ openssh-8.9p1/sshd_config
@@ -5,10 +5,17 @@
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+# To modify the system-wide sshd configuration, create a "*.conf" file under
+# "/etc/ssh/sshd_config.d/" which will be automatically included below.
+# Don't edit this configuration file itself if possible to avoid update
+# problems.
+Include /etc/ssh/sshd_config.d/*.conf
+
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
+Include /usr/etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any

View File

@ -0,0 +1,202 @@
Gemeinsame Unterverzeichnisse: openssh-8.4p1/contrib und openssh-8.4p1-vendor/contrib.
Index: openssh-8.9p1/dh.c
===================================================================
--- openssh-8.9p1.orig/dh.c
+++ openssh-8.9p1/dh.c
@@ -54,7 +54,17 @@ void dh_set_moduli_file(const char *file
static const char * get_moduli_filename(void)
{
- return moduli_filename ? moduli_filename : _PATH_DH_MODULI;
+ struct stat st;
+
+ if (moduli_filename)
+ return moduli_filename;
+
+ if (stat(_PATH_VENDOR_DH_MODULI, &st) == 0 &&
+ stat(_PATH_DH_MODULI, &st) == -1) {
+ return _PATH_VENDOR_DH_MODULI;
+ }
+
+ return _PATH_DH_MODULI;
}
static int
Index: openssh-8.9p1/pathnames.h
===================================================================
--- openssh-8.9p1.orig/pathnames.h
+++ openssh-8.9p1/pathnames.h
@@ -18,6 +18,8 @@
#define SSHDIR ETCDIR "/ssh"
#endif
+#define VENDORDIR "/usr/etc/ssh"
+
#ifndef _PATH_SSH_PIDDIR
#define _PATH_SSH_PIDDIR "/var/run"
#endif
@@ -35,13 +37,17 @@
* should be world-readable.
*/
#define _PATH_SERVER_CONFIG_FILE SSHDIR "/sshd_config"
+#define _PATH_SERVER_VENDOR_CONFIG_FILE VENDORDIR "/sshd_config"
#define _PATH_HOST_CONFIG_FILE SSHDIR "/ssh_config"
+#define _PATH_HOST_VENDOR_CONFIG_FILE VENDORDIR "/ssh_config"
#define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key"
#define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key"
#define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key"
#define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key"
#define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
#define _PATH_DH_MODULI SSHDIR "/moduli"
+#define _PATH_VENDOR_DH_MODULI VENDORDIR "/moduli"
+
#ifndef _PATH_SSH_PROGRAM
#define _PATH_SSH_PROGRAM "/usr/bin/ssh"
Index: openssh-8.9p1/ssh.c
===================================================================
--- openssh-8.9p1.orig/ssh.c
+++ openssh-8.9p1/ssh.c
@@ -549,6 +549,7 @@ static void
process_config_files(const char *host_name, struct passwd *pw, int final_pass,
int *want_final_pass)
{
+ struct stat st;
char buf[PATH_MAX];
int r;
@@ -567,10 +568,23 @@ process_config_files(const char *host_na
&options, SSHCONF_CHECKPERM | SSHCONF_USERCONF |
(final_pass ? SSHCONF_FINAL : 0), want_final_pass);
- /* Read systemwide configuration file after user config. */
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
- host, host_name, &options,
- final_pass ? SSHCONF_FINAL : 0, want_final_pass);
+ /* If only the vendor configuration file exists, use that.
+ * Else use the standard configuration file.
+ */
+ if (stat(_PATH_HOST_VENDOR_CONFIG_FILE, &st) == 0 &&
+ stat(_PATH_HOST_CONFIG_FILE, &st) == -1) {
+ /* Read vendor distributed configuration file. */
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE,
+ pw, host, host_name, &options,
+ final_pass ? SSHCONF_FINAL : 0,
+ want_final_pass);
+ } else {
+ /* Read systemwide configuration file after user config. */
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
+ host, host_name, &options,
+ final_pass ? SSHCONF_FINAL : 0,
+ want_final_pass);
+ }
}
}
Index: openssh-8.9p1/ssh_config.5
===================================================================
--- openssh-8.9p1.orig/ssh_config.5
+++ openssh-8.9p1/ssh_config.5
@@ -54,6 +54,9 @@ user's configuration file
.It
system-wide configuration file
.Pq Pa /etc/ssh/ssh_config
+.It
+vendor configuration file
+.Pq Pa /usr/etc/ssh/ssh_config
.El
.Pp
Unless noted otherwise, for each parameter, the first obtained value
@@ -2220,6 +2223,11 @@ This file provides defaults for those
values that are not specified in the user's configuration file, and
for those users who do not have a configuration file.
This file must be world-readable.
+.It Pa /usr/etc/ssh/ssh_config
+Vendor specific configuraiton file.
+This file provides the vendor defaults and is used as fallback if the
+.Ic /etc/ssh/ssh_config
+configuration file does not exist.
.El
.Sh SEE ALSO
.Xr ssh 1
Index: openssh-8.9p1/sshd.c
===================================================================
--- openssh-8.9p1.orig/sshd.c
+++ openssh-8.9p1/sshd.c
@@ -1201,7 +1201,8 @@ prepare_proctitle(int ac, char **av)
extern char *optarg;
extern int optind;
int log_stderr = 0, inetd_flag = 0, test_flag = 0, no_daemon_flag = 0;
- char *config_file_name = _PATH_SERVER_CONFIG_FILE;
+ char *config_file_name = NULL;
+ struct stat st;
int r, opt, do_dump_cfg = 0, keytype, already_daemon, have_agent = 0;
int sock_in = -1, sock_out = -1, newsock = -1, rexec_argc = 0;
int devnull, config_s[2] = { -1 , -1 }, have_connection_info = 0;
@@ -1806,7 +1807,21 @@ main(int ac, char **av)
/* Fetch our configuration */
if ((cfg = sshbuf_new()) == NULL)
fatal("sshbuf_new config failed");
+ if (config_file_name == NULL) {
+ /* If only the vendor configuration file exists, use that.
+ * Else use the standard configuration file.
+ */
+ if (stat(_PATH_SERVER_VENDOR_CONFIG_FILE, &st) == 0 &&
+ stat(_PATH_SERVER_CONFIG_FILE, &st) == -1) {
+ /* fill with global distributor settings */
+ config_file_name = _PATH_SERVER_VENDOR_CONFIG_FILE;
+ } else {
+ /* load global admin settings */
+ config_file_name = _PATH_SERVER_CONFIG_FILE;
+ }
+ load_server_config(config_file_name, cfg);
- if (strcasecmp(config_file_name, "none") != 0)
+ } else if (strcasecmp(config_file_name, "none") != 0)
+ /* load config specified on commandline */
load_server_config(config_file_name, cfg);
parse_server_config(&options, config_file_name, cfg,
Index: openssh-8.9p1/sshd_config.5
===================================================================
--- openssh-8.9p1.orig/sshd_config.5
+++ openssh-8.9p1/sshd_config.5
@@ -44,7 +44,9 @@
.Xr sshd 8
reads configuration data from
.Pa /etc/ssh/sshd_config
-(or the file specified with
+(
+.Pa /usr/etc/ssh/sshd_config
+if the file does not exist or the file specified with
.Fl f
on the command line).
The file contains keyword-argument pairs, one per line.
Index: openssh-8.9p1/ssh-keysign.c
===================================================================
--- openssh-8.9p1.orig/ssh-keysign.c
+++ openssh-8.9p1/ssh-keysign.c
@@ -186,6 +186,7 @@ main(int argc, char **argv)
u_char *signature, *data, rver;
char *host, *fp, *pkalg;
size_t slen, dlen;
+ struct stat st;
if (pledge("stdio rpath getpw dns id", NULL) != 0)
fatal("%s: pledge: %s", __progname, strerror(errno));
@@ -219,8 +220,14 @@ main(int argc, char **argv)
/* verify that ssh-keysign is enabled by the admin */
initialize_options(&options);
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
- &options, 0, NULL);
+
+ if (stat(_PATH_HOST_CONFIG_FILE, &st) == 0)
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
+ &options, 0, NULL);
+ else
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE, pw, "", "",
+ &options, 0, NULL);
+
(void)fill_default_options(&options);
if (options.enable_ssh_keysign != 1)
fatal("ssh-keysign not enabled in %s",

View File

@ -0,0 +1,659 @@
Index: openssh-9.6p1/ssh_config.5
===================================================================
--- openssh-9.6p1.orig/ssh_config.5
+++ openssh-9.6p1/ssh_config.5
@@ -403,17 +403,14 @@ A single argument of
causes no CNAMEs to be considered for canonicalization.
This is the default behaviour.
.It Cm CASignatureAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies which algorithms are allowed for signing of certificates
by certificate authorities (CAs).
-The default is:
-.Bd -literal -offset indent
-ssh-ed25519,ecdsa-sha2-nistp256,
-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed
-.Pp
If the specified list begins with a
.Sq +
character, then the specified algorithms will be appended to the default set
@@ -542,20 +539,26 @@ If the option is set to
(the default),
the check will not be executed.
.It Cm Ciphers
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the ciphers allowed and their order of preference.
Multiple ciphers must be comma-separated.
If the specified list begins with a
.Sq +
-character, then the specified ciphers will be appended to the default set
-instead of replacing them.
+character, then the specified ciphers will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified ciphers (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified ciphers will be placed at the head of the
-default set.
+built-in openssh default set.
.Pp
The supported ciphers are:
.Bd -literal -offset indent
@@ -571,13 +574,6 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
.Ed
.Pp
-The default is:
-.Bd -literal -offset indent
-chacha20-poly1305@openssh.com,
-aes128-ctr,aes192-ctr,aes256-ctr,
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
-.Ed
-.Pp
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
.It Cm ClearAllForwardings
@@ -979,6 +975,12 @@ command line will be passed untouched to
The default is
.Dq no .
.It Cm GSSAPIKexAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
The list of key exchange algorithms that are offered for GSSAPI
key exchange. Possible values are
.Bd -literal -offset 3n
@@ -991,10 +993,8 @@ gss-nistp256-sha256-,
gss-curve25519-sha256-
.Ed
.Pp
-The default is
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
This option only applies to connections using GSSAPI.
+.Pp
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
@@ -1012,36 +1013,26 @@ will not be converted automatically,
but may be manually hashed using
.Xr ssh-keygen 1 .
.It Cm HostbasedAcceptedAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the signature algorithms that will be used for hostbased
authentication as a comma-separated list of patterns.
Alternately if the specified list begins with a
.Sq +
character, then the specified signature algorithms will be appended
-to the default set instead of replacing them.
+to the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified signature algorithms (including wildcards)
-will be removed from the default set instead of replacing them.
+will be removed from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified signature algorithms will be placed
-at the head of the default set.
-The default for this option is:
-.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com,
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed
+at the head of the built-in openssh default set.
.Pp
The
.Fl Q
@@ -1094,6 +1085,17 @@ to prefer their algorithms.
.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostKeyAlgorithms .
+.Pp
+The proposed
+.Cm HostKeyAlgorithms
+during KEX are limited to the set of algorithms that is defined in
+.Cm PubkeyAcceptedAlgorithms
+and therefore they are indirectly affected by system-wide
+.Xr crypto_policies 7 .
+.Xr crypto_policies 7 can not handle the list of host key algorithms directly
+as doing so would break the order given by the
+.Pa known_hosts
+file.
.It Cm HostKeyAlias
Specifies an alias that should be used instead of the
real host name when looking up or saving the host key
@@ -1311,36 +1313,30 @@ it may be zero or more of:
and
.Cm pam .
.It Cm KexAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the permitted KEX (Key Exchange) algorithms that will be used and
their preference order.
The selected algorithm will the the first algorithm in this list that
the server also supports.
Multiple algorithms must be comma-separated.
.Pp
If the specified list begins with a
.Sq +
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
+character, then the specified methods will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified algorithms will be placed at the head of the
-default set.
-.Pp
-The default is:
-.Bd -literal -offset indent
-sntrup761x25519-sha512@openssh.com,
-curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256,
-diffie-hellman-group16-sha512,
-diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256,
-diffie-hellman-group14-sha1
-.Ed
+built-in openssh default set.
.Pp
The list of supported key exchange algorithms may also be obtained using
.Qq ssh -Q kex .
@@ -1445,37 +1442,34 @@ function, and all code in the
file.
This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the MAC (message authentication code) algorithms
in order of preference.
The MAC algorithm is used for data integrity protection.
Multiple algorithms must be comma-separated.
If the specified list begins with a
.Sq +
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified algorithms will be placed at the head of the
-default set.
+built-in openssh default set.
.Pp
The algorithms that contain
.Qq -etm
calculate the MAC after encryption (encrypt-then-mac).
These are considered safer and their use recommended.
.Pp
-The default is:
-.Bd -literal -offset indent
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
-hmac-sha1-etm@openssh.com,
-umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
-.Ed
-.Pp
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
.It Cm NoHostAuthenticationForLocalhost
@@ -1666,39 +1660,32 @@ instead of continuing to execute and pas
The default is
.Cm no .
.It Cm PubkeyAcceptedAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the signature algorithms that will be used for public key
authentication as a comma-separated list of patterns.
If the specified list begins with a
.Sq +
-character, then the algorithms after it will be appended to the default
-instead of replacing it.
+character, then the algorithms after it will be appended to the built-in
+openssh default instead of replacing it.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified algorithms will be placed at the head of the
-default set.
-The default for this option is:
-.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com,
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed
+built-in openssh default set.
.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q PubkeyAcceptedAlgorithms .
+.Pp
+This option affects also
+.Cm HostKeyAlgorithms
.It Cm PubkeyAuthentication
Specifies whether to try public key authentication.
The argument to this keyword must be
@@ -2395,7 +2382,9 @@ This file provides the vendor defaults a
configuration file does not exist.
.El
.Sh SEE ALSO
-.Xr ssh 1
+.Xr ssh 1 ,
+.Xr crypto-policies 7 ,
+.Xr update-crypto-policies 8
.Sh AUTHORS
.An -nosplit
OpenSSH is a derivative of the original and free
Index: openssh-9.6p1/sshd_config.5
===================================================================
--- openssh-9.6p1.orig/sshd_config.5
+++ openssh-9.6p1/sshd_config.5
@@ -381,17 +381,14 @@ If the argument is
then no banner is displayed.
By default, no banner is displayed.
.It Cm CASignatureAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies which algorithms are allowed for signing of certificates
by certificate authorities (CAs).
-The default is:
-.Bd -literal -offset indent
-ssh-ed25519,ecdsa-sha2-nistp256,
-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed
-.Pp
If the specified list begins with a
.Sq +
character, then the specified algorithms will be appended to the default set
@@ -527,20 +524,26 @@ The default is
indicating not to
.Xr chroot 2 .
.It Cm Ciphers
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the ciphers allowed.
Multiple ciphers must be comma-separated.
If the specified list begins with a
.Sq +
-character, then the specified ciphers will be appended to the default set
-instead of replacing them.
+character, then the specified ciphers will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified ciphers (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified ciphers will be placed at the head of the
-default set.
+built-in openssh default set.
.Pp
The supported ciphers are:
.Pp
@@ -567,13 +570,6 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
.El
.Pp
-The default is:
-.Bd -literal -offset indent
-chacha20-poly1305@openssh.com,
-aes128-ctr,aes192-ctr,aes256-ctr,
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
-.Ed
-.Pp
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
.It Cm ClientAliveCountMax
@@ -764,53 +760,45 @@ For this to work
.Cm GSSAPIKeyExchange
needs to be enabled in the server and also used by the client.
.It Cm GSSAPIKexAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
The list of key exchange algorithms that are accepted by GSSAPI
key exchange. Possible values are
.Bd -literal -offset 3n
-gss-gex-sha1-,
-gss-group1-sha1-,
-gss-group14-sha1-,
-gss-group14-sha256-,
-gss-group16-sha512-,
-gss-nistp256-sha256-,
+gss-gex-sha1-
+gss-group1-sha1-
+gss-group14-sha1-
+gss-group14-sha256-
+gss-group16-sha512-
+gss-nistp256-sha256-
gss-curve25519-sha256-
.Ed
-.Pp
-The default is
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
This option only applies to connections using GSSAPI.
.It Cm HostbasedAcceptedAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the signature algorithms that will be accepted for hostbased
authentication as a list of comma-separated patterns.
Alternately if the specified list begins with a
.Sq +
character, then the specified signature algorithms will be appended to
-the default set instead of replacing them.
+the built-in openssh set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified signature algorithms (including wildcards)
-will be removed from the default set instead of replacing them.
+will be removed from the built-in openssh set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified signature algorithms will be placed at
-the head of the default set.
-The default for this option is:
-.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com,
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed
+the head of the built-in openssh default set.
.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostbasedAcceptedAlgorithms .
@@ -876,25 +865,15 @@ is specified, the location of the socket
.Ev SSH_AUTH_SOCK
environment variable.
.It Cm HostKeyAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the host key signature algorithms
that the server offers.
The default for this option is:
-.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com,
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed
-.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostKeyAlgorithms .
.It Cm IgnoreRhosts
@@ -1027,24 +1006,30 @@ file on logout.
The default is
.Cm yes .
.It Cm KexAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the permitted KEX (Key Exchange) algorithms that the server will
offer to clients.
The ordering of this list is not important, as the client specifies the
preference order.
Multiple algorithms must be comma-separated.
.Pp
If the specified list begins with a
.Sq +
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
+character, then the specified methods will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified algorithms will be placed at the head of the
-default set.
+built-in openssh default set.
.Pp
The supported algorithms are:
.Pp
@@ -1072,16 +1057,6 @@ ecdh-sha2-nistp521
sntrup761x25519-sha512@openssh.com
.El
.Pp
-The default is:
-.Bd -literal -offset indent
-sntrup761x25519-sha512@openssh.com,
-curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256,
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
-.Ed
-.Pp
The list of supported key exchange algorithms may also be obtained using
.Qq ssh -Q KexAlgorithms .
.It Cm ListenAddress
@@ -1167,21 +1142,27 @@ function, and all code in the
file.
This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the available MAC (message authentication code) algorithms.
The MAC algorithm is used for data integrity protection.
Multiple algorithms must be comma-separated.
If the specified list begins with a
.Sq +
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified algorithms will be placed at the head of the
-default set.
+built-in openssh default set.
.Pp
The algorithms that contain
.Qq -etm
@@ -1224,15 +1205,6 @@ umac-64-etm@openssh.com
umac-128-etm@openssh.com
.El
.Pp
-The default is:
-.Bd -literal -offset indent
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
-hmac-sha1-etm@openssh.com,
-umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
-.Ed
-.Pp
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
.It Cm Match
@@ -1614,36 +1586,26 @@ or equivalent.)
The default is
.Cm yes .
.It Cm PubkeyAcceptedAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the signature algorithms that will be accepted for public key
authentication as a list of comma-separated patterns.
Alternately if the specified list begins with a
.Sq +
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified algorithms will be placed at the head of the
-default set.
-The default for this option is:
-.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com,
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed
+built-in openssh default set.
.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q PubkeyAcceptedAlgorithms .
@@ -2122,7 +2084,9 @@ This file should be writable by root onl
.El
.Sh SEE ALSO
.Xr sftp-server 8 ,
-.Xr sshd 8
+.Xr sshd 8 ,
+.Xr crypto-policies 7 ,
+.Xr update-crypto-policies 8
.Sh AUTHORS
.An -nosplit
OpenSSH is a derivative of the original and free

View File

@ -0,0 +1,43 @@
Index: openssh-9.6p1/ssh_config
===================================================================
--- openssh-9.6p1.orig/ssh_config
+++ openssh-9.6p1/ssh_config
@@ -17,6 +17,12 @@
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
+# This system is following system-wide crypto policies.
+# To modify the crypto properties (Ciphers, MACs, ...), create a *.conf
+# file under /etc/ssh/ssh_config.d/ which will be automatically
+# included below. For more information, see the manual pages for
+# update-crypto-policies(8) and ssh_config(5).
+
# To modify the system-wide ssh configuration, create a "*.conf" file under
# "/etc/ssh/ssh_config.d/" which will be automatically included below.
# Don't edit this configuration file itself if possible to avoid update
Index: openssh-9.6p1/ssh_config_suse
===================================================================
--- /dev/null
+++ openssh-9.6p1/ssh_config_suse
@@ -0,0 +1,9 @@
+# The options here are in the "Match final block" to be applied as the last
+# options and could be potentially overwritten by the user configuration
+Match final all
+ # Follow system-wide Crypto Policy, if defined:
+ Include /etc/crypto-policies/back-ends/openssh.config
+
+# Uncomment this if you want to use .local domain
+# Host *.local
+
Index: openssh-9.6p1/sshd_config_suse_cp
===================================================================
--- /dev/null
+++ openssh-9.6p1/sshd_config_suse_cp
@@ -0,0 +1,7 @@
+# This system is following system-wide crypto policy. The changes to
+# crypto properties (Ciphers, MACs, ...) will not have any effect in
+# this or following included files. To override some configuration option,
+# write it before this block or include it before this file.
+# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
+Include /etc/crypto-policies/back-ends/opensshserver.config
+

BIN
openssh-9.6p1.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

16
openssh-9.6p1.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmWAXvAACgkQKj9BTnNg
YLrypA/6A1O8e80XnzVWIFhXkbv/biGL10Q5ZMvjQvND6mbkphNWZ4G4QOEh0nBG
rseD3Fce7me9pfeLYVhaNXO9R3OYAXxjbWfQwI7FpBU4QUCnbH53PG32B6ESq7pl
0vlDqdqI7aBAyMpp+8WFD+EvHWUVA77JtfU4MFw7myKJacrVrDUygDaZkJKOhqKf
N1Nurz4YppdQ5zIK1ElL0jlRJXm08flLFRg8fD5/5rwabpUbZIY9b5qZzGKgnR7I
sxUBlDkfLnvKIlKzUXbRvOHazvFAHYH1ltJZGlJUc/+H/ZaPigWf4IR+E1FB9c2O
zxaZhlbwGKyD+p7l08F9n8T21taxpBCW1Uxkx7MLTz8k9huPNpdX5l8VM4Gotmn8
I4V3Fevyx+M3XJYeKtkspa51h0GqF3gNFPLxW7ERGaIuqwoxuHxIEKwYE+JPmQag
UDma5LDrSrasa8Rw8g5urGE48PeDQ5muPy8Bi9eIGZU5JLqX6TNgz7QDDs/dQsHB
iny4wQOLmdIA78IGttiCo0rqikEvFtFDFR4mCUTC8K0nQKzWwGewO3gRTcHttzyU
xMalxw+wt9cUJ8gb1E9p7OeMUuXdaHMmem8/PcFCar/vKx1mdV/On6evnp3P8yQA
la8WnbcP0+zJg0GGwGszpFlOMjWCDB0kUTBCT+MR+IWbj/pVZVA=
=G9YA
-----END PGP SIGNATURE-----

3
openssh-9.8p1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3
size 1910393

16
openssh-9.8p1.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmaCMn0ACgkQKj9BTnNg
YLrjcBAAgO7xhKUXp8YxdqSZigDbcHu7T37bm1pRTKg2ihPepz+q6pV+DY8AHSRu
eyuOCOHYzjLyArFpiMX3z9iT2NqO+KNBvKQoh8loaxNrECmgRGk2jBEKiibFSP5M
i6CYkF3sET9xnVDkt4P6KievWXY1/Tl93qve3K2a/bvvgT8s2AaBMM8u4BMGNm3D
sc3A6euN0aiXRts2V6I885VyrQDMK++E7+eTHet0ex82KH4I+ceIOwB48hny4wpb
Zaqy9pTFisTmFNOF6d3TB58yMWoLQIbLuVrbbbcr7hFYCWsgj0yN5iYQNOR9pU4E
ooF+aC0kK9M4iUXthzjjgIjnMzsCmPeKisbwblsPSfSgccj/pCMzW8C3CMVL6AvG
slSSLK42qm3f38kx3sg2S8LDW0v+hoyvBmKNFMiBwsF2tWCXIG+oP1PDYpJUpaOJ
RFHG7JEPtY94UJGdo5C4YhqDWr3HOqEwuVIt1gWMMPs9IvDkDRo6emmDd64FFAKH
ss3hHixu6OHqU5iw6JIVVtYiur6s9m6N/Xxt5Ho6wuqnzUZ+Dwj3L6lF9IOJbJxU
Ufb70I1Uko9kXcoje9ONUsqr88wfQY+JZxxVTlzDUDadytCzmO3wXsz+cosMQ5Rw
aOZwXYyvmcoZuUQG8GIqRO1wfOcD7o7pI6IyVJQjOeG/rA0eu/4=
=Gj2n
-----END PGP SIGNATURE-----

View File

@ -0,0 +1,341 @@
-------------------------------------------------------------------
Thu Aug 1 09:17:11 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
- Update to openssh 9.8p1:
* No changes for askpass, see main package changelog for
details.
-------------------------------------------------------------------
Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
- Update to openssh 9.6p1:
* No changes for askpass, see main package changelog for
details.
-------------------------------------------------------------------
Fri Jul 21 05:13:56 UTC 2023 - Simon Lees <sflees@suse.de>
- Update to openssh 9.3p2
* No changes for askpass, see main package changelog for
details
-------------------------------------------------------------------
Sun May 28 09:16:44 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>
- openssh-askpass-gnome: require only openssh-clients, not the full
openssh (including -server), to avoid pulling in excessive
dependencies when installing git on Gnome (boo#1211446)
-------------------------------------------------------------------
Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa <alarrosa@suse.com>
- Update to openssh 9.3p1
* No changes for askpass, see main package changelog for
details
-------------------------------------------------------------------
Tue Sep 28 19:05:15 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
- Version upgrade to 8.8p1
* No changes for askpass, see main package changelog for
details
-------------------------------------------------------------------
Thu Sep 17 20:41:39 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
- Upgrade some old specfile constructs/macros.
-------------------------------------------------------------------
Thu Sep 10 22:44:00 UTC 2020 - Hans Petter Jansson <hpj@suse.com>
- Supplement openssh-clients instead of openssh (bsc#1176434).
-------------------------------------------------------------------
Thu Jul 18 14:07:56 UTC 2019 - Fabian Vogt <fvogt@suse.com>
- Supplement libgtk-3-0 instead to avoid installation on a textmode install
(boo#1142000)
-------------------------------------------------------------------
Thu Feb 14 10:36:03 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com>
- Supplement the openssh and libx11 together to ensure this package
is installed on machines where there is X stack
-------------------------------------------------------------------
Mon Oct 22 08:59:02 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Version update to 7.9p1
* No actual changes for the askpass
* See main package changelog for details
-------------------------------------------------------------------
Tue Oct 9 10:52:15 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
- Update to 7.8p1:
* no actual changes for the askpass
- Format with spec-cleaner
- Respect cflags
- Use gtk3 rather than gtk2 which is being phased out
-------------------------------------------------------------------
Mon May 21 15:19:03 UTC 2018 - pcerny@suse.com
- Upgrade to 7.7p1 (bsc#1094068)
-------------------------------------------------------------------
Wed Jan 31 22:54:55 UTC 2018 - pcerny@suse.com
- .spec file cleanup
-------------------------------------------------------------------
Fri Nov 3 12:27:18 UTC 2017 - pcerny@suse.com
- upgrade to 7.6p1
see main package changelog for details
-------------------------------------------------------------------
Mon Jul 25 13:45:53 UTC 2016 - meissner@suse.com
- fixed url
-------------------------------------------------------------------
Sun Apr 17 23:27:51 UTC 2016 - pcerny@suse.com
- upgrade to 7.2p2
-------------------------------------------------------------------
Tue Feb 10 13:28:56 UTC 2015 - pcerny@suse.com
- changing license to 2-clause BSD to match source
-------------------------------------------------------------------
Fri Apr 11 21:50:51 UTC 2014 - pcerny@suse.com
- Update of the underlying OpenSSH to 6.6p1
-------------------------------------------------------------------
Wed Feb 12 01:24:16 UTC 2014 - pcerny@suse.com
- Update of the underlying OpenSSH to 6.5p1
-------------------------------------------------------------------
Fri Jan 24 15:13:09 UTC 2014 - pcerny@suse.com
- Update of the underlying OpenSSH to 6.4p1
-------------------------------------------------------------------
Thu Sep 19 02:02:56 UTC 2013 - pcerny@suse.com
- spec file cleanup (don't pointelssly build whole OpenSSH)
-------------------------------------------------------------------
Sat Aug 3 18:12:20 UTC 2013 - crrodriguez@opensuse.org
- Update for 6.2p2
-------------------------------------------------------------------
Tue Nov 13 10:51:12 UTC 2012 - meissner@suse.com
- Updated to 6.1p1, a bugfix release
Features:
* sshd(8): This release turns on pre-auth sandboxing sshd by default for
new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
* ssh-keygen(1): Add options to specify starting line number and number of
lines to process when screening moduli candidates, allowing processing
of different parts of a candidate moduli file in parallel
* sshd(8): The Match directive now supports matching on the local (listen)
address and port upon which the incoming connection was received via
LocalAddress and LocalPort clauses.
* sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv
and {Allow,Deny}{Users,Groups}
* Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978
* ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8
* sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as
an argument to refuse all port-forwarding requests.
* sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile
* ssh-keyscan(1): Look for ECDSA keys by default. bz#1971
* sshd(8): Add "VersionAddendum" to sshd_config to allow server operators
to append some arbitrary text to the server SSH protocol banner.
Bugfixes:
* ssh(1)/sshd(8): Don't spin in accept() in situations of file
descriptor exhaustion. Instead back off for a while.
* ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as
they were removed from the specification. bz#2023,
* sshd(8): Handle long comments in config files better. bz#2025
* ssh(1): Delay setting tty_flag so RequestTTY options are correctly
picked up. bz#1995
* sshd(8): Fix handling of /etc/nologin incorrectly being applied to root
on platforms that use login_cap.
Portable OpenSSH:
* sshd(8): Allow sshd pre-auth sandboxing to fall-back to the rlimit
sandbox from the Linux SECCOMP filter sandbox when the latter is
not available in the kernel.
* ssh(1): Fix NULL dereference when built with LDNS and using DNSSEC to
retrieve a CNAME SSHFP record.
* Fix cross-compilation problems related to pkg-config. bz#1996
-------------------------------------------------------------------
Wed Jun 27 09:51:19 UTC 2012 - coolo@suse.com
- the gnome askpass does not require the x11 askpass - especially not
in the version of openssh (it's at 1.X)
-------------------------------------------------------------------
Tue May 29 07:14:53 UTC 2012 - meissner@suse.com
- use correct tarball url
- update to 6.0p1.
-------------------------------------------------------------------
Wed Mar 28 11:42:32 UTC 2012 - aj@suse.de
- Add build require on autoconf and automake.
-------------------------------------------------------------------
Wed Dec 21 10:31:42 UTC 2011 - coolo@suse.com
- remove call to suse_update_config (very old work around)
-------------------------------------------------------------------
Wed Oct 19 00:40:15 UTC 2011 - pcerny@suse.com
- Update to 5.9p1
-------------------------------------------------------------------
Fri Feb 4 11:19:14 UTC 2011 - lchiquitto@novell.com
- Update to 5.8p1
-------------------------------------------------------------------
Mon Jan 24 11:51:10 UTC 2011 - lchiquitto@novell.com
- Update to 5.7p1
-------------------------------------------------------------------
Wed Jan 12 13:37:38 CET 2011 - sbrabec@suse.cz
- Removed relics of no more implemented opensc support.
-------------------------------------------------------------------
Tue Aug 24 15:50:17 CEST 2010 - anicka@suse.cz
- update to 5.6p1
-------------------------------------------------------------------
Fri Mar 26 11:04:59 CET 2010 - anicka@suse.cz
- update to 5.4p1
- remove -pam-fix4.diff (in upstream now)
-------------------------------------------------------------------
Mon Feb 23 17:27:22 CET 2009 - anicka@suse.cz
- update to 5.2p1
-------------------------------------------------------------------
Wed Apr 9 14:35:42 CEST 2008 - anicka@suse.cz
- update to 5.0p1
-------------------------------------------------------------------
Wed Apr 2 15:06:01 CEST 2008 - anicka@suse.cz
- update to 4.9p1
-------------------------------------------------------------------
Wed Dec 5 10:56:07 CET 2007 - anicka@suse.cz
- - update to 4.7p1
* Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
GSSAPIDelegateCredentials=yes. This is symmetric with -k
* make scp try to skip FIFOs rather than blocking when nothing is
listening.
* increase default channel windows
* put the MAC list into a display
* many bugfixes
-------------------------------------------------------------------
Tue Dec 12 14:44:41 CET 2006 - anicka@suse.cz
- update to 4.5p1
* Use privsep_pw if we have it, but only require it if we
absolutely need it.
* Correctly check for bad signatures in the monitor, otherwise
the monitor and the unpriv process can get out of sync.
* Clear errno before calling the strtol functions.
* exit instead of doing a blocking tcp send if we detect
a client/server timeout, since the tcp sendqueue might
be already full (of alive requests)
* include signal.h, errno.h, sys/in.h
* some more bugfixes
-------------------------------------------------------------------
Wed Oct 4 12:56:40 CEST 2006 - postadal@suse.cz
- updated to version 4.4p1 [#208662]
* fixed pre-authentication DoS, that would cause sshd(8) to spin
until the login grace time expired
* fixed unsafe signal hander, which was vulnerable to a race condition
that could be exploited to perform a pre-authentication DoS
* fixed a GSSAPI authentication abort that could be used to determine
the validity of usernames on some platforms
* implemented conditional configuration in sshd_config(5) using the
"Match" directive
* added support for Diffie-Hellman group exchange key agreement with a
final hash of SHA256
* added a "ForceCommand", "PermitOpen" directive to sshd_config(5)
* added optional logging of transactions to sftp-server(8)
* ssh(1) will now record port numbers for hosts stored in
~/.ssh/authorized_keys when a non-standard port has been requested
* added an "ExitOnForwardFailure" option to cause ssh(1) to exit (with
a non-zero exit code) when requested port forwardings could not be
established
* extended sshd_config(5) "SubSystem" declarations to allow the
specification of command-line arguments
- removed obsoleted patches: autoconf-fix.patch
-------------------------------------------------------------------
Tue Jul 25 13:40:10 CEST 2006 - schwab@suse.de
- Fix syntax error in configure script.
-------------------------------------------------------------------
Wed Jan 25 21:39:06 CET 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
-------------------------------------------------------------------
Tue Jan 3 15:54:49 CET 2006 - postadal@suse.cz
- updated to version 4.2p1
- removed obsoleted patches: upstream_fixes.diff, gssapi-secfix.patch
-------------------------------------------------------------------
Thu Sep 8 16:20:06 CEST 2005 - postadal@suse.cz
- don't strip
-------------------------------------------------------------------
Thu Aug 4 11:30:18 CEST 2005 - uli@suse.de
- parallelize build
-------------------------------------------------------------------
Fri Jun 10 16:24:22 CEST 2005 - postadal@suse.cz
- updated to version 4.1p1
- removed obsoleted patches: restore_terminal, pam-returnfromsession,
timing-attacks-fix, krb5ccname, gssapi-pam, logdenysource,
sendenv-fix, documentation-fix
-------------------------------------------------------------------
Wed Jan 19 18:25:29 CET 2005 - postadal@suse.cz
- renamed askpass-gnome package to openssh-askpass-gnome
-------------------------------------------------------------------
Wed Jan 19 15:58:07 CET 2005 - postadal@suse.cz
- splited spec file to decreas number of build dependencies

View File

@ -0,0 +1,66 @@
#
# spec file for package openssh-askpass-gnome
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define _name openssh
Name: openssh-askpass-gnome
Version: 9.8p1
Release: 0
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
License: BSD-2-Clause
Group: Productivity/Networking/SSH
URL: https://www.openssh.com/
Source: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
Source42: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
Requires: %{_name}-clients = %{version}
Supplements: packageand(openssh-clients:libgtk-3-0)
%if 0%{?suse_version} >= 1550
BuildRequires: gtk3-devel
%else
BuildRequires: gtk2-devel
%endif
%description
SSH (Secure Shell) is a program for logging into a remote machine and
for executing commands on a remote machine. This package contains a
GNOME-based passphrase dialog for OpenSSH.
%prep
%autosetup -p1 -n %{_name}-%{version}
%build
cd contrib
export CFLAGS="%{optflags}"
%if 0%{?suse_version} >= 1550
%make_build gnome-ssh-askpass3
%else
%make_build gnome-ssh-askpass2
%endif
%install
install -d -m 755 %{buildroot}%{_libexecdir}/ssh/
%if 0%{?suse_version} >= 1550
install contrib/gnome-ssh-askpass3 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass
%else
install contrib/gnome-ssh-askpass2 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass
%endif
%files
%dir %{_libexecdir}/ssh
%attr(0755,root,root) %{_libexecdir}/ssh/gnome-ssh-askpass
%changelog

View File

@ -0,0 +1,19 @@
--- openssh-8.4p1.orig/auth-pam.c 2020-09-27 09:25:01.000000000 +0200
+++ openssh-8.4p1/auth-pam.c 2022-03-04 13:02:23.447712697 +0100
@@ -638,10 +638,12 @@
switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
case PAM_ERROR_MSG:
case PAM_TEXT_INFO:
- if ((r = sshbuf_putf(loginmsg, "%s\n",
- PAM_MSG_MEMBER(msg, i, msg))) != 0)
- fatal("%s: buffer error: %s",
- __func__, ssh_err(r));
+ if (strlen(PAM_MSG_MEMBER(msg, i, msg)) != 0) {
+ if ((r = sshbuf_putf(loginmsg, "%s\n",
+ PAM_MSG_MEMBER(msg, i, msg))) != 0)
+ fatal("%s: buffer error: %s",
+ __func__, ssh_err(r));
+ }
reply[i].resp_retcode = PAM_SUCCESS;
break;
default:

View File

@ -0,0 +1,78 @@
commit 15c95d6eb2e8bc549719578c9a16541015363360
Author: Hans Petter Jansson <hpj@hpjansson.org>
Date: Mon Oct 26 22:26:46 2020 +0100
Ensure DHGs are approved in FIPS mode using OpenSSL's DH_check_params()
Index: openssh-8.8p1/dh.c
===================================================================
--- openssh-8.8p1.orig/dh.c
+++ openssh-8.8p1/dh.c
@@ -155,6 +155,28 @@ parse_prime(int linenum, char *line, str
return 0;
}
+static int
+dhg_is_approved(const struct dhgroup *dhg)
+{
+ BIGNUM *g, *p;
+ DH *dh;
+ int dh_status;
+ int is_ok = 0;
+
+ /* DH_set0_pqg() transfers ownership of the bignums, so we
+ * make temporary copies here for simplicity. */
+ g = BN_dup(dhg->g);
+ p = BN_dup(dhg->p);
+ dh = dh_new_group(g, p);
+
+ if (dh) {
+ is_ok = DH_check_params(dh, &dh_status);
+ }
+
+ DH_free(dh);
+ return is_ok;
+}
+
DH *
choose_dh(int min, int wantbits, int max)
{
@@ -173,12 +195,20 @@ choose_dh(int min, int wantbits, int max
linenum = 0;
best = bestcount = 0;
while (getline(&line, &linesize, f) != -1) {
+ int dhg_is_ok;
+
linenum++;
if (!parse_prime(linenum, line, &dhg))
continue;
+
+ dhg_is_ok = dhg_is_approved(&dhg);
+
BN_clear_free(dhg.g);
BN_clear_free(dhg.p);
+ if (!dhg_is_ok)
+ continue;
+
if (dhg.size > max || dhg.size < min)
continue;
@@ -206,10 +236,16 @@ choose_dh(int min, int wantbits, int max
linenum = 0;
bestcount = 0;
while (getline(&line, &linesize, f) != -1) {
+ int dhg_is_ok;
+
linenum++;
if (!parse_prime(linenum, line, &dhg))
continue;
- if ((dhg.size > max || dhg.size < min) ||
+
+ dhg_is_ok = dhg_is_approved(&dhg);
+
+ if (!dhg_is_ok ||
+ (dhg.size > max || dhg.size < min) ||
dhg.size != best ||
bestcount++ != which) {
BN_clear_free(dhg.g);

View File

@ -0,0 +1,15 @@
Index: openssh-8.8p1/Makefile.in
===================================================================
--- openssh-8.8p1.orig/Makefile.in
+++ openssh-8.8p1/Makefile.in
@@ -252,8 +252,8 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libss
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
- $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o $(SFTPSERVER_OBJS)
+ $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)

View File

@ -0,0 +1,344 @@
Index: openssh-9.3p2/kex.c
===================================================================
--- openssh-9.3p2.orig/kex.c
+++ openssh-9.3p2/kex.c
@@ -1564,16 +1564,16 @@ enc_destroy(struct sshenc *enc)
return;
if (enc->key) {
- memset(enc->key, 0, enc->key_len);
+ explicit_bzero(enc->key, enc->key_len);
free(enc->key);
}
if (enc->iv) {
- memset(enc->iv, 0, enc->iv_len);
+ explicit_bzero(enc->iv, enc->iv_len);
free(enc->iv);
}
- memset(enc, 0, sizeof(*enc));
+ explicit_bzero(enc, sizeof(*enc));
}
void
@@ -1584,7 +1584,7 @@ newkeys_destroy(struct newkeys *newkeys)
enc_destroy(&newkeys->enc);
mac_destroy(&newkeys->mac);
- memset(&newkeys->comp, 0, sizeof(newkeys->comp));
+ explicit_bzero(&newkeys->comp, sizeof(newkeys->comp));
}
/*
Index: openssh-9.3p2/mac.c
===================================================================
--- openssh-9.3p2.orig/mac.c
+++ openssh-9.3p2/mac.c
@@ -284,11 +284,11 @@ mac_destroy(struct sshmac *mac)
return;
if (mac->key) {
- memset(mac->key, 0, mac->key_len);
+ explicit_bzero(mac->key, mac->key_len);
free(mac->key);
}
- memset(mac, 0, sizeof(*mac));
+ explicit_bzero(mac, sizeof(*mac));
}
/* XXX copied from ciphers_valid */
Index: openssh-9.3p2/monitor.c
===================================================================
--- openssh-9.3p2.orig/monitor.c
+++ openssh-9.3p2/monitor.c
@@ -1789,8 +1789,12 @@ mm_answer_audit_end_command(struct ssh *
void
monitor_clear_keystate(struct ssh *ssh, struct monitor *pmonitor)
{
- ssh_clear_newkeys(ssh, MODE_IN);
- ssh_clear_newkeys(ssh, MODE_OUT);
+ u_int mode;
+
+ for (mode = 0; mode < MODE_MAX; mode++) {
+ ssh_clear_curkeys(ssh, mode); /* current keys */
+ ssh_clear_newkeys(ssh, mode); /* next keys */
+ }
sshbuf_free(child_state);
child_state = NULL;
}
Index: openssh-9.3p2/packet.c
===================================================================
--- openssh-9.3p2.orig/packet.c
+++ openssh-9.3p2/packet.c
@@ -655,6 +655,7 @@ ssh_packet_close_internal(struct ssh *ss
ssh->local_ipaddr = NULL;
free(ssh->remote_ipaddr);
ssh->remote_ipaddr = NULL;
+ explicit_bzero(ssh->state, sizeof(*ssh->state));
free(ssh->state);
ssh->state = NULL;
kex_free(ssh->kex);
@@ -783,8 +784,10 @@ compress_buffer(struct ssh *ssh, struct
case Z_OK:
/* Append compressed data to output_buffer. */
if ((r = sshbuf_put(out, buf, sizeof(buf) -
- ssh->state->compression_out_stream.avail_out)) != 0)
+ ssh->state->compression_out_stream.avail_out)) != 0) {
+ explicit_bzero(buf, sizeof(buf));
return r;
+ }
break;
case Z_STREAM_ERROR:
default:
@@ -819,8 +822,10 @@ uncompress_buffer(struct ssh *ssh, struc
switch (status) {
case Z_OK:
if ((r = sshbuf_put(out, buf, sizeof(buf) -
- ssh->state->compression_in_stream.avail_out)) != 0)
+ ssh->state->compression_in_stream.avail_out)) != 0) {
+ explicit_bzero(buf, sizeof(buf));
return r;
+ }
break;
case Z_BUF_ERROR:
/*
@@ -870,6 +875,17 @@ uncompress_buffer(struct ssh *ssh, struc
#endif /* WITH_ZLIB */
void
+ssh_clear_curkeys(struct ssh *ssh, int mode)
+{
+ struct session_state *state = ssh->state;
+
+ if (state && state->newkeys[mode]) {
+ kex_free_newkeys(state->newkeys[mode]);
+ state->newkeys[mode] = NULL;
+ }
+}
+
+void
ssh_clear_newkeys(struct ssh *ssh, int mode)
{
if (ssh->kex && ssh->kex->newkeys[mode]) {
@@ -1418,7 +1434,9 @@ ssh_packet_read_seqnr(struct ssh *ssh, u
}
/* Append it to the buffer. */
- if ((r = ssh_packet_process_incoming(ssh, buf, len)) != 0)
+ r = ssh_packet_process_incoming(ssh, buf, len);
+ explicit_bzero(buf, len);
+ if (r != 0)
goto out;
}
out:
@@ -2375,9 +2393,12 @@ ssh_packet_get_state(struct ssh *ssh, st
(r = sshbuf_put_u32(m, state->p_read.packets)) != 0 ||
(r = sshbuf_put_u64(m, state->p_read.bytes)) != 0 ||
(r = sshbuf_put_stringb(m, state->input)) != 0 ||
- (r = sshbuf_put_stringb(m, state->output)) != 0)
+ (r = sshbuf_put_stringb(m, state->output)) != 0) {
+ sshbuf_obfuscate(m);
return r;
+ }
+ sshbuf_obfuscate(m);
return 0;
}
@@ -2496,6 +2517,8 @@ ssh_packet_set_state(struct ssh *ssh, st
size_t ilen, olen;
int r;
+ sshbuf_unobfuscate(m);
+
if ((r = kex_from_blob(m, &ssh->kex)) != 0 ||
(r = newkeys_from_blob(m, ssh, MODE_OUT)) != 0 ||
(r = newkeys_from_blob(m, ssh, MODE_IN)) != 0 ||
@@ -2509,7 +2532,7 @@ ssh_packet_set_state(struct ssh *ssh, st
(r = sshbuf_get_u64(m, &state->p_read.blocks)) != 0 ||
(r = sshbuf_get_u32(m, &state->p_read.packets)) != 0 ||
(r = sshbuf_get_u64(m, &state->p_read.bytes)) != 0)
- return r;
+ goto out;
/*
* We set the time here so that in post-auth privsep child we
* count from the completion of the authentication.
@@ -2518,10 +2541,10 @@ ssh_packet_set_state(struct ssh *ssh, st
/* XXX ssh_set_newkeys overrides p_read.packets? XXX */
if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0 ||
(r = ssh_set_newkeys(ssh, MODE_OUT)) != 0)
- return r;
+ goto out;
if ((r = ssh_packet_set_postauth(ssh)) != 0)
- return r;
+ goto out;
sshbuf_reset(state->input);
sshbuf_reset(state->output);
@@ -2529,12 +2552,19 @@ ssh_packet_set_state(struct ssh *ssh, st
(r = sshbuf_get_string_direct(m, &output, &olen)) != 0 ||
(r = sshbuf_put(state->input, input, ilen)) != 0 ||
(r = sshbuf_put(state->output, output, olen)) != 0)
- return r;
+ goto out;
- if (sshbuf_len(m))
- return SSH_ERR_INVALID_FORMAT;
+ if (sshbuf_len(m)) {
+ r = SSH_ERR_INVALID_FORMAT;
+ goto out;
+ }
+
+ r = 0;
+out:
+ if (r != 0)
+ sshbuf_obfuscate(m);
debug3_f("done");
- return 0;
+ return r;
}
/* NEW API */
Index: openssh-9.3p2/packet.h
===================================================================
--- openssh-9.3p2.orig/packet.h
+++ openssh-9.3p2/packet.h
@@ -103,6 +103,7 @@ void ssh_packet_close(struct ssh *);
void ssh_packet_close(struct ssh *);
void ssh_packet_set_input_hook(struct ssh *, ssh_packet_hook_fn *, void *);
void ssh_packet_clear_keys(struct ssh *);
+void ssh_clear_curkeys(struct ssh *, int);
void ssh_clear_newkeys(struct ssh *, int);
int ssh_packet_is_rekeying(struct ssh *);
Index: openssh-9.3p2/sshbuf.c
===================================================================
--- openssh-9.3p2.orig/sshbuf.c
+++ openssh-9.3p2/sshbuf.c
@@ -309,6 +309,31 @@ sshbuf_mutable_ptr(const struct sshbuf *
return buf->d + buf->off;
}
+/* Trivially obfuscate the buffer. This is used to make sensitive data
+ * (e.g. keystate) slightly less obvious if found lingering in kernel
+ * memory after being sent from the privsep child to its parent.
+ *
+ * Longer term we should consider using a one-time pad or a stream cipher
+ * here. */
+void
+sshbuf_obfuscate(struct sshbuf *buf)
+{
+ size_t i;
+
+ if (sshbuf_check_sanity(buf) != 0 || buf->readonly || buf->refcount > 1)
+ return;
+
+ for (i = buf->off; i < buf->size; i++) {
+ buf->d [i] ^= 0xaa;
+ }
+}
+
+void
+sshbuf_unobfuscate(struct sshbuf *buf)
+{
+ sshbuf_obfuscate(buf);
+}
+
int
sshbuf_check_reserve(const struct sshbuf *buf, size_t len)
{
Index: openssh-9.3p2/sshbuf.h
===================================================================
--- openssh-9.3p2.orig/sshbuf.h
+++ openssh-9.3p2/sshbuf.h
@@ -298,6 +298,9 @@ int sshbuf_write_file(const char *path,
int sshbuf_read(int, struct sshbuf *, size_t, size_t *)
__attribute__((__nonnull__ (2)));
+void sshbuf_obfuscate(struct sshbuf *buf);
+void sshbuf_unobfuscate(struct sshbuf *buf);
+
/* Macros for decoding/encoding integers */
#define PEEK_U64(p) \
(((u_int64_t)(((const u_char *)(p))[0]) << 56) | \
Index: openssh-9.3p2/sshd-session.c
===================================================================
--- openssh-9.3p2.orig/sshd-session.c
+++ openssh-9.3p2/sshd-session.c
@@ -197,6 +197,19 @@ static void do_ssh2_kex(struct ssh *);
static void do_ssh2_kex(struct ssh *);
/*
+ * Clear some stack space. This is a bit naive, but hopefully helps mitigate
+ * information leaks due to registers and other data having been stored on
+ * the stack. Called after fork() and before exit().
+ */
+static void
+clobber_stack(void)
+{
+ char data [32768];
+
+ explicit_bzero(data, 32768);
+}
+
+/*
* Signal handler for the alarm after the login grace period has expired.
* As usual, this may only take signal-safe actions, even though it is
* terminal.
@@ -260,6 +260,8 @@ destroy_sensitive_data(struct ssh *ssh,
sensitive_data.host_certificates[i] = NULL;
}
}
+
+ clobber_stack();
}
/* Demote private to public keys for network child */
@@ -431,6 +432,8 @@ privsep_preauth(struct ssh *ssh)
{
int skip_privdrop = 0;
+ clobber_stack();
+
/*
* Hack for systems that don't support FD passing: retain privileges
* in the post-auth privsep process so it can allocate PTYs directly.
@@ -1354,6 +1356,7 @@ main(int ac, char **av)
*/
mm_send_keystate(ssh, pmonitor);
ssh_packet_clear_keys(ssh);
+ clobber_stack();
exit(0);
authenticated:
@@ -1431,6 +1434,7 @@ main(int ac, char **av)
mm_terminate();
+ clobber_stack();
exit(0);
}
@@ -1577,8 +1581,10 @@ cleanup_exit(int i)
/* cleanup_exit can be called at the very least from the privsep
wrappers used for auditing. Make sure we don't recurse
indefinitely. */
- if (in_cleanup)
+ if (in_cleanup) {
+ clobber_stack();
_exit(i);
+ }
in_cleanup = 1;
extern int auth_attempted; /* monitor.c */
@@ -1604,5 +1610,7 @@ cleanup_exit(int i)
mm_is_monitor())
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
#endif
+
+ clobber_stack();
_exit(i);
}

125
openssh-openssl-3.patch Normal file
View File

@ -0,0 +1,125 @@
---
fips.c | 5 +++++
kex.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 65 insertions(+), 1 deletion(-)
--- a/fips.c
+++ b/fips.c
@@ -48,6 +48,11 @@
static int fips_state = -1;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
+# define FIPS_mode_set(x) EVP_default_properties_enable_fips(NULL,x)
+#endif
+
/* calculates HMAC of contents of a file given by filename using the hash
* algorithm specified by FIPS_HMAC_EVP in fips.h and placing the result into
* newly allacated memory - remember to free it when not needed anymore */
--- a/kex.c
+++ b/kex.c
@@ -41,6 +41,9 @@
#include <openssl/crypto.h>
#include <openssl/dh.h>
#include <openssl/kdf.h>
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+# include <openssl/core_names.h>
+# endif
#endif
#include "ssh.h"
@@ -1191,14 +1194,61 @@ derive_key_via_openssl(struct ssh *ssh,
{
struct kex *kex = ssh->kex;
EVP_KDF_CTX *hashctx = NULL;
- const EVP_MD *md = NULL;
u_char *digest = NULL;
int r = SSH_ERR_LIBCRYPTO_ERROR;
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM params[6], *p = params;
+ char type = (char) id;
+ EVP_KDF *kdf = EVP_KDF_fetch (NULL, "SSHKDF", NULL);
+ if (!kdf)
+ goto out;
+ hashctx = EVP_KDF_CTX_new (kdf);
+# else
+ const EVP_MD *md = NULL;
hashctx = EVP_KDF_CTX_new_id (EVP_KDF_SSHKDF);
+# endif
if (!hashctx)
goto out;
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ switch (kex->hash_alg)
+ {
+ case SSH_DIGEST_MD5:
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
+ SN_md5, strlen(SN_md5));
+ break;
+ case SSH_DIGEST_SHA1:
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
+ SN_sha1, strlen(SN_sha1));
+ break;
+ case SSH_DIGEST_SHA256:
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
+ SN_sha256, strlen(SN_sha256));
+ break;
+ case SSH_DIGEST_SHA384:
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
+ SN_sha384, strlen(SN_sha384));
+ break;
+ case SSH_DIGEST_SHA512:
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
+ SN_sha512, strlen(SN_sha512));
+ break;
+ default:
+ goto out;
+ }
+
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
+ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret));
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH,
+ hash, (size_t) hashlen);
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
+ sshbuf_ptr(kex->session_id), (size_t) sshbuf_len(kex->session_id));
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE,
+ &type, sizeof(type));
+ *p = OSSL_PARAM_construct_end();
+
+# else
md = get_openssl_md_for_hash_alg (kex->hash_alg);
if (!md)
goto out;
@@ -1215,6 +1265,7 @@ derive_key_via_openssl(struct ssh *ssh,
sshbuf_ptr(kex->session_id),
(size_t) sshbuf_len(kex->session_id)) != 1)
goto out;
+# endif
digest = calloc (1, need);
if (!digest) {
@@ -1222,7 +1273,11 @@ derive_key_via_openssl(struct ssh *ssh,
goto out;
}
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ if (EVP_KDF_derive (hashctx, digest, need, params) != 1)
+# else
if (EVP_KDF_derive (hashctx, digest, need) != 1)
+# endif
goto out;
*keyp = digest;
@@ -1233,6 +1288,10 @@ derive_key_via_openssl(struct ssh *ssh,
if (hashctx)
EVP_KDF_CTX_free(hashctx);
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ EVP_KDF_free(kdf);
+# endif
+
if (digest)
free(digest);

View File

@ -0,0 +1,41 @@
Index: openssh-8.9p1/myproposal.h
===================================================================
--- openssh-8.9p1.orig/myproposal.h
+++ openssh-8.9p1/myproposal.h
@@ -34,7 +34,8 @@
"diffie-hellman-group-exchange-sha256," \
"diffie-hellman-group16-sha512," \
"diffie-hellman-group18-sha512," \
- "diffie-hellman-group14-sha256"
+ "diffie-hellman-group14-sha256," \
+ "diffie-hellman-group14-sha1"
#define KEX_CLIENT_KEX KEX_SERVER_KEX
Index: openssh-8.9p1/ssh_config.5
===================================================================
--- openssh-8.9p1.orig/ssh_config.5
+++ openssh-8.9p1/ssh_config.5
@@ -1228,7 +1228,8 @@ sntrup761x25519-sha512@openssh.com,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512,
diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256
+diffie-hellman-group14-sha256,
+diffie-hellman-group14-sha1
.Ed
.Pp
The list of supported key exchange algorithms may also be obtained using
Index: openssh-8.9p1/sshd_config.5
===================================================================
--- openssh-8.9p1.orig/sshd_config.5
+++ openssh-8.9p1/sshd_config.5
@@ -996,7 +996,7 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256
+diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
.Ed
.Pp
The list of supported key exchange algorithms may also be obtained using

View File

@ -0,0 +1,34 @@
Index: openssh-8.8p1/sandbox-seccomp-filter.c
===================================================================
--- openssh-8.8p1.orig/sandbox-seccomp-filter.c
+++ openssh-8.8p1/sandbox-seccomp-filter.c
@@ -201,6 +201,9 @@ static const struct sock_filter preauth_
#ifdef __NR_close
SC_ALLOW(__NR_close),
#endif
+#ifdef __NR_close_range
+ SC_ALLOW(__NR_close_range),
+#endif
#ifdef __NR_exit
SC_ALLOW(__NR_exit),
#endif
@@ -213,6 +216,9 @@ static const struct sock_filter preauth_
#ifdef __NR_futex_time64
SC_FUTEX(__NR_futex_time64),
#endif
+#ifdef __NR_futex_time64
+ SC_ALLOW(__NR_futex_time64),
+#endif
#ifdef __NR_geteuid
SC_ALLOW(__NR_geteuid),
#endif
@@ -293,6 +299,9 @@ static const struct sock_filter preauth_
#endif
#ifdef __NR_pselect6_time64
SC_ALLOW(__NR_pselect6_time64),
+#endif
+#ifdef __NR_pselect6_time64
+ SC_ALLOW(__NR_pselect6_time64),
#endif
#ifdef __NR_read
SC_ALLOW(__NR_read),

6457
openssh.changes Normal file

File diff suppressed because it is too large Load Diff

353
openssh.keyring Normal file
View File

@ -0,0 +1,353 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQGiBDqa5pwRBADJSEyXXsgXiyytN93prDPTPmrueRP9lQQfgaQvCvqK0bN0AF1Z
Vxxk9wlSXQp3+Qw5+qqsN5ovzsn39r9pqGslfCqQn9ACTmsn42+VCyW4hdwUGSBS
5myh65ZJTK1ufWCZFssxQ0EiALagu4DlH6Z2O7tFDnJNagF55vlnK0uMQwCg/8RU
QYDmisEHjkarAapPaupxjhkD/j9riCVasWPYJwAuhiQWAKxGRwp/ZyTaWCSERUBR
4Dg9QxpuwHKIT8BeDA3hJa/9Yxu5jec2NVKbtVSZvRkgUfRNOkrcH2eiY8Iz6est
J64dGWuGMKQW0GEqW+OXpRTTPJZ0mgPmU16qDzLPdx6F3BAk2LG+TTwlKUPuGqOt
6u2EA/4+1CBYZ8mXq9GJnLRBPAoYwSJJzbQnMm9Jat/yg9N6nigSIiFyG8ixh167
gGGKfzvpjY7DeJzDI0Cub+tRova8gFg+T15AcPMST5v7v6O/ug9aYWERZ0zjUhRH
ybtYLYhUUbdYM29PwGBNfZhGIOYwfFE9UpPS5LeXHs28oVLlH4jcBCARAgCcBQJS
ppQ+lR0BVGhpcyBrZXkgaGFzIGJlZW4gc3VwZXJzZWRlZCBieSBrZXkgSUQgNkQ5
MjBEMzAKS2V5IGZpbmdlcnByaW50ID0gNTlDMiAxMThFIEQyMDYgRDkyNyBFNjY3
ICBFQkUzIEQzRTUgRjU2QiA2RDkyIDBEMzAKUGxlYXNlIHVwZGF0ZSB0byB0aGlz
IG5ldyBrZXkuAAoJEM6OywOG/5xIWdMAoJZA/6ls+J6YIpVDFHkb4/8fl0w4AJ90
K3I7hssc7QuWHfPlq3EozRtjIbQuRGFtaWVuIE1pbGxlciAoUGVyc29uYWwgS2V5
KSA8ZGptQG1pbmRyb3Qub3JnPohXBBMRAgAXBQI6muacBQsHCgMEAxUDAgMWAgEC
F4AACgkQzo7LA4b/nEiDMgCZAUzKq241h5GTJxC0guS6ht9i9ZsAoL/oXCmFsofA
RehZF6AakIdasvS9iEYEExECAAYFAj77h64ACgkQmD+U6HbiLS3r4ACfclqiFP6E
TBkTbjqC328yXlT2rlEAnR6Wv3SNayY4jOgfxCMxi61S2CkAiQGsBBABAgAGBQJS
ppEIAAoJENPl9Wttkg0wMMsMf0tC6QkZnCkTiEVSar2Bd0gJWRCZOGgWwYnXVXif
5UaQhRgfXyXDxADWi76UYl4v8UFrH9yODXhZM0hoNbt6T98stHmw3dIvrYfhRgQ0
83p/N7II3i1iDJDUZ9PA8n4c5BWXirOUXPxtp23WgsEqG5DaN3CGo99YZO8aB3AH
hWd8xvGGDOKOMpAPQekgG/CZw3pcdaSOsZvOEOnbk/VuI2DVjTu/hX0PmRKkfeVf
aafi6bcDkm8Vs7Sw4TIrNmGJTKIDhwXSrFlDfs/CmZJUxzP/S7W+dZ4kvESDSWia
wmxQFMIxRqgHeLiRHYXCL5Fg+WYFv+EMj/ta5PVot86/iWfrj0MRKZFCpRfDjqTv
t0G0ziOW9kTFK8TpxBacJR7n4whM6SNf6L9onHn7xqx2r0J8TLcua9hTvapuNPdL
y1cxAKMZO8q10AMGkYd03qLlHxtgKXBeWkV/UYAc1zArv4JFdWTraLbIHmi8jpvE
NM3qcNWuNVyiTi4Kxum+CFd8V7b4X/6yBLRD/U6/dMUy4LiIVwQTEQIAFwUCOprm
nAULBwoDBAMVAwIDFgIBAheAAAoJEM6OywOG/5xIgzIAnjRm47SkL5RQ9lDvVdm5
SmNw0HX0AKC+AssIfepBFkPIFBSLcNoSWiTkzrkCDQQ6mubUEAgA8/15wnMpXvYZ
sYMp7a9+WUCSsfYOn7QcNe/CUsDNzuyTThqd/fBIeEPa5BKeTR9alXnBvedxbnnU
/SAF6q/KY6ebXajGAnGisvmidEsNc1Q9lTmN4e0sn1NuaXGIhxGtYK3yj1aFpudy
MFhlVbarheXYpgHu+fg9Gl8lQjr9BM/cICUeh+vZaeP3A9hsjWhmq8GPRy7xxb1z
jWNqpvxleTo8jlDuNYJkOKcl0IfoKHBRR6zNAM73iLMIDaSdMTVl1/IlxrK92Ar6
puyaCFPSSsQ1fvem8Qy303SqaC2Cm+vFnbZgMpbIqOfomX1rXTm/16ZNmMeS3Wnc
vf/p95unLwAFEQgAq76FUm3dDEdBVl/mwWdDY0nDQaN5D0kgp0Oo0R6JJM+ea/jB
3u3asQid6Zru2kTpdn4LoOsKG/u/ql3ypHv03U+sLgm+AnRUurT4D632FfosKtjQ
fwWrXjxoO2elAC2lC0NJvNwwhFSyTZ43phHSKLkoXpYpAADu0AyjK+7wIx/J9M8D
KcETF57wjOs2JUvYtZDpvC1QE5NFsooaUBkmk7pHT4ypRu7CsDLttLLCvQxlaT4L
pU2e6x6l5eI7mPC0No+HTzWj6ClhvCbgVQrMn9g+hjVvez3ykEpMxXmbG1QeEkUK
1U3IYAUmKMUVVt3y5P8nN0wuQG4ehqY+Is2sFIhGBBgRAgAGBQI6mubUAAoJEM6O
ywOG/5xIH7YAnRyGVA1QFg0WubIkovAKLPiIsgIAAJ9NsBjpdVqP2CfkWPnOijef
E5gDxJkBogQ3R/zyEQQAsWguKhytuM/8IwqKRSQBPaHRTyVMjsvLr7uUIoW2qf0V
VDVxuSXy4K/k43Q/ssw2nDipUkS74vMgGzgUQk4BI0LkoPSIVoXo+v65KCSbrMNY
m7lGGN7ZkFg5zWDfdVFiN5P/tUg91UfmCI71zp78SltyBM+FLPJhBYE0dvkHDjMA
oN744XCDTRMARJLK8DH1O3eTkE+1A/9brypK8VFX1+J3jfZmz7nD2St9+6/rkcM+
P8V7bHHttSVLswhTZ8bMZv5aJjsyyPrnFFLmlPddaQDND1fVFevrHOTbSnMjt8lK
Ksh4z+FFCQTB8wtpXbs2xHjny1Oy8kwiCnYCtDr3fOYnoqFkCMwT2ulbcKGZ3L6k
neUGSvWOhAQArqhDaGwsZfkvzirG9vo/PFBwdeKNj/tDOE+1SQasDT0L3gd/tfmZ
LBCed2yQ7axppQlQRIcNL24+GHefTY5Y92T7GLVIg2cK5JUtMKMmgWj3szyXi5Oc
QKxQdhmBgsWutyJj6SlAHSDrjFhVabIeJKuyuZzxhyvmSzzjBsugsayIUQQgEQIA
CQUCOprFaAIdAQASCRCiuYn1EbV0jwdlR1BHAAEB6xwAn3FxEH2wPVFlzVKf09Sh
uwEfspiYAKCkKEhT4qVjGQ2D4cwgtoZ03pQgELQlRGFtaWVuIE1pbGxlciA8ZG1p
bGxlckBpbG9naWMuY29tLmF1PohfBBMRAgAXBQI6JFsGBQsHCgMEAxUDAgMWAgEC
F4AAEgkQormJ9RG1dI8HZUdQRwABAU4BAKCFIZWrqfMjc8zKhnfoTSEAt/ojUwCf
eqkKspOp6Uqq1tlr1oyYmN5P5Y6IRgQQEQIABgUCODCW/wAKCRB9nsJ2HENBrF/D
AJ48befkKUUGogX4tPfIAzbu+auUPwCgp41iiMRqeqgWbsG1ujpDnVQRp/y0H0Rh
bWllbiBNaWxsZXIgPGRqbUBtaW5kcm90Lm9yZz6IXwQTEQIAFwUCOiRbLwULBwoD
BAMVAwIDFgIBAheAABIJEKK5ifURtXSPB2VHUEcAAQG/QQCcD+0bmcV5aYRb8JQ9
Q+DeKi2fqfwAoJ0g1TDjN+ZpKAaOI95waVgGjYAhiEYEEBECAAYFAjgwlwgACgkQ
fZ7CdhxDQazdMwCcCWb+3Ehg/wK6nrIebHYlDBwcYLAAoMXIboTxrdRh71R3/4Pd
zTR9g2vQtCVEYW1pZW4gTWlsbGVyIDxkbWlsbGVyQHZpdG5ldC5jb20uc2c+iF8E
ExECABcFAjokWy8FCwcKAwQDFQMCAxYCAQIXgAASCRCiuYn1EbV0jwdlR1BHAAEB
9qQAnAzpzF24V7K84PQTKQ0V5a1EiGmBAKDIg1wPX7ZSRDHBrAaLKpEirnj1MIhG
BBARAgAGBQI4MJcIAAoJEH2ewnYcQ0GsnfYAmwZq27x3h0EV0t+0i3j7dClD5eMX
AJwP4AvyuGuyz3qGOYxXG/1RuhqoubkBDQQ3R/0CEAQA35tSeji8z1JVaQApKuEK
VhZAm2zaZLFiAusKqS+/RXUhIFTI7Du/dJTPODm3pLQEnF4evo3qgokSP5rf5Y++
JPUfkS6NTons29mnCVyWPl8+3yJaTPbX708e+r5ZWuN30c9dl8Br7mHzJrsTRumT
9qSVPUklzv77JOAxBGTEhAcAAwUD/0MelpnyrZNVFja/xObo/OL4r6mwwO0pyK1Q
qE8AuGO37Ug0WO6QNxgFLKR8l+9sod6q4KAEBxhA0DiVrJFNkTuza6HR5i22Y4ei
VNbPC8IqRuF6o4KC3zejZgpPpApqrO0mMmo7GXcBpkpCS8vzJ09EvfExbALB0Jku
GQn7SImsiEkEKBECAAkFAjqaxBECHQEACgkQormJ9RG1dI9+GwCfTEqyOILSu5Nz
DhcUrqpknPlXX/YAoI/vfDq8kQG0QldbtWsC+MWQH9zsiFQEGBECAAwFAjdH/QIF
CQLH6gAAEgkQormJ9RG1dI8HZUdQRwABAfKmAJ9EMdNbg94wSQrHb8oKVAKfjFZt
TACgusXeU8duOaTgSb89XrAGCTb3THu5AQ0EOiRfFRQEAOelb5M0Hjb87WcPiIy2
UAsxOwDno7H7vR9WLfpfKjPwk7Xoa05qyThF2L96keXZZAm54yapyeXhNPGquFyq
YMOwxX+aQyUr13uH3KTkAaDKMkC5jAAkcZwTk+tENsB/StqyqbH5/KVOoCfxEFFA
MVgTbXQnEGpqUL+WGz4Ay6IPAAUXBAChhg+rFXcsAMne7QK2816p64Lm44BB46n6
WdZoST84rOq0ZNd+fYSqfRcaPJHHjO4lAEH+1dgQjpqxkEveodKPsixoLQdHd76s
SRDcX15IhWG+OBNCD4k6Y1DLLYhPE5bUToQYm8kPhVS3yuMLuNhtDntNQURfQL7B
JxQM0A8/b4hJBCgRAgAJBQI6msQVAh0BAAoJEKK5ifURtXSP1O8AnA3CcDJd1ZUD
2Kr86Q9DSuimSMuAAKCX77M6fadIiy415K3vIfadl/nsq4hOBBgRAgAGBQI6JF8V
ABIJEKK5ifURtXSPB2VHUEcAAQHXmQCdEbOoH3DE+L9keE5ODJ7j6CvHPRgAoJZm
54r/EPzKnu9gTsI0J+7oIh7emQGiBDqa3UERBACPhKenaTumEld5L06d5z4yl4AC
f+VsVD98Im0slZfKTcqMb3Y9Vzq4CduOVb6p4M9yX2bjxCk2mtmg5iunPuteGmVb
YSNcd7yjm9giqe6EnxXkxXmCP/AVA0kB09XYcsjmMFbRFahXo3xpdExAjyU6JVxC
/61kX8h4oYxjtWw/BwCgzf2qjNPEXshE0lwpoGwcwxk5cnUEAILKVk6G+rcususo
b2AiPjzcQnCZYNzoHpNOSkwInV/MqN6Pb1reKcJQ44RFyh6+fsdeNM2+7ifF+5DS
ZB13+5fhmtNtryIeMgfH0nYVu7YllPEmSmPOdERpjibxXbxEjWM8n4qKBe7iYVHW
tB+j9O6HyAB36mHcorYIs9NvHl76A/9kl+eBT4i2/jjPQQ4V4rrYXl7M5EWxpgMS
yUwzqM/YPZZCXJTqzv6FxUUc7LprdOEIbzQOyJqugKqHzQCekii7bcyAwu1NrV/z
amTherN+l0UqIArjWVh0IVagpXptGooVq7snoef8W/KzZQRVC1rcEQ3zV3TD3IQZ
mjx8ZgWCqbQuRGFtaWVuIE1pbGxlciAoUGVyc29uYWwgS2V5KSA8ZGptQG1pbmRy
b3Qub3JnPohfBBMRAgAXBQI6mt1BBQsHCgMEAxUDAgMWAgECF4AAEgkQqBmi2Gke
+NoHZUdQRwABAVy9AJ9RqC+W+xZCok3gcEZMiHy1lboyvgCeMSO/ld6brLcz4o8/
OMMwNne2IZeJAawEEAECAAYFAlKmjbQACgkQ0+X1a22SDTCk7wx/TLjgpMrFa/tg
k+/boARaFlsAJ/4OgyiY6314YbTyqatq1RVwWHTln1QJn8zXWpHUi9scfboxFYqz
vKT1g6TXAkg1fu5muiBCTMVVCuawXEDr0iVxfsFoCDjLKecMUxqwfj9gL3kitkbj
Ga7YcZnUcAOoLOWxsXNs5QZmKl/+E26iKGAB1sy/wMU40KjrOEg12fvIoDemeGfV
gPdeChkhpDkm7upB32UvzDbZsKO7eHxoBYW1sRJy04Tyl/hwXnNCfqYJ42BuITrk
EOSDr35MTYuLzC5l5l1uQXiCaJZxLGiM+ngkT76dkVQ4OcCgojuDih8aeT+TkM7H
YkCoVje/6Z45wNzsG1lTxE9AKTBzpi0ZKGv5/WVSQ1anuC56bgdfD9jjMrhsVwWf
mICN8zrOtYLcOJV6sUa+hZy8edEqZRkt93b8r0F2XDEVYId80debcFWExuil2TDO
Z0nfkgxRDq+wtwem51rrRc3gLH1UR/NWsSmC2Mvj7jSDGeA+gIbRFNE6+a2YG1aj
fxNdMBZ/OrkBDQQ6mt1DEAQAp/JyP+Brxt7T5vTTJSUMWSjOC+aBNZNFFHbG9KW3
x8qoE7d/SYLGIqHXscGQ0a6gzoe01DFiDovtipM6g/FarCPjRVMN72SEju2pv7hl
Gr/fcyHhKOYwcxaCVFOQetlnKq4zVrJvc0OZD/nsbRCH2ze3T5xtSQ7IlJ/rDUf/
2JsAAwYD/2h2esQEPQy8MRpFhcBZ8Z3iVaAZ0LSgvoap8RKBSmzS9QHYgk/U4N9k
W6BFQBfmG02aGMLN+WHy8oMMNVEaJxkQvXU7evd2vPIk9mW8JSeqAGa7dmZRjVkK
PBDy79eSoM/Z8Gb1TFnKJ9ju+s+pqdi0bJPsDty+yA+96MFOy5epiE4EGBECAAYF
Ajqa3UMAEgkQqBmi2Gke+NoHZUdQRwABAVDHAJ40H81xz0kVSd6/NVHLDEd7+98X
tACfZmBzmbxbQ1dhnKg3hxACZvKwMKuZAZ0EUqaCBQEMgJQ2qbhw2Hu10RvBo2Fu
fCouIekgt5dPqx10YjRK3Pmh8HW68geb2RdgbldRTCVznLCMhmbYl64qqt3/rADP
mVotqAUDqTzoRnPO4ETdvkXFJDgQ3grldkQmjrXEBIQXvPWZAKKqgDr8XjTuG3uc
2iJUT3mQ6aomW/hypukLDefx/ZVb6ZVQfoxhFlWtgAL02cla/bit6bZ+OAWE1PX9
vHjgbsf1tUmovuEwQZr7FhAEjdhP+6US70diYsVV6JmbWAHV4pdbuNLhy0uXm4+v
FrIDkNf+o0HbKqBVWUgoXBSbyAY8Y86ew0qjTEGx4TsTQX8p4alpPlpL3IWA+b0D
rnYnH196ViBvR70im3eXGuI9DCAX9zEsa4/9YRs3l+lYWe5XRWKSW6y5UjZ7wYck
ZTltAPkCXO9a7hK/qgE5wMJptJzJ1jsjE8GT9cFYIX1AMhraprfYxz11hzwScmzM
95UIdfmEbbeiYNGZ0sYvAfsX4K4G8LEAoLKZm0mXkOFGaeF3NGD137RUbiEsXs7T
oA0AEQEAAbQfRGFtaWVuIE1pbGxlciA8ZGptQG1pbmRyb3Qub3JnPokBzQQTAQIA
JwIbAwUJDUfrsQIeAQIXgAUCUqaMnAQLCQgHBhUKCQgLAgUWAgMBAAAKCRDT5fVr
bZINMHZMDH0TWjM8kpQZYk9l5+qxKvwqw7oOndC4+vDZnCCjZB94JP67M0DkAoIM
gBpgSlVtCy+7iwPLx0BbX4cQ0LFWsxdYb5IfjWVx0B0jiKjQ8YdVAOXjZHmNfd72
l+NgJAAtW/kENd10rrTnifLESa51DcgIUJhchypBsDWd+PdSTTqMaG4z30Hb9qRv
EKgVKJRf24cNko1gAalTv8UIX3EJkXgp31PC/LLXuMMiDuSbf9DgnL75U/wXK8Tk
mMF0tFBIHNIb0YKO/1/IpZbtLRsxjgPdIoq38mbVdyEQyClGvh4GmAKzevE7WFeP
Oqbe173u7Lr+rwK4lS26kmw8pz1aHj6iBRmJ8LS1rtSvFmnzJlNG89JTFiuW8PMz
fZUMtDcVfpjaLhU2jjw9IkwD4E9THsNNxkohe3jnvOwsPiMXixF3A6T9AX8ZcKQf
YYDIodYI9cg576MheCK5qNypmb1wBaMveGJ1KiEp95+8qTOyDvmYOaOG8C0Odwhu
YiYk2Nch7Y9BTiJj1WrmLS+VpUqAGApKiEYEEBECAAYFAlKmi98ACgkQzo7LA4b/
nEid/wCfQDsw+t8kjPZ7rjdURXgBfd0734gAn0w6xCIHgueq1Nxz00Ewd/1UsTjo
iQIcBBABAgAGBQJTFsNwAAoJEOX6rNyYiqSg3ZwQAKMYW9GCRVKwd8fxBIovohsD
oYOK/psUp8f8/IK1+aW9EsYcgnzpd8YuOcEa9PWd7/U+70/2fx4qyIkcJ/ofKP9U
zButogqdW1b4VISDP0t5cO9+DE4nSKod0hQdjJNM3611mr6lIhw2D56BdIzWuJl5
eCSDnyQQd6iDt5j3wELnBJt8YnYC4TytJFzg9R7iFfkONKJZWpZlgj+ChSuMVMjM
qa9l6+mYZKy4FU2mZks4EvLiWYnGQAHPjU9h+KWgoIbTXLv3Rc+NYlgXErECpZaG
B89oiEIHqH7Na4e+gtxML2/RgoLgWEsMPJBnv6AnuX8cVX1EqGJT5AzmHVmWlJHq
pSXw8g7yIRjtHZ9UKJOIamtHhDfcLpI8lSGwb0quyF/OwBcpbyWkFdOhHfTV+6Vj
tLwHbiPDJIEVkCfcyItW9s9l78U42zqyXFsgUNcjrvR09OMf0eXREVRGgo0O6glY
XRwUDFG/StCsKYFDUz2IEe4a9MjzGCSB0bUR5nKFVxomSNNQVw6Qo7oeGfXtyEG/
/KzhkDHsVWKU6qKSTK5fumQIUJHGJCCiQa6a0/6BXdoC/IVPbFgM/MHwAj030hyY
gb525l0BVD9+NEYs4Z7ZXkrdEHSIj2bTaDV2WywIYXcbxwovJlQT+gxeBxMoMJf9
zzAY5iVBn985M85NNXvpiEYEEBEIAAYFAlLp6B4ACgkQyYKAx4/0+mkA8QCdFdv8
9LNkAe1WK2gpjdW4mxXVCsUAmwf9+GFVwx69yKTXwcrvv29glD1WiQIcBBABAgAG
BQJTFqe/AAoJEEu0T4MGAI+Frd8P/0NxkhUMOo7PVWKAYEA15JQ6mvfhUkNI8MCl
PP2r0oDm3hf/sDdhi7P1pI/Wqlc/XAVQLZDtJZfZFvU4q0eF3Zs9uX3jvZjOGGQo
vVTnioQIV1JxHTriucFbkUEaMqdaQiFFAlb09qIbQaClKrbSa1d8oP+G8A7NIKxq
wwQMDk0I1UKus2QN4p0cBEuFdntlbkwwnyse7WrZS/7KcNGiHeFk8B/D63Vy2ISS
yORmeBTkA7r8qs4GAB+qrNTs+xsEQTC7Dx4Nz2FtgEmpXOifE0Txc3n761aAfNao
8bYukIbbF7Sw2ZvfwnEXikiL3m4uYFPcLsGfT3KFSKra69Vrm/DdZVGODJwALqo1
CpPdV69qpq/e6q6SKTdJrc6YKeFZMyjHRFT4IhVG7KvUAjQkt0RcG17JinOlJ26F
MH9nosU2RlVJuESUJH9xzMgWugF5Uj6jQlm5h/PWKNEtX/PjFCFjkacffWzRGOEg
1mqB8B6O7UttATbt4mNV/BMZFGqNH0Jq64RM0n3Q5TaIhUIW/0jsES1TKrJ96W+M
m/JiBd6tTXjAlk7B+m9eI7fEA7y6dugm0Qpw1+C4aIopQayaguPf/hicQqRr/ggu
tKsO+vhJ9ie6cB1Zdc+BNGCrmpPrALmMbKmgw7i9ZI1iWE0pijX8kiBJoZaTb4Rq
PT8tKiYLiQIcBBABAgAGBQJTF2LJAAoJENaX3zJH9H8fPQMP/0MRl17h9QMdSRvU
T0Hy/cVCUwNs4hWhjA5k+eWKZe3LxOjnZEEA7S0Oi07cyOlKH7qNg8xA42KM3NPD
tEM8U6CvkdJ7Bctr1OOMUIdLq4485BDsPccoVc5J8MRf+4BFQodd8B8jekTv/rfn
/eXie3M12pjiy8ZryeBFod/3C/VLCQwMG4eMzga6+anuc66U6zteEnG0QyS4uckJ
iAlcxYqLK3Sm6WB/FlR8LmSPPAEl9xH5W8gSrAGZRg9w5tOVnOOsDWU3yfBxzi8X
ZnMRc7+22XOuzkQlQDDRM/r8L5aM6rGjLTRUpbv3JU11gf0+5yUAqrWD+KumgyGd
cxWnfEHRQZA7jV3eEXpoE2mKOiZ3zaA0gZRmG745+E+MS964jTOdEy3ZEITuSCOt
aPjiySebYSpxhuoqdA5sIgC/qLfigTEDQiY4LnrTxZp1uQGhcbzBKEAScLK6mFHj
MTnTFm9hChnD8UmjfBFpHNhvvXS6h+ZdpgLuG2XEv3DtLs8N/E7uh0zN38lupX5M
r9GC3EOrTXte/TWGQVlXU4j60J2FiUk38ORryyDMd3LS5bjTqaERkqd+uw7utuM7
dTU8cohcMgM+vw6l3fNg8+I31Mpy9N6QLS26qP0b+uYKZpX5UG2H9j+ekrZ7ReBr
LB4s2VIDHBoc6qRbXTI7I6Sf/Ez9iQIcBBABAgAGBQJTF5i3AAoJECPNT7oMAX3y
AaoP/jSWlN++0Sms0WgN67JHDZhXpU+uiumaKS2VXXakIeAKu8kra6KIqmTadmm1
zSJ83yhr6q3TjnCaOMLcSCEaCeizeMHeUbLPiM1zlcXH3jqpZxIPJ2lZTsySeAEA
QwT30NIjySlOX5Ba/ZknQ8iiqqkZM1PBxqYIcjN8ijOY59L4NQnTsdn0m6pAe1m1
6zD3sGljVvJeQuvoyaqxnOEQhzfnYjziFIkTbRKh0bk2jq3GjpYKjm0H0yDzr1xc
G5R31DZb+n5tWDKDYUX+PtDh8ypgzobTBQ1JTl7e2qeu/EpbFccRqsu1S9kJyC3j
yYzpk2Bf8mfsfH6Z+FUR8AEKW67vBQQFRIV0H4WCBazI2k1/ibNoaLqKJNDh0j3p
89XAdlXdie8Cr+kd0XQJ/ExqaBPpTiVWGFeEVxo9cC18zFv8N8ZvOnEBwJZ77uai
KYAjNUEfE8W7RX0bZgkIS5gXcuFRgLDcHqWEhFTasSObmNx8rrbmkZUnyuctCFu3
iYAAOvpBZNEXXnwU5S//G19gjfNlLQSBcCn6A4fJo1szPhC9VD9suf21FkZYZ2dG
T1U1CYmw46wsb6ZyG8hd56fD3VkMF6fs123NuCmKJwdv4dCAtKXeizm3KwuqfiIt
Pr+CZlF7fgBSvxSllErP3fRio6w6ueu/2nMdxq/+VqSSfi0jiQIcBBABAgAGBQJT
GxrFAAoJEGXrljbwLFcEA1wQALFhneSP944km15LMqr4AGOaStxSWv+Fr3NcDv/L
XOZ9olMHGZIrAV2yl6hW0vPOiQXJGM2+t1H5Q2gbktPt/F5LD/lR8cxMOCfDbVA5
nUzi52mY7J6rv15AmJNzlxOrUsOxGIp2AuBFI+NLcmzW1vA4VN8oY22zePYSsAyA
NODpYLwzmLvWh/n6Gkb9Dcr5d5M6clPJlvyCjT3HOkmLCPBTv/I4lm004pLW+pep
wfmHi1XoXDXLChrBU0caV63+KdIKaSkZafGhhdOSeMT2ti6squ+9VBm6g207ZaU4
6wzATdVfCJkhAPk8HMi/853vqXPhl06VFi3KYrL6tsSie0X6vNlMfkQ1obdh2KHV
tqSFhO+0pwjLQ6Ei5X0MIYk2M8XFUIV1RPmQ4RdvfbMuJpyXLBxTY2ItB70ZHvEm
XOTYLYAhAH+UvSODocIP24I/mdyPbiTxgpYVa8pMFw70aA/1zPWftZCYWe0l98im
cUW2YPknLl3bxOV+CI4g5XFW/84qxS1Ty228vIK7GmnZx2AMyaSA0w84d9wQnxJc
rNSS1M3uYvHLICEr4HWP+lTj8wFd3kd0URnB8Ybc7zsy/Rroy/KPKArhbCHb9O+w
+KuC5f1Bu4uZc/o2Zckp5zfKI7xtUbW914PB9hbo+TXkTBre9nZkSQjODL6wPLIa
nYFviQIcBBABAgAGBQJTH7siAAoJEPTXp5Fd6nib42oP/0RJLp8X945IPFd1AMoM
Q23cy74qBAvh+c+k2pFEPrU+W9nJ2w3Mqwn8ja9MDewUjSq9ZLZxlTz+M8idYpoN
46VtZLCxpaLXH3Uv8T++Vwdi143UMPipJqf50mWqqciDsl9LbQZR2XolfzM9WTVU
Vt9ynNVZG+ij4tbeobViZrifY07dfR8y0TZ2LF7mah5lnDAAwSVEUOg/YX7jIgxS
fP9oD5buD2SYH/4rZFzkN3fCZQiV4uwCMIJl+fDR/adBvOaZrUVnM661vmGcsgOq
qRUE+hSZ/ih8Jsox65UAfPHdx/SEptBFgoyIpdxR4NPxpgeHZbNnstJ1R/cyKmww
hMgF11WUJbm1RN1vDPwAZNAcSzDAZhnOmtOsPtiLXDMNm7dufgYWFFxjZUxo87+W
eHgWG8ACki+AuYJgjW0gXMghVdkVQJYcLxcbZBPcHu2eUJLI83QhVQxUg5IjdOGv
OS3SuMhtDYx04zEdGB3FSVRwfyIqImjEbyXnMAT0RDhFoWvrhAy/jGsrH4tO9hg5
1AS4EJ2pwdYme7yCA0h2s1ZG+WHF4lTJ21fvx4H352Ah5tckpmmbpJbB+ZBz+uWv
rYmQP/W+06kP1axNmjSDcMID7rqoITn7emPJYLpc4vszoGxxl3yFbWM7IL8kLT2P
QC1FMP5L9SY95T3L9xciMnFTiEYEEBECAAYFAlMkhq8ACgkQi9gubzC5S1zAmwCg
gBsG5xTQsPG3Ro8GpItuIJBGmZsAoJMRnRC62mQKL700dHk49IFL7sH6iQEcBBAB
AgAGBQJUmgqLAAoJEF+OLmRrT7LQnV0H+gMxUdmn+eZUN+6fyAf1TMHifp3qvqdK
05sL2NIY4rz7GgYbb3L7wH45w+ztuE6pmdg4JwCGijp3V8quyICbvU94YTbu/n7E
3r5U9H4JXUuW99GtML6v0Jnmp7AthmsMVwTFoMj8fzszRTjh0LWxbMIP/BXbr91t
hf0A9L2OBFeHCXtpr8JnTK4lkDtwRw5PKZHQPUlP07R2Ki6pva96ePgtGnpnL8n9
Zlwvg5mCSsQOQv8R7+7GcmGqSWOEcUB67GF4AVsGMqEj/9BRYsdjWozE7oq60FwG
rg+HEaTO7To3EKWI31pZU+u3WgGE7cH82/YgtCQdgKYzDAT9AQFADRCJAhwEEAEC
AAYFAlS3/EIACgkQni8RbMiXM6uvYBAAoDMezX0JkRWg7GlsHJyF9mneaUMmhLiJ
+yO8Jd9JkJcSsDvy56X0mszyqL3e/mcrSow71fGeAnJbKcTsdMX8T7JpWL26LApb
PxiO/wo1vGczwJ+bBMDQAGIQgY9OinCL8OEw1C1saM6rLIa3z9vySBmbQA30TXdG
kRBQETcHGZfDAe7BdzBgqBK+ZlCwoCUoiprP+kidiumZ88cQmmR0LFyB72GDeT2q
H0E1WOlKRhm0hwqB+Tc7E/wvX3YlufA65azQDjeSC7skDGljHxIl+ze2DSED8p99
1bbjE5MESIySX7VdJHpp6mJ/Syh0wdiOKBn5Ff8+DxmymtzyBHGYzdYWs/UOVRIw
VSgjn+BJVpbRPqtlhpAC6PLSots7Mm6f194qJv9SDLfi/HDrKP62PG7p6zYM+zjD
j5FQBdBdMWK84/fTUT9iQsnCkmrSeaXzIlTRCBH1OUByeIbUaxcngZzGwSzsF4S3
fOhYpnsaHW/uBzYRvgui4W2bzcoUui0QU87gGEXg5jnJtUhCtVgD3jvVov+pIQCO
eMMUTSTWzg7w/7uPY8B4+tXf95J7vSJcjYnjr+yM21DrIwjhKbzjmcvsk13FR7tZ
5f7R9vTuO0CJewIXuCJ0NLaahn/s+8V9RXoNa3TA+R+ZW/KFR/awXrq7SOJ2SbTV
JQk037siPOaJAhwEEAECAAYFAlS3/GQACgkQxfSDrd7oY4DKLA/+Kncf9t8FLms1
fo1cflBb9UGgG6YceRx2+O3VZXiCqJSsHFj1Ywk+MyH44mD/JDM/YTKazT8mpnny
2/lDEzFdfbryZdA0p3pyrFp+8sx4pzKNPZxOubAOqefZ1k/SoTbTa35f3V+L926O
zIl2ZdU4WOysa13RhoRvUKjekWl94J0jECcBlkBiOI7uL64Rz4WG4VYhXJGV/LRz
OBot27Umh0sCmb3i24b9FmOu8tvAwf//zlh97ykEH1nLiVz+QU054nmbqVACp2W/
02Z6cnfWqoLsQIg2Y+6oeCrjCldzlHcOjvE6VwXJpAde7mZfQCw66G9ndEs8Xoa7
I4D06uGoewKVMJKU5AaFT4Wf69KXDI9YBRSuyZbww+rxESAB9HGfR3O8quDgsmV3
BKsNRJT7rOPm+Z+UoHS12alJmVcuv+ioh1GpmeWoKiRgjlJOQcXy/TIvTMvGb8oF
ZN9MEMCZ09x3JoYTiXvx6phrxpW82DLXPqCD7mEHR3/u9898VRWMrSP1WKpNeeyC
6Wf8Urz1ySinr/wMbafrQu0Z0nycFFbUXLRO8MwJupt0/S0kA0c2WVzlZwYrbWZ4
XGIxl6G9i+G1D5USOKbLC/bXnZlLERiQbD/85UHpt37s0T2K48lGUhSjCxclGyG7
UpFf+mzEYbQcNMTkjr1RVURd/DtLeXeJAhwEEAECAAYFAlS3/vcACgkQMn7oMPR2
HNgGtxAAiQy29MXY+Ljs3V4ZSE9kuhpV9jruyvNQD3y+vGa2fYXvwZbzqvDQIo/N
TRR+hZngz6Qo7i8NUYfzIp/GHI3nqoZll9idWdWjeg+ioD08XzmoTnTJwJAPTOVp
2WREzTyRc/FZCD8vW51iFV0xpWZA8a+/Foc1q/P9B/zvBx5UQfYCjMCcKpR3Xkuh
oRh6vdxSi9M+QuyATk1mXoniOQKhIvAzLTH2DSoAudI3V4E3GSc1NruGt35WDfvP
cwvcXk7iI4outPfyrG9mEIkiZDukB6MrKG3VKegD0fFIFouQ/eoodWKICY0S3QaP
HRL3rTOtCNtVEEaVDoaT6jDUvsfOpXreev1UriH24cawD4HmMaOs0p9e+FDTkvJx
OLErDBvODG/4Pfqai7BFaLrElnjQ6vI1e42fd+XQJlZPbDqjZkk3PD1DGNeWxXfe
VbQVK3O4G7z9Puj/YTcNyygVxwJPuZQrYX7mSjfetG7J/ZjoSSBKqJSzCyCb529o
sf2cS5JV/U5e+LQCrq+6i6fXWuUGsTu4ceJpskPahjCvcYVWMtbtBf7XhseJk97k
g/Qg01zLg8ff4np1nDCExSd8ak7DPEPOOnbedTNtmUpzaQJ1hAEsIHH23scuJMOZ
WdBHXB8j0l+w7Ssd/Up0+WR6KhYc+7D+U+mRlupXcvtXBgxzeK2JAhwEEAEIAAYF
AlS4CCsACgkQpLsVjWJqnRcPzg//R1PXrcHYVGO5tMkCpd2EdTEN2KsixMzbQAeW
C0LCvCgwuNZz5vXRrO8AIf9d5GvGx1xxr7w/aQHdA3fTwQH4VYz5Diya0OgXDWew
u0+P7AhHJbBTFxikPbX7Pe5J9ri2h9W2QGlNg9xZraF86yjdTOavrDYuc+Ly2OD1
Ln4xGr1x0LbVLCS9Th8v7rzQMjVpZQghpVUBcZ0Jgk2NFTu4ODMpC40CM7iVX4Nc
gzPecBTGRO0UJkU9L1ta/DjTh+TWWSif0gQJB396zeX7P9d9vOXbfYwYwVgvNc5x
rt71agaL6RIRiSR0nVOUu5w7M+rtqw2Goc6rVWk97GaMBxq0hCZvunr2SA5IsGDM
rFlfLb93/a4up+Tcw+4SeKwoLyRIYMcenPRxjsyYni4bVG9W34uwahQe5It875hT
ZWdZob/0uHYpEWOH2w+qzmQUtTsquD+W78J3H3SiojLiPHlsRbAk4nr0SN+EX5R3
+YW7jLRrVhrfvr+vYobH1664P7b1LX2Yi2u7ktZcWKVxLr6vZqNVXgdhgQmNyAOX
VhJurUc7EryV1tnt+EYRj0ruTdi0Je0fE6cNabrkKTnMUHTUbrpJDxJcq0q34SP+
nnqaHmdtfDvuFVMlAynQrfD7nJOY/fm+l6FY9UvNJCvid71afBV9DdbPtivn0oP9
L63+pSCJAhwEEwECAAYFAlS3/okACgkQxodfNUHO/eAexBAAl+zTx7FFagVHNlDe
tN31ErMvImw1oDVyoTAKCJbVK4YOT0AEL/GRM6nbQb2HAW26iWw0tehoKCJjw9uJ
y0m+1o/psE0nRl97sfZX5VCuFiAaRCyboEu49+KUSoCAQnkOc+r2vEPEvO0pNgZU
hUsRIwPRP67aDIfb61T9CSwZXmAkukDTuDq+sTGJ0fUpT59aM398O7BBqVnXZoTa
LHkXAd1sXGbWXNy7vNVXuHEAvebeQDzmAiiTp/RLxlUNrp4nB6bcAK5wn7kaAPJj
jREXeVk4lEGuUE1QpfdtvSAQ+8Qd47A700z4g7XFwHfXN0kX5JmeScVjrghkOCA5
sjM9P6uxgCb54iSGnCrNJf57LddvSrI4UNAvFrYHVkek5VvC48xeUME/ldUT+eQv
1Xs2CJwtX9mxQg8hvuGDr03PP1LfKoxVvAZcJ4iJ+gxD+q7KHae127X0FCbzxrz5
JQtTXep9UO5L9YskX9jKFH2+t+BrLEpxo6EQ2UsY5zmR3FFpvXu8Dryc28nI7MFl
uvNj+HPwNlvGt4/jLDxNUr1/qfny4nmH+F0GwJSbvvOysngGZ2R4XtyBOE7MvxEg
jsspXuLqm1TRyQCidUUOreramtPUUMQ8kbH66T75GAEnD862nlArSTZ76rbTGJ/4
JN+Tb0gCoT3+8rsFFLIbjbi+SBCJAc8EEwECACkFAlKmggUCGwMFCQ1H67EHCwkI
BwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRDT5fVrbZINMHp/DH911etPzwZZetcw
8cKb7UY4UHFHQJ8rQIF91mY1PHpX/fh0VG+kXizlHEZxHpwXHXbJWUevYovymo8D
hbHB/VKV4kSQLMOR/jVtnbFRRhpkzzGSZhypd85NRODfxqqyFd5M6CPH8+vRikLs
QbJTV1OxLUhtlm4/3+W4O+h7pl8Q5pFw8HQRESPFrOeugU7z5nB6h3q0XdE+/2kD
Rf0G2eF+oLrvTBvi16u6ftGYc2Qqzbr4W5D3beWn+9eEvVJrxIb7ZR2iQGn19rV+
92qB87bADM9yddmiAD0fP0ITDz7DOKxTAw7uMr0pfHaN27C1GCv7duqoHdM8BxR6
oSxg/Jm0rsCE52uA1t5EbvFwfWJZ/wSiqv03BUlRTnawlQi0W/fFM3wgq2myWDa7
aU+U+bRUBgt00qb5vtXDeBhS1wFLpKlyrlALsq5g6DStrjKT54pYQfaVnXUjxzxx
u20yI55QygiKhg7foFNgw6vTPwfo2OSid2XQDm3Hjjee4kSovrtn9jL5h27V0HcY
YED6vLNauQGdBFKmggUBDIDU53B+nBcpyH47TRbUWxBIxwSNqEaajzhZOugz+qNN
3tiyV3fTQ8y/fCRCfZZ2HJNxr8SaRbR9VMZJiztne/lKk9/SmthKOZ+7xaVejPrg
Cl1eoYeOP0oB6rY65S1avChuCJATNTgfGXP3hf/rkGAbmTs5PITcnpuBFwzAkKAK
TCMrznBtsGQYf4mj2j9nD1M9zNBwTsGYZiSQs0BdvDuiYoE4vhnrD2xdOjP1SdDQ
QH2zhO8BscYpf3LY8RCNk37CTNHcNq9YHuqXy8dkhGaykCwMAm8NPWh+w227wwHz
AlzG9lqhnuP3BQtimdo1jH3HESGBsH2jWYFxix0OPfHPmOuC2r9yl2AYLpuD5rAN
z/KVDWY2CUp9jw/2EUiEgA1mKWeYCWTkZKhZyU//r2b67fgoqgdThhzcjWk81wvo
3KLRuHyYep71Z50p+h3tjjIzVLbR9dpLi+ssiUqDFuwOlaJauTSW1XTe7ILt6oN7
efPMZb/YYtMePnGwDb4fAa0+ibmabOO9Xk8U2lLtr3QlABEBAAGJAbUEGAECAA8F
AlKmggUCGwwFCQ1H67EACgkQ0+X1a22SDTARJwx/ZCMNabddrAnE0DymqrGsV5MS
j4YRLOdVFNR6mutQV3UYfDfepoC+ouLFn7Hxyv7UaP98l3l6IhUl9EthteULyy7w
lleeB9fRWG4xxShv8VOKR+lyhiRHOuJSwkQHf86aOUuMaCdCbkbP1NXWK3IXdvOg
eRHyy9YQoorM2ggQ8ctTfLtupKQ6uOdjdtl91VGHrXxduNXbw0y6hmxXwTik65Cj
L7ezkiOYh/+aRKIUTdUnB1o96bbdSxdq0Vv96gL8CGLSIJ3/yKgXCL6gdPY+e30e
vNUXoTyAFU7e8qjpQmANOv1C3bs1zp4cvQ7mPnSKez2hv/cOg4Lc/kDTzOGX7Djr
rIYS/n4Sz+6xQCz/ieDiSwjcNMsr1iCPvSXmgG4wVh3dvkoZV8AiUZzmbAg4gbjV
gsjNlOsa465PKaPAJ0L1xRknpHYK/9XHSG1nSGoN3JoM7Qij04b9bazZPvXrS1j2
JzgzAEIV6bPAUQsgEggc1j+f/CybFAaQjc6Pzomk5VWBHmVdZH4GsZwGORITKJkC
DQRf7mYNARAAz2vrsO3Cz8vYpaXvc5tN9uloHBpeMl7Fb5A5U4XB36ux3JE03mxI
WgpVaCtKgwPAwaOprywMBee3jJh2xBIuv3cy1JSB/zCl12erUEQhSqk8wc4SWou/
h9ecl5L0b3255lbayeTWJaaz2EjVzezbiROqeHTXkd8Agrjbr6IzcdycOZiVK8SL
jdpCN8A9VzqjD7FLsQ+i4MN9sE+V7QjUASnTEPBgvVhrEX10xQTagoyF2230XlcY
SKv2rLpgk7J2LzjFWrNZ/m2AriMMg1jQGKijYMHV1f5PQ/DSye/9QTUPLwHziRZe
k7A3pZGTjv4bq1Tywc8d0VmvE56IfVIsn1cYhYq4mBm2IeWTO+IcxVjAS2ufN8RU
u8MnFnFHohzKVB6Q7Cg4HhiUgmNn6xnRE59NxuTd30OcTDxQ0SNgJjSRfMMq8nl0
upQCDH5ksrVSCUPB95GLeO2WtSgMOBsefeZcQU3y0QyxRkBX1sB1H84u9vF25FZH
HzMJmd+PhWW+V8n00wnr8zpUdvmBzIGz3C91Y0DjJxewmfYvgoBD80cSF9SJQ5Hw
vk1M/125sfUBN1rBvh08ON3mMvfxds4deT8Gtc8N74ggWYRGgJUkYvTEc8Ho0FGW
kg/VTNeRTEY7tIzVm2XojWMvdK1733sf1b3mEV3NTyqYuDnnxjoDa0cAEQEAAbQf
RGFtaWVuIE1pbGxlciA8ZGptQG1pbmRyb3Qub3JnPokCTgQTAQgAOBYhBHFouYOB
Wl7vWaSt/So/QU5zYGC6BQJf7mYNAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA
AAoJECo/QU5zYGC6kI4P/AxEYU8XTuZHYzAim7sHRr+Z1HnknrgN9mGL3HuCy8H8
cdOZkQLnHSOmYjGfOKRNTzWibr36Cd4ERCXP+blDCtkrFw1QLoLRICZ5nJCcFSr5
CanrU87wUwCQ0xfkkPl8iF8j1dorIDZOetAKumn87wKYnNphGQifPZF5GS0NS+Xp
7vmg+R+abTTCSTnxFNPwiQJwRm/lXO+A4bCHcuPL/X1vfVEYOARS+n3l29gpnHUo
roiWKC/F+HRvr6o4dIAml+jMq6xBMB6j9yYsyzNrq96GMxXDLvPCUkEad96+gR2v
RJJvFMUMa9tzc4C9n/Ks8t5s7um63l3eSYlHuVL6adI9SlVLbzyudBr7P+mU3r0z
xvYozTzPALwgohs4bYiWqdtE9y+qLsJrg5zM1g5gFJWAFWNhXkfB10NeoYN0L8Iy
RZMaBq4154fg99eaQBETzh1qoyAE1wZ5DFzzGMn0Z5gqyYd6pTxYol+6UIFvkuIb
hvzo7AnEQb9CMzCceJcPaSDoWJn8MXibgcR8zQ+bJL9BoOwevTuPBRRg4dW6IOBD
EqBjzZysSI7ET36R99WsBq0kxtPjmrbo5G66DkrwDBps7sggRg2Y23tgmrOssDVs
zN+erC+80XClDTBz8myB3y6d4VU+dWG4n0ZDGJE+w6YNZN/2pCKESlgU8e5K5qUt
iQHDBBABCAAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAl/uZjAACgkQ0+X1a22S
DTC/XwyAkFkZcqk56SuA4a4Q1PZydNNkQMKMJME2Kt5L8GB07jQPiTUoCDCEKW7v
SV5Vxl94HLQs0Wt4G+UhEmI74ZzKU0FZfF+Smnw9PQ/chVdXVAeekeBxQgDP++Mp
Lur34YveVeQkIBlQ8fbxrvd3RVI6LJ8DSxTUZ+MT34DgTs6+ryJkyA62mcSy5QL2
ZMH82uZ/1KRN6P2YOUV7UmvWPta5kZ+ocfSoTcYCx/Ms4XOx6g6DbfDZ5AkRfY7c
qUXwJEA5bEooZXxMIVX3cN6O8CVjhl0lzNyeppoCmsuHBg1/YErsLbyphKzIuY0E
8Ng5nSKKefZA3+2OlwvRNN4FPVXcf618s+LkMPdedRxuxOj5Lg0m8I33t//4U8xJ
CjgItN27+C8C+3uAb+oG0JP592z+zweVVjbqgfKKQ0XWJBV8YrdQ7CC65WTBkSKK
Fk9uVDjfftrsWkkyWttGk1As9yAvPbupZ2swoMEcQLAhyaTLmBYrgIW6g6OMhCHv
k4BIGUZ0EQmzi11G5Bu7OEKN2/KIlLkCDQRf7mYNARAA2iZs8bBisxr5aQE1gTVX
wvgtnIOjQ6aDOh9bminaAQtg+ntvNFi6HUzSvB0XTjAw8sH2Bz38CkczuDfd4YfZ
OzAJRJTG58NAubAMDjJ3yHrfP/uXn+KVEUdDYv+wTbbA4cPztMLhNxNJwgPKjVLj
9FGkdYLCe+xTD3POiwMOtazpW4udynNCcQ1P+DIPzHuOisJ1AkYqDrShclEUcitO
44/+8JzhiKH9HxwomOLku7lwjF1nEyvVC6zJXlxqXImbeFFRbKLlItcbrVD1SJWB
F6EstFgSCFcjG0+KN86LRABfp9804OjHiSBiDOTT0W4W5icDnKOzj+ZlsdSdSIcw
AnLz7nsgobgjUaRPos013ddcMDFSIS+SNtAE/si4JHdLGUVCKH5RgHyWMjK2MQGx
3LCaHPVT/Ei0uLdSbKtpLpSsYsNokliw84Czd6sUjjR/IhHjJ7ryD4eJSyXt7vuZ
6e9twyJumcPJvWw3feFjGqGKmhwpw6viKkYEqDSkS7IJRqdS8My1PMm38Ew61WaS
YYehueH1yO//Wtlo2hYfFh4N4Hcu9E6NeJBNEc20gz6tTkkybuIuCsZdRr9MEZgc
EEwH+Mf386Lp+/VqfpmykUaT4XATkzhSHiFFx3y1jD/gClN4zATmS9s21df8Nooc
qWTJjOjLmKn9nevp4Jrf5NEAEQEAAYkCNgQYAQgAIBYhBHFouYOBWl7vWaSt/So/
QU5zYGC6BQJf7mYNAhsMAAoJECo/QU5zYGC6a/oQAKjogHiQqRKLsaRj5yipy52i
s8vXjsDdhv29GTFV/0aLrPcFx5NkHPf5mQsN/k1fYfwHaq2uwGuL/YB6Ra6eZBOP
/xd0i7JpULrSPTDBWEgqF5UzuabQJY8oYK8RdA5RS6Tc4Q38L9f9RbHYPGvRgDeb
ZngMVOUQOD0s4EkAYwofOOE/a5S+Ty+12o7t+BTFucjgF/RiogO38HyeUepKiJFU
vuSRcluIvHaooLvDMvfmZT/nZhZsqAa3nT780Og9aopI36tmUuZSR1fJ5jYgj5dU
3JA11HWaiwbZiVXEnNDh/WPrzM8k+KGf/dxymLuCbROc+wwjhqiWGn7cKJcVLHzS
CO0rPVaJvrliTui0ytRLQ5F3A8+nsq84lbHXDZWnYMcGVF0iluQksbQkc9VPunRI
VA3UfPt7O/rK8LkZlJttKPZL042IC7vrPFZIHDbYl5OEQwohO55v/0MgtaDzc/Pk
7mnVkcLyvaL1yl8FWe+fKY4Jk8SUCygwxCCjtCv7TWYaNGepelQonwRWxCyf+xUa
nErOxgAHhLfgrzFW31qU2nrd2Ubbtj6jXwtJNMeP1ZCBL5BgcUpypYUh9DyxsjdS
mjhmFk4UXBCppf5Po/1qSpr5KPmwuWTd0KGCEnosU9RSpJtE78phxqkKaB8A3HmR
ePJgyS4h2BL0NgQRIRVW
=OOF9
-----END PGP PUBLIC KEY BLOCK-----

675
openssh.spec Normal file
View File

@ -0,0 +1,675 @@
#
# spec file for package openssh
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define sandbox_seccomp 0
%ifnarch ppc
%define sandbox_seccomp 1
%endif
%define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d
%define _fwdefdir %{_fwdir}/services
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
%define CHECKSUM_SUFFIX .hmac
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
%bcond_without ldap
%if 0%{?suse_version} >= 1550
%bcond_without wtmpdb
%bcond_with allow_root_password_login_by_default
%else
%bcond_with wtmpdb
%bcond_without allow_root_password_login_by_default
%endif
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: openssh
Version: 9.8p1
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT
Group: Productivity/Networking/SSH
URL: https://www.openssh.com/
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
Source2: sshd.pamd
Source3: README.SUSE
Source4: README.kerberos
Source5: ssh.reg
Source6: ssh-askpass
Source7: sshd.fw
Source8: sysconfig.ssh
Source9: sshd-gen-keys-start
Source10: sshd.service
Source11: README.FIPS
Source12: cavs_driver-ssh.pl
Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
Source14: sysusers-sshd.conf
Source15: sshd-sle.pamd
Source16: sshd@.service
Source17: sshd.socket
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
Patch3: openssh-7.7p1-enable_PAM_by_default.patch
Patch4: openssh-7.7p1-eal3.patch
Patch6: openssh-7.7p1-send_locale.patch
Patch7: openssh-7.7p1-hostname_changes_when_forwarding_X.patch
Patch8: openssh-7.7p1-remove_xauth_cookies_on_exit.patch
Patch9: openssh-7.7p1-pts_names_formatting.patch
Patch10: openssh-7.7p1-pam_check_locks.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Patch14: openssh-7.7p1-seccomp_stat.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Patch15: openssh-7.7p1-seccomp_ipc_flock.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
# Local FIPS patchset
Patch17: openssh-7.7p1-fips.patch
# Local cavs patchset
Patch18: openssh-7.7p1-cavstest-ctr.patch
# Local cavs patchset
Patch19: openssh-7.7p1-cavstest-kdf.patch
# Local FIPS patchset
Patch20: openssh-7.7p1-fips_checks.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
Patch22: openssh-7.7p1-systemd-notify.patch
Patch23: openssh-8.0p1-gssapi-keyex.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch24: openssh-8.1p1-audit.patch
# Local patch to disable runtime abi SSL checks, quite pointless for us
Patch26: openssh-7.7p1-disable_openssl_abi_check.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
Patch27: openssh-7.7p1-no_fork-no_pid_file.patch
Patch28: openssh-7.7p1-host_ident.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=1844
Patch29: openssh-7.7p1-sftp_force_permissions.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2143
Patch30: openssh-7.7p1-X_forward_with_disabled_ipv6.patch
Patch31: openssh-7.7p1-ldap.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2213
Patch32: openssh-7.7p1-IPv6_X_forwarding.patch
Patch33: openssh-7.7p1-sftp_print_diagnostic_messages.patch
Patch34: openssh-7.9p1-keygen-preserve-perms.patch
Patch35: openssh-7.9p1-revert-new-qos-defaults.patch
Patch36: openssh-8.1p1-seccomp-clock_nanosleep.patch
Patch37: openssh-8.1p1-seccomp-clock_nanosleep_time64.patch
Patch38: openssh-8.1p1-seccomp-clock_gettime64.patch
Patch39: openssh-8.1p1-use-openssl-kdf.patch
Patch40: openssh-8.1p1-ed25519-use-openssl-rng.patch
Patch41: openssh-fips-ensure-approved-moduli.patch
Patch42: openssh-link-with-sk.patch
Patch43: openssh-reenable-dh-group14-sha1-default.patch
Patch45: openssh-8.4p1-ssh_config_d.patch
Patch46: openssh-whitelist-syscalls.patch
Patch47: openssh-8.4p1-vendordir.patch
Patch48: openssh-8.4p1-pam_motd.patch
Patch49: openssh-do-not-send-empty-message.patch
Patch50: openssh-openssl-3.patch
Patch51: wtmpdb.patch
Patch52: logind_set_tty.patch
Patch54: openssh-mitigate-lingering-secrets.patch
Patch102: openssh-7.8p1-role-mls.patch
Patch103: openssh-6.6p1-privsep-selinux.patch
Patch104: openssh-6.6p1-keycat.patch
Patch105: openssh-6.6.1p1-selinux-contexts.patch
Patch106: openssh-7.6p1-cleanup-selinux.patch
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
Patch107: openssh-9.6p1-crypto-policies.patch
Patch108: openssh-9.6p1-crypto-policies-man.patch
Patch109: fix-memleak-in-process_server_config_line_depth.patch
%if 0%{with allow_root_password_login_by_default}
Patch1000: openssh-7.7p1-allow_root_password_login.patch
%endif
BuildRequires: audit-devel
BuildRequires: automake
%if 0%{?sle_version} >= 150500
BuildRequires: gcc11
%endif
BuildRequires: groff
BuildRequires: libedit-devel
BuildRequires: libselinux-devel
%if %{with ldap}
BuildRequires: openldap2-devel
%endif
BuildRequires: openssl-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: zlib-devel
BuildRequires: pkgconfig(libfido2) >= 1.2.0
BuildRequires: pkgconfig(libsystemd)
BuildRequires: sysuser-shadow
BuildRequires: sysuser-tools
Requires: %{name}-clients = %{version}-%{release}
Requires: %{name}-server = %{version}-%{release}
%if 0%{?suse_version} >= 1550
BuildRequires: pkgconfig(krb5)
%else
BuildRequires: krb5-mini-devel
%endif
%if %{with wtmpdb}
BuildRequires: pkgconfig(libwtmpdb)
%endif
Requires(pre): findutils
Requires(pre): grep
%description
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides secure encrypted communication between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.
This is a dummy package that pulls in both the client and server
components.
%package common
Summary: SSH (Secure Shell) common files
Group: Productivity/Networking/SSH
Conflicts: nonfreessh
Conflicts: %{name}-fips < %{version}-%{release}
Conflicts: %{name}-fips > %{version}-%{release}
%description common
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides secure encrypted communication between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.
This package contains common files for the Secure Shell server and
clients.
%package server
Summary: SSH (Secure Shell) server
Group: Productivity/Networking/SSH
Requires: %{name}-common = %{version}-%{release}
Requires: crypto-policies >= 20220824
Recommends: audit
Requires(pre): findutils
Requires(pre): grep
Requires(post): %fillup_prereq
Requires(post): permissions
Provides: openssh:%{_sbindir}/sshd
%if 0%{with allow_root_password_login_by_default}
# For a brief period of time this package existed in SLE/Leap.
# It was removed before GM but some people might have it from
# a beta distribution version (boo#1227350)
Obsoletes: openssh-server-config-rootlogin <= %{version}
%endif
%sysusers_requires
%description server
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides secure encrypted communication between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.
This package contains the Secure Shell daemon, which allows clients to
securely connect to your server.
%if 0%{with allow_root_password_login_by_default}
%package server-config-disallow-rootlogin
Summary: Config to disallow password root logins to sshd
Group: Productivity/Networking/SSH
Requires: %{name}-server = %{version}-%{release}
Conflicts: %{name}-server-config-rootlogin
%description server-config-disallow-rootlogin
The openssh-server package by default allows password based
root logins. This package provides a config that disallows root
to log in using the passwor. It's useful to secure your system
preventing password attacks on the root account over ssh.
%else
%package server-config-rootlogin
Summary: Config to permit root logins to sshd
Group: Productivity/Networking/SSH
Requires: %{name}-server = %{version}-%{release}
Conflicts: %{name}-server-config-disallow-rootlogin
%description server-config-rootlogin
The openssh-server package by default disallows password based
root logins. This package provides a config that does. It's useful
to temporarily have a password based login to be able to use
ssh-copy-id(1).
%endif
%package clients
Summary: SSH (Secure Shell) client applications
Group: Productivity/Networking/SSH
Requires: crypto-policies >= 20220824
Requires: %{name}-common = %{version}-%{release}
Provides: openssh:%{_bindir}/ssh
%description clients
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides secure encrypted communication between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.
This package contains clients for making secure connections to Secure
Shell servers.
%if %{with ldap}
%package helpers
Summary: OpenSSH AuthorizedKeysCommand helpers
Group: Productivity/Networking/SSH
Requires: %{name}-common = %{version}-%{release}
%description helpers
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides secure encrypted communication between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.
This package contains helper applications for OpenSSH which retrieve
keys from various sources.
%endif
%package fips
Summary: OpenSSH FIPS crypto module HMACs
Group: Productivity/Networking/SSH
Requires: %{name}-common = %{version}-%{release}
Conflicts: %{name}-common < %{version}-%{release}
Conflicts: %{name}-common > %{version}-%{release}
Obsoletes: %{name}-hmac
%description fips
This package contains hashes that, together with the main openssh packages,
form the FIPS certifiable crypto module.
%package cavs
Summary: OpenSSH FIPS crypto module CAVS tests
Group: Productivity/Networking/SSH
Requires: %{name}-common = %{version}-%{release}
%description cavs
This package contains the FIPS-140 CAVS (Cryptographic Algorithm
Validation Program/Suite) related tests of OpenSSH.
%prep
%setup -q
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
%autopatch -p1
# set libexec dir in the LDAP patch
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
$( grep -Rl @LIBEXECDIR@ \
$( grep "^+++" %{PATCH31} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
)
%build
%if 0%{?sle_version} >= 150500
export CC=gcc-11
%endif
autoreconf -fiv
%ifarch s390 s390x %{sparc}
PIEFLAGS="-fPIE"
%else
PIEFLAGS="-fpie"
%endif
CFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
CXXFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
LDFLAGS="-pie -Wl,--as-needed"
#CPPFLAGS="%%{optflags} -DUSE_INTERNAL_B64"
export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
%configure \
--sysconfdir=%{_sysconfdir}/ssh \
--libexecdir=%{_libexecdir}/ssh \
--with-selinux \
--with-pid-dir=/run \
--with-systemd \
--with-ssl-engine \
--with-pam \
--with-kerberos5=%{_prefix} \
--with-privsep-path=%{_localstatedir}/lib/empty \
%if %{sandbox_seccomp}
--with-sandbox=seccomp_filter \
%else
--with-sandbox=rlimit \
%endif
--disable-strip \
--with-audit=linux \
%if %{with ldap}
--with-ldap \
%endif
--with-xauth=%{_bindir}/xauth \
--with-libedit \
%if %{with wtmpdb}
--with-wtmpdb \
%endif
%if 0%{?suse_version} >= 1550
--disable-lastlog \
--with-logind \
%endif
--with-security-key-builtin \
--target=%{_target_cpu}-suse-linux
%make_build
%sysusers_generate_pre %{SOURCE14} sshd sshd.conf
%install
%make_install
%if %{defined _distconfdir}
install -d -m 755 %{buildroot}%{_pam_vendordir}
install -m 644 %{SOURCE2} %{buildroot}%{_pam_vendordir}/sshd
%else
# SLE has no distconfdir, so use sle PAM config
install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/sshd
%endif
install -d -m 755 %{buildroot}%{_localstatedir}/lib/sshd
install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/ssh_config.d
install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/sshd_config.d
%if 0%{?suse_version} < 1600
install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
%endif
install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
install -D -m 0644 %{SOURCE16} %{buildroot}%{_unitdir}/sshd@.service
install -D -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/sshd.socket
ln -s service %{buildroot}%{_sbindir}/rcsshd
install -d -m 755 %{buildroot}%{_fillupdir}
install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}
# install shell script to automate the process of adding your public key to a remote machine
install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
%if 0%{with allow_root_password_login_by_default}
echo "PermitRootLogin prohibit-password" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
%else
echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
%endif
# Move /etc to /usr/etc/ssh
%if %{defined _distconfdir}
mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d
mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
%if 0%{with allow_root_password_login_by_default}
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
%else
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
%endif
%endif
install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
%if %{defined _distconfdir}
install -m 644 sshd_config_suse_cp %{buildroot}%{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
%else
install -m 644 sshd_config_suse_cp %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
%endif
%if 0%{?suse_version} < 1550
# install firewall definitions
mkdir -p %{buildroot}%{_fwdefdir}
install -m 644 %{SOURCE7} %{buildroot}%{_fwdefdir}/sshd
%endif
# askpass wrapper
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE6} > %{buildroot}%{_libexecdir}/ssh/ssh-askpass
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE12} > %{buildroot}%{_libexecdir}/ssh/cavs_driver-ssh.pl
rm -f %{buildroot}%{_datadir}/Ssh.bin
# sshd keys generator wrapper
install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
# Install sysusers.d config for sshd user
mkdir -p %{buildroot}%{_sysusersdir}
install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf
rm %{buildroot}%{_libexecdir}/ssh/ssh-keycat
#rm -r %{buildroot}/usr/lib/debug/.build-id
# the hmac hashes - taken from openssl
#
# re-define the __os_install_post macro: the macro strips
# the binaries and thereby invalidates any hashes created earlier.
#
# this shows up earlier because otherwise the %%expand of
# the macro is too late.
%{expand:%%global __os_install_post {%__os_install_post
for b in \
%{_bindir}/ssh \
%{_sbindir}/sshd \
%{_libexecdir}/ssh/sftp-server \
; do
openssl dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
done
}}
%pre server -f sshd.pre
%if %{defined _distconfdir}
# Prepare for migration to /usr/etc.
test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd.rpmsave.old ||:
test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config.rpmsave.old ||:
%endif
%service_add_pre sshd.service sshd.socket
%post server
%{fillup_only -n ssh}
%service_add_post sshd.service sshd.socket
%if ! %{defined _distconfdir}
test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
echo " /etc/ssh/sshd_config.d/ . The crypto-policies configuration won't"
echo "be honored until the following line is added at the start of"
echo "/etc/ssh/sshd_config :"
echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
%endif
%preun server
%service_del_preun sshd.service sshd.socket
%postun server
# The openssh-fips trigger script for openssh will normally restart sshd once
# it gets installed, so only restart the service here if openssh-fips is not
# present.
if rpm -q openssh-fips >/dev/null 2>/dev/null; then
%service_del_postun_without_restart sshd.service sshd.socket
else
%service_del_postun sshd.service sshd.socket
fi
%if ! %{defined _distconfdir}
%post server-config-disallow-rootlogin
test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
echo " /etc/ssh/sshd_config.d/ . The config file installed by"
echo "openssh-server-config-disallow-rootlogin won't be used until"
echo "the following line is added at the start of /etc/ssh/sshd_config :"
echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
%endif
%if %{defined _distconfdir}
%posttrans server
# Migration to /usr/etc.
test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd ||:
test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config ||:
%endif
%if %{defined _distconfdir}
%pre clients
# Prepare for migration to /usr/etc.
test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config.rpmsave.old ||:
%endif
%if ! %{defined _distconfdir}
%post clients
test -f /etc/ssh/ssh_config && (grep -q "^Include /etc/ssh/ssh_config\.d/\*\.conf" /etc/ssh/ssh_config || ( \
echo "WARNING: /etc/ssh/ssh_config doesn't include config files from"
echo " /etc/ssh/ssh_config.d/ . The crypto-policies configuration won't"
echo "be honored until the following line is added at the start of"
echo "/etc/ssh/ssh_config :"
echo "Include /etc/ssh/ssh_config.d/*.conf" ) ) ||:
%endif
%if %{defined _distconfdir}
%posttrans clients
# Migration to /usr/etc.
test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config ||:
%endif
%triggerin -n openssh-fips -- %{name} = %{version}-%{release}
%restart_on_update sshd
%files
# openssh is an empty package that depends on -clients and -server,
# resulting in a clean upgrade path from prior to the split even when
# recommends are disabled.
%files common
%license LICENCE
%doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%if %{defined _distconfdir}
%attr(0755,root,root) %dir %{_distconfdir}/ssh
%attr(0600,root,root) %{_distconfdir}/ssh/moduli
%attr(0755,root,root) %dir %{_distconfdir}/ssh/ssh_config.d
%else
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%attr(0755,root,root) %dir %{_sysconfdir}/ssh/ssh_config.d
%endif
%attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0444,root,root) %{_mandir}/man5/moduli.5*
%attr(0755,root,root) %{_bindir}/ssh-keygen*
%files server
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_sbindir}/rcsshd
%attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start
%dir %attr(0755,root,root) %{_localstatedir}/lib/sshd
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d
%if %{defined _distconfdir}
%attr(0755,root,root) %dir %{_distconfdir}/ssh
%attr(0755,root,root) %dir %{_distconfdir}/ssh/sshd_config.d
%attr(0640,root,root) %config(noreplace) %{_distconfdir}/ssh/sshd_config
%attr(0644,root,root) %{_pam_vendordir}/sshd
%else
%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
%endif
%if %{defined _distconfdir}
%attr(0600,root,root) %config(noreplace) %{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
%else
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
%endif
%attr(0644,root,root) %{_unitdir}/sshd.service
%attr(0644,root,root) %{_unitdir}/sshd@.service
%attr(0644,root,root) %{_unitdir}/sshd.socket
%attr(0644,root,root) %{_sysusersdir}/sshd.conf
%attr(0444,root,root) %{_mandir}/man5/sshd_config*
%attr(0444,root,root) %{_mandir}/man8/sftp-server.8*
%attr(0444,root,root) %{_mandir}/man8/sshd.8*
%attr(0755,root,root) %{_libexecdir}/ssh/sftp-server
%attr(0755,root,root) %{_libexecdir}/ssh/sshd-session
%if 0%{?suse_version} < 1600
%dir %{_sysconfdir}/slp.reg.d
%config %{_sysconfdir}/slp.reg.d/ssh.reg
%endif
%{_fillupdir}/sysconfig.ssh
%if 0%{?suse_version} < 1550
%dir %{_fwdir}
%dir %{_fwdefdir}
%config %{_fwdefdir}/sshd
%endif
%if 0%{with allow_root_password_login_by_default}
%files server-config-disallow-rootlogin
%if %{defined _distconfdir}
%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
%else
%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
%endif
%else
%files server-config-rootlogin
%if %{defined _distconfdir}
%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
%else
%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
%endif
%endif
%files clients
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
%if %{defined _distconfdir}
%attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
%else
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%endif
%attr(0755,root,root) %{_bindir}/ssh
%attr(0755,root,root) %{_bindir}/scp*
%attr(0755,root,root) %{_bindir}/sftp*
%attr(0755,root,root) %{_bindir}/ssh-add*
%attr(0755,root,root) %{_bindir}/ssh-agent*
%attr(0755,root,root) %{_bindir}/ssh-copy-id*
%attr(0755,root,root) %{_bindir}/ssh-keyscan*
%attr(0755,root,root) %dir %{_libexecdir}/ssh
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-askpass*
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-keysign*
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-pkcs11-helper*
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-sk-helper*
%attr(0444,root,root) %{_mandir}/man1/scp.1*
%attr(0444,root,root) %{_mandir}/man1/sftp.1*
%attr(0444,root,root) %{_mandir}/man1/ssh-add.1*
%attr(0444,root,root) %{_mandir}/man1/ssh-agent.1*
%attr(0444,root,root) %{_mandir}/man1/ssh-keyscan.1*
%attr(0444,root,root) %{_mandir}/man1/ssh.1*
%attr(0444,root,root) %{_mandir}/man1/ssh-copy-id.1*
%attr(0444,root,root) %{_mandir}/man5/ssh_config.5*
%attr(0444,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
%attr(0444,root,root) %{_mandir}/man8/ssh-sk-helper.8*
%attr(0444,root,root) %{_mandir}/man8/ssh-keysign.8*
%if %{with ldap}
%files helpers
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
%attr(0755,root,root) %dir %{_libexecdir}/ssh
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
%attr(0444,root,root) %{_mandir}/man5/ssh-ldap*
%attr(0444,root,root) %{_mandir}/man8/ssh-ldap*
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
%endif
%files fips
%attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX}
%attr(0444,root,root) %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
%files cavs
%attr(0755,root,root) %{_libexecdir}/ssh/cavs*
%changelog

26
ssh-askpass Normal file
View File

@ -0,0 +1,26 @@
#!/bin/bash
SESSION=
if [ -n "$KDE_FULL_SESSION" ] ; then
SESSION=kde
fi
if [ "$DESKTOP_SESSION" = "lxqt" ]; then
SESSION=kde
fi
GNOME_SSH_ASKPASS="@LIBEXECDIR@/ssh/gnome-ssh-askpass"
KDE_SSH_ASKPASS="@LIBEXECDIR@/ssh/ksshaskpass"
case "$SESSION" in
kde)
[ -e $KDE_SSH_ASKPASS ] && exec $KDE_SSH_ASKPASS ${1+"$@"}
exec $GNOME_SSH_ASKPASS ${1+"$@"}
;;
*)
[ -e $GNOME_SSH_ASKPASS ] && exec $GNOME_SSH_ASKPASS ${1+"$@"}
exec $KDE_SSH_ASKPASS ${1+"$@"}
;;
esac

18
ssh.reg Normal file
View File

@ -0,0 +1,18 @@
#############################################################################
#
# OpenSLP registration file
#
# register SSH daemon
#
#############################################################################
# Register the usual sshd, if it is running
service:ssh://$HOSTNAME:22,en,65535
tcp-port=22
description=Secure Shell Daemon
# ssh can get used to copy files with konqueror using the fish:/ protocol
service:fish://$HOSTNAME:22,en,65535
tcp-port=22
description=KDE file transfer via SSH

9
sshd-gen-keys-start Normal file
View File

@ -0,0 +1,9 @@
#!/bin/sh
test -f /etc/sysconfig/ssh && . /etc/sysconfig/ssh
if [ "x$SSHD_AUTO_KEYGEN" != "xno" ]; then
echo "Checking for missing server keys in /etc/ssh"
test -d /etc/ssh || mkdir -p /etc/ssh
ssh-keygen -A
fi

11
sshd-sle.pamd Normal file
View File

@ -0,0 +1,11 @@
#%PAM-1.0
auth requisite pam_nologin.so
auth include common-auth
account requisite pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session include common-session
session optional pam_motd.so

5
sshd.fw Normal file
View File

@ -0,0 +1,5 @@
## Name: Secure Shell Server
## Description: Open ports for Secure Shell Server
# space separated list of allowed TCP ports
TCP="ssh"

14
sshd.pamd Normal file
View File

@ -0,0 +1,14 @@
#%PAM-1.0
auth requisite pam_nologin.so
auth substack common-auth
auth include postlogin-auth
account requisite pam_nologin.so
account substack common-account
account include postlogin-account
password substack common-password
password include postlogin-password
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session substack common-session
session include postlogin-session
session optional pam_motd.so

18
sshd.service Normal file
View File

@ -0,0 +1,18 @@
[Unit]
Description=OpenSSH Daemon
After=network.target
[Service]
Type=notify
EnvironmentFile=-/etc/sysconfig/ssh
ExecStartPre=/usr/sbin/sshd-gen-keys-start
ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
TasksMax=infinity
[Install]
WantedBy=multi-user.target

11
sshd.socket Normal file
View File

@ -0,0 +1,11 @@
[Unit]
Description=OpenSSH Server Socket
Conflicts=sshd.service
[Socket]
ListenStream=22
Accept=yes
[Install]
WantedBy=sockets.target

11
sshd@.service Normal file
View File

@ -0,0 +1,11 @@
[Unit]
Description=OpenSSH Per-Connection Server Daemon
Documentation=man:systemd-ssh-generator(8) man:sshd(8)
After=network.target
[Service]
EnvironmentFile=-/etc/sysconfig/ssh
ExecStartPre=/usr/sbin/sshd-gen-keys-start
ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS
ExecStart=-/usr/sbin/sshd -i $SSHD_OPTS
StandardInput=socket

14
sysconfig.ssh Normal file
View File

@ -0,0 +1,14 @@
## Path: Network/Remote access/SSH
## Description: SSH server settings
## Type: string
## Default: ""
## ServiceRestart: sshd
#
# Options for sshd
#
SSHD_OPTS=""
#
# Whether to run ssh-keygen -A
#
SSHD_AUTO_KEYGEN="yes"

2
sysusers-sshd.conf Normal file
View File

@ -0,0 +1,2 @@
# Type Name ID GECOS [HOME]
u sshd - "SSH daemon" /var/lib/sshd

189
wtmpdb.patch Normal file
View File

@ -0,0 +1,189 @@
diff -ur openssh-8.9p1.old/configure.ac openssh-8.9p1/configure.ac
--- openssh-8.9p1.old/configure.ac 2022-02-23 12:31:11.000000000 +0100
+++ openssh-8.9p1/configure.ac 2023-04-17 14:52:21.499002203 +0200
@@ -1703,6 +1703,49 @@
fi ]
)
+# Check whether user wants wtmpdb support
+WTMPDB_MSG="no"
+AC_ARG_WITH([wtmpdb],
+ [ --with-wtmpdb[[=PATH]] Enable wtmpdb support for sshd],
+ [ if test "x$withval" != "xno" ; then
+ if test "x$withval" = "xyes" ; then
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
+ if test "x$PKGCONFIG" != "xno"; then
+ AC_MSG_CHECKING([if $PKGCONFIG knows about wtmpdb])
+ if "$PKGCONFIG" libwtmpdb; then
+ AC_MSG_RESULT([yes])
+ use_pkgconfig_for_libwtmpdb=yes
+ else
+ AC_MSG_RESULT([no])
+ fi
+ fi
+ else
+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
+ if test -n "${rpath_opt}"; then
+ LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ fi
+ if test "x$use_pkgconfig_for_libwtmpdb" = "xyes"; then
+ LIBWTMPDB=`$PKGCONFIG --libs libwtmpdb`
+ CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libwtmpdb`"
+ else
+ LIBWTMPDB="-lwtmpdb"
+ fi
+ OTHERLIBS=`echo $LIBWTMPDB | sed 's/-lwtmpdb//'`
+ AC_CHECK_LIB([wtmpdb], [wtmpdb_login],
+ [ AC_DEFINE([USE_WTMPDB], [1], [Use libwtmpdb for sshd])
+ WTMPDB_MSG="yes"
+ AC_SUBST([LIBWTMPDB])
+ ],
+ [ AC_MSG_ERROR([libwtmpdb not found]) ],
+ [ $OTHERLIBS ]
+ )
+ fi ]
+)
+
+
AUDIT_MODULE=none
AC_ARG_WITH([audit],
[ --with-audit=module Enable audit support (modules=debug,bsm,linux)],
diff -ur openssh-8.9p1.old/loginrec.c openssh-8.9p1/loginrec.c
--- openssh-8.9p1.old/loginrec.c 2022-02-23 12:31:11.000000000 +0100
+++ openssh-8.9p1/loginrec.c 2023-04-18 10:05:04.311193333 +0200
@@ -187,6 +187,10 @@
# include <util.h>
#endif
+#ifdef USE_WTMPDB
+# include <wtmpdb.h>
+#endif
+
/**
** prototypes for helper functions in this file
**/
@@ -207,6 +211,9 @@
int wtmpx_write_entry(struct logininfo *li);
int lastlog_write_entry(struct logininfo *li);
int syslogin_write_entry(struct logininfo *li);
+#ifdef USE_WTMPDB
+int wtmpdb_write_entry(struct logininfo *li);
+#endif
int getlast_entry(struct logininfo *li);
int lastlog_get_entry(struct logininfo *li);
@@ -467,6 +474,9 @@
#ifdef USE_WTMPX
wtmpx_write_entry(li);
#endif
+#ifdef USE_WTMPDB
+ wtmpdb_write_entry(li);
+#endif
#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
if (li->type == LTYPE_LOGIN &&
!sys_auth_record_login(li->username,li->hostname,li->line,
@@ -1409,6 +1419,64 @@
}
#endif /* USE_WTMPX */
+#ifdef USE_WTMPDB
+static int
+wtmpdb_perform_login(struct logininfo *li)
+{
+ uint64_t login_time = li->tv_sec * ((uint64_t) 1000000ULL) + li->tv_usec;
+ const char *tty;
+
+ if (strncmp(li->line, "/dev/", 5) == 0)
+ tty = &(li->line[5]);
+ else
+ tty = li->line;
+
+ li->wtmpdb_id = wtmpdb_login(NULL, USER_PROCESS, li->username,
+ login_time, tty, li->hostname, 0, 0);
+ if (li->wtmpdb_id < 0)
+ return (0);
+
+ return (1);
+}
+
+
+static int
+wtmpdb_perform_logout(struct logininfo *li)
+{
+ uint64_t logout_time = li->tv_sec * ((uint64_t) 1000000ULL) + li->tv_usec;
+
+ if (li->wtmpdb_id == 0) {
+ const char *tty;
+
+ if (strncmp(li->line, "/dev/", 5) == 0)
+ tty = &(li->line[5]);
+ else
+ tty = li->line;
+
+ li->wtmpdb_id = wtmpdb_get_id(NULL, tty, NULL);
+ }
+ wtmpdb_logout(NULL, li->wtmpdb_id, logout_time, NULL);
+
+ return (1);
+}
+
+
+int
+wtmpdb_write_entry(struct logininfo *li)
+{
+ switch(li->type) {
+ case LTYPE_LOGIN:
+ return (wtmpdb_perform_login(li));
+ case LTYPE_LOGOUT:
+ return (wtmpdb_perform_logout(li));
+ default:
+ logit("%s: invalid type field", __func__);
+ return (0);
+ }
+}
+#endif
+
+
/**
** Low-level libutil login() functions
**/
diff -ur openssh-8.9p1.old/loginrec.h openssh-8.9p1/loginrec.h
--- openssh-8.9p1.old/loginrec.h 2022-02-23 12:31:11.000000000 +0100
+++ openssh-8.9p1/loginrec.h 2023-04-17 14:58:20.808850750 +0200
@@ -79,6 +79,9 @@
unsigned int tv_sec;
unsigned int tv_usec;
union login_netinfo hostaddr; /* caller's host address(es) */
+#ifdef USE_WTMPDB
+ int64_t wtmpdb_id; /* ID for wtmpdb_logout */
+#endif
}; /* struct logininfo */
/*
diff -ur openssh-8.9p1.old/Makefile.in openssh-8.9p1/Makefile.in
--- openssh-8.9p1.old/Makefile.in 2022-02-23 12:31:11.000000000 +0100
+++ openssh-8.9p1/Makefile.in 2023-04-17 14:44:32.156538001 +0200
@@ -55,6 +55,7 @@
SSHDLIBS=@SSHDLIBS@
LIBEDIT=@LIBEDIT@
LIBFIDO2=@LIBFIDO2@
+LIBWTMPDB=@LIBWTMPDB@
AR=@AR@
AWK=@AWK@
RANLIB=@RANLIB@
@@ -212,10 +213,10 @@
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
sshd-session$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHD_SESSION_OBJS)
- $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
+ $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)