Accepting request 811897 from home:hpjansson:openssh-8.3
- Version update to 8.3p1: = Potentially-incompatible changes * sftp(1): reject an argument of "-1" in the same way as ssh(1) and scp(1) do instead of accepting and silently ignoring it. = New features * sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore rhosts/shosts, "no" to allow rhosts/shosts or (new) "shosts-only" to allow .shosts files but not .rhosts. * sshd(8): allow the IgnoreRhosts directive to appear anywhere in a sshd_config, not just before any Match blocks. * ssh(1): add %TOKEN percent expansion for the LocalForward and RemoteForward keywords when used for Unix domain socket forwarding. * all: allow loading public keys from the unencrypted envelope of a private key file if no corresponding public key file is present. * ssh(1), sshd(8): prefer to use chacha20 from libcrypto where possible instead of the (slower) portable C implementation included in OpenSSH. * ssh-keygen(1): add ability to dump the contents of a binary key revocation list via "ssh-keygen -lQf /path". - Additional changes from 8.2p1 release: = Potentially-incompatible changes * ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures (i.e. the client and server CASignatureAlgorithms option) and will use the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1) CA signs new certificates. * ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1 from the default key exchange proposal for both the client and server. * ssh-keygen(1): the command-line options related to the generation OBS-URL: https://build.opensuse.org/request/show/811897 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=211
parent
059b14422b
commit
dbcbd30908
@ -3,29 +3,29 @@
CAVS test for OpenSSH's own CTR encryption mode implementation
diff --git a/Makefile.in b/Makefile.in
index 7488595..d426006 100644
index d5c37b5..5d4fcd2 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
@@ -25,6 +25,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
+CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
STRIP_OPT=@STRIP_OPT@
@@ -62,6 +63,8 @@ MKDIR_P=@MKDIR_P@
@@ -70,6 +71,8 @@ MKDIR_P=@MKDIR_P@
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
+TARGETS += cavstest-ctr$(EXEEXT)
+
XMSS_OBJS=\
ssh-xmss.o \
sshkey-xmss.o \
@@ -210,6 +213,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o s
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
@@ -244,6 +247,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
+# FIPS tests
+cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
@ -34,8 +34,8 @@ index 7488595..d426006 100644
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
@@ -354,6 +361,7 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@@ -398,6 +405,7 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
@ -263,7 +263,7 @@ index 0000000..f81cb72
+ return 0;
+}
diff --git a/cipher.c b/cipher.c
index acca752..b67a4ff 100644
index 2f5430b..599b54a 100644
--- a/cipher.c
+++ b/cipher.c
@@ -58,15 +58,6 @@
@ -274,7 +274,7 @@ index acca752..b67a4ff 100644
- int plaintext;
- int encrypt;
- EVP_CIPHER_CTX *evp;
- struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
- struct chachapoly_ctx *cp_ctx;
- struct aesctr_ctx ac_ctx; /* XXX union with evp? */
- const struct sshcipher *cipher;
-};
@ -283,7 +283,7 @@ index acca752..b67a4ff 100644
char *name;
u_int block_size;
diff --git a/cipher.h b/cipher.h
index 5843aab..d7d8c89 100644
index 1a591cd..10ccb28 100644
--- a/cipher.h
+++ b/cipher.h
@@ -48,7 +48,15 @@
@ -295,7 +295,7 @@ index 5843aab..d7d8c89 100644
+ int plaintext;
+ int encrypt;
+ EVP_CIPHER_CTX *evp;
+ struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
+ struct chachapoly_ctx *cp_ctx; /* XXX union with evp? */
+ struct aesctr_ctx ac_ctx; /* XXX union with evp? */
+ const struct sshcipher *cipher;
+};
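Review bot: The install line `$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)` in the install-files hunk hard-codes the destination while the same patch defines `CAVSTEST_CTR=$(libexecdir)/cavstest-ctr` a few hunks earlier, so that variable is never used. The neighbouring helpers install through their variable, e.g. `$(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)`, and `$(DESTDIR)$(CAVSTEST_CTR)$(EXEEXT)` would keep the three consistent and give packagers a single place to relocate the self-test binary. The same pattern recurs in the cavstest-kdf section (CAVSTEST_KDF defined next to it) and shows up again as context in the ssh-ldap-helper section. No uninstall entry for cavstest-ctr is visible in this section; if the patch does not add one elsewhere, `-rm -f $(DESTDIR)$(CAVSTEST_CTR)$(EXEEXT)` belongs beside the ssh-sk-helper line in the uninstall target.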
@ -3,27 +3,27 @@
CAVS test for KDF implementation in OpenSSH
diff --git a/Makefile.in b/Makefile.in
index d426006..85818f4 100644
index 5d4fcd2..9eab827 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -25,6 +25,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
@@ -26,6 +26,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
+CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
STRIP_OPT=@STRIP_OPT@
@@ -63,7 +64,7 @@ MKDIR_P=@MKDIR_P@
@@ -71,7 +72,7 @@ MKDIR_P=@MKDIR_P@
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
-TARGETS += cavstest-ctr$(EXEEXT)
+TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
XMSS_OBJS=\
ssh-xmss.o \
@@ -217,6 +218,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glo
@@ -251,6 +252,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
$(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@ -33,7 +33,7 @@ index d426006..85818f4 100644
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
@@ -362,6 +366,7 @@ install-files:
@@ -406,6 +410,7 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
@ -4,17 +4,17 @@ FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
algorithms.
diff --git a/Makefile.in b/Makefile.in
index 1d2b2d9..7488595 100644
index 62cd072..d5c37b5 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -103,6 +103,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
platform-pledge.o platform-tracing.o platform-misc.o
@@ -114,6 +114,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
SKOBJS= ssh-sk-client.o
+LIBSSH_OBJS += fips.o
+
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect2.o mux.o
sshconnect.o sshconnect2.o mux.o $(SKOBJS)
diff --git a/cipher-ctr.c b/cipher-ctr.c
index 32771f2..b66f92f 100644
@ -39,7 +39,7 @@ index 32771f2..b66f92f 100644
return (&aes_ctr);
}
diff --git a/cipher.c b/cipher.c
index 25f98ba..acca752 100644
index 8195199..2f5430b 100644
--- a/cipher.c
+++ b/cipher.c
@@ -51,6 +51,9 @@
@ -123,7 +123,7 @@ index 25f98ba..acca752 100644
if ((c->flags & CFLAG_INTERNAL) != 0)
continue;
if (auth_only && c->auth_len == 0)
@@ -196,7 +243,7 @@ const struct sshcipher *
@@ -207,7 +254,7 @@ const struct sshcipher *
cipher_by_name(const char *name)
{
const struct sshcipher *c;
@ -401,10 +401,10 @@ index 0000000..a115a61
+#endif
+
diff --git a/hmac.c b/hmac.c
index 3268887..b905a1e 100644
index 7b58801..5a92074 100644
--- a/hmac.c
+++ b/hmac.c
@@ -146,7 +146,7 @@ hmac_test(void *key, size_t klen, void *m, size_t mlen, u_char *e, size_t elen)
@@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void *m, size_t mlen, u_char *e, size_t elen)
size_t i;
u_char digest[16];
@ -414,10 +414,10 @@ index 3268887..b905a1e 100644
if (ssh_hmac_init(ctx, key, klen) < 0 ||
ssh_hmac_update(ctx, m, mlen) < 0 ||
diff --git a/kex.c b/kex.c
index 49d7015..1f82c2e 100644
index b09fbac..a5e4be7 100644
--- a/kex.c
+++ b/kex.c
@@ -60,6 +60,8 @@
@@ -63,6 +63,8 @@
#include "sshbuf.h"
#include "digest.h"
@ -426,7 +426,7 @@ index 49d7015..1f82c2e 100644
/* prototype */
static int kex_choose_conf(struct ssh *);
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
@@ -83,7 +85,7 @@ struct kexalg {
@@ -86,7 +88,7 @@ struct kexalg {
int ec_nid;
int hash_alg;
};
@ -435,7 +435,7 @@ index 49d7015..1f82c2e 100644
#ifdef WITH_OPENSSL
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
@@ -114,6 +116,47 @@ static const struct kexalg kexalgs[] = {
@@ -117,6 +119,47 @@ static const struct kexalg kexalgs[] = {
{ NULL, 0, -1, -1},
};
@ -483,7 +483,7 @@ index 49d7015..1f82c2e 100644
char *
kex_alg_list(char sep)
{
@@ -121,7 +164,7 @@ kex_alg_list(char sep)
@@ -124,7 +167,7 @@ kex_alg_list(char sep)
size_t nlen, rlen = 0;
const struct kexalg *k;
@ -492,7 +492,7 @@ index 49d7015..1f82c2e 100644
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(k->name);
@@ -141,7 +184,7 @@ kex_alg_by_name(const char *name)
@@ -144,7 +187,7 @@ kex_alg_by_name(const char *name)
{
const struct kexalg *k;
@ -501,7 +501,7 @@ index 49d7015..1f82c2e 100644
if (strcmp(k->name, name) == 0)
return k;
}
@@ -161,7 +204,10 @@ kex_names_valid(const char *names)
@@ -164,7 +207,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) {
@ -595,21 +595,8 @@ index f3dda66..90d71c8 100644
if (strcmp(name, m->name) != 0)
continue;
if (mac != NULL)
diff --git a/myproposal.h b/myproposal.h
index 34bd10c..e6be484 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -144,6 +144,8 @@
#else /* WITH_OPENSSL */
+#error "OpenSSL support is needed for FIPS mode to compile"
+
#define KEX_SERVER_KEX \
"curve25519-sha256," \
"curve25519-sha256@libssh.org"
diff --git a/readconf.c b/readconf.c
index f78b4d6..228f481 100644
index 26e80c5..595f053 100644
--- a/readconf.c
+++ b/readconf.c
@@ -68,6 +68,8 @@
@ -621,7 +608,7 @@ index f78b4d6..228f481 100644
/* Format of the configuration file:
# Configuration data is parsed as follows:
@@ -1837,6 +1839,23 @@ option_clear_or_none(const char *o)
@@ -1908,6 +1910,23 @@ option_clear_or_none(const char *o)
return o == NULL || strcasecmp(o, "none") == 0;
}
@ -645,40 +632,50 @@ index f78b4d6..228f481 100644
/*
* Initializes options to special values that indicate that they have not yet
* been set. Read_config_file will only set options with this value. Options
@@ -2116,6 +2135,8 @@ fill_default_options(Options * options)
@@ -2196,6 +2215,9 @@ fill_default_options(Options * options)
options->canonicalize_hostname = SSH_CANONICALISE_NO;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+ options->fingerprint_hash =
+ fips_correct_dgst(options->fingerprint_hash);
if (options->update_hostkeys == -1)
options->update_hostkeys = 0;
@@ -2143,6 +2164,7 @@ fill_default_options(Options * options)
+
#ifdef ENABLE_SK_INTERNAL
if (options->sk_provider == NULL)
options->sk_provider = xstrdup("internal");
@@ -2229,6 +2251,7 @@ fill_default_options(Options * options)
ASSEMBLE(pubkey_key_types, def_key, all_key);
ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
#undef ASSEMBLE
+
free(all_cipher);
free(all_mac);
free(all_kex);
free(all_key);
free(all_sig);
+ filter_fips_algorithms(options);
@@ -2240,6 +2263,8 @@ fill_default_options(Options * options)
kex_default_pk_alg_filtered = def_key; /* save for later use */
free(def_sig);
+ filter_fips_algorithms(options);
+
#define CLEAR_ON_NONE(v) \
do { \
if (option_clear_or_none(v)) { \
diff --git a/readconf.h b/readconf.h
index 8e36bf3..67111e9 100644
index e143a10..ef18d5c 100644
--- a/readconf.h
+++ b/readconf.h
@@ -197,6 +197,7 @@ typedef struct {
@@ -199,6 +199,7 @@ typedef struct {
#define SSH_STRICT_HOSTKEY_YES 2
#define SSH_STRICT_HOSTKEY_ASK 3
+void filter_fips_algorithms(Options *o);
void initialize_options(Options *);
void fill_default_options(Options *);
void fill_default_options_for_canonicalization(Options *);
const char *kex_default_pk_alg(void);
char *ssh_connection_hash(const char *thishost, const char *host,
const char *portstr, const char *user);
diff --git a/servconf.c b/servconf.c
index f58fecb..a8833a9 100644
index 6be7274..9a51bfb 100644
--- a/servconf.c
+++ b/servconf.c
@@ -64,6 +64,7 @@
@@ -69,6 +69,7 @@
#include "auth.h"
#include "myproposal.h"
#include "digest.h"
@ -686,7 +683,7 @@ index f58fecb..a8833a9 100644
static void add_listen_addr(ServerOptions *, const char *,
const char *, int);
@@ -190,6 +191,23 @@ option_clear_or_none(const char *o)
@@ -200,6 +201,23 @@ option_clear_or_none(const char *o)
return o == NULL || strcasecmp(o, "none") == 0;
}
@ -710,16 +707,16 @@ index f58fecb..a8833a9 100644
static void
assemble_algorithms(ServerOptions *o)
{
@@ -219,6 +237,8 @@ assemble_algorithms(ServerOptions *o)
free(all_kex);
free(all_key);
free(all_sig);
@@ -241,6 +259,8 @@ assemble_algorithms(ServerOptions *o)
free(def_kex);
free(def_key);
free(def_sig);
+
+ filter_fips_algorithms_s(o);
}
static void
@@ -424,6 +444,8 @@ fill_default_server_options(ServerOptions *options)
@@ -453,6 +473,8 @@ fill_default_server_options(ServerOptions *options)
options->fwd_opts.streamlocal_bind_unlink = 0;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@ -729,19 +726,19 @@ index f58fecb..a8833a9 100644
options->disable_forwarding = 0;
if (options->expose_userauth_info == -1)
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 8c829ca..da63fb0 100644
index 944faca..c1ecc54 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -64,6 +64,8 @@
#include "authfd.h"
#include "sshsig.h"
@@ -66,6 +66,8 @@
#include "ssh-sk.h"
#include "sk-api.h" /* XXX for SSH_SK_USER_PRESENCE_REQD; remove */
+#include "fips.h"
+
#ifdef WITH_OPENSSL
# define DEFAULT_KEY_TYPE_NAME "rsa"
#else
@@ -1002,11 +1004,13 @@ do_fingerprint(struct passwd *pw)
@@ -1032,11 +1034,13 @@ do_fingerprint(struct passwd *pw)
static void
do_gen_all_hostkeys(struct passwd *pw)
{
@ -757,7 +754,7 @@ index 8c829ca..da63fb0 100644
#ifdef WITH_OPENSSL
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
@@ -1021,6 +1025,17 @@ do_gen_all_hostkeys(struct passwd *pw)
@@ -1051,6 +1055,17 @@ do_gen_all_hostkeys(struct passwd *pw)
{ NULL, NULL, NULL }
};
@ -775,9 +772,9 @@ index 8c829ca..da63fb0 100644
u_int32_t bits = 0;
int first = 0;
struct stat st;
@@ -1029,6 +1044,12 @@ do_gen_all_hostkeys(struct passwd *pw)
@@ -1058,6 +1073,12 @@ do_gen_all_hostkeys(struct passwd *pw)
char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file;
int i, type, fd, r;
FILE *f;
+ if (fips_mode()) {
+ key_types = key_types_fips140_2;
@ -788,7 +785,7 @@ index 8c829ca..da63fb0 100644
for (i = 0; key_types[i].key_type; i++) {
public = private = NULL;
prv_tmp = pub_tmp = prv_file = pub_file = NULL;
@@ -3215,6 +3236,15 @@ main(int argc, char **argv)
@@ -3532,6 +3553,15 @@ main(int argc, char **argv)
key_type_name = DEFAULT_KEY_TYPE_NAME;
type = sshkey_type_from_name(key_type_name);
@ -805,10 +802,10 @@ index 8c829ca..da63fb0 100644
if (!quiet)
diff --git a/ssh_config.5 b/ssh_config.5
index 02a8789..f0cb291 100644
index c45fb8d..55d4b5e 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -664,6 +664,8 @@ Valid options are:
@@ -669,6 +669,8 @@ Valid options are:
and
.Cm sha256
(the default).
@ -818,12 +815,12 @@ index 02a8789..f0cb291 100644
Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote machine.
diff --git a/sshd.c b/sshd.c
index 6b55ef7..c8086cd 100644
index a24241c..e18078f 100644
--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,8 @@
#include "version.h"
@@ -128,6 +128,8 @@
#include "ssherr.h"
#include "sk-api.h"
+#include "fips.h"
+
@ -831,10 +828,10 @@ index 6b55ef7..c8086cd 100644
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
diff --git a/sshd_config.5 b/sshd_config.5
index 0707b47..8818ea5 100644
index 52552d2..35affe5 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -605,6 +605,8 @@ and
@@ -594,6 +594,8 @@ and
.Cm sha256 .
The default is
.Cm sha256 .
@ -7,7 +7,7 @@
# FIPS mode). SHA-2 seems to be a reasonable choice.
#
# The logic of the checks is as follows: decide whether FIPS mode is mandated
# (either by checking /proc/sys/crypto/fips_enabled or envoroinment variable
# (either by checking /proc/sys/crypto/fips_enabled or environment variable
# SSH_FORCE_FIPS. In FIPS mode, checksums are required to match (inability to
# retrieve pre-calculated hash is a fatal error). In non-FIPS mode the checks
# still must be performed, unless the hashes are not installed. Thus if the hash
@ -410,7 +410,7 @@ index a115a61..3404684 100644
#endif
-
diff --git a/sftp-server.c b/sftp-server.c
index b133cbc..c3086b6 100644
index 359204f..d6395fd 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -53,6 +53,8 @@
@ -422,7 +422,7 @@ index b133cbc..c3086b6 100644
/* Our verbosity */
static LogLevel log_level = SYSLOG_LEVEL_ERROR;
@@ -1595,6 +1597,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
@@ -1576,6 +1578,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
extern char *optarg;
extern char *__progname;
@ -433,7 +433,7 @@ index b133cbc..c3086b6 100644
log_init(__progname, log_level, log_facility, log_stderr);
diff --git a/ssh.c b/ssh.c
index ee51823..882d1da 100644
index 98b6ce7..dce28fd 100644
--- a/ssh.c
+++ b/ssh.c
@@ -113,6 +113,8 @@
@ -445,9 +445,9 @@ index ee51823..882d1da 100644
extern char *__progname;
/* Saves a copy of argv for setproctitle emulation */
@@ -596,6 +598,10 @@ main(int ac, char **av)
struct ssh_digest_ctx *md;
u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
@@ -630,6 +632,10 @@ main(int ac, char **av)
struct addrinfo *addrs = NULL;
size_t n, len;
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
@ -457,10 +457,10 @@ index ee51823..882d1da 100644
sanitise_stdfd();
diff --git a/sshd.c b/sshd.c
index c8086cd..bb20eec 100644
index b2146a6..6092f0f 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1443,6 +1443,10 @@ main(int ac, char **av)
@@ -1505,6 +1505,10 @@ main(int ac, char **av)
Authctxt *authctxt;
struct connection_info *connection_info = NULL;
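Review bot: In the readconf.c fill_default_options hunks, `filter_fips_algorithms(options);` now appears twice, once directly after `free(all_sig);` and once just before the `#define CLEAR_ON_NONE(v)` block; the rendered view has lost the old/new markers, so if both lines are on the new side the client runs the FIPS algorithm filter twice per fill_default_options, and if one belongs to the displaced pre-rebase hunk it should simply disappear in the rebased patch. Please confirm only one call survives; the server-side counterpart in servconf.c adds `filter_fips_algorithms_s(o);` exactly once at the end of assemble_algorithms, which is the shape to match. A one-line comment above the surviving call, `/* FIPS mode: drop non-approved algorithms once the option lists are assembled */`, would record why it sits after the ASSEMBLE/free sequence. fill_default_options starts and ends outside the shown hunks.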
@ -3,14 +3,12 @@
# -- uset do be called '-xauthlocalhostname'
handle hostname changes when forwarding X
bnc#98627
diff --git a/session.c b/session.c
index 94d7438..d81060c 100644
index 18cdfa8..85a9ee2 100644
--- a/session.c
+++ b/session.c
@@ -981,7 +981,7 @@ copy_environment(char **source, char ***env, u_int *envsize)
}
@@ -985,7 +985,7 @@ copy_environment(char **source, char ***env, u_int *envsize)
#endif
static char **
-do_setup_env(struct ssh *ssh, Session *s, const char *shell)
@ -18,7 +16,7 @@ index 94d7438..d81060c 100644
{
char buf[256];
size_t n;
@@ -1191,6 +1191,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
@@ -1195,6 +1195,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
for (i = 0; env[i]; i++)
fprintf(stderr, " %.200s\n", env[i]);
}
@ -27,7 +25,7 @@ index 94d7438..d81060c 100644
return env;
}
@@ -1199,7 +1201,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
@@ -1203,7 +1205,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
* first in this order).
*/
static void
@ -36,7 +34,7 @@ index 94d7438..d81060c 100644
{
FILE *f = NULL;
char cmd[1024];
@@ -1254,12 +1256,20 @@ do_rc_files(struct ssh *ssh, Session *s, const char *shell)
@@ -1258,12 +1260,20 @@ do_rc_files(struct ssh *ssh, Session *s, const char *shell)
options.xauth_location);
f = popen(cmd, "w");
if (f) {
@ -57,7 +55,7 @@ index 94d7438..d81060c 100644
} else {
fprintf(stderr, "Could not run %s\n",
cmd);
@@ -1515,6 +1525,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
@@ -1519,6 +1529,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
char **env, *argv[ARGV_MAX], remote_id[512];
const char *shell, *shell0;
struct passwd *pw = s->pw;
@ -65,7 +63,7 @@ index 94d7438..d81060c 100644
int r = 0;
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
@@ -1571,7 +1582,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
@@ -1575,7 +1586,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
* Make sure $SHELL points to the shell from the password file,
* even if shell is overridden from login.conf
*/
@ -74,7 +72,7 @@ index 94d7438..d81060c 100644
#ifdef HAVE_LOGIN_CAP
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
@@ -1635,7 +1646,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
@@ -1639,7 +1650,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
closefrom(STDERR_FILENO + 1);
@ -82,4 +80,4 @@ index 94d7438..d81060c 100644
+ do_rc_files(ssh, s, shell, env, &env_size);
/* restore SIGPIPE for child */
signal(SIGPIPE, SIG_DFL);
ssh_signal(SIGPIPE, SIG_DFL);
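Review bot: The first line of the patch preamble, `# -- uset do be called '-xauthlocalhostname'`, has two typos and should read `# -- used to be called '-xauthlocalhostname'`; this header is what a packager reads to trace the option's history, so it is worth fixing while the patch is being rebased. The visible session.c hunks are context refreshes only (`signal` to `ssh_signal`, the new `do_rc_files(ssh, s, shell, env, &env_size);` call), and the eight lines the patch adds inside do_rc_files around `f = popen(cmd, "w");` fall outside the rendered view, so they could not be checked here. do_rc_files and do_child both start and end outside the shown hunks.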
@ -125,19 +125,19 @@ index 0000000..831d399
+ - Finlay dobbie.
+ - Stefan Fisher.
diff --git a/Makefile.in b/Makefile.in
index 750aada..1baf5c6 100644
index 6010d1c..f54348b 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
@@ -25,6 +25,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
PRIVSEP_PATH=@PRIVSEP_PATH@
@@ -66,6 +68,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys
@@ -74,6 +76,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys
TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
@ -147,28 +147,28 @@ index 750aada..1baf5c6 100644
XMSS_OBJS=\
ssh-xmss.o \
sshkey-xmss.o \
@@ -127,8 +132,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
sandbox-solaris.o uidswap.o
@@ -158,8 +163,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-server.o sftp-server-main.o
-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
SFTP_OBJS= sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out
-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5
+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
MANTYPE = @MANTYPE@
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -208,6 +213,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -242,6 +247,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -363,6 +371,10 @@ install-files:
@@ -406,6 +414,10 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -176,10 +176,10 @@ index 750aada..1baf5c6 100644
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
+ $(INSTALL) -m 0755 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
+ fi
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
@@ -381,6 +393,10 @@ install-files:
@@ -425,6 +437,10 @@ install-files:
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
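Review bot: The helper install line `$(INSTALL) -m 0755 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \` is the only binary install in this hunk that omits `$(EXEEXT)` on both the source and the destination, while the build rule earlier on the page is declared as `ssh-ldap-helper$(EXEEXT)` and the uninstall hunk (`@ -204,28 +204,28 @@`) removes `$(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)`. On a platform with a non-empty EXEEXT the install step would not find the built file and the uninstall would remove a path that was never installed; suggest `$(INSTALL) -m 0755 $(STRIP_OPT) ssh-ldap-helper$(EXEEXT) $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT) ; \`. The neighbouring `ssh-ldap-wrapper` line has the same asymmetry with its uninstall counterpart, though being installed without `$(STRIP_OPT)` it is presumably a script, in which case the uninstall side is the one to fix. The enclosing shell `if` block starts outside the hunk; only its closing `fi` is visible.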
@ -187,10 +187,10 @@ index 750aada..1baf5c6 100644
|
||||
+ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
|
||||
+ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
|
||||
+ fi
|
||||
$(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
|
||||
|
||||
install-sysconf:
|
||||
$(MKDIR_P) $(DESTDIR)$(sysconfdir)
|
||||
@@ -404,6 +420,13 @@ install-sysconf:
|
||||
@@ -449,6 +465,13 @@ install-sysconf:
|
||||
else \
|
||||
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
|
||||
fi
|
||||
@ -204,28 +204,28 @@ index 750aada..1baf5c6 100644
|
||||
|
||||
host-key: ssh-keygen$(EXEEXT)
|
||||
@if [ -z "$(DESTDIR)" ] ; then \
|
||||
@@ -441,6 +464,8 @@ uninstall:
|
||||
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
@@ -487,6 +510,8 @@ uninstall:
|
||||
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||
+ -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
|
||||
+ -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||
@@ -452,6 +477,7 @@ uninstall:
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
||||
@@ -499,6 +524,7 @@ uninstall:
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
|
||||
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
|
||||
|
||||
regress-prep:
|
||||
$(MKDIR_P) `pwd`/regress/unittests/test_helper
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 20a1884..ff9c11a 100644
|
||||
index 4ddf539..1fd0b17 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -1651,6 +1651,106 @@ AC_ARG_WITH([audit],
|
||||
@@ -1688,6 +1688,106 @@ AC_ARG_WITH([audit],
|
||||
esac ]
|
||||
)
|
||||
|
||||
|
@ -2,15 +2,11 @@
|
||||
# Parent bad0c8b3b8d72abb6960ed85b57ee42352371738
|
||||
Do not write a PID file when not daemonizing (e.g. when running from systemd)
|
||||
|
||||
diff --git a/openssh-7.7p1/sshd.c b/openssh-7.7p1/sshd.c
|
||||
--- openssh-7.7p1/sshd.c
|
||||
+++ openssh-7.7p1/sshd.c
|
||||
@@ -1996,17 +1996,17 @@ main(int ac, char **av)
|
||||
signal(SIGCHLD, main_sigchld_handler);
|
||||
signal(SIGTERM, sigterm_handler);
|
||||
signal(SIGQUIT, sigterm_handler);
|
||||
|
||||
/*
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index f3ccc3a..eadc1b3 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -2076,7 +2076,7 @@ main(int ac, char **av)
|
||||
* Write out the pid file after the sigterm handler
|
||||
* is setup and the listen sockets are bound
|
||||
*/
|
||||
@ -19,8 +15,3 @@ diff --git a/openssh-7.7p1/sshd.c b/openssh-7.7p1/sshd.c
|
||||
FILE *f = fopen(options.pid_file, "w");
|
||||
|
||||
if (f == NULL) {
|
||||
error("Couldn't create pid file \"%s\": %s",
|
||||
options.pid_file, strerror(errno));
|
||||
} else {
|
||||
fprintf(f, "%ld\n", (long) getpid());
|
||||
fclose(f);
|
||||
|
@ -1,379 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent e655fcb8e89d19ce9e954d6fc330e5e3e093a848
|
||||
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
|
||||
# bnc#703221, FATE#312172
|
||||
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 85818f4..750aada 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -182,13 +182,13 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
$(RANLIB) $@
|
||||
|
||||
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
||||
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
||||
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
||||
- $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
|
||||
$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
@@ -197,10 +197,10 @@ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
|
||||
$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o
|
||||
- $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o
|
||||
- $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
||||
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
@@ -209,10 +209,10 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o
|
||||
- $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
|
||||
- $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
||||
+ $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
||||
|
||||
# FIPS tests
|
||||
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
|
||||
diff --git a/entropy.c b/entropy.c
|
||||
index 5de6801..f8b9f42 100644
|
||||
--- a/entropy.c
|
||||
+++ b/entropy.c
|
||||
@@ -239,6 +239,8 @@ seed_rng(void)
|
||||
}
|
||||
#endif /* OPENSSL_PRNG_ONLY */
|
||||
|
||||
+ linux_seed();
|
||||
+
|
||||
if (RAND_status() != 1)
|
||||
fatal("PRNG is not seeded");
|
||||
|
||||
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
|
||||
index 1162dc5..80fd688 100644
|
||||
--- a/openbsd-compat/Makefile.in
|
||||
+++ b/openbsd-compat/Makefile.in
|
||||
@@ -91,6 +91,7 @@ COMPAT= arc4random.o \
|
||||
PORTS= port-aix.o \
|
||||
port-irix.o \
|
||||
port-linux.o \
|
||||
+ port-linux-prng.o \
|
||||
port-solaris.o \
|
||||
port-net.o \
|
||||
port-uw.o
|
||||
diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c
|
||||
new file mode 100644
|
||||
index 0000000..dfc4bdb
|
||||
--- /dev/null
|
||||
+++ b/openbsd-compat/port-linux-prng.c
|
||||
@@ -0,0 +1,81 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
|
||||
+ * (c) 2011 Petr Cerny <pcerny@suse.cz>
|
||||
+ *
|
||||
+ * Permission to use, copy, modify, and distribute this software for any
|
||||
+ * purpose with or without fee is hereby granted, provided that the above
|
||||
+ * copyright notice and this permission notice appear in all copies.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * Linux-specific portability code - prng support
|
||||
+ */
|
||||
+
|
||||
+#include "includes.h"
|
||||
+#include "defines.h"
|
||||
+
|
||||
+#include <errno.h>
|
||||
+#include <stdarg.h>
|
||||
+#include <string.h>
|
||||
+#include <stdio.h>
|
||||
+#include <openssl/rand.h>
|
||||
+
|
||||
+#include "log.h"
|
||||
+#include "port-linux.h"
|
||||
+#include "fips.h"
|
||||
+
|
||||
+#define RNG_BYTES_DEFAULT 6L
|
||||
+#define RNG_ENV_VAR "SSH_USE_STRONG_RNG"
|
||||
+
|
||||
+long rand_bytes = 0;
|
||||
+char *rand_file = NULL;
|
||||
+
|
||||
+static void
|
||||
+linux_seed_init(void)
|
||||
+{
|
||||
+ long elen = 0;
|
||||
+ char *env = getenv(RNG_ENV_VAR);
|
||||
+
|
||||
+ if (env) {
|
||||
+ errno = 0;
|
||||
+ elen = strtol(env, NULL, 10);
|
||||
+ if (errno) {
|
||||
+ elen = RNG_BYTES_DEFAULT;
|
||||
+ debug("bogus value in the %s environment variable, "
|
||||
+ "using %li bytes from /dev/random\n",
|
||||
+ RNG_ENV_VAR, RNG_BYTES_DEFAULT);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (elen || fips_mode())
|
||||
+ rand_file = "/dev/random";
|
||||
+ else
|
||||
+ rand_file = "/dev/urandom";
|
||||
+
|
||||
+ rand_bytes = MAX(elen, RNG_BYTES_DEFAULT);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+linux_seed(void)
|
||||
+{
|
||||
+ long len;
|
||||
+ if (!rand_file)
|
||||
+ linux_seed_init();
|
||||
+
|
||||
+ errno = 0;
|
||||
+ len = RAND_load_file(rand_file, rand_bytes);
|
||||
+ if (len != rand_bytes) {
|
||||
+ if (errno)
|
||||
+ fatal ("cannot read from %s, %s", rand_file, strerror(errno));
|
||||
+ else
|
||||
+ fatal ("EOF reading %s", rand_file);
|
||||
+ }
|
||||
+}
|
||||
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
|
||||
index 3c22a85..2dc1fd0 100644
|
||||
--- a/openbsd-compat/port-linux.h
|
||||
+++ b/openbsd-compat/port-linux.h
|
||||
@@ -17,6 +17,10 @@
|
||||
#ifndef _PORT_LINUX_H
|
||||
#define _PORT_LINUX_H
|
||||
|
||||
+extern long rand_bytes;
|
||||
+extern char *rand_file;
|
||||
+void linux_seed(void);
|
||||
+
|
||||
#ifdef WITH_SELINUX
|
||||
int ssh_selinux_enabled(void);
|
||||
void ssh_selinux_setup_pty(char *, const char *);
|
||||
diff --git a/ssh-add.1 b/ssh-add.1
|
||||
index d4e1c60..6f76900 100644
|
||||
--- a/ssh-add.1
|
||||
+++ b/ssh-add.1
|
||||
@@ -189,6 +189,20 @@ to make this work.)
|
||||
Identifies the path of a
|
||||
.Ux Ns -domain
|
||||
socket used to communicate with the agent.
|
||||
+.It Ev SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 6 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
.El
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds
|
||||
diff --git a/ssh-agent.1 b/ssh-agent.1
|
||||
index 83b2b41..9e187f2 100644
|
||||
--- a/ssh-agent.1
|
||||
+++ b/ssh-agent.1
|
||||
@@ -214,6 +214,23 @@ sockets used to contain the connection to the authentication agent.
|
||||
These sockets should only be readable by the owner.
|
||||
The sockets should get automatically removed when the agent exits.
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 6 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
diff --git a/ssh-keygen.1 b/ssh-keygen.1
|
||||
index 957d2f0..70c4a28 100644
|
||||
--- a/ssh-keygen.1
|
||||
+++ b/ssh-keygen.1
|
||||
@@ -1054,6 +1054,23 @@ Contains Diffie-Hellman groups used for DH-GEX.
|
||||
The file format is described in
|
||||
.Xr moduli 5 .
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 6 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
diff --git a/ssh-keysign.8 b/ssh-keysign.8
|
||||
index 19b0dbc..639b56e 100644
|
||||
--- a/ssh-keysign.8
|
||||
+++ b/ssh-keysign.8
|
||||
@@ -80,6 +80,23 @@ must be set-uid root if host-based authentication is used.
|
||||
If these files exist they are assumed to contain public certificate
|
||||
information corresponding with the private keys above.
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 6 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
diff --git a/ssh.1 b/ssh.1
|
||||
index 424d6c3..899a339 100644
|
||||
--- a/ssh.1
|
||||
+++ b/ssh.1
|
||||
@@ -1433,6 +1433,20 @@ For more information, see the
|
||||
.Cm PermitUserEnvironment
|
||||
option in
|
||||
.Xr sshd_config 5 .
|
||||
+.It Ev SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 6 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Pa ~/.rhosts
|
||||
diff --git a/sshd.8 b/sshd.8
|
||||
index fb133c1..2f1d3ab 100644
|
||||
--- a/sshd.8
|
||||
+++ b/sshd.8
|
||||
@@ -966,6 +966,23 @@ concurrently for different ports, this contains the process ID of the one
|
||||
started last).
|
||||
The content of this file is not sensitive; it can be world-readable.
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 6 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
.Sh SEE ALSO
|
||||
.Xr scp 1 ,
|
||||
.Xr sftp 1 ,
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index bb20eec..c562094 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -55,6 +55,8 @@
|
||||
#endif
|
||||
#include "openbsd-compat/sys-tree.h"
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
+#include "openbsd-compat/port-linux.h"
|
||||
+
|
||||
#include <sys/wait.h>
|
||||
|
||||
#include <errno.h>
|
||||
@@ -205,6 +207,13 @@ struct {
|
||||
int have_ssh2_key;
|
||||
} sensitive_data;
|
||||
|
||||
+/*
|
||||
+ * Every RESEED_AFTERth connection triggers call to linux_seed() to re-seed the
|
||||
+ * random pool.
|
||||
+ */
|
||||
+#define RESEED_AFTER 100
|
||||
+static int re_seeding_counter = RESEED_AFTER;
|
||||
+
|
||||
/* This is set to true when a signal is received. */
|
||||
static volatile sig_atomic_t received_sighup = 0;
|
||||
static volatile sig_atomic_t received_sigterm = 0;
|
||||
@@ -1201,6 +1210,10 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
|
||||
startup_flags[j] = 1;
|
||||
break;
|
||||
}
|
||||
+ if(!(--re_seeding_counter)) {
|
||||
+ re_seeding_counter = RESEED_AFTER;
|
||||
+ linux_seed();
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Got connection. Fork a child to handle it, unless
|
@ -2,12 +2,11 @@
|
||||
# Parent 60bdbe6dd8d6bc011883472363d56e1d97f68835
|
||||
Put back sftp client diagnostic messages in batch mode
|
||||
|
||||
bsc#1023275
|
||||
diff --git a/sftp.1 b/sftp.1
|
||||
index a52c1cf..7333de8 100644
|
||||
index a305b37..6e802ec 100644
|
||||
--- a/sftp.1
|
||||
+++ b/sftp.1
|
||||
@@ -278,6 +278,9 @@ Specifies the port to connect to on the remote host.
|
||||
@@ -282,6 +282,9 @@ Specifies the port to connect to on the remote host.
|
||||
.It Fl p
|
||||
Preserves modification times, access times, and modes from the
|
||||
original files transferred.
|
||||
@ -18,7 +17,7 @@ index a52c1cf..7333de8 100644
|
||||
Quiet mode: disables the progress meter as well as warning and
|
||||
diagnostic messages from
|
||||
diff --git a/sftp.c b/sftp.c
|
||||
index b66037f..6c94a38 100644
|
||||
index 2799e4a..52b2c23 100644
|
||||
--- a/sftp.c
|
||||
+++ b/sftp.c
|
||||
@@ -85,6 +85,9 @@ static volatile pid_t sshpid = -1;
|
||||
@ -31,16 +30,16 @@ index b66037f..6c94a38 100644
|
||||
/* This is set to 0 if the progressmeter is not desired. */
|
||||
int showprogress = 1;
|
||||
|
||||
@@ -2406,7 +2409,7 @@ main(int argc, char **argv)
|
||||
@@ -2409,7 +2412,7 @@ main(int argc, char **argv)
|
||||
infile = stdin;
|
||||
|
||||
while ((ch = getopt(argc, argv,
|
||||
- "1246afhpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
|
||||
+ "1246afhpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
|
||||
- "1246afhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
|
||||
+ "1246afhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
|
||||
switch (ch) {
|
||||
/* Passed through to ssh(1) */
|
||||
case '4':
|
||||
@@ -2423,6 +2426,9 @@ main(int argc, char **argv)
|
||||
@@ -2426,6 +2429,9 @@ main(int argc, char **argv)
|
||||
addargs(&args, "-%c", ch);
|
||||
addargs(&args, "%s", optarg);
|
||||
break;
|
||||
@ -50,7 +49,7 @@ index b66037f..6c94a38 100644
|
||||
case 'q':
|
||||
ll = SYSLOG_LEVEL_ERROR;
|
||||
quiet = 1;
|
||||
@@ -2506,6 +2512,8 @@ main(int argc, char **argv)
|
||||
@@ -2510,6 +2516,8 @@ main(int argc, char **argv)
|
||||
usage();
|
||||
}
|
||||
}
|
||||
|
@ -1,29 +1,29 @@
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 1baf5c6..02bafbc 100644
|
||||
index 9eab827..9d3f569 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
@@ -113,6 +113,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
|
||||
kexgexc.o kexgexs.o \
|
||||
sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
|
||||
+ kexgssc.o \
|
||||
platform-pledge.o platform-tracing.o platform-misc.o
|
||||
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
||||
sshbuf-io.o
|
||||
|
||||
|
||||
@@ -125,7 +126,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
|
||||
@@ -131,7 +132,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
|
||||
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
|
||||
auth2-none.o auth2-passwd.o auth2-pubkey.o \
|
||||
monitor.o monitor_wrap.o auth-krb5.o \
|
||||
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
||||
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
|
||||
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
||||
sftp-server.o sftp-common.o sftp-realpath.o \
|
||||
sftp-server.o sftp-common.o \
|
||||
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
|
||||
diff --git a/auth.c b/auth.c
|
||||
index 5c58dd1..ab43955 100644
|
||||
index 0a2dd3a..779a1af 100644
|
||||
--- a/auth.c
|
||||
+++ b/auth.c
|
||||
@@ -399,7 +399,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
|
||||
@@ -400,7 +400,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
|
||||
case PERMIT_NO_PASSWD:
|
||||
if (strcmp(method, "publickey") == 0 ||
|
||||
strcmp(method, "hostbased") == 0 ||
|
||||
@ -33,7 +33,7 @@ index 5c58dd1..ab43955 100644
|
||||
return 1;
|
||||
break;
|
||||
case PERMIT_FORCED_ONLY:
|
||||
@@ -723,99 +724,6 @@ fakepw(void)
|
||||
@@ -724,99 +725,6 @@ fakepw(void)
|
||||
return (&fake);
|
||||
}
|
||||
|
||||
@ -62,7 +62,7 @@ index 5c58dd1..ab43955 100644
|
||||
- if (getpeername(ssh_packet_get_connection_in(ssh),
|
||||
- (struct sockaddr *)&from, &fromlen) == -1) {
|
||||
- debug("getpeername failed: %.100s", strerror(errno));
|
||||
- return strdup(ntop);
|
||||
- return xstrdup(ntop);
|
||||
- }
|
||||
-
|
||||
- ipv64_normalise_mapped(&from, &fromlen);
|
||||
@ -74,7 +74,7 @@ index 5c58dd1..ab43955 100644
|
||||
- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
|
||||
- NULL, 0, NI_NAMEREQD) != 0) {
|
||||
- /* Host name not found. Use ip address. */
|
||||
- return strdup(ntop);
|
||||
- return xstrdup(ntop);
|
||||
- }
|
||||
-
|
||||
- /*
|
||||
@ -89,7 +89,7 @@ index 5c58dd1..ab43955 100644
|
||||
- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
|
||||
- name, ntop);
|
||||
- freeaddrinfo(ai);
|
||||
- return strdup(ntop);
|
||||
- return xstrdup(ntop);
|
||||
- }
|
||||
-
|
||||
- /* Names are stored in lowercase. */
|
||||
@ -110,7 +110,7 @@ index 5c58dd1..ab43955 100644
|
||||
- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
|
||||
- logit("reverse mapping checking getaddrinfo for %.700s "
|
||||
- "[%s] failed.", name, ntop);
|
||||
- return strdup(ntop);
|
||||
- return xstrdup(ntop);
|
||||
- }
|
||||
- /* Look for the address from the list of addresses. */
|
||||
- for (ai = aitop; ai; ai = ai->ai_next) {
|
||||
@ -125,9 +125,9 @@ index 5c58dd1..ab43955 100644
|
||||
- /* Address not found for the host name. */
|
||||
- logit("Address %.100s maps to %.600s, but this does not "
|
||||
- "map back to the address.", ntop, name);
|
||||
- return strdup(ntop);
|
||||
- return xstrdup(ntop);
|
||||
- }
|
||||
- return strdup(name);
|
||||
- return xstrdup(name);
|
||||
-}
|
||||
-
|
||||
/*
|
||||
@ -229,7 +229,7 @@ index 9351e04..d6446c0 100644
|
||||
"gssapi-with-mic",
|
||||
userauth_gssapi,
|
||||
diff --git a/auth2.c b/auth2.c
|
||||
index 0e77622..1c21726 100644
|
||||
index 91aaf34..a4a5e00 100644
|
||||
--- a/auth2.c
|
||||
+++ b/auth2.c
|
||||
@@ -73,6 +73,7 @@ extern Authmethod method_passwd;
|
||||
@ -249,7 +249,7 @@ index 0e77622..1c21726 100644
|
||||
#endif
|
||||
&method_passwd,
|
||||
diff --git a/canohost.c b/canohost.c
|
||||
index abea9c6..9a00fc2 100644
|
||||
index abea9c6..8e81b51 100644
|
||||
--- a/canohost.c
|
||||
+++ b/canohost.c
|
||||
@@ -35,6 +35,99 @@
|
||||
@ -281,7 +281,7 @@ index abea9c6..9a00fc2 100644
+ if (getpeername(ssh_packet_get_connection_in(ssh),
+ (struct sockaddr *)&from, &fromlen) == -1) {
+ debug("getpeername failed: %.100s", strerror(errno));
+ return strdup(ntop);
+ return xstrdup(ntop);
+ }
+
+ ipv64_normalise_mapped(&from, &fromlen);
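Review bot: The function body added to canohost.c now returns `xstrdup(ntop)` in place of `strdup(ntop)` here and in the following four hunks (`@ -293`, `@ -308`, `@ -329`, `@ -344`), mirroring the same switch in the lines removed from auth.c above; canohost.c's include block is not in view, so confirm it pulls in `xmalloc.h`, otherwise these calls compile against an implicit declaration. The change is also behavioural: `xstrdup` does not return NULL but fatal()s on allocation failure, so if any caller of this function still checks the result for NULL that branch is now dead and could be dropped. A one-line comment at the function header, `/* never returns NULL: xstrdup() fatal()s on allocation failure */`, would make the new contract explicit for callers. The function header itself lies outside this hunk.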
@ -293,7 +293,7 @@ index abea9c6..9a00fc2 100644
|
||||
+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
|
||||
+ NULL, 0, NI_NAMEREQD) != 0) {
|
||||
+ /* Host name not found. Use ip address. */
|
||||
+ return strdup(ntop);
|
||||
+ return xstrdup(ntop);
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
@ -308,7 +308,7 @@ index abea9c6..9a00fc2 100644
|
||||
+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
|
||||
+ name, ntop);
|
||||
+ freeaddrinfo(ai);
|
||||
+ return strdup(ntop);
|
||||
+ return xstrdup(ntop);
|
||||
+ }
|
||||
+
|
||||
+ /* Names are stored in lowercase. */
|
||||
@ -329,7 +329,7 @@ index abea9c6..9a00fc2 100644
|
||||
+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
|
||||
+ logit("reverse mapping checking getaddrinfo for %.700s "
|
||||
+ "[%s] failed.", name, ntop);
|
||||
+ return strdup(ntop);
|
||||
+ return xstrdup(ntop);
|
||||
+ }
|
||||
+ /* Look for the address from the list of addresses. */
|
||||
+ for (ai = aitop; ai; ai = ai->ai_next) {
|
||||
@ -344,9 +344,9 @@ index abea9c6..9a00fc2 100644
|
||||
+ /* Address not found for the host name. */
|
||||
+ logit("Address %.100s maps to %.600s, but this does not "
|
||||
+ "map back to the address.", ntop, name);
|
||||
+ return strdup(ntop);
|
||||
+ return xstrdup(ntop);
|
||||
+ }
|
||||
+ return strdup(name);
|
||||
+ return xstrdup(name);
|
||||
+}
|
||||
+
|
||||
void
|
||||
@ -367,7 +367,7 @@ index 26d6285..0cadc9f 100644
|
||||
int get_peer_port(int);
|
||||
char *get_local_ipaddr(int);
|
||||
diff --git a/clientloop.c b/clientloop.c
|
||||
index b5a1f70..9def2a1 100644
|
||||
index da396c7..42ace77 100644
|
||||
--- a/clientloop.c
|
||||
+++ b/clientloop.c
|
||||
@@ -112,6 +112,10 @@
|
||||
@ -381,7 +381,7 @@ index b5a1f70..9def2a1 100644
|
||||
/* import options */
|
||||
extern Options options;
|
||||
|
||||
@@ -1373,9 +1377,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
|
||||
@@ -1361,9 +1365,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
|
||||
break;
|
||||
|
||||
/* Do channel operations unless rekeying in progress. */
|
||||
@ -402,10 +402,10 @@ index b5a1f70..9def2a1 100644
|
||||
client_process_net_input(ssh, readset);
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index ff9c11a..c0db779 100644
|
||||
index 82aafe3..8a0e791 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -666,6 +666,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
|
||||
@@ -676,6 +676,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
|
||||
[Use tunnel device compatibility to OpenBSD])
|
||||
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
|
||||
[Prepend the address family to IP tunnel traffic])
|
||||
@ -959,11 +959,11 @@ index a151bc1..8d2b677 100644
|
||||
|
||||
#endif /* KRB5 */
|
||||
diff --git a/gss-serv.c b/gss-serv.c
|
||||
index ab3a15f..6ce56e9 100644
|
||||
index b5d4bb2..d8010dd 100644
|
||||
--- a/gss-serv.c
|
||||
+++ b/gss-serv.c
|
||||
@@ -1,7 +1,7 @@
|
||||
/* $OpenBSD: gss-serv.c,v 1.31 2018/07/09 21:37:55 markus Exp $ */
|
||||
/* $OpenBSD: gss-serv.c,v 1.32 2020/03/13 03:17:07 djm Exp $ */
|
||||
|
||||
/*
|
||||
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||
@ -1259,10 +1259,10 @@ index ab3a15f..6ce56e9 100644
|
||||
|
||||
/* Privileged */
|
||||
diff --git a/kex.c b/kex.c
|
||||
index 1f82c2e..92d8ee0 100644
|
||||
index 53f7ff8..fbb8e4f 100644
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
@@ -55,11 +55,16 @@
|
||||
@@ -57,11 +57,16 @@
|
||||
#include "misc.h"
|
||||
#include "dispatch.h"
|
||||
#include "monitor.h"
|
||||
@ -1279,7 +1279,7 @@ index 1f82c2e..92d8ee0 100644
|
||||
#include "fips.h"
|
||||
|
||||
/* prototype */
|
||||
@@ -115,6 +120,19 @@ static const struct kexalg kexalgs_all[] = {
|
||||
@@ -117,6 +122,19 @@ static const struct kexalg kexalgs_all[] = {
|
||||
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
|
||||
{ NULL, 0, -1, -1},
|
||||
};
|
||||
@ -1299,7 +1299,7 @@ index 1f82c2e..92d8ee0 100644
|
||||
|
||||
static const struct kexalg kexalgs_fips140_2[] = {
|
||||
#ifdef WITH_OPENSSL
|
||||
@@ -142,12 +160,12 @@ static const struct kexalg kexalgs_fips140_2[] = {
|
||||
@@ -144,12 +162,12 @@ static const struct kexalg kexalgs_fips140_2[] = {
|
||||
|
||||
/* Returns array of macs available depending on selected FIPS mode */
|
||||
static const struct kexalg *
|
||||
@ -1314,7 +1314,7 @@ index 1f82c2e..92d8ee0 100644
|
||||
case 1:
|
||||
return kexalgs_fips140_2;
|
||||
default:
|
||||
@@ -158,13 +176,13 @@ fips_select_kexalgs(void)
|
||||
@@ -160,13 +178,13 @@ fips_select_kexalgs(void)
|
||||
}
|
||||
|
||||
char *
|
||||
@ -1330,7 +1330,7 @@ index 1f82c2e..92d8ee0 100644
|
||||
if (ret != NULL)
|
||||
ret[rlen++] = sep;
|
||||
nlen = strlen(k->name);
|
||||
@@ -179,15 +197,31 @@ kex_alg_list(char sep)
|
||||
@@ -181,15 +199,31 @@ kex_alg_list(char sep)
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -1363,7 +1363,7 @@ index 1f82c2e..92d8ee0 100644
|
||||
return NULL;
|
||||
}
|
||||
|
||||
@@ -359,6 +393,29 @@ kex_assemble_names(char **listp, const char *def, const char *all)
|
||||
@@ -361,6 +395,29 @@ kex_assemble_names(char **listp, const char *def, const char *all)
|
||||
return r;
|
||||
}
|
||||
|
||||
@ -1393,7 +1393,7 @@ index 1f82c2e..92d8ee0 100644
|
||||
/* put algorithm proposal into buffer */
|
||||
int
|
||||
kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
|
||||
@@ -742,6 +799,9 @@ kex_free(struct kex *kex)
|
||||
@@ -743,6 +800,9 @@ kex_free(struct kex *kex)
|
||||
sshbuf_free(kex->server_version);
|
||||
sshbuf_free(kex->client_pub);
|
||||
free(kex->session_id);
|
||||
@ -1502,7 +1502,7 @@ index 67133e3..edaa467 100644
|
||||
break;
|
||||
case KEX_DH_GRP18_SHA512:
|
||||
diff --git a/kexgen.c b/kexgen.c
|
||||
index bb996b5..d353ed8 100644
|
||||
index 69348b9..c0e8c2f 100644
|
||||
--- a/kexgen.c
|
||||
+++ b/kexgen.c
|
||||
@@ -44,7 +44,7 @@
|
||||
@ -2596,10 +2596,10 @@ index 0000000..60bc02d
|
||||
+}
|
||||
+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
|
||||
diff --git a/monitor.c b/monitor.c
|
||||
index 00af44f..20812fa 100644
|
||||
index b6e855d..cf775e5 100644
|
||||
--- a/monitor.c
|
||||
+++ b/monitor.c
|
||||
@@ -147,6 +147,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *);
|
||||
@@ -148,6 +148,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_gss_checkmic(struct ssh *, int, struct sshbuf *);
|
||||
@ -2608,7 +2608,7 @@ index 00af44f..20812fa 100644
|
||||
#endif
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
@@ -219,11 +221,18 @@ struct mon_table mon_dispatch_proto20[] = {
|
||||
@@ -220,11 +222,18 @@ struct mon_table mon_dispatch_proto20[] = {
|
||||
{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
|
||||
{MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
|
||||
{MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
|
||||
@ -2627,7 +2627,7 @@ index 00af44f..20812fa 100644
|
||||
#ifdef WITH_OPENSSL
|
||||
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
|
||||
#endif
|
||||
@@ -292,6 +301,10 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
|
||||
@@ -293,6 +302,10 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
|
||||
/* Permit requests for moduli and signatures */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
||||
@ -2638,7 +2638,7 @@ index 00af44f..20812fa 100644
|
||||
|
||||
/* The first few requests do not require asynchronous access */
|
||||
while (!authenticated) {
|
||||
@@ -405,6 +418,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor)
|
||||
@@ -406,6 +419,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor)
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
|
||||
@ -2649,7 +2649,7 @@ index 00af44f..20812fa 100644
|
||||
|
||||
if (auth_opts->permit_pty_flag) {
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
|
||||
@@ -1687,6 +1704,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
||||
@@ -1712,6 +1729,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
||||
# ifdef OPENSSL_HAS_ECC
|
||||
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
|
||||
# endif
|
||||
@ -2667,7 +2667,7 @@ index 00af44f..20812fa 100644
|
||||
#endif /* WITH_OPENSSL */
|
||||
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
||||
kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
|
||||
@@ -1780,8 +1808,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
@@ -1805,8 +1833,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
u_char *p;
|
||||
int r;
|
||||
|
||||
@ -2678,7 +2678,7 @@ index 00af44f..20812fa 100644
|
||||
|
||||
if ((r = sshbuf_get_string(m, &p, &len)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
@@ -1813,8 +1841,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
@@ -1838,8 +1866,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
OM_uint32 flags = 0; /* GSI needs this */
|
||||
int r;
|
||||
|
||||
@ -2689,7 +2689,7 @@ index 00af44f..20812fa 100644
|
||||
|
||||
if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
@@ -1834,6 +1862,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
@@ -1859,6 +1887,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
|
||||
@ -2697,7 +2697,7 @@ index 00af44f..20812fa 100644
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
@@ -1845,8 +1874,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
@@ -1870,8 +1899,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
OM_uint32 ret;
|
||||
int r;
|
||||
|
||||
@ -2708,7 +2708,7 @@ index 00af44f..20812fa 100644
|
||||
|
||||
if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
|
||||
(r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
|
||||
@@ -1872,13 +1901,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
@@ -1897,13 +1926,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
int
|
||||
mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
{
|
||||
@ -2730,7 +2730,7 @@ index 00af44f..20812fa 100644
|
||||
|
||||
sshbuf_reset(m);
|
||||
if ((r = sshbuf_put_u32(m, authenticated)) != 0)
|
||||
@@ -1887,7 +1920,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
@@ -1912,7 +1945,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
debug3("%s: sending result %d", __func__, authenticated);
|
||||
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
|
||||
|
||||
@ -2743,7 +2743,7 @@ index 00af44f..20812fa 100644
|
||||
|
||||
if ((displayname = ssh_gssapi_displayname()) != NULL)
|
||||
auth2_record_info(authctxt, "%s", displayname);
|
||||
@@ -1895,5 +1932,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
@@ -1920,5 +1957,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
/* Monitor loop will terminate if authenticated */
|
||||
return (authenticated);
|
||||
}
|
||||
@ -2843,10 +2843,10 @@ index 683e5e0..2b1a2d5 100644
|
||||
|
||||
struct ssh;
|
||||
diff --git a/monitor_wrap.c b/monitor_wrap.c
|
||||
index 4169b76..fdca39a 100644
|
||||
index 001a8fa..6edb509 100644
|
||||
--- a/monitor_wrap.c
|
||||
+++ b/monitor_wrap.c
|
||||
@@ -978,13 +978,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
|
||||
@@ -993,13 +993,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
|
||||
}
|
||||
|
||||
int
|
||||
@ -2863,7 +2863,7 @@ index 4169b76..fdca39a 100644
|
||||
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
|
||||
mm_request_receive_expect(pmonitor->m_recvfd,
|
||||
@@ -997,4 +999,57 @@ mm_ssh_gssapi_userok(char *user)
|
||||
@@ -1012,4 +1014,57 @@ mm_ssh_gssapi_userok(char *user)
|
||||
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
|
||||
return (authenticated);
|
||||
}
|
||||
@ -2922,10 +2922,10 @@ index 4169b76..fdca39a 100644
|
||||
+
|
||||
#endif /* GSSAPI */
|
||||
diff --git a/monitor_wrap.h b/monitor_wrap.h
|
||||
index 191277f..92dda57 100644
|
||||
index 23ab096..485590c 100644
|
||||
--- a/monitor_wrap.h
|
||||
+++ b/monitor_wrap.h
|
||||
@@ -63,8 +63,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
|
||||
@@ -64,8 +64,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
|
||||
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
|
||||
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
|
||||
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
|
||||
@ -2938,7 +2938,7 @@ index 191277f..92dda57 100644
|
||||
|
||||
#ifdef USE_PAM
|
||||
diff --git a/readconf.c b/readconf.c
|
||||
index 228f481..24f2cb1 100644
|
||||
index 408a80c..d37658a 100644
|
||||
--- a/readconf.c
|
||||
+++ b/readconf.c
|
||||
@@ -67,6 +67,7 @@
|
||||
@ -2949,7 +2949,7 @@ index 228f481..24f2cb1 100644
|
||||
|
||||
#include "fips.h"
|
||||
|
||||
@@ -164,6 +165,8 @@ typedef enum {
|
||||
@@ -162,6 +163,8 @@ typedef enum {
|
||||
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
||||
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
||||
@ -2958,7 +2958,7 @@ index 228f481..24f2cb1 100644
|
||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
|
||||
oHashKnownHosts,
|
||||
@@ -204,10 +207,22 @@ static struct {
|
||||
@@ -206,10 +209,22 @@ static struct {
|
||||
/* Sometimes-unsupported options */
|
||||
#if defined(GSSAPI)
|
||||
{ "gssapiauthentication", oGssAuthentication },
|
||||
@ -2981,7 +2981,7 @@ index 228f481..24f2cb1 100644
|
||||
#endif
|
||||
#ifdef ENABLE_PKCS11
|
||||
{ "pkcs11provider", oPKCS11Provider },
|
||||
@@ -990,10 +1005,42 @@ parse_time:
|
||||
@@ -1055,10 +1070,42 @@ parse_time:
|
||||
intptr = &options->gss_authentication;
|
||||
goto parse_flag;
|
||||
|
||||
@ -3024,7 +3024,7 @@ index 228f481..24f2cb1 100644
|
||||
case oBatchMode:
|
||||
intptr = &options->batch_mode;
|
||||
goto parse_flag;
|
||||
@@ -1882,7 +1929,13 @@ initialize_options(Options * options)
|
||||
@@ -1954,7 +2001,13 @@ initialize_options(Options * options)
|
||||
options->pubkey_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
options->gss_authentication = -1;
|
||||
@ -3038,7 +3038,7 @@ index 228f481..24f2cb1 100644
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->kbd_interactive_devices = NULL;
|
||||
@@ -2028,8 +2081,18 @@ fill_default_options(Options * options)
|
||||
@@ -2102,8 +2155,18 @@ fill_default_options(Options * options)
|
||||
options->challenge_response_authentication = 1;
|
||||
if (options->gss_authentication == -1)
|
||||
options->gss_authentication = 0;
|
||||
@ -3057,7 +3057,7 @@ index 228f481..24f2cb1 100644
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
@@ -2647,7 +2710,14 @@ dump_client_config(Options *o, const char *host)
|
||||
@@ -2751,7 +2814,14 @@ dump_client_config(Options *o, const char *host)
|
||||
dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
|
||||
#ifdef GSSAPI
|
||||
dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
|
||||
@ -3073,10 +3073,10 @@ index 228f481..24f2cb1 100644
|
||||
dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
|
||||
dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
|
||||
diff --git a/readconf.h b/readconf.h
|
||||
index 67111e9..2617764 100644
|
||||
index ef18d5c..c0d797e 100644
|
||||
--- a/readconf.h
|
||||
+++ b/readconf.h
|
||||
@@ -40,7 +40,13 @@ typedef struct {
|
||||
@@ -41,7 +41,13 @@ typedef struct {
|
||||
int challenge_response_authentication;
|
||||
/* Try S/Key or TIS, authentication. */
|
||||
int gss_authentication; /* Try GSS authentication */
|
||||
@ -3091,10 +3091,10 @@ index 67111e9..2617764 100644
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index a8833a9..13cf154 100644
|
||||
index 8a9db25..18b70b6 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -64,6 +64,7 @@
|
||||
@@ -69,6 +69,7 @@
|
||||
#include "auth.h"
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
@ -3102,7 +3102,7 @@ index a8833a9..13cf154 100644
|
||||
#include "fips.h"
|
||||
|
||||
static void add_listen_addr(ServerOptions *, const char *,
|
||||
@@ -126,8 +127,11 @@ initialize_server_options(ServerOptions *options)
|
||||
@@ -135,8 +136,11 @@ initialize_server_options(ServerOptions *options)
|
||||
options->kerberos_ticket_cleanup = -1;
|
||||
options->kerberos_get_afs_token = -1;
|
||||
options->gss_authentication=-1;
|
||||
@ -3114,7 +3114,7 @@ index a8833a9..13cf154 100644
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
@@ -374,10 +378,18 @@ fill_default_server_options(ServerOptions *options)
|
||||
@@ -398,10 +402,18 @@ fill_default_server_options(ServerOptions *options)
|
||||
options->kerberos_get_afs_token = 0;
|
||||
if (options->gss_authentication == -1)
|
||||
options->gss_authentication = 0;
|
||||
@ -3133,7 +3133,7 @@ index a8833a9..13cf154 100644
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
@@ -523,6 +535,7 @@ typedef enum {
|
||||
@@ -556,6 +568,7 @@ typedef enum {
|
||||
sHostKeyAlgorithms,
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||
@ -3141,7 +3141,7 @@ index a8833a9..13cf154 100644
|
||||
sAcceptEnv, sSetEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
@@ -599,12 +612,22 @@ static struct {
|
||||
@@ -634,12 +647,22 @@ static struct {
|
||||
#ifdef GSSAPI
|
||||
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
||||
@ -3164,7 +3164,7 @@ index a8833a9..13cf154 100644
|
||||
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
||||
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
|
||||
@@ -1518,6 +1541,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
@@ -1585,6 +1608,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||
intptr = &options->gss_authentication;
|
||||
goto parse_flag;
|
||||
|
||||
@ -3175,7 +3175,7 @@ index a8833a9..13cf154 100644
|
||||
case sGssCleanupCreds:
|
||||
intptr = &options->gss_cleanup_creds;
|
||||
goto parse_flag;
|
||||
@@ -1526,6 +1553,22 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
@@ -1593,6 +1620,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||
intptr = &options->gss_strict_acceptor;
|
||||
goto parse_flag;
|
||||
|
||||
@ -3198,7 +3198,7 @@ index a8833a9..13cf154 100644
|
||||
case sPasswordAuthentication:
|
||||
intptr = &options->password_authentication;
|
||||
goto parse_flag;
|
||||
@@ -2615,6 +2658,10 @@ dump_config(ServerOptions *o)
|
||||
@@ -2821,6 +2864,10 @@ dump_config(ServerOptions *o)
|
||||
#ifdef GSSAPI
|
||||
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
||||
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
|
||||
@ -3210,10 +3210,10 @@ index a8833a9..13cf154 100644
|
||||
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
|
||||
dump_cfg_fmtint(sKbdInteractiveAuthentication,
|
||||
diff --git a/servconf.h b/servconf.h
|
||||
index 4670a5a..56373e5 100644
|
||||
index d24d459..45665df 100644
|
||||
--- a/servconf.h
|
||||
+++ b/servconf.h
|
||||
@@ -126,8 +126,11 @@ typedef struct {
|
||||
@@ -137,8 +137,11 @@ typedef struct {
|
||||
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
||||
* authenticated with Kerberos. */
|
||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||
@ -3226,10 +3226,10 @@ index 4670a5a..56373e5 100644
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* If true, permit */
|
||||
diff --git a/session.c b/session.c
|
||||
index d81060c..89f9539 100644
|
||||
index 501bbdf..530aa26 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -2713,13 +2713,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
|
||||
@@ -2717,13 +2717,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
|
||||
|
||||
#ifdef KRB5
|
||||
if (options.kerberos_ticket_cleanup &&
|
||||
@ -3372,10 +3372,10 @@ index 36180d0..70dd366 100644
|
||||
|
||||
#endif /* _SSH_GSS_H */
|
||||
diff --git a/ssh.1 b/ssh.1
|
||||
index 899a339..70d3017 100644
|
||||
index dce5f40..7a3ba31 100644
|
||||
--- a/ssh.1
|
||||
+++ b/ssh.1
|
||||
@@ -497,7 +497,13 @@ For full details of the options listed below, and their possible values, see
|
||||
@@ -506,7 +506,13 @@ For full details of the options listed below, and their possible values, see
|
||||
.It GatewayPorts
|
||||
.It GlobalKnownHostsFile
|
||||
.It GSSAPIAuthentication
|
||||
@ -3389,7 +3389,7 @@ index 899a339..70d3017 100644
|
||||
.It HashKnownHosts
|
||||
.It Host
|
||||
.It HostbasedAuthentication
|
||||
@@ -573,6 +579,8 @@ flag),
|
||||
@@ -582,6 +588,8 @@ flag),
|
||||
(supported message integrity codes),
|
||||
.Ar kex
|
||||
(key exchange algorithms),
|
||||
@ -3399,25 +3399,25 @@ index 899a339..70d3017 100644
|
||||
(key types),
|
||||
.Ar key-cert
|
||||
diff --git a/ssh.c b/ssh.c
|
||||
index 882d1da..5f3ca8d 100644
|
||||
index dce28fd..c99e0e4 100644
|
||||
--- a/ssh.c
|
||||
+++ b/ssh.c
|
||||
@@ -742,6 +742,8 @@ main(int ac, char **av)
|
||||
cp = mac_alg_list('\n');
|
||||
else if (strcmp(optarg, "kex") == 0)
|
||||
@@ -779,6 +779,8 @@ main(int ac, char **av)
|
||||
else if (strcmp(optarg, "kex") == 0 ||
|
||||
strcasecmp(optarg, "KexAlgorithms") == 0)
|
||||
cp = kex_alg_list('\n');
|
||||
+ else if (strcmp(optarg, "kex-gss") == 0)
|
||||
+ cp = kex_gss_alg_list('\n');
|
||||
else if (strcmp(optarg, "key") == 0)
|
||||
cp = sshkey_alg_list(0, 0, 0, '\n');
|
||||
else if (strcmp(optarg, "key-cert") == 0)
|
||||
@@ -754,7 +756,7 @@ main(int ac, char **av)
|
||||
cp = xstrdup("2");
|
||||
else if (strcmp(optarg, "help") == 0) {
|
||||
@@ -803,7 +805,7 @@ main(int ac, char **av)
|
||||
cp[n] = '\n';
|
||||
} else if (strcmp(optarg, "help") == 0) {
|
||||
cp = xstrdup(
|
||||
- "cipher\ncipher-auth\nkex\nkey\n"
|
||||
+ "cipher\ncipher-auth\nkex\nkex-gss\nkey\n"
|
||||
"key-cert\nkey-plain\nmac\n"
|
||||
- "cipher\ncipher-auth\ncompression\nkex\n"
|
||||
+ "cipher\ncipher-auth\ncompression\nkex\nkex-gss\n"
|
||||
"key\nkey-cert\nkey-plain\nkey-sig\nmac\n"
|
||||
"protocol-version\nsig");
|
||||
}
|
||||
diff --git a/ssh_config b/ssh_config
|
||||
@ -3434,10 +3434,10 @@ index 3a00f4d..a798a43 100644
|
||||
# CheckHostIP yes
|
||||
# AddressFamily any
|
||||
diff --git a/ssh_config.5 b/ssh_config.5
|
||||
index f0cb291..3bf0502 100644
|
||||
index f6c3bdc..30c22e5 100644
|
||||
--- a/ssh_config.5
|
||||
+++ b/ssh_config.5
|
||||
@@ -760,10 +760,67 @@ The default is
|
||||
@@ -768,10 +768,67 @@ The default is
|
||||
Specifies whether user authentication based on GSSAPI is allowed.
|
||||
The default is
|
||||
.Cm no .
|
||||
@ -3506,10 +3506,10 @@ index f0cb291..3bf0502 100644
|
||||
Indicates that
|
||||
.Xr ssh 1
|
||||
diff --git a/sshconnect2.c b/sshconnect2.c
|
||||
index 87fa70a..9e8c3e5 100644
|
||||
index 1a6545e..b970198 100644
|
||||
--- a/sshconnect2.c
|
||||
+++ b/sshconnect2.c
|
||||
@@ -78,8 +78,6 @@
|
||||
@@ -80,8 +80,6 @@
|
||||
#endif
|
||||
|
||||
/* import */
|
||||
@ -3518,9 +3518,9 @@ index 87fa70a..9e8c3e5 100644
|
||||
extern Options options;
|
||||
|
||||
/*
|
||||
@@ -161,6 +159,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
||||
@@ -163,6 +161,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
||||
char *s, *all_key;
|
||||
int r;
|
||||
int r, use_known_hosts_order = 0;
|
||||
|
||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||
+ char *orig = NULL, *gss = NULL;
|
||||
@ -3530,8 +3530,8 @@ index 87fa70a..9e8c3e5 100644
|
||||
xxx_host = host;
|
||||
xxx_hostaddr = hostaddr;
|
||||
|
||||
@@ -193,6 +196,35 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
||||
order_hostkeyalgs(host, hostaddr, port));
|
||||
@@ -206,6 +209,35 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
||||
compat_pkalg_proposal(options.hostkeyalgorithms);
|
||||
}
|
||||
|
||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||
@ -3566,7 +3566,7 @@ index 87fa70a..9e8c3e5 100644
|
||||
if (options.rekey_limit || options.rekey_interval)
|
||||
ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
|
||||
options.rekey_interval);
|
||||
@@ -211,16 +243,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
||||
@@ -224,16 +256,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
||||
# ifdef OPENSSL_HAS_ECC
|
||||
ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
|
||||
# endif
|
||||
@ -3614,7 +3614,7 @@ index 87fa70a..9e8c3e5 100644
|
||||
if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
|
||||
fatal("kex_prop2buf: %s", ssh_err(r));
|
||||
|
||||
@@ -317,6 +379,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
|
||||
@@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
|
||||
static int input_gssapi_token(int type, u_int32_t, struct ssh *);
|
||||
static int input_gssapi_error(int, u_int32_t, struct ssh *);
|
||||
static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
|
||||
@ -3622,7 +3622,7 @@ index 87fa70a..9e8c3e5 100644
|
||||
#endif
|
||||
|
||||
void userauth(struct ssh *, char *);
|
||||
@@ -333,6 +396,11 @@ static char *authmethods_get(void);
|
||||
@@ -346,6 +409,11 @@ static char *authmethods_get(void);
|
||||
|
||||
Authmethod authmethods[] = {
|
||||
#ifdef GSSAPI
|
||||
@ -3634,7 +3634,7 @@ index 87fa70a..9e8c3e5 100644
|
||||
{"gssapi-with-mic",
|
||||
userauth_gssapi,
|
||||
userauth_gssapi_cleanup,
|
||||
@@ -697,12 +765,23 @@ userauth_gssapi(struct ssh *ssh)
|
||||
@@ -716,12 +784,23 @@ userauth_gssapi(struct ssh *ssh)
|
||||
OM_uint32 min;
|
||||
int r, ok = 0;
|
||||
gss_OID mech = NULL;
|
||||
@ -3659,7 +3659,7 @@ index 87fa70a..9e8c3e5 100644
|
||||
|
||||
/* Check to see whether the mechanism is usable before we offer it */
|
||||
while (authctxt->mech_tried < authctxt->gss_supported_mechs->count &&
|
||||
@@ -711,13 +790,15 @@ userauth_gssapi(struct ssh *ssh)
|
||||
@@ -730,13 +809,15 @@ userauth_gssapi(struct ssh *ssh)
|
||||
elements[authctxt->mech_tried];
|
||||
/* My DER encoding requires length<128 */
|
||||
if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
|
||||
@ -3676,7 +3676,7 @@ index 87fa70a..9e8c3e5 100644
|
||||
if (!ok || mech == NULL)
|
||||
return 0;
|
||||
|
||||
@@ -957,6 +1038,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
|
||||
@@ -976,6 +1057,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
|
||||
free(lang);
|
||||
return r;
|
||||
}
|
||||
@ -3733,10 +3733,10 @@ index 87fa70a..9e8c3e5 100644
|
||||
|
||||
static int
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index c562094..0d5c4c4 100644
|
||||
index 1a09e7b..7d23232 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -815,8 +815,8 @@ notify_hostkeys(struct ssh *ssh)
|
||||
@@ -826,8 +826,8 @@ notify_hostkeys(struct ssh *ssh)
|
||||
}
|
||||
debug3("%s: sent %u hostkeys", __func__, nkeys);
|
||||
if (nkeys == 0)
|
||||
@ -3747,7 +3747,7 @@ index c562094..0d5c4c4 100644
|
||||
sshpkt_fatal(ssh, r, "%s: send", __func__);
|
||||
sshbuf_free(buf);
|
||||
}
|
||||
@@ -1800,7 +1800,8 @@ main(int ac, char **av)
|
||||
@@ -1865,7 +1865,8 @@ main(int ac, char **av)
|
||||
free(fp);
|
||||
}
|
||||
accumulate_host_timing_secret(cfg, NULL);
|
||||
@ -3757,7 +3757,7 @@ index c562094..0d5c4c4 100644
|
||||
logit("sshd: no hostkeys available -- exiting.");
|
||||
exit(1);
|
||||
}
|
||||
@@ -2297,6 +2298,48 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
@@ -2361,6 +2362,48 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
|
||||
list_hostkey_types());
|
||||
|
||||
@ -3806,7 +3806,7 @@ index c562094..0d5c4c4 100644
|
||||
/* start key exchange */
|
||||
if ((r = kex_setup(ssh, myproposal)) != 0)
|
||||
fatal("kex_setup: %s", ssh_err(r));
|
||||
@@ -2312,7 +2355,18 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
@@ -2376,7 +2419,18 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
# ifdef OPENSSL_HAS_ECC
|
||||
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
|
||||
# endif
|
||||
@ -3840,10 +3840,10 @@ index 9ae8b05..8c1d1e5 100644
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
diff --git a/sshd_config.5 b/sshd_config.5
|
||||
index 8818ea5..50a4917 100644
|
||||
index 9c64f41..36696cc 100644
|
||||
--- a/sshd_config.5
|
||||
+++ b/sshd_config.5
|
||||
@@ -657,6 +657,11 @@ Specifies whether to automatically destroy the user's credentials cache
|
||||
@@ -646,6 +646,11 @@ Specifies whether to automatically destroy the user's credentials cache
|
||||
on logout.
|
||||
The default is
|
||||
.Cm yes .
|
||||
@ -3855,7 +3855,7 @@ index 8818ea5..50a4917 100644
|
||||
.It Cm GSSAPIStrictAcceptorCheck
|
||||
Determines whether to be strict about the identity of the GSSAPI acceptor
|
||||
a client authenticates against.
|
||||
@@ -671,6 +676,31 @@ machine's default store.
|
||||
@@ -660,6 +665,31 @@ machine's default store.
|
||||
This facility is provided to assist with operation on multi homed machines.
|
||||
The default is
|
||||
.Cm yes .
|
||||
@ -3888,18 +3888,18 @@ index 8818ea5..50a4917 100644
|
||||
Specifies the key types that will be accepted for hostbased authentication
|
||||
as a list of comma-separated patterns.
|
||||
diff --git a/sshkey.c b/sshkey.c
|
||||
index ef90563..4d2048b 100644
|
||||
index 1571e3d..1ac32a0 100644
|
||||
--- a/sshkey.c
|
||||
+++ b/sshkey.c
|
||||
@@ -145,6 +145,7 @@ static const struct keytype keytypes[] = {
|
||||
# endif /* OPENSSL_HAS_NISTP521 */
|
||||
@@ -154,6 +154,7 @@ static const struct keytype keytypes[] = {
|
||||
KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1, 1, 0 },
|
||||
# endif /* OPENSSL_HAS_ECC */
|
||||
#endif /* WITH_OPENSSL */
|
||||
+ { "null", "null", NULL, KEY_NULL, 0, 0, 0 },
|
||||
{ NULL, NULL, NULL, -1, -1, 0, 0 }
|
||||
};
|
||||
|
||||
@@ -233,7 +234,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
|
||||
@@ -255,7 +256,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
|
||||
const struct keytype *kt;
|
||||
|
||||
for (kt = keytypes; kt->type != -1; kt++) {
|
||||
@ -3909,13 +3909,13 @@ index ef90563..4d2048b 100644
|
||||
if (!include_sigonly && kt->sigonly)
|
||||
continue;
|
||||
diff --git a/sshkey.h b/sshkey.h
|
||||
index 1119a7b..1bf30d0 100644
|
||||
index 9c1d4f6..f586e89 100644
|
||||
--- a/sshkey.h
|
||||
+++ b/sshkey.h
|
||||
@@ -65,6 +65,7 @@ enum sshkey_types {
|
||||
KEY_ED25519_CERT,
|
||||
KEY_XMSS,
|
||||
KEY_XMSS_CERT,
|
||||
@@ -69,6 +69,7 @@ enum sshkey_types {
|
||||
KEY_ECDSA_SK_CERT,
|
||||
KEY_ED25519_SK,
|
||||
KEY_ED25519_SK_CERT,
|
||||
+ KEY_NULL,
|
||||
KEY_UNSPEC
|
||||
};
|
||||
|
@ -1,17 +1,16 @@
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 02bafbc..4ee4ab2 100644
|
||||
index 9d3f569..5a0e0b6 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -110,7 +110,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
kexgexc.o kexgexs.o \
|
||||
@@ -115,7 +115,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
|
||||
kexgssc.o \
|
||||
- platform-pledge.o platform-tracing.o platform-misc.o
|
||||
+ platform-pledge.o platform-tracing.o platform-misc.o \
|
||||
+ auditstub.o
|
||||
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
||||
- sshbuf-io.o
|
||||
+ sshbuf-io.o auditstub.o
|
||||
|
||||
SKOBJS= ssh-sk-client.o
|
||||
|
||||
LIBSSH_OBJS += fips.o
|
||||
diff --git a/audit-bsm.c b/audit-bsm.c
|
||||
index 0ba16c7..d5e9cda 100644
|
||||
--- a/audit-bsm.c
|
||||
@ -744,10 +743,10 @@ index 0000000..639a798
|
||||
+{
|
||||
+}
|
||||
diff --git a/auth.c b/auth.c
|
||||
index ab43955..5a4d11a 100644
|
||||
index 779a1af..f6f3c86 100644
|
||||
--- a/auth.c
|
||||
+++ b/auth.c
|
||||
@@ -366,7 +366,7 @@ auth_log(struct ssh *ssh, int authenticated, int partial,
|
||||
@@ -367,7 +367,7 @@ auth_log(struct ssh *ssh, int authenticated, int partial,
|
||||
# endif
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
@ -756,7 +755,7 @@ index ab43955..5a4d11a 100644
|
||||
audit_event(ssh, audit_classify_auth(method));
|
||||
#endif
|
||||
}
|
||||
@@ -592,9 +592,6 @@ getpwnamallow(struct ssh *ssh, const char *user)
|
||||
@@ -593,9 +593,6 @@ getpwnamallow(struct ssh *ssh, const char *user)
|
||||
record_failed_login(ssh, user,
|
||||
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
|
||||
#endif
|
||||
@ -767,7 +766,7 @@ index ab43955..5a4d11a 100644
|
||||
}
|
||||
if (!allowed_user(ssh, pw))
|
||||
diff --git a/auth.h b/auth.h
|
||||
index becc672..84532d0 100644
|
||||
index becc672..c8a99fb 100644
|
||||
--- a/auth.h
|
||||
+++ b/auth.h
|
||||
@@ -189,6 +189,8 @@ struct passwd * getpwnamallow(struct ssh *, const char *user);
|
||||
@ -775,7 +774,7 @@ index becc672..84532d0 100644
|
||||
char *expand_authorized_keys(const char *, struct passwd *pw);
|
||||
char *authorized_principals_file(struct passwd *);
|
||||
+int user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
|
||||
+ const u_char *, size_t, const char *, u_int);
|
||||
+ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
|
||||
|
||||
FILE *auth_openkeyfile(const char *, struct passwd *, int);
|
||||
FILE *auth_openprincipals(const char *, struct passwd *, int);
|
||||
@ -784,12 +783,12 @@ index becc672..84532d0 100644
|
||||
int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
|
||||
u_char **, size_t *, const u_char *, size_t, const char *);
|
||||
+int hostbased_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
|
||||
+ const u_char *, size_t, const char *, u_int);
|
||||
+ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
|
||||
|
||||
/* Key / cert options linkage to auth layer */
|
||||
const struct sshauthopt *auth_options(struct ssh *);
|
||||
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
|
||||
index d460470..de26444 100644
|
||||
index 5e9b7c6..c0a09a3 100644
|
||||
--- a/auth2-hostbased.c
|
||||
+++ b/auth2-hostbased.c
|
||||
@@ -150,7 +150,7 @@ userauth_hostbased(struct ssh *ssh)
|
||||
@ -798,7 +797,7 @@ index d460470..de26444 100644
|
||||
chost, key)) &&
|
||||
- PRIVSEP(sshkey_verify(key, sig, slen,
|
||||
+ PRIVSEP(hostbased_key_verify(ssh, key, sig, slen,
|
||||
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat)) == 0)
|
||||
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL)) == 0)
|
||||
authenticated = 1;
|
||||
|
||||
@@ -167,6 +167,19 @@ done:
|
||||
@ -807,11 +806,11 @@ index d460470..de26444 100644
|
||||
|
||||
+int
|
||||
+hostbased_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig,
|
||||
+ size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat)
|
||||
+ size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat, struct sshkey_sig_details **sigdet)
|
||||
+{
|
||||
+ int rv;
|
||||
+
|
||||
+ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat);
|
||||
+ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat, sigdet);
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ audit_key(ssh, 0, &rv, key);
|
||||
+#endif
|
||||
@ -822,10 +821,10 @@ index d460470..de26444 100644
|
||||
int
|
||||
hostbased_key_allowed(struct ssh *ssh, struct passwd *pw,
|
||||
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
|
||||
index df12c2c..6062b8b 100644
|
||||
index 815ea0f..f8a4325 100644
|
||||
--- a/auth2-pubkey.c
|
||||
+++ b/auth2-pubkey.c
|
||||
@@ -210,7 +210,7 @@ userauth_pubkey(struct ssh *ssh)
|
||||
@@ -212,7 +212,7 @@ userauth_pubkey(struct ssh *ssh)
|
||||
/* test for correct signature */
|
||||
authenticated = 0;
|
||||
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
|
||||
@ -833,18 +832,18 @@ index df12c2c..6062b8b 100644
|
||||
+ PRIVSEP(user_key_verify(ssh, key, sig, slen,
|
||||
sshbuf_ptr(b), sshbuf_len(b),
|
||||
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
|
||||
ssh->compat)) == 0) {
|
||||
@@ -269,6 +269,19 @@ done:
|
||||
ssh->compat, &sig_details)) == 0) {
|
||||
@@ -294,6 +294,19 @@ done:
|
||||
return authenticated;
|
||||
}
|
||||
|
||||
+int
|
||||
+user_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig,
|
||||
+ size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat)
|
||||
+ size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat, struct sshkey_sig_details **sigdet)
|
||||
+{
|
||||
+ int rv;
|
||||
+
|
||||
+ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat);
|
||||
+ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat, sigdet);
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ audit_key(ssh, 1, &rv, key);
|
||||
+#endif
|
||||
@ -855,7 +854,7 @@ index df12c2c..6062b8b 100644
|
||||
match_principals_option(const char *principal_list, struct sshkey_cert *cert)
|
||||
{
|
||||
diff --git a/auth2.c b/auth2.c
|
||||
index 1c21726..e54509a 100644
|
||||
index a4a5e00..b12d2ac 100644
|
||||
--- a/auth2.c
|
||||
+++ b/auth2.c
|
||||
@@ -293,9 +293,6 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
|
||||
@ -869,7 +868,7 @@ index 1c21726..e54509a 100644
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam)
|
||||
diff --git a/cipher.c b/cipher.c
|
||||
index b67a4ff..e0d23a5 100644
|
||||
index 599b54a..7f25a18 100644
|
||||
--- a/cipher.c
|
||||
+++ b/cipher.c
|
||||
@@ -58,25 +58,6 @@
|
||||
@ -898,17 +897,17 @@ index b67a4ff..e0d23a5 100644
|
||||
static const struct sshcipher ciphers_all[] = {
|
||||
#ifdef WITH_OPENSSL
|
||||
#ifndef OPENSSL_NO_DES
|
||||
@@ -451,7 +432,7 @@ cipher_get_length(struct sshcipher_ctx *cc, u_int *plenp, u_int seqnr,
|
||||
@@ -462,7 +443,7 @@ cipher_get_length(struct sshcipher_ctx *cc, u_int *plenp, u_int seqnr,
|
||||
void
|
||||
cipher_free(struct sshcipher_ctx *cc)
|
||||
{
|
||||
- if (cc == NULL)
|
||||
+ if (cc == NULL || cc->cipher == NULL)
|
||||
return;
|
||||
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
|
||||
explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));
|
||||
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
|
||||
chachapoly_free(cc->cp_ctx);
|
||||
diff --git a/cipher.h b/cipher.h
|
||||
index d7d8c89..2341068 100644
|
||||
index 626f2f5..b3383a5 100644
|
||||
--- a/cipher.h
|
||||
+++ b/cipher.h
|
||||
@@ -47,7 +47,25 @@
|
||||
@ -939,10 +938,10 @@ index d7d8c89..2341068 100644
|
||||
int plaintext;
|
||||
int encrypt;
|
||||
diff --git a/kex.c b/kex.c
|
||||
index 92d8ee0..96e44a5 100644
|
||||
index fbb8e4f..39cad99 100644
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
@@ -60,6 +60,7 @@
|
||||
@@ -62,6 +62,7 @@
|
||||
#include "ssherr.h"
|
||||
#include "sshbuf.h"
|
||||
#include "digest.h"
|
||||
@ -950,7 +949,7 @@ index 92d8ee0..96e44a5 100644
|
||||
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
@@ -856,12 +857,16 @@ kex_start_rekex(struct ssh *ssh)
|
||||
@@ -857,12 +858,16 @@ kex_start_rekex(struct ssh *ssh)
|
||||
}
|
||||
|
||||
static int
|
||||
@ -969,7 +968,7 @@ index 92d8ee0..96e44a5 100644
|
||||
if ((enc->cipher = cipher_by_name(name)) == NULL) {
|
||||
error("%s: unsupported cipher %s", __func__, name);
|
||||
free(name);
|
||||
@@ -882,8 +887,12 @@ choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
|
||||
@@ -883,8 +888,12 @@ choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
|
||||
{
|
||||
char *name = match_list(client, server, NULL);
|
||||
|
||||
@ -983,7 +982,7 @@ index 92d8ee0..96e44a5 100644
|
||||
if (mac_setup(mac, name) < 0) {
|
||||
error("%s: unsupported MAC %s", __func__, name);
|
||||
free(name);
|
||||
@@ -896,12 +905,16 @@ choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
|
||||
@@ -897,12 +906,16 @@ choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
|
||||
}
|
||||
|
||||
static int
|
||||
@ -999,10 +998,10 @@ index 92d8ee0..96e44a5 100644
|
||||
+#endif
|
||||
return SSH_ERR_NO_COMPRESS_ALG_MATCH;
|
||||
+ }
|
||||
#ifdef WITH_ZLIB
|
||||
if (strcmp(name, "zlib@openssh.com") == 0) {
|
||||
comp->type = COMP_DELAYED;
|
||||
} else if (strcmp(name, "zlib") == 0) {
|
||||
@@ -1039,7 +1052,7 @@ kex_choose_conf(struct ssh *ssh)
|
||||
@@ -1043,7 +1056,7 @@ kex_choose_conf(struct ssh *ssh)
|
||||
nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
|
||||
nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
|
||||
ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
|
||||
@ -1011,7 +1010,7 @@ index 92d8ee0..96e44a5 100644
|
||||
sprop[nenc])) != 0) {
|
||||
kex->failed_choice = peer[nenc];
|
||||
peer[nenc] = NULL;
|
||||
@@ -1054,7 +1067,7 @@ kex_choose_conf(struct ssh *ssh)
|
||||
@@ -1058,7 +1071,7 @@ kex_choose_conf(struct ssh *ssh)
|
||||
peer[nmac] = NULL;
|
||||
goto out;
|
||||
}
|
||||
@ -1020,7 +1019,7 @@ index 92d8ee0..96e44a5 100644
|
||||
sprop[ncomp])) != 0) {
|
||||
kex->failed_choice = peer[ncomp];
|
||||
peer[ncomp] = NULL;
|
||||
@@ -1077,6 +1090,10 @@ kex_choose_conf(struct ssh *ssh)
|
||||
@@ -1081,6 +1094,10 @@ kex_choose_conf(struct ssh *ssh)
|
||||
dh_need = MAXIMUM(dh_need, newkeys->enc.block_size);
|
||||
dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len);
|
||||
dh_need = MAXIMUM(dh_need, newkeys->mac.key_len);
|
||||
@ -1031,7 +1030,7 @@ index 92d8ee0..96e44a5 100644
|
||||
}
|
||||
/* XXX need runden? */
|
||||
kex->we_need = need;
|
||||
@@ -1241,6 +1258,36 @@ dump_digest(const char *msg, const u_char *digest, int len)
|
||||
@@ -1245,6 +1262,36 @@ dump_digest(const char *msg, const u_char *digest, int len)
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -1118,7 +1117,7 @@ index 0b119d7..5fb593b 100644
|
||||
|
||||
#endif /* SSHMAC_H */
|
||||
diff --git a/monitor.c b/monitor.c
|
||||
index 20812fa..2e421cf 100644
|
||||
index cf775e5..fcd8283 100644
|
||||
--- a/monitor.c
|
||||
+++ b/monitor.c
|
||||
@@ -93,6 +93,7 @@
|
||||
@ -1128,8 +1127,8 @@ index 20812fa..2e421cf 100644
|
||||
+#include "audit.h"
|
||||
#include "match.h"
|
||||
#include "ssherr.h"
|
||||
|
||||
@@ -107,6 +108,8 @@ extern u_char session_id[];
|
||||
#include "sk-api.h"
|
||||
@@ -108,6 +109,8 @@ extern u_char session_id[];
|
||||
extern struct sshbuf *loginmsg;
|
||||
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
|
||||
|
||||
@ -1138,7 +1137,7 @@ index 20812fa..2e421cf 100644
|
||||
/* State exported from the child */
|
||||
static struct sshbuf *child_state;
|
||||
|
||||
@@ -154,6 +157,11 @@ int mm_answer_gss_updatecreds(struct ssh*, int, struct sshbuf *);
|
||||
@@ -155,6 +158,11 @@ int mm_answer_gss_updatecreds(struct ssh*, int, struct sshbuf *);
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
int mm_answer_audit_event(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_audit_command(struct ssh *, int, struct sshbuf *);
|
||||
@ -1150,7 +1149,7 @@ index 20812fa..2e421cf 100644
|
||||
#endif
|
||||
|
||||
static Authctxt *authctxt;
|
||||
@@ -209,6 +217,10 @@ struct mon_table mon_dispatch_proto20[] = {
|
||||
@@ -210,6 +218,10 @@ struct mon_table mon_dispatch_proto20[] = {
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
@ -1161,7 +1160,7 @@ index 20812fa..2e421cf 100644
|
||||
#endif
|
||||
#ifdef BSD_AUTH
|
||||
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
||||
@@ -243,6 +255,11 @@ struct mon_table mon_dispatch_postauth20[] = {
|
||||
@@ -244,6 +256,11 @@ struct mon_table mon_dispatch_postauth20[] = {
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
||||
@ -1173,19 +1172,19 @@ index 20812fa..2e421cf 100644
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -1408,8 +1425,10 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
char *sigalg;
|
||||
@@ -1406,8 +1423,10 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
size_t signaturelen, datalen, bloblen;
|
||||
int r, ret, valid_data = 0, encoded_ret;
|
||||
int r, ret, req_presence = 0, valid_data = 0, encoded_ret;
|
||||
struct sshkey_sig_details *sig_details = NULL;
|
||||
+ int type = 0;
|
||||
|
||||
- if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
|
||||
- if ((r = sshbuf_get_string_direct(m, &blob, &bloblen)) != 0 ||
|
||||
+ if ((r = sshbuf_get_u32(m, &type)) != 0 ||
|
||||
+ (r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
|
||||
(r = sshbuf_get_string(m, &signature, &signaturelen)) != 0 ||
|
||||
(r = sshbuf_get_string(m, &data, &datalen)) != 0 ||
|
||||
+ (r = sshbuf_get_string_direct(m, &blob, &bloblen)) != 0 ||
|
||||
(r = sshbuf_get_string_direct(m, &signature, &signaturelen)) != 0 ||
|
||||
(r = sshbuf_get_string_direct(m, &data, &datalen)) != 0 ||
|
||||
(r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0)
|
||||
@@ -1418,6 +1437,8 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
@@ -1416,6 +1435,8 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
|
||||
!monitor_allowed_key(blob, bloblen))
|
||||
fatal("%s: bad key, not previously allowed", __func__);
|
||||
@ -1194,19 +1193,19 @@ index 20812fa..2e421cf 100644
|
||||
|
||||
/* Empty signature algorithm means NULL. */
|
||||
if (*sigalg == '\0') {
|
||||
@@ -1433,21 +1454,24 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
@@ -1431,14 +1452,19 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
case MM_USERKEY:
|
||||
valid_data = monitor_valid_userblob(data, datalen);
|
||||
auth_method = "publickey";
|
||||
+ ret = user_key_verify(ssh, key, signature, signaturelen, data,
|
||||
+ datalen, sigalg, ssh->compat);
|
||||
+ datalen, sigalg, ssh->compat, &sig_details);
|
||||
break;
|
||||
case MM_HOSTKEY:
|
||||
valid_data = monitor_valid_hostbasedblob(data, datalen,
|
||||
hostbased_cuser, hostbased_chost);
|
||||
+ ret = hostbased_key_verify(ssh, key, signature, signaturelen, data,
|
||||
+ datalen, sigalg, ssh->compat);
|
||||
auth_method = "hostbased";
|
||||
+ ret = hostbased_key_verify(ssh, key, signature, signaturelen, data,
|
||||
+ datalen, sigalg, ssh->compat, &sig_details);
|
||||
break;
|
||||
default:
|
||||
valid_data = 0;
|
||||
@ -1214,14 +1213,16 @@ index 20812fa..2e421cf 100644
|
||||
break;
|
||||
}
|
||||
if (!valid_data)
|
||||
fatal("%s: bad signature data blob", __func__);
|
||||
@@ -1448,8 +1474,6 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
SSH_FP_DEFAULT)) == NULL)
|
||||
fatal("%s: sshkey_fingerprint failed", __func__);
|
||||
|
||||
- ret = sshkey_verify(key, signature, signaturelen, data, datalen,
|
||||
- sigalg, ssh->compat);
|
||||
debug3("%s: %s %p signature %s", __func__, auth_method, key,
|
||||
(ret == 0) ? "verified" : "unverified");
|
||||
auth2_record_key(authctxt, ret == 0, key);
|
||||
@@ -1499,13 +1523,19 @@ mm_record_login(struct ssh *ssh, Session *s, struct passwd *pw)
|
||||
- sigalg, ssh->compat, &sig_details);
|
||||
debug3("%s: %s %p signature %s%s%s", __func__, auth_method, key,
|
||||
(ret == 0) ? "verified" : "unverified",
|
||||
(ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
|
||||
@@ -1524,13 +1548,19 @@ mm_record_login(struct ssh *ssh, Session *s, struct passwd *pw)
|
||||
}
|
||||
|
||||
static void
|
||||
@ -1242,7 +1243,7 @@ index 20812fa..2e421cf 100644
|
||||
session_unused(s->self);
|
||||
}
|
||||
|
||||
@@ -1572,7 +1602,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
@@ -1597,7 +1627,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
|
||||
error:
|
||||
if (s != NULL)
|
||||
@ -1251,7 +1252,7 @@ index 20812fa..2e421cf 100644
|
||||
if ((r = sshbuf_put_u32(m, 0)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
mm_request_send(sock, MONITOR_ANS_PTY, m);
|
||||
@@ -1591,7 +1621,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
@@ -1616,7 +1646,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
if ((r = sshbuf_get_cstring(m, &tty, NULL)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
if ((s = session_by_tty(tty)) != NULL)
|
||||
@ -1260,7 +1261,7 @@ index 20812fa..2e421cf 100644
|
||||
sshbuf_reset(m);
|
||||
free(tty);
|
||||
return (0);
|
||||
@@ -1613,6 +1643,8 @@ mm_answer_term(struct ssh *ssh, int sock, struct sshbuf *req)
|
||||
@@ -1638,6 +1668,8 @@ mm_answer_term(struct ssh *ssh, int sock, struct sshbuf *req)
|
||||
sshpam_cleanup();
|
||||
#endif
|
||||
|
||||
@ -1269,7 +1270,7 @@ index 20812fa..2e421cf 100644
|
||||
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
|
||||
if (errno != EINTR)
|
||||
exit(1);
|
||||
@@ -1659,12 +1691,47 @@ mm_answer_audit_command(struct ssh *ssh, int socket, struct sshbuf *m)
|
||||
@@ -1684,12 +1716,47 @@ mm_answer_audit_command(struct ssh *ssh, int socket, struct sshbuf *m)
|
||||
{
|
||||
char *cmd;
|
||||
int r;
|
||||
@ -1318,7 +1319,7 @@ index 20812fa..2e421cf 100644
|
||||
free(cmd);
|
||||
return (0);
|
||||
}
|
||||
@@ -1730,6 +1797,7 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
||||
@@ -1755,6 +1822,7 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
||||
void
|
||||
mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
||||
{
|
||||
@ -1326,7 +1327,7 @@ index 20812fa..2e421cf 100644
|
||||
debug3("%s: Waiting for new keys", __func__);
|
||||
|
||||
if ((child_state = sshbuf_new()) == NULL)
|
||||
@@ -1737,6 +1805,19 @@ mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
||||
@@ -1762,6 +1830,19 @@ mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
||||
mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
|
||||
child_state);
|
||||
debug3("%s: GOT new keys", __func__);
|
||||
@ -1346,7 +1347,7 @@ index 20812fa..2e421cf 100644
|
||||
}
|
||||
|
||||
|
||||
@@ -2014,3 +2095,102 @@ mm_answer_gss_updatecreds(struct ssh *ssh, int socket, struct sshbuf *m) {
|
||||
@@ -2039,3 +2120,102 @@ mm_answer_gss_updatecreds(struct ssh *ssh, int socket, struct sshbuf *m) {
|
||||
|
||||
#endif /* GSSAPI */
|
||||
|
||||
@ -1469,7 +1470,7 @@ index 2b1a2d5..7817990 100644
|
||||
MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
|
||||
MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
|
||||
diff --git a/monitor_wrap.c b/monitor_wrap.c
|
||||
index fdca39a..b427dd6 100644
|
||||
index 6edb509..cb5e5f3 100644
|
||||
--- a/monitor_wrap.c
|
||||
+++ b/monitor_wrap.c
|
||||
@@ -492,7 +492,7 @@ mm_key_allowed(enum mm_keytype type, const char *user, const char *host,
|
||||
@ -1478,11 +1479,11 @@ index fdca39a..b427dd6 100644
|
||||
int
|
||||
-mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||
+mm_sshkey_verify(enum mm_keytype type, const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||
const u_char *data, size_t datalen, const char *sigalg, u_int compat)
|
||||
const u_char *data, size_t datalen, const char *sigalg, u_int compat,
|
||||
struct sshkey_sig_details **sig_detailsp)
|
||||
{
|
||||
struct sshbuf *m;
|
||||
@@ -504,7 +504,8 @@ mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||
|
||||
@@ -508,7 +508,8 @@ mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||
*sig_detailsp = NULL;
|
||||
if ((m = sshbuf_new()) == NULL)
|
||||
fatal("%s: sshbuf_new failed", __func__);
|
||||
- if ((r = sshkey_puts(key, m)) != 0 ||
|
||||
@ -1491,28 +1492,28 @@ index fdca39a..b427dd6 100644
|
||||
(r = sshbuf_put_string(m, sig, siglen)) != 0 ||
|
||||
(r = sshbuf_put_string(m, data, datalen)) != 0 ||
|
||||
(r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0)
|
||||
@@ -526,6 +527,20 @@ mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||
@@ -541,6 +542,20 @@ mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+int
|
||||
+mm_hostbased_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||
+ const u_char *data, size_t datalen, const char *pkalg, u_int compat)
|
||||
+ const u_char *data, size_t datalen, const char *pkalg, u_int compat, struct sshkey_sig_details **sigdet)
|
||||
+{
|
||||
+ return mm_sshkey_verify(MM_HOSTKEY, key, sig, siglen, data, datalen, pkalg, compat);
|
||||
+ return mm_sshkey_verify(MM_HOSTKEY, key, sig, siglen, data, datalen, pkalg, compat, sigdet);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+mm_user_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||
+ const u_char *data, size_t datalen, const char *pkalg, u_int compat)
|
||||
+ const u_char *data, size_t datalen, const char *pkalg, u_int compat, struct sshkey_sig_details **sigdet)
|
||||
+{
|
||||
+ return mm_sshkey_verify(MM_USERKEY, key, sig, siglen, data, datalen, pkalg, compat);
|
||||
+ return mm_sshkey_verify(MM_USERKEY, key, sig, siglen, data, datalen, pkalg, compat, sigdet);
|
||||
+}
|
||||
+
|
||||
void
|
||||
mm_send_keystate(struct ssh *ssh, struct monitor *monitor)
|
||||
{
|
||||
@@ -879,11 +894,12 @@ mm_audit_event(struct ssh *ssh, ssh_audit_event_t event)
|
||||
@@ -894,11 +909,12 @@ mm_audit_event(struct ssh *ssh, ssh_audit_event_t event)
|
||||
sshbuf_free(m);
|
||||
}
|
||||
|
||||
@ -1527,7 +1528,7 @@ index fdca39a..b427dd6 100644
|
||||
|
||||
debug3("%s entering command %s", __func__, command);
|
||||
|
||||
@@ -893,6 +909,30 @@ mm_audit_run_command(const char *command)
|
||||
@@ -908,6 +924,30 @@ mm_audit_run_command(const char *command)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, m);
|
||||
@ -1558,7 +1559,7 @@ index fdca39a..b427dd6 100644
|
||||
sshbuf_free(m);
|
||||
}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
@@ -1053,3 +1093,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
|
||||
@@ -1068,3 +1108,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
|
||||
}
|
||||
|
||||
#endif /* GSSAPI */
|
||||
@ -1643,21 +1644,21 @@ index fdca39a..b427dd6 100644
|
||||
+}
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
diff --git a/monitor_wrap.h b/monitor_wrap.h
|
||||
index 92dda57..d413dac 100644
|
||||
index 485590c..73c095e 100644
|
||||
--- a/monitor_wrap.h
|
||||
+++ b/monitor_wrap.h
|
||||
@@ -56,7 +56,9 @@ int mm_user_key_allowed(struct ssh *, struct passwd *, struct sshkey *, int,
|
||||
@@ -57,7 +57,9 @@ int mm_user_key_allowed(struct ssh *, struct passwd *, struct sshkey *, int,
|
||||
struct sshauthopt **);
|
||||
int mm_hostbased_key_allowed(struct ssh *, struct passwd *, const char *,
|
||||
const char *, struct sshkey *);
|
||||
-int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
|
||||
+int mm_hostbased_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
|
||||
+ const u_char *, size_t, const char *, u_int);
|
||||
+int mm_user_key_verify(struct ssh*, const struct sshkey *, const u_char *, size_t,
|
||||
const u_char *, size_t, const char *, u_int);
|
||||
+ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
|
||||
+int mm_user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
|
||||
const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
|
||||
|
||||
#ifdef GSSAPI
|
||||
@@ -81,7 +83,12 @@ void mm_sshpam_free_ctx(void *);
|
||||
@@ -82,7 +84,12 @@ void mm_sshpam_free_ctx(void *);
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
#include "audit.h"
|
||||
void mm_audit_event(struct ssh *, ssh_audit_event_t);
|
||||
@ -1672,18 +1673,18 @@ index 92dda57..d413dac 100644
|
||||
|
||||
struct Session;
|
||||
diff --git a/packet.c b/packet.c
|
||||
index 817da43..aec02e4 100644
|
||||
index e7abb34..3e9c95e 100644
|
||||
--- a/packet.c
|
||||
+++ b/packet.c
|
||||
@@ -77,6 +77,7 @@
|
||||
#include <zlib.h>
|
||||
@@ -81,6 +81,7 @@
|
||||
#endif
|
||||
|
||||
#include "xmalloc.h"
|
||||
+#include "audit.h"
|
||||
#include "compat.h"
|
||||
#include "ssh2.h"
|
||||
#include "cipher.h"
|
||||
@@ -509,6 +510,13 @@ ssh_packet_get_connection_out(struct ssh *ssh)
|
||||
@@ -515,6 +516,13 @@ ssh_packet_get_connection_out(struct ssh *ssh)
|
||||
return ssh->state->connection_out;
|
||||
}
|
||||
|
||||
@ -1697,7 +1698,7 @@ index 817da43..aec02e4 100644
|
||||
/*
|
||||
* Returns the IP-address of the remote host as a string. The returned
|
||||
* string must not be freed.
|
||||
@@ -586,22 +594,19 @@ ssh_packet_close_internal(struct ssh *ssh, int do_close)
|
||||
@@ -592,22 +600,19 @@ ssh_packet_close_internal(struct ssh *ssh, int do_close)
|
||||
{
|
||||
struct session_state *state = ssh->state;
|
||||
u_int mode;
|
||||
@ -1725,8 +1726,8 @@ index 817da43..aec02e4 100644
|
||||
for (mode = 0; mode < MODE_MAX; mode++) {
|
||||
kex_free_newkeys(state->newkeys[mode]); /* current keys */
|
||||
state->newkeys[mode] = NULL;
|
||||
@@ -635,8 +640,18 @@ ssh_packet_close_internal(struct ssh *ssh, int do_close)
|
||||
}
|
||||
@@ -643,8 +648,18 @@ ssh_packet_close_internal(struct ssh *ssh, int do_close)
|
||||
#endif /* WITH_ZLIB */
|
||||
cipher_free(state->send_context);
|
||||
cipher_free(state->receive_context);
|
||||
+ if (had_keys && state->server_side) {
|
||||
@ -1744,7 +1745,7 @@ index 817da43..aec02e4 100644
|
||||
free(ssh->local_ipaddr);
|
||||
ssh->local_ipaddr = NULL;
|
||||
free(ssh->remote_ipaddr);
|
||||
@@ -863,6 +878,7 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
|
||||
@@ -899,6 +914,7 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
|
||||
(unsigned long long)state->p_send.bytes,
|
||||
(unsigned long long)state->p_send.blocks);
|
||||
kex_free_newkeys(state->newkeys[mode]);
|
||||
@ -1752,7 +1753,7 @@ index 817da43..aec02e4 100644
|
||||
state->newkeys[mode] = NULL;
|
||||
}
|
||||
/* note that both bytes and the seqnr are not reset */
|
||||
@@ -2166,6 +2182,71 @@ ssh_packet_get_output(struct ssh *ssh)
|
||||
@@ -2205,6 +2221,71 @@ ssh_packet_get_output(struct ssh *ssh)
|
||||
return (void *)ssh->state->output;
|
||||
}
|
||||
|
||||
@ -1825,17 +1826,17 @@ index 817da43..aec02e4 100644
|
||||
static int
|
||||
ssh_packet_set_postauth(struct ssh *ssh)
|
||||
diff --git a/packet.h b/packet.h
|
||||
index 8ccfd2e..cfd9ebe 100644
|
||||
index c2544bd..239b391 100644
|
||||
--- a/packet.h
|
||||
+++ b/packet.h
|
||||
@@ -217,4 +217,5 @@ const u_char *sshpkt_ptr(struct ssh *, size_t *lenp);
|
||||
@@ -218,4 +218,5 @@ const u_char *sshpkt_ptr(struct ssh *, size_t *lenp);
|
||||
# undef EC_POINT
|
||||
#endif
|
||||
|
||||
+void packet_destroy_all(struct ssh *, int, int);
|
||||
#endif /* PACKET_H */
|
||||
diff --git a/session.c b/session.c
|
||||
index 89f9539..07411f3 100644
|
||||
index 530aa26..9e7a8f8 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -136,7 +136,7 @@ extern char *__progname;
|
||||
@ -1884,7 +1885,7 @@ index 89f9539..07411f3 100644
|
||||
#endif
|
||||
if (s->ttyfd != -1)
|
||||
ret = do_exec_pty(ssh, s, command);
|
||||
@@ -1531,8 +1543,11 @@ do_child(struct ssh *ssh, Session *s, const char *command)
|
||||
@@ -1535,8 +1547,11 @@ do_child(struct ssh *ssh, Session *s, const char *command)
|
||||
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
|
||||
|
||||
/* remove hostkey from the child's memory */
|
||||
@ -1897,7 +1898,7 @@ index 89f9539..07411f3 100644
|
||||
|
||||
/* Force a password change */
|
||||
if (s->authctxt->force_pwchange) {
|
||||
@@ -1741,6 +1756,9 @@ session_unused(int id)
|
||||
@@ -1745,6 +1760,9 @@ session_unused(int id)
|
||||
sessions[id].ttyfd = -1;
|
||||
sessions[id].ptymaster = -1;
|
||||
sessions[id].x11_chanids = NULL;
|
||||
@ -1907,7 +1908,7 @@ index 89f9539..07411f3 100644
|
||||
sessions[id].next_unused = sessions_first_unused;
|
||||
sessions_first_unused = id;
|
||||
}
|
||||
@@ -1822,6 +1840,19 @@ session_open(Authctxt *authctxt, int chanid)
|
||||
@@ -1826,6 +1844,19 @@ session_open(Authctxt *authctxt, int chanid)
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -1927,7 +1928,7 @@ index 89f9539..07411f3 100644
|
||||
Session *
|
||||
session_by_tty(char *tty)
|
||||
{
|
||||
@@ -2433,6 +2464,32 @@ session_exit_message(struct ssh *ssh, Session *s, int status)
|
||||
@@ -2437,6 +2468,32 @@ session_exit_message(struct ssh *ssh, Session *s, int status)
|
||||
chan_write_failed(ssh, c);
|
||||
}
|
||||
|
||||
@ -1960,7 +1961,7 @@ index 89f9539..07411f3 100644
|
||||
void
|
||||
session_close(struct ssh *ssh, Session *s)
|
||||
{
|
||||
@@ -2474,6 +2531,10 @@ session_close(struct ssh *ssh, Session *s)
|
||||
@@ -2478,6 +2535,10 @@ session_close(struct ssh *ssh, Session *s)
|
||||
|
||||
if (s->ttyfd != -1)
|
||||
session_pty_cleanup(s);
|
||||
@ -1971,7 +1972,7 @@ index 89f9539..07411f3 100644
|
||||
free(s->term);
|
||||
free(s->display);
|
||||
free(s->x11_chanids);
|
||||
@@ -2549,14 +2610,14 @@ session_close_by_channel(struct ssh *ssh, int id, void *arg)
|
||||
@@ -2553,14 +2614,14 @@ session_close_by_channel(struct ssh *ssh, int id, void *arg)
|
||||
}
|
||||
|
||||
void
|
||||
@ -1988,7 +1989,7 @@ index 89f9539..07411f3 100644
|
||||
else
|
||||
session_close(ssh, s);
|
||||
}
|
||||
@@ -2682,6 +2743,15 @@ do_authenticated2(struct ssh *ssh, Authctxt *authctxt)
|
||||
@@ -2686,6 +2747,15 @@ do_authenticated2(struct ssh *ssh, Authctxt *authctxt)
|
||||
server_loop2(ssh, authctxt);
|
||||
}
|
||||
|
||||
@ -2004,7 +2005,7 @@ index 89f9539..07411f3 100644
|
||||
void
|
||||
do_cleanup(struct ssh *ssh, Authctxt *authctxt)
|
||||
{
|
||||
@@ -2745,7 +2815,7 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
|
||||
@@ -2749,7 +2819,7 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
|
||||
* or if running in monitor.
|
||||
*/
|
||||
if (!use_privsep || mm_is_monitor())
|
||||
@ -2045,10 +2046,10 @@ index ce59dab..bcd4b1d 100644
|
||||
void session_close(struct ssh *, Session *);
|
||||
void do_setusercontext(struct passwd *);
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 0d5c4c4..dca7b1e 100644
|
||||
index 7d23232..9c83ce0 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -124,6 +124,7 @@
|
||||
@@ -122,6 +122,7 @@
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
@ -2056,7 +2057,7 @@ index 0d5c4c4..dca7b1e 100644
|
||||
#include "ssh-sandbox.h"
|
||||
#include "auth-options.h"
|
||||
#include "version.h"
|
||||
@@ -272,8 +273,8 @@ struct sshbuf *loginmsg;
|
||||
@@ -267,8 +268,8 @@ struct sshbuf *loginmsg;
|
||||
struct passwd *privsep_pw = NULL;
|
||||
|
||||
/* Prototypes for various functions defined later in this file. */
|
||||
@ -2066,8 +2067,8 @@ index 0d5c4c4..dca7b1e 100644
|
||||
+void demote_sensitive_data(struct ssh *);
|
||||
static void do_ssh2_kex(struct ssh *);
|
||||
|
||||
/*
|
||||
@@ -289,6 +290,15 @@ close_listen_socks(void)
|
||||
static char *listener_proctitle;
|
||||
@@ -286,6 +287,15 @@ close_listen_socks(void)
|
||||
num_listen_socks = -1;
|
||||
}
|
||||
|
||||
@ -2083,7 +2084,7 @@ index 0d5c4c4..dca7b1e 100644
|
||||
static void
|
||||
close_startup_pipes(void)
|
||||
{
|
||||
@@ -395,18 +405,45 @@ grace_alarm_handler(int sig)
|
||||
@@ -390,18 +400,45 @@ grace_alarm_handler(int sig)
|
||||
ssh_remote_port(the_active_state));
|
||||
}
|
||||
|
||||
@ -2132,7 +2133,7 @@ index 0d5c4c4..dca7b1e 100644
|
||||
sshkey_free(sensitive_data.host_certificates[i]);
|
||||
sensitive_data.host_certificates[i] = NULL;
|
||||
}
|
||||
@@ -415,14 +452,26 @@ destroy_sensitive_data(void)
|
||||
@@ -410,14 +447,26 @@ destroy_sensitive_data(void)
|
||||
|
||||
/* Demote private to public keys for network child */
|
||||
void
|
||||
@ -2160,7 +2161,7 @@ index 0d5c4c4..dca7b1e 100644
|
||||
if ((r = sshkey_from_private(
|
||||
sensitive_data.host_keys[i], &tmp)) != 0)
|
||||
fatal("could not demote host %s key: %s",
|
||||
@@ -430,6 +479,12 @@ demote_sensitive_data(void)
|
||||
@@ -425,6 +474,12 @@ demote_sensitive_data(void)
|
||||
ssh_err(r));
|
||||
sshkey_free(sensitive_data.host_keys[i]);
|
||||
sensitive_data.host_keys[i] = tmp;
|
||||
@ -2173,7 +2174,7 @@ index 0d5c4c4..dca7b1e 100644
|
||||
}
|
||||
/* Certs do not need demotion */
|
||||
}
|
||||
@@ -457,7 +512,7 @@ reseed_prngs(void)
|
||||
@@ -452,7 +507,7 @@ reseed_prngs(void)
|
||||
}
|
||||
|
||||
static void
|
||||
@ -2182,7 +2183,7 @@ index 0d5c4c4..dca7b1e 100644
|
||||
{
|
||||
gid_t gidset[1];
|
||||
|
||||
@@ -472,7 +527,7 @@ privsep_preauth_child(void)
|
||||
@@ -467,7 +522,7 @@ privsep_preauth_child(void)
|
||||
reseed_prngs();
|
||||
|
||||
/* Demote the private keys to public keys. */
|
||||
@ -2191,7 +2192,7 @@ index 0d5c4c4..dca7b1e 100644
|
||||
|
||||
/* Demote the child */
|
||||
if (privsep_chroot) {
|
||||
@@ -507,7 +562,7 @@ privsep_preauth(struct ssh *ssh)
|
||||
@@ -502,7 +557,7 @@ privsep_preauth(struct ssh *ssh)
|
||||
|
||||
if (use_privsep == PRIVSEP_ON)
|
||||
box = ssh_sandbox_init(pmonitor);
|
||||
@ -2200,7 +2201,7 @@ index 0d5c4c4..dca7b1e 100644
|
||||
if (pid == -1) {
|
||||
fatal("fork of unprivileged child failed");
|
||||
} else if (pid != 0) {
|
||||
@@ -553,7 +608,7 @@ privsep_preauth(struct ssh *ssh)
|
||||
@@ -548,7 +603,7 @@ privsep_preauth(struct ssh *ssh)
|
||||
/* Arrange for logging to be sent to the monitor */
|
||||
set_log_handler(mm_log_handler, pmonitor);
|
||||
|
||||
@ -2209,7 +2210,7 @@ index 0d5c4c4..dca7b1e 100644
|
||||
setproctitle("%s", "[net]");
|
||||
if (box != NULL)
|
||||
ssh_sandbox_child(box);
|
||||
@@ -597,7 +652,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
|
||||
@@ -592,7 +647,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
|
||||
pmonitor->m_sendfd = -1;
|
||||
|
||||
/* Demote the private keys to public keys. */
|
||||
@ -2218,7 +2219,7 @@ index 0d5c4c4..dca7b1e 100644
|
||||
|
||||
reseed_prngs();
|
||||
|
||||
@@ -1060,7 +1115,7 @@ server_listen(void)
|
||||
@@ -1101,7 +1156,7 @@ server_listen(void)
|
||||
* from this function are in a forked subprocess.
|
||||
*/
|
||||
static void
|
||||
@ -2227,7 +2228,7 @@ index 0d5c4c4..dca7b1e 100644
|
||||
{
|
||||
fd_set *fdset;
|
||||
int i, j, ret, maxfd;
|
||||
@@ -1115,6 +1170,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
|
||||
@@ -1162,6 +1217,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
|
||||
if (received_sigterm) {
|
||||
logit("Received signal %d; terminating.",
|
||||
(int) received_sigterm);
|
||||
@ -2235,7 +2236,7 @@ index 0d5c4c4..dca7b1e 100644
|
||||
close_listen_socks();
|
||||
if (options.pid_file != NULL)
|
||||
unlink(options.pid_file);
|
||||
@@ -1973,7 +2029,7 @@ main(int ac, char **av)
|
||||
@@ -2039,7 +2095,7 @@ main(int ac, char **av)
|
||||
#endif
|
||||
|
||||
/* Accept a connection and return in a forked child */
|
||||
@ -2244,7 +2245,7 @@ index 0d5c4c4..dca7b1e 100644
|
||||
&newsock, config_s);
|
||||
}
|
||||
|
||||
@@ -2212,6 +2268,9 @@ main(int ac, char **av)
|
||||
@@ -2274,6 +2330,9 @@ main(int ac, char **av)
|
||||
do_authenticated(ssh, authctxt);
|
||||
|
||||
/* The connection has been terminated. */
|
||||
@ -2254,7 +2255,7 @@ index 0d5c4c4..dca7b1e 100644
|
||||
ssh_packet_get_bytes(ssh, &ibytes, &obytes);
|
||||
verbose("Transferred: sent %llu, received %llu bytes",
|
||||
(unsigned long long)obytes, (unsigned long long)ibytes);
|
||||
@@ -2393,6 +2452,15 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
@@ -2457,6 +2516,15 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
void
|
||||
cleanup_exit(int i)
|
||||
{
|
||||
@ -2270,7 +2271,7 @@ index 0d5c4c4..dca7b1e 100644
|
||||
if (the_active_state != NULL && the_authctxt != NULL) {
|
||||
do_cleanup(the_active_state, the_authctxt);
|
||||
if (use_privsep && privsep_is_preauth &&
|
||||
@@ -2404,9 +2472,16 @@ cleanup_exit(int i)
|
||||
@@ -2468,9 +2536,16 @@ cleanup_exit(int i)
|
||||
pmonitor->m_pid, strerror(errno));
|
||||
}
|
||||
}
|
||||
@ -2289,10 +2290,10 @@ index 0d5c4c4..dca7b1e 100644
|
||||
#endif
|
||||
_exit(i);
|
||||
diff --git a/sshkey.c b/sshkey.c
|
||||
index 4d2048b..142dc09 100644
|
||||
index 1ac32a0..f579108 100644
|
||||
--- a/sshkey.c
|
||||
+++ b/sshkey.c
|
||||
@@ -340,6 +340,38 @@ sshkey_type_is_valid_ca(int type)
|
||||
@@ -368,6 +368,38 @@ sshkey_type_is_valid_ca(int type)
|
||||
}
|
||||
}
|
||||
|
||||
@ -2332,14 +2333,14 @@ index 4d2048b..142dc09 100644
|
||||
sshkey_is_cert(const struct sshkey *k)
|
||||
{
|
||||
diff --git a/sshkey.h b/sshkey.h
|
||||
index 1bf30d0..065ef0b 100644
|
||||
index f586e89..a08bc65 100644
|
||||
--- a/sshkey.h
|
||||
+++ b/sshkey.h
|
||||
@@ -164,6 +164,7 @@ int sshkey_shield_private(struct sshkey *);
|
||||
@@ -187,6 +187,7 @@ int sshkey_shield_private(struct sshkey *);
|
||||
int sshkey_unshield_private(struct sshkey *);
|
||||
|
||||
int sshkey_type_from_name(const char *);
|
||||
+int sshkey_is_private(const struct sshkey *);
|
||||
int sshkey_is_cert(const struct sshkey *);
|
||||
int sshkey_is_sk(const struct sshkey *);
|
||||
int sshkey_type_is_cert(int);
|
||||
int sshkey_type_plain(int);
|
||||
|
@ -1,10 +1,10 @@
|
||||
Index: openssh-8.1p1/sandbox-seccomp-filter.c
|
||||
===================================================================
|
||||
--- openssh-8.1p1.orig/sandbox-seccomp-filter.c
|
||||
+++ openssh-8.1p1/sandbox-seccomp-filter.c
|
||||
@@ -248,6 +248,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_nanosleep
|
||||
SC_ALLOW(__NR_nanosleep),
|
||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||||
index c1e689e..74f69bc 100644
|
||||
--- a/sandbox-seccomp-filter.c
|
||||
+++ b/sandbox-seccomp-filter.c
|
||||
@@ -264,6 +264,9 @@ static const struct sock_filter preauth_insns[] = {
|
||||
#ifdef __NR_clock_gettime64
|
||||
SC_ALLOW(__NR_clock_gettime64),
|
||||
#endif
|
||||
+#ifdef __NR_clock_nanosleep
|
||||
+ SC_ALLOW(__NR_clock_nanosleep),
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff
|
||||
size 1625894
|
@ -1,14 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAl2dLEgACgkQ0+X1a22S
|
||||
DTAcUgx7BcRCaH7fb0AeQGvIrxXlyeN3uL6HOyo8MKkryN+y9zpvpcU6T8FBjtoh
|
||||
zgjonewzodGj+C1ma0O9TgIfnUxdOVL+eQsPYgOWLJt2MzSnY/Ru+20J5ZGwGc+5
|
||||
pJcuV+xlAuwae/EL+Pk86CdQ0D6zaf9NBHGTNmrswwhT9B3UWSCbEmmc8jm0DChm
|
||||
F5+dW1nK0n6YSQ9dVUH17/ujvego5WQkOiaSxjaK29/xS39BD6jrbwfFpL3/iKru
|
||||
mWVzcNJaX5WL3ZUnyZRcIHzVpBdr2n0pLCnmqIT8LGPwI3razEbZKIDXf+q0ZA88
|
||||
wRfCL9aEVWjhG+v56c/NiM/wD3h3A4uh8fZeeeyP3hmgEv8Wp8g7fFxf5MaEJlGL
|
||||
Oy6LeH0+x/uPySxaEvy4kuo/hapX2ClM16EMCUXHPwGIYRWdbTL7rzMTaoG3thyz
|
||||
VO04LulI9Xmvadn6k3JR5mFPpIsV+LNwt3g+c+4rBWspOdTHnFqo+OO7Uk8Ee3E0
|
||||
/MeuPBtqQq9o7RkoY8wtVOqT8q9/6g==
|
||||
=mpF6
|
||||
-----END PGP SIGNATURE-----
|
3
openssh-8.3p1.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2
|
||||
size 1706358
|
14
openssh-8.3p1.tar.gz.asc
Normal file
@ -0,0 +1,14 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAl7N2TQACgkQ0+X1a22S
|
||||
DTCXbAx/eycNNXxdVK3JtDQBUuSyup/eXeiuAdfTb77dKhdInk6ivaaKtVZ+3rlu
|
||||
eEUwAY2Bf/majUUigI5OI/niODMqbYWBBDKRudQlDSGfH8XnRge6dRjIWXU6XvZP
|
||||
MJpxVZWRorjnuCArWemlJ5QFxSds938Ae+7MFkveQ59UpRDeslYiI6twCXjRiZEL
|
||||
e8lBfsfZqcOLO8KLVRvDx6sqD8EXlak8fhdjmjKdbvA4oWHLcwUcuaNT/o5I2ZWn
|
||||
m2sOQcuhwt3+jm+f9SQKLURHcmGC6Hu5YXBq4+Ut7P9Qc9lAf76SDDnsrRQ8pv+Z
|
||||
tLsXBO+bNe3tSkRbG/AQQRZtGEzlhM8KPyQ6oA0JqlN4Wb5XMWYFyYyJTwJ/95ZI
|
||||
dluMmpwQTRVQGUNU7kVNe04TwRl+8APqvcnE3/i7MDm6EG5BHGcAneRmZfvt209F
|
||||
z8yGtKQKCvZm5Rn9V0/Gm3+pq5O2sie90CPW9ebyPsajzQlrYBQPoJ1aQ+Ue4QE6
|
||||
gee5eO3TZOJJ3peTqjihGUtpKH+21w==
|
||||
=lhX0
|
||||
-----END PGP SIGNATURE-----
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package openssh-askpass-gnome
|
||||
#
|
||||
# Copyright (c) 2020 SUSE LLC
|
||||
# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -18,7 +18,7 @@
|
||||
|
||||
%define _name openssh
|
||||
Name: openssh-askpass-gnome
|
||||
Version: 8.1p1
|
||||
Version: 8.3p1
|
||||
Release: 0
|
||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||
License: BSD-2-Clause
|
||||
|
103
openssh.changes
@ -1,3 +1,106 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Jun 5 00:36:08 UTC 2020 - Hans Petter Jansson <hpj@suse.com>
|
||||
|
||||
- Version update to 8.3p1:
|
||||
= Potentially-incompatible changes
|
||||
* sftp(1): reject an argument of "-1" in the same way as ssh(1) and
|
||||
scp(1) do instead of accepting and silently ignoring it.
|
||||
|
||||
= New features
|
||||
* sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
|
||||
rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only"
|
||||
to allow .shosts files but not .rhosts.
|
||||
* sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
|
||||
sshd_config, not just before any Match blocks.
|
||||
* ssh(1): add %TOKEN percent expansion for the LocalFoward and
|
||||
RemoteForward keywords when used for Unix domain socket forwarding.
|
||||
* all: allow loading public keys from the unencrypted envelope of a
|
||||
private key file if no corresponding public key file is present.
|
||||
* ssh(1), sshd(8): prefer to use chacha20 from libcrypto where
|
||||
possible instead of the (slower) portable C implementation included
|
||||
in OpenSSH.
|
||||
* ssh-keygen(1): add ability to dump the contents of a binary key
|
||||
revocation list via "ssh-keygen -lQf /path".
|
||||
|
||||
- Additional changes from 8.2p1 release:
|
||||
= Potentially-incompatible changes
|
||||
* ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
|
||||
(RSA/SHA1) algorithm from those accepted for certificate signatures
|
||||
(i.e. the client and server CASignatureAlgorithms option) and will
|
||||
use the rsa-sha2-512 signature algorithm by default when the
|
||||
ssh-keygen(1) CA signs new certificates.
|
||||
* ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1
|
||||
from the default key exchange proposal for both the client and
|
||||
server.
|
||||
* ssh-keygen(1): the command-line options related to the generation
|
||||
and screening of safe prime numbers used by the
|
||||
diffie-hellman-group-exchange-* key exchange algorithms have
|
||||
changed. Most options have been folded under the -O flag.
|
||||
* sshd(8): the sshd listener process title visible to ps(1) has
|
||||
changed to include information about the number of connections that
|
||||
are currently attempting authentication and the limits configured
|
||||
by MaxStartups.
|
||||
* ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
|
||||
support to provide address-space isolation for token middleware
|
||||
libraries (including the internal one). It needs to be installed
|
||||
in the expected path, typically under /usr/libexec or similar.
|
||||
|
||||
= New features
|
||||
* This release adds support for FIDO/U2F hardware authenticators to
|
||||
OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
|
||||
authentication hardware that are widely used for website
|
||||
authentication. In OpenSSH FIDO devices are supported by new public
|
||||
key types "ecdsa-sk" and "ed25519-sk", along with corresponding
|
||||
certificate types.
|
||||
* sshd(8): add an Include sshd_config keyword that allows including
|
||||
additional configuration files via glob(3) patterns.
|
||||
* ssh(1)/sshd(8): make the LE (low effort) DSCP code point available
|
||||
via the IPQoS directive.
|
||||
* ssh(1): when AddKeysToAgent=yes is set and the key contains no
|
||||
comment, add the key to the agent with the key's path as the
|
||||
comment.
|
||||
* ssh-keygen(1), ssh-agent(1): expose PKCS#11 key labels and X.509
|
||||
subjects as key comments, rather than simply listing the PKCS#11
|
||||
provider library path.
|
||||
* ssh-keygen(1): allow PEM export of DSA and ECDSA keys.
|
||||
* ssh(1), sshd(8): make zlib compile-time optional, available via the
|
||||
Makefile.inc ZLIB flag on OpenBSD or via the --with-zlib configure
|
||||
option for OpenSSH portable.
|
||||
* sshd(8): when clients get denied by MaxStartups, send a
|
||||
notification prior to the SSH2 protocol banner according to
|
||||
RFC4253 section 4.2.
|
||||
* ssh(1), ssh-agent(1): when invoking the $SSH_ASKPASS prompt
|
||||
program, pass a hint to the program to describe the type of
|
||||
desired prompt. The possible values are "confirm" (indicating
|
||||
that a yes/no confirmation dialog with no text entry should be
|
||||
shown), "none" (to indicate an informational message only), or
|
||||
blank for the original ssh-askpass behaviour of requesting a
|
||||
password/phrase.
|
||||
* ssh(1): allow forwarding a different agent socket to the path
|
||||
specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent
|
||||
option to accepting an explicit path or the name of an environment
|
||||
variable in addition to yes/no.
|
||||
* ssh-keygen(1): add a new signature operations "find-principals" to
|
||||
look up the principal associated with a signature from an allowed-
|
||||
signers file.
|
||||
* sshd(8): expose the number of currently-authenticating connections
|
||||
along with the MaxStartups limit in the process title visible to
|
||||
"ps".
|
||||
|
||||
- Rebased patches:
|
||||
* openssh-7.7p1-cavstest-ctr.patch
|
||||
* openssh-7.7p1-cavstest-kdf.patch
|
||||
* openssh-7.7p1-fips.patch
|
||||
* openssh-7.7p1-fips_checks.patch
|
||||
* openssh-7.7p1-ldap.patch
|
||||
* openssh-7.7p1-no_fork-no_pid_file.patch
|
||||
* openssh-7.7p1-sftp_print_diagnostic_messages.patch
|
||||
* openssh-8.0p1-gssapi-keyex.patch
|
||||
* openssh-8.1p1-audit.patch
|
||||
* openssh-8.1p1-seccomp-clock_nanosleep.patch
|
||||
|
||||
- Removed openssh-7.7p1-seed-prng.patch (bsc#1165158).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun May 31 11:25:07 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package openssh
|
||||
#
|
||||
# Copyright (c) 2020 SUSE LLC
|
||||
# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -35,7 +35,7 @@
|
||||
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||
%endif
|
||||
Name: openssh
|
||||
Version: 8.1p1
|
||||
Version: 8.3p1
|
||||
Release: 0
|
||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||
License: BSD-2-Clause AND MIT
|
||||
@ -77,7 +77,6 @@ Patch18: openssh-7.7p1-cavstest-ctr.patch
|
||||
Patch19: openssh-7.7p1-cavstest-kdf.patch
|
||||
# Local FIPS patchset
|
||||
Patch20: openssh-7.7p1-fips_checks.patch
|
||||
Patch21: openssh-7.7p1-seed-prng.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
|
||||
Patch22: openssh-7.7p1-systemd-notify.patch
|
||||
Patch23: openssh-8.0p1-gssapi-keyex.patch
|
||||
@ -112,6 +111,7 @@ BuildRequires: openssl-devel
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: zlib-devel
|
||||
BuildRequires: pkgconfig(libfido2)
|
||||
BuildRequires: pkgconfig(libsystemd)
|
||||
Requires(post): %fillup_prereq
|
||||
Requires(pre): shadow
|
||||
@ -211,6 +211,7 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
||||
--with-ldap \
|
||||
--with-xauth=%{_bindir}/xauth \
|
||||
--with-libedit \
|
||||
--with-security-key-builtin \
|
||||
--target=%{_target_cpu}-suse-linux
|
||||
|
||||
%make_build
|
||||
|
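Review bot: Dropping `Patch21: openssh-7.7p1-seed-prng.patch` from the Patch list (hunk `@ -77,7 +77,6 @@`) is only half the change unless the matching `%patch21` application in %prep was removed as well; %prep is not among this section's visible hunks, so please confirm, otherwise rpmbuild fails on the undefined patch. The new `BuildRequires: pkgconfig(libfido2)` and the `--with-security-key-builtin` configure flag turn on FIDO/U2F support, which adds a build dependency and, per the upstream note quoted in openssh.changes, a new ssh-sk-helper(8) binary that must be installed in its expected path; neither the dependency nor the helper's %files handling is recorded in the new changelog entry, and the %files hunks are outside what is shown. A changelog line such as `- Enable FIDO/U2F support (--with-security-key-builtin, BuildRequires: pkgconfig(libfido2))` would make the dependency change visible to anyone auditing this update. The openssh.spec section may continue past the `%make_build` hunk, as the page stops loading after it.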