From dd9c4b9bb10032f690dbbcb2925d2b9ad2d929d8d79f93b6bf19876619244009 Mon Sep 17 00:00:00 2001
From: Antonio Larrosa
Date: Fri, 23 Aug 2024 12:36:12 +0000
Subject: [PATCH] - Add patch to fix sshd not logging in the audit failed login attempts (submitted to upstream in https://github.com/openssh/openssh-portable/pull/516): * fix-audit-fail-attempt.patch - Use --enable-dsa-keys when building openssh. It's required if the user sets the crypto-policy mode to LEGACY, where DSA keys should be allowed. The option was added by upstream in 9.7 and set to disabled by default. - These two changes fix 2 of the 3 issues reported in bsc#1229650. OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=273
---
 fix-audit-fail-attempt.patch | 23 +++++++++++++++++++++++
 openssh.changes | 13 +++++++++++++
 openssh.spec | 3 +++
 3 files changed, 39 insertions(+)
 create mode 100644 fix-audit-fail-attempt.patch
diff --git a/fix-audit-fail-attempt.patch b/fix-audit-fail-attempt.patch
new file mode 100644
index 0000000..0934bed
--- /dev/null
+++ b/fix-audit-fail-attempt.patch
@@ -0,0 +1,23 @@
+Index: openssh-9.8p1/sshd-session.c
+===================================================================
+--- openssh-9.8p1.orig/sshd-session.c
++++ openssh-9.8p1/sshd-session.c
+@@ -1624,9 +1624,6 @@ cleanup_exit(int i)
+ }
+ }
+ }
+- /* Override default fatal exit value when auth was attempted */
+- if (i == 255 && auth_attempted)
+- _exit(EXIT_AUTH_ATTEMPTED);
+ #ifdef SSH_AUDIT_EVENTS
+ /* done after do_cleanup so it can cancel the PAM auth 'thread' */
+ if (the_active_state != NULL &&
+@@ -1636,5 +1633,8 @@ cleanup_exit(int i)
+ #endif
+
+ clobber_stack();
++ /* Override default fatal exit value when auth was attempted */
++ if (i == 255 && auth_attempted)
++ _exit(EXIT_AUTH_ATTEMPTED);
+ _exit(i);
+ }
diff --git a/openssh.changes b/openssh.changes
index 9920ce7..a280f79 100644
--- a/openssh.changes
+++ b/openssh.changes
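Review bot: In fix-audit-fail-attempt.patch the relocated `_exit(EXIT_AUTH_ATTEMPTED)` block keeps its original comment, which does not say why the block now has to follow the `SSH_AUDIT_EVENTS` section and `clobber_stack()`. According to the commit message the patch fixes failed login attempts missing from the audit log, so the position of these three lines appears to be the whole fix, and a later rebase or refactor could move them back without anyone noticing the lost audit records. I would extend the comment to `/* Override default fatal exit value when auth was attempted; keep this after the audit block so the failed attempt is still recorded */`. cleanup_exit() starts above the patch's context, and the audit condition is cut after `the_active_state != NULL &&`, so the event that is actually emitted cannot be checked from here.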
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Fri Aug 23 12:10:00 UTC 2024 - Antonio Larrosa
+
+- Add patch to fix sshd not logging in the audit failed login
+ attempts (submitted to upstream in
+ https://github.com/openssh/openssh-portable/pull/516):
+ * fix-audit-fail-attempt.patch
+- Use --enable-dsa-keys when building openssh. It's required if
+ the user sets the crypto-policy mode to LEGACY, where DSA keys
+ should be allowed. The option was added by upstream in 9.7 and
+ set to disabled by default.
+- These two changes fix 2 of the 3 issues reported in bsc#1229650.
+
 -------------------------------------------------------------------
 Mon Aug 12 08:55:38 UTC 2024 - Antonio Larrosa
diff --git a/openssh.spec b/openssh.spec
index f52a2a9..4852318 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -130,6 +130,8 @@ Patch106: openssh-7.6p1-cleanup-selinux.patch
 Patch107: openssh-9.6p1-crypto-policies.patch
 Patch108: openssh-9.6p1-crypto-policies-man.patch
 Patch109: fix-memleak-in-process_server_config_line_depth.patch
+# PATCH-FIX-UPSTREAM alarrosa@suse.com -- https://github.com/openssh/openssh-portable/pull/516
+Patch110: fix-audit-fail-attempt.patch
 %if 0%{with allow_root_password_login_by_default}
 Patch1000: openssh-7.7p1-allow_root_password_login.patch
 %endif
@@ -368,6 +370,7 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
 --disable-lastlog \
 --with-logind \
 %endif
+ --enable-dsa-keys \
 --with-security-key-builtin \
 --target=%{_target_cpu}-suse-linux
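Review bot: `--enable-dsa-keys` sits after the `%endif`, so it is passed to configure on every build and the only thing keeping DSA keys out of non-LEGACY systems is the runtime crypto-policy. The commit message says upstream disabled the option by default in 9.7 and that it is wanted only for the LEGACY mode; nothing in this hunk shows that the other policy levels exclude `ssh-dss`, so that should be confirmed (and ideally covered by a package test) before shipping. Since a comment cannot go inside the backslash-continued argument list, I would add one ahead of the configure call, e.g. `# DSA is compiled in only so the LEGACY crypto-policy can allow it; all other policies must keep it disabled`. The configure invocation begins outside the hunk.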