- Add patch to fix sshd not logging in the audit failed login
  attempts (submitted to upstream in
  https://github.com/openssh/openssh-portable/pull/516):
  * fix-audit-fail-attempt.patch
- Use --enable-dsa-keys when building openssh. It's required if
  the user sets the crypto-policy mode to LEGACY, where DSA keys
  should be allowed. The option was added by upstream in 9.7 and
  set to disabled by default.
- These two changes fix 2 of the 3 issues reported in bsc#1229650.

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=273
Antonio Larrosa 2024-08-23 12:36:12 +00:00 committed by Git OBS Bridge
parent da2c6cc517
commit dd9c4b9bb1
3 changed files with 39 additions and 0 deletions

@ -0,0 +1,23 @@
Index: openssh-9.8p1/sshd-session.c
===================================================================
--- openssh-9.8p1.orig/sshd-session.c
+++ openssh-9.8p1/sshd-session.c
@@ -1624,9 +1624,6 @@ cleanup_exit(int i)
}
}
}
- /* Override default fatal exit value when auth was attempted */
- if (i == 255 && auth_attempted)
- _exit(EXIT_AUTH_ATTEMPTED);
#ifdef SSH_AUDIT_EVENTS
/* done after do_cleanup so it can cancel the PAM auth 'thread' */
if (the_active_state != NULL &&
@@ -1636,5 +1633,8 @@ cleanup_exit(int i)
#endif
clobber_stack();
+ /* Override default fatal exit value when auth was attempted */
+ if (i == 255 && auth_attempted)
+ _exit(EXIT_AUTH_ATTEMPTED);
_exit(i);
}
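
Review bot: the relocated `if (i == 255 && auth_attempted)` check in the second sshd-session.c hunk keeps its old comment, which does not say why the check now has to sit after the SSH_AUDIT_EVENTS block and clobber_stack(). The fix is purely an ordering change: the removed lines called _exit(EXIT_AUTH_ATTEMPTED) ahead of the `#ifdef SSH_AUDIT_EVENTS` block, so that block was never reached on this path. Please extend the comment to state that the override must stay after the audit block, so a later refresh against upstream does not move it back. The patch file also starts directly at "Index:" with no description header; a short header naming bsc#1229650 and the upstream pull request would make it self-explanatory.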

@ -1,3 +1,16 @@
-------------------------------------------------------------------
Fri Aug 23 12:10:00 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
- Add patch to fix sshd not logging in the audit failed login
attempts (submitted to upstream in
https://github.com/openssh/openssh-portable/pull/516):
* fix-audit-fail-attempt.patch
- Use --enable-dsa-keys when building openssh. It's required if
the user sets the crypto-policy mode to LEGACY, where DSA keys
should be allowed. The option was added by upstream in 9.7 and
set to disabled by default.
- These two changes fix 2 of the 3 issues reported in bsc#1229650.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Aug 12 08:55:38 UTC 2024 - Antonio Larrosa <alarrosa@suse.com> Mon Aug 12 08:55:38 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
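
Review bot: the last bullet of the new entry says two of the three issues in bsc#1229650 are fixed but does not say which one remains open. Name the outstanding issue in the entry, or state that it will be handled in a later submission, so readers of the changelog do not assume the bug is fully resolved.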

@ -130,6 +130,8 @@ Patch106: openssh-7.6p1-cleanup-selinux.patch
Patch107: openssh-9.6p1-crypto-policies.patch Patch107: openssh-9.6p1-crypto-policies.patch
Patch108: openssh-9.6p1-crypto-policies-man.patch Patch108: openssh-9.6p1-crypto-policies-man.patch
Patch109: fix-memleak-in-process_server_config_line_depth.patch Patch109: fix-memleak-in-process_server_config_line_depth.patch
# PATCH-FIX-UPSTREAM alarrosa@suse.com -- https://github.com/openssh/openssh-portable/pull/516
Patch110: fix-audit-fail-attempt.patch
%if 0%{with allow_root_password_login_by_default} %if 0%{with allow_root_password_login_by_default}
Patch1000: openssh-7.7p1-allow_root_password_login.patch Patch1000: openssh-7.7p1-allow_root_password_login.patch
%endif %endif
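
Review bot: the tag line above Patch110 carries the upstream pull request URL but no bug reference, while the changelog ties this patch to bsc#1229650. Add the reference to the tag line, for example `# PATCH-FIX-UPSTREAM bsc#1229650 alarrosa@suse.com -- https://github.com/openssh/openssh-portable/pull/516`, so the patch can be traced from the spec alone.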
@ -368,6 +370,7 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
--disable-lastlog \ --disable-lastlog \
--with-logind \ --with-logind \
%endif %endif
--enable-dsa-keys \
--with-security-key-builtin \ --with-security-key-builtin \
--target=%{_target_cpu}-suse-linux --target=%{_target_cpu}-suse-linux
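
Review bot: `--enable-dsa-keys` is added after the `%endif`, outside any conditional, so DSA key support is compiled into every build, while the changelog justifies it only for the LEGACY crypto-policy mode. Document that reason in a comment ahead of the configure invocation, and confirm that the crypto-policies patch (Patch107) keeps DSA out of the accepted algorithms in the non-LEGACY modes, so that the build option alone does not widen what sshd accepts.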