Accepting request 428544 from home:pcerny:factory

- FIPS compatibility (no selfchecks, only crypto restrictions)
  [openssh-7.2p2-fips.patch]
- PRNG re-seeding
  [openssh-7.2p2-seed-prng.patch]
- preliminary version of GSSAPI KEX
  [openssh-7.2p2-gssapi_key_exchange.patch]

OBS-URL: https://build.opensuse.org/request/show/428544
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=110
This commit is contained in:
Petr Cerny 2016-09-18 23:04:18 +00:00 committed by Git OBS Bridge
parent a412ed9d8d
commit e0d7fb0744
7 changed files with 6644 additions and 20 deletions

View File

@ -1,5 +1,5 @@
# HG changeset patch # HG changeset patch
# Parent c924f46e3639b3646e42dd7505c206d43d7180fa # Parent c40dce555117c740f3df867e9fc2b07b64b3ad96
Raise minimal size of DH group parameters to 2048 bits like upstream did in Raise minimal size of DH group parameters to 2048 bits like upstream did in
7.2. 1024b values are believed to be in breaking range for state adversaries 7.2. 1024b values are believed to be in breaking range for state adversaries
@ -101,7 +101,7 @@ diff --git a/openssh-7.2p2/kexgexc.c b/openssh-7.2p2/kexgexc.c
goto out; goto out;
if ((bits = BN_num_bits(p)) < 0 || if ((bits = BN_num_bits(p)) < 0 ||
(u_int)bits < kex->min || (u_int)bits > kex->max) { (u_int)bits < kex->min || (u_int)bits > kex->max) {
+ if (bits < kex->min && bits >= DH_GRP_MIN_RFC) + if ((u_int)bits < kex->min && (u_int)bits >= DH_GRP_MIN_RFC)
+ logit("DH parameter offered by the server (%d bits) " + logit("DH parameter offered by the server (%d bits) "
+ "is considered insecure. " + "is considered insecure. "
+ "You can lower the accepted the minimum " + "You can lower the accepted the minimum "
@ -115,6 +115,61 @@ diff --git a/openssh-7.2p2/kexgexc.c b/openssh-7.2p2/kexgexc.c
goto out; goto out;
} }
p = g = NULL; /* belong to kex->dh now */ p = g = NULL; /* belong to kex->dh now */
diff --git a/openssh-7.2p2/kexgexs.c b/openssh-7.2p2/kexgexs.c
--- a/openssh-7.2p2/kexgexs.c
+++ b/openssh-7.2p2/kexgexs.c
@@ -49,16 +49,19 @@
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
#include "dispatch.h"
#include "ssherr.h"
#include "sshbuf.h"
+/* import from dh.c */
+extern int dh_grp_min;
+
static int input_kex_dh_gex_request(int, u_int32_t, void *);
static int input_kex_dh_gex_init(int, u_int32_t, void *);
int
kexgex_server(struct ssh *ssh)
{
ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST,
&input_kex_dh_gex_request);
@@ -78,23 +81,29 @@ input_kex_dh_gex_request(int type, u_int
if ((r = sshpkt_get_u32(ssh, &min)) != 0 ||
(r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
(r = sshpkt_get_u32(ssh, &max)) != 0 ||
(r = sshpkt_get_end(ssh)) != 0)
goto out;
kex->nbits = nbits;
kex->min = min;
kex->max = max;
- min = MAX(DH_GRP_MIN, min);
+ min = MAX(dh_grp_min, min);
max = MIN(DH_GRP_MAX, max);
- nbits = MAX(DH_GRP_MIN, nbits);
+ nbits = MAX(dh_grp_min, nbits);
nbits = MIN(DH_GRP_MAX, nbits);
if (kex->max < kex->min || kex->nbits < kex->min ||
kex->max < kex->nbits) {
+ if (kex->nbits < kex->min && kex->nbits >= DH_GRP_MIN_RFC)
+ logit("DH parameter requested by the client (%d bits) "
+ "is considered insecure. "
+ "You can lower the accepted minimum "
+ "via the KexDHMin option.",
+ kex->nbits);
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
goto out;
}
/* Contact privileged parent */
kex->dh = PRIVSEP(choose_dh(min, nbits, max));
if (kex->dh == NULL) {
sshpkt_disconnect(ssh, "no matching DH grp found");
diff --git a/openssh-7.2p2/readconf.c b/openssh-7.2p2/readconf.c diff --git a/openssh-7.2p2/readconf.c b/openssh-7.2p2/readconf.c
--- a/openssh-7.2p2/readconf.c --- a/openssh-7.2p2/readconf.c
+++ b/openssh-7.2p2/readconf.c +++ b/openssh-7.2p2/readconf.c
@ -243,7 +298,7 @@ diff --git a/openssh-7.2p2/readconf.c b/openssh-7.2p2/readconf.c
if (options->cipher == -1) if (options->cipher == -1)
options->cipher = SSH_CIPHER_NOT_SET; options->cipher = SSH_CIPHER_NOT_SET;
+ if (options->kex_dhmin == -1) + if (options->kex_dhmin == -1)
+ options->kex_dhmin = DH_GRP_MIN; + options->kex_dhmin = DH_GRP_MIN_RFC;
+ else { + else {
+ options->kex_dhmin = MAX(options->kex_dhmin, DH_GRP_MIN_RFC); + options->kex_dhmin = MAX(options->kex_dhmin, DH_GRP_MIN_RFC);
+ options->kex_dhmin = MIN(options->kex_dhmin, DH_GRP_MAX); + options->kex_dhmin = MIN(options->kex_dhmin, DH_GRP_MAX);
@ -278,10 +333,199 @@ diff --git a/openssh-7.2p2/readconf.h b/openssh-7.2p2/readconf.h
int escape_char; /* Escape character; -2 = none */ int escape_char; /* Escape character; -2 = none */
u_int num_system_hostfiles; /* Paths for /etc/ssh/ssh_known_hosts */ u_int num_system_hostfiles; /* Paths for /etc/ssh/ssh_known_hosts */
diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
--- a/openssh-7.2p2/servconf.c
+++ b/openssh-7.2p2/servconf.c
@@ -52,16 +52,20 @@
#include "channels.h"
#include "groupaccess.h"
#include "canohost.h"
#include "packet.h"
#include "hostfile.h"
#include "auth.h"
#include "myproposal.h"
#include "digest.h"
+#include "dh.h"
+
+/* import from dh.c */
+extern int dh_grp_min;
static void add_listen_addr(ServerOptions *, char *, int);
static void add_one_listen_addr(ServerOptions *, char *, int);
/* Use of privilege separation or not */
extern int use_privsep;
extern Buffer cfg;
@@ -134,16 +138,17 @@ initialize_server_options(ServerOptions
options->allow_agent_forwarding = -1;
options->num_allow_users = 0;
options->num_deny_users = 0;
options->num_allow_groups = 0;
options->num_deny_groups = 0;
options->ciphers = NULL;
options->macs = NULL;
options->kex_algorithms = NULL;
+ options->kex_dhmin = -1;
options->protocol = SSH_PROTO_UNKNOWN;
options->fwd_opts.gateway_ports = -1;
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
options->fwd_opts.streamlocal_bind_unlink = -1;
options->num_subsystems = 0;
options->max_startups_begin = -1;
options->max_startups_rate = -1;
options->max_startups = -1;
@@ -199,16 +204,23 @@ fill_default_server_options(ServerOption
int i;
/* Portable-specific options */
if (options->use_pam == -1)
options->use_pam = 0;
if (options->use_pam_check_locks == -1)
options->use_pam_check_locks = 0;
+ if (options->kex_dhmin == -1)
+ options->kex_dhmin = DH_GRP_MIN_RFC;
+ else {
+ options->kex_dhmin = MAX(options->kex_dhmin, DH_GRP_MIN_RFC);
+ options->kex_dhmin = MIN(options->kex_dhmin, DH_GRP_MAX);
+ }
+ dh_grp_min = options->kex_dhmin;
/* Standard Options */
if (options->protocol == SSH_PROTO_UNKNOWN)
options->protocol = SSH_PROTO_2;
if (options->num_host_key_files == 0) {
/* fill default hostkeys for protocols */
if (options->protocol & SSH_PROTO_1)
options->host_key_files[options->num_host_key_files++] =
_PATH_HOST_KEY_FILE;
@@ -423,17 +435,18 @@ typedef enum {
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
- sKexAlgorithms, sIPQoS, sVersionAddendum,
+ sKexAlgorithms, sKexDHMin,
+ sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
sStreamLocalBindMask, sStreamLocalBindUnlink,
sAllowStreamLocalForwarding, sFingerprintHash,
sDeprecated, sUnsupported
} ServerOpCodes;
#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
@@ -561,16 +574,17 @@ static struct {
{ "permitopen", sPermitOpen, SSHCFG_ALL },
{ "forcecommand", sForceCommand, SSHCFG_ALL },
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+ { "kexdhmin", sKexDHMin },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
{ "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
{ "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
@@ -1481,16 +1495,20 @@ process_server_config_line(ServerOptions
filename, linenum);
if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (options->kex_algorithms == NULL)
options->kex_algorithms = xstrdup(arg);
break;
+ case sKexDHMin:
+ intptr = &options->kex_dhmin;
+ goto parse_int;
+
case sProtocol:
intptr = &options->protocol;
arg = strdelim(&cp);
if (!arg || *arg == '\0')
fatal("%s line %d: Missing argument.", filename, linenum);
value = proto_spec(arg);
if (value == SSH_PROTO_UNKNOWN)
fatal("%s line %d: Bad protocol spec '%s'.",
@@ -2247,16 +2265,17 @@ dump_config(ServerOptions *o)
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
dump_cfg_int(sMaxAuthTries, o->max_authtries);
dump_cfg_int(sMaxSessions, o->max_sessions);
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
+ dump_cfg_int(sKexDHMin, o->kex_dhmin);
/* formatted integer arguments */
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
diff --git a/openssh-7.2p2/servconf.h b/openssh-7.2p2/servconf.h
--- a/openssh-7.2p2/servconf.h
+++ b/openssh-7.2p2/servconf.h
@@ -88,16 +88,17 @@ typedef struct {
int permit_user_rc; /* If false, deny ~/.ssh/rc execution */
int strict_modes; /* If true, require string home dir modes. */
int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
char *ciphers; /* Supported SSH2 ciphers. */
char *macs; /* Supported SSH2 macs. */
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
int protocol; /* Supported protocol versions. */
struct ForwardOptions fwd_opts; /* forwarding options */
SyslogFacility log_facility; /* Facility for system logging. */
LogLevel log_level; /* Level for system logging. */
int rhosts_rsa_authentication; /* If true, permit rhosts RSA
* authentication. */
int hostbased_authentication; /* If true, permit ssh2 hostbased auth */
int hostbased_uses_name_from_packet_only; /* experimental */
diff --git a/openssh-7.2p2/ssh_config b/openssh-7.2p2/ssh_config
--- a/openssh-7.2p2/ssh_config
+++ b/openssh-7.2p2/ssh_config
@@ -12,16 +12,21 @@
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
+# Minimum accepted size of the DH parameter p. By default this is set to 1024
+# to maintain compatibility with RFC4419, but should be set higher.
+# Upstream default is identical to setting this to 2048.
+#KexDHMin 1024
+
Host *
# ForwardAgent no
# ForwardX11 no
# If you do not trust your remote host (or its administrator), you
# should not forward X11 connections to your local X11-display for
# security reasons: Someone stealing the authentification data on the
# remote side (the "spoofed" X-server by the remote sshd) can read your
diff --git a/openssh-7.2p2/ssh_config.0 b/openssh-7.2p2/ssh_config.0 diff --git a/openssh-7.2p2/ssh_config.0 b/openssh-7.2p2/ssh_config.0
--- a/openssh-7.2p2/ssh_config.0 --- a/openssh-7.2p2/ssh_config.0
+++ b/openssh-7.2p2/ssh_config.0 +++ b/openssh-7.2p2/ssh_config.0
@@ -606,16 +606,29 @@ DESCRIPTION @@ -606,16 +606,33 @@ DESCRIPTION
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha256,
diffie-hellman-group-exchange-sha1, diffie-hellman-group-exchange-sha1,
@ -291,17 +535,21 @@ diff --git a/openssh-7.2p2/ssh_config.0 b/openssh-7.2p2/ssh_config.0
obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^]. obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^].
+ KexDHMin + KexDHMin
+ Specifies the minimum accepted bit length of the DH group parameter p. + Specifies the minimum accepted bit length of the DH group
+ As per RFC4419, this is 1024 bits however, this has increasingly + parameter p.
+
+ As per RFC4419, this is 1024 bits, however this has increasingly
+ been seen as insecure, which prompted the change to 2048 bits. + been seen as insecure, which prompted the change to 2048 bits.
+ Setting this option allows the client to accept parameters shorter + Setting this option allows the client to accept parameters shorter
+ than the current minimum, down to the RFC specified 1024 bits. + than the current minimum, down to the RFC specified 1024 bits.
+ Using this option may be needed when connecting to servers that + Using this option may be needed when connecting to servers that
+ only know short DH group parameters. + only know short DH group parameters.
+ +
+ Note that using this option can severly impact security and thus + Note, that while by default this option is set to 1024 to maintain
+ should be viewed as a temporary fix of last resort and all efforts + maximum backward compatibility, using it can severly impact
+ should be made to fix the server. + security and thus should be viewed as a temporary fix of last
+ resort and all efforts should be made to fix the (broken)
+ counterparty.
+ +
LocalCommand LocalCommand
Specifies a command to execute on the local machine after Specifies a command to execute on the local machine after
@ -314,7 +562,7 @@ diff --git a/openssh-7.2p2/ssh_config.0 b/openssh-7.2p2/ssh_config.0
diff --git a/openssh-7.2p2/ssh_config.5 b/openssh-7.2p2/ssh_config.5 diff --git a/openssh-7.2p2/ssh_config.5 b/openssh-7.2p2/ssh_config.5
--- a/openssh-7.2p2/ssh_config.5 --- a/openssh-7.2p2/ssh_config.5
+++ b/openssh-7.2p2/ssh_config.5 +++ b/openssh-7.2p2/ssh_config.5
@@ -1092,16 +1092,28 @@ diffie-hellman-group14-sha1 @@ -1092,16 +1092,32 @@ diffie-hellman-group14-sha1
.Ed .Ed
.Pp .Pp
The list of available key exchange algorithms may also be obtained using the The list of available key exchange algorithms may also be obtained using the
@ -324,17 +572,21 @@ diff --git a/openssh-7.2p2/ssh_config.5 b/openssh-7.2p2/ssh_config.5
with an argument of with an argument of
.Dq kex . .Dq kex .
+.It Cm KexDHMin +.It Cm KexDHMin
+Specifies the minimum accepted bit length of the DH group parameter p. +Specifies the minimum accepted bit length of the DH group
+As per RFC4419, this is 1024 bits however, this has increasingly +parameter p.
+.Pp
+As per RFC4419, this is 1024 bits, however this has increasingly
+been seen as insecure, which prompted the change to 2048 bits. +been seen as insecure, which prompted the change to 2048 bits.
+Setting this option allows the client to accept parameters shorter +Setting this option allows the client to accept parameters shorter
+than the current minimum, down to the RFC specified 1024 bits. +than the current minimum, down to the RFC specified 1024 bits.
+Using this option may be needed when connecting to servers that +Using this option may be needed when connecting to servers that
+only know short DH group parameters. +only know short DH group parameters.
+ +.Pp
+Note that using this option can severly impact security and thus +Note, that while by default this option is set to 1024 to maintain
+should be viewed as a temporary fix of last resort and all efforts +maximum backward compatibility, using it can severly impact
+should be made to fix the server. +security and thus should be viewed as a temporary fix of last
+resort and all efforts should be made to fix the (broken)
+counterparty.
.It Cm LocalCommand .It Cm LocalCommand
Specifies a command to execute on the local machine after successfully Specifies a command to execute on the local machine after successfully
connecting to the server. connecting to the server.
@ -343,3 +595,101 @@ diff --git a/openssh-7.2p2/ssh_config.5 b/openssh-7.2p2/ssh_config.5
The following escape character substitutions will be performed: The following escape character substitutions will be performed:
.Ql %d .Ql %d
(local user's home directory), (local user's home directory),
diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
--- a/openssh-7.2p2/sshd_config
+++ b/openssh-7.2p2/sshd_config
@@ -21,16 +21,21 @@
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
+# Minimum accepted size of the DH parameter p. By default this is set to 1024
+# to maintain compatibility with RFC4419, but should be set higher.
+# Upstream default is identical to setting this to 2048.
+#KexDHMin 1024
+
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0
--- a/openssh-7.2p2/sshd_config.0
+++ b/openssh-7.2p2/sshd_config.0
@@ -539,16 +539,33 @@ DESCRIPTION
curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group14-sha1
The list of available key exchange algorithms may also be
obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^].
+ KexDHMin
+ Specifies the minimum accepted bit length of the DH group
+ parameter p.
+
+ As per RFC4419, this is 1024 bits, however this has increasingly
+ been seen as insecure, which prompted the change to 2048 bits.
+ Setting this option allows the server to accept parameters shorter
+ than the current minimum, down to the RFC specified 1024 bits.
+ Using this option may be needed when some of the connectiong
+ clients only know short DH group parameters.
+
+ Note, that while by default this option is set to 1024 to maintain
+ maximum backward compatibility, using it can severly impact
+ security and thus should be viewed as a temporary fix of last
+ resort and all efforts should be made to fix the (broken)
+ counterparty.
+
KeyRegenerationInterval
In protocol version 1, the ephemeral server key is automatically
regenerated after this many seconds (if it has been used). The
purpose of regeneration is to prevent decrypting captured
sessions by later breaking into the machine and stealing the
keys. The key is never stored anywhere. If the value is 0, the
key is never regenerated. The default is 3600 (seconds).
diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
--- a/openssh-7.2p2/sshd_config.5
+++ b/openssh-7.2p2/sshd_config.5
@@ -895,16 +895,32 @@ diffie-hellman-group14-sha1
.Ed
.Pp
The list of available key exchange algorithms may also be obtained using the
.Fl Q
option of
.Xr ssh 1
with an argument of
.Dq kex .
+.It Cm KexDHMin
+Specifies the minimum accepted bit length of the DH group
+parameter p.
+.Pp
+As per RFC4419, this is 1024 bits, however this has increasingly
+been seen as insecure, which prompted the change to 2048 bits.
+Setting this option allows the server to accept parameters shorter
+than the current minimum, down to the RFC specified 1024 bits.
+Using this option may be needed when some of the connectiong
+clients only know short DH group parameters.
+.Pp
+Note, that while by default this option is set to 1024 to maintain
+maximum backward compatibility, using it can severly impact
+security and thus should be viewed as a temporary fix of last
+resort and all efforts should be made to fix the (broken)
+counterparty.
.It Cm KeyRegenerationInterval
In protocol version 1, the ephemeral server key is automatically regenerated
after this many seconds (if it has been used).
The purpose of regeneration is to prevent
decrypting captured sessions by later breaking into the machine and
stealing the keys.
The key is never stored anywhere.
If the value is 0, the key is never regenerated.

1834
openssh-7.2p2-fips.patch Normal file

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,461 @@
# HG changeset patch
# Parent 36ab4b78afea8cea4e3bed1291a49ba05cbb9115
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
# bnc#703221, FATE#312172
diff --git a/openssh-7.2p2/entropy.c b/openssh-7.2p2/entropy.c
--- a/openssh-7.2p2/entropy.c
+++ b/openssh-7.2p2/entropy.c
@@ -49,16 +49,17 @@
#include "ssh.h"
#include "misc.h"
#include "xmalloc.h"
#include "atomicio.h"
#include "pathnames.h"
#include "log.h"
#include "buffer.h"
+#include "openbsd-compat/port-linux.h"
/*
* Portable OpenSSH PRNG seeding:
* If OpenSSL has not "internally seeded" itself (e.g. pulled data from
* /dev/random), then collect RANDOM_SEED_SIZE bytes of randomness from
* PRNGd.
*/
#ifndef OPENSSL_PRNG_ONLY
@@ -224,16 +225,19 @@ seed_rng(void)
}
if (seed_from_prngd(buf, sizeof(buf)) == -1)
fatal("Could not obtain seed from PRNGd");
RAND_add(buf, sizeof(buf), sizeof(buf));
memset(buf, '\0', sizeof(buf));
#endif /* OPENSSL_PRNG_ONLY */
+
+ linux_seed();
+
if (RAND_status() != 1)
fatal("PRNG is not seeded");
}
#else /* WITH_OPENSSL */
/* Handled in arc4random() */
void
diff --git a/openssh-7.2p2/openbsd-compat/Makefile.in b/openssh-7.2p2/openbsd-compat/Makefile.in
--- a/openssh-7.2p2/openbsd-compat/Makefile.in
+++ b/openssh-7.2p2/openbsd-compat/Makefile.in
@@ -15,17 +15,17 @@ AR=@AR@
RANLIB=@RANLIB@
INSTALL=@INSTALL@
LDFLAGS=-L. @LDFLAGS@
OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha1.o sha2.o rmd160.o md5.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
all: libopenbsd-compat.a
$(COMPAT): ../config.h
$(OPENBSD): ../config.h
diff --git a/openssh-7.2p2/openbsd-compat/port-linux-prng.c b/openssh-7.2p2/openbsd-compat/port-linux-prng.c
new file mode 100644
--- /dev/null
+++ b/openssh-7.2p2/openbsd-compat/port-linux-prng.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
+ * (c) 2011 Petr Cerny <pcerny@suse.cz>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Linux-specific portability code - prng support
+ */
+
+#include "includes.h"
+#include "defines.h"
+
+#include <errno.h>
+#include <stdarg.h>
+#include <string.h>
+#include <stdio.h>
+#include <openssl/rand.h>
+
+#include "log.h"
+#include "port-linux.h"
+#include "fips.h"
+
+#define RNG_BYTES_DEFAULT 6L
+#define RNG_ENV_VAR "SSH_USE_STRONG_RNG"
+
+long rand_bytes = 0;
+char *rand_file = NULL;
+
+static void
+linux_seed_init(void)
+{
+ long elen = 0;
+ char *env = getenv(RNG_ENV_VAR);
+
+ if (env) {
+ errno = 0;
+ elen = strtol(env, NULL, 10);
+ if (errno) {
+ elen = RNG_BYTES_DEFAULT;
+ debug("bogus value in the %s environment variable, "
+ "using %li bytes from /dev/random\n",
+ RNG_ENV_VAR, RNG_BYTES_DEFAULT);
+ }
+ }
+
+ if (elen || fips_mode())
+ rand_file = "/dev/random";
+ else
+ rand_file = "/dev/urandom";
+
+ rand_bytes = MAX(elen, RNG_BYTES_DEFAULT);
+}
+
+void
+linux_seed(void)
+{
+ long len;
+ if (!rand_file)
+ linux_seed_init();
+
+ errno = 0;
+ len = RAND_load_file(rand_file, rand_bytes);
+ if (len != rand_bytes) {
+ if (errno)
+ fatal ("cannot read from %s, %s", rand_file, strerror(errno));
+ else
+ fatal ("EOF reading %s", rand_file);
+ }
+}
diff --git a/openssh-7.2p2/openbsd-compat/port-linux.h b/openssh-7.2p2/openbsd-compat/port-linux.h
--- a/openssh-7.2p2/openbsd-compat/port-linux.h
+++ b/openssh-7.2p2/openbsd-compat/port-linux.h
@@ -14,16 +14,20 @@
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef _PORT_LINUX_H
#define _PORT_LINUX_H
+extern long rand_bytes;
+extern char *rand_file;
+void linux_seed(void);
+
#ifdef WITH_SELINUX
int ssh_selinux_enabled(void);
void ssh_selinux_setup_pty(char *, const char *);
void ssh_selinux_setup_exec_context(char *);
void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
#endif
diff --git a/openssh-7.2p2/ssh-add.1 b/openssh-7.2p2/ssh-add.1
--- a/openssh-7.2p2/ssh-add.1
+++ b/openssh-7.2p2/ssh-add.1
@@ -166,16 +166,30 @@ or related script.
(Note that on some machines it
may be necessary to redirect the input from
.Pa /dev/null
to make this work.)
.It Ev SSH_AUTH_SOCK
Identifies the path of a
.Ux Ns -domain
socket used to communicate with the agent.
+.It Ev SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
.El
.Sh FILES
.Bl -tag -width Ds
.It Pa ~/.ssh/identity
Contains the protocol version 1 RSA authentication identity of the user.
.It Pa ~/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of the user.
.It Pa ~/.ssh/id_ecdsa
diff --git a/openssh-7.2p2/ssh-agent.1 b/openssh-7.2p2/ssh-agent.1
--- a/openssh-7.2p2/ssh-agent.1
+++ b/openssh-7.2p2/ssh-agent.1
@@ -196,16 +196,33 @@ line terminates.
.Sh FILES
.Bl -tag -width Ds
.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
.Ux Ns -domain
sockets used to contain the connection to the authentication agent.
These sockets should only be readable by the owner.
The sockets should get automatically removed when the agent exits.
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
.Xr ssh-keygen 1 ,
.Xr sshd 8
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
diff --git a/openssh-7.2p2/ssh-keygen.1 b/openssh-7.2p2/ssh-keygen.1
--- a/openssh-7.2p2/ssh-keygen.1
+++ b/openssh-7.2p2/ssh-keygen.1
@@ -841,16 +841,33 @@ on all machines
where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret.
.Pp
.It Pa /etc/moduli
Contains Diffie-Hellman groups used for DH-GEX.
The file format is described in
.Xr moduli 5 .
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr moduli 5 ,
.Xr sshd 8
.Rs
.%R RFC 4716
diff --git a/openssh-7.2p2/ssh-keysign.8 b/openssh-7.2p2/ssh-keysign.8
--- a/openssh-7.2p2/ssh-keysign.8
+++ b/openssh-7.2p2/ssh-keysign.8
@@ -75,16 +75,33 @@ must be set-uid root if host-based authe
.Pp
.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
.It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
If these files exist they are assumed to contain public certificate
information corresponding with the private keys above.
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-keygen 1 ,
.Xr ssh_config 5 ,
.Xr sshd 8
.Sh HISTORY
.Nm
first appeared in
diff --git a/openssh-7.2p2/ssh.1 b/openssh-7.2p2/ssh.1
--- a/openssh-7.2p2/ssh.1
+++ b/openssh-7.2p2/ssh.1
@@ -1411,16 +1411,30 @@ reads
and adds lines of the format
.Dq VARNAME=value
to the environment if the file exists and users are allowed to
change their environment.
For more information, see the
.Cm PermitUserEnvironment
option in
.Xr sshd_config 5 .
+.It Ev SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa ~/.rhosts
This file is used for host-based authentication (see above).
On some machines this file may need to be
world-readable if the user's home directory is on an NFS partition,
because
.Xr sshd 8
diff --git a/openssh-7.2p2/sshd.8 b/openssh-7.2p2/sshd.8
--- a/openssh-7.2p2/sshd.8
+++ b/openssh-7.2p2/sshd.8
@@ -972,16 +972,33 @@ and not group or world-writable.
.It Pa /var/run/sshd.pid
Contains the process ID of the
.Nm
listening for connections (if there are several daemons running
concurrently for different ports, this contains the process ID of the one
started last).
The content of this file is not sensitive; it can be world-readable.
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
.Sh SEE ALSO
.Xr scp 1 ,
.Xr sftp 1 ,
.Xr ssh 1 ,
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
--- a/openssh-7.2p2/sshd.c
+++ b/openssh-7.2p2/sshd.c
@@ -50,16 +50,18 @@
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
#endif
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#include "openbsd-compat/sys-tree.h"
#include "openbsd-compat/sys-queue.h"
+#include "openbsd-compat/port-linux.h"
+
#include <sys/wait.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#ifdef HAVE_PATHS_H
#include <paths.h>
#endif
@@ -209,16 +211,23 @@ struct {
Key **host_pubkeys; /* all public host keys */
Key **host_certificates; /* all public host certificates */
int have_ssh1_key;
int have_ssh2_key;
u_char ssh1_cookie[SSH_SESSION_KEY_LENGTH];
} sensitive_data;
/*
+ * Every RESEED_AFTERth connection triggers call to linux_seed() to re-seed the
+ * random pool.
+ */
+#define RESEED_AFTER 100
+static int re_seeding_counter = RESEED_AFTER;
+
+/*
* Flag indicating whether the RSA server key needs to be regenerated.
* Is set in the SIGALRM handler and cleared when the key is regenerated.
*/
static volatile sig_atomic_t key_do_regen = 0;
/* This is set to true when a signal is received. */
static volatile sig_atomic_t received_sighup = 0;
static volatile sig_atomic_t received_sigterm = 0;
@@ -1343,16 +1352,20 @@ server_accept_loop(int *sock_in, int *so
for (j = 0; j < options.max_startups; j++)
if (startup_pipes[j] == -1) {
startup_pipes[j] = startup_p[0];
if (maxfd < startup_p[0])
maxfd = startup_p[0];
startups++;
break;
}
+ if(!(--re_seeding_counter)) {
+ re_seeding_counter = RESEED_AFTER;
+ linux_seed();
+ }
/*
* Got connection. Fork a child to handle it, unless
* we are in debugging mode.
*/
if (debug_flag) {
/*
* In debugging mode. Close the listening

View File

@ -1,7 +1,7 @@
# #
# spec file for package openssh-askpass-gnome # spec file for package openssh-askpass-gnome
# #
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed

View File

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Fri Sep 16 12:45:11 UTC 2016 - pcerny@suse.com
- FIPS compatibility (no selfchecks, only crypto restrictions)
[openssh-7.2p2-fips.patch]
- PRNG re-seeding
[openssh-7.2p2-seed-prng.patch]
- preliminary version of GSSAPI KEX
[openssh-7.2p2-gssapi_key_exchange.patch]
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jul 25 13:46:06 UTC 2016 - meissner@suse.com Mon Jul 25 13:46:06 UTC 2016 - meissner@suse.com

View File

@ -1,7 +1,7 @@
# #
# spec file for package openssh # spec file for package openssh
# #
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -125,6 +125,9 @@ Patch12: openssh-7.2p2-pam_check_locks.patch
Patch13: openssh-7.2p2-disable_short_DH_parameters.patch Patch13: openssh-7.2p2-disable_short_DH_parameters.patch
Patch14: openssh-7.2p2-seccomp_getuid.patch Patch14: openssh-7.2p2-seccomp_getuid.patch
Patch15: openssh-7.2p2-seccomp_stat.patch Patch15: openssh-7.2p2-seccomp_stat.patch
Patch16: openssh-7.2p2-fips.patch
Patch17: openssh-7.2p2-seed-prng.patch
Patch18: openssh-7.2p2-gssapi_key_exchange.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
Conflicts: nonfreessh Conflicts: nonfreessh
Recommends: audit Recommends: audit
@ -192,6 +195,9 @@ FIPS140 CAVS tests related parts of the OpenSSH package
%patch13 -p2 %patch13 -p2
%patch14 -p2 %patch14 -p2
%patch15 -p2 %patch15 -p2
%patch16 -p2
%patch17 -p2
%patch18 -p2
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} . cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
%build %build