pool/openssh
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 230097 from home:pcerny:factory

Browse Source 
- Update of the underlying OpenSSH to 6.6p1

- update to 6.6p1
  Security:
  * sshd(8): when using environment passing with a sshd_config(5)
    AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could
    be tricked into accepting any enviornment variable that
    contains the characters before the wildcard character.
  Features since 6.5p1:
  * ssh(1), sshd(8): removal of the J-PAKE authentication code,
    which was experimental, never enabled and has been
    unmaintained for some time.
  * ssh(1): skip 'exec' clauses other clauses predicates failed
    to match while processing Match blocks.
  * ssh(1): if hostname canonicalisation is enabled and results
    in the destination hostname being changed, then re-parse
    ssh_config(5) files using the new destination hostname. This
    gives 'Host' and 'Match' directives that use the expanded
    hostname a chance to be applied.
  Bugfixes:
  * ssh(1): avoid spurious "getsockname failed: Bad file
    descriptor" in ssh -W. bz#2200, debian#738692
  * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and
    systrace sandbox modes, as it is reachable if the connection
    is terminated during the pre-auth phase.
  * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1
    bignum parsing. Minimum key length checks render this bug
    unexploitable to compromise SSH 1 sessions.
  * sshd_config(5): clarify behaviour of a keyword that appears
    in multiple matching Match blocks. bz#2184

OBS-URL: https://build.opensuse.org/request/show/230097
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=76
This commit is contained in:
Petr Cerny 2014-04-14 21:53:01 +00:00 committed by Git OBS Bridge
parent f722726301
commit efb05e6527
45 changed files with 1937 additions and 1302 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
openssh-6.5p1.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a1195ed55db945252d5a1730d4a2a2a5c1c9a6aa01ef2e5af750a962623d9027
size 1293187

12
openssh-6.5p1-X11-forwarding.patch → openssh-6.6p1-X11-forwarding.patch
View File

@ -2,9 +2,9 @@
# configuration
# bnc#50836 (was suse #35836)
diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
--- a/openssh-6.5p1/ssh_config
+++ b/openssh-6.5p1/ssh_config
diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config
--- a/openssh-6.6p1/ssh_config
+++ b/openssh-6.6p1/ssh_config
@@ -12,19 +12,30 @@
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
@ -37,9 +37,9 @@ diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.5p1/sshd_config
+++ b/openssh-6.5p1/sshd_config
diff --git a/openssh-6.6p1/sshd_config b/openssh-6.6p1/sshd_config
--- a/openssh-6.6p1/sshd_config
+++ b/openssh-6.6p1/sshd_config
@@ -94,17 +94,17 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication

10
openssh-6.5p1-X_forward_with_disabled_ipv6.patch → openssh-6.6p1-X_forward_with_disabled_ipv6.patch
View File

@ -1,12 +1,12 @@
# HG changeset patch
# Parent bb0162afc928b3eeb69f11419e214e0737bb8034
# Parent 73eb63cbbd603bf8c13995c478333c1b5a2a020a
Do not throw away already open sockets for X11 forwarding if another socket
family is not available for bind()
diff --git a/openssh-6.5p1/channels.c b/openssh-6.5p1/channels.c
--- a/openssh-6.5p1/channels.c
+++ b/openssh-6.5p1/channels.c
@@ -3475,22 +3475,24 @@ x11_create_display_inet(int x11_display_
diff --git a/openssh-6.6p1/channels.c b/openssh-6.6p1/channels.c
--- a/openssh-6.6p1/channels.c
+++ b/openssh-6.6p1/channels.c
@@ -3476,22 +3476,24 @@ x11_create_display_inet(int x11_display_
}
if (ai->ai_family == AF_INET6)
sock_set_v6only(sock);

8
openssh-6.5p1-audit1-remove_duplicit_audit.patch → openssh-6.6p1-audit1-remove_duplicit_audit.patch
View File

@ -8,10 +8,10 @@
#
# PRIVSEP(getpwnamallow()) a few lines above already did this.
diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
--- a/openssh-6.5p1/auth2.c
+++ b/openssh-6.5p1/auth2.c
@@ -242,19 +242,16 @@ input_userauth_request(int type, u_int32
diff --git a/openssh-6.6p1/auth2.c b/openssh-6.6p1/auth2.c
--- a/openssh-6.6p1/auth2.c
+++ b/openssh-6.6p1/auth2.c
@@ -236,19 +236,16 @@ input_userauth_request(int type, u_int32
authctxt->pw = PRIVSEP(getpwnamallow(user));
authctxt->user = xstrdup(user);
if (authctxt->pw && strcmp(service, "ssh-connection")==0) {

96
openssh-6.5p1-audit2-better_audit_of_user_actions.patch → openssh-6.6p1-audit2-better_audit_of_user_actions.patch
View File

@ -4,9 +4,9 @@
# https://bugzilla.mindrot.org/attachment.cgi?id=2011
# by jchadima@redhat.com
diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.5p1/audit-bsm.c
+++ b/openssh-6.5p1/audit-bsm.c
diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c
--- a/openssh-6.6p1/audit-bsm.c
+++ b/openssh-6.6p1/audit-bsm.c
@@ -370,20 +370,33 @@ audit_connection_from(const char *host,
/* this is used on IPv4-only machines */
tid->port = (dev_t)port;
@ -42,9 +42,9 @@ diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
/* not implemented */
}
diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
--- a/openssh-6.6p1/audit-linux.c
+++ b/openssh-6.6p1/audit-linux.c
@@ -30,97 +30,210 @@
#include "includes.h"
#if defined(USE_LINUX_AUDIT)
@ -276,9 +276,9 @@ diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
}
#endif /* USE_LINUX_AUDIT */
diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.5p1/audit.c
+++ b/openssh-6.5p1/audit.c
diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c
--- a/openssh-6.6p1/audit.c
+++ b/openssh-6.6p1/audit.c
@@ -135,16 +135,27 @@ audit_connection_from(const char *host,
void
audit_event(ssh_audit_event_t event)
@ -344,9 +344,9 @@ diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
+
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.5p1/audit.h
+++ b/openssh-6.5p1/audit.h
diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h
--- a/openssh-6.6p1/audit.h
+++ b/openssh-6.6p1/audit.h
@@ -44,14 +44,16 @@ enum ssh_audit_event_type {
SSH_CONNECTION_CLOSE, /* closed after attempting auth or session */
SSH_CONNECTION_ABANDON, /* closed without completing auth */
@ -365,10 +365,10 @@ diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
ssh_audit_event_t audit_classify_auth(const char *);
#endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.5p1/monitor.c
+++ b/openssh-6.5p1/monitor.c
@@ -181,16 +181,17 @@ int mm_answer_gss_setup_ctx(int, Buffer
diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c
--- a/openssh-6.6p1/monitor.c
+++ b/openssh-6.6p1/monitor.c
@@ -175,16 +175,17 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
@ -386,7 +386,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
/* local state for key verify */
@@ -268,16 +269,17 @@ struct mon_table mon_dispatch_postauth20
@@ -255,16 +256,17 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
{MONITOR_REQ_SIGN, 0, mm_answer_sign},
{MONITOR_REQ_PTY, 0, mm_answer_pty},
@ -404,7 +404,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
@@ -310,16 +312,17 @@ struct mon_table mon_dispatch_proto15[]
@@ -297,16 +299,17 @@ struct mon_table mon_dispatch_proto15[]
struct mon_table mon_dispatch_postauth15[] = {
{MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
@ -422,7 +422,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
/* Specifies if a certain message is allowed at the moment */
@@ -1442,16 +1445,22 @@ mm_record_login(Session *s, struct passw
@@ -1420,16 +1423,22 @@ mm_record_login(Session *s, struct passw
static void
mm_session_close(Session *s)
{
@ -445,7 +445,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
{
extern struct monitor *pmonitor;
Session *s;
@@ -1764,21 +1773,53 @@ mm_answer_audit_event(int socket, Buffer
@@ -1742,21 +1751,53 @@ mm_answer_audit_event(int socket, Buffer
return (0);
}
@ -500,10 +500,10 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
void
monitor_apply_keystate(struct monitor *pmonitor)
{
diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
--- a/openssh-6.5p1/monitor.h
+++ b/openssh-6.5p1/monitor.h
@@ -64,16 +64,17 @@ enum monitor_reqtype {
diff --git a/openssh-6.6p1/monitor.h b/openssh-6.6p1/monitor.h
--- a/openssh-6.6p1/monitor.h
+++ b/openssh-6.6p1/monitor.h
@@ -59,16 +59,17 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
@ -521,10 +521,10 @@ diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
int m_recvfd;
int m_sendfd;
int m_log_recvfd;
diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.5p1/monitor_wrap.c
+++ b/openssh-6.5p1/monitor_wrap.c
@@ -1186,27 +1186,48 @@ mm_audit_event(ssh_audit_event_t event)
diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c
--- a/openssh-6.6p1/monitor_wrap.c
+++ b/openssh-6.6p1/monitor_wrap.c
@@ -1184,27 +1184,48 @@ mm_audit_event(ssh_audit_event_t event)
buffer_init(&m);
buffer_put_int(&m, event);
@ -574,9 +574,9 @@ diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
OM_uint32
mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid)
{
diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.5p1/monitor_wrap.h
+++ b/openssh-6.5p1/monitor_wrap.h
diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h
--- a/openssh-6.6p1/monitor_wrap.h
+++ b/openssh-6.6p1/monitor_wrap.h
@@ -69,17 +69,18 @@ void *mm_sshpam_init_ctx(struct Authctxt
int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
int mm_sshpam_respond(void *, u_int, char **);
@ -597,9 +597,9 @@ diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
void mm_session_pty_cleanup2(struct Session *);
/* SSHv1 interfaces */
diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.5p1/session.c
+++ b/openssh-6.5p1/session.c
diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c
--- a/openssh-6.6p1/session.c
+++ b/openssh-6.6p1/session.c
@@ -740,16 +740,24 @@ do_exec_pty(Session *s, const char *comm
cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
#endif
@ -657,8 +657,8 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
original_command = NULL;
@@ -1903,16 +1915,17 @@ session_unused(int id)
bzero(&sessions[id], sizeof(*sessions));
@@ -1908,16 +1920,17 @@ session_unused(int id)
memset(&sessions[id], 0, sizeof(*sessions));
sessions[id].self = id;
sessions[id].used = 0;
sessions[id].chanid = -1;
@ -675,7 +675,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
session_new(void)
{
Session *s, *tmp;
@@ -1985,16 +1998,29 @@ session_open(Authctxt *authctxt, int cha
@@ -1990,16 +2003,29 @@ session_open(Authctxt *authctxt, int cha
if (s->pw == NULL || !authctxt->valid)
fatal("no user for session %d", s->self);
debug("session_open: session %d: link with channel %d", s->self, chanid);
@ -705,7 +705,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
if (s->used && s->ttyfd != -1 && strcmp(s->tty, tty) == 0) {
debug("session_by_tty: session %d tty %s", i, tty);
return s;
@@ -2501,16 +2527,40 @@ session_exit_message(Session *s, int sta
@@ -2506,16 +2532,40 @@ session_exit_message(Session *s, int sta
* interested in data we write.
* Note that we must not call 'chan_read_failed', since there could
* be some more data waiting in the pipe.
@ -746,7 +746,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
debug("session_close: session %d pid %ld", s->self, (long)s->pid);
@@ -2541,16 +2591,20 @@ session_close(Session *s)
@@ -2546,16 +2596,20 @@ session_close(Session *s)
int status;
waitpid(pid, &status, 0);
@ -767,7 +767,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
free(s->auth_proto);
free(s->subsys);
if (s->env != NULL) {
@@ -2755,16 +2809,25 @@ session_setup_x11fwd(Session *s)
@@ -2760,16 +2814,25 @@ session_setup_x11fwd(Session *s)
}
static void
@ -793,7 +793,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
debug("do_cleanup");
/* no cleanup if we're in the child for login shell */
@@ -2803,10 +2866,10 @@ do_cleanup(Authctxt *authctxt)
@@ -2808,10 +2871,10 @@ do_cleanup(Authctxt *authctxt)
/* remove agent socket */
auth_sock_cleanup_proc(authctxt->pw);
@ -805,9 +805,9 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
- session_destroy_all(session_pty_cleanup2);
+ session_destroy_all(do_cleanup_one_session);
}
diff --git a/openssh-6.5p1/session.h b/openssh-6.5p1/session.h
--- a/openssh-6.5p1/session.h
+++ b/openssh-6.5p1/session.h
diff --git a/openssh-6.6p1/session.h b/openssh-6.6p1/session.h
--- a/openssh-6.6p1/session.h
+++ b/openssh-6.6p1/session.h
@@ -56,29 +56,37 @@ struct Session {
int *x11_chanids;
int is_subsystem;
@ -846,10 +846,10 @@ diff --git a/openssh-6.5p1/session.h b/openssh-6.5p1/session.h
const char *value);
#endif
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -2504,13 +2504,14 @@ cleanup_exit(int i)
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -2529,13 +2529,14 @@ cleanup_exit(int i)
if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
errno != ESRCH)
error("%s: kill(%d): %s", __func__,

131
openssh-6.5p1-audit3-key_auth_usage.patch → openssh-6.6p1-audit3-key_auth_usage.patch
View File

@ -5,9 +5,9 @@
# (replaces: https://bugzilla.mindrot.org/attachment.cgi?id=1975)
# by jchadima@redhat.com
diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.5p1/audit-bsm.c
+++ b/openssh-6.5p1/audit-bsm.c
diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c
--- a/openssh-6.6p1/audit-bsm.c
+++ b/openssh-6.6p1/audit-bsm.c
@@ -401,16 +401,22 @@ audit_session_open(struct logininfo *li)
}
@ -31,9 +31,9 @@ diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
const char *user = the_authctxt ? the_authctxt->user : "(unknown user)";
if (cannot_audit(0))
diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
--- a/openssh-6.6p1/audit-linux.c
+++ b/openssh-6.6p1/audit-linux.c
@@ -36,16 +36,18 @@
#include "log.h"
#include "audit.h"
@ -101,9 +101,9 @@ diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
audit_connection_from(const char *host, int port)
{
/* not implemented */
diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.5p1/audit.c
+++ b/openssh-6.5p1/audit.c
diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c
--- a/openssh-6.6p1/audit.c
+++ b/openssh-6.6p1/audit.c
@@ -31,16 +31,17 @@
#ifdef SSH_AUDIT_EVENTS
@ -178,9 +178,9 @@ diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.5p1/audit.h
+++ b/openssh-6.5p1/audit.h
diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h
--- a/openssh-6.6p1/audit.h
+++ b/openssh-6.6p1/audit.h
@@ -23,16 +23,17 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@ -212,69 +212,10 @@ diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
+void audit_key(int, int *, const Key *);
#endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c
--- a/openssh-6.5p1/auth-rsa.c
+++ b/openssh-6.5p1/auth-rsa.c
@@ -87,17 +87,20 @@ auth_rsa_generate_challenge(Key *key)
return challenge;
}
int
auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
{
u_char buf[32], mdbuf[16];
MD5_CTX md;
- int len;
+ int len, rv;
+#ifdef SSH_AUDIT_EVENTS
+ char *fp;
+#endif
/* don't allow short keys */
if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
error("auth_rsa_verify_response: RSA modulus too small: %d < minimum %d bits",
BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
return (0);
}
@@ -108,22 +111,28 @@ auth_rsa_verify_response(Key *key, BIGNU
memset(buf, 0, 32);
BN_bn2bin(challenge, buf + 32 - len);
MD5_Init(&md);
MD5_Update(&md, buf, 32);
MD5_Update(&md, session_id, 16);
MD5_Final(mdbuf, &md);
/* Verify that the response is the original challenge. */
- if (timingsafe_bcmp(response, mdbuf, 16) != 0) {
- /* Wrong answer. */
- return (0);
+ rv = timingsafe_bcmp(response, mdbuf, 16) == 0;
+
+#ifdef SSH_AUDIT_EVENTS
+ fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX);
+ if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) {
+ debug("unsuccessful audit");
+ rv = 0;
}
- /* Correct answer. */
- return (1);
+ free(fp);
+#endif
+
+ return rv;
}
/*
* Performs the RSA authentication challenge-response dialog with the client,
* and returns true (non-zero) if the client gave the correct answer to
* our challenge; returns zero if the client gives a wrong answer.
*/
diff --git a/openssh-6.5p1/auth.h b/openssh-6.5p1/auth.h
--- a/openssh-6.5p1/auth.h
+++ b/openssh-6.5p1/auth.h
@@ -182,16 +182,17 @@ int allowed_user(struct passwd *);
diff --git a/openssh-6.6p1/auth.h b/openssh-6.6p1/auth.h
--- a/openssh-6.6p1/auth.h
+++ b/openssh-6.6p1/auth.h
@@ -178,16 +178,17 @@ int allowed_user(struct passwd *);
struct passwd * getpwnamallow(const char *user);
char *get_challenge(Authctxt *);
@ -292,7 +233,7 @@ diff --git a/openssh-6.5p1/auth.h b/openssh-6.5p1/auth.h
HostStatus
check_key_in_hostfiles(struct passwd *, Key *, const char *,
const char *, const char *);
@@ -199,16 +200,17 @@ check_key_in_hostfiles(struct passwd *,
@@ -195,16 +196,17 @@ check_key_in_hostfiles(struct passwd *,
/* hostkey handling */
Key *get_hostkey_by_index(int);
Key *get_hostkey_public_by_index(int);
@ -310,9 +251,9 @@ diff --git a/openssh-6.5p1/auth.h b/openssh-6.5p1/auth.h
struct passwd *fakepw(void);
diff --git a/openssh-6.5p1/auth2-hostbased.c b/openssh-6.5p1/auth2-hostbased.c
--- a/openssh-6.5p1/auth2-hostbased.c
+++ b/openssh-6.5p1/auth2-hostbased.c
diff --git a/openssh-6.6p1/auth2-hostbased.c b/openssh-6.6p1/auth2-hostbased.c
--- a/openssh-6.6p1/auth2-hostbased.c
+++ b/openssh-6.6p1/auth2-hostbased.c
@@ -124,33 +124,45 @@ userauth_hostbased(Authctxt *authctxt)
#endif
@ -360,9 +301,9 @@ diff --git a/openssh-6.5p1/auth2-hostbased.c b/openssh-6.5p1/auth2-hostbased.c
const char *resolvedname, *ipaddr, *lookup, *reason;
HostStatus host_status;
int len;
diff --git a/openssh-6.5p1/auth2-pubkey.c b/openssh-6.5p1/auth2-pubkey.c
--- a/openssh-6.5p1/auth2-pubkey.c
+++ b/openssh-6.5p1/auth2-pubkey.c
diff --git a/openssh-6.6p1/auth2-pubkey.c b/openssh-6.6p1/auth2-pubkey.c
--- a/openssh-6.6p1/auth2-pubkey.c
+++ b/openssh-6.6p1/auth2-pubkey.c
@@ -153,17 +153,17 @@ userauth_pubkey(Authctxt *authctxt)
#ifdef DEBUG_PK
buffer_dump(&b);
@ -411,10 +352,10 @@ diff --git a/openssh-6.5p1/auth2-pubkey.c b/openssh-6.5p1/auth2-pubkey.c
int i;
extra = NULL;
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.5p1/monitor.c
+++ b/openssh-6.5p1/monitor.c
@@ -1362,26 +1362,30 @@ monitor_valid_hostbasedblob(u_char *data
diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c
--- a/openssh-6.6p1/monitor.c
+++ b/openssh-6.6p1/monitor.c
@@ -1340,26 +1340,30 @@ monitor_valid_hostbasedblob(u_char *data
}
int
@ -445,7 +386,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
switch (key_blobtype) {
case MM_USERKEY:
valid_data = monitor_valid_userblob(data, datalen);
@@ -1392,17 +1396,27 @@ mm_answer_keyverify(int sock, Buffer *m)
@@ -1370,17 +1374,27 @@ mm_answer_keyverify(int sock, Buffer *m)
break;
default:
valid_data = 0;
@ -474,10 +415,10 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
free(signature);
free(data);
diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.5p1/monitor_wrap.c
+++ b/openssh-6.5p1/monitor_wrap.c
@@ -428,30 +428,31 @@ mm_key_allowed(enum mm_keytype type, cha
diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c
--- a/openssh-6.6p1/monitor_wrap.c
+++ b/openssh-6.6p1/monitor_wrap.c
@@ -426,30 +426,31 @@ mm_key_allowed(enum mm_keytype type, cha
/*
* This key verify needs to send the key type along, because the
@ -510,7 +451,7 @@ diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m);
debug3("%s: waiting for MONITOR_ANS_KEYVERIFY", __func__);
@@ -459,16 +460,29 @@ mm_key_verify(Key *key, u_char *sig, u_i
@@ -457,16 +458,29 @@ mm_key_verify(Key *key, u_char *sig, u_i
verified = buffer_get_int(&m);
@ -540,9 +481,9 @@ diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
u_int len;
Newkeys *newkey = NULL;
Enc *enc;
diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.5p1/monitor_wrap.h
+++ b/openssh-6.5p1/monitor_wrap.h
diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h
--- a/openssh-6.6p1/monitor_wrap.h
+++ b/openssh-6.6p1/monitor_wrap.h
@@ -44,17 +44,18 @@ int mm_key_sign(Key *, u_char **, u_int
void mm_inform_authserv(char *, char *);
struct passwd *mm_getpwnamallow(const char *);

61
openssh-6.6p1-audit3_fips-key_auth_usage.patch Normal file
View File

@ -0,0 +1,61 @@
# HG changeset patch
# Parent c487e15d91bc5cdfb0aedcf4d3c7fe4d0f309a73
diff --git a/openssh-6.6p1/auth-rsa.c b/openssh-6.6p1/auth-rsa.c
--- a/openssh-6.6p1/auth-rsa.c
+++ b/openssh-6.6p1/auth-rsa.c
@@ -94,16 +94,20 @@ int
auth_rsa_verify_response(Key *key, BIGNUM *challenge,
u_char response[SSH_DIGEST_MAX_LENGTH])
{
u_char buf[2 * SSH_DIGEST_MAX_LENGTH], mdbuf[SSH_DIGEST_MAX_LENGTH];
struct ssh_digest_ctx *md;
int len;
int dgst;
size_t dgst_len;
+ int rv;
+#ifdef SSH_AUDIT_EVENTS
+ char *fp;
+#endif
/* don't allow short keys */
if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
error("%s: RSA modulus too small: %d < minimum %d bits",
__func__,
BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
return (0);
}
@@ -121,22 +125,28 @@ auth_rsa_verify_response(Key *key, BIGNU
if ((md = ssh_digest_start(dgst)) == NULL ||
ssh_digest_update(md, buf, 2 * dgst_len) < 0 ||
ssh_digest_update(md, session_id, dgst_len) < 0 ||
ssh_digest_final(md, mdbuf, sizeof(mdbuf)) < 0)
fatal("%s: md5 failed", __func__);
ssh_digest_free(md);
/* Verify that the response is the original challenge. */
- if (timingsafe_bcmp(response, mdbuf, dgst_len) != 0) {
- /* Wrong answer. */
- return (0);
+ rv = timingsafe_bcmp(response, mdbuf, dgst_len) == 0;
+
+#ifdef SSH_AUDIT_EVENTS
+ fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX);
+ if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) {
+ debug("unsuccessful audit");
+ rv = 0;
}
- /* Correct answer. */
- return (1);
+ free(fp);
+#endif
+
+ return rv;
}
/*
* Performs the RSA authentication challenge-response dialog with the client,
* and returns true (non-zero) if the client gave the correct answer to
* our challenge; returns zero if the client gives a wrong answer.
*/

189
openssh-6.5p1-audit4-kex_results.patch → openssh-6.6p1-audit4-kex_results.patch
View File

@ -5,32 +5,9 @@
# (replaces: https://bugzilla.mindrot.org/attachment.cgi?id=1976)
# by jchadima@redhat.com
diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
--- a/openssh-6.5p1/Makefile.in
+++ b/openssh-6.5p1/Makefile.in
@@ -71,17 +71,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
ssh-ed25519.o digest.o \
- sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o
+ sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
+ auditstub.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
roaming_common.o roaming_client.o
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
audit.o audit-bsm.o audit-linux.o platform.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.5p1/audit-bsm.c
+++ b/openssh-6.5p1/audit-bsm.c
diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c
--- a/openssh-6.6p1/audit-bsm.c
+++ b/openssh-6.6p1/audit-bsm.c
@@ -468,9 +468,21 @@ audit_event(ssh_audit_event_t event)
case SSH_AUTH_FAIL_KBDINT:
bsm_audit_bad_login("interactive password entry");
@ -53,9 +30,9 @@ diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
+ /* not implemented */
+}
#endif /* BSM */
diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
--- a/openssh-6.6p1/audit-linux.c
+++ b/openssh-6.6p1/audit-linux.c
@@ -35,16 +35,18 @@
#include "log.h"
@ -141,9 +118,9 @@ diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
+}
+
#endif /* USE_LINUX_AUDIT */
diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.5p1/audit.c
+++ b/openssh-6.5p1/audit.c
diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c
--- a/openssh-6.6p1/audit.c
+++ b/openssh-6.6p1/audit.c
@@ -23,24 +23,27 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@ -233,9 +210,9 @@ diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.5p1/audit.h
+++ b/openssh-6.5p1/audit.h
diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h
--- a/openssh-6.6p1/audit.h
+++ b/openssh-6.6p1/audit.h
@@ -53,10 +53,14 @@ void audit_event(ssh_audit_event_t);
void audit_count_session_open(void);
void audit_session_open(struct logininfo *);
@ -251,10 +228,10 @@ diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
+void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.5p1/auditstub.c b/openssh-6.5p1/auditstub.c
diff --git a/openssh-6.6p1/auditstub.c b/openssh-6.6p1/auditstub.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/auditstub.c
+++ b/openssh-6.6p1/auditstub.c
@@ -0,0 +1,39 @@
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
+
@ -295,45 +272,9 @@ new file mode 100644
+{
+}
+
diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c
--- a/openssh-6.5p1/cipher.c
+++ b/openssh-6.5p1/cipher.c
@@ -52,31 +52,17 @@
/* compatibility with old or broken OpenSSL versions */
#include "openbsd-compat/openssl-compat.h"
extern const EVP_CIPHER *evp_ssh1_bf(void);
extern const EVP_CIPHER *evp_ssh1_3des(void);
extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
-struct Cipher {
- char *name;
- int number; /* for ssh1 only */
- u_int block_size;
- u_int key_len;
- u_int iv_len; /* defaults to block_size */
- u_int auth_len;
- u_int discard_len;
- u_int flags;
-#define CFLAG_CBC (1<<0)
-#define CFLAG_CHACHAPOLY (1<<1)
- const EVP_CIPHER *(*evptype)(void);
-};
-
-static const struct Cipher ciphers[] = {
+struct Cipher ciphers[] = {
{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
{ "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
{ "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
{ "blowfish-cbc",
SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
diff --git a/openssh-6.5p1/cipher.h b/openssh-6.5p1/cipher.h
--- a/openssh-6.5p1/cipher.h
+++ b/openssh-6.5p1/cipher.h
diff --git a/openssh-6.6p1/cipher.h b/openssh-6.6p1/cipher.h
--- a/openssh-6.6p1/cipher.h
+++ b/openssh-6.6p1/cipher.h
@@ -58,17 +58,30 @@
#define SSH_CIPHER_MAX 31
@ -366,9 +307,9 @@ diff --git a/openssh-6.5p1/cipher.h b/openssh-6.5p1/cipher.h
const Cipher *cipher;
};
diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
--- a/openssh-6.5p1/kex.c
+++ b/openssh-6.5p1/kex.c
diff --git a/openssh-6.6p1/kex.c b/openssh-6.6p1/kex.c
--- a/openssh-6.6p1/kex.c
+++ b/openssh-6.6p1/kex.c
@@ -45,16 +45,17 @@
#include "kex.h"
#include "log.h"
@ -476,16 +417,16 @@ diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
for (mode = 0; mode < MODE_MAX; mode++) {
newkeys = kex->newkeys[mode];
need = MAX(need, newkeys->enc.key_len);
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.5p1/monitor.c
+++ b/openssh-6.5p1/monitor.c
@@ -93,16 +93,17 @@
diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c
--- a/openssh-6.6p1/monitor.c
+++ b/openssh-6.6p1/monitor.c
@@ -92,16 +92,17 @@
#endif
#include "monitor_wrap.h"
#include "monitor_fdpass.h"
#include "misc.h"
#include "compat.h"
#include "ssh2.h"
#include "jpake.h"
#include "roaming.h"
#include "authfd.h"
+#include "audit.h"
@ -497,7 +438,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
/* Imports */
extern ServerOptions options;
extern u_int utmp_len;
@@ -182,16 +183,18 @@ int mm_answer_gss_accept_ctx(int, Buffer
@@ -176,16 +177,18 @@ int mm_answer_gss_accept_ctx(int, Buffer
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
#endif
@ -516,7 +457,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
/* local state for key verify */
@@ -233,16 +236,18 @@ struct mon_table mon_dispatch_proto20[]
@@ -227,16 +230,18 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
@ -535,7 +476,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
#ifdef SKEY
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
@@ -270,16 +275,18 @@ struct mon_table mon_dispatch_postauth20
@@ -257,16 +262,18 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_SIGN, 0, mm_answer_sign},
{MONITOR_REQ_PTY, 0, mm_answer_pty},
{MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
@ -554,7 +495,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
@@ -301,28 +308,32 @@ struct mon_table mon_dispatch_proto15[]
@@ -288,28 +295,32 @@ struct mon_table mon_dispatch_proto15[]
{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
@ -587,16 +528,15 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
/* Specifies if a certain message is allowed at the moment */
@@ -2411,8 +2422,52 @@ mm_answer_jpake_check_confirm(int sock,
@@ -2187,8 +2198,52 @@ mm_answer_gss_userok(int sock, Buffer *m
monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
auth_method = "gssapi-with-mic";
auth_method = "jpake-01@openssh.com";
return authenticated;
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
#endif /* GSSAPI */
#endif /* JPAKE */
+
+#ifdef SSH_AUDIT_EVENTS
+int
+mm_answer_audit_unsupported_body(int sock, Buffer *m)
@ -640,10 +580,11 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
+}
+
+#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
--- a/openssh-6.5p1/monitor.h
+++ b/openssh-6.5p1/monitor.h
@@ -65,16 +65,18 @@ enum monitor_reqtype {
+
diff --git a/openssh-6.6p1/monitor.h b/openssh-6.6p1/monitor.h
--- a/openssh-6.6p1/monitor.h
+++ b/openssh-6.6p1/monitor.h
@@ -60,16 +60,18 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
@ -662,19 +603,18 @@ diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
int m_recvfd;
int m_sendfd;
int m_log_recvfd;
diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.5p1/monitor_wrap.c
+++ b/openssh-6.5p1/monitor_wrap.c
@@ -1483,8 +1483,46 @@ mm_jpake_check_confirm(const BIGNUM *k,
diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c
--- a/openssh-6.6p1/monitor_wrap.c
+++ b/openssh-6.6p1/monitor_wrap.c
@@ -1320,8 +1320,46 @@ mm_ssh_gssapi_userok(char *user)
authenticated = buffer_get_int(&m);
success = buffer_get_int(&m);
buffer_free(&m);
debug3("%s: success = %d", __func__, success);
return success;
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
return (authenticated);
}
#endif /* JPAKE */
+
#endif /* GSSAPI */
+#ifdef SSH_AUDIT_EVENTS
+void
+mm_audit_unsupported_body(int what)
@ -712,9 +652,10 @@ diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
+ buffer_free(&m);
+}
+#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.5p1/monitor_wrap.h
+++ b/openssh-6.5p1/monitor_wrap.h
+
diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h
--- a/openssh-6.6p1/monitor_wrap.h
+++ b/openssh-6.6p1/monitor_wrap.h
@@ -72,16 +72,18 @@ int mm_sshpam_respond(void *, u_int, cha
void mm_sshpam_free_ctx(void *);
#endif
@ -734,28 +675,10 @@ diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
void mm_session_pty_cleanup2(struct Session *);
/* SSHv1 interfaces */
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -114,16 +114,17 @@
#include "session.h"
#include "monitor_mm.h"
#include "monitor.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
#include "roaming.h"
+#include "audit.h"
#include "ssh-sandbox.h"
#include "version.h"
#ifdef LIBWRAP
#include <tcpd.h>
#include <syslog.h>
int allow_severity;
int deny_severity;
@@ -2312,16 +2313,20 @@ do_ssh1_kex(void)
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -2325,16 +2325,20 @@ do_ssh1_kex(void)
packet_disconnect("Warning: client selects unsupported cipher.");
/* Get check bytes from the packet. These must match those we

82
openssh-6.6p1-audit4_fips-kex_results.patch Normal file
View File

@ -0,0 +1,82 @@
# HG changeset patch
# Parent dec5efd68e0b652282f2b9b31f5999342123d33d
diff --git a/openssh-6.6p1/Makefile.in b/openssh-6.6p1/Makefile.in
--- a/openssh-6.6p1/Makefile.in
+++ b/openssh-6.6p1/Makefile.in
@@ -72,17 +72,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
ssh-pkcs11.o krl.o smult_curve25519_ref.o \
kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
ssh-ed25519.o digest-openssl.o hmac.o \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
- fips.o
+ fips.o \
+ auditstub.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
roaming_common.o roaming_client.o
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
audit.o audit-bsm.o audit-linux.o platform.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
diff --git a/openssh-6.6p1/cipher.c b/openssh-6.6p1/cipher.c
--- a/openssh-6.6p1/cipher.c
+++ b/openssh-6.6p1/cipher.c
@@ -54,30 +54,16 @@
/* compatibility with old or broken OpenSSL versions */
#include "openbsd-compat/openssl-compat.h"
extern const EVP_CIPHER *evp_ssh1_bf(void);
extern const EVP_CIPHER *evp_ssh1_3des(void);
extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
-struct Cipher {
- char *name;
- int number; /* for ssh1 only */
- u_int block_size;
- u_int key_len;
- u_int iv_len; /* defaults to block_size */
- u_int auth_len;
- u_int discard_len;
- u_int flags;
-#define CFLAG_CBC (1<<0)
-#define CFLAG_CHACHAPOLY (1<<1)
- const EVP_CIPHER *(*evptype)(void);
-};
-
static const struct Cipher ciphers_all[] = {
{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
{ "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
{ "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
{ "blowfish-cbc",
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -119,16 +119,18 @@
#endif
#include "monitor_wrap.h"
#include "roaming.h"
#include "ssh-sandbox.h"
#include "version.h"
#include "fips.h"
+#include "audit.h"
+
#ifdef LIBWRAP
#include <tcpd.h>
#include <syslog.h>
int allow_severity;
int deny_severity;
#endif /* LIBWRAP */
#ifndef O_NOCTTY

154
openssh-6.5p1-audit5-session_key_destruction.patch → openssh-6.6p1-audit5-session_key_destruction.patch
View File

@ -4,9 +4,9 @@
# https://bugzilla.mindrot.org/attachment.cgi?id=2014
# by jchadima@redhat.com
diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.5p1/audit-bsm.c
+++ b/openssh-6.5p1/audit-bsm.c
diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c
--- a/openssh-6.6p1/audit-bsm.c
+++ b/openssh-6.6p1/audit-bsm.c
@@ -480,9 +480,15 @@ audit_unsupported_body(int what)
/* not implemented */
}
@ -23,9 +23,9 @@ diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
+ /* not implemented */
+}
#endif /* BSM */
diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
--- a/openssh-6.6p1/audit-linux.c
+++ b/openssh-6.6p1/audit-linux.c
@@ -289,24 +289,25 @@ audit_unsupported_body(int what)
/* no problem, the next instruction will be fatal() */
return;
@ -91,9 +91,9 @@ diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
+}
+
#endif /* USE_LINUX_AUDIT */
diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.5p1/audit.c
+++ b/openssh-6.5p1/audit.c
diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c
--- a/openssh-6.6p1/audit.c
+++ b/openssh-6.6p1/audit.c
@@ -138,16 +138,22 @@ audit_unsupported(int what)
}
@ -138,9 +138,9 @@ diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.5p1/audit.h
+++ b/openssh-6.5p1/audit.h
diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h
--- a/openssh-6.6p1/audit.h
+++ b/openssh-6.6p1/audit.h
@@ -57,10 +57,12 @@ int audit_run_command(const char *);
void audit_end_command(int, const char *);
ssh_audit_event_t audit_classify_auth(const char *);
@ -154,9 +154,9 @@ diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.5p1/auditstub.c b/openssh-6.5p1/auditstub.c
--- a/openssh-6.5p1/auditstub.c
+++ b/openssh-6.5p1/auditstub.c
diff --git a/openssh-6.6p1/auditstub.c b/openssh-6.6p1/auditstub.c
--- a/openssh-6.6p1/auditstub.c
+++ b/openssh-6.6p1/auditstub.c
@@ -22,18 +22,29 @@
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
@ -187,10 +187,10 @@ diff --git a/openssh-6.5p1/auditstub.c b/openssh-6.5p1/auditstub.c
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
+{
+}
diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
--- a/openssh-6.5p1/kex.c
+++ b/openssh-6.5p1/kex.c
@@ -698,8 +698,39 @@ dump_digest(char *msg, u_char *digest, i
diff --git a/openssh-6.6p1/kex.c b/openssh-6.6p1/kex.c
--- a/openssh-6.6p1/kex.c
+++ b/openssh-6.6p1/kex.c
@@ -700,8 +700,39 @@ dump_digest(char *msg, u_char *digest, i
if (i%32 == 31)
fprintf(stderr, "\n");
else if (i%8 == 7)
@ -230,10 +230,10 @@ diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp));
+}
+
diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
--- a/openssh-6.5p1/kex.h
+++ b/openssh-6.5p1/kex.h
@@ -163,16 +163,18 @@ void kexdh_client(Kex *);
diff --git a/openssh-6.6p1/kex.h b/openssh-6.6p1/kex.h
--- a/openssh-6.6p1/kex.h
+++ b/openssh-6.6p1/kex.h
@@ -162,16 +162,18 @@ void kexdh_client(Kex *);
void kexdh_server(Kex *);
void kexgex_client(Kex *);
void kexgex_server(Kex *);
@ -252,15 +252,15 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
BIGNUM *, BIGNUM *, u_char **, u_int *);
#ifdef OPENSSL_HAS_ECC
diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c
--- a/openssh-6.5p1/mac.c
+++ b/openssh-6.5p1/mac.c
@@ -219,16 +219,30 @@ mac_clear(Mac *mac)
diff --git a/openssh-6.6p1/mac.c b/openssh-6.6p1/mac.c
--- a/openssh-6.6p1/mac.c
+++ b/openssh-6.6p1/mac.c
@@ -253,16 +253,30 @@ mac_clear(Mac *mac)
if (mac->umac_ctx != NULL)
umac128_delete(mac->umac_ctx);
} else if (mac->evp_md != NULL)
HMAC_cleanup(&mac->evp_ctx);
mac->evp_md = NULL;
} else if (mac->hmac_ctx != NULL)
ssh_hmac_free(mac->hmac_ctx);
mac->hmac_ctx = NULL;
mac->umac_ctx = NULL;
}
@ -286,9 +286,9 @@ diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c
char *maclist, *cp, *p;
if (names == NULL || strcmp(names, "") == 0)
diff --git a/openssh-6.5p1/mac.h b/openssh-6.5p1/mac.h
--- a/openssh-6.5p1/mac.h
+++ b/openssh-6.5p1/mac.h
diff --git a/openssh-6.6p1/mac.h b/openssh-6.6p1/mac.h
--- a/openssh-6.6p1/mac.h
+++ b/openssh-6.6p1/mac.h
@@ -24,8 +24,9 @@
*/
@ -299,10 +299,10 @@ diff --git a/openssh-6.5p1/mac.h b/openssh-6.5p1/mac.h
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
void mac_clear(Mac *);
+void mac_destroy(Mac *);
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.5p1/monitor.c
+++ b/openssh-6.5p1/monitor.c
@@ -185,16 +185,17 @@ int mm_answer_gss_checkmic(int, Buffer *
diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c
--- a/openssh-6.6p1/monitor.c
+++ b/openssh-6.6p1/monitor.c
@@ -179,16 +179,17 @@ int mm_answer_gss_checkmic(int, Buffer *
#endif
#ifdef SSH_AUDIT_EVENTS
@ -320,7 +320,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
/* local state for key verify */
@@ -238,16 +239,17 @@ struct mon_table mon_dispatch_proto20[]
@@ -232,16 +233,17 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
@ -338,7 +338,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
#ifdef SKEY
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
@@ -277,16 +279,17 @@ struct mon_table mon_dispatch_postauth20
@@ -264,16 +266,17 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
{MONITOR_REQ_TERM, 0, mm_answer_term},
#ifdef SSH_AUDIT_EVENTS
@ -356,7 +356,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
@@ -310,30 +313,32 @@ struct mon_table mon_dispatch_proto15[]
@@ -297,30 +300,32 @@ struct mon_table mon_dispatch_proto15[]
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
@ -389,7 +389,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
/* Specifies if a certain message is allowed at the moment */
@@ -1971,21 +1976,23 @@ mm_get_keystate(struct monitor *pmonitor
@@ -1949,21 +1954,23 @@ mm_get_keystate(struct monitor *pmonitor
goto skip;
} else {
/* Get the Kex for rekeying */
@ -413,7 +413,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
packets = buffer_get_int(&m);
bytes = buffer_get_int64(&m);
packet_set_state(MODE_OUT, seqnr, blocks, packets, bytes);
@@ -2021,16 +2028,31 @@ mm_get_keystate(struct monitor *pmonitor
@@ -1999,16 +2006,31 @@ mm_get_keystate(struct monitor *pmonitor
/* Roaming */
if (compat20) {
@ -445,7 +445,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
{
size_t len = (size_t) size * ncount;
@@ -2465,9 +2487,27 @@ mm_answer_audit_kex_body(int sock, Buffe
@@ -2240,10 +2262,28 @@ mm_answer_audit_kex_body(int sock, Buffe
free(mac);
free(compress);
buffer_clear(m);
@ -473,10 +473,11 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
+ return 0;
+}
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
--- a/openssh-6.5p1/monitor.h
+++ b/openssh-6.5p1/monitor.h
@@ -67,16 +67,17 @@ enum monitor_reqtype {
diff --git a/openssh-6.6p1/monitor.h b/openssh-6.6p1/monitor.h
--- a/openssh-6.6p1/monitor.h
+++ b/openssh-6.6p1/monitor.h
@@ -62,16 +62,17 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
@ -494,10 +495,10 @@ diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
int m_recvfd;
int m_sendfd;
int m_log_recvfd;
diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.5p1/monitor_wrap.c
+++ b/openssh-6.5p1/monitor_wrap.c
@@ -651,22 +651,24 @@ mm_send_keystate(struct monitor *monitor
diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c
--- a/openssh-6.6p1/monitor_wrap.c
+++ b/openssh-6.6p1/monitor_wrap.c
@@ -649,22 +649,24 @@ mm_send_keystate(struct monitor *monitor
__func__, packet_get_newkeys(MODE_OUT),
packet_get_newkeys(MODE_IN));
@ -522,7 +523,7 @@ diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
buffer_put_int(&m, packets);
buffer_put_int64(&m, bytes);
packet_get_state(MODE_IN, &seqnr, &blocks, &packets, &bytes);
@@ -1520,9 +1522,24 @@ mm_audit_kex_body(int ctos, char *cipher
@@ -1356,10 +1358,25 @@ mm_audit_kex_body(int ctos, char *cipher
buffer_put_int64(&m, uid);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, &m);
@ -547,9 +548,10 @@ diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
+ buffer_free(&m);
+}
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.5p1/monitor_wrap.h
+++ b/openssh-6.5p1/monitor_wrap.h
diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h
--- a/openssh-6.6p1/monitor_wrap.h
+++ b/openssh-6.6p1/monitor_wrap.h
@@ -74,16 +74,17 @@ void mm_sshpam_free_ctx(void *);
#ifdef SSH_AUDIT_EVENTS
@ -568,9 +570,9 @@ diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
void mm_session_pty_cleanup2(struct Session *);
/* SSHv1 interfaces */
diff --git a/openssh-6.5p1/packet.c b/openssh-6.5p1/packet.c
--- a/openssh-6.5p1/packet.c
+++ b/openssh-6.5p1/packet.c
diff --git a/openssh-6.6p1/packet.c b/openssh-6.6p1/packet.c
--- a/openssh-6.6p1/packet.c
+++ b/openssh-6.6p1/packet.c
@@ -56,16 +56,17 @@
#include <stdio.h>
#include <stdlib.h>
@ -701,9 +703,9 @@ diff --git a/openssh-6.5p1/packet.c b/openssh-6.5p1/packet.c
- mac = &active_state->newkeys[mode]->mac;
- comp = &active_state->newkeys[mode]->comp;
- mac_clear(mac);
- memset(enc->iv, 0, enc->iv_len);
- memset(enc->key, 0, enc->key_len);
- memset(mac->key, 0, mac->key_len);
- explicit_bzero(enc->iv, enc->iv_len);
- explicit_bzero(enc->key, enc->key_len);
- explicit_bzero(mac->key, mac->key_len);
- free(enc->name);
- free(enc->iv);
- free(enc->key);
@ -823,9 +825,9 @@ diff --git a/openssh-6.5p1/packet.c b/openssh-6.5p1/packet.c
+ backup_state = NULL;
}
+
diff --git a/openssh-6.5p1/packet.h b/openssh-6.5p1/packet.h
--- a/openssh-6.5p1/packet.h
+++ b/openssh-6.5p1/packet.h
diff --git a/openssh-6.6p1/packet.h b/openssh-6.6p1/packet.h
--- a/openssh-6.6p1/packet.h
+++ b/openssh-6.6p1/packet.h
@@ -119,9 +119,10 @@ void packet_set_rekey_limits(u_int32_t,
time_t packet_get_rekey_timeout(void);
@ -837,10 +839,10 @@ diff --git a/openssh-6.5p1/packet.h b/openssh-6.5p1/packet.h
+void packet_destroy_all(int, int);
#endif /* PACKET_H */
diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.5p1/session.c
+++ b/openssh-6.5p1/session.c
@@ -1689,16 +1689,19 @@ do_child(Session *s, const char *command
diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c
--- a/openssh-6.6p1/session.c
+++ b/openssh-6.6p1/session.c
@@ -1694,16 +1694,19 @@ do_child(Session *s, const char *command
int env_size;
char *argv[ARGV_MAX];
const char *shell, *shell0, *hostname = NULL;
@ -860,10 +862,10 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
do_pwchange(s);
exit(1);
}
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -711,16 +711,18 @@ privsep_preauth(Authctxt *authctxt)
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -720,16 +720,18 @@ privsep_preauth(Authctxt *authctxt)
setproctitle("%s", "[net]");
if (box != NULL)
ssh_sandbox_child(box);
@ -882,7 +884,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
#ifdef DISABLE_FD_PASSING
if (1) {
#else
@@ -735,16 +737,20 @@ privsep_postauth(Authctxt *authctxt)
@@ -744,16 +746,20 @@ privsep_postauth(Authctxt *authctxt)
monitor_reinit(pmonitor);
pmonitor->m_pid = fork();
@ -903,7 +905,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
/* child */
@@ -2104,16 +2110,17 @@ main(int ac, char **av)
@@ -2118,16 +2124,17 @@ main(int ac, char **av)
do_authentication(authctxt);
}
/*
@ -921,7 +923,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
* Cancel the alarm we set to limit the time taken for
* authentication.
*/
@@ -2156,16 +2163,18 @@ main(int ac, char **av)
@@ -2170,16 +2177,18 @@ main(int ac, char **av)
packet_set_timeout(options.client_alive_interval,
options.client_alive_count_max);
@ -940,7 +942,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
verbose("Closing connection to %.500s port %d", remote_ip, remote_port);
#ifdef USE_PAM
@@ -2497,26 +2506,38 @@ do_ssh2_kex(void)
@@ -2523,26 +2532,38 @@ do_ssh2_kex(void)
#endif
debug("KEX done");
}

122
openssh-6.5p1-audit6-server_key_destruction.patch → openssh-6.6p1-audit6-server_key_destruction.patch
View File

@ -4,9 +4,9 @@
# https://bugzilla.mindrot.org/attachment.cgi?id=2015
# by jchadima@redhat.com
diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.5p1/audit-bsm.c
+++ b/openssh-6.5p1/audit-bsm.c
diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c
--- a/openssh-6.6p1/audit-bsm.c
+++ b/openssh-6.6p1/audit-bsm.c
@@ -486,9 +486,27 @@ audit_kex_body(int ctos, char *enc, char
/* not implemented */
}
@ -35,9 +35,9 @@ diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
+ /* not implemented */
+}
#endif /* BSM */
diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
--- a/openssh-6.6p1/audit-linux.c
+++ b/openssh-6.6p1/audit-linux.c
@@ -351,9 +351,55 @@ audit_session_key_free_body(int ctos, pi
audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
buf, NULL, get_remote_ipaddr(), NULL, 1);
@ -94,9 +94,9 @@ diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
+ error("cannot write into audit");
+}
#endif /* USE_LINUX_AUDIT */
diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.5p1/audit.c
+++ b/openssh-6.5p1/audit.c
diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c
--- a/openssh-6.6p1/audit.c
+++ b/openssh-6.6p1/audit.c
@@ -285,10 +285,29 @@ audit_kex_body(int ctos, char *enc, char
* This will be called on succesfull session key discard
*/
@ -127,9 +127,9 @@ diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.5p1/audit.h
+++ b/openssh-6.5p1/audit.h
diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h
--- a/openssh-6.6p1/audit.h
+++ b/openssh-6.6p1/audit.h
@@ -43,26 +43,30 @@ enum ssh_audit_event_type {
SSH_INVALID_USER,
SSH_NOLOGIN, /* denied by /etc/nologin, not implemented */
@ -161,10 +161,10 @@ diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
+void audit_generate_ephemeral_server_key(const char *);
#endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
--- a/openssh-6.5p1/key.c
+++ b/openssh-6.5p1/key.c
@@ -1959,16 +1959,43 @@ key_demote(const Key *k)
diff --git a/openssh-6.6p1/key.c b/openssh-6.6p1/key.c
--- a/openssh-6.6p1/key.c
+++ b/openssh-6.6p1/key.c
@@ -1964,16 +1964,43 @@ key_demote(const Key *k)
fatal("key_demote: bad key type %d", k->type);
break;
}
@ -208,9 +208,9 @@ diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
}
/* Return the cert-less equivalent to a certified key type */
diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
--- a/openssh-6.5p1/key.h
+++ b/openssh-6.5p1/key.h
diff --git a/openssh-6.6p1/key.h b/openssh-6.6p1/key.h
--- a/openssh-6.6p1/key.h
+++ b/openssh-6.6p1/key.h
@@ -113,16 +113,17 @@ int key_read(Key *, char **);
u_int key_size(const Key *);
enum fp_type key_fp_type_select(void);
@ -229,10 +229,10 @@ diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
void key_cert_copy(const Key *, struct Key *);
int key_cert_check_authority(const Key *, int, int, const char *,
const char **);
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.5p1/monitor.c
+++ b/openssh-6.5p1/monitor.c
@@ -110,16 +110,18 @@ extern u_int utmp_len;
diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c
--- a/openssh-6.6p1/monitor.c
+++ b/openssh-6.6p1/monitor.c
@@ -109,16 +109,18 @@ extern u_int utmp_len;
extern Newkeys *current_keys[];
extern z_stream incoming_stream;
extern z_stream outgoing_stream;
@ -251,7 +251,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
u_char *keyin;
u_int keyinlen;
u_char *keyout;
@@ -186,16 +188,17 @@ int mm_answer_gss_checkmic(int, Buffer *
@@ -180,16 +182,17 @@ int mm_answer_gss_checkmic(int, Buffer *
#ifdef SSH_AUDIT_EVENTS
int mm_answer_audit_event(int, Buffer *);
@ -269,7 +269,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
/* local state for key verify */
@@ -240,16 +243,17 @@ struct mon_table mon_dispatch_proto20[]
@@ -234,16 +237,17 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
#endif
@ -287,7 +287,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
#ifdef SKEY
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
@@ -280,16 +284,17 @@ struct mon_table mon_dispatch_postauth20
@@ -267,16 +271,17 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_TERM, 0, mm_answer_term},
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
@ -305,7 +305,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
@@ -314,31 +319,33 @@ struct mon_table mon_dispatch_proto15[]
@@ -301,31 +306,33 @@ struct mon_table mon_dispatch_proto15[]
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
#endif
@ -339,7 +339,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
/* Specifies if a certain message is allowed at the moment */
@@ -1761,16 +1768,18 @@ mm_answer_term(int sock, Buffer *req)
@@ -1739,16 +1746,18 @@ mm_answer_term(int sock, Buffer *req)
/* The child is terminating */
session_destroy_all(&mm_session_close);
@ -358,7 +358,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
/* Terminate process */
exit(res);
@@ -2505,9 +2514,30 @@ mm_answer_audit_session_key_free_body(in
@@ -2280,10 +2289,31 @@ mm_answer_audit_session_key_free_body(in
audit_session_key_free_body(ctos, pid, uid);
@ -389,10 +389,11 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
+ return 0;
+}
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
--- a/openssh-6.5p1/monitor.h
+++ b/openssh-6.5p1/monitor.h
@@ -68,16 +68,17 @@ enum monitor_reqtype {
diff --git a/openssh-6.6p1/monitor.h b/openssh-6.6p1/monitor.h
--- a/openssh-6.6p1/monitor.h
+++ b/openssh-6.6p1/monitor.h
@@ -63,16 +63,17 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
@ -410,10 +411,10 @@ diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
int m_recvfd;
int m_sendfd;
int m_log_recvfd;
diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.5p1/monitor_wrap.c
+++ b/openssh-6.5p1/monitor_wrap.c
@@ -1537,9 +1537,25 @@ mm_audit_session_key_free_body(int ctos,
diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c
--- a/openssh-6.6p1/monitor_wrap.c
+++ b/openssh-6.6p1/monitor_wrap.c
@@ -1373,10 +1373,26 @@ mm_audit_session_key_free_body(int ctos,
buffer_put_int(&m, ctos);
buffer_put_int64(&m, pid);
buffer_put_int64(&m, uid);
@ -439,9 +440,10 @@ diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
+ buffer_free(&m);
+}
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.5p1/monitor_wrap.h
+++ b/openssh-6.5p1/monitor_wrap.h
diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h
--- a/openssh-6.6p1/monitor_wrap.h
+++ b/openssh-6.6p1/monitor_wrap.h
@@ -75,16 +75,17 @@ void mm_sshpam_free_ctx(void *);
#ifdef SSH_AUDIT_EVENTS
#include "audit.h"
@ -460,9 +462,9 @@ diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
void mm_session_pty_cleanup2(struct Session *);
/* SSHv1 interfaces */
diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.5p1/session.c
+++ b/openssh-6.5p1/session.c
diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c
--- a/openssh-6.6p1/session.c
+++ b/openssh-6.6p1/session.c
@@ -132,17 +132,17 @@ static int session_pty_req(Session *);
/* import */
@ -482,7 +484,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
/* data */
static int sessions_first_unused = -1;
static int sessions_nalloc = 0;
@@ -1688,17 +1688,17 @@ do_child(Session *s, const char *command
@@ -1693,17 +1693,17 @@ do_child(Session *s, const char *command
char **env;
int env_size;
char *argv[ARGV_MAX];
@ -501,10 +503,10 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
if (s->authctxt->force_pwchange) {
do_setusercontext(pw);
child_close_fds();
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -256,17 +256,17 @@ Buffer cfg;
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -259,17 +259,17 @@ Buffer cfg;
/* message to be displayed after login */
Buffer loginmsg;
@ -523,7 +525,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
/*
* Close all listening sockets
*/
@@ -275,16 +275,25 @@ close_listen_socks(void)
@@ -278,16 +278,25 @@ close_listen_socks(void)
{
int i;
@ -549,7 +551,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
if (startup_pipes)
for (i = 0; i < options.max_startups; i++)
if (startup_pipes[i] != -1)
@@ -554,60 +563,99 @@ sshd_exchange_identification(int sock_in
@@ -557,60 +566,99 @@ sshd_exchange_identification(int sock_in
close(sock_out);
logit("Protocol major versions differ for %s: %.200s vs. %.200s",
get_remote_ipaddr(),
@ -606,7 +608,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
}
}
sensitive_data.ssh1_host_key = NULL;
memset(sensitive_data.ssh1_cookie, 0, SSH_SESSION_KEY_LENGTH);
explicit_bzero(sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
}
/* Demote private to public keys for network child */
@ -618,14 +620,14 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
+ uid_t uid;
int i;
+ pid = getpid();
+ uid = getuid();
if (sensitive_data.server_key) {
tmp = key_demote(sensitive_data.server_key);
key_free(sensitive_data.server_key);
sensitive_data.server_key = tmp;
}
+ pid = getpid();
+ uid = getuid();
for (i = 0; i < options.num_host_key_files; i++) {
if (sensitive_data.host_keys[i]) {
+ char *fp;
@ -652,7 +654,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
}
static void
@@ -1192,16 +1240,17 @@ server_accept_loop(int *sock_in, int *so
@@ -1201,16 +1249,17 @@ server_accept_loop(int *sock_in, int *so
/* Wait in select until there is a connection. */
ret = select(maxfd+1, fdset, NULL, NULL, NULL);
@ -670,7 +672,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
generate_ephemeral_server_key();
key_used = 0;
key_do_regen = 0;
@@ -2153,27 +2202,28 @@ main(int ac, char **av)
@@ -2167,27 +2216,28 @@ main(int ac, char **av)
/*
* In privilege separation, we fork another child and prepare
* file descriptor passing.
@ -700,10 +702,10 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
verbose("Closing connection to %.500s port %d", remote_ip, remote_port);
@@ -2392,17 +2442,17 @@ do_ssh1_kex(void)
MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
MD5_Final(session_key + 16, &md);
memset(buf, 0, bytes);
@@ -2412,17 +2462,17 @@ do_ssh1_kex(void)
fatal("%s: hash failed", __func__);
ssh_digest_free(md);
explicit_bzero(buf, bytes);
free(buf);
for (i = 0; i < 16; i++)
session_id[i] = session_key[i] ^ session_key[i + 16];
@ -719,7 +721,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
BN_clear_free(session_key_int);
/* Set the session key. From this on all communications will be encrypted. */
@@ -2527,16 +2577,18 @@ cleanup_exit(int i)
@@ -2553,16 +2603,18 @@ cleanup_exit(int i)
debug("Killing privsep child %d", pmonitor->m_pid);
if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
errno != ESRCH)

10
openssh-6.5p1-audit7-libaudit_compat.patch → openssh-6.6p1-audit7-libaudit_compat.patch
View File

@ -1,8 +1,8 @@
# definitions for AUDIT_CRYPTO_* symbols fom libaudit 2.x
diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
--- a/openssh-6.6p1/audit-linux.c
+++ b/openssh-6.6p1/audit-linux.c
@@ -25,16 +25,17 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
@ -21,10 +21,10 @@ diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
#include "key.h"
#include "hostfile.h"
#include "auth.h"
diff --git a/openssh-6.5p1/compat-libaudit.h b/openssh-6.5p1/compat-libaudit.h
diff --git a/openssh-6.6p1/compat-libaudit.h b/openssh-6.6p1/compat-libaudit.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/compat-libaudit.h
+++ b/openssh-6.6p1/compat-libaudit.h
@@ -0,0 +1,79 @@
+/* AUDIT_CRYPTO symbol definitions from libaudit 2.x */
+/* libaudit.h --

6
openssh-6.5p1-audit8-libaudit_dns_timeouts.patch → openssh-6.6p1-audit8-libaudit_dns_timeouts.patch
View File

@ -4,9 +4,9 @@
# Note that this particular solution causes the logs to always contain
# "hostname=?, addr=?" when DNS lookups are disabled.
diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
--- a/openssh-6.6p1/audit-linux.c
+++ b/openssh-6.6p1/audit-linux.c
@@ -62,17 +62,17 @@ linux_audit_user_logxxx(int uid, const c
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT)

6
openssh-6.5p1-blocksigalrm.patch → openssh-6.6p1-blocksigalrm.patch
View File

@ -2,9 +2,9 @@
# grace_alarm_handler)
# bnc#57354
diff --git a/openssh-6.5p1/log.c b/openssh-6.5p1/log.c
--- a/openssh-6.5p1/log.c
+++ b/openssh-6.5p1/log.c
diff --git a/openssh-6.6p1/log.c b/openssh-6.6p1/log.c
--- a/openssh-6.6p1/log.c
+++ b/openssh-6.6p1/log.c
@@ -47,16 +47,17 @@
#include <unistd.h>
#include <errno.h>

6
openssh-6.5p1-default-protocol.patch → openssh-6.6p1-default-protocol.patch
View File

@ -1,8 +1,8 @@
# only enable SSHv2 protocol by default (upstream default is fallback to v1)
diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
--- a/openssh-6.5p1/ssh_config
+++ b/openssh-6.5p1/ssh_config
diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config
--- a/openssh-6.6p1/ssh_config
+++ b/openssh-6.6p1/ssh_config
@@ -41,17 +41,17 @@ ForwardX11Trusted yes
# CheckHostIP yes
# AddressFamily any

6
openssh-6.5p1-disable-openssl-abi-check.patch → openssh-6.6p1-disable-openssl-abi-check.patch
View File

@ -2,9 +2,9 @@
# reliable indicator of ABI changes and doesn't make much sense in a
# distribution package
diff --git a/openssh-6.5p1/entropy.c b/openssh-6.5p1/entropy.c
--- a/openssh-6.5p1/entropy.c
+++ b/openssh-6.5p1/entropy.c
diff --git a/openssh-6.6p1/entropy.c b/openssh-6.6p1/entropy.c
--- a/openssh-6.6p1/entropy.c
+++ b/openssh-6.6p1/entropy.c
@@ -212,22 +212,23 @@ seed_rng(void)
#endif
/*

12
openssh-6.5p1-eal3.patch → openssh-6.6p1-eal3.patch
View File

@ -1,8 +1,8 @@
# fix paths and references in sshd man pages
diff --git a/openssh-6.5p1/sshd.8 b/openssh-6.5p1/sshd.8
--- a/openssh-6.5p1/sshd.8
+++ b/openssh-6.5p1/sshd.8
diff --git a/openssh-6.6p1/sshd.8 b/openssh-6.6p1/sshd.8
--- a/openssh-6.6p1/sshd.8
+++ b/openssh-6.6p1/sshd.8
@@ -875,17 +875,17 @@ See
If this file exists,
.Nm
@ -41,9 +41,9 @@ diff --git a/openssh-6.5p1/sshd.8 b/openssh-6.5p1/sshd.8
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
--- a/openssh-6.5p1/sshd_config.5
+++ b/openssh-6.5p1/sshd_config.5
diff --git a/openssh-6.6p1/sshd_config.5 b/openssh-6.6p1/sshd_config.5
--- a/openssh-6.6p1/sshd_config.5
+++ b/openssh-6.6p1/sshd_config.5
@@ -278,18 +278,17 @@ The contents of the specified file are s
authentication is allowed.
If the argument is

86
openssh-6.5p1-fingerprint_hash.patch → openssh-6.6p1-fingerprint_hash.patch
View File

@ -1,14 +1,14 @@
# HG changeset patch
# Parent 450c3933f35c6801a682ea32c588e4c9ff73414a
# Parent a3a898b117b0f726e6cc923f18463de8e45e74f5
# select fingerprint hash algorithms based on the environment variable
# SSH_FP_TYPE_ENVVAR and append it to hex and randomart fingerprints
# Petr Cerny <pcerny@suse.cz>
diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c
--- a/openssh-6.5p1/auth-rsa.c
+++ b/openssh-6.5p1/auth-rsa.c
@@ -226,17 +226,17 @@ rsa_key_allowed_in_file(struct passwd *p
diff --git a/openssh-6.6p1/auth-rsa.c b/openssh-6.6p1/auth-rsa.c
--- a/openssh-6.6p1/auth-rsa.c
+++ b/openssh-6.6p1/auth-rsa.c
@@ -230,17 +230,17 @@ rsa_key_allowed_in_file(struct passwd *p
/* check the real bits */
keybits = BN_num_bits(key->rsa->n);
@ -27,9 +27,9 @@ diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c
if (auth_key_is_revoked(key))
break;
diff --git a/openssh-6.5p1/auth.c b/openssh-6.5p1/auth.c
--- a/openssh-6.5p1/auth.c
+++ b/openssh-6.5p1/auth.c
diff --git a/openssh-6.6p1/auth.c b/openssh-6.6p1/auth.c
--- a/openssh-6.6p1/auth.c
+++ b/openssh-6.6p1/auth.c
@@ -680,17 +680,17 @@ auth_key_is_revoked(Key *key)
case -1:
/* Error opening revoked_keys_file: refuse all keys */
@ -49,9 +49,9 @@ diff --git a/openssh-6.5p1/auth.c b/openssh-6.5p1/auth.c
fatal("key_in_file returned junk");
}
diff --git a/openssh-6.5p1/auth2-hostbased.c b/openssh-6.5p1/auth2-hostbased.c
--- a/openssh-6.5p1/auth2-hostbased.c
+++ b/openssh-6.5p1/auth2-hostbased.c
diff --git a/openssh-6.6p1/auth2-hostbased.c b/openssh-6.6p1/auth2-hostbased.c
--- a/openssh-6.6p1/auth2-hostbased.c
+++ b/openssh-6.6p1/auth2-hostbased.c
@@ -202,23 +202,23 @@ hostbased_key_allowed(struct passwd *pw,
_PATH_SSH_SYSTEM_HOSTFILE2,
options.ignore_user_known_hosts ? NULL :
@ -78,9 +78,9 @@ diff --git a/openssh-6.5p1/auth2-hostbased.c b/openssh-6.5p1/auth2-hostbased.c
return (host_status == HOST_OK);
}
diff --git a/openssh-6.5p1/auth2-pubkey.c b/openssh-6.5p1/auth2-pubkey.c
--- a/openssh-6.5p1/auth2-pubkey.c
+++ b/openssh-6.5p1/auth2-pubkey.c
diff --git a/openssh-6.6p1/auth2-pubkey.c b/openssh-6.6p1/auth2-pubkey.c
--- a/openssh-6.6p1/auth2-pubkey.c
+++ b/openssh-6.6p1/auth2-pubkey.c
@@ -208,25 +208,25 @@ pubkey_auth_info(Authctxt *authctxt, con
i = vasprintf(&extra, fmt, ap);
va_end(ap);
@ -166,9 +166,9 @@ diff --git a/openssh-6.5p1/auth2-pubkey.c b/openssh-6.5p1/auth2-pubkey.c
options.trusted_user_ca_keys);
goto out;
}
diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
--- a/openssh-6.5p1/key.c
+++ b/openssh-6.5p1/key.c
diff --git a/openssh-6.6p1/key.c b/openssh-6.6p1/key.c
--- a/openssh-6.6p1/key.c
+++ b/openssh-6.6p1/key.c
@@ -420,30 +420,39 @@ key_fingerprint_raw(const Key *k, enum f
*dgst_raw_length = ssh_digest_bytes(hash_alg);
} else {
@ -278,7 +278,7 @@ diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
dgst_rep);
break;
}
memset(dgst_raw, 0, dgst_raw_len);
explicit_bzero(dgst_raw, dgst_raw_len);
free(dgst_raw);
return retval;
}
@ -348,9 +348,9 @@ diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
* the buffer containing the number.
*/
static int
diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
--- a/openssh-6.5p1/key.h
+++ b/openssh-6.5p1/key.h
diff --git a/openssh-6.6p1/key.h b/openssh-6.6p1/key.h
--- a/openssh-6.6p1/key.h
+++ b/openssh-6.6p1/key.h
@@ -53,16 +53,18 @@ enum fp_type {
SSH_FP_MD5,
SSH_FP_SHA256
@ -389,9 +389,9 @@ diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
int key_type_is_cert(int);
int key_type_plain(int);
int key_to_certified(Key *, int);
diff --git a/openssh-6.5p1/ssh-add.c b/openssh-6.5p1/ssh-add.c
--- a/openssh-6.5p1/ssh-add.c
+++ b/openssh-6.5p1/ssh-add.c
diff --git a/openssh-6.6p1/ssh-add.c b/openssh-6.6p1/ssh-add.c
--- a/openssh-6.6p1/ssh-add.c
+++ b/openssh-6.6p1/ssh-add.c
@@ -325,17 +325,17 @@ list_identities(AuthenticationConnection
int version;
@ -411,9 +411,9 @@ diff --git a/openssh-6.5p1/ssh-add.c b/openssh-6.5p1/ssh-add.c
if (!key_write(key, stdout))
fprintf(stderr, "key_write failed");
fprintf(stdout, " %s\n", comment);
diff --git a/openssh-6.5p1/ssh-agent.c b/openssh-6.5p1/ssh-agent.c
--- a/openssh-6.5p1/ssh-agent.c
+++ b/openssh-6.5p1/ssh-agent.c
diff --git a/openssh-6.6p1/ssh-agent.c b/openssh-6.6p1/ssh-agent.c
--- a/openssh-6.6p1/ssh-agent.c
+++ b/openssh-6.6p1/ssh-agent.c
@@ -193,17 +193,17 @@ lookup_identity(Key *key, int version)
/* Check confirmation of keysign request */
@ -433,9 +433,9 @@ diff --git a/openssh-6.5p1/ssh-agent.c b/openssh-6.5p1/ssh-agent.c
return (ret);
}
diff --git a/openssh-6.5p1/ssh-keygen.c b/openssh-6.5p1/ssh-keygen.c
--- a/openssh-6.5p1/ssh-keygen.c
+++ b/openssh-6.5p1/ssh-keygen.c
diff --git a/openssh-6.6p1/ssh-keygen.c b/openssh-6.6p1/ssh-keygen.c
--- a/openssh-6.6p1/ssh-keygen.c
+++ b/openssh-6.6p1/ssh-keygen.c
@@ -741,27 +741,27 @@ do_download(struct passwd *pw)
{
#ifdef ENABLE_PKCS11
@ -583,10 +583,10 @@ diff --git a/openssh-6.5p1/ssh-keygen.c b/openssh-6.5p1/ssh-keygen.c
printf("The key's randomart image is:\n");
printf("%s\n", ra);
free(ra);
diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c
--- a/openssh-6.5p1/sshconnect.c
+++ b/openssh-6.5p1/sshconnect.c
@@ -906,18 +906,18 @@ check_host_key(char *hostname, struct so
diff --git a/openssh-6.6p1/sshconnect.c b/openssh-6.6p1/sshconnect.c
--- a/openssh-6.6p1/sshconnect.c
+++ b/openssh-6.6p1/sshconnect.c
@@ -909,18 +909,18 @@ check_host_key(char *hostname, struct so
"address '%.128s' to the list of known "
"hosts (%.30s).", type, ip,
user_hostfiles[0]);
@ -607,7 +607,7 @@ diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c
break;
case HOST_NEW:
if (options.host_key_alias == NULL && port != 0 &&
@@ -947,18 +947,18 @@ check_host_key(char *hostname, struct so
@@ -950,18 +950,18 @@ check_host_key(char *hostname, struct so
if (show_other_keys(host_hostkeys, host_key))
snprintf(msg1, sizeof(msg1),
@ -628,7 +628,7 @@ diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c
"Matching host key fingerprint"
" found in DNS.\n");
else
@@ -1212,17 +1212,17 @@ fail:
@@ -1215,17 +1215,17 @@ fail:
/* returns 0 if key verifies or -1 if key does NOT verify */
int
@ -647,7 +647,7 @@ diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c
verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
if (flags & DNS_VERIFY_FOUND) {
@@ -1319,18 +1319,18 @@ show_other_keys(struct hostkeys *hostkey
@@ -1322,18 +1322,18 @@ show_other_keys(struct hostkeys *hostkey
char *fp, *ra;
const struct hostkey_entry *found;
@ -668,7 +668,7 @@ diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c
key_type(found->key), fp);
if (options.visual_host_key)
logit("%s", ra);
@@ -1341,17 +1341,17 @@ show_other_keys(struct hostkeys *hostkey
@@ -1344,17 +1344,17 @@ show_other_keys(struct hostkeys *hostkey
return ret;
}
@ -687,10 +687,10 @@ diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
error("It is also possible that a host key has just been changed.");
error("The fingerprint for the %s key sent by the remote host is\n%s.",
diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
--- a/openssh-6.5p1/sshconnect2.c
+++ b/openssh-6.5p1/sshconnect2.c
@@ -592,17 +592,17 @@ input_userauth_pk_ok(int type, u_int32_t
diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c
--- a/openssh-6.6p1/sshconnect2.c
+++ b/openssh-6.6p1/sshconnect2.c
@@ -577,17 +577,17 @@ input_userauth_pk_ok(int type, u_int32_t
goto done;
}
if (key->type != pktype) {
@ -709,7 +709,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
* moved to the end of the queue. this also avoids confusion by
* duplicate keys
*/
@@ -1206,17 +1206,17 @@ sign_and_send_pubkey(Authctxt *authctxt,
@@ -988,17 +988,17 @@ sign_and_send_pubkey(Authctxt *authctxt,
Buffer b;
u_char *blob, *signature;
u_int bloblen, slen;

517
openssh-6.6p1-fips-checks.patch Normal file
View File

@ -0,0 +1,517 @@
# HG changeset patch
# Parent 12ad7b6077ef9c6b3a3a53b4f0084c3eb2f80fe7
diff --git a/openssh-6.6p1/fips-check.c b/openssh-6.6p1/fips-check.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.6p1/fips-check.c
@@ -0,0 +1,37 @@
+#include "includes.h"
+#include <fcntl.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include "digest.h"
+#include "fips.h"
+
+#include <openssl/err.h>
+
+#define PROC_NAME_LEN 64
+
+static const char *argv0;
+
+void
+print_help_exit(int ev)
+{
+ fprintf(stderr, "%s <-c|-w> <file> <checksum_file>\n", argv0);
+ fprintf(stderr, " -c verify hash of 'file' against hash in 'checksum_file'\n");
+ fprintf(stderr, " -w write hash of 'file' into 'checksum_file'\n");
+ exit(ev);
+}
+
+int
+main(int argc, char **argv)
+{
+
+ fips_ssh_init();
+// printf("SSL Error: %lx: %s", ERR_get_error(), ERR_get_string(ERR_get_error(), NULL));
+
+ return 0;
+}
diff --git a/openssh-6.6p1/fips.c b/openssh-6.6p1/fips.c
--- a/openssh-6.6p1/fips.c
+++ b/openssh-6.6p1/fips.c
@@ -24,21 +24,342 @@
#include "includes.h"
#include "fips.h"
#include "digest.h"
#include "key.h"
#include "log.h"
+#include "xmalloc.h"
+#include <openbsd-compat/openssl-compat.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
#include <openssl/crypto.h>
+#include <openssl/err.h>
+
+enum fips_checksum_status {
+ CHECK_OK = 0,
+ CHECK_FAIL,
+ CHECK_MISSING
+};
static int fips_state = -1;
+static char *
+hex_fingerprint(u_int raw_len, u_char *raw)
+{
+ char *retval;
+ u_int i;
+
+ /* reserve space for both the key hash and the string for the hash type */
+ retval = malloc(3 * raw_len);
+ for (i = 0; i < raw_len; i++) {
+ char hex[4];
+ snprintf(hex, sizeof(hex), "%02x:", raw[i]);
+ strlcat(retval, hex, raw_len * 3);
+ }
+
+ return retval;
+}
+
+/* calculates hash of contents of file given by filename using algorithm alg
+ * and placing the resukt into newly allacated memory - remember to free it
+ * when not needed anymore */
+static int
+hash_file(const char *filename, int alg, u_char **hash_out)
+{
+ int check = -1;
+ int hash_len;
+ int fd;
+ struct stat fs;
+ void *hmap;
+ char *hash;
+
+ hash_len = ssh_digest_bytes(alg);
+ hash = xmalloc(hash_len);
+
+ fd = open(filename, O_RDONLY);
+ if (-1 == fd)
+ goto bail_out;
+
+ if (-1 == fstat(fd, &fs))
+ goto bail_out;
+
+ hmap = mmap(NULL, fs.st_size, PROT_READ, MAP_SHARED, fd, 0);
+
+ if ((void *)(-1) != hmap) {
+ check = ssh_digest_memory(alg, hmap, fs.st_size, hash, hash_len);
+ munmap(hmap, fs.st_size);
+ }
+ close(fd);
+
+bail_out:
+ if (0 == check) {
+ check = CHECK_OK;
+ *hash_out = hash;
+ } else {
+ check = CHECK_FAIL;
+ *hash_out = NULL;
+ free(hash);
+ }
+ return check;
+}
+
+/* find pathname of binary of process with PID pid. exe is buffer expected to
+ * be capable of holding at least max_pathlen characters
+ */
+static int
+get_executable_path(pid_t pid, char *exe, int max_pathlen)
+{
+ char exe_sl[PROC_EXE_PATH_LEN];
+ int n;
+
+ n = snprintf(exe_sl, sizeof(exe_sl), "/proc/%u/exe", pid);
+ if ((n <= 10) || (n >= max_pathlen)) {
+ fatal("error compiling filename of link to executable");
+ }
+
+ n = readlink(exe_sl, exe, max_pathlen);
+ if (n < max_pathlen) {
+ exe[n] = 0;
+ } else {
+ fatal("error getting executable pathname");
+ }
+ return 0;
+}
+
+/* Read checksum file chk, storing the algorithm used for generating it into
+ * *alg; allocate enough memory to hold the hash and return it in *hash.
+ * Remember to free() it when not needed anymore.
+ */
+static int
+read_hash(const char *chk, int *alg, u_char **hash)
+{
+ int check = -1;
+ int hash_len;
+ int fdh, n;
+ char alg_c;
+ char *hash_in;
+
+ *hash = NULL;
+
+ fdh = open(chk, O_RDONLY);
+ if (-1 == fdh) {
+ switch (errno) {
+ case ENOENT:
+ check = CHECK_MISSING;
+ debug("fips: checksum file %s is missing\n", chk);
+ break;
+ default:
+ check = CHECK_FAIL;
+ debug("fips: ckecksum file %s not accessible\n", chk);
+ break;
+
+ }
+ goto bail_out;
+ }
+
+ n = read(fdh, &alg_c, 1);
+ if (1 != n) {
+ check = CHECK_FAIL;
+ goto bail_out;
+ }
+
+ *alg = (int)alg_c;
+ hash_len = ssh_digest_bytes(*alg);
+ hash_in = xmalloc(hash_len);
+
+ n = read(fdh, (void *)hash_in, hash_len);
+ if (hash_len != n) {
+ debug("fips: unable to read whole checksum from checksum file\n");
+ free (hash_in);
+ check = CHECK_FAIL;
+ } else {
+ check = CHECK_OK;
+ *hash = hash_in;
+ }
+bail_out:
+ return check;
+}
+
+static int
+fips_hash_self(void)
+{
+ int check = -1;
+ int alg;
+ u_char *hash, *hash_chk;
+ char *exe, *chk;
+
+ exe = xmalloc(PATH_MAX);
+ chk = xmalloc(PATH_MAX);
+
+ /* we will need to add the ".chk" suffix and the null terminator */
+ check = get_executable_path(getpid(), exe
+ , PATH_MAX - strlen(CHECKSUM_SUFFIX) - 1);
+
+ strncpy(chk, exe, PATH_MAX);
+ strlcat(chk, CHECKSUM_SUFFIX, PATH_MAX);
+
+ check = read_hash(chk, &alg, &hash_chk);
+ if (CHECK_OK != check)
+ goto cleanup_chk;
+
+ check = hash_file(exe, alg, &hash);
+ if (CHECK_OK != check)
+ goto cleanup;
+
+ check = memcmp(hash, hash_chk, ssh_digest_bytes(alg));
+ if (0 == check) {
+ check = CHECK_OK;
+ debug("fips: checksum matches\n");
+ } else {
+ check = CHECK_FAIL;
+ debug("fips: checksum mismatch!\n");
+ }
+
+cleanup:
+ free(hash);
+cleanup_chk:
+ free(hash_chk);
+ free(chk);
+ free(exe);
+
+ return check;
+}
+
+static int
+fips_check_required_proc(void)
+{
+ int fips_required = 0;
+ int fips_fd;
+ char fips_sys = 0;
+
+ struct stat dummy;
+ if (-1 == stat(FIPS_PROC_PATH, &dummy)) {
+ switch (errno) {
+ case ENOENT:
+ case ENOTDIR:
+ break;
+ default:
+ fatal("Check for system-wide FIPS mode is required and %s cannot"
+ " be accessed for reason other than non-existence - aborting"
+ , FIPS_PROC_PATH);
+ break;
+ }
+ } else {
+ if (-1 == (fips_fd = open(FIPS_PROC_PATH, O_RDONLY)))
+ fatal("Check for system-wide FIPS mode is required and %s cannot"
+ " be opened for reading - aborting"
+ , FIPS_PROC_PATH);
+ if (1 > read(fips_fd, &fips_sys, 1))
+ fatal("Check for system-wide FIPS mode is required and %s doesn't"
+ " return at least one character - aborting"
+ , FIPS_PROC_PATH);
+ close(fips_sys);
+ switch (fips_sys) {
+ case '0':
+ case '1':
+ fips_required = fips_sys - '0';
+ break;
+ default:
+ fatal("Bogus character %c found in %s - aborting"
+ , fips_sys, FIPS_PROC_PATH);
+ }
+ }
+ return fips_required;
+}
+
+static int
+fips_check_required_env(void)
+{
+ int fips_required = 0;
+ char *env = getenv(SSH_FORCE_FIPS_ENV);
+
+ if (env) {
+ errno = 0;
+ fips_required = strtol(env, NULL, 10);
+ if (errno) {
+ debug("bogus value in the %s environment variable, ignoring\n"
+ , SSH_FORCE_FIPS_ENV);
+ fips_required = 0;
+ } else
+ fips_required = 1;
+ }
+ return fips_required;
+}
+
+static int
+fips_required(void)
+{
+ int fips_requests = 0;
+ fips_requests += fips_check_required_proc();
+ fips_requests += fips_check_required_env();
+ return fips_requests;
+}
+
+/* check whether FIPS mode is required and perform selfchecksum/selftest */
+void
+fips_ssh_init(void)
+{
+ int checksum;
+
+ checksum = fips_hash_self();
+
+ if (fips_required()) {
+ switch (checksum) {
+ case CHECK_OK:
+ debug("fips: mandatory checksum ok");
+ break;
+ case CHECK_FAIL:
+ fatal("fips: mandatory checksum failed - aborting");
+ break;
+ case CHECK_MISSING:
+ fatal("fips: mandatory checksum data missing - aborting");
+ break;
+ default:
+ fatal("Fatal error: internal error at %s:%u"
+ , __FILE__, __LINE__);
+ break;
+ }
+ fips_state = FIPS_mode_set(1);
+ if (1 != fips_state) {
+ ERR_load_crypto_strings();
+ u_long err = ERR_get_error();
+ error("fips: OpenSSL error %lx: %s", err, ERR_error_string(err, NULL));
+ fatal("fips: unable to set OpenSSL into FIPS mode - aborting"
+ , fips_state);
+ }
+ } else {
+ switch (checksum) {
+ case CHECK_OK:
+ debug("fips: checksum ok");
+ break;
+ case CHECK_FAIL:
+ fatal("fips: checksum failed - aborting");
+ break;
+ case CHECK_MISSING:
+ debug("fips: mandatory checksum data missing, but not required - continuing non-FIPS");
+ break;
+ default:
+ fatal("Fatal error: internal error at %s:%u",
+ __FILE__, __LINE__);
+ break;
+ }
+ }
+ return;
+}
+
int
fips_mode()
{
if (-1 == fips_state) {
fips_state = FIPS_mode();
if (fips_state)
debug("FIPS mode initialized");
}
diff --git a/openssh-6.6p1/fips.h b/openssh-6.6p1/fips.h
--- a/openssh-6.6p1/fips.h
+++ b/openssh-6.6p1/fips.h
@@ -1,10 +1,10 @@
/*
- * Copyright (c) 2012 Petr Cerny. All rights reserved.
+ * Copyright (c) 2012-2014 Petr Cerny. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
@@ -19,15 +19,22 @@
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef FIPS_H
#define FIPS_H
+#define SSH_FORCE_FIPS_ENV "SSH_FORCE_FIPS"
+#define FIPS_PROC_PATH "/proc/sys/crypto/fips_enabled"
+
+#define PROC_EXE_PATH_LEN 64
+#define CHECKSUM_SUFFIX ".chk"
+
+void fips_ssh_init(void);
int fips_mode(void);
int fips_correct_dgst(int);
int fips_dgst_min(void);
enum fp_type fips_correct_fp_type(enum fp_type);
#endif
diff --git a/openssh-6.6p1/sftp-server.c b/openssh-6.6p1/sftp-server.c
--- a/openssh-6.6p1/sftp-server.c
+++ b/openssh-6.6p1/sftp-server.c
@@ -47,16 +47,18 @@
#include "log.h"
#include "misc.h"
#include "match.h"
#include "uidswap.h"
#include "sftp.h"
#include "sftp-common.h"
+#include "fips.h"
+
/* helper */
#define get_int64() buffer_get_int64(&iqueue);
#define get_int() buffer_get_int(&iqueue);
#define get_string(lenp) buffer_get_string(&iqueue, lenp);
/* Our verbosity */
static LogLevel log_level = SYSLOG_LEVEL_ERROR;
@@ -1453,16 +1455,19 @@ sftp_server_main(int argc, char **argv,
ssize_t len, olen, set_size;
SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
char *cp, *homedir = NULL, buf[4*4096];
long mask;
extern char *optarg;
extern char *__progname;
+ /* initialize fips */
+ fips_ssh_init();
+
__progname = ssh_get_progname(argv[0]);
log_init(__progname, log_level, log_facility, log_stderr);
pw = pwcopy(user_pw);
while (!skipargs && (ch = getopt(argc, argv,
"d:f:l:P:p:Q:u:m:cehR")) != -1) {
switch (ch) {
diff --git a/openssh-6.6p1/ssh.c b/openssh-6.6p1/ssh.c
--- a/openssh-6.6p1/ssh.c
+++ b/openssh-6.6p1/ssh.c
@@ -420,16 +420,19 @@ main(int ac, char **av)
struct stat st;
struct passwd *pw;
int timeout_ms;
extern int optind, optreset;
extern char *optarg;
Forward fwd;
struct addrinfo *addrs = NULL;
+ /* initialize fips */
+ fips_ssh_init();
+
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
__progname = ssh_get_progname(av[0]);
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
/* Save argv so it isn't clobbered by setproctitle() emulation */
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -1466,16 +1466,19 @@ main(int ac, char **av)
u_int64_t ibytes, obytes;
mode_t new_umask;
Key *key;
Key *pubkey;
int keytype;
Authctxt *authctxt;
struct connection_info *connection_info = get_connection_info(0, 0);
+ /* initialize fips */
+ fips_ssh_init();
+
#ifdef HAVE_SECUREWARE
(void)set_auth_parameters(ac, av);
#endif
__progname = ssh_get_progname(av[0]);
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac;
rexec_argc = ac;

645
openssh-6.5p1-fips.patch → openssh-6.6p1-fips.patch
View File

File diff suppressed because it is too large Load Diff

377
openssh-6.5p1-gssapi_key_exchange.patch → openssh-6.6p1-gssapi_key_exchange.patch
View File

@ -1,10 +1,10 @@
# HG changeset patch
# Parent fd62140898f5f8bfaa6d0b527c5893001322a662
# Parent b50b01e06558d268ae59e8be8c1a41fde44fc70d
diff --git a/openssh-6.5p1/ChangeLog.gssapi b/openssh-6.5p1/ChangeLog.gssapi
diff --git a/openssh-6.6p1/ChangeLog.gssapi b/openssh-6.6p1/ChangeLog.gssapi
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ChangeLog.gssapi
+++ b/openssh-6.6p1/ChangeLog.gssapi
@@ -0,0 +1,113 @@
+20110101
+ - Finally update for OpenSSH 5.6p1
@ -119,10 +119,10 @@ new file mode 100644
+ add support for GssapiTrustDns option for gssapi-with-mic
+ (from jbasney AT ncsa.uiuc.edu)
+ <gssapi-with-mic support is Bugzilla #1008>
diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
--- a/openssh-6.5p1/Makefile.in
+++ b/openssh-6.5p1/Makefile.in
@@ -71,16 +71,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
diff --git a/openssh-6.6p1/Makefile.in b/openssh-6.6p1/Makefile.in
--- a/openssh-6.6p1/Makefile.in
+++ b/openssh-6.6p1/Makefile.in
@@ -67,16 +67,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
canohost.o channels.o cipher.o cipher-aes.o \
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
@ -133,35 +133,35 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
+ kexgssc.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
ssh-pkcs11.o krl.o smult_curve25519_ref.o \
kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
ssh-ed25519.o digest.o \
ssh-ed25519.o digest-openssl.o hmac.o \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
auditstub.o \
fips.o
fips.o \
auditstub.o
@@ -92,17 +93,17 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
@@ -86,17 +87,17 @@ SSHOBJS= ssh.o readconf.o clientloop.o s
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
audit.o audit-bsm.o audit-linux.o platform.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
auth.o auth1.o auth2.o auth-options.o session.o \
auth-chall.o auth2-chall.o groupaccess.o \
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o \
- monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
+ monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o kexgsss.o \
kexc25519s.o auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
sandbox-seccomp-filter.o sandbox-capsicum.o
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c
--- a/openssh-6.5p1/auth-krb5.c
+++ b/openssh-6.5p1/auth-krb5.c
diff --git a/openssh-6.6p1/auth-krb5.c b/openssh-6.6p1/auth-krb5.c
--- a/openssh-6.6p1/auth-krb5.c
+++ b/openssh-6.6p1/auth-krb5.c
@@ -177,18 +177,23 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem)
goto out;
@ -230,11 +230,11 @@ diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c
}
#endif /* !HEIMDAL */
#endif /* KRB5 */
diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
--- a/openssh-6.5p1/auth2-gss.c
+++ b/openssh-6.5p1/auth2-gss.c
diff --git a/openssh-6.6p1/auth2-gss.c b/openssh-6.6p1/auth2-gss.c
--- a/openssh-6.6p1/auth2-gss.c
+++ b/openssh-6.6p1/auth2-gss.c
@@ -1,12 +1,12 @@
/* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
/* $OpenBSD: auth2-gss.c,v 1.21 2014/02/26 20:28:44 djm Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -298,7 +298,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
userauth_gssapi(Authctxt *authctxt)
{
gss_OID_desc goid = {0, NULL};
@@ -244,17 +278,18 @@ input_gssapi_exchange_complete(int type,
@@ -239,17 +273,18 @@ input_gssapi_exchange_complete(int type,
/*
* We don't need to check the status, because we're only enabled in
@ -318,7 +318,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
}
@@ -279,31 +314,38 @@ input_gssapi_mic(int type, u_int32_t ple
@@ -274,31 +309,38 @@ input_gssapi_mic(int type, u_int32_t ple
ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
"gssapi-with-mic");
@ -358,10 +358,10 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
Authmethod method_gssapi_old = {
"gssapi",
diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
--- a/openssh-6.5p1/auth2.c
+++ b/openssh-6.5p1/auth2.c
@@ -64,27 +64,29 @@ extern Buffer loginmsg;
diff --git a/openssh-6.6p1/auth2.c b/openssh-6.6p1/auth2.c
--- a/openssh-6.6p1/auth2.c
+++ b/openssh-6.6p1/auth2.c
@@ -64,24 +64,26 @@ extern Buffer loginmsg;
/* methods */
extern Authmethod method_none;
@ -374,9 +374,6 @@ diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
extern Authmethod method_gssapi;
extern Authmethod method_gssapi_old;
#endif
#ifdef JPAKE
extern Authmethod method_jpake;
#endif
Authmethod *authmethods[] = {
&method_none,
@ -385,15 +382,15 @@ diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
+ &method_gsskeyex,
&method_gssapi,
&method_gssapi_old,
#endif
#ifdef JPAKE
&method_jpake,
#endif
&method_passwd,
&method_kbdint,
diff --git a/openssh-6.5p1/clientloop.c b/openssh-6.5p1/clientloop.c
--- a/openssh-6.5p1/clientloop.c
+++ b/openssh-6.5p1/clientloop.c
&method_hostbased,
NULL
};
diff --git a/openssh-6.6p1/clientloop.c b/openssh-6.6p1/clientloop.c
--- a/openssh-6.6p1/clientloop.c
+++ b/openssh-6.6p1/clientloop.c
@@ -106,16 +106,20 @@
#include "authfd.h"
#include "atomicio.h"
@ -441,9 +438,9 @@ diff --git a/openssh-6.5p1/clientloop.c b/openssh-6.5p1/clientloop.c
}
}
diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
--- a/openssh-6.5p1/configure.ac
+++ b/openssh-6.5p1/configure.ac
diff --git a/openssh-6.6p1/configure.ac b/openssh-6.6p1/configure.ac
--- a/openssh-6.6p1/configure.ac
+++ b/openssh-6.6p1/configure.ac
@@ -579,16 +579,40 @@ main() { if (NSVersionOfRunTimeLibrary("
AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
@ -485,9 +482,9 @@ diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
[Define if pututxline updates lastlog too])
)
AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
diff --git a/openssh-6.5p1/gss-genr.c b/openssh-6.5p1/gss-genr.c
--- a/openssh-6.5p1/gss-genr.c
+++ b/openssh-6.5p1/gss-genr.c
diff --git a/openssh-6.6p1/gss-genr.c b/openssh-6.6p1/gss-genr.c
--- a/openssh-6.6p1/gss-genr.c
+++ b/openssh-6.6p1/gss-genr.c
@@ -1,12 +1,12 @@
/* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */
@ -875,9 +872,9 @@ diff --git a/openssh-6.5p1/gss-genr.c b/openssh-6.5p1/gss-genr.c
+}
+
#endif /* GSSAPI */
diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
--- a/openssh-6.5p1/gss-serv-krb5.c
+++ b/openssh-6.5p1/gss-serv-krb5.c
diff --git a/openssh-6.6p1/gss-serv-krb5.c b/openssh-6.6p1/gss-serv-krb5.c
--- a/openssh-6.6p1/gss-serv-krb5.c
+++ b/openssh-6.6p1/gss-serv-krb5.c
@@ -1,12 +1,12 @@
/* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
@ -1024,11 +1021,11 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
#endif /* KRB5 */
#endif /* GSSAPI */
diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
--- a/openssh-6.5p1/gss-serv.c
+++ b/openssh-6.5p1/gss-serv.c
diff --git a/openssh-6.6p1/gss-serv.c b/openssh-6.6p1/gss-serv.c
--- a/openssh-6.6p1/gss-serv.c
+++ b/openssh-6.6p1/gss-serv.c
@@ -1,12 +1,12 @@
/* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
/* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -1074,7 +1071,7 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
ssh_gssapi_mech* supported_mechs[]= {
#ifdef KRB5
&gssapi_kerberos_mech,
@@ -76,59 +81,91 @@ ssh_gssapi_mech* supported_mechs[]= {
@@ -95,59 +100,91 @@ ssh_gssapi_test_oid_supported(OM_uint32
/* Privileged (called from ssh_gssapi_server_ctx) */
static OM_uint32
ssh_gssapi_acquire_cred(Gssctxt *ctx)
@ -1181,7 +1178,7 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
if (present)
gss_add_oid_set_member(&min_status,
&supported_mechs[i]->oid, oidset);
@@ -244,32 +281,79 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss
@@ -263,32 +300,79 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss
/* Extract the client details from a given context. This can only reliably
* be called once for a context */
@ -1262,7 +1259,7 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
if ((ctx->major = gss_export_name(&ctx->minor, ctx->client,
&ename))) {
@@ -277,16 +361,18 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
@@ -296,16 +380,18 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
return (ctx->major);
}
@ -1281,7 +1278,7 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
/* As user - called on fatal/exit */
void
@@ -324,44 +410,122 @@ ssh_gssapi_do_child(char ***envp, u_int
@@ -343,45 +429,124 @@ ssh_gssapi_do_child(char ***envp, u_int
gssapi_client.store.envval);
child_set_env(envp, envsizep, gssapi_client.store.envvar,
gssapi_client.store.envval);
@ -1307,12 +1304,13 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
+ gssapi_client.store.owner = pw;
return 1;
- else {
+ } else {
+ } else {
/* Destroy delegated credentials if userok fails */
gss_release_buffer(&lmin, &gssapi_client.displayname);
gss_release_buffer(&lmin, &gssapi_client.exportedname);
gss_release_cred(&lmin, &gssapi_client.creds);
memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
explicit_bzero(&gssapi_client,
sizeof(ssh_gssapi_client));
return 0;
}
else
@ -1320,7 +1318,7 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
return (0);
}
-/* Privileged */
/* Privileged */
-OM_uint32
-ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+/* These bits are only used for rekeying. The unpriviledged child is running
@ -1413,9 +1411,9 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
}
#endif
diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
--- a/openssh-6.5p1/kex.c
+++ b/openssh-6.5p1/kex.c
diff --git a/openssh-6.6p1/kex.c b/openssh-6.6p1/kex.c
--- a/openssh-6.6p1/kex.c
+++ b/openssh-6.6p1/kex.c
@@ -47,16 +47,20 @@
#include "mac.h"
#include "match.h"
@ -1459,9 +1457,9 @@ diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
{
char *ret = NULL;
size_t nlen, rlen = 0;
diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
--- a/openssh-6.5p1/kex.h
+++ b/openssh-6.5p1/kex.h
diff --git a/openssh-6.6p1/kex.h b/openssh-6.6p1/kex.h
--- a/openssh-6.6p1/kex.h
+++ b/openssh-6.6p1/kex.h
@@ -71,16 +71,19 @@ enum kex_modes {
enum kex_exchange {
@ -1482,7 +1480,7 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
typedef struct Kex Kex;
typedef struct Mac Mac;
typedef struct Comp Comp;
@@ -131,16 +134,22 @@ struct Kex {
@@ -130,16 +133,22 @@ struct Kex {
int kex_type;
int roaming;
Buffer my;
@ -1505,7 +1503,7 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
int (*host_key_index)(Key *);
void (*sign)(Key *, Key *, u_char **, u_int *, u_char *, u_int);
void (*kex[KEX_MAX])(Kex *);
@@ -164,16 +173,21 @@ void kexdh_server(Kex *);
@@ -163,16 +172,21 @@ void kexdh_server(Kex *);
void kexgex_client(Kex *);
void kexgex_server(Kex *);
void kexecdh_client(Kex *);
@ -1527,10 +1525,10 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
kexgex_hash(int, char *, char *, char *, int, char *,
int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
BIGNUM *, BIGNUM *, u_char **, u_int *);
diff --git a/openssh-6.5p1/kexgssc.c b/openssh-6.5p1/kexgssc.c
diff --git a/openssh-6.6p1/kexgssc.c b/openssh-6.6p1/kexgssc.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/kexgssc.c
+++ b/openssh-6.6p1/kexgssc.c
@@ -0,0 +1,334 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1866,10 +1864,10 @@ new file mode 100644
+}
+
+#endif /* GSSAPI */
diff --git a/openssh-6.5p1/kexgsss.c b/openssh-6.5p1/kexgsss.c
diff --git a/openssh-6.6p1/kexgsss.c b/openssh-6.6p1/kexgsss.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/kexgsss.c
+++ b/openssh-6.6p1/kexgsss.c
@@ -0,0 +1,288 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -2159,10 +2157,10 @@ new file mode 100644
+ ssh_gssapi_rekey_creds();
+}
+#endif /* GSSAPI */
diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
--- a/openssh-6.5p1/key.c
+++ b/openssh-6.5p1/key.c
@@ -1052,16 +1052,18 @@ static const struct keytype keytypes[] =
diff --git a/openssh-6.6p1/key.c b/openssh-6.6p1/key.c
--- a/openssh-6.6p1/key.c
+++ b/openssh-6.6p1/key.c
@@ -1053,16 +1053,18 @@ static const struct keytype keytypes[] =
# endif
#endif /* OPENSSL_HAS_ECC */
{ "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
@ -2181,9 +2179,9 @@ diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
{
const struct keytype *kt;
diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
--- a/openssh-6.5p1/key.h
+++ b/openssh-6.5p1/key.h
diff --git a/openssh-6.6p1/key.h b/openssh-6.6p1/key.h
--- a/openssh-6.6p1/key.h
+++ b/openssh-6.6p1/key.h
@@ -41,16 +41,17 @@ enum types {
KEY_ECDSA,
KEY_ED25519,
@ -2202,10 +2200,10 @@ diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
SSH_FP_SHA256
};
enum fp_rep {
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.5p1/monitor.c
+++ b/openssh-6.5p1/monitor.c
@@ -179,16 +179,18 @@ int mm_answer_pam_respond(int, Buffer *)
diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c
--- a/openssh-6.6p1/monitor.c
+++ b/openssh-6.6p1/monitor.c
@@ -173,16 +173,18 @@ int mm_answer_pam_respond(int, Buffer *)
int mm_answer_pam_free_ctx(int, Buffer *);
#endif
@ -2224,7 +2222,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
int mm_answer_audit_end_command(int, Buffer *);
int mm_answer_audit_unsupported_body(int, Buffer *);
int mm_answer_audit_kex_body(int, Buffer *);
@@ -260,28 +262,35 @@ struct mon_table mon_dispatch_proto20[]
@@ -254,21 +256,28 @@ struct mon_table mon_dispatch_proto20[]
#endif
{MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
{MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
@ -2234,13 +2232,6 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+ {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
#endif
#ifdef JPAKE
{MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
{MONITOR_REQ_JPAKE_STEP1, MON_ISAUTH, mm_answer_jpake_step1},
{MONITOR_REQ_JPAKE_STEP2, MON_ONCE, mm_answer_jpake_step2},
{MONITOR_REQ_JPAKE_KEY_CONFIRM, MON_ONCE, mm_answer_jpake_key_confirm},
{MONITOR_REQ_JPAKE_CHECK_CONFIRM, MON_AUTH, mm_answer_jpake_check_confirm},
#endif
{0, 0, NULL}
};
@ -2260,7 +2251,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
@@ -394,16 +403,20 @@ monitor_child_preauth(Authctxt *_authctx
@@ -381,16 +390,20 @@ monitor_child_preauth(Authctxt *_authctx
authctxt->loginmsg = &loginmsg;
if (compat20) {
@ -2281,7 +2272,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
/* The first few requests do not require asynchronous access */
while (!authenticated) {
@@ -508,16 +521,20 @@ monitor_child_postauth(struct monitor *p
@@ -486,16 +499,20 @@ monitor_child_postauth(struct monitor *p
if (compat20) {
mon_dispatch = mon_dispatch_postauth20;
@ -2302,7 +2293,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
}
@@ -1931,16 +1948,23 @@ mm_get_kex(Buffer *m)
@@ -1909,16 +1926,23 @@ mm_get_kex(Buffer *m)
fatal("mm_get_get: internal error: bad session id");
kex->we_need = buffer_get_int(m);
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
@ -2326,7 +2317,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
buffer_append(&kex->my, blob, bloblen);
free(blob);
blob = buffer_get_string(m, &bloblen);
@@ -2155,16 +2179,19 @@ monitor_reinit(struct monitor *mon)
@@ -2133,16 +2157,19 @@ monitor_reinit(struct monitor *mon)
#ifdef GSSAPI
int
mm_answer_gss_setup_ctx(int sock, Buffer *m)
@ -2346,7 +2337,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
free(goid.elements);
buffer_clear(m);
@@ -2182,16 +2209,19 @@ int
@@ -2160,16 +2187,19 @@ int
mm_answer_gss_accept_ctx(int sock, Buffer *m)
{
gss_buffer_desc in;
@ -2366,7 +2357,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
buffer_clear(m);
buffer_put_int(m, major);
buffer_put_string(m, out.value, out.length);
@@ -2199,27 +2229,31 @@ mm_answer_gss_accept_ctx(int sock, Buffe
@@ -2177,27 +2207,31 @@ mm_answer_gss_accept_ctx(int sock, Buffe
mm_request_send(sock, MONITOR_ANS_GSSSTEP, m);
gss_release_buffer(&minor, &out);
@ -2398,7 +2389,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
free(gssbuf.value);
@@ -2236,29 +2270,101 @@ mm_answer_gss_checkmic(int sock, Buffer
@@ -2214,29 +2248,101 @@ mm_answer_gss_checkmic(int sock, Buffer
return (0);
}
@ -2495,16 +2486,16 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
+
#endif /* GSSAPI */
#ifdef JPAKE
#ifdef SSH_AUDIT_EVENTS
int
mm_answer_jpake_step1(int sock, Buffer *m)
mm_answer_audit_unsupported_body(int sock, Buffer *m)
{
struct jpake_ctx *pctx;
u_char *x3_proof, *x4_proof;
diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
--- a/openssh-6.5p1/monitor.h
+++ b/openssh-6.5p1/monitor.h
@@ -70,16 +70,19 @@ enum monitor_reqtype {
int what;
diff --git a/openssh-6.6p1/monitor.h b/openssh-6.6p1/monitor.h
--- a/openssh-6.6p1/monitor.h
+++ b/openssh-6.6p1/monitor.h
@@ -65,16 +65,19 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
MONITOR_ANS_AUDIT_COMMAND = 114, MONITOR_REQ_AUDIT_END_COMMAND = 115,
@ -2524,10 +2515,10 @@ diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
int m_sendfd;
int m_log_recvfd;
int m_log_sendfd;
diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.5p1/monitor_wrap.c
+++ b/openssh-6.5p1/monitor_wrap.c
@@ -1305,33 +1305,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c
--- a/openssh-6.6p1/monitor_wrap.c
+++ b/openssh-6.6p1/monitor_wrap.c
@@ -1303,33 +1303,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
&m);
major = buffer_get_int(&m);
@ -2601,15 +2592,15 @@ diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
+
#endif /* GSSAPI */
#ifdef JPAKE
#ifdef SSH_AUDIT_EVENTS
void
mm_auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s,
char **hash_scheme, char **salt)
mm_audit_unsupported_body(int what)
{
Buffer m;
diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.5p1/monitor_wrap.h
+++ b/openssh-6.5p1/monitor_wrap.h
diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h
--- a/openssh-6.6p1/monitor_wrap.h
+++ b/openssh-6.6p1/monitor_wrap.h
@@ -54,18 +54,20 @@ int mm_user_key_verify(Key *, u_char *,
int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *);
@ -2632,10 +2623,10 @@ diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
void *mm_sshpam_init_ctx(struct Authctxt *);
int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
int mm_sshpam_respond(void *, u_int, char **);
diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
--- a/openssh-6.5p1/readconf.c
+++ b/openssh-6.5p1/readconf.c
@@ -135,16 +135,18 @@ typedef enum {
diff --git a/openssh-6.6p1/readconf.c b/openssh-6.6p1/readconf.c
--- a/openssh-6.6p1/readconf.c
+++ b/openssh-6.6p1/readconf.c
@@ -136,16 +136,18 @@ typedef enum {
oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
@ -2650,11 +2641,11 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
oVisualHostKey, oUseRoaming,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
@@ -177,22 +179,31 @@ static struct {
@@ -178,22 +180,31 @@ static struct {
{ "challengeresponseauthentication", oChallengeResponseAuthentication },
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
@ -2686,7 +2677,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
{ "identitiesonly", oIdentitiesOnly },
{ "hostname", oHostName },
{ "hostkeyalias", oHostKeyAlias },
@@ -836,24 +847,44 @@ parse_time:
@@ -838,24 +849,44 @@ parse_time:
case oChallengeResponseAuthentication:
intptr = &options->challenge_response_authentication;
goto parse_flag;
@ -2731,7 +2722,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
intptr = &options->check_host_ip;
goto parse_flag;
@@ -1489,18 +1520,23 @@ initialize_options(Options * options)
@@ -1498,18 +1529,23 @@ initialize_options(Options * options)
options->exit_on_forward_failure = -1;
options->xauth_location = NULL;
options->gateway_ports = -1;
@ -2755,7 +2746,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
options->batch_mode = -1;
options->check_host_ip = -1;
options->strict_host_key_checking = -1;
@@ -1596,20 +1632,26 @@ fill_default_options(Options * options)
@@ -1618,20 +1654,26 @@ fill_default_options(Options * options)
if (options->rsa_authentication == -1)
options->rsa_authentication = 1;
if (options->pubkey_authentication == -1)
@ -2782,9 +2773,9 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
options->rhosts_rsa_authentication = 0;
if (options->hostbased_authentication == -1)
options->hostbased_authentication = 0;
diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
--- a/openssh-6.5p1/readconf.h
+++ b/openssh-6.5p1/readconf.h
diff --git a/openssh-6.6p1/readconf.h b/openssh-6.6p1/readconf.h
--- a/openssh-6.6p1/readconf.h
+++ b/openssh-6.6p1/readconf.h
@@ -49,18 +49,23 @@ typedef struct {
int rhosts_rsa_authentication; /* Try rhosts with RSA
* authentication. */
@ -2805,13 +2796,13 @@ diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */
int zero_knowledge_password_authentication; /* Try jpake */
int batch_mode; /* Batch mode: do not ask for passwords. */
int check_host_ip; /* Also keep track of keys for IP address */
int strict_host_key_checking; /* Strict host key checking. */
diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
--- a/openssh-6.5p1/servconf.c
+++ b/openssh-6.5p1/servconf.c
int compression; /* Compress packets in both directions. */
diff --git a/openssh-6.6p1/servconf.c b/openssh-6.6p1/servconf.c
--- a/openssh-6.6p1/servconf.c
+++ b/openssh-6.6p1/servconf.c
@@ -104,18 +104,21 @@ initialize_server_options(ServerOptions
options->hostbased_uses_name_from_packet_only = -1;
options->rsa_authentication = -1;
@ -2834,7 +2825,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
options->use_login = -1;
options->compression = -1;
options->rekey_limit = -1;
@@ -244,20 +247,26 @@ fill_default_server_options(ServerOption
@@ -243,20 +246,26 @@ fill_default_server_options(ServerOption
if (options->kerberos_or_local_passwd == -1)
options->kerberos_or_local_passwd = 1;
if (options->kerberos_ticket_cleanup == -1)
@ -2861,7 +2852,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
options->challenge_response_authentication = 1;
if (options->permit_empty_passwd == -1)
options->permit_empty_passwd = 0;
@@ -345,16 +354,17 @@ typedef enum {
@@ -342,16 +351,17 @@ typedef enum {
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
@ -2873,13 +2864,13 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
+ sGssStrictAcceptor, sGssKeyEx, sGssStoreRekey,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication, sHostCertificate,
sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sKexAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sAuthenticationMethods, sHostKeyAgent,
sDeprecated, sUnsupported
@@ -414,21 +424,31 @@ static struct {
@@ -411,21 +421,31 @@ static struct {
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
@ -2907,11 +2898,11 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
#ifdef JPAKE
{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
#else
{ "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
@@ -1102,24 +1122,36 @@ process_server_config_line(ServerOptions
{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
@@ -1094,24 +1114,36 @@ process_server_config_line(ServerOptions
case sKerberosGetAFSToken:
intptr = &options->kerberos_get_afs_token;
goto parse_flag;
@ -2944,11 +2935,11 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
intptr = &options->password_authentication;
goto parse_flag;
case sZeroKnowledgePasswordAuthentication:
intptr = &options->zero_knowledge_password_authentication;
case sKbdInteractiveAuthentication:
intptr = &options->kbd_interactive_authentication;
goto parse_flag;
@@ -2020,17 +2052,20 @@ dump_config(ServerOptions *o)
@@ -2007,17 +2039,20 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
# ifdef USE_AFS
@ -2961,17 +2952,17 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+ dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
#endif
#ifdef JPAKE
dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
o->zero_knowledge_password_authentication);
#endif
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
dump_cfg_fmtint(sKbdInteractiveAuthentication,
o->kbd_interactive_authentication);
diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
--- a/openssh-6.5p1/servconf.h
+++ b/openssh-6.5p1/servconf.h
dump_cfg_fmtint(sChallengeResponseAuthentication,
o->challenge_response_authentication);
dump_cfg_fmtint(sPrintMotd, o->print_motd);
dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
diff --git a/openssh-6.6p1/servconf.h b/openssh-6.6p1/servconf.h
--- a/openssh-6.6p1/servconf.h
+++ b/openssh-6.6p1/servconf.h
@@ -107,18 +107,21 @@ typedef struct {
* authentication mechanism,
* such as SecurID or
@ -2990,15 +2981,15 @@ diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
int challenge_response_authentication;
int zero_knowledge_password_authentication;
/* If true, permit jpake auth */
int permit_empty_passwd; /* If false, do not permit empty
* passwords. */
diff --git a/openssh-6.5p1/ssh-gss.h b/openssh-6.5p1/ssh-gss.h
--- a/openssh-6.5p1/ssh-gss.h
+++ b/openssh-6.5p1/ssh-gss.h
int permit_user_env; /* If true, read ~/.ssh/environment */
int use_login; /* If true, login(1) is used */
diff --git a/openssh-6.6p1/ssh-gss.h b/openssh-6.6p1/ssh-gss.h
--- a/openssh-6.6p1/ssh-gss.h
+++ b/openssh-6.6p1/ssh-gss.h
@@ -1,11 +1,11 @@
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
/* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -3080,9 +3071,9 @@ diff --git a/openssh-6.5p1/ssh-gss.h b/openssh-6.5p1/ssh-gss.h
void ssh_gssapi_set_oid(Gssctxt *, gss_OID);
void ssh_gssapi_supported_oids(gss_OID_set *);
ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *);
OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
@@ -112,21 +129,35 @@ OM_uint32 ssh_gssapi_accept_ctx(Gssctxt
void ssh_gssapi_prepare_supported_oids(void);
OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *);
@@ -114,21 +131,35 @@ OM_uint32 ssh_gssapi_accept_ctx(Gssctxt
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
OM_uint32 ssh_gssapi_getclient(Gssctxt *, ssh_gssapi_client *);
void ssh_gssapi_error(Gssctxt *);
@ -3120,9 +3111,9 @@ diff --git a/openssh-6.5p1/ssh-gss.h b/openssh-6.5p1/ssh-gss.h
#endif /* GSSAPI */
#endif /* _SSH_GSS_H */
diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
--- a/openssh-6.5p1/ssh_config
+++ b/openssh-6.5p1/ssh_config
diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config
--- a/openssh-6.6p1/ssh_config
+++ b/openssh-6.6p1/ssh_config
@@ -32,16 +32,18 @@ Host *
ForwardX11Trusted yes
@ -3142,10 +3133,10 @@ diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5
--- a/openssh-6.5p1/ssh_config.5
+++ b/openssh-6.5p1/ssh_config.5
@@ -671,21 +671,53 @@ host key database, separated by whitespa
diff --git a/openssh-6.6p1/ssh_config.5 b/openssh-6.6p1/ssh_config.5
--- a/openssh-6.6p1/ssh_config.5
+++ b/openssh-6.6p1/ssh_config.5
@@ -677,21 +677,53 @@ host key database, separated by whitespa
The default is
.Pa /etc/ssh/ssh_known_hosts ,
.Pa /etc/ssh/ssh_known_hosts2 .
@ -3200,10 +3191,10 @@ diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5
These hashed names may be used normally by
.Xr ssh 1
and
diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
--- a/openssh-6.5p1/sshconnect2.c
+++ b/openssh-6.5p1/sshconnect2.c
@@ -156,19 +156,44 @@ order_hostkeyalgs(char *host, struct soc
diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c
--- a/openssh-6.6p1/sshconnect2.c
+++ b/openssh-6.6p1/sshconnect2.c
@@ -155,19 +155,44 @@ order_hostkeyalgs(char *host, struct soc
return ret;
}
@ -3248,7 +3239,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
} else if (fips_mode()) {
@@ -204,32 +229,63 @@ ssh_kex2(char *host, struct sockaddr *ho
@@ -203,32 +228,63 @@ ssh_kex2(char *host, struct sockaddr *ho
/* Prefer algorithms that we already have keys for */
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
compat_pkalg_proposal(
@ -3312,7 +3303,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
debug("Roaming not allowed by server");
options.use_roaming = 0;
}
@@ -315,31 +371,37 @@ void userauth_jpake_cleanup(Authctxt *);
@@ -308,31 +364,37 @@ int userauth_hostbased(Authctxt *);
#ifdef GSSAPI
int userauth_gssapi(Authctxt *authctxt);
@ -3350,7 +3341,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
{"gssapi",
userauth_gssapi,
NULL,
@@ -638,29 +700,41 @@ done:
@@ -624,29 +686,41 @@ done:
int
userauth_gssapi(Authctxt *authctxt)
{
@ -3394,7 +3385,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
if (!ok)
return 0;
@@ -749,18 +823,18 @@ process_gssapi_token(void *ctxt, gss_buf
@@ -735,18 +809,18 @@ process_gssapi_token(void *ctxt, gss_buf
}
/* ARGSUSED */
@ -3415,7 +3406,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
/* Setup our OID */
oidv = packet_get_string(&oidlen);
@@ -859,16 +933,58 @@ input_gssapi_error(int type, u_int32_t p
@@ -845,16 +919,58 @@ input_gssapi_error(int type, u_int32_t p
lang=packet_get_string(NULL);
packet_check_eom();
@ -3474,18 +3465,18 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
/* initial userauth request */
packet_start(SSH2_MSG_USERAUTH_REQUEST);
packet_put_cstring(authctxt->server_user);
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -121,16 +121,20 @@
#endif
#include "monitor_wrap.h"
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -123,16 +123,20 @@
#include "roaming.h"
#include "audit.h"
#include "ssh-sandbox.h"
#include "version.h"
#include "fips.h"
#include "audit.h"
+#ifdef USE_SECURITY_SESSION_API
+#include <Security/AuthSession.h>
+#endif
@ -3498,7 +3489,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
#endif /* LIBWRAP */
#ifndef O_NOCTTY
@@ -1795,20 +1799,23 @@ main(int ac, char **av)
@@ -1804,20 +1808,23 @@ main(int ac, char **av)
if ((options.protocol & SSH_PROTO_1) && fips_mode()) {
logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
options.protocol &= ~SSH_PROTO_1;
@ -3522,7 +3513,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
/*
* Load certificates. They are stored in an array at identical
* indices to the public keys that they relate to.
@@ -1998,16 +2005,70 @@ main(int ac, char **av)
@@ -2007,16 +2014,70 @@ main(int ac, char **av)
/* Accept a connection and return in a forked child */
server_accept_loop(&sock_in, &sock_out,
&newsock, config_s);
@ -3593,7 +3584,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
#if !defined(SSHD_ACQUIRES_CTTY)
/*
* If setsid is called, on some platforms sshd will later acquire a
@@ -2125,16 +2186,70 @@ main(int ac, char **av)
@@ -2134,16 +2195,70 @@ main(int ac, char **av)
}
#endif /* LIBWRAP */
@ -3664,7 +3655,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
* mode; it is just annoying to have the server exit just when you
* are about to discover the bug.
*/
@@ -2544,24 +2659,73 @@ do_ssh2_kex(void)
@@ -2559,24 +2674,73 @@ do_ssh2_kex(void)
if (options.rekey_limit || options.rekey_interval)
packet_set_rekey_limits((u_int32_t)options.rekey_limit,
@ -3738,9 +3729,9 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
kex->host_key_index=&get_hostkey_index;
kex->sign = sshd_hostkey_sign;
diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.5p1/sshd_config
+++ b/openssh-6.5p1/sshd_config
diff --git a/openssh-6.6p1/sshd_config b/openssh-6.6p1/sshd_config
--- a/openssh-6.6p1/sshd_config
+++ b/openssh-6.6p1/sshd_config
@@ -79,16 +79,18 @@ PasswordAuthentication no
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
@ -3760,9 +3751,9 @@ diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
#GSSAPIEnableMITMAttack no
diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
--- a/openssh-6.5p1/sshd_config.5
+++ b/openssh-6.5p1/sshd_config.5
diff --git a/openssh-6.6p1/sshd_config.5 b/openssh-6.6p1/sshd_config.5
--- a/openssh-6.6p1/sshd_config.5
+++ b/openssh-6.6p1/sshd_config.5
@@ -487,22 +487,50 @@ to force remote port forwardings to bind
to allow the client to select the address to which the forwarding is bound.
The default is

111
openssh-6.5p1-gssapimitm.patch → openssh-6.6p1-gssapimitm.patch
View File

@ -13,10 +13,10 @@
# recommended to use the 'gssapi-with-mic' mechanism. Existing installations
# are encouraged to upgrade as soon as possible.
diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
--- a/openssh-6.5p1/auth2-gss.c
+++ b/openssh-6.5p1/auth2-gss.c
@@ -173,16 +173,25 @@ input_gssapi_token(int type, u_int32_t p
diff --git a/openssh-6.6p1/auth2-gss.c b/openssh-6.6p1/auth2-gss.c
--- a/openssh-6.6p1/auth2-gss.c
+++ b/openssh-6.6p1/auth2-gss.c
@@ -168,16 +168,25 @@ input_gssapi_token(int type, u_int32_t p
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
if (flags & GSS_C_INTEG_FLAG)
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC,
@ -42,7 +42,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
static void
input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
@@ -291,9 +300,15 @@ input_gssapi_mic(int type, u_int32_t ple
@@ -286,9 +295,15 @@ input_gssapi_mic(int type, u_int32_t ple
}
Authmethod method_gssapi = {
@ -58,10 +58,10 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
+};
+
#endif /* GSSAPI */
diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
--- a/openssh-6.5p1/auth2.c
+++ b/openssh-6.5p1/auth2.c
@@ -65,26 +65,28 @@ extern Buffer loginmsg;
diff --git a/openssh-6.6p1/auth2.c b/openssh-6.6p1/auth2.c
--- a/openssh-6.6p1/auth2.c
+++ b/openssh-6.6p1/auth2.c
@@ -65,23 +65,25 @@ extern Buffer loginmsg;
extern Authmethod method_none;
extern Authmethod method_pubkey;
@ -72,9 +72,6 @@ diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
extern Authmethod method_gssapi;
+extern Authmethod method_gssapi_old;
#endif
#ifdef JPAKE
extern Authmethod method_jpake;
#endif
Authmethod *authmethods[] = {
&method_none,
@ -82,18 +79,18 @@ diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
#ifdef GSSAPI
&method_gssapi,
+ &method_gssapi_old,
#endif
#ifdef JPAKE
&method_jpake,
#endif
&method_passwd,
&method_kbdint,
&method_hostbased,
NULL
diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
--- a/openssh-6.5p1/readconf.c
+++ b/openssh-6.5p1/readconf.c
@@ -134,17 +134,17 @@ typedef enum {
};
/* protocol */
diff --git a/openssh-6.6p1/readconf.c b/openssh-6.6p1/readconf.c
--- a/openssh-6.6p1/readconf.c
+++ b/openssh-6.6p1/readconf.c
@@ -135,17 +135,17 @@ typedef enum {
oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
@ -108,11 +105,11 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
oVisualHostKey, oUseRoaming,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
@@ -178,19 +178,21 @@ static struct {
@@ -179,19 +179,21 @@ static struct {
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
{ "kerberosauthentication", oUnsupported },
@ -134,7 +131,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
{ "identitiesonly", oIdentitiesOnly },
{ "hostname", oHostName },
{ "hostkeyalias", oHostKeyAlias },
@@ -837,16 +839,20 @@ parse_time:
@@ -839,16 +841,20 @@ parse_time:
case oGssAuthentication:
intptr = &options->gss_authentication;
@ -155,7 +152,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
case oCheckHostIP:
intptr = &options->check_host_ip;
goto parse_flag;
@@ -1484,16 +1490,17 @@ initialize_options(Options * options)
@@ -1493,16 +1499,17 @@ initialize_options(Options * options)
options->xauth_location = NULL;
options->gateway_ports = -1;
options->use_privileged_port = -1;
@ -173,7 +170,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
options->batch_mode = -1;
options->check_host_ip = -1;
options->strict_host_key_checking = -1;
@@ -1591,16 +1598,18 @@ fill_default_options(Options * options)
@@ -1613,16 +1620,18 @@ fill_default_options(Options * options)
if (options->pubkey_authentication == -1)
options->pubkey_authentication = 1;
if (options->challenge_response_authentication == -1)
@ -192,9 +189,9 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
options->rhosts_rsa_authentication = 0;
if (options->hostbased_authentication == -1)
options->hostbased_authentication = 0;
diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
--- a/openssh-6.5p1/readconf.h
+++ b/openssh-6.5p1/readconf.h
diff --git a/openssh-6.6p1/readconf.h b/openssh-6.6p1/readconf.h
--- a/openssh-6.6p1/readconf.h
+++ b/openssh-6.6p1/readconf.h
@@ -50,16 +50,17 @@ typedef struct {
* authentication. */
int rsa_authentication; /* Try RSA authentication. */
@ -209,13 +206,13 @@ diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */
int zero_knowledge_password_authentication; /* Try jpake */
int batch_mode; /* Batch mode: do not ask for passwords. */
int check_host_ip; /* Also keep track of keys for IP address */
int strict_host_key_checking; /* Strict host key checking. */
diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
--- a/openssh-6.5p1/servconf.c
+++ b/openssh-6.5p1/servconf.c
int compression; /* Compress packets in both directions. */
diff --git a/openssh-6.6p1/servconf.c b/openssh-6.6p1/servconf.c
--- a/openssh-6.6p1/servconf.c
+++ b/openssh-6.6p1/servconf.c
@@ -104,16 +104,17 @@ initialize_server_options(ServerOptions
options->rsa_authentication = -1;
options->pubkey_authentication = -1;
@ -234,7 +231,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
options->use_login = -1;
options->compression = -1;
options->rekey_limit = -1;
@@ -242,16 +243,18 @@ fill_default_server_options(ServerOption
@@ -241,16 +242,18 @@ fill_default_server_options(ServerOption
if (options->kerberos_ticket_cleanup == -1)
options->kerberos_ticket_cleanup = 1;
if (options->kerberos_get_afs_token == -1)
@ -253,7 +250,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
options->challenge_response_authentication = 1;
if (options->permit_empty_passwd == -1)
options->permit_empty_passwd = 0;
@@ -338,17 +341,17 @@ typedef enum {
@@ -335,17 +338,17 @@ typedef enum {
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
@ -266,13 +263,13 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
+ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication, sHostCertificate,
sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sKexAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sAuthenticationMethods, sHostKeyAgent,
sDeprecated, sUnsupported
@@ -405,19 +408,21 @@ static struct {
@@ -402,19 +405,21 @@ static struct {
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
@ -291,10 +288,10 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
#ifdef JPAKE
{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
#else
@@ -1093,16 +1098,20 @@ process_server_config_line(ServerOptions
{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
@@ -1085,16 +1090,20 @@ process_server_config_line(ServerOptions
case sGssAuthentication:
intptr = &options->gss_authentication;
goto parse_flag;
@ -311,13 +308,13 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
intptr = &options->password_authentication;
goto parse_flag;
case sZeroKnowledgePasswordAuthentication:
intptr = &options->zero_knowledge_password_authentication;
case sKbdInteractiveAuthentication:
intptr = &options->kbd_interactive_authentication;
goto parse_flag;
diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
--- a/openssh-6.5p1/servconf.h
+++ b/openssh-6.5p1/servconf.h
diff --git a/openssh-6.6p1/servconf.h b/openssh-6.6p1/servconf.h
--- a/openssh-6.6p1/servconf.h
+++ b/openssh-6.6p1/servconf.h
@@ -108,16 +108,17 @@ typedef struct {
* such as SecurID or
* /etc/passwd */
@ -332,13 +329,13 @@ diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
int challenge_response_authentication;
int zero_knowledge_password_authentication;
/* If true, permit jpake auth */
int permit_empty_passwd; /* If false, do not permit empty
* passwords. */
diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
--- a/openssh-6.5p1/ssh_config
+++ b/openssh-6.5p1/ssh_config
int permit_user_env; /* If true, read ~/.ssh/environment */
int use_login; /* If true, login(1) is used */
diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config
--- a/openssh-6.6p1/ssh_config
+++ b/openssh-6.6p1/ssh_config
@@ -51,9 +51,16 @@ ForwardX11Trusted yes
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
@ -356,10 +353,10 @@ diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
+# GSSAPIEnableMITMAttack no
+
# RekeyLimit 1G 1h
diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
--- a/openssh-6.5p1/sshconnect2.c
+++ b/openssh-6.5p1/sshconnect2.c
@@ -324,16 +324,21 @@ static char *authmethods_get(void);
diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c
--- a/openssh-6.6p1/sshconnect2.c
+++ b/openssh-6.6p1/sshconnect2.c
@@ -316,16 +316,21 @@ static char *authmethods_get(void);
Authmethod authmethods[] = {
#ifdef GSSAPI
@ -381,7 +378,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
NULL},
{"publickey",
userauth_pubkey,
@@ -698,17 +703,19 @@ process_gssapi_token(void *ctxt, gss_buf
@@ -683,17 +688,19 @@ process_gssapi_token(void *ctxt, gss_buf
packet_put_string(send_tok.value, send_tok.length);
packet_send();
@ -402,9 +399,9 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
gssbuf.value = buffer_ptr(&b);
gssbuf.length = buffer_len(&b);
diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.5p1/sshd_config
+++ b/openssh-6.5p1/sshd_config
diff --git a/openssh-6.6p1/sshd_config b/openssh-6.6p1/sshd_config
--- a/openssh-6.6p1/sshd_config
+++ b/openssh-6.6p1/sshd_config
@@ -80,16 +80,23 @@ PasswordAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

8
openssh-6.5p1-host_ident.patch → openssh-6.6p1-host_ident.patch
View File

@ -1,10 +1,10 @@
# identify hashed hosts in known_hosts and suggest command line for their
# removal
diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c
--- a/openssh-6.5p1/sshconnect.c
+++ b/openssh-6.5p1/sshconnect.c
@@ -1067,16 +1067,21 @@ check_host_key(char *hostname, struct so
diff --git a/openssh-6.6p1/sshconnect.c b/openssh-6.6p1/sshconnect.c
--- a/openssh-6.6p1/sshconnect.c
+++ b/openssh-6.6p1/sshconnect.c
@@ -1070,16 +1070,21 @@ check_host_key(char *hostname, struct so
ip_found->file, ip_found->line);
}
/* The host key has changed. */

12
openssh-6.5p1-key-converter.patch → openssh-6.6p1-key-converter.patch
View File

@ -1,9 +1,9 @@
# SSHv1 to SSHv2 RSA keys converter
diff --git a/openssh-6.5p1/converter/Makefile b/openssh-6.5p1/converter/Makefile
diff --git a/openssh-6.6p1/converter/Makefile b/openssh-6.6p1/converter/Makefile
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/converter/Makefile
+++ b/openssh-6.6p1/converter/Makefile
@@ -0,0 +1,17 @@
+
+bindir=/usr/bin
@ -22,10 +22,10 @@ new file mode 100644
+ install -m 755 ssh-keyconverter $(DESTDIR)$(bindir)
+ if [ ! -d $(DESTDIR)$(mandir)/man1 ]; then install -d -m 755 $(DESTDIR)$(mandir)/man1; fi
+ install -m 644 ssh-keyconverter.1 $(DESTDIR)$(mandir)/man1
diff --git a/openssh-6.5p1/converter/ssh-keyconverter.1 b/openssh-6.5p1/converter/ssh-keyconverter.1
diff --git a/openssh-6.6p1/converter/ssh-keyconverter.1 b/openssh-6.6p1/converter/ssh-keyconverter.1
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/converter/ssh-keyconverter.1
+++ b/openssh-6.6p1/converter/ssh-keyconverter.1
@@ -0,0 +1,155 @@
+.\" Manpage for ssh-keyconverter
+.\"
@ -182,10 +182,10 @@ new file mode 100644
+.%D March 2001
+.%O work in progress material
+.Re
diff --git a/openssh-6.5p1/converter/ssh-keyconverter.c b/openssh-6.5p1/converter/ssh-keyconverter.c
diff --git a/openssh-6.6p1/converter/ssh-keyconverter.c b/openssh-6.6p1/converter/ssh-keyconverter.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/converter/ssh-keyconverter.c
+++ b/openssh-6.6p1/converter/ssh-keyconverter.c
@@ -0,0 +1,345 @@
+/*
+ * SSH v1 to v2 RSA key converter.

6
openssh-6.5p1-lastlog.patch → openssh-6.6p1-lastlog.patch
View File

@ -1,9 +1,9 @@
# set uid for functions that use it to seek in lastlog and wtmp files
# bnc#18024 (was suse #3024)
diff --git a/openssh-6.5p1/sshlogin.c b/openssh-6.5p1/sshlogin.c
--- a/openssh-6.5p1/sshlogin.c
+++ b/openssh-6.5p1/sshlogin.c
diff --git a/openssh-6.6p1/sshlogin.c b/openssh-6.6p1/sshlogin.c
--- a/openssh-6.6p1/sshlogin.c
+++ b/openssh-6.6p1/sshlogin.c
@@ -128,16 +128,17 @@ record_login(pid_t pid, const char *tty,
{
struct logininfo *li;

100
openssh-6.5p1-ldap.patch → openssh-6.6p1-ldap.patch
View File

@ -8,10 +8,10 @@
# internal versions. ssh-keyconverter consequently fails to link as it lacks
# the proper flags, and libopenbsd-compat doesn't contain the b64_* functions)
diff --git a/openssh-6.5p1/HOWTO.ldap-keys b/openssh-6.5p1/HOWTO.ldap-keys
diff --git a/openssh-6.6p1/HOWTO.ldap-keys b/openssh-6.6p1/HOWTO.ldap-keys
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/HOWTO.ldap-keys
+++ b/openssh-6.6p1/HOWTO.ldap-keys
@@ -0,0 +1,108 @@
+
+HOW TO START
@ -121,9 +121,9 @@ new file mode 100644
+ - frederic peters.
+ - Finlay dobbie.
+ - Stefan Fisher.
diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
--- a/openssh-6.5p1/Makefile.in
+++ b/openssh-6.5p1/Makefile.in
diff --git a/openssh-6.6p1/Makefile.in b/openssh-6.6p1/Makefile.in
--- a/openssh-6.6p1/Makefile.in
+++ b/openssh-6.6p1/Makefile.in
@@ -20,16 +20,18 @@ srcdir=@srcdir@
top_srcdir=@top_srcdir@
@ -164,7 +164,7 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
log.o match.o md-sha256.o moduli.o nchan.o packet.o \
readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
@@ -94,18 +98,18 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
@@ -96,18 +100,18 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
kexc25519s.o auth-krb5.o \
auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
@ -185,7 +185,7 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
PATHSUBS = \
-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
@@ -169,16 +173,19 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
@@ -171,16 +175,19 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
@ -205,7 +205,7 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
@@ -271,30 +278,38 @@ install-files:
@@ -273,30 +280,38 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@ -244,7 +244,7 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
install-sysconf:
if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
$(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
@@ -314,16 +329,23 @@ install-sysconf:
@@ -316,16 +331,23 @@ install-sysconf:
echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \
mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \
else \
@ -268,7 +268,7 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
else \
./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \
fi ; \
@@ -377,27 +399,30 @@ uninstall:
@@ -379,27 +401,30 @@ uninstall:
-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@ -299,10 +299,10 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
--- a/openssh-6.5p1/configure.ac
+++ b/openssh-6.5p1/configure.ac
@@ -1573,16 +1573,116 @@ AC_ARG_WITH([audit],
diff --git a/openssh-6.6p1/configure.ac b/openssh-6.6p1/configure.ac
--- a/openssh-6.6p1/configure.ac
+++ b/openssh-6.6p1/configure.ac
@@ -1599,16 +1599,116 @@ AC_ARG_WITH([audit],
AC_MSG_RESULT([no])
;;
*)
@ -419,10 +419,10 @@ diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
if test "x$withval" = "xyes"; then
use_pie=yes
fi
diff --git a/openssh-6.5p1/ldap-helper.c b/openssh-6.5p1/ldap-helper.c
diff --git a/openssh-6.6p1/ldap-helper.c b/openssh-6.6p1/ldap-helper.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ldap-helper.c
+++ b/openssh-6.6p1/ldap-helper.c
@@ -0,0 +1,155 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -579,10 +579,10 @@ new file mode 100644
+void *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
+void buffer_put_string(Buffer *b, const void *f, u_int l) {}
+
diff --git a/openssh-6.5p1/ldap-helper.h b/openssh-6.5p1/ldap-helper.h
diff --git a/openssh-6.6p1/ldap-helper.h b/openssh-6.6p1/ldap-helper.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ldap-helper.h
+++ b/openssh-6.6p1/ldap-helper.h
@@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -616,10 +616,10 @@ new file mode 100644
+extern int config_warning_config_file;
+
+#endif /* LDAP_HELPER_H */
diff --git a/openssh-6.5p1/ldap.conf b/openssh-6.5p1/ldap.conf
diff --git a/openssh-6.6p1/ldap.conf b/openssh-6.6p1/ldap.conf
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ldap.conf
+++ b/openssh-6.6p1/ldap.conf
@@ -0,0 +1,88 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+#
@ -709,10 +709,10 @@ new file mode 100644
+#tls_cert
+#tls_key
+
diff --git a/openssh-6.5p1/ldapbody.c b/openssh-6.5p1/ldapbody.c
diff --git a/openssh-6.6p1/ldapbody.c b/openssh-6.6p1/ldapbody.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ldapbody.c
+++ b/openssh-6.6p1/ldapbody.c
@@ -0,0 +1,494 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1208,10 +1208,10 @@ new file mode 100644
+ return;
+}
+
diff --git a/openssh-6.5p1/ldapbody.h b/openssh-6.5p1/ldapbody.h
diff --git a/openssh-6.6p1/ldapbody.h b/openssh-6.6p1/ldapbody.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ldapbody.h
+++ b/openssh-6.6p1/ldapbody.h
@@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1250,10 +1250,10 @@ new file mode 100644
+
+#endif /* LDAPBODY_H */
+
diff --git a/openssh-6.5p1/ldapconf.c b/openssh-6.5p1/ldapconf.c
diff --git a/openssh-6.6p1/ldapconf.c b/openssh-6.6p1/ldapconf.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ldapconf.c
+++ b/openssh-6.6p1/ldapconf.c
@@ -0,0 +1,682 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1937,10 +1937,10 @@ new file mode 100644
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
+}
+
diff --git a/openssh-6.5p1/ldapconf.h b/openssh-6.5p1/ldapconf.h
diff --git a/openssh-6.6p1/ldapconf.h b/openssh-6.6p1/ldapconf.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ldapconf.h
+++ b/openssh-6.6p1/ldapconf.h
@@ -0,0 +1,71 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -2013,10 +2013,10 @@ new file mode 100644
+void dump_config(void);
+
+#endif /* LDAPCONF_H */
diff --git a/openssh-6.5p1/ldapincludes.h b/openssh-6.5p1/ldapincludes.h
diff --git a/openssh-6.6p1/ldapincludes.h b/openssh-6.6p1/ldapincludes.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ldapincludes.h
+++ b/openssh-6.6p1/ldapincludes.h
@@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -2059,10 +2059,10 @@ new file mode 100644
+#endif
+
+#endif /* LDAPINCLUDES_H */
diff --git a/openssh-6.5p1/ldapmisc.c b/openssh-6.5p1/ldapmisc.c
diff --git a/openssh-6.6p1/ldapmisc.c b/openssh-6.6p1/ldapmisc.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ldapmisc.c
+++ b/openssh-6.6p1/ldapmisc.c
@@ -0,0 +1,79 @@
+
+#include "ldapincludes.h"
@ -2143,10 +2143,10 @@ new file mode 100644
+}
+#endif
+
diff --git a/openssh-6.5p1/ldapmisc.h b/openssh-6.5p1/ldapmisc.h
diff --git a/openssh-6.6p1/ldapmisc.h b/openssh-6.6p1/ldapmisc.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ldapmisc.h
+++ b/openssh-6.6p1/ldapmisc.h
@@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -2183,9 +2183,9 @@ new file mode 100644
+
+#endif /* LDAPMISC_H */
+
diff --git a/openssh-6.5p1/openbsd-compat/base64.c b/openssh-6.5p1/openbsd-compat/base64.c
--- a/openssh-6.5p1/openbsd-compat/base64.c
+++ b/openssh-6.5p1/openbsd-compat/base64.c
diff --git a/openssh-6.6p1/openbsd-compat/base64.c b/openssh-6.6p1/openbsd-compat/base64.c
--- a/openssh-6.6p1/openbsd-compat/base64.c
+++ b/openssh-6.6p1/openbsd-compat/base64.c
@@ -41,17 +41,17 @@
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
* IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
@ -2243,9 +2243,9 @@ diff --git a/openssh-6.5p1/openbsd-compat/base64.c b/openssh-6.5p1/openbsd-compa
*/
int
diff --git a/openssh-6.5p1/openbsd-compat/base64.h b/openssh-6.5p1/openbsd-compat/base64.h
--- a/openssh-6.5p1/openbsd-compat/base64.h
+++ b/openssh-6.5p1/openbsd-compat/base64.h
diff --git a/openssh-6.6p1/openbsd-compat/base64.h b/openssh-6.6p1/openbsd-compat/base64.h
--- a/openssh-6.6p1/openbsd-compat/base64.h
+++ b/openssh-6.6p1/openbsd-compat/base64.h
@@ -42,24 +42,24 @@
* IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
*/
@ -2275,10 +2275,10 @@ diff --git a/openssh-6.5p1/openbsd-compat/base64.h b/openssh-6.5p1/openbsd-compa
#endif /* HAVE___B64_PTON */
#endif /* _BSD_BASE64_H */
diff --git a/openssh-6.5p1/openssh-lpk-openldap.schema b/openssh-6.5p1/openssh-lpk-openldap.schema
diff --git a/openssh-6.6p1/openssh-lpk-openldap.schema b/openssh-6.6p1/openssh-lpk-openldap.schema
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/openssh-lpk-openldap.schema
+++ b/openssh-6.6p1/openssh-lpk-openldap.schema
@@ -0,0 +1,21 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2301,10 +2301,10 @@ new file mode 100644
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
diff --git a/openssh-6.5p1/openssh-lpk-sun.schema b/openssh-6.5p1/openssh-lpk-sun.schema
diff --git a/openssh-6.6p1/openssh-lpk-sun.schema b/openssh-6.6p1/openssh-lpk-sun.schema
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/openssh-lpk-sun.schema
+++ b/openssh-6.6p1/openssh-lpk-sun.schema
@@ -0,0 +1,23 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2329,10 +2329,10 @@ new file mode 100644
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
diff --git a/openssh-6.5p1/ssh-ldap-helper.8 b/openssh-6.5p1/ssh-ldap-helper.8
diff --git a/openssh-6.6p1/ssh-ldap-helper.8 b/openssh-6.6p1/ssh-ldap-helper.8
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ssh-ldap-helper.8
+++ b/openssh-6.6p1/ssh-ldap-helper.8
@@ -0,0 +1,79 @@
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
@ -2413,19 +2413,19 @@ new file mode 100644
+OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com
diff --git a/openssh-6.5p1/ssh-ldap-wrapper b/openssh-6.5p1/ssh-ldap-wrapper
diff --git a/openssh-6.6p1/ssh-ldap-wrapper b/openssh-6.6p1/ssh-ldap-wrapper
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ssh-ldap-wrapper
+++ b/openssh-6.6p1/ssh-ldap-wrapper
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+exec @LIBEXECDIR@/ssh-ldap-helper -s "$1"
+
diff --git a/openssh-6.5p1/ssh-ldap.conf.5 b/openssh-6.5p1/ssh-ldap.conf.5
diff --git a/openssh-6.6p1/ssh-ldap.conf.5 b/openssh-6.6p1/ssh-ldap.conf.5
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/ssh-ldap.conf.5
+++ b/openssh-6.6p1/ssh-ldap.conf.5
@@ -0,0 +1,376 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"

6
openssh-6.5p1-login_options.patch → openssh-6.6p1-login_options.patch
View File

@ -4,9 +4,9 @@
#
# bnc#833605
diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
--- a/openssh-6.5p1/configure.ac
+++ b/openssh-6.5p1/configure.ac
diff --git a/openssh-6.6p1/configure.ac b/openssh-6.6p1/configure.ac
--- a/openssh-6.6p1/configure.ac
+++ b/openssh-6.6p1/configure.ac
@@ -719,16 +719,18 @@ main() { if (NSVersionOfRunTimeLibrary("
AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])

8
openssh-6.5p1-no_fork-no_pid_file.patch → openssh-6.6p1-no_fork-no_pid_file.patch
View File

@ -1,9 +1,9 @@
# Do not write a PID file when not daemonizing (e.g. when running from systemd)
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -1985,17 +1985,17 @@ main(int ac, char **av)
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -1994,17 +1994,17 @@ main(int ac, char **av)
signal(SIGCHLD, main_sigchld_handler);
signal(SIGTERM, sigterm_handler);
signal(SIGQUIT, sigterm_handler);

44
openssh-6.5p1-pam-check-locks.patch → openssh-6.6p1-pam-check-locks.patch
View File

@ -2,9 +2,9 @@
# UsePAM is used
# bnc#708678, FATE#312033
diff --git a/openssh-6.5p1/auth.c b/openssh-6.5p1/auth.c
--- a/openssh-6.5p1/auth.c
+++ b/openssh-6.5p1/auth.c
diff --git a/openssh-6.6p1/auth.c b/openssh-6.6p1/auth.c
--- a/openssh-6.6p1/auth.c
+++ b/openssh-6.6p1/auth.c
@@ -103,17 +103,17 @@ allowed_user(struct passwd * pw)
struct spwd *spw = NULL;
#endif
@ -43,9 +43,9 @@ diff --git a/openssh-6.5p1/auth.c b/openssh-6.5p1/auth.c
#endif
#ifdef LOCKED_PASSWD_PREFIX
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
--- a/openssh-6.5p1/servconf.c
+++ b/openssh-6.5p1/servconf.c
diff --git a/openssh-6.6p1/servconf.c b/openssh-6.6p1/servconf.c
--- a/openssh-6.6p1/servconf.c
+++ b/openssh-6.6p1/servconf.c
@@ -66,16 +66,17 @@ extern Buffer cfg;
void
@ -64,7 +64,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
options->address_family = -1;
options->num_host_key_files = 0;
options->num_host_cert_files = 0;
@@ -158,16 +159,18 @@ initialize_server_options(ServerOptions
@@ -157,16 +158,18 @@ initialize_server_options(ServerOptions
}
void
@ -83,7 +83,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
/* fill default hostkeys for protocols */
if (options->protocol & SSH_PROTO_1)
options->host_key_files[options->num_host_key_files++] =
@@ -320,17 +323,17 @@ fill_default_server_options(ServerOption
@@ -317,17 +320,17 @@ fill_default_server_options(ServerOption
#endif
}
@ -102,7 +102,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
sKerberosGetAFSToken,
sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
@@ -365,18 +368,20 @@ typedef enum {
@@ -362,18 +365,20 @@ typedef enum {
static struct {
const char *name;
ServerOpCodes opcode;
@ -123,7 +123,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
{ "pidfile", sPidFile, SSHCFG_GLOBAL },
@@ -878,16 +883,19 @@ process_server_config_line(ServerOptions
@@ -870,16 +875,19 @@ process_server_config_line(ServerOptions
}
}
@ -143,10 +143,10 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
/* ignore ports from configfile if cmdline specifies ports */
if (options->ports_from_cmdline)
return 0;
diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
--- a/openssh-6.5p1/servconf.h
+++ b/openssh-6.5p1/servconf.h
@@ -162,16 +162,17 @@ typedef struct {
diff --git a/openssh-6.6p1/servconf.h b/openssh-6.6p1/servconf.h
--- a/openssh-6.6p1/servconf.h
+++ b/openssh-6.6p1/servconf.h
@@ -160,16 +160,17 @@ typedef struct {
*/
u_int num_authkeys_files; /* Files containing public keys */
@ -164,10 +164,10 @@ diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
diff --git a/openssh-6.5p1/sshd_config.0 b/openssh-6.5p1/sshd_config.0
--- a/openssh-6.5p1/sshd_config.0
+++ b/openssh-6.5p1/sshd_config.0
@@ -720,16 +720,24 @@ DESCRIPTION
diff --git a/openssh-6.6p1/sshd_config.0 b/openssh-6.6p1/sshd_config.0
--- a/openssh-6.6p1/sshd_config.0
+++ b/openssh-6.6p1/sshd_config.0
@@ -728,16 +728,24 @@ DESCRIPTION
Because PAM challenge-response authentication usually serves an
equivalent role to password authentication, you should disable
@ -192,10 +192,10 @@ diff --git a/openssh-6.5p1/sshd_config.0 b/openssh-6.5p1/sshd_config.0
privilege separation is to prevent privilege escalation by
containing any corruption within the unprivileged processes. The
default is ``yes''. If UsePrivilegeSeparation is set to
diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
--- a/openssh-6.5p1/sshd_config.5
+++ b/openssh-6.5p1/sshd_config.5
@@ -1199,16 +1199,28 @@ or
diff --git a/openssh-6.6p1/sshd_config.5 b/openssh-6.6p1/sshd_config.5
--- a/openssh-6.6p1/sshd_config.5
+++ b/openssh-6.6p1/sshd_config.5
@@ -1214,16 +1214,28 @@ or
.Pp
If
.Cm UsePAM

6
openssh-6.5p1-pam-fix2.patch → openssh-6.6p1-pam-fix2.patch
View File

@ -1,9 +1,9 @@
# force PAM in defaullt install (this was removed from upstream in 3.8p1)
# bnc#46749
diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.5p1/sshd_config
+++ b/openssh-6.5p1/sshd_config
diff --git a/openssh-6.6p1/sshd_config b/openssh-6.6p1/sshd_config
--- a/openssh-6.6p1/sshd_config
+++ b/openssh-6.6p1/sshd_config
@@ -64,17 +64,17 @@ AuthorizedKeysFile .ssh/authorized_keys
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for

6
openssh-6.5p1-pam-fix3.patch → openssh-6.6p1-pam-fix3.patch
View File

@ -1,9 +1,9 @@
# posix threads are generally not supported nor safe
# (see upstream log from 2005-05-24)
diff --git a/openssh-6.5p1/auth-pam.c b/openssh-6.5p1/auth-pam.c
--- a/openssh-6.5p1/auth-pam.c
+++ b/openssh-6.5p1/auth-pam.c
diff --git a/openssh-6.6p1/auth-pam.c b/openssh-6.6p1/auth-pam.c
--- a/openssh-6.6p1/auth-pam.c
+++ b/openssh-6.6p1/auth-pam.c
@@ -781,17 +781,19 @@ sshpam_query(void *ctx, char **name, cha
}
if (type == PAM_SUCCESS) {

6
openssh-6.5p1-pts.patch → openssh-6.6p1-pts.patch
View File

@ -1,9 +1,9 @@
# use same lines naming as utempter (prevents problems with using different
# formats in ?tmp? files)
diff --git a/openssh-6.5p1/loginrec.c b/openssh-6.5p1/loginrec.c
--- a/openssh-6.5p1/loginrec.c
+++ b/openssh-6.5p1/loginrec.c
diff --git a/openssh-6.6p1/loginrec.c b/openssh-6.6p1/loginrec.c
--- a/openssh-6.6p1/loginrec.c
+++ b/openssh-6.6p1/loginrec.c
@@ -538,17 +538,17 @@ getlast_entry(struct logininfo *li)
/*
* 'line' string utility functions

8
openssh-6.5p1-saveargv-fix.patch → openssh-6.6p1-saveargv-fix.patch
View File

@ -1,9 +1,9 @@
# related to bnc#49845, upstream bug #529
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -1399,17 +1399,21 @@ main(int ac, char **av)
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -1405,17 +1405,21 @@ main(int ac, char **av)
saved_argv = xcalloc(ac + 1, sizeof(*saved_argv));
for (i = 0; i < ac; i++)
saved_argv[i] = xstrdup(av[i]);

8
openssh-6.5p1-seccomp_getuid.patch → openssh-6.6p1-seccomp_getuid.patch
View File

@ -1,11 +1,11 @@
# HG changeset patch
# Parent d625afd0d51ac51161b25728bc2f227c098fa0fb
# Parent 47040f4641d43b039f19c8c902b0259729bb88e2
add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread
from being killed by the seccomp filter
diff --git a/openssh-6.5p1/sandbox-seccomp-filter.c b/openssh-6.5p1/sandbox-seccomp-filter.c
--- a/openssh-6.5p1/sandbox-seccomp-filter.c
+++ b/openssh-6.5p1/sandbox-seccomp-filter.c
diff --git a/openssh-6.6p1/sandbox-seccomp-filter.c b/openssh-6.6p1/sandbox-seccomp-filter.c
--- a/openssh-6.6p1/sandbox-seccomp-filter.c
+++ b/openssh-6.6p1/sandbox-seccomp-filter.c
@@ -85,16 +85,20 @@ static const struct sock_filter preauth_
offsetof(struct seccomp_data, arch)),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),

94
openssh-6.5p1-seed-prng.patch → openssh-6.6p1-seed-prng.patch
View File

@ -1,9 +1,9 @@
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
# bnc#703221, FATE#312172
diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.5p1/audit-bsm.c
+++ b/openssh-6.5p1/audit-bsm.c
diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c
--- a/openssh-6.6p1/audit-bsm.c
+++ b/openssh-6.6p1/audit-bsm.c
@@ -504,9 +504,15 @@ audit_destroy_sensitive_data(const char
/* not implemented */
}
@ -20,9 +20,9 @@ diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
+ /* not implemented */
+}
#endif /* BSM */
diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
--- a/openssh-6.6p1/audit-linux.c
+++ b/openssh-6.6p1/audit-linux.c
@@ -398,9 +398,31 @@ audit_generate_ephemeral_server_key(cons
}
audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
@ -55,9 +55,9 @@ diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
+ error("cannot write into audit");
+}
#endif /* USE_LINUX_AUDIT */
diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.5p1/audit.c
+++ b/openssh-6.5p1/audit.c
diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c
--- a/openssh-6.6p1/audit.c
+++ b/openssh-6.6p1/audit.c
@@ -304,10 +304,16 @@ audit_destroy_sensitive_data(const char
/*
* This will be called on generation of the ephemeral server key
@ -75,9 +75,9 @@ diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.5p1/audit.h
+++ b/openssh-6.5p1/audit.h
diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h
--- a/openssh-6.6p1/audit.h
+++ b/openssh-6.6p1/audit.h
@@ -63,10 +63,11 @@ void audit_key(int, int *, const Key *);
void audit_unsupported(int);
void audit_kex(int, char *, char *, char *);
@ -90,9 +90,9 @@ diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
+void audit_linux_prng_seed(long, const char *);
#endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.5p1/entropy.c b/openssh-6.5p1/entropy.c
--- a/openssh-6.5p1/entropy.c
+++ b/openssh-6.5p1/entropy.c
diff --git a/openssh-6.6p1/entropy.c b/openssh-6.6p1/entropy.c
--- a/openssh-6.6p1/entropy.c
+++ b/openssh-6.6p1/entropy.c
@@ -45,16 +45,17 @@
#include "ssh.h"
@ -126,15 +126,15 @@ diff --git a/openssh-6.5p1/entropy.c b/openssh-6.5p1/entropy.c
if (RAND_status() != 1)
fatal("PRNG is not seeded");
}
diff --git a/openssh-6.5p1/openbsd-compat/Makefile.in b/openssh-6.5p1/openbsd-compat/Makefile.in
--- a/openssh-6.5p1/openbsd-compat/Makefile.in
+++ b/openssh-6.5p1/openbsd-compat/Makefile.in
diff --git a/openssh-6.6p1/openbsd-compat/Makefile.in b/openssh-6.6p1/openbsd-compat/Makefile.in
--- a/openssh-6.6p1/openbsd-compat/Makefile.in
+++ b/openssh-6.6p1/openbsd-compat/Makefile.in
@@ -15,17 +15,17 @@ AR=@AR@
RANLIB=@RANLIB@
INSTALL=@INSTALL@
LDFLAGS=-L. @LDFLAGS@
OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o
OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
@ -148,10 +148,10 @@ diff --git a/openssh-6.5p1/openbsd-compat/Makefile.in b/openssh-6.5p1/openbsd-co
$(COMPAT): ../config.h
$(OPENBSD): ../config.h
diff --git a/openssh-6.5p1/openbsd-compat/port-linux-prng.c b/openssh-6.5p1/openbsd-compat/port-linux-prng.c
diff --git a/openssh-6.6p1/openbsd-compat/port-linux-prng.c b/openssh-6.6p1/openbsd-compat/port-linux-prng.c
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/openbsd-compat/port-linux-prng.c
+++ b/openssh-6.6p1/openbsd-compat/port-linux-prng.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
@ -232,9 +232,9 @@ new file mode 100644
+ fatal ("EOF reading %s", random);
+ }
+}
diff --git a/openssh-6.5p1/openbsd-compat/port-linux.h b/openssh-6.5p1/openbsd-compat/port-linux.h
--- a/openssh-6.5p1/openbsd-compat/port-linux.h
+++ b/openssh-6.5p1/openbsd-compat/port-linux.h
diff --git a/openssh-6.6p1/openbsd-compat/port-linux.h b/openssh-6.6p1/openbsd-compat/port-linux.h
--- a/openssh-6.6p1/openbsd-compat/port-linux.h
+++ b/openssh-6.6p1/openbsd-compat/port-linux.h
@@ -14,16 +14,20 @@
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
@ -256,9 +256,9 @@ diff --git a/openssh-6.5p1/openbsd-compat/port-linux.h b/openssh-6.5p1/openbsd-c
void ssh_selinux_setfscreatecon(const char *);
#endif
diff --git a/openssh-6.5p1/ssh-add.1 b/openssh-6.5p1/ssh-add.1
--- a/openssh-6.5p1/ssh-add.1
+++ b/openssh-6.5p1/ssh-add.1
diff --git a/openssh-6.6p1/ssh-add.1 b/openssh-6.6p1/ssh-add.1
--- a/openssh-6.6p1/ssh-add.1
+++ b/openssh-6.6p1/ssh-add.1
@@ -156,16 +156,30 @@ or related script.
(Note that on some machines it
may be necessary to redirect the input from
@ -290,9 +290,9 @@ diff --git a/openssh-6.5p1/ssh-add.1 b/openssh-6.5p1/ssh-add.1
.It Pa ~/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of the user.
.It Pa ~/.ssh/id_ecdsa
diff --git a/openssh-6.5p1/ssh-agent.1 b/openssh-6.5p1/ssh-agent.1
--- a/openssh-6.5p1/ssh-agent.1
+++ b/openssh-6.5p1/ssh-agent.1
diff --git a/openssh-6.6p1/ssh-agent.1 b/openssh-6.6p1/ssh-agent.1
--- a/openssh-6.6p1/ssh-agent.1
+++ b/openssh-6.6p1/ssh-agent.1
@@ -196,16 +196,33 @@ Contains the protocol version 2 ED25519
.It Pa ~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of the user.
@ -327,9 +327,9 @@ diff --git a/openssh-6.5p1/ssh-agent.1 b/openssh-6.5p1/ssh-agent.1
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
diff --git a/openssh-6.5p1/ssh-keygen.1 b/openssh-6.5p1/ssh-keygen.1
--- a/openssh-6.5p1/ssh-keygen.1
+++ b/openssh-6.5p1/ssh-keygen.1
diff --git a/openssh-6.6p1/ssh-keygen.1 b/openssh-6.6p1/ssh-keygen.1
--- a/openssh-6.6p1/ssh-keygen.1
+++ b/openssh-6.6p1/ssh-keygen.1
@@ -827,16 +827,33 @@ on all machines
where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret.
@ -364,9 +364,9 @@ diff --git a/openssh-6.5p1/ssh-keygen.1 b/openssh-6.5p1/ssh-keygen.1
.Xr sshd 8
.Rs
.%R RFC 4716
diff --git a/openssh-6.5p1/ssh-keysign.8 b/openssh-6.5p1/ssh-keysign.8
--- a/openssh-6.5p1/ssh-keysign.8
+++ b/openssh-6.5p1/ssh-keysign.8
diff --git a/openssh-6.6p1/ssh-keysign.8 b/openssh-6.6p1/ssh-keysign.8
--- a/openssh-6.6p1/ssh-keysign.8
+++ b/openssh-6.6p1/ssh-keysign.8
@@ -75,16 +75,33 @@ must be set-uid root if host-based authe
.Pp
.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
@ -401,9 +401,9 @@ diff --git a/openssh-6.5p1/ssh-keysign.8 b/openssh-6.5p1/ssh-keysign.8
.Sh HISTORY
.Nm
first appeared in
diff --git a/openssh-6.5p1/ssh.1 b/openssh-6.5p1/ssh.1
--- a/openssh-6.5p1/ssh.1
+++ b/openssh-6.5p1/ssh.1
diff --git a/openssh-6.6p1/ssh.1 b/openssh-6.6p1/ssh.1
--- a/openssh-6.6p1/ssh.1
+++ b/openssh-6.6p1/ssh.1
@@ -1304,16 +1304,30 @@ reads
and adds lines of the format
.Dq VARNAME=value
@ -435,9 +435,9 @@ diff --git a/openssh-6.5p1/ssh.1 b/openssh-6.5p1/ssh.1
world-readable if the user's home directory is on an NFS partition,
because
.Xr sshd 8
diff --git a/openssh-6.5p1/sshd.8 b/openssh-6.5p1/sshd.8
--- a/openssh-6.5p1/sshd.8
+++ b/openssh-6.5p1/sshd.8
diff --git a/openssh-6.6p1/sshd.8 b/openssh-6.6p1/sshd.8
--- a/openssh-6.6p1/sshd.8
+++ b/openssh-6.6p1/sshd.8
@@ -946,16 +946,33 @@ and not group or world-writable.
.It Pa /var/run/sshd.pid
Contains the process ID of the
@ -472,9 +472,9 @@ diff --git a/openssh-6.5p1/sshd.8 b/openssh-6.5p1/sshd.8
.Xr ssh-agent 1 ,
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
--- a/openssh-6.6p1/sshd.c
+++ b/openssh-6.6p1/sshd.c
@@ -50,16 +50,18 @@
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
@ -494,7 +494,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
#ifdef HAVE_PATHS_H
#include <paths.h>
#endif
@@ -215,16 +217,23 @@ struct {
@@ -218,16 +220,23 @@ struct {
Key **host_pubkeys; /* all public host keys */
Key **host_certificates; /* all public host certificates */
int have_ssh1_key;
@ -518,7 +518,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
/* This is set to true when a signal is received. */
static volatile sig_atomic_t received_sighup = 0;
static volatile sig_atomic_t received_sigterm = 0;
@@ -1313,16 +1322,21 @@ server_accept_loop(int *sock_in, int *so
@@ -1322,16 +1331,21 @@ server_accept_loop(int *sock_in, int *so
for (j = 0; j < options.max_startups; j++)
if (startup_pipes[j] == -1) {
startup_pipes[j] = startup_p[0];

12
openssh-6.5p1-send_locale.patch → openssh-6.6p1-send_locale.patch
View File

@ -1,9 +1,9 @@
# send locales in default configuration
# bnc#65747
diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
--- a/openssh-6.5p1/ssh_config
+++ b/openssh-6.5p1/ssh_config
diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config
--- a/openssh-6.6p1/ssh_config
+++ b/openssh-6.6p1/ssh_config
@@ -58,9 +58,14 @@ ForwardX11Trusted yes
# ProxyCommand ssh -q -W %h:%p gateway.example.com
@ -19,9 +19,9 @@ diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
+SendEnv LC_IDENTIFICATION LC_ALL
+
# RekeyLimit 1G 1h
diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.5p1/sshd_config
+++ b/openssh-6.5p1/sshd_config
diff --git a/openssh-6.6p1/sshd_config b/openssh-6.6p1/sshd_config
--- a/openssh-6.6p1/sshd_config
+++ b/openssh-6.6p1/sshd_config
@@ -127,14 +127,19 @@ UsePrivilegeSeparation sandbox # Defaul
#VersionAddendum none

12
openssh-6.5p1-sftp_force_permissions.patch → openssh-6.6p1-sftp_force_permissions.patch
View File

@ -3,9 +3,9 @@
# http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.html
# http://marc.info/?l=openssh-unix-dev&m=128896838930893
diff --git a/openssh-6.5p1/sftp-server.8 b/openssh-6.5p1/sftp-server.8
--- a/openssh-6.5p1/sftp-server.8
+++ b/openssh-6.5p1/sftp-server.8
diff --git a/openssh-6.6p1/sftp-server.8 b/openssh-6.6p1/sftp-server.8
--- a/openssh-6.6p1/sftp-server.8
+++ b/openssh-6.6p1/sftp-server.8
@@ -33,16 +33,17 @@
.Bk -words
.Op Fl ehR
@ -45,9 +45,9 @@ diff --git a/openssh-6.5p1/sftp-server.8 b/openssh-6.5p1/sftp-server.8
.Pa /dev/log .
Use of
.Nm
diff --git a/openssh-6.5p1/sftp-server.c b/openssh-6.5p1/sftp-server.c
--- a/openssh-6.5p1/sftp-server.c
+++ b/openssh-6.5p1/sftp-server.c
diff --git a/openssh-6.6p1/sftp-server.c b/openssh-6.6p1/sftp-server.c
--- a/openssh-6.6p1/sftp-server.c
+++ b/openssh-6.6p1/sftp-server.c
@@ -75,16 +75,20 @@ static u_int version;
static int init_done;

45
openssh-6.5p1-sftp_homechroot.patch → openssh-6.6p1-sftp_homechroot.patch
View File

@ -1,8 +1,8 @@
# run sftp sessions inside a chroot
diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.5p1/session.c
+++ b/openssh-6.5p1/session.c
diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c
--- a/openssh-6.6p1/session.c
+++ b/openssh-6.6p1/session.c
@@ -120,16 +120,18 @@ int do_exec(Session *, const char *);
void do_login(Session *, const char *);
#ifdef LOGIN_NEEDS_UTMPX
@ -44,7 +44,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
verbose("Starting session: %s%s%s for %s from %.200s port %d",
session_type,
@@ -1458,67 +1465,132 @@ do_nologin(struct passwd *pw)
@@ -1463,67 +1470,132 @@ do_nologin(struct passwd *pw)
while (fgets(buf, sizeof(buf), f))
fputs(buf, stderr);
fclose(f);
@ -153,10 +153,11 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
if (!S_ISDIR(st.st_mode))
fatal("chroot path %s\"%s\" is not a directory",
cp == NULL ? "" : "component ", component);
-
+ }
+ setenv ("TZ", "/etc/localtime", 0);
+ tzset();
+
+ if (st.st_uid) {
+ test_nosuid(path, st.st_dev);
+ ++chroot_no_tree;
@ -179,10 +180,10 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
do_setusercontext(struct passwd *pw)
{
char *chroot_path, *tmp;
diff --git a/openssh-6.5p1/sftp-chrootenv.h b/openssh-6.5p1/sftp-chrootenv.h
diff --git a/openssh-6.6p1/sftp-chrootenv.h b/openssh-6.6p1/sftp-chrootenv.h
new file mode 100644
--- /dev/null
+++ b/openssh-6.5p1/sftp-chrootenv.h
+++ b/openssh-6.6p1/sftp-chrootenv.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2009 Jan F Chadima. All rights reserved.
@ -214,9 +215,9 @@ new file mode 100644
+
+#endif
+
diff --git a/openssh-6.5p1/sftp-common.c b/openssh-6.5p1/sftp-common.c
--- a/openssh-6.5p1/sftp-common.c
+++ b/openssh-6.5p1/sftp-common.c
diff --git a/openssh-6.6p1/sftp-common.c b/openssh-6.6p1/sftp-common.c
--- a/openssh-6.6p1/sftp-common.c
+++ b/openssh-6.6p1/sftp-common.c
@@ -42,16 +42,17 @@
#endif
@ -261,9 +262,9 @@ diff --git a/openssh-6.5p1/sftp-common.c b/openssh-6.5p1/sftp-common.c
if (ltime != NULL) {
now = time(NULL);
if (now - (365*24*60*60)/2 < st->st_mtime &&
diff --git a/openssh-6.5p1/sftp-server-main.c b/openssh-6.5p1/sftp-server-main.c
--- a/openssh-6.5p1/sftp-server-main.c
+++ b/openssh-6.5p1/sftp-server-main.c
diff --git a/openssh-6.6p1/sftp-server-main.c b/openssh-6.6p1/sftp-server-main.c
--- a/openssh-6.6p1/sftp-server-main.c
+++ b/openssh-6.6p1/sftp-server-main.c
@@ -17,21 +17,24 @@
#include "includes.h"
@ -289,9 +290,9 @@ diff --git a/openssh-6.5p1/sftp-server-main.c b/openssh-6.5p1/sftp-server-main.c
int
main(int argc, char **argv)
diff --git a/openssh-6.5p1/sftp.c b/openssh-6.5p1/sftp.c
--- a/openssh-6.5p1/sftp.c
+++ b/openssh-6.5p1/sftp.c
diff --git a/openssh-6.6p1/sftp.c b/openssh-6.6p1/sftp.c
--- a/openssh-6.6p1/sftp.c
+++ b/openssh-6.6p1/sftp.c
@@ -109,16 +109,18 @@ struct complete_ctx {
char **remote_pathp;
};
@ -311,9 +312,9 @@ diff --git a/openssh-6.5p1/sftp.c b/openssh-6.5p1/sftp.c
#define LS_SHORT_VIEW 0x0002 /* Single row view ala ls -1 */
#define LS_NUMERIC_VIEW 0x0004 /* Long view with numeric uid/gid */
#define LS_NAME_SORT 0x0008 /* Sort by name (default) */
diff --git a/openssh-6.5p1/sshd_config.0 b/openssh-6.5p1/sshd_config.0
--- a/openssh-6.5p1/sshd_config.0
+++ b/openssh-6.5p1/sshd_config.0
diff --git a/openssh-6.6p1/sshd_config.0 b/openssh-6.6p1/sshd_config.0
--- a/openssh-6.6p1/sshd_config.0
+++ b/openssh-6.6p1/sshd_config.0
@@ -189,16 +189,24 @@ DESCRIPTION
session this requires at least a shell, typically sh(1), and
basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4),
@ -339,9 +340,9 @@ diff --git a/openssh-6.5p1/sshd_config.0 b/openssh-6.5p1/sshd_config.0
``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
--- a/openssh-6.5p1/sshd_config.5
+++ b/openssh-6.5p1/sshd_config.5
diff --git a/openssh-6.6p1/sshd_config.5 b/openssh-6.6p1/sshd_config.5
--- a/openssh-6.6p1/sshd_config.5
+++ b/openssh-6.6p1/sshd_config.5
@@ -324,16 +324,27 @@ For file transfer sessions using
no additional configuration of the environment is necessary if the
in-process sftp server is used,

8
openssh-6.5p1-xauth.patch → openssh-6.6p1-xauth.patch
View File

@ -1,10 +1,10 @@
# try to remove xauth cookies on logout
# bnc#98815
diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.5p1/session.c
+++ b/openssh-6.5p1/session.c
@@ -2505,18 +2505,50 @@ session_exit_message(Session *s, int sta
diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c
--- a/openssh-6.6p1/session.c
+++ b/openssh-6.6p1/session.c
@@ -2510,18 +2510,50 @@ session_exit_message(Session *s, int sta
if (c->ostate != CHAN_OUTPUT_CLOSED)
chan_write_failed(c);
}

18
openssh-6.5p1-xauthlocalhostname.patch → openssh-6.6p1-xauthlocalhostname.patch
View File

@ -1,10 +1,10 @@
# handle hostname changes when forwarding X
# bnc#98627
diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.5p1/session.c
+++ b/openssh-6.5p1/session.c
@@ -1141,17 +1141,17 @@ copy_environment(char **source, char ***
diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c
--- a/openssh-6.6p1/session.c
+++ b/openssh-6.6p1/session.c
@@ -1146,17 +1146,17 @@ copy_environment(char **source, char ***
debug3("Copy environment: %s=%s", var_name, var_val);
child_set_env(env, envsize, var_name, var_val);
@ -23,7 +23,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
char *path = NULL;
#endif
@@ -1328,25 +1328,27 @@ do_setup_env(Session *s, const char *she
@@ -1333,25 +1333,27 @@ do_setup_env(Session *s, const char *she
read_environment_file(&env, &envsize, buf);
}
if (debug_flag) {
@ -52,7 +52,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
do_xauth =
s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
@@ -1390,22 +1392,30 @@ do_rc_files(Session *s, const char *shel
@@ -1395,22 +1397,30 @@ do_rc_files(Session *s, const char *shel
"%.500s add %.100s %.100s %.100s\n",
options.xauth_location, s->auth_display,
s->auth_proto, s->auth_data);
@ -83,7 +83,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
}
static void
@@ -1659,16 +1669,17 @@ child_close_fds(void)
@@ -1664,16 +1674,17 @@ child_close_fds(void)
* ids, and executing the command or shell.
*/
#define ARGV_MAX 10
@ -101,7 +101,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
/* remove hostkey from the child's memory */
destroy_sensitive_data();
@@ -1725,17 +1736,17 @@ do_child(Session *s, const char *command
@@ -1730,17 +1741,17 @@ do_child(Session *s, const char *command
* legal, and means /bin/sh.
*/
shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
@ -120,7 +120,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
/* we have to stash the hostname before we close our socket. */
if (options.use_login)
hostname = get_remote_name_or_ip(utmp_len,
@@ -1794,17 +1805,17 @@ do_child(Session *s, const char *command
@@ -1799,17 +1810,17 @@ do_child(Session *s, const char *command
strerror(errno));
if (r)
exit(1);

3
openssh-6.6p1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb
size 1282502

5
openssh-askpass-gnome.changes
View File

@ -1,3 +1,8 @@
-------------------------------------------------------------------
Fri Apr 11 21:50:51 UTC 2014 - pcerny@suse.com
- Update of the underlying OpenSSH to 6.6p1
-------------------------------------------------------------------
Wed Feb 12 01:24:16 UTC 2014 - pcerny@suse.com

2
openssh-askpass-gnome.spec
View File

@ -26,7 +26,7 @@ BuildRequires: openssl-devel
BuildRequires: pam-devel
BuildRequires: tcpd-devel
BuildRequires: update-desktop-files
Version: 6.5p1
Version: 6.6p1
Release: 0
Requires: openssh = %{version}
Summary: A GNOME-Based Passphrase Dialog for OpenSSH

51
openssh.changes
View File

@ -1,4 +1,55 @@
-------------------------------------------------------------------
Fri Apr 11 21:50:51 UTC 2014 - pcerny@suse.com
- update to 6.6p1
Security:
* sshd(8): when using environment passing with a sshd_config(5)
AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could
be tricked into accepting any enviornment variable that
contains the characters before the wildcard character.
Features since 6.5p1:
* ssh(1), sshd(8): removal of the J-PAKE authentication code,
which was experimental, never enabled and has been
unmaintained for some time.
* ssh(1): skip 'exec' clauses other clauses predicates failed
to match while processing Match blocks.
* ssh(1): if hostname canonicalisation is enabled and results
in the destination hostname being changed, then re-parse
ssh_config(5) files using the new destination hostname. This
gives 'Host' and 'Match' directives that use the expanded
hostname a chance to be applied.
Bugfixes:
* ssh(1): avoid spurious "getsockname failed: Bad file
descriptor" in ssh -W. bz#2200, debian#738692
* sshd(8): allow the shutdown(2) syscall in seccomp-bpf and
systrace sandbox modes, as it is reachable if the connection
is terminated during the pre-auth phase.
* ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1
bignum parsing. Minimum key length checks render this bug
unexploitable to compromise SSH 1 sessions.
* sshd_config(5): clarify behaviour of a keyword that appears
in multiple matching Match blocks. bz#2184
* ssh(1): avoid unnecessary hostname lookups when
canonicalisation is disabled. bz#2205
* sshd(8): avoid sandbox violation crashes in GSSAPI code by
caching the supported list of GSSAPI mechanism OIDs before
entering the sandbox. bz#2107
* ssh(1): fix possible crashes in SOCKS4 parsing caused by
assumption that the SOCKS username is nul-terminated.
* ssh(1): fix regression for UsePrivilegedPort=yes when
BindAddress is not specified.
* ssh(1), sshd(8): fix memory leak in ECDSA signature
verification.
* ssh(1): fix matching of 'Host' directives in ssh_config(5)
files to be case-insensitive again (regression in 6.5).
- FIPS checks in sftp-server
-------------------------------------------------------------------
Mon Mar 31 01:22:21 UTC 2014 - pcerny@suse.com
- FIPS checks during ssh client and daemon startup
(-fips-checks.patch)
-------------------------------------------------------------------
Tue Mar 25 10:07:18 UTC 2014 - idonmez@suse.com
- Update openssh-6.5p1-audit4-kex_results.patch to ensure that

121
openssh.spec
View File

@ -91,7 +91,7 @@ PreReq: pwdutils %{insserv_prereq} %{fillup_prereq} coreutils
Conflicts: nonfreessh
Recommends: xauth
Recommends: %{name}-helpers
Version: 6.5p1
Version: 6.6p1
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-3-Clause and MIT
@ -108,43 +108,45 @@ Source7: sshd.fw
Source8: sysconfig.ssh
Source9: sshd-gen-keys-start
Source10: sshd.service
Patch1: openssh-6.5p1-key-converter.patch
Patch2: openssh-6.5p1-X11-forwarding.patch
Patch3: openssh-6.5p1-lastlog.patch
Patch4: openssh-6.5p1-pam-fix2.patch
Patch5: openssh-6.5p1-saveargv-fix.patch
Patch6: openssh-6.5p1-pam-fix3.patch
Patch7: openssh-6.5p1-gssapimitm.patch
Patch8: openssh-6.5p1-eal3.patch
Patch9: openssh-6.5p1-blocksigalrm.patch
Patch10: openssh-6.5p1-send_locale.patch
Patch11: openssh-6.5p1-xauthlocalhostname.patch
Patch12: openssh-6.5p1-xauth.patch
Patch13: openssh-6.5p1-default-protocol.patch
Patch14: openssh-6.5p1-pts.patch
Patch15: openssh-6.5p1-pam-check-locks.patch
Patch16: openssh-6.5p1-fingerprint_hash.patch
Patch17: openssh-6.5p1-audit1-remove_duplicit_audit.patch
Patch18: openssh-6.5p1-audit2-better_audit_of_user_actions.patch
Patch19: openssh-6.5p1-audit3-key_auth_usage.patch
Patch20: openssh-6.5p1-audit4-kex_results.patch
Patch21: openssh-6.5p1-audit5-session_key_destruction.patch
Patch22: openssh-6.5p1-audit6-server_key_destruction.patch
Patch23: openssh-6.5p1-audit7-libaudit_compat.patch
Patch24: openssh-6.5p1-audit8-libaudit_dns_timeouts.patch
Patch25: openssh-6.5p1-seed-prng.patch
Patch26: openssh-6.5p1-ldap.patch
Patch27: openssh-6.5p1-fips.patch
Patch28: openssh-6.5p1-gssapi_key_exchange.patch
Patch29: openssh-6.5p1-login_options.patch
Patch30: openssh-6.5p1-disable-openssl-abi-check.patch
Patch31: openssh-6.5p1-no_fork-no_pid_file.patch
Patch32: openssh-6.5p1-host_ident.patch
Patch33: openssh-6.5p1-sftp_homechroot.patch
Patch34: openssh-6.5p1-sftp_force_permissions.patch
Patch35: openssh-6.5p1-seccomp_getuid.patch
Patch36: openssh-6.5p1-X_forward_with_disabled_ipv6.patch
Patch1: openssh-6.6p1-key-converter.patch
Patch2: openssh-6.6p1-X11-forwarding.patch
Patch3: openssh-6.6p1-lastlog.patch
Patch4: openssh-6.6p1-pam-fix2.patch
Patch5: openssh-6.6p1-saveargv-fix.patch
Patch6: openssh-6.6p1-pam-fix3.patch
Patch7: openssh-6.6p1-gssapimitm.patch
Patch8: openssh-6.6p1-eal3.patch
Patch9: openssh-6.6p1-blocksigalrm.patch
Patch10: openssh-6.6p1-send_locale.patch
Patch11: openssh-6.6p1-xauthlocalhostname.patch
Patch12: openssh-6.6p1-xauth.patch
Patch13: openssh-6.6p1-default-protocol.patch
Patch14: openssh-6.6p1-pts.patch
Patch15: openssh-6.6p1-pam-check-locks.patch
Patch16: openssh-6.6p1-fingerprint_hash.patch
Patch17: openssh-6.6p1-fips.patch
Patch18: openssh-6.6p1-audit1-remove_duplicit_audit.patch
Patch19: openssh-6.6p1-audit2-better_audit_of_user_actions.patch
Patch20: openssh-6.6p1-audit3-key_auth_usage.patch
Patch21: openssh-6.6p1-audit3_fips-key_auth_usage.patch
Patch22: openssh-6.6p1-audit4-kex_results.patch
Patch23: openssh-6.6p1-audit4_fips-kex_results.patch
Patch24: openssh-6.6p1-audit5-session_key_destruction.patch
Patch25: openssh-6.6p1-audit6-server_key_destruction.patch
Patch26: openssh-6.6p1-audit7-libaudit_compat.patch
Patch27: openssh-6.6p1-audit8-libaudit_dns_timeouts.patch
Patch28: openssh-6.6p1-seed-prng.patch
Patch29: openssh-6.6p1-gssapi_key_exchange.patch
Patch30: openssh-6.6p1-login_options.patch
Patch31: openssh-6.6p1-disable-openssl-abi-check.patch
Patch32: openssh-6.6p1-no_fork-no_pid_file.patch
Patch33: openssh-6.6p1-host_ident.patch
Patch34: openssh-6.6p1-sftp_homechroot.patch
Patch35: openssh-6.6p1-sftp_force_permissions.patch
Patch36: openssh-6.6p1-seccomp_getuid.patch
Patch37: openssh-6.6p1-X_forward_with_disabled_ipv6.patch
Patch38: openssh-6.6p1-fips-checks.patch
Patch39: openssh-6.6p1-ldap.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@ -167,6 +169,16 @@ Requires: openssh
Helper applications for OpenSSH which retrieve keys from various sources.
%package fips
Summary: OpenSSH FIPS cryptomodule hashes
Group: Productivity/Networking/SSH
Requires: openssh
%description fips
Hashes that together with the main package form the FIPS certifiable
cryptomodule.
%prep
%setup -q
#patch1 -p2
@ -207,13 +219,16 @@ Helper applications for OpenSSH which retrieve keys from various sources.
%patch34 -p2
%patch35 -p2
%patch36 -p2
%patch37 -p2
%patch38 -p2
%patch39 -p2
cp %{SOURCE3} %{SOURCE4} .
%build
# set libexec dir in the LDAP patch
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
$( grep -Rl @LIBEXECDIR@ \
$( grep "^+++" %{PATCH26} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
$( grep "^+++" %{PATCH39} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
)
autoreconf -fiv
@ -311,6 +326,25 @@ rm -f %{buildroot}%{_datadir}/Ssh.bin
# sshd keys generator wrapper
install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
# the hmac hashes - taken from openssl
#
# re-define the __os_install_post macro: the macro strips
# the binaries and thereby invalidates any hashes created earlier.
#
# this shows up earlier because otherwise the %expand of
# the macro is too late.
%{expand:%%global __os_install_post {%__os_install_post
for b in \
%{_bindir}/ssh \
%{_sbindir}/sshd \
%{_libexecdir}/ssh/sftp-server \
; do
( printf "\03"; openssl dgst -sha256 -binary < %{buildroot}$b ) > %{buildroot}$b.chk
done
}}
%pre
getent group sshd >/dev/null || %{_sbindir}/groupadd -r sshd
getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd -s /bin/false -c "SSH daemon" sshd
@ -343,6 +377,9 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd
%files
%defattr(-,root,root)
%exclude %{_bindir}/*.chk
%exclude %{_sbindir}/*.chk
%exclude %{_libexecdir}/ssh/sftp-server.chk
%dir %attr(755,root,root) /var/lib/sshd
%doc README.SuSE README.kerberos ChangeLog OVERVIEW README TODO LICENCE CREDITS
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
@ -384,4 +421,10 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
%files fips
%defattr(-,root,root)
%attr(0444,root,root) %{_bindir}/ssh.chk
%attr(0444,root,root) %{_sbindir}/sshd.chk
%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server.chk
%changelog