pool/openssh
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1200282 from network

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/1200282
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=184
This commit is contained in:
Ana Guerrero 2024-09-13 12:26:08 +00:00 committed by Git OBS Bridge
commit f15242edbd
4 changed files with 778 additions and 351 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

414
0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch Normal file
View File

@ -0,0 +1,414 @@
From 7c116ef927a8ef14d09065757f75560fa0ab79d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
Date: Tue, 17 Oct 2023 04:04:13 +0200
Subject: [PATCH 1/6] auth: Add KbdintResult definition to define result values
explicitly
kbdint result vfunc may return various values, so use an enum to make it
clearer what each result means without having to dig into the struct
documentation.
---
auth-bsdauth.c | 2 +-
auth-pam.c | 10 +++++-----
auth.h | 5 +++++
auth2-chall.c | 4 ++--
4 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/auth-bsdauth.c b/auth-bsdauth.c
index d124e994e77..ca41735debb 100644
--- a/auth-bsdauth.c
+++ b/auth-bsdauth.c
@@ -111,7 +111,7 @@ bsdauth_respond(void *ctx, u_int numresponses, char **responses)
authctxt->as = NULL;
debug3("bsdauth_respond: <%s> = <%d>", responses[0], authok);
- return (authok == 0) ? -1 : 0;
+ return (authok == 0) ? KbdintResultFailure : KbdintResultSuccess;
}
static void
diff --git a/auth-pam.c b/auth-pam.c
index b49d415e7c7..86137a1acdb 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -990,15 +990,15 @@ sshpam_respond(void *ctx, u_int num, char **resp)
switch (ctxt->pam_done) {
case 1:
sshpam_authenticated = 1;
- return (0);
+ return KbdintResultSuccess;
case 0:
break;
default:
- return (-1);
+ return KbdintResultFailure;
}
if (num != 1) {
error("PAM: expected one response, got %u", num);
- return (-1);
+ return KbdintResultFailure;
}
if ((buffer = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
@@ -1015,10 +1015,10 @@ sshpam_respond(void *ctx, u_int num, char **resp)
}
if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, buffer) == -1) {
sshbuf_free(buffer);
- return (-1);
+ return KbdintResultFailure;
}
sshbuf_free(buffer);
- return (1);
+ return KbdintResultAgain;
}
static void
diff --git a/auth.h b/auth.h
index 6d2d3976234..aac1e92d9cd 100644
--- a/auth.h
+++ b/auth.h
@@ -51,6 +51,7 @@ struct sshauthopt;
typedef struct Authctxt Authctxt;
typedef struct Authmethod Authmethod;
typedef struct KbdintDevice KbdintDevice;
+typedef int KbdintResult;
struct Authctxt {
sig_atomic_t success;
@@ -111,6 +112,10 @@ struct Authmethod {
# int *enabled;
int (*userauth)(struct ssh *, const char *);
};
+#define KbdintResultFailure -1
+#define KbdintResultSuccess 0
+#define KbdintResultAgain 1
+
/*
* Keyboard interactive device:
* init_ctx returns: non NULL upon success
diff --git a/auth2-chall.c b/auth2-chall.c
index 021df829173..047d4e83c33 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -331,11 +331,11 @@ input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh)
free(response);
switch (res) {
- case 0:
+ case KbdintResultSuccess:
/* Success! */
authenticated = authctxt->valid ? 1 : 0;
break;
- case 1:
+ case KbdintResultAgain:
/* Authentication needs further interaction */
if (send_userauth_info_request(ssh) == 1)
authctxt->postponed = 1;
From 91ef15e8ed01a7e16d96ba6cb9ed51965dca9641 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
Date: Mon, 16 Oct 2023 21:15:45 +0200
Subject: [PATCH 2/6] auth-pam: Add an enum to define the PAM done status
Makes things more readable and easier to extend
---
auth-pam.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/auth-pam.c b/auth-pam.c
index 86137a1acdb..21291631011 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -136,11 +136,16 @@ typedef pid_t sp_pthread_t;
#define pthread_join fake_pthread_join
#endif
+typedef int SshPamDone;
+#define SshPamError -1
+#define SshPamNone 0
+#define SshPamAuthenticated 1
+
struct pam_ctxt {
sp_pthread_t pam_thread;
int pam_psock;
int pam_csock;
- int pam_done;
+ SshPamDone pam_done;
};
static void sshpam_free_ctx(void *);
@@ -904,7 +909,7 @@ sshpam_query(void *ctx, char **name, char **info,
**prompts = NULL;
*num = 0;
**echo_on = 0;
- ctxt->pam_done = -1;
+ ctxt->pam_done = SshPamError;
free(msg);
sshbuf_free(buffer);
return 0;
@@ -931,7 +936,7 @@ sshpam_query(void *ctx, char **name, char **info,
import_environments(buffer);
*num = 0;
**echo_on = 0;
- ctxt->pam_done = 1;
+ ctxt->pam_done = SshPamAuthenticated;
free(msg);
sshbuf_free(buffer);
return (0);
@@ -944,7 +949,7 @@ sshpam_query(void *ctx, char **name, char **info,
*num = 0;
**echo_on = 0;
free(msg);
- ctxt->pam_done = -1;
+ ctxt->pam_done = SshPamError;
sshbuf_free(buffer);
return (-1);
}
@@ -988,10 +993,10 @@ sshpam_respond(void *ctx, u_int num, char **resp)
debug2("PAM: %s entering, %u responses", __func__, num);
switch (ctxt->pam_done) {
- case 1:
+ case SshPamAuthenticated:
sshpam_authenticated = 1;
return KbdintResultSuccess;
- case 0:
+ case SshPamNone:
break;
default:
return KbdintResultFailure;
From 6fa8934d31cb9925c856f1b992fc5e04dd26da21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
Date: Tue, 17 Oct 2023 04:35:17 +0200
Subject: [PATCH 3/6] auth-pam: Add debugging information when we receive PAM
messages
---
auth-pam.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/auth-pam.c b/auth-pam.c
index 21291631011..7a72e724adc 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -450,6 +450,9 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
break;
case PAM_ERROR_MSG:
case PAM_TEXT_INFO:
+ debug3("PAM: Got message of type %d: %s",
+ PAM_MSG_MEMBER(msg, i, msg_style),
+ PAM_MSG_MEMBER(msg, i, msg));
if ((r = sshbuf_put_cstring(buffer,
PAM_MSG_MEMBER(msg, i, msg))) != 0)
fatal("%s: buffer error: %s",
From 598ee34312b541fa7b3988b4896641bf81996e27 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
Date: Tue, 17 Oct 2023 04:27:32 +0200
Subject: [PATCH 4/6] auth-pam: Immediately report interactive instructions to
clients
SSH keyboard-interactive authentication method supports instructions but
sshd didn't show them until an user prompt was requested.
This is quite inconvenient for various PAM modules that need to notify
an user without requiring for their explicit input.
So, properly implement RFC4256 making instructions to be shown to users
when they are requested from PAM.
Closes: https://bugzilla.mindrot.org/show_bug.cgi?id=2876
---
auth-pam.c | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/auth-pam.c b/auth-pam.c
index 7a72e724adc..b756f0e5221 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -140,6 +140,7 @@ typedef int SshPamDone;
#define SshPamError -1
#define SshPamNone 0
#define SshPamAuthenticated 1
+#define SshPamAgain 2
struct pam_ctxt {
sp_pthread_t pam_thread;
@@ -868,6 +869,8 @@ sshpam_query(void *ctx, char **name, char **info,
**prompts = NULL;
plen = 0;
*echo_on = xmalloc(sizeof(u_int));
+ ctxt->pam_done = SshPamNone;
+
while (ssh_msg_recv(ctxt->pam_psock, buffer) == 0) {
if (++nmesg > PAM_MAX_NUM_MSG)
fatal_f("too many query messages");
@@ -888,15 +891,13 @@ sshpam_query(void *ctx, char **name, char **info,
return (0);
case PAM_ERROR_MSG:
case PAM_TEXT_INFO:
- /* accumulate messages */
- len = plen + mlen + 2;
- **prompts = xreallocarray(**prompts, 1, len);
- strlcpy(**prompts + plen, msg, len - plen);
- plen += mlen;
- strlcat(**prompts + plen, "\n", len - plen);
- plen++;
- free(msg);
- break;
+ *num = 0;
+ free(*info);
+ *info = msg; /* Steal the message */
+ msg = NULL;
+ ctxt->pam_done = SshPamAgain;
+ sshbuf_free(buffer);
+ return (0);
case PAM_ACCT_EXPIRED:
case PAM_MAXTRIES:
if (type == PAM_ACCT_EXPIRED)
@@ -1001,6 +1002,8 @@ sshpam_respond(void *ctx, u_int num, char **resp)
return KbdintResultSuccess;
case SshPamNone:
break;
+ case SshPamAgain:
+ return KbdintResultAgain;
default:
return KbdintResultFailure;
}
From cc14301ce0542cdbb825eff8041ce98a1da9ef08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
Date: Tue, 17 Oct 2023 06:12:03 +0200
Subject: [PATCH 5/6] sshconnect2: Write kbd-interactive service, info and
instructions as utf-8
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As per the previous server change now the keyboard-interactive service
and instruction values could be reported as soon as they are available
and so they're not prompts anymore and not parsed like them.
While this was already supported by the SSH client, these messages were
not properly written as the escaped sequences they contained were not
correctly reported.
So for example a message containing "\" was represented as "\\" and
similarly for all the other C escape sequences.
This was leading to more problems when it come to utf-8 chars, as they
were only represented by their octal representation.
This was easily testable by adding a line like the one below to the
sshd PAM service:
auth requisite pam_echo.so Hello SSHD! Want some 🍕?
Which was causing this to be written instead:
Hello SSHD! Want some \360\237\215\225?
To handle this, instead of simply using fmprintf, we're using the notifier
in a way can be exposed to users in the proper format and UI.
---
sshconnect2.c | 33 ++++++++++++++++++++++++---------
1 file changed, 24 insertions(+), 9 deletions(-)
diff --git a/sshconnect2.c b/sshconnect2.c
index 5831a00c6d1..543431218c1 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1091,6 +1091,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh)
char *info = NULL, *lang = NULL, *password = NULL, *retype = NULL;
char prompt[256];
const char *host;
+ size_t info_len;
int r;
debug2("input_userauth_passwd_changereq");
@@ -1100,11 +1101,15 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh)
"no authentication context");
host = options.host_key_alias ? options.host_key_alias : authctxt->host;
- if ((r = sshpkt_get_cstring(ssh, &info, NULL)) != 0 ||
+ if ((r = sshpkt_get_cstring(ssh, &info, &info_len)) != 0 ||
(r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0)
goto out;
- if (strlen(info) > 0)
- logit("%s", info);
+ if (info_len > 0) {
+ struct notifier_ctx *notifier = NULL;
+ debug_f("input_userauth_passwd_changereq info: %s", info);
+ notifier = notify_start(0, "%s", info);
+ notify_complete(notifier, NULL);
+ }
if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
(r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 ||
(r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 ||
@@ -1938,8 +1943,10 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh)
Authctxt *authctxt = ssh->authctxt;
char *name = NULL, *inst = NULL, *lang = NULL, *prompt = NULL;
char *display_prompt = NULL, *response = NULL;
+ struct notifier_ctx *notifier = NULL;
u_char echo = 0;
u_int num_prompts, i;
+ size_t name_len, inst_len;
int r;
debug2_f("entering");
@@ -1949,14 +1956,22 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh)
authctxt->info_req_seen = 1;
- if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0 ||
- (r = sshpkt_get_cstring(ssh, &inst, NULL)) != 0 ||
+ if ((r = sshpkt_get_cstring(ssh, &name, &name_len)) != 0 ||
+ (r = sshpkt_get_cstring(ssh, &inst, &inst_len)) != 0 ||
(r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0)
goto out;
- if (strlen(name) > 0)
- logit("%s", name);
- if (strlen(inst) > 0)
- logit("%s", inst);
+ if (name_len > 0) {
+ debug_f("kbd int name: %s", name);
+ notifier = notify_start(0, "%s", name);
+ notify_complete(notifier, NULL);
+ notifier = NULL;
+ }
+ if (inst_len > 0) {
+ debug_f("kbd int inst: %s", inst);
+ notifier = notify_start(0, "%s", inst);
+ notify_complete(notifier, NULL);
+ notifier = NULL;
+ }
if ((r = sshpkt_get_u32(ssh, &num_prompts)) != 0)
goto out;
From 99656caabc5cff24122e5b9a140e5a38ab418a5d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
Date: Tue, 17 Oct 2023 06:05:59 +0200
Subject: [PATCH 6/6] auth2-chall: Fix selection of the keyboard-interactive
device
We were only checking if the prefix of a device name was matching what
we had in the devices list, so if the device list contained "pam", then
also the device "pam-foo" was matching.
---
auth2-chall.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth2-chall.c b/auth2-chall.c
index 047d4e83c33..db658c9b4a7 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -170,7 +170,7 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
"keyboard-interactive", devices[i]->name))
continue;
if (strncmp(kbdintctxt->devices, devices[i]->name,
- len) == 0) {
+ len) == 0 && strlen(devices[i]->name) == len) {
kbdintctxt->device = devices[i];
kbdintctxt->devices_done |= 1 << i;
}

696
openssh-6.6p1-keycat.patch
View File

@ -16,70 +16,70 @@ Index: openssh-9.3p2/misc.c
if (env != NULL)
execve(av[0], av, env);
else
Index: openssh-9.3p2/HOWTO.ssh-keycat
===================================================================
--- /dev/null
+++ openssh-9.3p2/HOWTO.ssh-keycat
@@ -0,0 +1,12 @@
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
+of an user in any environment. This includes environments with
+polyinstantiation of home directories and SELinux MLS policy enabled.
+
+To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
+ AuthorizedKeysCommandUser root
+
+Do not forget to enable public key authentication:
+ PubkeyAuthentication yes
+
+
Index: openssh-9.3p2/Makefile.in
===================================================================
--- openssh-9.3p2.orig/Makefile.in
+++ openssh-9.3p2/Makefile.in
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+SSH_KEYCAT=$(libexecdir)/ssh-keycat
SSHD_SESSION=$(libexecdir)/sshd-session
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
@@ -57,6 +58,7 @@ CHANNELLIBS=@CHANNELLIBS@
K5LIBS=@K5LIBS@
GSSLIBS=@GSSLIBS@
SSHDLIBS=@SSHDLIBS@
+KEYCATLIBS=@KEYCATLIBS@
LIBEDIT=@LIBEDIT@
LIBFIDO2=@LIBFIDO2@
LIBWTMPDB=@LIBWTMPDB@
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
.SUFFIXES: .lo
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
@@ -245,6 +247,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(CHANNELLIBS)
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
+
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS)
@@ -431,6 +436,7 @@ install-files:
$(INSTALL) -m 0755 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
fi
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
#Index: openssh-9.3p2/HOWTO.ssh-keycat
#===================================================================
#--- /dev/null
#+++ openssh-9.3p2/HOWTO.ssh-keycat
#@@ -0,0 +1,12 @@
#+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
#+of an user in any environment. This includes environments with
#+polyinstantiation of home directories and SELinux MLS policy enabled.
#+
#+To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
#+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
#+ AuthorizedKeysCommandUser root
#+
#+Do not forget to enable public key authentication:
#+ PubkeyAuthentication yes
#+
#+
#Index: openssh-9.3p2/Makefile.in
#===================================================================
#--- openssh-9.3p2.orig/Makefile.in
#+++ openssh-9.3p2/Makefile.in
#@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
# ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
# SFTP_SERVER=$(libexecdir)/sftp-server
# SSH_KEYSIGN=$(libexecdir)/ssh-keysign
#+SSH_KEYCAT=$(libexecdir)/ssh-keycat
# SSHD_SESSION=$(libexecdir)/sshd-session
# SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
# SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
#@@ -57,6 +58,7 @@ CHANNELLIBS=@CHANNELLIBS@
# K5LIBS=@K5LIBS@
# GSSLIBS=@GSSLIBS@
# SSHDLIBS=@SSHDLIBS@
#+KEYCATLIBS=@KEYCATLIBS@
# LIBEDIT=@LIBEDIT@
# LIBFIDO2=@LIBFIDO2@
# LIBWTMPDB=@LIBWTMPDB@
#@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
#
# .SUFFIXES: .lo
#
#-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
#+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
#
# TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
#
#@@ -245,6 +247,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
# ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
# $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(CHANNELLIBS)
#
#+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
#+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
#+
# ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
# $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS)
#
#@@ -431,6 +436,7 @@ install-files:
# $(INSTALL) -m 0755 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
# fi
# $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
#+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
# $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
# $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
# $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
Index: openssh-9.3p2/openbsd-compat/port-linux.h
===================================================================
--- openssh-9.3p2.orig/openbsd-compat/port-linux.h
@ -205,287 +205,287 @@ Index: openssh-9.3p2/platform.c
#endif
#ifdef USE_SOLARIS_PROJECTS
Index: openssh-9.3p2/ssh-keycat.c
===================================================================
--- /dev/null
+++ openssh-9.3p2/ssh-keycat.c
@@ -0,0 +1,241 @@
+/*
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (c) 2011 Red Hat, Inc.
+ * Written by Tomas Mraz <tmraz@redhat.com>
+*/
+
+#define _GNU_SOURCE
+
+#include "config.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <pwd.h>
+#include <fcntl.h>
+#include <unistd.h>
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif
+
+#include <security/pam_appl.h>
+
+#include "uidswap.h"
+#include "misc.h"
+
+#define ERR_USAGE 1
+#define ERR_PAM_START 2
+#define ERR_OPEN_SESSION 3
+#define ERR_CLOSE_SESSION 4
+#define ERR_PAM_END 5
+#define ERR_GETPWNAM 6
+#define ERR_MEMORY 7
+#define ERR_OPEN 8
+#define ERR_FILE_MODE 9
+#define ERR_FDOPEN 10
+#define ERR_STAT 11
+#define ERR_WRITE 12
+#define ERR_PAM_PUTENV 13
+#define BUFLEN 4096
+
+/* Just ignore the messages in the conversation function */
+static int
+dummy_conv(int num_msg, const struct pam_message **msgm,
+ struct pam_response **response, void *appdata_ptr)
+{
+ struct pam_response *rsp;
+
+ (void)msgm;
+ (void)appdata_ptr;
+
+ if (num_msg <= 0)
+ return PAM_CONV_ERR;
+
+ /* Just allocate the array as empty responses */
+ rsp = calloc (num_msg, sizeof (struct pam_response));
+ if (rsp == NULL)
+ return PAM_CONV_ERR;
+
+ *response = rsp;
+ return PAM_SUCCESS;
+}
+
+static struct pam_conv conv = {
+ dummy_conv,
+ NULL
+};
+
+char *
+make_auth_keys_name(const struct passwd *pwd)
+{
+ char *fname;
+
+ if (asprintf(&fname, "%s/.ssh/authorized_keys", pwd->pw_dir) < 0)
+ return NULL;
+
+ return fname;
+}
+
+int
+dump_keys(const char *user)
+{
+ struct passwd *pwd;
+ int fd = -1;
+ FILE *f = NULL;
+ char *fname = NULL;
+ int rv = 0;
+ char buf[BUFLEN];
+ size_t len;
+ struct stat st;
+
+ if ((pwd = getpwnam(user)) == NULL) {
+ return ERR_GETPWNAM;
+ }
+
+ if ((fname = make_auth_keys_name(pwd)) == NULL) {
+ return ERR_MEMORY;
+ }
+
+ temporarily_use_uid(pwd);
+
+ if ((fd = open(fname, O_RDONLY|O_NONBLOCK|O_NOFOLLOW, 0)) < 0) {
+ rv = ERR_OPEN;
+ goto fail;
+ }
+
+ if (fstat(fd, &st) < 0) {
+ rv = ERR_STAT;
+ goto fail;
+ }
+
+ if (!S_ISREG(st.st_mode) ||
+ (st.st_uid != pwd->pw_uid && st.st_uid != 0)) {
+ rv = ERR_FILE_MODE;
+ goto fail;
+ }
+
+ unset_nonblock(fd);
+
+ if ((f = fdopen(fd, "r")) == NULL) {
+ rv = ERR_FDOPEN;
+ goto fail;
+ }
+
+ fd = -1;
+
+ while ((len = fread(buf, 1, sizeof(buf), f)) > 0) {
+ rv = fwrite(buf, 1, len, stdout) != len ? ERR_WRITE : 0;
+ }
+
+fail:
+ if (fd != -1)
+ close(fd);
+ if (f != NULL)
+ fclose(f);
+ free(fname);
+ restore_uid();
+ return rv;
+}
+
+static const char *env_names[] = { "SELINUX_ROLE_REQUESTED",
+ "SELINUX_LEVEL_REQUESTED",
+ "SELINUX_USE_CURRENT_RANGE"
+};
+
+extern char **environ;
+
+int
+set_pam_environment(pam_handle_t *pamh)
+{
+ int i;
+ size_t j;
+
+ for (j = 0; j < sizeof(env_names)/sizeof(env_names[0]); ++j) {
+ int len = strlen(env_names[j]);
+
+ for (i = 0; environ[i] != NULL; ++i) {
+ if (strncmp(env_names[j], environ[i], len) == 0 &&
+ environ[i][len] == '=') {
+ if (pam_putenv(pamh, environ[i]) != PAM_SUCCESS)
+ return ERR_PAM_PUTENV;
+ }
+ }
+ }
+
+ return 0;
+}
+
+int
+main(int argc, char *argv[])
+{
+ pam_handle_t *pamh = NULL;
+ int retval;
+ int ev = 0;
+
+ if (argc != 2) {
+ fprintf(stderr, "Usage: %s <user-name>\n", argv[0]);
+ return ERR_USAGE;
+ }
+
+ retval = pam_start("ssh-keycat", argv[1], &conv, &pamh);
+ if (retval != PAM_SUCCESS) {
+ return ERR_PAM_START;
+ }
+
+ ev = set_pam_environment(pamh);
+ if (ev != 0)
+ goto finish;
+
+ retval = pam_open_session(pamh, PAM_SILENT);
+ if (retval != PAM_SUCCESS) {
+ ev = ERR_OPEN_SESSION;
+ goto finish;
+ }
+
+ ev = dump_keys(argv[1]);
+
+ retval = pam_close_session(pamh, PAM_SILENT);
+ if (retval != PAM_SUCCESS) {
+ ev = ERR_CLOSE_SESSION;
+ }
+
+finish:
+ retval = pam_end (pamh,retval);
+ if (retval != PAM_SUCCESS) {
+ ev = ERR_PAM_END;
+ }
+ return ev;
+}
Index: openssh-9.3p2/configure.ac
===================================================================
--- openssh-9.3p2.orig/configure.ac
+++ openssh-9.3p2/configure.ac
@@ -3632,6 +3632,7 @@ AC_ARG_WITH([pam],
PAM_MSG="yes"
SSHDLIBS="$SSHDLIBS -lpam"
+ KEYCATLIBS="$KEYCATLIBS -lpam"
AC_DEFINE([USE_PAM], [1],
[Define if you want to enable PAM support])
@@ -3642,6 +3643,7 @@ AC_ARG_WITH([pam],
;;
*)
SSHDLIBS="$SSHDLIBS -ldl"
+ KEYCATLIBS="$KEYCATLIBS -ldl"
;;
esac
fi
@@ -4875,6 +4877,7 @@ AC_ARG_WITH([selinux],
fi ]
)
AC_SUBST([SSHDLIBS])
+AC_SUBST([KEYCATLIBS])
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
@@ -5905,6 +5908,9 @@ fi
if test ! -z "${SSHDLIBS}"; then
echo " +for sshd: ${SSHDLIBS}"
fi
+if test ! -z "${KEYCATLIBS}"; then
+echo " +for ssh-keycat: ${KEYCATLIBS}"
+fi
echo ""
#Index: openssh-9.3p2/ssh-keycat.c
#===================================================================
#--- /dev/null
#+++ openssh-9.3p2/ssh-keycat.c
#@@ -0,0 +1,241 @@
#+/*
#+ * Redistribution and use in source and binary forms, with or without
#+ * modification, are permitted provided that the following conditions
#+ * are met:
#+ * 1. Redistributions of source code must retain the above copyright
#+ * notice, and the entire permission notice in its entirety,
#+ * including the disclaimer of warranties.
#+ * 2. Redistributions in binary form must reproduce the above copyright
#+ * notice, this list of conditions and the following disclaimer in the
#+ * documentation and/or other materials provided with the distribution.
#+ * 3. The name of the author may not be used to endorse or promote
#+ * products derived from this software without specific prior
#+ * written permission.
#+ *
#+ * ALTERNATIVELY, this product may be distributed under the terms of
#+ * the GNU Public License, in which case the provisions of the GPL are
#+ * required INSTEAD OF the above restrictions. (This clause is
#+ * necessary due to a potential bad interaction between the GPL and
#+ * the restrictions contained in a BSD-style copyright.)
#+ *
#+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
#+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
#+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
#+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
#+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
#+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
#+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
#+ * OF THE POSSIBILITY OF SUCH DAMAGE.
#+ */
#+
#+/*
#+ * Copyright (c) 2011 Red Hat, Inc.
#+ * Written by Tomas Mraz <tmraz@redhat.com>
#+*/
#+
#+#define _GNU_SOURCE
#+
#+#include "config.h"
#+#include <stdio.h>
#+#include <stdlib.h>
#+#include <string.h>
#+#include <sys/types.h>
#+#include <sys/stat.h>
#+#include <pwd.h>
#+#include <fcntl.h>
#+#include <unistd.h>
#+#ifdef HAVE_STDINT_H
#+#include <stdint.h>
#+#endif
#+
#+#include <security/pam_appl.h>
#+
#+#include "uidswap.h"
#+#include "misc.h"
#+
#+#define ERR_USAGE 1
#+#define ERR_PAM_START 2
#+#define ERR_OPEN_SESSION 3
#+#define ERR_CLOSE_SESSION 4
#+#define ERR_PAM_END 5
#+#define ERR_GETPWNAM 6
#+#define ERR_MEMORY 7
#+#define ERR_OPEN 8
#+#define ERR_FILE_MODE 9
#+#define ERR_FDOPEN 10
#+#define ERR_STAT 11
#+#define ERR_WRITE 12
#+#define ERR_PAM_PUTENV 13
#+#define BUFLEN 4096
#+
#+/* Just ignore the messages in the conversation function */
#+static int
#+dummy_conv(int num_msg, const struct pam_message **msgm,
#+ struct pam_response **response, void *appdata_ptr)
#+{
#+ struct pam_response *rsp;
#+
#+ (void)msgm;
#+ (void)appdata_ptr;
#+
#+ if (num_msg <= 0)
#+ return PAM_CONV_ERR;
#+
#+ /* Just allocate the array as empty responses */
#+ rsp = calloc (num_msg, sizeof (struct pam_response));
#+ if (rsp == NULL)
#+ return PAM_CONV_ERR;
#+
#+ *response = rsp;
#+ return PAM_SUCCESS;
#+}
#+
#+static struct pam_conv conv = {
#+ dummy_conv,
#+ NULL
#+};
#+
#+char *
#+make_auth_keys_name(const struct passwd *pwd)
#+{
#+ char *fname;
#+
#+ if (asprintf(&fname, "%s/.ssh/authorized_keys", pwd->pw_dir) < 0)
#+ return NULL;
#+
#+ return fname;
#+}
#+
#+int
#+dump_keys(const char *user)
#+{
#+ struct passwd *pwd;
#+ int fd = -1;
#+ FILE *f = NULL;
#+ char *fname = NULL;
#+ int rv = 0;
#+ char buf[BUFLEN];
#+ size_t len;
#+ struct stat st;
#+
#+ if ((pwd = getpwnam(user)) == NULL) {
#+ return ERR_GETPWNAM;
#+ }
#+
#+ if ((fname = make_auth_keys_name(pwd)) == NULL) {
#+ return ERR_MEMORY;
#+ }
#+
#+ temporarily_use_uid(pwd);
#+
#+ if ((fd = open(fname, O_RDONLY|O_NONBLOCK|O_NOFOLLOW, 0)) < 0) {
#+ rv = ERR_OPEN;
#+ goto fail;
#+ }
#+
#+ if (fstat(fd, &st) < 0) {
#+ rv = ERR_STAT;
#+ goto fail;
#+ }
#+
#+ if (!S_ISREG(st.st_mode) ||
#+ (st.st_uid != pwd->pw_uid && st.st_uid != 0)) {
#+ rv = ERR_FILE_MODE;
#+ goto fail;
#+ }
#+
#+ unset_nonblock(fd);
#+
#+ if ((f = fdopen(fd, "r")) == NULL) {
#+ rv = ERR_FDOPEN;
#+ goto fail;
#+ }
#+
#+ fd = -1;
#+
#+ while ((len = fread(buf, 1, sizeof(buf), f)) > 0) {
#+ rv = fwrite(buf, 1, len, stdout) != len ? ERR_WRITE : 0;
#+ }
#+
#+fail:
#+ if (fd != -1)
#+ close(fd);
#+ if (f != NULL)
#+ fclose(f);
#+ free(fname);
#+ restore_uid();
#+ return rv;
#+}
#+
#+static const char *env_names[] = { "SELINUX_ROLE_REQUESTED",
#+ "SELINUX_LEVEL_REQUESTED",
#+ "SELINUX_USE_CURRENT_RANGE"
#+};
#+
#+extern char **environ;
#+
#+int
#+set_pam_environment(pam_handle_t *pamh)
#+{
#+ int i;
#+ size_t j;
#+
#+ for (j = 0; j < sizeof(env_names)/sizeof(env_names[0]); ++j) {
#+ int len = strlen(env_names[j]);
#+
#+ for (i = 0; environ[i] != NULL; ++i) {
#+ if (strncmp(env_names[j], environ[i], len) == 0 &&
#+ environ[i][len] == '=') {
#+ if (pam_putenv(pamh, environ[i]) != PAM_SUCCESS)
#+ return ERR_PAM_PUTENV;
#+ }
#+ }
#+ }
#+
#+ return 0;
#+}
#+
#+int
#+main(int argc, char *argv[])
#+{
#+ pam_handle_t *pamh = NULL;
#+ int retval;
#+ int ev = 0;
#+
#+ if (argc != 2) {
#+ fprintf(stderr, "Usage: %s <user-name>\n", argv[0]);
#+ return ERR_USAGE;
#+ }
#+
#+ retval = pam_start("ssh-keycat", argv[1], &conv, &pamh);
#+ if (retval != PAM_SUCCESS) {
#+ return ERR_PAM_START;
#+ }
#+
#+ ev = set_pam_environment(pamh);
#+ if (ev != 0)
#+ goto finish;
#+
#+ retval = pam_open_session(pamh, PAM_SILENT);
#+ if (retval != PAM_SUCCESS) {
#+ ev = ERR_OPEN_SESSION;
#+ goto finish;
#+ }
#+
#+ ev = dump_keys(argv[1]);
#+
#+ retval = pam_close_session(pamh, PAM_SILENT);
#+ if (retval != PAM_SUCCESS) {
#+ ev = ERR_CLOSE_SESSION;
#+ }
#+
#+finish:
#+ retval = pam_end (pamh,retval);
#+ if (retval != PAM_SUCCESS) {
#+ ev = ERR_PAM_END;
#+ }
#+ return ev;
#+}
#Index: openssh-9.3p2/configure.ac
#===================================================================
#--- openssh-9.3p2.orig/configure.ac
#+++ openssh-9.3p2/configure.ac
#@@ -3632,6 +3632,7 @@ AC_ARG_WITH([pam],
# PAM_MSG="yes"
#
# SSHDLIBS="$SSHDLIBS -lpam"
#+ KEYCATLIBS="$KEYCATLIBS -lpam"
# AC_DEFINE([USE_PAM], [1],
# [Define if you want to enable PAM support])
#
#@@ -3642,6 +3643,7 @@ AC_ARG_WITH([pam],
# ;;
# *)
# SSHDLIBS="$SSHDLIBS -ldl"
#+ KEYCATLIBS="$KEYCATLIBS -ldl"
# ;;
# esac
# fi
#@@ -4875,6 +4877,7 @@ AC_ARG_WITH([selinux],
# fi ]
# )
# AC_SUBST([SSHDLIBS])
#+AC_SUBST([KEYCATLIBS])
#
# # Check whether user wants Kerberos 5 support
# KRB5_MSG="no"
#@@ -5905,6 +5908,9 @@ fi
# if test ! -z "${SSHDLIBS}"; then
# echo " +for sshd: ${SSHDLIBS}"
# fi
#+if test ! -z "${KEYCATLIBS}"; then
#+echo " +for ssh-keycat: ${KEYCATLIBS}"
#+fi
#
# echo ""
#

14
openssh.changes
View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Thu Sep 12 07:43:18 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
- Drop most of openssh-6.6p1-keycat.patch (actually, it was just
commented out). The keycat binary isn't really installed nor
supported, so we can drop it, except for the code that is used
by other SELinux patches, which is what I kept from that patch
(boo#1229072).
- Add patch submitted to upstream to fix RFC4256 implementation
so that keyboard-interactive authentication method can send
instructions and sshd shows them to users even before a prompt
is requested. This fixes MFA push notifications (boo#1229010).
* 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
-------------------------------------------------------------------
Fri Aug 23 12:10:00 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>

5
openssh.spec
View File

@ -132,6 +132,8 @@ Patch108: openssh-9.6p1-crypto-policies-man.patch
Patch109: fix-memleak-in-process_server_config_line_depth.patch
# PATCH-FIX-UPSTREAM alarrosa@suse.com -- https://github.com/openssh/openssh-portable/pull/516
Patch110: fix-audit-fail-attempt.patch
# PATCH-FIX-UPSTREAM -- https://github.com/openssh/openssh-portable/pull/452 boo#1229010
Patch111: 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
%if 0%{with allow_root_password_login_by_default}
Patch1000: openssh-7.7p1-allow_root_password_login.patch
%endif
@ -448,9 +450,6 @@ install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
mkdir -p %{buildroot}%{_sysusersdir}
install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf
rm %{buildroot}%{_libexecdir}/ssh/ssh-keycat
#rm -r %{buildroot}/usr/lib/debug/.build-id
# the hmac hashes - taken from openssl
#
# re-define the __os_install_post macro: the macro strips