- Drop most of openssh-6.6p1-keycat.patch (actually, it was just
commented out). The keycat binary isn't really installed nor supported, so we can drop it, except for the code that is used by other SELinux patches, which is what I kept from that patch (boo#1229072). - Add patch submitted to upstream to fix RFC4256 implementation so that keyboard-interactive authentication method can send instructions and sshd shows them to users even before a prompt is requested. This fixes MFA push notifications (boo#1229010). * 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=274
This commit is contained in:
commit
fef1b16e66
23
.gitattributes
vendored
Normal file
23
.gitattributes
vendored
Normal file
@ -0,0 +1,23 @@
|
||||
## Default LFS
|
||||
*.7z filter=lfs diff=lfs merge=lfs -text
|
||||
*.bsp filter=lfs diff=lfs merge=lfs -text
|
||||
*.bz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.gem filter=lfs diff=lfs merge=lfs -text
|
||||
*.gz filter=lfs diff=lfs merge=lfs -text
|
||||
*.jar filter=lfs diff=lfs merge=lfs -text
|
||||
*.lz filter=lfs diff=lfs merge=lfs -text
|
||||
*.lzma filter=lfs diff=lfs merge=lfs -text
|
||||
*.obscpio filter=lfs diff=lfs merge=lfs -text
|
||||
*.oxt filter=lfs diff=lfs merge=lfs -text
|
||||
*.pdf filter=lfs diff=lfs merge=lfs -text
|
||||
*.png filter=lfs diff=lfs merge=lfs -text
|
||||
*.rpm filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.tgz filter=lfs diff=lfs merge=lfs -text
|
||||
*.ttf filter=lfs diff=lfs merge=lfs -text
|
||||
*.txz filter=lfs diff=lfs merge=lfs -text
|
||||
*.whl filter=lfs diff=lfs merge=lfs -text
|
||||
*.xz filter=lfs diff=lfs merge=lfs -text
|
||||
*.zip filter=lfs diff=lfs merge=lfs -text
|
||||
*.zst filter=lfs diff=lfs merge=lfs -text
|
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
.osc
|
@ -0,0 +1,414 @@
|
||||
From 7c116ef927a8ef14d09065757f75560fa0ab79d0 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
|
||||
Date: Tue, 17 Oct 2023 04:04:13 +0200
|
||||
Subject: [PATCH 1/6] auth: Add KbdintResult definition to define result values
|
||||
explicitly
|
||||
|
||||
kbdint result vfunc may return various values, so use an enum to make it
|
||||
clearer what each result means without having to dig into the struct
|
||||
documentation.
|
||||
---
|
||||
auth-bsdauth.c | 2 +-
|
||||
auth-pam.c | 10 +++++-----
|
||||
auth.h | 5 +++++
|
||||
auth2-chall.c | 4 ++--
|
||||
4 files changed, 13 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/auth-bsdauth.c b/auth-bsdauth.c
|
||||
index d124e994e77..ca41735debb 100644
|
||||
--- a/auth-bsdauth.c
|
||||
+++ b/auth-bsdauth.c
|
||||
@@ -111,7 +111,7 @@ bsdauth_respond(void *ctx, u_int numresponses, char **responses)
|
||||
authctxt->as = NULL;
|
||||
debug3("bsdauth_respond: <%s> = <%d>", responses[0], authok);
|
||||
|
||||
- return (authok == 0) ? -1 : 0;
|
||||
+ return (authok == 0) ? KbdintResultFailure : KbdintResultSuccess;
|
||||
}
|
||||
|
||||
static void
|
||||
diff --git a/auth-pam.c b/auth-pam.c
|
||||
index b49d415e7c7..86137a1acdb 100644
|
||||
--- a/auth-pam.c
|
||||
+++ b/auth-pam.c
|
||||
@@ -990,15 +990,15 @@ sshpam_respond(void *ctx, u_int num, char **resp)
|
||||
switch (ctxt->pam_done) {
|
||||
case 1:
|
||||
sshpam_authenticated = 1;
|
||||
- return (0);
|
||||
+ return KbdintResultSuccess;
|
||||
case 0:
|
||||
break;
|
||||
default:
|
||||
- return (-1);
|
||||
+ return KbdintResultFailure;
|
||||
}
|
||||
if (num != 1) {
|
||||
error("PAM: expected one response, got %u", num);
|
||||
- return (-1);
|
||||
+ return KbdintResultFailure;
|
||||
}
|
||||
if ((buffer = sshbuf_new()) == NULL)
|
||||
fatal("%s: sshbuf_new failed", __func__);
|
||||
@@ -1015,10 +1015,10 @@ sshpam_respond(void *ctx, u_int num, char **resp)
|
||||
}
|
||||
if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, buffer) == -1) {
|
||||
sshbuf_free(buffer);
|
||||
- return (-1);
|
||||
+ return KbdintResultFailure;
|
||||
}
|
||||
sshbuf_free(buffer);
|
||||
- return (1);
|
||||
+ return KbdintResultAgain;
|
||||
}
|
||||
|
||||
static void
|
||||
diff --git a/auth.h b/auth.h
|
||||
index 6d2d3976234..aac1e92d9cd 100644
|
||||
--- a/auth.h
|
||||
+++ b/auth.h
|
||||
@@ -51,6 +51,7 @@ struct sshauthopt;
|
||||
typedef struct Authctxt Authctxt;
|
||||
typedef struct Authmethod Authmethod;
|
||||
typedef struct KbdintDevice KbdintDevice;
|
||||
+typedef int KbdintResult;
|
||||
|
||||
struct Authctxt {
|
||||
sig_atomic_t success;
|
||||
@@ -111,6 +112,10 @@ struct Authmethod {
|
||||
# int *enabled;
|
||||
int (*userauth)(struct ssh *, const char *);
|
||||
};
|
||||
|
||||
+#define KbdintResultFailure -1
|
||||
+#define KbdintResultSuccess 0
|
||||
+#define KbdintResultAgain 1
|
||||
+
|
||||
/*
|
||||
* Keyboard interactive device:
|
||||
* init_ctx returns: non NULL upon success
|
||||
diff --git a/auth2-chall.c b/auth2-chall.c
|
||||
index 021df829173..047d4e83c33 100644
|
||||
--- a/auth2-chall.c
|
||||
+++ b/auth2-chall.c
|
||||
@@ -331,11 +331,11 @@ input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh)
|
||||
free(response);
|
||||
|
||||
switch (res) {
|
||||
- case 0:
|
||||
+ case KbdintResultSuccess:
|
||||
/* Success! */
|
||||
authenticated = authctxt->valid ? 1 : 0;
|
||||
break;
|
||||
- case 1:
|
||||
+ case KbdintResultAgain:
|
||||
/* Authentication needs further interaction */
|
||||
if (send_userauth_info_request(ssh) == 1)
|
||||
authctxt->postponed = 1;
|
||||
|
||||
From 91ef15e8ed01a7e16d96ba6cb9ed51965dca9641 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
|
||||
Date: Mon, 16 Oct 2023 21:15:45 +0200
|
||||
Subject: [PATCH 2/6] auth-pam: Add an enum to define the PAM done status
|
||||
|
||||
Makes things more readable and easier to extend
|
||||
---
|
||||
auth-pam.c | 17 +++++++++++------
|
||||
1 file changed, 11 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/auth-pam.c b/auth-pam.c
|
||||
index 86137a1acdb..21291631011 100644
|
||||
--- a/auth-pam.c
|
||||
+++ b/auth-pam.c
|
||||
@@ -136,11 +136,16 @@ typedef pid_t sp_pthread_t;
|
||||
#define pthread_join fake_pthread_join
|
||||
#endif
|
||||
|
||||
+typedef int SshPamDone;
|
||||
+#define SshPamError -1
|
||||
+#define SshPamNone 0
|
||||
+#define SshPamAuthenticated 1
|
||||
+
|
||||
struct pam_ctxt {
|
||||
sp_pthread_t pam_thread;
|
||||
int pam_psock;
|
||||
int pam_csock;
|
||||
- int pam_done;
|
||||
+ SshPamDone pam_done;
|
||||
};
|
||||
|
||||
static void sshpam_free_ctx(void *);
|
||||
@@ -904,7 +909,7 @@ sshpam_query(void *ctx, char **name, char **info,
|
||||
**prompts = NULL;
|
||||
*num = 0;
|
||||
**echo_on = 0;
|
||||
- ctxt->pam_done = -1;
|
||||
+ ctxt->pam_done = SshPamError;
|
||||
free(msg);
|
||||
sshbuf_free(buffer);
|
||||
return 0;
|
||||
@@ -931,7 +936,7 @@ sshpam_query(void *ctx, char **name, char **info,
|
||||
import_environments(buffer);
|
||||
*num = 0;
|
||||
**echo_on = 0;
|
||||
- ctxt->pam_done = 1;
|
||||
+ ctxt->pam_done = SshPamAuthenticated;
|
||||
free(msg);
|
||||
sshbuf_free(buffer);
|
||||
return (0);
|
||||
@@ -944,7 +949,7 @@ sshpam_query(void *ctx, char **name, char **info,
|
||||
*num = 0;
|
||||
**echo_on = 0;
|
||||
free(msg);
|
||||
- ctxt->pam_done = -1;
|
||||
+ ctxt->pam_done = SshPamError;
|
||||
sshbuf_free(buffer);
|
||||
return (-1);
|
||||
}
|
||||
@@ -988,10 +993,10 @@ sshpam_respond(void *ctx, u_int num, char **resp)
|
||||
|
||||
debug2("PAM: %s entering, %u responses", __func__, num);
|
||||
switch (ctxt->pam_done) {
|
||||
- case 1:
|
||||
+ case SshPamAuthenticated:
|
||||
sshpam_authenticated = 1;
|
||||
return KbdintResultSuccess;
|
||||
- case 0:
|
||||
+ case SshPamNone:
|
||||
break;
|
||||
default:
|
||||
return KbdintResultFailure;
|
||||
|
||||
From 6fa8934d31cb9925c856f1b992fc5e04dd26da21 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
|
||||
Date: Tue, 17 Oct 2023 04:35:17 +0200
|
||||
Subject: [PATCH 3/6] auth-pam: Add debugging information when we receive PAM
|
||||
messages
|
||||
|
||||
---
|
||||
auth-pam.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/auth-pam.c b/auth-pam.c
|
||||
index 21291631011..7a72e724adc 100644
|
||||
--- a/auth-pam.c
|
||||
+++ b/auth-pam.c
|
||||
@@ -450,6 +450,9 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
|
||||
break;
|
||||
case PAM_ERROR_MSG:
|
||||
case PAM_TEXT_INFO:
|
||||
+ debug3("PAM: Got message of type %d: %s",
|
||||
+ PAM_MSG_MEMBER(msg, i, msg_style),
|
||||
+ PAM_MSG_MEMBER(msg, i, msg));
|
||||
if ((r = sshbuf_put_cstring(buffer,
|
||||
PAM_MSG_MEMBER(msg, i, msg))) != 0)
|
||||
fatal("%s: buffer error: %s",
|
||||
|
||||
From 598ee34312b541fa7b3988b4896641bf81996e27 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
|
||||
Date: Tue, 17 Oct 2023 04:27:32 +0200
|
||||
Subject: [PATCH 4/6] auth-pam: Immediately report interactive instructions to
|
||||
clients
|
||||
|
||||
SSH keyboard-interactive authentication method supports instructions but
|
||||
sshd didn't show them until an user prompt was requested.
|
||||
|
||||
This is quite inconvenient for various PAM modules that need to notify
|
||||
an user without requiring for their explicit input.
|
||||
|
||||
So, properly implement RFC4256 making instructions to be shown to users
|
||||
when they are requested from PAM.
|
||||
|
||||
Closes: https://bugzilla.mindrot.org/show_bug.cgi?id=2876
|
||||
---
|
||||
auth-pam.c | 21 ++++++++++++---------
|
||||
1 file changed, 12 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/auth-pam.c b/auth-pam.c
|
||||
index 7a72e724adc..b756f0e5221 100644
|
||||
--- a/auth-pam.c
|
||||
+++ b/auth-pam.c
|
||||
@@ -140,6 +140,7 @@ typedef int SshPamDone;
|
||||
#define SshPamError -1
|
||||
#define SshPamNone 0
|
||||
#define SshPamAuthenticated 1
|
||||
+#define SshPamAgain 2
|
||||
|
||||
struct pam_ctxt {
|
||||
sp_pthread_t pam_thread;
|
||||
@@ -868,6 +869,8 @@ sshpam_query(void *ctx, char **name, char **info,
|
||||
**prompts = NULL;
|
||||
plen = 0;
|
||||
*echo_on = xmalloc(sizeof(u_int));
|
||||
+ ctxt->pam_done = SshPamNone;
|
||||
+
|
||||
while (ssh_msg_recv(ctxt->pam_psock, buffer) == 0) {
|
||||
if (++nmesg > PAM_MAX_NUM_MSG)
|
||||
fatal_f("too many query messages");
|
||||
@@ -888,15 +891,13 @@ sshpam_query(void *ctx, char **name, char **info,
|
||||
return (0);
|
||||
case PAM_ERROR_MSG:
|
||||
case PAM_TEXT_INFO:
|
||||
- /* accumulate messages */
|
||||
- len = plen + mlen + 2;
|
||||
- **prompts = xreallocarray(**prompts, 1, len);
|
||||
- strlcpy(**prompts + plen, msg, len - plen);
|
||||
- plen += mlen;
|
||||
- strlcat(**prompts + plen, "\n", len - plen);
|
||||
- plen++;
|
||||
- free(msg);
|
||||
- break;
|
||||
+ *num = 0;
|
||||
+ free(*info);
|
||||
+ *info = msg; /* Steal the message */
|
||||
+ msg = NULL;
|
||||
+ ctxt->pam_done = SshPamAgain;
|
||||
+ sshbuf_free(buffer);
|
||||
+ return (0);
|
||||
case PAM_ACCT_EXPIRED:
|
||||
case PAM_MAXTRIES:
|
||||
if (type == PAM_ACCT_EXPIRED)
|
||||
@@ -1001,6 +1002,8 @@ sshpam_respond(void *ctx, u_int num, char **resp)
|
||||
return KbdintResultSuccess;
|
||||
case SshPamNone:
|
||||
break;
|
||||
+ case SshPamAgain:
|
||||
+ return KbdintResultAgain;
|
||||
default:
|
||||
return KbdintResultFailure;
|
||||
}
|
||||
|
||||
From cc14301ce0542cdbb825eff8041ce98a1da9ef08 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
|
||||
Date: Tue, 17 Oct 2023 06:12:03 +0200
|
||||
Subject: [PATCH 5/6] sshconnect2: Write kbd-interactive service, info and
|
||||
instructions as utf-8
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
As per the previous server change now the keyboard-interactive service
|
||||
and instruction values could be reported as soon as they are available
|
||||
and so they're not prompts anymore and not parsed like them.
|
||||
|
||||
While this was already supported by the SSH client, these messages were
|
||||
not properly written as the escaped sequences they contained were not
|
||||
correctly reported.
|
||||
|
||||
So for example a message containing "\" was represented as "\\" and
|
||||
similarly for all the other C escape sequences.
|
||||
|
||||
This was leading to more problems when it come to utf-8 chars, as they
|
||||
were only represented by their octal representation.
|
||||
|
||||
This was easily testable by adding a line like the one below to the
|
||||
sshd PAM service:
|
||||
auth requisite pam_echo.so Hello SSHD! Want some 🍕?
|
||||
|
||||
Which was causing this to be written instead:
|
||||
Hello SSHD! Want some \360\237\215\225?
|
||||
|
||||
To handle this, instead of simply using fmprintf, we're using the notifier
|
||||
in a way can be exposed to users in the proper format and UI.
|
||||
---
|
||||
sshconnect2.c | 33 ++++++++++++++++++++++++---------
|
||||
1 file changed, 24 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/sshconnect2.c b/sshconnect2.c
|
||||
index 5831a00c6d1..543431218c1 100644
|
||||
--- a/sshconnect2.c
|
||||
+++ b/sshconnect2.c
|
||||
@@ -1091,6 +1091,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh)
|
||||
char *info = NULL, *lang = NULL, *password = NULL, *retype = NULL;
|
||||
char prompt[256];
|
||||
const char *host;
|
||||
+ size_t info_len;
|
||||
int r;
|
||||
|
||||
debug2("input_userauth_passwd_changereq");
|
||||
@@ -1100,11 +1101,15 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh)
|
||||
"no authentication context");
|
||||
host = options.host_key_alias ? options.host_key_alias : authctxt->host;
|
||||
|
||||
- if ((r = sshpkt_get_cstring(ssh, &info, NULL)) != 0 ||
|
||||
+ if ((r = sshpkt_get_cstring(ssh, &info, &info_len)) != 0 ||
|
||||
(r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0)
|
||||
goto out;
|
||||
- if (strlen(info) > 0)
|
||||
- logit("%s", info);
|
||||
+ if (info_len > 0) {
|
||||
+ struct notifier_ctx *notifier = NULL;
|
||||
+ debug_f("input_userauth_passwd_changereq info: %s", info);
|
||||
+ notifier = notify_start(0, "%s", info);
|
||||
+ notify_complete(notifier, NULL);
|
||||
+ }
|
||||
if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||
(r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 ||
|
||||
(r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 ||
|
||||
@@ -1938,8 +1943,10 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh)
|
||||
Authctxt *authctxt = ssh->authctxt;
|
||||
char *name = NULL, *inst = NULL, *lang = NULL, *prompt = NULL;
|
||||
char *display_prompt = NULL, *response = NULL;
|
||||
+ struct notifier_ctx *notifier = NULL;
|
||||
u_char echo = 0;
|
||||
u_int num_prompts, i;
|
||||
+ size_t name_len, inst_len;
|
||||
int r;
|
||||
|
||||
debug2_f("entering");
|
||||
@@ -1949,14 +1956,22 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh)
|
||||
|
||||
authctxt->info_req_seen = 1;
|
||||
|
||||
- if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0 ||
|
||||
- (r = sshpkt_get_cstring(ssh, &inst, NULL)) != 0 ||
|
||||
+ if ((r = sshpkt_get_cstring(ssh, &name, &name_len)) != 0 ||
|
||||
+ (r = sshpkt_get_cstring(ssh, &inst, &inst_len)) != 0 ||
|
||||
(r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0)
|
||||
goto out;
|
||||
- if (strlen(name) > 0)
|
||||
- logit("%s", name);
|
||||
- if (strlen(inst) > 0)
|
||||
- logit("%s", inst);
|
||||
+ if (name_len > 0) {
|
||||
+ debug_f("kbd int name: %s", name);
|
||||
+ notifier = notify_start(0, "%s", name);
|
||||
+ notify_complete(notifier, NULL);
|
||||
+ notifier = NULL;
|
||||
+ }
|
||||
+ if (inst_len > 0) {
|
||||
+ debug_f("kbd int inst: %s", inst);
|
||||
+ notifier = notify_start(0, "%s", inst);
|
||||
+ notify_complete(notifier, NULL);
|
||||
+ notifier = NULL;
|
||||
+ }
|
||||
|
||||
if ((r = sshpkt_get_u32(ssh, &num_prompts)) != 0)
|
||||
goto out;
|
||||
|
||||
From 99656caabc5cff24122e5b9a140e5a38ab418a5d Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
|
||||
Date: Tue, 17 Oct 2023 06:05:59 +0200
|
||||
Subject: [PATCH 6/6] auth2-chall: Fix selection of the keyboard-interactive
|
||||
device
|
||||
|
||||
We were only checking if the prefix of a device name was matching what
|
||||
we had in the devices list, so if the device list contained "pam", then
|
||||
also the device "pam-foo" was matching.
|
||||
---
|
||||
auth2-chall.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/auth2-chall.c b/auth2-chall.c
|
||||
index 047d4e83c33..db658c9b4a7 100644
|
||||
--- a/auth2-chall.c
|
||||
+++ b/auth2-chall.c
|
||||
@@ -170,7 +170,7 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
|
||||
"keyboard-interactive", devices[i]->name))
|
||||
continue;
|
||||
if (strncmp(kbdintctxt->devices, devices[i]->name,
|
||||
- len) == 0) {
|
||||
+ len) == 0 && strlen(devices[i]->name) == len) {
|
||||
kbdintctxt->device = devices[i];
|
||||
kbdintctxt->devices_done |= 1 << i;
|
||||
}
|
@ -0,0 +1,55 @@
|
||||
From 66aaa678dbe59aa21d0d9d89a3596ecedde0254b Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Tue, 30 Apr 2024 02:14:10 +0000
|
||||
Subject: [PATCH] upstream: correctly restore sigprocmask around ppoll()
|
||||
reported
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
by Tõivo Leedjärv; ok deraadt@
|
||||
|
||||
OpenBSD-Commit-ID: c0c0f89de5294a166578f071eade2501929c4686
|
||||
---
|
||||
clientloop.c | 4 ++--
|
||||
serverloop.c | 4 ++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/clientloop.c b/clientloop.c
|
||||
index be8bb5fc1f2..8ea2ada4216 100644
|
||||
--- a/clientloop.c
|
||||
+++ b/clientloop.c
|
||||
#@@ -1,4 +1,4 @@
|
||||
#-/* $OpenBSD: clientloop.c,v 1.404 2024/04/30 02:10:49 djm Exp $ */
|
||||
#+/* $OpenBSD: clientloop.c,v 1.405 2024/04/30 02:14:10 djm Exp $ */
|
||||
# /*
|
||||
# * Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
# * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -1585,7 +1585,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
|
||||
client_wait_until_can_do_something(ssh, &pfd, &npfd_alloc,
|
||||
&npfd_active, channel_did_enqueue, &osigset,
|
||||
&conn_in_ready, &conn_out_ready);
|
||||
- if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
|
||||
+ if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
|
||||
error_f("osigset sigprocmask: %s", strerror(errno));
|
||||
|
||||
if (quit_pending)
|
||||
diff --git a/serverloop.c b/serverloop.c
|
||||
index f3683c2e4a6..94c8943a616 100644
|
||||
--- a/serverloop.c
|
||||
+++ b/serverloop.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: serverloop.c,v 1.237 2023/08/21 04:59:54 djm Exp $ */
|
||||
+/* $OpenBSD: serverloop.c,v 1.238 2024/04/30 02:14:10 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -380,7 +380,7 @@ server_loop2(struct ssh *ssh, Authctxt *authctxt)
|
||||
wait_until_can_do_something(ssh, connection_in, connection_out,
|
||||
&pfd, &npfd_alloc, &npfd_active, &osigset,
|
||||
&conn_in_ready, &conn_out_ready);
|
||||
- if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
|
||||
+ if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
|
||||
error_f("osigset sigprocmask: %s", strerror(errno));
|
||||
|
||||
if (received_sigterm) {
|
@ -0,0 +1,32 @@
|
||||
From 9844aa2521ccfb1a2d73745680327b79e0574445 Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Wed, 21 Feb 2024 05:57:34 +0000
|
||||
Subject: [PATCH] upstream: fix proxy multiplexing mode, broken when keystroke
|
||||
timing
|
||||
|
||||
obfuscation was added. GHPR#463 from montag451
|
||||
|
||||
OpenBSD-Commit-ID: 4e412d59b3f557d431f1d81c715a3bc0491cc677
|
||||
---
|
||||
clientloop.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/clientloop.c b/clientloop.c
|
||||
index eb4902905fb..8ec36af94b3 100644
|
||||
--- a/clientloop.c
|
||||
+++ b/clientloop.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: clientloop.c,v 1.402 2023/11/24 00:31:30 dtucker Exp $ */
|
||||
+/* $OpenBSD: clientloop.c,v 1.403 2024/02/21 05:57:34 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -517,7 +517,7 @@ send_chaff(struct ssh *ssh)
|
||||
{
|
||||
int r;
|
||||
|
||||
- if ((ssh->kex->flags & KEX_HAS_PING) == 0)
|
||||
+ if (ssh->kex == NULL || (ssh->kex->flags & KEX_HAS_PING) == 0)
|
||||
return 0;
|
||||
/* XXX probabilistically send chaff? */
|
||||
/*
|
@ -0,0 +1,38 @@
|
||||
From 146c420d29d055cc75c8606327a1cf8439fe3a08 Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Mon, 1 Jul 2024 04:31:17 +0000
|
||||
Subject: [PATCH] upstream: when sending ObscureKeystrokeTiming chaff packets,
|
||||
we
|
||||
|
||||
can't rely on channel_did_enqueue to tell that there is data to send. This
|
||||
flag indicates that the channels code enqueued a packet on _this_ ppoll()
|
||||
iteration, not that data was enqueued in _any_ ppoll() iteration in the
|
||||
timeslice. ok markus@
|
||||
|
||||
OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
|
||||
---
|
||||
clientloop.c | 7 ++++---
|
||||
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/clientloop.c b/clientloop.c
|
||||
index 0b6f3c9be02..8ed8b1c3449 100644
|
||||
--- a/clientloop.c
|
||||
+++ b/clientloop.c
|
||||
#@@ -1,4 +1,4 @@
|
||||
#-/* $OpenBSD: clientloop.c,v 1.407 2024/05/17 06:42:04 jsg Exp $ */
|
||||
#+/* $OpenBSD: clientloop.c,v 1.408 2024/07/01 04:31:17 djm Exp $ */
|
||||
# /*
|
||||
# * Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
# * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -607,8 +607,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
|
||||
if (timespeccmp(&now, &chaff_until, >=)) {
|
||||
/* Stop if there have been no keystrokes for a while */
|
||||
stop_reason = "chaff time expired";
|
||||
- } else if (timespeccmp(&now, &next_interval, >=)) {
|
||||
- /* Otherwise if we were due to send, then send chaff */
|
||||
+ } else if (timespeccmp(&now, &next_interval, >=) &&
|
||||
+ !ssh_packet_have_data_to_write(ssh)) {
|
||||
+ /* If due to send but have no data, then send chaff */
|
||||
if (send_chaff(ssh))
|
||||
nchaff++;
|
||||
}
|
64
README.FIPS
Normal file
64
README.FIPS
Normal file
@ -0,0 +1,64 @@
|
||||
Notes on FIPS mode and OpenSSH
|
||||
|
||||
---
|
||||
|
||||
SUSE OpenSSH comes with FIPS 140-2 support, and certain versions have been
|
||||
certified as FIPS compliant by NIST. Apart from other things, this standard
|
||||
puts restrictions on cryptographic algorithms that may be used.
|
||||
|
||||
Important notice: FIPS is not only a matter of functionality. If you want to
|
||||
claim having a FIPS certified service, you *must* use the certified binaries.
|
||||
Even binaries built from the same sources in the same environment and running
|
||||
on a certified system, yet from a package lacking the certification, are
|
||||
formally not considered to be fulfilling the requirements.
|
||||
|
||||
The certified binaries (ssh, sshd, sftp-server) perform mandatory selfcheck at
|
||||
startup and proceed only when the checks succeed (non-certified binaries may
|
||||
skip the check). These checks require the cryptographic hashes contained in the
|
||||
openssh-fips subpackage.
|
||||
|
||||
The FIPS mode for OpenSSH is enabled in two ways - either:
|
||||
|
||||
1) /proc/sys/crypto/fips_enabled contains a single character '1' - this is a
|
||||
system-wide setting controlled bu the fips kernel parameter; or
|
||||
|
||||
2) the environment variable SSH_FORCE_FIPS - if set (to any value), the
|
||||
binaries behave as if they were running on a system in FIPS mode.
|
||||
|
||||
Since FIPS 140-2 only allows use of certain cryptographic algorithms, both the
|
||||
client and server will fail if they are requested to use non-approved
|
||||
algorithms while in FIPS mode. This means that working configurations for FIPS
|
||||
mode form a proper subset of all working (generic) configurations. Some
|
||||
configurations may even prevent the binaries from starting at all.
|
||||
|
||||
This however should be viewed in the context of FIPS being a security policy
|
||||
tool - it is not of much use to run the same system both in FIPS mode and
|
||||
outside of it, since that would defeat the main purpose of FIPS having
|
||||
guaranteeing standardised minimum restrictions on cryptographic algorithms
|
||||
(and thus on the overall security of the system).
|
||||
|
||||
Unless you specify what cryptographic algorithms you wish to use, both the
|
||||
client and server should work out of the box in FIPS mode.
|
||||
|
||||
For sshd, you can use the `-t` option to check whether the configuration file
|
||||
is working. Setting the above mentioned environment variable allows testing of
|
||||
behaviour in FIPS mode (checksum files for both OpenSSH and OpenSSL must be
|
||||
installed).
|
||||
|
||||
In addition to cryptographic algorithms restrictions, sshd performs periodic
|
||||
PRNG re-seeding. The seed is read from entropy source either /dev/urandom or
|
||||
/dev/random. By default, the former is used, unless the environment variable
|
||||
SSH_USE_STRONG_RNG is set to a non-zero value or the binary is running in FIPS
|
||||
mode. This has two important implications:
|
||||
|
||||
1) the selected entropy source must be available, i.e. when running in a
|
||||
changeroot the device files need to be present there.
|
||||
|
||||
2) /dev/random is a blocking interface - unless enough randomness is available,
|
||||
the process stops until the entropy pool is replenished. Thus on systems where
|
||||
a long running processes are expected, one should make sure there is always
|
||||
enough entropy for sshd. Sporadically this may also cause sshd to aborted,
|
||||
since some versions of OpenSSL (the underlying cryptographic engine) don't
|
||||
handle gracefully being interrupted while trying to read entropy from the
|
||||
system source.
|
||||
|
23
README.SUSE
Normal file
23
README.SUSE
Normal file
@ -0,0 +1,23 @@
|
||||
There are following changes in default settings of ssh client and server:
|
||||
|
||||
* Accepting and sending of locale environment variables in protocol 2 is
|
||||
enabled.
|
||||
|
||||
* PAM authentication is enabled and mostly even required, do not turn it off.
|
||||
|
||||
* In SLE15, root authentiation with password is enabled by default
|
||||
(PermitRootLogin yes).
|
||||
NOTE: this has security implications and is only done in order to not change
|
||||
behaviour of the server in an update. We strongly suggest setting this option
|
||||
either "prohibit-password" or even better to "no" (which disables direct
|
||||
remote root login entirely).
|
||||
|
||||
* DSA authentication is enabled by default for maximum compatibility.
|
||||
NOTE: do not use DSA authentication since it is being phased out for a reason
|
||||
- the size of DSA keys is limited by the standard to 1024 bits which cannot
|
||||
be considered safe any more.
|
||||
|
||||
* Accepting all RFC4419 specified DH group parameters. See KexDHMin in
|
||||
ssh_config and sshd_config manual pages.
|
||||
|
||||
For more information on differences in SUSE OpenSSH package see README.FIPS
|
18
README.kerberos
Normal file
18
README.kerberos
Normal file
@ -0,0 +1,18 @@
|
||||
This version of the Kerbros/GSSAPI support avoids DNS lookups
|
||||
for Kerberos-related names. These DNS lookups were problematic
|
||||
for dialup users because they would lead to excessive delays
|
||||
if DNS was not reachable.
|
||||
|
||||
If you do use Kerberos, please make sure you edit the server and
|
||||
client configuration files as follows:
|
||||
|
||||
/etc/ssh/sshd_config:
|
||||
|
||||
GSSAPIAuthentication yes
|
||||
GSSAPICleanupCredentials yes
|
||||
|
||||
/etc/ssh/ssh_config:
|
||||
Host *
|
||||
... lots of other options ...
|
||||
GSSAPIAuthentication yes
|
||||
GSSAPIDelegateCredentials yes
|
3
_multibuild
Normal file
3
_multibuild
Normal file
@ -0,0 +1,3 @@
|
||||
<multibuild>
|
||||
<package>openssh-askpass-gnome</package>
|
||||
</multibuild>
|
184
cavs_driver-ssh.pl
Normal file
184
cavs_driver-ssh.pl
Normal file
@ -0,0 +1,184 @@
|
||||
#!/usr/bin/perl
|
||||
#
|
||||
# CAVS test driver for OpenSSH
|
||||
#
|
||||
# Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to deal
|
||||
# in the Software without restriction, including without limitation the rights
|
||||
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
# copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# NO WARRANTY
|
||||
#
|
||||
# BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
||||
# FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
||||
# OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
||||
# PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
||||
# OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
||||
# TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
||||
# PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
||||
# REPAIR OR CORRECTION.
|
||||
#
|
||||
# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||
# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
||||
# REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
||||
# INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
||||
# OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
||||
# TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
||||
# YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
||||
# PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
||||
# POSSIBILITY OF SUCH DAMAGES.
|
||||
#
|
||||
use strict;
|
||||
use warnings;
|
||||
use IPC::Open2;
|
||||
|
||||
# Executing a program by feeding STDIN and retrieving
|
||||
# STDOUT
|
||||
# $1: data string to be piped to the app on STDIN
|
||||
# rest: program and args
|
||||
# returns: STDOUT of program as string
|
||||
sub pipe_through_program($@) {
|
||||
my $in = shift;
|
||||
my @args = @_;
|
||||
|
||||
my ($CO, $CI);
|
||||
my $pid = open2($CO, $CI, @args);
|
||||
|
||||
my $out = "";
|
||||
my $len = length($in);
|
||||
my $first = 1;
|
||||
while (1) {
|
||||
my $rin = "";
|
||||
my $win = "";
|
||||
# Output of prog is FD that we read
|
||||
vec($rin,fileno($CO),1) = 1;
|
||||
# Input of prog is FD that we write
|
||||
# check for $first is needed because we can have NULL input
|
||||
# that is to be written to the app
|
||||
if ( $len > 0 || $first) {
|
||||
(vec($win,fileno($CI),1) = 1);
|
||||
$first=0;
|
||||
}
|
||||
# Let us wait for 100ms
|
||||
my $nfound = select(my $rout=$rin, my $wout=$win, undef, 0.1);
|
||||
if ( $wout ) {
|
||||
my $written = syswrite($CI, $in, $len);
|
||||
die "broken pipe" if !defined $written;
|
||||
$len -= $written;
|
||||
substr($in, 0, $written) = "";
|
||||
if ($len <= 0) {
|
||||
close $CI or die "broken pipe: $!";
|
||||
}
|
||||
}
|
||||
if ( $rout ) {
|
||||
my $tmp_out = "";
|
||||
my $bytes_read = sysread($CO, $tmp_out, 4096);
|
||||
$out .= $tmp_out;
|
||||
last if ($bytes_read == 0);
|
||||
}
|
||||
}
|
||||
close $CO or die "broken pipe: $!";
|
||||
waitpid $pid, 0;
|
||||
|
||||
return $out;
|
||||
}
|
||||
|
||||
# Parser of CAVS test vector file
|
||||
# $1: Test vector file
|
||||
# $2: Output file for test results
|
||||
# return: nothing
|
||||
sub parse($$) {
|
||||
my $infile = shift;
|
||||
my $outfile = shift;
|
||||
|
||||
my $out = "";
|
||||
|
||||
my $K = "";
|
||||
my $H = "";
|
||||
my $session_id = "";
|
||||
my $ivlen = 0;
|
||||
my $eklen = "";
|
||||
my $iklen = "";
|
||||
|
||||
open(IN, "<$infile");
|
||||
while(<IN>) {
|
||||
|
||||
my $line = $_;
|
||||
chomp($line);
|
||||
$line =~ s/\r//;
|
||||
|
||||
if ($line =~ /\[SHA-1\]/) {
|
||||
$iklen = 20;
|
||||
} elsif ($line =~ /\[SHA-256\]/) {
|
||||
$iklen = 32;
|
||||
} elsif ($line =~ /\[SHA-384\]/) {
|
||||
$iklen = 48;
|
||||
} elsif ($line =~ /\[SHA-512\]/) {
|
||||
$iklen = 64;
|
||||
} elsif ($line =~ /^\[IV length\s*=\s*(.*)\]/) {
|
||||
$ivlen = $1;
|
||||
$ivlen = $ivlen / 8;
|
||||
} elsif ($line =~ /^\[encryption key length\s*=\s*(.*)\]/) {
|
||||
$eklen = $1;
|
||||
$eklen = $eklen / 8;
|
||||
} elsif ($line =~ /^K\s*=\s*(.*)/) {
|
||||
$K = $1;
|
||||
$K = substr($K, 8);
|
||||
$K = "00" . $K;
|
||||
} elsif ($line =~ /^H\s*=\s*(.*)/) {
|
||||
$H = $1;
|
||||
} elsif ($line =~ /^session_id\s*=\s*(.*)/) {
|
||||
$session_id = $1;
|
||||
}
|
||||
$out .= $line . "\n";
|
||||
|
||||
if ($K ne "" && $H ne "" && $session_id ne "" &&
|
||||
$ivlen ne "" && $eklen ne "" && $iklen > 0) {
|
||||
$out .= pipe_through_program("", "@LIBEXECDIR@/ssh/cavstest-kdf -H $H -K $K -s $session_id -i $ivlen -e $eklen -m $iklen");
|
||||
|
||||
$K = "";
|
||||
$H = "";
|
||||
$session_id = "";
|
||||
}
|
||||
}
|
||||
close IN;
|
||||
$out =~ s/\n/\r\n/g; # make it a dos file
|
||||
open(OUT, ">$outfile") or die "Cannot create output file $outfile: $?";
|
||||
print OUT $out;
|
||||
close OUT;
|
||||
}
|
||||
|
||||
############################################################
|
||||
#
|
||||
# let us pretend to be C :-)
|
||||
sub main() {
|
||||
|
||||
my $infile=$ARGV[0];
|
||||
die "Error: Test vector file $infile not found" if (! -f $infile);
|
||||
|
||||
my $outfile = $infile;
|
||||
# let us add .rsp regardless whether we could strip .req
|
||||
$outfile =~ s/\.req$//;
|
||||
$outfile .= ".rsp";
|
||||
if (-f $outfile) {
|
||||
die "Output file $outfile could not be removed: $?"
|
||||
unless unlink($outfile);
|
||||
}
|
||||
print STDERR "Performing tests from source file $infile with results stored in destination file $outfile\n";
|
||||
|
||||
# Do the job
|
||||
parse($infile, $outfile);
|
||||
}
|
||||
|
||||
###########################################
|
||||
# Call it
|
||||
main();
|
||||
1;
|
19
fix-CVE-2024-6387.patch
Normal file
19
fix-CVE-2024-6387.patch
Normal file
@ -0,0 +1,19 @@
|
||||
Index: openssh-9.6p1/log.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/log.c
|
||||
+++ openssh-9.6p1/log.c
|
||||
@@ -451,12 +451,14 @@ void
|
||||
sshsigdie(const char *file, const char *func, int line, int showfunc,
|
||||
LogLevel level, const char *suffix, const char *fmt, ...)
|
||||
{
|
||||
+#if 0
|
||||
va_list args;
|
||||
|
||||
va_start(args, fmt);
|
||||
sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
|
||||
suffix, fmt, args);
|
||||
va_end(args);
|
||||
+#endif
|
||||
_exit(1);
|
||||
}
|
||||
|
23
fix-audit-fail-attempt.patch
Normal file
23
fix-audit-fail-attempt.patch
Normal file
@ -0,0 +1,23 @@
|
||||
Index: openssh-9.8p1/sshd-session.c
|
||||
===================================================================
|
||||
--- openssh-9.8p1.orig/sshd-session.c
|
||||
+++ openssh-9.8p1/sshd-session.c
|
||||
@@ -1624,9 +1624,6 @@ cleanup_exit(int i)
|
||||
}
|
||||
}
|
||||
}
|
||||
- /* Override default fatal exit value when auth was attempted */
|
||||
- if (i == 255 && auth_attempted)
|
||||
- _exit(EXIT_AUTH_ATTEMPTED);
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
/* done after do_cleanup so it can cancel the PAM auth 'thread' */
|
||||
if (the_active_state != NULL &&
|
||||
@@ -1636,5 +1633,8 @@ cleanup_exit(int i)
|
||||
#endif
|
||||
|
||||
clobber_stack();
|
||||
+ /* Override default fatal exit value when auth was attempted */
|
||||
+ if (i == 255 && auth_attempted)
|
||||
+ _exit(EXIT_AUTH_ATTEMPTED);
|
||||
_exit(i);
|
||||
}
|
39
fix-memleak-in-process_server_config_line_depth.patch
Normal file
39
fix-memleak-in-process_server_config_line_depth.patch
Normal file
@ -0,0 +1,39 @@
|
||||
From fcc66557503124ab98491a598b706a24eb3cf0e1 Mon Sep 17 00:00:00 2001
|
||||
From: Antonio Larrosa <alarrosa@suse.com>
|
||||
Date: Mon, 12 Aug 2024 11:32:42 +0200
|
||||
Subject: [PATCH] Fix a small memory leak in process_server_config_line_depth
|
||||
|
||||
The return value of argv_assemble is owned by the caller and should be
|
||||
free'd. When processing the sSubsystem case there are two calls to
|
||||
argv_assemble but only one of them is freed. This patch fixes the small
|
||||
(29 bytes according to valgrind) memory leak.
|
||||
|
||||
The output from valgrind:
|
||||
==115369== 29 bytes in 1 blocks are definitely lost in loss record 573 of 913
|
||||
==115369== at 0x4845794: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
|
||||
==115369== by 0x124A22: argv_assemble (misc.c:2165)
|
||||
==115369== by 0x1385E5: process_server_config_line_depth.constprop.0 (servconf.c:2004)
|
||||
==115369== by 0x13984D: parse_server_config_depth.constprop.0 (servconf.c:3032)
|
||||
==115369== by 0x139986: parse_server_config.constprop.0 (servconf.c:3049)
|
||||
==115369== by 0x111C6E: main (sshd.c:1445)
|
||||
|
||||
Submitted to upstream at https://github.com/openssh/openssh-portable/pull/515
|
||||
---
|
||||
servconf.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index 5a20d6f8..0b989b95 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -2006,6 +2006,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||
xasprintf(&options->subsystem_args[options->num_subsystems],
|
||||
"%s%s%s", arg, *arg2 == '\0' ? "" : " ", arg2);
|
||||
free(arg2);
|
||||
+ free(arg);
|
||||
argv_consume(&ac);
|
||||
options->num_subsystems++;
|
||||
break;
|
||||
--
|
||||
2.45.2
|
||||
|
25
fix-missing-lz.patch
Normal file
25
fix-missing-lz.patch
Normal file
@ -0,0 +1,25 @@
|
||||
Index: openssh-9.3p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-9.3p1.orig/Makefile.in
|
||||
+++ openssh-9.3p1/Makefile.in
|
||||
@@ -250,17 +250,17 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
|
||||
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o $(SFTPSERVER_OBJS)
|
||||
- $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
+ $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
|
||||
|
||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
|
||||
$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
||||
|
||||
# FIPS tests
|
||||
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
|
||||
- $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
+ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
|
||||
|
||||
cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o
|
||||
- $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
+ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
|
||||
|
||||
# test driver for the loginrec code - not built by default
|
||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
200
logind_set_tty.patch
Normal file
200
logind_set_tty.patch
Normal file
@ -0,0 +1,200 @@
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index f0ea07e7b..35dcf45f1 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -56,6 +56,7 @@ SSHDLIBS=@SSHDLIBS@
|
||||
LIBEDIT=@LIBEDIT@
|
||||
LIBFIDO2=@LIBFIDO2@
|
||||
LIBWTMPDB=@LIBWTMPDB@
|
||||
+LIBSYSTEMD=@LIBSYSTEMD@
|
||||
AR=@AR@
|
||||
AWK=@AWK@
|
||||
RANLIB=@RANLIB@
|
||||
@@ -208,7 +209,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
||||
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB) $(LIBSYSTEMD)
|
||||
|
||||
sshd-session$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHD_SESSION_OBJS)
|
||||
$(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index a12c6f7ad..860df3379 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -1789,6 +1789,47 @@ AC_ARG_WITH([wtmpdb],
|
||||
)
|
||||
|
||||
|
||||
+# Check whether user wants logind/set tty support
|
||||
+AC_ARG_WITH([logind],
|
||||
+ [ --with-logind[[=PATH]] Enable logind support for sshd],
|
||||
+ [ if test "x$withval" != "xno" ; then
|
||||
+ if test "x$withval" = "xyes" ; then
|
||||
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
|
||||
+ if test "x$PKGCONFIG" != "xno"; then
|
||||
+ AC_MSG_CHECKING([if $PKGCONFIG knows about libsystemd])
|
||||
+ if "$PKGCONFIG" libsystemd; then
|
||||
+ AC_MSG_RESULT([yes])
|
||||
+ use_pkgconfig_for_libsystemd=yes
|
||||
+ else
|
||||
+ AC_MSG_RESULT([no])
|
||||
+ fi
|
||||
+ fi
|
||||
+ else
|
||||
+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
|
||||
+ if test -n "${rpath_opt}"; then
|
||||
+ LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
|
||||
+ else
|
||||
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
|
||||
+ fi
|
||||
+ fi
|
||||
+ if test "x$use_pkgconfig_for_libsystemd" = "xyes"; then
|
||||
+ LIBSYSTEMD=`$PKGCONFIG --libs libsystemd`
|
||||
+ CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libsystemd`"
|
||||
+ else
|
||||
+ LIBSYSTEMD="-lsystemd"
|
||||
+ fi
|
||||
+ OTHERLIBS=`echo $LIBSYSTEMD | sed 's/-lsystemd//'`
|
||||
+ AC_CHECK_LIB([systemd], [sd_bus_open_system],
|
||||
+ [ AC_DEFINE([USE_LOGIND], [1], [Use systemd-logind])
|
||||
+ AC_SUBST([LIBSYSTEMD])
|
||||
+ ],
|
||||
+ [ AC_MSG_ERROR([libsystemd not found]) ],
|
||||
+ [ $OTHERLIBS ]
|
||||
+ )
|
||||
+ fi ]
|
||||
+)
|
||||
+
|
||||
+
|
||||
AUDIT_MODULE=none
|
||||
AC_ARG_WITH([audit],
|
||||
[ --with-audit=module Enable audit support (modules=debug,bsm,linux)],
|
||||
diff --git a/loginrec.c b/loginrec.c
|
||||
index 86caf83b2..8b413190b 100644
|
||||
--- a/loginrec.c
|
||||
+++ b/loginrec.c
|
||||
@@ -191,6 +191,10 @@
|
||||
# include <wtmpdb.h>
|
||||
#endif
|
||||
|
||||
+#ifdef USE_LOGIND
|
||||
+# include <systemd/sd-bus.h>
|
||||
+#endif
|
||||
+
|
||||
/**
|
||||
** prototypes for helper functions in this file
|
||||
**/
|
||||
@@ -214,6 +218,9 @@ int syslogin_write_entry(struct logininfo *li);
|
||||
#ifdef USE_WTMPDB
|
||||
int wtmpdb_write_entry(struct logininfo *li);
|
||||
#endif
|
||||
+#ifdef USE_LOGIND
|
||||
+int logind_set_tty(struct logininfo *li);
|
||||
+#endif
|
||||
|
||||
int getlast_entry(struct logininfo *li);
|
||||
int lastlog_get_entry(struct logininfo *li);
|
||||
@@ -477,6 +484,9 @@ login_write(struct logininfo *li)
|
||||
#ifdef USE_WTMPDB
|
||||
wtmpdb_write_entry(li);
|
||||
#endif
|
||||
+#ifdef USE_LOGIND
|
||||
+ logind_set_tty(li);
|
||||
+#endif
|
||||
#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
|
||||
if (li->type == LTYPE_LOGIN &&
|
||||
!sys_auth_record_login(li->username,li->hostname,li->line,
|
||||
@@ -1476,6 +1486,91 @@ wtmpdb_write_entry(struct logininfo *li)
|
||||
}
|
||||
#endif
|
||||
|
||||
+#ifdef USE_LOGIND
|
||||
+#define DBUS_DESTINATION "org.freedesktop.login1"
|
||||
+#define DBUS_PATH_ID "/org/freedesktop/login1/session/auto"
|
||||
+#define DBUS_INTERFACE "org.freedesktop.login1.Session"
|
||||
+#define DBUS_PATH "/org/freedesktop/login1/session/%s"
|
||||
+
|
||||
+static int
|
||||
+logind_perform_login(struct logininfo *li)
|
||||
+{
|
||||
+ sd_bus *bus = NULL;
|
||||
+ sd_bus_error error = SD_BUS_ERROR_NULL;
|
||||
+ char *session_id = NULL;
|
||||
+ char *dbus_path;
|
||||
+ const char *tty;
|
||||
+ char buf[PATH_MAX];
|
||||
+ int r;
|
||||
+ int fd;
|
||||
+
|
||||
+ if (sd_bus_open_system(&bus) < 0)
|
||||
+ {
|
||||
+ logit("logind: canot open dbus");
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
+ if (sd_bus_get_property_string(bus, DBUS_DESTINATION,
|
||||
+ DBUS_PATH_ID, DBUS_INTERFACE,
|
||||
+ "Id", &error, &session_id) < 0)
|
||||
+ {
|
||||
+ logit("logind: cannot get session ID");
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
+ if (strncmp(li->line, "/dev/", 5) != 0)
|
||||
+ snprintf (buf, sizeof(buf), "/dev/%s", li->line);
|
||||
+ else
|
||||
+ tty = li->line;
|
||||
+
|
||||
+ fd = open(tty, O_RDWR|O_CLOEXEC|O_NOCTTY);
|
||||
+
|
||||
+ if (asprintf (&dbus_path, DBUS_PATH, session_id) < 0)
|
||||
+ return (0);
|
||||
+
|
||||
+ if (sd_bus_call_method(bus, DBUS_DESTINATION, dbus_path,
|
||||
+ DBUS_INTERFACE, "TakeControl", &error, NULL,
|
||||
+ "b", 1) < 0) {
|
||||
+ logit("logind: cannot take control");
|
||||
+ free(dbus_path);
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
+ if ((r = sd_bus_call_method(bus, DBUS_DESTINATION, dbus_path,
|
||||
+ DBUS_INTERFACE, "SetTTY", &error, NULL,
|
||||
+ "h", fd)) < 0) {
|
||||
+ if (r != -EBADR) /* logind does not support "SetTTY" */
|
||||
+ logit("logind: cannot set TTY(%s, %s): %s", session_id, tty, strerror(-r));
|
||||
+ free(dbus_path);
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
+ free(dbus_path);
|
||||
+
|
||||
+ if (sd_bus_flush(bus) < 0) {
|
||||
+ sd_bus_unref(bus);
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
+ sd_bus_unref(bus);
|
||||
+ return (1);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+logind_set_tty(struct logininfo *li)
|
||||
+{
|
||||
+ switch(li->type) {
|
||||
+ case LTYPE_LOGIN:
|
||||
+ return (logind_perform_login(li));
|
||||
+ case LTYPE_LOGOUT:
|
||||
+ return (1);
|
||||
+ default:
|
||||
+ logit("%s: invalid type field", __func__);
|
||||
+ return (0);
|
||||
+ }
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
|
||||
/**
|
||||
** Low-level libutil login() functions
|
119
openssh-6.6.1p1-selinux-contexts.patch
Normal file
119
openssh-6.6.1p1-selinux-contexts.patch
Normal file
@ -0,0 +1,119 @@
|
||||
Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/openbsd-compat/port-linux-sshd.c
|
||||
+++ openssh-9.6p1/openbsd-compat/port-linux-sshd.c
|
||||
@@ -33,6 +33,7 @@
|
||||
#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
|
||||
#include "servconf.h"
|
||||
#include "port-linux.h"
|
||||
+#include "misc.h"
|
||||
#include "sshkey.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
@@ -451,7 +452,7 @@ sshd_selinux_setup_exec_context(char *pw
|
||||
void
|
||||
sshd_selinux_copy_context(void)
|
||||
{
|
||||
- security_context_t *ctx;
|
||||
+ char *ctx;
|
||||
|
||||
if (!sshd_selinux_enabled())
|
||||
return;
|
||||
@@ -470,6 +471,72 @@ sshd_selinux_copy_context(void)
|
||||
}
|
||||
}
|
||||
|
||||
+void
|
||||
+sshd_selinux_change_privsep_preauth_context(void)
|
||||
+{
|
||||
+ int len;
|
||||
+ char line[1024], *preauth_context = NULL, *cp, *arg;
|
||||
+ const char *contexts_path;
|
||||
+ FILE *contexts_file;
|
||||
+ struct stat sb;
|
||||
+
|
||||
+ contexts_path = selinux_openssh_contexts_path();
|
||||
+ if (contexts_path == NULL) {
|
||||
+ debug3_f("Failed to get the path to SELinux context");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
|
||||
+ debug_f("Failed to open SELinux context file");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ if (fstat(fileno(contexts_file), &sb) != 0 ||
|
||||
+ sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
|
||||
+ logit_f("SELinux context file needs to be owned by root"
|
||||
+ " and not writable by anyone else");
|
||||
+ fclose(contexts_file);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ while (fgets(line, sizeof(line), contexts_file)) {
|
||||
+ /* Strip trailing whitespace */
|
||||
+ for (len = strlen(line) - 1; len > 0; len--) {
|
||||
+ if (strchr(" \t\r\n", line[len]) == NULL)
|
||||
+ break;
|
||||
+ line[len] = '\0';
|
||||
+ }
|
||||
+
|
||||
+ if (line[0] == '\0')
|
||||
+ continue;
|
||||
+
|
||||
+ cp = line;
|
||||
+ arg = strdelim(&cp);
|
||||
+ if (arg && *arg == '\0')
|
||||
+ arg = strdelim(&cp);
|
||||
+
|
||||
+ if (arg && strcmp(arg, "privsep_preauth") == 0) {
|
||||
+ arg = strdelim(&cp);
|
||||
+ if (!arg || *arg == '\0') {
|
||||
+ debug_f("privsep_preauth is empty");
|
||||
+ fclose(contexts_file);
|
||||
+ return;
|
||||
+ }
|
||||
+ preauth_context = xstrdup(arg);
|
||||
+ }
|
||||
+ }
|
||||
+ fclose(contexts_file);
|
||||
+
|
||||
+ if (preauth_context == NULL) {
|
||||
+ debug_f("Unable to find 'privsep_preauth' option in"
|
||||
+ " SELinux context file");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ ssh_selinux_change_context(preauth_context);
|
||||
+ free(preauth_context);
|
||||
+}
|
||||
+
|
||||
#endif
|
||||
#endif
|
||||
|
||||
Index: openssh-9.6p1/openbsd-compat/port-linux.h
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/openbsd-compat/port-linux.h
|
||||
+++ openssh-9.6p1/openbsd-compat/port-linux.h
|
||||
@@ -27,6 +27,7 @@ int sshd_selinux_enabled(void);
|
||||
void sshd_selinux_copy_context(void);
|
||||
void sshd_selinux_setup_exec_context(char *);
|
||||
int sshd_selinux_setup_env_variables(void);
|
||||
+void sshd_selinux_change_privsep_preauth_context(void);
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
Index: openssh-9.6p1/sshd-session.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/sshd-session.c
|
||||
+++ openssh-9.6p1/sshd-session.c
|
||||
@@ -511,7 +511,7 @@ privsep_preauth_child(struct ssh *ssh)
|
||||
demote_sensitive_data(ssh);
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
- ssh_selinux_change_context("sshd_net_t");
|
||||
+ sshd_selinux_change_privsep_preauth_context();
|
||||
#endif
|
||||
|
||||
/* Demote the child */
|
491
openssh-6.6p1-keycat.patch
Normal file
491
openssh-6.6p1-keycat.patch
Normal file
@ -0,0 +1,491 @@
|
||||
Index: openssh-9.3p2/misc.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/misc.c
|
||||
+++ openssh-9.3p2/misc.c
|
||||
@@ -2770,6 +2770,13 @@ subprocess(const char *tag, const char *
|
||||
error("%s: dup2: %s", tag, strerror(errno));
|
||||
_exit(1);
|
||||
}
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (sshd_selinux_setup_env_variables() < 0) {
|
||||
+ error ("failed to copy environment: %s",
|
||||
+ strerror(errno));
|
||||
+ _exit(127);
|
||||
+ }
|
||||
+#endif
|
||||
if (env != NULL)
|
||||
execve(av[0], av, env);
|
||||
else
|
||||
#Index: openssh-9.3p2/HOWTO.ssh-keycat
|
||||
#===================================================================
|
||||
#--- /dev/null
|
||||
#+++ openssh-9.3p2/HOWTO.ssh-keycat
|
||||
#@@ -0,0 +1,12 @@
|
||||
#+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
|
||||
#+of an user in any environment. This includes environments with
|
||||
#+polyinstantiation of home directories and SELinux MLS policy enabled.
|
||||
#+
|
||||
#+To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
|
||||
#+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
|
||||
#+ AuthorizedKeysCommandUser root
|
||||
#+
|
||||
#+Do not forget to enable public key authentication:
|
||||
#+ PubkeyAuthentication yes
|
||||
#+
|
||||
#+
|
||||
#Index: openssh-9.3p2/Makefile.in
|
||||
#===================================================================
|
||||
#--- openssh-9.3p2.orig/Makefile.in
|
||||
#+++ openssh-9.3p2/Makefile.in
|
||||
#@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
# ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
||||
# SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
# SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
#+SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
||||
# SSHD_SESSION=$(libexecdir)/sshd-session
|
||||
# SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
# SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||
#@@ -57,6 +58,7 @@ CHANNELLIBS=@CHANNELLIBS@
|
||||
# K5LIBS=@K5LIBS@
|
||||
# GSSLIBS=@GSSLIBS@
|
||||
# SSHDLIBS=@SSHDLIBS@
|
||||
#+KEYCATLIBS=@KEYCATLIBS@
|
||||
# LIBEDIT=@LIBEDIT@
|
||||
# LIBFIDO2=@LIBFIDO2@
|
||||
# LIBWTMPDB=@LIBWTMPDB@
|
||||
#@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
|
||||
#
|
||||
# .SUFFIXES: .lo
|
||||
#
|
||||
#-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||
#+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||
#
|
||||
# TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
|
||||
#
|
||||
#@@ -245,6 +247,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
||||
# ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
|
||||
# $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(CHANNELLIBS)
|
||||
#
|
||||
#+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
||||
#+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
|
||||
#+
|
||||
# ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||
# $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS)
|
||||
#
|
||||
#@@ -431,6 +436,7 @@ install-files:
|
||||
# $(INSTALL) -m 0755 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
||||
# fi
|
||||
# $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||
#+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
||||
# $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
# $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
# $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
||||
Index: openssh-9.3p2/openbsd-compat/port-linux.h
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux.h
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux.h
|
||||
@@ -23,8 +23,10 @@ void ssh_selinux_setup_pty(char *, const
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
|
||||
+int sshd_selinux_enabled(void);
|
||||
void sshd_selinux_copy_context(void);
|
||||
void sshd_selinux_setup_exec_context(char *);
|
||||
+int sshd_selinux_setup_env_variables(void);
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
|
||||
extern Authctxt *the_authctxt;
|
||||
extern int inetd_flag;
|
||||
|
||||
+/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||
+int
|
||||
+sshd_selinux_enabled(void)
|
||||
+{
|
||||
+ static int enabled = -1;
|
||||
+
|
||||
+ if (enabled == -1) {
|
||||
+ enabled = (is_selinux_enabled() == 1);
|
||||
+ debug("SELinux support %s", enabled ? "enabled" : "disabled");
|
||||
+ }
|
||||
+
|
||||
+ return (enabled);
|
||||
+}
|
||||
+
|
||||
/* Send audit message */
|
||||
static int
|
||||
sshd_selinux_send_audit_message(int success, security_context_t default_context,
|
||||
@@ -318,7 +332,7 @@ sshd_selinux_getctxbyname(char *pwname,
|
||||
|
||||
/* Setup environment variables for pam_selinux */
|
||||
static int
|
||||
-sshd_selinux_setup_pam_variables(void)
|
||||
+sshd_selinux_setup_variables(int(*set_it)(char *, const char *))
|
||||
{
|
||||
const char *reqlvl;
|
||||
char *role;
|
||||
@@ -319,16 +333,16 @@ sshd_selinux_setup_pam_variables(void)
|
||||
|
||||
ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
|
||||
- rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||
+ rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||
|
||||
if (inetd_flag) {
|
||||
use_current = "1";
|
||||
} else {
|
||||
use_current = "";
|
||||
- rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
|
||||
+ rv = rv || set_it("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
|
||||
}
|
||||
|
||||
- rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
|
||||
+ rv = rv || set_it("SELINUX_USE_CURRENT_RANGE", use_current);
|
||||
|
||||
if (role != NULL)
|
||||
free(role);
|
||||
@@ -346,6 +360,24 @@ sshd_selinux_setup_pam_variables(void)
|
||||
return rv;
|
||||
}
|
||||
|
||||
+static int
|
||||
+sshd_selinux_setup_pam_variables(void)
|
||||
+{
|
||||
+ return sshd_selinux_setup_variables(do_pam_putenv);
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+do_setenv(char *name, const char *value)
|
||||
+{
|
||||
+ return setenv(name, value, 1);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+sshd_selinux_setup_env_variables(void)
|
||||
+{
|
||||
+ return sshd_selinux_setup_variables(do_setenv);
|
||||
+}
|
||||
+
|
||||
/* Set the execution context to the default for the specified user */
|
||||
void
|
||||
sshd_selinux_setup_exec_context(char *pwname)
|
||||
@@ -354,7 +386,7 @@ sshd_selinux_setup_exec_context(char *pw
|
||||
int r = 0;
|
||||
security_context_t default_ctx = NULL;
|
||||
|
||||
- if (!ssh_selinux_enabled())
|
||||
+ if (!sshd_selinux_enabled())
|
||||
return;
|
||||
|
||||
if (options.use_pam) {
|
||||
@@ -421,7 +453,7 @@ sshd_selinux_copy_context(void)
|
||||
{
|
||||
security_context_t *ctx;
|
||||
|
||||
- if (!ssh_selinux_enabled())
|
||||
+ if (!sshd_selinux_enabled())
|
||||
return;
|
||||
|
||||
if (getexeccon((security_context_t *)&ctx) != 0) {
|
||||
Index: openssh-9.3p2/platform.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/platform.c
|
||||
+++ openssh-9.3p2/platform.c
|
||||
@@ -100,7 +100,7 @@ platform_setusercontext(struct passwd *p
|
||||
{
|
||||
#ifdef WITH_SELINUX
|
||||
/* Cache selinux status for later use */
|
||||
- (void)ssh_selinux_enabled();
|
||||
+ (void)sshd_selinux_enabled();
|
||||
#endif
|
||||
|
||||
#ifdef USE_SOLARIS_PROJECTS
|
||||
#Index: openssh-9.3p2/ssh-keycat.c
|
||||
#===================================================================
|
||||
#--- /dev/null
|
||||
#+++ openssh-9.3p2/ssh-keycat.c
|
||||
#@@ -0,0 +1,241 @@
|
||||
#+/*
|
||||
#+ * Redistribution and use in source and binary forms, with or without
|
||||
#+ * modification, are permitted provided that the following conditions
|
||||
#+ * are met:
|
||||
#+ * 1. Redistributions of source code must retain the above copyright
|
||||
#+ * notice, and the entire permission notice in its entirety,
|
||||
#+ * including the disclaimer of warranties.
|
||||
#+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
#+ * notice, this list of conditions and the following disclaimer in the
|
||||
#+ * documentation and/or other materials provided with the distribution.
|
||||
#+ * 3. The name of the author may not be used to endorse or promote
|
||||
#+ * products derived from this software without specific prior
|
||||
#+ * written permission.
|
||||
#+ *
|
||||
#+ * ALTERNATIVELY, this product may be distributed under the terms of
|
||||
#+ * the GNU Public License, in which case the provisions of the GPL are
|
||||
#+ * required INSTEAD OF the above restrictions. (This clause is
|
||||
#+ * necessary due to a potential bad interaction between the GPL and
|
||||
#+ * the restrictions contained in a BSD-style copyright.)
|
||||
#+ *
|
||||
#+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
#+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
#+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
#+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
||||
#+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
#+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
#+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
#+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
#+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
#+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
#+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
#+ */
|
||||
#+
|
||||
#+/*
|
||||
#+ * Copyright (c) 2011 Red Hat, Inc.
|
||||
#+ * Written by Tomas Mraz <tmraz@redhat.com>
|
||||
#+*/
|
||||
#+
|
||||
#+#define _GNU_SOURCE
|
||||
#+
|
||||
#+#include "config.h"
|
||||
#+#include <stdio.h>
|
||||
#+#include <stdlib.h>
|
||||
#+#include <string.h>
|
||||
#+#include <sys/types.h>
|
||||
#+#include <sys/stat.h>
|
||||
#+#include <pwd.h>
|
||||
#+#include <fcntl.h>
|
||||
#+#include <unistd.h>
|
||||
#+#ifdef HAVE_STDINT_H
|
||||
#+#include <stdint.h>
|
||||
#+#endif
|
||||
#+
|
||||
#+#include <security/pam_appl.h>
|
||||
#+
|
||||
#+#include "uidswap.h"
|
||||
#+#include "misc.h"
|
||||
#+
|
||||
#+#define ERR_USAGE 1
|
||||
#+#define ERR_PAM_START 2
|
||||
#+#define ERR_OPEN_SESSION 3
|
||||
#+#define ERR_CLOSE_SESSION 4
|
||||
#+#define ERR_PAM_END 5
|
||||
#+#define ERR_GETPWNAM 6
|
||||
#+#define ERR_MEMORY 7
|
||||
#+#define ERR_OPEN 8
|
||||
#+#define ERR_FILE_MODE 9
|
||||
#+#define ERR_FDOPEN 10
|
||||
#+#define ERR_STAT 11
|
||||
#+#define ERR_WRITE 12
|
||||
#+#define ERR_PAM_PUTENV 13
|
||||
#+#define BUFLEN 4096
|
||||
#+
|
||||
#+/* Just ignore the messages in the conversation function */
|
||||
#+static int
|
||||
#+dummy_conv(int num_msg, const struct pam_message **msgm,
|
||||
#+ struct pam_response **response, void *appdata_ptr)
|
||||
#+{
|
||||
#+ struct pam_response *rsp;
|
||||
#+
|
||||
#+ (void)msgm;
|
||||
#+ (void)appdata_ptr;
|
||||
#+
|
||||
#+ if (num_msg <= 0)
|
||||
#+ return PAM_CONV_ERR;
|
||||
#+
|
||||
#+ /* Just allocate the array as empty responses */
|
||||
#+ rsp = calloc (num_msg, sizeof (struct pam_response));
|
||||
#+ if (rsp == NULL)
|
||||
#+ return PAM_CONV_ERR;
|
||||
#+
|
||||
#+ *response = rsp;
|
||||
#+ return PAM_SUCCESS;
|
||||
#+}
|
||||
#+
|
||||
#+static struct pam_conv conv = {
|
||||
#+ dummy_conv,
|
||||
#+ NULL
|
||||
#+};
|
||||
#+
|
||||
#+char *
|
||||
#+make_auth_keys_name(const struct passwd *pwd)
|
||||
#+{
|
||||
#+ char *fname;
|
||||
#+
|
||||
#+ if (asprintf(&fname, "%s/.ssh/authorized_keys", pwd->pw_dir) < 0)
|
||||
#+ return NULL;
|
||||
#+
|
||||
#+ return fname;
|
||||
#+}
|
||||
#+
|
||||
#+int
|
||||
#+dump_keys(const char *user)
|
||||
#+{
|
||||
#+ struct passwd *pwd;
|
||||
#+ int fd = -1;
|
||||
#+ FILE *f = NULL;
|
||||
#+ char *fname = NULL;
|
||||
#+ int rv = 0;
|
||||
#+ char buf[BUFLEN];
|
||||
#+ size_t len;
|
||||
#+ struct stat st;
|
||||
#+
|
||||
#+ if ((pwd = getpwnam(user)) == NULL) {
|
||||
#+ return ERR_GETPWNAM;
|
||||
#+ }
|
||||
#+
|
||||
#+ if ((fname = make_auth_keys_name(pwd)) == NULL) {
|
||||
#+ return ERR_MEMORY;
|
||||
#+ }
|
||||
#+
|
||||
#+ temporarily_use_uid(pwd);
|
||||
#+
|
||||
#+ if ((fd = open(fname, O_RDONLY|O_NONBLOCK|O_NOFOLLOW, 0)) < 0) {
|
||||
#+ rv = ERR_OPEN;
|
||||
#+ goto fail;
|
||||
#+ }
|
||||
#+
|
||||
#+ if (fstat(fd, &st) < 0) {
|
||||
#+ rv = ERR_STAT;
|
||||
#+ goto fail;
|
||||
#+ }
|
||||
#+
|
||||
#+ if (!S_ISREG(st.st_mode) ||
|
||||
#+ (st.st_uid != pwd->pw_uid && st.st_uid != 0)) {
|
||||
#+ rv = ERR_FILE_MODE;
|
||||
#+ goto fail;
|
||||
#+ }
|
||||
#+
|
||||
#+ unset_nonblock(fd);
|
||||
#+
|
||||
#+ if ((f = fdopen(fd, "r")) == NULL) {
|
||||
#+ rv = ERR_FDOPEN;
|
||||
#+ goto fail;
|
||||
#+ }
|
||||
#+
|
||||
#+ fd = -1;
|
||||
#+
|
||||
#+ while ((len = fread(buf, 1, sizeof(buf), f)) > 0) {
|
||||
#+ rv = fwrite(buf, 1, len, stdout) != len ? ERR_WRITE : 0;
|
||||
#+ }
|
||||
#+
|
||||
#+fail:
|
||||
#+ if (fd != -1)
|
||||
#+ close(fd);
|
||||
#+ if (f != NULL)
|
||||
#+ fclose(f);
|
||||
#+ free(fname);
|
||||
#+ restore_uid();
|
||||
#+ return rv;
|
||||
#+}
|
||||
#+
|
||||
#+static const char *env_names[] = { "SELINUX_ROLE_REQUESTED",
|
||||
#+ "SELINUX_LEVEL_REQUESTED",
|
||||
#+ "SELINUX_USE_CURRENT_RANGE"
|
||||
#+};
|
||||
#+
|
||||
#+extern char **environ;
|
||||
#+
|
||||
#+int
|
||||
#+set_pam_environment(pam_handle_t *pamh)
|
||||
#+{
|
||||
#+ int i;
|
||||
#+ size_t j;
|
||||
#+
|
||||
#+ for (j = 0; j < sizeof(env_names)/sizeof(env_names[0]); ++j) {
|
||||
#+ int len = strlen(env_names[j]);
|
||||
#+
|
||||
#+ for (i = 0; environ[i] != NULL; ++i) {
|
||||
#+ if (strncmp(env_names[j], environ[i], len) == 0 &&
|
||||
#+ environ[i][len] == '=') {
|
||||
#+ if (pam_putenv(pamh, environ[i]) != PAM_SUCCESS)
|
||||
#+ return ERR_PAM_PUTENV;
|
||||
#+ }
|
||||
#+ }
|
||||
#+ }
|
||||
#+
|
||||
#+ return 0;
|
||||
#+}
|
||||
#+
|
||||
#+int
|
||||
#+main(int argc, char *argv[])
|
||||
#+{
|
||||
#+ pam_handle_t *pamh = NULL;
|
||||
#+ int retval;
|
||||
#+ int ev = 0;
|
||||
#+
|
||||
#+ if (argc != 2) {
|
||||
#+ fprintf(stderr, "Usage: %s <user-name>\n", argv[0]);
|
||||
#+ return ERR_USAGE;
|
||||
#+ }
|
||||
#+
|
||||
#+ retval = pam_start("ssh-keycat", argv[1], &conv, &pamh);
|
||||
#+ if (retval != PAM_SUCCESS) {
|
||||
#+ return ERR_PAM_START;
|
||||
#+ }
|
||||
#+
|
||||
#+ ev = set_pam_environment(pamh);
|
||||
#+ if (ev != 0)
|
||||
#+ goto finish;
|
||||
#+
|
||||
#+ retval = pam_open_session(pamh, PAM_SILENT);
|
||||
#+ if (retval != PAM_SUCCESS) {
|
||||
#+ ev = ERR_OPEN_SESSION;
|
||||
#+ goto finish;
|
||||
#+ }
|
||||
#+
|
||||
#+ ev = dump_keys(argv[1]);
|
||||
#+
|
||||
#+ retval = pam_close_session(pamh, PAM_SILENT);
|
||||
#+ if (retval != PAM_SUCCESS) {
|
||||
#+ ev = ERR_CLOSE_SESSION;
|
||||
#+ }
|
||||
#+
|
||||
#+finish:
|
||||
#+ retval = pam_end (pamh,retval);
|
||||
#+ if (retval != PAM_SUCCESS) {
|
||||
#+ ev = ERR_PAM_END;
|
||||
#+ }
|
||||
#+ return ev;
|
||||
#+}
|
||||
#Index: openssh-9.3p2/configure.ac
|
||||
#===================================================================
|
||||
#--- openssh-9.3p2.orig/configure.ac
|
||||
#+++ openssh-9.3p2/configure.ac
|
||||
#@@ -3632,6 +3632,7 @@ AC_ARG_WITH([pam],
|
||||
# PAM_MSG="yes"
|
||||
#
|
||||
# SSHDLIBS="$SSHDLIBS -lpam"
|
||||
#+ KEYCATLIBS="$KEYCATLIBS -lpam"
|
||||
# AC_DEFINE([USE_PAM], [1],
|
||||
# [Define if you want to enable PAM support])
|
||||
#
|
||||
#@@ -3642,6 +3643,7 @@ AC_ARG_WITH([pam],
|
||||
# ;;
|
||||
# *)
|
||||
# SSHDLIBS="$SSHDLIBS -ldl"
|
||||
#+ KEYCATLIBS="$KEYCATLIBS -ldl"
|
||||
# ;;
|
||||
# esac
|
||||
# fi
|
||||
#@@ -4875,6 +4877,7 @@ AC_ARG_WITH([selinux],
|
||||
# fi ]
|
||||
# )
|
||||
# AC_SUBST([SSHDLIBS])
|
||||
#+AC_SUBST([KEYCATLIBS])
|
||||
#
|
||||
# # Check whether user wants Kerberos 5 support
|
||||
# KRB5_MSG="no"
|
||||
#@@ -5905,6 +5908,9 @@ fi
|
||||
# if test ! -z "${SSHDLIBS}"; then
|
||||
# echo " +for sshd: ${SSHDLIBS}"
|
||||
# fi
|
||||
#+if test ! -z "${KEYCATLIBS}"; then
|
||||
#+echo " +for ssh-keycat: ${KEYCATLIBS}"
|
||||
#+fi
|
||||
#
|
||||
# echo ""
|
||||
#
|
124
openssh-6.6p1-privsep-selinux.patch
Normal file
124
openssh-6.6p1-privsep-selinux.patch
Normal file
@ -0,0 +1,124 @@
|
||||
Index: openssh-9.3p2/openbsd-compat/port-linux.h
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux.h
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux.h
|
||||
@@ -23,6 +23,7 @@ void ssh_selinux_setup_pty(char *, const
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
|
||||
+void sshd_selinux_copy_context(void);
|
||||
void sshd_selinux_setup_exec_context(char *);
|
||||
#endif
|
||||
|
||||
Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
@@ -416,6 +416,28 @@ sshd_selinux_setup_exec_context(char *pw
|
||||
debug3_f("done");
|
||||
}
|
||||
|
||||
+void
|
||||
+sshd_selinux_copy_context(void)
|
||||
+{
|
||||
+ security_context_t *ctx;
|
||||
+
|
||||
+ if (!ssh_selinux_enabled())
|
||||
+ return;
|
||||
+
|
||||
+ if (getexeccon((security_context_t *)&ctx) != 0) {
|
||||
+ logit_f("getexeccon failed with %s", strerror(errno));
|
||||
+ return;
|
||||
+ }
|
||||
+ if (ctx != NULL) {
|
||||
+ /* unset exec context before we will lose this capabililty */
|
||||
+ if (setexeccon(NULL) != 0)
|
||||
+ fatal_f("setexeccon failed with %s", strerror(errno));
|
||||
+ if (setcon(ctx) != 0)
|
||||
+ fatal_f("setcon failed with %s", strerror(errno));
|
||||
+ freecon(ctx);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
#endif
|
||||
#endif
|
||||
|
||||
Index: openssh-9.3p2/session.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/session.c
|
||||
+++ openssh-9.3p2/session.c
|
||||
@@ -1403,7 +1403,7 @@ do_setusercontext(struct passwd *pw)
|
||||
|
||||
platform_setusercontext(pw);
|
||||
|
||||
- if (platform_privileged_uidswap()) {
|
||||
+ if (platform_privileged_uidswap() && !is_child) {
|
||||
#ifdef HAVE_LOGIN_CAP
|
||||
if (setusercontext(lc, pw, pw->pw_uid,
|
||||
(LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
|
||||
@@ -1435,6 +1435,9 @@ do_setusercontext(struct passwd *pw)
|
||||
(unsigned long long)pw->pw_uid);
|
||||
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
|
||||
"u", pw->pw_name, "U", uidstr, (char *)NULL);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ sshd_selinux_copy_context();
|
||||
+#endif
|
||||
safely_chroot(chroot_path, pw->pw_uid);
|
||||
free(tmp);
|
||||
free(chroot_path);
|
||||
@@ -1470,6 +1473,11 @@ do_setusercontext(struct passwd *pw)
|
||||
/* Permanently switch to the desired uid. */
|
||||
permanently_set_uid(pw);
|
||||
#endif
|
||||
+
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (in_chroot == 0)
|
||||
+ sshd_selinux_copy_context();
|
||||
+#endif
|
||||
} else if (options.chroot_directory != NULL &&
|
||||
strcasecmp(options.chroot_directory, "none") != 0) {
|
||||
fatal("server lacks privileges to chroot to ChrootDirectory");
|
||||
@@ -1487,9 +1495,6 @@ do_pwchange(Session *s)
|
||||
if (s->ttyfd != -1) {
|
||||
fprintf(stderr,
|
||||
"You must change your password now and login again!\n");
|
||||
-#ifdef WITH_SELINUX
|
||||
- setexeccon(NULL);
|
||||
-#endif
|
||||
#ifdef PASSWD_NEEDS_USERNAME
|
||||
execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name,
|
||||
(char *)NULL);
|
||||
@@ -1723,9 +1728,6 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
argv[i] = NULL;
|
||||
optind = optreset = 1;
|
||||
__progname = argv[0];
|
||||
-#ifdef WITH_SELINUX
|
||||
- ssh_selinux_change_context("sftpd_t");
|
||||
-#endif
|
||||
exit(sftp_server_main(i, argv, s->pw));
|
||||
}
|
||||
|
||||
Index: openssh-9.3p2/sshd-session.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/sshd-session.c
|
||||
+++ openssh-9.3p2/sshd-session.c
|
||||
@@ -342,6 +342,10 @@ privsep_preauth_child(struct ssh *ssh)
|
||||
/* Demote the private keys to public keys. */
|
||||
demote_sensitive_data(ssh);
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ ssh_selinux_change_context("sshd_net_t");
|
||||
+#endif
|
||||
+
|
||||
/* Demote the child */
|
||||
if (privsep_chroot) {
|
||||
/* Change our root directory */
|
||||
@@ -444,7 +448,7 @@ privsep_postauth(struct ssh *ssh, Authct
|
||||
* fd passing, as AFAIK PTY allocation on this platform doesn't require
|
||||
* special privileges to begin with.
|
||||
*/
|
||||
-#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN)
|
||||
+#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN) && !defined(WITH_SELINUX)
|
||||
skip_privdrop = 1;
|
||||
#endif
|
||||
|
280
openssh-7.6p1-cleanup-selinux.patch
Normal file
280
openssh-7.6p1-cleanup-selinux.patch
Normal file
@ -0,0 +1,280 @@
|
||||
Index: openssh-9.3p2/auth2-pubkey.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/auth2-pubkey.c
|
||||
+++ openssh-9.3p2/auth2-pubkey.c
|
||||
@@ -72,6 +72,9 @@
|
||||
|
||||
/* import */
|
||||
extern ServerOptions options;
|
||||
+extern int inetd_flag;
|
||||
+extern int rexeced_flag;
|
||||
+extern Authctxt *the_authctxt;
|
||||
extern struct authmethod_cfg methodcfg_pubkey;
|
||||
|
||||
static char *
|
||||
@@ -459,7 +462,8 @@ match_principals_command(struct passwd *
|
||||
if ((pid = subprocess("AuthorizedPrincipalsCommand", command,
|
||||
ac, av, &f,
|
||||
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||
- runas_pw, temporarily_use_uid, restore_uid)) == 0)
|
||||
+ runas_pw, temporarily_use_uid, restore_uid,
|
||||
+ inetd_flag, the_authctxt)) == 0)
|
||||
goto out;
|
||||
|
||||
uid_swapped = 1;
|
||||
@@ -727,7 +731,8 @@ user_key_command_allowed2(struct passwd
|
||||
if ((pid = subprocess("AuthorizedKeysCommand", command,
|
||||
ac, av, &f,
|
||||
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||
- runas_pw, temporarily_use_uid, restore_uid)) == 0)
|
||||
+ runas_pw, temporarily_use_uid, restore_uid,
|
||||
+ inetd_flag, the_authctxt)) == 0)
|
||||
goto out;
|
||||
|
||||
uid_swapped = 1;
|
||||
Index: openssh-9.3p2/misc.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/misc.c
|
||||
+++ openssh-9.3p2/misc.c
|
||||
@@ -2637,7 +2637,8 @@ stdfd_devnull(int do_stdin, int do_stdou
|
||||
pid_t
|
||||
subprocess(const char *tag, const char *command,
|
||||
int ac, char **av, FILE **child, u_int flags,
|
||||
- struct passwd *pw, privdrop_fn *drop_privs, privrestore_fn *restore_privs)
|
||||
+ struct passwd *pw, privdrop_fn *drop_privs,
|
||||
+ privrestore_fn *restore_privs, int inetd, void *the_authctxt)
|
||||
{
|
||||
FILE *f = NULL;
|
||||
struct stat st;
|
||||
@@ -2771,7 +2772,7 @@ subprocess(const char *tag, const char *
|
||||
_exit(1);
|
||||
}
|
||||
#ifdef WITH_SELINUX
|
||||
- if (sshd_selinux_setup_env_variables() < 0) {
|
||||
+ if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
|
||||
error ("failed to copy environment: %s",
|
||||
strerror(errno));
|
||||
_exit(127);
|
||||
Index: openssh-9.3p2/misc.h
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/misc.h
|
||||
+++ openssh-9.3p2/misc.h
|
||||
@@ -110,7 +110,7 @@ typedef void privrestore_fn(void);
|
||||
#define SSH_SUBPROCESS_UNSAFE_PATH (1<<3) /* Don't check for safe cmd */
|
||||
#define SSH_SUBPROCESS_PRESERVE_ENV (1<<4) /* Keep parent environment */
|
||||
pid_t subprocess(const char *, const char *, int, char **, FILE **, u_int,
|
||||
- struct passwd *, privdrop_fn *, privrestore_fn *);
|
||||
+ struct passwd *, privdrop_fn *, privrestore_fn *, int, void *);
|
||||
|
||||
typedef struct arglist arglist;
|
||||
struct arglist {
|
||||
Index: openssh-9.3p2/openbsd-compat/port-linux.h
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux.h
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux.h
|
||||
@@ -25,8 +25,8 @@ void ssh_selinux_setfscreatecon(const ch
|
||||
|
||||
int sshd_selinux_enabled(void);
|
||||
void sshd_selinux_copy_context(void);
|
||||
-void sshd_selinux_setup_exec_context(char *);
|
||||
-int sshd_selinux_setup_env_variables(void);
|
||||
+void sshd_selinux_setup_exec_context(char *, int, int(char *, const char *), void *, int);
|
||||
+int sshd_selinux_setup_env_variables(int inetd, void *);
|
||||
void sshd_selinux_change_privsep_preauth_context(void);
|
||||
#endif
|
||||
|
||||
Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
@@ -49,10 +49,6 @@
|
||||
#include <unistd.h>
|
||||
#endif
|
||||
|
||||
-extern ServerOptions options;
|
||||
-extern Authctxt *the_authctxt;
|
||||
-extern int inetd_flag;
|
||||
-
|
||||
/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||
int
|
||||
sshd_selinux_enabled(void)
|
||||
@@ -223,7 +218,8 @@ get_user_context(const char *sename, con
|
||||
}
|
||||
|
||||
static void
|
||||
-ssh_selinux_get_role_level(char **role, const char **level)
|
||||
+ssh_selinux_get_role_level(char **role, const char **level,
|
||||
+ Authctxt *the_authctxt)
|
||||
{
|
||||
*role = NULL;
|
||||
*level = NULL;
|
||||
@@ -241,8 +237,8 @@ ssh_selinux_get_role_level(char **role,
|
||||
|
||||
/* Return the default security context for the given username */
|
||||
static int
|
||||
-sshd_selinux_getctxbyname(char *pwname,
|
||||
- security_context_t *default_sc, security_context_t *user_sc)
|
||||
+sshd_selinux_getctxbyname(char *pwname, security_context_t *default_sc,
|
||||
+ security_context_t *user_sc, int inetd, Authctxt *the_authctxt)
|
||||
{
|
||||
char *sename, *lvl;
|
||||
char *role;
|
||||
@@ -250,7 +246,7 @@ sshd_selinux_getctxbyname(char *pwname,
|
||||
int r = 0;
|
||||
context_t con = NULL;
|
||||
|
||||
- ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
|
||||
|
||||
#ifdef HAVE_GETSEUSERBYNAME
|
||||
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
|
||||
@@ -272,7 +268,7 @@ sshd_selinux_getctxbyname(char *pwname,
|
||||
|
||||
if (r == 0) {
|
||||
/* If launched from xinetd, we must use current level */
|
||||
- if (inetd_flag) {
|
||||
+ if (inetd) {
|
||||
security_context_t sshdsc=NULL;
|
||||
|
||||
if (getcon_raw(&sshdsc) < 0)
|
||||
@@ -333,7 +329,8 @@ sshd_selinux_getctxbyname(char *pwname,
|
||||
|
||||
/* Setup environment variables for pam_selinux */
|
||||
static int
|
||||
-sshd_selinux_setup_variables(int(*set_it)(char *, const char *))
|
||||
+sshd_selinux_setup_variables(int(*set_it)(char *, const char *), int inetd,
|
||||
+ Authctxt *the_authctxt)
|
||||
{
|
||||
const char *reqlvl;
|
||||
char *role;
|
||||
@@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it
|
||||
|
||||
debug3_f("setting execution context");
|
||||
|
||||
- ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
|
||||
|
||||
rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||
|
||||
- if (inetd_flag) {
|
||||
+ if (inetd) {
|
||||
use_current = "1";
|
||||
} else {
|
||||
use_current = "";
|
||||
@@ -362,9 +359,10 @@ sshd_selinux_setup_variables(int(*set_it
|
||||
}
|
||||
|
||||
static int
|
||||
-sshd_selinux_setup_pam_variables(void)
|
||||
+sshd_selinux_setup_pam_variables(int inetd,
|
||||
+ int(pam_setenv)(char *, const char *), Authctxt *the_authctxt)
|
||||
{
|
||||
- return sshd_selinux_setup_variables(do_pam_putenv);
|
||||
+ return sshd_selinux_setup_variables(pam_setenv, inetd, the_authctxt);
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -374,25 +372,28 @@ do_setenv(char *name, const char *value)
|
||||
}
|
||||
|
||||
int
|
||||
-sshd_selinux_setup_env_variables(void)
|
||||
+sshd_selinux_setup_env_variables(int inetd, void *the_authctxt)
|
||||
{
|
||||
- return sshd_selinux_setup_variables(do_setenv);
|
||||
+ Authctxt *authctxt = (Authctxt *) the_authctxt;
|
||||
+ return sshd_selinux_setup_variables(do_setenv, inetd, authctxt);
|
||||
}
|
||||
|
||||
/* Set the execution context to the default for the specified user */
|
||||
void
|
||||
-sshd_selinux_setup_exec_context(char *pwname)
|
||||
+sshd_selinux_setup_exec_context(char *pwname, int inetd,
|
||||
+ int(pam_setenv)(char *, const char *), void *the_authctxt, int use_pam)
|
||||
{
|
||||
security_context_t user_ctx = NULL;
|
||||
int r = 0;
|
||||
security_context_t default_ctx = NULL;
|
||||
+ Authctxt *authctxt = (Authctxt *) the_authctxt;
|
||||
|
||||
if (!sshd_selinux_enabled())
|
||||
return;
|
||||
|
||||
- if (options.use_pam) {
|
||||
+ if (use_pam) {
|
||||
/* do not compute context, just setup environment for pam_selinux */
|
||||
- if (sshd_selinux_setup_pam_variables()) {
|
||||
+ if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
|
||||
switch (security_getenforce()) {
|
||||
case -1:
|
||||
fatal_f("security_getenforce() failed");
|
||||
@@ -408,7 +409,7 @@ sshd_selinux_setup_exec_context(char *pw
|
||||
|
||||
debug3_f("setting execution context");
|
||||
|
||||
- r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
||||
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
|
||||
if (r >= 0) {
|
||||
r = setexeccon(user_ctx);
|
||||
if (r < 0) {
|
||||
Index: openssh-9.3p2/platform.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/platform.c
|
||||
+++ openssh-9.3p2/platform.c
|
||||
@@ -34,6 +34,8 @@
|
||||
#include "openbsd-compat/openbsd-compat.h"
|
||||
|
||||
extern ServerOptions options;
|
||||
+extern int inetd_flag;
|
||||
+extern Authctxt *the_authctxt;
|
||||
|
||||
/* return 1 if we are running with privilege to swap UIDs, 0 otherwise */
|
||||
int
|
||||
@@ -185,7 +187,9 @@ platform_setusercontext_post_groups(stru
|
||||
}
|
||||
#endif /* HAVE_SETPCRED */
|
||||
#ifdef WITH_SELINUX
|
||||
- sshd_selinux_setup_exec_context(pw->pw_name);
|
||||
+ sshd_selinux_setup_exec_context(pw->pw_name,
|
||||
+ inetd_flag, do_pam_putenv, the_authctxt,
|
||||
+ options.use_pam);
|
||||
#endif
|
||||
}
|
||||
|
||||
Index: openssh-9.3p2/sshd-session.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/sshd-session.c
|
||||
+++ openssh-9.3p2/sshd-session.c
|
||||
@@ -166,7 +166,7 @@ int debug_flag = 0;
|
||||
int debug_flag = 0;
|
||||
|
||||
/* Flag indicating that the daemon is being started from inetd. */
|
||||
-static int inetd_flag = 0;
|
||||
+int inetd_flag = 0;
|
||||
|
||||
/* debug goes to stderr unless inetd_flag is set */
|
||||
static int log_stderr = 0;
|
||||
@@ -2396,7 +2396,9 @@ main(int ac, char **av)
|
||||
}
|
||||
#endif
|
||||
#ifdef WITH_SELINUX
|
||||
- sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
|
||||
+ sshd_selinux_setup_exec_context(authctxt->pw->pw_name,
|
||||
+ inetd_flag, do_pam_putenv, the_authctxt,
|
||||
+ options.use_pam);
|
||||
#endif
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam) {
|
||||
Index: openssh-9.3p2/sshconnect.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/sshconnect.c
|
||||
+++ openssh-9.3p2/sshconnect.c
|
||||
@@ -893,7 +893,7 @@ load_hostkeys_command(struct hostkeys *h
|
||||
|
||||
if ((pid = subprocess(tag, command, ac, av, &f,
|
||||
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_UNSAFE_PATH|
|
||||
- SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL)) == 0)
|
||||
+ SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL, 0, NULL)) == 0)
|
||||
goto out;
|
||||
|
||||
load_hostkeys_file(hostkeys, hostfile_hostname, tag, f, 1);
|
38
openssh-7.7p1-IPv6_X_forwarding.patch
Normal file
38
openssh-7.7p1-IPv6_X_forwarding.patch
Normal file
@ -0,0 +1,38 @@
|
||||
# HG changeset patch
|
||||
# Parent 8df645ca39d64de025d8838c5713812e72308c92
|
||||
Correctly parse DISPLAY variable for cases where it contains an IPv6 address
|
||||
(which should - but not always is - in (square) brackets).
|
||||
|
||||
bnc#847710 - https://bugzilla.novell.com/show_bug.cgi?id=847710
|
||||
|
||||
Index: openssh-8.8p1/channels.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/channels.c
|
||||
+++ openssh-8.8p1/channels.c
|
||||
@@ -4776,9 +4776,10 @@ x11_connect_display(struct ssh *ssh)
|
||||
/*
|
||||
* Connect to an inet socket. The DISPLAY value is supposedly
|
||||
* hostname:d[.s], where hostname may also be numeric IP address.
|
||||
+ * Note that IPv6 numeric addresses contain colons (e.g. ::1:0)
|
||||
*/
|
||||
strlcpy(buf, display, sizeof(buf));
|
||||
- cp = strchr(buf, ':');
|
||||
+ cp = strrchr(buf, ':');
|
||||
if (!cp) {
|
||||
error("Could not find ':' in DISPLAY: %.100s", display);
|
||||
return -1;
|
||||
@@ -4793,6 +4794,14 @@ x11_connect_display(struct ssh *ssh)
|
||||
display);
|
||||
return -1;
|
||||
}
|
||||
+
|
||||
+ /* Remove brackets surrounding IPv6 addresses if there are any. */
|
||||
+ if (buf[0] == '[' && (cp = strchr(buf, ']'))) {
|
||||
+ *cp = 0;
|
||||
+ cp = buf + 1;
|
||||
+ } else {
|
||||
+ cp = buf;
|
||||
+ }
|
||||
|
||||
/* Look up the host address */
|
||||
memset(&hints, 0, sizeof(hints));
|
47
openssh-7.7p1-X11_trusted_forwarding.patch
Normal file
47
openssh-7.7p1-X11_trusted_forwarding.patch
Normal file
@ -0,0 +1,47 @@
|
||||
# HG changeset patch
|
||||
# Parent d25c96855fd67e997e25ec1198d953af33eb289c
|
||||
# enable trusted X11 forwarding by default in both sshd and sshsystem-wide
|
||||
# configuration
|
||||
# bnc#50836 (was suse #35836)
|
||||
Enable Trusted X11 forwarding by default, since the security benefits of
|
||||
having it disabled are negligible these days with XI2 being widely used.
|
||||
|
||||
Index: openssh-8.8p1/ssh_config
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/ssh_config
|
||||
+++ openssh-8.8p1/ssh_config
|
||||
@@ -17,9 +17,20 @@
|
||||
# list of available options, their meanings and defaults, please see the
|
||||
# ssh_config(5) man page.
|
||||
|
||||
-# Host *
|
||||
+Host *
|
||||
# ForwardAgent no
|
||||
# ForwardX11 no
|
||||
+
|
||||
+# If you do not trust your remote host (or its administrator), you
|
||||
+# should not forward X11 connections to your local X11-display for
|
||||
+# security reasons: Someone stealing the authentification data on the
|
||||
+# remote side (the "spoofed" X-server by the remote sshd) can read your
|
||||
+# keystrokes as you type, just like any other X11 client could do.
|
||||
+# Set this to "no" here for global effect or in your own ~/.ssh/config
|
||||
+# file if you want to have the remote X11 authentification data to
|
||||
+# expire after twenty minutes after remote login.
|
||||
+ ForwardX11Trusted yes
|
||||
+
|
||||
# PasswordAuthentication yes
|
||||
# HostbasedAuthentication no
|
||||
# GSSAPIAuthentication no
|
||||
Index: openssh-8.8p1/sshd_config
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd_config
|
||||
+++ openssh-8.8p1/sshd_config
|
||||
@@ -84,7 +84,7 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
#AllowAgentForwarding yes
|
||||
#AllowTcpForwarding yes
|
||||
#GatewayPorts no
|
||||
-#X11Forwarding no
|
||||
+X11Forwarding yes
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PermitTTY yes
|
23
openssh-7.7p1-X_forward_with_disabled_ipv6.patch
Normal file
23
openssh-7.7p1-X_forward_with_disabled_ipv6.patch
Normal file
@ -0,0 +1,23 @@
|
||||
# HG changeset patch
|
||||
# Parent 44592f09f090e74432f608084069d30d808fda69
|
||||
Do not throw away already open sockets for X11 forwarding if another socket
|
||||
family is not available for bind()
|
||||
|
||||
Index: openssh-8.8p1/channels.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/channels.c
|
||||
+++ openssh-8.8p1/channels.c
|
||||
@@ -4607,6 +4607,13 @@ x11_create_display_inet(struct ssh *ssh,
|
||||
debug2_f("bind port %d: %.100s", port,
|
||||
strerror(errno));
|
||||
close(sock);
|
||||
+ /* do not remove successfully opened sockets if
|
||||
+ * the request failed because the protocol
|
||||
+ * IPv4/6 is not available (e.g. IPv6 may be
|
||||
+ * disabled while being supported)
|
||||
+ */
|
||||
+ if (EADDRNOTAVAIL == errno)
|
||||
+ continue;
|
||||
for (n = 0; n < num_socks; n++)
|
||||
close(socks[n]);
|
||||
num_socks = 0;
|
59
openssh-7.7p1-allow_root_password_login.patch
Normal file
59
openssh-7.7p1-allow_root_password_login.patch
Normal file
@ -0,0 +1,59 @@
|
||||
# HG changeset patch
|
||||
# Parent af43d436bc7fe818dd976c923ad99b89051eb299
|
||||
Allow root login with password by default. While less secure than upstream
|
||||
default of forbidding access to the root account with a password, we are
|
||||
temporarily introducing this change to keep the default used in older OpenSSH
|
||||
versions shipped with SLE.
|
||||
|
||||
Index: openssh-8.4p1/servconf.c
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/servconf.c
|
||||
+++ openssh-8.4p1/servconf.c
|
||||
@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption
|
||||
if (options->login_grace_time == -1)
|
||||
options->login_grace_time = 120;
|
||||
if (options->permit_root_login == PERMIT_NOT_SET)
|
||||
- options->permit_root_login = PERMIT_NO_PASSWD;
|
||||
+ options->permit_root_login = PERMIT_YES;
|
||||
if (options->ignore_rhosts == -1)
|
||||
options->ignore_rhosts = 1;
|
||||
if (options->ignore_user_known_hosts == -1)
|
||||
Index: openssh-8.4p1/sshd_config
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/sshd_config
|
||||
+++ openssh-8.4p1/sshd_config
|
||||
@@ -29,7 +29,7 @@
|
||||
# Authentication:
|
||||
|
||||
#LoginGraceTime 2m
|
||||
-#PermitRootLogin prohibit-password
|
||||
+PermitRootLogin yes
|
||||
#StrictModes yes
|
||||
#MaxAuthTries 6
|
||||
#MaxSessions 10
|
||||
Index: openssh-8.4p1/sshd_config.0
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/sshd_config.0
|
||||
+++ openssh-8.4p1/sshd_config.0
|
||||
@@ -778,7 +778,7 @@ DESCRIPTION
|
||||
PermitRootLogin
|
||||
Specifies whether root can log in using ssh(1). The argument
|
||||
must be yes, prohibit-password, forced-commands-only, or no. The
|
||||
- default is prohibit-password.
|
||||
+ default is yes.
|
||||
|
||||
If this option is set to prohibit-password (or its deprecated
|
||||
alias, without-password), password and keyboard-interactive
|
||||
Index: openssh-8.4p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-8.4p1.orig/sshd_config.5
|
||||
+++ openssh-8.4p1/sshd_config.5
|
||||
@@ -1331,7 +1331,7 @@ The argument must be
|
||||
or
|
||||
.Cm no .
|
||||
The default is
|
||||
-.Cm prohibit-password .
|
||||
+.Cm yes .
|
||||
.Pp
|
||||
If this option is set to
|
||||
.Cm prohibit-password
|
304
openssh-7.7p1-cavstest-ctr.patch
Normal file
304
openssh-7.7p1-cavstest-ctr.patch
Normal file
@ -0,0 +1,304 @@
|
||||
# HG changeset patch
|
||||
# Parent cc1022edba2c5eeb0facba08468f65afc2466b63
|
||||
CAVS test for OpenSSH's own CTR encryption mode implementation
|
||||
|
||||
Index: openssh-8.8p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/Makefile.in
|
||||
+++ openssh-8.8p1/Makefile.in
|
||||
@@ -26,6 +26,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSHD_SESSION=$(libexecdir)/sshd-session
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||
+CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
STRIP_OPT=@STRIP_OPT@
|
||||
@@ -69,6 +70,8 @@ MKDIR_P=@MKDIR_P@
|
||||
|
||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||
|
||||
+TARGETS += cavstest-ctr$(EXEEXT)
|
||||
+
|
||||
XMSS_OBJS=\
|
||||
ssh-xmss.o \
|
||||
sshkey-xmss.o \
|
||||
@@ -245,6 +248,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
|
||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
|
||||
$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
||||
|
||||
+# FIPS tests
|
||||
+cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
|
||||
+ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
|
||||
+
|
||||
# test driver for the loginrec code - not built by default
|
||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
||||
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
||||
@@ -407,6 +414,7 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||
Index: openssh-8.8p1/cavstest-ctr.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/cavstest-ctr.c
|
||||
@@ -0,0 +1,214 @@
|
||||
+/*
|
||||
+ *
|
||||
+ * invocation (all of the following are equal):
|
||||
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
|
||||
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 00000000000000000000000000000000
|
||||
+ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt
|
||||
+ */
|
||||
+
|
||||
+#include "includes.h"
|
||||
+
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/param.h>
|
||||
+#include <stdarg.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <ctype.h>
|
||||
+
|
||||
+#include "xmalloc.h"
|
||||
+#include "log.h"
|
||||
+#include "cipher.h"
|
||||
+
|
||||
+/* compatibility with old or broken OpenSSL versions */
|
||||
+#include "openbsd-compat/openssl-compat.h"
|
||||
+
|
||||
+void
|
||||
+usage(void)
|
||||
+{
|
||||
+ fprintf(stderr, "Usage: ctr-cavstest --algo <ssh-crypto-algorithm>\n"
|
||||
+ " --key <hexadecimal-key> --mode <encrypt|decrypt>\n"
|
||||
+ " [--iv <hexadecimal-iv>] --data <hexadecimal-data>\n\n"
|
||||
+ "Hexadecimal output is printed to stdout.\n"
|
||||
+ "Hexadecimal input data can be alternatively read from stdin.\n");
|
||||
+ exit(1);
|
||||
+}
|
||||
+
|
||||
+void *
|
||||
+fromhex(char *hex, size_t * len)
|
||||
+{
|
||||
+ unsigned char *bin;
|
||||
+ char *p;
|
||||
+ size_t n = 0;
|
||||
+ int shift = 4;
|
||||
+ unsigned char out = 0;
|
||||
+ unsigned char *optr;
|
||||
+
|
||||
+ bin = xmalloc(strlen(hex) / 2);
|
||||
+ optr = bin;
|
||||
+
|
||||
+ for (p = hex; *p != '\0'; ++p) {
|
||||
+ unsigned char c;
|
||||
+
|
||||
+ c = *p;
|
||||
+ if (isspace(c))
|
||||
+ continue;
|
||||
+
|
||||
+ if (c >= '0' && c <= '9') {
|
||||
+ c = c - '0';
|
||||
+ } else if (c >= 'A' && c <= 'F') {
|
||||
+ c = c - 'A' + 10;
|
||||
+ } else if (c >= 'a' && c <= 'f') {
|
||||
+ c = c - 'a' + 10;
|
||||
+ } else {
|
||||
+ /* truncate on nonhex cipher */
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ out |= c << shift;
|
||||
+ shift = (shift + 4) % 8;
|
||||
+
|
||||
+ if (shift) {
|
||||
+ *(optr++) = out;
|
||||
+ out = 0;
|
||||
+ ++n;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ *len = n;
|
||||
+ return bin;
|
||||
+}
|
||||
+
|
||||
+#define READ_CHUNK 4096
|
||||
+#define MAX_READ_SIZE 1024*1024*100
|
||||
+char *
|
||||
+read_stdin(void)
|
||||
+{
|
||||
+ char *buf;
|
||||
+ size_t n, total = 0;
|
||||
+
|
||||
+ buf = xmalloc(READ_CHUNK);
|
||||
+
|
||||
+ do {
|
||||
+ n = fread(buf + total, 1, READ_CHUNK, stdin);
|
||||
+ if (n < READ_CHUNK) /* terminate on short read */
|
||||
+ break;
|
||||
+
|
||||
+ total += n;
|
||||
+ buf = xreallocarray(buf, total + READ_CHUNK, 1);
|
||||
+ } while (total < MAX_READ_SIZE);
|
||||
+ return buf;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+main(int argc, char *argv[])
|
||||
+{
|
||||
+
|
||||
+ struct sshcipher *c;
|
||||
+ struct sshcipher_ctx cc;
|
||||
+ struct sshcipher_ctx *ccp;
|
||||
+ char *algo = "aes128-ctr";
|
||||
+ char *hexkey = NULL;
|
||||
+ char *hexiv = "00000000000000000000000000000000";
|
||||
+ char *hexdata = NULL;
|
||||
+ char *p;
|
||||
+ int i;
|
||||
+ int encrypt = 1;
|
||||
+ void *key;
|
||||
+ size_t keylen;
|
||||
+ void *iv;
|
||||
+ size_t ivlen;
|
||||
+ void *data;
|
||||
+ size_t datalen;
|
||||
+ void *outdata;
|
||||
+
|
||||
+ for (i = 1; i < argc; ++i) {
|
||||
+ if (strcmp(argv[i], "--algo") == 0) {
|
||||
+ algo = argv[++i];
|
||||
+ } else if (strcmp(argv[i], "--key") == 0) {
|
||||
+ hexkey = argv[++i];
|
||||
+ } else if (strcmp(argv[i], "--mode") == 0) {
|
||||
+ ++i;
|
||||
+ if (argv[i] == NULL) {
|
||||
+ usage();
|
||||
+ }
|
||||
+ if (strncmp(argv[i], "enc", 3) == 0) {
|
||||
+ encrypt = 1;
|
||||
+ } else if (strncmp(argv[i], "dec", 3) == 0) {
|
||||
+ encrypt = 0;
|
||||
+ } else {
|
||||
+ usage();
|
||||
+ }
|
||||
+ } else if (strcmp(argv[i], "--iv") == 0) {
|
||||
+ hexiv = argv[++i];
|
||||
+ } else if (strcmp(argv[i], "--data") == 0) {
|
||||
+ hexdata = argv[++i];
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (hexkey == NULL || algo == NULL) {
|
||||
+ usage();
|
||||
+ }
|
||||
+
|
||||
+ OpenSSL_add_all_algorithms();
|
||||
+
|
||||
+ c = cipher_by_name(algo);
|
||||
+ if (c == NULL) {
|
||||
+ fprintf(stderr, "Error: unknown algorithm\n");
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
+ if (hexdata == NULL) {
|
||||
+ hexdata = read_stdin();
|
||||
+ } else {
|
||||
+ hexdata = xstrdup(hexdata);
|
||||
+ }
|
||||
+
|
||||
+ key = fromhex(hexkey, &keylen);
|
||||
+
|
||||
+ if (keylen != 16 && keylen != 24 && keylen == 32) {
|
||||
+ fprintf(stderr, "Error: unsupported key length\n");
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
+ iv = fromhex(hexiv, &ivlen);
|
||||
+
|
||||
+ if (ivlen != 16) {
|
||||
+ fprintf(stderr, "Error: unsupported iv length\n");
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
+ data = fromhex(hexdata, &datalen);
|
||||
+
|
||||
+ if (data == NULL || datalen == 0) {
|
||||
+ fprintf(stderr, "Error: no data to encrypt/decrypt\n");
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
+ ccp = &cc;
|
||||
+ cipher_init(&ccp, c, key, keylen, iv, ivlen, encrypt);
|
||||
+
|
||||
+ free(key);
|
||||
+ free(iv);
|
||||
+
|
||||
+ outdata = malloc(datalen);
|
||||
+ if (outdata == NULL) {
|
||||
+ fprintf(stderr, "Error: memory allocation failure\n");
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
+ cipher_crypt(&cc, 0, outdata, data, datalen, 0, 0);
|
||||
+
|
||||
+ free(data);
|
||||
+
|
||||
+ cipher_free(&cc);
|
||||
+
|
||||
+ for (p = outdata; datalen > 0; ++p, --datalen) {
|
||||
+ printf("%02X", (unsigned char) *p);
|
||||
+ }
|
||||
+
|
||||
+ free(outdata);
|
||||
+
|
||||
+ printf("\n");
|
||||
+ return 0;
|
||||
+}
|
||||
Index: openssh-8.8p1/cipher.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/cipher.c
|
||||
+++ openssh-8.8p1/cipher.c
|
||||
@@ -58,15 +58,6 @@
|
||||
#define EVP_CIPHER_CTX void
|
||||
#endif
|
||||
|
||||
-struct sshcipher_ctx {
|
||||
- int plaintext;
|
||||
- int encrypt;
|
||||
- EVP_CIPHER_CTX *evp;
|
||||
- struct chachapoly_ctx *cp_ctx;
|
||||
- struct aesctr_ctx ac_ctx; /* XXX union with evp? */
|
||||
- const struct sshcipher *cipher;
|
||||
-};
|
||||
-
|
||||
struct sshcipher {
|
||||
char *name;
|
||||
u_int block_size;
|
||||
Index: openssh-8.8p1/cipher.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/cipher.h
|
||||
+++ openssh-8.8p1/cipher.h
|
||||
@@ -48,7 +48,15 @@
|
||||
#define CIPHER_DECRYPT 0
|
||||
|
||||
struct sshcipher;
|
||||
-struct sshcipher_ctx;
|
||||
+struct sshcipher_ctx {
|
||||
+ int plaintext;
|
||||
+ int encrypt;
|
||||
+ EVP_CIPHER_CTX *evp;
|
||||
+ struct chachapoly_ctx *cp_ctx; /* XXX union with evp? */
|
||||
+ struct aesctr_ctx ac_ctx; /* XXX union with evp? */
|
||||
+ const struct sshcipher *cipher;
|
||||
+};
|
||||
+
|
||||
|
||||
const struct sshcipher *cipher_by_name(const char *);
|
||||
const char *cipher_warning_message(const struct sshcipher_ctx *);
|
450
openssh-7.7p1-cavstest-kdf.patch
Normal file
450
openssh-7.7p1-cavstest-kdf.patch
Normal file
@ -0,0 +1,450 @@
|
||||
# HG changeset patch
|
||||
# Parent 1e1d5a2ab8bddfc800f570755f9ea1addcc878c1
|
||||
CAVS test for KDF implementation in OpenSSH
|
||||
|
||||
Index: openssh-8.8p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/Makefile.in
|
||||
+++ openssh-8.8p1/Makefile.in
|
||||
@@ -27,6 +27,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||
CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
||||
+CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
STRIP_OPT=@STRIP_OPT@
|
||||
@@ -70,7 +71,7 @@ MKDIR_P=@MKDIR_P@
|
||||
|
||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||
|
||||
-TARGETS += cavstest-ctr$(EXEEXT)
|
||||
+TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
|
||||
|
||||
XMSS_OBJS=\
|
||||
ssh-xmss.o \
|
||||
@@ -252,6 +253,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S
|
||||
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
|
||||
$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
|
||||
|
||||
+cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o
|
||||
+ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
|
||||
+
|
||||
# test driver for the loginrec code - not built by default
|
||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
||||
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
||||
@@ -415,6 +419,7 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-kdf$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-kdf$(EXEEXT)
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||
Index: openssh-8.8p1/cavstest-kdf.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/cavstest-kdf.c
|
||||
@@ -0,0 +1,402 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, and the entire permission notice in its entirety,
|
||||
+ * including the disclaimer of warranties.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ * 3. The name of the author may not be used to endorse or promote
|
||||
+ * products derived from this software without specific prior
|
||||
+ * written permission.
|
||||
+ *
|
||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
||||
+ * the GNU General Public License, in which case the provisions of the GPL2
|
||||
+ * are required INSTEAD OF the above restrictions. (This clause is
|
||||
+ * necessary due to a potential bad interaction between the GPL and
|
||||
+ * the restrictions contained in a BSD-style copyright.)
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
|
||||
+ * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
|
||||
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
|
||||
+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
|
||||
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
||||
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
|
||||
+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
|
||||
+ * DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+#include "includes.h"
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <errno.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <string.h>
|
||||
+
|
||||
+#include <openssl/bn.h>
|
||||
+
|
||||
+#include "xmalloc.h"
|
||||
+#include "ssherr.h"
|
||||
+#include "sshbuf.h"
|
||||
+#include "sshkey.h"
|
||||
+#include "cipher.h"
|
||||
+#include "kex.h"
|
||||
+#include "packet.h"
|
||||
+
|
||||
+static int bin_char(unsigned char hex)
|
||||
+{
|
||||
+ if (48 <= hex && 57 >= hex)
|
||||
+ return (hex - 48);
|
||||
+ if (65 <= hex && 70 >= hex)
|
||||
+ return (hex - 55);
|
||||
+ if (97 <= hex && 102 >= hex)
|
||||
+ return (hex - 87);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Convert hex representation into binary string
|
||||
+ * @hex input buffer with hex representation
|
||||
+ * @hexlen length of hex
|
||||
+ * @bin output buffer with binary data
|
||||
+ * @binlen length of already allocated bin buffer (should be at least
|
||||
+ * half of hexlen -- if not, only a fraction of hexlen is converted)
|
||||
+ */
|
||||
+static void hex2bin(const char *hex, size_t hexlen,
|
||||
+ unsigned char *bin, size_t binlen)
|
||||
+{
|
||||
+ size_t i = 0;
|
||||
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
|
||||
+
|
||||
+ for (i = 0; i < chars; i++) {
|
||||
+ bin[i] = bin_char(hex[(i*2)]) << 4;
|
||||
+ bin[i] |= bin_char(hex[((i*2)+1)]);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Allocate sufficient space for binary representation of hex
|
||||
+ * and convert hex into bin
|
||||
+ *
|
||||
+ * Caller must free bin
|
||||
+ * @hex input buffer with hex representation
|
||||
+ * @hexlen length of hex
|
||||
+ * @bin return value holding the pointer to the newly allocated buffer
|
||||
+ * @binlen return value holding the allocated size of bin
|
||||
+ *
|
||||
+ * return: 0 on success, !0 otherwise
|
||||
+ */
|
||||
+static int hex2bin_alloc(const char *hex, size_t hexlen,
|
||||
+ unsigned char **bin, size_t *binlen)
|
||||
+{
|
||||
+ unsigned char *out = NULL;
|
||||
+ size_t outlen = 0;
|
||||
+
|
||||
+ if (!hexlen)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ outlen = (hexlen + 1) / 2;
|
||||
+
|
||||
+ out = calloc(1, outlen);
|
||||
+ if (!out)
|
||||
+ return -errno;
|
||||
+
|
||||
+ hex2bin(hex, hexlen, out, outlen);
|
||||
+ *bin = out;
|
||||
+ *binlen = outlen;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static char hex_char_map_l[] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
||||
+ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
|
||||
+static char hex_char_map_u[] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
||||
+ '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
|
||||
+static char hex_char(unsigned int bin, int u)
|
||||
+{
|
||||
+ if (bin < sizeof(hex_char_map_l))
|
||||
+ return (u) ? hex_char_map_u[bin] : hex_char_map_l[bin];
|
||||
+ return 'X';
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Convert binary string into hex representation
|
||||
+ * @bin input buffer with binary data
|
||||
+ * @binlen length of bin
|
||||
+ * @hex output buffer to store hex data
|
||||
+ * @hexlen length of already allocated hex buffer (should be at least
|
||||
+ * twice binlen -- if not, only a fraction of binlen is converted)
|
||||
+ * @u case of hex characters (0=>lower case, 1=>upper case)
|
||||
+ */
|
||||
+static void bin2hex(const unsigned char *bin, size_t binlen,
|
||||
+ char *hex, size_t hexlen, int u)
|
||||
+{
|
||||
+ size_t i = 0;
|
||||
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
|
||||
+
|
||||
+ for (i = 0; i < chars; i++) {
|
||||
+ hex[(i*2)] = hex_char((bin[i] >> 4), u);
|
||||
+ hex[((i*2)+1)] = hex_char((bin[i] & 0x0f), u);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+struct kdf_cavs {
|
||||
+ unsigned char *K;
|
||||
+ size_t Klen;
|
||||
+ unsigned char *H;
|
||||
+ size_t Hlen;
|
||||
+ unsigned char *session_id;
|
||||
+ size_t session_id_len;
|
||||
+
|
||||
+ unsigned int iv_len;
|
||||
+ unsigned int ek_len;
|
||||
+ unsigned int ik_len;
|
||||
+};
|
||||
+
|
||||
+#ifdef WITH_OPENSSL
|
||||
+static int
|
||||
+kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen,
|
||||
+ const BIGNUM *secret)
|
||||
+{
|
||||
+ struct sshbuf *shared_secret;
|
||||
+ int r;
|
||||
+
|
||||
+ if ((shared_secret = sshbuf_new()) == NULL)
|
||||
+ return SSH_ERR_ALLOC_FAIL;
|
||||
+ if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0)
|
||||
+ r = kex_derive_keys(ssh, hash, hashlen, shared_secret);
|
||||
+ sshbuf_free(shared_secret);
|
||||
+ return r;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+static int sshkdf_cavs(struct kdf_cavs *test)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ struct kex kex;
|
||||
+ BIGNUM *Kbn = NULL;
|
||||
+ int mode = 0;
|
||||
+ struct newkeys *keys_client;
|
||||
+ struct newkeys *keys_server;
|
||||
+ struct ssh *ssh = NULL;
|
||||
+
|
||||
+#define HEXOUTLEN 500
|
||||
+ char hex[HEXOUTLEN];
|
||||
+
|
||||
+ memset(&kex, 0, sizeof(struct kex));
|
||||
+
|
||||
+ Kbn = BN_new();
|
||||
+ BN_bin2bn(test->K, test->Klen, Kbn);
|
||||
+ if (!Kbn) {
|
||||
+ printf("cannot convert K into BIGNUM\n");
|
||||
+ ret = 1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ kex.session_id = sshbuf_new();
|
||||
+ sshbuf_put(kex.session_id, test->session_id, test->session_id_len);
|
||||
+
|
||||
+ /* setup kex */
|
||||
+
|
||||
+ /* select the right hash based on struct ssh_digest digests */
|
||||
+ switch (test->ik_len) {
|
||||
+ case 20:
|
||||
+ kex.hash_alg = 2;
|
||||
+ break;
|
||||
+ case 32:
|
||||
+ kex.hash_alg = 3;
|
||||
+ break;
|
||||
+ case 48:
|
||||
+ kex.hash_alg = 4;
|
||||
+ break;
|
||||
+ case 64:
|
||||
+ kex.hash_alg = 5;
|
||||
+ break;
|
||||
+ default:
|
||||
+ printf("Wrong hash type %u\n", test->ik_len);
|
||||
+ ret = 1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ /* implement choose_enc */
|
||||
+ for (mode = 0; mode < 2; mode++) {
|
||||
+ kex.newkeys[mode] = calloc(1, sizeof(struct newkeys));
|
||||
+ if (!kex.newkeys[mode]) {
|
||||
+ printf("allocation of newkeys failed\n");
|
||||
+ ret = 1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ kex.newkeys[mode]->enc.iv_len = test->iv_len;
|
||||
+ kex.newkeys[mode]->enc.key_len = test->ek_len;
|
||||
+ kex.newkeys[mode]->enc.block_size = (test->iv_len == 64) ? 8 : 16;
|
||||
+ kex.newkeys[mode]->mac.key_len = test->ik_len;
|
||||
+ }
|
||||
+
|
||||
+ /* implement kex_choose_conf */
|
||||
+ kex.we_need = kex.newkeys[0]->enc.key_len;
|
||||
+ if (kex.we_need < kex.newkeys[0]->enc.block_size)
|
||||
+ kex.we_need = kex.newkeys[0]->enc.block_size;
|
||||
+ if (kex.we_need < kex.newkeys[0]->enc.iv_len)
|
||||
+ kex.we_need = kex.newkeys[0]->enc.iv_len;
|
||||
+ if (kex.we_need < kex.newkeys[0]->mac.key_len)
|
||||
+ kex.we_need = kex.newkeys[0]->mac.key_len;
|
||||
+
|
||||
+ /* MODE_OUT (1) -> server to client
|
||||
+ * MODE_IN (0) -> client to server */
|
||||
+ kex.server = 1;
|
||||
+
|
||||
+ /* do it */
|
||||
+ if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL){
|
||||
+ printf("Allocation error\n");
|
||||
+ goto out;
|
||||
+ }
|
||||
+ ssh->kex = &kex;
|
||||
+ kex_derive_keys_bn(ssh, test->H, test->Hlen, Kbn);
|
||||
+
|
||||
+ keys_client = kex.newkeys[0];
|
||||
+ keys_server = kex.newkeys[1];
|
||||
+
|
||||
+ /* get data */
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(keys_client->enc.iv, (size_t)keys_client->enc.iv_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Initial IV (client to server) = %s\n", hex);
|
||||
+
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(keys_server->enc.iv, (size_t)keys_server->enc.iv_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Initial IV (server to client) = %s\n", hex);
|
||||
+
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(keys_client->enc.key, (size_t)keys_client->enc.key_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Encryption key (client to server) = %s\n", hex);
|
||||
+
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(keys_server->enc.key, (size_t)keys_server->enc.key_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Encryption key (server to client) = %s\n", hex);
|
||||
+
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(keys_client->mac.key, (size_t)keys_client->mac.key_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Integrity key (client to server) = %s\n", hex);
|
||||
+
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(keys_server->mac.key, (size_t)keys_server->mac.key_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Integrity key (server to client) = %s\n", hex);
|
||||
+
|
||||
+out:
|
||||
+ if (Kbn)
|
||||
+ BN_free(Kbn);
|
||||
+ if (ssh)
|
||||
+ ssh_packet_close(ssh);
|
||||
+ if (kex.newkeys[0])
|
||||
+ free(kex.newkeys[0]);
|
||||
+ if (kex.newkeys[1])
|
||||
+ free(kex.newkeys[1]);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static void usage(void)
|
||||
+{
|
||||
+ fprintf(stderr, "\nOpenSSH KDF CAVS Test\n\n");
|
||||
+ fprintf(stderr, "Usage:\n");
|
||||
+ fprintf(stderr, "\t-K\tShared secret string\n");
|
||||
+ fprintf(stderr, "\t-H\tHash string\n");
|
||||
+ fprintf(stderr, "\t-s\tSession ID string\n");
|
||||
+ fprintf(stderr, "\t-i\tIV length to be generated\n");
|
||||
+ fprintf(stderr, "\t-e\tEncryption key length to be generated\n");
|
||||
+ fprintf(stderr, "\t-m\tMAC key length to be generated\n");
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Test command example:
|
||||
+ * ./ssh-cavs -K 0055d50f2d163cc07cd8a93cc7c3430c30ce786b572c01ad29fec7597000cf8618d664e2ec3dcbc8bb7a1a7eb7ef67f61cdaf291625da879186ac0a5cb27af571b59612d6a6e0627344d846271959fda61c78354aa498773d59762f8ca2d0215ec590d8633de921f920d41e47b3de6ab9a3d0869e1c826d0e4adebf8e3fb646a15dea20a410b44e969f4b791ed6a67f13f1b74234004d5fa5e87eff7abc32d49bbdf44d7b0107e8f10609233b7e2b7eff74a4daf25641de7553975dac6ac1e5117df6f6dbaa1c263d23a6c3e5a3d7d49ae8a828c1e333ac3f85fbbf57b5c1a45be45e43a7be1a4707eac779b8285522d1f531fe23f890fd38a004339932b93eda4 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
|
||||
+ *
|
||||
+ * Expected result for example:
|
||||
+ * Initial IV (client to server) = 4bb320d1679dfd3a
|
||||
+ * Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
|
||||
+ * Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
|
||||
+ * Initial IV (server to client) = 43dea6fdf263a308
|
||||
+ * Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
|
||||
+ * Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
|
||||
+ */
|
||||
+int main(int argc, char *argv[])
|
||||
+{
|
||||
+ struct kdf_cavs test;
|
||||
+ int ret = 1;
|
||||
+ int opt = 0;
|
||||
+
|
||||
+ memset(&test, 0, sizeof(struct kdf_cavs));
|
||||
+ while((opt = getopt(argc, argv, "K:H:s:i:e:m:")) != -1)
|
||||
+ {
|
||||
+ size_t len = 0;
|
||||
+ switch(opt)
|
||||
+ {
|
||||
+ /*
|
||||
+ * CAVS K is MPINT
|
||||
+ * we want a hex (i.e. the caller must ensure the
|
||||
+ * following transformations already happened):
|
||||
+ * 1. cut off first four bytes
|
||||
+ * 2. if most significant bit of value is
|
||||
+ * 1, prepend 0 byte
|
||||
+ */
|
||||
+ case 'K':
|
||||
+ len = strlen(optarg);
|
||||
+ ret = hex2bin_alloc(optarg, len,
|
||||
+ &test.K, &test.Klen);
|
||||
+ if (ret)
|
||||
+ goto out;
|
||||
+ break;
|
||||
+ case 'H':
|
||||
+ len = strlen(optarg);
|
||||
+ ret = hex2bin_alloc(optarg, len,
|
||||
+ &test.H, &test.Hlen);
|
||||
+ if (ret)
|
||||
+ goto out;
|
||||
+ break;
|
||||
+ case 's':
|
||||
+ len = strlen(optarg);
|
||||
+ ret = hex2bin_alloc(optarg, len,
|
||||
+ &test.session_id,
|
||||
+ &test.session_id_len);
|
||||
+ if (ret)
|
||||
+ goto out;
|
||||
+ break;
|
||||
+ case 'i':
|
||||
+ test.iv_len = strtoul(optarg, NULL, 10);
|
||||
+ break;
|
||||
+ case 'e':
|
||||
+ test.ek_len = strtoul(optarg, NULL, 10);
|
||||
+ break;
|
||||
+ case 'm':
|
||||
+ test.ik_len = strtoul(optarg, NULL, 10);
|
||||
+ break;
|
||||
+ default:
|
||||
+ usage();
|
||||
+ goto out;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ ret = sshkdf_cavs(&test);
|
||||
+
|
||||
+out:
|
||||
+ if (test.session_id)
|
||||
+ free(test.session_id);
|
||||
+ if (test.K)
|
||||
+ free(test.K);
|
||||
+ if (test.H)
|
||||
+ free(test.H);
|
||||
+ return ret;
|
||||
+
|
||||
+}
|
48
openssh-7.7p1-disable_openssl_abi_check.patch
Normal file
48
openssh-7.7p1-disable_openssl_abi_check.patch
Normal file
@ -0,0 +1,48 @@
|
||||
# HG changeset patch
|
||||
# Parent b13da8c3e99081cb92ab226d2c512241a82cd0d5
|
||||
disable run-time check for OpenSSL ABI by version number as that is not a
|
||||
reliable indicator of ABI changes and doesn't make much sense in a
|
||||
distribution package
|
||||
|
||||
Index: openssh-8.8p1/configure.ac
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/configure.ac
|
||||
+++ openssh-8.8p1/configure.ac
|
||||
@@ -5236,6 +5236,19 @@ AC_ARG_WITH([bsd-auth],
|
||||
]
|
||||
)
|
||||
|
||||
+# Whether we are using distribution (Open)SSL, so no runtime checks are necessary
|
||||
+DISTRO_SSL=no
|
||||
+AC_ARG_WITH([distro-ssl],
|
||||
+ [ --with-distro-ssl Disable runtime OpenSSL version checks (good for distributions)],
|
||||
+ [
|
||||
+ if test "x$withval" != "xno" ; then
|
||||
+ AC_DEFINE([DISTRO_SSL], [1],
|
||||
+ [Define if you are using distribution SSL library and don;t expect its API/ABI to change])
|
||||
+ DISTRO_SSL=yes
|
||||
+ fi
|
||||
+ ]
|
||||
+)
|
||||
+
|
||||
# Where to place sshd.pid
|
||||
piddir=/var/run
|
||||
# make sure the directory exists
|
||||
Index: openssh-8.8p1/entropy.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/entropy.c
|
||||
+++ openssh-8.8p1/entropy.c
|
||||
@@ -100,11 +100,13 @@ seed_rng(void)
|
||||
/* Initialise libcrypto */
|
||||
ssh_libcrypto_init();
|
||||
|
||||
+#ifndef DISTRO_SSL
|
||||
if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER,
|
||||
OpenSSL_version_num()))
|
||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER,
|
||||
OpenSSL_version_num());
|
||||
+#endif
|
||||
|
||||
#ifndef OPENSSL_PRNG_ONLY
|
||||
if (RAND_status() == 1)
|
18
openssh-7.7p1-eal3.patch
Normal file
18
openssh-7.7p1-eal3.patch
Normal file
@ -0,0 +1,18 @@
|
||||
# HG changeset patch
|
||||
# Parent 8fd4e445c3a5c823568661a4f71b064cbcb217a9
|
||||
fix paths and references in sshd man pages
|
||||
|
||||
Index: openssh-8.8p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/Makefile.in
|
||||
+++ openssh-8.8p1/Makefile.in
|
||||
@@ -165,7 +165,8 @@ PATHSUBS = \
|
||||
-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
|
||||
-e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \
|
||||
-e 's|/usr/libexec|$(libexecdir)|g' \
|
||||
- -e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \
|
||||
+ -e 's|login\.conf|login.defs|g' \
|
||||
+ -e 's|/etc/shosts.equiv|$(sysconfdir)/ssh/shosts.equiv|g' \
|
||||
-e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \
|
||||
-e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \
|
||||
-e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \
|
19
openssh-7.7p1-enable_PAM_by_default.patch
Normal file
19
openssh-7.7p1-enable_PAM_by_default.patch
Normal file
@ -0,0 +1,19 @@
|
||||
# HG changeset patch
|
||||
# Parent 5c1e122e31b601de64d81085294216af33f31aed
|
||||
# force PAM in defaullt install (this was removed from upstream in 3.8p1)
|
||||
# bnc#46749
|
||||
# --used to be called '-pam-fix2'
|
||||
|
||||
Index: openssh-8.8p1/sshd_config
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd_config
|
||||
+++ openssh-8.8p1/sshd_config
|
||||
@@ -79,7 +79,7 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and KbdInteractiveAuthentication to 'no'.
|
||||
-#UsePAM no
|
||||
+UsePAM yes
|
||||
|
||||
#AllowAgentForwarding yes
|
||||
#AllowTcpForwarding yes
|
808
openssh-7.7p1-fips.patch
Normal file
808
openssh-7.7p1-fips.patch
Normal file
@ -0,0 +1,808 @@
|
||||
# HG changeset patch
|
||||
# Parent 92d953171b34f6fba18d24085eeeaa24b1d2d5b5
|
||||
FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
|
||||
algorithms.
|
||||
|
||||
Index: openssh-9.6p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/Makefile.in
|
||||
+++ openssh-9.6p1/Makefile.in
|
||||
@@ -115,6 +115,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
|
||||
SKOBJS= ssh-sk-client.o
|
||||
|
||||
+LIBSSH_OBJS += fips.o
|
||||
+
|
||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||
sshconnect.o sshconnect2.o mux.o $(SKOBJS)
|
||||
|
||||
Index: openssh-9.6p1/cipher.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/cipher.c
|
||||
+++ openssh-9.6p1/cipher.c
|
||||
@@ -51,6 +51,9 @@
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
+#include "fips.h"
|
||||
+#include "log.h"
|
||||
+
|
||||
#ifndef WITH_OPENSSL
|
||||
#define EVP_CIPHER_CTX void
|
||||
#endif
|
||||
@@ -83,7 +86,7 @@ struct sshcipher {
|
||||
#endif
|
||||
};
|
||||
|
||||
-static const struct sshcipher ciphers[] = {
|
||||
+static const struct sshcipher ciphers_all[] = {
|
||||
#ifdef WITH_OPENSSL
|
||||
#ifndef OPENSSL_NO_DES
|
||||
{ "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
|
||||
@@ -110,8 +113,50 @@ static const struct sshcipher ciphers[]
|
||||
{ NULL, 0, 0, 0, 0, 0, NULL }
|
||||
};
|
||||
|
||||
+static const struct sshcipher ciphers_fips140_2[] = {
|
||||
+#ifdef WITH_OPENSSL
|
||||
+ { "aes128-cbc", 16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc },
|
||||
+ { "aes192-cbc", 16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc },
|
||||
+ { "aes256-cbc", 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
|
||||
+ { "rijndael-cbc@lysator.liu.se",
|
||||
+ 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
|
||||
+ { "aes128-ctr", 16, 16, 0, 0, 0, EVP_aes_128_ctr },
|
||||
+ { "aes192-ctr", 16, 24, 0, 0, 0, EVP_aes_192_ctr },
|
||||
+ { "aes256-ctr", 16, 32, 0, 0, 0, EVP_aes_256_ctr },
|
||||
+ { "aes128-gcm@openssh.com",
|
||||
+ 16, 16, 12, 16, 0, EVP_aes_128_gcm },
|
||||
+ { "aes256-gcm@openssh.com",
|
||||
+ 16, 32, 12, 16, 0, EVP_aes_256_gcm },
|
||||
+#else
|
||||
+ { "aes128-ctr", 16, 16, 0, 0, CFLAG_AESCTR, NULL },
|
||||
+ { "aes192-ctr", 16, 24, 0, 0, CFLAG_AESCTR, NULL },
|
||||
+ { "aes256-ctr", 16, 32, 0, 0, CFLAG_AESCTR, NULL },
|
||||
+#endif
|
||||
+ { "none", 8, 0, 0, 0, CFLAG_NONE, NULL },
|
||||
+
|
||||
+ { NULL, 0, 0, 0, 0, 0, NULL }
|
||||
+};
|
||||
+
|
||||
/*--*/
|
||||
|
||||
+/* Returns array of ciphers available depending on selected FIPS mode */
|
||||
+static const struct sshcipher *
|
||||
+fips_select_ciphers(void)
|
||||
+{
|
||||
+ int fips = fips_mode();
|
||||
+ switch (fips) {
|
||||
+ case 0:
|
||||
+ return ciphers_all;
|
||||
+ case 1:
|
||||
+ return ciphers_fips140_2;
|
||||
+ default:
|
||||
+ /* should not be reached */
|
||||
+ fatal("Fatal error: incorrect FIPS mode '%i' at %s:%u",
|
||||
+ fips, __FILE__, __LINE__);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/* Returns a comma-separated list of supported ciphers. */
|
||||
char *
|
||||
cipher_alg_list(char sep, int auth_only)
|
||||
@@ -120,7 +167,7 @@ cipher_alg_list(char sep, int auth_only)
|
||||
size_t nlen, rlen = 0;
|
||||
const struct sshcipher *c;
|
||||
|
||||
- for (c = ciphers; c->name != NULL; c++) {
|
||||
+ for (c = fips_select_ciphers(); c->name != NULL; c++) {
|
||||
if ((c->flags & CFLAG_INTERNAL) != 0)
|
||||
continue;
|
||||
if (auth_only && c->auth_len == 0)
|
||||
@@ -203,7 +250,7 @@ const struct sshcipher *
|
||||
cipher_by_name(const char *name)
|
||||
{
|
||||
const struct sshcipher *c;
|
||||
- for (c = ciphers; c->name != NULL; c++)
|
||||
+ for (c = fips_select_ciphers(); c->name != NULL; c++)
|
||||
if (strcmp(c->name, name) == 0)
|
||||
return c;
|
||||
return NULL;
|
||||
Index: openssh-9.6p1/fips.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-9.6p1/fips.c
|
||||
@@ -0,0 +1,212 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+#include "includes.h"
|
||||
+
|
||||
+#include "fips.h"
|
||||
+
|
||||
+#include "cipher.h"
|
||||
+#include "dh.h"
|
||||
+#include "digest.h"
|
||||
+#include "kex.h"
|
||||
+#include "sshkey.h"
|
||||
+#include "mac.h"
|
||||
+#include "log.h"
|
||||
+#include "xmalloc.h"
|
||||
+
|
||||
+#include <string.h>
|
||||
+#include <openssl/crypto.h>
|
||||
+
|
||||
+static int fips_state = -1;
|
||||
+
|
||||
+static int
|
||||
+fips_check_required_env(void)
|
||||
+{
|
||||
+ int fips_required = 0;
|
||||
+ char *env = getenv(SSH_FORCE_FIPS_ENV);
|
||||
+
|
||||
+ if (env) {
|
||||
+ errno = 0;
|
||||
+ fips_required = strtol(env, NULL, 10);
|
||||
+ if (errno) {
|
||||
+ debug("bogus value in the %s environment variable, ignoring\n"
|
||||
+ , SSH_FORCE_FIPS_ENV);
|
||||
+ fips_required = 0;
|
||||
+ } else
|
||||
+ fips_required = 1;
|
||||
+ }
|
||||
+ return fips_required;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+fips_mode(void)
|
||||
+{
|
||||
+ if (-1 == fips_state) {
|
||||
+ fips_state = FIPS_mode();
|
||||
+ if (fips_state)
|
||||
+ debug("FIPS mode initialized");
|
||||
+ else {
|
||||
+ if (fips_check_required_env()) {
|
||||
+ debug("FIPS mode requested through the environment variable '%s'"
|
||||
+ , SSH_FORCE_FIPS_ENV);
|
||||
+ if (!FIPS_mode_set(1))
|
||||
+ fatal("Unable to enter FIPS mode as requested through the environment variable '%s'"
|
||||
+ , SSH_FORCE_FIPS_ENV);
|
||||
+ fips_state = 1;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ return fips_state;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+fips_correct_dgst(int digest)
|
||||
+{
|
||||
+ int fips;
|
||||
+ int rv = -1;
|
||||
+
|
||||
+ fips = fips_mode();
|
||||
+ switch (fips) {
|
||||
+ case 0:
|
||||
+ rv = digest;
|
||||
+ break;
|
||||
+ case 1:
|
||||
+ switch (digest) {
|
||||
+ case SSH_DIGEST_MD5:
|
||||
+ case SSH_DIGEST_SHA1:
|
||||
+ debug("MD5/RIPEMD160 digests not allowed in FIPS 140-2 mode"
|
||||
+ "using SHA-256 instead.");
|
||||
+ rv = SSH_DIGEST_SHA256;
|
||||
+ break;
|
||||
+ default:
|
||||
+ rv = digest;
|
||||
+ break;
|
||||
+ }
|
||||
+ break;
|
||||
+ default:
|
||||
+ /* should not be reached */
|
||||
+ fatal("Fatal error: incorrect FIPS mode '%i' at %s:%u",
|
||||
+ fips, __FILE__, __LINE__);
|
||||
+ }
|
||||
+
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * filter out FIPS disallowed algorithms
|
||||
+ * *crypto MUST be free()-able - it is assigned newly allocated memory and
|
||||
+ * the previous one is freed
|
||||
+ *
|
||||
+ * returns zero if all algorithms were rejected, non-zero otherwise
|
||||
+ */
|
||||
+int
|
||||
+fips_filter_crypto(char **crypto, fips_filters filter)
|
||||
+{
|
||||
+ char *token, *tmp, *tmp_sav, *new;
|
||||
+ int plus = 0;
|
||||
+ int valid;
|
||||
+ int comma = 0;
|
||||
+ int empty = 1;
|
||||
+ size_t len;
|
||||
+
|
||||
+ tmp = tmp_sav = xstrdup(*crypto);
|
||||
+
|
||||
+ len = strlen(tmp) + 1;
|
||||
+ new = xcalloc(1, len);
|
||||
+
|
||||
+ if ('+' == *tmp) {
|
||||
+ plus = 1;
|
||||
+ tmp++;
|
||||
+ }
|
||||
+
|
||||
+ while ((token = strsep(&tmp, ",")) != NULL) {
|
||||
+ switch(filter) {
|
||||
+ case FIPS_FILTER_CIPHERS:
|
||||
+ valid = ciphers_valid(token);
|
||||
+ if (!valid)
|
||||
+ debug("Cipher '%s' is not allowed in FIPS mode",
|
||||
+ token);
|
||||
+ break;
|
||||
+ case FIPS_FILTER_MACS:
|
||||
+ valid = mac_valid(token);
|
||||
+ if (!valid)
|
||||
+ debug("MAC '%s' is not allowed in FIPS mode",
|
||||
+ token);
|
||||
+ break;
|
||||
+ case FIPS_FILTER_KEX_ALGS:
|
||||
+ valid = kex_names_valid(token);
|
||||
+ if (!valid)
|
||||
+ debug("KEX '%s' is not allowed in FIPS mode",
|
||||
+ token);
|
||||
+ break;
|
||||
+ default:
|
||||
+ /* should not be reached */
|
||||
+ fatal("Fatal error: incorrect FIPS filter '%i' requested at %s:%u",
|
||||
+ filter, __FILE__, __LINE__);
|
||||
+ }
|
||||
+
|
||||
+ if (valid) {
|
||||
+ empty = 0;
|
||||
+ if (plus) {
|
||||
+ strlcat(new, "+", len);
|
||||
+ plus = 0;
|
||||
+ }
|
||||
+ if (comma)
|
||||
+ strlcat(new, ",", len);
|
||||
+ else
|
||||
+ comma = 1;
|
||||
+ strlcat(new, token, len);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* free tmp and re-allocate shorter buffer for result if necessary */
|
||||
+ free(tmp_sav);
|
||||
+ free(*crypto);
|
||||
+ *crypto = new;
|
||||
+
|
||||
+ return (!empty);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+fips_dgst_min(void)
|
||||
+{
|
||||
+ int fips;
|
||||
+ int dgst;
|
||||
+
|
||||
+ fips = fips_mode();
|
||||
+ switch (fips) {
|
||||
+ case 0:
|
||||
+ dgst = SSH_DIGEST_MD5;
|
||||
+ break;
|
||||
+ case 1:
|
||||
+ dgst = SSH_DIGEST_SHA256;
|
||||
+ break;
|
||||
+ default:
|
||||
+ /* should not be reached */
|
||||
+ fatal("Fatal error: incorrect FIPS mode '%i' at %s:%u",
|
||||
+ fips, __FILE__, __LINE__);
|
||||
+ }
|
||||
+ return dgst;
|
||||
+}
|
||||
+
|
||||
Index: openssh-9.6p1/fips.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-9.6p1/fips.h
|
||||
@@ -0,0 +1,44 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+#ifndef FIPS_H
|
||||
+#define FIPS_H
|
||||
+
|
||||
+#include "sshkey.h"
|
||||
+
|
||||
+#define SSH_FORCE_FIPS_ENV "SSH_FORCE_FIPS"
|
||||
+
|
||||
+typedef enum {
|
||||
+ FIPS_FILTER_CIPHERS,
|
||||
+ FIPS_FILTER_MACS,
|
||||
+ FIPS_FILTER_KEX_ALGS
|
||||
+} fips_filters;
|
||||
+
|
||||
+int fips_mode(void);
|
||||
+int fips_correct_dgst(int);
|
||||
+int fips_dgst_min(void);
|
||||
+enum fp_type fips_correct_fp_type(enum fp_type);
|
||||
+int fips_filter_crypto(char **, fips_filters);
|
||||
+
|
||||
+#endif
|
||||
+
|
||||
Index: openssh-9.6p1/hmac.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/hmac.c
|
||||
+++ openssh-9.6p1/hmac.c
|
||||
@@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void *
|
||||
size_t i;
|
||||
u_char digest[16];
|
||||
|
||||
- if ((ctx = ssh_hmac_start(SSH_DIGEST_MD5)) == NULL)
|
||||
+ if ((ctx = ssh_hmac_start(fips_correct_dgst(SSH_DIGEST_MD5))) == NULL)
|
||||
printf("ssh_hmac_start failed");
|
||||
if (ssh_hmac_init(ctx, key, klen) < 0 ||
|
||||
ssh_hmac_update(ctx, m, mlen) < 0 ||
|
||||
Index: openssh-9.6p1/kex.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/kex-names.c
|
||||
+++ openssh-9.6p1/kex-names.c
|
||||
@@ -64,6 +64,8 @@
|
||||
#include "ssherr.h"
|
||||
#include "xmalloc.h"
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
struct kexalg {
|
||||
char *name;
|
||||
u_int type;
|
||||
@@ -87,7 +89,7 @@ struct kexalg {
|
||||
int ec_nid;
|
||||
int hash_alg;
|
||||
};
|
||||
-static const struct kexalg kexalgs[] = {
|
||||
+static const struct kexalg kexalgs_all[] = {
|
||||
#ifdef WITH_OPENSSL
|
||||
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
@@ -120,6 +122,47 @@ static const struct kexalg kexalgs[] = {
|
||||
{ NULL, 0, -1, -1},
|
||||
};
|
||||
|
||||
+static const struct kexalg kexalgs_fips140_2[] = {
|
||||
+#ifdef WITH_OPENSSL
|
||||
+ { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
+ { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
|
||||
+ { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
|
||||
+ { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
|
||||
+ { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
+#ifdef HAVE_EVP_SHA256
|
||||
+ { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
|
||||
+#endif /* HAVE_EVP_SHA256 */
|
||||
+#ifdef OPENSSL_HAS_ECC
|
||||
+ { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
|
||||
+ NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
|
||||
+ { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
|
||||
+ SSH_DIGEST_SHA384 },
|
||||
+# ifdef OPENSSL_HAS_NISTP521
|
||||
+ { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
|
||||
+ SSH_DIGEST_SHA512 },
|
||||
+# endif /* OPENSSL_HAS_NISTP521 */
|
||||
+#endif /* OPENSSL_HAS_ECC */
|
||||
+#endif /* WITH_OPENSSL */
|
||||
+ { NULL, -1, -1, -1},
|
||||
+};
|
||||
+
|
||||
+/* Returns array of macs available depending on selected FIPS mode */
|
||||
+static const struct kexalg *
|
||||
+fips_select_kexalgs(void)
|
||||
+{
|
||||
+ int fips = fips_mode();
|
||||
+ switch (fips) {
|
||||
+ case 0:
|
||||
+ return kexalgs_all;
|
||||
+ case 1:
|
||||
+ return kexalgs_fips140_2;
|
||||
+ default:
|
||||
+ /* should not be reached */
|
||||
+ fatal("Fatal error: incorrect FIPS mode '%i' at %s:%u",
|
||||
+ fips, __FILE__, __LINE__);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
char *
|
||||
kex_alg_list(char sep)
|
||||
{
|
||||
@@ -127,7 +170,7 @@ kex_alg_list(char sep)
|
||||
size_t nlen, rlen = 0;
|
||||
const struct kexalg *k;
|
||||
|
||||
- for (k = kexalgs; k->name != NULL; k++) {
|
||||
+ for (k = fips_select_kexalgs(); k->name != NULL; k++) {
|
||||
if (ret != NULL)
|
||||
ret[rlen++] = sep;
|
||||
nlen = strlen(k->name);
|
||||
@@ -147,7 +190,7 @@ kex_alg_by_name(const char *name)
|
||||
{
|
||||
const struct kexalg *k;
|
||||
|
||||
- for (k = kexalgs; k->name != NULL; k++) {
|
||||
+ for (k = fips_select_kexalgs(); k->name != NULL; k++) {
|
||||
if (strcmp(k->name, name) == 0)
|
||||
return k;
|
||||
}
|
||||
@@ -167,7 +210,10 @@ kex_names_valid(const char *names)
|
||||
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||
(p = strsep(&cp, ","))) {
|
||||
if (kex_alg_by_name(p) == NULL) {
|
||||
+ /* do not complain here - MACs and ciphers checks
|
||||
+ * are silent here
|
||||
error("Unsupported KEX algorithm \"%.100s\"", p);
|
||||
+ */
|
||||
free(s);
|
||||
return 0;
|
||||
}
|
||||
Index: openssh-9.6p1/mac.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/mac.c
|
||||
+++ openssh-9.6p1/mac.c
|
||||
@@ -41,6 +41,9 @@
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
+#include "fips.h"
|
||||
+#include "log.h"
|
||||
+
|
||||
#define SSH_DIGEST 1 /* SSH_DIGEST_XXX */
|
||||
#define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */
|
||||
#define SSH_UMAC128 3
|
||||
@@ -55,7 +58,7 @@ struct macalg {
|
||||
int etm; /* Encrypt-then-MAC */
|
||||
};
|
||||
|
||||
-static const struct macalg macs[] = {
|
||||
+static const struct macalg macs_all[] = {
|
||||
/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
|
||||
{ "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
|
||||
{ "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
|
||||
@@ -79,6 +82,41 @@ static const struct macalg macs[] = {
|
||||
{ NULL, 0, 0, 0, 0, 0, 0 }
|
||||
};
|
||||
|
||||
+static const struct macalg macs_fips140_2[] = {
|
||||
+ /* Encrypt-and-MAC (encrypt-and-authenticate) variants */
|
||||
+ { "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
|
||||
+#ifdef HAVE_EVP_SHA256
|
||||
+ { "hmac-sha2-256", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 0 },
|
||||
+ { "hmac-sha2-512", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 0 },
|
||||
+#endif
|
||||
+
|
||||
+ /* Encrypt-then-MAC variants */
|
||||
+ { "hmac-sha1-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 1 },
|
||||
+#ifdef HAVE_EVP_SHA256
|
||||
+ { "hmac-sha2-256-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 1 },
|
||||
+ { "hmac-sha2-512-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 1 },
|
||||
+#endif
|
||||
+
|
||||
+ { NULL, 0, 0, 0, 0, 0, 0 }
|
||||
+};
|
||||
+
|
||||
+/* Returns array of macs available depending on selected FIPS mode */
|
||||
+static const struct macalg *
|
||||
+fips_select_macs(void)
|
||||
+{
|
||||
+ int fips = fips_mode();
|
||||
+ switch (fips) {
|
||||
+ case 0:
|
||||
+ return macs_all;
|
||||
+ case 1:
|
||||
+ return macs_fips140_2;
|
||||
+ default:
|
||||
+ /* should not be reached */
|
||||
+ fatal("Fatal error: incorrect FIPS mode '%i' at %s:%u",
|
||||
+ fips, __FILE__, __LINE__);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/* Returns a list of supported MACs separated by the specified char. */
|
||||
char *
|
||||
mac_alg_list(char sep)
|
||||
@@ -87,7 +125,7 @@ mac_alg_list(char sep)
|
||||
size_t nlen, rlen = 0;
|
||||
const struct macalg *m;
|
||||
|
||||
- for (m = macs; m->name != NULL; m++) {
|
||||
+ for (m = fips_select_macs(); m->name != NULL; m++) {
|
||||
if (ret != NULL)
|
||||
ret[rlen++] = sep;
|
||||
nlen = strlen(m->name);
|
||||
@@ -126,7 +164,7 @@ mac_setup(struct sshmac *mac, char *name
|
||||
{
|
||||
const struct macalg *m;
|
||||
|
||||
- for (m = macs; m->name != NULL; m++) {
|
||||
+ for (m = fips_select_macs(); m->name != NULL; m++) {
|
||||
if (strcmp(name, m->name) != 0)
|
||||
continue;
|
||||
if (mac != NULL)
|
||||
Index: openssh-9.6p1/readconf.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/readconf.c
|
||||
+++ openssh-9.6p1/readconf.c
|
||||
@@ -71,6 +71,8 @@
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
/* Format of the configuration file:
|
||||
|
||||
# Configuration data is parsed as follows:
|
||||
@@ -2478,6 +2480,23 @@ config_has_permitted_cnames(Options *opt
|
||||
return options->num_permitted_cnames > 0;
|
||||
}
|
||||
|
||||
+/* remove algorithms not approved for use in FIPS mode, when running in FIPS
|
||||
+ * mode
|
||||
+ */
|
||||
+void
|
||||
+filter_fips_algorithms(Options *o)
|
||||
+{
|
||||
+ if (fips_mode()) {
|
||||
+ if (!fips_filter_crypto(&o->ciphers, FIPS_FILTER_CIPHERS))
|
||||
+ fatal("None of selected ciphers can be used in FIPS mode");
|
||||
+ if (!fips_filter_crypto(&o->macs, FIPS_FILTER_MACS))
|
||||
+ fatal("None of selected MAC algorithms can be used in FIPS mode");
|
||||
+ if (!fips_filter_crypto(&o->kex_algorithms, FIPS_FILTER_KEX_ALGS))
|
||||
+ fatal("None of selected KEX algorithms can be used in FIPS mode");
|
||||
+ }
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Initializes options to special values that indicate that they have not yet
|
||||
* been set. Read_config_file will only set options with this value. Options
|
||||
@@ -2796,6 +2815,9 @@ fill_default_options(Options * options)
|
||||
options->canonicalize_hostname = SSH_CANONICALISE_NO;
|
||||
if (options->fingerprint_hash == -1)
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
+ options->fingerprint_hash =
|
||||
+ fips_correct_dgst(options->fingerprint_hash);
|
||||
+
|
||||
#ifdef ENABLE_SK_INTERNAL
|
||||
if (options->sk_provider == NULL)
|
||||
options->sk_provider = xstrdup("internal");
|
||||
@@ -2840,6 +2862,8 @@ fill_default_options(Options * options)
|
||||
ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
|
||||
#undef ASSEMBLE
|
||||
|
||||
+ filter_fips_algorithms(options);
|
||||
+
|
||||
#define CLEAR_ON_NONE(v) \
|
||||
do { \
|
||||
if (option_clear_or_none(v)) { \
|
||||
Index: openssh-9.6p1/readconf.h
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/readconf.h
|
||||
+++ openssh-9.6p1/readconf.h
|
||||
@@ -231,6 +231,7 @@ typedef struct {
|
||||
#define SSH_KEYSTROKE_CHAFF_MIN_MS 1024
|
||||
#define SSH_KEYSTROKE_CHAFF_RNG_MS 2048
|
||||
|
||||
+void filter_fips_algorithms(Options *o);
|
||||
const char *kex_default_pk_alg(void);
|
||||
char *ssh_connection_hash(const char *thishost, const char *host,
|
||||
const char *portstr, const char *user, const char *jump_host);
|
||||
Index: openssh-9.6p1/servconf.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/servconf.c
|
||||
+++ openssh-9.6p1/servconf.c
|
||||
@@ -68,6 +68,7 @@
|
||||
#include "auth.h"
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
+#include "fips.h"
|
||||
|
||||
#if !defined(SSHD_PAM_SERVICE)
|
||||
# define SSHD_PAM_SERVICE "sshd"
|
||||
@@ -207,6 +208,23 @@ option_clear_or_none(const char *o)
|
||||
return o == NULL || strcasecmp(o, "none") == 0;
|
||||
}
|
||||
|
||||
+/* remove algorithms not approved for use in FIPS mode, when running in FIPS
|
||||
+ * mode
|
||||
+ */
|
||||
+static void
|
||||
+filter_fips_algorithms_s(ServerOptions *o)
|
||||
+{
|
||||
+ if (fips_mode()) {
|
||||
+ if (!fips_filter_crypto(&o->ciphers, FIPS_FILTER_CIPHERS))
|
||||
+ fatal("None of selected ciphers can be used in FIPS mode");
|
||||
+ if (!fips_filter_crypto(&o->macs, FIPS_FILTER_MACS))
|
||||
+ fatal("None of selected MAC algorithms can be used in FIPS mode");
|
||||
+ if (!fips_filter_crypto(&o->kex_algorithms, FIPS_FILTER_KEX_ALGS))
|
||||
+ fatal("None of selected KEX algorithms can be used in FIPS mode");
|
||||
+ }
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
static void
|
||||
assemble_algorithms(ServerOptions *o)
|
||||
{
|
||||
@@ -248,6 +266,8 @@ assemble_algorithms(ServerOptions *o)
|
||||
free(def_kex);
|
||||
free(def_key);
|
||||
free(def_sig);
|
||||
+
|
||||
+ filter_fips_algorithms_s(o);
|
||||
}
|
||||
|
||||
void
|
||||
@@ -440,6 +460,8 @@ fill_default_server_options(ServerOption
|
||||
options->fwd_opts.streamlocal_bind_unlink = 0;
|
||||
if (options->fingerprint_hash == -1)
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
+ options->fingerprint_hash =
|
||||
+ fips_correct_dgst(options->fingerprint_hash);
|
||||
if (options->disable_forwarding == -1)
|
||||
options->disable_forwarding = 0;
|
||||
if (options->expose_userauth_info == -1)
|
||||
Index: openssh-9.6p1/ssh-keygen.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/ssh-keygen.c
|
||||
+++ openssh-9.6p1/ssh-keygen.c
|
||||
@@ -18,6 +18,8 @@
|
||||
#include <sys/socket.h>
|
||||
#include <sys/stat.h>
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
#ifdef WITH_OPENSSL
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/pem.h>
|
||||
@@ -1040,11 +1042,13 @@ do_fingerprint(struct passwd *pw)
|
||||
static void
|
||||
do_gen_all_hostkeys(struct passwd *pw)
|
||||
{
|
||||
- struct {
|
||||
+ struct Key_types {
|
||||
char *key_type;
|
||||
char *key_type_display;
|
||||
char *path;
|
||||
- } key_types[] = {
|
||||
+ };
|
||||
+
|
||||
+ struct Key_types key_types_all[] = {
|
||||
#ifdef WITH_OPENSSL
|
||||
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
@@ -1058,6 +1062,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
|
||||
+ struct Key_types key_types_fips140_2[] = {
|
||||
+#ifdef WITH_OPENSSL
|
||||
+ { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
|
||||
+#ifdef OPENSSL_HAS_ECC
|
||||
+ { "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
|
||||
+#endif /* OPENSSL_HAS_ECC */
|
||||
+#endif /* WITH_OPENSSL */
|
||||
+ { NULL, NULL, NULL }
|
||||
+ };
|
||||
+
|
||||
+ struct Key_types *key_types;
|
||||
u_int32_t bits = 0;
|
||||
int first = 0;
|
||||
struct stat st;
|
||||
@@ -1065,6 +1080,12 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file;
|
||||
int i, type, fd, r;
|
||||
|
||||
+ if (fips_mode()) {
|
||||
+ key_types = key_types_fips140_2;
|
||||
+ } else {
|
||||
+ key_types = key_types_all;
|
||||
+ }
|
||||
+
|
||||
for (i = 0; key_types[i].key_type; i++) {
|
||||
public = private = NULL;
|
||||
prv_tmp = pub_tmp = prv_file = pub_file = NULL;
|
||||
@@ -3794,6 +3815,15 @@ main(int argc, char **argv)
|
||||
key_type_name = DEFAULT_KEY_TYPE_NAME;
|
||||
|
||||
type = sshkey_type_from_name(key_type_name);
|
||||
+
|
||||
+ /* protocol v1 is not allowed in FIPS mode, DSA is not acceptable because
|
||||
+ * it has to be 1024 bit due to RFC 4253 using SHA-1 which implies 1024 bit
|
||||
+ * keys due to FIPS-186 specification for DSS */
|
||||
+ if (fips_mode() &&
|
||||
+ (type == KEY_DSA || type == KEY_ED25519 ||
|
||||
+ type == KEY_DSA_CERT || type == KEY_ED25519_CERT))
|
||||
+ fatal("Key type %s not alowed in FIPS mode", key_type_name);
|
||||
+
|
||||
type_bits_valid(type, key_type_name, &bits);
|
||||
|
||||
if (!quiet)
|
||||
Index: openssh-9.6p1/ssh_config.5
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/ssh_config.5
|
||||
+++ openssh-9.6p1/ssh_config.5
|
||||
@@ -831,6 +831,8 @@ The argument to this keyword must be
|
||||
option) or
|
||||
.Cm no
|
||||
(the default).
|
||||
+.Pp
|
||||
+In the FIPS mode the minimum of SHA-1 is enforced (which means sha256).
|
||||
.It Cm ForwardAgent
|
||||
Specifies whether the connection to the authentication agent (if any)
|
||||
will be forwarded to the remote machine.
|
||||
Index: openssh-9.6p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/sshd.c
|
||||
+++ openssh-9.6p1/sshd.c
|
||||
@@ -128,6 +128,8 @@
|
||||
#include "addr.h"
|
||||
#include "srclimit.h"
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
/* Re-exec fds */
|
||||
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
||||
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
||||
Index: openssh-9.6p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/sshd_config.5
|
||||
+++ openssh-9.6p1/sshd_config.5
|
||||
@@ -681,6 +681,8 @@ and
|
||||
.Cm sha256 .
|
||||
The default is
|
||||
.Cm sha256 .
|
||||
+.Pp
|
||||
+In the FIPS mode the minimum of SHA-1 is enforced (which means sha256).
|
||||
.It Cm ForceCommand
|
||||
Forces the execution of the command specified by
|
||||
.Cm ForceCommand ,
|
471
openssh-7.7p1-fips_checks.patch
Normal file
471
openssh-7.7p1-fips_checks.patch
Normal file
@ -0,0 +1,471 @@
|
||||
# HG changeset patch
|
||||
# Parent e9b69da9a0f8dca923f8fc2836b38fe6590c791a
|
||||
#
|
||||
# Simple implementation of FIPS 140-2 selfchecks. Use OpenSSL to generate and
|
||||
# verify checksums of binaries. Any hash iused in OpenSSH can be used (MD5 would
|
||||
# obviously be a poor choice, since OpenSSL would barf and abort immediately in
|
||||
# FIPS mode). SHA-2 seems to be a reasonable choice.
|
||||
#
|
||||
# The logic of the checks is as follows: decide whether FIPS mode is mandated
|
||||
# (either by checking /proc/sys/crypto/fips_enabled or environment variable
|
||||
# SSH_FORCE_FIPS. In FIPS mode, checksums are required to match (inability to
|
||||
# retrieve pre-calculated hash is a fatal error). In non-FIPS mode the checks
|
||||
# still must be performed, unless the hashes are not installed. Thus if the hash
|
||||
# file is not found (or the hash matches), proceed in non-FIPS mode and abort
|
||||
# otherwise.
|
||||
|
||||
Index: openssh-8.8p1/fips-check.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/fips-check.c
|
||||
@@ -0,0 +1,34 @@
|
||||
+#include "includes.h"
|
||||
+#include <fcntl.h>
|
||||
+#include <limits.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <unistd.h>
|
||||
+
|
||||
+#include "digest.h"
|
||||
+#include "fips.h"
|
||||
+
|
||||
+#include <openssl/err.h>
|
||||
+
|
||||
+#define PROC_NAME_LEN 64
|
||||
+
|
||||
+static const char *argv0;
|
||||
+
|
||||
+void
|
||||
+print_help_exit(int ev)
|
||||
+{
|
||||
+ fprintf(stderr, "%s <-c|-w> <file> <checksum_file>\n", argv0);
|
||||
+ fprintf(stderr, " -c verify hash of 'file' against hash in 'checksum_file'\n");
|
||||
+ fprintf(stderr, " -w write hash of 'file' into 'checksum_file'\n");
|
||||
+ exit(ev);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+main(int argc, char **argv)
|
||||
+{
|
||||
+ fips_ssh_init();
|
||||
+ return 0;
|
||||
+}
|
||||
Index: openssh-8.8p1/fips.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/fips.c
|
||||
+++ openssh-8.8p1/fips.c
|
||||
@@ -35,30 +35,293 @@
|
||||
#include "log.h"
|
||||
#include "xmalloc.h"
|
||||
|
||||
+#include <errno.h>
|
||||
+#include <fcntl.h>
|
||||
#include <string.h>
|
||||
+#include <string.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <unistd.h>
|
||||
#include <openssl/crypto.h>
|
||||
+#include <openssl/err.h>
|
||||
+#include <openssl/hmac.h>
|
||||
|
||||
static int fips_state = -1;
|
||||
|
||||
+/* calculates HMAC of contents of a file given by filename using the hash
|
||||
+ * algorithm specified by FIPS_HMAC_EVP in fips.h and placing the result into
|
||||
+ * newly allacated memory - remember to free it when not needed anymore */
|
||||
static int
|
||||
-fips_check_required_env(void)
|
||||
+hmac_file(const char *filename, u_char **hmac_out)
|
||||
+{
|
||||
+ int check = -1;
|
||||
+ int fd;
|
||||
+ struct stat fs;
|
||||
+ void *hmap;
|
||||
+ unsigned char *hmac;
|
||||
+ unsigned char *hmac_rv = NULL;
|
||||
+
|
||||
+ hmac = xmalloc(FIPS_HMAC_LEN);
|
||||
+
|
||||
+ fd = open(filename, O_RDONLY);
|
||||
+ if (-1 == fd)
|
||||
+ goto bail_out;
|
||||
+
|
||||
+ if (-1 == fstat(fd, &fs))
|
||||
+ goto bail_out;
|
||||
+
|
||||
+ hmap = mmap(NULL, fs.st_size, PROT_READ, MAP_SHARED, fd, 0);
|
||||
+
|
||||
+ if ((void *)(-1) != hmap) {
|
||||
+ hmac_rv = HMAC(FIPS_HMAC_EVP(), FIPS_HMAC_KEY
|
||||
+ , strlen(FIPS_HMAC_KEY), hmap, fs.st_size, hmac, NULL);
|
||||
+ check = CHECK_OK;
|
||||
+ munmap(hmap, fs.st_size);
|
||||
+ }
|
||||
+ close(fd);
|
||||
+
|
||||
+bail_out:
|
||||
+ if (hmac_rv) {
|
||||
+ check = CHECK_OK;
|
||||
+ *hmac_out = hmac;
|
||||
+ } else {
|
||||
+ check = CHECK_FAIL;
|
||||
+ *hmac_out = NULL;
|
||||
+ free(hmac);
|
||||
+ }
|
||||
+ return check;
|
||||
+}
|
||||
+
|
||||
+/* find pathname of binary of process with PID pid. exe is buffer expected to
|
||||
+ * be capable of holding at least max_pathlen characters
|
||||
+ */
|
||||
+static int
|
||||
+get_executable_path(pid_t pid, char *exe, int max_pathlen)
|
||||
+{
|
||||
+ char exe_sl[PROC_EXE_PATH_LEN];
|
||||
+ int n;
|
||||
+ int rv = -1;
|
||||
+
|
||||
+ n = snprintf(exe_sl, sizeof(exe_sl), "/proc/%u/exe", pid);
|
||||
+ if ((n <= 10) || (n >= max_pathlen)) {
|
||||
+ fatal("error compiling filename of link to executable");
|
||||
+ }
|
||||
+
|
||||
+ exe[0] = 0;
|
||||
+ n = readlink(exe_sl, exe, max_pathlen);
|
||||
+ /* the file doesn't need to exist - procfs might not be mounted in
|
||||
+ * chroot */
|
||||
+ if (n == -1) {
|
||||
+ rv = CHECK_MISSING;
|
||||
+ } else {
|
||||
+ if (n < max_pathlen) {
|
||||
+ exe[n] = 0;
|
||||
+ rv = CHECK_OK;
|
||||
+ } else {
|
||||
+ rv = CHECK_FAIL;
|
||||
+ }
|
||||
+ }
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+/* Read HMAC from file chk, allocating enough memory to hold the HMAC and
|
||||
+ * return it in *hmac.
|
||||
+ * Remember to free() it when it's not needed anymore.
|
||||
+ */
|
||||
+static int
|
||||
+read_hmac(const char *chk, u_char **hmac)
|
||||
+{
|
||||
+ int check = -1;
|
||||
+ int fdh, n;
|
||||
+ u_char *hmac_in;
|
||||
+
|
||||
+ *hmac = NULL;
|
||||
+
|
||||
+ fdh = open(chk, O_RDONLY);
|
||||
+ if (-1 == fdh) {
|
||||
+ switch (errno) {
|
||||
+ case ENOENT:
|
||||
+ check = CHECK_MISSING;
|
||||
+ debug("fips: checksum file %s is missing\n", chk);
|
||||
+ break;
|
||||
+ default:
|
||||
+ check = CHECK_FAIL;
|
||||
+ debug("fips: ckecksum file %s not accessible\n", chk);
|
||||
+ break;
|
||||
+
|
||||
+ }
|
||||
+ goto bail_out;
|
||||
+ }
|
||||
+
|
||||
+ hmac_in = xmalloc(FIPS_HMAC_LEN);
|
||||
+
|
||||
+ n = read(fdh, (void *)hmac_in, FIPS_HMAC_LEN);
|
||||
+ if (FIPS_HMAC_LEN != n) {
|
||||
+ debug("fips: unable to read whole checksum from checksum file\n");
|
||||
+ free (hmac_in);
|
||||
+ check = CHECK_FAIL;
|
||||
+ } else {
|
||||
+ check = CHECK_OK;
|
||||
+ *hmac = hmac_in;
|
||||
+ }
|
||||
+bail_out:
|
||||
+ return check;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+fips_hmac_self(void)
|
||||
+{
|
||||
+ int check = -1;
|
||||
+ u_char *hmac = NULL, *hmac_chk = NULL;
|
||||
+ char *exe, *chk;
|
||||
+
|
||||
+ exe = xmalloc(PATH_MAX);
|
||||
+ chk = xmalloc(PATH_MAX);
|
||||
+
|
||||
+ /* we will need to add the suffix and the null terminator */
|
||||
+ check = get_executable_path(getpid(), exe
|
||||
+ , PATH_MAX - strlen(CHECKSUM_SUFFIX) - 1);
|
||||
+ if (CHECK_OK != check)
|
||||
+ goto cleanup;
|
||||
+
|
||||
+ strncpy(chk, exe, PATH_MAX);
|
||||
+ strlcat(chk, CHECKSUM_SUFFIX, PATH_MAX);
|
||||
+
|
||||
+ check = read_hmac(chk, &hmac_chk);
|
||||
+ if (CHECK_OK != check)
|
||||
+ goto cleanup;
|
||||
+
|
||||
+ check = hmac_file(exe, &hmac);
|
||||
+ if (CHECK_OK != check)
|
||||
+ goto cleanup;
|
||||
+
|
||||
+ check = memcmp(hmac, hmac_chk, FIPS_HMAC_LEN);
|
||||
+ if (0 == check) {
|
||||
+ check = CHECK_OK;
|
||||
+ debug("fips: checksum matches\n");
|
||||
+ } else {
|
||||
+ check = CHECK_FAIL;
|
||||
+ debug("fips: checksum mismatch!\n");
|
||||
+ }
|
||||
+
|
||||
+cleanup:
|
||||
+ free(hmac);
|
||||
+ free(hmac_chk);
|
||||
+ free(chk);
|
||||
+ free(exe);
|
||||
+
|
||||
+ return check;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+fips_check_required_proc(void)
|
||||
{
|
||||
int fips_required = 0;
|
||||
- char *env = getenv(SSH_FORCE_FIPS_ENV);
|
||||
+ int fips_fd;
|
||||
+ char fips_sys = 0;
|
||||
|
||||
- if (env) {
|
||||
- errno = 0;
|
||||
- fips_required = strtol(env, NULL, 10);
|
||||
- if (errno) {
|
||||
- debug("bogus value in the %s environment variable, ignoring\n"
|
||||
- , SSH_FORCE_FIPS_ENV);
|
||||
- fips_required = 0;
|
||||
- } else
|
||||
- fips_required = 1;
|
||||
+ struct stat dummy;
|
||||
+ if (-1 == stat(FIPS_PROC_PATH, &dummy)) {
|
||||
+ switch (errno) {
|
||||
+ case ENOENT:
|
||||
+ case ENOTDIR:
|
||||
+ break;
|
||||
+ default:
|
||||
+ fatal("Check for system-wide FIPS mode is required and %s cannot"
|
||||
+ " be accessed for reason other than non-existence - aborting"
|
||||
+ , FIPS_PROC_PATH);
|
||||
+ break;
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (-1 == (fips_fd = open(FIPS_PROC_PATH, O_RDONLY)))
|
||||
+ fatal("Check for system-wide FIPS mode is required and %s cannot"
|
||||
+ " be opened for reading - aborting"
|
||||
+ , FIPS_PROC_PATH);
|
||||
+ if (1 > read(fips_fd, &fips_sys, 1))
|
||||
+ fatal("Check for system-wide FIPS mode is required and %s doesn't"
|
||||
+ " return at least one character - aborting"
|
||||
+ , FIPS_PROC_PATH);
|
||||
+ close(fips_sys);
|
||||
+ switch (fips_sys) {
|
||||
+ case '0':
|
||||
+ case '1':
|
||||
+ fips_required = fips_sys - '0';
|
||||
+ break;
|
||||
+ default:
|
||||
+ fatal("Bogus character %c found in %s - aborting"
|
||||
+ , fips_sys, FIPS_PROC_PATH);
|
||||
+ }
|
||||
}
|
||||
return fips_required;
|
||||
}
|
||||
|
||||
+static int
|
||||
+fips_check_required_env(void)
|
||||
+{
|
||||
+ return (NULL != getenv(SSH_FORCE_FIPS_ENV));
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+fips_required(void)
|
||||
+{
|
||||
+ int fips_requests = 0;
|
||||
+ fips_requests += fips_check_required_proc();
|
||||
+ fips_requests += fips_check_required_env();
|
||||
+ return fips_requests;
|
||||
+}
|
||||
+
|
||||
+/* check whether FIPS mode is required and perform selfchecksum/selftest */
|
||||
+void
|
||||
+fips_ssh_init(void)
|
||||
+{
|
||||
+ int checksum;
|
||||
+
|
||||
+ checksum = fips_hmac_self();
|
||||
+
|
||||
+ if (fips_required()) {
|
||||
+ switch (checksum) {
|
||||
+ case CHECK_OK:
|
||||
+ debug("fips: mandatory checksum ok");
|
||||
+ break;
|
||||
+ case CHECK_FAIL:
|
||||
+ fatal("fips: mandatory checksum failed - aborting");
|
||||
+ break;
|
||||
+ case CHECK_MISSING:
|
||||
+ fatal("fips: mandatory checksum data missing - aborting");
|
||||
+ break;
|
||||
+ default:
|
||||
+ fatal("Fatal error: internal error at %s:%u"
|
||||
+ , __FILE__, __LINE__);
|
||||
+ break;
|
||||
+ }
|
||||
+ fips_state = FIPS_mode_set(1);
|
||||
+ if (1 != fips_state) {
|
||||
+ ERR_load_crypto_strings();
|
||||
+ u_long err = ERR_get_error();
|
||||
+ error("fips: OpenSSL error %lx: %s"
|
||||
+ , err, ERR_error_string(err, NULL));
|
||||
+ fatal("fips: unable to set OpenSSL into FIPS mode - aborting");
|
||||
+ }
|
||||
+ } else {
|
||||
+ switch (checksum) {
|
||||
+ case CHECK_OK:
|
||||
+ debug("fips: checksum ok");
|
||||
+ break;
|
||||
+ case CHECK_FAIL:
|
||||
+ fatal("fips: checksum failed - aborting");
|
||||
+ break;
|
||||
+ case CHECK_MISSING:
|
||||
+ debug("fips: checksum data missing, but not required - continuing non-FIPS");
|
||||
+ break;
|
||||
+ default:
|
||||
+ fatal("Fatal error: internal error at %s:%u",
|
||||
+ __FILE__, __LINE__);
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
int
|
||||
fips_mode(void)
|
||||
{
|
||||
Index: openssh-8.8p1/fips.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/fips.h
|
||||
+++ openssh-8.8p1/fips.h
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
+ * Copyright (c) 2012-2014 Petr Cerny. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@@ -27,6 +27,15 @@
|
||||
#include "sshkey.h"
|
||||
|
||||
#define SSH_FORCE_FIPS_ENV "SSH_FORCE_FIPS"
|
||||
+#define FIPS_PROC_PATH "/proc/sys/crypto/fips_enabled"
|
||||
+
|
||||
+#define PROC_EXE_PATH_LEN 64
|
||||
+#define CHECKSUM_SUFFIX ".hmac"
|
||||
+#define FIPS_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
|
||||
+#define FIPS_HMAC_EVP EVP_sha256
|
||||
+#define FIPS_HMAC_LEN 32
|
||||
+
|
||||
+void fips_ssh_init(void);
|
||||
|
||||
typedef enum {
|
||||
FIPS_FILTER_CIPHERS,
|
||||
@@ -34,6 +43,12 @@ typedef enum {
|
||||
FIPS_FILTER_KEX_ALGS
|
||||
} fips_filters;
|
||||
|
||||
+typedef enum {
|
||||
+ CHECK_OK = 0,
|
||||
+ CHECK_FAIL,
|
||||
+ CHECK_MISSING
|
||||
+} fips_checksum_status;
|
||||
+
|
||||
int fips_mode(void);
|
||||
int fips_correct_dgst(int);
|
||||
int fips_dgst_min(void);
|
||||
@@ -41,4 +56,3 @@ enum fp_type fips_correct_fp_type(enum
|
||||
int fips_filter_crypto(char **, fips_filters);
|
||||
|
||||
#endif
|
||||
-
|
||||
Index: openssh-8.8p1/sftp-server.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sftp-server.c
|
||||
+++ openssh-8.8p1/sftp-server.c
|
||||
@@ -57,6 +57,8 @@ char *sftp_realpath(const char *, char *
|
||||
/* Maximum data read that we are willing to accept */
|
||||
#define SFTP_MAX_READ_LENGTH (SFTP_MAX_MSG_LENGTH - 1024)
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
/* Our verbosity */
|
||||
static LogLevel log_level = SYSLOG_LEVEL_ERROR;
|
||||
|
||||
@@ -1717,6 +1719,9 @@ sftp_server_main(int argc, char **argv,
|
||||
extern char *optarg;
|
||||
extern char *__progname;
|
||||
|
||||
+ /* initialize fips */
|
||||
+ fips_ssh_init();
|
||||
+
|
||||
__progname = ssh_get_progname(argv[0]);
|
||||
log_init(__progname, log_level, log_facility, log_stderr);
|
||||
|
||||
Index: openssh-8.8p1/ssh.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/ssh.c
|
||||
+++ openssh-8.8p1/ssh.c
|
||||
@@ -113,6 +113,8 @@
|
||||
#include "ssh-pkcs11.h"
|
||||
#endif
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
extern char *__progname;
|
||||
|
||||
/* Saves a copy of argv for setproctitle emulation */
|
||||
@@ -632,6 +634,10 @@ main(int ac, char **av)
|
||||
u_int j;
|
||||
struct ssh_conn_info *cinfo = NULL;
|
||||
|
||||
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
|
||||
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
|
||||
+ fips_ssh_init();
|
||||
+
|
||||
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
||||
sanitise_stdfd();
|
||||
|
||||
Index: openssh-8.8p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd.c
|
||||
+++ openssh-8.8p1/sshd.c
|
||||
@@ -1547,6 +1547,10 @@ main(int ac, char **av)
|
||||
struct connection_info connection_info;
|
||||
sigset_t sigmask;
|
||||
|
||||
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
|
||||
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
|
||||
+ fips_ssh_init();
|
||||
+
|
||||
memset(&connection_info, 0, sizeof(connection_info));
|
||||
#ifdef HAVE_SECUREWARE
|
||||
(void)set_auth_parameters(ac, av);
|
20
openssh-7.7p1-host_ident.patch
Normal file
20
openssh-7.7p1-host_ident.patch
Normal file
@ -0,0 +1,20 @@
|
||||
# HG changeset patch
|
||||
# Parent 0f731d0b541b8a919d24ac91098f560a49712822
|
||||
Suggest command line for removal of offending keys from known_hosts file
|
||||
|
||||
Index: openssh-8.8p1/sshconnect.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshconnect.c
|
||||
+++ openssh-8.8p1/sshconnect.c
|
||||
@@ -1270,6 +1270,11 @@ check_host_key(char *hostname, const str
|
||||
error("Offending %s key in %s:%lu",
|
||||
sshkey_type(host_found->key),
|
||||
host_found->file, host_found->line);
|
||||
+ error("You can use following command to remove the offending key:");
|
||||
+ if (host_found->file)
|
||||
+ error("ssh-keygen -R %s -f %s", host, host_found->file);
|
||||
+ else
|
||||
+ error("ssh-keygen -R %s", host);
|
||||
|
||||
/*
|
||||
* If strict host key checking is in use, the user will have
|
83
openssh-7.7p1-hostname_changes_when_forwarding_X.patch
Normal file
83
openssh-7.7p1-hostname_changes_when_forwarding_X.patch
Normal file
@ -0,0 +1,83 @@
|
||||
# HG changeset patch
|
||||
# Parent 5e19a205fa03584bb0d829ecbba7495ce1899b65
|
||||
# -- uset do be called '-xauthlocalhostname'
|
||||
handle hostname changes when forwarding X
|
||||
|
||||
Index: openssh-8.8p1/session.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/session.c
|
||||
+++ openssh-8.8p1/session.c
|
||||
@@ -981,7 +981,7 @@ copy_environment(char **source, char ***
|
||||
#endif
|
||||
|
||||
static char **
|
||||
-do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
||||
+do_setup_env(struct ssh *ssh, Session *s, const char *shell, int *env_size)
|
||||
{
|
||||
char buf[256];
|
||||
size_t n;
|
||||
@@ -1191,6 +1191,8 @@ do_setup_env(struct ssh *ssh, Session *s
|
||||
for (i = 0; env[i]; i++)
|
||||
fprintf(stderr, " %.200s\n", env[i]);
|
||||
}
|
||||
+
|
||||
+ *env_size = envsize;
|
||||
return env;
|
||||
}
|
||||
|
||||
@@ -1199,7 +1201,7 @@ do_setup_env(struct ssh *ssh, Session *s
|
||||
* first in this order).
|
||||
*/
|
||||
static void
|
||||
-do_rc_files(struct ssh *ssh, Session *s, const char *shell)
|
||||
+do_rc_files(struct ssh *ssh, Session *s, const char *shell, char **env, int *env_size)
|
||||
{
|
||||
FILE *f = NULL;
|
||||
char *cmd = NULL, *user_rc = NULL;
|
||||
@@ -1256,12 +1258,20 @@ do_rc_files(struct ssh *ssh, Session *s,
|
||||
fatal_f("xasprintf: %s", strerror(errno));
|
||||
f = popen(cmd, "w");
|
||||
if (f) {
|
||||
+ char hostname[MAXHOSTNAMELEN];
|
||||
+
|
||||
fprintf(f, "remove %s\n",
|
||||
s->auth_display);
|
||||
fprintf(f, "add %s %s %s\n",
|
||||
s->auth_display, s->auth_proto,
|
||||
s->auth_data);
|
||||
pclose(f);
|
||||
+ if (gethostname(hostname,sizeof(hostname)) >= 0)
|
||||
+ child_set_env(&env,env_size,"XAUTHLOCALHOSTNAME",
|
||||
+ hostname);
|
||||
+ else
|
||||
+ debug("Cannot set up XAUTHLOCALHOSTNAME %s\n",
|
||||
+ strerror(errno));
|
||||
} else {
|
||||
fprintf(stderr, "Could not run %s\n",
|
||||
cmd);
|
||||
@@ -1518,6 +1528,7 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
char **env, *argv[ARGV_MAX], remote_id[512];
|
||||
const char *shell, *shell0;
|
||||
struct passwd *pw = s->pw;
|
||||
+ int env_size;
|
||||
int r = 0;
|
||||
|
||||
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
|
||||
@@ -1574,7 +1585,7 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
* Make sure $SHELL points to the shell from the password file,
|
||||
* even if shell is overridden from login.conf
|
||||
*/
|
||||
- env = do_setup_env(ssh, s, shell);
|
||||
+ env = do_setup_env(ssh, s, shell, &env_size);
|
||||
|
||||
#ifdef HAVE_LOGIN_CAP
|
||||
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
|
||||
@@ -1638,7 +1649,7 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
|
||||
closefrom(STDERR_FILENO + 1);
|
||||
|
||||
- do_rc_files(ssh, s, shell);
|
||||
+ do_rc_files(ssh, s, shell, env, &env_size);
|
||||
|
||||
/* restore SIGPIPE for child */
|
||||
ssh_signal(SIGPIPE, SIG_DFL);
|
2721
openssh-7.7p1-ldap.patch
Normal file
2721
openssh-7.7p1-ldap.patch
Normal file
File diff suppressed because it is too large
Load Diff
17
openssh-7.7p1-no_fork-no_pid_file.patch
Normal file
17
openssh-7.7p1-no_fork-no_pid_file.patch
Normal file
@ -0,0 +1,17 @@
|
||||
# HG changeset patch
|
||||
# Parent bad0c8b3b8d72abb6960ed85b57ee42352371738
|
||||
Do not write a PID file when not daemonizing (e.g. when running from systemd)
|
||||
|
||||
Index: openssh-8.8p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd.c
|
||||
+++ openssh-8.8p1/sshd.c
|
||||
@@ -2129,7 +2129,7 @@ main(int ac, char **av)
|
||||
* Write out the pid file after the sigterm handler
|
||||
* is setup and the listen sockets are bound
|
||||
*/
|
||||
- if (options.pid_file != NULL && !debug_flag) {
|
||||
+ if (!no_daemon_flag && options.pid_file != NULL && !debug_flag) {
|
||||
FILE *f = fopen(options.pid_file, "w");
|
||||
|
||||
if (f == NULL) {
|
135
openssh-7.7p1-pam_check_locks.patch
Normal file
135
openssh-7.7p1-pam_check_locks.patch
Normal file
@ -0,0 +1,135 @@
|
||||
# HG changeset patch
|
||||
# Parent 089f4fba0112d410a1bfa74398941f076681d446
|
||||
new option UsePAMCheckLocks to enforce checking for locked accounts while
|
||||
UsePAM is used
|
||||
|
||||
bnc#708678, FATE#312033
|
||||
|
||||
Index: openssh-8.8p1/auth.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/auth.c
|
||||
+++ openssh-8.8p1/auth.c
|
||||
@@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas
|
||||
if (!pw || !pw->pw_name)
|
||||
return 0;
|
||||
|
||||
- if (!options.use_pam && platform_locked_account(pw)) {
|
||||
+ if ((!options.use_pam || options.use_pam_check_locks) && platform_locked_account(pw)) {
|
||||
logit("User %.100s not allowed because account is locked",
|
||||
pw->pw_name);
|
||||
return 0;
|
||||
#@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas
|
||||
# #endif
|
||||
#
|
||||
# /* check for locked account */
|
||||
#- if (!options.use_pam && passwd && *passwd) {
|
||||
#+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
|
||||
# int locked = 0;
|
||||
#
|
||||
# #ifdef LOCKED_PASSWD_STRING
|
||||
Index: openssh-8.8p1/servconf.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/servconf.c
|
||||
+++ openssh-8.8p1/servconf.c
|
||||
@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions
|
||||
/* Portable-specific options */
|
||||
options->use_pam = -1;
|
||||
options->pam_service_name = NULL;
|
||||
+ options->use_pam_check_locks = -1;
|
||||
|
||||
/* Standard Options */
|
||||
options->num_ports = 0;
|
||||
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
|
||||
options->use_pam = 0;
|
||||
if (options->pam_service_name == NULL)
|
||||
options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);
|
||||
+ if (options->use_pam_check_locks == -1)
|
||||
+ options->use_pam_check_locks = 0;
|
||||
|
||||
/* Standard Options */
|
||||
if (options->num_host_key_files == 0) {
|
||||
@@ -485,7 +488,7 @@ fill_default_server_options(ServerOption
|
||||
typedef enum {
|
||||
sBadOption, /* == unknown option */
|
||||
/* Portable-specific options */
|
||||
- sUsePAM, sPAMServiceName,
|
||||
+ sUsePAM, sPAMServiceName, sUsePAMChecklocks,
|
||||
/* Standard Options */
|
||||
sPort, sHostKeyFile, sLoginGraceTime,
|
||||
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
||||
@@ -535,9 +538,11 @@ static struct {
|
||||
#ifdef USE_PAM
|
||||
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
|
||||
{ "pamservicename", sPAMServiceName, SSHCFG_ALL },
|
||||
+ { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
|
||||
#else
|
||||
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "pamservicename", sUnsupported, SSHCFG_ALL },
|
||||
+ { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
|
||||
/* Standard Options */
|
||||
@@ -1331,6 +1336,9 @@ process_server_config_line_depth(ServerO
|
||||
if (*activep && *charptr == NULL)
|
||||
*charptr = xstrdup(arg);
|
||||
break;
|
||||
+ case sUsePAMChecklocks:
|
||||
+ intptr = &options->use_pam_check_locks;
|
||||
+ goto parse_flag;
|
||||
|
||||
/* Standard Options */
|
||||
case sBadOption:
|
||||
Index: openssh-8.8p1/servconf.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/servconf.h
|
||||
+++ openssh-8.8p1/servconf.h
|
||||
@@ -200,6 +200,7 @@ typedef struct {
|
||||
|
||||
int use_pam; /* Enable auth via PAM */
|
||||
char *pam_service_name;
|
||||
+ int use_pam_check_locks; /* internally check for locked accounts even when using PAM */
|
||||
|
||||
int permit_tun;
|
||||
|
||||
Index: openssh-8.8p1/sshd_config.0
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd_config.0
|
||||
+++ openssh-8.8p1/sshd_config.0
|
||||
@@ -1074,6 +1074,14 @@ DESCRIPTION
|
||||
If UsePAM is enabled, you will not be able to run sshd(8) as a
|
||||
non-root user. The default is no.
|
||||
|
||||
+ UsePAMCheckLocks
|
||||
+ When set to ``yes'', the checks whether the account has been
|
||||
+ locked with `passwd -l' are performed even when PAM authentication
|
||||
+ is enabled via UsePAM. This is to ensure that it is not possible
|
||||
+ to log in with e.g. a public key (in such a case PAM is used only
|
||||
+ to set up the session and some PAM modules will not check whether
|
||||
+ the account is locked in this scenario). The default is ``no''.
|
||||
+
|
||||
VersionAddendum
|
||||
Optionally specifies additional text to append to the SSH
|
||||
protocol banner sent by the server upon connection. The default
|
||||
Index: openssh-8.8p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd_config.5
|
||||
+++ openssh-8.8p1/sshd_config.5
|
||||
@@ -1775,6 +1775,18 @@ is enabled, you will not be able to run
|
||||
as a non-root user.
|
||||
The default is
|
||||
.Cm no .
|
||||
+.It Cm UsePAMCheckLocks
|
||||
+When set to
|
||||
+.Dq yes
|
||||
+, the checks whether the account has been locked with
|
||||
+.Pa passwd -l
|
||||
+are performed even when PAM authentication is enabled via
|
||||
+.Cm UsePAM .
|
||||
+This is to ensure that it is not possible to log in with e.g. a
|
||||
+public key (in such a case PAM is used only to set up the session and some PAM
|
||||
+modules will not check whether the account is locked in this scenario). The
|
||||
+default is
|
||||
+.Dq no .
|
||||
.It Cm VersionAddendum
|
||||
Optionally specifies additional text to append to the SSH protocol banner
|
||||
sent by the server upon connection.
|
30
openssh-7.7p1-pts_names_formatting.patch
Normal file
30
openssh-7.7p1-pts_names_formatting.patch
Normal file
@ -0,0 +1,30 @@
|
||||
# HG changeset patch
|
||||
# Parent 7cd948c83939479d1ba88a3161991cb561306f3f
|
||||
# use same lines naming as utempter (prevents problems with using different
|
||||
# formats in ?tmp? files)
|
||||
# --used to be called '-pts'
|
||||
|
||||
Index: openssh-8.8p1/loginrec.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/loginrec.c
|
||||
+++ openssh-8.8p1/loginrec.c
|
||||
@@ -549,7 +549,7 @@ getlast_entry(struct logininfo *li)
|
||||
* 1. The full filename (including '/dev')
|
||||
* 2. The stripped name (excluding '/dev')
|
||||
* 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00
|
||||
- * /dev/pts/1 -> ts/1 )
|
||||
+ * /dev/pts/1 -> /1 )
|
||||
*
|
||||
* Form 3 is used on some systems to identify a .tmp.? entry when
|
||||
* attempting to remove it. Typically both addition and removal is
|
||||
@@ -610,6 +610,10 @@ line_abbrevname(char *dst, const char *s
|
||||
if (strncmp(src, "tty", 3) == 0)
|
||||
src += 3;
|
||||
#endif
|
||||
+ if (strncmp(src, "pts/", 4) == 0) {
|
||||
+ src += 3;
|
||||
+ if (strlen(src) > 4) src++;
|
||||
+ }
|
||||
|
||||
len = strlen(src);
|
||||
|
46
openssh-7.7p1-remove_xauth_cookies_on_exit.patch
Normal file
46
openssh-7.7p1-remove_xauth_cookies_on_exit.patch
Normal file
@ -0,0 +1,46 @@
|
||||
# HG changeset patch
|
||||
# Parent a60c0d88667efe0a64c030168950b69476af1622
|
||||
# --used to be called '-xauth'
|
||||
try to remove xauth cookies on logout
|
||||
|
||||
bnc#98815
|
||||
|
||||
Index: openssh-8.8p1/session.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/session.c
|
||||
+++ openssh-8.8p1/session.c
|
||||
@@ -2441,6 +2441,34 @@ session_close(struct ssh *ssh, Session *
|
||||
ssh_remote_port(ssh),
|
||||
s->self);
|
||||
|
||||
+ if ((s->display != NULL) && (s->auth_proto != NULL) &&
|
||||
+ (s->auth_data != NULL) && (options.xauth_location != NULL)) {
|
||||
+ pid_t pid;
|
||||
+ FILE *f;
|
||||
+ char cmd[1024];
|
||||
+ struct passwd * pw = s->pw;
|
||||
+
|
||||
+ if (!(pid = fork())) {
|
||||
+ permanently_set_uid(pw);
|
||||
+
|
||||
+ /* Remove authority data from .Xauthority if appropriate. */
|
||||
+ debug("Running %.500s remove %.100s\n",
|
||||
+ options.xauth_location, s->auth_display);
|
||||
+
|
||||
+ snprintf(cmd, sizeof cmd, "unset XAUTHORITY && HOME=\"%.200s\" %s -q -",
|
||||
+ s->pw->pw_dir, options.xauth_location);
|
||||
+ f = popen(cmd, "w");
|
||||
+ if (f) {
|
||||
+ fprintf(f, "remove %s\n", s->auth_display);
|
||||
+ pclose(f);
|
||||
+ } else
|
||||
+ error("Could not run %s\n", cmd);
|
||||
+ exit(0);
|
||||
+ } else if (pid > 0) {
|
||||
+ waitpid(pid, NULL, 0);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (s->ttyfd != -1)
|
||||
session_pty_cleanup(s);
|
||||
free(s->term);
|
41
openssh-7.7p1-seccomp_ipc_flock.patch
Normal file
41
openssh-7.7p1-seccomp_ipc_flock.patch
Normal file
@ -0,0 +1,41 @@
|
||||
# HG changeset patch
|
||||
# Parent 9d38b7292619a6d5faf554b1a88888fdfa535de7
|
||||
Patch from IBM enabling the use of OpenCryptoki, submitted upstreams:
|
||||
|
||||
From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
||||
To: openssh-unix-dev@mindrot.org
|
||||
Subject: [PATCH 1/3] Allow flock and ipc syscall for s390 architecture
|
||||
Date: Tue, 9 May 2017 14:27:13 -0300
|
||||
|
||||
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
|
||||
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
|
||||
implementation) which calls the libraries that will communicate with the
|
||||
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
|
||||
this is only need on s390 architecture.
|
||||
|
||||
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
||||
|
||||
Index: openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sandbox-seccomp-filter.c
|
||||
+++ openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
@@ -219,6 +219,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_geteuid32
|
||||
SC_ALLOW(__NR_geteuid32),
|
||||
#endif
|
||||
+#if defined(__NR_flock) && defined(__s390__)
|
||||
+ SC_ALLOW(__NR_flock),
|
||||
+#endif
|
||||
#ifdef __NR_getpgid
|
||||
SC_ALLOW(__NR_getpgid),
|
||||
#endif
|
||||
@@ -237,6 +240,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_getuid32
|
||||
SC_ALLOW(__NR_getuid32),
|
||||
#endif
|
||||
+#if defined(__NR_ipc) && defined(__s390__)
|
||||
+ SC_ALLOW(__NR_ipc),
|
||||
+#endif
|
||||
#ifdef __NR_madvise
|
||||
SC_ALLOW_ARG(__NR_madvise, 2, MADV_NORMAL),
|
||||
# ifdef MADV_FREE
|
21
openssh-7.7p1-seccomp_stat.patch
Normal file
21
openssh-7.7p1-seccomp_stat.patch
Normal file
@ -0,0 +1,21 @@
|
||||
# HG changeset patch
|
||||
# Parent 5034ae16f6a5c9c7151d931dc1cce2a541fe010e
|
||||
Allow the stat() syscall for OpenSSL re-seed patch
|
||||
(which causes OpenSSL use stat() on some file)
|
||||
|
||||
bnc#912436
|
||||
|
||||
Index: openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sandbox-seccomp-filter.c
|
||||
+++ openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
@@ -294,6 +294,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_sigprocmask
|
||||
SC_ALLOW(__NR_sigprocmask),
|
||||
#endif
|
||||
+#ifdef __NR_stat
|
||||
+ SC_ALLOW(__NR_stat),
|
||||
+#endif
|
||||
#ifdef __NR_time
|
||||
SC_ALLOW(__NR_time),
|
||||
#endif
|
37
openssh-7.7p1-send_locale.patch
Normal file
37
openssh-7.7p1-send_locale.patch
Normal file
@ -0,0 +1,37 @@
|
||||
# HG changeset patch
|
||||
# Parent db426aecefd1f4f8a7f9b9b6e8936cd8dd2f17fa
|
||||
send locales in default configuration
|
||||
bnc#65747
|
||||
|
||||
Index: openssh-8.8p1/ssh_config
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/ssh_config
|
||||
+++ openssh-8.8p1/ssh_config
|
||||
@@ -31,6 +31,11 @@ Host *
|
||||
# expire after twenty minutes after remote login.
|
||||
ForwardX11Trusted yes
|
||||
|
||||
+# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
|
||||
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
+ SendEnv LC_IDENTIFICATION LC_ALL
|
||||
+
|
||||
# PasswordAuthentication yes
|
||||
# HostbasedAuthentication no
|
||||
# GSSAPIAuthentication no
|
||||
Index: openssh-8.8p1/sshd_config
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd_config
|
||||
+++ openssh-8.8p1/sshd_config
|
||||
@@ -108,6 +108,11 @@ X11Forwarding yes
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/libexec/sftp-server
|
||||
|
||||
+# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
|
||||
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
+AcceptEnv LC_IDENTIFICATION LC_ALL
|
||||
+
|
||||
# Example of overriding settings on a per-user basis
|
||||
#Match User anoncvs
|
||||
# X11Forwarding no
|
125
openssh-7.7p1-sftp_force_permissions.patch
Normal file
125
openssh-7.7p1-sftp_force_permissions.patch
Normal file
@ -0,0 +1,125 @@
|
||||
Index: openssh-8.8p1/sftp-server.8
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sftp-server.8
|
||||
+++ openssh-8.8p1/sftp-server.8
|
||||
@@ -38,6 +38,7 @@
|
||||
.Op Fl P Ar denied_requests
|
||||
.Op Fl p Ar allowed_requests
|
||||
.Op Fl u Ar umask
|
||||
+.Op Fl m Ar force_file_dir_perms
|
||||
.Ek
|
||||
.Nm
|
||||
.Fl Q Ar protocol_feature
|
||||
@@ -138,6 +139,10 @@ Sets an explicit
|
||||
.Xr umask 2
|
||||
to be applied to newly-created files and directories, instead of the
|
||||
user's default mask.
|
||||
+.It Fl m Ar force_file_dir_perms
|
||||
+Sets explicit permissions to be applied to newly-created files and directories
|
||||
+instead of the default or client requested mode. Numeric values include:
|
||||
+777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set.
|
||||
.El
|
||||
.Pp
|
||||
On some systems,
|
||||
Index: openssh-8.8p1/sftp-server.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sftp-server.c
|
||||
+++ openssh-8.8p1/sftp-server.c
|
||||
@@ -73,6 +73,10 @@ struct sshbuf *oqueue;
|
||||
/* Version of client */
|
||||
static u_int version;
|
||||
|
||||
+/* Force file and directory permissions */
|
||||
+int permforce = 0;
|
||||
+long permforcemode;
|
||||
+
|
||||
/* SSH2_FXP_INIT received */
|
||||
static int init_done;
|
||||
|
||||
@@ -724,6 +728,7 @@ process_open(u_int32_t id)
|
||||
Attrib a;
|
||||
char *name;
|
||||
int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE;
|
||||
+ mode_t old_umask = 0;
|
||||
|
||||
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
|
||||
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
|
||||
@@ -733,6 +738,10 @@ process_open(u_int32_t id)
|
||||
debug3("request %u: open flags %d", id, pflags);
|
||||
flags = flags_from_portable(pflags);
|
||||
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
|
||||
+ if (permforce == 1) { /* Force perm if -m is set */
|
||||
+ mode = permforcemode;
|
||||
+ old_umask = umask(0); /* so umask does not interfere */
|
||||
+ }
|
||||
logit("open \"%s\" flags %s mode 0%o",
|
||||
name, string_from_portable(pflags), mode);
|
||||
if (readonly &&
|
||||
@@ -754,6 +763,8 @@ process_open(u_int32_t id)
|
||||
}
|
||||
}
|
||||
}
|
||||
+ if (permforce == 1)
|
||||
+ (void) umask(old_umask); /* restore umask to something sane */
|
||||
if (status != SSH2_FX_OK)
|
||||
send_status(id, status);
|
||||
free(name);
|
||||
@@ -1183,6 +1194,7 @@ process_mkdir(u_int32_t id)
|
||||
Attrib a;
|
||||
char *name;
|
||||
int r, mode, status = SSH2_FX_FAILURE;
|
||||
+ mode_t old_umask = 0;
|
||||
|
||||
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
|
||||
(r = decode_attrib(iqueue, &a)) != 0)
|
||||
@@ -1190,9 +1202,16 @@ process_mkdir(u_int32_t id)
|
||||
|
||||
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ?
|
||||
a.perm & 07777 : 0777;
|
||||
+ if (permforce == 1) { /* Force perm if -m is set */
|
||||
+ mode = permforcemode;
|
||||
+ old_umask = umask(0); /* so umask does not interfere */
|
||||
+ }
|
||||
+
|
||||
debug3("request %u: mkdir", id);
|
||||
logit("mkdir name \"%s\" mode 0%o", name, mode);
|
||||
r = mkdir(name, mode);
|
||||
+ if (permforce == 1)
|
||||
+ (void) umask(old_umask); /* restore umask to something sane */
|
||||
status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
|
||||
send_status(id, status);
|
||||
free(name);
|
||||
@@ -1700,7 +1719,7 @@ sftp_server_usage(void)
|
||||
fprintf(stderr,
|
||||
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
|
||||
"[-l log_level]\n\t[-P denied_requests] "
|
||||
- "[-p allowed_requests] [-u umask]\n"
|
||||
+ "[-p allowed_requests] [-u umask] [-m force_file_dir_perms]\n"
|
||||
" %s -Q protocol_feature\n",
|
||||
__progname, __progname);
|
||||
exit(1);
|
||||
@@ -1728,7 +1747,7 @@ sftp_server_main(int argc, char **argv,
|
||||
pw = pwcopy(user_pw);
|
||||
|
||||
while (!skipargs && (ch = getopt(argc, argv,
|
||||
- "d:f:l:P:p:Q:u:cehR")) != -1) {
|
||||
+ "d:f:l:P:p:Q:u:m:cehR")) != -1) {
|
||||
switch (ch) {
|
||||
case 'Q':
|
||||
if (strcasecmp(optarg, "requests") != 0) {
|
||||
@@ -1790,6 +1809,15 @@ sftp_server_main(int argc, char **argv,
|
||||
fatal("Invalid umask \"%s\"", optarg);
|
||||
(void)umask((mode_t)mask);
|
||||
break;
|
||||
+ case 'm':
|
||||
+ /* Force permissions on file and directory received via sftp */
|
||||
+ permforce = 1;
|
||||
+ permforcemode = strtol(optarg, &cp, 8);
|
||||
+ if (permforcemode < 0 || permforcemode > 0777 ||
|
||||
+ *cp != '\0' || (permforcemode == 0 &&
|
||||
+ errno != 0))
|
||||
+ fatal("Invalid file mode \"%s\"", optarg);
|
||||
+ break;
|
||||
case 'h':
|
||||
default:
|
||||
sftp_server_usage();
|
60
openssh-7.7p1-sftp_print_diagnostic_messages.patch
Normal file
60
openssh-7.7p1-sftp_print_diagnostic_messages.patch
Normal file
@ -0,0 +1,60 @@
|
||||
# HG changeset patch
|
||||
# Parent 60bdbe6dd8d6bc011883472363d56e1d97f68835
|
||||
Put back sftp client diagnostic messages in batch mode
|
||||
|
||||
Index: openssh-8.8p1/sftp.1
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sftp.1
|
||||
+++ openssh-8.8p1/sftp.1
|
||||
@@ -287,6 +287,9 @@ Specifies the port to connect to on the
|
||||
.It Fl p
|
||||
Preserves modification times, access times, and modes from the
|
||||
original files transferred.
|
||||
+.It Fl Q
|
||||
+Not-so-quiet batch mode: forces printing of diagnostic messages
|
||||
+in batch mode.
|
||||
.It Fl q
|
||||
Quiet mode: disables the progress meter as well as warning and
|
||||
diagnostic messages from
|
||||
Index: openssh-8.8p1/sftp.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sftp.c
|
||||
+++ openssh-8.8p1/sftp.c
|
||||
@@ -82,6 +82,9 @@ static volatile pid_t sshpid = -1;
|
||||
/* Suppress diagnostic messages */
|
||||
int quiet = 0;
|
||||
|
||||
+/* Force diagnositic messages in batch mode */
|
||||
+int loud = 0;
|
||||
+
|
||||
/* This is set to 0 if the progressmeter is not desired. */
|
||||
int showprogress = 1;
|
||||
|
||||
@@ -2381,7 +2384,7 @@ main(int argc, char **argv)
|
||||
infile = stdin;
|
||||
|
||||
while ((ch = getopt(argc, argv,
|
||||
- "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:X:")) != -1) {
|
||||
+ "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:X:")) != -1) {
|
||||
switch (ch) {
|
||||
/* Passed through to ssh(1) */
|
||||
case 'A':
|
||||
@@ -2399,6 +2402,9 @@ main(int argc, char **argv)
|
||||
addargs(&args, "-%c", ch);
|
||||
addargs(&args, "%s", optarg);
|
||||
break;
|
||||
+ case 'Q':
|
||||
+ loud = 1;
|
||||
+ break;
|
||||
case 'q':
|
||||
ll = SYSLOG_LEVEL_ERROR;
|
||||
quiet = 1;
|
||||
@@ -2483,6 +2489,8 @@ main(int argc, char **argv)
|
||||
usage();
|
||||
}
|
||||
}
|
||||
+ if (batchmode && loud)
|
||||
+ quiet = 0;
|
||||
|
||||
/* Do this last because we want the user to be able to override it */
|
||||
addargs(&args, "-oForwardAgent no");
|
87
openssh-7.7p1-systemd-notify.patch
Normal file
87
openssh-7.7p1-systemd-notify.patch
Normal file
@ -0,0 +1,87 @@
|
||||
# HG changeset patch
|
||||
# Parent d296e85dc414b8cd1b4b55ad03d8216feb26531a
|
||||
Send signals to systemd to prevent various race conditions
|
||||
bsc#1048367
|
||||
|
||||
Index: openssh-8.8p1/configure.ac
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/configure.ac
|
||||
+++ openssh-8.8p1/configure.ac
|
||||
@@ -4751,6 +4751,30 @@ AC_ARG_WITH([kerberos5],
|
||||
# AC_SUBST([GSSLIBS])
|
||||
AC_SUBST([K5LIBS])
|
||||
AC_SUBST([CHANNELLIBS])
|
||||
|
||||
+# Check whether user wants systemd support
|
||||
+SYSTEMD_MSG="no"
|
||||
+AC_ARG_WITH(systemd,
|
||||
+ [ --with-systemd Enable systemd support],
|
||||
+ [ if test "x$withval" != "xno" ; then
|
||||
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
|
||||
+ if test "$PKGCONFIG" != "no"; then
|
||||
+ AC_MSG_CHECKING([for libsystemd])
|
||||
+ if $PKGCONFIG --exists libsystemd; then
|
||||
+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
|
||||
+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
|
||||
+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
|
||||
+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
|
||||
+ AC_MSG_RESULT([yes])
|
||||
+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
|
||||
+ SYSTEMD_MSG="yes"
|
||||
+ else
|
||||
+ AC_MSG_RESULT([no])
|
||||
+ fi
|
||||
+ fi
|
||||
+ fi ]
|
||||
+)
|
||||
+
|
||||
+
|
||||
# Looking for programs, paths and files
|
||||
|
||||
PRIVSEP_PATH=/var/empty
|
||||
@@ -5564,6 +5588,7 @@ echo " libldns support
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
echo " Solaris project support: $SP_MSG"
|
||||
echo " Solaris privilege support: $SPP_MSG"
|
||||
+echo " systemd support: $SYSTEMD_MSG"
|
||||
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
|
||||
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||
Index: openssh-8.8p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd.c
|
||||
+++ openssh-8.8p1/sshd.c
|
||||
@@ -85,6 +85,10 @@
|
||||
#include <prot.h>
|
||||
#endif
|
||||
|
||||
+#ifdef HAVE_SYSTEMD
|
||||
+#include <systemd/sd-daemon.h>
|
||||
+#endif
|
||||
+
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
#include "sshpty.h"
|
||||
@@ -308,6 +312,10 @@ sighup_handler(int sig)
|
||||
static void
|
||||
sighup_restart(void)
|
||||
{
|
||||
+#ifdef HAVE_SYSTEMD
|
||||
+ /* Signal systemd that we are reloading */
|
||||
+ sd_notify(0, "RELOADING=1");
|
||||
+#endif
|
||||
logit("Received SIGHUP; restarting.");
|
||||
if (options.pid_file != NULL)
|
||||
unlink(options.pid_file);
|
||||
@@ -2076,6 +2084,11 @@ main(int ac, char **av)
|
||||
}
|
||||
}
|
||||
|
||||
+#ifdef HAVE_SYSTEMD
|
||||
+ /* Signal systemd that we are ready to accept connections */
|
||||
+ sd_notify(0, "READY=1");
|
||||
+#endif
|
||||
+
|
||||
/* Accept a connection and return in a forked child */
|
||||
server_accept_loop(&sock_in, &sock_out,
|
||||
&newsock, config_s, log_stderr);
|
863
openssh-7.8p1-role-mls.patch
Normal file
863
openssh-7.8p1-role-mls.patch
Normal file
@ -0,0 +1,863 @@
|
||||
diff -up openssh/auth2.c.role-mls openssh/auth2.c
|
||||
--- openssh/auth2.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth2.c 2018-08-22 11:14:56.815430916 +0200
|
||||
@@ -256,6 +256,9 @@ input_userauth_request(int type, u_int32
|
||||
Authctxt *authctxt = ssh->authctxt;
|
||||
Authmethod *m = NULL;
|
||||
char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ char *role = NULL;
|
||||
+#endif
|
||||
int r, authenticated = 0;
|
||||
double tstart = monotime_double();
|
||||
|
||||
@@ -268,6 +271,11 @@ input_userauth_request(int type, u_int32
|
||||
debug("userauth-request for user %s service %s method %s", user, service, method);
|
||||
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if ((role = strchr(user, '/')) != NULL)
|
||||
+ *role++ = 0;
|
||||
+#endif
|
||||
+
|
||||
if ((style = strchr(user, ':')) != NULL)
|
||||
*style++ = 0;
|
||||
|
||||
@@ -314,7 +314,13 @@ input_userauth_request(int type, u_int32
|
||||
setproctitle("%s [net]", authctxt->valid ? user : "unknown");
|
||||
authctxt->service = xstrdup(service);
|
||||
authctxt->style = style ? xstrdup(style) : NULL;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ authctxt->role = role ? xstrdup(role) : NULL;
|
||||
+#endif
|
||||
mm_inform_authserv(service, style);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ mm_inform_authrole(role);
|
||||
+#endif
|
||||
userauth_banner(ssh);
|
||||
if ((r = kex_server_update_ext_info(ssh)) != 0)
|
||||
fatal_fr(r, "kex_server_update_ext_info failed");
|
||||
diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
||||
--- openssh/auth2-gss.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth2-gss.c 2018-08-22 11:15:42.459799171 +0200
|
||||
@@ -281,6 +281,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
Authctxt *authctxt = ssh->authctxt;
|
||||
Gssctxt *gssctxt;
|
||||
int r, authenticated = 0;
|
||||
+ char *micuser;
|
||||
struct sshbuf *b;
|
||||
gss_buffer_desc mic, gssbuf;
|
||||
u_char *p;
|
||||
@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
fatal_f("sshbuf_new failed");
|
||||
mic.value = p;
|
||||
mic.length = len;
|
||||
- ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role && authctxt->role[0] != 0)
|
||||
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
|
||||
+ else
|
||||
+#endif
|
||||
+ micuser = authctxt->user;
|
||||
+ ssh_gssapi_buildmic(b, micuser, authctxt->service,
|
||||
"gssapi-with-mic", ssh->kex->session_id);
|
||||
|
||||
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
||||
@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
logit("GSSAPI MIC check failed");
|
||||
|
||||
sshbuf_free(b);
|
||||
+ if (micuser != authctxt->user)
|
||||
+ free(micuser);
|
||||
free(mic.value);
|
||||
|
||||
authctxt->postponed = 0;
|
||||
diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
|
||||
--- openssh/auth2-hostbased.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
|
||||
@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
|
||||
/* reconstruct packet */
|
||||
if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 ||
|
||||
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ (authctxt->role
|
||||
+ ? ( (r = sshbuf_put_u32(b, strlen(authctxt->user)+strlen(authctxt->role)+1)) != 0 ||
|
||||
+ (r = sshbuf_put(b, authctxt->user, strlen(authctxt->user))) != 0 ||
|
||||
+ (r = sshbuf_put_u8(b, '/') != 0) ||
|
||||
+ (r = sshbuf_put(b, authctxt->role, strlen(authctxt->role))) != 0)
|
||||
+ : (r = sshbuf_put_cstring(b, authctxt->user)) != 0) ||
|
||||
+#else
|
||||
(r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
|
||||
+#endif
|
||||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, method)) != 0 ||
|
||||
(r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
|
||||
diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
|
||||
--- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200
|
||||
+++ openssh/auth2-pubkey.c 2018-08-22 11:17:07.331483958 +0200
|
||||
@@ -169,9 +169,16 @@ userauth_pubkey(struct ssh *ssh)
|
||||
goto done;
|
||||
}
|
||||
/* reconstruct packet */
|
||||
- xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
+ xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
- authctxt->style ? authctxt->style : "");
|
||||
+ authctxt->style ? authctxt->style : "",
|
||||
+#ifdef WITH_SELINUX
|
||||
+ authctxt->role ? "/" : "",
|
||||
+ authctxt->role ? authctxt->role : ""
|
||||
+#else
|
||||
+ "", ""
|
||||
+#endif
|
||||
+ );
|
||||
if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, userstyle)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
|
||||
diff -up openssh/auth.h.role-mls openssh/auth.h
|
||||
--- openssh/auth.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth.h 2018-08-22 11:14:56.816430924 +0200
|
||||
@@ -65,6 +65,9 @@ struct Authctxt {
|
||||
char *service;
|
||||
struct passwd *pw; /* set if 'valid' */
|
||||
char *style;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ char *role;
|
||||
+#endif
|
||||
|
||||
/* Method lists for multiple authentication */
|
||||
char **auth_methods; /* modified from server config */
|
||||
diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c
|
||||
--- openssh/auth-pam.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth-pam.c 2018-08-22 11:14:56.816430924 +0200
|
||||
@@ -1172,7 +1172,7 @@ is_pam_session_open(void)
|
||||
* during the ssh authentication process.
|
||||
*/
|
||||
int
|
||||
-do_pam_putenv(char *name, char *value)
|
||||
+do_pam_putenv(char *name, const char *value)
|
||||
{
|
||||
int ret = 1;
|
||||
char *compound;
|
||||
diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
|
||||
--- openssh/auth-pam.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth-pam.h 2018-08-22 11:14:56.817430932 +0200
|
||||
@@ -33,7 +33,7 @@ u_int do_pam_account(void);
|
||||
void do_pam_session(struct ssh *);
|
||||
void do_pam_setcred(void);
|
||||
void do_pam_chauthtok(void);
|
||||
-int do_pam_putenv(char *, char *);
|
||||
+int do_pam_putenv(char *, const char *);
|
||||
char ** fetch_pam_environment(void);
|
||||
char ** fetch_pam_child_environment(void);
|
||||
void free_pam_environment(char **);
|
||||
diff -up openssh/misc.c.role-mls openssh/misc.c
|
||||
--- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200
|
||||
@@ -542,6 +542,7 @@ char *
|
||||
colon(char *cp)
|
||||
{
|
||||
int flag = 0;
|
||||
+ int start = 1;
|
||||
|
||||
if (*cp == ':') /* Leading colon is part of file name. */
|
||||
return NULL;
|
||||
@@ -557,6 +558,13 @@ colon(char *cp)
|
||||
return (cp);
|
||||
if (*cp == '/')
|
||||
return NULL;
|
||||
+ if (start) {
|
||||
+ /* Slash on beginning or after dots only denotes file name. */
|
||||
+ if (*cp == '/')
|
||||
+ return (0);
|
||||
+ if (*cp != '.')
|
||||
+ start = 0;
|
||||
+ }
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
|
||||
--- openssh-8.6p1/monitor.c.role-mls 2021-04-16 05:55:25.000000000 +0200
|
||||
+++ openssh-8.6p1/monitor.c 2021-05-21 14:21:56.719414087 +0200
|
||||
@@ -117,6 +117,9 @@ int mm_answer_sign(struct ssh *, int, st
|
||||
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
|
||||
+#ifdef WITH_SELINUX
|
||||
+int mm_answer_authrole(struct ssh *, int, struct sshbuf *);
|
||||
+#endif
|
||||
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
|
||||
@@ -195,6 +198,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||
+#ifdef WITH_SELINUX
|
||||
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
|
||||
+#endif
|
||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||
#ifdef USE_PAM
|
||||
@@ -803,6 +809,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
|
||||
|
||||
/* Allow service/style information on the auth context */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
|
||||
+#endif
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||
|
||||
#ifdef USE_PAM
|
||||
@@ -877,6 +886,26 @@ key_base_type_match(const char *method,
|
||||
return found;
|
||||
}
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+int
|
||||
+mm_answer_authrole(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
+{
|
||||
+ int r;
|
||||
+ monitor_permit_authentications(1);
|
||||
+
|
||||
+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
|
||||
+ fatal_f("buffer error: %s", ssh_err(r));
|
||||
+ debug3_f("role=%s", authctxt->role);
|
||||
+
|
||||
+ if (strlen(authctxt->role) == 0) {
|
||||
+ free(authctxt->role);
|
||||
+ authctxt->role = NULL;
|
||||
+ }
|
||||
+
|
||||
+ return (0);
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
int
|
||||
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
{
|
||||
@@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh,
|
||||
struct sshbuf *b;
|
||||
struct sshkey *hostkey = NULL;
|
||||
const u_char *p;
|
||||
- char *userstyle, *cp;
|
||||
+ char *userstyle, *s, *cp;
|
||||
size_t len;
|
||||
u_char type;
|
||||
int hostbound = 0, r, fail = 0;
|
||||
@@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh,
|
||||
fail++;
|
||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||
fatal_fr(r, "parse userstyle");
|
||||
+ if ((s = strchr(cp, '/')) != NULL)
|
||||
+ *s = '\0';
|
||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
authctxt->style ? authctxt->style : "");
|
||||
@@ -1317,7 +1348,7 @@ monitor_valid_hostbasedblob(const u_char
|
||||
{
|
||||
struct sshbuf *b;
|
||||
const u_char *p;
|
||||
- char *cp, *userstyle;
|
||||
+ char *cp, *s, *userstyle;
|
||||
size_t len;
|
||||
int r, fail = 0;
|
||||
u_char type;
|
||||
@@ -1338,6 +1370,8 @@ monitor_valid_hostbasedblob(const u_char
|
||||
fail++;
|
||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||
fatal_fr(r, "parse userstyle");
|
||||
+ if ((s = strchr(cp, '/')) != NULL)
|
||||
+ *s = '\0';
|
||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
authctxt->style ? authctxt->style : "");
|
||||
diff -up openssh/monitor.h.role-mls openssh/monitor.h
|
||||
--- openssh/monitor.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/monitor.h 2018-08-22 11:14:56.818430941 +0200
|
||||
@@ -55,6 +55,10 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
|
||||
MONITOR_REQ_TERM = 50,
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ MONITOR_REQ_AUTHROLE = 80,
|
||||
+#endif
|
||||
+
|
||||
MONITOR_REQ_PAM_START = 100,
|
||||
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
|
||||
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
|
||||
diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
|
||||
--- openssh/monitor_wrap.c.role-mls 2018-08-22 11:14:56.818430941 +0200
|
||||
+++ openssh/monitor_wrap.c 2018-08-22 11:21:47.938747968 +0200
|
||||
@@ -390,6 +390,27 @@ mm_inform_authserv(char *service, char *
|
||||
sshbuf_free(m);
|
||||
}
|
||||
|
||||
+/* Inform the privileged process about role */
|
||||
+
|
||||
+#ifdef WITH_SELINUX
|
||||
+void
|
||||
+mm_inform_authrole(char *role)
|
||||
+{
|
||||
+ int r;
|
||||
+ struct sshbuf *m;
|
||||
+
|
||||
+ debug3_f("entering");
|
||||
+
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal_f("sshbuf_new failed");
|
||||
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
|
||||
+ fatal_f("buffer error: %s", ssh_err(r));
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
|
||||
+
|
||||
+ sshbuf_free(m);
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
/* Do the password authentication */
|
||||
int
|
||||
mm_auth_password(struct ssh *ssh, char *password)
|
||||
diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
|
||||
--- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200
|
||||
+++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200
|
||||
@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
|
||||
const u_char *, size_t, const char *, const char *,
|
||||
const char *, u_int compat);
|
||||
void mm_inform_authserv(char *, char *);
|
||||
+#ifdef WITH_SELINUX
|
||||
+void mm_inform_authrole(char *);
|
||||
+#endif
|
||||
struct passwd *mm_getpwnamallow(struct ssh *, const char *);
|
||||
char *mm_auth2_read_banner(void);
|
||||
int mm_auth_password(struct ssh *, char *);
|
||||
diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Makefile.in
|
||||
--- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -92,7 +92,8 @@ PORTS= port-aix.o \
|
||||
port-prngd.o \
|
||||
port-solaris.o \
|
||||
port-net.o \
|
||||
- port-uw.o
|
||||
+ port-uw.o \
|
||||
+ port-linux-sshd.o
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $<
|
||||
diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c
|
||||
--- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -100,37 +100,6 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
return sc;
|
||||
}
|
||||
|
||||
-/* Set the execution context to the default for the specified user */
|
||||
-void
|
||||
-ssh_selinux_setup_exec_context(char *pwname)
|
||||
-{
|
||||
- char *user_ctx = NULL;
|
||||
-
|
||||
- if (!ssh_selinux_enabled())
|
||||
- return;
|
||||
-
|
||||
- debug3("%s: setting execution context", __func__);
|
||||
-
|
||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||
- if (setexeccon(user_ctx) != 0) {
|
||||
- switch (security_getenforce()) {
|
||||
- case -1:
|
||||
- fatal("%s: security_getenforce() failed", __func__);
|
||||
- case 0:
|
||||
- error("%s: Failed to set SELinux execution "
|
||||
- "context for %s", __func__, pwname);
|
||||
- break;
|
||||
- default:
|
||||
- fatal("%s: Failed to set SELinux execution context "
|
||||
- "for %s (in enforcing mode)", __func__, pwname);
|
||||
- }
|
||||
- }
|
||||
- if (user_ctx != NULL)
|
||||
- freecon(user_ctx);
|
||||
-
|
||||
- debug3("%s: done", __func__);
|
||||
-}
|
||||
-
|
||||
/* Set the TTY context for the specified user */
|
||||
void
|
||||
ssh_selinux_setup_pty(char *pwname, const char *tty)
|
||||
@@ -145,7 +114,11 @@ ssh_selinux_setup_pty(char *pwname, cons
|
||||
|
||||
debug3("%s: setting TTY context on %s", __func__, tty);
|
||||
|
||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||
+ if (getexeccon(&user_ctx) != 0) {
|
||||
+ error_f("getexeccon: %s", strerror(errno));
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
|
||||
/* XXX: should these calls fatal() upon failure in enforcing mode? */
|
||||
|
||||
diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/port-linux.h
|
||||
--- openssh/openbsd-compat/port-linux.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/openbsd-compat/port-linux.h 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -20,9 +20,10 @@
|
||||
#ifdef WITH_SELINUX
|
||||
int ssh_selinux_enabled(void);
|
||||
void ssh_selinux_setup_pty(char *, const char *);
|
||||
-void ssh_selinux_setup_exec_context(char *);
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
+
|
||||
+void sshd_selinux_setup_exec_context(char *);
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
|
||||
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
|
||||
+++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -0,0 +1,420 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
|
||||
+ *
|
||||
+ * Permission to use, copy, modify, and distribute this software for any
|
||||
+ * purpose with or without fee is hereby granted, provided that the above
|
||||
+ * copyright notice and this permission notice appear in all copies.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * Linux-specific portability code - just SELinux support for sshd at present
|
||||
+ */
|
||||
+
|
||||
+#include "includes.h"
|
||||
+
|
||||
+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
|
||||
+#include <errno.h>
|
||||
+#include <stdarg.h>
|
||||
+#include <string.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+
|
||||
+#include "log.h"
|
||||
+#include "xmalloc.h"
|
||||
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
|
||||
+#include "servconf.h"
|
||||
+#include "port-linux.h"
|
||||
+#include "sshkey.h"
|
||||
+#include "hostfile.h"
|
||||
+#include "auth.h"
|
||||
+
|
||||
+#ifdef WITH_SELINUX
|
||||
+#include <selinux/selinux.h>
|
||||
+#include <selinux/context.h>
|
||||
+#include <selinux/get_context_list.h>
|
||||
+#include <selinux/get_default_type.h>
|
||||
+
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+#include <libaudit.h>
|
||||
+#include <unistd.h>
|
||||
+#endif
|
||||
+
|
||||
+extern ServerOptions options;
|
||||
+extern Authctxt *the_authctxt;
|
||||
+extern int inetd_flag;
|
||||
+
|
||||
+/* Send audit message */
|
||||
+static int
|
||||
+sshd_selinux_send_audit_message(int success, security_context_t default_context,
|
||||
+ security_context_t selected_context)
|
||||
+{
|
||||
+ int rc=0;
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+ char *msg = NULL;
|
||||
+ int audit_fd = audit_open();
|
||||
+ security_context_t default_raw=NULL;
|
||||
+ security_context_t selected_raw=NULL;
|
||||
+ rc = -1;
|
||||
+ if (audit_fd < 0) {
|
||||
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
|
||||
+ errno == EAFNOSUPPORT)
|
||||
+ return 0; /* No audit support in kernel */
|
||||
+ error("Error connecting to audit system.");
|
||||
+ return rc;
|
||||
+ }
|
||||
+ if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
|
||||
+ error("Error translating default context.");
|
||||
+ default_raw = NULL;
|
||||
+ }
|
||||
+ if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) {
|
||||
+ error("Error translating selected context.");
|
||||
+ selected_raw = NULL;
|
||||
+ }
|
||||
+ if (asprintf(&msg, "sshd: default-context=%s selected-context=%s",
|
||||
+ default_raw ? default_raw : (default_context ? default_context: "?"),
|
||||
+ selected_context ? selected_raw : (selected_context ? selected_context :"?")) < 0) {
|
||||
+ error("Error allocating memory.");
|
||||
+ goto out;
|
||||
+ }
|
||||
+ if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
|
||||
+ msg, NULL, NULL, NULL, success) <= 0) {
|
||||
+ error("Error sending audit message.");
|
||||
+ goto out;
|
||||
+ }
|
||||
+ rc = 0;
|
||||
+ out:
|
||||
+ free(msg);
|
||||
+ freecon(default_raw);
|
||||
+ freecon(selected_raw);
|
||||
+ close(audit_fd);
|
||||
+#endif
|
||||
+ return rc;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+mls_range_allowed(security_context_t src, security_context_t dst)
|
||||
+{
|
||||
+ struct av_decision avd;
|
||||
+ int retval;
|
||||
+ access_vector_t bit;
|
||||
+ security_class_t class;
|
||||
+
|
||||
+ debug_f("src:%s dst:%s", src, dst);
|
||||
+ class = string_to_security_class("context");
|
||||
+ if (!class) {
|
||||
+ error("string_to_security_class failed to translate security class context");
|
||||
+ return 1;
|
||||
+ }
|
||||
+ bit = string_to_av_perm(class, "contains");
|
||||
+ if (!bit) {
|
||||
+ error("string_to_av_perm failed to translate av perm contains");
|
||||
+ return 1;
|
||||
+ }
|
||||
+ retval = security_compute_av(src, dst, class, bit, &avd);
|
||||
+ if (retval || ((bit & avd.allowed) != bit))
|
||||
+ return 0;
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+get_user_context(const char *sename, const char *role, const char *lvl,
|
||||
+ security_context_t *sc) {
|
||||
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
|
||||
+ if (lvl == NULL || lvl[0] == '\0' || get_default_context_with_level(sename, lvl, NULL, sc) != 0) {
|
||||
+ /* User may have requested a level completely outside of his
|
||||
+ allowed range. We get a context just for auditing as the
|
||||
+ range check below will certainly fail for default context. */
|
||||
+#endif
|
||||
+ if (get_default_context(sename, NULL, sc) != 0) {
|
||||
+ *sc = NULL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
|
||||
+ }
|
||||
+#endif
|
||||
+ if (role != NULL && role[0]) {
|
||||
+ context_t con;
|
||||
+ char *type=NULL;
|
||||
+ if (get_default_type(role, &type) != 0) {
|
||||
+ error("get_default_type: failed to get default type for '%s'",
|
||||
+ role);
|
||||
+ goto out;
|
||||
+ }
|
||||
+ con = context_new(*sc);
|
||||
+ if (!con) {
|
||||
+ goto out;
|
||||
+ }
|
||||
+ context_role_set(con, role);
|
||||
+ context_type_set(con, type);
|
||||
+ freecon(*sc);
|
||||
+ *sc = strdup(context_str(con));
|
||||
+ context_free(con);
|
||||
+ if (!*sc)
|
||||
+ return -1;
|
||||
+ }
|
||||
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
|
||||
+ if (lvl != NULL && lvl[0]) {
|
||||
+ /* verify that the requested range is obtained */
|
||||
+ context_t con;
|
||||
+ security_context_t obtained_raw;
|
||||
+ security_context_t requested_raw;
|
||||
+ con = context_new(*sc);
|
||||
+ if (!con) {
|
||||
+ goto out;
|
||||
+ }
|
||||
+ context_range_set(con, lvl);
|
||||
+ if (selinux_trans_to_raw_context(*sc, &obtained_raw) < 0) {
|
||||
+ context_free(con);
|
||||
+ goto out;
|
||||
+ }
|
||||
+ if (selinux_trans_to_raw_context(context_str(con), &requested_raw) < 0) {
|
||||
+ freecon(obtained_raw);
|
||||
+ context_free(con);
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ debug("get_user_context: obtained context '%s' requested context '%s'",
|
||||
+ obtained_raw, requested_raw);
|
||||
+ if (strcmp(obtained_raw, requested_raw)) {
|
||||
+ /* set the context to the real requested one but fail */
|
||||
+ freecon(requested_raw);
|
||||
+ freecon(obtained_raw);
|
||||
+ freecon(*sc);
|
||||
+ *sc = strdup(context_str(con));
|
||||
+ context_free(con);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ freecon(requested_raw);
|
||||
+ freecon(obtained_raw);
|
||||
+ context_free(con);
|
||||
+ }
|
||||
+#endif
|
||||
+ return 0;
|
||||
+ out:
|
||||
+ freecon(*sc);
|
||||
+ *sc = NULL;
|
||||
+ return -1;
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+ssh_selinux_get_role_level(char **role, const char **level)
|
||||
+{
|
||||
+ *role = NULL;
|
||||
+ *level = NULL;
|
||||
+ if (the_authctxt) {
|
||||
+ if (the_authctxt->role != NULL) {
|
||||
+ char *slash;
|
||||
+ *role = xstrdup(the_authctxt->role);
|
||||
+ if ((slash = strchr(*role, '/')) != NULL) {
|
||||
+ *slash = '\0';
|
||||
+ *level = slash + 1;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/* Return the default security context for the given username */
|
||||
+static int
|
||||
+sshd_selinux_getctxbyname(char *pwname,
|
||||
+ security_context_t *default_sc, security_context_t *user_sc)
|
||||
+{
|
||||
+ char *sename, *lvl;
|
||||
+ char *role;
|
||||
+ const char *reqlvl;
|
||||
+ int r = 0;
|
||||
+ context_t con = NULL;
|
||||
+
|
||||
+ ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
+
|
||||
+#ifdef HAVE_GETSEUSERBYNAME
|
||||
+ if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
|
||||
+ sename = NULL;
|
||||
+ lvl = NULL;
|
||||
+ }
|
||||
+#else
|
||||
+ sename = pwname;
|
||||
+ lvl = "";
|
||||
+#endif
|
||||
+
|
||||
+ if (r == 0) {
|
||||
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
|
||||
+ r = get_default_context_with_level(sename, lvl, NULL, default_sc);
|
||||
+#else
|
||||
+ r = get_default_context(sename, NULL, default_sc);
|
||||
+#endif
|
||||
+ }
|
||||
+
|
||||
+ if (r == 0) {
|
||||
+ /* If launched from xinetd, we must use current level */
|
||||
+ if (inetd_flag) {
|
||||
+ security_context_t sshdsc=NULL;
|
||||
+
|
||||
+ if (getcon_raw(&sshdsc) < 0)
|
||||
+ fatal("failed to allocate security context");
|
||||
+
|
||||
+ if ((con=context_new(sshdsc)) == NULL)
|
||||
+ fatal("failed to allocate selinux context");
|
||||
+ reqlvl = context_range_get(con);
|
||||
+ freecon(sshdsc);
|
||||
+ if (reqlvl !=NULL && lvl != NULL && strcmp(reqlvl, lvl) == 0)
|
||||
+ /* we actually don't change level */
|
||||
+ reqlvl = "";
|
||||
+
|
||||
+ debug_f("current connection level '%s'", reqlvl);
|
||||
+
|
||||
+ }
|
||||
+
|
||||
+ if ((reqlvl != NULL && reqlvl[0]) || (role != NULL && role[0])) {
|
||||
+ r = get_user_context(sename, role, reqlvl, user_sc);
|
||||
+
|
||||
+ if (r == 0 && reqlvl != NULL && reqlvl[0]) {
|
||||
+ security_context_t default_level_sc = *default_sc;
|
||||
+ if (role != NULL && role[0]) {
|
||||
+ if (get_user_context(sename, role, lvl, &default_level_sc) < 0)
|
||||
+ default_level_sc = *default_sc;
|
||||
+ }
|
||||
+ /* verify that the requested range is contained in the user range */
|
||||
+ if (mls_range_allowed(default_level_sc, *user_sc)) {
|
||||
+ logit("permit MLS level %s (user range %s)", reqlvl, lvl);
|
||||
+ } else {
|
||||
+ r = -1;
|
||||
+ error("deny MLS level %s (user range %s)", reqlvl, lvl);
|
||||
+ }
|
||||
+ if (default_level_sc != *default_sc)
|
||||
+ freecon(default_level_sc);
|
||||
+ }
|
||||
+ } else {
|
||||
+ *user_sc = *default_sc;
|
||||
+ }
|
||||
+ }
|
||||
+ if (r != 0) {
|
||||
+ error_f("Failed to get default SELinux security "
|
||||
+ "context for %s", pwname);
|
||||
+ }
|
||||
+
|
||||
+#ifdef HAVE_GETSEUSERBYNAME
|
||||
+ free(sename);
|
||||
+ free(lvl);
|
||||
+#endif
|
||||
+
|
||||
+ if (role != NULL)
|
||||
+ free(role);
|
||||
+ if (con)
|
||||
+ context_free(con);
|
||||
+
|
||||
+ return (r);
|
||||
+}
|
||||
+
|
||||
+/* Setup environment variables for pam_selinux */
|
||||
+static int
|
||||
+sshd_selinux_setup_pam_variables(void)
|
||||
+{
|
||||
+ const char *reqlvl;
|
||||
+ char *role;
|
||||
+ char *use_current;
|
||||
+ int rv;
|
||||
+
|
||||
+ debug3_f("setting execution context");
|
||||
+
|
||||
+ ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
+
|
||||
+ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||
+
|
||||
+ if (inetd_flag) {
|
||||
+ use_current = "1";
|
||||
+ } else {
|
||||
+ use_current = "";
|
||||
+ rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
|
||||
+ }
|
||||
+
|
||||
+ rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
|
||||
+
|
||||
+ if (role != NULL)
|
||||
+ free(role);
|
||||
+
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+/* Set the execution context to the default for the specified user */
|
||||
+void
|
||||
+sshd_selinux_setup_exec_context(char *pwname)
|
||||
+{
|
||||
+ security_context_t user_ctx = NULL;
|
||||
+ int r = 0;
|
||||
+ security_context_t default_ctx = NULL;
|
||||
+
|
||||
+ if (!ssh_selinux_enabled())
|
||||
+ return;
|
||||
+
|
||||
+ if (options.use_pam) {
|
||||
+ /* do not compute context, just setup environment for pam_selinux */
|
||||
+ if (sshd_selinux_setup_pam_variables()) {
|
||||
+ switch (security_getenforce()) {
|
||||
+ case -1:
|
||||
+ fatal_f("security_getenforce() failed");
|
||||
+ case 0:
|
||||
+ error_f("SELinux PAM variable setup failure. Continuing in permissive mode.");
|
||||
+ break;
|
||||
+ default:
|
||||
+ fatal_f("SELinux PAM variable setup failure. Aborting connection.");
|
||||
+ }
|
||||
+ }
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ debug3_f("setting execution context");
|
||||
+
|
||||
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
||||
+ if (r >= 0) {
|
||||
+ r = setexeccon(user_ctx);
|
||||
+ if (r < 0) {
|
||||
+ error_f("Failed to set SELinux execution context %s for %s",
|
||||
+ user_ctx, pwname);
|
||||
+ }
|
||||
+#ifdef HAVE_SETKEYCREATECON
|
||||
+ else if (setkeycreatecon(user_ctx) < 0) {
|
||||
+ error_f("Failed to set SELinux keyring creation context %s for %s",
|
||||
+ user_ctx, pwname);
|
||||
+ }
|
||||
+#endif
|
||||
+ }
|
||||
+ if (user_ctx == NULL) {
|
||||
+ user_ctx = default_ctx;
|
||||
+ }
|
||||
+ if (r < 0 || user_ctx != default_ctx) {
|
||||
+ /* audit just the case when user changed a role or there was
|
||||
+ a failure */
|
||||
+ sshd_selinux_send_audit_message(r >= 0, default_ctx, user_ctx);
|
||||
+ }
|
||||
+ if (r < 0) {
|
||||
+ switch (security_getenforce()) {
|
||||
+ case -1:
|
||||
+ fatal_f("security_getenforce() failed");
|
||||
+ case 0:
|
||||
+ error_f("ELinux failure. Continuing in permissive mode.");
|
||||
+ break;
|
||||
+ default:
|
||||
+ fatal_f("SELinux failure. Aborting connection.");
|
||||
+ }
|
||||
+ }
|
||||
+ if (user_ctx != NULL && user_ctx != default_ctx)
|
||||
+ freecon(user_ctx);
|
||||
+ if (default_ctx != NULL)
|
||||
+ freecon(default_ctx);
|
||||
+
|
||||
+ debug3_f("done");
|
||||
+}
|
||||
+
|
||||
+#endif
|
||||
+#endif
|
||||
+
|
||||
diff -up openssh/platform.c.role-mls openssh/platform.c
|
||||
--- openssh/platform.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/platform.c 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(stru
|
||||
}
|
||||
#endif /* HAVE_SETPCRED */
|
||||
#ifdef WITH_SELINUX
|
||||
- ssh_selinux_setup_exec_context(pw->pw_name);
|
||||
+ sshd_selinux_setup_exec_context(pw->pw_name);
|
||||
#endif
|
||||
}
|
||||
|
||||
diff -up openssh/sshd.c.role-mls openssh/sshd.c
|
||||
--- openssh/sshd-session.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/sshd-session.c 2018-08-22 11:14:56.820430957 +0200
|
||||
@@ -2186,6 +2186,9 @@ main(int ac, char **av)
|
||||
restore_uid();
|
||||
}
|
||||
#endif
|
||||
+#ifdef WITH_SELINUX
|
||||
+ sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
|
||||
+#endif
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam) {
|
||||
do_pam_setcred();
|
39
openssh-7.9p1-keygen-preserve-perms.patch
Normal file
39
openssh-7.9p1-keygen-preserve-perms.patch
Normal file
@ -0,0 +1,39 @@
|
||||
commit 07ffb49749c310b82e44278ae05e081d6f4a82bf
|
||||
Author: Hans Petter Jansson <hpj@cl.no>
|
||||
Date: Fri Sep 27 01:57:16 2019 +0200
|
||||
|
||||
ssh-keygen: Preserve known_hosts permissions on rewrite
|
||||
|
||||
Transfer the permissions of the old known_hosts file instead of
|
||||
just going with what mkstemp() gives us. This is useful in corner
|
||||
cases where known_hosts is shared between users.
|
||||
|
||||
Index: openssh-8.8p1/ssh-keygen.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/ssh-keygen.c
|
||||
+++ openssh-8.8p1/ssh-keygen.c
|
||||
@@ -1384,6 +1384,11 @@ do_known_hosts(struct passwd *pw, const
|
||||
if (inplace)
|
||||
unlink(tmp);
|
||||
} else if (inplace) {
|
||||
+ struct stat st;
|
||||
+
|
||||
+ /* Get metadata for existing file */
|
||||
+ r = stat(identity_file, &st);
|
||||
+
|
||||
/* Backup existing file */
|
||||
if (unlink(old) == -1 && errno != ENOENT)
|
||||
fatal("unlink %.100s: %s", old, strerror(errno));
|
||||
@@ -1398,6 +1403,12 @@ do_known_hosts(struct passwd *pw, const
|
||||
unlink(old);
|
||||
exit(1);
|
||||
}
|
||||
+ /* Preserve permissions; non-critical */
|
||||
+ if (r != -1)
|
||||
+ r = chown(identity_file, st.st_uid, st.st_gid);
|
||||
+ if (r != -1)
|
||||
+ chmod(identity_file,
|
||||
+ st.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO));
|
||||
|
||||
printf("%s updated.\n", identity_file);
|
||||
printf("Original contents retained as %s\n", old);
|
76
openssh-7.9p1-revert-new-qos-defaults.patch
Normal file
76
openssh-7.9p1-revert-new-qos-defaults.patch
Normal file
@ -0,0 +1,76 @@
|
||||
commit 101aa2f70c937abb428c9433c39ba0fd9a91fe6b
|
||||
Author: Hans Petter Jansson <hpj@cl.no>
|
||||
Date: Thu Jun 20 23:54:11 2019 +0200
|
||||
|
||||
Revert IPQoS DSCP AF21/CS1 from upstream due to bugs in other software
|
||||
|
||||
Reverts OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
|
||||
|
||||
Index: openssh-8.8p1/readconf.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/readconf.c
|
||||
+++ openssh-8.8p1/readconf.c
|
||||
@@ -2679,9 +2679,9 @@ fill_default_options(Options * options)
|
||||
if (options->visual_host_key == -1)
|
||||
options->visual_host_key = 0;
|
||||
if (options->ip_qos_interactive == -1)
|
||||
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
|
||||
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
|
||||
if (options->ip_qos_bulk == -1)
|
||||
- options->ip_qos_bulk = IPTOS_DSCP_CS1;
|
||||
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
|
||||
if (options->request_tty == -1)
|
||||
options->request_tty = REQUEST_TTY_AUTO;
|
||||
if (options->session_type == -1)
|
||||
Index: openssh-8.8p1/servconf.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/servconf.c
|
||||
+++ openssh-8.8p1/servconf.c
|
||||
@@ -459,9 +459,9 @@ fill_default_server_options(ServerOption
|
||||
if (options->permit_tun == -1)
|
||||
options->permit_tun = SSH_TUNMODE_NO;
|
||||
if (options->ip_qos_interactive == -1)
|
||||
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
|
||||
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
|
||||
if (options->ip_qos_bulk == -1)
|
||||
- options->ip_qos_bulk = IPTOS_DSCP_CS1;
|
||||
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
|
||||
if (options->version_addendum == NULL)
|
||||
options->version_addendum = xstrdup("");
|
||||
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
|
||||
Index: openssh-8.8p1/ssh_config.5
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/ssh_config.5
|
||||
+++ openssh-8.8p1/ssh_config.5
|
||||
@@ -1182,11 +1182,9 @@ If one argument is specified, it is used
|
||||
If two values are specified, the first is automatically selected for
|
||||
interactive sessions and the second for non-interactive sessions.
|
||||
The default is
|
||||
-.Cm af21
|
||||
-(Low-Latency Data)
|
||||
+.Cm lowdelay
|
||||
for interactive sessions and
|
||||
-.Cm cs1
|
||||
-(Lower Effort)
|
||||
+.Cm throughput
|
||||
for non-interactive sessions.
|
||||
.It Cm KbdInteractiveAuthentication
|
||||
Specifies whether to use keyboard-interactive authentication.
|
||||
Index: openssh-8.8p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd_config.5
|
||||
+++ openssh-8.8p1/sshd_config.5
|
||||
@@ -903,11 +903,9 @@ If one argument is specified, it is used
|
||||
If two values are specified, the first is automatically selected for
|
||||
interactive sessions and the second for non-interactive sessions.
|
||||
The default is
|
||||
-.Cm af21
|
||||
-(Low-Latency Data)
|
||||
+.Cm lowdelay
|
||||
for interactive sessions and
|
||||
-.Cm cs1
|
||||
-(Lower Effort)
|
||||
+.Cm throughput
|
||||
for non-interactive sessions.
|
||||
.It Cm KbdInteractiveAuthentication
|
||||
Specifies whether to allow keyboard-interactive authentication.
|
3976
openssh-8.0p1-gssapi-keyex.patch
Normal file
3976
openssh-8.0p1-gssapi-keyex.patch
Normal file
File diff suppressed because it is too large
Load Diff
2312
openssh-8.1p1-audit.patch
Normal file
2312
openssh-8.1p1-audit.patch
Normal file
File diff suppressed because it is too large
Load Diff
74
openssh-8.1p1-ed25519-use-openssl-rng.patch
Normal file
74
openssh-8.1p1-ed25519-use-openssl-rng.patch
Normal file
@ -0,0 +1,74 @@
|
||||
commit d281831d887044ede45d458c3dda74be9ae017e3
|
||||
Author: Hans Petter Jansson <hpj@hpjansson.org>
|
||||
Date: Fri Sep 25 23:26:58 2020 +0200
|
||||
|
||||
Use OpenSSL's FIPS approved RAND_bytes() to get randomness for Ed25519
|
||||
|
||||
diff --git a/ed25519.c b/ed25519.c
|
||||
index 767ec24..5d506a9 100644
|
||||
--- a/ed25519.c
|
||||
+++ b/ed25519.c
|
||||
@@ -9,6 +9,13 @@
|
||||
|
||||
#include "crypto_api.h"
|
||||
|
||||
+#ifdef WITH_OPENSSL
|
||||
+#include <openssl/rand.h>
|
||||
+#include <openssl/err.h>
|
||||
+#endif
|
||||
+
|
||||
+#include "log.h"
|
||||
+
|
||||
#define int8 crypto_int8
|
||||
#define uint8 crypto_uint8
|
||||
#define int16 crypto_int16
|
||||
@@ -33,7 +40,15 @@ int crypto_sign_ed25519_keypair(
|
||||
sc25519 scsk;
|
||||
ge25519 gepk;
|
||||
|
||||
+#ifdef WITH_OPENSSL
|
||||
+ /* Use FIPS approved RNG */
|
||||
+ if (RAND_bytes(sk, 32) <= 0)
|
||||
+ fatal("Couldn't obtain random bytes (error 0x%lx)",
|
||||
+ (unsigned long)ERR_get_error());
|
||||
+#else
|
||||
randombytes(sk,32);
|
||||
+#endif
|
||||
+
|
||||
crypto_hash_sha512(az,sk,32);
|
||||
az[0] &= 248;
|
||||
az[31] &= 127;
|
||||
diff --git a/kexc25519.c b/kexc25519.c
|
||||
index f13d766..2604eda 100644
|
||||
--- a/kexc25519.c
|
||||
+++ b/kexc25519.c
|
||||
@@ -33,6 +33,13 @@
|
||||
#include <string.h>
|
||||
#include <signal.h>
|
||||
|
||||
+#ifdef WITH_OPENSSL
|
||||
+#include <openssl/rand.h>
|
||||
+#include <openssl/err.h>
|
||||
+#endif
|
||||
+
|
||||
+#include "log.h"
|
||||
+
|
||||
#include "sshkey.h"
|
||||
#include "kex.h"
|
||||
#include "sshbuf.h"
|
||||
@@ -51,7 +58,15 @@ kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])
|
||||
{
|
||||
static const u_char basepoint[CURVE25519_SIZE] = {9};
|
||||
|
||||
+#ifdef WITH_OPENSSL
|
||||
+ /* Use FIPS approved RNG */
|
||||
+ if (RAND_bytes(key, CURVE25519_SIZE) <= 0)
|
||||
+ fatal("Couldn't obtain random bytes (error 0x%lx)",
|
||||
+ (unsigned long)ERR_get_error());
|
||||
+#else
|
||||
arc4random_buf(key, CURVE25519_SIZE);
|
||||
+#endif
|
||||
+
|
||||
crypto_scalarmult_curve25519(pub, key, basepoint);
|
||||
}
|
||||
|
25
openssh-8.1p1-seccomp-clock_gettime64.patch
Normal file
25
openssh-8.1p1-seccomp-clock_gettime64.patch
Normal file
@ -0,0 +1,25 @@
|
||||
From b110cefdfbf5a20f49b774a55062d6ded2fb6e22 Mon Sep 17 00:00:00 2001
|
||||
From: Khem Raj <raj.khem@gmail.com>
|
||||
Date: Tue, 7 Jan 2020 16:26:45 -0800
|
||||
Subject: [PATCH] seccomp: Allow clock_gettime64() in sandbox.
|
||||
|
||||
This helps sshd accept connections on mips platforms with
|
||||
upcoming glibc ( 2.31 )
|
||||
---
|
||||
sandbox-seccomp-filter.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
Index: openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sandbox-seccomp-filter.c
|
||||
+++ openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
@@ -279,6 +279,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_clock_nanosleep_time64
|
||||
SC_ALLOW(__NR_clock_nanosleep_time64),
|
||||
#endif
|
||||
+#ifdef __NR_clock_gettime64
|
||||
+ SC_ALLOW(__NR_clock_gettime64),
|
||||
+#endif
|
||||
#ifdef __NR__newselect
|
||||
SC_ALLOW(__NR__newselect),
|
||||
#endif
|
14
openssh-8.1p1-seccomp-clock_nanosleep.patch
Normal file
14
openssh-8.1p1-seccomp-clock_nanosleep.patch
Normal file
@ -0,0 +1,14 @@
|
||||
Index: openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sandbox-seccomp-filter.c
|
||||
+++ openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
@@ -273,6 +273,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_clock_gettime64
|
||||
SC_ALLOW(__NR_clock_gettime64),
|
||||
#endif
|
||||
+#ifdef __NR_clock_nanosleep
|
||||
+ SC_ALLOW(__NR_clock_nanosleep),
|
||||
+#endif
|
||||
#ifdef __NR__newselect
|
||||
SC_ALLOW(__NR__newselect),
|
||||
#endif
|
24
openssh-8.1p1-seccomp-clock_nanosleep_time64.patch
Normal file
24
openssh-8.1p1-seccomp-clock_nanosleep_time64.patch
Normal file
@ -0,0 +1,24 @@
|
||||
From 5af6fd5461bb709304e6979c8b7856c7af921c9e Mon Sep 17 00:00:00 2001
|
||||
From: Darren Tucker <dtucker@dtucker.net>
|
||||
Date: Mon, 16 Dec 2019 13:55:56 +1100
|
||||
Subject: [PATCH] Allow clock_nanosleep_time64 in seccomp sandbox.
|
||||
|
||||
Needed on Linux ARM. bz#3100, patch from jjelen@redhat.com.
|
||||
---
|
||||
sandbox-seccomp-filter.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
Index: openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sandbox-seccomp-filter.c
|
||||
+++ openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
@@ -276,6 +276,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_clock_nanosleep
|
||||
SC_ALLOW(__NR_clock_nanosleep),
|
||||
#endif
|
||||
+#ifdef __NR_clock_nanosleep_time64
|
||||
+ SC_ALLOW(__NR_clock_nanosleep_time64),
|
||||
+#endif
|
||||
#ifdef __NR__newselect
|
||||
SC_ALLOW(__NR__newselect),
|
||||
#endif
|
158
openssh-8.1p1-use-openssl-kdf.patch
Normal file
158
openssh-8.1p1-use-openssl-kdf.patch
Normal file
@ -0,0 +1,158 @@
|
||||
Index: openssh-8.8p1/kex.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/kex.c
|
||||
+++ openssh-8.8p1/kex.c
|
||||
@@ -40,6 +40,7 @@
|
||||
#ifdef WITH_OPENSSL
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/dh.h>
|
||||
+#include <openssl/kdf.h>
|
||||
#endif
|
||||
|
||||
#include "ssh.h"
|
||||
@@ -1115,8 +1116,93 @@ kex_choose_conf(struct ssh *ssh)
|
||||
return r;
|
||||
}
|
||||
|
||||
+#ifdef WITH_OPENSSL
|
||||
+
|
||||
+static const EVP_MD *
|
||||
+get_openssl_md_for_hash_alg (int hash_alg)
|
||||
+{
|
||||
+ if (hash_alg < 0 || hash_alg >= SSH_DIGEST_MAX)
|
||||
+ return NULL;
|
||||
+
|
||||
+ switch (hash_alg)
|
||||
+ {
|
||||
+ case SSH_DIGEST_MD5:
|
||||
+ return EVP_md5();
|
||||
+ case SSH_DIGEST_SHA1:
|
||||
+ return EVP_sha1();
|
||||
+ case SSH_DIGEST_SHA256:
|
||||
+ return EVP_sha256();
|
||||
+ case SSH_DIGEST_SHA384:
|
||||
+ return EVP_sha384();
|
||||
+ case SSH_DIGEST_SHA512:
|
||||
+ return EVP_sha512();
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
static int
|
||||
-derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
|
||||
+derive_key_via_openssl(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
|
||||
+ const struct sshbuf *shared_secret, u_char **keyp)
|
||||
+{
|
||||
+ struct kex *kex = ssh->kex;
|
||||
+ EVP_KDF_CTX *hashctx = NULL;
|
||||
+ const EVP_MD *md = NULL;
|
||||
+ u_char *digest = NULL;
|
||||
+ int r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+
|
||||
+ hashctx = EVP_KDF_CTX_new_id (EVP_KDF_SSHKDF);
|
||||
+ if (!hashctx)
|
||||
+ goto out;
|
||||
+
|
||||
+ md = get_openssl_md_for_hash_alg (kex->hash_alg);
|
||||
+ if (!md)
|
||||
+ goto out;
|
||||
+
|
||||
+ if (EVP_KDF_ctrl (hashctx, EVP_KDF_CTRL_SET_MD,
|
||||
+ md) != 1
|
||||
+ || EVP_KDF_ctrl (hashctx, EVP_KDF_CTRL_SET_KEY,
|
||||
+ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret)) != 1
|
||||
+ || EVP_KDF_ctrl (hashctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE,
|
||||
+ (int) id) != 1
|
||||
+ || EVP_KDF_ctrl (hashctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
|
||||
+ hash, (size_t) hashlen) != 1
|
||||
+ || EVP_KDF_ctrl (hashctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
|
||||
+ sshbuf_ptr(kex->session_id),
|
||||
+ (size_t) sshbuf_len(kex->session_id)) != 1)
|
||||
+ goto out;
|
||||
+
|
||||
+ digest = calloc (1, need);
|
||||
+ if (!digest) {
|
||||
+ r = SSH_ERR_ALLOC_FAIL;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ if (EVP_KDF_derive (hashctx, digest, need) != 1)
|
||||
+ goto out;
|
||||
+
|
||||
+ *keyp = digest;
|
||||
+ digest = NULL;
|
||||
+ r = 0;
|
||||
+
|
||||
+ out:
|
||||
+ if (hashctx)
|
||||
+ EVP_KDF_CTX_free(hashctx);
|
||||
+
|
||||
+ if (digest)
|
||||
+ free(digest);
|
||||
+
|
||||
+ return r;
|
||||
+}
|
||||
+
|
||||
+#else
|
||||
+# error This version of openssh must be built with openssl to benefit from FIPS certification.
|
||||
+#endif
|
||||
+
|
||||
+static int
|
||||
+derive_key_via_internal(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
|
||||
const struct sshbuf *shared_secret, u_char **keyp)
|
||||
{
|
||||
struct kex *kex = ssh->kex;
|
||||
@@ -1179,6 +1265,50 @@ derive_key(struct ssh *ssh, int id, u_in
|
||||
return r;
|
||||
}
|
||||
|
||||
+/* Belt and suspenders; we want the output from openssl because it's FIPS certified. However,
|
||||
+ * if there's a bug in the implementation, we should not proceed. Minimize risk by requiring
|
||||
+ * the implementations agree. */
|
||||
+static int
|
||||
+derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
|
||||
+ const struct sshbuf *shared_secret, u_char **keyp)
|
||||
+{
|
||||
+#ifdef WITH_OPENSSL
|
||||
+
|
||||
+ u_char *buf_openssl = NULL, *buf_internal = NULL;
|
||||
+ int r;
|
||||
+
|
||||
+ r = derive_key_via_openssl (ssh, id, need, hash, hashlen, shared_secret, &buf_openssl);
|
||||
+ if (r != 0)
|
||||
+ goto out;
|
||||
+
|
||||
+ r = derive_key_via_internal (ssh, id, need, hash, hashlen, shared_secret, &buf_internal);
|
||||
+ if (r != 0)
|
||||
+ goto out;
|
||||
+
|
||||
+ if (memcmp (buf_openssl, buf_internal, need))
|
||||
+ {
|
||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ *keyp = buf_openssl;
|
||||
+ buf_openssl = NULL;
|
||||
+
|
||||
+ out:
|
||||
+ if (buf_openssl)
|
||||
+ free (buf_openssl);
|
||||
+ if (buf_internal)
|
||||
+ free (buf_internal);
|
||||
+
|
||||
+ return r;
|
||||
+
|
||||
+#else
|
||||
+
|
||||
+ return derive_key_via_internal (ssh, id, need, hash, hashlen, shared_secret, keyp);
|
||||
+
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
#define NKEYS 6
|
||||
int
|
||||
kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
|
13
openssh-8.4p1-pam_motd.patch
Normal file
13
openssh-8.4p1-pam_motd.patch
Normal file
@ -0,0 +1,13 @@
|
||||
diff -u openssh-8.4p1.orig/sshd_config openssh-8.4p1/sshd_config
|
||||
--- openssh-8.4p1.orig/sshd_config 2020-09-27 09:25:01.000000000 +0200
|
||||
+++ openssh-8.4p1/sshd_config 2021-05-18 19:15:39.190701511 +0200
|
||||
@@ -88,8 +88,7 @@
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PermitTTY yes
|
||||
-#PrintMotd yes
|
||||
-#PrintLastLog yes
|
||||
+PrintMotd no
|
||||
#TCPKeepAlive yes
|
||||
#PermitUserEnvironment no
|
||||
#Compression delayed
|
40
openssh-8.4p1-ssh_config_d.patch
Normal file
40
openssh-8.4p1-ssh_config_d.patch
Normal file
@ -0,0 +1,40 @@
|
||||
Index: openssh-8.9p1/ssh_config
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/ssh_config
|
||||
+++ openssh-8.9p1/ssh_config
|
||||
@@ -17,6 +17,13 @@
|
||||
# list of available options, their meanings and defaults, please see the
|
||||
# ssh_config(5) man page.
|
||||
|
||||
+# To modify the system-wide ssh configuration, create a "*.conf" file under
|
||||
+# "/etc/ssh/ssh_config.d/" which will be automatically included below.
|
||||
+# Don't edit this configuration file itself if possible to avoid update
|
||||
+# problems.
|
||||
+Include /etc/ssh/ssh_config.d/*.conf
|
||||
+Include /usr/etc/ssh/ssh_config.d/*.conf
|
||||
+
|
||||
Host *
|
||||
# ForwardAgent no
|
||||
# ForwardX11 no
|
||||
Index: openssh-8.9p1/sshd_config
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/sshd_config
|
||||
+++ openssh-8.9p1/sshd_config
|
||||
@@ -5,10 +5,17 @@
|
||||
|
||||
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
|
||||
|
||||
+# To modify the system-wide sshd configuration, create a "*.conf" file under
|
||||
+# "/etc/ssh/sshd_config.d/" which will be automatically included below.
|
||||
+# Don't edit this configuration file itself if possible to avoid update
|
||||
+# problems.
|
||||
+Include /etc/ssh/sshd_config.d/*.conf
|
||||
+
|
||||
# The strategy used for options in the default sshd_config shipped with
|
||||
# OpenSSH is to specify options with their default value where
|
||||
# possible, but leave them commented. Uncommented options override the
|
||||
# default value.
|
||||
+Include /usr/etc/ssh/sshd_config.d/*.conf
|
||||
|
||||
#Port 22
|
||||
#AddressFamily any
|
202
openssh-8.4p1-vendordir.patch
Normal file
202
openssh-8.4p1-vendordir.patch
Normal file
@ -0,0 +1,202 @@
|
||||
Gemeinsame Unterverzeichnisse: openssh-8.4p1/contrib und openssh-8.4p1-vendor/contrib.
|
||||
Index: openssh-8.9p1/dh.c
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/dh.c
|
||||
+++ openssh-8.9p1/dh.c
|
||||
@@ -54,7 +54,17 @@ void dh_set_moduli_file(const char *file
|
||||
|
||||
static const char * get_moduli_filename(void)
|
||||
{
|
||||
- return moduli_filename ? moduli_filename : _PATH_DH_MODULI;
|
||||
+ struct stat st;
|
||||
+
|
||||
+ if (moduli_filename)
|
||||
+ return moduli_filename;
|
||||
+
|
||||
+ if (stat(_PATH_VENDOR_DH_MODULI, &st) == 0 &&
|
||||
+ stat(_PATH_DH_MODULI, &st) == -1) {
|
||||
+ return _PATH_VENDOR_DH_MODULI;
|
||||
+ }
|
||||
+
|
||||
+ return _PATH_DH_MODULI;
|
||||
}
|
||||
|
||||
static int
|
||||
Index: openssh-8.9p1/pathnames.h
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/pathnames.h
|
||||
+++ openssh-8.9p1/pathnames.h
|
||||
@@ -18,6 +18,8 @@
|
||||
#define SSHDIR ETCDIR "/ssh"
|
||||
#endif
|
||||
|
||||
+#define VENDORDIR "/usr/etc/ssh"
|
||||
+
|
||||
#ifndef _PATH_SSH_PIDDIR
|
||||
#define _PATH_SSH_PIDDIR "/var/run"
|
||||
#endif
|
||||
@@ -35,13 +37,17 @@
|
||||
* should be world-readable.
|
||||
*/
|
||||
#define _PATH_SERVER_CONFIG_FILE SSHDIR "/sshd_config"
|
||||
+#define _PATH_SERVER_VENDOR_CONFIG_FILE VENDORDIR "/sshd_config"
|
||||
#define _PATH_HOST_CONFIG_FILE SSHDIR "/ssh_config"
|
||||
+#define _PATH_HOST_VENDOR_CONFIG_FILE VENDORDIR "/ssh_config"
|
||||
#define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key"
|
||||
#define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key"
|
||||
#define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key"
|
||||
#define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key"
|
||||
#define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
|
||||
#define _PATH_DH_MODULI SSHDIR "/moduli"
|
||||
+#define _PATH_VENDOR_DH_MODULI VENDORDIR "/moduli"
|
||||
+
|
||||
|
||||
#ifndef _PATH_SSH_PROGRAM
|
||||
#define _PATH_SSH_PROGRAM "/usr/bin/ssh"
|
||||
Index: openssh-8.9p1/ssh.c
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/ssh.c
|
||||
+++ openssh-8.9p1/ssh.c
|
||||
@@ -549,6 +549,7 @@ static void
|
||||
process_config_files(const char *host_name, struct passwd *pw, int final_pass,
|
||||
int *want_final_pass)
|
||||
{
|
||||
+ struct stat st;
|
||||
char buf[PATH_MAX];
|
||||
int r;
|
||||
|
||||
@@ -567,10 +568,23 @@ process_config_files(const char *host_na
|
||||
&options, SSHCONF_CHECKPERM | SSHCONF_USERCONF |
|
||||
(final_pass ? SSHCONF_FINAL : 0), want_final_pass);
|
||||
|
||||
- /* Read systemwide configuration file after user config. */
|
||||
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
|
||||
- host, host_name, &options,
|
||||
- final_pass ? SSHCONF_FINAL : 0, want_final_pass);
|
||||
+ /* If only the vendor configuration file exists, use that.
|
||||
+ * Else use the standard configuration file.
|
||||
+ */
|
||||
+ if (stat(_PATH_HOST_VENDOR_CONFIG_FILE, &st) == 0 &&
|
||||
+ stat(_PATH_HOST_CONFIG_FILE, &st) == -1) {
|
||||
+ /* Read vendor distributed configuration file. */
|
||||
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE,
|
||||
+ pw, host, host_name, &options,
|
||||
+ final_pass ? SSHCONF_FINAL : 0,
|
||||
+ want_final_pass);
|
||||
+ } else {
|
||||
+ /* Read systemwide configuration file after user config. */
|
||||
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
|
||||
+ host, host_name, &options,
|
||||
+ final_pass ? SSHCONF_FINAL : 0,
|
||||
+ want_final_pass);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
Index: openssh-8.9p1/ssh_config.5
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/ssh_config.5
|
||||
+++ openssh-8.9p1/ssh_config.5
|
||||
@@ -54,6 +54,9 @@ user's configuration file
|
||||
.It
|
||||
system-wide configuration file
|
||||
.Pq Pa /etc/ssh/ssh_config
|
||||
+.It
|
||||
+vendor configuration file
|
||||
+.Pq Pa /usr/etc/ssh/ssh_config
|
||||
.El
|
||||
.Pp
|
||||
Unless noted otherwise, for each parameter, the first obtained value
|
||||
@@ -2220,6 +2223,11 @@ This file provides defaults for those
|
||||
values that are not specified in the user's configuration file, and
|
||||
for those users who do not have a configuration file.
|
||||
This file must be world-readable.
|
||||
+.It Pa /usr/etc/ssh/ssh_config
|
||||
+Vendor specific configuraiton file.
|
||||
+This file provides the vendor defaults and is used as fallback if the
|
||||
+.Ic /etc/ssh/ssh_config
|
||||
+configuration file does not exist.
|
||||
.El
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1
|
||||
Index: openssh-8.9p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/sshd.c
|
||||
+++ openssh-8.9p1/sshd.c
|
||||
@@ -1201,7 +1201,8 @@ prepare_proctitle(int ac, char **av)
|
||||
extern char *optarg;
|
||||
extern int optind;
|
||||
int log_stderr = 0, inetd_flag = 0, test_flag = 0, no_daemon_flag = 0;
|
||||
- char *config_file_name = _PATH_SERVER_CONFIG_FILE;
|
||||
+ char *config_file_name = NULL;
|
||||
+ struct stat st;
|
||||
int r, opt, do_dump_cfg = 0, keytype, already_daemon, have_agent = 0;
|
||||
int sock_in = -1, sock_out = -1, newsock = -1, rexec_argc = 0;
|
||||
int devnull, config_s[2] = { -1 , -1 }, have_connection_info = 0;
|
||||
@@ -1806,7 +1807,21 @@ main(int ac, char **av)
|
||||
/* Fetch our configuration */
|
||||
if ((cfg = sshbuf_new()) == NULL)
|
||||
fatal("sshbuf_new config failed");
|
||||
+ if (config_file_name == NULL) {
|
||||
+ /* If only the vendor configuration file exists, use that.
|
||||
+ * Else use the standard configuration file.
|
||||
+ */
|
||||
+ if (stat(_PATH_SERVER_VENDOR_CONFIG_FILE, &st) == 0 &&
|
||||
+ stat(_PATH_SERVER_CONFIG_FILE, &st) == -1) {
|
||||
+ /* fill with global distributor settings */
|
||||
+ config_file_name = _PATH_SERVER_VENDOR_CONFIG_FILE;
|
||||
+ } else {
|
||||
+ /* load global admin settings */
|
||||
+ config_file_name = _PATH_SERVER_CONFIG_FILE;
|
||||
+ }
|
||||
+ load_server_config(config_file_name, cfg);
|
||||
- if (strcasecmp(config_file_name, "none") != 0)
|
||||
+ } else if (strcasecmp(config_file_name, "none") != 0)
|
||||
+ /* load config specified on commandline */
|
||||
load_server_config(config_file_name, cfg);
|
||||
|
||||
parse_server_config(&options, config_file_name, cfg,
|
||||
Index: openssh-8.9p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/sshd_config.5
|
||||
+++ openssh-8.9p1/sshd_config.5
|
||||
@@ -44,7 +44,9 @@
|
||||
.Xr sshd 8
|
||||
reads configuration data from
|
||||
.Pa /etc/ssh/sshd_config
|
||||
-(or the file specified with
|
||||
+(
|
||||
+.Pa /usr/etc/ssh/sshd_config
|
||||
+if the file does not exist or the file specified with
|
||||
.Fl f
|
||||
on the command line).
|
||||
The file contains keyword-argument pairs, one per line.
|
||||
Index: openssh-8.9p1/ssh-keysign.c
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/ssh-keysign.c
|
||||
+++ openssh-8.9p1/ssh-keysign.c
|
||||
@@ -186,6 +186,7 @@ main(int argc, char **argv)
|
||||
u_char *signature, *data, rver;
|
||||
char *host, *fp, *pkalg;
|
||||
size_t slen, dlen;
|
||||
+ struct stat st;
|
||||
|
||||
if (pledge("stdio rpath getpw dns id", NULL) != 0)
|
||||
fatal("%s: pledge: %s", __progname, strerror(errno));
|
||||
@@ -219,8 +220,14 @@ main(int argc, char **argv)
|
||||
|
||||
/* verify that ssh-keysign is enabled by the admin */
|
||||
initialize_options(&options);
|
||||
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
|
||||
- &options, 0, NULL);
|
||||
+
|
||||
+ if (stat(_PATH_HOST_CONFIG_FILE, &st) == 0)
|
||||
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
|
||||
+ &options, 0, NULL);
|
||||
+ else
|
||||
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE, pw, "", "",
|
||||
+ &options, 0, NULL);
|
||||
+
|
||||
(void)fill_default_options(&options);
|
||||
if (options.enable_ssh_keysign != 1)
|
||||
fatal("ssh-keysign not enabled in %s",
|
659
openssh-9.6p1-crypto-policies-man.patch
Normal file
659
openssh-9.6p1-crypto-policies-man.patch
Normal file
@ -0,0 +1,659 @@
|
||||
Index: openssh-9.6p1/ssh_config.5
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/ssh_config.5
|
||||
+++ openssh-9.6p1/ssh_config.5
|
||||
@@ -403,17 +403,14 @@ A single argument of
|
||||
causes no CNAMEs to be considered for canonicalization.
|
||||
This is the default behaviour.
|
||||
.It Cm CASignatureAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+Information about defaults, how to modify the defaults and how to customize
|
||||
+existing policies with sub-policies are present in manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies which algorithms are allowed for signing of certificates
|
||||
by certificate authorities (CAs).
|
||||
-The default is:
|
||||
-.Bd -literal -offset indent
|
||||
-ssh-ed25519,ecdsa-sha2-nistp256,
|
||||
-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-sk-ssh-ed25519@openssh.com,
|
||||
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||
-rsa-sha2-512,rsa-sha2-256
|
||||
-.Ed
|
||||
-.Pp
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
character, then the specified algorithms will be appended to the default set
|
||||
@@ -542,20 +539,26 @@ If the option is set to
|
||||
(the default),
|
||||
the check will not be executed.
|
||||
.It Cm Ciphers
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+Information about defaults, how to modify the defaults and how to customize
|
||||
+existing policies with sub-policies are present in manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the ciphers allowed and their order of preference.
|
||||
Multiple ciphers must be comma-separated.
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified ciphers will be appended to the default set
|
||||
-instead of replacing them.
|
||||
+character, then the specified ciphers will be appended to the built-in
|
||||
+openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified ciphers (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified ciphers will be placed at the head of the
|
||||
-default set.
|
||||
+built-in openssh default set.
|
||||
.Pp
|
||||
The supported ciphers are:
|
||||
.Bd -literal -offset indent
|
||||
@@ -571,13 +574,6 @@ aes256-gcm@openssh.com
|
||||
chacha20-poly1305@openssh.com
|
||||
.Ed
|
||||
.Pp
|
||||
-The default is:
|
||||
-.Bd -literal -offset indent
|
||||
-chacha20-poly1305@openssh.com,
|
||||
-aes128-ctr,aes192-ctr,aes256-ctr,
|
||||
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
||||
-.Ed
|
||||
-.Pp
|
||||
The list of available ciphers may also be obtained using
|
||||
.Qq ssh -Q cipher .
|
||||
.It Cm ClearAllForwardings
|
||||
@@ -979,6 +975,12 @@ command line will be passed untouched to
|
||||
The default is
|
||||
.Dq no .
|
||||
.It Cm GSSAPIKexAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+Information about defaults, how to modify the defaults and how to customize
|
||||
+existing policies with sub-policies are present in manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
The list of key exchange algorithms that are offered for GSSAPI
|
||||
key exchange. Possible values are
|
||||
.Bd -literal -offset 3n
|
||||
@@ -991,10 +993,8 @@ gss-nistp256-sha256-,
|
||||
gss-curve25519-sha256-
|
||||
.Ed
|
||||
.Pp
|
||||
-The default is
|
||||
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||
This option only applies to connections using GSSAPI.
|
||||
+.Pp
|
||||
.It Cm HashKnownHosts
|
||||
Indicates that
|
||||
.Xr ssh 1
|
||||
@@ -1012,36 +1013,26 @@ will not be converted automatically,
|
||||
but may be manually hashed using
|
||||
.Xr ssh-keygen 1 .
|
||||
.It Cm HostbasedAcceptedAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+Information about defaults, how to modify the defaults and how to customize
|
||||
+existing policies with sub-policies are present in manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the signature algorithms that will be used for hostbased
|
||||
authentication as a comma-separated list of patterns.
|
||||
Alternately if the specified list begins with a
|
||||
.Sq +
|
||||
character, then the specified signature algorithms will be appended
|
||||
-to the default set instead of replacing them.
|
||||
+to the built-in openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified signature algorithms (including wildcards)
|
||||
-will be removed from the default set instead of replacing them.
|
||||
+will be removed from the built-in openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified signature algorithms will be placed
|
||||
-at the head of the default set.
|
||||
-The default for this option is:
|
||||
-.Bd -literal -offset 3n
|
||||
-ssh-ed25519-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
-rsa-sha2-512-cert-v01@openssh.com,
|
||||
-rsa-sha2-256-cert-v01@openssh.com,
|
||||
-ssh-ed25519,
|
||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-sk-ssh-ed25519@openssh.com,
|
||||
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||
-rsa-sha2-512,rsa-sha2-256
|
||||
-.Ed
|
||||
+at the head of the built-in openssh default set.
|
||||
.Pp
|
||||
The
|
||||
.Fl Q
|
||||
@@ -1094,6 +1085,17 @@ to prefer their algorithms.
|
||||
.Pp
|
||||
The list of available signature algorithms may also be obtained using
|
||||
.Qq ssh -Q HostKeyAlgorithms .
|
||||
+.Pp
|
||||
+The proposed
|
||||
+.Cm HostKeyAlgorithms
|
||||
+during KEX are limited to the set of algorithms that is defined in
|
||||
+.Cm PubkeyAcceptedAlgorithms
|
||||
+and therefore they are indirectly affected by system-wide
|
||||
+.Xr crypto_policies 7 .
|
||||
+.Xr crypto_policies 7 can not handle the list of host key algorithms directly
|
||||
+as doing so would break the order given by the
|
||||
+.Pa known_hosts
|
||||
+file.
|
||||
.It Cm HostKeyAlias
|
||||
Specifies an alias that should be used instead of the
|
||||
real host name when looking up or saving the host key
|
||||
@@ -1311,36 +1313,30 @@ it may be zero or more of:
|
||||
and
|
||||
.Cm pam .
|
||||
.It Cm KexAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+Information about defaults, how to modify the defaults and how to customize
|
||||
+existing policies with sub-policies are present in manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the permitted KEX (Key Exchange) algorithms that will be used and
|
||||
their preference order.
|
||||
The selected algorithm will the the first algorithm in this list that
|
||||
the server also supports.
|
||||
Multiple algorithms must be comma-separated.
|
||||
.Pp
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified algorithms will be appended to the default set
|
||||
-instead of replacing them.
|
||||
+character, then the specified methods will be appended to the built-in
|
||||
+openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified algorithms (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified algorithms will be placed at the head of the
|
||||
-default set.
|
||||
-.Pp
|
||||
-The default is:
|
||||
-.Bd -literal -offset indent
|
||||
-sntrup761x25519-sha512@openssh.com,
|
||||
-curve25519-sha256,curve25519-sha256@libssh.org,
|
||||
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
-diffie-hellman-group-exchange-sha256,
|
||||
-diffie-hellman-group16-sha512,
|
||||
-diffie-hellman-group18-sha512,
|
||||
-diffie-hellman-group14-sha256,
|
||||
-diffie-hellman-group14-sha1
|
||||
-.Ed
|
||||
+built-in openssh default set.
|
||||
.Pp
|
||||
The list of supported key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q kex .
|
||||
@@ -1445,37 +1442,34 @@ function, and all code in the
|
||||
file.
|
||||
This option is intended for debugging and no overrides are enabled by default.
|
||||
.It Cm MACs
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+Information about defaults, how to modify the defaults and how to customize
|
||||
+existing policies with sub-policies are present in manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the MAC (message authentication code) algorithms
|
||||
in order of preference.
|
||||
The MAC algorithm is used for data integrity protection.
|
||||
Multiple algorithms must be comma-separated.
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified algorithms will be appended to the default set
|
||||
-instead of replacing them.
|
||||
+character, then the specified algorithms will be appended to the built-in
|
||||
+openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified algorithms (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified algorithms will be placed at the head of the
|
||||
-default set.
|
||||
+built-in openssh default set.
|
||||
.Pp
|
||||
The algorithms that contain
|
||||
.Qq -etm
|
||||
calculate the MAC after encryption (encrypt-then-mac).
|
||||
These are considered safer and their use recommended.
|
||||
.Pp
|
||||
-The default is:
|
||||
-.Bd -literal -offset indent
|
||||
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
|
||||
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
|
||||
-hmac-sha1-etm@openssh.com,
|
||||
-umac-64@openssh.com,umac-128@openssh.com,
|
||||
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
||||
-.Ed
|
||||
-.Pp
|
||||
The list of available MAC algorithms may also be obtained using
|
||||
.Qq ssh -Q mac .
|
||||
.It Cm NoHostAuthenticationForLocalhost
|
||||
@@ -1666,39 +1660,32 @@ instead of continuing to execute and pas
|
||||
The default is
|
||||
.Cm no .
|
||||
.It Cm PubkeyAcceptedAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+Information about defaults, how to modify the defaults and how to customize
|
||||
+existing policies with sub-policies are present in manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the signature algorithms that will be used for public key
|
||||
authentication as a comma-separated list of patterns.
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the algorithms after it will be appended to the default
|
||||
-instead of replacing it.
|
||||
+character, then the algorithms after it will be appended to the built-in
|
||||
+openssh default instead of replacing it.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified algorithms (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified algorithms will be placed at the head of the
|
||||
-default set.
|
||||
-The default for this option is:
|
||||
-.Bd -literal -offset 3n
|
||||
-ssh-ed25519-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
-rsa-sha2-512-cert-v01@openssh.com,
|
||||
-rsa-sha2-256-cert-v01@openssh.com,
|
||||
-ssh-ed25519,
|
||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-sk-ssh-ed25519@openssh.com,
|
||||
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||
-rsa-sha2-512,rsa-sha2-256
|
||||
-.Ed
|
||||
+built-in openssh default set.
|
||||
.Pp
|
||||
The list of available signature algorithms may also be obtained using
|
||||
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|
||||
+.Pp
|
||||
+This option affects also
|
||||
+.Cm HostKeyAlgorithms
|
||||
.It Cm PubkeyAuthentication
|
||||
Specifies whether to try public key authentication.
|
||||
The argument to this keyword must be
|
||||
@@ -2395,7 +2382,9 @@ This file provides the vendor defaults a
|
||||
configuration file does not exist.
|
||||
.El
|
||||
.Sh SEE ALSO
|
||||
-.Xr ssh 1
|
||||
+.Xr ssh 1 ,
|
||||
+.Xr crypto-policies 7 ,
|
||||
+.Xr update-crypto-policies 8
|
||||
.Sh AUTHORS
|
||||
.An -nosplit
|
||||
OpenSSH is a derivative of the original and free
|
||||
Index: openssh-9.6p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/sshd_config.5
|
||||
+++ openssh-9.6p1/sshd_config.5
|
||||
@@ -381,17 +381,14 @@ If the argument is
|
||||
then no banner is displayed.
|
||||
By default, no banner is displayed.
|
||||
.It Cm CASignatureAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+Information about defaults, how to modify the defaults and how to customize
|
||||
+existing policies with sub-policies are present in manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies which algorithms are allowed for signing of certificates
|
||||
by certificate authorities (CAs).
|
||||
-The default is:
|
||||
-.Bd -literal -offset indent
|
||||
-ssh-ed25519,ecdsa-sha2-nistp256,
|
||||
-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-sk-ssh-ed25519@openssh.com,
|
||||
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||
-rsa-sha2-512,rsa-sha2-256
|
||||
-.Ed
|
||||
-.Pp
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
character, then the specified algorithms will be appended to the default set
|
||||
@@ -527,20 +524,26 @@ The default is
|
||||
indicating not to
|
||||
.Xr chroot 2 .
|
||||
.It Cm Ciphers
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+Information about defaults, how to modify the defaults and how to customize
|
||||
+existing policies with sub-policies are present in manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the ciphers allowed.
|
||||
Multiple ciphers must be comma-separated.
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified ciphers will be appended to the default set
|
||||
-instead of replacing them.
|
||||
+character, then the specified ciphers will be appended to the built-in
|
||||
+openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified ciphers (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified ciphers will be placed at the head of the
|
||||
-default set.
|
||||
+built-in openssh default set.
|
||||
.Pp
|
||||
The supported ciphers are:
|
||||
.Pp
|
||||
@@ -567,13 +570,6 @@ aes256-gcm@openssh.com
|
||||
chacha20-poly1305@openssh.com
|
||||
.El
|
||||
.Pp
|
||||
-The default is:
|
||||
-.Bd -literal -offset indent
|
||||
-chacha20-poly1305@openssh.com,
|
||||
-aes128-ctr,aes192-ctr,aes256-ctr,
|
||||
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
||||
-.Ed
|
||||
-.Pp
|
||||
The list of available ciphers may also be obtained using
|
||||
.Qq ssh -Q cipher .
|
||||
.It Cm ClientAliveCountMax
|
||||
@@ -764,53 +760,45 @@ For this to work
|
||||
.Cm GSSAPIKeyExchange
|
||||
needs to be enabled in the server and also used by the client.
|
||||
.It Cm GSSAPIKexAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+Information about defaults, how to modify the defaults and how to customize
|
||||
+existing policies with sub-policies are present in manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
The list of key exchange algorithms that are accepted by GSSAPI
|
||||
key exchange. Possible values are
|
||||
.Bd -literal -offset 3n
|
||||
-gss-gex-sha1-,
|
||||
-gss-group1-sha1-,
|
||||
-gss-group14-sha1-,
|
||||
-gss-group14-sha256-,
|
||||
-gss-group16-sha512-,
|
||||
-gss-nistp256-sha256-,
|
||||
+gss-gex-sha1-
|
||||
+gss-group1-sha1-
|
||||
+gss-group14-sha1-
|
||||
+gss-group14-sha256-
|
||||
+gss-group16-sha512-
|
||||
+gss-nistp256-sha256-
|
||||
gss-curve25519-sha256-
|
||||
.Ed
|
||||
-.Pp
|
||||
-The default is
|
||||
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||
This option only applies to connections using GSSAPI.
|
||||
.It Cm HostbasedAcceptedAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+Information about defaults, how to modify the defaults and how to customize
|
||||
+existing policies with sub-policies are present in manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the signature algorithms that will be accepted for hostbased
|
||||
authentication as a list of comma-separated patterns.
|
||||
Alternately if the specified list begins with a
|
||||
.Sq +
|
||||
character, then the specified signature algorithms will be appended to
|
||||
-the default set instead of replacing them.
|
||||
+the built-in openssh set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified signature algorithms (including wildcards)
|
||||
-will be removed from the default set instead of replacing them.
|
||||
+will be removed from the built-in openssh set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified signature algorithms will be placed at
|
||||
-the head of the default set.
|
||||
-The default for this option is:
|
||||
-.Bd -literal -offset 3n
|
||||
-ssh-ed25519-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
-rsa-sha2-512-cert-v01@openssh.com,
|
||||
-rsa-sha2-256-cert-v01@openssh.com,
|
||||
-ssh-ed25519,
|
||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-sk-ssh-ed25519@openssh.com,
|
||||
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||
-rsa-sha2-512,rsa-sha2-256
|
||||
-.Ed
|
||||
+the head of the built-in openssh default set.
|
||||
.Pp
|
||||
The list of available signature algorithms may also be obtained using
|
||||
.Qq ssh -Q HostbasedAcceptedAlgorithms .
|
||||
@@ -876,25 +865,15 @@ is specified, the location of the socket
|
||||
.Ev SSH_AUTH_SOCK
|
||||
environment variable.
|
||||
.It Cm HostKeyAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+Information about defaults, how to modify the defaults and how to customize
|
||||
+existing policies with sub-policies are present in manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the host key signature algorithms
|
||||
that the server offers.
|
||||
The default for this option is:
|
||||
-.Bd -literal -offset 3n
|
||||
-ssh-ed25519-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
-rsa-sha2-512-cert-v01@openssh.com,
|
||||
-rsa-sha2-256-cert-v01@openssh.com,
|
||||
-ssh-ed25519,
|
||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-sk-ssh-ed25519@openssh.com,
|
||||
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||
-rsa-sha2-512,rsa-sha2-256
|
||||
-.Ed
|
||||
-.Pp
|
||||
The list of available signature algorithms may also be obtained using
|
||||
.Qq ssh -Q HostKeyAlgorithms .
|
||||
.It Cm IgnoreRhosts
|
||||
@@ -1027,24 +1006,30 @@ file on logout.
|
||||
The default is
|
||||
.Cm yes .
|
||||
.It Cm KexAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+Information about defaults, how to modify the defaults and how to customize
|
||||
+existing policies with sub-policies are present in manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the permitted KEX (Key Exchange) algorithms that the server will
|
||||
offer to clients.
|
||||
The ordering of this list is not important, as the client specifies the
|
||||
preference order.
|
||||
Multiple algorithms must be comma-separated.
|
||||
.Pp
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified algorithms will be appended to the default set
|
||||
-instead of replacing them.
|
||||
+character, then the specified methods will be appended to the built-in
|
||||
+openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified algorithms (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified algorithms will be placed at the head of the
|
||||
-default set.
|
||||
+built-in openssh default set.
|
||||
.Pp
|
||||
The supported algorithms are:
|
||||
.Pp
|
||||
@@ -1072,16 +1057,6 @@ ecdh-sha2-nistp521
|
||||
sntrup761x25519-sha512@openssh.com
|
||||
.El
|
||||
.Pp
|
||||
-The default is:
|
||||
-.Bd -literal -offset indent
|
||||
-sntrup761x25519-sha512@openssh.com,
|
||||
-curve25519-sha256,curve25519-sha256@libssh.org,
|
||||
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
-diffie-hellman-group-exchange-sha256,
|
||||
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
|
||||
-diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
|
||||
-.Ed
|
||||
-.Pp
|
||||
The list of supported key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q KexAlgorithms .
|
||||
.It Cm ListenAddress
|
||||
@@ -1167,21 +1142,27 @@ function, and all code in the
|
||||
file.
|
||||
This option is intended for debugging and no overrides are enabled by default.
|
||||
.It Cm MACs
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+Information about defaults, how to modify the defaults and how to customize
|
||||
+existing policies with sub-policies are present in manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the available MAC (message authentication code) algorithms.
|
||||
The MAC algorithm is used for data integrity protection.
|
||||
Multiple algorithms must be comma-separated.
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified algorithms will be appended to the default set
|
||||
-instead of replacing them.
|
||||
+character, then the specified algorithms will be appended to the built-in
|
||||
+openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified algorithms (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified algorithms will be placed at the head of the
|
||||
-default set.
|
||||
+built-in openssh default set.
|
||||
.Pp
|
||||
The algorithms that contain
|
||||
.Qq -etm
|
||||
@@ -1224,15 +1205,6 @@ umac-64-etm@openssh.com
|
||||
umac-128-etm@openssh.com
|
||||
.El
|
||||
.Pp
|
||||
-The default is:
|
||||
-.Bd -literal -offset indent
|
||||
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
|
||||
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
|
||||
-hmac-sha1-etm@openssh.com,
|
||||
-umac-64@openssh.com,umac-128@openssh.com,
|
||||
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
||||
-.Ed
|
||||
-.Pp
|
||||
The list of available MAC algorithms may also be obtained using
|
||||
.Qq ssh -Q mac .
|
||||
.It Cm Match
|
||||
@@ -1614,36 +1586,26 @@ or equivalent.)
|
||||
The default is
|
||||
.Cm yes .
|
||||
.It Cm PubkeyAcceptedAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+Information about defaults, how to modify the defaults and how to customize
|
||||
+existing policies with sub-policies are present in manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the signature algorithms that will be accepted for public key
|
||||
authentication as a list of comma-separated patterns.
|
||||
Alternately if the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified algorithms will be appended to the default set
|
||||
-instead of replacing them.
|
||||
+character, then the specified algorithms will be appended to the built-in
|
||||
+openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified algorithms (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified algorithms will be placed at the head of the
|
||||
-default set.
|
||||
-The default for this option is:
|
||||
-.Bd -literal -offset 3n
|
||||
-ssh-ed25519-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
-rsa-sha2-512-cert-v01@openssh.com,
|
||||
-rsa-sha2-256-cert-v01@openssh.com,
|
||||
-ssh-ed25519,
|
||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-sk-ssh-ed25519@openssh.com,
|
||||
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||
-rsa-sha2-512,rsa-sha2-256
|
||||
-.Ed
|
||||
+built-in openssh default set.
|
||||
.Pp
|
||||
The list of available signature algorithms may also be obtained using
|
||||
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|
||||
@@ -2122,7 +2084,9 @@ This file should be writable by root onl
|
||||
.El
|
||||
.Sh SEE ALSO
|
||||
.Xr sftp-server 8 ,
|
||||
-.Xr sshd 8
|
||||
+.Xr sshd 8 ,
|
||||
+.Xr crypto-policies 7 ,
|
||||
+.Xr update-crypto-policies 8
|
||||
.Sh AUTHORS
|
||||
.An -nosplit
|
||||
OpenSSH is a derivative of the original and free
|
43
openssh-9.6p1-crypto-policies.patch
Normal file
43
openssh-9.6p1-crypto-policies.patch
Normal file
@ -0,0 +1,43 @@
|
||||
Index: openssh-9.6p1/ssh_config
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/ssh_config
|
||||
+++ openssh-9.6p1/ssh_config
|
||||
@@ -17,6 +17,12 @@
|
||||
# list of available options, their meanings and defaults, please see the
|
||||
# ssh_config(5) man page.
|
||||
|
||||
+# This system is following system-wide crypto policies.
|
||||
+# To modify the crypto properties (Ciphers, MACs, ...), create a *.conf
|
||||
+# file under /etc/ssh/ssh_config.d/ which will be automatically
|
||||
+# included below. For more information, see the manual pages for
|
||||
+# update-crypto-policies(8) and ssh_config(5).
|
||||
+
|
||||
# To modify the system-wide ssh configuration, create a "*.conf" file under
|
||||
# "/etc/ssh/ssh_config.d/" which will be automatically included below.
|
||||
# Don't edit this configuration file itself if possible to avoid update
|
||||
Index: openssh-9.6p1/ssh_config_suse
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-9.6p1/ssh_config_suse
|
||||
@@ -0,0 +1,9 @@
|
||||
+# The options here are in the "Match final block" to be applied as the last
|
||||
+# options and could be potentially overwritten by the user configuration
|
||||
+Match final all
|
||||
+ # Follow system-wide Crypto Policy, if defined:
|
||||
+ Include /etc/crypto-policies/back-ends/openssh.config
|
||||
+
|
||||
+# Uncomment this if you want to use .local domain
|
||||
+# Host *.local
|
||||
+
|
||||
Index: openssh-9.6p1/sshd_config_suse_cp
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-9.6p1/sshd_config_suse_cp
|
||||
@@ -0,0 +1,7 @@
|
||||
+# This system is following system-wide crypto policy. The changes to
|
||||
+# crypto properties (Ciphers, MACs, ...) will not have any effect in
|
||||
+# this or following included files. To override some configuration option,
|
||||
+# write it before this block or include it before this file.
|
||||
+# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
|
||||
+Include /etc/crypto-policies/back-ends/opensshserver.config
|
||||
+
|
BIN
openssh-9.6p1.tar.gz
(Stored with Git LFS)
Normal file
BIN
openssh-9.6p1.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
16
openssh-9.6p1.tar.gz.asc
Normal file
16
openssh-9.6p1.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmWAXvAACgkQKj9BTnNg
|
||||
YLrypA/6A1O8e80XnzVWIFhXkbv/biGL10Q5ZMvjQvND6mbkphNWZ4G4QOEh0nBG
|
||||
rseD3Fce7me9pfeLYVhaNXO9R3OYAXxjbWfQwI7FpBU4QUCnbH53PG32B6ESq7pl
|
||||
0vlDqdqI7aBAyMpp+8WFD+EvHWUVA77JtfU4MFw7myKJacrVrDUygDaZkJKOhqKf
|
||||
N1Nurz4YppdQ5zIK1ElL0jlRJXm08flLFRg8fD5/5rwabpUbZIY9b5qZzGKgnR7I
|
||||
sxUBlDkfLnvKIlKzUXbRvOHazvFAHYH1ltJZGlJUc/+H/ZaPigWf4IR+E1FB9c2O
|
||||
zxaZhlbwGKyD+p7l08F9n8T21taxpBCW1Uxkx7MLTz8k9huPNpdX5l8VM4Gotmn8
|
||||
I4V3Fevyx+M3XJYeKtkspa51h0GqF3gNFPLxW7ERGaIuqwoxuHxIEKwYE+JPmQag
|
||||
UDma5LDrSrasa8Rw8g5urGE48PeDQ5muPy8Bi9eIGZU5JLqX6TNgz7QDDs/dQsHB
|
||||
iny4wQOLmdIA78IGttiCo0rqikEvFtFDFR4mCUTC8K0nQKzWwGewO3gRTcHttzyU
|
||||
xMalxw+wt9cUJ8gb1E9p7OeMUuXdaHMmem8/PcFCar/vKx1mdV/On6evnp3P8yQA
|
||||
la8WnbcP0+zJg0GGwGszpFlOMjWCDB0kUTBCT+MR+IWbj/pVZVA=
|
||||
=G9YA
|
||||
-----END PGP SIGNATURE-----
|
3
openssh-9.8p1.tar.gz
Normal file
3
openssh-9.8p1.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3
|
||||
size 1910393
|
16
openssh-9.8p1.tar.gz.asc
Normal file
16
openssh-9.8p1.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmaCMn0ACgkQKj9BTnNg
|
||||
YLrjcBAAgO7xhKUXp8YxdqSZigDbcHu7T37bm1pRTKg2ihPepz+q6pV+DY8AHSRu
|
||||
eyuOCOHYzjLyArFpiMX3z9iT2NqO+KNBvKQoh8loaxNrECmgRGk2jBEKiibFSP5M
|
||||
i6CYkF3sET9xnVDkt4P6KievWXY1/Tl93qve3K2a/bvvgT8s2AaBMM8u4BMGNm3D
|
||||
sc3A6euN0aiXRts2V6I885VyrQDMK++E7+eTHet0ex82KH4I+ceIOwB48hny4wpb
|
||||
Zaqy9pTFisTmFNOF6d3TB58yMWoLQIbLuVrbbbcr7hFYCWsgj0yN5iYQNOR9pU4E
|
||||
ooF+aC0kK9M4iUXthzjjgIjnMzsCmPeKisbwblsPSfSgccj/pCMzW8C3CMVL6AvG
|
||||
slSSLK42qm3f38kx3sg2S8LDW0v+hoyvBmKNFMiBwsF2tWCXIG+oP1PDYpJUpaOJ
|
||||
RFHG7JEPtY94UJGdo5C4YhqDWr3HOqEwuVIt1gWMMPs9IvDkDRo6emmDd64FFAKH
|
||||
ss3hHixu6OHqU5iw6JIVVtYiur6s9m6N/Xxt5Ho6wuqnzUZ+Dwj3L6lF9IOJbJxU
|
||||
Ufb70I1Uko9kXcoje9ONUsqr88wfQY+JZxxVTlzDUDadytCzmO3wXsz+cosMQ5Rw
|
||||
aOZwXYyvmcoZuUQG8GIqRO1wfOcD7o7pI6IyVJQjOeG/rA0eu/4=
|
||||
=Gj2n
|
||||
-----END PGP SIGNATURE-----
|
341
openssh-askpass-gnome.changes
Normal file
341
openssh-askpass-gnome.changes
Normal file
@ -0,0 +1,341 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Aug 1 09:17:11 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Update to openssh 9.8p1:
|
||||
* No changes for askpass, see main package changelog for
|
||||
details.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
|
||||
|
||||
- Update to openssh 9.6p1:
|
||||
* No changes for askpass, see main package changelog for
|
||||
details.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jul 21 05:13:56 UTC 2023 - Simon Lees <sflees@suse.de>
|
||||
|
||||
- Update to openssh 9.3p2
|
||||
* No changes for askpass, see main package changelog for
|
||||
details
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun May 28 09:16:44 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>
|
||||
|
||||
- openssh-askpass-gnome: require only openssh-clients, not the full
|
||||
openssh (including -server), to avoid pulling in excessive
|
||||
dependencies when installing git on Gnome (boo#1211446)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Update to openssh 9.3p1
|
||||
* No changes for askpass, see main package changelog for
|
||||
details
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 28 19:05:15 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
|
||||
|
||||
- Version upgrade to 8.8p1
|
||||
* No changes for askpass, see main package changelog for
|
||||
details
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 17 20:41:39 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
|
||||
|
||||
- Upgrade some old specfile constructs/macros.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 10 22:44:00 UTC 2020 - Hans Petter Jansson <hpj@suse.com>
|
||||
|
||||
- Supplement openssh-clients instead of openssh (bsc#1176434).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jul 18 14:07:56 UTC 2019 - Fabian Vogt <fvogt@suse.com>
|
||||
|
||||
- Supplement libgtk-3-0 instead to avoid installation on a textmode install
|
||||
(boo#1142000)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Feb 14 10:36:03 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com>
|
||||
|
||||
- Supplement the openssh and libx11 together to ensure this package
|
||||
is installed on machines where there is X stack
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 22 08:59:02 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
|
||||
|
||||
- Version update to 7.9p1
|
||||
* No actual changes for the askpass
|
||||
* See main package changelog for details
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 9 10:52:15 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
|
||||
|
||||
- Update to 7.8p1:
|
||||
* no actual changes for the askpass
|
||||
- Format with spec-cleaner
|
||||
- Respect cflags
|
||||
- Use gtk3 rather than gtk2 which is being phased out
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon May 21 15:19:03 UTC 2018 - pcerny@suse.com
|
||||
|
||||
- Upgrade to 7.7p1 (bsc#1094068)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 31 22:54:55 UTC 2018 - pcerny@suse.com
|
||||
|
||||
- .spec file cleanup
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 3 12:27:18 UTC 2017 - pcerny@suse.com
|
||||
|
||||
- upgrade to 7.6p1
|
||||
see main package changelog for details
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 25 13:45:53 UTC 2016 - meissner@suse.com
|
||||
|
||||
- fixed url
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Apr 17 23:27:51 UTC 2016 - pcerny@suse.com
|
||||
|
||||
- upgrade to 7.2p2
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Feb 10 13:28:56 UTC 2015 - pcerny@suse.com
|
||||
|
||||
- changing license to 2-clause BSD to match source
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Apr 11 21:50:51 UTC 2014 - pcerny@suse.com
|
||||
|
||||
- Update of the underlying OpenSSH to 6.6p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Feb 12 01:24:16 UTC 2014 - pcerny@suse.com
|
||||
|
||||
- Update of the underlying OpenSSH to 6.5p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jan 24 15:13:09 UTC 2014 - pcerny@suse.com
|
||||
|
||||
- Update of the underlying OpenSSH to 6.4p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 19 02:02:56 UTC 2013 - pcerny@suse.com
|
||||
|
||||
- spec file cleanup (don't pointelssly build whole OpenSSH)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Aug 3 18:12:20 UTC 2013 - crrodriguez@opensuse.org
|
||||
|
||||
- Update for 6.2p2
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 13 10:51:12 UTC 2012 - meissner@suse.com
|
||||
|
||||
- Updated to 6.1p1, a bugfix release
|
||||
Features:
|
||||
* sshd(8): This release turns on pre-auth sandboxing sshd by default for
|
||||
new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
|
||||
* ssh-keygen(1): Add options to specify starting line number and number of
|
||||
lines to process when screening moduli candidates, allowing processing
|
||||
of different parts of a candidate moduli file in parallel
|
||||
* sshd(8): The Match directive now supports matching on the local (listen)
|
||||
address and port upon which the incoming connection was received via
|
||||
LocalAddress and LocalPort clauses.
|
||||
* sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv
|
||||
and {Allow,Deny}{Users,Groups}
|
||||
* Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978
|
||||
* ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8
|
||||
* sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as
|
||||
an argument to refuse all port-forwarding requests.
|
||||
* sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile
|
||||
* ssh-keyscan(1): Look for ECDSA keys by default. bz#1971
|
||||
* sshd(8): Add "VersionAddendum" to sshd_config to allow server operators
|
||||
to append some arbitrary text to the server SSH protocol banner.
|
||||
Bugfixes:
|
||||
* ssh(1)/sshd(8): Don't spin in accept() in situations of file
|
||||
descriptor exhaustion. Instead back off for a while.
|
||||
* ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as
|
||||
they were removed from the specification. bz#2023,
|
||||
* sshd(8): Handle long comments in config files better. bz#2025
|
||||
* ssh(1): Delay setting tty_flag so RequestTTY options are correctly
|
||||
picked up. bz#1995
|
||||
* sshd(8): Fix handling of /etc/nologin incorrectly being applied to root
|
||||
on platforms that use login_cap.
|
||||
Portable OpenSSH:
|
||||
* sshd(8): Allow sshd pre-auth sandboxing to fall-back to the rlimit
|
||||
sandbox from the Linux SECCOMP filter sandbox when the latter is
|
||||
not available in the kernel.
|
||||
* ssh(1): Fix NULL dereference when built with LDNS and using DNSSEC to
|
||||
retrieve a CNAME SSHFP record.
|
||||
* Fix cross-compilation problems related to pkg-config. bz#1996
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 27 09:51:19 UTC 2012 - coolo@suse.com
|
||||
|
||||
- the gnome askpass does not require the x11 askpass - especially not
|
||||
in the version of openssh (it's at 1.X)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue May 29 07:14:53 UTC 2012 - meissner@suse.com
|
||||
|
||||
- use correct tarball url
|
||||
- update to 6.0p1.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Mar 28 11:42:32 UTC 2012 - aj@suse.de
|
||||
|
||||
- Add build require on autoconf and automake.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Dec 21 10:31:42 UTC 2011 - coolo@suse.com
|
||||
|
||||
- remove call to suse_update_config (very old work around)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 19 00:40:15 UTC 2011 - pcerny@suse.com
|
||||
|
||||
- Update to 5.9p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Feb 4 11:19:14 UTC 2011 - lchiquitto@novell.com
|
||||
|
||||
- Update to 5.8p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 24 11:51:10 UTC 2011 - lchiquitto@novell.com
|
||||
|
||||
- Update to 5.7p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 12 13:37:38 CET 2011 - sbrabec@suse.cz
|
||||
|
||||
- Removed relics of no more implemented opensc support.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Aug 24 15:50:17 CEST 2010 - anicka@suse.cz
|
||||
|
||||
- update to 5.6p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 26 11:04:59 CET 2010 - anicka@suse.cz
|
||||
|
||||
- update to 5.4p1
|
||||
- remove -pam-fix4.diff (in upstream now)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Feb 23 17:27:22 CET 2009 - anicka@suse.cz
|
||||
|
||||
- update to 5.2p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 9 14:35:42 CEST 2008 - anicka@suse.cz
|
||||
|
||||
- update to 5.0p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 2 15:06:01 CEST 2008 - anicka@suse.cz
|
||||
|
||||
- update to 4.9p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Dec 5 10:56:07 CET 2007 - anicka@suse.cz
|
||||
|
||||
- - update to 4.7p1
|
||||
* Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
|
||||
GSSAPIDelegateCredentials=yes. This is symmetric with -k
|
||||
* make scp try to skip FIFOs rather than blocking when nothing is
|
||||
listening.
|
||||
* increase default channel windows
|
||||
* put the MAC list into a display
|
||||
* many bugfixes
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Dec 12 14:44:41 CET 2006 - anicka@suse.cz
|
||||
|
||||
- update to 4.5p1
|
||||
* Use privsep_pw if we have it, but only require it if we
|
||||
absolutely need it.
|
||||
* Correctly check for bad signatures in the monitor, otherwise
|
||||
the monitor and the unpriv process can get out of sync.
|
||||
* Clear errno before calling the strtol functions.
|
||||
* exit instead of doing a blocking tcp send if we detect
|
||||
a client/server timeout, since the tcp sendqueue might
|
||||
be already full (of alive requests)
|
||||
* include signal.h, errno.h, sys/in.h
|
||||
* some more bugfixes
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 4 12:56:40 CEST 2006 - postadal@suse.cz
|
||||
|
||||
- updated to version 4.4p1 [#208662]
|
||||
* fixed pre-authentication DoS, that would cause sshd(8) to spin
|
||||
until the login grace time expired
|
||||
* fixed unsafe signal hander, which was vulnerable to a race condition
|
||||
that could be exploited to perform a pre-authentication DoS
|
||||
* fixed a GSSAPI authentication abort that could be used to determine
|
||||
the validity of usernames on some platforms
|
||||
* implemented conditional configuration in sshd_config(5) using the
|
||||
"Match" directive
|
||||
* added support for Diffie-Hellman group exchange key agreement with a
|
||||
final hash of SHA256
|
||||
* added a "ForceCommand", "PermitOpen" directive to sshd_config(5)
|
||||
* added optional logging of transactions to sftp-server(8)
|
||||
* ssh(1) will now record port numbers for hosts stored in
|
||||
~/.ssh/authorized_keys when a non-standard port has been requested
|
||||
* added an "ExitOnForwardFailure" option to cause ssh(1) to exit (with
|
||||
a non-zero exit code) when requested port forwardings could not be
|
||||
established
|
||||
* extended sshd_config(5) "SubSystem" declarations to allow the
|
||||
specification of command-line arguments
|
||||
- removed obsoleted patches: autoconf-fix.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 25 13:40:10 CEST 2006 - schwab@suse.de
|
||||
|
||||
- Fix syntax error in configure script.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 25 21:39:06 CET 2006 - mls@suse.de
|
||||
|
||||
- converted neededforbuild to BuildRequires
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 3 15:54:49 CET 2006 - postadal@suse.cz
|
||||
|
||||
- updated to version 4.2p1
|
||||
- removed obsoleted patches: upstream_fixes.diff, gssapi-secfix.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 8 16:20:06 CEST 2005 - postadal@suse.cz
|
||||
|
||||
- don't strip
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Aug 4 11:30:18 CEST 2005 - uli@suse.de
|
||||
|
||||
- parallelize build
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jun 10 16:24:22 CEST 2005 - postadal@suse.cz
|
||||
|
||||
- updated to version 4.1p1
|
||||
- removed obsoleted patches: restore_terminal, pam-returnfromsession,
|
||||
timing-attacks-fix, krb5ccname, gssapi-pam, logdenysource,
|
||||
sendenv-fix, documentation-fix
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 19 18:25:29 CET 2005 - postadal@suse.cz
|
||||
|
||||
- renamed askpass-gnome package to openssh-askpass-gnome
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 19 15:58:07 CET 2005 - postadal@suse.cz
|
||||
|
||||
- splited spec file to decreas number of build dependencies
|
||||
|
66
openssh-askpass-gnome.spec
Normal file
66
openssh-askpass-gnome.spec
Normal file
@ -0,0 +1,66 @@
|
||||
#
|
||||
# spec file for package openssh-askpass-gnome
|
||||
#
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
# upon. The license for this file, and modifications and additions to the
|
||||
# file, is the same license as for the pristine package itself (unless the
|
||||
# license for the pristine package is not an Open Source License, in which
|
||||
# case the license is the MIT License). An "Open Source License" is a
|
||||
# license that conforms to the Open Source Definition (Version 1.9)
|
||||
# published by the Open Source Initiative.
|
||||
|
||||
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||
#
|
||||
|
||||
|
||||
%define _name openssh
|
||||
Name: openssh-askpass-gnome
|
||||
Version: 9.8p1
|
||||
Release: 0
|
||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||
License: BSD-2-Clause
|
||||
Group: Productivity/Networking/SSH
|
||||
URL: https://www.openssh.com/
|
||||
Source: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
|
||||
Source42: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
|
||||
Requires: %{_name}-clients = %{version}
|
||||
Supplements: packageand(openssh-clients:libgtk-3-0)
|
||||
%if 0%{?suse_version} >= 1550
|
||||
BuildRequires: gtk3-devel
|
||||
%else
|
||||
BuildRequires: gtk2-devel
|
||||
%endif
|
||||
|
||||
%description
|
||||
SSH (Secure Shell) is a program for logging into a remote machine and
|
||||
for executing commands on a remote machine. This package contains a
|
||||
GNOME-based passphrase dialog for OpenSSH.
|
||||
|
||||
%prep
|
||||
%autosetup -p1 -n %{_name}-%{version}
|
||||
|
||||
%build
|
||||
cd contrib
|
||||
export CFLAGS="%{optflags}"
|
||||
%if 0%{?suse_version} >= 1550
|
||||
%make_build gnome-ssh-askpass3
|
||||
%else
|
||||
%make_build gnome-ssh-askpass2
|
||||
%endif
|
||||
|
||||
%install
|
||||
install -d -m 755 %{buildroot}%{_libexecdir}/ssh/
|
||||
%if 0%{?suse_version} >= 1550
|
||||
install contrib/gnome-ssh-askpass3 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass
|
||||
%else
|
||||
install contrib/gnome-ssh-askpass2 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass
|
||||
%endif
|
||||
|
||||
%files
|
||||
%dir %{_libexecdir}/ssh
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/gnome-ssh-askpass
|
||||
|
||||
%changelog
|
19
openssh-do-not-send-empty-message.patch
Normal file
19
openssh-do-not-send-empty-message.patch
Normal file
@ -0,0 +1,19 @@
|
||||
--- openssh-8.4p1.orig/auth-pam.c 2020-09-27 09:25:01.000000000 +0200
|
||||
+++ openssh-8.4p1/auth-pam.c 2022-03-04 13:02:23.447712697 +0100
|
||||
@@ -638,10 +638,12 @@
|
||||
switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
|
||||
case PAM_ERROR_MSG:
|
||||
case PAM_TEXT_INFO:
|
||||
- if ((r = sshbuf_putf(loginmsg, "%s\n",
|
||||
- PAM_MSG_MEMBER(msg, i, msg))) != 0)
|
||||
- fatal("%s: buffer error: %s",
|
||||
- __func__, ssh_err(r));
|
||||
+ if (strlen(PAM_MSG_MEMBER(msg, i, msg)) != 0) {
|
||||
+ if ((r = sshbuf_putf(loginmsg, "%s\n",
|
||||
+ PAM_MSG_MEMBER(msg, i, msg))) != 0)
|
||||
+ fatal("%s: buffer error: %s",
|
||||
+ __func__, ssh_err(r));
|
||||
+ }
|
||||
reply[i].resp_retcode = PAM_SUCCESS;
|
||||
break;
|
||||
default:
|
78
openssh-fips-ensure-approved-moduli.patch
Normal file
78
openssh-fips-ensure-approved-moduli.patch
Normal file
@ -0,0 +1,78 @@
|
||||
commit 15c95d6eb2e8bc549719578c9a16541015363360
|
||||
Author: Hans Petter Jansson <hpj@hpjansson.org>
|
||||
Date: Mon Oct 26 22:26:46 2020 +0100
|
||||
|
||||
Ensure DHGs are approved in FIPS mode using OpenSSL's DH_check_params()
|
||||
|
||||
Index: openssh-8.8p1/dh.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/dh.c
|
||||
+++ openssh-8.8p1/dh.c
|
||||
@@ -155,6 +155,28 @@ parse_prime(int linenum, char *line, str
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static int
|
||||
+dhg_is_approved(const struct dhgroup *dhg)
|
||||
+{
|
||||
+ BIGNUM *g, *p;
|
||||
+ DH *dh;
|
||||
+ int dh_status;
|
||||
+ int is_ok = 0;
|
||||
+
|
||||
+ /* DH_set0_pqg() transfers ownership of the bignums, so we
|
||||
+ * make temporary copies here for simplicity. */
|
||||
+ g = BN_dup(dhg->g);
|
||||
+ p = BN_dup(dhg->p);
|
||||
+ dh = dh_new_group(g, p);
|
||||
+
|
||||
+ if (dh) {
|
||||
+ is_ok = DH_check_params(dh, &dh_status);
|
||||
+ }
|
||||
+
|
||||
+ DH_free(dh);
|
||||
+ return is_ok;
|
||||
+}
|
||||
+
|
||||
DH *
|
||||
choose_dh(int min, int wantbits, int max)
|
||||
{
|
||||
@@ -173,12 +195,20 @@ choose_dh(int min, int wantbits, int max
|
||||
linenum = 0;
|
||||
best = bestcount = 0;
|
||||
while (getline(&line, &linesize, f) != -1) {
|
||||
+ int dhg_is_ok;
|
||||
+
|
||||
linenum++;
|
||||
if (!parse_prime(linenum, line, &dhg))
|
||||
continue;
|
||||
+
|
||||
+ dhg_is_ok = dhg_is_approved(&dhg);
|
||||
+
|
||||
BN_clear_free(dhg.g);
|
||||
BN_clear_free(dhg.p);
|
||||
|
||||
+ if (!dhg_is_ok)
|
||||
+ continue;
|
||||
+
|
||||
if (dhg.size > max || dhg.size < min)
|
||||
continue;
|
||||
|
||||
@@ -206,10 +236,16 @@ choose_dh(int min, int wantbits, int max
|
||||
linenum = 0;
|
||||
bestcount = 0;
|
||||
while (getline(&line, &linesize, f) != -1) {
|
||||
+ int dhg_is_ok;
|
||||
+
|
||||
linenum++;
|
||||
if (!parse_prime(linenum, line, &dhg))
|
||||
continue;
|
||||
- if ((dhg.size > max || dhg.size < min) ||
|
||||
+
|
||||
+ dhg_is_ok = dhg_is_approved(&dhg);
|
||||
+
|
||||
+ if (!dhg_is_ok ||
|
||||
+ (dhg.size > max || dhg.size < min) ||
|
||||
dhg.size != best ||
|
||||
bestcount++ != which) {
|
||||
BN_clear_free(dhg.g);
|
15
openssh-link-with-sk.patch
Normal file
15
openssh-link-with-sk.patch
Normal file
@ -0,0 +1,15 @@
|
||||
Index: openssh-8.8p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/Makefile.in
|
||||
+++ openssh-8.8p1/Makefile.in
|
||||
@@ -252,8 +252,8 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libss
|
||||
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
||||
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
-sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
|
||||
- $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
+sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o $(SFTPSERVER_OBJS)
|
||||
+ $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
|
||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
|
||||
$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
344
openssh-mitigate-lingering-secrets.patch
Normal file
344
openssh-mitigate-lingering-secrets.patch
Normal file
@ -0,0 +1,344 @@
|
||||
Index: openssh-9.3p2/kex.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/kex.c
|
||||
+++ openssh-9.3p2/kex.c
|
||||
@@ -1564,16 +1564,16 @@ enc_destroy(struct sshenc *enc)
|
||||
return;
|
||||
|
||||
if (enc->key) {
|
||||
- memset(enc->key, 0, enc->key_len);
|
||||
+ explicit_bzero(enc->key, enc->key_len);
|
||||
free(enc->key);
|
||||
}
|
||||
|
||||
if (enc->iv) {
|
||||
- memset(enc->iv, 0, enc->iv_len);
|
||||
+ explicit_bzero(enc->iv, enc->iv_len);
|
||||
free(enc->iv);
|
||||
}
|
||||
|
||||
- memset(enc, 0, sizeof(*enc));
|
||||
+ explicit_bzero(enc, sizeof(*enc));
|
||||
}
|
||||
|
||||
void
|
||||
@@ -1584,7 +1584,7 @@ newkeys_destroy(struct newkeys *newkeys)
|
||||
|
||||
enc_destroy(&newkeys->enc);
|
||||
mac_destroy(&newkeys->mac);
|
||||
- memset(&newkeys->comp, 0, sizeof(newkeys->comp));
|
||||
+ explicit_bzero(&newkeys->comp, sizeof(newkeys->comp));
|
||||
}
|
||||
|
||||
/*
|
||||
Index: openssh-9.3p2/mac.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/mac.c
|
||||
+++ openssh-9.3p2/mac.c
|
||||
@@ -284,11 +284,11 @@ mac_destroy(struct sshmac *mac)
|
||||
return;
|
||||
|
||||
if (mac->key) {
|
||||
- memset(mac->key, 0, mac->key_len);
|
||||
+ explicit_bzero(mac->key, mac->key_len);
|
||||
free(mac->key);
|
||||
}
|
||||
|
||||
- memset(mac, 0, sizeof(*mac));
|
||||
+ explicit_bzero(mac, sizeof(*mac));
|
||||
}
|
||||
|
||||
/* XXX copied from ciphers_valid */
|
||||
Index: openssh-9.3p2/monitor.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/monitor.c
|
||||
+++ openssh-9.3p2/monitor.c
|
||||
@@ -1789,8 +1789,12 @@ mm_answer_audit_end_command(struct ssh *
|
||||
void
|
||||
monitor_clear_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
||||
{
|
||||
- ssh_clear_newkeys(ssh, MODE_IN);
|
||||
- ssh_clear_newkeys(ssh, MODE_OUT);
|
||||
+ u_int mode;
|
||||
+
|
||||
+ for (mode = 0; mode < MODE_MAX; mode++) {
|
||||
+ ssh_clear_curkeys(ssh, mode); /* current keys */
|
||||
+ ssh_clear_newkeys(ssh, mode); /* next keys */
|
||||
+ }
|
||||
sshbuf_free(child_state);
|
||||
child_state = NULL;
|
||||
}
|
||||
Index: openssh-9.3p2/packet.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/packet.c
|
||||
+++ openssh-9.3p2/packet.c
|
||||
@@ -655,6 +655,7 @@ ssh_packet_close_internal(struct ssh *ss
|
||||
ssh->local_ipaddr = NULL;
|
||||
free(ssh->remote_ipaddr);
|
||||
ssh->remote_ipaddr = NULL;
|
||||
+ explicit_bzero(ssh->state, sizeof(*ssh->state));
|
||||
free(ssh->state);
|
||||
ssh->state = NULL;
|
||||
kex_free(ssh->kex);
|
||||
@@ -783,8 +784,10 @@ compress_buffer(struct ssh *ssh, struct
|
||||
case Z_OK:
|
||||
/* Append compressed data to output_buffer. */
|
||||
if ((r = sshbuf_put(out, buf, sizeof(buf) -
|
||||
- ssh->state->compression_out_stream.avail_out)) != 0)
|
||||
+ ssh->state->compression_out_stream.avail_out)) != 0) {
|
||||
+ explicit_bzero(buf, sizeof(buf));
|
||||
return r;
|
||||
+ }
|
||||
break;
|
||||
case Z_STREAM_ERROR:
|
||||
default:
|
||||
@@ -819,8 +822,10 @@ uncompress_buffer(struct ssh *ssh, struc
|
||||
switch (status) {
|
||||
case Z_OK:
|
||||
if ((r = sshbuf_put(out, buf, sizeof(buf) -
|
||||
- ssh->state->compression_in_stream.avail_out)) != 0)
|
||||
+ ssh->state->compression_in_stream.avail_out)) != 0) {
|
||||
+ explicit_bzero(buf, sizeof(buf));
|
||||
return r;
|
||||
+ }
|
||||
break;
|
||||
case Z_BUF_ERROR:
|
||||
/*
|
||||
@@ -870,6 +875,17 @@ uncompress_buffer(struct ssh *ssh, struc
|
||||
#endif /* WITH_ZLIB */
|
||||
|
||||
void
|
||||
+ssh_clear_curkeys(struct ssh *ssh, int mode)
|
||||
+{
|
||||
+ struct session_state *state = ssh->state;
|
||||
+
|
||||
+ if (state && state->newkeys[mode]) {
|
||||
+ kex_free_newkeys(state->newkeys[mode]);
|
||||
+ state->newkeys[mode] = NULL;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+void
|
||||
ssh_clear_newkeys(struct ssh *ssh, int mode)
|
||||
{
|
||||
if (ssh->kex && ssh->kex->newkeys[mode]) {
|
||||
@@ -1418,7 +1434,9 @@ ssh_packet_read_seqnr(struct ssh *ssh, u
|
||||
}
|
||||
|
||||
/* Append it to the buffer. */
|
||||
- if ((r = ssh_packet_process_incoming(ssh, buf, len)) != 0)
|
||||
+ r = ssh_packet_process_incoming(ssh, buf, len);
|
||||
+ explicit_bzero(buf, len);
|
||||
+ if (r != 0)
|
||||
goto out;
|
||||
}
|
||||
out:
|
||||
@@ -2375,9 +2393,12 @@ ssh_packet_get_state(struct ssh *ssh, st
|
||||
(r = sshbuf_put_u32(m, state->p_read.packets)) != 0 ||
|
||||
(r = sshbuf_put_u64(m, state->p_read.bytes)) != 0 ||
|
||||
(r = sshbuf_put_stringb(m, state->input)) != 0 ||
|
||||
- (r = sshbuf_put_stringb(m, state->output)) != 0)
|
||||
+ (r = sshbuf_put_stringb(m, state->output)) != 0) {
|
||||
+ sshbuf_obfuscate(m);
|
||||
return r;
|
||||
+ }
|
||||
|
||||
+ sshbuf_obfuscate(m);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -2496,6 +2517,8 @@ ssh_packet_set_state(struct ssh *ssh, st
|
||||
size_t ilen, olen;
|
||||
int r;
|
||||
|
||||
+ sshbuf_unobfuscate(m);
|
||||
+
|
||||
if ((r = kex_from_blob(m, &ssh->kex)) != 0 ||
|
||||
(r = newkeys_from_blob(m, ssh, MODE_OUT)) != 0 ||
|
||||
(r = newkeys_from_blob(m, ssh, MODE_IN)) != 0 ||
|
||||
@@ -2509,7 +2532,7 @@ ssh_packet_set_state(struct ssh *ssh, st
|
||||
(r = sshbuf_get_u64(m, &state->p_read.blocks)) != 0 ||
|
||||
(r = sshbuf_get_u32(m, &state->p_read.packets)) != 0 ||
|
||||
(r = sshbuf_get_u64(m, &state->p_read.bytes)) != 0)
|
||||
- return r;
|
||||
+ goto out;
|
||||
/*
|
||||
* We set the time here so that in post-auth privsep child we
|
||||
* count from the completion of the authentication.
|
||||
@@ -2518,10 +2541,10 @@ ssh_packet_set_state(struct ssh *ssh, st
|
||||
/* XXX ssh_set_newkeys overrides p_read.packets? XXX */
|
||||
if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0 ||
|
||||
(r = ssh_set_newkeys(ssh, MODE_OUT)) != 0)
|
||||
- return r;
|
||||
+ goto out;
|
||||
|
||||
if ((r = ssh_packet_set_postauth(ssh)) != 0)
|
||||
- return r;
|
||||
+ goto out;
|
||||
|
||||
sshbuf_reset(state->input);
|
||||
sshbuf_reset(state->output);
|
||||
@@ -2529,12 +2552,19 @@ ssh_packet_set_state(struct ssh *ssh, st
|
||||
(r = sshbuf_get_string_direct(m, &output, &olen)) != 0 ||
|
||||
(r = sshbuf_put(state->input, input, ilen)) != 0 ||
|
||||
(r = sshbuf_put(state->output, output, olen)) != 0)
|
||||
- return r;
|
||||
+ goto out;
|
||||
|
||||
- if (sshbuf_len(m))
|
||||
- return SSH_ERR_INVALID_FORMAT;
|
||||
+ if (sshbuf_len(m)) {
|
||||
+ r = SSH_ERR_INVALID_FORMAT;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ r = 0;
|
||||
+out:
|
||||
+ if (r != 0)
|
||||
+ sshbuf_obfuscate(m);
|
||||
debug3_f("done");
|
||||
- return 0;
|
||||
+ return r;
|
||||
}
|
||||
|
||||
/* NEW API */
|
||||
Index: openssh-9.3p2/packet.h
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/packet.h
|
||||
+++ openssh-9.3p2/packet.h
|
||||
@@ -103,6 +103,7 @@ void ssh_packet_close(struct ssh *);
|
||||
void ssh_packet_close(struct ssh *);
|
||||
void ssh_packet_set_input_hook(struct ssh *, ssh_packet_hook_fn *, void *);
|
||||
void ssh_packet_clear_keys(struct ssh *);
|
||||
+void ssh_clear_curkeys(struct ssh *, int);
|
||||
void ssh_clear_newkeys(struct ssh *, int);
|
||||
|
||||
int ssh_packet_is_rekeying(struct ssh *);
|
||||
Index: openssh-9.3p2/sshbuf.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/sshbuf.c
|
||||
+++ openssh-9.3p2/sshbuf.c
|
||||
@@ -309,6 +309,31 @@ sshbuf_mutable_ptr(const struct sshbuf *
|
||||
return buf->d + buf->off;
|
||||
}
|
||||
|
||||
+/* Trivially obfuscate the buffer. This is used to make sensitive data
|
||||
+ * (e.g. keystate) slightly less obvious if found lingering in kernel
|
||||
+ * memory after being sent from the privsep child to its parent.
|
||||
+ *
|
||||
+ * Longer term we should consider using a one-time pad or a stream cipher
|
||||
+ * here. */
|
||||
+void
|
||||
+sshbuf_obfuscate(struct sshbuf *buf)
|
||||
+{
|
||||
+ size_t i;
|
||||
+
|
||||
+ if (sshbuf_check_sanity(buf) != 0 || buf->readonly || buf->refcount > 1)
|
||||
+ return;
|
||||
+
|
||||
+ for (i = buf->off; i < buf->size; i++) {
|
||||
+ buf->d [i] ^= 0xaa;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+sshbuf_unobfuscate(struct sshbuf *buf)
|
||||
+{
|
||||
+ sshbuf_obfuscate(buf);
|
||||
+}
|
||||
+
|
||||
int
|
||||
sshbuf_check_reserve(const struct sshbuf *buf, size_t len)
|
||||
{
|
||||
Index: openssh-9.3p2/sshbuf.h
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/sshbuf.h
|
||||
+++ openssh-9.3p2/sshbuf.h
|
||||
@@ -298,6 +298,9 @@ int sshbuf_write_file(const char *path,
|
||||
int sshbuf_read(int, struct sshbuf *, size_t, size_t *)
|
||||
__attribute__((__nonnull__ (2)));
|
||||
|
||||
+void sshbuf_obfuscate(struct sshbuf *buf);
|
||||
+void sshbuf_unobfuscate(struct sshbuf *buf);
|
||||
+
|
||||
/* Macros for decoding/encoding integers */
|
||||
#define PEEK_U64(p) \
|
||||
(((u_int64_t)(((const u_char *)(p))[0]) << 56) | \
|
||||
Index: openssh-9.3p2/sshd-session.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/sshd-session.c
|
||||
+++ openssh-9.3p2/sshd-session.c
|
||||
@@ -197,6 +197,19 @@ static void do_ssh2_kex(struct ssh *);
|
||||
static void do_ssh2_kex(struct ssh *);
|
||||
|
||||
/*
|
||||
+ * Clear some stack space. This is a bit naive, but hopefully helps mitigate
|
||||
+ * information leaks due to registers and other data having been stored on
|
||||
+ * the stack. Called after fork() and before exit().
|
||||
+ */
|
||||
+static void
|
||||
+clobber_stack(void)
|
||||
+{
|
||||
+ char data [32768];
|
||||
+
|
||||
+ explicit_bzero(data, 32768);
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
* Signal handler for the alarm after the login grace period has expired.
|
||||
* As usual, this may only take signal-safe actions, even though it is
|
||||
* terminal.
|
||||
@@ -260,6 +260,8 @@ destroy_sensitive_data(struct ssh *ssh,
|
||||
sensitive_data.host_certificates[i] = NULL;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ clobber_stack();
|
||||
}
|
||||
|
||||
/* Demote private to public keys for network child */
|
||||
@@ -431,6 +432,8 @@ privsep_preauth(struct ssh *ssh)
|
||||
{
|
||||
int skip_privdrop = 0;
|
||||
|
||||
+ clobber_stack();
|
||||
+
|
||||
/*
|
||||
* Hack for systems that don't support FD passing: retain privileges
|
||||
* in the post-auth privsep process so it can allocate PTYs directly.
|
||||
@@ -1354,6 +1356,7 @@ main(int ac, char **av)
|
||||
*/
|
||||
mm_send_keystate(ssh, pmonitor);
|
||||
ssh_packet_clear_keys(ssh);
|
||||
+ clobber_stack();
|
||||
exit(0);
|
||||
|
||||
authenticated:
|
||||
@@ -1431,6 +1434,7 @@ main(int ac, char **av)
|
||||
|
||||
mm_terminate();
|
||||
|
||||
+ clobber_stack();
|
||||
exit(0);
|
||||
}
|
||||
|
||||
@@ -1577,8 +1581,10 @@ cleanup_exit(int i)
|
||||
/* cleanup_exit can be called at the very least from the privsep
|
||||
wrappers used for auditing. Make sure we don't recurse
|
||||
indefinitely. */
|
||||
- if (in_cleanup)
|
||||
+ if (in_cleanup) {
|
||||
+ clobber_stack();
|
||||
_exit(i);
|
||||
+ }
|
||||
in_cleanup = 1;
|
||||
extern int auth_attempted; /* monitor.c */
|
||||
|
||||
@@ -1604,5 +1610,7 @@ cleanup_exit(int i)
|
||||
mm_is_monitor())
|
||||
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
|
||||
#endif
|
||||
+
|
||||
+ clobber_stack();
|
||||
_exit(i);
|
||||
}
|
125
openssh-openssl-3.patch
Normal file
125
openssh-openssl-3.patch
Normal file
@ -0,0 +1,125 @@
|
||||
---
|
||||
fips.c | 5 +++++
|
||||
kex.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
|
||||
2 files changed, 65 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/fips.c
|
||||
+++ b/fips.c
|
||||
@@ -48,6 +48,11 @@
|
||||
|
||||
static int fips_state = -1;
|
||||
|
||||
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
|
||||
+# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
|
||||
+# define FIPS_mode_set(x) EVP_default_properties_enable_fips(NULL,x)
|
||||
+#endif
|
||||
+
|
||||
/* calculates HMAC of contents of a file given by filename using the hash
|
||||
* algorithm specified by FIPS_HMAC_EVP in fips.h and placing the result into
|
||||
* newly allacated memory - remember to free it when not needed anymore */
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
@@ -41,6 +41,9 @@
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/dh.h>
|
||||
#include <openssl/kdf.h>
|
||||
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
|
||||
+# include <openssl/core_names.h>
|
||||
+# endif
|
||||
#endif
|
||||
|
||||
#include "ssh.h"
|
||||
@@ -1191,14 +1194,61 @@ derive_key_via_openssl(struct ssh *ssh,
|
||||
{
|
||||
struct kex *kex = ssh->kex;
|
||||
EVP_KDF_CTX *hashctx = NULL;
|
||||
- const EVP_MD *md = NULL;
|
||||
u_char *digest = NULL;
|
||||
int r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
|
||||
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
|
||||
+ OSSL_PARAM params[6], *p = params;
|
||||
+ char type = (char) id;
|
||||
+ EVP_KDF *kdf = EVP_KDF_fetch (NULL, "SSHKDF", NULL);
|
||||
+ if (!kdf)
|
||||
+ goto out;
|
||||
+ hashctx = EVP_KDF_CTX_new (kdf);
|
||||
+# else
|
||||
+ const EVP_MD *md = NULL;
|
||||
hashctx = EVP_KDF_CTX_new_id (EVP_KDF_SSHKDF);
|
||||
+# endif
|
||||
if (!hashctx)
|
||||
goto out;
|
||||
|
||||
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
|
||||
+ switch (kex->hash_alg)
|
||||
+ {
|
||||
+ case SSH_DIGEST_MD5:
|
||||
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
|
||||
+ SN_md5, strlen(SN_md5));
|
||||
+ break;
|
||||
+ case SSH_DIGEST_SHA1:
|
||||
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
|
||||
+ SN_sha1, strlen(SN_sha1));
|
||||
+ break;
|
||||
+ case SSH_DIGEST_SHA256:
|
||||
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
|
||||
+ SN_sha256, strlen(SN_sha256));
|
||||
+ break;
|
||||
+ case SSH_DIGEST_SHA384:
|
||||
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
|
||||
+ SN_sha384, strlen(SN_sha384));
|
||||
+ break;
|
||||
+ case SSH_DIGEST_SHA512:
|
||||
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
|
||||
+ SN_sha512, strlen(SN_sha512));
|
||||
+ break;
|
||||
+ default:
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
|
||||
+ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret));
|
||||
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH,
|
||||
+ hash, (size_t) hashlen);
|
||||
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
|
||||
+ sshbuf_ptr(kex->session_id), (size_t) sshbuf_len(kex->session_id));
|
||||
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE,
|
||||
+ &type, sizeof(type));
|
||||
+ *p = OSSL_PARAM_construct_end();
|
||||
+
|
||||
+# else
|
||||
md = get_openssl_md_for_hash_alg (kex->hash_alg);
|
||||
if (!md)
|
||||
goto out;
|
||||
@@ -1215,6 +1265,7 @@ derive_key_via_openssl(struct ssh *ssh,
|
||||
sshbuf_ptr(kex->session_id),
|
||||
(size_t) sshbuf_len(kex->session_id)) != 1)
|
||||
goto out;
|
||||
+# endif
|
||||
|
||||
digest = calloc (1, need);
|
||||
if (!digest) {
|
||||
@@ -1222,7 +1273,11 @@ derive_key_via_openssl(struct ssh *ssh,
|
||||
goto out;
|
||||
}
|
||||
|
||||
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
|
||||
+ if (EVP_KDF_derive (hashctx, digest, need, params) != 1)
|
||||
+# else
|
||||
if (EVP_KDF_derive (hashctx, digest, need) != 1)
|
||||
+# endif
|
||||
goto out;
|
||||
|
||||
*keyp = digest;
|
||||
@@ -1233,6 +1288,10 @@ derive_key_via_openssl(struct ssh *ssh,
|
||||
if (hashctx)
|
||||
EVP_KDF_CTX_free(hashctx);
|
||||
|
||||
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
|
||||
+ EVP_KDF_free(kdf);
|
||||
+# endif
|
||||
+
|
||||
if (digest)
|
||||
free(digest);
|
||||
|
41
openssh-reenable-dh-group14-sha1-default.patch
Normal file
41
openssh-reenable-dh-group14-sha1-default.patch
Normal file
@ -0,0 +1,41 @@
|
||||
Index: openssh-8.9p1/myproposal.h
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/myproposal.h
|
||||
+++ openssh-8.9p1/myproposal.h
|
||||
@@ -34,7 +34,8 @@
|
||||
"diffie-hellman-group-exchange-sha256," \
|
||||
"diffie-hellman-group16-sha512," \
|
||||
"diffie-hellman-group18-sha512," \
|
||||
- "diffie-hellman-group14-sha256"
|
||||
+ "diffie-hellman-group14-sha256," \
|
||||
+ "diffie-hellman-group14-sha1"
|
||||
|
||||
#define KEX_CLIENT_KEX KEX_SERVER_KEX
|
||||
|
||||
Index: openssh-8.9p1/ssh_config.5
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/ssh_config.5
|
||||
+++ openssh-8.9p1/ssh_config.5
|
||||
@@ -1228,7 +1228,8 @@ sntrup761x25519-sha512@openssh.com,
|
||||
diffie-hellman-group-exchange-sha256,
|
||||
diffie-hellman-group16-sha512,
|
||||
diffie-hellman-group18-sha512,
|
||||
-diffie-hellman-group14-sha256
|
||||
+diffie-hellman-group14-sha256,
|
||||
+diffie-hellman-group14-sha1
|
||||
.Ed
|
||||
.Pp
|
||||
The list of supported key exchange algorithms may also be obtained using
|
||||
Index: openssh-8.9p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/sshd_config.5
|
||||
+++ openssh-8.9p1/sshd_config.5
|
||||
@@ -996,7 +996,7 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec
|
||||
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
diffie-hellman-group-exchange-sha256,
|
||||
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
|
||||
-diffie-hellman-group14-sha256
|
||||
+diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
|
||||
.Ed
|
||||
.Pp
|
||||
The list of supported key exchange algorithms may also be obtained using
|
34
openssh-whitelist-syscalls.patch
Normal file
34
openssh-whitelist-syscalls.patch
Normal file
@ -0,0 +1,34 @@
|
||||
Index: openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sandbox-seccomp-filter.c
|
||||
+++ openssh-8.8p1/sandbox-seccomp-filter.c
|
||||
@@ -201,6 +201,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_close
|
||||
SC_ALLOW(__NR_close),
|
||||
#endif
|
||||
+#ifdef __NR_close_range
|
||||
+ SC_ALLOW(__NR_close_range),
|
||||
+#endif
|
||||
#ifdef __NR_exit
|
||||
SC_ALLOW(__NR_exit),
|
||||
#endif
|
||||
@@ -213,6 +216,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_futex_time64
|
||||
SC_FUTEX(__NR_futex_time64),
|
||||
#endif
|
||||
+#ifdef __NR_futex_time64
|
||||
+ SC_ALLOW(__NR_futex_time64),
|
||||
+#endif
|
||||
#ifdef __NR_geteuid
|
||||
SC_ALLOW(__NR_geteuid),
|
||||
#endif
|
||||
@@ -293,6 +299,9 @@ static const struct sock_filter preauth_
|
||||
#endif
|
||||
#ifdef __NR_pselect6_time64
|
||||
SC_ALLOW(__NR_pselect6_time64),
|
||||
+#endif
|
||||
+#ifdef __NR_pselect6_time64
|
||||
+ SC_ALLOW(__NR_pselect6_time64),
|
||||
#endif
|
||||
#ifdef __NR_read
|
||||
SC_ALLOW(__NR_read),
|
6484
openssh.changes
Normal file
6484
openssh.changes
Normal file
File diff suppressed because it is too large
Load Diff
353
openssh.keyring
Normal file
353
openssh.keyring
Normal file
@ -0,0 +1,353 @@
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQGiBDqa5pwRBADJSEyXXsgXiyytN93prDPTPmrueRP9lQQfgaQvCvqK0bN0AF1Z
|
||||
Vxxk9wlSXQp3+Qw5+qqsN5ovzsn39r9pqGslfCqQn9ACTmsn42+VCyW4hdwUGSBS
|
||||
5myh65ZJTK1ufWCZFssxQ0EiALagu4DlH6Z2O7tFDnJNagF55vlnK0uMQwCg/8RU
|
||||
QYDmisEHjkarAapPaupxjhkD/j9riCVasWPYJwAuhiQWAKxGRwp/ZyTaWCSERUBR
|
||||
4Dg9QxpuwHKIT8BeDA3hJa/9Yxu5jec2NVKbtVSZvRkgUfRNOkrcH2eiY8Iz6est
|
||||
J64dGWuGMKQW0GEqW+OXpRTTPJZ0mgPmU16qDzLPdx6F3BAk2LG+TTwlKUPuGqOt
|
||||
6u2EA/4+1CBYZ8mXq9GJnLRBPAoYwSJJzbQnMm9Jat/yg9N6nigSIiFyG8ixh167
|
||||
gGGKfzvpjY7DeJzDI0Cub+tRova8gFg+T15AcPMST5v7v6O/ug9aYWERZ0zjUhRH
|
||||
ybtYLYhUUbdYM29PwGBNfZhGIOYwfFE9UpPS5LeXHs28oVLlH4jcBCARAgCcBQJS
|
||||
ppQ+lR0BVGhpcyBrZXkgaGFzIGJlZW4gc3VwZXJzZWRlZCBieSBrZXkgSUQgNkQ5
|
||||
MjBEMzAKS2V5IGZpbmdlcnByaW50ID0gNTlDMiAxMThFIEQyMDYgRDkyNyBFNjY3
|
||||
ICBFQkUzIEQzRTUgRjU2QiA2RDkyIDBEMzAKUGxlYXNlIHVwZGF0ZSB0byB0aGlz
|
||||
IG5ldyBrZXkuAAoJEM6OywOG/5xIWdMAoJZA/6ls+J6YIpVDFHkb4/8fl0w4AJ90
|
||||
K3I7hssc7QuWHfPlq3EozRtjIbQuRGFtaWVuIE1pbGxlciAoUGVyc29uYWwgS2V5
|
||||
KSA8ZGptQG1pbmRyb3Qub3JnPohXBBMRAgAXBQI6muacBQsHCgMEAxUDAgMWAgEC
|
||||
F4AACgkQzo7LA4b/nEiDMgCZAUzKq241h5GTJxC0guS6ht9i9ZsAoL/oXCmFsofA
|
||||
RehZF6AakIdasvS9iEYEExECAAYFAj77h64ACgkQmD+U6HbiLS3r4ACfclqiFP6E
|
||||
TBkTbjqC328yXlT2rlEAnR6Wv3SNayY4jOgfxCMxi61S2CkAiQGsBBABAgAGBQJS
|
||||
ppEIAAoJENPl9Wttkg0wMMsMf0tC6QkZnCkTiEVSar2Bd0gJWRCZOGgWwYnXVXif
|
||||
5UaQhRgfXyXDxADWi76UYl4v8UFrH9yODXhZM0hoNbt6T98stHmw3dIvrYfhRgQ0
|
||||
83p/N7II3i1iDJDUZ9PA8n4c5BWXirOUXPxtp23WgsEqG5DaN3CGo99YZO8aB3AH
|
||||
hWd8xvGGDOKOMpAPQekgG/CZw3pcdaSOsZvOEOnbk/VuI2DVjTu/hX0PmRKkfeVf
|
||||
aafi6bcDkm8Vs7Sw4TIrNmGJTKIDhwXSrFlDfs/CmZJUxzP/S7W+dZ4kvESDSWia
|
||||
wmxQFMIxRqgHeLiRHYXCL5Fg+WYFv+EMj/ta5PVot86/iWfrj0MRKZFCpRfDjqTv
|
||||
t0G0ziOW9kTFK8TpxBacJR7n4whM6SNf6L9onHn7xqx2r0J8TLcua9hTvapuNPdL
|
||||
y1cxAKMZO8q10AMGkYd03qLlHxtgKXBeWkV/UYAc1zArv4JFdWTraLbIHmi8jpvE
|
||||
NM3qcNWuNVyiTi4Kxum+CFd8V7b4X/6yBLRD/U6/dMUy4LiIVwQTEQIAFwUCOprm
|
||||
nAULBwoDBAMVAwIDFgIBAheAAAoJEM6OywOG/5xIgzIAnjRm47SkL5RQ9lDvVdm5
|
||||
SmNw0HX0AKC+AssIfepBFkPIFBSLcNoSWiTkzrkCDQQ6mubUEAgA8/15wnMpXvYZ
|
||||
sYMp7a9+WUCSsfYOn7QcNe/CUsDNzuyTThqd/fBIeEPa5BKeTR9alXnBvedxbnnU
|
||||
/SAF6q/KY6ebXajGAnGisvmidEsNc1Q9lTmN4e0sn1NuaXGIhxGtYK3yj1aFpudy
|
||||
MFhlVbarheXYpgHu+fg9Gl8lQjr9BM/cICUeh+vZaeP3A9hsjWhmq8GPRy7xxb1z
|
||||
jWNqpvxleTo8jlDuNYJkOKcl0IfoKHBRR6zNAM73iLMIDaSdMTVl1/IlxrK92Ar6
|
||||
puyaCFPSSsQ1fvem8Qy303SqaC2Cm+vFnbZgMpbIqOfomX1rXTm/16ZNmMeS3Wnc
|
||||
vf/p95unLwAFEQgAq76FUm3dDEdBVl/mwWdDY0nDQaN5D0kgp0Oo0R6JJM+ea/jB
|
||||
3u3asQid6Zru2kTpdn4LoOsKG/u/ql3ypHv03U+sLgm+AnRUurT4D632FfosKtjQ
|
||||
fwWrXjxoO2elAC2lC0NJvNwwhFSyTZ43phHSKLkoXpYpAADu0AyjK+7wIx/J9M8D
|
||||
KcETF57wjOs2JUvYtZDpvC1QE5NFsooaUBkmk7pHT4ypRu7CsDLttLLCvQxlaT4L
|
||||
pU2e6x6l5eI7mPC0No+HTzWj6ClhvCbgVQrMn9g+hjVvez3ykEpMxXmbG1QeEkUK
|
||||
1U3IYAUmKMUVVt3y5P8nN0wuQG4ehqY+Is2sFIhGBBgRAgAGBQI6mubUAAoJEM6O
|
||||
ywOG/5xIH7YAnRyGVA1QFg0WubIkovAKLPiIsgIAAJ9NsBjpdVqP2CfkWPnOijef
|
||||
E5gDxJkBogQ3R/zyEQQAsWguKhytuM/8IwqKRSQBPaHRTyVMjsvLr7uUIoW2qf0V
|
||||
VDVxuSXy4K/k43Q/ssw2nDipUkS74vMgGzgUQk4BI0LkoPSIVoXo+v65KCSbrMNY
|
||||
m7lGGN7ZkFg5zWDfdVFiN5P/tUg91UfmCI71zp78SltyBM+FLPJhBYE0dvkHDjMA
|
||||
oN744XCDTRMARJLK8DH1O3eTkE+1A/9brypK8VFX1+J3jfZmz7nD2St9+6/rkcM+
|
||||
P8V7bHHttSVLswhTZ8bMZv5aJjsyyPrnFFLmlPddaQDND1fVFevrHOTbSnMjt8lK
|
||||
Ksh4z+FFCQTB8wtpXbs2xHjny1Oy8kwiCnYCtDr3fOYnoqFkCMwT2ulbcKGZ3L6k
|
||||
neUGSvWOhAQArqhDaGwsZfkvzirG9vo/PFBwdeKNj/tDOE+1SQasDT0L3gd/tfmZ
|
||||
LBCed2yQ7axppQlQRIcNL24+GHefTY5Y92T7GLVIg2cK5JUtMKMmgWj3szyXi5Oc
|
||||
QKxQdhmBgsWutyJj6SlAHSDrjFhVabIeJKuyuZzxhyvmSzzjBsugsayIUQQgEQIA
|
||||
CQUCOprFaAIdAQASCRCiuYn1EbV0jwdlR1BHAAEB6xwAn3FxEH2wPVFlzVKf09Sh
|
||||
uwEfspiYAKCkKEhT4qVjGQ2D4cwgtoZ03pQgELQlRGFtaWVuIE1pbGxlciA8ZG1p
|
||||
bGxlckBpbG9naWMuY29tLmF1PohfBBMRAgAXBQI6JFsGBQsHCgMEAxUDAgMWAgEC
|
||||
F4AAEgkQormJ9RG1dI8HZUdQRwABAU4BAKCFIZWrqfMjc8zKhnfoTSEAt/ojUwCf
|
||||
eqkKspOp6Uqq1tlr1oyYmN5P5Y6IRgQQEQIABgUCODCW/wAKCRB9nsJ2HENBrF/D
|
||||
AJ48befkKUUGogX4tPfIAzbu+auUPwCgp41iiMRqeqgWbsG1ujpDnVQRp/y0H0Rh
|
||||
bWllbiBNaWxsZXIgPGRqbUBtaW5kcm90Lm9yZz6IXwQTEQIAFwUCOiRbLwULBwoD
|
||||
BAMVAwIDFgIBAheAABIJEKK5ifURtXSPB2VHUEcAAQG/QQCcD+0bmcV5aYRb8JQ9
|
||||
Q+DeKi2fqfwAoJ0g1TDjN+ZpKAaOI95waVgGjYAhiEYEEBECAAYFAjgwlwgACgkQ
|
||||
fZ7CdhxDQazdMwCcCWb+3Ehg/wK6nrIebHYlDBwcYLAAoMXIboTxrdRh71R3/4Pd
|
||||
zTR9g2vQtCVEYW1pZW4gTWlsbGVyIDxkbWlsbGVyQHZpdG5ldC5jb20uc2c+iF8E
|
||||
ExECABcFAjokWy8FCwcKAwQDFQMCAxYCAQIXgAASCRCiuYn1EbV0jwdlR1BHAAEB
|
||||
9qQAnAzpzF24V7K84PQTKQ0V5a1EiGmBAKDIg1wPX7ZSRDHBrAaLKpEirnj1MIhG
|
||||
BBARAgAGBQI4MJcIAAoJEH2ewnYcQ0GsnfYAmwZq27x3h0EV0t+0i3j7dClD5eMX
|
||||
AJwP4AvyuGuyz3qGOYxXG/1RuhqoubkBDQQ3R/0CEAQA35tSeji8z1JVaQApKuEK
|
||||
VhZAm2zaZLFiAusKqS+/RXUhIFTI7Du/dJTPODm3pLQEnF4evo3qgokSP5rf5Y++
|
||||
JPUfkS6NTons29mnCVyWPl8+3yJaTPbX708e+r5ZWuN30c9dl8Br7mHzJrsTRumT
|
||||
9qSVPUklzv77JOAxBGTEhAcAAwUD/0MelpnyrZNVFja/xObo/OL4r6mwwO0pyK1Q
|
||||
qE8AuGO37Ug0WO6QNxgFLKR8l+9sod6q4KAEBxhA0DiVrJFNkTuza6HR5i22Y4ei
|
||||
VNbPC8IqRuF6o4KC3zejZgpPpApqrO0mMmo7GXcBpkpCS8vzJ09EvfExbALB0Jku
|
||||
GQn7SImsiEkEKBECAAkFAjqaxBECHQEACgkQormJ9RG1dI9+GwCfTEqyOILSu5Nz
|
||||
DhcUrqpknPlXX/YAoI/vfDq8kQG0QldbtWsC+MWQH9zsiFQEGBECAAwFAjdH/QIF
|
||||
CQLH6gAAEgkQormJ9RG1dI8HZUdQRwABAfKmAJ9EMdNbg94wSQrHb8oKVAKfjFZt
|
||||
TACgusXeU8duOaTgSb89XrAGCTb3THu5AQ0EOiRfFRQEAOelb5M0Hjb87WcPiIy2
|
||||
UAsxOwDno7H7vR9WLfpfKjPwk7Xoa05qyThF2L96keXZZAm54yapyeXhNPGquFyq
|
||||
YMOwxX+aQyUr13uH3KTkAaDKMkC5jAAkcZwTk+tENsB/StqyqbH5/KVOoCfxEFFA
|
||||
MVgTbXQnEGpqUL+WGz4Ay6IPAAUXBAChhg+rFXcsAMne7QK2816p64Lm44BB46n6
|
||||
WdZoST84rOq0ZNd+fYSqfRcaPJHHjO4lAEH+1dgQjpqxkEveodKPsixoLQdHd76s
|
||||
SRDcX15IhWG+OBNCD4k6Y1DLLYhPE5bUToQYm8kPhVS3yuMLuNhtDntNQURfQL7B
|
||||
JxQM0A8/b4hJBCgRAgAJBQI6msQVAh0BAAoJEKK5ifURtXSP1O8AnA3CcDJd1ZUD
|
||||
2Kr86Q9DSuimSMuAAKCX77M6fadIiy415K3vIfadl/nsq4hOBBgRAgAGBQI6JF8V
|
||||
ABIJEKK5ifURtXSPB2VHUEcAAQHXmQCdEbOoH3DE+L9keE5ODJ7j6CvHPRgAoJZm
|
||||
54r/EPzKnu9gTsI0J+7oIh7emQGiBDqa3UERBACPhKenaTumEld5L06d5z4yl4AC
|
||||
f+VsVD98Im0slZfKTcqMb3Y9Vzq4CduOVb6p4M9yX2bjxCk2mtmg5iunPuteGmVb
|
||||
YSNcd7yjm9giqe6EnxXkxXmCP/AVA0kB09XYcsjmMFbRFahXo3xpdExAjyU6JVxC
|
||||
/61kX8h4oYxjtWw/BwCgzf2qjNPEXshE0lwpoGwcwxk5cnUEAILKVk6G+rcususo
|
||||
b2AiPjzcQnCZYNzoHpNOSkwInV/MqN6Pb1reKcJQ44RFyh6+fsdeNM2+7ifF+5DS
|
||||
ZB13+5fhmtNtryIeMgfH0nYVu7YllPEmSmPOdERpjibxXbxEjWM8n4qKBe7iYVHW
|
||||
tB+j9O6HyAB36mHcorYIs9NvHl76A/9kl+eBT4i2/jjPQQ4V4rrYXl7M5EWxpgMS
|
||||
yUwzqM/YPZZCXJTqzv6FxUUc7LprdOEIbzQOyJqugKqHzQCekii7bcyAwu1NrV/z
|
||||
amTherN+l0UqIArjWVh0IVagpXptGooVq7snoef8W/KzZQRVC1rcEQ3zV3TD3IQZ
|
||||
mjx8ZgWCqbQuRGFtaWVuIE1pbGxlciAoUGVyc29uYWwgS2V5KSA8ZGptQG1pbmRy
|
||||
b3Qub3JnPohfBBMRAgAXBQI6mt1BBQsHCgMEAxUDAgMWAgECF4AAEgkQqBmi2Gke
|
||||
+NoHZUdQRwABAVy9AJ9RqC+W+xZCok3gcEZMiHy1lboyvgCeMSO/ld6brLcz4o8/
|
||||
OMMwNne2IZeJAawEEAECAAYFAlKmjbQACgkQ0+X1a22SDTCk7wx/TLjgpMrFa/tg
|
||||
k+/boARaFlsAJ/4OgyiY6314YbTyqatq1RVwWHTln1QJn8zXWpHUi9scfboxFYqz
|
||||
vKT1g6TXAkg1fu5muiBCTMVVCuawXEDr0iVxfsFoCDjLKecMUxqwfj9gL3kitkbj
|
||||
Ga7YcZnUcAOoLOWxsXNs5QZmKl/+E26iKGAB1sy/wMU40KjrOEg12fvIoDemeGfV
|
||||
gPdeChkhpDkm7upB32UvzDbZsKO7eHxoBYW1sRJy04Tyl/hwXnNCfqYJ42BuITrk
|
||||
EOSDr35MTYuLzC5l5l1uQXiCaJZxLGiM+ngkT76dkVQ4OcCgojuDih8aeT+TkM7H
|
||||
YkCoVje/6Z45wNzsG1lTxE9AKTBzpi0ZKGv5/WVSQ1anuC56bgdfD9jjMrhsVwWf
|
||||
mICN8zrOtYLcOJV6sUa+hZy8edEqZRkt93b8r0F2XDEVYId80debcFWExuil2TDO
|
||||
Z0nfkgxRDq+wtwem51rrRc3gLH1UR/NWsSmC2Mvj7jSDGeA+gIbRFNE6+a2YG1aj
|
||||
fxNdMBZ/OrkBDQQ6mt1DEAQAp/JyP+Brxt7T5vTTJSUMWSjOC+aBNZNFFHbG9KW3
|
||||
x8qoE7d/SYLGIqHXscGQ0a6gzoe01DFiDovtipM6g/FarCPjRVMN72SEju2pv7hl
|
||||
Gr/fcyHhKOYwcxaCVFOQetlnKq4zVrJvc0OZD/nsbRCH2ze3T5xtSQ7IlJ/rDUf/
|
||||
2JsAAwYD/2h2esQEPQy8MRpFhcBZ8Z3iVaAZ0LSgvoap8RKBSmzS9QHYgk/U4N9k
|
||||
W6BFQBfmG02aGMLN+WHy8oMMNVEaJxkQvXU7evd2vPIk9mW8JSeqAGa7dmZRjVkK
|
||||
PBDy79eSoM/Z8Gb1TFnKJ9ju+s+pqdi0bJPsDty+yA+96MFOy5epiE4EGBECAAYF
|
||||
Ajqa3UMAEgkQqBmi2Gke+NoHZUdQRwABAVDHAJ40H81xz0kVSd6/NVHLDEd7+98X
|
||||
tACfZmBzmbxbQ1dhnKg3hxACZvKwMKuZAZ0EUqaCBQEMgJQ2qbhw2Hu10RvBo2Fu
|
||||
fCouIekgt5dPqx10YjRK3Pmh8HW68geb2RdgbldRTCVznLCMhmbYl64qqt3/rADP
|
||||
mVotqAUDqTzoRnPO4ETdvkXFJDgQ3grldkQmjrXEBIQXvPWZAKKqgDr8XjTuG3uc
|
||||
2iJUT3mQ6aomW/hypukLDefx/ZVb6ZVQfoxhFlWtgAL02cla/bit6bZ+OAWE1PX9
|
||||
vHjgbsf1tUmovuEwQZr7FhAEjdhP+6US70diYsVV6JmbWAHV4pdbuNLhy0uXm4+v
|
||||
FrIDkNf+o0HbKqBVWUgoXBSbyAY8Y86ew0qjTEGx4TsTQX8p4alpPlpL3IWA+b0D
|
||||
rnYnH196ViBvR70im3eXGuI9DCAX9zEsa4/9YRs3l+lYWe5XRWKSW6y5UjZ7wYck
|
||||
ZTltAPkCXO9a7hK/qgE5wMJptJzJ1jsjE8GT9cFYIX1AMhraprfYxz11hzwScmzM
|
||||
95UIdfmEbbeiYNGZ0sYvAfsX4K4G8LEAoLKZm0mXkOFGaeF3NGD137RUbiEsXs7T
|
||||
oA0AEQEAAbQfRGFtaWVuIE1pbGxlciA8ZGptQG1pbmRyb3Qub3JnPokBzQQTAQIA
|
||||
JwIbAwUJDUfrsQIeAQIXgAUCUqaMnAQLCQgHBhUKCQgLAgUWAgMBAAAKCRDT5fVr
|
||||
bZINMHZMDH0TWjM8kpQZYk9l5+qxKvwqw7oOndC4+vDZnCCjZB94JP67M0DkAoIM
|
||||
gBpgSlVtCy+7iwPLx0BbX4cQ0LFWsxdYb5IfjWVx0B0jiKjQ8YdVAOXjZHmNfd72
|
||||
l+NgJAAtW/kENd10rrTnifLESa51DcgIUJhchypBsDWd+PdSTTqMaG4z30Hb9qRv
|
||||
EKgVKJRf24cNko1gAalTv8UIX3EJkXgp31PC/LLXuMMiDuSbf9DgnL75U/wXK8Tk
|
||||
mMF0tFBIHNIb0YKO/1/IpZbtLRsxjgPdIoq38mbVdyEQyClGvh4GmAKzevE7WFeP
|
||||
Oqbe173u7Lr+rwK4lS26kmw8pz1aHj6iBRmJ8LS1rtSvFmnzJlNG89JTFiuW8PMz
|
||||
fZUMtDcVfpjaLhU2jjw9IkwD4E9THsNNxkohe3jnvOwsPiMXixF3A6T9AX8ZcKQf
|
||||
YYDIodYI9cg576MheCK5qNypmb1wBaMveGJ1KiEp95+8qTOyDvmYOaOG8C0Odwhu
|
||||
YiYk2Nch7Y9BTiJj1WrmLS+VpUqAGApKiEYEEBECAAYFAlKmi98ACgkQzo7LA4b/
|
||||
nEid/wCfQDsw+t8kjPZ7rjdURXgBfd0734gAn0w6xCIHgueq1Nxz00Ewd/1UsTjo
|
||||
iQIcBBABAgAGBQJTFsNwAAoJEOX6rNyYiqSg3ZwQAKMYW9GCRVKwd8fxBIovohsD
|
||||
oYOK/psUp8f8/IK1+aW9EsYcgnzpd8YuOcEa9PWd7/U+70/2fx4qyIkcJ/ofKP9U
|
||||
zButogqdW1b4VISDP0t5cO9+DE4nSKod0hQdjJNM3611mr6lIhw2D56BdIzWuJl5
|
||||
eCSDnyQQd6iDt5j3wELnBJt8YnYC4TytJFzg9R7iFfkONKJZWpZlgj+ChSuMVMjM
|
||||
qa9l6+mYZKy4FU2mZks4EvLiWYnGQAHPjU9h+KWgoIbTXLv3Rc+NYlgXErECpZaG
|
||||
B89oiEIHqH7Na4e+gtxML2/RgoLgWEsMPJBnv6AnuX8cVX1EqGJT5AzmHVmWlJHq
|
||||
pSXw8g7yIRjtHZ9UKJOIamtHhDfcLpI8lSGwb0quyF/OwBcpbyWkFdOhHfTV+6Vj
|
||||
tLwHbiPDJIEVkCfcyItW9s9l78U42zqyXFsgUNcjrvR09OMf0eXREVRGgo0O6glY
|
||||
XRwUDFG/StCsKYFDUz2IEe4a9MjzGCSB0bUR5nKFVxomSNNQVw6Qo7oeGfXtyEG/
|
||||
/KzhkDHsVWKU6qKSTK5fumQIUJHGJCCiQa6a0/6BXdoC/IVPbFgM/MHwAj030hyY
|
||||
gb525l0BVD9+NEYs4Z7ZXkrdEHSIj2bTaDV2WywIYXcbxwovJlQT+gxeBxMoMJf9
|
||||
zzAY5iVBn985M85NNXvpiEYEEBEIAAYFAlLp6B4ACgkQyYKAx4/0+mkA8QCdFdv8
|
||||
9LNkAe1WK2gpjdW4mxXVCsUAmwf9+GFVwx69yKTXwcrvv29glD1WiQIcBBABAgAG
|
||||
BQJTFqe/AAoJEEu0T4MGAI+Frd8P/0NxkhUMOo7PVWKAYEA15JQ6mvfhUkNI8MCl
|
||||
PP2r0oDm3hf/sDdhi7P1pI/Wqlc/XAVQLZDtJZfZFvU4q0eF3Zs9uX3jvZjOGGQo
|
||||
vVTnioQIV1JxHTriucFbkUEaMqdaQiFFAlb09qIbQaClKrbSa1d8oP+G8A7NIKxq
|
||||
wwQMDk0I1UKus2QN4p0cBEuFdntlbkwwnyse7WrZS/7KcNGiHeFk8B/D63Vy2ISS
|
||||
yORmeBTkA7r8qs4GAB+qrNTs+xsEQTC7Dx4Nz2FtgEmpXOifE0Txc3n761aAfNao
|
||||
8bYukIbbF7Sw2ZvfwnEXikiL3m4uYFPcLsGfT3KFSKra69Vrm/DdZVGODJwALqo1
|
||||
CpPdV69qpq/e6q6SKTdJrc6YKeFZMyjHRFT4IhVG7KvUAjQkt0RcG17JinOlJ26F
|
||||
MH9nosU2RlVJuESUJH9xzMgWugF5Uj6jQlm5h/PWKNEtX/PjFCFjkacffWzRGOEg
|
||||
1mqB8B6O7UttATbt4mNV/BMZFGqNH0Jq64RM0n3Q5TaIhUIW/0jsES1TKrJ96W+M
|
||||
m/JiBd6tTXjAlk7B+m9eI7fEA7y6dugm0Qpw1+C4aIopQayaguPf/hicQqRr/ggu
|
||||
tKsO+vhJ9ie6cB1Zdc+BNGCrmpPrALmMbKmgw7i9ZI1iWE0pijX8kiBJoZaTb4Rq
|
||||
PT8tKiYLiQIcBBABAgAGBQJTF2LJAAoJENaX3zJH9H8fPQMP/0MRl17h9QMdSRvU
|
||||
T0Hy/cVCUwNs4hWhjA5k+eWKZe3LxOjnZEEA7S0Oi07cyOlKH7qNg8xA42KM3NPD
|
||||
tEM8U6CvkdJ7Bctr1OOMUIdLq4485BDsPccoVc5J8MRf+4BFQodd8B8jekTv/rfn
|
||||
/eXie3M12pjiy8ZryeBFod/3C/VLCQwMG4eMzga6+anuc66U6zteEnG0QyS4uckJ
|
||||
iAlcxYqLK3Sm6WB/FlR8LmSPPAEl9xH5W8gSrAGZRg9w5tOVnOOsDWU3yfBxzi8X
|
||||
ZnMRc7+22XOuzkQlQDDRM/r8L5aM6rGjLTRUpbv3JU11gf0+5yUAqrWD+KumgyGd
|
||||
cxWnfEHRQZA7jV3eEXpoE2mKOiZ3zaA0gZRmG745+E+MS964jTOdEy3ZEITuSCOt
|
||||
aPjiySebYSpxhuoqdA5sIgC/qLfigTEDQiY4LnrTxZp1uQGhcbzBKEAScLK6mFHj
|
||||
MTnTFm9hChnD8UmjfBFpHNhvvXS6h+ZdpgLuG2XEv3DtLs8N/E7uh0zN38lupX5M
|
||||
r9GC3EOrTXte/TWGQVlXU4j60J2FiUk38ORryyDMd3LS5bjTqaERkqd+uw7utuM7
|
||||
dTU8cohcMgM+vw6l3fNg8+I31Mpy9N6QLS26qP0b+uYKZpX5UG2H9j+ekrZ7ReBr
|
||||
LB4s2VIDHBoc6qRbXTI7I6Sf/Ez9iQIcBBABAgAGBQJTF5i3AAoJECPNT7oMAX3y
|
||||
AaoP/jSWlN++0Sms0WgN67JHDZhXpU+uiumaKS2VXXakIeAKu8kra6KIqmTadmm1
|
||||
zSJ83yhr6q3TjnCaOMLcSCEaCeizeMHeUbLPiM1zlcXH3jqpZxIPJ2lZTsySeAEA
|
||||
QwT30NIjySlOX5Ba/ZknQ8iiqqkZM1PBxqYIcjN8ijOY59L4NQnTsdn0m6pAe1m1
|
||||
6zD3sGljVvJeQuvoyaqxnOEQhzfnYjziFIkTbRKh0bk2jq3GjpYKjm0H0yDzr1xc
|
||||
G5R31DZb+n5tWDKDYUX+PtDh8ypgzobTBQ1JTl7e2qeu/EpbFccRqsu1S9kJyC3j
|
||||
yYzpk2Bf8mfsfH6Z+FUR8AEKW67vBQQFRIV0H4WCBazI2k1/ibNoaLqKJNDh0j3p
|
||||
89XAdlXdie8Cr+kd0XQJ/ExqaBPpTiVWGFeEVxo9cC18zFv8N8ZvOnEBwJZ77uai
|
||||
KYAjNUEfE8W7RX0bZgkIS5gXcuFRgLDcHqWEhFTasSObmNx8rrbmkZUnyuctCFu3
|
||||
iYAAOvpBZNEXXnwU5S//G19gjfNlLQSBcCn6A4fJo1szPhC9VD9suf21FkZYZ2dG
|
||||
T1U1CYmw46wsb6ZyG8hd56fD3VkMF6fs123NuCmKJwdv4dCAtKXeizm3KwuqfiIt
|
||||
Pr+CZlF7fgBSvxSllErP3fRio6w6ueu/2nMdxq/+VqSSfi0jiQIcBBABAgAGBQJT
|
||||
GxrFAAoJEGXrljbwLFcEA1wQALFhneSP944km15LMqr4AGOaStxSWv+Fr3NcDv/L
|
||||
XOZ9olMHGZIrAV2yl6hW0vPOiQXJGM2+t1H5Q2gbktPt/F5LD/lR8cxMOCfDbVA5
|
||||
nUzi52mY7J6rv15AmJNzlxOrUsOxGIp2AuBFI+NLcmzW1vA4VN8oY22zePYSsAyA
|
||||
NODpYLwzmLvWh/n6Gkb9Dcr5d5M6clPJlvyCjT3HOkmLCPBTv/I4lm004pLW+pep
|
||||
wfmHi1XoXDXLChrBU0caV63+KdIKaSkZafGhhdOSeMT2ti6squ+9VBm6g207ZaU4
|
||||
6wzATdVfCJkhAPk8HMi/853vqXPhl06VFi3KYrL6tsSie0X6vNlMfkQ1obdh2KHV
|
||||
tqSFhO+0pwjLQ6Ei5X0MIYk2M8XFUIV1RPmQ4RdvfbMuJpyXLBxTY2ItB70ZHvEm
|
||||
XOTYLYAhAH+UvSODocIP24I/mdyPbiTxgpYVa8pMFw70aA/1zPWftZCYWe0l98im
|
||||
cUW2YPknLl3bxOV+CI4g5XFW/84qxS1Ty228vIK7GmnZx2AMyaSA0w84d9wQnxJc
|
||||
rNSS1M3uYvHLICEr4HWP+lTj8wFd3kd0URnB8Ybc7zsy/Rroy/KPKArhbCHb9O+w
|
||||
+KuC5f1Bu4uZc/o2Zckp5zfKI7xtUbW914PB9hbo+TXkTBre9nZkSQjODL6wPLIa
|
||||
nYFviQIcBBABAgAGBQJTH7siAAoJEPTXp5Fd6nib42oP/0RJLp8X945IPFd1AMoM
|
||||
Q23cy74qBAvh+c+k2pFEPrU+W9nJ2w3Mqwn8ja9MDewUjSq9ZLZxlTz+M8idYpoN
|
||||
46VtZLCxpaLXH3Uv8T++Vwdi143UMPipJqf50mWqqciDsl9LbQZR2XolfzM9WTVU
|
||||
Vt9ynNVZG+ij4tbeobViZrifY07dfR8y0TZ2LF7mah5lnDAAwSVEUOg/YX7jIgxS
|
||||
fP9oD5buD2SYH/4rZFzkN3fCZQiV4uwCMIJl+fDR/adBvOaZrUVnM661vmGcsgOq
|
||||
qRUE+hSZ/ih8Jsox65UAfPHdx/SEptBFgoyIpdxR4NPxpgeHZbNnstJ1R/cyKmww
|
||||
hMgF11WUJbm1RN1vDPwAZNAcSzDAZhnOmtOsPtiLXDMNm7dufgYWFFxjZUxo87+W
|
||||
eHgWG8ACki+AuYJgjW0gXMghVdkVQJYcLxcbZBPcHu2eUJLI83QhVQxUg5IjdOGv
|
||||
OS3SuMhtDYx04zEdGB3FSVRwfyIqImjEbyXnMAT0RDhFoWvrhAy/jGsrH4tO9hg5
|
||||
1AS4EJ2pwdYme7yCA0h2s1ZG+WHF4lTJ21fvx4H352Ah5tckpmmbpJbB+ZBz+uWv
|
||||
rYmQP/W+06kP1axNmjSDcMID7rqoITn7emPJYLpc4vszoGxxl3yFbWM7IL8kLT2P
|
||||
QC1FMP5L9SY95T3L9xciMnFTiEYEEBECAAYFAlMkhq8ACgkQi9gubzC5S1zAmwCg
|
||||
gBsG5xTQsPG3Ro8GpItuIJBGmZsAoJMRnRC62mQKL700dHk49IFL7sH6iQEcBBAB
|
||||
AgAGBQJUmgqLAAoJEF+OLmRrT7LQnV0H+gMxUdmn+eZUN+6fyAf1TMHifp3qvqdK
|
||||
05sL2NIY4rz7GgYbb3L7wH45w+ztuE6pmdg4JwCGijp3V8quyICbvU94YTbu/n7E
|
||||
3r5U9H4JXUuW99GtML6v0Jnmp7AthmsMVwTFoMj8fzszRTjh0LWxbMIP/BXbr91t
|
||||
hf0A9L2OBFeHCXtpr8JnTK4lkDtwRw5PKZHQPUlP07R2Ki6pva96ePgtGnpnL8n9
|
||||
Zlwvg5mCSsQOQv8R7+7GcmGqSWOEcUB67GF4AVsGMqEj/9BRYsdjWozE7oq60FwG
|
||||
rg+HEaTO7To3EKWI31pZU+u3WgGE7cH82/YgtCQdgKYzDAT9AQFADRCJAhwEEAEC
|
||||
AAYFAlS3/EIACgkQni8RbMiXM6uvYBAAoDMezX0JkRWg7GlsHJyF9mneaUMmhLiJ
|
||||
+yO8Jd9JkJcSsDvy56X0mszyqL3e/mcrSow71fGeAnJbKcTsdMX8T7JpWL26LApb
|
||||
PxiO/wo1vGczwJ+bBMDQAGIQgY9OinCL8OEw1C1saM6rLIa3z9vySBmbQA30TXdG
|
||||
kRBQETcHGZfDAe7BdzBgqBK+ZlCwoCUoiprP+kidiumZ88cQmmR0LFyB72GDeT2q
|
||||
H0E1WOlKRhm0hwqB+Tc7E/wvX3YlufA65azQDjeSC7skDGljHxIl+ze2DSED8p99
|
||||
1bbjE5MESIySX7VdJHpp6mJ/Syh0wdiOKBn5Ff8+DxmymtzyBHGYzdYWs/UOVRIw
|
||||
VSgjn+BJVpbRPqtlhpAC6PLSots7Mm6f194qJv9SDLfi/HDrKP62PG7p6zYM+zjD
|
||||
j5FQBdBdMWK84/fTUT9iQsnCkmrSeaXzIlTRCBH1OUByeIbUaxcngZzGwSzsF4S3
|
||||
fOhYpnsaHW/uBzYRvgui4W2bzcoUui0QU87gGEXg5jnJtUhCtVgD3jvVov+pIQCO
|
||||
eMMUTSTWzg7w/7uPY8B4+tXf95J7vSJcjYnjr+yM21DrIwjhKbzjmcvsk13FR7tZ
|
||||
5f7R9vTuO0CJewIXuCJ0NLaahn/s+8V9RXoNa3TA+R+ZW/KFR/awXrq7SOJ2SbTV
|
||||
JQk037siPOaJAhwEEAECAAYFAlS3/GQACgkQxfSDrd7oY4DKLA/+Kncf9t8FLms1
|
||||
fo1cflBb9UGgG6YceRx2+O3VZXiCqJSsHFj1Ywk+MyH44mD/JDM/YTKazT8mpnny
|
||||
2/lDEzFdfbryZdA0p3pyrFp+8sx4pzKNPZxOubAOqefZ1k/SoTbTa35f3V+L926O
|
||||
zIl2ZdU4WOysa13RhoRvUKjekWl94J0jECcBlkBiOI7uL64Rz4WG4VYhXJGV/LRz
|
||||
OBot27Umh0sCmb3i24b9FmOu8tvAwf//zlh97ykEH1nLiVz+QU054nmbqVACp2W/
|
||||
02Z6cnfWqoLsQIg2Y+6oeCrjCldzlHcOjvE6VwXJpAde7mZfQCw66G9ndEs8Xoa7
|
||||
I4D06uGoewKVMJKU5AaFT4Wf69KXDI9YBRSuyZbww+rxESAB9HGfR3O8quDgsmV3
|
||||
BKsNRJT7rOPm+Z+UoHS12alJmVcuv+ioh1GpmeWoKiRgjlJOQcXy/TIvTMvGb8oF
|
||||
ZN9MEMCZ09x3JoYTiXvx6phrxpW82DLXPqCD7mEHR3/u9898VRWMrSP1WKpNeeyC
|
||||
6Wf8Urz1ySinr/wMbafrQu0Z0nycFFbUXLRO8MwJupt0/S0kA0c2WVzlZwYrbWZ4
|
||||
XGIxl6G9i+G1D5USOKbLC/bXnZlLERiQbD/85UHpt37s0T2K48lGUhSjCxclGyG7
|
||||
UpFf+mzEYbQcNMTkjr1RVURd/DtLeXeJAhwEEAECAAYFAlS3/vcACgkQMn7oMPR2
|
||||
HNgGtxAAiQy29MXY+Ljs3V4ZSE9kuhpV9jruyvNQD3y+vGa2fYXvwZbzqvDQIo/N
|
||||
TRR+hZngz6Qo7i8NUYfzIp/GHI3nqoZll9idWdWjeg+ioD08XzmoTnTJwJAPTOVp
|
||||
2WREzTyRc/FZCD8vW51iFV0xpWZA8a+/Foc1q/P9B/zvBx5UQfYCjMCcKpR3Xkuh
|
||||
oRh6vdxSi9M+QuyATk1mXoniOQKhIvAzLTH2DSoAudI3V4E3GSc1NruGt35WDfvP
|
||||
cwvcXk7iI4outPfyrG9mEIkiZDukB6MrKG3VKegD0fFIFouQ/eoodWKICY0S3QaP
|
||||
HRL3rTOtCNtVEEaVDoaT6jDUvsfOpXreev1UriH24cawD4HmMaOs0p9e+FDTkvJx
|
||||
OLErDBvODG/4Pfqai7BFaLrElnjQ6vI1e42fd+XQJlZPbDqjZkk3PD1DGNeWxXfe
|
||||
VbQVK3O4G7z9Puj/YTcNyygVxwJPuZQrYX7mSjfetG7J/ZjoSSBKqJSzCyCb529o
|
||||
sf2cS5JV/U5e+LQCrq+6i6fXWuUGsTu4ceJpskPahjCvcYVWMtbtBf7XhseJk97k
|
||||
g/Qg01zLg8ff4np1nDCExSd8ak7DPEPOOnbedTNtmUpzaQJ1hAEsIHH23scuJMOZ
|
||||
WdBHXB8j0l+w7Ssd/Up0+WR6KhYc+7D+U+mRlupXcvtXBgxzeK2JAhwEEAEIAAYF
|
||||
AlS4CCsACgkQpLsVjWJqnRcPzg//R1PXrcHYVGO5tMkCpd2EdTEN2KsixMzbQAeW
|
||||
C0LCvCgwuNZz5vXRrO8AIf9d5GvGx1xxr7w/aQHdA3fTwQH4VYz5Diya0OgXDWew
|
||||
u0+P7AhHJbBTFxikPbX7Pe5J9ri2h9W2QGlNg9xZraF86yjdTOavrDYuc+Ly2OD1
|
||||
Ln4xGr1x0LbVLCS9Th8v7rzQMjVpZQghpVUBcZ0Jgk2NFTu4ODMpC40CM7iVX4Nc
|
||||
gzPecBTGRO0UJkU9L1ta/DjTh+TWWSif0gQJB396zeX7P9d9vOXbfYwYwVgvNc5x
|
||||
rt71agaL6RIRiSR0nVOUu5w7M+rtqw2Goc6rVWk97GaMBxq0hCZvunr2SA5IsGDM
|
||||
rFlfLb93/a4up+Tcw+4SeKwoLyRIYMcenPRxjsyYni4bVG9W34uwahQe5It875hT
|
||||
ZWdZob/0uHYpEWOH2w+qzmQUtTsquD+W78J3H3SiojLiPHlsRbAk4nr0SN+EX5R3
|
||||
+YW7jLRrVhrfvr+vYobH1664P7b1LX2Yi2u7ktZcWKVxLr6vZqNVXgdhgQmNyAOX
|
||||
VhJurUc7EryV1tnt+EYRj0ruTdi0Je0fE6cNabrkKTnMUHTUbrpJDxJcq0q34SP+
|
||||
nnqaHmdtfDvuFVMlAynQrfD7nJOY/fm+l6FY9UvNJCvid71afBV9DdbPtivn0oP9
|
||||
L63+pSCJAhwEEwECAAYFAlS3/okACgkQxodfNUHO/eAexBAAl+zTx7FFagVHNlDe
|
||||
tN31ErMvImw1oDVyoTAKCJbVK4YOT0AEL/GRM6nbQb2HAW26iWw0tehoKCJjw9uJ
|
||||
y0m+1o/psE0nRl97sfZX5VCuFiAaRCyboEu49+KUSoCAQnkOc+r2vEPEvO0pNgZU
|
||||
hUsRIwPRP67aDIfb61T9CSwZXmAkukDTuDq+sTGJ0fUpT59aM398O7BBqVnXZoTa
|
||||
LHkXAd1sXGbWXNy7vNVXuHEAvebeQDzmAiiTp/RLxlUNrp4nB6bcAK5wn7kaAPJj
|
||||
jREXeVk4lEGuUE1QpfdtvSAQ+8Qd47A700z4g7XFwHfXN0kX5JmeScVjrghkOCA5
|
||||
sjM9P6uxgCb54iSGnCrNJf57LddvSrI4UNAvFrYHVkek5VvC48xeUME/ldUT+eQv
|
||||
1Xs2CJwtX9mxQg8hvuGDr03PP1LfKoxVvAZcJ4iJ+gxD+q7KHae127X0FCbzxrz5
|
||||
JQtTXep9UO5L9YskX9jKFH2+t+BrLEpxo6EQ2UsY5zmR3FFpvXu8Dryc28nI7MFl
|
||||
uvNj+HPwNlvGt4/jLDxNUr1/qfny4nmH+F0GwJSbvvOysngGZ2R4XtyBOE7MvxEg
|
||||
jsspXuLqm1TRyQCidUUOreramtPUUMQ8kbH66T75GAEnD862nlArSTZ76rbTGJ/4
|
||||
JN+Tb0gCoT3+8rsFFLIbjbi+SBCJAc8EEwECACkFAlKmggUCGwMFCQ1H67EHCwkI
|
||||
BwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRDT5fVrbZINMHp/DH911etPzwZZetcw
|
||||
8cKb7UY4UHFHQJ8rQIF91mY1PHpX/fh0VG+kXizlHEZxHpwXHXbJWUevYovymo8D
|
||||
hbHB/VKV4kSQLMOR/jVtnbFRRhpkzzGSZhypd85NRODfxqqyFd5M6CPH8+vRikLs
|
||||
QbJTV1OxLUhtlm4/3+W4O+h7pl8Q5pFw8HQRESPFrOeugU7z5nB6h3q0XdE+/2kD
|
||||
Rf0G2eF+oLrvTBvi16u6ftGYc2Qqzbr4W5D3beWn+9eEvVJrxIb7ZR2iQGn19rV+
|
||||
92qB87bADM9yddmiAD0fP0ITDz7DOKxTAw7uMr0pfHaN27C1GCv7duqoHdM8BxR6
|
||||
oSxg/Jm0rsCE52uA1t5EbvFwfWJZ/wSiqv03BUlRTnawlQi0W/fFM3wgq2myWDa7
|
||||
aU+U+bRUBgt00qb5vtXDeBhS1wFLpKlyrlALsq5g6DStrjKT54pYQfaVnXUjxzxx
|
||||
u20yI55QygiKhg7foFNgw6vTPwfo2OSid2XQDm3Hjjee4kSovrtn9jL5h27V0HcY
|
||||
YED6vLNauQGdBFKmggUBDIDU53B+nBcpyH47TRbUWxBIxwSNqEaajzhZOugz+qNN
|
||||
3tiyV3fTQ8y/fCRCfZZ2HJNxr8SaRbR9VMZJiztne/lKk9/SmthKOZ+7xaVejPrg
|
||||
Cl1eoYeOP0oB6rY65S1avChuCJATNTgfGXP3hf/rkGAbmTs5PITcnpuBFwzAkKAK
|
||||
TCMrznBtsGQYf4mj2j9nD1M9zNBwTsGYZiSQs0BdvDuiYoE4vhnrD2xdOjP1SdDQ
|
||||
QH2zhO8BscYpf3LY8RCNk37CTNHcNq9YHuqXy8dkhGaykCwMAm8NPWh+w227wwHz
|
||||
AlzG9lqhnuP3BQtimdo1jH3HESGBsH2jWYFxix0OPfHPmOuC2r9yl2AYLpuD5rAN
|
||||
z/KVDWY2CUp9jw/2EUiEgA1mKWeYCWTkZKhZyU//r2b67fgoqgdThhzcjWk81wvo
|
||||
3KLRuHyYep71Z50p+h3tjjIzVLbR9dpLi+ssiUqDFuwOlaJauTSW1XTe7ILt6oN7
|
||||
efPMZb/YYtMePnGwDb4fAa0+ibmabOO9Xk8U2lLtr3QlABEBAAGJAbUEGAECAA8F
|
||||
AlKmggUCGwwFCQ1H67EACgkQ0+X1a22SDTARJwx/ZCMNabddrAnE0DymqrGsV5MS
|
||||
j4YRLOdVFNR6mutQV3UYfDfepoC+ouLFn7Hxyv7UaP98l3l6IhUl9EthteULyy7w
|
||||
lleeB9fRWG4xxShv8VOKR+lyhiRHOuJSwkQHf86aOUuMaCdCbkbP1NXWK3IXdvOg
|
||||
eRHyy9YQoorM2ggQ8ctTfLtupKQ6uOdjdtl91VGHrXxduNXbw0y6hmxXwTik65Cj
|
||||
L7ezkiOYh/+aRKIUTdUnB1o96bbdSxdq0Vv96gL8CGLSIJ3/yKgXCL6gdPY+e30e
|
||||
vNUXoTyAFU7e8qjpQmANOv1C3bs1zp4cvQ7mPnSKez2hv/cOg4Lc/kDTzOGX7Djr
|
||||
rIYS/n4Sz+6xQCz/ieDiSwjcNMsr1iCPvSXmgG4wVh3dvkoZV8AiUZzmbAg4gbjV
|
||||
gsjNlOsa465PKaPAJ0L1xRknpHYK/9XHSG1nSGoN3JoM7Qij04b9bazZPvXrS1j2
|
||||
JzgzAEIV6bPAUQsgEggc1j+f/CybFAaQjc6Pzomk5VWBHmVdZH4GsZwGORITKJkC
|
||||
DQRf7mYNARAAz2vrsO3Cz8vYpaXvc5tN9uloHBpeMl7Fb5A5U4XB36ux3JE03mxI
|
||||
WgpVaCtKgwPAwaOprywMBee3jJh2xBIuv3cy1JSB/zCl12erUEQhSqk8wc4SWou/
|
||||
h9ecl5L0b3255lbayeTWJaaz2EjVzezbiROqeHTXkd8Agrjbr6IzcdycOZiVK8SL
|
||||
jdpCN8A9VzqjD7FLsQ+i4MN9sE+V7QjUASnTEPBgvVhrEX10xQTagoyF2230XlcY
|
||||
SKv2rLpgk7J2LzjFWrNZ/m2AriMMg1jQGKijYMHV1f5PQ/DSye/9QTUPLwHziRZe
|
||||
k7A3pZGTjv4bq1Tywc8d0VmvE56IfVIsn1cYhYq4mBm2IeWTO+IcxVjAS2ufN8RU
|
||||
u8MnFnFHohzKVB6Q7Cg4HhiUgmNn6xnRE59NxuTd30OcTDxQ0SNgJjSRfMMq8nl0
|
||||
upQCDH5ksrVSCUPB95GLeO2WtSgMOBsefeZcQU3y0QyxRkBX1sB1H84u9vF25FZH
|
||||
HzMJmd+PhWW+V8n00wnr8zpUdvmBzIGz3C91Y0DjJxewmfYvgoBD80cSF9SJQ5Hw
|
||||
vk1M/125sfUBN1rBvh08ON3mMvfxds4deT8Gtc8N74ggWYRGgJUkYvTEc8Ho0FGW
|
||||
kg/VTNeRTEY7tIzVm2XojWMvdK1733sf1b3mEV3NTyqYuDnnxjoDa0cAEQEAAbQf
|
||||
RGFtaWVuIE1pbGxlciA8ZGptQG1pbmRyb3Qub3JnPokCTgQTAQgAOBYhBHFouYOB
|
||||
Wl7vWaSt/So/QU5zYGC6BQJf7mYNAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA
|
||||
AAoJECo/QU5zYGC6kI4P/AxEYU8XTuZHYzAim7sHRr+Z1HnknrgN9mGL3HuCy8H8
|
||||
cdOZkQLnHSOmYjGfOKRNTzWibr36Cd4ERCXP+blDCtkrFw1QLoLRICZ5nJCcFSr5
|
||||
CanrU87wUwCQ0xfkkPl8iF8j1dorIDZOetAKumn87wKYnNphGQifPZF5GS0NS+Xp
|
||||
7vmg+R+abTTCSTnxFNPwiQJwRm/lXO+A4bCHcuPL/X1vfVEYOARS+n3l29gpnHUo
|
||||
roiWKC/F+HRvr6o4dIAml+jMq6xBMB6j9yYsyzNrq96GMxXDLvPCUkEad96+gR2v
|
||||
RJJvFMUMa9tzc4C9n/Ks8t5s7um63l3eSYlHuVL6adI9SlVLbzyudBr7P+mU3r0z
|
||||
xvYozTzPALwgohs4bYiWqdtE9y+qLsJrg5zM1g5gFJWAFWNhXkfB10NeoYN0L8Iy
|
||||
RZMaBq4154fg99eaQBETzh1qoyAE1wZ5DFzzGMn0Z5gqyYd6pTxYol+6UIFvkuIb
|
||||
hvzo7AnEQb9CMzCceJcPaSDoWJn8MXibgcR8zQ+bJL9BoOwevTuPBRRg4dW6IOBD
|
||||
EqBjzZysSI7ET36R99WsBq0kxtPjmrbo5G66DkrwDBps7sggRg2Y23tgmrOssDVs
|
||||
zN+erC+80XClDTBz8myB3y6d4VU+dWG4n0ZDGJE+w6YNZN/2pCKESlgU8e5K5qUt
|
||||
iQHDBBABCAAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAl/uZjAACgkQ0+X1a22S
|
||||
DTC/XwyAkFkZcqk56SuA4a4Q1PZydNNkQMKMJME2Kt5L8GB07jQPiTUoCDCEKW7v
|
||||
SV5Vxl94HLQs0Wt4G+UhEmI74ZzKU0FZfF+Smnw9PQ/chVdXVAeekeBxQgDP++Mp
|
||||
Lur34YveVeQkIBlQ8fbxrvd3RVI6LJ8DSxTUZ+MT34DgTs6+ryJkyA62mcSy5QL2
|
||||
ZMH82uZ/1KRN6P2YOUV7UmvWPta5kZ+ocfSoTcYCx/Ms4XOx6g6DbfDZ5AkRfY7c
|
||||
qUXwJEA5bEooZXxMIVX3cN6O8CVjhl0lzNyeppoCmsuHBg1/YErsLbyphKzIuY0E
|
||||
8Ng5nSKKefZA3+2OlwvRNN4FPVXcf618s+LkMPdedRxuxOj5Lg0m8I33t//4U8xJ
|
||||
CjgItN27+C8C+3uAb+oG0JP592z+zweVVjbqgfKKQ0XWJBV8YrdQ7CC65WTBkSKK
|
||||
Fk9uVDjfftrsWkkyWttGk1As9yAvPbupZ2swoMEcQLAhyaTLmBYrgIW6g6OMhCHv
|
||||
k4BIGUZ0EQmzi11G5Bu7OEKN2/KIlLkCDQRf7mYNARAA2iZs8bBisxr5aQE1gTVX
|
||||
wvgtnIOjQ6aDOh9bminaAQtg+ntvNFi6HUzSvB0XTjAw8sH2Bz38CkczuDfd4YfZ
|
||||
OzAJRJTG58NAubAMDjJ3yHrfP/uXn+KVEUdDYv+wTbbA4cPztMLhNxNJwgPKjVLj
|
||||
9FGkdYLCe+xTD3POiwMOtazpW4udynNCcQ1P+DIPzHuOisJ1AkYqDrShclEUcitO
|
||||
44/+8JzhiKH9HxwomOLku7lwjF1nEyvVC6zJXlxqXImbeFFRbKLlItcbrVD1SJWB
|
||||
F6EstFgSCFcjG0+KN86LRABfp9804OjHiSBiDOTT0W4W5icDnKOzj+ZlsdSdSIcw
|
||||
AnLz7nsgobgjUaRPos013ddcMDFSIS+SNtAE/si4JHdLGUVCKH5RgHyWMjK2MQGx
|
||||
3LCaHPVT/Ei0uLdSbKtpLpSsYsNokliw84Czd6sUjjR/IhHjJ7ryD4eJSyXt7vuZ
|
||||
6e9twyJumcPJvWw3feFjGqGKmhwpw6viKkYEqDSkS7IJRqdS8My1PMm38Ew61WaS
|
||||
YYehueH1yO//Wtlo2hYfFh4N4Hcu9E6NeJBNEc20gz6tTkkybuIuCsZdRr9MEZgc
|
||||
EEwH+Mf386Lp+/VqfpmykUaT4XATkzhSHiFFx3y1jD/gClN4zATmS9s21df8Nooc
|
||||
qWTJjOjLmKn9nevp4Jrf5NEAEQEAAYkCNgQYAQgAIBYhBHFouYOBWl7vWaSt/So/
|
||||
QU5zYGC6BQJf7mYNAhsMAAoJECo/QU5zYGC6a/oQAKjogHiQqRKLsaRj5yipy52i
|
||||
s8vXjsDdhv29GTFV/0aLrPcFx5NkHPf5mQsN/k1fYfwHaq2uwGuL/YB6Ra6eZBOP
|
||||
/xd0i7JpULrSPTDBWEgqF5UzuabQJY8oYK8RdA5RS6Tc4Q38L9f9RbHYPGvRgDeb
|
||||
ZngMVOUQOD0s4EkAYwofOOE/a5S+Ty+12o7t+BTFucjgF/RiogO38HyeUepKiJFU
|
||||
vuSRcluIvHaooLvDMvfmZT/nZhZsqAa3nT780Og9aopI36tmUuZSR1fJ5jYgj5dU
|
||||
3JA11HWaiwbZiVXEnNDh/WPrzM8k+KGf/dxymLuCbROc+wwjhqiWGn7cKJcVLHzS
|
||||
CO0rPVaJvrliTui0ytRLQ5F3A8+nsq84lbHXDZWnYMcGVF0iluQksbQkc9VPunRI
|
||||
VA3UfPt7O/rK8LkZlJttKPZL042IC7vrPFZIHDbYl5OEQwohO55v/0MgtaDzc/Pk
|
||||
7mnVkcLyvaL1yl8FWe+fKY4Jk8SUCygwxCCjtCv7TWYaNGepelQonwRWxCyf+xUa
|
||||
nErOxgAHhLfgrzFW31qU2nrd2Ubbtj6jXwtJNMeP1ZCBL5BgcUpypYUh9DyxsjdS
|
||||
mjhmFk4UXBCppf5Po/1qSpr5KPmwuWTd0KGCEnosU9RSpJtE78phxqkKaB8A3HmR
|
||||
ePJgyS4h2BL0NgQRIRVW
|
||||
=OOF9
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
677
openssh.spec
Normal file
677
openssh.spec
Normal file
@ -0,0 +1,677 @@
|
||||
#
|
||||
# spec file for package openssh
|
||||
#
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
# upon. The license for this file, and modifications and additions to the
|
||||
# file, is the same license as for the pristine package itself (unless the
|
||||
# license for the pristine package is not an Open Source License, in which
|
||||
# case the license is the MIT License). An "Open Source License" is a
|
||||
# license that conforms to the Open Source Definition (Version 1.9)
|
||||
# published by the Open Source Initiative.
|
||||
|
||||
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||
#
|
||||
|
||||
%define sandbox_seccomp 0
|
||||
%ifnarch ppc
|
||||
%define sandbox_seccomp 1
|
||||
%endif
|
||||
%define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d
|
||||
%define _fwdefdir %{_fwdir}/services
|
||||
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
|
||||
%define CHECKSUM_SUFFIX .hmac
|
||||
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
|
||||
%bcond_without ldap
|
||||
|
||||
%if 0%{?suse_version} >= 1550
|
||||
%bcond_without wtmpdb
|
||||
%bcond_with allow_root_password_login_by_default
|
||||
%else
|
||||
%bcond_with wtmpdb
|
||||
%bcond_without allow_root_password_login_by_default
|
||||
%endif
|
||||
|
||||
#Compat macro for new _fillupdir macro introduced in Nov 2017
|
||||
%if ! %{defined _fillupdir}
|
||||
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||
%endif
|
||||
Name: openssh
|
||||
Version: 9.8p1
|
||||
Release: 0
|
||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||
License: BSD-2-Clause AND MIT
|
||||
Group: Productivity/Networking/SSH
|
||||
URL: https://www.openssh.com/
|
||||
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||
Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
||||
Source2: sshd.pamd
|
||||
Source3: README.SUSE
|
||||
Source4: README.kerberos
|
||||
Source5: ssh.reg
|
||||
Source6: ssh-askpass
|
||||
Source7: sshd.fw
|
||||
Source8: sysconfig.ssh
|
||||
Source9: sshd-gen-keys-start
|
||||
Source10: sshd.service
|
||||
Source11: README.FIPS
|
||||
Source12: cavs_driver-ssh.pl
|
||||
Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
|
||||
Source14: sysusers-sshd.conf
|
||||
Source15: sshd-sle.pamd
|
||||
Source16: sshd@.service
|
||||
Source17: sshd.socket
|
||||
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
|
||||
Patch3: openssh-7.7p1-enable_PAM_by_default.patch
|
||||
Patch4: openssh-7.7p1-eal3.patch
|
||||
Patch6: openssh-7.7p1-send_locale.patch
|
||||
Patch7: openssh-7.7p1-hostname_changes_when_forwarding_X.patch
|
||||
Patch8: openssh-7.7p1-remove_xauth_cookies_on_exit.patch
|
||||
Patch9: openssh-7.7p1-pts_names_formatting.patch
|
||||
Patch10: openssh-7.7p1-pam_check_locks.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
|
||||
Patch14: openssh-7.7p1-seccomp_stat.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
|
||||
Patch15: openssh-7.7p1-seccomp_ipc_flock.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
|
||||
# Local FIPS patchset
|
||||
Patch17: openssh-7.7p1-fips.patch
|
||||
# Local cavs patchset
|
||||
Patch18: openssh-7.7p1-cavstest-ctr.patch
|
||||
# Local cavs patchset
|
||||
Patch19: openssh-7.7p1-cavstest-kdf.patch
|
||||
# Local FIPS patchset
|
||||
Patch20: openssh-7.7p1-fips_checks.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
|
||||
Patch22: openssh-7.7p1-systemd-notify.patch
|
||||
Patch23: openssh-8.0p1-gssapi-keyex.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
||||
Patch24: openssh-8.1p1-audit.patch
|
||||
# Local patch to disable runtime abi SSL checks, quite pointless for us
|
||||
Patch26: openssh-7.7p1-disable_openssl_abi_check.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
|
||||
Patch27: openssh-7.7p1-no_fork-no_pid_file.patch
|
||||
Patch28: openssh-7.7p1-host_ident.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=1844
|
||||
Patch29: openssh-7.7p1-sftp_force_permissions.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2143
|
||||
Patch30: openssh-7.7p1-X_forward_with_disabled_ipv6.patch
|
||||
Patch31: openssh-7.7p1-ldap.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2213
|
||||
Patch32: openssh-7.7p1-IPv6_X_forwarding.patch
|
||||
Patch33: openssh-7.7p1-sftp_print_diagnostic_messages.patch
|
||||
Patch34: openssh-7.9p1-keygen-preserve-perms.patch
|
||||
Patch35: openssh-7.9p1-revert-new-qos-defaults.patch
|
||||
Patch36: openssh-8.1p1-seccomp-clock_nanosleep.patch
|
||||
Patch37: openssh-8.1p1-seccomp-clock_nanosleep_time64.patch
|
||||
Patch38: openssh-8.1p1-seccomp-clock_gettime64.patch
|
||||
Patch39: openssh-8.1p1-use-openssl-kdf.patch
|
||||
Patch40: openssh-8.1p1-ed25519-use-openssl-rng.patch
|
||||
Patch41: openssh-fips-ensure-approved-moduli.patch
|
||||
Patch42: openssh-link-with-sk.patch
|
||||
Patch43: openssh-reenable-dh-group14-sha1-default.patch
|
||||
Patch45: openssh-8.4p1-ssh_config_d.patch
|
||||
Patch46: openssh-whitelist-syscalls.patch
|
||||
Patch47: openssh-8.4p1-vendordir.patch
|
||||
Patch48: openssh-8.4p1-pam_motd.patch
|
||||
Patch49: openssh-do-not-send-empty-message.patch
|
||||
Patch50: openssh-openssl-3.patch
|
||||
Patch51: wtmpdb.patch
|
||||
Patch52: logind_set_tty.patch
|
||||
Patch54: openssh-mitigate-lingering-secrets.patch
|
||||
Patch102: openssh-7.8p1-role-mls.patch
|
||||
Patch103: openssh-6.6p1-privsep-selinux.patch
|
||||
Patch104: openssh-6.6p1-keycat.patch
|
||||
Patch105: openssh-6.6.1p1-selinux-contexts.patch
|
||||
Patch106: openssh-7.6p1-cleanup-selinux.patch
|
||||
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
|
||||
Patch107: openssh-9.6p1-crypto-policies.patch
|
||||
Patch108: openssh-9.6p1-crypto-policies-man.patch
|
||||
Patch109: fix-memleak-in-process_server_config_line_depth.patch
|
||||
# PATCH-FIX-UPSTREAM alarrosa@suse.com -- https://github.com/openssh/openssh-portable/pull/516
|
||||
Patch110: fix-audit-fail-attempt.patch
|
||||
# PATCH-FIX-UPSTREAM -- https://github.com/openssh/openssh-portable/pull/452 boo#1229010
|
||||
Patch111: 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
|
||||
%if 0%{with allow_root_password_login_by_default}
|
||||
Patch1000: openssh-7.7p1-allow_root_password_login.patch
|
||||
%endif
|
||||
BuildRequires: audit-devel
|
||||
BuildRequires: automake
|
||||
%if 0%{?sle_version} >= 150500
|
||||
BuildRequires: gcc11
|
||||
%endif
|
||||
BuildRequires: groff
|
||||
BuildRequires: libedit-devel
|
||||
BuildRequires: libselinux-devel
|
||||
%if %{with ldap}
|
||||
BuildRequires: openldap2-devel
|
||||
%endif
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: zlib-devel
|
||||
BuildRequires: pkgconfig(libfido2) >= 1.2.0
|
||||
BuildRequires: pkgconfig(libsystemd)
|
||||
BuildRequires: sysuser-shadow
|
||||
BuildRequires: sysuser-tools
|
||||
Requires: %{name}-clients = %{version}-%{release}
|
||||
Requires: %{name}-server = %{version}-%{release}
|
||||
%if 0%{?suse_version} >= 1550
|
||||
BuildRequires: pkgconfig(krb5)
|
||||
%else
|
||||
BuildRequires: krb5-mini-devel
|
||||
%endif
|
||||
%if %{with wtmpdb}
|
||||
BuildRequires: pkgconfig(libwtmpdb)
|
||||
%endif
|
||||
Requires(pre): findutils
|
||||
Requires(pre): grep
|
||||
|
||||
%description
|
||||
SSH (Secure Shell) is a program for logging into and executing commands
|
||||
on a remote machine. It replaces rsh (rlogin and rsh) and
|
||||
provides secure encrypted communication between two untrusted
|
||||
hosts over an insecure network.
|
||||
|
||||
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
|
||||
also be forwarded over the secure channel.
|
||||
|
||||
This is a dummy package that pulls in both the client and server
|
||||
components.
|
||||
|
||||
%package common
|
||||
Summary: SSH (Secure Shell) common files
|
||||
Group: Productivity/Networking/SSH
|
||||
Conflicts: nonfreessh
|
||||
Conflicts: %{name}-fips < %{version}-%{release}
|
||||
Conflicts: %{name}-fips > %{version}-%{release}
|
||||
|
||||
%description common
|
||||
SSH (Secure Shell) is a program for logging into and executing commands
|
||||
on a remote machine. It replaces rsh (rlogin and rsh) and
|
||||
provides secure encrypted communication between two untrusted
|
||||
hosts over an insecure network.
|
||||
|
||||
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
|
||||
also be forwarded over the secure channel.
|
||||
|
||||
This package contains common files for the Secure Shell server and
|
||||
clients.
|
||||
|
||||
%package server
|
||||
Summary: SSH (Secure Shell) server
|
||||
Group: Productivity/Networking/SSH
|
||||
Requires: %{name}-common = %{version}-%{release}
|
||||
Requires: crypto-policies >= 20220824
|
||||
Recommends: audit
|
||||
Requires(pre): findutils
|
||||
Requires(pre): grep
|
||||
Requires(post): %fillup_prereq
|
||||
Requires(post): permissions
|
||||
Provides: openssh:%{_sbindir}/sshd
|
||||
%if 0%{with allow_root_password_login_by_default}
|
||||
# For a brief period of time this package existed in SLE/Leap.
|
||||
# It was removed before GM but some people might have it from
|
||||
# a beta distribution version (boo#1227350)
|
||||
Obsoletes: openssh-server-config-rootlogin <= %{version}
|
||||
%endif
|
||||
%sysusers_requires
|
||||
|
||||
%description server
|
||||
SSH (Secure Shell) is a program for logging into and executing commands
|
||||
on a remote machine. It replaces rsh (rlogin and rsh) and
|
||||
provides secure encrypted communication between two untrusted
|
||||
hosts over an insecure network.
|
||||
|
||||
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
|
||||
also be forwarded over the secure channel.
|
||||
|
||||
This package contains the Secure Shell daemon, which allows clients to
|
||||
securely connect to your server.
|
||||
|
||||
%if 0%{with allow_root_password_login_by_default}
|
||||
%package server-config-disallow-rootlogin
|
||||
Summary: Config to disallow password root logins to sshd
|
||||
Group: Productivity/Networking/SSH
|
||||
Requires: %{name}-server = %{version}-%{release}
|
||||
Conflicts: %{name}-server-config-rootlogin
|
||||
|
||||
%description server-config-disallow-rootlogin
|
||||
The openssh-server package by default allows password based
|
||||
root logins. This package provides a config that disallows root
|
||||
to log in using the passwor. It's useful to secure your system
|
||||
preventing password attacks on the root account over ssh.
|
||||
%else
|
||||
%package server-config-rootlogin
|
||||
Summary: Config to permit root logins to sshd
|
||||
Group: Productivity/Networking/SSH
|
||||
Requires: %{name}-server = %{version}-%{release}
|
||||
Conflicts: %{name}-server-config-disallow-rootlogin
|
||||
|
||||
%description server-config-rootlogin
|
||||
The openssh-server package by default disallows password based
|
||||
root logins. This package provides a config that does. It's useful
|
||||
to temporarily have a password based login to be able to use
|
||||
ssh-copy-id(1).
|
||||
%endif
|
||||
|
||||
%package clients
|
||||
Summary: SSH (Secure Shell) client applications
|
||||
Group: Productivity/Networking/SSH
|
||||
Requires: crypto-policies >= 20220824
|
||||
Requires: %{name}-common = %{version}-%{release}
|
||||
Provides: openssh:%{_bindir}/ssh
|
||||
|
||||
%description clients
|
||||
SSH (Secure Shell) is a program for logging into and executing commands
|
||||
on a remote machine. It replaces rsh (rlogin and rsh) and
|
||||
provides secure encrypted communication between two untrusted
|
||||
hosts over an insecure network.
|
||||
|
||||
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
|
||||
also be forwarded over the secure channel.
|
||||
|
||||
This package contains clients for making secure connections to Secure
|
||||
Shell servers.
|
||||
|
||||
%if %{with ldap}
|
||||
%package helpers
|
||||
Summary: OpenSSH AuthorizedKeysCommand helpers
|
||||
Group: Productivity/Networking/SSH
|
||||
Requires: %{name}-common = %{version}-%{release}
|
||||
|
||||
%description helpers
|
||||
SSH (Secure Shell) is a program for logging into and executing commands
|
||||
on a remote machine. It replaces rsh (rlogin and rsh) and
|
||||
provides secure encrypted communication between two untrusted
|
||||
hosts over an insecure network.
|
||||
|
||||
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
|
||||
also be forwarded over the secure channel.
|
||||
|
||||
This package contains helper applications for OpenSSH which retrieve
|
||||
keys from various sources.
|
||||
%endif
|
||||
|
||||
%package fips
|
||||
Summary: OpenSSH FIPS crypto module HMACs
|
||||
Group: Productivity/Networking/SSH
|
||||
Requires: %{name}-common = %{version}-%{release}
|
||||
Conflicts: %{name}-common < %{version}-%{release}
|
||||
Conflicts: %{name}-common > %{version}-%{release}
|
||||
Obsoletes: %{name}-hmac
|
||||
|
||||
%description fips
|
||||
This package contains hashes that, together with the main openssh packages,
|
||||
form the FIPS certifiable crypto module.
|
||||
|
||||
%package cavs
|
||||
Summary: OpenSSH FIPS crypto module CAVS tests
|
||||
Group: Productivity/Networking/SSH
|
||||
Requires: %{name}-common = %{version}-%{release}
|
||||
|
||||
%description cavs
|
||||
This package contains the FIPS-140 CAVS (Cryptographic Algorithm
|
||||
Validation Program/Suite) related tests of OpenSSH.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
|
||||
|
||||
%autopatch -p1
|
||||
|
||||
# set libexec dir in the LDAP patch
|
||||
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
||||
$( grep -Rl @LIBEXECDIR@ \
|
||||
$( grep "^+++" %{PATCH31} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
||||
)
|
||||
|
||||
%build
|
||||
%if 0%{?sle_version} >= 150500
|
||||
export CC=gcc-11
|
||||
%endif
|
||||
autoreconf -fiv
|
||||
%ifarch s390 s390x %{sparc}
|
||||
PIEFLAGS="-fPIE"
|
||||
%else
|
||||
PIEFLAGS="-fpie"
|
||||
%endif
|
||||
CFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
|
||||
CXXFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
|
||||
LDFLAGS="-pie -Wl,--as-needed"
|
||||
#CPPFLAGS="%%{optflags} -DUSE_INTERNAL_B64"
|
||||
export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
||||
%configure \
|
||||
--sysconfdir=%{_sysconfdir}/ssh \
|
||||
--libexecdir=%{_libexecdir}/ssh \
|
||||
--with-selinux \
|
||||
--with-pid-dir=/run \
|
||||
--with-systemd \
|
||||
--with-ssl-engine \
|
||||
--with-pam \
|
||||
--with-kerberos5=%{_prefix} \
|
||||
--with-privsep-path=%{_localstatedir}/lib/empty \
|
||||
%if %{sandbox_seccomp}
|
||||
--with-sandbox=seccomp_filter \
|
||||
%else
|
||||
--with-sandbox=rlimit \
|
||||
%endif
|
||||
--disable-strip \
|
||||
--with-audit=linux \
|
||||
%if %{with ldap}
|
||||
--with-ldap \
|
||||
%endif
|
||||
--with-xauth=%{_bindir}/xauth \
|
||||
--with-libedit \
|
||||
%if %{with wtmpdb}
|
||||
--with-wtmpdb \
|
||||
%endif
|
||||
%if 0%{?suse_version} >= 1550
|
||||
--disable-lastlog \
|
||||
--with-logind \
|
||||
%endif
|
||||
--enable-dsa-keys \
|
||||
--with-security-key-builtin \
|
||||
--target=%{_target_cpu}-suse-linux
|
||||
|
||||
%make_build
|
||||
%sysusers_generate_pre %{SOURCE14} sshd sshd.conf
|
||||
|
||||
%install
|
||||
%make_install
|
||||
%if %{defined _distconfdir}
|
||||
install -d -m 755 %{buildroot}%{_pam_vendordir}
|
||||
install -m 644 %{SOURCE2} %{buildroot}%{_pam_vendordir}/sshd
|
||||
%else
|
||||
# SLE has no distconfdir, so use sle PAM config
|
||||
install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
|
||||
install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/sshd
|
||||
%endif
|
||||
install -d -m 755 %{buildroot}%{_localstatedir}/lib/sshd
|
||||
install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/ssh_config.d
|
||||
install -d -m 755 %{buildroot}%{_sysconfdir}/ssh/sshd_config.d
|
||||
%if 0%{?suse_version} < 1600
|
||||
install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
|
||||
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
|
||||
%endif
|
||||
install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
|
||||
install -D -m 0644 %{SOURCE16} %{buildroot}%{_unitdir}/sshd@.service
|
||||
install -D -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/sshd.socket
|
||||
ln -s service %{buildroot}%{_sbindir}/rcsshd
|
||||
install -d -m 755 %{buildroot}%{_fillupdir}
|
||||
install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}
|
||||
# install shell script to automate the process of adding your public key to a remote machine
|
||||
install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
|
||||
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
|
||||
sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
|
||||
|
||||
%if 0%{with allow_root_password_login_by_default}
|
||||
echo "PermitRootLogin prohibit-password" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
|
||||
%else
|
||||
echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
||||
%endif
|
||||
|
||||
# Move /etc to /usr/etc/ssh
|
||||
%if %{defined _distconfdir}
|
||||
mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d
|
||||
mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
|
||||
mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
|
||||
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
|
||||
%if 0%{with allow_root_password_login_by_default}
|
||||
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
|
||||
%else
|
||||
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
||||
%endif
|
||||
%endif
|
||||
|
||||
install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
|
||||
%if %{defined _distconfdir}
|
||||
install -m 644 sshd_config_suse_cp %{buildroot}%{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
|
||||
%else
|
||||
install -m 644 sshd_config_suse_cp %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
|
||||
%endif
|
||||
|
||||
%if 0%{?suse_version} < 1550
|
||||
# install firewall definitions
|
||||
mkdir -p %{buildroot}%{_fwdefdir}
|
||||
install -m 644 %{SOURCE7} %{buildroot}%{_fwdefdir}/sshd
|
||||
%endif
|
||||
|
||||
# askpass wrapper
|
||||
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE6} > %{buildroot}%{_libexecdir}/ssh/ssh-askpass
|
||||
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE12} > %{buildroot}%{_libexecdir}/ssh/cavs_driver-ssh.pl
|
||||
rm -f %{buildroot}%{_datadir}/Ssh.bin
|
||||
# sshd keys generator wrapper
|
||||
install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
|
||||
|
||||
# Install sysusers.d config for sshd user
|
||||
mkdir -p %{buildroot}%{_sysusersdir}
|
||||
install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf
|
||||
|
||||
# the hmac hashes - taken from openssl
|
||||
#
|
||||
# re-define the __os_install_post macro: the macro strips
|
||||
# the binaries and thereby invalidates any hashes created earlier.
|
||||
#
|
||||
# this shows up earlier because otherwise the %%expand of
|
||||
# the macro is too late.
|
||||
%{expand:%%global __os_install_post {%__os_install_post
|
||||
for b in \
|
||||
%{_bindir}/ssh \
|
||||
%{_sbindir}/sshd \
|
||||
%{_libexecdir}/ssh/sftp-server \
|
||||
; do
|
||||
openssl dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
|
||||
done
|
||||
|
||||
}}
|
||||
|
||||
%pre server -f sshd.pre
|
||||
%if %{defined _distconfdir}
|
||||
# Prepare for migration to /usr/etc.
|
||||
test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd.rpmsave.old ||:
|
||||
test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config.rpmsave.old ||:
|
||||
%endif
|
||||
|
||||
%service_add_pre sshd.service sshd.socket
|
||||
|
||||
%post server
|
||||
%{fillup_only -n ssh}
|
||||
%service_add_post sshd.service sshd.socket
|
||||
|
||||
%if ! %{defined _distconfdir}
|
||||
test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
|
||||
echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
|
||||
echo " /etc/ssh/sshd_config.d/ . The crypto-policies configuration won't"
|
||||
echo "be honored until the following line is added at the start of"
|
||||
echo "/etc/ssh/sshd_config :"
|
||||
echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
|
||||
%endif
|
||||
|
||||
%preun server
|
||||
%service_del_preun sshd.service sshd.socket
|
||||
|
||||
%postun server
|
||||
# The openssh-fips trigger script for openssh will normally restart sshd once
|
||||
# it gets installed, so only restart the service here if openssh-fips is not
|
||||
# present.
|
||||
if rpm -q openssh-fips >/dev/null 2>/dev/null; then
|
||||
%service_del_postun_without_restart sshd.service sshd.socket
|
||||
else
|
||||
%service_del_postun sshd.service sshd.socket
|
||||
fi
|
||||
|
||||
%if ! %{defined _distconfdir}
|
||||
%post server-config-disallow-rootlogin
|
||||
test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
|
||||
echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
|
||||
echo " /etc/ssh/sshd_config.d/ . The config file installed by"
|
||||
echo "openssh-server-config-disallow-rootlogin won't be used until"
|
||||
echo "the following line is added at the start of /etc/ssh/sshd_config :"
|
||||
echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
|
||||
%endif
|
||||
|
||||
%if %{defined _distconfdir}
|
||||
%posttrans server
|
||||
# Migration to /usr/etc.
|
||||
test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd ||:
|
||||
test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config ||:
|
||||
%endif
|
||||
|
||||
%if %{defined _distconfdir}
|
||||
%pre clients
|
||||
# Prepare for migration to /usr/etc.
|
||||
test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config.rpmsave.old ||:
|
||||
%endif
|
||||
|
||||
%if ! %{defined _distconfdir}
|
||||
%post clients
|
||||
test -f /etc/ssh/ssh_config && (grep -q "^Include /etc/ssh/ssh_config\.d/\*\.conf" /etc/ssh/ssh_config || ( \
|
||||
echo "WARNING: /etc/ssh/ssh_config doesn't include config files from"
|
||||
echo " /etc/ssh/ssh_config.d/ . The crypto-policies configuration won't"
|
||||
echo "be honored until the following line is added at the start of"
|
||||
echo "/etc/ssh/ssh_config :"
|
||||
echo "Include /etc/ssh/ssh_config.d/*.conf" ) ) ||:
|
||||
%endif
|
||||
|
||||
%if %{defined _distconfdir}
|
||||
%posttrans clients
|
||||
# Migration to /usr/etc.
|
||||
test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config ||:
|
||||
%endif
|
||||
|
||||
%triggerin -n openssh-fips -- %{name} = %{version}-%{release}
|
||||
%restart_on_update sshd
|
||||
|
||||
%files
|
||||
# openssh is an empty package that depends on -clients and -server,
|
||||
# resulting in a clean upgrade path from prior to the split even when
|
||||
# recommends are disabled.
|
||||
|
||||
%files common
|
||||
%license LICENCE
|
||||
%doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS
|
||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||
%if %{defined _distconfdir}
|
||||
%attr(0755,root,root) %dir %{_distconfdir}/ssh
|
||||
%attr(0600,root,root) %{_distconfdir}/ssh/moduli
|
||||
%attr(0755,root,root) %dir %{_distconfdir}/ssh/ssh_config.d
|
||||
%else
|
||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
|
||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh/ssh_config.d
|
||||
%endif
|
||||
%attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1*
|
||||
%attr(0444,root,root) %{_mandir}/man5/moduli.5*
|
||||
%attr(0755,root,root) %{_bindir}/ssh-keygen*
|
||||
|
||||
%files server
|
||||
%attr(0755,root,root) %{_sbindir}/sshd
|
||||
%attr(0755,root,root) %{_sbindir}/rcsshd
|
||||
%attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start
|
||||
%dir %attr(0755,root,root) %{_localstatedir}/lib/sshd
|
||||
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d
|
||||
%if %{defined _distconfdir}
|
||||
%attr(0755,root,root) %dir %{_distconfdir}/ssh
|
||||
%attr(0755,root,root) %dir %{_distconfdir}/ssh/sshd_config.d
|
||||
%attr(0640,root,root) %config(noreplace) %{_distconfdir}/ssh/sshd_config
|
||||
%attr(0644,root,root) %{_pam_vendordir}/sshd
|
||||
%else
|
||||
%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
|
||||
%endif
|
||||
%if %{defined _distconfdir}
|
||||
%attr(0600,root,root) %config(noreplace) %{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
|
||||
%else
|
||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
|
||||
%endif
|
||||
%attr(0644,root,root) %{_unitdir}/sshd.service
|
||||
%attr(0644,root,root) %{_unitdir}/sshd@.service
|
||||
%attr(0644,root,root) %{_unitdir}/sshd.socket
|
||||
%attr(0644,root,root) %{_sysusersdir}/sshd.conf
|
||||
%attr(0444,root,root) %{_mandir}/man5/sshd_config*
|
||||
%attr(0444,root,root) %{_mandir}/man8/sftp-server.8*
|
||||
%attr(0444,root,root) %{_mandir}/man8/sshd.8*
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/sftp-server
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/sshd-session
|
||||
%if 0%{?suse_version} < 1600
|
||||
%dir %{_sysconfdir}/slp.reg.d
|
||||
%config %{_sysconfdir}/slp.reg.d/ssh.reg
|
||||
%endif
|
||||
%{_fillupdir}/sysconfig.ssh
|
||||
%if 0%{?suse_version} < 1550
|
||||
%dir %{_fwdir}
|
||||
%dir %{_fwdefdir}
|
||||
%config %{_fwdefdir}/sshd
|
||||
%endif
|
||||
|
||||
%if 0%{with allow_root_password_login_by_default}
|
||||
%files server-config-disallow-rootlogin
|
||||
%if %{defined _distconfdir}
|
||||
%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
|
||||
%else
|
||||
%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
|
||||
%endif
|
||||
%else
|
||||
%files server-config-rootlogin
|
||||
%if %{defined _distconfdir}
|
||||
%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
||||
%else
|
||||
%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%files clients
|
||||
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
|
||||
%if %{defined _distconfdir}
|
||||
%attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
|
||||
%else
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
|
||||
%endif
|
||||
%attr(0755,root,root) %{_bindir}/ssh
|
||||
%attr(0755,root,root) %{_bindir}/scp*
|
||||
%attr(0755,root,root) %{_bindir}/sftp*
|
||||
%attr(0755,root,root) %{_bindir}/ssh-add*
|
||||
%attr(0755,root,root) %{_bindir}/ssh-agent*
|
||||
%attr(0755,root,root) %{_bindir}/ssh-copy-id*
|
||||
%attr(0755,root,root) %{_bindir}/ssh-keyscan*
|
||||
%attr(0755,root,root) %dir %{_libexecdir}/ssh
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-askpass*
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-keysign*
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-pkcs11-helper*
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-sk-helper*
|
||||
%attr(0444,root,root) %{_mandir}/man1/scp.1*
|
||||
%attr(0444,root,root) %{_mandir}/man1/sftp.1*
|
||||
%attr(0444,root,root) %{_mandir}/man1/ssh-add.1*
|
||||
%attr(0444,root,root) %{_mandir}/man1/ssh-agent.1*
|
||||
%attr(0444,root,root) %{_mandir}/man1/ssh-keyscan.1*
|
||||
%attr(0444,root,root) %{_mandir}/man1/ssh.1*
|
||||
%attr(0444,root,root) %{_mandir}/man1/ssh-copy-id.1*
|
||||
%attr(0444,root,root) %{_mandir}/man5/ssh_config.5*
|
||||
%attr(0444,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
|
||||
%attr(0444,root,root) %{_mandir}/man8/ssh-sk-helper.8*
|
||||
%attr(0444,root,root) %{_mandir}/man8/ssh-keysign.8*
|
||||
|
||||
%if %{with ldap}
|
||||
%files helpers
|
||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
|
||||
%attr(0755,root,root) %dir %{_libexecdir}/ssh
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
|
||||
%attr(0444,root,root) %{_mandir}/man5/ssh-ldap*
|
||||
%attr(0444,root,root) %{_mandir}/man8/ssh-ldap*
|
||||
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
|
||||
%endif
|
||||
|
||||
%files fips
|
||||
%attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX}
|
||||
%attr(0444,root,root) %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
|
||||
%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
|
||||
|
||||
%files cavs
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/cavs*
|
||||
|
||||
%changelog
|
26
ssh-askpass
Normal file
26
ssh-askpass
Normal file
@ -0,0 +1,26 @@
|
||||
#!/bin/bash
|
||||
|
||||
SESSION=
|
||||
|
||||
if [ -n "$KDE_FULL_SESSION" ] ; then
|
||||
SESSION=kde
|
||||
fi
|
||||
|
||||
if [ "$DESKTOP_SESSION" = "lxqt" ]; then
|
||||
SESSION=kde
|
||||
fi
|
||||
|
||||
GNOME_SSH_ASKPASS="@LIBEXECDIR@/ssh/gnome-ssh-askpass"
|
||||
KDE_SSH_ASKPASS="@LIBEXECDIR@/ssh/ksshaskpass"
|
||||
|
||||
case "$SESSION" in
|
||||
kde)
|
||||
[ -e $KDE_SSH_ASKPASS ] && exec $KDE_SSH_ASKPASS ${1+"$@"}
|
||||
exec $GNOME_SSH_ASKPASS ${1+"$@"}
|
||||
;;
|
||||
*)
|
||||
[ -e $GNOME_SSH_ASKPASS ] && exec $GNOME_SSH_ASKPASS ${1+"$@"}
|
||||
exec $KDE_SSH_ASKPASS ${1+"$@"}
|
||||
;;
|
||||
esac
|
||||
|
18
ssh.reg
Normal file
18
ssh.reg
Normal file
@ -0,0 +1,18 @@
|
||||
#############################################################################
|
||||
#
|
||||
# OpenSLP registration file
|
||||
#
|
||||
# register SSH daemon
|
||||
#
|
||||
#############################################################################
|
||||
|
||||
# Register the usual sshd, if it is running
|
||||
service:ssh://$HOSTNAME:22,en,65535
|
||||
tcp-port=22
|
||||
description=Secure Shell Daemon
|
||||
|
||||
# ssh can get used to copy files with konqueror using the fish:/ protocol
|
||||
service:fish://$HOSTNAME:22,en,65535
|
||||
tcp-port=22
|
||||
description=KDE file transfer via SSH
|
||||
|
9
sshd-gen-keys-start
Normal file
9
sshd-gen-keys-start
Normal file
@ -0,0 +1,9 @@
|
||||
#!/bin/sh
|
||||
|
||||
test -f /etc/sysconfig/ssh && . /etc/sysconfig/ssh
|
||||
|
||||
if [ "x$SSHD_AUTO_KEYGEN" != "xno" ]; then
|
||||
echo "Checking for missing server keys in /etc/ssh"
|
||||
test -d /etc/ssh || mkdir -p /etc/ssh
|
||||
ssh-keygen -A
|
||||
fi
|
11
sshd-sle.pamd
Normal file
11
sshd-sle.pamd
Normal file
@ -0,0 +1,11 @@
|
||||
#%PAM-1.0
|
||||
auth requisite pam_nologin.so
|
||||
auth include common-auth
|
||||
account requisite pam_nologin.so
|
||||
account include common-account
|
||||
password include common-password
|
||||
session required pam_loginuid.so
|
||||
session optional pam_keyinit.so force revoke
|
||||
session include common-session
|
||||
session optional pam_motd.so
|
||||
|
5
sshd.fw
Normal file
5
sshd.fw
Normal file
@ -0,0 +1,5 @@
|
||||
## Name: Secure Shell Server
|
||||
## Description: Open ports for Secure Shell Server
|
||||
|
||||
# space separated list of allowed TCP ports
|
||||
TCP="ssh"
|
14
sshd.pamd
Normal file
14
sshd.pamd
Normal file
@ -0,0 +1,14 @@
|
||||
#%PAM-1.0
|
||||
auth requisite pam_nologin.so
|
||||
auth substack common-auth
|
||||
auth include postlogin-auth
|
||||
account requisite pam_nologin.so
|
||||
account substack common-account
|
||||
account include postlogin-account
|
||||
password substack common-password
|
||||
password include postlogin-password
|
||||
session required pam_loginuid.so
|
||||
session optional pam_keyinit.so force revoke
|
||||
session substack common-session
|
||||
session include postlogin-session
|
||||
session optional pam_motd.so
|
18
sshd.service
Normal file
18
sshd.service
Normal file
@ -0,0 +1,18 @@
|
||||
[Unit]
|
||||
Description=OpenSSH Daemon
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
EnvironmentFile=-/etc/sysconfig/ssh
|
||||
ExecStartPre=/usr/sbin/sshd-gen-keys-start
|
||||
ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS
|
||||
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
KillMode=process
|
||||
Restart=on-failure
|
||||
RestartPreventExitStatus=255
|
||||
TasksMax=infinity
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
11
sshd.socket
Normal file
11
sshd.socket
Normal file
@ -0,0 +1,11 @@
|
||||
[Unit]
|
||||
Description=OpenSSH Server Socket
|
||||
Conflicts=sshd.service
|
||||
|
||||
[Socket]
|
||||
ListenStream=22
|
||||
Accept=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=sockets.target
|
||||
|
11
sshd@.service
Normal file
11
sshd@.service
Normal file
@ -0,0 +1,11 @@
|
||||
[Unit]
|
||||
Description=OpenSSH Per-Connection Server Daemon
|
||||
Documentation=man:systemd-ssh-generator(8) man:sshd(8)
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
EnvironmentFile=-/etc/sysconfig/ssh
|
||||
ExecStartPre=/usr/sbin/sshd-gen-keys-start
|
||||
ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS
|
||||
ExecStart=-/usr/sbin/sshd -i $SSHD_OPTS
|
||||
StandardInput=socket
|
14
sysconfig.ssh
Normal file
14
sysconfig.ssh
Normal file
@ -0,0 +1,14 @@
|
||||
## Path: Network/Remote access/SSH
|
||||
## Description: SSH server settings
|
||||
## Type: string
|
||||
## Default: ""
|
||||
## ServiceRestart: sshd
|
||||
#
|
||||
# Options for sshd
|
||||
#
|
||||
SSHD_OPTS=""
|
||||
|
||||
#
|
||||
# Whether to run ssh-keygen -A
|
||||
#
|
||||
SSHD_AUTO_KEYGEN="yes"
|
2
sysusers-sshd.conf
Normal file
2
sysusers-sshd.conf
Normal file
@ -0,0 +1,2 @@
|
||||
# Type Name ID GECOS [HOME]
|
||||
u sshd - "SSH daemon" /var/lib/sshd
|
189
wtmpdb.patch
Normal file
189
wtmpdb.patch
Normal file
@ -0,0 +1,189 @@
|
||||
diff -ur openssh-8.9p1.old/configure.ac openssh-8.9p1/configure.ac
|
||||
--- openssh-8.9p1.old/configure.ac 2022-02-23 12:31:11.000000000 +0100
|
||||
+++ openssh-8.9p1/configure.ac 2023-04-17 14:52:21.499002203 +0200
|
||||
@@ -1703,6 +1703,49 @@
|
||||
fi ]
|
||||
)
|
||||
|
||||
+# Check whether user wants wtmpdb support
|
||||
+WTMPDB_MSG="no"
|
||||
+AC_ARG_WITH([wtmpdb],
|
||||
+ [ --with-wtmpdb[[=PATH]] Enable wtmpdb support for sshd],
|
||||
+ [ if test "x$withval" != "xno" ; then
|
||||
+ if test "x$withval" = "xyes" ; then
|
||||
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
|
||||
+ if test "x$PKGCONFIG" != "xno"; then
|
||||
+ AC_MSG_CHECKING([if $PKGCONFIG knows about wtmpdb])
|
||||
+ if "$PKGCONFIG" libwtmpdb; then
|
||||
+ AC_MSG_RESULT([yes])
|
||||
+ use_pkgconfig_for_libwtmpdb=yes
|
||||
+ else
|
||||
+ AC_MSG_RESULT([no])
|
||||
+ fi
|
||||
+ fi
|
||||
+ else
|
||||
+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
|
||||
+ if test -n "${rpath_opt}"; then
|
||||
+ LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
|
||||
+ else
|
||||
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
|
||||
+ fi
|
||||
+ fi
|
||||
+ if test "x$use_pkgconfig_for_libwtmpdb" = "xyes"; then
|
||||
+ LIBWTMPDB=`$PKGCONFIG --libs libwtmpdb`
|
||||
+ CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libwtmpdb`"
|
||||
+ else
|
||||
+ LIBWTMPDB="-lwtmpdb"
|
||||
+ fi
|
||||
+ OTHERLIBS=`echo $LIBWTMPDB | sed 's/-lwtmpdb//'`
|
||||
+ AC_CHECK_LIB([wtmpdb], [wtmpdb_login],
|
||||
+ [ AC_DEFINE([USE_WTMPDB], [1], [Use libwtmpdb for sshd])
|
||||
+ WTMPDB_MSG="yes"
|
||||
+ AC_SUBST([LIBWTMPDB])
|
||||
+ ],
|
||||
+ [ AC_MSG_ERROR([libwtmpdb not found]) ],
|
||||
+ [ $OTHERLIBS ]
|
||||
+ )
|
||||
+ fi ]
|
||||
+)
|
||||
+
|
||||
+
|
||||
AUDIT_MODULE=none
|
||||
AC_ARG_WITH([audit],
|
||||
[ --with-audit=module Enable audit support (modules=debug,bsm,linux)],
|
||||
diff -ur openssh-8.9p1.old/loginrec.c openssh-8.9p1/loginrec.c
|
||||
--- openssh-8.9p1.old/loginrec.c 2022-02-23 12:31:11.000000000 +0100
|
||||
+++ openssh-8.9p1/loginrec.c 2023-04-18 10:05:04.311193333 +0200
|
||||
@@ -187,6 +187,10 @@
|
||||
# include <util.h>
|
||||
#endif
|
||||
|
||||
+#ifdef USE_WTMPDB
|
||||
+# include <wtmpdb.h>
|
||||
+#endif
|
||||
+
|
||||
/**
|
||||
** prototypes for helper functions in this file
|
||||
**/
|
||||
@@ -207,6 +211,9 @@
|
||||
int wtmpx_write_entry(struct logininfo *li);
|
||||
int lastlog_write_entry(struct logininfo *li);
|
||||
int syslogin_write_entry(struct logininfo *li);
|
||||
+#ifdef USE_WTMPDB
|
||||
+int wtmpdb_write_entry(struct logininfo *li);
|
||||
+#endif
|
||||
|
||||
int getlast_entry(struct logininfo *li);
|
||||
int lastlog_get_entry(struct logininfo *li);
|
||||
@@ -467,6 +474,9 @@
|
||||
#ifdef USE_WTMPX
|
||||
wtmpx_write_entry(li);
|
||||
#endif
|
||||
+#ifdef USE_WTMPDB
|
||||
+ wtmpdb_write_entry(li);
|
||||
+#endif
|
||||
#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
|
||||
if (li->type == LTYPE_LOGIN &&
|
||||
!sys_auth_record_login(li->username,li->hostname,li->line,
|
||||
@@ -1409,6 +1419,64 @@
|
||||
}
|
||||
#endif /* USE_WTMPX */
|
||||
|
||||
+#ifdef USE_WTMPDB
|
||||
+static int
|
||||
+wtmpdb_perform_login(struct logininfo *li)
|
||||
+{
|
||||
+ uint64_t login_time = li->tv_sec * ((uint64_t) 1000000ULL) + li->tv_usec;
|
||||
+ const char *tty;
|
||||
+
|
||||
+ if (strncmp(li->line, "/dev/", 5) == 0)
|
||||
+ tty = &(li->line[5]);
|
||||
+ else
|
||||
+ tty = li->line;
|
||||
+
|
||||
+ li->wtmpdb_id = wtmpdb_login(NULL, USER_PROCESS, li->username,
|
||||
+ login_time, tty, li->hostname, 0, 0);
|
||||
+ if (li->wtmpdb_id < 0)
|
||||
+ return (0);
|
||||
+
|
||||
+ return (1);
|
||||
+}
|
||||
+
|
||||
+
|
||||
+static int
|
||||
+wtmpdb_perform_logout(struct logininfo *li)
|
||||
+{
|
||||
+ uint64_t logout_time = li->tv_sec * ((uint64_t) 1000000ULL) + li->tv_usec;
|
||||
+
|
||||
+ if (li->wtmpdb_id == 0) {
|
||||
+ const char *tty;
|
||||
+
|
||||
+ if (strncmp(li->line, "/dev/", 5) == 0)
|
||||
+ tty = &(li->line[5]);
|
||||
+ else
|
||||
+ tty = li->line;
|
||||
+
|
||||
+ li->wtmpdb_id = wtmpdb_get_id(NULL, tty, NULL);
|
||||
+ }
|
||||
+ wtmpdb_logout(NULL, li->wtmpdb_id, logout_time, NULL);
|
||||
+
|
||||
+ return (1);
|
||||
+}
|
||||
+
|
||||
+
|
||||
+int
|
||||
+wtmpdb_write_entry(struct logininfo *li)
|
||||
+{
|
||||
+ switch(li->type) {
|
||||
+ case LTYPE_LOGIN:
|
||||
+ return (wtmpdb_perform_login(li));
|
||||
+ case LTYPE_LOGOUT:
|
||||
+ return (wtmpdb_perform_logout(li));
|
||||
+ default:
|
||||
+ logit("%s: invalid type field", __func__);
|
||||
+ return (0);
|
||||
+ }
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+
|
||||
/**
|
||||
** Low-level libutil login() functions
|
||||
**/
|
||||
diff -ur openssh-8.9p1.old/loginrec.h openssh-8.9p1/loginrec.h
|
||||
--- openssh-8.9p1.old/loginrec.h 2022-02-23 12:31:11.000000000 +0100
|
||||
+++ openssh-8.9p1/loginrec.h 2023-04-17 14:58:20.808850750 +0200
|
||||
@@ -79,6 +79,9 @@
|
||||
unsigned int tv_sec;
|
||||
unsigned int tv_usec;
|
||||
union login_netinfo hostaddr; /* caller's host address(es) */
|
||||
+#ifdef USE_WTMPDB
|
||||
+ int64_t wtmpdb_id; /* ID for wtmpdb_logout */
|
||||
+#endif
|
||||
}; /* struct logininfo */
|
||||
|
||||
/*
|
||||
diff -ur openssh-8.9p1.old/Makefile.in openssh-8.9p1/Makefile.in
|
||||
--- openssh-8.9p1.old/Makefile.in 2022-02-23 12:31:11.000000000 +0100
|
||||
+++ openssh-8.9p1/Makefile.in 2023-04-17 14:44:32.156538001 +0200
|
||||
@@ -55,6 +55,7 @@
|
||||
SSHDLIBS=@SSHDLIBS@
|
||||
LIBEDIT=@LIBEDIT@
|
||||
LIBFIDO2=@LIBFIDO2@
|
||||
+LIBWTMPDB=@LIBWTMPDB@
|
||||
AR=@AR@
|
||||
AWK=@AWK@
|
||||
RANLIB=@RANLIB@
|
||||
@@ -212,10 +213,10 @@
|
||||
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
|
||||
|
||||
sshd-session$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHD_SESSION_OBJS)
|
||||
- $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
|
||||
+ $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
|
||||
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
Loading…
Reference in New Issue
Block a user