Ana Guerrero 2024-09-26 16:52:30 +00:00 committed by Git OBS Bridge
commit fef82d94da
15 changed files with 291 additions and 122 deletions

View File

@ -1,23 +0,0 @@
Index: openssh-9.8p1/sshd-session.c
===================================================================
--- openssh-9.8p1.orig/sshd-session.c
+++ openssh-9.8p1/sshd-session.c
@@ -1624,9 +1624,6 @@ cleanup_exit(int i)
}
}
}
- /* Override default fatal exit value when auth was attempted */
- if (i == 255 && auth_attempted)
- _exit(EXIT_AUTH_ATTEMPTED);
#ifdef SSH_AUDIT_EVENTS
/* done after do_cleanup so it can cancel the PAM auth 'thread' */
if (the_active_state != NULL &&
@@ -1636,5 +1633,8 @@ cleanup_exit(int i)
#endif
clobber_stack();
+ /* Override default fatal exit value when auth was attempted */
+ if (i == 255 && auth_attempted)
+ _exit(EXIT_AUTH_ATTEMPTED);
_exit(i);
}

View File

@ -1,39 +0,0 @@
From fcc66557503124ab98491a598b706a24eb3cf0e1 Mon Sep 17 00:00:00 2001
From: Antonio Larrosa <alarrosa@suse.com>
Date: Mon, 12 Aug 2024 11:32:42 +0200
Subject: [PATCH] Fix a small memory leak in process_server_config_line_depth
The return value of argv_assemble is owned by the caller and should be
free'd. When processing the sSubsystem case there are two calls to
argv_assemble but only one of them is freed. This patch fixes the small
(29 bytes according to valgrind) memory leak.
The output from valgrind:
==115369== 29 bytes in 1 blocks are definitely lost in loss record 573 of 913
==115369== at 0x4845794: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==115369== by 0x124A22: argv_assemble (misc.c:2165)
==115369== by 0x1385E5: process_server_config_line_depth.constprop.0 (servconf.c:2004)
==115369== by 0x13984D: parse_server_config_depth.constprop.0 (servconf.c:3032)
==115369== by 0x139986: parse_server_config.constprop.0 (servconf.c:3049)
==115369== by 0x111C6E: main (sshd.c:1445)
Submitted to upstream at https://github.com/openssh/openssh-portable/pull/515
---
servconf.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/servconf.c b/servconf.c
index 5a20d6f8..0b989b95 100644
--- a/servconf.c
+++ b/servconf.c
@@ -2006,6 +2006,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
xasprintf(&options->subsystem_args[options->num_subsystems],
"%s%s%s", arg, *arg2 == '\0' ? "" : " ", arg2);
free(arg2);
+ free(arg);
argv_consume(&ac);
options->num_subsystems++;
break;
--
2.45.2

View File

@ -754,7 +754,7 @@ Index: openssh-9.6p1/ssh-keygen.c
@@ -3794,6 +3815,15 @@ main(int argc, char **argv)
key_type_name = DEFAULT_KEY_TYPE_NAME;
type = sshkey_type_from_name(key_type_name);
type = sshkey_type_from_shortname(key_type_name);
+
+ /* protocol v1 is not allowed in FIPS mode, DSA is not acceptable because
+ * it has to be 1024 bit due to RFC 4253 using SHA-1 which implies 1024 bit

View File

@ -5,7 +5,7 @@ index e7549470..b68c1710 100644
@@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
kex.o kex-names.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexgexc.o kexgexs.o \
kexsntrup761x25519.o sntrup761.o kexgen.o \
kexsntrup761x25519.o kexmlkem768x25519.o sntrup761.o kexgen.o \
+ kexgssc.o \
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
sshbuf-io.o
@ -1293,9 +1293,9 @@ index a5ae6ac0..fe714141 100644
--- a/kex.h
+++ b/kex.h
@@ -102,6 +102,15 @@ enum kex_exchange {
KEX_ECDH_SHA2,
KEX_C25519_SHA256,
KEX_KEM_SNTRUP761X25519_SHA512,
KEX_KEM_MLKEM768X25519_SHA256,
+#ifdef GSSAPI
+ KEX_GSS_GRP1_SHA1,
+ KEX_GSS_GRP14_SHA1,
@ -3488,7 +3488,7 @@ index af00fb30..03bc87eb 100644
free(hkalgs);
@@ -224,14 +256,44 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
@@ -224,15 +256,45 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
# ifdef OPENSSL_HAS_ECC
ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
# endif
@ -3507,6 +3507,7 @@ index af00fb30..03bc87eb 100644
+#endif /* WITH_OPENSSL */
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
ssh->kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_client;
ssh->kex->verify_host_key=&verify_host_key_callback;
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
@ -3758,7 +3759,7 @@ index 60b2aaf7..d92f03aa 100644
+#endif /* WITH_OPENSSL */
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
kex->load_host_public_key=&get_hostkey_public_by_type;
kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_server;
diff --git a/sshd_config b/sshd_config
index 19b7c91a..2c48105f 100644
--- a/sshd_config

View File

@ -3,7 +3,7 @@ Index: openssh-8.9p1/Makefile.in
--- openssh-8.9p1.orig/Makefile.in
+++ openssh-8.9p1/Makefile.in
@@ -116,7 +116,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
kexsntrup761x25519.o sntrup761.o kexgen.o \
kexsntrup761x25519.o kexmlkem768x25519.o sntrup761.o kexgen.o \
kexgssc.o \
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
- sshbuf-io.o
@ -2245,7 +2245,7 @@ Index: openssh-8.9p1/sshd-session.c
if (the_active_state != NULL && the_authctxt != NULL) {
@@ -2525,7 +2593,9 @@ cleanup_exit(int i)
_exit(EXIT_AUTH_ATTEMPTED);
}
#ifdef SSH_AUDIT_EVENTS
/* done after do_cleanup so it can cancel the PAM auth 'thread' */
- if (the_active_state != NULL && mm_is_monitor())
@ -2254,12 +2254,22 @@ Index: openssh-8.9p1/sshd-session.c
+ mm_is_monitor())
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
#endif
_exit(i);
/* Override default fatal exit value when auth was attempted */
Index: openssh-8.9p1/sshkey.c
===================================================================
--- openssh-8.9p1.orig/sshkey.c
+++ openssh-8.9p1/sshkey.c
@@ -400,6 +400,38 @@ sshkey_type_is_valid_ca(int type)
@@ -35,6 +35,9 @@ sshkey_type_is_valid_ca(int type)
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/pem.h>
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+# include <openssl/core_names.h>
+# endif
#endif
#include "crypto_api.h"
@@ -400,6 +403,53 @@ sshkey_type_is_valid_ca(int type)
}
int
@ -2267,23 +2277,38 @@ Index: openssh-8.9p1/sshkey.c
+{
+ switch (k->type) {
+#ifdef WITH_OPENSSL
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ case KEY_RSA_CERT:
+ case KEY_RSA: {
+ const BIGNUM *d;
+ RSA_get0_key(k->rsa, NULL, NULL, &d);
+ case KEY_RSA:
+ case KEY_ECDSA_CERT:
+ case KEY_ECDSA: {
+ BIGNUM *d = NULL;
+ EVP_PKEY_get_bn_param(k->pkey, OSSL_PKEY_PARAM_PRIV_KEY, &d);
+ return d != NULL;
+ }
+# else /* OPENSSL < 3.0.0 */
+ case KEY_RSA_CERT:
+ case KEY_RSA: {
+ const BIGNUM *d = NULL;
+ RSA *rsakey = EVP_PKEY_get0_RSA(k->pkey);
+ if (rsakey)
+ RSA_get0_key(rsakey, NULL, NULL, &d);
+ return d != NULL;
+ }
+# ifdef OPENSSL_HAS_ECC
+ case KEY_ECDSA_CERT:
+ case KEY_ECDSA: {
+ EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(k->pkey);
+ return (eckey != NULL) && (EC_KEY_get0_private_key(eckey) != NULL);
+ }
+# endif /* OPENSSL_HAS_ECC */
+# endif /* OPENSSL < 3.0.0 */
+ case KEY_DSA_CERT:
+ case KEY_DSA: {
+ const BIGNUM *priv_key;
+ const BIGNUM *priv_key = NULL;
+ DSA_get0_key(k->dsa, NULL, &priv_key);
+ return priv_key != NULL;
+ }
+#ifdef OPENSSL_HAS_ECC
+ case KEY_ECDSA_CERT:
+ case KEY_ECDSA:
+ return EC_KEY_get0_private_key(k->ecdsa) != NULL;
+#endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+ case KEY_ED25519_CERT:
+ case KEY_ED25519:
@ -2303,9 +2328,9 @@ Index: openssh-8.9p1/sshkey.h
--- openssh-8.9p1.orig/sshkey.h
+++ openssh-8.9p1/sshkey.h
@@ -189,6 +189,7 @@ int sshkey_shield_private(struct sshke
int sshkey_unshield_private(struct sshkey *);
int sshkey_type_from_name(const char *);
int sshkey_type_from_shortname(const char *);
+int sshkey_is_private(const struct sshkey *);
int sshkey_is_cert(const struct sshkey *);
int sshkey_is_sk(const struct sshkey *);

View File

@ -160,7 +160,7 @@ Index: openssh-9.6p1/ssh_config.5
.It Cm HostKeyAlias
Specifies an alias that should be used instead of the
real host name when looking up or saving the host key
@@ -1311,36 +1313,30 @@ it may be zero or more of:
@@ -1311,37 +1313,30 @@ it may be zero or more of:
and
.Cm pam .
.It Cm KexAlgorithms
@ -172,7 +172,7 @@ Index: openssh-9.6p1/ssh_config.5
+.Pp
Specifies the permitted KEX (Key Exchange) algorithms that will be used and
their preference order.
The selected algorithm will the the first algorithm in this list that
The selected algorithm will be the first algorithm in this list that
the server also supports.
Multiple algorithms must be comma-separated.
.Pp
@ -194,7 +194,8 @@ Index: openssh-9.6p1/ssh_config.5
-.Pp
-The default is:
-.Bd -literal -offset indent
-sntrup761x25519-sha512@openssh.com,
-sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
-mlkem768x25519-sha256,
-curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256,
@ -534,13 +535,14 @@ Index: openssh-9.6p1/sshd_config.5
.Pp
The supported algorithms are:
.Pp
@@ -1072,16 +1057,6 @@ ecdh-sha2-nistp521
@@ -1072,17 +1057,6 @@ ecdh-sha2-nistp521
sntrup761x25519-sha512@openssh.com
.El
.Pp
-The default is:
-.Bd -literal -offset indent
-sntrup761x25519-sha512@openssh.com,
-sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
-mlkem768x25519-sha256,
-curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256,

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3
size 1910393

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmaCMn0ACgkQKj9BTnNg
YLrjcBAAgO7xhKUXp8YxdqSZigDbcHu7T37bm1pRTKg2ihPepz+q6pV+DY8AHSRu
eyuOCOHYzjLyArFpiMX3z9iT2NqO+KNBvKQoh8loaxNrECmgRGk2jBEKiibFSP5M
i6CYkF3sET9xnVDkt4P6KievWXY1/Tl93qve3K2a/bvvgT8s2AaBMM8u4BMGNm3D
sc3A6euN0aiXRts2V6I885VyrQDMK++E7+eTHet0ex82KH4I+ceIOwB48hny4wpb
Zaqy9pTFisTmFNOF6d3TB58yMWoLQIbLuVrbbbcr7hFYCWsgj0yN5iYQNOR9pU4E
ooF+aC0kK9M4iUXthzjjgIjnMzsCmPeKisbwblsPSfSgccj/pCMzW8C3CMVL6AvG
slSSLK42qm3f38kx3sg2S8LDW0v+hoyvBmKNFMiBwsF2tWCXIG+oP1PDYpJUpaOJ
RFHG7JEPtY94UJGdo5C4YhqDWr3HOqEwuVIt1gWMMPs9IvDkDRo6emmDd64FFAKH
ss3hHixu6OHqU5iw6JIVVtYiur6s9m6N/Xxt5Ho6wuqnzUZ+Dwj3L6lF9IOJbJxU
Ufb70I1Uko9kXcoje9ONUsqr88wfQY+JZxxVTlzDUDadytCzmO3wXsz+cosMQ5Rw
aOZwXYyvmcoZuUQG8GIqRO1wfOcD7o7pI6IyVJQjOeG/rA0eu/4=
=Gj2n
-----END PGP SIGNATURE-----

BIN
openssh-9.9p1.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

16
openssh-9.9p1.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmbspccACgkQKj9BTnNg
YLppxRAAv7eU/Xd2w9MX9vWQdhugiPByEcKg7KuKXUUs9xJGy+HbLqPqUCvn1UW6
qodKoSAdeBuSB7AjzuIQ1lTVX7C67OmZaVPRq25ar5b+Wq4SSlv23KMRq0b4EVyw
pOW6R9tsxqYBwYaiXQ50APcYL8SpepnGU+b/iR15f7q3SU2XMVVtkVb149UdLOqK
smfurbDGwUKFb2Q009MUfEV/d9zq31tdSjphvkqAXCcmxc8siuOYWYcByuysie+m
NpaOpee0047L5JIxNSLsa2yZrJZhClP8LbTCH1Vfwr7l0KE5nvL2qAtPKI2XxGQC
3jXrDLzp10RFxV8sCym+QlY9pZyzGj9d3G7vCHtxWGQ1Y0Qt+xs18OeBpjiehRhl
WM3Y+cjoN35jBaGhOoHdh3ePZQdTUyZ16aSv0h/cUHOohiM7i/4XW+dQtkqsJsw4
a81O0E64WrL8ho3Ju9mwcVZ9A0aEaftJsmJPDB+qYBjF/i7xcnH32LginzP5pel7
/W0aS2C1ZNo3QKHezI6IA9MyENMZiAMy2ybvfmN0HgLBaBY1plJ8a5GvMwJc+Qwh
iCHLCQ6Qgf/1hh+F6liTXnhtedtFHneJdyqvd7XOoardDEipZjxcnGa4HthbDFU+
8XdHKnWWhn4BLA+y7KB3ZGURniQK+qibwkF6J63CuMU+LmG+bvQ=
=Ukrb
-----END PGP SIGNATURE-----

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Sep 23 06:16:59 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
- Update to openssh 9.9p1:
* No changes for askpass, see main package changelog for
details.
-------------------------------------------------------------------
Thu Aug 1 09:17:11 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>

View File

@ -18,7 +18,7 @@
%define _name openssh
Name: openssh-askpass-gnome
Version: 9.8p1
Version: 9.9p1
Release: 0
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
License: BSD-2-Clause

View File

@ -334,11 +334,12 @@ Index: openssh-9.3p2/sshd-session.c
in_cleanup = 1;
extern int auth_attempted; /* monitor.c */
@@ -1604,5 +1610,7 @@ cleanup_exit(int i)
@@ -1604,6 +1610,8 @@ cleanup_exit(int i)
mm_is_monitor())
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
#endif
+
+ clobber_stack();
_exit(i);
}
/* Override default fatal exit value when auth was attempted */
if (i == 255 && auth_attempted)
_exit(EXIT_AUTH_ATTEMPTED);

View File

@ -1,3 +1,157 @@
-------------------------------------------------------------------
Wed Sep 25 10:45:17 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
- Add a const to the openssl 1.1/RSA section of sshkey_is_private
to keep it similar to what it used before the 9.9 rebase:
* openssh-8.1p1-audit.patch
- Add a openssl11 bcond to the spec file for the SLE12 case
instead of checking suse_version in different parts.
- Move conditional patches to a number >= 1000.
-------------------------------------------------------------------
Mon Sep 23 06:16:59 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
- Update to openssh 9.9p1:
= Future deprecation notice
* OpenSSH plans to remove support for the DSA signature algorithm
in early 2025. This release disables DSA by default at compile
time. DSA, as specified in the SSHv2 protocol, is inherently
weak - being limited to a 160 bit private key and use of the
SHA1 digest. Its estimated security level is only 80 bits
symmetric equivalent.
OpenSSH has disabled DSA keys by default since 2015 but has
retained run-time optional support for them. DSA was the only
mandatory-to-implement algorithm in the SSHv2 RFCs, mostly
because alternative algorithms were encumbered by patents when
the SSHv2 protocol was specified.
This has not been the case for decades at this point and better
algorithms are well supported by all actively-maintained SSH
implementations. We do not consider the costs of maintaining
DSA in OpenSSH to be justified and hope that removing it from
OpenSSH can accelerate its wider deprecation in supporting
cryptography libraries.
= Potentially-incompatible changes
* ssh(1): remove support for pre-authentication compression.
OpenSSH has only supported post-authentication compression in
the server for some years. Compression before authentication
significantly increases the attack surface of SSH servers and
risks creating oracles that reveal information about
information sent during authentication.
* ssh(1), sshd(8): processing of the arguments to the "Match"
configuration directive now follows more shell-like rules for
quoted strings, including allowing nested quotes and \-escaped
characters. If configurations contained workarounds for the
previous simplistic quote handling then they may need to be
adjusted. If this is the case, it's most likely to be in the
arguments to a "Match exec" confition. In this case, moving the
command to be evaluated from the Match line to an external
shell script is easiest way to preserve compatibility with both
the old and new versions.
= New features
* ssh(1), sshd(8): add support for a new hybrid post-quantum key
exchange based on the FIPS 203 Module-Lattice Key Enapsulation
mechanism (ML-KEM) combined with X25519 ECDH as described by
https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
This algorithm "mlkem768x25519-sha256" is available by default.
* ssh(1): the ssh_config "Include" directive can now expand
environment as well as the same set of %-tokens "Match Exec"
supports.
* sshd(8): add a sshd_config "RefuseConnection" option that, if
set will terminate the connection at the first authentication
request.
* sshd(8): add a "refuseconnection" penalty class to sshd_config
PerSourcePenalties that is applied when a connection is dropped
by the new RefuseConnection keyword.
* sshd(8): add a "Match invalid-user" predicate to sshd_config
Match options that matches when the target username is not
valid on the server.
* ssh(1), sshd(8): update the Streamlined NTRUPrime code to a
substantially faster implementation.
* ssh(1), sshd(8): the hybrid Streamlined NTRUPrime/X25519 key
exchange algorithm now has an IANA-assigned name in addition to
the "@openssh.com" vendor extension name. This algorithm is now
also available under this name "sntrup761x25519-sha512"
* ssh(1), sshd(8), ssh-agent(1): prevent private keys from being
included in core dump files for most of their lifespans. This
is in addition to pre-existing controls in ssh-agent(1) and
sshd(8) that prevented coredumps. This feature is supported on
OpenBSD, Linux and FreeBSD.
* All: convert key handling to use the libcrypto EVP_PKEY API,
with the exception of DSA.
* sshd(8): add a random amount of jitter (up to 4 seconds) to the
grace login time to make its expiry unpredictable.
= Bugfixes
* sshd(8): relax absolute path requirement back to what it was
prior to OpenSSH 9.8, which incorrectly required that sshd was
started with an absolute path in inetd mode. bz3717
* sshd(8): fix regression introduced in openssh-9.8 that swapped
the order of source and destination addresses in some sshd log
messages.
* sshd(8): do not apply authorized_keys options when signature
verification fails. Prevents more restrictive key options being
incorrectly applied to subsequent keys in authorized_keys.
bz3733
* ssh-keygen(1): include pathname in some of ssh-keygen's
passphrase prompts. Helps the user know what's going on when
ssh-keygen is invoked via other tools. Requested in GHPR503
* ssh(1), ssh-add(1): make parsing user@host consistently look
for the last '@' in the string rather than the first. This
makes it possible to more consistently use usernames that
contain '@' characters.
* ssh(1), sshd(8): be more strict in parsing key type names. Only
allow short names (e.g "rsa") in user-interface code and
require full SSH protocol names (e.g. "ssh-rsa") everywhere
else. bz3725
* regress: many performance and correctness improvements to the
re-keying regression test.
* ssh-keygen(1): clarify that ed25519 is the default key type
generated and clarify that rsa-sha2-512 is the default
signature scheme when RSA is in use. GHPR505
* sshd(8): fix minor memory leak in Subsystem option parsing;
GHPR515
* All: additional hardening and consistency checks for the sshbuf
code.
* sshd(8): reduce default logingrace penalty to ensure that a
single forgotton login that times out will be below the penalty
threshold.
* ssh(1): fix proxy multiplexing (-O proxy) bug. If a mux started
with ControlPersist then later has a forwarding added using mux
proxy connection and the forwarding was used, then when the mux
proxy session terminated, the mux master process would issue a
bad message that terminated the connection.
= Portability
* sync contrib/ssh-copy-id to the latest upstream version.
* regress: improve portablility for some awk(1) usage
(e.g. Solaris)
* In the contrib/redhat RPM spec file, without_openssl was
previously incorrectly enabled unconditionally.
* sshd(8) restore audit call before exit that regressed in
openssh-9.8. Fixes an issue where the SSH_CONNECTION_ABANDON
event was not recorded.
* sshd(8): add support for class-imposed loging restrictions on
FreeBSD. Allowing auth_hostok(3) and auth_timeok(3) to control
logins.
* Build fixes for Musl libc.
* Fix detection of setres*id on GNU/Hurd
- Drop patches that were already merged by upstream:
* fix-memleak-in-process_server_config_line_depth.patch
* fix-audit-fail-attempt.patch
- Rebase patch with significant changes:
* openssh-8.1p1-audit.patch
- Rebase patches with context or trivial changes:
* openssh-7.7p1-fips.patch
* openssh-8.0p1-gssapi-keyex.patch
* openssh-9.6p1-crypto-policies-man.patch
* openssh-mitigate-lingering-secrets.patch
- Several spec file fixes so the package builds and can be
installed in SLE 15 SP5 and SLE 12 SP5
- Use gcc11 when building in SLE12 and SLE15.
-------------------------------------------------------------------
Thu Sep 12 07:43:18 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>

View File

@ -34,12 +34,24 @@
%bcond_without allow_root_password_login_by_default
%endif
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150600
%bcond_without crypto_policies
%else
%bcond_with crypto_policies
%endif
%if 0%{?suse_version} < 1500
%bcond_without openssl11
%else
%bcond_with openssl11
%endif
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: openssh
Version: 9.8p1
Version: 9.9p1
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT
@ -126,20 +138,22 @@ Patch103: openssh-6.6p1-privsep-selinux.patch
Patch104: openssh-6.6p1-keycat.patch
Patch105: openssh-6.6.1p1-selinux-contexts.patch
Patch106: openssh-7.6p1-cleanup-selinux.patch
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
Patch107: openssh-9.6p1-crypto-policies.patch
Patch108: openssh-9.6p1-crypto-policies-man.patch
Patch109: fix-memleak-in-process_server_config_line_depth.patch
# PATCH-FIX-UPSTREAM alarrosa@suse.com -- https://github.com/openssh/openssh-portable/pull/516
Patch110: fix-audit-fail-attempt.patch
# 200 - 300 -- Patches submitted to upstream
# PATCH-FIX-UPSTREAM -- https://github.com/openssh/openssh-portable/pull/452 boo#1229010
Patch111: 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
Patch200: 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
# 1000 - 2000 -- Conditional patches
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
%if 0%{with crypto_policies}
Patch1000: openssh-9.6p1-crypto-policies.patch
Patch1001: openssh-9.6p1-crypto-policies-man.patch
%endif
%if 0%{with allow_root_password_login_by_default}
Patch1000: openssh-7.7p1-allow_root_password_login.patch
# PATCH-FIX-SLE Allow root login with password by default (for SLE12 and SLE15)
Patch1002: openssh-7.7p1-allow_root_password_login.patch
%endif
BuildRequires: audit-devel
BuildRequires: automake
%if 0%{?sle_version} >= 150500
%if 0%{?suse_version} <= 1600
BuildRequires: gcc11
%endif
BuildRequires: groff
@ -148,7 +162,12 @@ BuildRequires: libselinux-devel
%if %{with ldap}
BuildRequires: openldap2-devel
%endif
%if 0%{with openssl11}
BuildRequires: libopenssl-1_1-devel
BuildRequires: openssl-1_1
%else
BuildRequires: openssl-devel
%endif
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: zlib-devel
@ -158,7 +177,7 @@ BuildRequires: sysuser-shadow
BuildRequires: sysuser-tools
Requires: %{name}-clients = %{version}-%{release}
Requires: %{name}-server = %{version}-%{release}
%if 0%{?suse_version} >= 1550
%if 0%{?suse_version} >= 1550 || 0%{?suse_version} < 1500
BuildRequires: pkgconfig(krb5)
%else
BuildRequires: krb5-mini-devel
@ -204,7 +223,9 @@ clients.
Summary: SSH (Secure Shell) server
Group: Productivity/Networking/SSH
Requires: %{name}-common = %{version}-%{release}
%if 0%{with crypto_policies}
Requires: crypto-policies >= 20220824
%endif
Recommends: audit
Requires(pre): findutils
Requires(pre): grep
@ -260,7 +281,9 @@ ssh-copy-id(1).
%package clients
Summary: SSH (Secure Shell) client applications
Group: Productivity/Networking/SSH
%if 0%{with crypto_policies}
Requires: crypto-policies >= 20220824
%endif
Requires: %{name}-common = %{version}-%{release}
Provides: openssh:%{_bindir}/ssh
@ -329,7 +352,7 @@ sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
)
%build
%if 0%{?sle_version} >= 150500
%if 0%{?suse_version} <= 1600
export CC=gcc-11
%endif
autoreconf -fiv
@ -426,12 +449,14 @@ mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buil
%endif
%endif
%if 0%{with crypto_policies}
install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
%if %{defined _distconfdir}
install -m 644 sshd_config_suse_cp %{buildroot}%{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
%else
install -m 644 sshd_config_suse_cp %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
%endif
%endif
%if 0%{?suse_version} < 1550
# install firewall definitions
@ -457,13 +482,19 @@ install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf
#
# this shows up earlier because otherwise the %%expand of
# the macro is too late.
%if 0%{with openssl11}
%define opensslbin openssl-1_1
%else
%define opensslbin openssl
%endif
%{expand:%%global __os_install_post {%__os_install_post
for b in \
%{_bindir}/ssh \
%{_sbindir}/sshd \
%{_libexecdir}/ssh/sftp-server \
; do
openssl dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
%{opensslbin} dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
done
}}
@ -481,6 +512,7 @@ test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/
%{fillup_only -n ssh}
%service_add_post sshd.service sshd.socket
%if 0%{with crypto_policies}
%if ! %{defined _distconfdir}
test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
@ -489,6 +521,7 @@ test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.c
echo "/etc/ssh/sshd_config :"
echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
%endif
%endif
%preun server
%service_del_preun sshd.service sshd.socket
@ -503,6 +536,7 @@ else
%service_del_postun sshd.service sshd.socket
fi
%if 0%{with crypto_policies}
%if ! %{defined _distconfdir}
%post server-config-disallow-rootlogin
test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
@ -512,6 +546,7 @@ test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.c
echo "the following line is added at the start of /etc/ssh/sshd_config :"
echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
%endif
%endif
%if %{defined _distconfdir}
%posttrans server
@ -526,6 +561,7 @@ test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/
test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config.rpmsave.old ||:
%endif
%if 0%{with crypto_policies}
%if ! %{defined _distconfdir}
%post clients
test -f /etc/ssh/ssh_config && (grep -q "^Include /etc/ssh/ssh_config\.d/\*\.conf" /etc/ssh/ssh_config || ( \
@ -535,6 +571,7 @@ test -f /etc/ssh/ssh_config && (grep -q "^Include /etc/ssh/ssh_config\.d/\*\.con
echo "/etc/ssh/ssh_config :"
echo "Include /etc/ssh/ssh_config.d/*.conf" ) ) ||:
%endif
%endif
%if %{defined _distconfdir}
%posttrans clients
@ -582,11 +619,13 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
%endif
%if 0%{with crypto_policies}
%if %{defined _distconfdir}
%attr(0600,root,root) %config(noreplace) %{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
%else
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
%endif
%endif
%attr(0644,root,root) %{_unitdir}/sshd.service
%attr(0644,root,root) %{_unitdir}/sshd@.service
%attr(0644,root,root) %{_unitdir}/sshd.socket
@ -624,8 +663,10 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
%endif
%files clients
%if 0%{with crypto_policies}
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
%endif
%if %{defined _distconfdir}
%attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
%else