Gemeinsame Unterverzeichnisse: openssh-8.4p1/contrib und openssh-8.4p1-vendor/contrib.
Index: openssh-8.9p1/dh.c
===================================================================
--- openssh-8.9p1.orig/dh.c
+++ openssh-8.9p1/dh.c
@@ -54,7 +54,17 @@ void dh_set_moduli_file(const char *file
 static const char *
 get_moduli_filename(void)
 {
- return moduli_filename ? moduli_filename : _PATH_DH_MODULI;
+ struct stat st;
+
+ if (moduli_filename)
+ return moduli_filename;
+
+ if (stat(_PATH_VENDOR_DH_MODULI, &st) == 0 &&
+ stat(_PATH_DH_MODULI, &st) == -1) {
+ return _PATH_VENDOR_DH_MODULI;
+ }
+
+ return _PATH_DH_MODULI;
 }
 static int
Index: openssh-8.9p1/pathnames.h
===================================================================
--- openssh-8.9p1.orig/pathnames.h
+++ openssh-8.9p1/pathnames.h
@@ -18,6 +18,8 @@
 #define SSHDIR ETCDIR "/ssh"
 #endif
+#define VENDORDIR "/usr/etc/ssh"
+
 #ifndef _PATH_SSH_PIDDIR
 #define _PATH_SSH_PIDDIR "/var/run"
 #endif
@@ -35,13 +37,17 @@
 * should be world-readable.
 */
 #define _PATH_SERVER_CONFIG_FILE SSHDIR "/sshd_config"
+#define _PATH_SERVER_VENDOR_CONFIG_FILE VENDORDIR "/sshd_config"
 #define _PATH_HOST_CONFIG_FILE SSHDIR "/ssh_config"
+#define _PATH_HOST_VENDOR_CONFIG_FILE VENDORDIR "/ssh_config"
 #define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key"
 #define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key"
 #define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key"
 #define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key"
 #define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
 #define _PATH_DH_MODULI SSHDIR "/moduli"
+#define _PATH_VENDOR_DH_MODULI VENDORDIR "/moduli"
+
 #ifndef _PATH_SSH_PROGRAM
 #define _PATH_SSH_PROGRAM "/usr/bin/ssh"
Index: openssh-8.9p1/ssh.c
===================================================================
--- openssh-8.9p1.orig/ssh.c
+++ openssh-8.9p1/ssh.c
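Review bot: The fallback in get_moduli_filename treats any stat() failure on _PATH_DH_MODULI as "file absent", so a transient EACCES or an I/O error on the admin moduli file silently switches the group-exchange moduli to the vendor copy, which is broader than the "only the vendor file exists" intent stated in the sibling hunks. Test for absence specifically, `stat(_PATH_DH_MODULI, &st) == -1 && errno == ENOENT`, and return _PATH_DH_MODULI (so the real error surfaces at open time) otherwise. The same condition shape is repeated in ssh.c process_config_files and sshd.c main and wants the same fix. The hunk does not add `#include <sys/stat.h>` or `<errno.h>`; presumably dh.c gets them through includes.h, but confirm, since `struct stat` and stat() are otherwise undeclared here.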
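Review bot: VENDORDIR is defined unconditionally, unlike the neighbouring SSHDIR and _PATH_SSH_PIDDIR definitions that are wrapped in #ifndef so a build can override them; wrap it the same way: `#ifndef VENDORDIR` / `#define VENDORDIR "/usr/etc/ssh"` / `#endif`. Hard-coding /usr/etc/ssh also ignores the configure-time ETCDIR prefix, so a build with a non-default sysconfdir still falls back to a vendor path under /usr/etc; if that is intended for this distribution, a one-line comment next to the define saying so would spare the next reader the question. The second pathnames.h hunk only derives the _PATH_*_VENDOR_* names from VENDORDIR and needs no further change.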
@@ -549,6 +549,7 @@ static void
 process_config_files(const char *host_name, struct passwd *pw, int final_pass,
 int *want_final_pass)
 {
+ struct stat st;
 char buf[PATH_MAX];
 int r;
@@ -567,10 +568,23 @@ process_config_files(const char *host_na
 &options, SSHCONF_CHECKPERM | SSHCONF_USERCONF |
 (final_pass ? SSHCONF_FINAL : 0), want_final_pass);
- /* Read systemwide configuration file after user config. */
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
- host, host_name, &options,
- final_pass ? SSHCONF_FINAL : 0, want_final_pass);
+ /* If only the vendor configuration file exists, use that.
+ * Else use the standard configuration file.
+ */
+ if (stat(_PATH_HOST_VENDOR_CONFIG_FILE, &st) == 0 &&
+ stat(_PATH_HOST_CONFIG_FILE, &st) == -1) {
+ /* Read vendor distributed configuration file. */
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE,
+ pw, host, host_name, &options,
+ final_pass ? SSHCONF_FINAL : 0,
+ want_final_pass);
+ } else {
+ /* Read systemwide configuration file after user config. */
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
+ host, host_name, &options,
+ final_pass ? SSHCONF_FINAL : 0,
+ want_final_pass);
+ }
 }
 }
Index: openssh-8.9p1/ssh_config.5
===================================================================
--- openssh-8.9p1.orig/ssh_config.5
+++ openssh-8.9p1/ssh_config.5
@@ -54,6 +54,9 @@ user's configuration file
 .It
 system-wide configuration file
 .Pq Pa /etc/ssh/ssh_config
+.It
+vendor configuration file
+.Pq Pa /usr/etc/ssh/ssh_config
 .El
 .Pp
 Unless noted otherwise, for each parameter, the first obtained value
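Review bot: The two branches of the new if/else in process_config_files differ only in the path handed to read_config_file, so the call, its five arguments and the final_pass expression are written out twice and will drift apart on the next edit. Pick the path first and keep the single original call: `const char *sysconf = _PATH_HOST_CONFIG_FILE;` then `if (stat(_PATH_HOST_VENDOR_CONFIG_FILE, &st) == 0 && stat(_PATH_HOST_CONFIG_FILE, &st) == -1) sysconf = _PATH_HOST_VENDOR_CONFIG_FILE;` and `(void)read_config_file(sysconf, pw, host, host_name, &options, final_pass ? SSHCONF_FINAL : 0, want_final_pass);`. The added block comment also opens with text on the `/*` line, whereas the surrounding OpenSSH code puts `/*` on its own line. process_config_files begins before this hunk; its declarations are in the previous hunk.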
@@ -2220,6 +2223,11 @@ This file provides defaults for those values that are not specified in the user's configuration file, and for those users who do not have a configuration file.
 This file must be world-readable.
+.It Pa /usr/etc/ssh/ssh_config
+Vendor specific configuraiton file.
+This file provides the vendor defaults and is used as fallback if the
+.Ic /etc/ssh/ssh_config
+configuration file does not exist.
 .El
 .Sh SEE ALSO
 .Xr ssh 1
Index: openssh-8.9p1/sshd.c
===================================================================
--- openssh-8.9p1.orig/sshd.c
+++ openssh-8.9p1/sshd.c
@@ -1201,7 +1201,8 @@ prepare_proctitle(int ac, char **av)
 extern char *optarg;
 extern int optind;
 int log_stderr = 0, inetd_flag = 0, test_flag = 0, no_daemon_flag = 0;
- char *config_file_name = _PATH_SERVER_CONFIG_FILE;
+ char *config_file_name = NULL;
+ struct stat st;
 int r, opt, do_dump_cfg = 0, keytype, already_daemon, have_agent = 0;
 int sock_in = -1, sock_out = -1, newsock = -1, rexec_argc = 0;
 int devnull, config_s[2] = { -1 , -1 }, have_connection_info = 0;
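Review bot: config_file_name now starts out NULL rather than _PATH_SERVER_CONFIG_FILE and is only resolved in the later main() hunk immediately before load_server_config, so any use of it between option parsing and that point would now pass a NULL pointer, for instance through a `%s` in a fatal() or debug() call. The hunk shows no such use and the intervening part of main() is outside my view, so this needs a check of main() for config_file_name references before the resolution point. A comment on the declaration would also help, e.g. `/* NULL until resolved after option parsing (vendor fallback), or set by -f */`. main() starts before and continues after this hunk.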
@@ -1806,7 +1807,21 @@ main(int ac, char **av)
 /* Fetch our configuration */
 if ((cfg = sshbuf_new()) == NULL)
 fatal("sshbuf_new config failed");
+ if (config_file_name == NULL) {
+ /* If only the vendor configuration file exists, use that.
+ * Else use the standard configuration file.
+ */
+ if (stat(_PATH_SERVER_VENDOR_CONFIG_FILE, &st) == 0 &&
+ stat(_PATH_SERVER_CONFIG_FILE, &st) == -1) {
+ /* fill with global distributor settings */
+ config_file_name = _PATH_SERVER_VENDOR_CONFIG_FILE;
+ } else {
+ /* load global admin settings */
+ config_file_name = _PATH_SERVER_CONFIG_FILE;
+ }
+ load_server_config(config_file_name, cfg);
- if (strcasecmp(config_file_name, "none") != 0)
+ } else if (strcasecmp(config_file_name, "none") != 0)
+ /* load config specified on commandline */
 load_server_config(config_file_name, cfg);
 parse_server_config(&options, config_file_name, cfg,
Index: openssh-8.9p1/sshd_config.5
===================================================================
--- openssh-8.9p1.orig/sshd_config.5
+++ openssh-8.9p1/sshd_config.5
@@ -44,7 +44,9 @@
 .Xr sshd 8
 reads configuration data from
 .Pa /etc/ssh/sshd_config
-(or the file specified with
+(
+.Pa /usr/etc/ssh/sshd_config
+if the file does not exist or the file specified with
 .Fl f
 on the command line).
 The file contains keyword-argument pairs, one per line.
Index: openssh-8.9p1/ssh-keysign.c
===================================================================
--- openssh-8.9p1.orig/ssh-keysign.c
+++ openssh-8.9p1/ssh-keysign.c
@@ -186,6 +186,7 @@ main(int argc, char **argv)
 u_char *signature, *data, rver;
 char *host, *fp, *pkalg;
 size_t slen, dlen;
+ struct stat st;
 if (pledge("stdio rpath getpw dns id", NULL) != 0)
 fatal("%s: pledge: %s", __progname, strerror(errno));
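Review bot: The new `} else if (strcasecmp(config_file_name, "none") != 0)` branch leaves its single-statement body unbraced and separated from the condition by a comment line, which is exactly the shape that invites a misplaced-statement bug on the next edit; brace it, `} else if (strcasecmp(config_file_name, "none") != 0) { /* config given with -f */ load_server_config(config_file_name, cfg); }`. The vendor fallback is also silent: when sshd ends up reading /usr/etc/ssh/sshd_config nothing in the logs or in `sshd -T` output says so, which makes "my sshd_config setting has no effect" reports hard to diagnose; a `debug("reading configuration from %s", config_file_name);` after the selection would cover both paths cheaply. Since the choice is re-evaluated on every start-up path that reaches this code, it is worth confirming that a re-executed sshd child started without -f makes the same choice its parent did if the admin file appears in between. main() starts before and continues after this hunk.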
@@ -219,8 +220,14 @@ main(int argc, char **argv)
 /* verify that ssh-keysign is enabled by the admin */
 initialize_options(&options);
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
- &options, 0, NULL);
+
+ if (stat(_PATH_HOST_CONFIG_FILE, &st) == 0)
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
+ &options, 0, NULL);
+ else
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE, pw, "", "",
+ &options, 0, NULL);
+
 (void)fill_default_options(&options);
 if (options.enable_ssh_keysign != 1)
 fatal("ssh-keysign not enabled in %s",
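Review bot: The selection here is shaped differently from the one in ssh.c: ssh uses the vendor file only when it exists and the admin file does not, while ssh-keysign reads the admin file whenever stat() succeeds and otherwise unconditionally tries the vendor file. The two agree in practice today (when neither file exists both reads fail and enable_ssh_keysign stays unset), but ssh-keysign is the setuid half of host-based authentication and must evaluate exactly the file ssh evaluated, so the condition should be written identically in both places (or factored into one helper) rather than left to stay equivalent by accident. The fatal() on the last line presumably still names _PATH_HOST_CONFIG_FILE in its argument on the next, unseen line, which is misleading when the vendor file was the one read; keep the chosen path in a `const char *cfg_path`, pass it to the single read_config_file call, and print it in the fatal(). main() continues outside the hunk.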