03fc1a6def
- Update to openssh 9.3p1
* No changes for askpass, see main package changelog for
details
- Update to openssh 9.3p1:
= Security
* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
per-hop destination constraints (ssh-add -h ...) added in
OpenSSH 8.9, a logic error prevented the constraints from being
communicated to the agent. This resulted in the keys being added
without constraints. The common cases of non-smartcard keys and
keys without destination constraints are unaffected. This
problem was reported by Luci Stanescu.
* ssh(1): Portable OpenSSH provides an implementation of the
getrrsetbyname(3) function if the standard library does not
provide it, for use by the VerifyHostKeyDNS feature. A
specifically crafted DNS response could cause this function to
perform an out-of-bounds read of adjacent stack data, but this
condition does not appear to be exploitable beyond denial-of-
service to the ssh(1) client.
The getrrsetbyname(3) replacement is only included if the
system's standard library lacks this function and portable
OpenSSH was not compiled with the ldns library (--with-ldns).
getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to
fetch SSHFP records. This problem was found by the Coverity
static analyzer.
= New features
* ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256
when outputting SSHFP fingerprints to allow algorithm
selection. bz3493
OBS-URL: https://build.opensuse.org/request/show/1087770
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=247
209 lines
7.0 KiB
Diff
209 lines
7.0 KiB
Diff
Gemeinsame Unterverzeichnisse: openssh-8.4p1/contrib und openssh-8.4p1-vendor/contrib.
|
|
Index: openssh-8.9p1/dh.c
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/dh.c
|
|
+++ openssh-8.9p1/dh.c
|
|
@@ -54,7 +54,17 @@ void dh_set_moduli_file(const char *file
|
|
|
|
static const char * get_moduli_filename(void)
|
|
{
|
|
- return moduli_filename ? moduli_filename : _PATH_DH_MODULI;
|
|
+ struct stat st;
|
|
+
|
|
+ if (moduli_filename)
|
|
+ return moduli_filename;
|
|
+
|
|
+ if (stat(_PATH_VENDOR_DH_MODULI, &st) == 0 &&
|
|
+ stat(_PATH_DH_MODULI, &st) == -1) {
|
|
+ return _PATH_VENDOR_DH_MODULI;
|
|
+ }
|
|
+
|
|
+ return _PATH_DH_MODULI;
|
|
}
|
|
|
|
static int
|
|
Index: openssh-8.9p1/pathnames.h
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/pathnames.h
|
|
+++ openssh-8.9p1/pathnames.h
|
|
@@ -18,6 +18,8 @@
|
|
#define SSHDIR ETCDIR "/ssh"
|
|
#endif
|
|
|
|
+#define VENDORDIR "/usr/etc/ssh"
|
|
+
|
|
#ifndef _PATH_SSH_PIDDIR
|
|
#define _PATH_SSH_PIDDIR "/var/run"
|
|
#endif
|
|
@@ -35,13 +37,17 @@
|
|
* should be world-readable.
|
|
*/
|
|
#define _PATH_SERVER_CONFIG_FILE SSHDIR "/sshd_config"
|
|
+#define _PATH_SERVER_VENDOR_CONFIG_FILE VENDORDIR "/sshd_config"
|
|
#define _PATH_HOST_CONFIG_FILE SSHDIR "/ssh_config"
|
|
+#define _PATH_HOST_VENDOR_CONFIG_FILE VENDORDIR "/ssh_config"
|
|
#define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key"
|
|
#define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key"
|
|
#define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key"
|
|
#define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key"
|
|
#define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
|
|
#define _PATH_DH_MODULI SSHDIR "/moduli"
|
|
+#define _PATH_VENDOR_DH_MODULI VENDORDIR "/moduli"
|
|
+
|
|
|
|
#ifndef _PATH_SSH_PROGRAM
|
|
#define _PATH_SSH_PROGRAM "/usr/bin/ssh"
|
|
Index: openssh-8.9p1/ssh.c
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/ssh.c
|
|
+++ openssh-8.9p1/ssh.c
|
|
@@ -549,6 +549,7 @@ static void
|
|
process_config_files(const char *host_name, struct passwd *pw, int final_pass,
|
|
int *want_final_pass)
|
|
{
|
|
+ struct stat st;
|
|
char buf[PATH_MAX];
|
|
int r;
|
|
|
|
@@ -567,10 +568,23 @@ process_config_files(const char *host_na
|
|
&options, SSHCONF_CHECKPERM | SSHCONF_USERCONF |
|
|
(final_pass ? SSHCONF_FINAL : 0), want_final_pass);
|
|
|
|
- /* Read systemwide configuration file after user config. */
|
|
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
|
|
- host, host_name, &options,
|
|
- final_pass ? SSHCONF_FINAL : 0, want_final_pass);
|
|
+ /* If only the vendor configuration file exists, use that.
|
|
+ * Else use the standard configuration file.
|
|
+ */
|
|
+ if (stat(_PATH_HOST_VENDOR_CONFIG_FILE, &st) == 0 &&
|
|
+ stat(_PATH_HOST_CONFIG_FILE, &st) == -1) {
|
|
+ /* Read vendor distributed configuration file. */
|
|
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE,
|
|
+ pw, host, host_name, &options,
|
|
+ final_pass ? SSHCONF_FINAL : 0,
|
|
+ want_final_pass);
|
|
+ } else {
|
|
+ /* Read systemwide configuration file after user config. */
|
|
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
|
|
+ host, host_name, &options,
|
|
+ final_pass ? SSHCONF_FINAL : 0,
|
|
+ want_final_pass);
|
|
+ }
|
|
}
|
|
}
|
|
|
|
Index: openssh-8.9p1/ssh_config.5
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/ssh_config.5
|
|
+++ openssh-8.9p1/ssh_config.5
|
|
@@ -54,6 +54,9 @@ user's configuration file
|
|
.It
|
|
system-wide configuration file
|
|
.Pq Pa /etc/ssh/ssh_config
|
|
+.It
|
|
+vendor configuration file
|
|
+.Pq Pa /usr/etc/ssh/ssh_config
|
|
.El
|
|
.Pp
|
|
Unless noted otherwise, for each parameter, the first obtained value
|
|
@@ -2220,6 +2223,11 @@ This file provides defaults for those
|
|
values that are not specified in the user's configuration file, and
|
|
for those users who do not have a configuration file.
|
|
This file must be world-readable.
|
|
+.It Pa /usr/etc/ssh/ssh_config
|
|
+Vendor specific configuraiton file.
|
|
+This file provides the vendor defaults and is used as fallback if the
|
|
+.Ic /etc/ssh/ssh_config
|
|
+configuration file does not exist.
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr ssh 1
|
|
Index: openssh-8.9p1/sshd.c
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/sshd.c
|
|
+++ openssh-8.9p1/sshd.c
|
|
@@ -148,7 +148,7 @@ extern char *__progname;
|
|
ServerOptions options;
|
|
|
|
/* Name of the server configuration file. */
|
|
-char *config_file_name = _PATH_SERVER_CONFIG_FILE;
|
|
+char *config_file_name = NULL;
|
|
|
|
/*
|
|
* Debug mode flag. This can be set on the command line. If debug
|
|
@@ -1591,6 +1591,7 @@ prepare_proctitle(int ac, char **av)
|
|
int
|
|
main(int ac, char **av)
|
|
{
|
|
+ struct stat st;
|
|
struct ssh *ssh = NULL;
|
|
extern char *optarg;
|
|
extern int optind;
|
|
@@ -1806,7 +1807,21 @@ main(int ac, char **av)
|
|
*/
|
|
(void)atomicio(vwrite, startup_pipe, "\0", 1);
|
|
}
|
|
+ } else if (config_file_name == NULL) {
|
|
+ /* If only the vendor configuration file exists, use that.
|
|
+ * Else use the standard configuration file.
|
|
+ */
|
|
+ if (stat(_PATH_SERVER_VENDOR_CONFIG_FILE, &st) == 0 &&
|
|
+ stat(_PATH_SERVER_CONFIG_FILE, &st) == -1) {
|
|
+ /* fill with global distributor settings */
|
|
+ config_file_name = _PATH_SERVER_VENDOR_CONFIG_FILE;
|
|
+ } else {
|
|
+ /* load global admin settings */
|
|
+ config_file_name = _PATH_SERVER_CONFIG_FILE;
|
|
+ }
|
|
+ load_server_config(config_file_name, cfg);
|
|
} else if (strcasecmp(config_file_name, "none") != 0)
|
|
+ /* load config specified on commandline */
|
|
load_server_config(config_file_name, cfg);
|
|
|
|
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
|
Index: openssh-8.9p1/sshd_config.5
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/sshd_config.5
|
|
+++ openssh-8.9p1/sshd_config.5
|
|
@@ -44,7 +44,9 @@
|
|
.Xr sshd 8
|
|
reads configuration data from
|
|
.Pa /etc/ssh/sshd_config
|
|
-(or the file specified with
|
|
+(
|
|
+.Pa /usr/etc/ssh/sshd_config
|
|
+if the file does not exist or the file specified with
|
|
.Fl f
|
|
on the command line).
|
|
The file contains keyword-argument pairs, one per line.
|
|
Index: openssh-8.9p1/ssh-keysign.c
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/ssh-keysign.c
|
|
+++ openssh-8.9p1/ssh-keysign.c
|
|
@@ -186,6 +186,7 @@ main(int argc, char **argv)
|
|
u_char *signature, *data, rver;
|
|
char *host, *fp, *pkalg;
|
|
size_t slen, dlen;
|
|
+ struct stat st;
|
|
|
|
if (pledge("stdio rpath getpw dns id", NULL) != 0)
|
|
fatal("%s: pledge: %s", __progname, strerror(errno));
|
|
@@ -219,8 +220,14 @@ main(int argc, char **argv)
|
|
|
|
/* verify that ssh-keysign is enabled by the admin */
|
|
initialize_options(&options);
|
|
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
|
|
- &options, 0, NULL);
|
|
+
|
|
+ if (stat(_PATH_HOST_CONFIG_FILE, &st) == 0)
|
|
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
|
|
+ &options, 0, NULL);
|
|
+ else
|
|
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE, pw, "", "",
|
|
+ &options, 0, NULL);
|
|
+
|
|
(void)fill_default_options(&options);
|
|
if (options.enable_ssh_keysign != 1)
|
|
fatal("ssh-keysign not enabled in %s",
|