Antonio Larrosa
52583b8481
- Update to openssh 10.0p1:
* No changes for askpass, see main package changelog for
details.
- Update to openssh 10.0p1:
= Potentially-incompatible changes
* This release removes support for the weak DSA signature
algorithm, completing the deprecation process that began in
2015 (when DSA was disabled by default) and repeatedly warned
over the last 12 months.
* scp(1), sftp(1): pass "ControlMaster no" to ssh when invoked by
scp & sftp. This disables implicit session creation by these
tools when ControlMaster was set to yes/auto by configuration,
which some users found surprising. This change will not prevent
scp/sftp from using an existing multiplexing session if one had
already been created. GHPR557
* This release has the version number 10.0 and announces itself
as "SSH-2.0-OpenSSH_10.0". Software that naively matches
versions using patterns like "OpenSSH_1*" may be confused by
this.
* sshd(8): this release removes the code responsible for the
user authentication phase of the protocol from the per-
connection sshd-session binary to a new sshd-auth binary.
Splitting this code into a separate binary ensures that the
crucial pre-authentication attack surface has an entirely
disjoint address space from the code used for the rest of the
connection. It also yields a small runtime memory saving as the
authentication code will be unloaded after the authentication
phase completes. This change should be largely invisible to
users, though some log messages may now come from "sshd-auth"
OBS-URL: https://build.opensuse.org/request/show/1268126
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=286
203 lines
7.1 KiB
Diff
203 lines
7.1 KiB
Diff
Gemeinsame Unterverzeichnisse: openssh-8.4p1/contrib und openssh-8.4p1-vendor/contrib.
|
|
Index: openssh-8.9p1/dh.c
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/dh.c
|
|
+++ openssh-8.9p1/dh.c
|
|
@@ -54,7 +54,17 @@ void dh_set_moduli_file(const char *file
|
|
|
|
static const char * get_moduli_filename(void)
|
|
{
|
|
- return moduli_filename ? moduli_filename : _PATH_DH_MODULI;
|
|
+ struct stat st;
|
|
+
|
|
+ if (moduli_filename)
|
|
+ return moduli_filename;
|
|
+
|
|
+ if (stat(_PATH_VENDOR_DH_MODULI, &st) == 0 &&
|
|
+ stat(_PATH_DH_MODULI, &st) == -1) {
|
|
+ return _PATH_VENDOR_DH_MODULI;
|
|
+ }
|
|
+
|
|
+ return _PATH_DH_MODULI;
|
|
}
|
|
|
|
static int
|
|
Index: openssh-8.9p1/pathnames.h
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/pathnames.h
|
|
+++ openssh-8.9p1/pathnames.h
|
|
@@ -18,6 +18,8 @@
|
|
#define SSHDIR ETCDIR "/ssh"
|
|
#endif
|
|
|
|
+#define VENDORDIR "/usr/etc/ssh"
|
|
+
|
|
#ifndef _PATH_SSH_PIDDIR
|
|
#define _PATH_SSH_PIDDIR "/var/run"
|
|
#endif
|
|
@@ -35,13 +37,17 @@
|
|
* should be world-readable.
|
|
*/
|
|
#define _PATH_SERVER_CONFIG_FILE SSHDIR "/sshd_config"
|
|
+#define _PATH_SERVER_VENDOR_CONFIG_FILE VENDORDIR "/sshd_config"
|
|
#define _PATH_HOST_CONFIG_FILE SSHDIR "/ssh_config"
|
|
+#define _PATH_HOST_VENDOR_CONFIG_FILE VENDORDIR "/ssh_config"
|
|
#define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key"
|
|
#define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key"
|
|
#define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key"
|
|
#define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key"
|
|
#define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
|
|
#define _PATH_DH_MODULI SSHDIR "/moduli"
|
|
+#define _PATH_VENDOR_DH_MODULI VENDORDIR "/moduli"
|
|
+
|
|
|
|
#ifndef _PATH_SSH_PROGRAM
|
|
#define _PATH_SSH_PROGRAM "/usr/bin/ssh"
|
|
Index: openssh-8.9p1/ssh.c
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/ssh.c
|
|
+++ openssh-8.9p1/ssh.c
|
|
@@ -549,6 +549,7 @@ static void
|
|
process_config_files(const char *host_name, struct passwd *pw,
|
|
int final_pass, int *want_final_pass)
|
|
{
|
|
+ struct stat st;
|
|
char *cmd, buf[PATH_MAX];
|
|
int r;
|
|
|
|
@@ -567,10 +568,23 @@ process_config_files(const char *host_na
|
|
&options, SSHCONF_CHECKPERM | SSHCONF_USERCONF |
|
|
(final_pass ? SSHCONF_FINAL : 0), want_final_pass);
|
|
|
|
- /* Read systemwide configuration file after user config. */
|
|
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
|
|
- host, host_name, cmd, &options,
|
|
- final_pass ? SSHCONF_FINAL : 0, want_final_pass);
|
|
+ /* If only the vendor configuration file exists, use that.
|
|
+ * Else use the standard configuration file.
|
|
+ */
|
|
+ if (stat(_PATH_HOST_VENDOR_CONFIG_FILE, &st) == 0 &&
|
|
+ stat(_PATH_HOST_CONFIG_FILE, &st) == -1) {
|
|
+ /* Read vendor distributed configuration file. */
|
|
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE,
|
|
+ pw, host, host_name, cmd, &options,
|
|
+ final_pass ? SSHCONF_FINAL : 0,
|
|
+ want_final_pass);
|
|
+ } else {
|
|
+ /* Read systemwide configuration file after user config. */
|
|
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
|
|
+ host, host_name, cmd, &options,
|
|
+ final_pass ? SSHCONF_FINAL : 0,
|
|
+ want_final_pass);
|
|
+ }
|
|
}
|
|
free(cmd);
|
|
}
|
|
Index: openssh-8.9p1/ssh_config.5
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/ssh_config.5
|
|
+++ openssh-8.9p1/ssh_config.5
|
|
@@ -54,6 +54,9 @@ user's configuration file
|
|
.It
|
|
system-wide configuration file
|
|
.Pq Pa /etc/ssh/ssh_config
|
|
+.It
|
|
+vendor configuration file
|
|
+.Pq Pa /usr/etc/ssh/ssh_config
|
|
.El
|
|
.Pp
|
|
Unless noted otherwise, for each parameter, the first obtained value
|
|
@@ -2220,6 +2223,11 @@ This file provides defaults for those
|
|
values that are not specified in the user's configuration file, and
|
|
for those users who do not have a configuration file.
|
|
This file must be world-readable.
|
|
+.It Pa /usr/etc/ssh/ssh_config
|
|
+Vendor specific configuraiton file.
|
|
+This file provides the vendor defaults and is used as fallback if the
|
|
+.Ic /etc/ssh/ssh_config
|
|
+configuration file does not exist.
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr ssh 1
|
|
Index: openssh-8.9p1/sshd.c
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/sshd.c
|
|
+++ openssh-8.9p1/sshd.c
|
|
@@ -1201,7 +1201,8 @@ prepare_proctitle(int ac, char **av)
|
|
extern char *optarg;
|
|
extern int optind;
|
|
int log_stderr = 0, inetd_flag = 0, test_flag = 0, no_daemon_flag = 0;
|
|
- char *config_file_name = _PATH_SERVER_CONFIG_FILE;
|
|
+ char *config_file_name = NULL;
|
|
+ struct stat st;
|
|
int r, opt, do_dump_cfg = 0, keytype, already_daemon, have_agent = 0;
|
|
int sock_in = -1, sock_out = -1, newsock = -1, rexec_argc = 0;
|
|
int devnull, config_s[2] = { -1 , -1 }, have_connection_info = 0;
|
|
@@ -1806,7 +1807,21 @@ main(int ac, char **av)
|
|
/* Fetch our configuration */
|
|
if ((cfg = sshbuf_new()) == NULL)
|
|
fatal("sshbuf_new config failed");
|
|
+ if (config_file_name == NULL) {
|
|
+ /* If only the vendor configuration file exists, use that.
|
|
+ * Else use the standard configuration file.
|
|
+ */
|
|
+ if (stat(_PATH_SERVER_VENDOR_CONFIG_FILE, &st) == 0 &&
|
|
+ stat(_PATH_SERVER_CONFIG_FILE, &st) == -1) {
|
|
+ /* fill with global distributor settings */
|
|
+ config_file_name = _PATH_SERVER_VENDOR_CONFIG_FILE;
|
|
+ } else {
|
|
+ /* load global admin settings */
|
|
+ config_file_name = _PATH_SERVER_CONFIG_FILE;
|
|
+ }
|
|
+ load_server_config(config_file_name, cfg);
|
|
- if (strcasecmp(config_file_name, "none") != 0)
|
|
+ } else if (strcasecmp(config_file_name, "none") != 0)
|
|
+ /* load config specified on commandline */
|
|
load_server_config(config_file_name, cfg);
|
|
|
|
parse_server_config(&options, config_file_name, cfg,
|
|
Index: openssh-8.9p1/sshd_config.5
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/sshd_config.5
|
|
+++ openssh-8.9p1/sshd_config.5
|
|
@@ -44,7 +44,9 @@
|
|
.Xr sshd 8
|
|
reads configuration data from
|
|
.Pa /etc/ssh/sshd_config
|
|
-(or the file specified with
|
|
+(
|
|
+.Pa /usr/etc/ssh/sshd_config
|
|
+if the file does not exist or the file specified with
|
|
.Fl f
|
|
on the command line).
|
|
The file contains keyword-argument pairs, one per line.
|
|
Index: openssh-8.9p1/ssh-keysign.c
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/ssh-keysign.c
|
|
+++ openssh-8.9p1/ssh-keysign.c
|
|
@@ -186,6 +186,7 @@ main(int argc, char **argv)
|
|
u_char *signature, *data, rver;
|
|
char *host, *fp, *pkalg;
|
|
size_t slen, dlen;
|
|
+ struct stat st;
|
|
|
|
if (pledge("stdio rpath getpw dns id", NULL) != 0)
|
|
fatal("%s: pledge: %s", __progname, strerror(errno));
|
|
@@ -219,8 +220,14 @@ main(int argc, char **argv)
|
|
|
|
/* verify that ssh-keysign is enabled by the admin */
|
|
initialize_options(&options);
|
|
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "", "",
|
|
- &options, 0, NULL);
|
|
+
|
|
+ if (stat(_PATH_HOST_CONFIG_FILE, &st) == 0)
|
|
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "", "",
|
|
+ &options, 0, NULL);
|
|
+ else
|
|
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE, pw, "", "", "",
|
|
+ &options, 0, NULL);
|
|
+
|
|
(void)fill_default_options(&options);
|
|
if (options.enable_ssh_keysign != 1)
|
|
fatal("ssh-keysign not enabled in %s",
|