d83100ae13
- upgrade to 7.6p1
see main package changelog for details
- Update to vanilla 7.6p1
Most important changes (more details below):
* complete removal of the ancient SSHv1 protocol
* sshd(8) cannot run without privilege separation
* removal of suport for arcfourm blowfish and CAST ciphers
and RIPE-MD160 HMAC
* refuse RSA keys shorter than 1024 bits
Distilled upstream log:
- OpenSSH 7.3
---- Security
* sshd(8): Mitigate a potential denial-of-service attack
against the system's crypt(3) function via sshd(8). An
attacker could send very long passwords that would cause
excessive CPU use in crypt(3). sshd(8) now refuses to accept
password authentication requests of length greater than 1024
characters. Independently reported by Tomas Kuthan (Oracle),
Andres Rojas and Javier Nieto.
* sshd(8): Mitigate timing differences in password
authentication that could be used to discern valid from
invalid account names when long passwords were sent and
particular password hashing algorithms are in use on the
server. CVE-2016-6210, reported by EddieEzra.Harari at
verint.com
* ssh(1), sshd(8): Fix observable timing weakness in the CBC
padding oracle countermeasures. Reported by Jean Paul
Degabriele, Kenny Paterson, Torben Hansen and Martin
Albrecht. Note that CBC ciphers are disabled by default and
OBS-URL: https://build.opensuse.org/request/show/539322
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=122
230 lines
7.2 KiB
Diff
230 lines
7.2 KiB
Diff
# HG changeset patch
|
|
# Parent ee0459c1b5173da57f9b3a6e62b232dcf9b3a029
|
|
new option UsePAMCheckLocks to enforce checking for locked accounts while
|
|
UsePAM is used
|
|
|
|
bnc#708678, FATE#312033
|
|
|
|
diff --git a/openssh-7.6p1/auth.c b/openssh-7.6p1/auth.c
|
|
--- a/openssh-7.6p1/auth.c
|
|
+++ b/openssh-7.6p1/auth.c
|
|
@@ -105,17 +105,17 @@ allowed_user(struct passwd * pw)
|
|
struct spwd *spw = NULL;
|
|
#endif
|
|
|
|
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
|
|
if (!pw || !pw->pw_name)
|
|
return 0;
|
|
|
|
#ifdef USE_SHADOW
|
|
- if (!options.use_pam)
|
|
+ if (!options.use_pam || options.use_pam_check_locks)
|
|
spw = getspnam(pw->pw_name);
|
|
#ifdef HAS_SHADOW_EXPIRE
|
|
if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
|
|
return 0;
|
|
#endif /* HAS_SHADOW_EXPIRE */
|
|
#endif /* USE_SHADOW */
|
|
|
|
/* grab passwd field for locked account check */
|
|
@@ -125,17 +125,17 @@ allowed_user(struct passwd * pw)
|
|
#ifdef USE_LIBIAF
|
|
passwd = get_iaf_password(pw);
|
|
#else
|
|
passwd = spw->sp_pwdp;
|
|
#endif /* USE_LIBIAF */
|
|
#endif
|
|
|
|
/* check for locked account */
|
|
- if (!options.use_pam && passwd && *passwd) {
|
|
+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
|
|
int locked = 0;
|
|
|
|
#ifdef LOCKED_PASSWD_STRING
|
|
if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
|
|
locked = 1;
|
|
#endif
|
|
#ifdef LOCKED_PASSWD_PREFIX
|
|
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
|
|
diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
|
--- a/openssh-7.6p1/servconf.c
|
|
+++ b/openssh-7.6p1/servconf.c
|
|
@@ -69,16 +69,17 @@ extern Buffer cfg;
|
|
|
|
void
|
|
initialize_server_options(ServerOptions *options)
|
|
{
|
|
memset(options, 0, sizeof(*options));
|
|
|
|
/* Portable-specific options */
|
|
options->use_pam = -1;
|
|
+ options->use_pam_check_locks = -1;
|
|
|
|
/* Standard Options */
|
|
options->num_ports = 0;
|
|
options->ports_from_cmdline = 0;
|
|
options->queued_listen_addrs = NULL;
|
|
options->num_queued_listens = 0;
|
|
options->listen_addrs = NULL;
|
|
options->address_family = -1;
|
|
@@ -191,16 +192,18 @@ assemble_algorithms(ServerOptions *o)
|
|
void
|
|
fill_default_server_options(ServerOptions *options)
|
|
{
|
|
int i;
|
|
|
|
/* Portable-specific options */
|
|
if (options->use_pam == -1)
|
|
options->use_pam = 0;
|
|
+ if (options->use_pam_check_locks == -1)
|
|
+ options->use_pam_check_locks = 0;
|
|
|
|
/* Standard Options */
|
|
if (options->num_host_key_files == 0) {
|
|
/* fill default hostkeys for protocols */
|
|
options->host_key_files[options->num_host_key_files++] =
|
|
_PATH_HOST_RSA_KEY_FILE;
|
|
options->host_key_files[options->num_host_key_files++] =
|
|
_PATH_HOST_DSA_KEY_FILE;
|
|
@@ -382,17 +385,17 @@ fill_default_server_options(ServerOption
|
|
#endif
|
|
|
|
}
|
|
|
|
/* Keyword tokens. */
|
|
typedef enum {
|
|
sBadOption, /* == unknown option */
|
|
/* Portable-specific options */
|
|
- sUsePAM,
|
|
+ sUsePAM, sUsePAMChecklocks,
|
|
/* Standard Options */
|
|
sPort, sHostKeyFile, sLoginGraceTime,
|
|
sPermitRootLogin, sLogFacility, sLogLevel,
|
|
sRhostsRSAAuthentication, sRSAAuthentication,
|
|
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
|
sKerberosGetAFSToken,
|
|
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
|
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
|
@@ -433,18 +436,20 @@ typedef enum {
|
|
static struct {
|
|
const char *name;
|
|
ServerOpCodes opcode;
|
|
u_int flags;
|
|
} keywords[] = {
|
|
/* Portable-specific options */
|
|
#ifdef USE_PAM
|
|
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
|
|
+ { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
|
|
#else
|
|
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
|
|
+ { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
|
|
#endif
|
|
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
|
|
/* Standard Options */
|
|
{ "port", sPort, SSHCFG_GLOBAL },
|
|
{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
|
|
{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
|
|
{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
|
|
{ "pidfile", sPidFile, SSHCFG_GLOBAL },
|
|
@@ -1040,16 +1045,19 @@ process_server_config_line(ServerOptions
|
|
}
|
|
}
|
|
|
|
switch (opcode) {
|
|
/* Portable-specific options */
|
|
case sUsePAM:
|
|
intptr = &options->use_pam;
|
|
goto parse_flag;
|
|
+ case sUsePAMChecklocks:
|
|
+ intptr = &options->use_pam_check_locks;
|
|
+ goto parse_flag;
|
|
|
|
/* Standard Options */
|
|
case sBadOption:
|
|
return -1;
|
|
case sPort:
|
|
/* ignore ports from configfile if cmdline specifies ports */
|
|
if (options->ports_from_cmdline)
|
|
return 0;
|
|
diff --git a/openssh-7.6p1/servconf.h b/openssh-7.6p1/servconf.h
|
|
--- a/openssh-7.6p1/servconf.h
|
|
+++ b/openssh-7.6p1/servconf.h
|
|
@@ -168,16 +168,17 @@ typedef struct {
|
|
*/
|
|
|
|
u_int num_authkeys_files; /* Files containing public keys */
|
|
char *authorized_keys_files[MAX_AUTHKEYS_FILES];
|
|
|
|
char *adm_forced_command;
|
|
|
|
int use_pam; /* Enable auth via PAM */
|
|
+ int use_pam_check_locks; /* internally check for locked accounts even when using PAM */
|
|
|
|
int permit_tun;
|
|
|
|
char **permitted_opens;
|
|
u_int num_permitted_opens; /* May also be one of PERMITOPEN_* */
|
|
|
|
char *chroot_directory;
|
|
char *revoked_keys_file;
|
|
diff --git a/openssh-7.6p1/sshd_config.0 b/openssh-7.6p1/sshd_config.0
|
|
--- a/openssh-7.6p1/sshd_config.0
|
|
+++ b/openssh-7.6p1/sshd_config.0
|
|
@@ -901,16 +901,24 @@ DESCRIPTION
|
|
|
|
Because PAM challenge-response authentication usually serves an
|
|
equivalent role to password authentication, you should disable
|
|
either PasswordAuthentication or ChallengeResponseAuthentication.
|
|
|
|
If UsePAM is enabled, you will not be able to run sshd(8) as a
|
|
non-root user. The default is no.
|
|
|
|
+ UsePAMCheckLocks
|
|
+ When set to ``yes'', the checks whether the account has been
|
|
+ locked with `passwd -l' are performed even when PAM authentication
|
|
+ is enabled via UsePAM. This is to ensure that it is not possible
|
|
+ to log in with e.g. a public key (in such a case PAM is used only
|
|
+ to set up the session and some PAM modules will not check whether
|
|
+ the account is locked in this scenario). The default is ``no''.
|
|
+
|
|
VersionAddendum
|
|
Optionally specifies additional text to append to the SSH
|
|
protocol banner sent by the server upon connection. The default
|
|
is none.
|
|
|
|
X11DisplayOffset
|
|
Specifies the first display number available for sshd(8)'s X11
|
|
forwarding. This prevents sshd from interfering with real X11
|
|
diff --git a/openssh-7.6p1/sshd_config.5 b/openssh-7.6p1/sshd_config.5
|
|
--- a/openssh-7.6p1/sshd_config.5
|
|
+++ b/openssh-7.6p1/sshd_config.5
|
|
@@ -1496,16 +1496,28 @@ or
|
|
.Pp
|
|
If
|
|
.Cm UsePAM
|
|
is enabled, you will not be able to run
|
|
.Xr sshd 8
|
|
as a non-root user.
|
|
The default is
|
|
.Cm no .
|
|
+.It Cm UsePAMCheckLocks
|
|
+When set to
|
|
+.Dq yes
|
|
+, the checks whether the account has been locked with
|
|
+.Pa passwd -l
|
|
+are performed even when PAM authentication is enabled via
|
|
+.Cm UsePAM .
|
|
+This is to ensure that it is not possible to log in with e.g. a
|
|
+public key (in such a case PAM is used only to set up the session and some PAM
|
|
+modules will not check whether the account is locked in this scenario). The
|
|
+default is
|
|
+.Dq no .
|
|
.It Cm VersionAddendum
|
|
Optionally specifies additional text to append to the SSH protocol banner
|
|
sent by the server upon connection.
|
|
The default is
|
|
.Cm none .
|
|
.It Cm X11DisplayOffset
|
|
Specifies the first display number available for
|
|
.Xr sshd 8 Ns 's
|