efb05e6527
- Update of the underlying OpenSSH to 6.6p1
- update to 6.6p1
Security:
* sshd(8): when using environment passing with a sshd_config(5)
AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could
be tricked into accepting any enviornment variable that
contains the characters before the wildcard character.
Features since 6.5p1:
* ssh(1), sshd(8): removal of the J-PAKE authentication code,
which was experimental, never enabled and has been
unmaintained for some time.
* ssh(1): skip 'exec' clauses other clauses predicates failed
to match while processing Match blocks.
* ssh(1): if hostname canonicalisation is enabled and results
in the destination hostname being changed, then re-parse
ssh_config(5) files using the new destination hostname. This
gives 'Host' and 'Match' directives that use the expanded
hostname a chance to be applied.
Bugfixes:
* ssh(1): avoid spurious "getsockname failed: Bad file
descriptor" in ssh -W. bz#2200, debian#738692
* sshd(8): allow the shutdown(2) syscall in seccomp-bpf and
systrace sandbox modes, as it is reachable if the connection
is terminated during the pre-auth phase.
* ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1
bignum parsing. Minimum key length checks render this bug
unexploitable to compromise SSH 1 sessions.
* sshd_config(5): clarify behaviour of a keyword that appears
in multiple matching Match blocks. bz#2184
OBS-URL: https://build.opensuse.org/request/show/230097
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=76
58 lines
1.4 KiB
Diff
58 lines
1.4 KiB
Diff
# try to remove xauth cookies on logout
|
|
# bnc#98815
|
|
|
|
diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c
|
|
--- a/openssh-6.6p1/session.c
|
|
+++ b/openssh-6.6p1/session.c
|
|
@@ -2510,18 +2510,50 @@ session_exit_message(Session *s, int sta
|
|
if (c->ostate != CHAN_OUTPUT_CLOSED)
|
|
chan_write_failed(c);
|
|
}
|
|
|
|
void
|
|
session_close(Session *s)
|
|
{
|
|
u_int i;
|
|
+ int do_xauth;
|
|
|
|
debug("session_close: session %d pid %ld", s->self, (long)s->pid);
|
|
+
|
|
+ do_xauth = (s->display != NULL) && (s->auth_proto != NULL) && (s->auth_data != NULL);
|
|
+ if (do_xauth && options.xauth_location != NULL) {
|
|
+ pid_t pid;
|
|
+ FILE *f;
|
|
+ char cmd[1024];
|
|
+ struct passwd * pw = s->pw;
|
|
+
|
|
+ if (!(pid = fork())) {
|
|
+ permanently_set_uid(pw);
|
|
+
|
|
+ /* Remove authority data from .Xauthority if appropriate. */
|
|
+ debug("Running %.500s remove %.100s\n",
|
|
+ options.xauth_location, s->auth_display);
|
|
+
|
|
+ snprintf(cmd, sizeof cmd, "unset XAUTHORITY && HOME=\"%.200s\" %s -q -",
|
|
+ s->pw->pw_dir, options.xauth_location);
|
|
+ f = popen(cmd, "w");
|
|
+ if (f) {
|
|
+ fprintf(f, "remove %s\n", s->auth_display);
|
|
+ pclose(f);
|
|
+ } else
|
|
+ error("Could not run %s\n", cmd);
|
|
+ exit(0);
|
|
+ } else if (pid > 0) {
|
|
+ int status;
|
|
+
|
|
+ waitpid(pid, &status, 0);
|
|
+ }
|
|
+ }
|
|
+
|
|
if (s->ttyfd != -1)
|
|
session_pty_cleanup(s);
|
|
free(s->term);
|
|
free(s->display);
|
|
free(s->x11_chanids);
|
|
free(s->auth_display);
|
|
free(s->auth_data);
|
|
free(s->auth_proto);
|