Marcus Meissner
3f6eda5c88
* No changes for askpass, see main package changelog for details. - Update to openssh 9.9p1: = Future deprecation notice * OpenSSH plans to remove support for the DSA signature algorithm in early 2025. This release disables DSA by default at compile time. DSA, as specified in the SSHv2 protocol, is inherently weak - being limited to a 160 bit private key and use of the SHA1 digest. Its estimated security level is only 80 bits symmetric equivalent. OpenSSH has disabled DSA keys by default since 2015 but has retained run-time optional support for them. DSA was the only mandatory-to-implement algorithm in the SSHv2 RFCs, mostly because alternative algorithms were encumbered by patents when the SSHv2 protocol was specified. This has not been the case for decades at this point and better algorithms are well supported by all actively-maintained SSH implementations. We do not consider the costs of maintaining DSA in OpenSSH to be justified and hope that removing it from OpenSSH can accelerate its wider deprecation in supporting cryptography libraries. = Potentially-incompatible changes * ssh(1): remove support for pre-authentication compression. OpenSSH has only supported post-authentication compression in the server for some years. Compression before authentication significantly increases the attack surface of SSH servers and risks creating oracles that reveal information about information sent during authentication. OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=275
203 lines
7.1 KiB
Diff
203 lines
7.1 KiB
Diff
Gemeinsame Unterverzeichnisse: openssh-8.4p1/contrib und openssh-8.4p1-vendor/contrib.
|
|
Index: openssh-8.9p1/dh.c
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/dh.c
|
|
+++ openssh-8.9p1/dh.c
|
|
@@ -54,7 +54,17 @@ void dh_set_moduli_file(const char *file
|
|
|
|
static const char * get_moduli_filename(void)
|
|
{
|
|
- return moduli_filename ? moduli_filename : _PATH_DH_MODULI;
|
|
+ struct stat st;
|
|
+
|
|
+ if (moduli_filename)
|
|
+ return moduli_filename;
|
|
+
|
|
+ if (stat(_PATH_VENDOR_DH_MODULI, &st) == 0 &&
|
|
+ stat(_PATH_DH_MODULI, &st) == -1) {
|
|
+ return _PATH_VENDOR_DH_MODULI;
|
|
+ }
|
|
+
|
|
+ return _PATH_DH_MODULI;
|
|
}
|
|
|
|
static int
|
|
Index: openssh-8.9p1/pathnames.h
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/pathnames.h
|
|
+++ openssh-8.9p1/pathnames.h
|
|
@@ -18,6 +18,8 @@
|
|
#define SSHDIR ETCDIR "/ssh"
|
|
#endif
|
|
|
|
+#define VENDORDIR "/usr/etc/ssh"
|
|
+
|
|
#ifndef _PATH_SSH_PIDDIR
|
|
#define _PATH_SSH_PIDDIR "/var/run"
|
|
#endif
|
|
@@ -35,13 +37,17 @@
|
|
* should be world-readable.
|
|
*/
|
|
#define _PATH_SERVER_CONFIG_FILE SSHDIR "/sshd_config"
|
|
+#define _PATH_SERVER_VENDOR_CONFIG_FILE VENDORDIR "/sshd_config"
|
|
#define _PATH_HOST_CONFIG_FILE SSHDIR "/ssh_config"
|
|
+#define _PATH_HOST_VENDOR_CONFIG_FILE VENDORDIR "/ssh_config"
|
|
#define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key"
|
|
#define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key"
|
|
#define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key"
|
|
#define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key"
|
|
#define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
|
|
#define _PATH_DH_MODULI SSHDIR "/moduli"
|
|
+#define _PATH_VENDOR_DH_MODULI VENDORDIR "/moduli"
|
|
+
|
|
|
|
#ifndef _PATH_SSH_PROGRAM
|
|
#define _PATH_SSH_PROGRAM "/usr/bin/ssh"
|
|
Index: openssh-8.9p1/ssh.c
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/ssh.c
|
|
+++ openssh-8.9p1/ssh.c
|
|
@@ -549,6 +549,7 @@ static void
|
|
process_config_files(const char *host_name, struct passwd *pw, int final_pass,
|
|
int *want_final_pass)
|
|
{
|
|
+ struct stat st;
|
|
char buf[PATH_MAX];
|
|
int r;
|
|
|
|
@@ -567,10 +568,23 @@ process_config_files(const char *host_na
|
|
&options, SSHCONF_CHECKPERM | SSHCONF_USERCONF |
|
|
(final_pass ? SSHCONF_FINAL : 0), want_final_pass);
|
|
|
|
- /* Read systemwide configuration file after user config. */
|
|
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
|
|
- host, host_name, &options,
|
|
- final_pass ? SSHCONF_FINAL : 0, want_final_pass);
|
|
+ /* If only the vendor configuration file exists, use that.
|
|
+ * Else use the standard configuration file.
|
|
+ */
|
|
+ if (stat(_PATH_HOST_VENDOR_CONFIG_FILE, &st) == 0 &&
|
|
+ stat(_PATH_HOST_CONFIG_FILE, &st) == -1) {
|
|
+ /* Read vendor distributed configuration file. */
|
|
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE,
|
|
+ pw, host, host_name, &options,
|
|
+ final_pass ? SSHCONF_FINAL : 0,
|
|
+ want_final_pass);
|
|
+ } else {
|
|
+ /* Read systemwide configuration file after user config. */
|
|
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
|
|
+ host, host_name, &options,
|
|
+ final_pass ? SSHCONF_FINAL : 0,
|
|
+ want_final_pass);
|
|
+ }
|
|
}
|
|
}
|
|
|
|
Index: openssh-8.9p1/ssh_config.5
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/ssh_config.5
|
|
+++ openssh-8.9p1/ssh_config.5
|
|
@@ -54,6 +54,9 @@ user's configuration file
|
|
.It
|
|
system-wide configuration file
|
|
.Pq Pa /etc/ssh/ssh_config
|
|
+.It
|
|
+vendor configuration file
|
|
+.Pq Pa /usr/etc/ssh/ssh_config
|
|
.El
|
|
.Pp
|
|
Unless noted otherwise, for each parameter, the first obtained value
|
|
@@ -2220,6 +2223,11 @@ This file provides defaults for those
|
|
values that are not specified in the user's configuration file, and
|
|
for those users who do not have a configuration file.
|
|
This file must be world-readable.
|
|
+.It Pa /usr/etc/ssh/ssh_config
|
|
+Vendor specific configuraiton file.
|
|
+This file provides the vendor defaults and is used as fallback if the
|
|
+.Ic /etc/ssh/ssh_config
|
|
+configuration file does not exist.
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr ssh 1
|
|
Index: openssh-8.9p1/sshd.c
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/sshd.c
|
|
+++ openssh-8.9p1/sshd.c
|
|
@@ -1201,7 +1201,8 @@ prepare_proctitle(int ac, char **av)
|
|
extern char *optarg;
|
|
extern int optind;
|
|
int log_stderr = 0, inetd_flag = 0, test_flag = 0, no_daemon_flag = 0;
|
|
- char *config_file_name = _PATH_SERVER_CONFIG_FILE;
|
|
+ char *config_file_name = NULL;
|
|
+ struct stat st;
|
|
int r, opt, do_dump_cfg = 0, keytype, already_daemon, have_agent = 0;
|
|
int sock_in = -1, sock_out = -1, newsock = -1, rexec_argc = 0;
|
|
int devnull, config_s[2] = { -1 , -1 }, have_connection_info = 0;
|
|
@@ -1806,7 +1807,21 @@ main(int ac, char **av)
|
|
/* Fetch our configuration */
|
|
if ((cfg = sshbuf_new()) == NULL)
|
|
fatal("sshbuf_new config failed");
|
|
+ if (config_file_name == NULL) {
|
|
+ /* If only the vendor configuration file exists, use that.
|
|
+ * Else use the standard configuration file.
|
|
+ */
|
|
+ if (stat(_PATH_SERVER_VENDOR_CONFIG_FILE, &st) == 0 &&
|
|
+ stat(_PATH_SERVER_CONFIG_FILE, &st) == -1) {
|
|
+ /* fill with global distributor settings */
|
|
+ config_file_name = _PATH_SERVER_VENDOR_CONFIG_FILE;
|
|
+ } else {
|
|
+ /* load global admin settings */
|
|
+ config_file_name = _PATH_SERVER_CONFIG_FILE;
|
|
+ }
|
|
+ load_server_config(config_file_name, cfg);
|
|
- if (strcasecmp(config_file_name, "none") != 0)
|
|
+ } else if (strcasecmp(config_file_name, "none") != 0)
|
|
+ /* load config specified on commandline */
|
|
load_server_config(config_file_name, cfg);
|
|
|
|
parse_server_config(&options, config_file_name, cfg,
|
|
Index: openssh-8.9p1/sshd_config.5
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/sshd_config.5
|
|
+++ openssh-8.9p1/sshd_config.5
|
|
@@ -44,7 +44,9 @@
|
|
.Xr sshd 8
|
|
reads configuration data from
|
|
.Pa /etc/ssh/sshd_config
|
|
-(or the file specified with
|
|
+(
|
|
+.Pa /usr/etc/ssh/sshd_config
|
|
+if the file does not exist or the file specified with
|
|
.Fl f
|
|
on the command line).
|
|
The file contains keyword-argument pairs, one per line.
|
|
Index: openssh-8.9p1/ssh-keysign.c
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/ssh-keysign.c
|
|
+++ openssh-8.9p1/ssh-keysign.c
|
|
@@ -186,6 +186,7 @@ main(int argc, char **argv)
|
|
u_char *signature, *data, rver;
|
|
char *host, *fp, *pkalg;
|
|
size_t slen, dlen;
|
|
+ struct stat st;
|
|
|
|
if (pledge("stdio rpath getpw dns id", NULL) != 0)
|
|
fatal("%s: pledge: %s", __progname, strerror(errno));
|
|
@@ -219,8 +220,14 @@ main(int argc, char **argv)
|
|
|
|
/* verify that ssh-keysign is enabled by the admin */
|
|
initialize_options(&options);
|
|
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
|
|
- &options, 0, NULL);
|
|
+
|
|
+ if (stat(_PATH_HOST_CONFIG_FILE, &st) == 0)
|
|
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
|
|
+ &options, 0, NULL);
|
|
+ else
|
|
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE, pw, "", "",
|
|
+ &options, 0, NULL);
|
|
+
|
|
(void)fill_default_options(&options);
|
|
if (options.enable_ssh_keysign != 1)
|
|
fatal("ssh-keysign not enabled in %s",
|