03fc1a6def
- Update to openssh 9.3p1 * No changes for askpass, see main package changelog for details - Update to openssh 9.3p1: = Security * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. = New features * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when outputting SSHFP fingerprints to allow algorithm selection. bz3493 OBS-URL: https://build.opensuse.org/request/show/1087770 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=247
135 lines
4.7 KiB
Diff
135 lines
4.7 KiB
Diff
# HG changeset patch
|
|
# Parent 089f4fba0112d410a1bfa74398941f076681d446
|
|
new option UsePAMCheckLocks to enforce checking for locked accounts while
|
|
UsePAM is used
|
|
|
|
bnc#708678, FATE#312033
|
|
|
|
Index: openssh-8.8p1/auth.c
|
|
===================================================================
|
|
--- openssh-8.8p1.orig/auth.c
|
|
+++ openssh-8.8p1/auth.c
|
|
@@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas
|
|
if (!pw || !pw->pw_name)
|
|
return 0;
|
|
|
|
- if (!options.use_pam && platform_locked_account(pw)) {
|
|
+ if ((!options.use_pam || options.use_pam_check_locks) && platform_locked_account(pw)) {
|
|
logit("User %.100s not allowed because account is locked",
|
|
pw->pw_name);
|
|
return 0;
|
|
#@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas
|
|
# #endif
|
|
#
|
|
# /* check for locked account */
|
|
#- if (!options.use_pam && passwd && *passwd) {
|
|
#+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
|
|
# int locked = 0;
|
|
#
|
|
# #ifdef LOCKED_PASSWD_STRING
|
|
Index: openssh-8.8p1/servconf.c
|
|
===================================================================
|
|
--- openssh-8.8p1.orig/servconf.c
|
|
+++ openssh-8.8p1/servconf.c
|
|
@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions
|
|
|
|
/* Portable-specific options */
|
|
options->use_pam = -1;
|
|
+ options->use_pam_check_locks = -1;
|
|
|
|
/* Standard Options */
|
|
options->num_ports = 0;
|
|
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
|
|
/* Portable-specific options */
|
|
if (options->use_pam == -1)
|
|
options->use_pam = 0;
|
|
+ if (options->use_pam_check_locks == -1)
|
|
+ options->use_pam_check_locks = 0;
|
|
|
|
/* Standard Options */
|
|
if (options->num_host_key_files == 0) {
|
|
@@ -485,7 +488,7 @@ fill_default_server_options(ServerOption
|
|
typedef enum {
|
|
sBadOption, /* == unknown option */
|
|
/* Portable-specific options */
|
|
- sUsePAM,
|
|
+ sUsePAM, sUsePAMChecklocks,
|
|
/* Standard Options */
|
|
sPort, sHostKeyFile, sLoginGraceTime,
|
|
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
|
@@ -535,8 +538,10 @@ static struct {
|
|
/* Portable-specific options */
|
|
#ifdef USE_PAM
|
|
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
|
|
+ { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
|
|
#else
|
|
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
|
|
+ { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
|
|
#endif
|
|
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
|
|
/* Standard Options */
|
|
@@ -1331,6 +1336,9 @@ process_server_config_line_depth(ServerO
|
|
case sUsePAM:
|
|
intptr = &options->use_pam;
|
|
goto parse_flag;
|
|
+ case sUsePAMChecklocks:
|
|
+ intptr = &options->use_pam_check_locks;
|
|
+ goto parse_flag;
|
|
|
|
/* Standard Options */
|
|
case sBadOption:
|
|
Index: openssh-8.8p1/servconf.h
|
|
===================================================================
|
|
--- openssh-8.8p1.orig/servconf.h
|
|
+++ openssh-8.8p1/servconf.h
|
|
@@ -200,6 +200,7 @@ typedef struct {
|
|
char *adm_forced_command;
|
|
|
|
int use_pam; /* Enable auth via PAM */
|
|
+ int use_pam_check_locks; /* internally check for locked accounts even when using PAM */
|
|
|
|
int permit_tun;
|
|
|
|
Index: openssh-8.8p1/sshd_config.0
|
|
===================================================================
|
|
--- openssh-8.8p1.orig/sshd_config.0
|
|
+++ openssh-8.8p1/sshd_config.0
|
|
@@ -1074,6 +1074,14 @@ DESCRIPTION
|
|
If UsePAM is enabled, you will not be able to run sshd(8) as a
|
|
non-root user. The default is no.
|
|
|
|
+ UsePAMCheckLocks
|
|
+ When set to ``yes'', the checks whether the account has been
|
|
+ locked with `passwd -l' are performed even when PAM authentication
|
|
+ is enabled via UsePAM. This is to ensure that it is not possible
|
|
+ to log in with e.g. a public key (in such a case PAM is used only
|
|
+ to set up the session and some PAM modules will not check whether
|
|
+ the account is locked in this scenario). The default is ``no''.
|
|
+
|
|
VersionAddendum
|
|
Optionally specifies additional text to append to the SSH
|
|
protocol banner sent by the server upon connection. The default
|
|
Index: openssh-8.8p1/sshd_config.5
|
|
===================================================================
|
|
--- openssh-8.8p1.orig/sshd_config.5
|
|
+++ openssh-8.8p1/sshd_config.5
|
|
@@ -1775,6 +1775,18 @@ is enabled, you will not be able to run
|
|
as a non-root user.
|
|
The default is
|
|
.Cm no .
|
|
+.It Cm UsePAMCheckLocks
|
|
+When set to
|
|
+.Dq yes
|
|
+, the checks whether the account has been locked with
|
|
+.Pa passwd -l
|
|
+are performed even when PAM authentication is enabled via
|
|
+.Cm UsePAM .
|
|
+This is to ensure that it is not possible to log in with e.g. a
|
|
+public key (in such a case PAM is used only to set up the session and some PAM
|
|
+modules will not check whether the account is locked in this scenario). The
|
|
+default is
|
|
+.Dq no .
|
|
.It Cm VersionAddendum
|
|
Optionally specifies additional text to append to the SSH protocol banner
|
|
sent by the server upon connection.
|