forked from pool/openssh
Accepting request 547144 from home:pcerny:factory
temporarily downgrading to 7.2p2 to run tests on additional 7.2p2 patches OBS-URL: https://build.opensuse.org/request/show/547144 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=124
This commit is contained in:
parent
3a77b6ed2a
commit
56e0af8154
72
openssh-7.2p2-IPv6_X_forwarding.patch
Normal file
72
openssh-7.2p2-IPv6_X_forwarding.patch
Normal file
@ -0,0 +1,72 @@
|
||||
# HG changeset patch
|
||||
# Parent 9130c9e19c8a076a7f6f214070283cd3e0326894
|
||||
Correctly parse DISPLAY variable for cases where it contains an IPv6 address
|
||||
(which should - but not always is - in (square) brackets).
|
||||
|
||||
bnc#847710 - https://bugzilla.novell.com/show_bug.cgi?id=847710
|
||||
|
||||
diff --git a/openssh-7.2p2/channels.c b/openssh-7.2p2/channels.c
|
||||
--- a/openssh-7.2p2/channels.c
|
||||
+++ b/openssh-7.2p2/channels.c
|
||||
@@ -4049,18 +4049,19 @@ x11_connect_display(void)
|
||||
/* OK, we now have a connection to the display. */
|
||||
return sock;
|
||||
}
|
||||
#endif
|
||||
/*
|
||||
* Check if it is a unix domain socket. Unix domain displays are in
|
||||
* one of the following formats: unix:d[.s], :d[.s], ::d[.s]
|
||||
*/
|
||||
+ cp = strrchr(display, ':');
|
||||
if (strncmp(display, "unix:", 5) == 0 ||
|
||||
- display[0] == ':') {
|
||||
+ (display[0] == ':' && ((cp - display) < 2)) ) {
|
||||
/* Connect to the unix domain socket. */
|
||||
if (sscanf(strrchr(display, ':') + 1, "%u", &display_number) != 1) {
|
||||
error("Could not parse display number from DISPLAY: %.100s",
|
||||
display);
|
||||
return -1;
|
||||
}
|
||||
/* Create a socket. */
|
||||
sock = connect_local_xsocket(display_number);
|
||||
@@ -4068,30 +4069,39 @@ x11_connect_display(void)
|
||||
return -1;
|
||||
|
||||
/* OK, we now have a connection to the display. */
|
||||
return sock;
|
||||
}
|
||||
/*
|
||||
* Connect to an inet socket. The DISPLAY value is supposedly
|
||||
* hostname:d[.s], where hostname may also be numeric IP address.
|
||||
+ * Note that IPv6 numberic addresses contain colons (e.g. ::1:0)
|
||||
*/
|
||||
strlcpy(buf, display, sizeof(buf));
|
||||
- cp = strchr(buf, ':');
|
||||
+ cp = strrchr(buf, ':');
|
||||
if (!cp) {
|
||||
error("Could not find ':' in DISPLAY: %.100s", display);
|
||||
return -1;
|
||||
}
|
||||
*cp = 0;
|
||||
/* buf now contains the host name. But first we parse the display number. */
|
||||
if (sscanf(cp + 1, "%u", &display_number) != 1) {
|
||||
error("Could not parse display number from DISPLAY: %.100s",
|
||||
display);
|
||||
return -1;
|
||||
}
|
||||
+
|
||||
+ /* Remove brackets surrounding IPv6 addresses if there are any. */
|
||||
+ if (buf[0] == '[' && (cp = strchr(buf, ']'))) {
|
||||
+ *cp = 0;
|
||||
+ cp = buf + 1;
|
||||
+ } else {
|
||||
+ cp = buf;
|
||||
+ }
|
||||
|
||||
/* Look up the host address */
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = IPv4or6;
|
||||
hints.ai_socktype = SOCK_STREAM;
|
||||
snprintf(strport, sizeof strport, "%u", 6000 + display_number);
|
||||
if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
|
||||
error("%.100s: unknown host. (%s)", buf,
|
@ -1,14 +1,14 @@
|
||||
# HG changeset patch
|
||||
# Parent c004421528bc443fa9a56db1123005c92014e6b3
|
||||
# Parent 7197d7a6b7c90566c68e980b5f8b937c183e79d0
|
||||
# enable trusted X11 forwarding by default in both sshd and sshsystem-wide
|
||||
# configuration
|
||||
# bnc#50836 (was suse #35836)
|
||||
Enable Trusted X11 forwarding by default, since the security benefits of
|
||||
having it disabled are negligible these days with XI2 being widely used.
|
||||
|
||||
diff --git a/openssh-7.6p1/ssh_config b/openssh-7.6p1/ssh_config
|
||||
--- a/openssh-7.6p1/ssh_config
|
||||
+++ b/openssh-7.6p1/ssh_config
|
||||
diff --git a/openssh-7.2p2/ssh_config b/openssh-7.2p2/ssh_config
|
||||
--- a/openssh-7.2p2/ssh_config
|
||||
+++ b/openssh-7.2p2/ssh_config
|
||||
@@ -12,19 +12,30 @@
|
||||
# Any configuration value is only changed the first time it is set.
|
||||
# Thus, host-specific definitions should be at the beginning of the
|
||||
@ -33,18 +33,18 @@ diff --git a/openssh-7.6p1/ssh_config b/openssh-7.6p1/ssh_config
|
||||
+# expire after twenty minutes after remote login.
|
||||
+ ForwardX11Trusted yes
|
||||
+
|
||||
# RhostsRSAAuthentication no
|
||||
# RSAAuthentication yes
|
||||
# PasswordAuthentication yes
|
||||
# HostbasedAuthentication no
|
||||
# GSSAPIAuthentication no
|
||||
# GSSAPIDelegateCredentials no
|
||||
# BatchMode no
|
||||
# CheckHostIP yes
|
||||
# AddressFamily any
|
||||
# ConnectTimeout 0
|
||||
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
|
||||
--- a/openssh-7.6p1/sshd_config
|
||||
+++ b/openssh-7.6p1/sshd_config
|
||||
@@ -80,17 +80,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
|
||||
--- a/openssh-7.2p2/sshd_config
|
||||
+++ b/openssh-7.2p2/sshd_config
|
||||
@@ -94,17 +94,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
@ -62,4 +62,4 @@ diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
|
||||
#PrintLastLog yes
|
||||
#TCPKeepAlive yes
|
||||
#UseLogin no
|
||||
#PermitUserEnvironment no
|
||||
#UsePrivilegeSeparation sandbox
|
34
openssh-7.2p2-X_forward_with_disabled_ipv6.patch
Normal file
34
openssh-7.2p2-X_forward_with_disabled_ipv6.patch
Normal file
@ -0,0 +1,34 @@
|
||||
# HG changeset patch
|
||||
# Parent a9e60634acb905a830a0f57ece296781ab08d0fb
|
||||
Do not throw away already open sockets for X11 forwarding if another socket
|
||||
family is not available for bind()
|
||||
|
||||
diff --git a/openssh-7.2p2/channels.c b/openssh-7.2p2/channels.c
|
||||
--- a/openssh-7.2p2/channels.c
|
||||
+++ b/openssh-7.2p2/channels.c
|
||||
@@ -3938,16 +3938,25 @@ x11_create_display_inet(int x11_display_
|
||||
if (ai->ai_family == AF_INET6)
|
||||
sock_set_v6only(sock);
|
||||
if (x11_use_localhost)
|
||||
channel_set_reuseaddr(sock);
|
||||
if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
|
||||
debug2("bind port %d: %.100s", port, strerror(errno));
|
||||
close(sock);
|
||||
|
||||
+ /* do not remove successfully opened
|
||||
+ * sockets if the request failed because
|
||||
+ * the protocol IPv4/6 is not available
|
||||
+ * (e.g. IPv6 may be disabled while being
|
||||
+ * supported)
|
||||
+ */
|
||||
+ if (EADDRNOTAVAIL == errno)
|
||||
+ continue;
|
||||
+
|
||||
for (n = 0; n < num_socks; n++) {
|
||||
close(socks[n]);
|
||||
}
|
||||
num_socks = 0;
|
||||
break;
|
||||
}
|
||||
socks[num_socks++] = sock;
|
||||
if (num_socks == NUM_SOCKS)
|
56
openssh-7.2p2-additional_seccomp_archs.patch
Normal file
56
openssh-7.2p2-additional_seccomp_archs.patch
Normal file
@ -0,0 +1,56 @@
|
||||
# HG changeset patch
|
||||
# Parent e7bdbc5ea8971599466becf01bff12b9fcb5df3e
|
||||
Enable the seccomp-bpf sandbox on more architectures
|
||||
|
||||
upstream commit: b9c50614eba9d90939b2b119b6e1b7e03b462278 (7.3p1)
|
||||
Author: Damien Miller <djm@mindrot.org>
|
||||
Date: Fri Jul 8 13:59:13 2016 +1000
|
||||
|
||||
whitelist more architectures for seccomp-bpf
|
||||
|
||||
bz#2590 - testing and patch from Jakub Jelen
|
||||
|
||||
diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
|
||||
--- a/openssh-7.2p2/configure.ac
|
||||
+++ b/openssh-7.2p2/configure.ac
|
||||
@@ -818,16 +818,40 @@ main() { if (NSVersionOfRunTimeLibrary("
|
||||
seccomp_audit_arch=AUDIT_ARCH_I386
|
||||
;;
|
||||
arm*-*)
|
||||
seccomp_audit_arch=AUDIT_ARCH_ARM
|
||||
;;
|
||||
aarch64*-*)
|
||||
seccomp_audit_arch=AUDIT_ARCH_AARCH64
|
||||
;;
|
||||
+ s390x-*)
|
||||
+ seccomp_audit_arch=AUDIT_ARCH_S390X
|
||||
+ ;;
|
||||
+ s390-*)
|
||||
+ seccomp_audit_arch=AUDIT_ARCH_S390
|
||||
+ ;;
|
||||
+ powerpc64-*)
|
||||
+ seccomp_audit_arch=AUDIT_ARCH_PPC64
|
||||
+ ;;
|
||||
+ powerpc64le-*)
|
||||
+ seccomp_audit_arch=AUDIT_ARCH_PPC64LE
|
||||
+ ;;
|
||||
+ mips-*)
|
||||
+ seccomp_audit_arch=AUDIT_ARCH_MIPS
|
||||
+ ;;
|
||||
+ mipsel-*)
|
||||
+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL
|
||||
+ ;;
|
||||
+ mips64-*)
|
||||
+ seccomp_audit_arch=AUDIT_ARCH_MIPS64
|
||||
+ ;;
|
||||
+ mips64el-*)
|
||||
+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
|
||||
+ ;;
|
||||
esac
|
||||
if test "x$seccomp_audit_arch" != "x" ; then
|
||||
AC_MSG_RESULT(["$seccomp_audit_arch"])
|
||||
AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
|
||||
[Specify the system call convention in use])
|
||||
else
|
||||
AC_MSG_RESULT([architecture not supported])
|
||||
fi
|
129
openssh-7.2p2-allow_DSS_by_default.patch
Normal file
129
openssh-7.2p2-allow_DSS_by_default.patch
Normal file
@ -0,0 +1,129 @@
|
||||
# HG changeset patch
|
||||
# Parent d33bce122aa351a56ce457be35feda52171f9088
|
||||
Enable DSS authentication by default to maintain compatibility with older
|
||||
versions.
|
||||
|
||||
bsc#983784
|
||||
|
||||
diff --git a/openssh-7.2p2/myproposal.h b/openssh-7.2p2/myproposal.h
|
||||
--- a/openssh-7.2p2/myproposal.h
|
||||
+++ b/openssh-7.2p2/myproposal.h
|
||||
@@ -94,21 +94,23 @@
|
||||
#define KEX_CLIENT_KEX KEX_COMMON_KEX \
|
||||
"diffie-hellman-group-exchange-sha1," \
|
||||
"diffie-hellman-group14-sha1"
|
||||
|
||||
#define KEX_DEFAULT_PK_ALG \
|
||||
HOSTKEY_ECDSA_CERT_METHODS \
|
||||
"ssh-ed25519-cert-v01@openssh.com," \
|
||||
"ssh-rsa-cert-v01@openssh.com," \
|
||||
+ "ssh-dss-cert-v01@openssh.com," \
|
||||
HOSTKEY_ECDSA_METHODS \
|
||||
"ssh-ed25519," \
|
||||
"rsa-sha2-512," \
|
||||
"rsa-sha2-256," \
|
||||
- "ssh-rsa"
|
||||
+ "ssh-rsa," \
|
||||
+ "ssh-dss"
|
||||
|
||||
/* the actual algorithms */
|
||||
|
||||
#define KEX_SERVER_ENCRYPT \
|
||||
"chacha20-poly1305@openssh.com," \
|
||||
"aes128-ctr,aes192-ctr,aes256-ctr" \
|
||||
AESGCM_CIPHER_MODES
|
||||
|
||||
diff --git a/openssh-7.2p2/ssh_config.5 b/openssh-7.2p2/ssh_config.5
|
||||
--- a/openssh-7.2p2/ssh_config.5
|
||||
+++ b/openssh-7.2p2/ssh_config.5
|
||||
@@ -887,19 +887,19 @@ Alternately if the specified value begin
|
||||
character, then the specified key types will be appended to the default set
|
||||
instead of replacing them.
|
||||
The default for this option is:
|
||||
.Bd -literal -offset 3n
|
||||
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
-ssh-rsa-cert-v01@openssh.com,
|
||||
+ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-ssh-ed25519,ssh-rsa
|
||||
+ssh-ed25519,ssh-rsa,ssh-dss
|
||||
.Ed
|
||||
.Pp
|
||||
If hostkeys are known for the destination host then this default is modified
|
||||
to prefer their algorithms.
|
||||
.Pp
|
||||
The list of available key types may also be obtained using the
|
||||
.Fl Q
|
||||
option of
|
||||
@@ -1325,19 +1325,19 @@ Alternately if the specified value begin
|
||||
character, then the key types after it will be appended to the default
|
||||
instead of replacing it.
|
||||
The default for this option is:
|
||||
.Bd -literal -offset 3n
|
||||
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
-ssh-rsa-cert-v01@openssh.com,
|
||||
+ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-ssh-ed25519,ssh-rsa
|
||||
+ssh-ed25519,ssh-rsa,ssh-dss
|
||||
.Ed
|
||||
.Pp
|
||||
The
|
||||
.Fl Q
|
||||
option of
|
||||
.Xr ssh 1
|
||||
may be used to list supported key types.
|
||||
.It Cm PubkeyAuthentication
|
||||
diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
|
||||
--- a/openssh-7.2p2/sshd_config.5
|
||||
+++ b/openssh-7.2p2/sshd_config.5
|
||||
@@ -651,19 +651,19 @@ Alternately if the specified value begin
|
||||
character, then the specified key types will be appended to the default set
|
||||
instead of replacing them.
|
||||
The default for this option is:
|
||||
.Bd -literal -offset 3n
|
||||
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
-ssh-rsa-cert-v01@openssh.com,
|
||||
+ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-ssh-ed25519,ssh-rsa
|
||||
+ssh-ed25519,ssh-rsa,ssh-dss
|
||||
.Ed
|
||||
.Pp
|
||||
The
|
||||
.Fl Q
|
||||
option of
|
||||
.Xr ssh 1
|
||||
may be used to list supported key types.
|
||||
.It Cm HostbasedAuthentication
|
||||
@@ -743,19 +743,19 @@ environment variable.
|
||||
Specifies the host key algorithms
|
||||
that the server offers.
|
||||
The default for this option is:
|
||||
.Bd -literal -offset 3n
|
||||
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
-ssh-rsa-cert-v01@openssh.com,
|
||||
+ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-ssh-ed25519,ssh-rsa
|
||||
+ssh-ed25519,ssh-rsa,ssh-dss
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available key types may also be obtained using the
|
||||
.Fl Q
|
||||
option of
|
||||
.Xr ssh 1
|
||||
with an argument of
|
||||
.Dq key .
|
95
openssh-7.2p2-allow_root_password_login.patch
Normal file
95
openssh-7.2p2-allow_root_password_login.patch
Normal file
@ -0,0 +1,95 @@
|
||||
# HG changeset patch
|
||||
# Parent c43ae523939377778762e81743b77b3c75eb4bd1
|
||||
Allow root login with password by default. While less secure than upstream
|
||||
default of forbidding access to the root account with a password, we are
|
||||
temporarily introducing this change to keep the default used in older OpenSSH
|
||||
versions shipped with SLE.
|
||||
|
||||
diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
||||
--- a/openssh-7.2p2/servconf.c
|
||||
+++ b/openssh-7.2p2/servconf.c
|
||||
@@ -233,17 +233,17 @@ fill_default_server_options(ServerOption
|
||||
options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
|
||||
if (options->server_key_bits == -1)
|
||||
options->server_key_bits = 1024;
|
||||
if (options->login_grace_time == -1)
|
||||
options->login_grace_time = 120;
|
||||
if (options->key_regeneration_time == -1)
|
||||
options->key_regeneration_time = 3600;
|
||||
if (options->permit_root_login == PERMIT_NOT_SET)
|
||||
- options->permit_root_login = PERMIT_NO_PASSWD;
|
||||
+ options->permit_root_login = PERMIT_YES;
|
||||
if (options->ignore_rhosts == -1)
|
||||
options->ignore_rhosts = 1;
|
||||
if (options->ignore_user_known_hosts == -1)
|
||||
options->ignore_user_known_hosts = 0;
|
||||
if (options->print_motd == -1)
|
||||
options->print_motd = 1;
|
||||
if (options->print_lastlog == -1)
|
||||
options->print_lastlog = 1;
|
||||
diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
|
||||
--- a/openssh-7.2p2/sshd_config
|
||||
+++ b/openssh-7.2p2/sshd_config
|
||||
@@ -36,17 +36,17 @@
|
||||
# Logging
|
||||
# obsoletes QuietMode and FascistLogging
|
||||
#SyslogFacility AUTH
|
||||
#LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
|
||||
#LoginGraceTime 2m
|
||||
-#PermitRootLogin prohibit-password
|
||||
+#PermitRootLogin yes
|
||||
#StrictModes yes
|
||||
#MaxAuthTries 6
|
||||
#MaxSessions 10
|
||||
|
||||
#RSAAuthentication yes
|
||||
#PubkeyAuthentication yes
|
||||
|
||||
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
||||
diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0
|
||||
--- a/openssh-7.2p2/sshd_config.0
|
||||
+++ b/openssh-7.2p2/sshd_config.0
|
||||
@@ -710,17 +710,17 @@ DESCRIPTION
|
||||
restrictions and permit any forwarding requests. An argument of
|
||||
M-bM-^@M-^\noneM-bM-^@M-^] can be used to prohibit all forwarding requests. By
|
||||
default all port forwarding requests are permitted.
|
||||
|
||||
PermitRootLogin
|
||||
Specifies whether root can log in using ssh(1). The argument
|
||||
must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\prohibit-passwordM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^],
|
||||
M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], or M-bM-^@M-^\noM-bM-^@M-^]. The default is
|
||||
- M-bM-^@M-^\prohibit-passwordM-bM-^@M-^].
|
||||
+ M-bM-^@M-^\yesM-bM-^@M-^].
|
||||
|
||||
If this option is set to M-bM-^@M-^\prohibit-passwordM-bM-^@M-^] or
|
||||
M-bM-^@M-^\without-passwordM-bM-^@M-^], password and keyboard-interactive
|
||||
authentication are disabled for root.
|
||||
|
||||
If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], root login with
|
||||
public key authentication will be allowed, but only if the
|
||||
command option has been specified (which may be useful for taking
|
||||
diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
|
||||
--- a/openssh-7.2p2/sshd_config.5
|
||||
+++ b/openssh-7.2p2/sshd_config.5
|
||||
@@ -1213,17 +1213,17 @@ Specifies whether root can log in using
|
||||
The argument must be
|
||||
.Dq yes ,
|
||||
.Dq prohibit-password ,
|
||||
.Dq without-password ,
|
||||
.Dq forced-commands-only ,
|
||||
or
|
||||
.Dq no .
|
||||
The default is
|
||||
-.Dq prohibit-password .
|
||||
+.Dq yes .
|
||||
.Pp
|
||||
If this option is set to
|
||||
.Dq prohibit-password
|
||||
or
|
||||
.Dq without-password ,
|
||||
password and keyboard-interactive authentication are disabled for root.
|
||||
.Pp
|
||||
If this option is set to
|
3239
openssh-7.2p2-audit.patch
Normal file
3239
openssh-7.2p2-audit.patch
Normal file
File diff suppressed because it is too large
Load Diff
35
openssh-7.2p2-audit_fixes.patch
Normal file
35
openssh-7.2p2-audit_fixes.patch
Normal file
@ -0,0 +1,35 @@
|
||||
# HG changeset patch
|
||||
# Parent fdc9167221e501a9f4db5343cf8cadc31e13fd56
|
||||
Various auditing fixes to be merged into the RH-originated patch.
|
||||
|
||||
diff --git a/openssh-7.2p2/packet.c b/openssh-7.2p2/packet.c
|
||||
--- a/openssh-7.2p2/packet.c
|
||||
+++ b/openssh-7.2p2/packet.c
|
||||
@@ -371,20 +371,26 @@ ssh_packet_start_discard(struct ssh *ssh
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Returns 1 if remote host is connected via socket, 0 if not. */
|
||||
|
||||
int
|
||||
ssh_packet_connection_is_on_socket(struct ssh *ssh)
|
||||
{
|
||||
- struct session_state *state = ssh->state;
|
||||
+ struct session_state *state;
|
||||
struct sockaddr_storage from, to;
|
||||
socklen_t fromlen, tolen;
|
||||
|
||||
+ /* auditing might get here without valid connection structure when
|
||||
+ * destroying sensitive data on exit and thus aborting disgracefully */
|
||||
+ if ((!ssh) || (!(ssh->state)))
|
||||
+ return 0;
|
||||
+ state = ssh->state;
|
||||
+
|
||||
/* filedescriptors in and out are the same, so it's a socket */
|
||||
if (state->connection_in == state->connection_out)
|
||||
return 1;
|
||||
fromlen = sizeof(from);
|
||||
memset(&from, 0, sizeof(from));
|
||||
if (getpeername(state->connection_in, (struct sockaddr *)&from,
|
||||
&fromlen) < 0)
|
||||
return 0;
|
116
openssh-7.2p2-audit_seed_prng.patch
Normal file
116
openssh-7.2p2-audit_seed_prng.patch
Normal file
@ -0,0 +1,116 @@
|
||||
# HG changeset patch
|
||||
# Parent e6ff441d171012183f7bd37cb7399473e8376acd
|
||||
Audit PRNG re-seeding
|
||||
|
||||
diff --git a/openssh-7.2p2/audit-bsm.c b/openssh-7.2p2/audit-bsm.c
|
||||
--- a/openssh-7.2p2/audit-bsm.c
|
||||
+++ b/openssh-7.2p2/audit-bsm.c
|
||||
@@ -504,9 +504,15 @@ audit_destroy_sensitive_data(const char
|
||||
/* not implemented */
|
||||
}
|
||||
|
||||
void
|
||||
audit_generate_ephemeral_server_key(const char *fp)
|
||||
{
|
||||
/* not implemented */
|
||||
}
|
||||
+
|
||||
+void
|
||||
+audit_linux_prng_seed(long bytes, const char *rf)
|
||||
+{
|
||||
+ /* not implemented */
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff --git a/openssh-7.2p2/audit-linux.c b/openssh-7.2p2/audit-linux.c
|
||||
--- a/openssh-7.2p2/audit-linux.c
|
||||
+++ b/openssh-7.2p2/audit-linux.c
|
||||
@@ -402,9 +402,31 @@ audit_generate_ephemeral_server_key(cons
|
||||
}
|
||||
audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
|
||||
buf, NULL, 0, NULL, 1);
|
||||
audit_close(audit_fd);
|
||||
/* do not abort if the error is EPERM and sshd is run as non root user */
|
||||
if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
|
||||
error("cannot write into audit");
|
||||
}
|
||||
+
|
||||
+void
|
||||
+audit_linux_prng_seed(long bytes, const char *rf)
|
||||
+{
|
||||
+ char buf[AUDIT_LOG_SIZE];
|
||||
+ int audit_fd, audit_ok;
|
||||
+
|
||||
+ snprintf(buf, sizeof(buf), "op=prng_seed kind=server bytes=%li source=%s ", bytes, rf);
|
||||
+ audit_fd = audit_open();
|
||||
+ if (audit_fd < 0) {
|
||||
+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
|
||||
+ errno != EAFNOSUPPORT)
|
||||
+ error("cannot open audit");
|
||||
+ return;
|
||||
+ }
|
||||
+ audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_PARAM_CHANGE_USER,
|
||||
+ buf, NULL, 0, NULL, 1);
|
||||
+ audit_close(audit_fd);
|
||||
+ /* do not abort if the error is EPERM and sshd is run as non root user */
|
||||
+ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
|
||||
+ error("cannot write into audit");
|
||||
+}
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff --git a/openssh-7.2p2/audit.c b/openssh-7.2p2/audit.c
|
||||
--- a/openssh-7.2p2/audit.c
|
||||
+++ b/openssh-7.2p2/audit.c
|
||||
@@ -304,10 +304,16 @@ audit_destroy_sensitive_data(const char
|
||||
/*
|
||||
* This will be called on generation of the ephemeral server key
|
||||
*/
|
||||
void
|
||||
audit_generate_ephemeral_server_key(const char *)
|
||||
{
|
||||
debug("audit create ephemeral server key euid %d fingerprint %s", geteuid(), fp);
|
||||
}
|
||||
+
|
||||
+void
|
||||
+audit_linux_prng_seed(long bytes, const char *rf)
|
||||
+{
|
||||
+ debug("audit PRNG seed euid %d bytes %li source %s", geteuid(), bytes, rf);
|
||||
+}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff --git a/openssh-7.2p2/audit.h b/openssh-7.2p2/audit.h
|
||||
--- a/openssh-7.2p2/audit.h
|
||||
+++ b/openssh-7.2p2/audit.h
|
||||
@@ -69,10 +69,11 @@ void audit_key(int, int *, const Key *);
|
||||
void audit_unsupported(int);
|
||||
void audit_kex(int, char *, char *, char *, char *);
|
||||
void audit_unsupported_body(int);
|
||||
void audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t);
|
||||
void audit_session_key_free(int ctos);
|
||||
void audit_session_key_free_body(int ctos, pid_t, uid_t);
|
||||
void audit_destroy_sensitive_data(const char *, pid_t, uid_t);
|
||||
void audit_generate_ephemeral_server_key(const char *);
|
||||
+void audit_linux_prng_seed(long, const char *);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
|
||||
--- a/openssh-7.2p2/sshd.c
|
||||
+++ b/openssh-7.2p2/sshd.c
|
||||
@@ -1421,16 +1421,19 @@ server_accept_loop(int *sock_in, int *so
|
||||
if (maxfd < startup_p[0])
|
||||
maxfd = startup_p[0];
|
||||
startups++;
|
||||
break;
|
||||
}
|
||||
if(!(--re_seeding_counter)) {
|
||||
re_seeding_counter = RESEED_AFTER;
|
||||
linux_seed();
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ audit_linux_prng_seed(rand_bytes, rand_file);
|
||||
+#endif
|
||||
}
|
||||
|
||||
/*
|
||||
* Got connection. Fork a child to handle it, unless
|
||||
* we are in debugging mode.
|
||||
*/
|
||||
if (debug_flag) {
|
||||
/*
|
@ -1,13 +1,13 @@
|
||||
# HG changeset patch
|
||||
# Parent 724c9ea86fe2c4a1f0e0d3aba168357ab1b2c3aa
|
||||
# Parent 0bfb5dd4b190b546a3e40a59483b2b2884a47c39
|
||||
block SIGALRM while logging through syslog to prevent deadlocks
|
||||
(through grace_alarm_handler())
|
||||
|
||||
bnc#57354
|
||||
|
||||
diff --git a/openssh-7.6p1/log.c b/openssh-7.6p1/log.c
|
||||
--- a/openssh-7.6p1/log.c
|
||||
+++ b/openssh-7.6p1/log.c
|
||||
diff --git a/openssh-7.2p2/log.c b/openssh-7.2p2/log.c
|
||||
--- a/openssh-7.2p2/log.c
|
||||
+++ b/openssh-7.2p2/log.c
|
||||
@@ -46,16 +46,17 @@
|
||||
#include <syslog.h>
|
||||
#include <unistd.h>
|
||||
@ -26,7 +26,7 @@ diff --git a/openssh-7.6p1/log.c b/openssh-7.6p1/log.c
|
||||
static char *argv0;
|
||||
static log_handler_fn *log_handler;
|
||||
static void *log_handler_ctx;
|
||||
@@ -396,16 +397,17 @@ do_log(LogLevel level, const char *fmt,
|
||||
@@ -383,16 +384,17 @@ do_log(LogLevel level, const char *fmt,
|
||||
{
|
||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
||||
struct syslog_data sdata = SYSLOG_DATA_INIT;
|
||||
@ -44,18 +44,19 @@ diff --git a/openssh-7.6p1/log.c b/openssh-7.6p1/log.c
|
||||
|
||||
switch (level) {
|
||||
case SYSLOG_LEVEL_FATAL:
|
||||
@@ -455,20 +457,28 @@ do_log(LogLevel level, const char *fmt,
|
||||
@@ -441,20 +443,29 @@ do_log(LogLevel level, const char *fmt,
|
||||
tmp_handler = log_handler;
|
||||
log_handler = NULL;
|
||||
tmp_handler(level, fmtbuf, log_handler_ctx);
|
||||
log_handler = tmp_handler;
|
||||
} else if (log_on_stderr) {
|
||||
snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",
|
||||
(int)sizeof msgbuf - 3, fmtbuf);
|
||||
snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
|
||||
(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
|
||||
} else {
|
||||
+ /* Prevent a race between the grace_alarm which writes a
|
||||
+ * log message and terminates and main sshd code that leads
|
||||
+ * to deadlock as syslog is not async safe.
|
||||
+ /* Prevent a race between the grace_alarm
|
||||
+ * which writes a log message and terminates
|
||||
+ * and main sshd code that leads to deadlock
|
||||
+ * as syslog is not async safe.
|
||||
+ */
|
||||
+ sigemptyset(&nset);
|
||||
+ sigaddset(&nset, SIGALRM);
|
300
openssh-7.2p2-cavstest-ctr.patch
Normal file
300
openssh-7.2p2-cavstest-ctr.patch
Normal file
@ -0,0 +1,300 @@
|
||||
# HG changeset patch
|
||||
# Parent cb502e7e796ac9289a571167a97ad9ec91562efb
|
||||
CAVS test for OpenSSH's own CTR encryption mode implementation
|
||||
|
||||
diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
|
||||
--- a/openssh-7.2p2/Makefile.in
|
||||
+++ b/openssh-7.2p2/Makefile.in
|
||||
@@ -21,16 +21,17 @@ top_srcdir=@top_srcdir@
|
||||
|
||||
DESTDIR=
|
||||
VPATH=@srcdir@
|
||||
SSH_PROGRAM=@bindir@/ssh
|
||||
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
+CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
STRIP_OPT=@STRIP_OPT@
|
||||
TEST_SHELL=@TEST_SHELL@
|
||||
|
||||
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
|
||||
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
|
||||
-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
|
||||
@@ -59,16 +60,18 @@ SED=@SED@
|
||||
ENT=@ENT@
|
||||
XAUTH_PATH=@XAUTH_PATH@
|
||||
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
|
||||
EXEEXT=@EXEEXT@
|
||||
MANFMT=@MANFMT@
|
||||
|
||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
|
||||
|
||||
+TARGETS += cavstest-ctr$(EXEEXT)
|
||||
+
|
||||
LIBOPENSSH_OBJS=\
|
||||
ssh_api.o \
|
||||
ssherr.o \
|
||||
sshbuf.o \
|
||||
sshkey.o \
|
||||
sshbuf-getput-basic.o \
|
||||
sshbuf-misc.o \
|
||||
sshbuf-getput-crypto.o \
|
||||
@@ -190,16 +193,20 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libss
|
||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
|
||||
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
||||
|
||||
+# FIPS tests
|
||||
+cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
|
||||
+ $(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
+
|
||||
# test driver for the loginrec code - not built by default
|
||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
||||
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
$(MANPAGES): $(MANPAGES_IN)
|
||||
if test "$(MANTYPE)" = "cat"; then \
|
||||
manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
|
||||
else \
|
||||
@@ -310,16 +317,17 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
||||
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||
$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
|
||||
$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
|
||||
$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
|
||||
$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
|
||||
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
|
||||
diff --git a/openssh-7.2p2/cavstest-ctr.c b/openssh-7.2p2/cavstest-ctr.c
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-7.2p2/cavstest-ctr.c
|
||||
@@ -0,0 +1,212 @@
|
||||
+/*
|
||||
+ *
|
||||
+ * invocation (all of the following are equal):
|
||||
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
|
||||
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 00000000000000000000000000000000
|
||||
+ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt
|
||||
+ */
|
||||
+
|
||||
+#include "includes.h"
|
||||
+
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/param.h>
|
||||
+#include <stdarg.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <ctype.h>
|
||||
+
|
||||
+#include "xmalloc.h"
|
||||
+#include "log.h"
|
||||
+#include "cipher.h"
|
||||
+
|
||||
+/* compatibility with old or broken OpenSSL versions */
|
||||
+#include "openbsd-compat/openssl-compat.h"
|
||||
+
|
||||
+void
|
||||
+usage(void)
|
||||
+{
|
||||
+ fprintf(stderr, "Usage: ctr-cavstest --algo <ssh-crypto-algorithm>\n"
|
||||
+ " --key <hexadecimal-key> --mode <encrypt|decrypt>\n"
|
||||
+ " [--iv <hexadecimal-iv>] --data <hexadecimal-data>\n\n"
|
||||
+ "Hexadecimal output is printed to stdout.\n"
|
||||
+ "Hexadecimal input data can be alternatively read from stdin.\n");
|
||||
+ exit(1);
|
||||
+}
|
||||
+
|
||||
+void *
|
||||
+fromhex(char *hex, size_t * len)
|
||||
+{
|
||||
+ unsigned char *bin;
|
||||
+ char *p;
|
||||
+ size_t n = 0;
|
||||
+ int shift = 4;
|
||||
+ unsigned char out = 0;
|
||||
+ unsigned char *optr;
|
||||
+
|
||||
+ bin = xmalloc(strlen(hex) / 2);
|
||||
+ optr = bin;
|
||||
+
|
||||
+ for (p = hex; *p != '\0'; ++p) {
|
||||
+ unsigned char c;
|
||||
+
|
||||
+ c = *p;
|
||||
+ if (isspace(c))
|
||||
+ continue;
|
||||
+
|
||||
+ if (c >= '0' && c <= '9') {
|
||||
+ c = c - '0';
|
||||
+ } else if (c >= 'A' && c <= 'F') {
|
||||
+ c = c - 'A' + 10;
|
||||
+ } else if (c >= 'a' && c <= 'f') {
|
||||
+ c = c - 'a' + 10;
|
||||
+ } else {
|
||||
+ /* truncate on nonhex cipher */
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ out |= c << shift;
|
||||
+ shift = (shift + 4) % 8;
|
||||
+
|
||||
+ if (shift) {
|
||||
+ *(optr++) = out;
|
||||
+ out = 0;
|
||||
+ ++n;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ *len = n;
|
||||
+ return bin;
|
||||
+}
|
||||
+
|
||||
+#define READ_CHUNK 4096
|
||||
+#define MAX_READ_SIZE 1024*1024*100
|
||||
+char *
|
||||
+read_stdin(void)
|
||||
+{
|
||||
+ char *buf;
|
||||
+ size_t n, total = 0;
|
||||
+
|
||||
+ buf = xmalloc(READ_CHUNK);
|
||||
+
|
||||
+ do {
|
||||
+ n = fread(buf + total, 1, READ_CHUNK, stdin);
|
||||
+ if (n < READ_CHUNK) /* terminate on short read */
|
||||
+ break;
|
||||
+
|
||||
+ total += n;
|
||||
+ buf = xreallocarray(buf, total + READ_CHUNK, 1);
|
||||
+ } while (total < MAX_READ_SIZE);
|
||||
+ return buf;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+main(int argc, char *argv[])
|
||||
+{
|
||||
+
|
||||
+ struct sshcipher *c;
|
||||
+ struct sshcipher_ctx cc;
|
||||
+ char *algo = "aes128-ctr";
|
||||
+ char *hexkey = NULL;
|
||||
+ char *hexiv = "00000000000000000000000000000000";
|
||||
+ char *hexdata = NULL;
|
||||
+ char *p;
|
||||
+ int i;
|
||||
+ int encrypt = 1;
|
||||
+ void *key;
|
||||
+ size_t keylen;
|
||||
+ void *iv;
|
||||
+ size_t ivlen;
|
||||
+ void *data;
|
||||
+ size_t datalen;
|
||||
+ void *outdata;
|
||||
+
|
||||
+ for (i = 1; i < argc; ++i) {
|
||||
+ if (strcmp(argv[i], "--algo") == 0) {
|
||||
+ algo = argv[++i];
|
||||
+ } else if (strcmp(argv[i], "--key") == 0) {
|
||||
+ hexkey = argv[++i];
|
||||
+ } else if (strcmp(argv[i], "--mode") == 0) {
|
||||
+ ++i;
|
||||
+ if (argv[i] == NULL) {
|
||||
+ usage();
|
||||
+ }
|
||||
+ if (strncmp(argv[i], "enc", 3) == 0) {
|
||||
+ encrypt = 1;
|
||||
+ } else if (strncmp(argv[i], "dec", 3) == 0) {
|
||||
+ encrypt = 0;
|
||||
+ } else {
|
||||
+ usage();
|
||||
+ }
|
||||
+ } else if (strcmp(argv[i], "--iv") == 0) {
|
||||
+ hexiv = argv[++i];
|
||||
+ } else if (strcmp(argv[i], "--data") == 0) {
|
||||
+ hexdata = argv[++i];
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (hexkey == NULL || algo == NULL) {
|
||||
+ usage();
|
||||
+ }
|
||||
+
|
||||
+ SSLeay_add_all_algorithms();
|
||||
+
|
||||
+ c = cipher_by_name(algo);
|
||||
+ if (c == NULL) {
|
||||
+ fprintf(stderr, "Error: unknown algorithm\n");
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
+ if (hexdata == NULL) {
|
||||
+ hexdata = read_stdin();
|
||||
+ } else {
|
||||
+ hexdata = xstrdup(hexdata);
|
||||
+ }
|
||||
+
|
||||
+ key = fromhex(hexkey, &keylen);
|
||||
+
|
||||
+ if (keylen != 16 && keylen != 24 && keylen == 32) {
|
||||
+ fprintf(stderr, "Error: unsupported key length\n");
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
+ iv = fromhex(hexiv, &ivlen);
|
||||
+
|
||||
+ if (ivlen != 16) {
|
||||
+ fprintf(stderr, "Error: unsupported iv length\n");
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
+ data = fromhex(hexdata, &datalen);
|
||||
+
|
||||
+ if (data == NULL || datalen == 0) {
|
||||
+ fprintf(stderr, "Error: no data to encrypt/decrypt\n");
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
+ cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt);
|
||||
+
|
||||
+ free(key);
|
||||
+ free(iv);
|
||||
+
|
||||
+ outdata = malloc(datalen);
|
||||
+ if (outdata == NULL) {
|
||||
+ fprintf(stderr, "Error: memory allocation failure\n");
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
+ cipher_crypt(&cc, 0, outdata, data, datalen, 0, 0);
|
||||
+
|
||||
+ free(data);
|
||||
+
|
||||
+ cipher_cleanup(&cc);
|
||||
+
|
||||
+ for (p = outdata; datalen > 0; ++p, --datalen) {
|
||||
+ printf("%02X", (unsigned char) *p);
|
||||
+ }
|
||||
+
|
||||
+ free(outdata);
|
||||
+
|
||||
+ printf("\n");
|
||||
+ return 0;
|
||||
+}
|
469
openssh-7.2p2-cavstest-kdf.patch
Normal file
469
openssh-7.2p2-cavstest-kdf.patch
Normal file
@ -0,0 +1,469 @@
|
||||
# HG changeset patch
|
||||
# Parent f9ffcfb88e5a9d611a61aee3571050dea67e363e
|
||||
CAVS test for KDF implementation in OpenSSH
|
||||
|
||||
diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
|
||||
--- a/openssh-7.2p2/Makefile.in
|
||||
+++ b/openssh-7.2p2/Makefile.in
|
||||
@@ -22,16 +22,17 @@ top_srcdir=@top_srcdir@
|
||||
DESTDIR=
|
||||
VPATH=@srcdir@
|
||||
SSH_PROGRAM=@bindir@/ssh
|
||||
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
||||
+CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
STRIP_OPT=@STRIP_OPT@
|
||||
TEST_SHELL=@TEST_SHELL@
|
||||
|
||||
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
|
||||
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
|
||||
-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
|
||||
@@ -60,17 +61,17 @@ SED=@SED@
|
||||
ENT=@ENT@
|
||||
XAUTH_PATH=@XAUTH_PATH@
|
||||
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
|
||||
EXEEXT=@EXEEXT@
|
||||
MANFMT=@MANFMT@
|
||||
|
||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
|
||||
|
||||
-TARGETS += cavstest-ctr$(EXEEXT)
|
||||
+TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
|
||||
|
||||
LIBOPENSSH_OBJS=\
|
||||
ssh_api.o \
|
||||
ssherr.o \
|
||||
sshbuf.o \
|
||||
sshkey.o \
|
||||
sshbuf-getput-basic.o \
|
||||
sshbuf-misc.o \
|
||||
@@ -197,16 +198,19 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
|
||||
|
||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
|
||||
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
||||
|
||||
# FIPS tests
|
||||
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
|
||||
$(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
+cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-kdf.o
|
||||
+ $(LD) -o $@ cavstest-kdf.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
+
|
||||
# test driver for the loginrec code - not built by default
|
||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
||||
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
$(MANPAGES): $(MANPAGES_IN)
|
||||
if test "$(MANTYPE)" = "cat"; then \
|
||||
manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
|
||||
else \
|
||||
@@ -318,16 +322,17 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
||||
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-kdf$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-kdf$(EXEEXT)
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||
$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
|
||||
$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
|
||||
$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
|
||||
$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
|
||||
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
|
||||
diff --git a/openssh-7.2p2/cavstest-kdf.c b/openssh-7.2p2/cavstest-kdf.c
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-7.2p2/cavstest-kdf.c
|
||||
@@ -0,0 +1,382 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, and the entire permission notice in its entirety,
|
||||
+ * including the disclaimer of warranties.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ * 3. The name of the author may not be used to endorse or promote
|
||||
+ * products derived from this software without specific prior
|
||||
+ * written permission.
|
||||
+ *
|
||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
||||
+ * the GNU General Public License, in which case the provisions of the GPL2
|
||||
+ * are required INSTEAD OF the above restrictions. (This clause is
|
||||
+ * necessary due to a potential bad interaction between the GPL and
|
||||
+ * the restrictions contained in a BSD-style copyright.)
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
|
||||
+ * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
|
||||
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
|
||||
+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
|
||||
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
||||
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
|
||||
+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
|
||||
+ * DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+#include "includes.h"
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <errno.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <string.h>
|
||||
+
|
||||
+#include <openssl/bn.h>
|
||||
+
|
||||
+#include "xmalloc.h"
|
||||
+#include "buffer.h"
|
||||
+#include "key.h"
|
||||
+#include "cipher.h"
|
||||
+#include "kex.h"
|
||||
+#include "packet.h"
|
||||
+
|
||||
+static int bin_char(unsigned char hex)
|
||||
+{
|
||||
+ if (48 <= hex && 57 >= hex)
|
||||
+ return (hex - 48);
|
||||
+ if (65 <= hex && 70 >= hex)
|
||||
+ return (hex - 55);
|
||||
+ if (97 <= hex && 102 >= hex)
|
||||
+ return (hex - 87);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Convert hex representation into binary string
|
||||
+ * @hex input buffer with hex representation
|
||||
+ * @hexlen length of hex
|
||||
+ * @bin output buffer with binary data
|
||||
+ * @binlen length of already allocated bin buffer (should be at least
|
||||
+ * half of hexlen -- if not, only a fraction of hexlen is converted)
|
||||
+ */
|
||||
+static void hex2bin(const char *hex, size_t hexlen,
|
||||
+ unsigned char *bin, size_t binlen)
|
||||
+{
|
||||
+ size_t i = 0;
|
||||
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
|
||||
+
|
||||
+ for (i = 0; i < chars; i++) {
|
||||
+ bin[i] = bin_char(hex[(i*2)]) << 4;
|
||||
+ bin[i] |= bin_char(hex[((i*2)+1)]);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Allocate sufficient space for binary representation of hex
|
||||
+ * and convert hex into bin
|
||||
+ *
|
||||
+ * Caller must free bin
|
||||
+ * @hex input buffer with hex representation
|
||||
+ * @hexlen length of hex
|
||||
+ * @bin return value holding the pointer to the newly allocated buffer
|
||||
+ * @binlen return value holding the allocated size of bin
|
||||
+ *
|
||||
+ * return: 0 on success, !0 otherwise
|
||||
+ */
|
||||
+static int hex2bin_alloc(const char *hex, size_t hexlen,
|
||||
+ unsigned char **bin, size_t *binlen)
|
||||
+{
|
||||
+ unsigned char *out = NULL;
|
||||
+ size_t outlen = 0;
|
||||
+
|
||||
+ if (!hexlen)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ outlen = (hexlen + 1) / 2;
|
||||
+
|
||||
+ out = calloc(1, outlen);
|
||||
+ if (!out)
|
||||
+ return -errno;
|
||||
+
|
||||
+ hex2bin(hex, hexlen, out, outlen);
|
||||
+ *bin = out;
|
||||
+ *binlen = outlen;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static char hex_char_map_l[] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
||||
+ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
|
||||
+static char hex_char_map_u[] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
||||
+ '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
|
||||
+static char hex_char(unsigned int bin, int u)
|
||||
+{
|
||||
+ if (bin < sizeof(hex_char_map_l))
|
||||
+ return (u) ? hex_char_map_u[bin] : hex_char_map_l[bin];
|
||||
+ return 'X';
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Convert binary string into hex representation
|
||||
+ * @bin input buffer with binary data
|
||||
+ * @binlen length of bin
|
||||
+ * @hex output buffer to store hex data
|
||||
+ * @hexlen length of already allocated hex buffer (should be at least
|
||||
+ * twice binlen -- if not, only a fraction of binlen is converted)
|
||||
+ * @u case of hex characters (0=>lower case, 1=>upper case)
|
||||
+ */
|
||||
+static void bin2hex(const unsigned char *bin, size_t binlen,
|
||||
+ char *hex, size_t hexlen, int u)
|
||||
+{
|
||||
+ size_t i = 0;
|
||||
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
|
||||
+
|
||||
+ for (i = 0; i < chars; i++) {
|
||||
+ hex[(i*2)] = hex_char((bin[i] >> 4), u);
|
||||
+ hex[((i*2)+1)] = hex_char((bin[i] & 0x0f), u);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+struct kdf_cavs {
|
||||
+ unsigned char *K;
|
||||
+ size_t Klen;
|
||||
+ unsigned char *H;
|
||||
+ size_t Hlen;
|
||||
+ unsigned char *session_id;
|
||||
+ size_t session_id_len;
|
||||
+
|
||||
+ unsigned int iv_len;
|
||||
+ unsigned int ek_len;
|
||||
+ unsigned int ik_len;
|
||||
+};
|
||||
+
|
||||
+static int sshkdf_cavs(struct kdf_cavs *test)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ struct kex kex;
|
||||
+ struct ssh ssh;
|
||||
+ BIGNUM *Kbn = NULL;
|
||||
+ int mode = 0;
|
||||
+ struct newkeys *keys_client;
|
||||
+ struct newkeys *keys_server;
|
||||
+
|
||||
+#define HEXOUTLEN 500
|
||||
+ char hex[HEXOUTLEN];
|
||||
+
|
||||
+ memset(&ssh, 0, sizeof(struct ssh));
|
||||
+ memset(&kex, 0, sizeof(struct kex));
|
||||
+ ssh.kex = &kex;
|
||||
+
|
||||
+ Kbn = BN_new();
|
||||
+ BN_bin2bn(test->K, test->Klen, Kbn);
|
||||
+ if (!Kbn) {
|
||||
+ printf("cannot convert K into BIGNUM\n");
|
||||
+ ret = 1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ kex.session_id = test->session_id;
|
||||
+ kex.session_id_len = test->session_id_len;
|
||||
+
|
||||
+ /* setup kex */
|
||||
+
|
||||
+ /* select the right hash based on struct ssh_digest digests */
|
||||
+ switch (test->ik_len) {
|
||||
+ case 20:
|
||||
+ kex.hash_alg = 2;
|
||||
+ break;
|
||||
+ case 32:
|
||||
+ kex.hash_alg = 3;
|
||||
+ break;
|
||||
+ case 48:
|
||||
+ kex.hash_alg = 4;
|
||||
+ break;
|
||||
+ case 64:
|
||||
+ kex.hash_alg = 5;
|
||||
+ break;
|
||||
+ default:
|
||||
+ printf("Wrong hash type %u\n", test->ik_len);
|
||||
+ ret = 1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ /* implement choose_enc */
|
||||
+ for (mode = 0; mode < 2; mode++) {
|
||||
+ kex.newkeys[mode] = calloc(1, sizeof(struct newkeys));
|
||||
+ if (!kex.newkeys[mode]) {
|
||||
+ printf("allocation of newkeys failed\n");
|
||||
+ ret = 1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ kex.newkeys[mode]->enc.iv_len = test->iv_len;
|
||||
+ kex.newkeys[mode]->enc.key_len = test->ek_len;
|
||||
+ kex.newkeys[mode]->enc.block_size = (test->iv_len == 64) ? 8 : 16;
|
||||
+ kex.newkeys[mode]->mac.key_len = test->ik_len;
|
||||
+ }
|
||||
+
|
||||
+ /* implement kex_choose_conf */
|
||||
+ kex.we_need = kex.newkeys[0]->enc.key_len;
|
||||
+ if (kex.we_need < kex.newkeys[0]->enc.block_size)
|
||||
+ kex.we_need = kex.newkeys[0]->enc.block_size;
|
||||
+ if (kex.we_need < kex.newkeys[0]->enc.iv_len)
|
||||
+ kex.we_need = kex.newkeys[0]->enc.iv_len;
|
||||
+ if (kex.we_need < kex.newkeys[0]->mac.key_len)
|
||||
+ kex.we_need = kex.newkeys[0]->mac.key_len;
|
||||
+
|
||||
+ /* MODE_OUT (1) -> server to client
|
||||
+ * MODE_IN (0) -> client to server */
|
||||
+ kex.server = 1;
|
||||
+
|
||||
+ /* do it */
|
||||
+ kex_derive_keys_bn(&ssh, test->H, test->Hlen, Kbn);
|
||||
+
|
||||
+ keys_client = ssh.kex->newkeys[0];
|
||||
+ keys_server = ssh.kex->newkeys[1];
|
||||
+
|
||||
+ /* get data */
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(keys_client->enc.iv, (size_t)keys_client->enc.iv_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Initial IV (client to server) = %s\n", hex);
|
||||
+
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(keys_server->enc.iv, (size_t)keys_server->enc.iv_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Initial IV (server to client) = %s\n", hex);
|
||||
+
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(keys_client->enc.key, (size_t)keys_client->enc.key_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Encryption key (client to server) = %s\n", hex);
|
||||
+
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(keys_server->enc.key, (size_t)keys_server->enc.key_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Encryption key (server to client) = %s\n", hex);
|
||||
+
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(keys_client->mac.key, (size_t)keys_client->mac.key_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Integrity key (client to server) = %s\n", hex);
|
||||
+
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(keys_server->mac.key, (size_t)keys_server->mac.key_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Integrity key (server to client) = %s\n", hex);
|
||||
+
|
||||
+ free(keys_client);
|
||||
+ free(keys_server);
|
||||
+
|
||||
+out:
|
||||
+ if (Kbn)
|
||||
+ BN_free(Kbn);
|
||||
+ if (kex.newkeys[0])
|
||||
+ free(kex.newkeys[0]);
|
||||
+ if (kex.newkeys[1])
|
||||
+ free(kex.newkeys[1]);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static void usage(void)
|
||||
+{
|
||||
+ fprintf(stderr, "\nOpenSSH KDF CAVS Test\n\n");
|
||||
+ fprintf(stderr, "Usage:\n");
|
||||
+ fprintf(stderr, "\t-K\tShared secret string\n");
|
||||
+ fprintf(stderr, "\t-H\tHash string\n");
|
||||
+ fprintf(stderr, "\t-s\tSession ID string\n");
|
||||
+ fprintf(stderr, "\t-i\tIV length to be generated\n");
|
||||
+ fprintf(stderr, "\t-e\tEncryption key length to be generated\n");
|
||||
+ fprintf(stderr, "\t-m\tMAC key length to be generated\n");
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Test command example:
|
||||
+ * ./ssh-cavs -K 0055d50f2d163cc07cd8a93cc7c3430c30ce786b572c01ad29fec7597000cf8618d664e2ec3dcbc8bb7a1a7eb7ef67f61cdaf291625da879186ac0a5cb27af571b59612d6a6e0627344d846271959fda61c78354aa498773d59762f8ca2d0215ec590d8633de921f920d41e47b3de6ab9a3d0869e1c826d0e4adebf8e3fb646a15dea20a410b44e969f4b791ed6a67f13f1b74234004d5fa5e87eff7abc32d49bbdf44d7b0107e8f10609233b7e2b7eff74a4daf25641de7553975dac6ac1e5117df6f6dbaa1c263d23a6c3e5a3d7d49ae8a828c1e333ac3f85fbbf57b5c1a45be45e43a7be1a4707eac779b8285522d1f531fe23f890fd38a004339932b93eda4 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
|
||||
+ *
|
||||
+ * Expected result for example:
|
||||
+ * Initial IV (client to server) = 4bb320d1679dfd3a
|
||||
+ * Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
|
||||
+ * Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
|
||||
+ * Initial IV (server to client) = 43dea6fdf263a308
|
||||
+ * Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
|
||||
+ * Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
|
||||
+ */
|
||||
+int main(int argc, char *argv[])
|
||||
+{
|
||||
+ struct kdf_cavs test;
|
||||
+ int ret = 1;
|
||||
+ int opt = 0;
|
||||
+
|
||||
+ memset(&test, 0, sizeof(struct kdf_cavs));
|
||||
+ while((opt = getopt(argc, argv, "K:H:s:i:e:m:")) != -1)
|
||||
+ {
|
||||
+ size_t len = 0;
|
||||
+ switch(opt)
|
||||
+ {
|
||||
+ /*
|
||||
+ * CAVS K is MPINT
|
||||
+ * we want a hex (i.e. the caller must ensure the
|
||||
+ * following transformations already happened):
|
||||
+ * 1. cut off first four bytes
|
||||
+ * 2. if most significant bit of value is
|
||||
+ * 1, prepend 0 byte
|
||||
+ */
|
||||
+ case 'K':
|
||||
+ len = strlen(optarg);
|
||||
+ ret = hex2bin_alloc(optarg, len,
|
||||
+ &test.K, &test.Klen);
|
||||
+ if (ret)
|
||||
+ goto out;
|
||||
+ break;
|
||||
+ case 'H':
|
||||
+ len = strlen(optarg);
|
||||
+ ret = hex2bin_alloc(optarg, len,
|
||||
+ &test.H, &test.Hlen);
|
||||
+ if (ret)
|
||||
+ goto out;
|
||||
+ break;
|
||||
+ case 's':
|
||||
+ len = strlen(optarg);
|
||||
+ ret = hex2bin_alloc(optarg, len,
|
||||
+ &test.session_id,
|
||||
+ &test.session_id_len);
|
||||
+ if (ret)
|
||||
+ goto out;
|
||||
+ break;
|
||||
+ case 'i':
|
||||
+ test.iv_len = strtoul(optarg, NULL, 10);
|
||||
+ break;
|
||||
+ case 'e':
|
||||
+ test.ek_len = strtoul(optarg, NULL, 10);
|
||||
+ break;
|
||||
+ case 'm':
|
||||
+ test.ik_len = strtoul(optarg, NULL, 10);
|
||||
+ break;
|
||||
+ default:
|
||||
+ usage();
|
||||
+ goto out;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ ret = sshkdf_cavs(&test);
|
||||
+
|
||||
+out:
|
||||
+ if (test.session_id)
|
||||
+ free(test.session_id);
|
||||
+ if (test.K)
|
||||
+ free(test.K);
|
||||
+ if (test.H)
|
||||
+ free(test.H);
|
||||
+ return ret;
|
||||
+
|
||||
+}
|
64
openssh-7.2p2-disable_openssl_abi_check.patch
Normal file
64
openssh-7.2p2-disable_openssl_abi_check.patch
Normal file
@ -0,0 +1,64 @@
|
||||
# HG changeset patch
|
||||
# Parent 4821397c95e57962905e6d47554bef9e4ea57483
|
||||
disable run-time check for OpenSSL ABI by version number as that is not a
|
||||
reliable indicator of ABI changes and doesn't make much sense in a
|
||||
distribution package
|
||||
|
||||
diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
|
||||
--- a/openssh-7.2p2/configure.ac
|
||||
+++ b/openssh-7.2p2/configure.ac
|
||||
@@ -4663,16 +4663,29 @@ AC_ARG_WITH([bsd-auth],
|
||||
if test "x$withval" != "xno" ; then
|
||||
AC_DEFINE([BSD_AUTH], [1],
|
||||
[Define if you have BSD auth support])
|
||||
BSD_AUTH_MSG=yes
|
||||
fi
|
||||
]
|
||||
)
|
||||
|
||||
+# Whether we are using distribution (Open)SSL, so no runtime checks are necessary
|
||||
+DISTRO_SSL=no
|
||||
+AC_ARG_WITH([distro-ssl],
|
||||
+ [ --with-distro-ssl Disable runtime OpenSSL version checks (good for distributions)],
|
||||
+ [
|
||||
+ if test "x$withval" != "xno" ; then
|
||||
+ AC_DEFINE([DISTRO_SSL], [1],
|
||||
+ [Define if you are using distribution SSL library and don;t expect its API/ABI to change])
|
||||
+ DISTRO_SSL=yes
|
||||
+ fi
|
||||
+ ]
|
||||
+)
|
||||
+
|
||||
# Where to place sshd.pid
|
||||
piddir=/var/run
|
||||
# make sure the directory exists
|
||||
if test ! -d $piddir ; then
|
||||
piddir=`eval echo ${sysconfdir}`
|
||||
case $piddir in
|
||||
NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
|
||||
esac
|
||||
diff --git a/openssh-7.2p2/entropy.c b/openssh-7.2p2/entropy.c
|
||||
--- a/openssh-7.2p2/entropy.c
|
||||
+++ b/openssh-7.2p2/entropy.c
|
||||
@@ -209,19 +209,21 @@ rexec_recv_rng_seed(Buffer *m)
|
||||
#endif /* OPENSSL_PRNG_ONLY */
|
||||
|
||||
void
|
||||
seed_rng(void)
|
||||
{
|
||||
#ifndef OPENSSL_PRNG_ONLY
|
||||
unsigned char buf[RANDOM_SEED_SIZE];
|
||||
#endif
|
||||
+#ifndef DISTRO_SSL
|
||||
if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, SSLeay()))
|
||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
||||
+#endif
|
||||
|
||||
#ifndef OPENSSL_PRNG_ONLY
|
||||
if (RAND_status() == 1) {
|
||||
debug3("RNG is ready, skipping seeding");
|
||||
return;
|
||||
}
|
||||
|
||||
if (seed_from_prngd(buf, sizeof(buf)) == -1)
|
1317
openssh-7.2p2-disable_preauth_compression.patch
Normal file
1317
openssh-7.2p2-disable_preauth_compression.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent a5b0f249f564de9c9efd023c6430f607d9861acd
|
||||
# Parent 7b5f436e0026923299fdd1994f8da8fd9948be7c
|
||||
|
||||
Raise minimal size of DH group parameters to 2048 bits like upstream did in
|
||||
7.2. 1024b values are believed to be in breaking range for state adversaries
|
||||
@ -12,9 +12,9 @@ compliant) parameters.
|
||||
CVE-2015-4000 (LOGJAM)
|
||||
bsc#932483
|
||||
|
||||
diff --git a/openssh-7.6p1/dh.c b/openssh-7.6p1/dh.c
|
||||
--- a/openssh-7.6p1/dh.c
|
||||
+++ b/openssh-7.6p1/dh.c
|
||||
diff --git a/openssh-7.2p2/dh.c b/openssh-7.2p2/dh.c
|
||||
--- a/openssh-7.2p2/dh.c
|
||||
+++ b/openssh-7.2p2/dh.c
|
||||
@@ -37,16 +37,18 @@
|
||||
#include <limits.h>
|
||||
|
||||
@ -34,10 +34,10 @@ diff --git a/openssh-7.6p1/dh.c b/openssh-7.6p1/dh.c
|
||||
const char *errstr = NULL;
|
||||
long long n;
|
||||
|
||||
diff --git a/openssh-7.6p1/dh.h b/openssh-7.6p1/dh.h
|
||||
--- a/openssh-7.6p1/dh.h
|
||||
+++ b/openssh-7.6p1/dh.h
|
||||
@@ -45,16 +45,17 @@ int dh_gen_key(DH *, int);
|
||||
diff --git a/openssh-7.2p2/dh.h b/openssh-7.2p2/dh.h
|
||||
--- a/openssh-7.2p2/dh.h
|
||||
+++ b/openssh-7.2p2/dh.h
|
||||
@@ -43,16 +43,17 @@ int dh_gen_key(DH *, int);
|
||||
int dh_pub_is_valid(DH *, BIGNUM *);
|
||||
|
||||
u_int dh_estimate(int);
|
||||
@ -55,23 +55,23 @@ diff --git a/openssh-7.6p1/dh.h b/openssh-7.6p1/dh.h
|
||||
* Specifies the internal structure of the prime modulus.
|
||||
*/
|
||||
#define MODULI_TYPE_UNKNOWN (0)
|
||||
diff --git a/openssh-7.6p1/kexgexc.c b/openssh-7.6p1/kexgexc.c
|
||||
--- a/openssh-7.6p1/kexgexc.c
|
||||
+++ b/openssh-7.6p1/kexgexc.c
|
||||
diff --git a/openssh-7.2p2/kexgexc.c b/openssh-7.2p2/kexgexc.c
|
||||
--- a/openssh-7.2p2/kexgexc.c
|
||||
+++ b/openssh-7.2p2/kexgexc.c
|
||||
@@ -46,29 +46,32 @@
|
||||
#include "packet.h"
|
||||
#include "dh.h"
|
||||
#include "ssh2.h"
|
||||
#include "compat.h"
|
||||
#include "dispatch.h"
|
||||
#include "ssherr.h"
|
||||
#include "sshbuf.h"
|
||||
#include "misc.h"
|
||||
|
||||
+/* import from dh.c */
|
||||
+extern int dh_grp_min;
|
||||
+
|
||||
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
|
||||
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
|
||||
static int input_kex_dh_gex_group(int, u_int32_t, void *);
|
||||
static int input_kex_dh_gex_reply(int, u_int32_t, void *);
|
||||
|
||||
int
|
||||
kexgex_client(struct ssh *ssh)
|
||||
@ -87,12 +87,12 @@ diff --git a/openssh-7.6p1/kexgexc.c b/openssh-7.6p1/kexgexc.c
|
||||
kex->max = DH_GRP_MAX;
|
||||
kex->nbits = nbits;
|
||||
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
||||
kex->nbits = MINIMUM(kex->nbits, 4096);
|
||||
kex->nbits = MIN(kex->nbits, 4096);
|
||||
/* New GEX request */
|
||||
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST)) != 0 ||
|
||||
(r = sshpkt_put_u32(ssh, kex->min)) != 0 ||
|
||||
(r = sshpkt_put_u32(ssh, kex->nbits)) != 0 ||
|
||||
@@ -103,16 +106,22 @@ input_kex_dh_gex_group(int type, u_int32
|
||||
@@ -104,16 +107,22 @@ input_kex_dh_gex_group(int type, u_int32
|
||||
goto out;
|
||||
}
|
||||
if ((r = sshpkt_get_bignum2(ssh, p)) != 0 ||
|
||||
@ -115,30 +115,30 @@ diff --git a/openssh-7.6p1/kexgexc.c b/openssh-7.6p1/kexgexc.c
|
||||
goto out;
|
||||
}
|
||||
p = g = NULL; /* belong to kex->dh now */
|
||||
diff --git a/openssh-7.6p1/kexgexs.c b/openssh-7.6p1/kexgexs.c
|
||||
--- a/openssh-7.6p1/kexgexs.c
|
||||
+++ b/openssh-7.6p1/kexgexs.c
|
||||
diff --git a/openssh-7.2p2/kexgexs.c b/openssh-7.2p2/kexgexs.c
|
||||
--- a/openssh-7.2p2/kexgexs.c
|
||||
+++ b/openssh-7.2p2/kexgexs.c
|
||||
@@ -49,16 +49,19 @@
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
#include "dispatch.h"
|
||||
#include "ssherr.h"
|
||||
#include "sshbuf.h"
|
||||
#include "misc.h"
|
||||
|
||||
+/* import from dh.c */
|
||||
+extern int dh_grp_min;
|
||||
+
|
||||
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
|
||||
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
|
||||
static int input_kex_dh_gex_request(int, u_int32_t, void *);
|
||||
static int input_kex_dh_gex_init(int, u_int32_t, void *);
|
||||
|
||||
int
|
||||
kexgex_server(struct ssh *ssh)
|
||||
{
|
||||
ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST,
|
||||
&input_kex_dh_gex_request);
|
||||
@@ -77,23 +80,29 @@ input_kex_dh_gex_request(int type, u_int
|
||||
@@ -78,23 +81,29 @@ input_kex_dh_gex_request(int type, u_int
|
||||
if ((r = sshpkt_get_u32(ssh, &min)) != 0 ||
|
||||
(r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
|
||||
(r = sshpkt_get_u32(ssh, &max)) != 0 ||
|
||||
@ -147,15 +147,15 @@ diff --git a/openssh-7.6p1/kexgexs.c b/openssh-7.6p1/kexgexs.c
|
||||
kex->nbits = nbits;
|
||||
kex->min = min;
|
||||
kex->max = max;
|
||||
- min = MAXIMUM(DH_GRP_MIN, min);
|
||||
+ min = MAXIMUM(dh_grp_min, min);
|
||||
max = MINIMUM(DH_GRP_MAX, max);
|
||||
- nbits = MAXIMUM(DH_GRP_MIN, nbits);
|
||||
+ nbits = MAXIMUM(dh_grp_min, nbits);
|
||||
nbits = MINIMUM(DH_GRP_MAX, nbits);
|
||||
- min = MAX(DH_GRP_MIN, min);
|
||||
+ min = MAX(dh_grp_min, min);
|
||||
max = MIN(DH_GRP_MAX, max);
|
||||
- nbits = MAX(DH_GRP_MIN, nbits);
|
||||
+ nbits = MAX(dh_grp_min, nbits);
|
||||
nbits = MIN(DH_GRP_MAX, nbits);
|
||||
|
||||
if (kex->max < kex->min || kex->nbits < kex->min ||
|
||||
kex->max < kex->nbits || kex->max < DH_GRP_MIN) {
|
||||
kex->max < kex->nbits) {
|
||||
+ if (kex->nbits < kex->min && kex->nbits >= DH_GRP_MIN_RFC)
|
||||
+ logit("DH parameter requested by the client (%d bits) "
|
||||
+ "is considered insecure. "
|
||||
@ -170,10 +170,10 @@ diff --git a/openssh-7.6p1/kexgexs.c b/openssh-7.6p1/kexgexs.c
|
||||
kex->dh = PRIVSEP(choose_dh(min, nbits, max));
|
||||
if (kex->dh == NULL) {
|
||||
sshpkt_disconnect(ssh, "no matching DH grp found");
|
||||
diff --git a/openssh-7.6p1/readconf.c b/openssh-7.6p1/readconf.c
|
||||
--- a/openssh-7.6p1/readconf.c
|
||||
+++ b/openssh-7.6p1/readconf.c
|
||||
@@ -61,16 +61,17 @@
|
||||
diff --git a/openssh-7.2p2/readconf.c b/openssh-7.2p2/readconf.c
|
||||
--- a/openssh-7.2p2/readconf.c
|
||||
+++ b/openssh-7.2p2/readconf.c
|
||||
@@ -56,16 +56,17 @@
|
||||
#include "misc.h"
|
||||
#include "readconf.h"
|
||||
#include "match.h"
|
||||
@ -191,14 +191,14 @@ diff --git a/openssh-7.6p1/readconf.c b/openssh-7.6p1/readconf.c
|
||||
# 2. user-specific file
|
||||
# 3. system-wide file
|
||||
# Any configuration value is only changed the first time it is set.
|
||||
@@ -161,17 +162,18 @@ typedef enum {
|
||||
@@ -148,17 +149,18 @@ typedef enum {
|
||||
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
||||
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||
oSendEnv, oControlPath, oControlMaster, oControlPersist,
|
||||
oHashKnownHosts,
|
||||
oTunnel, oTunnelDevice,
|
||||
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
|
||||
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
|
||||
oVisualHostKey,
|
||||
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
|
||||
+ oKexAlgorithms, oKexDHMin,
|
||||
@ -207,18 +207,18 @@ diff --git a/openssh-7.6p1/readconf.c b/openssh-7.6p1/readconf.c
|
||||
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
|
||||
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
|
||||
oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
|
||||
oPubkeyAcceptedKeyTypes, oProxyJump,
|
||||
oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
|
||||
oPubkeyAcceptedKeyTypes,
|
||||
oIgnoredUnknownOption, oDeprecated, oUnsupported
|
||||
} OpCodes;
|
||||
|
||||
@@ -283,16 +285,17 @@ static struct {
|
||||
{ "include", oInclude },
|
||||
@@ -260,16 +262,17 @@ static struct {
|
||||
{ "hashknownhosts", oHashKnownHosts },
|
||||
{ "tunnel", oTunnel },
|
||||
{ "tunneldevice", oTunnelDevice },
|
||||
{ "localcommand", oLocalCommand },
|
||||
{ "permitlocalcommand", oPermitLocalCommand },
|
||||
{ "remotecommand", oRemoteCommand },
|
||||
{ "visualhostkey", oVisualHostKey },
|
||||
{ "useroaming", oDeprecated },
|
||||
{ "kexalgorithms", oKexAlgorithms },
|
||||
+ { "kexdhmin", oKexDHMin },
|
||||
{ "ipqos", oIPQoS },
|
||||
@ -229,11 +229,11 @@ diff --git a/openssh-7.6p1/readconf.c b/openssh-7.6p1/readconf.c
|
||||
{ "canonicalizehostname", oCanonicalizeHostname },
|
||||
{ "canonicalizemaxdots", oCanonicalizeMaxDots },
|
||||
{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
|
||||
@@ -304,16 +307,19 @@ static struct {
|
||||
@@ -280,16 +283,19 @@ static struct {
|
||||
{ "updatehostkeys", oUpdateHostkeys },
|
||||
{ "hostbasedkeytypes", oHostbasedKeyTypes },
|
||||
{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
|
||||
{ "ignoreunknown", oIgnoreUnknown },
|
||||
{ "proxyjump", oProxyJump },
|
||||
|
||||
{ NULL, oBadOption }
|
||||
};
|
||||
@ -249,9 +249,9 @@ diff --git a/openssh-7.6p1/readconf.c b/openssh-7.6p1/readconf.c
|
||||
void
|
||||
add_local_forward(Options *options, const struct Forward *newfwd)
|
||||
{
|
||||
@@ -1206,16 +1212,20 @@ parse_int:
|
||||
if (*arg != '-' &&
|
||||
!kex_names_valid(*arg == '+' ? arg + 1 : arg))
|
||||
@@ -1157,16 +1163,20 @@ parse_int:
|
||||
filename, linenum);
|
||||
if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
|
||||
fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
|
||||
filename, linenum, arg ? arg : "<NONE>");
|
||||
if (*activep && options->kex_algorithms == NULL)
|
||||
@ -269,62 +269,63 @@ diff --git a/openssh-7.6p1/readconf.c b/openssh-7.6p1/readconf.c
|
||||
if (!arg || *arg == '\0')
|
||||
fatal("%.200s line %d: Missing argument.",
|
||||
filename, linenum);
|
||||
if (*arg != '-' &&
|
||||
@@ -1803,16 +1813,17 @@ initialize_options(Options * options)
|
||||
options->port = -1;
|
||||
if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
|
||||
@@ -1664,16 +1674,17 @@ initialize_options(Options * options)
|
||||
options->address_family = -1;
|
||||
options->connection_attempts = -1;
|
||||
options->connection_timeout = -1;
|
||||
options->number_of_password_prompts = -1;
|
||||
options->cipher = -1;
|
||||
options->ciphers = NULL;
|
||||
options->macs = NULL;
|
||||
options->kex_algorithms = NULL;
|
||||
+ options->kex_dhmin = -1;
|
||||
options->hostkeyalgorithms = NULL;
|
||||
options->protocol = SSH_PROTO_UNKNOWN;
|
||||
options->num_identity_files = 0;
|
||||
options->num_certificate_files = 0;
|
||||
options->hostname = NULL;
|
||||
options->host_key_alias = NULL;
|
||||
options->proxy_command = NULL;
|
||||
options->jump_user = NULL;
|
||||
options->jump_host = NULL;
|
||||
@@ -1951,16 +1962,23 @@ fill_default_options(Options * options)
|
||||
if (options->port == -1)
|
||||
options->port = 0; /* Filled in ssh_connect. */
|
||||
if (options->address_family == -1)
|
||||
options->user = NULL;
|
||||
@@ -1805,16 +1816,23 @@ fill_default_options(Options * options)
|
||||
options->address_family = AF_UNSPEC;
|
||||
if (options->connection_attempts == -1)
|
||||
options->connection_attempts = 1;
|
||||
if (options->number_of_password_prompts == -1)
|
||||
options->number_of_password_prompts = 3;
|
||||
/* Selected in ssh_login(). */
|
||||
if (options->cipher == -1)
|
||||
options->cipher = SSH_CIPHER_NOT_SET;
|
||||
+ if (options->kex_dhmin == -1)
|
||||
+ options->kex_dhmin = DH_GRP_MIN_RFC;
|
||||
+ else {
|
||||
+ options->kex_dhmin = MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC);
|
||||
+ options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
||||
+ options->kex_dhmin = MAX(options->kex_dhmin, DH_GRP_MIN_RFC);
|
||||
+ options->kex_dhmin = MIN(options->kex_dhmin, DH_GRP_MAX);
|
||||
+ }
|
||||
+ dh_grp_min = options->kex_dhmin;
|
||||
/* options->hostkeyalgorithms, default set in myproposals.h */
|
||||
if (options->protocol == SSH_PROTO_UNKNOWN)
|
||||
options->protocol = SSH_PROTO_2;
|
||||
if (options->add_keys_to_agent == -1)
|
||||
options->add_keys_to_agent = 0;
|
||||
if (options->num_identity_files == 0) {
|
||||
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_RSA, 0);
|
||||
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0);
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ECDSA, 0);
|
||||
diff --git a/openssh-7.6p1/readconf.h b/openssh-7.6p1/readconf.h
|
||||
--- a/openssh-7.6p1/readconf.h
|
||||
+++ b/openssh-7.6p1/readconf.h
|
||||
@@ -64,16 +64,17 @@ typedef struct {
|
||||
int connection_timeout; /* Max time (seconds) before
|
||||
if (options->protocol & SSH_PROTO_1) {
|
||||
add_identity_file(options, "~/",
|
||||
diff --git a/openssh-7.2p2/readconf.h b/openssh-7.2p2/readconf.h
|
||||
--- a/openssh-7.2p2/readconf.h
|
||||
+++ b/openssh-7.2p2/readconf.h
|
||||
@@ -69,16 +69,17 @@ typedef struct {
|
||||
* aborting connection attempt */
|
||||
int number_of_password_prompts; /* Max number of password
|
||||
* prompts. */
|
||||
int cipher; /* Cipher to use. */
|
||||
char *ciphers; /* SSH2 ciphers in order of preference. */
|
||||
char *macs; /* SSH2 macs in order of preference. */
|
||||
char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */
|
||||
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
||||
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
||||
int protocol; /* Protocol in order of preference. */
|
||||
char *hostname; /* Real host to connect. */
|
||||
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
|
||||
char *proxy_command; /* Proxy command for connecting the host. */
|
||||
@ -332,10 +333,9 @@ diff --git a/openssh-7.6p1/readconf.h b/openssh-7.6p1/readconf.h
|
||||
int escape_char; /* Escape character; -2 = none */
|
||||
|
||||
u_int num_system_hostfiles; /* Paths for /etc/ssh/ssh_known_hosts */
|
||||
char *system_hostfiles[SSH_MAX_HOSTS_FILES];
|
||||
diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||
--- a/openssh-7.6p1/servconf.c
|
||||
+++ b/openssh-7.6p1/servconf.c
|
||||
diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
||||
--- a/openssh-7.2p2/servconf.c
|
||||
+++ b/openssh-7.2p2/servconf.c
|
||||
@@ -52,16 +52,20 @@
|
||||
#include "channels.h"
|
||||
#include "groupaccess.h"
|
||||
@ -357,7 +357,7 @@ diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||
extern int use_privsep;
|
||||
extern Buffer cfg;
|
||||
|
||||
@@ -129,16 +133,17 @@ initialize_server_options(ServerOptions
|
||||
@@ -134,16 +138,17 @@ initialize_server_options(ServerOptions
|
||||
options->allow_agent_forwarding = -1;
|
||||
options->num_allow_users = 0;
|
||||
options->num_deny_users = 0;
|
||||
@ -367,6 +367,7 @@ diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||
options->macs = NULL;
|
||||
options->kex_algorithms = NULL;
|
||||
+ options->kex_dhmin = -1;
|
||||
options->protocol = SSH_PROTO_UNKNOWN;
|
||||
options->fwd_opts.gateway_ports = -1;
|
||||
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
|
||||
options->fwd_opts.streamlocal_bind_unlink = -1;
|
||||
@ -374,8 +375,7 @@ diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||
options->max_startups_begin = -1;
|
||||
options->max_startups_rate = -1;
|
||||
options->max_startups = -1;
|
||||
options->max_authtries = -1;
|
||||
@@ -195,16 +200,24 @@ fill_default_server_options(ServerOption
|
||||
@@ -199,16 +204,23 @@ fill_default_server_options(ServerOption
|
||||
int i;
|
||||
|
||||
/* Portable-specific options */
|
||||
@ -387,20 +387,19 @@ diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||
+ if (options->kex_dhmin == -1)
|
||||
+ options->kex_dhmin = DH_GRP_MIN_RFC;
|
||||
+ else {
|
||||
+ options->kex_dhmin = MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC);
|
||||
+ options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
||||
+ options->kex_dhmin = MAX(options->kex_dhmin, DH_GRP_MIN_RFC);
|
||||
+ options->kex_dhmin = MIN(options->kex_dhmin, DH_GRP_MAX);
|
||||
+ }
|
||||
+ dh_grp_min = options->kex_dhmin;
|
||||
+
|
||||
/* Standard Options */
|
||||
if (options->protocol == SSH_PROTO_UNKNOWN)
|
||||
options->protocol = SSH_PROTO_2;
|
||||
if (options->num_host_key_files == 0) {
|
||||
/* fill default hostkeys for protocols */
|
||||
if (options->protocol & SSH_PROTO_1)
|
||||
options->host_key_files[options->num_host_key_files++] =
|
||||
_PATH_HOST_RSA_KEY_FILE;
|
||||
options->host_key_files[options->num_host_key_files++] =
|
||||
_PATH_HOST_DSA_KEY_FILE;
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
@@ -414,17 +427,18 @@ typedef enum {
|
||||
_PATH_HOST_KEY_FILE;
|
||||
@@ -423,17 +435,18 @@ typedef enum {
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||
sAcceptEnv, sPermitTunnel,
|
||||
@ -415,12 +414,12 @@ diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
||||
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
|
||||
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
||||
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
|
||||
sExposeAuthInfo,
|
||||
sDeprecated, sIgnore, sUnsupported
|
||||
sAllowStreamLocalForwarding, sFingerprintHash,
|
||||
sDeprecated, sUnsupported
|
||||
} ServerOpCodes;
|
||||
|
||||
@@ -553,16 +567,17 @@ static struct {
|
||||
#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
|
||||
@@ -561,16 +574,17 @@ static struct {
|
||||
{ "permitopen", sPermitOpen, SSHCFG_ALL },
|
||||
{ "forcecommand", sForceCommand, SSHCFG_ALL },
|
||||
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
|
||||
@ -438,9 +437,9 @@ diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
|
||||
{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
|
||||
{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
|
||||
@@ -1502,16 +1517,20 @@ process_server_config_line(ServerOptions
|
||||
if (*arg != '-' &&
|
||||
!kex_names_valid(*arg == '+' ? arg + 1 : arg))
|
||||
@@ -1481,16 +1495,20 @@ process_server_config_line(ServerOptions
|
||||
filename, linenum);
|
||||
if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
|
||||
fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
|
||||
filename, linenum, arg ? arg : "<NONE>");
|
||||
if (options->kex_algorithms == NULL)
|
||||
@ -451,17 +450,17 @@ diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||
+ intptr = &options->kex_dhmin;
|
||||
+ goto parse_int;
|
||||
+
|
||||
case sSubsystem:
|
||||
if (options->num_subsystems >= MAX_SUBSYSTEMS) {
|
||||
fatal("%s line %d: too many subsystems defined.",
|
||||
filename, linenum);
|
||||
}
|
||||
case sProtocol:
|
||||
intptr = &options->protocol;
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
fatal("%s line %d: Missing subsystem name.",
|
||||
@@ -2285,16 +2304,17 @@ dump_config(ServerOptions *o)
|
||||
#endif
|
||||
fatal("%s line %d: Missing argument.", filename, linenum);
|
||||
value = proto_spec(arg);
|
||||
if (value == SSH_PROTO_UNKNOWN)
|
||||
fatal("%s line %d: Bad protocol spec '%s'.",
|
||||
@@ -2247,16 +2265,17 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
|
||||
dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
|
||||
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
|
||||
dump_cfg_int(sMaxAuthTries, o->max_authtries);
|
||||
dump_cfg_int(sMaxSessions, o->max_sessions);
|
||||
@ -474,13 +473,13 @@ diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
|
||||
dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
|
||||
dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
|
||||
dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
|
||||
dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
|
||||
dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
|
||||
o->hostbased_uses_name_from_packet_only);
|
||||
diff --git a/openssh-7.6p1/servconf.h b/openssh-7.6p1/servconf.h
|
||||
--- a/openssh-7.6p1/servconf.h
|
||||
+++ b/openssh-7.6p1/servconf.h
|
||||
@@ -93,16 +93,17 @@ typedef struct {
|
||||
diff --git a/openssh-7.2p2/servconf.h b/openssh-7.2p2/servconf.h
|
||||
--- a/openssh-7.2p2/servconf.h
|
||||
+++ b/openssh-7.2p2/servconf.h
|
||||
@@ -88,16 +88,17 @@ typedef struct {
|
||||
int permit_user_rc; /* If false, deny ~/.ssh/rc execution */
|
||||
int strict_modes; /* If true, require string home dir modes. */
|
||||
int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
|
||||
@ -490,17 +489,17 @@ diff --git a/openssh-7.6p1/servconf.h b/openssh-7.6p1/servconf.h
|
||||
char *macs; /* Supported SSH2 macs. */
|
||||
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
||||
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
||||
int protocol; /* Supported protocol versions. */
|
||||
struct ForwardOptions fwd_opts; /* forwarding options */
|
||||
SyslogFacility log_facility; /* Facility for system logging. */
|
||||
LogLevel log_level; /* Level for system logging. */
|
||||
int rhosts_rsa_authentication; /* If true, permit rhosts RSA
|
||||
* authentication. */
|
||||
int hostbased_authentication; /* If true, permit ssh2 hostbased auth */
|
||||
int hostbased_uses_name_from_packet_only; /* experimental */
|
||||
char *hostbased_key_types; /* Key types allowed for hostbased */
|
||||
char *hostkeyalgorithms; /* SSH2 server key types */
|
||||
int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */
|
||||
diff --git a/openssh-7.6p1/ssh_config b/openssh-7.6p1/ssh_config
|
||||
--- a/openssh-7.6p1/ssh_config
|
||||
+++ b/openssh-7.6p1/ssh_config
|
||||
diff --git a/openssh-7.2p2/ssh_config b/openssh-7.2p2/ssh_config
|
||||
--- a/openssh-7.2p2/ssh_config
|
||||
+++ b/openssh-7.2p2/ssh_config
|
||||
@@ -12,16 +12,21 @@
|
||||
# Any configuration value is only changed the first time it is set.
|
||||
# Thus, host-specific definitions should be at the beginning of the
|
||||
@ -523,17 +522,17 @@ diff --git a/openssh-7.6p1/ssh_config b/openssh-7.6p1/ssh_config
|
||||
# should not forward X11 connections to your local X11-display for
|
||||
# security reasons: Someone stealing the authentification data on the
|
||||
# remote side (the "spoofed" X-server by the remote sshd) can read your
|
||||
diff --git a/openssh-7.6p1/ssh_config.0 b/openssh-7.6p1/ssh_config.0
|
||||
--- a/openssh-7.6p1/ssh_config.0
|
||||
+++ b/openssh-7.6p1/ssh_config.0
|
||||
@@ -584,16 +584,33 @@ DESCRIPTION
|
||||
diff --git a/openssh-7.2p2/ssh_config.0 b/openssh-7.2p2/ssh_config.0
|
||||
--- a/openssh-7.2p2/ssh_config.0
|
||||
+++ b/openssh-7.2p2/ssh_config.0
|
||||
@@ -606,16 +606,33 @@ DESCRIPTION
|
||||
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
diffie-hellman-group-exchange-sha256,
|
||||
diffie-hellman-group-exchange-sha1,
|
||||
diffie-hellman-group14-sha1
|
||||
|
||||
The list of available key exchange algorithms may also be
|
||||
obtained using "ssh -Q kex".
|
||||
obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^].
|
||||
|
||||
+ KexDHMin
|
||||
+ Specifies the minimum accepted bit length of the DH group
|
||||
@ -556,22 +555,22 @@ diff --git a/openssh-7.6p1/ssh_config.0 b/openssh-7.6p1/ssh_config.0
|
||||
Specifies a command to execute on the local machine after
|
||||
successfully connecting to the server. The command string
|
||||
extends to the end of the line, and is executed with the user's
|
||||
shell. Arguments to LocalCommand accept the tokens described in
|
||||
the TOKENS section.
|
||||
|
||||
The command is run synchronously and does not have access to the
|
||||
diff --git a/openssh-7.6p1/ssh_config.5 b/openssh-7.6p1/ssh_config.5
|
||||
--- a/openssh-7.6p1/ssh_config.5
|
||||
+++ b/openssh-7.6p1/ssh_config.5
|
||||
@@ -1016,16 +1016,32 @@ curve25519-sha256,curve25519-sha256@libs
|
||||
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
diffie-hellman-group-exchange-sha256,
|
||||
diffie-hellman-group-exchange-sha1,
|
||||
diffie-hellman-group14-sha1
|
||||
shell. The following escape character substitutions will be
|
||||
performed: M-bM-^@M-^X%dM-bM-^@M-^Y (local user's home directory), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host
|
||||
name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host name), M-bM-^@M-^X%nM-bM-^@M-^Y (host name as provided on the
|
||||
command line), M-bM-^@M-^X%pM-bM-^@M-^Y (remote port), M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name) or
|
||||
diff --git a/openssh-7.2p2/ssh_config.5 b/openssh-7.2p2/ssh_config.5
|
||||
--- a/openssh-7.2p2/ssh_config.5
|
||||
+++ b/openssh-7.2p2/ssh_config.5
|
||||
@@ -1092,16 +1092,32 @@ diffie-hellman-group14-sha1
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q kex .
|
||||
The list of available key exchange algorithms may also be obtained using the
|
||||
.Fl Q
|
||||
option of
|
||||
.Xr ssh 1
|
||||
with an argument of
|
||||
.Dq kex .
|
||||
+.It Cm KexDHMin
|
||||
+Specifies the minimum accepted bit length of the DH group
|
||||
+parameter p.
|
||||
@ -593,16 +592,16 @@ diff --git a/openssh-7.6p1/ssh_config.5 b/openssh-7.6p1/ssh_config.5
|
||||
connecting to the server.
|
||||
The command string extends to the end of the line, and is executed with
|
||||
the user's shell.
|
||||
Arguments to
|
||||
.Cm LocalCommand
|
||||
accept the tokens described in the
|
||||
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
|
||||
--- a/openssh-7.6p1/sshd_config
|
||||
+++ b/openssh-7.6p1/sshd_config
|
||||
@@ -15,16 +15,21 @@
|
||||
#ListenAddress 0.0.0.0
|
||||
#ListenAddress ::
|
||||
|
||||
The following escape character substitutions will be performed:
|
||||
.Ql %d
|
||||
(local user's home directory),
|
||||
diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
|
||||
--- a/openssh-7.2p2/sshd_config
|
||||
+++ b/openssh-7.2p2/sshd_config
|
||||
@@ -21,16 +21,21 @@
|
||||
# HostKey for protocol version 1
|
||||
#HostKey /etc/ssh/ssh_host_key
|
||||
# HostKeys for protocol version 2
|
||||
#HostKey /etc/ssh/ssh_host_rsa_key
|
||||
#HostKey /etc/ssh/ssh_host_dsa_key
|
||||
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
@ -613,25 +612,25 @@ diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
|
||||
+# Upstream default is identical to setting this to 2048.
|
||||
+#KexDHMin 1024
|
||||
+
|
||||
# Lifetime and size of ephemeral version 1 server key
|
||||
#KeyRegenerationInterval 1h
|
||||
#ServerKeyBits 1024
|
||||
|
||||
# Ciphers and keying
|
||||
#RekeyLimit default none
|
||||
|
||||
# Logging
|
||||
#SyslogFacility AUTH
|
||||
#LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
diff --git a/openssh-7.6p1/sshd_config.0 b/openssh-7.6p1/sshd_config.0
|
||||
--- a/openssh-7.6p1/sshd_config.0
|
||||
+++ b/openssh-7.6p1/sshd_config.0
|
||||
@@ -532,16 +532,33 @@ DESCRIPTION
|
||||
curve25519-sha256,curve25519-sha256@libssh.org,
|
||||
diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0
|
||||
--- a/openssh-7.2p2/sshd_config.0
|
||||
+++ b/openssh-7.2p2/sshd_config.0
|
||||
@@ -539,16 +539,33 @@ DESCRIPTION
|
||||
curve25519-sha256@libssh.org,
|
||||
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
diffie-hellman-group-exchange-sha256,
|
||||
diffie-hellman-group14-sha1
|
||||
|
||||
The list of available key exchange algorithms may also be
|
||||
obtained using "ssh -Q kex".
|
||||
obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^].
|
||||
|
||||
+ KexDHMin
|
||||
+ Specifies the minimum accepted bit length of the DH group
|
||||
@ -650,26 +649,26 @@ diff --git a/openssh-7.6p1/sshd_config.0 b/openssh-7.6p1/sshd_config.0
|
||||
+ resort and all efforts should be made to fix the (broken)
|
||||
+ counterparty.
|
||||
+
|
||||
ListenAddress
|
||||
Specifies the local addresses sshd(8) should listen on. The
|
||||
following forms may be used:
|
||||
KeyRegenerationInterval
|
||||
In protocol version 1, the ephemeral server key is automatically
|
||||
regenerated after this many seconds (if it has been used). The
|
||||
purpose of regeneration is to prevent decrypting captured
|
||||
sessions by later breaking into the machine and stealing the
|
||||
keys. The key is never stored anywhere. If the value is 0, the
|
||||
key is never regenerated. The default is 3600 (seconds).
|
||||
|
||||
ListenAddress host|IPv4_addr|IPv6_addr
|
||||
ListenAddress host|IPv4_addr:port
|
||||
ListenAddress [host|IPv6_addr]:port
|
||||
|
||||
diff --git a/openssh-7.6p1/sshd_config.5 b/openssh-7.6p1/sshd_config.5
|
||||
--- a/openssh-7.6p1/sshd_config.5
|
||||
+++ b/openssh-7.6p1/sshd_config.5
|
||||
@@ -893,16 +893,32 @@ The default is:
|
||||
curve25519-sha256,curve25519-sha256@libssh.org,
|
||||
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
diffie-hellman-group-exchange-sha256,
|
||||
diffie-hellman-group14-sha1
|
||||
diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
|
||||
--- a/openssh-7.2p2/sshd_config.5
|
||||
+++ b/openssh-7.2p2/sshd_config.5
|
||||
@@ -895,16 +895,32 @@ diffie-hellman-group14-sha1
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q kex .
|
||||
The list of available key exchange algorithms may also be obtained using the
|
||||
.Fl Q
|
||||
option of
|
||||
.Xr ssh 1
|
||||
with an argument of
|
||||
.Dq kex .
|
||||
+.It Cm KexDHMin
|
||||
+Specifies the minimum accepted bit length of the DH group
|
||||
+parameter p.
|
||||
@ -686,11 +685,11 @@ diff --git a/openssh-7.6p1/sshd_config.5 b/openssh-7.6p1/sshd_config.5
|
||||
+security and thus should be viewed as a temporary fix of last
|
||||
+resort and all efforts should be made to fix the (broken)
|
||||
+counterparty.
|
||||
.It Cm ListenAddress
|
||||
Specifies the local addresses
|
||||
.Xr sshd 8
|
||||
should listen on.
|
||||
The following forms may be used:
|
||||
.Pp
|
||||
.Bl -item -offset indent -compact
|
||||
.It
|
||||
.It Cm KeyRegenerationInterval
|
||||
In protocol version 1, the ephemeral server key is automatically regenerated
|
||||
after this many seconds (if it has been used).
|
||||
The purpose of regeneration is to prevent
|
||||
decrypting captured sessions by later breaking into the machine and
|
||||
stealing the keys.
|
||||
The key is never stored anywhere.
|
||||
If the value is 0, the key is never regenerated.
|
29
openssh-7.2p2-dont_use_pthreads_in_PAM.patch
Normal file
29
openssh-7.2p2-dont_use_pthreads_in_PAM.patch
Normal file
@ -0,0 +1,29 @@
|
||||
# HG changeset patch
|
||||
# Parent e4886597a8984ae1594b6866fe1b232370b23529
|
||||
# posix threads are generally not supported nor safe
|
||||
# (see upstream log from 2005-05-24)
|
||||
# --used to be called '-pam-fix3'
|
||||
|
||||
diff --git a/openssh-7.2p2/auth-pam.c b/openssh-7.2p2/auth-pam.c
|
||||
--- a/openssh-7.2p2/auth-pam.c
|
||||
+++ b/openssh-7.2p2/auth-pam.c
|
||||
@@ -782,17 +782,19 @@ sshpam_query(void *ctx, char **name, cha
|
||||
}
|
||||
if (type == PAM_SUCCESS) {
|
||||
if (!sshpam_authctxt->valid ||
|
||||
(sshpam_authctxt->pw->pw_uid == 0 &&
|
||||
options.permit_root_login != PERMIT_YES))
|
||||
fatal("Internal error: PAM auth "
|
||||
"succeeded when it should have "
|
||||
"failed");
|
||||
+#ifndef UNSUPPORTED_POSIX_THREADS_HACK
|
||||
import_environments(&buffer);
|
||||
+#endif
|
||||
*num = 0;
|
||||
**echo_on = 0;
|
||||
ctxt->pam_done = 1;
|
||||
free(msg);
|
||||
return (0);
|
||||
}
|
||||
error("PAM: %s for %s%.100s from %.100s", msg,
|
||||
sshpam_authctxt->valid ? "" : "illegal user ",
|
87
openssh-7.2p2-eal3.patch
Normal file
87
openssh-7.2p2-eal3.patch
Normal file
@ -0,0 +1,87 @@
|
||||
# HG changeset patch
|
||||
# Parent f19426f2fa9c634474e635bf33b86acea0518f6d
|
||||
fix paths and references in sshd man pages
|
||||
|
||||
diff --git a/openssh-7.2p2/sshd.8 b/openssh-7.2p2/sshd.8
|
||||
--- a/openssh-7.2p2/sshd.8
|
||||
+++ b/openssh-7.2p2/sshd.8
|
||||
@@ -901,17 +901,17 @@ See
|
||||
If this file exists,
|
||||
.Nm
|
||||
refuses to let anyone except root log in.
|
||||
The contents of the file
|
||||
are displayed to anyone trying to log in, and non-root connections are
|
||||
refused.
|
||||
The file should be world-readable.
|
||||
.Pp
|
||||
-.It Pa /etc/shosts.equiv
|
||||
+.It Pa /etc/ssh/shosts.equiv
|
||||
This file is used in exactly the same way as
|
||||
.Pa hosts.equiv ,
|
||||
but allows host-based authentication without permitting login with
|
||||
rlogin/rsh.
|
||||
.Pp
|
||||
.It Pa /etc/ssh/ssh_host_key
|
||||
.It Pa /etc/ssh/ssh_host_dsa_key
|
||||
.It Pa /etc/ssh/ssh_host_ecdsa_key
|
||||
@@ -981,17 +981,17 @@ The content of this file is not sensitiv
|
||||
.Xr scp 1 ,
|
||||
.Xr sftp 1 ,
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
.Xr ssh-agent 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
.Xr ssh-keyscan 1 ,
|
||||
.Xr chroot 2 ,
|
||||
-.Xr login.conf 5 ,
|
||||
+.Xr login.defs 5 ,
|
||||
.Xr moduli 5 ,
|
||||
.Xr sshd_config 5 ,
|
||||
.Xr inetd 8 ,
|
||||
.Xr sftp-server 8
|
||||
.Sh AUTHORS
|
||||
OpenSSH is a derivative of the original and free
|
||||
ssh 1.2.12 release by Tatu Ylonen.
|
||||
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
|
||||
diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
|
||||
--- a/openssh-7.2p2/sshd_config.5
|
||||
+++ b/openssh-7.2p2/sshd_config.5
|
||||
@@ -370,18 +370,17 @@ for details).
|
||||
The contents of the specified file are sent to the remote user before
|
||||
authentication is allowed.
|
||||
If the argument is
|
||||
.Dq none
|
||||
then no banner is displayed.
|
||||
By default, no banner is displayed.
|
||||
.It Cm ChallengeResponseAuthentication
|
||||
Specifies whether challenge-response authentication is allowed (e.g. via
|
||||
-PAM or through authentication styles supported in
|
||||
-.Xr login.conf 5 )
|
||||
+PAM)
|
||||
The default is
|
||||
.Dq yes .
|
||||
.It Cm ChrootDirectory
|
||||
Specifies the pathname of a directory to
|
||||
.Xr chroot 2
|
||||
to after authentication.
|
||||
At session startup
|
||||
.Xr sshd 8
|
||||
@@ -766,17 +765,17 @@ and
|
||||
.Pa .shosts
|
||||
files will not be used in
|
||||
.Cm RhostsRSAAuthentication
|
||||
or
|
||||
.Cm HostbasedAuthentication .
|
||||
.Pp
|
||||
.Pa /etc/hosts.equiv
|
||||
and
|
||||
-.Pa /etc/shosts.equiv
|
||||
+.Pa /etc/ssh/shosts.equiv
|
||||
are still used.
|
||||
The default is
|
||||
.Dq yes .
|
||||
.It Cm IgnoreUserKnownHosts
|
||||
Specifies whether
|
||||
.Xr sshd 8
|
||||
should ignore the user's
|
||||
.Pa ~/.ssh/known_hosts
|
47
openssh-7.2p2-enable_PAM_by_default.patch
Normal file
47
openssh-7.2p2-enable_PAM_by_default.patch
Normal file
@ -0,0 +1,47 @@
|
||||
# HG changeset patch
|
||||
# Parent 980f301b2920c09b30577dd722546bca85d25fc1
|
||||
# force PAM in defaullt install (this was removed from upstream in 3.8p1)
|
||||
# bnc#46749
|
||||
# --used to be called '-pam-fix2'
|
||||
|
||||
diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
|
||||
--- a/openssh-7.2p2/sshd_config
|
||||
+++ b/openssh-7.2p2/sshd_config
|
||||
@@ -64,17 +64,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
#HostbasedAuthentication no
|
||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||
# RhostsRSAAuthentication and HostbasedAuthentication
|
||||
#IgnoreUserKnownHosts no
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
#IgnoreRhosts yes
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
-#PasswordAuthentication yes
|
||||
+PasswordAuthentication no
|
||||
#PermitEmptyPasswords no
|
||||
|
||||
# Change to no to disable s/key passwords
|
||||
#ChallengeResponseAuthentication yes
|
||||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
#KerberosOrLocalPasswd yes
|
||||
@@ -89,17 +89,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
# be allowed through the ChallengeResponseAuthentication and
|
||||
# PasswordAuthentication. Depending on your PAM configuration,
|
||||
# PAM authentication via ChallengeResponseAuthentication may bypass
|
||||
# the setting of "PermitRootLogin without-password".
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
-#UsePAM no
|
||||
+UsePAM yes
|
||||
|
||||
#AllowAgentForwarding yes
|
||||
#AllowTcpForwarding yes
|
||||
#GatewayPorts no
|
||||
X11Forwarding yes
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PermitTTY yes
|
1834
openssh-7.2p2-fips.patch
Normal file
1834
openssh-7.2p2-fips.patch
Normal file
File diff suppressed because it is too large
Load Diff
31
openssh-7.2p2-fips_fixes.patch
Normal file
31
openssh-7.2p2-fips_fixes.patch
Normal file
@ -0,0 +1,31 @@
|
||||
# HG changeset patch
|
||||
# Parent cb502e7e796ac9289a571167a97ad9ec91562efb
|
||||
Silent warnings about unsupported KEX algorithms - synchronize behaviour with
|
||||
that of MAC and cipher checking code paths.
|
||||
|
||||
bsc#1006166
|
||||
|
||||
diff --git a/openssh-7.2p2/kex.c b/openssh-7.2p2/kex.c
|
||||
--- a/openssh-7.2p2/kex.c
|
||||
+++ b/openssh-7.2p2/kex.c
|
||||
@@ -192,17 +192,20 @@ kex_names_valid(const char *names)
|
||||
|
||||
if (names == NULL || strcmp(names, "") == 0)
|
||||
return 0;
|
||||
if ((s = cp = strdup(names)) == NULL)
|
||||
return 0;
|
||||
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||
(p = strsep(&cp, ","))) {
|
||||
if (kex_alg_by_name(p) == NULL) {
|
||||
+ /* do not complain here - MACs and ciphers checks
|
||||
+ * are silent here
|
||||
error("Unsupported KEX algorithm \"%.100s\"", p);
|
||||
+ */
|
||||
free(s);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
debug3("kex names ok: [%s]", names);
|
||||
free(s);
|
||||
return 1;
|
||||
}
|
3963
openssh-7.2p2-gssapi_key_exchange.patch
Normal file
3963
openssh-7.2p2-gssapi_key_exchange.patch
Normal file
File diff suppressed because it is too large
Load Diff
29
openssh-7.2p2-host_ident.patch
Normal file
29
openssh-7.2p2-host_ident.patch
Normal file
@ -0,0 +1,29 @@
|
||||
# HG changeset patch
|
||||
# Parent e2f9b3303b4a4ed5d0e5f01009dd1ebea166890d
|
||||
Suggest command line for removal of offending keys from known_hosts file
|
||||
|
||||
diff --git a/openssh-7.2p2/sshconnect.c b/openssh-7.2p2/sshconnect.c
|
||||
--- a/openssh-7.2p2/sshconnect.c
|
||||
+++ b/openssh-7.2p2/sshconnect.c
|
||||
@@ -1086,16 +1086,21 @@ check_host_key(char *hostname, struct so
|
||||
ip_found->file, ip_found->line);
|
||||
}
|
||||
/* The host key has changed. */
|
||||
warn_changed_key(host_key);
|
||||
error("Add correct host key in %.100s to get rid of this message.",
|
||||
user_hostfiles[0]);
|
||||
error("Offending %s key in %s:%lu", key_type(host_found->key),
|
||||
host_found->file, host_found->line);
|
||||
+ error("You can use following command to remove the offending key:");
|
||||
+ if (host_found->file)
|
||||
+ error("ssh-keygen -R %s -f %s", host, host_found->file);
|
||||
+ else
|
||||
+ error("ssh-keygen -R %s", host);
|
||||
|
||||
/*
|
||||
* If strict host key checking is in use, the user will have
|
||||
* to edit the key manually and we can only abort.
|
||||
*/
|
||||
if (options.strict_host_key_checking) {
|
||||
error("%s host key for %.200s has changed and you have "
|
||||
"requested strict checking.", type, host);
|
@ -1,24 +1,24 @@
|
||||
# HG changeset patch
|
||||
# Parent e4a7e5799420a3d4b8047c5984c75c4bd4331951
|
||||
# Parent f7ba2081f120bd1e44dbe68737c898f078725aab
|
||||
# -- uset do be called '-xauthlocalhostname'
|
||||
handle hostname changes when forwarding X
|
||||
|
||||
bnc#98627
|
||||
|
||||
diff --git a/openssh-7.6p1/session.c b/openssh-7.6p1/session.c
|
||||
--- a/openssh-7.6p1/session.c
|
||||
+++ b/openssh-7.6p1/session.c
|
||||
@@ -953,17 +953,17 @@ copy_environment_blacklist(char **source
|
||||
diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
|
||||
--- a/openssh-7.2p2/session.c
|
||||
+++ b/openssh-7.2p2/session.c
|
||||
@@ -1154,17 +1154,17 @@ copy_environment(char **source, char ***
|
||||
debug3("Copy environment: %s=%s", var_name, var_val);
|
||||
child_set_env(env, envsize, var_name, var_val);
|
||||
|
||||
void
|
||||
copy_environment(char **source, char ***env, u_int *envsize)
|
||||
{
|
||||
copy_environment_blacklist(source, env, envsize, NULL);
|
||||
free(var_name);
|
||||
}
|
||||
}
|
||||
|
||||
static char **
|
||||
-do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
||||
+do_setup_env(struct ssh *ssh, Session *s, const char *shell, int *env_size)
|
||||
-do_setup_env(Session *s, const char *shell)
|
||||
+do_setup_env(Session *s, const char *shell, int *env_size)
|
||||
{
|
||||
char buf[256];
|
||||
u_int i, envsize;
|
||||
@ -27,7 +27,7 @@ diff --git a/openssh-7.6p1/session.c b/openssh-7.6p1/session.c
|
||||
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
|
||||
char *path = NULL;
|
||||
#endif
|
||||
@@ -1142,25 +1142,27 @@ do_setup_env(struct ssh *ssh, Session *s
|
||||
@@ -1341,25 +1341,27 @@ do_setup_env(Session *s, const char *she
|
||||
read_environment_file(&env, &envsize, buf);
|
||||
}
|
||||
if (debug_flag) {
|
||||
@ -56,7 +56,7 @@ diff --git a/openssh-7.6p1/session.c b/openssh-7.6p1/session.c
|
||||
|
||||
do_xauth =
|
||||
s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
|
||||
@@ -1205,22 +1207,30 @@ do_rc_files(Session *s, const char *shel
|
||||
@@ -1404,22 +1406,30 @@ do_rc_files(Session *s, const char *shel
|
||||
"%.500s add %.100s %.100s %.100s\n",
|
||||
options.xauth_location, s->auth_display,
|
||||
s->auth_proto, s->auth_data);
|
||||
@ -87,25 +87,25 @@ diff --git a/openssh-7.6p1/session.c b/openssh-7.6p1/session.c
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -1461,16 +1471,17 @@ child_close_fds(struct ssh *ssh)
|
||||
@@ -1681,16 +1691,17 @@ child_close_fds(void)
|
||||
* ids, and executing the command or shell.
|
||||
*/
|
||||
#define ARGV_MAX 10
|
||||
void
|
||||
do_child(struct ssh *ssh, Session *s, const char *command)
|
||||
do_child(Session *s, const char *command)
|
||||
{
|
||||
extern char **environ;
|
||||
char **env;
|
||||
+ int env_size;
|
||||
char *argv[ARGV_MAX];
|
||||
const char *shell, *shell0;
|
||||
const char *shell, *shell0, *hostname = NULL;
|
||||
struct passwd *pw = s->pw;
|
||||
int r = 0;
|
||||
|
||||
/* remove hostkey from the child's memory */
|
||||
destroy_sensitive_data();
|
||||
packet_clear_keys();
|
||||
@@ -1522,17 +1533,17 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
|
||||
@@ -1747,17 +1758,17 @@ do_child(Session *s, const char *command
|
||||
* legal, and means /bin/sh.
|
||||
*/
|
||||
shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
|
||||
@ -114,18 +114,17 @@ diff --git a/openssh-7.6p1/session.c b/openssh-7.6p1/session.c
|
||||
* Make sure $SHELL points to the shell from the password file,
|
||||
* even if shell is overridden from login.conf
|
||||
*/
|
||||
- env = do_setup_env(ssh, s, shell);
|
||||
+ env = do_setup_env(ssh, s, shell, &env_size);
|
||||
- env = do_setup_env(s, shell);
|
||||
+ env = do_setup_env(s, shell, &env_size);
|
||||
|
||||
#ifdef HAVE_LOGIN_CAP
|
||||
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Close the connection descriptors; note that this is the child, and
|
||||
* the server will still have the socket open, and it is important
|
||||
@@ -1586,17 +1597,17 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
strerror(errno));
|
||||
/* we have to stash the hostname before we close our socket. */
|
||||
if (options.use_login)
|
||||
hostname = get_remote_name_or_ip(utmp_len,
|
||||
@@ -1816,17 +1827,17 @@ do_child(Session *s, const char *command
|
||||
}
|
||||
if (r)
|
||||
exit(1);
|
||||
@ -133,6 +132,7 @@ diff --git a/openssh-7.6p1/session.c b/openssh-7.6p1/session.c
|
||||
|
||||
closefrom(STDERR_FILENO + 1);
|
||||
|
||||
if (!options.use_login)
|
||||
- do_rc_files(s, shell);
|
||||
+ do_rc_files(s, shell, env, &env_size);
|
||||
|
33
openssh-7.2p2-ignore_PAM_with_UseLogin.patch
Normal file
33
openssh-7.2p2-ignore_PAM_with_UseLogin.patch
Normal file
@ -0,0 +1,33 @@
|
||||
# HG changeset patch
|
||||
# Parent 0f00e960e1069c6a6eec975cc184171343701077
|
||||
|
||||
Do not import PAM environment variables when using login, since it may have
|
||||
security implications.
|
||||
|
||||
CVE-2015-8325
|
||||
bsc#975865
|
||||
|
||||
Backport of upstream commit 85bdcd7c92fe7ff133bbc4e10a65c91810f88755
|
||||
|
||||
diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
|
||||
--- a/openssh-7.2p2/session.c
|
||||
+++ b/openssh-7.2p2/session.c
|
||||
@@ -1351,17 +1351,17 @@ do_setup_env(Session *s, const char *she
|
||||
child_set_env(&env, &envsize, "KRB5CCNAME",
|
||||
s->authctxt->krb5_ccname);
|
||||
#endif
|
||||
#ifdef USE_PAM
|
||||
/*
|
||||
* Pull in any environment variables that may have
|
||||
* been set by PAM.
|
||||
*/
|
||||
- if (options.use_pam) {
|
||||
+ if (options.use_pam && !options.use_login) {
|
||||
char **p;
|
||||
|
||||
p = fetch_pam_child_environment();
|
||||
copy_environment(p, &env, &envsize);
|
||||
free_pam_environment(p);
|
||||
|
||||
p = fetch_pam_environment();
|
||||
copy_environment(p, &env, &envsize);
|
66
openssh-7.2p2-keep_slogin.patch
Normal file
66
openssh-7.2p2-keep_slogin.patch
Normal file
@ -0,0 +1,66 @@
|
||||
# HG changeset patch
|
||||
# Parent 7c29b31d3502bbf5b80e01f8d1db8b2733a3c7f4
|
||||
Add slogin back to the distribution, since it might be used downstreams
|
||||
|
||||
Revert of cupstream commit 69fead5d7cdaa73bdece9fcba80f8e8e70b90346
|
||||
|
||||
diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
|
||||
--- a/openssh-7.2p2/Makefile.in
|
||||
+++ b/openssh-7.2p2/Makefile.in
|
||||
@@ -354,16 +354,20 @@ install-files:
|
||||
$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
|
||||
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
||||
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||
if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
|
||||
$(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
|
||||
$(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
|
||||
fi
|
||||
+ -rm -f $(DESTDIR)$(bindir)/slogin
|
||||
+ ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
|
||||
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
|
||||
+ ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
|
||||
|
||||
install-sysconf:
|
||||
if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
|
||||
$(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
|
||||
fi
|
||||
@if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config ]; then \
|
||||
$(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \
|
||||
else \
|
||||
@@ -415,16 +419,17 @@ uninstallall: uninstall
|
||||
-rmdir $(DESTDIR)$(bindir)
|
||||
-rmdir $(DESTDIR)$(sbindir)
|
||||
-rmdir $(DESTDIR)$(mandir)/$(mansubdir)1
|
||||
-rmdir $(DESTDIR)$(mandir)/$(mansubdir)8
|
||||
-rmdir $(DESTDIR)$(mandir)
|
||||
-rmdir $(DESTDIR)$(libexecdir)
|
||||
|
||||
uninstall:
|
||||
+ -rm -f $(DESTDIR)$(bindir)/slogin
|
||||
-rm -f $(DESTDIR)$(bindir)/ssh$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(bindir)/scp$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
||||
@@ -440,16 +445,17 @@ uninstall:
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
|
||||
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
|
||||
|
||||
regress-prep:
|
||||
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
|
||||
[ -d `pwd`/regress/unittests ] || mkdir -p `pwd`/regress/unittests
|
||||
[ -d `pwd`/regress/unittests/test_helper ] || \
|
||||
mkdir -p `pwd`/regress/unittests/test_helper
|
||||
[ -d `pwd`/regress/unittests/sshbuf ] || \
|
||||
mkdir -p `pwd`/regress/unittests/sshbuf
|
30
openssh-7.2p2-kex_resource_depletion.patch
Normal file
30
openssh-7.2p2-kex_resource_depletion.patch
Normal file
@ -0,0 +1,30 @@
|
||||
# HG changeset patch
|
||||
# Parent 5d3b620e9c7c42bfb1d8f24eb7e0645a55d967fa
|
||||
Prevent memory depletion during key exchange
|
||||
|
||||
CVE-2016-8858
|
||||
bsc#1005480
|
||||
|
||||
upstream commit ec165c392ca54317dbe3064a8c200de6531e89ad
|
||||
|
||||
diff --git a/openssh-7.2p2/kex.c b/openssh-7.2p2/kex.c
|
||||
--- a/openssh-7.2p2/kex.c
|
||||
+++ b/openssh-7.2p2/kex.c
|
||||
@@ -523,16 +523,17 @@ kex_input_kexinit(int type, u_int32_t se
|
||||
u_int i;
|
||||
size_t dlen;
|
||||
int r;
|
||||
|
||||
debug("SSH2_MSG_KEXINIT received");
|
||||
if (kex == NULL)
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
|
||||
+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
|
||||
ptr = sshpkt_ptr(ssh, &dlen);
|
||||
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
|
||||
return r;
|
||||
|
||||
/* discard packet */
|
||||
for (i = 0; i < KEX_COOKIE_LEN; i++)
|
||||
if ((r = sshpkt_get_u8(ssh, NULL)) != 0)
|
||||
return r;
|
@ -1,11 +1,11 @@
|
||||
# HG changeset patch
|
||||
# Parent b26f93cf21e4cfff1212ad2e61696ad099cfaf5e
|
||||
# Parent 79c00e0f450c33b3f545ef104112b55186290e2c
|
||||
# set uid for functions that use it to seek in lastlog and wtmp files
|
||||
# bnc#18024 (was suse #3024)
|
||||
|
||||
diff --git a/openssh-7.6p1/sshlogin.c b/openssh-7.6p1/sshlogin.c
|
||||
--- a/openssh-7.6p1/sshlogin.c
|
||||
+++ b/openssh-7.6p1/sshlogin.c
|
||||
diff --git a/openssh-7.2p2/sshlogin.c b/openssh-7.2p2/sshlogin.c
|
||||
--- a/openssh-7.2p2/sshlogin.c
|
||||
+++ b/openssh-7.2p2/sshlogin.c
|
||||
@@ -129,16 +129,17 @@ record_login(pid_t pid, const char *tty,
|
||||
{
|
||||
struct logininfo *li;
|
2838
openssh-7.2p2-ldap.patch
Normal file
2838
openssh-7.2p2-ldap.patch
Normal file
File diff suppressed because it is too large
Load Diff
52
openssh-7.2p2-limit_password_length.patch
Normal file
52
openssh-7.2p2-limit_password_length.patch
Normal file
@ -0,0 +1,52 @@
|
||||
# HG changeset patch
|
||||
# Parent 9888bc3f536eab9f528d9c96e5e8a2501ed168f5
|
||||
Limit accepted passwords length to prevent DoS by resource consumption
|
||||
(via crypt() eating CPU cycles).
|
||||
|
||||
CVE-2016-6515
|
||||
bsc#992533
|
||||
|
||||
upstream commit: fcd135c9df440bcd2d5870405ad3311743d78d97
|
||||
|
||||
diff --git a/openssh-7.2p2/auth-passwd.c b/openssh-7.2p2/auth-passwd.c
|
||||
--- a/openssh-7.2p2/auth-passwd.c
|
||||
+++ b/openssh-7.2p2/auth-passwd.c
|
||||
@@ -61,16 +61,18 @@ extern ServerOptions options;
|
||||
#ifdef HAVE_LOGIN_CAP
|
||||
extern login_cap_t *lc;
|
||||
#endif
|
||||
|
||||
|
||||
#define DAY (24L * 60 * 60) /* 1 day in seconds */
|
||||
#define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */
|
||||
|
||||
+#define MAX_PASSWORD_LEN 1024
|
||||
+
|
||||
void
|
||||
disable_forwarding(void)
|
||||
{
|
||||
no_port_forwarding_flag = 1;
|
||||
no_agent_forwarding_flag = 1;
|
||||
no_x11_forwarding_flag = 1;
|
||||
}
|
||||
|
||||
@@ -82,16 +84,19 @@ int
|
||||
auth_password(Authctxt *authctxt, const char *password)
|
||||
{
|
||||
struct passwd * pw = authctxt->pw;
|
||||
int result, ok = authctxt->valid;
|
||||
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
|
||||
static int expire_checked = 0;
|
||||
#endif
|
||||
|
||||
+ if (strlen(password) > MAX_PASSWORD_LEN)
|
||||
+ return 0;
|
||||
+
|
||||
#ifndef HAVE_CYGWIN
|
||||
if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
|
||||
ok = 0;
|
||||
#endif
|
||||
if (*password == '\0' && options.permit_empty_passwd == 0)
|
||||
return 0;
|
||||
|
||||
#ifdef KRB5
|
32
openssh-7.2p2-login_options.patch
Normal file
32
openssh-7.2p2-login_options.patch
Normal file
@ -0,0 +1,32 @@
|
||||
# HG changeset patch
|
||||
# Parent b86c2190c93aeaf958c22fc7b224dcaf87100288
|
||||
# HG changeset patch
|
||||
# Parent b262fd34c8ecd55e93d457b3ca5593abce716856
|
||||
# login-pam cannot handle the option terminator "--" as login from util-linux
|
||||
# (this is correct behaviour considering its man-page), hence use option which
|
||||
# selects the compile-time branch in the code which doesn't use the terminator
|
||||
#
|
||||
# bnc#833605
|
||||
|
||||
diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
|
||||
--- a/openssh-7.2p2/configure.ac
|
||||
+++ b/openssh-7.2p2/configure.ac
|
||||
@@ -770,16 +770,18 @@ main() { if (NSVersionOfRunTimeLibrary("
|
||||
AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
|
||||
AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
|
||||
;;
|
||||
*-*-linux*)
|
||||
no_dev_ptmx=1
|
||||
use_pie=auto
|
||||
check_for_libcrypt_later=1
|
||||
check_for_openpty_ctty_bug=1
|
||||
+ AC_DEFINE([LOGIN_NO_ENDOPT], [1],
|
||||
+ [Define if your login program cannot handle end of options ("--")])
|
||||
AC_DEFINE([PAM_TTY_KLUDGE], [1],
|
||||
[Work around problematic Linux PAM modules handling of PAM_TTY])
|
||||
AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
|
||||
[String used in /etc/passwd to denote locked account])
|
||||
AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
|
||||
AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
|
||||
[Define to whatever link() returns for "not supported"
|
||||
if it doesn't return EOPNOTSUPP.])
|
26
openssh-7.2p2-no_fork-no_pid_file.patch
Normal file
26
openssh-7.2p2-no_fork-no_pid_file.patch
Normal file
@ -0,0 +1,26 @@
|
||||
# HG changeset patch
|
||||
# Parent 4011d0f5c00b663976c9940dc4ef79642605cf90
|
||||
Do not write a PID file when not daemonizing (e.g. when running from systemd)
|
||||
|
||||
diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
|
||||
--- a/openssh-7.2p2/sshd.c
|
||||
+++ b/openssh-7.2p2/sshd.c
|
||||
@@ -2107,17 +2107,17 @@ main(int ac, char **av)
|
||||
signal(SIGCHLD, main_sigchld_handler);
|
||||
signal(SIGTERM, sigterm_handler);
|
||||
signal(SIGQUIT, sigterm_handler);
|
||||
|
||||
/*
|
||||
* Write out the pid file after the sigterm handler
|
||||
* is setup and the listen sockets are bound
|
||||
*/
|
||||
- if (options.pid_file != NULL && !debug_flag) {
|
||||
+ if (!no_daemon_flag && options.pid_file != NULL && !debug_flag) {
|
||||
FILE *f = fopen(options.pid_file, "w");
|
||||
|
||||
if (f == NULL) {
|
||||
error("Couldn't create pid file \"%s\": %s",
|
||||
options.pid_file, strerror(errno));
|
||||
} else {
|
||||
fprintf(f, "%ld\n", (long) getpid());
|
||||
fclose(f);
|
@ -1,14 +1,14 @@
|
||||
# HG changeset patch
|
||||
# Parent ee0459c1b5173da57f9b3a6e62b232dcf9b3a029
|
||||
# Parent ac7f843cd7ebec413691d51823cdc67b611abdff
|
||||
new option UsePAMCheckLocks to enforce checking for locked accounts while
|
||||
UsePAM is used
|
||||
|
||||
bnc#708678, FATE#312033
|
||||
|
||||
diff --git a/openssh-7.6p1/auth.c b/openssh-7.6p1/auth.c
|
||||
--- a/openssh-7.6p1/auth.c
|
||||
+++ b/openssh-7.6p1/auth.c
|
||||
@@ -105,17 +105,17 @@ allowed_user(struct passwd * pw)
|
||||
diff --git a/openssh-7.2p2/auth.c b/openssh-7.2p2/auth.c
|
||||
--- a/openssh-7.2p2/auth.c
|
||||
+++ b/openssh-7.2p2/auth.c
|
||||
@@ -104,17 +104,17 @@ allowed_user(struct passwd * pw)
|
||||
struct spwd *spw = NULL;
|
||||
#endif
|
||||
|
||||
@ -27,7 +27,7 @@ diff --git a/openssh-7.6p1/auth.c b/openssh-7.6p1/auth.c
|
||||
#endif /* USE_SHADOW */
|
||||
|
||||
/* grab passwd field for locked account check */
|
||||
@@ -125,17 +125,17 @@ allowed_user(struct passwd * pw)
|
||||
@@ -124,17 +124,17 @@ allowed_user(struct passwd * pw)
|
||||
#ifdef USE_LIBIAF
|
||||
passwd = get_iaf_password(pw);
|
||||
#else
|
||||
@ -46,9 +46,9 @@ diff --git a/openssh-7.6p1/auth.c b/openssh-7.6p1/auth.c
|
||||
#endif
|
||||
#ifdef LOCKED_PASSWD_PREFIX
|
||||
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
|
||||
diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||
--- a/openssh-7.6p1/servconf.c
|
||||
+++ b/openssh-7.6p1/servconf.c
|
||||
diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
||||
--- a/openssh-7.2p2/servconf.c
|
||||
+++ b/openssh-7.2p2/servconf.c
|
||||
@@ -69,16 +69,17 @@ extern Buffer cfg;
|
||||
|
||||
void
|
||||
@ -67,7 +67,7 @@ diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||
options->num_queued_listens = 0;
|
||||
options->listen_addrs = NULL;
|
||||
options->address_family = -1;
|
||||
@@ -191,16 +192,18 @@ assemble_algorithms(ServerOptions *o)
|
||||
@@ -195,16 +196,18 @@ assemble_algorithms(ServerOptions *o)
|
||||
void
|
||||
fill_default_server_options(ServerOptions *options)
|
||||
{
|
||||
@ -80,13 +80,13 @@ diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||
+ options->use_pam_check_locks = 0;
|
||||
|
||||
/* Standard Options */
|
||||
if (options->protocol == SSH_PROTO_UNKNOWN)
|
||||
options->protocol = SSH_PROTO_2;
|
||||
if (options->num_host_key_files == 0) {
|
||||
/* fill default hostkeys for protocols */
|
||||
if (options->protocol & SSH_PROTO_1)
|
||||
options->host_key_files[options->num_host_key_files++] =
|
||||
_PATH_HOST_RSA_KEY_FILE;
|
||||
options->host_key_files[options->num_host_key_files++] =
|
||||
_PATH_HOST_DSA_KEY_FILE;
|
||||
@@ -382,17 +385,17 @@ fill_default_server_options(ServerOption
|
||||
@@ -391,17 +394,17 @@ fill_default_server_options(ServerOption
|
||||
#endif
|
||||
|
||||
}
|
||||
@ -98,14 +98,14 @@ diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||
- sUsePAM,
|
||||
+ sUsePAM, sUsePAMChecklocks,
|
||||
/* Standard Options */
|
||||
sPort, sHostKeyFile, sLoginGraceTime,
|
||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime,
|
||||
sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
|
||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||
sKerberosGetAFSToken,
|
||||
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||
@@ -433,18 +436,20 @@ typedef enum {
|
||||
@@ -441,18 +444,20 @@ typedef enum {
|
||||
static struct {
|
||||
const char *name;
|
||||
ServerOpCodes opcode;
|
||||
@ -126,7 +126,7 @@ diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||
{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
|
||||
{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
|
||||
{ "pidfile", sPidFile, SSHCFG_GLOBAL },
|
||||
@@ -1040,16 +1045,19 @@ process_server_config_line(ServerOptions
|
||||
@@ -1005,16 +1010,19 @@ process_server_config_line(ServerOptions
|
||||
}
|
||||
}
|
||||
|
||||
@ -146,10 +146,10 @@ diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||
/* ignore ports from configfile if cmdline specifies ports */
|
||||
if (options->ports_from_cmdline)
|
||||
return 0;
|
||||
diff --git a/openssh-7.6p1/servconf.h b/openssh-7.6p1/servconf.h
|
||||
--- a/openssh-7.6p1/servconf.h
|
||||
+++ b/openssh-7.6p1/servconf.h
|
||||
@@ -168,16 +168,17 @@ typedef struct {
|
||||
diff --git a/openssh-7.2p2/servconf.h b/openssh-7.2p2/servconf.h
|
||||
--- a/openssh-7.2p2/servconf.h
|
||||
+++ b/openssh-7.2p2/servconf.h
|
||||
@@ -167,16 +167,17 @@ typedef struct {
|
||||
*/
|
||||
|
||||
u_int num_authkeys_files; /* Files containing public keys */
|
||||
@ -162,22 +162,22 @@ diff --git a/openssh-7.6p1/servconf.h b/openssh-7.6p1/servconf.h
|
||||
|
||||
int permit_tun;
|
||||
|
||||
char **permitted_opens;
|
||||
u_int num_permitted_opens; /* May also be one of PERMITOPEN_* */
|
||||
int num_permitted_opens;
|
||||
|
||||
char *chroot_directory;
|
||||
char *revoked_keys_file;
|
||||
diff --git a/openssh-7.6p1/sshd_config.0 b/openssh-7.6p1/sshd_config.0
|
||||
--- a/openssh-7.6p1/sshd_config.0
|
||||
+++ b/openssh-7.6p1/sshd_config.0
|
||||
@@ -901,16 +901,24 @@ DESCRIPTION
|
||||
char *trusted_user_ca_keys;
|
||||
diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0
|
||||
--- a/openssh-7.2p2/sshd_config.0
|
||||
+++ b/openssh-7.2p2/sshd_config.0
|
||||
@@ -946,16 +946,24 @@ DESCRIPTION
|
||||
|
||||
Because PAM challenge-response authentication usually serves an
|
||||
equivalent role to password authentication, you should disable
|
||||
either PasswordAuthentication or ChallengeResponseAuthentication.
|
||||
|
||||
If UsePAM is enabled, you will not be able to run sshd(8) as a
|
||||
non-root user. The default is no.
|
||||
non-root user. The default is M-bM-^@M-^\noM-bM-^@M-^].
|
||||
|
||||
+ UsePAMCheckLocks
|
||||
+ When set to ``yes'', the checks whether the account has been
|
||||
@ -187,18 +187,18 @@ diff --git a/openssh-7.6p1/sshd_config.0 b/openssh-7.6p1/sshd_config.0
|
||||
+ to set up the session and some PAM modules will not check whether
|
||||
+ the account is locked in this scenario). The default is ``no''.
|
||||
+
|
||||
VersionAddendum
|
||||
Optionally specifies additional text to append to the SSH
|
||||
protocol banner sent by the server upon connection. The default
|
||||
is none.
|
||||
|
||||
X11DisplayOffset
|
||||
Specifies the first display number available for sshd(8)'s X11
|
||||
forwarding. This prevents sshd from interfering with real X11
|
||||
diff --git a/openssh-7.6p1/sshd_config.5 b/openssh-7.6p1/sshd_config.5
|
||||
--- a/openssh-7.6p1/sshd_config.5
|
||||
+++ b/openssh-7.6p1/sshd_config.5
|
||||
@@ -1496,16 +1496,28 @@ or
|
||||
UsePrivilegeSeparation
|
||||
Specifies whether sshd(8) separates privileges by creating an
|
||||
unprivileged child process to deal with incoming network traffic.
|
||||
After successful authentication, another process will be created
|
||||
that has the privilege of the authenticated user. The goal of
|
||||
privilege separation is to prevent privilege escalation by
|
||||
containing any corruption within the unprivileged processes. The
|
||||
argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or M-bM-^@M-^\sandboxM-bM-^@M-^]. If
|
||||
diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
|
||||
--- a/openssh-7.2p2/sshd_config.5
|
||||
+++ b/openssh-7.2p2/sshd_config.5
|
||||
@@ -1578,16 +1578,28 @@ or
|
||||
.Pp
|
||||
If
|
||||
.Cm UsePAM
|
||||
@ -206,7 +206,7 @@ diff --git a/openssh-7.6p1/sshd_config.5 b/openssh-7.6p1/sshd_config.5
|
||||
.Xr sshd 8
|
||||
as a non-root user.
|
||||
The default is
|
||||
.Cm no .
|
||||
.Dq no .
|
||||
+.It Cm UsePAMCheckLocks
|
||||
+When set to
|
||||
+.Dq yes
|
||||
@ -219,11 +219,11 @@ diff --git a/openssh-7.6p1/sshd_config.5 b/openssh-7.6p1/sshd_config.5
|
||||
+modules will not check whether the account is locked in this scenario). The
|
||||
+default is
|
||||
+.Dq no .
|
||||
.It Cm VersionAddendum
|
||||
Optionally specifies additional text to append to the SSH protocol banner
|
||||
sent by the server upon connection.
|
||||
The default is
|
||||
.Cm none .
|
||||
.It Cm X11DisplayOffset
|
||||
Specifies the first display number available for
|
||||
.Xr sshd 8 Ns 's
|
||||
.It Cm UsePrivilegeSeparation
|
||||
Specifies whether
|
||||
.Xr sshd 8
|
||||
separates privileges by creating an unprivileged child process
|
||||
to deal with incoming network traffic.
|
||||
After successful authentication, another process will be created that has
|
||||
the privilege of the authenticated user.
|
||||
The goal of privilege separation is to prevent privilege
|
188
openssh-7.2p2-prevent_private_key_leakage.patch
Normal file
188
openssh-7.2p2-prevent_private_key_leakage.patch
Normal file
@ -0,0 +1,188 @@
|
||||
# HG changeset patch
|
||||
# Parent e2a8c999f737bca97bbc330ce6683de842ba195e
|
||||
Pre-allocare buffer for private keys data to prevent leaking of sensitive data
|
||||
via heap.
|
||||
|
||||
CVE-2016-10011
|
||||
bsc#1016369
|
||||
|
||||
backported upstream commit 54d022026aae4f53fa74cc636e4a032d9689b64d
|
||||
backported upstream commit a9c746088787549bb5b1ae3add7d06a1b6d93d5e
|
||||
|
||||
diff --git a/openssh-7.2p2/authfile.c b/openssh-7.2p2/authfile.c
|
||||
--- a/openssh-7.2p2/authfile.c
|
||||
+++ b/openssh-7.2p2/authfile.c
|
||||
@@ -95,23 +95,35 @@ sshkey_save_private(struct sshkey *key,
|
||||
|
||||
/* Load a key from a fd into a buffer */
|
||||
int
|
||||
sshkey_load_file(int fd, struct sshbuf *blob)
|
||||
{
|
||||
u_char buf[1024];
|
||||
size_t len;
|
||||
struct stat st;
|
||||
- int r;
|
||||
+ int r, dontmax = 0;
|
||||
|
||||
if (fstat(fd, &st) < 0)
|
||||
return SSH_ERR_SYSTEM_ERROR;
|
||||
if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
|
||||
st.st_size > MAX_KEY_FILE_SIZE)
|
||||
return SSH_ERR_INVALID_FORMAT;
|
||||
+ /*
|
||||
+ * Pre-allocate the buffer used for the key contents and clamp its
|
||||
+ * maximum size. This ensures that key contents are never leaked via
|
||||
+ * implicit realloc() in the sshbuf code.
|
||||
+ */
|
||||
+ if ((st.st_mode & S_IFREG) == 0 || st.st_size <= 0) {
|
||||
+ st.st_size = 64*1024; /* 64k should be enough for anyone :) */
|
||||
+ dontmax = 1;
|
||||
+ }
|
||||
+ if ((r = sshbuf_allocate(blob, st.st_size)) != 0 ||
|
||||
+ (dontmax && (r = sshbuf_set_max_size(blob, st.st_size)) != 0))
|
||||
+ return r;
|
||||
for (;;) {
|
||||
if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
|
||||
if (errno == EPIPE)
|
||||
break;
|
||||
r = SSH_ERR_SYSTEM_ERROR;
|
||||
goto out;
|
||||
}
|
||||
if ((r = sshbuf_put(blob, buf, len)) != 0)
|
||||
diff --git a/openssh-7.2p2/sshbuf.c b/openssh-7.2p2/sshbuf.c
|
||||
--- a/openssh-7.2p2/sshbuf.c
|
||||
+++ b/openssh-7.2p2/sshbuf.c
|
||||
@@ -311,63 +311,73 @@ sshbuf_check_reserve(const struct sshbuf
|
||||
SSHBUF_TELL("check");
|
||||
/* Check that len is reasonable and that max_size + available < len */
|
||||
if (len > buf->max_size || buf->max_size - len < buf->size - buf->off)
|
||||
return SSH_ERR_NO_BUFFER_SPACE;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
-sshbuf_reserve(struct sshbuf *buf, size_t len, u_char **dpp)
|
||||
+sshbuf_allocate(struct sshbuf *buf, size_t len)
|
||||
{
|
||||
size_t rlen, need;
|
||||
u_char *dp;
|
||||
int r;
|
||||
|
||||
- if (dpp != NULL)
|
||||
- *dpp = NULL;
|
||||
-
|
||||
- SSHBUF_DBG(("reserve buf = %p len = %zu", buf, len));
|
||||
+ SSHBUF_DBG(("allocate buf = %p len = %zu", buf, len));
|
||||
if ((r = sshbuf_check_reserve(buf, len)) != 0)
|
||||
return r;
|
||||
/*
|
||||
* If the requested allocation appended would push us past max_size
|
||||
* then pack the buffer, zeroing buf->off.
|
||||
*/
|
||||
sshbuf_maybe_pack(buf, buf->size + len > buf->max_size);
|
||||
- SSHBUF_TELL("reserve");
|
||||
- if (len + buf->size > buf->alloc) {
|
||||
- /*
|
||||
- * Prefer to alloc in SSHBUF_SIZE_INC units, but
|
||||
- * allocate less if doing so would overflow max_size.
|
||||
- */
|
||||
- need = len + buf->size - buf->alloc;
|
||||
- rlen = roundup(buf->alloc + need, SSHBUF_SIZE_INC);
|
||||
- SSHBUF_DBG(("need %zu initial rlen %zu", need, rlen));
|
||||
- if (rlen > buf->max_size)
|
||||
- rlen = buf->alloc + need;
|
||||
- SSHBUF_DBG(("adjusted rlen %zu", rlen));
|
||||
- if ((dp = realloc(buf->d, rlen)) == NULL) {
|
||||
- SSHBUF_DBG(("realloc fail"));
|
||||
- if (dpp != NULL)
|
||||
- *dpp = NULL;
|
||||
- return SSH_ERR_ALLOC_FAIL;
|
||||
- }
|
||||
- buf->alloc = rlen;
|
||||
- buf->cd = buf->d = dp;
|
||||
- if ((r = sshbuf_check_reserve(buf, len)) < 0) {
|
||||
- /* shouldn't fail */
|
||||
- if (dpp != NULL)
|
||||
- *dpp = NULL;
|
||||
- return r;
|
||||
- }
|
||||
+ SSHBUF_TELL("allocate");
|
||||
+ if (len + buf->size <= buf->alloc)
|
||||
+ return 0; /* already have it. */
|
||||
+
|
||||
+ /*
|
||||
+ * Prefer to alloc in SSHBUF_SIZE_INC units, but
|
||||
+ * allocate less if doing so would overflow max_size.
|
||||
+ */
|
||||
+ need = len + buf->size - buf->alloc;
|
||||
+ rlen = roundup(buf->alloc + need, SSHBUF_SIZE_INC);
|
||||
+ SSHBUF_DBG(("need %zu initial rlen %zu", need, rlen));
|
||||
+ if (rlen > buf->max_size)
|
||||
+ rlen = buf->alloc + need;
|
||||
+ SSHBUF_DBG(("adjusted rlen %zu", rlen));
|
||||
+ if ((dp = realloc(buf->d, rlen)) == NULL) {
|
||||
+ SSHBUF_DBG(("realloc fail"));
|
||||
+ return SSH_ERR_ALLOC_FAIL;
|
||||
}
|
||||
+ buf->alloc = rlen;
|
||||
+ buf->cd = buf->d = dp;
|
||||
+ if ((r = sshbuf_check_reserve(buf, len)) < 0) {
|
||||
+ /* shouldn't fail */
|
||||
+ return r;
|
||||
+ }
|
||||
+ SSHBUF_TELL("done");
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+sshbuf_reserve(struct sshbuf *buf, size_t len, u_char **dpp)
|
||||
+{
|
||||
+ u_char *dp;
|
||||
+ int r;
|
||||
+
|
||||
+ if (dpp != NULL)
|
||||
+ *dpp = NULL;
|
||||
+
|
||||
+ SSHBUF_DBG(("reserve buf = %p len = %zu", buf, len));
|
||||
+ if ((r = sshbuf_allocate(buf, len)) != 0)
|
||||
+ return r;
|
||||
+
|
||||
dp = buf->d + buf->size;
|
||||
buf->size += len;
|
||||
- SSHBUF_TELL("done");
|
||||
if (dpp != NULL)
|
||||
*dpp = dp;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
sshbuf_consume(struct sshbuf *buf, size_t len)
|
||||
{
|
||||
diff --git a/openssh-7.2p2/sshbuf.h b/openssh-7.2p2/sshbuf.h
|
||||
--- a/openssh-7.2p2/sshbuf.h
|
||||
+++ b/openssh-7.2p2/sshbuf.h
|
||||
@@ -134,16 +134,24 @@ u_char *sshbuf_mutable_ptr(const struct
|
||||
* Check whether a reservation of size len will succeed in buf
|
||||
* Safer to use than direct comparisons again sshbuf_avail as it copes
|
||||
* with unsigned overflows correctly.
|
||||
* Returns 0 on success, or a negative SSH_ERR_* error code on failure.
|
||||
*/
|
||||
int sshbuf_check_reserve(const struct sshbuf *buf, size_t len);
|
||||
|
||||
/*
|
||||
+ * Preallocates len additional bytes in buf.
|
||||
+ * Useful for cases where the caller knows how many bytes will ultimately be
|
||||
+ * required to avoid realloc in the buffer code.
|
||||
+ * Returns 0 on success, or a negative SSH_ERR_* error code on failure.
|
||||
+ */
|
||||
+int sshbuf_allocate(struct sshbuf *buf, size_t len);
|
||||
+
|
||||
+/*
|
||||
* Reserve len bytes in buf.
|
||||
* Returns 0 on success and a pointer to the first reserved byte via the
|
||||
* optional dpp parameter or a negative * SSH_ERR_* error code on failure.
|
||||
*/
|
||||
int sshbuf_reserve(struct sshbuf *buf, size_t len, u_char **dpp);
|
||||
|
||||
/*
|
||||
* Consume len bytes from the start of buf
|
264
openssh-7.2p2-prevent_timing_user_enumeration.patch
Normal file
264
openssh-7.2p2-prevent_timing_user_enumeration.patch
Normal file
@ -0,0 +1,264 @@
|
||||
# HG changeset patch
|
||||
# Parent 4a254abf4ef391358257310ad2fe15c9e12dee34
|
||||
Prevent user enumeration through password processing timing
|
||||
CVE-2016-6210
|
||||
bsc#989363
|
||||
|
||||
non-PAM part:
|
||||
upstream commit: 9286875a73b2de7736b5e50692739d314cd8d9dc
|
||||
|
||||
PAM part:
|
||||
upstream commit: 283b97ff33ea2c641161950849931bd578de6946
|
||||
|
||||
diff --git a/openssh-7.2p2/auth-pam.c b/openssh-7.2p2/auth-pam.c
|
||||
--- a/openssh-7.2p2/auth-pam.c
|
||||
+++ b/openssh-7.2p2/auth-pam.c
|
||||
@@ -227,17 +227,16 @@ static pam_handle_t *sshpam_handle = NUL
|
||||
static int sshpam_err = 0;
|
||||
static int sshpam_authenticated = 0;
|
||||
static int sshpam_session_open = 0;
|
||||
static int sshpam_cred_established = 0;
|
||||
static int sshpam_account_status = -1;
|
||||
static char **sshpam_env = NULL;
|
||||
static Authctxt *sshpam_authctxt = NULL;
|
||||
static const char *sshpam_password = NULL;
|
||||
-static char badpw[] = "\b\n\r\177INCORRECT";
|
||||
|
||||
/* Some PAM implementations don't implement this */
|
||||
#ifndef HAVE_PAM_GETENVLIST
|
||||
static char **
|
||||
pam_getenvlist(pam_handle_t *pamh)
|
||||
{
|
||||
/*
|
||||
* XXX - If necessary, we can still support envrionment passing
|
||||
@@ -807,22 +806,45 @@ sshpam_query(void *ctx, char **name, cha
|
||||
free(msg);
|
||||
ctxt->pam_done = -1;
|
||||
return (-1);
|
||||
}
|
||||
}
|
||||
return (-1);
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Returns a junk password of identical length to that the user supplied.
|
||||
+ * Used to mitigate timing attacks against crypt(3)/PAM stacks that
|
||||
+ * vary processing time in proportion to password length.
|
||||
+ */
|
||||
+static char *
|
||||
+fake_password(const char *wire_password)
|
||||
+{
|
||||
+ const char junk[] = "\b\n\r\177INCORRECT";
|
||||
+ char *ret = NULL;
|
||||
+ size_t i, l = wire_password != NULL ? strlen(wire_password) : 0;
|
||||
+
|
||||
+ if (l >= INT_MAX)
|
||||
+ fatal("%s: password length too long: %zu", __func__, l);
|
||||
+
|
||||
+ ret = xmalloc(l + 1);
|
||||
+ for (i = 0; i < l; i++)
|
||||
+ ret[i] = junk[i % (sizeof(junk) - 1)];
|
||||
+ ret[i] = '\0';
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
/* XXX - see also comment in auth-chall.c:verify_response */
|
||||
static int
|
||||
sshpam_respond(void *ctx, u_int num, char **resp)
|
||||
{
|
||||
Buffer buffer;
|
||||
struct pam_ctxt *ctxt = ctx;
|
||||
+ char *fake;
|
||||
|
||||
debug2("PAM: %s entering, %u responses", __func__, num);
|
||||
switch (ctxt->pam_done) {
|
||||
case 1:
|
||||
sshpam_authenticated = 1;
|
||||
return (0);
|
||||
case 0:
|
||||
break;
|
||||
@@ -833,18 +855,21 @@ sshpam_respond(void *ctx, u_int num, cha
|
||||
error("PAM: expected one response, got %u", num);
|
||||
return (-1);
|
||||
}
|
||||
buffer_init(&buffer);
|
||||
if (sshpam_authctxt->valid &&
|
||||
(sshpam_authctxt->pw->pw_uid != 0 ||
|
||||
options.permit_root_login == PERMIT_YES))
|
||||
buffer_put_cstring(&buffer, *resp);
|
||||
- else
|
||||
- buffer_put_cstring(&buffer, badpw);
|
||||
+ else {
|
||||
+ fake = fake_password(*resp);
|
||||
+ buffer_put_cstring(&buffer, fake);
|
||||
+ free(fake);
|
||||
+ }
|
||||
if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
|
||||
buffer_free(&buffer);
|
||||
return (-1);
|
||||
}
|
||||
buffer_free(&buffer);
|
||||
return (1);
|
||||
}
|
||||
|
||||
@@ -1178,41 +1203,43 @@ static struct pam_conv passwd_conv = { s
|
||||
/*
|
||||
* Attempt password authentication via PAM
|
||||
*/
|
||||
int
|
||||
sshpam_auth_passwd(Authctxt *authctxt, const char *password)
|
||||
{
|
||||
int flags = (options.permit_empty_passwd == 0 ?
|
||||
PAM_DISALLOW_NULL_AUTHTOK : 0);
|
||||
+ char *fake = NULL;
|
||||
|
||||
if (!options.use_pam || sshpam_handle == NULL)
|
||||
fatal("PAM: %s called when PAM disabled or failed to "
|
||||
"initialise.", __func__);
|
||||
|
||||
sshpam_password = password;
|
||||
sshpam_authctxt = authctxt;
|
||||
|
||||
/*
|
||||
* If the user logging in is invalid, or is root but is not permitted
|
||||
* by PermitRootLogin, use an invalid password to prevent leaking
|
||||
* information via timing (eg if the PAM config has a delay on fail).
|
||||
*/
|
||||
if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
|
||||
options.permit_root_login != PERMIT_YES))
|
||||
- sshpam_password = badpw;
|
||||
+ sshpam_password = fake = fake_password(password);
|
||||
|
||||
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
|
||||
(const void *)&passwd_conv);
|
||||
if (sshpam_err != PAM_SUCCESS)
|
||||
fatal("PAM: %s: failed to set PAM_CONV: %s", __func__,
|
||||
pam_strerror(sshpam_handle, sshpam_err));
|
||||
|
||||
sshpam_err = pam_authenticate(sshpam_handle, flags);
|
||||
sshpam_password = NULL;
|
||||
+ free(fake);
|
||||
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
|
||||
debug("PAM: password authentication accepted for %.100s",
|
||||
authctxt->user);
|
||||
return 1;
|
||||
} else {
|
||||
debug("PAM: password authentication failed for %.100s: %s",
|
||||
authctxt->valid ? authctxt->user : "an illegal user",
|
||||
pam_strerror(sshpam_handle, sshpam_err));
|
||||
diff --git a/openssh-7.2p2/auth-passwd.c b/openssh-7.2p2/auth-passwd.c
|
||||
--- a/openssh-7.2p2/auth-passwd.c
|
||||
+++ b/openssh-7.2p2/auth-passwd.c
|
||||
@@ -188,28 +188,32 @@ sys_auth_passwd(Authctxt *authctxt, cons
|
||||
return (auth_close(as));
|
||||
}
|
||||
}
|
||||
#elif !defined(CUSTOM_SYS_AUTH_PASSWD)
|
||||
int
|
||||
sys_auth_passwd(Authctxt *authctxt, const char *password)
|
||||
{
|
||||
struct passwd *pw = authctxt->pw;
|
||||
- char *encrypted_password;
|
||||
+ char *encrypted_password, *salt = NULL;
|
||||
|
||||
/* Just use the supplied fake password if authctxt is invalid */
|
||||
char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
|
||||
|
||||
/* Check for users with no password. */
|
||||
if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
|
||||
return (1);
|
||||
|
||||
- /* Encrypt the candidate password using the proper salt. */
|
||||
- encrypted_password = xcrypt(password,
|
||||
- (pw_password[0] && pw_password[1]) ? pw_password : "xx");
|
||||
+ /*
|
||||
+ * Encrypt the candidate password using the proper salt, or pass a
|
||||
+ * NULL and let xcrypt pick one.
|
||||
+ */
|
||||
+ if (authctxt->valid && pw_password[0] && pw_password[1])
|
||||
+ salt = pw_password;
|
||||
+ encrypted_password = xcrypt(password, salt);
|
||||
|
||||
/*
|
||||
* Authentication is accepted if the encrypted passwords
|
||||
* are identical.
|
||||
*/
|
||||
return encrypted_password != NULL &&
|
||||
strcmp(encrypted_password, pw_password) == 0;
|
||||
}
|
||||
diff --git a/openssh-7.2p2/openbsd-compat/xcrypt.c b/openssh-7.2p2/openbsd-compat/xcrypt.c
|
||||
--- a/openssh-7.2p2/openbsd-compat/xcrypt.c
|
||||
+++ b/openssh-7.2p2/openbsd-compat/xcrypt.c
|
||||
@@ -20,16 +20,17 @@
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#include <sys/types.h>
|
||||
+#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <pwd.h>
|
||||
|
||||
# if defined(HAVE_CRYPT_H) && !defined(HAVE_SECUREWARE)
|
||||
# include <crypt.h>
|
||||
# endif
|
||||
|
||||
# ifdef __hpux
|
||||
@@ -57,21 +58,54 @@
|
||||
# include "md5crypt.h"
|
||||
# endif
|
||||
|
||||
# if defined(WITH_OPENSSL) && !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT)
|
||||
# include <openssl/des.h>
|
||||
# define crypt DES_crypt
|
||||
# endif
|
||||
|
||||
+/*
|
||||
+ * Pick an appropriate password encryption type and salt for the running
|
||||
+ * system.
|
||||
+ */
|
||||
+static const char *
|
||||
+pick_salt(void)
|
||||
+{
|
||||
+ struct passwd *pw;
|
||||
+ char *passwd, *p;
|
||||
+ size_t typelen;
|
||||
+ static char salt[32];
|
||||
+
|
||||
+ if (salt[0] != '\0')
|
||||
+ return salt;
|
||||
+ strlcpy(salt, "xx", sizeof(salt));
|
||||
+ if ((pw = getpwuid(0)) == NULL)
|
||||
+ return salt;
|
||||
+ passwd = shadow_pw(pw);
|
||||
+ if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
|
||||
+ return salt; /* no $, DES */
|
||||
+ typelen = p - passwd + 1;
|
||||
+ strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
|
||||
+ explicit_bzero(passwd, strlen(passwd));
|
||||
+ return salt;
|
||||
+}
|
||||
+
|
||||
char *
|
||||
xcrypt(const char *password, const char *salt)
|
||||
{
|
||||
char *crypted;
|
||||
|
||||
+ /*
|
||||
+ * If we don't have a salt we are encrypting a fake password for
|
||||
+ * for timing purposes. Pick an appropriate salt.
|
||||
+ */
|
||||
+ if (salt == NULL)
|
||||
+ salt = pick_salt();
|
||||
+
|
||||
# ifdef HAVE_MD5_PASSWORDS
|
||||
if (is_md5_salt(salt))
|
||||
crypted = md5_crypt(password, salt);
|
||||
else
|
||||
crypted = crypt(password, salt);
|
||||
# elif defined(__hpux) && !defined(HAVE_SECUREWARE)
|
||||
if (iscomsec())
|
||||
crypted = bigcrypt(password, salt);
|
@ -1,12 +1,12 @@
|
||||
# HG changeset patch
|
||||
# Parent 6dd892b74f13d258dc1bb3a70db7397dfb46c5e0
|
||||
# Parent 787bc0aab11e5a7b6510c8dbf771958743ca25b0
|
||||
# use same lines naming as utempter (prevents problems with using different
|
||||
# formats in ?tmp? files)
|
||||
# --used to be called '-pts'
|
||||
|
||||
diff --git a/openssh-7.6p1/loginrec.c b/openssh-7.6p1/loginrec.c
|
||||
--- a/openssh-7.6p1/loginrec.c
|
||||
+++ b/openssh-7.6p1/loginrec.c
|
||||
diff --git a/openssh-7.2p2/loginrec.c b/openssh-7.2p2/loginrec.c
|
||||
--- a/openssh-7.2p2/loginrec.c
|
||||
+++ b/openssh-7.2p2/loginrec.c
|
||||
@@ -541,17 +541,17 @@ getlast_entry(struct logininfo *li)
|
||||
/*
|
||||
* 'line' string utility functions
|
@ -1,20 +1,20 @@
|
||||
# HG changeset patch
|
||||
# Parent 2c6d52d1229cbfd1cd4b7b356bb649470df4d3b3
|
||||
# Parent 18c2690afd988b9cb0fd0fa927d02cf5336dce9c
|
||||
# --used to be called '-xauth'
|
||||
try to remove xauth cookies on logout
|
||||
|
||||
bnc#98815
|
||||
|
||||
diff --git a/openssh-7.6p1/session.c b/openssh-7.6p1/session.c
|
||||
--- a/openssh-7.6p1/session.c
|
||||
+++ b/openssh-7.6p1/session.c
|
||||
@@ -2294,16 +2294,44 @@ session_close(struct ssh *ssh, Session *
|
||||
diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
|
||||
--- a/openssh-7.2p2/session.c
|
||||
+++ b/openssh-7.2p2/session.c
|
||||
@@ -2540,16 +2540,44 @@ session_close(Session *s)
|
||||
u_int i;
|
||||
|
||||
verbose("Close session: user %s from %.200s port %d id %d",
|
||||
s->pw->pw_name,
|
||||
ssh_remote_ipaddr(ssh),
|
||||
ssh_remote_port(ssh),
|
||||
get_remote_ipaddr(),
|
||||
get_remote_port(),
|
||||
s->self);
|
||||
|
||||
+ if ((s->display != NULL) && (s->auth_proto != NULL) &&
|
297
openssh-7.2p2-restrict_pkcs11-modules.patch
Normal file
297
openssh-7.2p2-restrict_pkcs11-modules.patch
Normal file
@ -0,0 +1,297 @@
|
||||
# HG changeset patch
|
||||
# Parent 22de9aeddbde2b36da9c23475cfa5dcd42e95287
|
||||
whitelist paths for loading of PKCS#11 modules in ssh-agent
|
||||
|
||||
CVE-2016-10009
|
||||
bsc#1016366
|
||||
|
||||
upstream commit 786d5994da79151180cb14a6cf157ebbba61c0cc
|
||||
|
||||
diff --git a/openssh-7.2p2/ssh-agent.1 b/openssh-7.2p2/ssh-agent.1
|
||||
--- a/openssh-7.2p2/ssh-agent.1
|
||||
+++ b/openssh-7.2p2/ssh-agent.1
|
||||
@@ -1,9 +1,9 @@
|
||||
-.\" $OpenBSD: ssh-agent.1,v 1.62 2015/11/15 23:54:15 jmc Exp $
|
||||
+.\" $OpenBSD: ssh-agent.1,v 1.63 2016/11/30 03:07:37 djm Exp $
|
||||
.\"
|
||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
.\" All rights reserved
|
||||
.\"
|
||||
.\" As far as I am concerned, the code I have written for this software
|
||||
.\" can be used freely for any purpose. Any derived versions of this
|
||||
.\" software must be clearly marked as such, and if the derived work is
|
||||
@@ -29,29 +29,30 @@
|
||||
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
-.Dd $Mdocdate: November 15 2015 $
|
||||
+.Dd $Mdocdate: November 30 2016 $
|
||||
.Dt SSH-AGENT 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm ssh-agent
|
||||
.Nd authentication agent
|
||||
.Sh SYNOPSIS
|
||||
.Nm ssh-agent
|
||||
.Op Fl c | s
|
||||
.Op Fl \&Dd
|
||||
.Op Fl a Ar bind_address
|
||||
.Op Fl E Ar fingerprint_hash
|
||||
.Op Fl t Ar life
|
||||
+.Op Fl P Ar pkcs11_whitelist
|
||||
.Op Ar command Op Ar arg ...
|
||||
.Nm ssh-agent
|
||||
.Op Fl c | s
|
||||
.Fl k
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
is a program to hold private keys used for public key authentication
|
||||
(RSA, DSA, ECDSA, Ed25519).
|
||||
@@ -116,16 +117,28 @@ Valid options are:
|
||||
and
|
||||
.Dq sha256 .
|
||||
The default is
|
||||
.Dq sha256 .
|
||||
.It Fl k
|
||||
Kill the current agent (given by the
|
||||
.Ev SSH_AGENT_PID
|
||||
environment variable).
|
||||
+.It Fl P
|
||||
+Specify a pattern-list of acceptable paths for PKCS#11 shared libraries
|
||||
+that may be added using the
|
||||
+.Fl s
|
||||
+option to
|
||||
+.Xr ssh-add 1 .
|
||||
+The default is to allow loading PKCS#11 libraries from
|
||||
+.Dq /usr/lib/*,/usr/local/lib/* .
|
||||
+PKCS#11 libraries that do not match the whitelist will be refused.
|
||||
+See PATTERNS in
|
||||
+.Xr ssh_config 5
|
||||
+for a description of pattern-list syntax.
|
||||
.It Fl s
|
||||
Generate Bourne shell commands on
|
||||
.Dv stdout .
|
||||
This is the default if
|
||||
.Ev SHELL
|
||||
does not look like it's a csh style of shell.
|
||||
.It Fl t Ar life
|
||||
Set a default value for the maximum lifetime of identities added to the agent.
|
||||
diff --git a/openssh-7.2p2/ssh-agent.c b/openssh-7.2p2/ssh-agent.c
|
||||
--- a/openssh-7.2p2/ssh-agent.c
|
||||
+++ b/openssh-7.2p2/ssh-agent.c
|
||||
@@ -78,25 +78,30 @@
|
||||
#include "sshbuf.h"
|
||||
#include "sshkey.h"
|
||||
#include "authfd.h"
|
||||
#include "compat.h"
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
#include "digest.h"
|
||||
#include "ssherr.h"
|
||||
+#include "match.h"
|
||||
|
||||
#ifdef ENABLE_PKCS11
|
||||
#include "ssh-pkcs11.h"
|
||||
#endif
|
||||
|
||||
#if defined(HAVE_SYS_PRCTL_H)
|
||||
#include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */
|
||||
#endif
|
||||
|
||||
+#ifndef DEFAULT_PKCS11_WHITELIST
|
||||
+# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
|
||||
+#endif
|
||||
+
|
||||
typedef enum {
|
||||
AUTH_UNUSED,
|
||||
AUTH_SOCKET,
|
||||
AUTH_CONNECTION
|
||||
} sock_type;
|
||||
|
||||
typedef struct {
|
||||
int fd;
|
||||
@@ -134,16 +139,19 @@ time_t parent_alive_interval = 0;
|
||||
|
||||
/* pid of process for which cleanup_socket is applicable */
|
||||
pid_t cleanup_pid = 0;
|
||||
|
||||
/* pathname and directory for AUTH_SOCKET */
|
||||
char socket_name[PATH_MAX];
|
||||
char socket_dir[PATH_MAX];
|
||||
|
||||
+/* PKCS#11 path whitelist */
|
||||
+static char *pkcs11_whitelist;
|
||||
+
|
||||
/* locking */
|
||||
#define LOCK_SIZE 32
|
||||
#define LOCK_SALT_SIZE 16
|
||||
#define LOCK_ROUNDS 1
|
||||
int locked = 0;
|
||||
char lock_passwd[LOCK_SIZE];
|
||||
char lock_salt[LOCK_SALT_SIZE];
|
||||
|
||||
@@ -736,17 +744,17 @@ no_identities(SocketEntry *e, u_int type
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
sshbuf_free(msg);
|
||||
}
|
||||
|
||||
#ifdef ENABLE_PKCS11
|
||||
static void
|
||||
process_add_smartcard_key(SocketEntry *e)
|
||||
{
|
||||
- char *provider = NULL, *pin;
|
||||
+ char *provider = NULL, *pin, canonical_provider[PATH_MAX];
|
||||
int r, i, version, count = 0, success = 0, confirm = 0;
|
||||
u_int seconds;
|
||||
time_t death = 0;
|
||||
u_char type;
|
||||
struct sshkey **keys = NULL, *k;
|
||||
Identity *id;
|
||||
Idtab *tab;
|
||||
|
||||
@@ -768,29 +776,40 @@ process_add_smartcard_key(SocketEntry *e
|
||||
confirm = 1;
|
||||
break;
|
||||
default:
|
||||
error("process_add_smartcard_key: "
|
||||
"Unknown constraint type %d", type);
|
||||
goto send;
|
||||
}
|
||||
}
|
||||
+ if (realpath(provider, canonical_provider) == NULL) {
|
||||
+ verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
|
||||
+ provider, strerror(errno));
|
||||
+ goto send;
|
||||
+ }
|
||||
+ if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) {
|
||||
+ verbose("refusing PKCS#11 add of \"%.100s\": "
|
||||
+ "provider not whitelisted", canonical_provider);
|
||||
+ goto send;
|
||||
+ }
|
||||
+ debug("%s: add %.100s", __func__, canonical_provider);
|
||||
if (lifetime && !death)
|
||||
death = monotime() + lifetime;
|
||||
|
||||
- count = pkcs11_add_provider(provider, pin, &keys);
|
||||
+ count = pkcs11_add_provider(canonical_provider, pin, &keys);
|
||||
for (i = 0; i < count; i++) {
|
||||
k = keys[i];
|
||||
version = k->type == KEY_RSA1 ? 1 : 2;
|
||||
tab = idtab_lookup(version);
|
||||
if (lookup_identity(k, version) == NULL) {
|
||||
id = xcalloc(1, sizeof(Identity));
|
||||
id->key = k;
|
||||
- id->provider = xstrdup(provider);
|
||||
- id->comment = xstrdup(provider); /* XXX */
|
||||
+ id->provider = xstrdup(canonical_provider);
|
||||
+ id->comment = xstrdup(canonical_provider); /* XXX */
|
||||
id->death = death;
|
||||
id->confirm = confirm;
|
||||
TAILQ_INSERT_TAIL(&tab->idlist, id, next);
|
||||
tab->nentries++;
|
||||
success = 1;
|
||||
} else {
|
||||
sshkey_free(k);
|
||||
}
|
||||
@@ -1171,17 +1190,17 @@ check_parent_exists(void)
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
usage(void)
|
||||
{
|
||||
fprintf(stderr,
|
||||
"usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
|
||||
- " [-t life] [command [arg ...]]\n"
|
||||
+ " [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
|
||||
" ssh-agent [-c | -s] -k\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
int
|
||||
main(int ac, char **av)
|
||||
{
|
||||
int c_flag = 0, d_flag = 0, D_flag = 0, k_flag = 0, s_flag = 0;
|
||||
@@ -1215,31 +1234,36 @@ main(int ac, char **av)
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
OpenSSL_add_all_algorithms();
|
||||
#endif
|
||||
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
seed_rng();
|
||||
|
||||
- while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) {
|
||||
+ while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) {
|
||||
switch (ch) {
|
||||
case 'E':
|
||||
fingerprint_hash = ssh_digest_alg_by_name(optarg);
|
||||
if (fingerprint_hash == -1)
|
||||
fatal("Invalid hash algorithm \"%s\"", optarg);
|
||||
break;
|
||||
case 'c':
|
||||
if (s_flag)
|
||||
usage();
|
||||
c_flag++;
|
||||
break;
|
||||
case 'k':
|
||||
k_flag++;
|
||||
break;
|
||||
+ case 'P':
|
||||
+ if (pkcs11_whitelist != NULL)
|
||||
+ fatal("-P option already specified");
|
||||
+ pkcs11_whitelist = xstrdup(optarg);
|
||||
+ break;
|
||||
case 's':
|
||||
if (c_flag)
|
||||
usage();
|
||||
s_flag++;
|
||||
break;
|
||||
case 'd':
|
||||
if (d_flag || D_flag)
|
||||
usage();
|
||||
@@ -1264,16 +1288,19 @@ main(int ac, char **av)
|
||||
}
|
||||
}
|
||||
ac -= optind;
|
||||
av += optind;
|
||||
|
||||
if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))
|
||||
usage();
|
||||
|
||||
+ if (pkcs11_whitelist == NULL)
|
||||
+ pkcs11_whitelist = xstrdup(DEFAULT_PKCS11_WHITELIST);
|
||||
+
|
||||
if (ac == 0 && !c_flag && !s_flag) {
|
||||
shell = getenv("SHELL");
|
||||
if (shell != NULL && (len = strlen(shell)) > 2 &&
|
||||
strncmp(shell + len - 3, "csh", 3) == 0)
|
||||
c_flag = 1;
|
||||
}
|
||||
if (k_flag) {
|
||||
const char *errstr = NULL;
|
||||
@@ -1411,17 +1438,17 @@ skip:
|
||||
parent_alive_interval = 10;
|
||||
idtab_init();
|
||||
signal(SIGPIPE, SIG_IGN);
|
||||
signal(SIGINT, (d_flag | D_flag) ? cleanup_handler : SIG_IGN);
|
||||
signal(SIGHUP, cleanup_handler);
|
||||
signal(SIGTERM, cleanup_handler);
|
||||
nalloc = 0;
|
||||
|
||||
- if (pledge("stdio cpath unix id proc exec", NULL) == -1)
|
||||
+ if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1)
|
||||
fatal("%s: pledge: %s", __progname, strerror(errno));
|
||||
platform_pledge_agent();
|
||||
|
||||
while (1) {
|
||||
prepare_select(&readsetp, &writesetp, &max_fd, &nalloc, &tvp);
|
||||
result = select(max_fd + 1, readsetp, writesetp, NULL, tvp);
|
||||
saved_errno = errno;
|
||||
if (parent_alive_interval != 0)
|
82
openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch
Normal file
82
openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch
Normal file
@ -0,0 +1,82 @@
|
||||
# HG changeset patch
|
||||
# Parent bb92b9f037cc3686a669cd84caa44a2716f34058
|
||||
Date: Tue, 9 May 2017 14:27:34 -0300
|
||||
|
||||
[PATCH 0/3] Allow syscalls for openssl engines
|
||||
From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
||||
To: openssh-unix-dev@mindrot.org
|
||||
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
|
||||
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
|
||||
implementation) which calls the libraries that will communicate with the
|
||||
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
|
||||
this is only need on s390 architecture.
|
||||
|
||||
The EP11 crypto card also needs to make an ioctl call, which receives an
|
||||
specific argument.
|
||||
|
||||
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
||||
|
||||
related to bsc#1016709
|
||||
|
||||
diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c
|
||||
--- a/openssh-7.2p2/sandbox-seccomp-filter.c
|
||||
+++ b/openssh-7.2p2/sandbox-seccomp-filter.c
|
||||
@@ -150,16 +150,19 @@ static const struct sock_filter preauth_
|
||||
SC_ALLOW(stat),
|
||||
#endif
|
||||
#ifdef __NR_exit
|
||||
SC_ALLOW(exit),
|
||||
#endif
|
||||
#ifdef __NR_exit_group
|
||||
SC_ALLOW(exit_group),
|
||||
#endif
|
||||
+#if defined(__NR_flock) && defined(__s390__)
|
||||
+ SC_ALLOW(flock),
|
||||
+#endif
|
||||
#ifdef __NR_getpgid
|
||||
SC_ALLOW(getpgid),
|
||||
#endif
|
||||
#ifdef __NR_getpid
|
||||
SC_ALLOW(getpid),
|
||||
#endif
|
||||
#ifdef __NR_getuid
|
||||
SC_ALLOW(getuid),
|
||||
@@ -180,16 +183,19 @@ static const struct sock_filter preauth_
|
||||
SC_ALLOW(gettimeofday),
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
SC_ALLOW(getuid),
|
||||
#ifdef __NR_getuid32 /* not defined on x86_64 */
|
||||
SC_ALLOW(getuid32),
|
||||
#endif
|
||||
#endif
|
||||
+#if defined(__NR_ipc) && defined(__s390__)
|
||||
+ SC_ALLOW(ipc),
|
||||
+#endif
|
||||
#ifdef __NR_madvise
|
||||
SC_ALLOW(madvise),
|
||||
#endif
|
||||
#ifdef __NR_mmap
|
||||
SC_ALLOW(mmap),
|
||||
#endif
|
||||
#ifdef __NR_mmap2
|
||||
SC_ALLOW(mmap2),
|
||||
@@ -233,16 +239,18 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_socketcall
|
||||
SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
|
||||
#endif
|
||||
#ifdef __NR_ioctl
|
||||
#ifdef __s390__
|
||||
SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
|
||||
SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
|
||||
SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
|
||||
+ /* Allow ioctls for EP11 crypto card on s390 */
|
||||
+ SC_ALLOW_ARG(ioctl, 1, ZSENDEP11CPRB),
|
||||
#endif
|
||||
#endif
|
||||
|
||||
/* Default deny */
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
|
||||
};
|
||||
|
||||
static const struct sock_fprog preauth_program = {
|
100
openssh-7.2p2-s390_hw_crypto_syscalls.patch
Normal file
100
openssh-7.2p2-s390_hw_crypto_syscalls.patch
Normal file
@ -0,0 +1,100 @@
|
||||
# HG changeset patch
|
||||
# Parent 6d8637bec747de081eccba9874f640dcbc4fbb68
|
||||
This patch enables specific ioctl calls for ICA crypto card on s390
|
||||
platform. Without this patch, users using the IBMCA engine are not able
|
||||
to perform ssh login as the filter blocks the communication with the
|
||||
crypto card.
|
||||
|
||||
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
||||
|
||||
bsc#1016709
|
||||
|
||||
Upstreamed as:
|
||||
5f1596e11d55539678c41f68aed358628d33d86f
|
||||
58b8cfa2a062b72139d7229ae8de567f55776f24
|
||||
|
||||
diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c
|
||||
--- a/openssh-7.2p2/sandbox-seccomp-filter.c
|
||||
+++ b/openssh-7.2p2/sandbox-seccomp-filter.c
|
||||
@@ -54,42 +54,53 @@
|
||||
#include <errno.h>
|
||||
#include <signal.h>
|
||||
#include <stdarg.h>
|
||||
#include <stddef.h> /* for offsetof */
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
+#include <endian.h>
|
||||
+
|
||||
+#ifdef __s390__
|
||||
+#include <asm/zcrypt.h>
|
||||
+#endif
|
||||
|
||||
#include "log.h"
|
||||
#include "ssh-sandbox.h"
|
||||
#include "xmalloc.h"
|
||||
|
||||
/* Linux seccomp_filter sandbox */
|
||||
#define SECCOMP_FILTER_FAIL SECCOMP_RET_KILL
|
||||
|
||||
/* Use a signal handler to emit violations when debugging */
|
||||
#ifdef SANDBOX_SECCOMP_FILTER_DEBUG
|
||||
# undef SECCOMP_FILTER_FAIL
|
||||
# define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP
|
||||
#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
|
||||
|
||||
/* Simple helpers to avoid manual errors (but larger BPF programs). */
|
||||
+#if __BYTE_ORDER == __LITTLE_ENDIAN
|
||||
+#define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)])
|
||||
+#elif __BYTE_ORDER == __BIG_ENDIAN
|
||||
+#define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)]) + sizeof(uint32_t)
|
||||
+#else
|
||||
+#error "Unknown endianness"
|
||||
+#endif
|
||||
#define SC_DENY(_nr, _errno) \
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
|
||||
#define SC_ALLOW(_nr) \
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
|
||||
#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \
|
||||
- /* load first syscall argument */ \
|
||||
- BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
|
||||
- offsetof(struct seccomp_data, args[(_arg_nr)])), \
|
||||
+ /* load the syscall argument to check into accumulator */ \
|
||||
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_ARG(_arg_nr)), \
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
|
||||
/* reload syscall number; all rules expect it in accumulator */ \
|
||||
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
|
||||
offsetof(struct seccomp_data, nr))
|
||||
|
||||
/* Syscall filtering set for preauth. */
|
||||
static const struct sock_filter preauth_insns[] = {
|
||||
@@ -217,16 +228,23 @@ static const struct sock_filter preauth_
|
||||
SC_ALLOW(time),
|
||||
#endif
|
||||
#ifdef __NR_write
|
||||
SC_ALLOW(write),
|
||||
#endif
|
||||
#ifdef __NR_socketcall
|
||||
SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
|
||||
#endif
|
||||
+#ifdef __NR_ioctl
|
||||
+#ifdef __s390__
|
||||
+ SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
|
||||
+ SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
|
||||
+ SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
|
||||
+#endif
|
||||
+#endif
|
||||
|
||||
/* Default deny */
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
|
||||
};
|
||||
|
||||
static const struct sock_fprog preauth_program = {
|
||||
.len = (unsigned short)(sizeof(preauth_insns)/sizeof(preauth_insns[0])),
|
||||
.filter = (struct sock_filter *)preauth_insns,
|
34
openssh-7.2p2-seccomp_geteuid.patch
Normal file
34
openssh-7.2p2-seccomp_geteuid.patch
Normal file
@ -0,0 +1,34 @@
|
||||
# HG changeset patch
|
||||
# Parent b07f00d5d805c043f5bdc7b8cf6701d924879fa6
|
||||
Add the 'geteuid' syscall to allowed list, since it may becalled on the
|
||||
mainframes when OpenSSL is using hardware crypto accelerator via libica
|
||||
(via ibmica)
|
||||
|
||||
bsc#1004258
|
||||
|
||||
diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c
|
||||
--- a/openssh-7.2p2/sandbox-seccomp-filter.c
|
||||
+++ b/openssh-7.2p2/sandbox-seccomp-filter.c
|
||||
@@ -148,16 +148,22 @@ static const struct sock_filter preauth_
|
||||
SC_ALLOW(getpid),
|
||||
#endif
|
||||
#ifdef __NR_getuid
|
||||
SC_ALLOW(getuid),
|
||||
#endif
|
||||
#ifdef __NR_getuid32
|
||||
SC_ALLOW(getuid32),
|
||||
#endif
|
||||
+#ifdef __NR_geteuid
|
||||
+ SC_ALLOW(geteuid),
|
||||
+#endif
|
||||
+#ifdef __NR_geteuid32
|
||||
+ SC_ALLOW(geteuid32),
|
||||
+#endif
|
||||
#ifdef __NR_getrandom
|
||||
SC_ALLOW(getrandom),
|
||||
#endif
|
||||
#ifdef __NR_gettimeofday
|
||||
SC_ALLOW(gettimeofday),
|
||||
#endif
|
||||
#ifdef __NR_madvise
|
||||
SC_ALLOW(madvise),
|
31
openssh-7.2p2-seccomp_getuid.patch
Normal file
31
openssh-7.2p2-seccomp_getuid.patch
Normal file
@ -0,0 +1,31 @@
|
||||
# HG changeset patch
|
||||
# Parent d75417bf0f4d50cabd84299773bab4ac68f68caa
|
||||
add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread
|
||||
from being killed by the seccomp filter
|
||||
|
||||
diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c
|
||||
--- a/openssh-7.2p2/sandbox-seccomp-filter.c
|
||||
+++ b/openssh-7.2p2/sandbox-seccomp-filter.c
|
||||
@@ -142,16 +142,22 @@ static const struct sock_filter preauth_
|
||||
SC_ALLOW(exit_group),
|
||||
#endif
|
||||
#ifdef __NR_getpgid
|
||||
SC_ALLOW(getpgid),
|
||||
#endif
|
||||
#ifdef __NR_getpid
|
||||
SC_ALLOW(getpid),
|
||||
#endif
|
||||
+#ifdef __NR_getuid
|
||||
+ SC_ALLOW(getuid),
|
||||
+#endif
|
||||
+#ifdef __NR_getuid32
|
||||
+ SC_ALLOW(getuid32),
|
||||
+#endif
|
||||
#ifdef __NR_getrandom
|
||||
SC_ALLOW(getrandom),
|
||||
#endif
|
||||
#ifdef __NR_gettimeofday
|
||||
SC_ALLOW(gettimeofday),
|
||||
#endif
|
||||
#ifdef __NR_madvise
|
||||
SC_ALLOW(madvise),
|
30
openssh-7.2p2-seccomp_stat.patch
Normal file
30
openssh-7.2p2-seccomp_stat.patch
Normal file
@ -0,0 +1,30 @@
|
||||
# HG changeset patch
|
||||
# Parent 2153c4af090728c778931d2fad72d4b260294122
|
||||
Allow the stat() syscall for OpenSSL re-seed patch
|
||||
(which causes OpenSSL use stat() on some file)
|
||||
|
||||
bnc#912436
|
||||
|
||||
diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c
|
||||
--- a/openssh-7.2p2/sandbox-seccomp-filter.c
|
||||
+++ b/openssh-7.2p2/sandbox-seccomp-filter.c
|
||||
@@ -130,16 +130,19 @@ static const struct sock_filter preauth_
|
||||
SC_ALLOW(brk),
|
||||
#endif
|
||||
#ifdef __NR_clock_gettime
|
||||
SC_ALLOW(clock_gettime),
|
||||
#endif
|
||||
#ifdef __NR_close
|
||||
SC_ALLOW(close),
|
||||
#endif
|
||||
+#ifdef __NR_stat
|
||||
+ SC_ALLOW(stat),
|
||||
+#endif
|
||||
#ifdef __NR_exit
|
||||
SC_ALLOW(exit),
|
||||
#endif
|
||||
#ifdef __NR_exit_group
|
||||
SC_ALLOW(exit_group),
|
||||
#endif
|
||||
#ifdef __NR_getpgid
|
||||
SC_ALLOW(getpgid),
|
51
openssh-7.2p2-secure_unix_sockets_forwarding.patch
Normal file
51
openssh-7.2p2-secure_unix_sockets_forwarding.patch
Normal file
@ -0,0 +1,51 @@
|
||||
# HG changeset patch
|
||||
# Parent 4e1fd41aaa9cafe8f7b07868ac38ed4dbdf594aa
|
||||
Do not allow unix socket when running without privilege separation to prevent
|
||||
privilege escalation through a socket created with root: ownership.
|
||||
|
||||
CVE-2016-10010
|
||||
bsc#1016368
|
||||
|
||||
backported upstream commit b737e4d7433577403a31cff6614f6a1b0b5e22f4
|
||||
|
||||
diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c
|
||||
--- a/openssh-7.2p2/serverloop.c
|
||||
+++ b/openssh-7.2p2/serverloop.c
|
||||
@@ -990,17 +990,17 @@ server_request_direct_streamlocal(void)
|
||||
originator_port = packet_get_int();
|
||||
packet_check_eom();
|
||||
|
||||
debug("server_request_direct_streamlocal: originator %s port %d, target %s",
|
||||
originator, originator_port, target);
|
||||
|
||||
/* XXX fine grained permissions */
|
||||
if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
|
||||
- !no_port_forwarding_flag) {
|
||||
+ !no_port_forwarding_flag && use_privsep) {
|
||||
c = channel_connect_to_path(target,
|
||||
"direct-streamlocal@openssh.com", "direct-streamlocal");
|
||||
} else {
|
||||
logit("refused streamlocal port forward: "
|
||||
"originator %s port %d, target %s",
|
||||
originator, originator_port, target);
|
||||
}
|
||||
|
||||
@@ -1274,17 +1274,17 @@ server_input_global_request(int type, u_
|
||||
|
||||
memset(&fwd, 0, sizeof(fwd));
|
||||
fwd.listen_path = packet_get_string(NULL);
|
||||
debug("server_input_global_request: streamlocal-forward listen path %s",
|
||||
fwd.listen_path);
|
||||
|
||||
/* check permissions */
|
||||
if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
|
||||
- || no_port_forwarding_flag) {
|
||||
+ || no_port_forwarding_flag || !use_privsep) {
|
||||
success = 0;
|
||||
packet_send_debug("Server has disabled port forwarding.");
|
||||
} else {
|
||||
/* Start listening on the socket */
|
||||
success = channel_setup_remote_fwd_listener(
|
||||
&fwd, NULL, &options.fwd_opts);
|
||||
}
|
||||
free(fwd.listen_path);
|
461
openssh-7.2p2-seed-prng.patch
Normal file
461
openssh-7.2p2-seed-prng.patch
Normal file
@ -0,0 +1,461 @@
|
||||
# HG changeset patch
|
||||
# Parent 6ece65e11f754d75dd33d72b6f8e487a9d047f2e
|
||||
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
|
||||
# bnc#703221, FATE#312172
|
||||
|
||||
diff --git a/openssh-7.2p2/entropy.c b/openssh-7.2p2/entropy.c
|
||||
--- a/openssh-7.2p2/entropy.c
|
||||
+++ b/openssh-7.2p2/entropy.c
|
||||
@@ -49,16 +49,17 @@
|
||||
|
||||
#include "ssh.h"
|
||||
#include "misc.h"
|
||||
#include "xmalloc.h"
|
||||
#include "atomicio.h"
|
||||
#include "pathnames.h"
|
||||
#include "log.h"
|
||||
#include "buffer.h"
|
||||
+#include "openbsd-compat/port-linux.h"
|
||||
|
||||
/*
|
||||
* Portable OpenSSH PRNG seeding:
|
||||
* If OpenSSL has not "internally seeded" itself (e.g. pulled data from
|
||||
* /dev/random), then collect RANDOM_SEED_SIZE bytes of randomness from
|
||||
* PRNGd.
|
||||
*/
|
||||
#ifndef OPENSSL_PRNG_ONLY
|
||||
@@ -224,16 +225,19 @@ seed_rng(void)
|
||||
}
|
||||
|
||||
if (seed_from_prngd(buf, sizeof(buf)) == -1)
|
||||
fatal("Could not obtain seed from PRNGd");
|
||||
RAND_add(buf, sizeof(buf), sizeof(buf));
|
||||
memset(buf, '\0', sizeof(buf));
|
||||
|
||||
#endif /* OPENSSL_PRNG_ONLY */
|
||||
+
|
||||
+ linux_seed();
|
||||
+
|
||||
if (RAND_status() != 1)
|
||||
fatal("PRNG is not seeded");
|
||||
}
|
||||
|
||||
#else /* WITH_OPENSSL */
|
||||
|
||||
/* Handled in arc4random() */
|
||||
void
|
||||
diff --git a/openssh-7.2p2/openbsd-compat/Makefile.in b/openssh-7.2p2/openbsd-compat/Makefile.in
|
||||
--- a/openssh-7.2p2/openbsd-compat/Makefile.in
|
||||
+++ b/openssh-7.2p2/openbsd-compat/Makefile.in
|
||||
@@ -15,17 +15,17 @@ AR=@AR@
|
||||
RANLIB=@RANLIB@
|
||||
INSTALL=@INSTALL@
|
||||
LDFLAGS=-L. @LDFLAGS@
|
||||
|
||||
OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha1.o sha2.o rmd160.o md5.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
|
||||
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
|
||||
|
||||
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
|
||||
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||
|
||||
all: libopenbsd-compat.a
|
||||
|
||||
$(COMPAT): ../config.h
|
||||
$(OPENBSD): ../config.h
|
||||
diff --git a/openssh-7.2p2/openbsd-compat/port-linux-prng.c b/openssh-7.2p2/openbsd-compat/port-linux-prng.c
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-7.2p2/openbsd-compat/port-linux-prng.c
|
||||
@@ -0,0 +1,81 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
|
||||
+ * (c) 2011 Petr Cerny <pcerny@suse.cz>
|
||||
+ *
|
||||
+ * Permission to use, copy, modify, and distribute this software for any
|
||||
+ * purpose with or without fee is hereby granted, provided that the above
|
||||
+ * copyright notice and this permission notice appear in all copies.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * Linux-specific portability code - prng support
|
||||
+ */
|
||||
+
|
||||
+#include "includes.h"
|
||||
+#include "defines.h"
|
||||
+
|
||||
+#include <errno.h>
|
||||
+#include <stdarg.h>
|
||||
+#include <string.h>
|
||||
+#include <stdio.h>
|
||||
+#include <openssl/rand.h>
|
||||
+
|
||||
+#include "log.h"
|
||||
+#include "port-linux.h"
|
||||
+#include "fips.h"
|
||||
+
|
||||
+#define RNG_BYTES_DEFAULT 6L
|
||||
+#define RNG_ENV_VAR "SSH_USE_STRONG_RNG"
|
||||
+
|
||||
+long rand_bytes = 0;
|
||||
+char *rand_file = NULL;
|
||||
+
|
||||
+static void
|
||||
+linux_seed_init(void)
|
||||
+{
|
||||
+ long elen = 0;
|
||||
+ char *env = getenv(RNG_ENV_VAR);
|
||||
+
|
||||
+ if (env) {
|
||||
+ errno = 0;
|
||||
+ elen = strtol(env, NULL, 10);
|
||||
+ if (errno) {
|
||||
+ elen = RNG_BYTES_DEFAULT;
|
||||
+ debug("bogus value in the %s environment variable, "
|
||||
+ "using %li bytes from /dev/random\n",
|
||||
+ RNG_ENV_VAR, RNG_BYTES_DEFAULT);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (elen || fips_mode())
|
||||
+ rand_file = "/dev/random";
|
||||
+ else
|
||||
+ rand_file = "/dev/urandom";
|
||||
+
|
||||
+ rand_bytes = MAX(elen, RNG_BYTES_DEFAULT);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+linux_seed(void)
|
||||
+{
|
||||
+ long len;
|
||||
+ if (!rand_file)
|
||||
+ linux_seed_init();
|
||||
+
|
||||
+ errno = 0;
|
||||
+ len = RAND_load_file(rand_file, rand_bytes);
|
||||
+ if (len != rand_bytes) {
|
||||
+ if (errno)
|
||||
+ fatal ("cannot read from %s, %s", rand_file, strerror(errno));
|
||||
+ else
|
||||
+ fatal ("EOF reading %s", rand_file);
|
||||
+ }
|
||||
+}
|
||||
diff --git a/openssh-7.2p2/openbsd-compat/port-linux.h b/openssh-7.2p2/openbsd-compat/port-linux.h
|
||||
--- a/openssh-7.2p2/openbsd-compat/port-linux.h
|
||||
+++ b/openssh-7.2p2/openbsd-compat/port-linux.h
|
||||
@@ -14,16 +14,20 @@
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
#ifndef _PORT_LINUX_H
|
||||
#define _PORT_LINUX_H
|
||||
|
||||
+extern long rand_bytes;
|
||||
+extern char *rand_file;
|
||||
+void linux_seed(void);
|
||||
+
|
||||
#ifdef WITH_SELINUX
|
||||
int ssh_selinux_enabled(void);
|
||||
void ssh_selinux_setup_pty(char *, const char *);
|
||||
void ssh_selinux_setup_exec_context(char *);
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
#endif
|
||||
|
||||
diff --git a/openssh-7.2p2/ssh-add.1 b/openssh-7.2p2/ssh-add.1
|
||||
--- a/openssh-7.2p2/ssh-add.1
|
||||
+++ b/openssh-7.2p2/ssh-add.1
|
||||
@@ -166,16 +166,30 @@ or related script.
|
||||
(Note that on some machines it
|
||||
may be necessary to redirect the input from
|
||||
.Pa /dev/null
|
||||
to make this work.)
|
||||
.It Ev SSH_AUTH_SOCK
|
||||
Identifies the path of a
|
||||
.Ux Ns -domain
|
||||
socket used to communicate with the agent.
|
||||
+.It Ev SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 6 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
.El
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds
|
||||
.It Pa ~/.ssh/identity
|
||||
Contains the protocol version 1 RSA authentication identity of the user.
|
||||
.It Pa ~/.ssh/id_dsa
|
||||
Contains the protocol version 2 DSA authentication identity of the user.
|
||||
.It Pa ~/.ssh/id_ecdsa
|
||||
diff --git a/openssh-7.2p2/ssh-agent.1 b/openssh-7.2p2/ssh-agent.1
|
||||
--- a/openssh-7.2p2/ssh-agent.1
|
||||
+++ b/openssh-7.2p2/ssh-agent.1
|
||||
@@ -196,16 +196,33 @@ line terminates.
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds
|
||||
.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
|
||||
.Ux Ns -domain
|
||||
sockets used to contain the connection to the authentication agent.
|
||||
These sockets should only be readable by the owner.
|
||||
The sockets should get automatically removed when the agent exits.
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 6 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
.Xr sshd 8
|
||||
.Sh AUTHORS
|
||||
OpenSSH is a derivative of the original and free
|
||||
ssh 1.2.12 release by Tatu Ylonen.
|
||||
diff --git a/openssh-7.2p2/ssh-keygen.1 b/openssh-7.2p2/ssh-keygen.1
|
||||
--- a/openssh-7.2p2/ssh-keygen.1
|
||||
+++ b/openssh-7.2p2/ssh-keygen.1
|
||||
@@ -841,16 +841,33 @@ on all machines
|
||||
where the user wishes to log in using public key authentication.
|
||||
There is no need to keep the contents of this file secret.
|
||||
.Pp
|
||||
.It Pa /etc/moduli
|
||||
Contains Diffie-Hellman groups used for DH-GEX.
|
||||
The file format is described in
|
||||
.Xr moduli 5 .
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 6 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
.Xr ssh-agent 1 ,
|
||||
.Xr moduli 5 ,
|
||||
.Xr sshd 8
|
||||
.Rs
|
||||
.%R RFC 4716
|
||||
diff --git a/openssh-7.2p2/ssh-keysign.8 b/openssh-7.2p2/ssh-keysign.8
|
||||
--- a/openssh-7.2p2/ssh-keysign.8
|
||||
+++ b/openssh-7.2p2/ssh-keysign.8
|
||||
@@ -75,16 +75,33 @@ must be set-uid root if host-based authe
|
||||
.Pp
|
||||
.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
|
||||
.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
|
||||
.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
|
||||
.It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
|
||||
If these files exist they are assumed to contain public certificate
|
||||
information corresponding with the private keys above.
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 6 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
.Xr ssh_config 5 ,
|
||||
.Xr sshd 8
|
||||
.Sh HISTORY
|
||||
.Nm
|
||||
first appeared in
|
||||
diff --git a/openssh-7.2p2/ssh.1 b/openssh-7.2p2/ssh.1
|
||||
--- a/openssh-7.2p2/ssh.1
|
||||
+++ b/openssh-7.2p2/ssh.1
|
||||
@@ -1411,16 +1411,30 @@ reads
|
||||
and adds lines of the format
|
||||
.Dq VARNAME=value
|
||||
to the environment if the file exists and users are allowed to
|
||||
change their environment.
|
||||
For more information, see the
|
||||
.Cm PermitUserEnvironment
|
||||
option in
|
||||
.Xr sshd_config 5 .
|
||||
+.It Ev SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 6 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Pa ~/.rhosts
|
||||
This file is used for host-based authentication (see above).
|
||||
On some machines this file may need to be
|
||||
world-readable if the user's home directory is on an NFS partition,
|
||||
because
|
||||
.Xr sshd 8
|
||||
diff --git a/openssh-7.2p2/sshd.8 b/openssh-7.2p2/sshd.8
|
||||
--- a/openssh-7.2p2/sshd.8
|
||||
+++ b/openssh-7.2p2/sshd.8
|
||||
@@ -972,16 +972,33 @@ and not group or world-writable.
|
||||
.It Pa /var/run/sshd.pid
|
||||
Contains the process ID of the
|
||||
.Nm
|
||||
listening for connections (if there are several daemons running
|
||||
concurrently for different ports, this contains the process ID of the one
|
||||
started last).
|
||||
The content of this file is not sensitive; it can be world-readable.
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 6 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
.Sh SEE ALSO
|
||||
.Xr scp 1 ,
|
||||
.Xr sftp 1 ,
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
.Xr ssh-agent 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
.Xr ssh-keyscan 1 ,
|
||||
diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
|
||||
--- a/openssh-7.2p2/sshd.c
|
||||
+++ b/openssh-7.2p2/sshd.c
|
||||
@@ -50,16 +50,18 @@
|
||||
#ifdef HAVE_SYS_STAT_H
|
||||
# include <sys/stat.h>
|
||||
#endif
|
||||
#ifdef HAVE_SYS_TIME_H
|
||||
# include <sys/time.h>
|
||||
#endif
|
||||
#include "openbsd-compat/sys-tree.h"
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
+#include "openbsd-compat/port-linux.h"
|
||||
+
|
||||
#include <sys/wait.h>
|
||||
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <netdb.h>
|
||||
#ifdef HAVE_PATHS_H
|
||||
#include <paths.h>
|
||||
#endif
|
||||
@@ -209,16 +211,23 @@ struct {
|
||||
Key **host_pubkeys; /* all public host keys */
|
||||
Key **host_certificates; /* all public host certificates */
|
||||
int have_ssh1_key;
|
||||
int have_ssh2_key;
|
||||
u_char ssh1_cookie[SSH_SESSION_KEY_LENGTH];
|
||||
} sensitive_data;
|
||||
|
||||
/*
|
||||
+ * Every RESEED_AFTERth connection triggers call to linux_seed() to re-seed the
|
||||
+ * random pool.
|
||||
+ */
|
||||
+#define RESEED_AFTER 100
|
||||
+static int re_seeding_counter = RESEED_AFTER;
|
||||
+
|
||||
+/*
|
||||
* Flag indicating whether the RSA server key needs to be regenerated.
|
||||
* Is set in the SIGALRM handler and cleared when the key is regenerated.
|
||||
*/
|
||||
static volatile sig_atomic_t key_do_regen = 0;
|
||||
|
||||
/* This is set to true when a signal is received. */
|
||||
static volatile sig_atomic_t received_sighup = 0;
|
||||
static volatile sig_atomic_t received_sigterm = 0;
|
||||
@@ -1343,16 +1352,20 @@ server_accept_loop(int *sock_in, int *so
|
||||
for (j = 0; j < options.max_startups; j++)
|
||||
if (startup_pipes[j] == -1) {
|
||||
startup_pipes[j] = startup_p[0];
|
||||
if (maxfd < startup_p[0])
|
||||
maxfd = startup_p[0];
|
||||
startups++;
|
||||
break;
|
||||
}
|
||||
+ if(!(--re_seeding_counter)) {
|
||||
+ re_seeding_counter = RESEED_AFTER;
|
||||
+ linux_seed();
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Got connection. Fork a child to handle it, unless
|
||||
* we are in debugging mode.
|
||||
*/
|
||||
if (debug_flag) {
|
||||
/*
|
||||
* In debugging mode. Close the listening
|
@ -1,11 +1,11 @@
|
||||
# HG changeset patch
|
||||
# Parent f258e8b7fc48a4b0f60fc436dc9ec72423a11bfc
|
||||
# Parent dfcac093fca4d826a806b9d1c0bdc26e7ae8ee8e
|
||||
send locales in default configuration
|
||||
bnc#65747
|
||||
|
||||
diff --git a/openssh-7.6p1/ssh_config b/openssh-7.6p1/ssh_config
|
||||
--- a/openssh-7.6p1/ssh_config
|
||||
+++ b/openssh-7.6p1/ssh_config
|
||||
diff --git a/openssh-7.2p2/ssh_config b/openssh-7.2p2/ssh_config
|
||||
--- a/openssh-7.2p2/ssh_config
|
||||
+++ b/openssh-7.2p2/ssh_config
|
||||
@@ -26,16 +26,21 @@ Host *
|
||||
# security reasons: Someone stealing the authentification data on the
|
||||
# remote side (the "spoofed" X-server by the remote sshd) can read your
|
||||
@ -20,18 +20,18 @@ diff --git a/openssh-7.6p1/ssh_config b/openssh-7.6p1/ssh_config
|
||||
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
+ SendEnv LC_IDENTIFICATION LC_ALL
|
||||
+
|
||||
# RhostsRSAAuthentication no
|
||||
# RSAAuthentication yes
|
||||
# PasswordAuthentication yes
|
||||
# HostbasedAuthentication no
|
||||
# GSSAPIAuthentication no
|
||||
# GSSAPIDelegateCredentials no
|
||||
# BatchMode no
|
||||
# CheckHostIP yes
|
||||
# AddressFamily any
|
||||
# ConnectTimeout 0
|
||||
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
|
||||
--- a/openssh-7.6p1/sshd_config
|
||||
+++ b/openssh-7.6p1/sshd_config
|
||||
@@ -105,14 +105,19 @@ X11Forwarding yes
|
||||
diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
|
||||
--- a/openssh-7.2p2/sshd_config
|
||||
+++ b/openssh-7.2p2/sshd_config
|
||||
@@ -120,14 +120,19 @@ X11Forwarding yes
|
||||
#VersionAddendum none
|
||||
|
||||
# no default banner path
|
157
openssh-7.2p2-sftp_force_permissions.patch
Normal file
157
openssh-7.2p2-sftp_force_permissions.patch
Normal file
@ -0,0 +1,157 @@
|
||||
# HG changeset patch
|
||||
# Parent 7b45c4f3fef6836db00c5b198736cce17290c5cd
|
||||
additional option for sftp-server to force file mode for new files
|
||||
FATE#312774
|
||||
http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.html
|
||||
http://marc.info/?l=openssh-unix-dev&m=128896838930893
|
||||
|
||||
diff --git a/openssh-7.2p2/sftp-server.8 b/openssh-7.2p2/sftp-server.8
|
||||
--- a/openssh-7.2p2/sftp-server.8
|
||||
+++ b/openssh-7.2p2/sftp-server.8
|
||||
@@ -33,16 +33,17 @@
|
||||
.Bk -words
|
||||
.Op Fl ehR
|
||||
.Op Fl d Ar start_directory
|
||||
.Op Fl f Ar log_facility
|
||||
.Op Fl l Ar log_level
|
||||
.Op Fl P Ar blacklisted_requests
|
||||
.Op Fl p Ar whitelisted_requests
|
||||
.Op Fl u Ar umask
|
||||
+.Op Fl m Ar force_file_permissions
|
||||
.Ek
|
||||
.Nm
|
||||
.Fl Q Ar protocol_feature
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
is a program that speaks the server side of SFTP protocol
|
||||
to stdout and expects client requests from stdin.
|
||||
.Nm
|
||||
@@ -133,16 +134,20 @@ Places this instance of
|
||||
into a read-only mode.
|
||||
Attempts to open files for writing, as well as other operations that change
|
||||
the state of the filesystem, will be denied.
|
||||
.It Fl u Ar umask
|
||||
Sets an explicit
|
||||
.Xr umask 2
|
||||
to be applied to newly-created files and directories, instead of the
|
||||
user's default mask.
|
||||
+.It Fl m Ar force_file_permissions
|
||||
+Sets explicit file permissions to be applied to newly-created files instead
|
||||
+of the default or client requested mode. Numeric values include:
|
||||
+777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set.
|
||||
.El
|
||||
.Pp
|
||||
On some systems,
|
||||
.Nm
|
||||
must be able to access
|
||||
.Pa /dev/log
|
||||
for logging to work, and use of
|
||||
.Nm
|
||||
diff --git a/openssh-7.2p2/sftp-server.c b/openssh-7.2p2/sftp-server.c
|
||||
--- a/openssh-7.2p2/sftp-server.c
|
||||
+++ b/openssh-7.2p2/sftp-server.c
|
||||
@@ -73,16 +73,20 @@ static u_int version;
|
||||
static int init_done;
|
||||
|
||||
/* Disable writes */
|
||||
static int readonly;
|
||||
|
||||
/* Requests that are allowed/denied */
|
||||
static char *request_whitelist, *request_blacklist;
|
||||
|
||||
+/* Force file permissions */
|
||||
+int permforce = 0;
|
||||
+long permforcemode;
|
||||
+
|
||||
/* portable attributes, etc. */
|
||||
typedef struct Stat Stat;
|
||||
|
||||
struct Stat {
|
||||
char *name;
|
||||
char *long_name;
|
||||
Attrib attrib;
|
||||
};
|
||||
@@ -687,16 +691,20 @@ process_open(u_int32_t id)
|
||||
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
|
||||
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
|
||||
(r = decode_attrib(iqueue, &a)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
|
||||
debug3("request %u: open flags %d", id, pflags);
|
||||
flags = flags_from_portable(pflags);
|
||||
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
|
||||
+ if (permforce == 1) {
|
||||
+ mode = permforcemode;
|
||||
+ (void)umask(0); /* so umask does not interfere */
|
||||
+ }
|
||||
logit("open \"%s\" flags %s mode 0%o",
|
||||
name, string_from_portable(pflags), mode);
|
||||
if (readonly &&
|
||||
((flags & O_ACCMODE) == O_WRONLY ||
|
||||
(flags & O_ACCMODE) == O_RDWR)) {
|
||||
verbose("Refusing open request in read-only mode");
|
||||
status = SSH2_FX_PERMISSION_DENIED;
|
||||
} else {
|
||||
@@ -1489,17 +1497,18 @@ sftp_server_cleanup_exit(int i)
|
||||
static void
|
||||
sftp_server_usage(void)
|
||||
{
|
||||
extern char *__progname;
|
||||
|
||||
fprintf(stderr,
|
||||
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
|
||||
"[-l log_level]\n\t[-P blacklisted_requests] "
|
||||
- "[-p whitelisted_requests] [-u umask]\n"
|
||||
+ "[-p whitelisted_requests] [-u umask]\n\t"
|
||||
+ "[-m force_file_permissions]\n"
|
||||
" %s -Q protocol_feature\n",
|
||||
__progname, __progname);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
int
|
||||
sftp_server_main(int argc, char **argv, struct passwd *user_pw)
|
||||
{
|
||||
@@ -1515,17 +1524,17 @@ sftp_server_main(int argc, char **argv,
|
||||
|
||||
ssh_malloc_init(); /* must be called before any mallocs */
|
||||
__progname = ssh_get_progname(argv[0]);
|
||||
log_init(__progname, log_level, log_facility, log_stderr);
|
||||
|
||||
pw = pwcopy(user_pw);
|
||||
|
||||
while (!skipargs && (ch = getopt(argc, argv,
|
||||
- "d:f:l:P:p:Q:u:cehR")) != -1) {
|
||||
+ "d:f:l:P:p:Q:u:m:cehR")) != -1) {
|
||||
switch (ch) {
|
||||
case 'Q':
|
||||
if (strcasecmp(optarg, "requests") != 0) {
|
||||
fprintf(stderr, "Invalid query type\n");
|
||||
exit(1);
|
||||
}
|
||||
for (i = 0; handlers[i].handler != NULL; i++)
|
||||
printf("%s\n", handlers[i].name);
|
||||
@@ -1575,16 +1584,23 @@ sftp_server_main(int argc, char **argv,
|
||||
case 'u':
|
||||
errno = 0;
|
||||
mask = strtol(optarg, &cp, 8);
|
||||
if (mask < 0 || mask > 0777 || *cp != '\0' ||
|
||||
cp == optarg || (mask == 0 && errno != 0))
|
||||
fatal("Invalid umask \"%s\"", optarg);
|
||||
(void)umask((mode_t)mask);
|
||||
break;
|
||||
+ case 'm':
|
||||
+ permforce = 1;
|
||||
+ permforcemode = strtol(optarg, &cp, 8);
|
||||
+ if (permforcemode < 0 || permforcemode > 0777 || *cp != '\0' ||
|
||||
+ cp == optarg || (permforcemode == 0 && errno != 0))
|
||||
+ fatal("Invalid umask \"%s\"", optarg);
|
||||
+ break;
|
||||
case 'h':
|
||||
default:
|
||||
sftp_server_usage();
|
||||
}
|
||||
}
|
||||
|
||||
log_init(__progname, log_level, log_facility, log_stderr);
|
||||
|
366
openssh-7.2p2-sftp_homechroot.patch
Normal file
366
openssh-7.2p2-sftp_homechroot.patch
Normal file
@ -0,0 +1,366 @@
|
||||
# HG changeset patch
|
||||
# Parent fc81df6f2bf393e45e703c89976c3a0fe6e0a273
|
||||
run sftp sessions inside a chroot
|
||||
|
||||
diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
|
||||
--- a/openssh-7.2p2/session.c
|
||||
+++ b/openssh-7.2p2/session.c
|
||||
@@ -123,16 +123,18 @@ int do_exec(Session *, const char *);
|
||||
void do_login(Session *, const char *);
|
||||
#ifdef LOGIN_NEEDS_UTMPX
|
||||
static void do_pre_login(Session *s);
|
||||
#endif
|
||||
void do_child(Session *, const char *);
|
||||
void do_motd(void);
|
||||
int check_quietlogin(Session *, const char *);
|
||||
|
||||
+int chroot_no_tree = 0;
|
||||
+
|
||||
static void do_authenticated1(Authctxt *);
|
||||
static void do_authenticated2(Authctxt *);
|
||||
|
||||
static int session_pty_req(Session *);
|
||||
|
||||
/* import */
|
||||
extern ServerOptions options;
|
||||
extern char *__progname;
|
||||
@@ -838,16 +840,21 @@ do_exec(Session *s, const char *command)
|
||||
"subsystem '%.900s'", s->subsys);
|
||||
} else if (command == NULL) {
|
||||
snprintf(session_type, sizeof(session_type), "shell");
|
||||
} else {
|
||||
/* NB. we don't log unforced commands to preserve privacy */
|
||||
snprintf(session_type, sizeof(session_type), "command");
|
||||
}
|
||||
|
||||
+ if ((s->is_subsystem != SUBSYSTEM_INT_SFTP) && chroot_no_tree) {
|
||||
+ logit("You aren't welcomed, go away!");
|
||||
+ exit (1);
|
||||
+ }
|
||||
+
|
||||
if (s->ttyfd != -1) {
|
||||
tty = s->tty;
|
||||
if (strncmp(tty, "/dev/", 5) == 0)
|
||||
tty += 5;
|
||||
}
|
||||
|
||||
verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
|
||||
session_type,
|
||||
@@ -1492,58 +1499,123 @@ do_nologin(struct passwd *pw)
|
||||
while (fgets(buf, sizeof(buf), f))
|
||||
fputs(buf, stderr);
|
||||
fclose(f);
|
||||
}
|
||||
exit(254);
|
||||
}
|
||||
|
||||
/*
|
||||
+ * Test if filesystem is mounted nosuid and nodev
|
||||
+ */
|
||||
+
|
||||
+static void
|
||||
+test_nosuid (char * path, dev_t fs)
|
||||
+{
|
||||
+ FILE *f;
|
||||
+ struct stat st;
|
||||
+ char buf[4096], *s, *on, *mountpoint, *opt;
|
||||
+ int nodev, nosuid;
|
||||
+
|
||||
+ if (!(f = popen ("/bin/mount", "r")))
|
||||
+ fatal ("%s: popen(\"/bin/mount\", \"r\"): %s",
|
||||
+ __func__, strerror (errno));
|
||||
+ for (;;) {
|
||||
+ s = fgets (buf, sizeof (buf), f);
|
||||
+ if (ferror (f))
|
||||
+ fatal ("%s: read from popen: %s", __func__,
|
||||
+ strerror (errno));
|
||||
+ if (!s) {
|
||||
+ pclose (f);
|
||||
+ fatal ("cannot find filesystem with the chroot directory");
|
||||
+ }
|
||||
+ (void) strtok (buf, " ");
|
||||
+ on = strtok (NULL, " ");
|
||||
+ if (strcmp (on, "on")) {
|
||||
+ pclose (f);
|
||||
+ fatal ("bad format of mount output");
|
||||
+ }
|
||||
+ mountpoint = strtok (NULL, " ");
|
||||
+ if (memcmp (path, mountpoint, strlen (mountpoint)))
|
||||
+ continue;
|
||||
+ if (stat(mountpoint, &st) != 0) {
|
||||
+ pclose (f);
|
||||
+ fatal("%s: stat(\"%s\"): %s", __func__,
|
||||
+ mountpoint, strerror(errno));
|
||||
+ }
|
||||
+ if (fs != st.st_dev)
|
||||
+ continue;
|
||||
+ nodev = nosuid = 0;
|
||||
+ for (opt = strtok (NULL, "("); opt; opt = strtok (NULL, " ,)")) {
|
||||
+ if (!strcmp (opt, "nodev"))
|
||||
+ nodev = 1;
|
||||
+ else if (!strcmp (opt, "nosuid"))
|
||||
+ nosuid = 1;
|
||||
+ else if (!strcmp (opt, "noexec"))
|
||||
+ nosuid = 1;
|
||||
+ if (nodev && nosuid) {
|
||||
+ pclose (f);
|
||||
+ return;
|
||||
+ }
|
||||
+ }
|
||||
+ fatal ("chroot into directory without nodev and either noexec or nosuid");
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
* Chroot into a directory after checking it for safety: all path components
|
||||
* must be root-owned directories with strict permissions.
|
||||
*/
|
||||
static void
|
||||
safely_chroot(const char *path, uid_t uid)
|
||||
{
|
||||
const char *cp;
|
||||
char component[PATH_MAX];
|
||||
struct stat st;
|
||||
+ int last;
|
||||
|
||||
if (*path != '/')
|
||||
fatal("chroot path does not begin at root");
|
||||
if (strlen(path) >= sizeof(component))
|
||||
fatal("chroot path too long");
|
||||
|
||||
/*
|
||||
* Descend the path, checking that each component is a
|
||||
* root-owned directory with strict permissions.
|
||||
*/
|
||||
for (cp = path; cp != NULL;) {
|
||||
- if ((cp = strchr(cp, '/')) == NULL)
|
||||
+ if (last = ((cp = strchr(cp, '/')) == NULL))
|
||||
strlcpy(component, path, sizeof(component));
|
||||
else {
|
||||
cp++;
|
||||
memcpy(component, path, cp - path);
|
||||
component[cp - path] = '\0';
|
||||
}
|
||||
|
||||
debug3("%s: checking '%s'", __func__, component);
|
||||
|
||||
if (stat(component, &st) != 0)
|
||||
fatal("%s: stat(\"%s\"): %s", __func__,
|
||||
component, strerror(errno));
|
||||
- if (st.st_uid != 0 || (st.st_mode & 022) != 0)
|
||||
+ if ((st.st_uid != 0 || (st.st_mode & 022) != 0) && !(last && st.st_uid == uid))
|
||||
fatal("bad ownership or modes for chroot "
|
||||
"directory %s\"%s\"",
|
||||
cp == NULL ? "" : "component ", component);
|
||||
if (!S_ISDIR(st.st_mode))
|
||||
fatal("chroot path %s\"%s\" is not a directory",
|
||||
cp == NULL ? "" : "component ", component);
|
||||
|
||||
}
|
||||
+ setenv ("TZ", "/etc/localtime", 0);
|
||||
+ tzset();
|
||||
+
|
||||
+ if (st.st_uid) {
|
||||
+ test_nosuid(path, st.st_dev);
|
||||
+ ++chroot_no_tree;
|
||||
+ }
|
||||
|
||||
if (chdir(path) == -1)
|
||||
fatal("Unable to chdir to chroot path \"%s\": "
|
||||
"%s", path, strerror(errno));
|
||||
if (chroot(path) == -1)
|
||||
fatal("chroot(\"%s\"): %s", path, strerror(errno));
|
||||
if (chdir("/") == -1)
|
||||
fatal("%s: chdir(/) after chroot: %s",
|
||||
diff --git a/openssh-7.2p2/sftp-chrootenv.h b/openssh-7.2p2/sftp-chrootenv.h
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-7.2p2/sftp-chrootenv.h
|
||||
@@ -0,0 +1,30 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2009 Jan F Chadima. All rights reserved.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+#ifndef CHROOTENV_H
|
||||
+#define CHROOTENV_H
|
||||
+
|
||||
+extern int chroot_no_tree;
|
||||
+
|
||||
+#endif
|
||||
+
|
||||
diff --git a/openssh-7.2p2/sftp-common.c b/openssh-7.2p2/sftp-common.c
|
||||
--- a/openssh-7.2p2/sftp-common.c
|
||||
+++ b/openssh-7.2p2/sftp-common.c
|
||||
@@ -43,16 +43,17 @@
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "ssherr.h"
|
||||
#include "sshbuf.h"
|
||||
#include "log.h"
|
||||
|
||||
#include "sftp.h"
|
||||
#include "sftp-common.h"
|
||||
+#include "sftp-chrootenv.h"
|
||||
|
||||
/* Clear contents of attributes structure */
|
||||
void
|
||||
attrib_clear(Attrib *a)
|
||||
{
|
||||
a->flags = 0;
|
||||
a->size = 0;
|
||||
a->uid = 0;
|
||||
@@ -216,23 +217,23 @@ ls_file(const char *name, const struct s
|
||||
int ulen, glen, sz = 0;
|
||||
struct tm *ltime = localtime(&st->st_mtime);
|
||||
char *user, *group;
|
||||
char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1];
|
||||
char sbuf[FMT_SCALED_STRSIZE];
|
||||
time_t now;
|
||||
|
||||
strmode(st->st_mode, mode);
|
||||
- if (!remote) {
|
||||
+ if (!remote && !chroot_no_tree) {
|
||||
user = user_from_uid(st->st_uid, 0);
|
||||
} else {
|
||||
snprintf(ubuf, sizeof ubuf, "%u", (u_int)st->st_uid);
|
||||
user = ubuf;
|
||||
}
|
||||
- if (!remote) {
|
||||
+ if (!remote && !chroot_no_tree) {
|
||||
group = group_from_gid(st->st_gid, 0);
|
||||
} else {
|
||||
snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid);
|
||||
group = gbuf;
|
||||
}
|
||||
if (ltime != NULL) {
|
||||
now = time(NULL);
|
||||
if (now - (365*24*60*60)/2 < st->st_mtime &&
|
||||
diff --git a/openssh-7.2p2/sftp-server-main.c b/openssh-7.2p2/sftp-server-main.c
|
||||
--- a/openssh-7.2p2/sftp-server-main.c
|
||||
+++ b/openssh-7.2p2/sftp-server-main.c
|
||||
@@ -17,22 +17,25 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <pwd.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
+//#include <time.h>
|
||||
|
||||
#include "log.h"
|
||||
#include "sftp.h"
|
||||
#include "misc.h"
|
||||
#include "xmalloc.h"
|
||||
|
||||
+int chroot_no_tree = 0;
|
||||
+
|
||||
void
|
||||
cleanup_exit(int i)
|
||||
{
|
||||
sftp_server_cleanup_exit(i);
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
diff --git a/openssh-7.2p2/sftp.c b/openssh-7.2p2/sftp.c
|
||||
--- a/openssh-7.2p2/sftp.c
|
||||
+++ b/openssh-7.2p2/sftp.c
|
||||
@@ -112,16 +112,18 @@ struct complete_ctx {
|
||||
char **remote_pathp;
|
||||
};
|
||||
|
||||
int remote_glob(struct sftp_conn *, const char *, int,
|
||||
int (*)(const char *, int), glob_t *); /* proto for sftp-glob.c */
|
||||
|
||||
extern char *__progname;
|
||||
|
||||
+int chroot_no_tree = 0;
|
||||
+
|
||||
/* Separators for interactive commands */
|
||||
#define WHITESPACE " \t\r\n"
|
||||
|
||||
/* ls flags */
|
||||
#define LS_LONG_VIEW 0x0001 /* Full view ala ls -l */
|
||||
#define LS_SHORT_VIEW 0x0002 /* Single row view ala ls -1 */
|
||||
#define LS_NUMERIC_VIEW 0x0004 /* Long view with numeric uid/gid */
|
||||
#define LS_NAME_SORT 0x0008 /* Sort by name (default) */
|
||||
diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0
|
||||
--- a/openssh-7.2p2/sshd_config.0
|
||||
+++ b/openssh-7.2p2/sshd_config.0
|
||||
@@ -251,16 +251,24 @@ DESCRIPTION
|
||||
directory on some operating systems (see sftp-server(8) for
|
||||
details).
|
||||
|
||||
For safety, it is very important that the directory hierarchy be
|
||||
prevented from modification by other processes on the system
|
||||
(especially those outside the jail). Misconfiguration can lead
|
||||
to unsafe environments which sshd(8) cannot detect.
|
||||
|
||||
+ In the special case when only sftp is used, not ssh nor scp, it
|
||||
+ is possible to use ChrootDirectory %h or ChrootDirectory
|
||||
+ /some/path/%u. The file system containing this directory must be
|
||||
+ mounted with options nodev and either nosuid or noexec. The owner
|
||||
+ of the directory should be the user. The ownership of the other
|
||||
+ components of the path must fulfill the usual conditions. No adi-
|
||||
+ tional files are required to be present in the directory.
|
||||
+
|
||||
The default is M-bM-^@M-^\noneM-bM-^@M-^], indicating not to chroot(2).
|
||||
|
||||
Ciphers
|
||||
Specifies the ciphers allowed. Multiple ciphers must be comma-
|
||||
separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character,
|
||||
then the specified ciphers will be appended to the default set
|
||||
instead of replacing them.
|
||||
|
||||
diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
|
||||
--- a/openssh-7.2p2/sshd_config.5
|
||||
+++ b/openssh-7.2p2/sshd_config.5
|
||||
@@ -424,16 +424,27 @@ for details).
|
||||
.Pp
|
||||
For safety, it is very important that the directory hierarchy be
|
||||
prevented from modification by other processes on the system (especially
|
||||
those outside the jail).
|
||||
Misconfiguration can lead to unsafe environments which
|
||||
.Xr sshd 8
|
||||
cannot detect.
|
||||
.Pp
|
||||
+In the special case when only sftp is used, not ssh nor scp,
|
||||
+it is possible to use
|
||||
+.Cm ChrootDirectory
|
||||
+%h or
|
||||
+.Cm ChrootDirectory
|
||||
+/some/path/%u. The file system containing this directory must be
|
||||
+mounted with options nodev and either nosuid or noexec. The owner of the
|
||||
+directory should be the user. The ownership of the other components of the path
|
||||
+must fulfill the usual conditions. No aditional files are required to be present
|
||||
+in the directory.
|
||||
+.Pp
|
||||
The default is
|
||||
.Dq none ,
|
||||
indicating not to
|
||||
.Xr chroot 2 .
|
||||
.It Cm Ciphers
|
||||
Specifies the ciphers allowed.
|
||||
Multiple ciphers must be comma-separated.
|
||||
If the specified value begins with a
|
130
openssh-7.2p2-sftp_print_diagnostic_messages.patch
Normal file
130
openssh-7.2p2-sftp_print_diagnostic_messages.patch
Normal file
@ -0,0 +1,130 @@
|
||||
# HG changeset patch
|
||||
# Parent af7fb4f9e794f639262d9847e95c52a74017aaaf
|
||||
Put back sftp client diagnostic messages in batch mode
|
||||
|
||||
bsc#1023275
|
||||
|
||||
diff --git a/openssh-7.2p2/sftp.0 b/openssh-7.2p2/sftp.0
|
||||
--- a/openssh-7.2p2/sftp.0
|
||||
+++ b/openssh-7.2p2/sftp.0
|
||||
@@ -162,16 +162,19 @@ DESCRIPTION
|
||||
VerifyHostKeyDNS
|
||||
|
||||
-P port
|
||||
Specifies the port to connect to on the remote host.
|
||||
|
||||
-p Preserves modification times, access times, and modes from the
|
||||
original files transferred.
|
||||
|
||||
+ -Q Not-so-quiet batch mode: forces printing of diagnostic messages
|
||||
+ in batch mode.
|
||||
+
|
||||
-q Quiet mode: disables the progress meter as well as warning and
|
||||
diagnostic messages from ssh(1).
|
||||
|
||||
-R num_requests
|
||||
Specify how many requests may be outstanding at any one time.
|
||||
Increasing this may slightly improve file transfer speed but will
|
||||
increase memory usage. The default is 64 outstanding requests.
|
||||
|
||||
diff --git a/openssh-7.2p2/sftp.1 b/openssh-7.2p2/sftp.1
|
||||
--- a/openssh-7.2p2/sftp.1
|
||||
+++ b/openssh-7.2p2/sftp.1
|
||||
@@ -251,16 +251,19 @@ For full details of the options listed b
|
||||
.It UserKnownHostsFile
|
||||
.It VerifyHostKeyDNS
|
||||
.El
|
||||
.It Fl P Ar port
|
||||
Specifies the port to connect to on the remote host.
|
||||
.It Fl p
|
||||
Preserves modification times, access times, and modes from the
|
||||
original files transferred.
|
||||
+.It Fl Q
|
||||
+Not-so-quiet batch mode: forces printing of diagnostic messages
|
||||
+in batch mode.
|
||||
.It Fl q
|
||||
Quiet mode: disables the progress meter as well as warning and
|
||||
diagnostic messages from
|
||||
.Xr ssh 1 .
|
||||
.It Fl R Ar num_requests
|
||||
Specify how many requests may be outstanding at any one time.
|
||||
Increasing this may slightly improve file transfer speed
|
||||
but will increase memory usage.
|
||||
diff --git a/openssh-7.2p2/sftp.c b/openssh-7.2p2/sftp.c
|
||||
--- a/openssh-7.2p2/sftp.c
|
||||
+++ b/openssh-7.2p2/sftp.c
|
||||
@@ -79,16 +79,18 @@ FILE* infile;
|
||||
/* Are we in batchfile mode? */
|
||||
int batchmode = 0;
|
||||
|
||||
/* PID of ssh transport process */
|
||||
static pid_t sshpid = -1;
|
||||
|
||||
/* Suppress diagnositic messages */
|
||||
int quiet = 0;
|
||||
+/* Force diagnositic messages in batch mode */
|
||||
+int loud = 0;
|
||||
|
||||
/* This is set to 0 if the progressmeter is not desired. */
|
||||
int showprogress = 1;
|
||||
|
||||
/* When this option is set, we always recursively download/upload directories */
|
||||
int global_rflag = 0;
|
||||
|
||||
/* When this option is set, we resume download or upload if possible */
|
||||
@@ -2263,32 +2265,35 @@ main(int argc, char **argv)
|
||||
addargs(&args, "-oForwardAgent no");
|
||||
addargs(&args, "-oPermitLocalCommand no");
|
||||
addargs(&args, "-oClearAllForwardings yes");
|
||||
|
||||
ll = SYSLOG_LEVEL_INFO;
|
||||
infile = stdin;
|
||||
|
||||
while ((ch = getopt(argc, argv,
|
||||
- "1246afhpqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) {
|
||||
+ "1246afhpQqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) {
|
||||
switch (ch) {
|
||||
/* Passed through to ssh(1) */
|
||||
case '4':
|
||||
case '6':
|
||||
case 'C':
|
||||
addargs(&args, "-%c", ch);
|
||||
break;
|
||||
/* Passed through to ssh(1) with argument */
|
||||
case 'F':
|
||||
case 'c':
|
||||
case 'i':
|
||||
case 'o':
|
||||
addargs(&args, "-%c", ch);
|
||||
addargs(&args, "%s", optarg);
|
||||
break;
|
||||
+ case 'Q':
|
||||
+ loud = 1;
|
||||
+ break;
|
||||
case 'q':
|
||||
ll = SYSLOG_LEVEL_ERROR;
|
||||
quiet = 1;
|
||||
showprogress = 0;
|
||||
addargs(&args, "-%c", ch);
|
||||
break;
|
||||
case 'P':
|
||||
addargs(&args, "-oPort %s", optarg);
|
||||
@@ -2360,16 +2365,18 @@ main(int argc, char **argv)
|
||||
ssh_program = optarg;
|
||||
replacearg(&args, 0, "%s", ssh_program);
|
||||
break;
|
||||
case 'h':
|
||||
default:
|
||||
usage();
|
||||
}
|
||||
}
|
||||
+ if (batchmode && loud)
|
||||
+ quiet = 0;
|
||||
|
||||
if (!isatty(STDERR_FILENO))
|
||||
showprogress = 0;
|
||||
|
||||
log_init(argv[0], ll, SYSLOG_FACILITY_USER, 1);
|
||||
|
||||
if (sftp_direct == NULL) {
|
||||
if (optind == argc || argc > (optind + 2))
|
87
openssh-7.2p2-ssh_case_insensitive_host_matching.patch
Normal file
87
openssh-7.2p2-ssh_case_insensitive_host_matching.patch
Normal file
@ -0,0 +1,87 @@
|
||||
# HG changeset patch
|
||||
# Parent 1b99f71db584917a37c5e9140bf63dcb860e8b59
|
||||
Match hostnames in a case-insensitive manner.
|
||||
|
||||
bsc#1017099
|
||||
|
||||
diff --git a/openssh-7.2p2/readconf.c b/openssh-7.2p2/readconf.c
|
||||
--- a/openssh-7.2p2/readconf.c
|
||||
+++ b/openssh-7.2p2/readconf.c
|
||||
@@ -526,16 +526,17 @@ execute_in_shell(const char *cmd)
|
||||
* Parse and execute a Match directive.
|
||||
*/
|
||||
static int
|
||||
match_cfg_line(Options *options, char **condition, struct passwd *pw,
|
||||
const char *host_arg, const char *original_host, int post_canon,
|
||||
const char *filename, int linenum)
|
||||
{
|
||||
char *arg, *oattrib, *attrib, *cmd, *cp = *condition, *host, *criteria;
|
||||
+ char *hostlc;
|
||||
const char *ruser;
|
||||
int r, port, this_result, result = 1, attributes = 0, negate;
|
||||
char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
|
||||
|
||||
/*
|
||||
* Configuration is likely to be incomplete at this point so we
|
||||
* must be prepared to use default values.
|
||||
*/
|
||||
@@ -546,16 +547,20 @@ match_cfg_line(Options *options, char **
|
||||
} else if (options->hostname != NULL) {
|
||||
/* NB. Please keep in sync with ssh.c:main() */
|
||||
host = percent_expand(options->hostname,
|
||||
"h", host_arg, (char *)NULL);
|
||||
} else {
|
||||
host = xstrdup(host_arg);
|
||||
}
|
||||
|
||||
+ /* match_hostname() requires the hostname to be lowercase */
|
||||
+ hostlc = xstrdup(host);
|
||||
+ lowercase(hostlc);
|
||||
+
|
||||
debug2("checking match for '%s' host %s originally %s",
|
||||
cp, host, original_host);
|
||||
while ((oattrib = attrib = strdelim(&cp)) && *attrib != '\0') {
|
||||
criteria = NULL;
|
||||
this_result = 1;
|
||||
if ((negate = attrib[0] == '!'))
|
||||
attrib++;
|
||||
/* criteria "all" and "canonical" have no argument */
|
||||
@@ -584,18 +589,18 @@ match_cfg_line(Options *options, char **
|
||||
}
|
||||
/* All other criteria require an argument */
|
||||
if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
|
||||
error("Missing Match criteria for %s", attrib);
|
||||
result = -1;
|
||||
goto out;
|
||||
}
|
||||
if (strcasecmp(attrib, "host") == 0) {
|
||||
- criteria = xstrdup(host);
|
||||
- r = match_hostname(host, arg) == 1;
|
||||
+ criteria = xstrdup(hostlc);
|
||||
+ r = match_hostname(hostlc, arg) == 1;
|
||||
if (r == (negate ? 1 : 0))
|
||||
this_result = result = 0;
|
||||
} else if (strcasecmp(attrib, "originalhost") == 0) {
|
||||
criteria = xstrdup(original_host);
|
||||
r = match_hostname(original_host, arg) == 1;
|
||||
if (r == (negate ? 1 : 0))
|
||||
this_result = result = 0;
|
||||
} else if (strcasecmp(attrib, "user") == 0) {
|
||||
@@ -658,16 +663,17 @@ match_cfg_line(Options *options, char **
|
||||
error("One or more attributes required for Match");
|
||||
result = -1;
|
||||
goto out;
|
||||
}
|
||||
out:
|
||||
if (result != -1)
|
||||
debug2("match %sfound", result ? "" : "not ");
|
||||
*condition = cp;
|
||||
+ free(hostlc);
|
||||
free(host);
|
||||
return result;
|
||||
}
|
||||
|
||||
/* Check and prepare a domain name: removes trailing '.' and lowercases */
|
||||
static void
|
||||
valid_domain(char *name, const char *filename, int linenum)
|
||||
{
|
32
openssh-7.2p2-stricter_readonly_sftp.patch
Normal file
32
openssh-7.2p2-stricter_readonly_sftp.patch
Normal file
@ -0,0 +1,32 @@
|
||||
# HG changeset patch
|
||||
# Parent 70f144cf46b999eed1eebda70cb27cadc4e49b82
|
||||
Stricter checking for write actions in read-only mode in the stfp server
|
||||
CVE-2017-15906
|
||||
bsc#1065000
|
||||
|
||||
backoported upstream commit 4d827f0d75a53d3952288ab882efbddea7ffadfe
|
||||
|
||||
diff --git a/openssh-7.2p2/sftp-server.c b/openssh-7.2p2/sftp-server.c
|
||||
--- a/openssh-7.2p2/sftp-server.c
|
||||
+++ b/openssh-7.2p2/sftp-server.c
|
||||
@@ -700,18 +700,18 @@ process_open(u_int32_t id)
|
||||
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
|
||||
if (permforce == 1) {
|
||||
mode = permforcemode;
|
||||
(void)umask(0); /* so umask does not interfere */
|
||||
}
|
||||
logit("open \"%s\" flags %s mode 0%o",
|
||||
name, string_from_portable(pflags), mode);
|
||||
if (readonly &&
|
||||
- ((flags & O_ACCMODE) == O_WRONLY ||
|
||||
- (flags & O_ACCMODE) == O_RDWR)) {
|
||||
+ ((flags & O_ACCMODE) != O_RDONLY ||
|
||||
+ (flags & (O_CREAT|O_TRUNC)) != 0)) {
|
||||
verbose("Refusing open request in read-only mode");
|
||||
status = SSH2_FX_PERMISSION_DENIED;
|
||||
} else {
|
||||
fd = open(name, flags, mode);
|
||||
if (fd < 0) {
|
||||
status = errno_to_portable(errno);
|
||||
} else {
|
||||
handle = handle_new(HANDLE_FILE, name, fd, flags, NULL);
|
134
openssh-7.2p2-systemd-notify.patch
Normal file
134
openssh-7.2p2-systemd-notify.patch
Normal file
@ -0,0 +1,134 @@
|
||||
# HG changeset patch
|
||||
# Parent 1ba8782c9cf18b104779c751839f3a2575c87954
|
||||
Send signals to systemd to prevent various race conditions
|
||||
bsc#1048367
|
||||
|
||||
diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
|
||||
--- a/openssh-7.2p2/configure.ac
|
||||
+++ b/openssh-7.2p2/configure.ac
|
||||
@@ -4326,16 +4326,40 @@ AC_ARG_WITH([kerberos5],
|
||||
LIBS="$saved_LIBS"
|
||||
|
||||
fi
|
||||
]
|
||||
)
|
||||
AC_SUBST([GSSLIBS])
|
||||
AC_SUBST([K5LIBS])
|
||||
|
||||
+# Check whether user wants systemd support
|
||||
+SYSTEMD_MSG="no"
|
||||
+AC_ARG_WITH(systemd,
|
||||
+ [ --with-systemd Enable systemd support],
|
||||
+ [ if test "x$withval" != "xno" ; then
|
||||
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
|
||||
+ if test "$PKGCONFIG" != "no"; then
|
||||
+ AC_MSG_CHECKING([for libsystemd])
|
||||
+ if $PKGCONFIG --exists libsystemd; then
|
||||
+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
|
||||
+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
|
||||
+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
|
||||
+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
|
||||
+ AC_MSG_RESULT([yes])
|
||||
+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
|
||||
+ SYSTEMD_MSG="yes"
|
||||
+ else
|
||||
+ AC_MSG_RESULT([no])
|
||||
+ fi
|
||||
+ fi
|
||||
+ fi ]
|
||||
+)
|
||||
+
|
||||
+
|
||||
# Looking for programs, paths and files
|
||||
|
||||
PRIVSEP_PATH=/var/empty
|
||||
AC_ARG_WITH([privsep-path],
|
||||
[ --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
|
||||
[
|
||||
if test -n "$withval" && test "x$withval" != "xno" && \
|
||||
test "x${withval}" != "xyes"; then
|
||||
@@ -5140,16 +5164,17 @@ echo " KerberosV support
|
||||
echo " SELinux support: $SELINUX_MSG"
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
echo " MD5 password support: $MD5_MSG"
|
||||
echo " libedit support: $LIBEDIT_MSG"
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
echo " Solaris project support: $SP_MSG"
|
||||
echo " Solaris privilege support: $SPP_MSG"
|
||||
+echo " systemd support: $SYSTEMD_MSG"
|
||||
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
|
||||
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||
echo " Random number source: $RAND_MSG"
|
||||
echo " Privsep sandbox style: $SANDBOX_STYLE"
|
||||
|
||||
echo ""
|
||||
|
||||
diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
|
||||
--- a/openssh-7.2p2/sshd.c
|
||||
+++ b/openssh-7.2p2/sshd.c
|
||||
@@ -82,16 +82,20 @@
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_SECUREWARE
|
||||
#include <sys/security.h>
|
||||
#include <prot.h>
|
||||
#endif
|
||||
|
||||
+#ifdef HAVE_SYSTEMD
|
||||
+#include <systemd/sd-daemon.h>
|
||||
+#endif
|
||||
+
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
#include "ssh1.h"
|
||||
#include "ssh2.h"
|
||||
#include "rsa.h"
|
||||
#include "sshpty.h"
|
||||
#include "packet.h"
|
||||
#include "log.h"
|
||||
@@ -328,16 +332,20 @@ sighup_handler(int sig)
|
||||
|
||||
/*
|
||||
* Called from the main program after receiving SIGHUP.
|
||||
* Restarts the server.
|
||||
*/
|
||||
static void
|
||||
sighup_restart(void)
|
||||
{
|
||||
+#ifdef HAVE_SYSTEMD
|
||||
+ /* Signal systemd that we are reloading */
|
||||
+ sd_notify(0, "RELOADING=1");
|
||||
+#endif
|
||||
logit("Received SIGHUP; restarting.");
|
||||
platform_pre_restart();
|
||||
close_listen_socks();
|
||||
close_startup_pipes();
|
||||
alarm(0); /* alarm timer persists across exec */
|
||||
signal(SIGHUP, SIG_IGN); /* will be restored after exec */
|
||||
execv(saved_argv[0], saved_argv);
|
||||
logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
|
||||
@@ -2119,16 +2127,21 @@ main(int ac, char **av)
|
||||
error("Couldn't create pid file \"%s\": %s",
|
||||
options.pid_file, strerror(errno));
|
||||
} else {
|
||||
fprintf(f, "%ld\n", (long) getpid());
|
||||
fclose(f);
|
||||
}
|
||||
}
|
||||
|
||||
+#ifdef HAVE_SYSTEMD
|
||||
+ /* Signal systemd that we are ready to accept connections */
|
||||
+ sd_notify(0, "READY=1");
|
||||
+#endif
|
||||
+
|
||||
/* Accept a connection and return in a forked child */
|
||||
server_accept_loop(&sock_in, &sock_out,
|
||||
&newsock, config_s);
|
||||
}
|
||||
|
||||
/* This is the child processing a new connection. */
|
||||
setproctitle("%s", "[accepted]");
|
||||
|
433
openssh-7.2p2-tcpwrappers.patch
Normal file
433
openssh-7.2p2-tcpwrappers.patch
Normal file
@ -0,0 +1,433 @@
|
||||
# HG changeset patch
|
||||
# Parent 20564b2e34b780c138dbd876c800dd5f28c91c23
|
||||
Forward port TCP wrappers support (libwrap) from OpenSSH 6.6p1. Make it
|
||||
run-time switchable through the new UseTCPWrappers option for sshd.
|
||||
|
||||
diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
|
||||
--- a/openssh-7.2p2/configure.ac
|
||||
+++ b/openssh-7.2p2/configure.ac
|
||||
@@ -1501,16 +1501,72 @@ AC_ARG_WITH([skey],
|
||||
function takes 4 arguments (NetBSD)])],
|
||||
[
|
||||
AC_MSG_RESULT([no])
|
||||
])
|
||||
fi
|
||||
]
|
||||
)
|
||||
|
||||
+# Check whether user wants TCP wrappers support
|
||||
+TCPW_MSG="no"
|
||||
+AC_ARG_WITH([tcp-wrappers],
|
||||
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
|
||||
+ [
|
||||
+ if test "x$withval" != "xno" ; then
|
||||
+ saved_LIBS="$LIBS"
|
||||
+ saved_LDFLAGS="$LDFLAGS"
|
||||
+ saved_CPPFLAGS="$CPPFLAGS"
|
||||
+ if test -n "${withval}" && \
|
||||
+ test "x${withval}" != "xyes"; then
|
||||
+ if test -d "${withval}/lib"; then
|
||||
+ if test -n "${need_dash_r}"; then
|
||||
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
|
||||
+ else
|
||||
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
|
||||
+ fi
|
||||
+ else
|
||||
+ if test -n "${need_dash_r}"; then
|
||||
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
|
||||
+ else
|
||||
+ LDFLAGS="-L${withval} ${LDFLAGS}"
|
||||
+ fi
|
||||
+ fi
|
||||
+ if test -d "${withval}/include"; then
|
||||
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
|
||||
+ else
|
||||
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
|
||||
+ fi
|
||||
+ fi
|
||||
+ LIBS="-lwrap $LIBS"
|
||||
+ AC_MSG_CHECKING([for libwrap])
|
||||
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/socket.h>
|
||||
+#include <netinet/in.h>
|
||||
+#include <tcpd.h>
|
||||
+int deny_severity = 0, allow_severity = 0;
|
||||
+ ]], [[
|
||||
+ hosts_access(0);
|
||||
+ ]])], [
|
||||
+ AC_MSG_RESULT([yes])
|
||||
+ AC_DEFINE([LIBWRAP], [1],
|
||||
+ [Define if you want
|
||||
+ TCP Wrappers support])
|
||||
+ SSHDLIBS="$SSHDLIBS -lwrap"
|
||||
+ TCPW_MSG="yes"
|
||||
+ ], [
|
||||
+ AC_MSG_ERROR([*** libwrap missing])
|
||||
+
|
||||
+ ])
|
||||
+ LIBS="$saved_LIBS"
|
||||
+ fi
|
||||
+ ]
|
||||
+)
|
||||
+
|
||||
# Check whether user wants to use ldns
|
||||
LDNS_MSG="no"
|
||||
AC_ARG_WITH(ldns,
|
||||
[ --with-ldns[[=PATH]] Use ldns for DNSSEC support (optionally in PATH)],
|
||||
[
|
||||
if test "x$withval" != "xno" ; then
|
||||
|
||||
if test "x$withval" != "xyes" ; then
|
||||
@@ -5159,16 +5215,17 @@ echo " sshd superuser user PATH
|
||||
fi
|
||||
echo " Manpage format: $MANTYPE"
|
||||
echo " PAM support: $PAM_MSG"
|
||||
echo " OSF SIA support: $SIA_MSG"
|
||||
echo " KerberosV support: $KRB5_MSG"
|
||||
echo " SELinux support: $SELINUX_MSG"
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
+echo " TCP Wrappers support: $TCPW_MSG"
|
||||
echo " MD5 password support: $MD5_MSG"
|
||||
echo " libedit support: $LIBEDIT_MSG"
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
echo " Solaris project support: $SP_MSG"
|
||||
echo " Solaris privilege support: $SPP_MSG"
|
||||
echo " systemd support: $SYSTEMD_MSG"
|
||||
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
|
||||
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
||||
diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
||||
--- a/openssh-7.2p2/servconf.c
|
||||
+++ b/openssh-7.2p2/servconf.c
|
||||
@@ -173,16 +173,17 @@ initialize_server_options(ServerOptions
|
||||
options->trusted_user_ca_keys = NULL;
|
||||
options->authorized_principals_file = NULL;
|
||||
options->authorized_principals_command = NULL;
|
||||
options->authorized_principals_command_user = NULL;
|
||||
options->ip_qos_interactive = -1;
|
||||
options->ip_qos_bulk = -1;
|
||||
options->version_addendum = NULL;
|
||||
options->fingerprint_hash = -1;
|
||||
+ options->use_tcpwrappers = -1;
|
||||
}
|
||||
|
||||
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
|
||||
static int
|
||||
option_clear_or_none(const char *o)
|
||||
{
|
||||
return o == NULL || strcasecmp(o, "none") == 0;
|
||||
}
|
||||
@@ -392,16 +393,19 @@ fill_default_server_options(ServerOption
|
||||
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
|
||||
options->fwd_opts.streamlocal_bind_mask = 0177;
|
||||
if (options->fwd_opts.streamlocal_bind_unlink == -1)
|
||||
options->fwd_opts.streamlocal_bind_unlink = 0;
|
||||
if (options->fingerprint_hash == -1)
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
options->fingerprint_hash =
|
||||
fips_correct_dgst(options->fingerprint_hash);
|
||||
+ if (options->use_tcpwrappers == -1) {
|
||||
+ options->use_tcpwrappers = 0;
|
||||
+ }
|
||||
|
||||
assemble_algorithms(options);
|
||||
|
||||
/* Turn privilege separation and sandboxing on by default */
|
||||
if (use_privsep == -1)
|
||||
use_privsep = PRIVSEP_ON;
|
||||
|
||||
#define CLEAR_ON_NONE(v) \
|
||||
@@ -471,16 +475,17 @@ typedef enum {
|
||||
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
||||
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
|
||||
sKexAlgorithms, sKexDHMin,
|
||||
sIPQoS, sVersionAddendum,
|
||||
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
||||
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
|
||||
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
||||
sAllowStreamLocalForwarding, sFingerprintHash,
|
||||
+ sUseTCPWrappers,
|
||||
sDeprecated, sUnsupported
|
||||
} ServerOpCodes;
|
||||
|
||||
#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
|
||||
#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
|
||||
#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
|
||||
|
||||
/* Textual representation of the tokens. */
|
||||
@@ -622,16 +627,17 @@ static struct {
|
||||
{ "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
|
||||
{ "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
|
||||
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
|
||||
{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
|
||||
{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
|
||||
{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
|
||||
{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
|
||||
{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
|
||||
+ { "usetcpwrappers", sUseTCPWrappers, SSHCFG_GLOBAL },
|
||||
{ NULL, sBadOption, 0 }
|
||||
};
|
||||
|
||||
static struct {
|
||||
int val;
|
||||
char *text;
|
||||
} tunmode_desc[] = {
|
||||
{ SSH_TUNMODE_NO, "no" },
|
||||
@@ -1245,16 +1251,20 @@ process_server_config_line(ServerOptions
|
||||
case sHostbasedAuthentication:
|
||||
intptr = &options->hostbased_authentication;
|
||||
goto parse_flag;
|
||||
|
||||
case sHostbasedUsesNameFromPacketOnly:
|
||||
intptr = &options->hostbased_uses_name_from_packet_only;
|
||||
goto parse_flag;
|
||||
|
||||
+ case sUseTCPWrappers:
|
||||
+ intptr = &options->use_tcpwrappers;
|
||||
+ goto parse_flag;
|
||||
+
|
||||
case sHostbasedAcceptedKeyTypes:
|
||||
charptr = &options->hostbased_key_types;
|
||||
parse_keytypes:
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
fatal("%s line %d: Missing argument.",
|
||||
filename, linenum);
|
||||
if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
|
||||
@@ -2400,16 +2410,17 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sCompression, o->compression);
|
||||
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
|
||||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||
dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
|
||||
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
|
||||
+ dump_cfg_fmtint(sUseTCPWrappers, o->use_tcpwrappers);
|
||||
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
dump_cfg_string(sXAuthLocation, o->xauth_location);
|
||||
dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
|
||||
dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
|
||||
dump_cfg_string(sBanner, o->banner);
|
||||
dump_cfg_string(sForceCommand, o->adm_forced_command);
|
||||
diff --git a/openssh-7.2p2/servconf.h b/openssh-7.2p2/servconf.h
|
||||
--- a/openssh-7.2p2/servconf.h
|
||||
+++ b/openssh-7.2p2/servconf.h
|
||||
@@ -196,16 +196,17 @@ typedef struct {
|
||||
int rekey_interval;
|
||||
|
||||
char *version_addendum; /* Appended to SSH banner */
|
||||
|
||||
u_int num_auth_methods;
|
||||
char *auth_methods[MAX_AUTH_METHODS];
|
||||
|
||||
int fingerprint_hash;
|
||||
+ int use_tcpwrappers;
|
||||
} ServerOptions;
|
||||
|
||||
/* Information about the incoming connection as used by Match */
|
||||
struct connection_info {
|
||||
const char *user;
|
||||
const char *host; /* possibly resolved hostname */
|
||||
const char *address; /* remote address */
|
||||
const char *laddress; /* local address */
|
||||
diff --git a/openssh-7.2p2/sshd.8 b/openssh-7.2p2/sshd.8
|
||||
--- a/openssh-7.2p2/sshd.8
|
||||
+++ b/openssh-7.2p2/sshd.8
|
||||
@@ -875,16 +875,22 @@ This file should be writable only by roo
|
||||
can, but need not be, world-readable.
|
||||
.Pp
|
||||
.It Pa ~/.ssh/rc
|
||||
Contains initialization routines to be run before
|
||||
the user's home directory becomes accessible.
|
||||
This file should be writable only by the user, and need not be
|
||||
readable by anyone else.
|
||||
.Pp
|
||||
+.It Pa /etc/hosts.allow
|
||||
+.It Pa /etc/hosts.deny
|
||||
+Access controls that should be enforced by tcp-wrappers are defined here.
|
||||
+Further details are described in
|
||||
+.Xr hosts_access 5 .
|
||||
+.Pp
|
||||
.It Pa /etc/hosts.equiv
|
||||
This file is for host-based authentication (see
|
||||
.Xr ssh 1 ) .
|
||||
It should only be writable by root.
|
||||
.Pp
|
||||
.It Pa /etc/moduli
|
||||
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
|
||||
key exchange method.
|
||||
@@ -998,16 +1004,17 @@ be blocked until enough entropy is avail
|
||||
.Xr scp 1 ,
|
||||
.Xr sftp 1 ,
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
.Xr ssh-agent 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
.Xr ssh-keyscan 1 ,
|
||||
.Xr chroot 2 ,
|
||||
+.Xr hosts_access 5 ,
|
||||
.Xr login.defs 5 ,
|
||||
.Xr moduli 5 ,
|
||||
.Xr sshd_config 5 ,
|
||||
.Xr inetd 8 ,
|
||||
.Xr sftp-server 8
|
||||
.Sh AUTHORS
|
||||
OpenSSH is a derivative of the original and free
|
||||
ssh 1.2.12 release by Tatu Ylonen.
|
||||
diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
|
||||
--- a/openssh-7.2p2/sshd.c
|
||||
+++ b/openssh-7.2p2/sshd.c
|
||||
@@ -132,16 +132,23 @@
|
||||
#include "ssherr.h"
|
||||
|
||||
#include "fips.h"
|
||||
|
||||
#ifdef USE_SECURITY_SESSION_API
|
||||
#include <Security/AuthSession.h>
|
||||
#endif
|
||||
|
||||
+#ifdef LIBWRAP
|
||||
+#include <tcpd.h>
|
||||
+#include <syslog.h>
|
||||
+int allow_severity;
|
||||
+int deny_severity;
|
||||
+#endif /* LIBWRAP */
|
||||
+
|
||||
#ifndef O_NOCTTY
|
||||
#define O_NOCTTY 0
|
||||
#endif
|
||||
|
||||
/* Re-exec fds */
|
||||
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
||||
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
||||
#define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3)
|
||||
@@ -2298,16 +2305,37 @@ main(int ac, char **av)
|
||||
* the socket goes away.
|
||||
*/
|
||||
remote_ip = get_remote_ipaddr();
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
audit_connection_from(remote_ip, remote_port);
|
||||
#endif
|
||||
|
||||
+#ifdef LIBWRAP
|
||||
+ if (options.use_tcpwrappers) {
|
||||
+ allow_severity = options.log_facility|LOG_INFO;
|
||||
+ deny_severity = options.log_facility|LOG_WARNING;
|
||||
+ /* Check whether logins are denied from this host. */
|
||||
+ if (packet_connection_is_on_socket()) {
|
||||
+ struct request_info req;
|
||||
+
|
||||
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
|
||||
+ fromhost(&req);
|
||||
+
|
||||
+ if (!hosts_access(&req)) {
|
||||
+ debug("Connection refused by tcp wrapper");
|
||||
+ refuse(&req);
|
||||
+ /* NOTREACHED */
|
||||
+ fatal("libwrap refuse returns");
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+#endif /* LIBWRAP */
|
||||
+
|
||||
/* Log the connection. */
|
||||
laddr = get_local_ipaddr(sock_in);
|
||||
verbose("Connection from %s port %d on %s port %d",
|
||||
remote_ip, remote_port, laddr, get_local_port());
|
||||
free(laddr);
|
||||
|
||||
#ifdef USE_SECURITY_SESSION_API
|
||||
/*
|
||||
diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
|
||||
--- a/openssh-7.2p2/sshd_config
|
||||
+++ b/openssh-7.2p2/sshd_config
|
||||
@@ -120,16 +120,17 @@ X11Forwarding yes
|
||||
#ClientAliveInterval 0
|
||||
#ClientAliveCountMax 3
|
||||
#UseDNS no
|
||||
#PidFile /var/run/sshd.pid
|
||||
#MaxStartups 10:30:100
|
||||
#PermitTunnel no
|
||||
#ChrootDirectory none
|
||||
#VersionAddendum none
|
||||
+#UseTCPWrappers yes
|
||||
|
||||
# no default banner path
|
||||
#Banner none
|
||||
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/libexec/sftp-server
|
||||
|
||||
# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
|
||||
diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0
|
||||
--- a/openssh-7.2p2/sshd_config.0
|
||||
+++ b/openssh-7.2p2/sshd_config.0
|
||||
@@ -1008,16 +1008,27 @@ DESCRIPTION
|
||||
that has the privilege of the authenticated user. The goal of
|
||||
privilege separation is to prevent privilege escalation by
|
||||
containing any corruption within the unprivileged processes. The
|
||||
argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or M-bM-^@M-^\sandboxM-bM-^@M-^]. If
|
||||
UsePrivilegeSeparation is set to M-bM-^@M-^\sandboxM-bM-^@M-^] then the pre-
|
||||
authentication unprivileged process is subject to additional
|
||||
restrictions. The default is M-bM-^@M-^\sandboxM-bM-^@M-^].
|
||||
|
||||
+ UseTCPWrappers
|
||||
+ When set to "yes" , TCP wrappers (libwrap) are used to determine
|
||||
+ whether a connection from a remote system should be allowed as
|
||||
+ specified in hosts_accept(5). The default is "yes".
|
||||
+
|
||||
+ Warning: This functionality has been backported for backward
|
||||
+ compatibility and should be avoided, since libwrap pulls in a
|
||||
+ whole load of security issues. Moving to sshd's internal host
|
||||
+ matching is highly recommended - see the Match keyword for
|
||||
+ details.
|
||||
+
|
||||
VersionAddendum
|
||||
Optionally specifies additional text to append to the SSH
|
||||
protocol banner sent by the server upon connection. The default
|
||||
is M-bM-^@M-^\noneM-bM-^@M-^].
|
||||
|
||||
X11DisplayOffset
|
||||
Specifies the first display number available for sshd(8)'s X11
|
||||
forwarding. This prevents sshd from interfering with real X11
|
||||
diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
|
||||
--- a/openssh-7.2p2/sshd_config.5
|
||||
+++ b/openssh-7.2p2/sshd_config.5
|
||||
@@ -1657,16 +1657,32 @@ or
|
||||
If
|
||||
.Cm UsePrivilegeSeparation
|
||||
is set to
|
||||
.Dq sandbox
|
||||
then the pre-authentication unprivileged process is subject to additional
|
||||
restrictions.
|
||||
The default is
|
||||
.Dq sandbox .
|
||||
+.It Cm UseTCPWrappers
|
||||
+When set to
|
||||
+.Dq yes
|
||||
+, TCP wrappers (libwrap) are used to determine whether a connection from a
|
||||
+remote system should be allowed as specified in
|
||||
+.Xr hosts_accept 5 .
|
||||
+The default is
|
||||
+.Dq no .
|
||||
+
|
||||
+.Em Warning: This functionality has been backported for backward \
|
||||
+compatibility and should be avoided, since libwrap pulls in a whole load of \
|
||||
+security issues.
|
||||
+Moving to sshd's internal host matching is highly
|
||||
+recommended - see the
|
||||
+.Cm Match
|
||||
+keyword for details.
|
||||
.It Cm VersionAddendum
|
||||
Optionally specifies additional text to append to the SSH protocol banner
|
||||
sent by the server upon connection.
|
||||
The default is
|
||||
.Dq none .
|
||||
.It Cm X11DisplayOffset
|
||||
Specifies the first display number available for
|
||||
.Xr sshd 8 Ns 's
|
175
openssh-7.2p2-verify_CIDR_address_ranges.patch
Normal file
175
openssh-7.2p2-verify_CIDR_address_ranges.patch
Normal file
@ -0,0 +1,175 @@
|
||||
# HG changeset patch
|
||||
# Parent 1b2dad1b57b086d094fe09327fcf1c490475a7cd
|
||||
Check for invalid CIDR adress masks.
|
||||
bsc#1005893
|
||||
|
||||
backported upstream commit: 010359b32659f455fddd2bd85fd7cc4d7a3b994a (7.4)
|
||||
backported upstream commit: 1a6f9d2e2493d445cd9ee496e6e3c2a2f283f66a
|
||||
backported upstream commit: fe06b68f824f8f55670442fb31f2c03526dd326c
|
||||
|
||||
diff --git a/openssh-7.2p2/auth.c b/openssh-7.2p2/auth.c
|
||||
--- a/openssh-7.2p2/auth.c
|
||||
+++ b/openssh-7.2p2/auth.c
|
||||
@@ -95,16 +95,17 @@ int auth_debug_init;
|
||||
* Otherwise true is returned.
|
||||
*/
|
||||
int
|
||||
allowed_user(struct passwd * pw)
|
||||
{
|
||||
struct stat st;
|
||||
const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
|
||||
u_int i;
|
||||
+ int r;
|
||||
#ifdef USE_SHADOW
|
||||
struct spwd *spw = NULL;
|
||||
#endif
|
||||
|
||||
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
|
||||
if (!pw || !pw->pw_name)
|
||||
return 0;
|
||||
|
||||
@@ -183,31 +184,41 @@ allowed_user(struct passwd * pw)
|
||||
if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
|
||||
options.num_deny_groups > 0 || options.num_allow_groups > 0) {
|
||||
hostname = get_canonical_hostname(options.use_dns);
|
||||
ipaddr = get_remote_ipaddr();
|
||||
}
|
||||
|
||||
/* Return false if user is listed in DenyUsers */
|
||||
if (options.num_deny_users > 0) {
|
||||
- for (i = 0; i < options.num_deny_users; i++)
|
||||
- if (match_user(pw->pw_name, hostname, ipaddr,
|
||||
- options.deny_users[i])) {
|
||||
+ for (i = 0; i < options.num_deny_users; i++) {
|
||||
+ r = match_user(pw->pw_name, hostname, ipaddr,
|
||||
+ options.deny_users[i]);
|
||||
+ if (r < 0) {
|
||||
+ fatal("Invalid DenyUsers pattern \"%.100s\"",
|
||||
+ options.deny_users[i]);
|
||||
+ } else if (r != 0) {
|
||||
logit("User %.100s from %.100s not allowed "
|
||||
"because listed in DenyUsers",
|
||||
pw->pw_name, hostname);
|
||||
return 0;
|
||||
}
|
||||
+ }
|
||||
}
|
||||
/* Return false if AllowUsers isn't empty and user isn't listed there */
|
||||
if (options.num_allow_users > 0) {
|
||||
- for (i = 0; i < options.num_allow_users; i++)
|
||||
- if (match_user(pw->pw_name, hostname, ipaddr,
|
||||
- options.allow_users[i]))
|
||||
+ for (i = 0; i < options.num_allow_users; i++) {
|
||||
+ r = match_user(pw->pw_name, hostname, ipaddr,
|
||||
+ options.allow_users[i]);
|
||||
+ if (r < 0) {
|
||||
+ fatal("Invalid AllowUsers pattern \"%.100s\"",
|
||||
+ options.allow_users[i]);
|
||||
+ } else if (r == 1)
|
||||
break;
|
||||
+ }
|
||||
/* i < options.num_allow_users iff we break for loop */
|
||||
if (i >= options.num_allow_users) {
|
||||
logit("User %.100s from %.100s not allowed because "
|
||||
"not listed in AllowUsers", pw->pw_name, hostname);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
|
||||
diff --git a/openssh-7.2p2/match.c b/openssh-7.2p2/match.c
|
||||
--- a/openssh-7.2p2/match.c
|
||||
+++ b/openssh-7.2p2/match.c
|
||||
@@ -186,41 +186,50 @@ match_hostname(const char *host, const c
|
||||
* successful match.
|
||||
*/
|
||||
int
|
||||
match_host_and_ip(const char *host, const char *ipaddr,
|
||||
const char *patterns)
|
||||
{
|
||||
int mhost, mip;
|
||||
|
||||
- /* error in ipaddr match */
|
||||
if ((mip = addr_match_list(ipaddr, patterns)) == -2)
|
||||
- return -1;
|
||||
- else if (mip == -1) /* negative ip address match */
|
||||
- return 0;
|
||||
+ return -1; /* error in ipaddr match */
|
||||
+ else if (host == NULL || ipaddr == NULL || mip == -1)
|
||||
+ return 0; /* negative ip address match, or testing pattern */
|
||||
|
||||
/* negative hostname match */
|
||||
if ((mhost = match_hostname(host, patterns)) == -1)
|
||||
return 0;
|
||||
/* no match at all */
|
||||
if (mhost == 0 && mip == 0)
|
||||
return 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
- * match user, user@host_or_ip, user@host_or_ip_list against pattern
|
||||
+ * Match user, user@host_or_ip, user@host_or_ip_list against pattern.
|
||||
+ * If user, host and ipaddr are all NULL then validate pattern/
|
||||
+ * Returns -1 on invalid pattern, 0 on no match, 1 on match.
|
||||
*/
|
||||
int
|
||||
match_user(const char *user, const char *host, const char *ipaddr,
|
||||
const char *pattern)
|
||||
{
|
||||
char *p, *pat;
|
||||
int ret;
|
||||
|
||||
+ /* test mode */
|
||||
+ if (user == NULL && host == NULL && ipaddr == NULL) {
|
||||
+ if ((p = strchr(pattern, '@')) != NULL &&
|
||||
+ match_host_and_ip(NULL, NULL, p + 1) < 0)
|
||||
+ return -1;
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
if ((p = strchr(pattern,'@')) == NULL)
|
||||
return match_pattern(user, pattern);
|
||||
|
||||
pat = xstrdup(pattern);
|
||||
p = strchr(pat, '@');
|
||||
*p++ = '\0';
|
||||
|
||||
if ((ret = match_pattern(user, pat)) == 1)
|
||||
diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
||||
--- a/openssh-7.2p2/servconf.c
|
||||
+++ b/openssh-7.2p2/servconf.c
|
||||
@@ -1462,28 +1462,34 @@ process_server_config_line(ServerOptions
|
||||
multistate_ptr = multistate_privsep;
|
||||
goto parse_multistate;
|
||||
|
||||
case sAllowUsers:
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
||||
fatal("%s line %d: too many allow users.",
|
||||
filename, linenum);
|
||||
+ if (match_user(NULL, NULL, NULL, arg) == -1)
|
||||
+ fatal("%s line %d: invalid AllowUsers pattern: "
|
||||
+ "\"%.100s\"", filename, linenum, arg);
|
||||
if (!*activep)
|
||||
continue;
|
||||
options->allow_users[options->num_allow_users++] =
|
||||
xstrdup(arg);
|
||||
}
|
||||
break;
|
||||
|
||||
case sDenyUsers:
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (options->num_deny_users >= MAX_DENY_USERS)
|
||||
fatal("%s line %d: too many deny users.",
|
||||
filename, linenum);
|
||||
+ if (match_user(NULL, NULL, NULL, arg) == -1)
|
||||
+ fatal("%s line %d: invalid DenyUsers pattern: "
|
||||
+ "\"%.100s\"", filename, linenum, arg);
|
||||
if (!*activep)
|
||||
continue;
|
||||
options->deny_users[options->num_deny_users++] =
|
||||
xstrdup(arg);
|
||||
}
|
||||
break;
|
||||
|
||||
case sAllowGroups:
|
3
openssh-7.2p2.tar.gz
Normal file
3
openssh-7.2p2.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c
|
||||
size 1499808
|
14
openssh-7.2p2.tar.gz.asc
Normal file
14
openssh-7.2p2.tar.gz.asc
Normal file
@ -0,0 +1,14 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2
|
||||
|
||||
iQGsBAABCgAGBQJW4HGiAAoJENPl9Wttkg0w8uUMfRnuvFkcQWBAHy+idRJoL/9W
|
||||
aPis5PRMJW9ENNLUI2eiSNAhcIsAXKZXv3W2S/tuVrztwYv2+ckrlnaOg2GiMc9N
|
||||
l66ZFpoZBNNPqImG88rgl28idkvGlYMwaKoE+YihPdB9BvPvHzZUEKdPtf/HsvI/
|
||||
2vVTKYg2dbIb7M9h8RIXGvSW8UoGd+6pSbjnJaLHsxVsnBXk8ZYqUgq9PT+slS4d
|
||||
/yp9OdZr99JcQqIFEpWs9WG93JxBbRBUif6OdymV3JAGJxfrpA0a0EPbiCNedxkY
|
||||
TB+XZ53ydKx0s9Gv3k2wFfpT4VOIXvlrcPgYyTs7SVbigvT6TomNyK3TUfMQemN6
|
||||
rTP4qt4b74cXne7zfcmr/Axmr3+xg1LybJn4L1IIH7TWAjj5dhPHJwqLRw3owaFB
|
||||
Y8I+5ViCHGNCsBiil8oBOgdg09BITriL76Xs9WEY7+hC+FP/A286ggPDi+De3GPK
|
||||
L7nB1FZgfo3gCGGJVVAH1i8P/ZZEedJHo/AXAYlNax7g6ZDkfmzt1KaVNhtoNvI=
|
||||
=yfYj
|
||||
-----END PGP SIGNATURE-----
|
@ -1,95 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent af43d436bc7fe818dd976c923ad99b89051eb299
|
||||
Allow root login with password by default. While less secure than upstream
|
||||
default of forbidding access to the root account with a password, we are
|
||||
temporarily introducing this change to keep the default used in older OpenSSH
|
||||
versions shipped with SLE.
|
||||
|
||||
diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||
--- a/openssh-7.6p1/servconf.c
|
||||
+++ b/openssh-7.6p1/servconf.c
|
||||
@@ -218,17 +218,17 @@ fill_default_server_options(ServerOption
|
||||
options->address_family = AF_UNSPEC;
|
||||
if (options->listen_addrs == NULL)
|
||||
add_listen_addr(options, NULL, 0);
|
||||
if (options->pid_file == NULL)
|
||||
options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
|
||||
if (options->login_grace_time == -1)
|
||||
options->login_grace_time = 120;
|
||||
if (options->permit_root_login == PERMIT_NOT_SET)
|
||||
- options->permit_root_login = PERMIT_NO_PASSWD;
|
||||
+ options->permit_root_login = PERMIT_YES;
|
||||
if (options->ignore_rhosts == -1)
|
||||
options->ignore_rhosts = 1;
|
||||
if (options->ignore_user_known_hosts == -1)
|
||||
options->ignore_user_known_hosts = 0;
|
||||
if (options->print_motd == -1)
|
||||
options->print_motd = 1;
|
||||
if (options->print_lastlog == -1)
|
||||
options->print_lastlog = 1;
|
||||
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
|
||||
--- a/openssh-7.6p1/sshd_config
|
||||
+++ b/openssh-7.6p1/sshd_config
|
||||
@@ -25,17 +25,17 @@
|
||||
|
||||
# Logging
|
||||
#SyslogFacility AUTH
|
||||
#LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
|
||||
#LoginGraceTime 2m
|
||||
-#PermitRootLogin prohibit-password
|
||||
+#PermitRootLogin yes
|
||||
#StrictModes yes
|
||||
#MaxAuthTries 6
|
||||
#MaxSessions 10
|
||||
|
||||
#PubkeyAuthentication yes
|
||||
|
||||
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
||||
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||
diff --git a/openssh-7.6p1/sshd_config.0 b/openssh-7.6p1/sshd_config.0
|
||||
--- a/openssh-7.6p1/sshd_config.0
|
||||
+++ b/openssh-7.6p1/sshd_config.0
|
||||
@@ -696,17 +696,17 @@ DESCRIPTION
|
||||
none can be used to prohibit all forwarding requests. The
|
||||
wildcard M-bM-^@M-^X*M-bM-^@M-^Y can be used for host or port to allow all hosts or
|
||||
ports, respectively. By default all port forwarding requests are
|
||||
permitted.
|
||||
|
||||
PermitRootLogin
|
||||
Specifies whether root can log in using ssh(1). The argument
|
||||
must be yes, prohibit-password, without-password,
|
||||
- forced-commands-only, or no. The default is prohibit-password.
|
||||
+ forced-commands-only, or no. The default is yes.
|
||||
|
||||
If this option is set to prohibit-password or without-password,
|
||||
password and keyboard-interactive authentication are disabled for
|
||||
root.
|
||||
|
||||
If this option is set to forced-commands-only, root login with
|
||||
public key authentication will be allowed, but only if the
|
||||
command option has been specified (which may be useful for taking
|
||||
diff --git a/openssh-7.6p1/sshd_config.5 b/openssh-7.6p1/sshd_config.5
|
||||
--- a/openssh-7.6p1/sshd_config.5
|
||||
+++ b/openssh-7.6p1/sshd_config.5
|
||||
@@ -1188,17 +1188,17 @@ Specifies whether root can log in using
|
||||
The argument must be
|
||||
.Cm yes ,
|
||||
.Cm prohibit-password ,
|
||||
.Cm without-password ,
|
||||
.Cm forced-commands-only ,
|
||||
or
|
||||
.Cm no .
|
||||
The default is
|
||||
-.Cm prohibit-password .
|
||||
+.Cm yes .
|
||||
.Pp
|
||||
If this option is set to
|
||||
.Cm prohibit-password
|
||||
or
|
||||
.Cm without-password ,
|
||||
password and keyboard-interactive authentication are disabled for root.
|
||||
.Pp
|
||||
If this option is set to
|
@ -1,27 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent 9797aecac98b26573a295fd75128b7c68dfc5aad
|
||||
fix paths and references in sshd man pages
|
||||
|
||||
diff --git a/openssh-7.6p1/Makefile.in b/openssh-7.6p1/Makefile.in
|
||||
--- a/openssh-7.6p1/Makefile.in
|
||||
+++ b/openssh-7.6p1/Makefile.in
|
||||
@@ -119,17 +119,18 @@ MANTYPE = @MANTYPE@
|
||||
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
|
||||
CONFIGFILES_IN=sshd_config ssh_config moduli
|
||||
|
||||
PATHSUBS = \
|
||||
-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
|
||||
-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
|
||||
-e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \
|
||||
-e 's|/usr/libexec|$(libexecdir)|g' \
|
||||
- -e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \
|
||||
+ -e 's|login\.conf|login.defs|g' \
|
||||
+ -e 's|/etc/shosts.equiv|$(sysconfdir)/ssh/shosts.equiv|g' \
|
||||
-e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \
|
||||
-e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \
|
||||
-e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \
|
||||
-e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \
|
||||
-e 's|/etc/ssh/ssh_host_ed25519_key|$(sysconfdir)/ssh_host_ed25519_key|g' \
|
||||
-e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \
|
||||
-e 's|/etc/moduli|$(sysconfdir)/moduli|g' \
|
||||
-e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \
|
@ -1,28 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent d47e806f23ad0649ef38b24e8cb9d5617e5d5d15
|
||||
# force PAM in defaullt install (this was removed from upstream in 3.8p1)
|
||||
# bnc#46749
|
||||
# --used to be called '-pam-fix2'
|
||||
|
||||
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
|
||||
--- a/openssh-7.6p1/sshd_config
|
||||
+++ b/openssh-7.6p1/sshd_config
|
||||
@@ -75,17 +75,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
# be allowed through the ChallengeResponseAuthentication and
|
||||
# PasswordAuthentication. Depending on your PAM configuration,
|
||||
# PAM authentication via ChallengeResponseAuthentication may bypass
|
||||
# the setting of "PermitRootLogin without-password".
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
-#UsePAM no
|
||||
+UsePAM yes
|
||||
|
||||
#AllowAgentForwarding yes
|
||||
#AllowTcpForwarding yes
|
||||
#GatewayPorts no
|
||||
X11Forwarding yes
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PermitTTY yes
|
@ -1,34 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent 85f3cd6c8291c7feb0c1e7a0a3645c130532d206
|
||||
Add the 'geteuid' syscall to allowed list, since it may becalled on the
|
||||
mainframes when OpenSSL is using hardware crypto accelerator via libica
|
||||
(via ibmica)
|
||||
|
||||
bsc#1004258
|
||||
|
||||
diff --git a/openssh-7.6p1/sandbox-seccomp-filter.c b/openssh-7.6p1/sandbox-seccomp-filter.c
|
||||
--- a/openssh-7.6p1/sandbox-seccomp-filter.c
|
||||
+++ b/openssh-7.6p1/sandbox-seccomp-filter.c
|
||||
@@ -161,16 +161,22 @@ static const struct sock_filter preauth_
|
||||
SC_ALLOW(__NR_close),
|
||||
#endif
|
||||
#ifdef __NR_exit
|
||||
SC_ALLOW(__NR_exit),
|
||||
#endif
|
||||
#ifdef __NR_exit_group
|
||||
SC_ALLOW(__NR_exit_group),
|
||||
#endif
|
||||
+#ifdef __NR_geteuid
|
||||
+ SC_ALLOW(__NR_geteuid),
|
||||
+#endif
|
||||
+#ifdef __NR_geteuid32
|
||||
+ SC_ALLOW(__NR_geteuid32),
|
||||
+#endif
|
||||
#ifdef __NR_getpgid
|
||||
SC_ALLOW(__NR_getpgid),
|
||||
#endif
|
||||
#ifdef __NR_getpid
|
||||
SC_ALLOW(__NR_getpid),
|
||||
#endif
|
||||
#ifdef __NR_getrandom
|
||||
SC_ALLOW(__NR_getrandom),
|
@ -1,31 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent 004731f82470b22b9bd563ef3216034cf00ba133
|
||||
add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread
|
||||
from being killed by the seccomp filter
|
||||
|
||||
diff --git a/openssh-7.6p1/sandbox-seccomp-filter.c b/openssh-7.6p1/sandbox-seccomp-filter.c
|
||||
--- a/openssh-7.6p1/sandbox-seccomp-filter.c
|
||||
+++ b/openssh-7.6p1/sandbox-seccomp-filter.c
|
||||
@@ -173,16 +173,22 @@ static const struct sock_filter preauth_
|
||||
SC_ALLOW(__NR_getpid),
|
||||
#endif
|
||||
#ifdef __NR_getrandom
|
||||
SC_ALLOW(__NR_getrandom),
|
||||
#endif
|
||||
#ifdef __NR_gettimeofday
|
||||
SC_ALLOW(__NR_gettimeofday),
|
||||
#endif
|
||||
+#ifdef __NR_getuid
|
||||
+ SC_ALLOW(__NR_getuid),
|
||||
+#endif
|
||||
+#ifdef __NR_getuid32
|
||||
+ SC_ALLOW(__NR_getuid32),
|
||||
+#endif
|
||||
#ifdef __NR_madvise
|
||||
SC_ALLOW(__NR_madvise),
|
||||
#endif
|
||||
#ifdef __NR_mmap
|
||||
SC_ALLOW(__NR_mmap),
|
||||
#endif
|
||||
#ifdef __NR_mmap2
|
||||
SC_ALLOW(__NR_mmap2),
|
@ -1,30 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent ddbb42a2825e7e837d7b0387b79a9542c7869174
|
||||
Allow the stat() syscall for OpenSSL re-seed patch
|
||||
(which causes OpenSSL use stat() on some file)
|
||||
|
||||
bnc#912436
|
||||
|
||||
diff --git a/openssh-7.6p1/sandbox-seccomp-filter.c b/openssh-7.6p1/sandbox-seccomp-filter.c
|
||||
--- a/openssh-7.6p1/sandbox-seccomp-filter.c
|
||||
+++ b/openssh-7.6p1/sandbox-seccomp-filter.c
|
||||
@@ -224,16 +224,19 @@ static const struct sock_filter preauth_
|
||||
SC_ALLOW(__NR_select),
|
||||
#endif
|
||||
#ifdef __NR_shutdown
|
||||
SC_ALLOW(__NR_shutdown),
|
||||
#endif
|
||||
#ifdef __NR_sigprocmask
|
||||
SC_ALLOW(__NR_sigprocmask),
|
||||
#endif
|
||||
+#ifdef __NR_stat
|
||||
+ SC_ALLOW(__NR_stat),
|
||||
+#endif
|
||||
#ifdef __NR_time
|
||||
SC_ALLOW(__NR_time),
|
||||
#endif
|
||||
#ifdef __NR_write
|
||||
SC_ALLOW(__NR_write),
|
||||
#endif
|
||||
#ifdef __NR_socketcall
|
||||
SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723
|
||||
size 1489788
|
@ -1,14 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAlnTtXUACgkQ0+X1a22S
|
||||
DTCQxgx+MJ1JjIWwVjXUxwpFfjj4aBv5xSqiKqwzGgVjnlmwtpTn+tqdGiACts3K
|
||||
46fh/8ujknJJ5lBIlWKBfqhKzC7A+gCBaFiLoXiad8Q3NIESbXGxRkuMe6jxFtR7
|
||||
SHidUjRqmn1kLCy1TSkj8mqg0/UZ5UZAJcsldQTmEAnxFVbK1l8CLB7vn4rJnj+v
|
||||
PdbtsSdw8ZHtakkoNHiqQD+mwy+FXY5QcN7IUEX2/E0hKx0wou1S/36j8k89UQf8
|
||||
Jbntg31N4EUOQ0fRwuxdRkHSUrJJpPgwWO4XgHw4u9yghsOCYr+X9Pa1+LCtL4PE
|
||||
o4+08UoD92VORzRETH5Cbtv1XmdUWrpHVHUjVORTgYxVgXbbnoDuzxfsrbfJRRLE
|
||||
NBsFxodltDxfdljL27PReBqpneWBxNJd6ruaY5wYxhu1qTEcszCGXuSd583TJ49b
|
||||
hhkWrk5+knErwFdDbtOy+l3L1pvxXvuyIuWl/aXaoVSPDwtPFui94Dl2G7QbSeEb
|
||||
PQDWU6PReeP+SRsMyYJSoxwgbZIzaQ==
|
||||
=K6iy
|
||||
-----END PGP SIGNATURE-----
|
@ -1,9 +1,3 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 3 12:27:18 UTC 2017 - pcerny@suse.com
|
||||
|
||||
- upgrade to 7.6p1
|
||||
see main package changelog for details
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 25 13:45:53 UTC 2016 - meissner@suse.com
|
||||
|
||||
|
@ -26,7 +26,7 @@ BuildRequires: openssl-devel
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: tcpd-devel
|
||||
BuildRequires: update-desktop-files
|
||||
Version: 7.6p1
|
||||
Version: 7.2p2
|
||||
Release: 0
|
||||
Requires: openssh = %{version}
|
||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||
|
597
openssh.changes
597
openssh.changes
@ -1,581 +1,26 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Nov 23 13:38:52 UTC 2017 - rbrown@suse.com
|
||||
Fri Dec 1 13:18:24 UTC 2017 - pcerny@suse.com
|
||||
|
||||
- Replace references to /var/adm/fillup-templates with new
|
||||
%_fillupdir macro (boo#1069468)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 3 12:27:18 UTC 2017 - pcerny@suse.com
|
||||
|
||||
- Update to vanilla 7.6p1
|
||||
Most important changes (more details below):
|
||||
* complete removal of the ancient SSHv1 protocol
|
||||
* sshd(8) cannot run without privilege separation
|
||||
* removal of suport for arcfourm blowfish and CAST ciphers
|
||||
and RIPE-MD160 HMAC
|
||||
* refuse RSA keys shorter than 1024 bits
|
||||
Distilled upstream log:
|
||||
- OpenSSH 7.3
|
||||
---- Security
|
||||
* sshd(8): Mitigate a potential denial-of-service attack
|
||||
against the system's crypt(3) function via sshd(8). An
|
||||
attacker could send very long passwords that would cause
|
||||
excessive CPU use in crypt(3). sshd(8) now refuses to accept
|
||||
password authentication requests of length greater than 1024
|
||||
characters. Independently reported by Tomas Kuthan (Oracle),
|
||||
Andres Rojas and Javier Nieto.
|
||||
* sshd(8): Mitigate timing differences in password
|
||||
authentication that could be used to discern valid from
|
||||
invalid account names when long passwords were sent and
|
||||
particular password hashing algorithms are in use on the
|
||||
server. CVE-2016-6210, reported by EddieEzra.Harari at
|
||||
verint.com
|
||||
* ssh(1), sshd(8): Fix observable timing weakness in the CBC
|
||||
padding oracle countermeasures. Reported by Jean Paul
|
||||
Degabriele, Kenny Paterson, Torben Hansen and Martin
|
||||
Albrecht. Note that CBC ciphers are disabled by default and
|
||||
only included for legacy compatibility.
|
||||
* ssh(1), sshd(8): Improve operation ordering of MAC
|
||||
verification for Encrypt-then-MAC (EtM) mode transport MAC
|
||||
algorithms to verify the MAC before decrypting any
|
||||
ciphertext. This removes the possibility of timing
|
||||
differences leaking facts about the plaintext, though no such
|
||||
leakage has been observed. Reported by Jean Paul Degabriele,
|
||||
Kenny Paterson, Torben Hansen and Martin Albrecht.
|
||||
* sshd(8): (portable only) Ignore PAM environment vars when
|
||||
UseLogin=yes. If PAM is configured to read user-specified
|
||||
environment variables and UseLogin=yes in sshd_config, then a
|
||||
hostile local user may attack /bin/login via LD_PRELOAD or
|
||||
similar environment variables set via PAM. CVE-2015-8325,
|
||||
found by Shayan Sadigh.
|
||||
---- New Features
|
||||
* ssh(1): Add a ProxyJump option and corresponding -J
|
||||
command-line flag to allow simplified indirection through a
|
||||
one or more SSH bastions or "jump hosts".
|
||||
* ssh(1): Add an IdentityAgent option to allow specifying
|
||||
specific agent sockets instead of accepting one from the
|
||||
environment.
|
||||
* ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to
|
||||
be optionally overridden when using ssh -W. bz#2577
|
||||
* ssh(1), sshd(8): Implement support for the IUTF8 terminal
|
||||
mode as per draft-sgtatham-secsh-iutf8-00.
|
||||
* ssh(1), sshd(8): Add support for additional fixed
|
||||
Diffie-Hellman 2K, 4K and 8K groups from
|
||||
draft-ietf-curdle-ssh-kex-sha2-03.
|
||||
* ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA
|
||||
signatures in certificates;
|
||||
* ssh(1): Add an Include directive for ssh_config(5) files.
|
||||
* ssh(1): Permit UTF-8 characters in pre-authentication banners
|
||||
sent from the server. bz#2058
|
||||
---- Bugfixes
|
||||
* ssh(1), sshd(8): Reduce the syslog level of some relatively
|
||||
common protocol events from LOG_CRIT. bz#2585
|
||||
* sshd(8): Refuse AuthenticationMethods="" in configurations
|
||||
and accept AuthenticationMethods=any for the default
|
||||
behaviour of not requiring multiple authentication. bz#2398
|
||||
* sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
|
||||
ATTEMPT!" message when forward and reverse DNS don't match.
|
||||
bz#2585
|
||||
* ssh(1): Close ControlPersist background process stderr except
|
||||
in debug mode or when logging to syslog. bz#1988
|
||||
* misc: Make PROTOCOL description for
|
||||
direct-streamlocal@openssh.com channel open messages match
|
||||
deployed code. bz#2529
|
||||
* ssh(1): Deduplicate LocalForward and RemoteForward entries to
|
||||
fix failures when both ExitOnForwardFailure and hostname
|
||||
canonicalisation are enabled. bz#2562
|
||||
* sshd(8): Remove fallback from moduli to obsolete "primes"
|
||||
file that was deprecated in 2001. bz#2559.
|
||||
* sshd_config(5): Correct description of UseDNS: it affects ssh
|
||||
hostname processing for authorized_keys, not known_hosts;
|
||||
bz#2554
|
||||
* ssh(1): Fix authentication using lone certificate keys in an
|
||||
agent without corresponding private keys on the filesystem.
|
||||
bz#2550
|
||||
* sshd(8): Send ClientAliveInterval pings when a time-based
|
||||
RekeyLimit is set; previously keepalive packets were not
|
||||
being sent. bz#2252
|
||||
---- Portability
|
||||
* ssh(1), sshd(8): Fix compilation by automatically disabling
|
||||
ciphers not supported by OpenSSL. bz#2466
|
||||
* misc: Fix compilation failures on some versions of AIX's
|
||||
compiler related to the definition of the VA_COPY macro.
|
||||
bz#2589
|
||||
* sshd(8): Whitelist more architectures to enable the
|
||||
seccomp-bpf sandbox. bz#2590
|
||||
* ssh-agent(1), sftp-server(8): Disable process tracing on
|
||||
Solaris using setpflags(__PROC_PROTECT, ...). bz#2584
|
||||
* sshd(8): On Solaris, don't call Solaris setproject() with
|
||||
UsePAM=yes it's PAM's responsibility. bz#2425
|
||||
- OpenSSH 7.4
|
||||
---- Potentially-incompatible changes
|
||||
* ssh(1): Remove 3des-cbc from the client's default proposal.
|
||||
64-bit block ciphers are not safe in 2016 and we don't want
|
||||
to wait until attacks like SWEET32 are extended to SSH. As
|
||||
3des-cbc was the only mandatory cipher in the SSH RFCs, this
|
||||
may cause problems connecting to older devices using the
|
||||
default configuration, but it's highly likely that such
|
||||
devices already need explicit configuration for key exchange
|
||||
and hostkey algorithms already anyway.
|
||||
* sshd(8): Remove support for pre-authentication compression.
|
||||
Doing compression early in the protocol probably seemed
|
||||
reasonable in the 1990s, but today it's clearly a bad idea in
|
||||
terms of both cryptography (cf. multiple compression oracle
|
||||
attacks in TLS) and attack surface. Pre-auth compression
|
||||
support has been disabled by default for >10 years. Support
|
||||
remains in the client.
|
||||
* ssh-agent will refuse to load PKCS#11 modules outside a
|
||||
whitelist of trusted paths by default. The path whitelist may
|
||||
be specified at run-time.
|
||||
* sshd(8): When a forced-command appears in both a certificate
|
||||
and an authorized keys/principals command= restriction, sshd
|
||||
will now refuse to accept the certificate unless they are
|
||||
identical. The previous (documented) behaviour of having the
|
||||
certificate forced-command override the other could be a bit
|
||||
confusing and error-prone.
|
||||
* sshd(8): Remove the UseLogin configuration directive and
|
||||
support for having /bin/login manage login sessions.
|
||||
---- Security
|
||||
* ssh-agent(1): Will now refuse to load PKCS#11 modules from
|
||||
paths outside a trusted whitelist (run-time configurable).
|
||||
Requests to load modules could be passed via agent forwarding
|
||||
and an attacker could attempt to load a hostile PKCS#11
|
||||
module across the forwarded agent channel: PKCS#11 modules
|
||||
are shared libraries, so this would result in code execution
|
||||
on the system running the ssh-agent if the attacker has
|
||||
control of the forwarded agent-socket (on the host running
|
||||
the sshd server) and the ability to write to the filesystem
|
||||
of the host running ssh-agent (usually the host running the
|
||||
ssh client). Reported by Jann Horn of Project Zero.
|
||||
* sshd(8): When privilege separation is disabled, forwarded
|
||||
Unix- domain sockets would be created by sshd(8) with the
|
||||
privileges of 'root' instead of the authenticated user. This
|
||||
release refuses Unix-domain socket forwarding when privilege
|
||||
separation is disabled (Privilege separation has been enabled
|
||||
by default for 14 years). Reported by Jann Horn of Project
|
||||
Zero.
|
||||
* sshd(8): Avoid theoretical leak of host private key material
|
||||
to privilege-separated child processes via realloc() when
|
||||
reading keys. No such leak was observed in practice for
|
||||
normal-sized keys, nor does a leak to the child processes
|
||||
directly expose key material to unprivileged users. Reported
|
||||
by Jann Horn of Project Zero.
|
||||
* sshd(8): The shared memory manager used by pre-authentication
|
||||
compression support had a bounds checks that could be elided
|
||||
by some optimising compilers. Additionally, this memory
|
||||
manager was incorrectly accessible when pre-authentication
|
||||
compression was disabled. This could potentially allow
|
||||
attacks against the privileged monitor process from the
|
||||
sandboxed privilege-separation process (a compromise of the
|
||||
latter would be required first). This release removes
|
||||
support for pre-authentication compression from sshd(8).
|
||||
Reported by Guido Vranken using the Stack unstable
|
||||
optimisation identification tool
|
||||
(http://css.csail.mit.edu/stack/)
|
||||
* sshd(8): Fix denial-of-service condition where an attacker
|
||||
who sends multiple KEXINIT messages may consume up to 128MB
|
||||
per connection. Reported by Shi Lei of Gear Team, Qihoo 360.
|
||||
* sshd(8): Validate address ranges for AllowUser and DenyUsers
|
||||
directives at configuration load time and refuse to accept
|
||||
invalid ones. It was previously possible to specify invalid
|
||||
CIDR address ranges (e.g. user@127.1.2.3/55) and these would
|
||||
always match, possibly resulting in granting access where it
|
||||
was not intended. Reported by Laurence Parry.
|
||||
---- New Features
|
||||
* ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by
|
||||
the version in PuTTY by Simon Tatham. This allows a
|
||||
multiplexing client to communicate with the master process
|
||||
using a subset of the SSH packet and channels protocol over a
|
||||
Unix-domain socket, with the main process acting as a proxy
|
||||
that translates channel IDs, etc. This allows multiplexing
|
||||
mode to run on systems that lack file- descriptor passing
|
||||
(used by current multiplexing code) and potentially, in
|
||||
conjunction with Unix-domain socket forwarding, with the
|
||||
client and multiplexing master process on different machines.
|
||||
Multiplexing proxy mode may be invoked using "ssh -O proxy
|
||||
..."
|
||||
* sshd(8): Add a sshd_config DisableForwarding option that
|
||||
disables X11, agent, TCP, tunnel and Unix domain socket
|
||||
forwarding, as well as anything else we might implement in
|
||||
the future. Like the 'restrict' authorized_keys flag, this is
|
||||
intended to be a simple and future-proof way of restricting
|
||||
an account.
|
||||
* sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
|
||||
method. This is identical to the currently-supported method
|
||||
named "curve25519-sha256@libssh.org".
|
||||
* sshd(8): Improve handling of SIGHUP by checking to see if
|
||||
sshd is already daemonised at startup and skipping the call
|
||||
to daemon(3) if it is. This ensures that a SIGHUP restart of
|
||||
sshd(8) will retain the same process-ID as the initial
|
||||
execution. sshd(8) will also now unlink the PidFile prior to
|
||||
SIGHUP restart and re-create it after a successful restart,
|
||||
rather than leaving a stale file in the case of a
|
||||
configuration error. bz#2641
|
||||
* sshd(8): Allow ClientAliveInterval and ClientAliveCountMax
|
||||
directives to appear in sshd_config Match blocks.
|
||||
* sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to
|
||||
match those supported by AuthorizedKeysCommand (key, key
|
||||
type, fingerprint, etc.) and a few more to provide access to
|
||||
the contents of the certificate being offered.
|
||||
* Added regression tests for string matching, address matching
|
||||
and string sanitisation functions.
|
||||
* Improved the key exchange fuzzer harness.
|
||||
---- Bugfixes
|
||||
* ssh(1): Allow IdentityFile to successfully load and use
|
||||
certificates that have no corresponding bare public key.
|
||||
bz#2617 certificate id_rsa-cert.pub (and no id_rsa.pub).
|
||||
* ssh(1): Fix public key authentication when multiple
|
||||
authentication is in use and publickey is not just the first
|
||||
method attempted. bz#2642
|
||||
* regress: Allow the PuTTY interop tests to run unattended.
|
||||
bz#2639
|
||||
* ssh-agent(1), ssh(1): improve reporting when attempting to
|
||||
load keys from PKCS#11 tokens with fewer useless log messages
|
||||
and more detail in debug messages. bz#2610
|
||||
* ssh(1): When tearing down ControlMaster connections, don't
|
||||
pollute stderr when LogLevel=quiet.
|
||||
* sftp(1): On ^Z wait for underlying ssh(1) to suspend before
|
||||
suspending sftp(1) to ensure that ssh(1) restores the
|
||||
terminal mode correctly if suspended during a password
|
||||
prompt.
|
||||
* ssh(1): Avoid busy-wait when ssh(1) is suspended during a
|
||||
password prompt.
|
||||
* ssh(1), sshd(8): Correctly report errors during sending of
|
||||
ext- info messages.
|
||||
* sshd(8): fix NULL-deref crash if sshd(8) received an out-of-
|
||||
sequence NEWKEYS message.
|
||||
* sshd(8): Correct list of supported signature algorithms sent
|
||||
in the server-sig-algs extension. bz#2547
|
||||
* sshd(8): Fix sending ext_info message if privsep is disabled.
|
||||
* sshd(8): more strictly enforce the expected ordering of
|
||||
privilege separation monitor calls used for authentication
|
||||
and allow them only when their respective authentication
|
||||
methods are enabled in the configuration
|
||||
* sshd(8): Fix uninitialised optlen in getsockopt() call;
|
||||
harmless on Unix/BSD but potentially crashy on Cygwin.
|
||||
* Fix false positive reports caused by explicit_bzero(3) not
|
||||
being recognised as a memory initialiser when compiled with
|
||||
-fsanitize-memory.
|
||||
* sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet
|
||||
for configuration examples.
|
||||
---- Portability
|
||||
* On environments configured with Turkish locales, fall back to
|
||||
the C/POSIX locale to avoid errors in configuration parsing
|
||||
caused by that locale's unique handling of the letters 'i'
|
||||
and 'I'. bz#2643
|
||||
* sftp-server(8), ssh-agent(1): Deny ptrace on OS X using
|
||||
ptrace(PT_DENY_ATTACH, ..)
|
||||
* ssh(1), sshd(8): Unbreak AES-CTR ciphers on old (~0.9.8)
|
||||
OpenSSL.
|
||||
* Fix compilation for libcrypto compiled without RIPEMD160
|
||||
support.
|
||||
* contrib: Add a gnome-ssh-askpass3 with GTK+3 support. bz#2640
|
||||
* sshd(8): Improve PRNG reseeding across privilege separation
|
||||
and force libcrypto to obtain a high-quality seed before
|
||||
chroot or sandboxing.
|
||||
* All: Explicitly test for broken strnvis. NetBSD added an
|
||||
strnvis and unfortunately made it incompatible with the
|
||||
existing one in OpenBSD and Linux's libbsd (the former having
|
||||
existed for over ten years). Try to detect this mess, and
|
||||
assume the only safe option if we're cross compiling.
|
||||
- OpenSSH 7.5
|
||||
---- Potentially-incompatible changes
|
||||
* This release deprecates the sshd_config
|
||||
UsePrivilegeSeparation option, thereby making privilege
|
||||
separation mandatory. Privilege separation has been on by
|
||||
default for almost 15 years and sandboxing has been on by
|
||||
default for almost the last five.
|
||||
* The format of several log messages emitted by the packet code
|
||||
has changed to include additional information about the user
|
||||
and their authentication state. Software that monitors
|
||||
ssh/sshd logs may need to account for these changes. For
|
||||
example:
|
||||
Connection closed by user x 1.1.1.1 port 1234 [preauth]
|
||||
Connection closed by authenticating user x 10.1.1.1 port 1234
|
||||
[preauth] Connection closed by invalid user x 1.1.1.1 port
|
||||
1234 [preauth]
|
||||
Affected messages include connection closure, timeout, remote
|
||||
disconnection, negotiation failure and some other fatal
|
||||
messages generated by the packet code.
|
||||
* [Portable OpenSSH only] This version removes support for
|
||||
building against OpenSSL versions prior to 1.0.1. OpenSSL
|
||||
stopped supporting versions prior to 1.0.1 over 12 months ago
|
||||
(i.e. they no longer receive fixes for security bugs).
|
||||
---- Security
|
||||
* ssh(1), sshd(8): Fix weakness in CBC padding oracle
|
||||
countermeasures that allowed a variant of the attack fixed in
|
||||
OpenSSH 7.3 to proceed. Note that the OpenSSH client
|
||||
disables CBC ciphers by default, sshd offers them as
|
||||
lowest-preference options and will remove them by default
|
||||
entriely in the next release. Reported by Jean Paul
|
||||
Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen
|
||||
of Royal Holloway, University of London.
|
||||
* sftp-client(1): [portable OpenSSH only] On Cygwin, a client
|
||||
making a recursive file transfer could be maniuplated by a
|
||||
hostile server to perform a path-traversal attack. creating
|
||||
or modifying files outside of the intended target directory.
|
||||
Reported by Jann Horn of Google Project Zero.
|
||||
---- New Features
|
||||
* ssh(1), sshd(8): Support "=-" syntax to easily remove methods
|
||||
from algorithm lists, e.g. Ciphers=-*cbc. bz#2671
|
||||
---- Bugfixes
|
||||
* sshd(1): Fix NULL dereference crash when key exchange start
|
||||
messages are sent out of sequence.
|
||||
* ssh(1), sshd(8): Allow form-feed characters to appear in
|
||||
configuration files.
|
||||
* sshd(8): Fix regression in OpenSSH 7.4 support for the
|
||||
server-sig-algs extension, where SHA2 RSA signature methods
|
||||
were not being correctly advertised. bz#2680
|
||||
* ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs
|
||||
in known_hosts processing. bz#2591 bz#2685
|
||||
* ssh(1): Allow ssh to use certificates accompanied by a
|
||||
private key file but no corresponding plain *.pub public key.
|
||||
bz#2617
|
||||
* ssh(1): When updating hostkeys using the UpdateHostKeys
|
||||
option, accept RSA keys if HostkeyAlgorithms contains any RSA
|
||||
keytype. Previously, ssh could ignore RSA keys when only the
|
||||
ssh-rsa-sha2-* methods were enabled in HostkeyAlgorithms and
|
||||
not the old ssh-rsa method. bz#2650
|
||||
* ssh(1): Detect and report excessively long configuration file
|
||||
lines. bz#2651
|
||||
* Merge a number of fixes found by Coverity and reported via
|
||||
Redhat and FreeBSD. Includes fixes for some memory and file
|
||||
descriptor leaks in error paths. bz#2687
|
||||
* ssh-keyscan(1): Correctly hash hosts with a port number.
|
||||
bz#2692
|
||||
* ssh(1), sshd(8): When logging long messages to stderr, don't
|
||||
truncate "\r\n" if the length of the message exceeds the
|
||||
buffer. bz#2688
|
||||
* ssh(1): Fully quote [host]:port in generated ProxyJump/-J
|
||||
command- line; avoid confusion over IPv6 addresses and shells
|
||||
that treat square bracket characters specially.
|
||||
* ssh-keygen(1): Fix corruption of known_hosts when running
|
||||
"ssh-keygen -H" on a known_hosts containing already-hashed
|
||||
entries.
|
||||
* Fix various fallout and sharp edges caused by removing SSH
|
||||
protocol 1 support from the server, including the server
|
||||
banner string being incorrectly terminated with only \n
|
||||
(instead of \r\n), confusing error messages from ssh-keyscan
|
||||
bz#2583 and a segfault in sshd if protocol v.1 was enabled
|
||||
for the client and sshd_config contained references to legacy
|
||||
keys bz#2686.
|
||||
* ssh(1), sshd(8): Free fd_set on connection timeout. bz#2683
|
||||
* sshd(8): Fix Unix domain socket forwarding for root
|
||||
(regression in OpenSSH 7.4).
|
||||
* sftp(1): Fix division by zero crash in "df" output when
|
||||
server returns zero total filesystem blocks/inodes.
|
||||
* ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL
|
||||
errors encountered during key loading to more meaningful
|
||||
error codes. bz#2522 bz#2523
|
||||
* ssh-keygen(1): Sanitise escape sequences in key comments sent
|
||||
to printf but preserve valid UTF-8 when the locale supports
|
||||
it; bz#2520
|
||||
* ssh(1), sshd(8): Return reason for port forwarding failures
|
||||
where feasible rather than always "administratively
|
||||
prohibited". bz#2674
|
||||
* sshd(8): Fix deadlock when AuthorizedKeysCommand or
|
||||
AuthorizedPrincipalsCommand produces a lot of output and a
|
||||
key is matched early. bz#2655
|
||||
* Regression tests: several reliability fixes. bz#2654 bz#2658
|
||||
bz#2659
|
||||
* ssh(1): Fix typo in ~C error message for bad port forward
|
||||
cancellation. bz#2672
|
||||
* ssh(1): Show a useful error message when included config
|
||||
files can't be opened; bz#2653
|
||||
* sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the
|
||||
manual page (previously incorrectly) advertised. bz#2637
|
||||
* sshd_config(5): Repair accidentally-deleted mention of %k
|
||||
token in AuthorizedKeysCommand; bz#2656
|
||||
* sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM;
|
||||
bz#2665
|
||||
* ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
|
||||
common 32-bit compatibility library directories.
|
||||
* sftp-client(1): Fix non-exploitable integer overflow in
|
||||
SSH2_FXP_NAME response handling.
|
||||
* ssh-agent(1): Fix regression in 7.4 of deleting
|
||||
PKCS#11-hosted keys. It was not possible to delete them
|
||||
except by specifying their full physical path. bz#2682
|
||||
---- Portability
|
||||
* sshd(8): Avoid sandbox errors for Linux S390 systems using an
|
||||
ICA crypto coprocessor.
|
||||
* sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox
|
||||
arg inspection.
|
||||
* ssh(1): Fix X11 forwarding on OSX where X11 was being started
|
||||
by launchd. bz#2341
|
||||
* ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for
|
||||
various that contain non-printable characters where the
|
||||
codeset in use is ASCII.
|
||||
* build: Fix builds that attempt to link a kerberised libldns.
|
||||
bz#2603
|
||||
* build: Fix compilation problems caused by unconditionally
|
||||
defining _XOPEN_SOURCE in wide character detection.
|
||||
* sshd(8): Fix sandbox violations for clock_gettime VSDO
|
||||
syscall fallback on some Linux/X32 kernels. bz#2142
|
||||
- OpenSSH 7.6
|
||||
---- Potentially-incompatible changes
|
||||
This release includes a number of changes that may affect
|
||||
existing configurations:
|
||||
* ssh(1): delete SSH protocol version 1 support, associated
|
||||
configuration options and documentation.
|
||||
* ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC.
|
||||
* ssh(1)/sshd(8): remove support for the arcfour, blowfish and
|
||||
CAST ciphers.
|
||||
* Refuse RSA keys <1024 bits in length and improve reporting
|
||||
for keys that do not meet this requirement.
|
||||
* ssh(1): do not offer CBC ciphers by default.
|
||||
---- Security
|
||||
* sftp-server(8): in read-only mode, sftp-server was
|
||||
incorrectly permitting creation of zero-length files.
|
||||
Reported by Michal Zalewski.
|
||||
---- New Features
|
||||
* ssh(1): add RemoteCommand option to specify a command in the
|
||||
ssh config file instead of giving it on the client's command
|
||||
line. This allows the configuration file to specify the
|
||||
command that will be executed on the remote host.
|
||||
* sshd(8): add ExposeAuthInfo option that enables writing
|
||||
details of the authentication methods used (including public
|
||||
keys where applicable) to a file that is exposed via a
|
||||
$SSH_USER_AUTH environment variable in the subsequent
|
||||
session.
|
||||
* ssh(1): add support for reverse dynamic forwarding. In this
|
||||
mode, ssh will act as a SOCKS4/5 proxy and forward
|
||||
connections to destinations requested by the remote SOCKS
|
||||
client. This mode is requested using extended syntax for the
|
||||
-R and RemoteForward options and, because it is implemented
|
||||
solely at the client, does not require the server be updated
|
||||
to be supported.
|
||||
* sshd(8): allow LogLevel directive in sshd_config Match
|
||||
blocks; bz#2717
|
||||
* ssh-keygen(1): allow inclusion of arbitrary string or flag
|
||||
certificate extensions and critical options.
|
||||
* ssh-keygen(1): allow ssh-keygen to use a key held in
|
||||
ssh-agent as a CA when signing certificates. bz#2377
|
||||
* ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an
|
||||
explicit ToS/DSCP value and just use the operating system
|
||||
default.
|
||||
* ssh-add(1): added -q option to make ssh-add quiet on success.
|
||||
* ssh(1): expand the StrictHostKeyChecking option with two new
|
||||
settings. The first "accept-new" will automatically accept
|
||||
hitherto-unseen keys but will refuse connections for changed
|
||||
or invalid hostkeys. This is a safer subset of the current
|
||||
behaviour of StrictHostKeyChecking=no. The second setting
|
||||
"off", is a synonym for the current behaviour of
|
||||
StrictHostKeyChecking=no: accept new host keys, and continue
|
||||
connection for hosts with incorrect hostkeys. A future
|
||||
release will change the meaning of StrictHostKeyChecking=no
|
||||
to the behaviour of "accept-new". bz#2400
|
||||
* ssh(1): add SyslogFacility option to ssh(1) matching the
|
||||
equivalent option in sshd(8). bz#2705
|
||||
---- Bugfixes
|
||||
* ssh(1): use HostKeyAlias if specified instead of hostname for
|
||||
matching host certificate principal names; bz#2728
|
||||
* sftp(1): implement sorting for globbed ls; bz#2649
|
||||
* ssh(1): add a user@host prefix to client's "Permission
|
||||
denied" messages, useful in particular when using "stacked"
|
||||
connections (e.g. ssh -J) where it's not clear which host is
|
||||
denying. bz#2720
|
||||
* ssh(1): accept unknown EXT_INFO extension values that contain
|
||||
\0 characters. These are legal, but would previously cause
|
||||
fatal connection errors if received.
|
||||
* ssh(1)/sshd(8): repair compression statistics printed at
|
||||
connection exit
|
||||
* sftp(1): print '?' instead of incorrect link count (that the
|
||||
protocol doesn't provide) for remote listings. bz#2710
|
||||
* ssh(1): return failure rather than fatal() for more cases
|
||||
during session multiplexing negotiations. Causes the session
|
||||
to fall back to a non-mux connection if they occur. bz#2707
|
||||
* ssh(1): mention that the server may send debug messages to
|
||||
explain public key authentication problems under some
|
||||
circumstances; bz#2709
|
||||
* Translate OpenSSL error codes to better report incorrect
|
||||
passphrase errors when loading private keys; bz#2699
|
||||
* sshd(8): adjust compatibility patterns for WinSCP to
|
||||
correctly identify versions that implement only the legacy DH
|
||||
group exchange scheme. bz#2748
|
||||
* ssh(1): print the "Killed by signal 1" message only at
|
||||
LogLevel verbose so that it is not shown at the default
|
||||
level; prevents it from appearing during ssh -J and
|
||||
equivalent ProxyCommand configs. bz#1906, bz#2744
|
||||
* ssh-keygen(1): when generating all hostkeys (ssh-keygen -A),
|
||||
clobber existing keys if they exist but are zero length.
|
||||
zero-length keys could previously be made if ssh-keygen
|
||||
failed or was interrupted part way through generating them.
|
||||
bz#2561
|
||||
* ssh(1): fix pledge(2) violation in the escape sequence "~&"
|
||||
used to place the current session in the background.
|
||||
* ssh-keyscan(1): avoid double-close() on file descriptors;
|
||||
bz#2734
|
||||
* sshd(8): avoid reliance on shared use of pointers shared
|
||||
between monitor and child sshd processes. bz#2704
|
||||
* sshd_config(8): document available AuthenticationMethods;
|
||||
bz#2453
|
||||
* ssh(1): avoid truncation in some login prompts; bz#2768
|
||||
* sshd(8): Fix various compilations failures, inc bz#2767
|
||||
* ssh(1): make "--" before the hostname terminate argument
|
||||
processing after the hostname too.
|
||||
* ssh-keygen(1): switch from aes256-cbc to aes256-ctr for
|
||||
encrypting new-style private keys. Fixes problems related to
|
||||
private key handling for no-OpenSSL builds. bz#2754
|
||||
* ssh(1): warn and do not attempt to use keys when the public
|
||||
and private halves do not match. bz#2737
|
||||
* sftp(1): don't print verbose error message when ssh
|
||||
disconnects from under sftp. bz#2750
|
||||
* sshd(8): fix keepalive scheduling problem: activity on a
|
||||
forwarded port from preventing the keepalive from being sent;
|
||||
bz#2756
|
||||
* sshd(8): when started without root privileges, don't require
|
||||
the privilege separation user or path to exist. Makes running
|
||||
the regression tests easier without touching the filesystem.
|
||||
* Make integrity.sh regression tests more robust against
|
||||
timeouts. bz#2658
|
||||
* ssh(1)/sshd(8): correctness fix for channels implementation:
|
||||
accept channel IDs greater than 0x7FFFFFFF.
|
||||
---- Portability
|
||||
* sshd(9): drop two more privileges in the Solaris sandbox:
|
||||
PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723
|
||||
* sshd(8): expose list of completed authentication methods to
|
||||
PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408
|
||||
* ssh(1)/sshd(8): fix several problems in the tun/tap
|
||||
forwarding code, mostly to do with host/network byte order
|
||||
confusion. bz#2735
|
||||
* Add --with-cflags-after and --with-ldflags-after configure
|
||||
flags to allow setting CFLAGS/LDFLAGS after configure has
|
||||
completed. These are useful for setting sanitiser/fuzzing
|
||||
options that may interfere with configure's operation.
|
||||
* sshd(8): avoid Linux seccomp violations on ppc64le over the
|
||||
socketcall syscall.
|
||||
* Fix use of ldns when using ldns-config; bz#2697
|
||||
* configure: set cache variables when cross-compiling. The
|
||||
cross- compiling fallback message was saying it assumed the
|
||||
test passed, but it wasn't actually set the cache variables
|
||||
and this would cause later tests to fail.
|
||||
* Add clang libFuzzer harnesses for public key parsing and
|
||||
signature verification.
|
||||
- packaging:
|
||||
* removal of all 7.2 patches
|
||||
* first round of rebased patches:
|
||||
[openssh-7.6p1-X11_trusted_forwarding.patch]
|
||||
[openssh-7.6p1-allow_root_password_login.patch]
|
||||
[openssh-7.6p1-blocksigalrm.patch]
|
||||
[openssh-7.6p1-disable_short_DH_parameters.patch]
|
||||
[openssh-7.6p1-eal3.patch]
|
||||
[openssh-7.6p1-enable_PAM_by_default.patch]
|
||||
[openssh-7.6p1-hostname_changes_when_forwarding_X.patch]
|
||||
[openssh-7.6p1-lastlog.patch]
|
||||
[openssh-7.6p1-pam_check_locks.patch]
|
||||
[openssh-7.6p1-pts_names_formatting.patch]
|
||||
[openssh-7.6p1-remove_xauth_cookies_on_exit.patch]
|
||||
[openssh-7.6p1-seccomp_geteuid.patch]
|
||||
[openssh-7.6p1-seccomp_getuid.patch]
|
||||
[openssh-7.6p1-seccomp_stat.patch]
|
||||
[openssh-7.6p1-send_locale.patch]
|
||||
* not rebased (obsoleted) patches (so far):
|
||||
[openssh-7.2p2-saveargv-fix.diff]
|
||||
[openssh-7.2p2-dont_use_pthreads_in_PAM.diff]
|
||||
[openssh-7.2p2-gssapimitm.diff]
|
||||
[openssh-7.2p2-eal3_obsolete.diff]
|
||||
[openssh-7.2p2-default_protocol.diff]
|
||||
[openssh-7.2p2-additional_seccomp_archs.patch]
|
||||
- Silent complaints about unsupported key exchange methods
|
||||
(bsc#1006166)
|
||||
[openssh-7.2p2-fips_fixes.patch]
|
||||
- Stricter checking of operations in read-only mode in sftp server
|
||||
(CVE-2017-15906, bsc#1065000)
|
||||
[openssh-7.2p2-stricter_readonly_sftp.patch]
|
||||
- Refine handling of sockets for X11 forwarding to remove
|
||||
reintroduced CVE-2008-1483 (bsc#1069509)
|
||||
- systemd integration to work around various race conditions
|
||||
(bsc#1048367)
|
||||
[openssh-7.2p2-systemd-notify.patch]
|
||||
- Add back support for TCP wrappers removed by the upgrade
|
||||
to 7.2p2. TCP wrappers support will be dripped with the next
|
||||
version upgrade.
|
||||
[openssh-7.2p2-tcpwrappers.patch]
|
||||
- fix regression of (bsc#823710)
|
||||
[openssh-7.2p2-audit_fixes.patch]
|
||||
- new switch for printing diagnostic messages in sftp client's
|
||||
batch mode (bsc#1023275)
|
||||
[openssh-7.2p2-sftp_print_diagnostic_messages.patch]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 25 15:09:06 UTC 2017 - jsegitz@suse.com
|
||||
|
133
openssh.spec
133
openssh.spec
@ -16,11 +16,6 @@
|
||||
#
|
||||
|
||||
|
||||
#Compat macro for new _fillupdir macro introduced in Nov 2017
|
||||
%if ! %{defined _fillupdir}
|
||||
%define _fillupdir /var/adm/fillup-templates
|
||||
%endif
|
||||
|
||||
%if 0%{suse_version} >= 1100
|
||||
%define has_fw_dir 1
|
||||
%else
|
||||
@ -98,7 +93,7 @@ PreReq: pwdutils %{fillup_prereq} coreutils
|
||||
%if ! %{uses_systemd}
|
||||
PreReq: %{insserv_prereq}
|
||||
%endif
|
||||
Version: 7.6p1
|
||||
Version: 7.2p2
|
||||
Release: 0
|
||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||
License: BSD-2-Clause and MIT
|
||||
@ -118,21 +113,58 @@ Source9: sshd-gen-keys-start
|
||||
Source10: sshd.service
|
||||
Source11: README.FIPS
|
||||
Source12: cavs_driver-ssh.pl
|
||||
Patch00: openssh-7.6p1-allow_root_password_login.patch
|
||||
Patch01: openssh-7.6p1-X11_trusted_forwarding.patch
|
||||
Patch02: openssh-7.6p1-lastlog.patch
|
||||
Patch03: openssh-7.6p1-enable_PAM_by_default.patch
|
||||
Patch04: openssh-7.6p1-eal3.patch
|
||||
Patch05: openssh-7.6p1-blocksigalrm.patch
|
||||
Patch06: openssh-7.6p1-send_locale.patch
|
||||
Patch07: openssh-7.6p1-hostname_changes_when_forwarding_X.patch
|
||||
Patch08: openssh-7.6p1-remove_xauth_cookies_on_exit.patch
|
||||
Patch09: openssh-7.6p1-pts_names_formatting.patch
|
||||
Patch10: openssh-7.6p1-pam_check_locks.patch
|
||||
Patch11: openssh-7.6p1-disable_short_DH_parameters.patch
|
||||
Patch12: openssh-7.6p1-seccomp_getuid.patch
|
||||
Patch13: openssh-7.6p1-seccomp_geteuid.patch
|
||||
Patch14: openssh-7.6p1-seccomp_stat.patch
|
||||
Patch00: openssh-7.2p2-allow_root_password_login.patch
|
||||
Patch01: openssh-7.2p2-allow_DSS_by_default.patch
|
||||
Patch02: openssh-7.2p2-X11_trusted_forwarding.patch
|
||||
Patch03: openssh-7.2p2-lastlog.patch
|
||||
Patch04: openssh-7.2p2-enable_PAM_by_default.patch
|
||||
Patch05: openssh-7.2p2-dont_use_pthreads_in_PAM.patch
|
||||
Patch06: openssh-7.2p2-eal3.patch
|
||||
Patch07: openssh-7.2p2-blocksigalrm.patch
|
||||
Patch08: openssh-7.2p2-send_locale.patch
|
||||
Patch09: openssh-7.2p2-hostname_changes_when_forwarding_X.patch
|
||||
Patch10: openssh-7.2p2-remove_xauth_cookies_on_exit.patch
|
||||
Patch11: openssh-7.2p2-pts_names_formatting.patch
|
||||
Patch12: openssh-7.2p2-pam_check_locks.patch
|
||||
Patch13: openssh-7.2p2-disable_short_DH_parameters.patch
|
||||
Patch14: openssh-7.2p2-seccomp_getuid.patch
|
||||
Patch15: openssh-7.2p2-seccomp_geteuid.patch
|
||||
Patch16: openssh-7.2p2-seccomp_stat.patch
|
||||
Patch17: openssh-7.2p2-additional_seccomp_archs.patch
|
||||
Patch18: openssh-7.2p2-fips.patch
|
||||
Patch19: openssh-7.2p2-fips_fixes.patch
|
||||
Patch21: openssh-7.2p2-cavstest-ctr.patch
|
||||
Patch22: openssh-7.2p2-cavstest-kdf.patch
|
||||
Patch23: openssh-7.2p2-seed-prng.patch
|
||||
Patch24: openssh-7.2p2-gssapi_key_exchange.patch
|
||||
Patch25: openssh-7.2p2-audit.patch
|
||||
Patch26: openssh-7.2p2-audit_fixes.patch
|
||||
Patch27: openssh-7.2p2-audit_seed_prng.patch
|
||||
Patch28: openssh-7.2p2-login_options.patch
|
||||
Patch29: openssh-7.2p2-disable_openssl_abi_check.patch
|
||||
Patch30: openssh-7.2p2-no_fork-no_pid_file.patch
|
||||
Patch31: openssh-7.2p2-host_ident.patch
|
||||
Patch32: openssh-7.2p2-sftp_homechroot.patch
|
||||
Patch33: openssh-7.2p2-sftp_force_permissions.patch
|
||||
Patch34: openssh-7.2p2-X_forward_with_disabled_ipv6.patch
|
||||
Patch35: openssh-7.2p2-ldap.patch
|
||||
Patch36: openssh-7.2p2-IPv6_X_forwarding.patch
|
||||
Patch37: openssh-7.2p2-ignore_PAM_with_UseLogin.patch
|
||||
Patch38: openssh-7.2p2-prevent_timing_user_enumeration.patch
|
||||
Patch39: openssh-7.2p2-limit_password_length.patch
|
||||
Patch40: openssh-7.2p2-keep_slogin.patch
|
||||
Patch41: openssh-7.2p2-kex_resource_depletion.patch
|
||||
Patch42: openssh-7.2p2-verify_CIDR_address_ranges.patch
|
||||
Patch43: openssh-7.2p2-restrict_pkcs11-modules.patch
|
||||
Patch44: openssh-7.2p2-prevent_private_key_leakage.patch
|
||||
Patch45: openssh-7.2p2-secure_unix_sockets_forwarding.patch
|
||||
Patch46: openssh-7.2p2-ssh_case_insensitive_host_matching.patch
|
||||
Patch47: openssh-7.2p2-disable_preauth_compression.patch
|
||||
Patch48: openssh-7.2p2-s390_hw_crypto_syscalls.patch
|
||||
Patch49: openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch
|
||||
Patch50: openssh-7.2p2-sftp_print_diagnostic_messages.patch
|
||||
Patch51: openssh-7.2p2-stricter_readonly_sftp.patch
|
||||
Patch52: openssh-7.2p2-tcpwrappers.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
Conflicts: nonfreessh
|
||||
Recommends: audit
|
||||
@ -199,14 +231,51 @@ FIPS140 CAVS tests related parts of the OpenSSH package
|
||||
%patch12 -p2
|
||||
%patch13 -p2
|
||||
%patch14 -p2
|
||||
%patch15 -p2
|
||||
%patch16 -p2
|
||||
%patch17 -p2
|
||||
%patch18 -p2
|
||||
%patch19 -p2
|
||||
%patch21 -p2
|
||||
%patch22 -p2
|
||||
%patch23 -p2
|
||||
%patch24 -p2
|
||||
%patch25 -p2
|
||||
%patch26 -p2
|
||||
%patch27 -p2
|
||||
%patch28 -p2
|
||||
%patch29 -p2
|
||||
%patch30 -p2
|
||||
%patch31 -p2
|
||||
%patch32 -p2
|
||||
%patch33 -p2
|
||||
%patch34 -p2
|
||||
%patch35 -p2
|
||||
%patch36 -p2
|
||||
%patch37 -p2
|
||||
%patch38 -p2
|
||||
%patch39 -p2
|
||||
%patch40 -p2
|
||||
%patch41 -p2
|
||||
%patch42 -p2
|
||||
%patch43 -p2
|
||||
%patch44 -p2
|
||||
%patch45 -p2
|
||||
%patch46 -p2
|
||||
%patch47 -p2
|
||||
%patch48 -p2
|
||||
%patch49 -p2
|
||||
%patch50 -p2
|
||||
%patch51 -p2
|
||||
%patch52 -p2
|
||||
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
|
||||
|
||||
%build
|
||||
### TODO: # set libexec dir in the LDAP patch
|
||||
### TODO: sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
||||
### TODO: $( grep -Rl @LIBEXECDIR@ \
|
||||
### TODO: $( grep "^+++" %{PATCH33} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
||||
### TODO: )
|
||||
# set libexec dir in the LDAP patch
|
||||
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
||||
$( grep -Rl @LIBEXECDIR@ \
|
||||
$( grep "^+++" %{PATCH35} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
||||
)
|
||||
|
||||
autoreconf -fiv
|
||||
%ifarch s390 s390x %sparc
|
||||
@ -278,8 +347,8 @@ install -D -m 0755 %{SOURCE1} %{buildroot}%{_initddir}/sshd
|
||||
install -m 0644 %{SOURCE10} .
|
||||
ln -s ../..%{_initddir}/sshd %{buildroot}%{_sbindir}/rcsshd
|
||||
%endif
|
||||
install -d -m 755 %{buildroot}%{_fillupdir}
|
||||
install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}
|
||||
install -d -m 755 %{buildroot}/var/adm/fillup-templates
|
||||
install -m 644 %{SOURCE8} %{buildroot}/var/adm/fillup-templates
|
||||
# install shell script to automate the process of adding your public key to a remote machine
|
||||
install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
|
||||
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
|
||||
@ -388,7 +457,7 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
|
||||
%attr(0444,root,root) %doc %{_mandir}/man8/*
|
||||
%dir %{_sysconfdir}/slp.reg.d
|
||||
%config %{_sysconfdir}/slp.reg.d/ssh.reg
|
||||
%{_fillupdir}/sysconfig.ssh
|
||||
/var/adm/fillup-templates/sysconfig.ssh
|
||||
%if %{has_fw_dir}
|
||||
%if %{needs_all_dirs}
|
||||
%dir %{_fwdir}
|
||||
@ -400,10 +469,10 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
|
||||
%files helpers
|
||||
%defattr(-,root,root)
|
||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||
#verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
|
||||
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
|
||||
%attr(0755,root,root) %dir %{_libexecdir}/ssh
|
||||
#attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
|
||||
#doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
|
||||
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
|
||||
|
||||
%files fips
|
||||
%defattr(-,root,root)
|
||||
|
Loading…
Reference in New Issue
Block a user