forked from pool/openssh

Accepting request 863944 from home:dirkmueller:branches:network

- update to 8.4p1:
  Security
  ========
 * ssh-agent(1): restrict ssh-agent from signing web challenges for
   FIDO/U2F keys.
 * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating
   a FIDO resident key.
 * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for
   each use. These keys may be generated using ssh-keygen using a new
   "verify-required" option. When a PIN-required key is used, the user
   will be prompted for a PIN to complete the signature operation.
  New Features
  ------------
 * sshd(8): authorized_keys now supports a new "verify-required"
   option to require FIDO signatures assert that the token verified
   that the user was present before making the signature. The FIDO
   protocol supports multiple methods for user-verification, but
   currently OpenSSH only supports PIN verification.
 * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn
   signatures. Webauthn is a standard for using FIDO keys in web
   browsers. These signatures are a slightly different format to plain
   FIDO signatures and thus require explicit support.
 * ssh(1): allow some keywords to expand shell-style ${ENV}
   environment variables. The supported keywords are CertificateFile,
   ControlPath, IdentityAgent and IdentityFile, plus LocalForward and
   RemoteForward when used for Unix domain socket paths. bz#3140
 * ssh(1), ssh-agent(1): allow some additional control over the use of
   ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
   including forcibly enabling and disabling its use. bz#69
 * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time

OBS-URL: https://build.opensuse.org/request/show/863944
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=222
Hans Petter Jansson 2021-01-18 01:12:55 +00:00 committed by Git OBS Bridge
parent 87425e5010
commit 6543c1a02b
17 changed files with 583 additions and 454 deletions

View File

@ -5,11 +5,11 @@ default of forbidding access to the root account with a password, we are
temporarily introducing this change to keep the default used in older OpenSSH
versions shipped with SLE.
Index: openssh-7.9p1/servconf.c
Index: openssh-8.4p1/servconf.c
===================================================================
--- openssh-7.9p1.orig/servconf.c
+++ openssh-7.9p1/servconf.c
@@ -292,7 +292,7 @@ fill_default_server_options(ServerOption
--- openssh-8.4p1.orig/servconf.c
+++ openssh-8.4p1/servconf.c
@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption
if (options->login_grace_time == -1)
options->login_grace_time = 120;
if (options->permit_root_login == PERMIT_NOT_SET)
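Review bot: the header calls this a temporary change, yet this hunk only rebases it from openssh-7.9p1 to openssh-8.4p1 (the Index/---/+++ headers and the servconf.c offset 292 to 329 change; the `if (options->permit_root_login == PERMIT_NOT_SET)` context is untouched). A patch that keeps password logins for root allowed by default, against upstream's prohibit-password, should carry a bug or FATE reference and a stated exit criterion in its header so it is not carried forward indefinitely by mechanical rediffs.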
@ -18,10 +18,10 @@ Index: openssh-7.9p1/servconf.c
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
Index: openssh-7.9p1/sshd_config
Index: openssh-8.4p1/sshd_config
===================================================================
--- openssh-7.9p1.orig/sshd_config
+++ openssh-7.9p1/sshd_config
--- openssh-8.4p1.orig/sshd_config
+++ openssh-8.4p1/sshd_config
@@ -29,7 +29,7 @@
# Authentication:
@ -31,11 +31,11 @@ Index: openssh-7.9p1/sshd_config
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
Index: openssh-7.9p1/sshd_config.0
Index: openssh-8.4p1/sshd_config.0
===================================================================
--- openssh-7.9p1.orig/sshd_config.0
+++ openssh-7.9p1/sshd_config.0
@@ -749,7 +749,7 @@ DESCRIPTION
--- openssh-8.4p1.orig/sshd_config.0
+++ openssh-8.4p1/sshd_config.0
@@ -778,7 +778,7 @@ DESCRIPTION
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument
must be yes, prohibit-password, forced-commands-only, or no. The
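Review bot: sshd_config.0 is the pre-rendered copy of sshd_config.5 and this patch edits both by hand (offsets 749 to 778 here, 1285 to 1331 in the next hunk); nothing at build time checks that the two hunks still say the same thing. Either regenerate the .0 from the patched .5 with mandoc during the build or keep the wording of the two hunks identical character for character.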
@ -44,11 +44,11 @@ Index: openssh-7.9p1/sshd_config.0
If this option is set to prohibit-password (or its deprecated
alias, without-password), password and keyboard-interactive
Index: openssh-7.9p1/sshd_config.5
Index: openssh-8.4p1/sshd_config.5
===================================================================
--- openssh-7.9p1.orig/sshd_config.5
+++ openssh-7.9p1/sshd_config.5
@@ -1285,7 +1285,7 @@ The argument must be
--- openssh-8.4p1.orig/sshd_config.5
+++ openssh-8.4p1/sshd_config.5
@@ -1331,7 +1331,7 @@ The argument must be
or
.Cm no .
The default is

View File

@ -2,10 +2,10 @@
# Parent cc1022edba2c5eeb0facba08468f65afc2466b63
CAVS test for OpenSSH's own CTR encryption mode implementation
diff --git a/Makefile.in b/Makefile.in
index d5c37b5..5d4fcd2 100644
--- a/Makefile.in
+++ b/Makefile.in
Index: openssh-8.4p1/Makefile.in
===================================================================
--- openssh-8.4p1.orig/Makefile.in
+++ openssh-8.4p1/Makefile.in
@@ -25,6 +25,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
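Review bot: the `# Parent cc1022edba2c5eeb0facba08468f65afc2466b63` line at the top of the patch is a Mercurial export artifact; now that the patch is carried in quilt `Index:` form it refers to nothing in the package. Replace it with the upstream or bug reference for the CAVS driver (or drop it); the `# Parent` line in the KDF patch below has the same problem.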
@ -14,7 +14,7 @@ index d5c37b5..5d4fcd2 100644
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
STRIP_OPT=@STRIP_OPT@
@@ -70,6 +71,8 @@ MKDIR_P=@MKDIR_P@
@@ -68,6 +69,8 @@ MKDIR_P=@MKDIR_P@
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
@ -23,7 +23,7 @@ index d5c37b5..5d4fcd2 100644
XMSS_OBJS=\
ssh-xmss.o \
sshkey-xmss.o \
@@ -244,6 +247,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
@@ -242,6 +245,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
@ -34,7 +34,7 @@ index d5c37b5..5d4fcd2 100644
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
@@ -398,6 +405,7 @@ install-files:
@@ -400,6 +407,7 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@ -42,11 +42,10 @@ index d5c37b5..5d4fcd2 100644
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
diff --git a/cavstest-ctr.c b/cavstest-ctr.c
new file mode 100644
index 0000000..f81cb72
Index: openssh-8.4p1/cavstest-ctr.c
===================================================================
--- /dev/null
+++ b/cavstest-ctr.c
+++ openssh-8.4p1/cavstest-ctr.c
@@ -0,0 +1,214 @@
+/*
+ *
@ -262,10 +261,10 @@ index 0000000..f81cb72
+ printf("\n");
+ return 0;
+}
diff --git a/cipher.c b/cipher.c
index 2f5430b..599b54a 100644
--- a/cipher.c
+++ b/cipher.c
Index: openssh-8.4p1/cipher.c
===================================================================
--- openssh-8.4p1.orig/cipher.c
+++ openssh-8.4p1/cipher.c
@@ -58,15 +58,6 @@
#define EVP_CIPHER_CTX void
#endif
@ -282,10 +281,10 @@ index 2f5430b..599b54a 100644
struct sshcipher {
char *name;
u_int block_size;
diff --git a/cipher.h b/cipher.h
index 1a591cd..10ccb28 100644
--- a/cipher.h
+++ b/cipher.h
Index: openssh-8.4p1/cipher.h
===================================================================
--- openssh-8.4p1.orig/cipher.h
+++ openssh-8.4p1/cipher.h
@@ -48,7 +48,15 @@
#define CIPHER_DECRYPT 0
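Review bot: the cipher.c hunk removes nine lines directly after `#define EVP_CIPHER_CTX void` / `#endif`, in front of the `struct sshcipher { char *name; u_int block_size;` context, and the cipher.h hunk adds eight lines after `#define CIPHER_DECRYPT 0`, which reads as moving the private `struct sshcipher` definition into the public header so the CAVS driver can reach it. Prefer keeping the struct private and exporting only what the driver needs (a lookup by name plus the block, key and IV sizes) so a test harness does not widen cipher.h for every other consumer.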

View File

@ -2,10 +2,10 @@
# Parent 1e1d5a2ab8bddfc800f570755f9ea1addcc878c1
CAVS test for KDF implementation in OpenSSH
diff --git a/Makefile.in b/Makefile.in
index 5d4fcd2..9eab827 100644
--- a/Makefile.in
+++ b/Makefile.in
Index: openssh-8.4p1/Makefile.in
===================================================================
--- openssh-8.4p1.orig/Makefile.in
+++ openssh-8.4p1/Makefile.in
@@ -26,6 +26,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
@ -14,7 +14,7 @@ index 5d4fcd2..9eab827 100644
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
STRIP_OPT=@STRIP_OPT@
@@ -71,7 +72,7 @@ MKDIR_P=@MKDIR_P@
@@ -69,7 +70,7 @@ MKDIR_P=@MKDIR_P@
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
@ -23,7 +23,7 @@ index 5d4fcd2..9eab827 100644
XMSS_OBJS=\
ssh-xmss.o \
@@ -251,6 +252,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
@@ -249,6 +250,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
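Review bot: the `cavstest-ctr` link line lists `-lssh` twice (`-lssh -lopenbsd-compat -lssh`) and pulls in `ssh-sk.o sk-usbhid.o` and `$(LIBFIDO2)` for a driver that exercises only the CTR cipher. If those objects are there merely to satisfy security-key references from libssh.a, link `$(SKOBJS)` (`ssh-sk-client.o`, which the regular clients use) instead, so the FIPS test binary does not depend on libfido2 and USB HID; the repeated `-lssh` looks copied from the ssh-sk-helper rule and should go if it is not needed here.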
@ -33,7 +33,7 @@ index 5d4fcd2..9eab827 100644
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
@@ -406,6 +410,7 @@ install-files:
@@ -408,6 +412,7 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
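Review bot: `cavstest-ctr` (and `cavstest-kdf`, which this patch adds on the following line) is installed into `$(DESTDIR)$(libexecdir)` with mode 0755 in every build. CAVS drivers exist to feed NIST test vectors through the implementation during validation, not for normal operation; gate the install rule behind the FIPS build option or put the binaries into a separate testing subpackage so the production package does not ship them.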
@ -41,11 +41,10 @@ index 5d4fcd2..9eab827 100644
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
diff --git a/cavstest-kdf.c b/cavstest-kdf.c
new file mode 100644
index 0000000..a6ecf45
Index: openssh-8.4p1/cavstest-kdf.c
===================================================================
--- /dev/null
+++ b/cavstest-kdf.c
+++ openssh-8.4p1/cavstest-kdf.c
@@ -0,0 +1,402 @@
+/*
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>

View File

@ -3,11 +3,11 @@
FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
algorithms.
diff --git a/Makefile.in b/Makefile.in
index 62cd072..d5c37b5 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -114,6 +114,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
Index: openssh-8.4p1/Makefile.in
===================================================================
--- openssh-8.4p1.orig/Makefile.in
+++ openssh-8.4p1/Makefile.in
@@ -112,6 +112,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
SKOBJS= ssh-sk-client.o
@ -16,10 +16,10 @@ index 62cd072..d5c37b5 100644
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect2.o mux.o $(SKOBJS)
diff --git a/cipher-ctr.c b/cipher-ctr.c
index 32771f2..b66f92f 100644
--- a/cipher-ctr.c
+++ b/cipher-ctr.c
Index: openssh-8.4p1/cipher-ctr.c
===================================================================
--- openssh-8.4p1.orig/cipher-ctr.c
+++ openssh-8.4p1/cipher-ctr.c
@@ -27,6 +27,8 @@
#include "xmalloc.h"
#include "log.h"
@ -38,10 +38,10 @@ index 32771f2..b66f92f 100644
#endif
return (&aes_ctr);
}
diff --git a/cipher.c b/cipher.c
index 8195199..2f5430b 100644
--- a/cipher.c
+++ b/cipher.c
Index: openssh-8.4p1/cipher.c
===================================================================
--- openssh-8.4p1.orig/cipher.c
+++ openssh-8.4p1/cipher.c
@@ -51,6 +51,9 @@
#include "openbsd-compat/openssl-compat.h"
@ -61,7 +61,7 @@ index 8195199..2f5430b 100644
#ifdef WITH_OPENSSL
#ifndef OPENSSL_NO_DES
{ "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
@@ -114,8 +117,52 @@ static const struct sshcipher ciphers[] = {
@@ -114,8 +117,52 @@ static const struct sshcipher ciphers[]
{ NULL, 0, 0, 0, 0, 0, NULL }
};
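Review bot: the 44 lines added after the `{ NULL, 0, 0, 0, 0, 0, NULL }` terminator of `ciphers[]` (and the parallel additions after `kexalgs[]` in kex.c and in mac.c) build a second, FIPS-only selection over the same algorithms; two tables drift as soon as upstream adds or removes an entry. A flag in `struct sshcipher` next to the existing `CFLAG_CBC` bit, tested in the lookup and listing functions, keeps one source of truth, and demoting `3des-cbc` (deprecated by SP 800-131A rev. 2) later becomes a one-bit change instead of an edit to a separate list.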
@ -132,11 +132,10 @@ index 8195199..2f5430b 100644
if (strcmp(c->name, name) == 0)
return c;
return NULL;
diff --git a/fips.c b/fips.c
new file mode 100644
index 0000000..23e3876
Index: openssh-8.4p1/fips.c
===================================================================
--- /dev/null
+++ b/fips.c
+++ openssh-8.4p1/fips.c
@@ -0,0 +1,212 @@
+/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
@ -350,11 +349,10 @@ index 0000000..23e3876
+ return dgst;
+}
+
diff --git a/fips.h b/fips.h
new file mode 100644
index 0000000..a115a61
Index: openssh-8.4p1/fips.h
===================================================================
--- /dev/null
+++ b/fips.h
+++ openssh-8.4p1/fips.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
@ -400,11 +398,11 @@ index 0000000..a115a61
+
+#endif
+
diff --git a/hmac.c b/hmac.c
index 7b58801..5a92074 100644
--- a/hmac.c
+++ b/hmac.c
@@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void *m, size_t mlen, u_char *e, size_t elen)
Index: openssh-8.4p1/hmac.c
===================================================================
--- openssh-8.4p1.orig/hmac.c
+++ openssh-8.4p1/hmac.c
@@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void *
size_t i;
u_char digest[16];
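Review bot: `u_char digest[16]` in the unchanged context is the MD5 output size, and the line this hunk rewrites is the `ssh_hmac_start(...)` call directly above `printf("ssh_hmac_start failed")`. If the self-test is moved off MD5 for FIPS mode, the buffer and the expected-vector length in `hmac_test` must follow (20 bytes for SHA-1, 32 for SHA-256); `ssh_hmac_final` refuses an output buffer shorter than the digest, so the test would otherwise fail for the wrong reason.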
@ -413,11 +411,11 @@ index 7b58801..5a92074 100644
printf("ssh_hmac_start failed");
if (ssh_hmac_init(ctx, key, klen) < 0 ||
ssh_hmac_update(ctx, m, mlen) < 0 ||
diff --git a/kex.c b/kex.c
index b09fbac..a5e4be7 100644
--- a/kex.c
+++ b/kex.c
@@ -63,6 +63,8 @@
Index: openssh-8.4p1/kex.c
===================================================================
--- openssh-8.4p1.orig/kex.c
+++ openssh-8.4p1/kex.c
@@ -62,6 +62,8 @@
#include "sshbuf.h"
#include "digest.h"
@ -426,7 +424,7 @@ index b09fbac..a5e4be7 100644
/* prototype */
static int kex_choose_conf(struct ssh *);
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
@@ -86,7 +88,7 @@ struct kexalg {
@@ -85,7 +87,7 @@ struct kexalg {
int ec_nid;
int hash_alg;
};
@ -435,7 +433,7 @@ index b09fbac..a5e4be7 100644
#ifdef WITH_OPENSSL
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
@@ -117,6 +119,47 @@ static const struct kexalg kexalgs[] = {
@@ -116,6 +118,47 @@ static const struct kexalg kexalgs[] = {
{ NULL, 0, -1, -1},
};
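Review bot: the 41 lines added after the `{ NULL, 0, -1, -1}` terminator of `kexalgs[]` presumably select the FIPS-mode key exchanges. Make sure `KEX_DH1` (`diffie-hellman-group1-sha1`, the 1024-bit MODP group listed in this hunk's context) is not among them, since SP 800-131A disallows finite-field DH with moduli below 2048 bits, and decide explicitly whether the SHA-1 variants such as `KEX_DH14_SHA1` stay. An allowed-in-FIPS column in `struct kexalg` would make that decision reviewable in one place instead of a second table.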
@ -483,7 +481,7 @@ index b09fbac..a5e4be7 100644
char *
kex_alg_list(char sep)
{
@@ -124,7 +167,7 @@ kex_alg_list(char sep)
@@ -123,7 +166,7 @@ kex_alg_list(char sep)
size_t nlen, rlen = 0;
const struct kexalg *k;
@ -492,7 +490,7 @@ index b09fbac..a5e4be7 100644
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(k->name);
@@ -144,7 +187,7 @@ kex_alg_by_name(const char *name)
@@ -143,7 +186,7 @@ kex_alg_by_name(const char *name)
{
const struct kexalg *k;
@ -501,7 +499,7 @@ index b09fbac..a5e4be7 100644
if (strcmp(k->name, name) == 0)
return k;
}
@@ -164,7 +207,10 @@ kex_names_valid(const char *names)
@@ -163,7 +206,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) {
@ -512,10 +510,10 @@ index b09fbac..a5e4be7 100644
free(s);
return 0;
}
diff --git a/mac.c b/mac.c
index f3dda66..90d71c8 100644
--- a/mac.c
+++ b/mac.c
Index: openssh-8.4p1/mac.c
===================================================================
--- openssh-8.4p1.orig/mac.c
+++ openssh-8.4p1/mac.c
@@ -41,6 +41,9 @@
#include "openbsd-compat/openssl-compat.h"
@ -586,7 +584,7 @@ index f3dda66..90d71c8 100644
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(m->name);
@@ -126,7 +164,7 @@ mac_setup(struct sshmac *mac, char *name)
@@ -126,7 +164,7 @@ mac_setup(struct sshmac *mac, char *name
{
const struct macalg *m;
@ -595,10 +593,10 @@ index f3dda66..90d71c8 100644
if (strcmp(name, m->name) != 0)
continue;
if (mac != NULL)
diff --git a/readconf.c b/readconf.c
index 26e80c5..595f053 100644
--- a/readconf.c
+++ b/readconf.c
Index: openssh-8.4p1/readconf.c
===================================================================
--- openssh-8.4p1.orig/readconf.c
+++ openssh-8.4p1/readconf.c
@@ -68,6 +68,8 @@
#include "myproposal.h"
#include "digest.h"
@ -608,7 +606,7 @@ index 26e80c5..595f053 100644
/* Format of the configuration file:
# Configuration data is parsed as follows:
@@ -1908,6 +1910,23 @@ option_clear_or_none(const char *o)
@@ -1949,6 +1951,23 @@ option_clear_or_none(const char *o)
return o == NULL || strcasecmp(o, "none") == 0;
}
@ -632,7 +630,7 @@ index 26e80c5..595f053 100644
/*
* Initializes options to special values that indicate that they have not yet
* been set. Read_config_file will only set options with this value. Options
@@ -2196,6 +2215,9 @@ fill_default_options(Options * options)
@@ -2240,6 +2259,9 @@ fill_default_options(Options * options)
options->canonicalize_hostname = SSH_CANONICALISE_NO;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@ -642,7 +640,7 @@ index 26e80c5..595f053 100644
#ifdef ENABLE_SK_INTERNAL
if (options->sk_provider == NULL)
options->sk_provider = xstrdup("internal");
@@ -2229,6 +2251,7 @@ fill_default_options(Options * options)
@@ -2273,6 +2295,7 @@ fill_default_options(Options * options)
ASSEMBLE(pubkey_key_types, def_key, all_key);
ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
#undef ASSEMBLE
@ -650,7 +648,7 @@ index 26e80c5..595f053 100644
free(all_cipher);
free(all_mac);
free(all_kex);
@@ -2240,6 +2263,8 @@ fill_default_options(Options * options)
@@ -2284,6 +2307,8 @@ fill_default_options(Options * options)
kex_default_pk_alg_filtered = def_key; /* save for later use */
free(def_sig);
@ -659,11 +657,11 @@ index 26e80c5..595f053 100644
#define CLEAR_ON_NONE(v) \
do { \
if (option_clear_or_none(v)) { \
diff --git a/readconf.h b/readconf.h
index e143a10..ef18d5c 100644
--- a/readconf.h
+++ b/readconf.h
@@ -199,6 +199,7 @@ typedef struct {
Index: openssh-8.4p1/readconf.h
===================================================================
--- openssh-8.4p1.orig/readconf.h
+++ openssh-8.4p1/readconf.h
@@ -200,6 +200,7 @@ typedef struct {
#define SSH_STRICT_HOSTKEY_YES 2
#define SSH_STRICT_HOSTKEY_ASK 3
@ -671,11 +669,11 @@ index e143a10..ef18d5c 100644
const char *kex_default_pk_alg(void);
char *ssh_connection_hash(const char *thishost, const char *host,
const char *portstr, const char *user);
diff --git a/servconf.c b/servconf.c
index 6be7274..9a51bfb 100644
--- a/servconf.c
+++ b/servconf.c
@@ -69,6 +69,7 @@
Index: openssh-8.4p1/servconf.c
===================================================================
--- openssh-8.4p1.orig/servconf.c
+++ openssh-8.4p1/servconf.c
@@ -70,6 +70,7 @@
#include "auth.h"
#include "myproposal.h"
#include "digest.h"
@ -683,7 +681,7 @@ index 6be7274..9a51bfb 100644
static void add_listen_addr(ServerOptions *, const char *,
const char *, int);
@@ -200,6 +201,23 @@ option_clear_or_none(const char *o)
@@ -201,6 +202,23 @@ option_clear_or_none(const char *o)
return o == NULL || strcasecmp(o, "none") == 0;
}
@ -707,7 +705,7 @@ index 6be7274..9a51bfb 100644
static void
assemble_algorithms(ServerOptions *o)
{
@@ -241,6 +259,8 @@ assemble_algorithms(ServerOptions *o)
@@ -242,6 +260,8 @@ assemble_algorithms(ServerOptions *o)
free(def_kex);
free(def_key);
free(def_sig);
@ -716,7 +714,7 @@ index 6be7274..9a51bfb 100644
}
static void
@@ -453,6 +473,8 @@ fill_default_server_options(ServerOptions *options)
@@ -454,6 +474,8 @@ fill_default_server_options(ServerOption
options->fwd_opts.streamlocal_bind_unlink = 0;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@ -725,10 +723,10 @@ index 6be7274..9a51bfb 100644
if (options->disable_forwarding == -1)
options->disable_forwarding = 0;
if (options->expose_userauth_info == -1)
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 944faca..c1ecc54 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
Index: openssh-8.4p1/ssh-keygen.c
===================================================================
--- openssh-8.4p1.orig/ssh-keygen.c
+++ openssh-8.4p1/ssh-keygen.c
@@ -66,6 +66,8 @@
#include "ssh-sk.h"
#include "sk-api.h" /* XXX for SSH_SK_USER_PRESENCE_REQD; remove */
@ -738,7 +736,7 @@ index 944faca..c1ecc54 100644
#ifdef WITH_OPENSSL
# define DEFAULT_KEY_TYPE_NAME "rsa"
#else
@@ -1032,11 +1034,13 @@ do_fingerprint(struct passwd *pw)
@@ -1036,11 +1038,13 @@ do_fingerprint(struct passwd *pw)
static void
do_gen_all_hostkeys(struct passwd *pw)
{
@ -754,7 +752,7 @@ index 944faca..c1ecc54 100644
#ifdef WITH_OPENSSL
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
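Review bot: the `key_types` table in `do_gen_all_hostkeys` still carries `{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }`, and the six lines this patch inserts after `struct stat st;` presumably filter the table in FIPS mode. Make sure that filter drops the DSA entry and not only the non-OpenSSL key types: OpenSSH's ssh-dss keys are fixed at 1024 bits, which SP 800-131A disallows for signature generation, so generating one as a host key in FIPS mode defeats the purpose of the patch.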
@@ -1051,6 +1055,17 @@ do_gen_all_hostkeys(struct passwd *pw)
@@ -1055,6 +1059,17 @@ do_gen_all_hostkeys(struct passwd *pw)
{ NULL, NULL, NULL }
};
@ -772,7 +770,7 @@ index 944faca..c1ecc54 100644
u_int32_t bits = 0;
int first = 0;
struct stat st;
@@ -1058,6 +1073,12 @@ do_gen_all_hostkeys(struct passwd *pw)
@@ -1062,6 +1077,12 @@ do_gen_all_hostkeys(struct passwd *pw)
char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file;
int i, type, fd, r;
@ -785,7 +783,7 @@ index 944faca..c1ecc54 100644
for (i = 0; key_types[i].key_type; i++) {
public = private = NULL;
prv_tmp = pub_tmp = prv_file = pub_file = NULL;
@@ -3532,6 +3553,15 @@ main(int argc, char **argv)
@@ -3586,6 +3607,15 @@ main(int argc, char **argv)
key_type_name = DEFAULT_KEY_TYPE_NAME;
type = sshkey_type_from_name(key_type_name);
@ -801,11 +799,11 @@ index 944faca..c1ecc54 100644
type_bits_valid(type, key_type_name, &bits);
if (!quiet)
diff --git a/ssh_config.5 b/ssh_config.5
index c45fb8d..55d4b5e 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -669,6 +669,8 @@ Valid options are:
Index: openssh-8.4p1/ssh_config.5
===================================================================
--- openssh-8.4p1.orig/ssh_config.5
+++ openssh-8.4p1/ssh_config.5
@@ -682,6 +682,8 @@ Valid options are:
and
.Cm sha256
(the default).
@ -814,11 +812,11 @@ index c45fb8d..55d4b5e 100644
.It Cm ForwardAgent
Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote machine.
diff --git a/sshd.c b/sshd.c
index a24241c..e18078f 100644
--- a/sshd.c
+++ b/sshd.c
@@ -128,6 +128,8 @@
Index: openssh-8.4p1/sshd.c
===================================================================
--- openssh-8.4p1.orig/sshd.c
+++ openssh-8.4p1/sshd.c
@@ -124,6 +124,8 @@
#include "ssherr.h"
#include "sk-api.h"
@ -827,10 +825,10 @@ index a24241c..e18078f 100644
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
diff --git a/sshd_config.5 b/sshd_config.5
index 52552d2..35affe5 100644
--- a/sshd_config.5
+++ b/sshd_config.5
Index: openssh-8.4p1/sshd_config.5
===================================================================
--- openssh-8.4p1.orig/sshd_config.5
+++ openssh-8.4p1/sshd_config.5
@@ -594,6 +594,8 @@ and
.Cm sha256 .
The default is

View File

@ -14,11 +14,10 @@
# file is not found (or the hash matches), proceed in non-FIPS mode and abort
# otherwise.
diff --git a/fips-check.c b/fips-check.c
new file mode 100644
index 0000000..eceb031
Index: openssh-8.4p1/fips-check.c
===================================================================
--- /dev/null
+++ b/fips-check.c
+++ openssh-8.4p1/fips-check.c
@@ -0,0 +1,34 @@
+#include "includes.h"
+#include <fcntl.h>
@ -54,10 +53,10 @@ index 0000000..eceb031
+ fips_ssh_init();
+ return 0;
+}
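Review bot: `fips-check.c` ends in `fips_ssh_init(); return 0;`, so its exit status is 0 unless `fips_ssh_init()` itself calls `fatal()`. The header promises "proceed in non-FIPS mode and abort otherwise", which makes this program's exit status the contract a caller relies on; have `fips_ssh_init()` return the decision and return non-zero from `main` on failure, so a later change that makes the init path non-fatal cannot silently turn every failure into success.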
diff --git a/fips.c b/fips.c
index 23e3876..297ae99 100644
--- a/fips.c
+++ b/fips.c
Index: openssh-8.4p1/fips.c
===================================================================
--- openssh-8.4p1.orig/fips.c
+++ openssh-8.4p1/fips.c
@@ -35,30 +35,293 @@
#include "log.h"
#include "xmalloc.h"
@ -246,7 +245,9 @@ index 23e3876..297ae99 100644
{
int fips_required = 0;
- char *env = getenv(SSH_FORCE_FIPS_ENV);
-
+ int fips_fd;
+ char fips_sys = 0;
- if (env) {
- errno = 0;
- fips_required = strtol(env, NULL, 10);
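Review bot: dropping the `getenv(SSH_FORCE_FIPS_ENV)` branch is the right call for sshd, which inherits its environment from whatever started it and should not let a variable decide whether self-tests and algorithm filtering run; the only other change in this hunk is hoisting `int fips_fd; char fips_sys = 0;` above the removed block. Update any README or man page in the package that still documents the variable in the same patch, and consider logging at verbose level which source decided the mode (the `FIPS_PROC_PATH` file present or absent), since it can no longer be read off the process environment.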
@ -256,9 +257,6 @@ index 23e3876..297ae99 100644
- fips_required = 0;
- } else
- fips_required = 1;
+ int fips_fd;
+ char fips_sys = 0;
+
+ struct stat dummy;
+ if (-1 == stat(FIPS_PROC_PATH, &dummy)) {
+ switch (errno) {
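Review bot: `stat(FIPS_PROC_PATH, &dummy)` followed by `switch (errno)` exists only to tell a missing file from other errors before the file is opened through `fips_fd`; that is two syscalls with a window between them, and `ENOENT` can be taken from the `open()` itself. Open directly, treat `errno == ENOENT` as a non-FIPS kernel and anything else as the abort case the header describes, and both the race and the `dummy` buffer disappear. `char fips_sys = 0` is a flag; `int` reads clearer and matches `fips_required`.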
@ -364,10 +362,10 @@ index 23e3876..297ae99 100644
int
fips_mode(void)
{
diff --git a/fips.h b/fips.h
index a115a61..3404684 100644
--- a/fips.h
+++ b/fips.h
Index: openssh-8.4p1/fips.h
===================================================================
--- openssh-8.4p1.orig/fips.h
+++ openssh-8.4p1/fips.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012 Petr Cerny. All rights reserved.
@ -404,15 +402,15 @@ index a115a61..3404684 100644
int fips_mode(void);
int fips_correct_dgst(int);
int fips_dgst_min(void);
@@ -41,4 +56,3 @@ enum fp_type fips_correct_fp_type(enum fp_type);
@@ -41,4 +56,3 @@ enum fp_type fips_correct_fp_type(enum
int fips_filter_crypto(char **, fips_filters);
#endif
-
diff --git a/sftp-server.c b/sftp-server.c
index 359204f..d6395fd 100644
--- a/sftp-server.c
+++ b/sftp-server.c
Index: openssh-8.4p1/sftp-server.c
===================================================================
--- openssh-8.4p1.orig/sftp-server.c
+++ openssh-8.4p1/sftp-server.c
@@ -53,6 +53,8 @@
char *sftp_realpath(const char *, char *); /* sftp-realpath.c */
@ -422,7 +420,7 @@ index 359204f..d6395fd 100644
/* Our verbosity */
static LogLevel log_level = SYSLOG_LEVEL_ERROR;
@@ -1576,6 +1578,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
@@ -1577,6 +1579,9 @@ sftp_server_main(int argc, char **argv,
extern char *optarg;
extern char *__progname;
@ -432,10 +430,10 @@ index 359204f..d6395fd 100644
__progname = ssh_get_progname(argv[0]);
log_init(__progname, log_level, log_facility, log_stderr);
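Review bot: the three lines inserted ahead of `__progname = ssh_get_progname(argv[0]);` and `log_init(...)` run before logging is configured, so a FIPS self-test failure reported through `fatal()` there is emitted with the default logging setup (stderr, which for an sftp subsystem is the client's channel) rather than to the configured syslog facility. Move the initialisation after `log_init()`.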
diff --git a/ssh.c b/ssh.c
index 98b6ce7..dce28fd 100644
--- a/ssh.c
+++ b/ssh.c
Index: openssh-8.4p1/ssh.c
===================================================================
--- openssh-8.4p1.orig/ssh.c
+++ openssh-8.4p1/ssh.c
@@ -113,6 +113,8 @@
#include "ssh-pkcs11.h"
#endif
@ -445,9 +443,9 @@ index 98b6ce7..dce28fd 100644
extern char *__progname;
/* Saves a copy of argv for setproctitle emulation */
@@ -630,6 +632,10 @@ main(int ac, char **av)
struct addrinfo *addrs = NULL;
@@ -658,6 +660,10 @@ main(int ac, char **av)
size_t n, len;
u_int j;
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
@ -456,11 +454,11 @@ index 98b6ce7..dce28fd 100644
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
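Review bot: the FIPS initialisation is inserted before `sanitise_stdfd()`, whose comment ("Ensure that fds 0, 1 and 2 are open or directed to /dev/null") says why it must run before anything else touches descriptors. If ssh is exec'd with fd 2 closed, the `open()` of `FIPS_PROC_PATH` that fips.c performs through `fips_fd` receives descriptor 2, `sanitise_stdfd()` then finds it open and leaves it, and every later stderr write goes to that file. Move the call after `sanitise_stdfd()`. The comment's "as of OpenSSH 7.6p1" is also stale in an 8.4p1 refresh and reads better without a version, and "a OpenBSD-only thing" should be "an OpenBSD-only thing".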
diff --git a/sshd.c b/sshd.c
index b2146a6..6092f0f 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1505,6 +1505,10 @@ main(int ac, char **av)
Index: openssh-8.4p1/sshd.c
===================================================================
--- openssh-8.4p1.orig/sshd.c
+++ openssh-8.4p1/sshd.c
@@ -1545,6 +1545,10 @@ main(int ac, char **av)
Authctxt *authctxt;
struct connection_info *connection_info = NULL;

View File

@ -3,11 +3,11 @@
# -- uset do be called '-xauthlocalhostname'
handle hostname changes when forwarding X
diff --git a/session.c b/session.c
index 18cdfa8..85a9ee2 100644
--- a/session.c
+++ b/session.c
@@ -985,7 +985,7 @@ copy_environment(char **source, char ***env, u_int *envsize)
Index: openssh-8.4p1/session.c
===================================================================
--- openssh-8.4p1.orig/session.c
+++ openssh-8.4p1/session.c
@@ -985,7 +985,7 @@ copy_environment(char **source, char ***
#endif
static char **
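Review bot: the header line `# -- uset do be called '-xauthlocalhostname'` has two typos ("used to be") and, with the one-line summary "handle hostname changes when forwarding X", is all the reader gets about intent. Spell out what the patch does (judging by the new `char **env, int *env_size` parameters on `do_rc_files`, it pushes the local hostname into the session environment for xauth) and the bug it fixes, so the next rediff does not have to reverse-engineer it from the signature changes.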
@ -16,7 +16,7 @@ index 18cdfa8..85a9ee2 100644
{
char buf[256];
size_t n;
@@ -1195,6 +1195,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
@@ -1195,6 +1195,8 @@ do_setup_env(struct ssh *ssh, Session *s
for (i = 0; env[i]; i++)
fprintf(stderr, " %.200s\n", env[i]);
}
@ -25,7 +25,7 @@ index 18cdfa8..85a9ee2 100644
return env;
}
@@ -1203,7 +1205,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
@@ -1203,7 +1205,7 @@ do_setup_env(struct ssh *ssh, Session *s
* first in this order).
*/
static void
@ -33,9 +33,9 @@ index 18cdfa8..85a9ee2 100644
+do_rc_files(struct ssh *ssh, Session *s, const char *shell, char **env, int *env_size)
{
FILE *f = NULL;
char cmd[1024];
@@ -1258,12 +1260,20 @@ do_rc_files(struct ssh *ssh, Session *s, const char *shell)
options.xauth_location);
char *cmd = NULL, *user_rc = NULL;
@@ -1260,12 +1262,20 @@ do_rc_files(struct ssh *ssh, Session *s,
fatal("%s: xasprintf: %s", __func__, strerror(errno));
f = popen(cmd, "w");
if (f) {
+ char hostname[MAXHOSTNAMELEN];
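Review bot: `char hostname[MAXHOSTNAMELEN]` is a stack buffer in the `popen(cmd, "w")` branch, and whatever fills it (gethostname(), presumably) is not required by POSIX to NUL-terminate on truncation. Add an explicit `hostname[sizeof(hostname) - 1] = '\0'`, or check the return value and skip the export, before the value is written into the xauth command or the environment.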
@ -55,7 +55,7 @@ index 18cdfa8..85a9ee2 100644
} else {
fprintf(stderr, "Could not run %s\n",
cmd);
@@ -1519,6 +1529,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
@@ -1526,6 +1536,7 @@ do_child(struct ssh *ssh, Session *s, co
char **env, *argv[ARGV_MAX], remote_id[512];
const char *shell, *shell0;
struct passwd *pw = s->pw;
@ -63,7 +63,7 @@ index 18cdfa8..85a9ee2 100644
int r = 0;
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
@@ -1575,7 +1586,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
@@ -1582,7 +1593,7 @@ do_child(struct ssh *ssh, Session *s, co
* Make sure $SHELL points to the shell from the password file,
* even if shell is overridden from login.conf
*/
@ -72,7 +72,7 @@ index 18cdfa8..85a9ee2 100644
#ifdef HAVE_LOGIN_CAP
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
@@ -1639,7 +1650,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
@@ -1646,7 +1657,7 @@ do_child(struct ssh *ssh, Session *s, co
closefrom(STDERR_FILENO + 1);

View File

@ -5,11 +5,11 @@ UsePAM is used
bnc#708678, FATE#312033
Index: openssh-7.8p1/auth.c
Index: openssh-8.4p1/auth.c
===================================================================
--- openssh-7.8p1.orig/auth.c
+++ openssh-7.8p1/auth.c
@@ -112,7 +112,7 @@ allowed_user(struct passwd * pw)
--- openssh-8.4p1.orig/auth.c
+++ openssh-8.4p1/auth.c
@@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas
return 0;
#ifdef USE_SHADOW
@ -18,7 +18,7 @@ Index: openssh-7.8p1/auth.c
spw = getspnam(pw->pw_name);
#ifdef HAS_SHADOW_EXPIRE
if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
@@ -132,7 +132,7 @@ allowed_user(struct passwd * pw)
@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas
#endif
/* check for locked account */
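Review bot: in `allowed_user` the shadow checks end up gated differently: account expiry (`auth_shadow_acctexpired`) stays behind `!options.use_pam`, while the `#ifdef USE_SHADOW` fetch of `spw` and the "check for locked account" block get the modified condition. The header should state which combination is intended for a PAM-enabled sshd: if the lock check is meant to run even with UsePAM (so `passwd -l` is honoured when the PAM stack does not check it), say so and note why expiry is still left to PAM, otherwise an admin cannot predict which `/etc/shadow` fields sshd enforces.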
@ -27,11 +27,11 @@ Index: openssh-7.8p1/auth.c
int locked = 0;
#ifdef LOCKED_PASSWD_STRING
Index: openssh-7.8p1/servconf.c
Index: openssh-8.4p1/servconf.c
===================================================================
--- openssh-7.8p1.orig/servconf.c
+++ openssh-7.8p1/servconf.c
@@ -83,6 +83,7 @@ initialize_server_options(ServerOptions
--- openssh-8.4p1.orig/servconf.c
+++ openssh-8.4p1/servconf.c
@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions
/* Portable-specific options */
options->use_pam = -1;
@ -39,7 +39,7 @@ Index: openssh-7.8p1/servconf.c
/* Standard Options */
options->num_ports = 0;
@@ -259,6 +260,8 @@ fill_default_server_options(ServerOption
@@ -300,6 +301,8 @@ fill_default_server_options(ServerOption
/* Portable-specific options */
if (options->use_pam == -1)
options->use_pam = 0;
@ -48,7 +48,7 @@ Index: openssh-7.8p1/servconf.c
/* Standard Options */
if (options->num_host_key_files == 0) {
@@ -459,7 +462,7 @@ fill_default_server_options(ServerOption
@@ -501,7 +504,7 @@ fill_default_server_options(ServerOption
typedef enum {
sBadOption, /* == unknown option */
/* Portable-specific options */
@ -57,7 +57,7 @@ Index: openssh-7.8p1/servconf.c
/* Standard Options */
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel,
@@ -509,8 +512,10 @@ static struct {
@@ -553,8 +556,10 @@ static struct {
/* Portable-specific options */
#ifdef USE_PAM
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
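Review bot: the new keyword is registered only inside the `#ifdef USE_PAM` block next to `{ "usepam", sUsePAM, SSHCFG_GLOBAL }`. Upstream pairs that entry with an `sUnsupported` entry in the `#else` branch so a config that sets it still parses on a build without PAM; give the new option the same treatment, otherwise `sshd -t` rejects a shared sshd_config on non-PAM builds.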
@ -68,7 +68,7 @@ Index: openssh-7.8p1/servconf.c
#endif
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
/* Standard Options */
@@ -1250,6 +1255,9 @@ process_server_config_line(ServerOptions
@@ -1318,6 +1323,9 @@ process_server_config_line_depth(ServerO
case sUsePAM:
intptr = &options->use_pam;
goto parse_flag;
@ -78,11 +78,11 @@ Index: openssh-7.8p1/servconf.c
/* Standard Options */
case sBadOption:
Index: openssh-7.8p1/servconf.h
Index: openssh-8.4p1/servconf.h
===================================================================
--- openssh-7.8p1.orig/servconf.h
+++ openssh-7.8p1/servconf.h
@@ -181,6 +181,7 @@ typedef struct {
--- openssh-8.4p1.orig/servconf.h
+++ openssh-8.4p1/servconf.h
@@ -195,6 +195,7 @@ typedef struct {
char *adm_forced_command;
int use_pam; /* Enable auth via PAM */
@ -90,11 +90,11 @@ Index: openssh-7.8p1/servconf.h
int permit_tun;
Index: openssh-7.8p1/sshd_config.0
Index: openssh-8.4p1/sshd_config.0
===================================================================
--- openssh-7.8p1.orig/sshd_config.0
+++ openssh-7.8p1/sshd_config.0
@@ -961,6 +961,14 @@ DESCRIPTION
--- openssh-8.4p1.orig/sshd_config.0
+++ openssh-8.4p1/sshd_config.0
@@ -1032,6 +1032,14 @@ DESCRIPTION
If UsePAM is enabled, you will not be able to run sshd(8) as a
non-root user. The default is no.
@ -109,11 +109,11 @@ Index: openssh-7.8p1/sshd_config.0
VersionAddendum
Optionally specifies additional text to append to the SSH
protocol banner sent by the server upon connection. The default
Index: openssh-7.8p1/sshd_config.5
Index: openssh-8.4p1/sshd_config.5
===================================================================
--- openssh-7.8p1.orig/sshd_config.5
+++ openssh-7.8p1/sshd_config.5
@@ -1613,6 +1613,18 @@ is enabled, you will not be able to run
--- openssh-8.4p1.orig/sshd_config.5
+++ openssh-8.4p1/sshd_config.5
@@ -1718,6 +1718,18 @@ is enabled, you will not be able to run
as a non-root user.
The default is
.Cm no .
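Review bot: the sshd_config.0 hunk (after `non-root user. The default is no.`) and the sshd_config.5 hunk (after `.Cm no .`) carry the same UsePAM addendum in two forms, and sshd_config.0 is the pre-formatted copy of sshd_config.5 that the portable tarball ships for systems without mandoc, so a later refresh that only touches the .5 wording will leave the .0 copy silently stale. Suggest regenerating the .0 hunk from the .5 text instead of maintaining it by hand, and checking now that the eight added lines in .0 say exactly what the twelve added roff lines in .5 say.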


@ -1,14 +1,16 @@
--- original/sftp-server.8 2016-12-19 04:59:41.000000000 +0000
+++ original/sftp-server.8 2017-11-23 08:47:01.267239186 +0000
@@ -38,6 +38,7 @@
.Op Fl P Ar blacklisted_requests
.Op Fl p Ar whitelisted_requests
Index: openssh-8.4p1/sftp-server.8
===================================================================
--- openssh-8.4p1.orig/sftp-server.8
+++ openssh-8.4p1/sftp-server.8
@@ -38,6 +38,7 @@
.Op Fl P Ar denied_requests
.Op Fl p Ar allowed_requests
.Op Fl u Ar umask
+.Op Fl m Ar force_file_dir_perms
.Ek
.Nm
.Fl Q Ar protocol_feature
@@ -138,6 +139,10 @@
@@ -138,6 +139,10 @@ Sets an explicit
.Xr umask 2
to be applied to newly-created files and directories, instead of the
user's default mask.
@ -19,9 +21,11 @@
.El
.Pp
On some systems,
--- original/sftp-server.c 2016-12-19 04:59:41.000000000 +0000
+++ original/sftp-server.c 2017-11-23 13:07:08.481765581 +0000
@@ -65,6 +65,10 @@
Index: openssh-8.4p1/sftp-server.c
===================================================================
--- openssh-8.4p1.orig/sftp-server.c
+++ openssh-8.4p1/sftp-server.c
@@ -69,6 +69,10 @@ struct sshbuf *oqueue;
/* Version of client */
static u_int version;
@ -32,7 +36,7 @@
/* SSH2_FXP_INIT received */
static int init_done;
@@ -679,6 +683,7 @@
@@ -687,6 +691,7 @@ process_open(u_int32_t id)
Attrib a;
char *name;
int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE;
@ -40,7 +44,7 @@
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
@@ -688,6 +693,10 @@
@@ -696,6 +701,10 @@ process_open(u_int32_t id)
debug3("request %u: open flags %d", id, pflags);
flags = flags_from_portable(pflags);
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
@ -51,7 +55,7 @@
logit("open \"%s\" flags %s mode 0%o",
name, string_from_portable(pflags), mode);
if (readonly &&
@@ -709,6 +718,8 @@
@@ -717,6 +726,8 @@ process_open(u_int32_t id)
}
}
}
@ -60,7 +64,7 @@
if (status != SSH2_FX_OK)
send_status(id, status);
free(name);
@@ -1110,6 +1121,7 @@
@@ -1131,6 +1142,7 @@ process_mkdir(u_int32_t id)
Attrib a;
char *name;
int r, mode, status = SSH2_FX_FAILURE;
@ -68,7 +72,7 @@
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
(r = decode_attrib(iqueue, &a)) != 0)
@@ -1117,9 +1129,16 @@
@@ -1138,9 +1150,16 @@ process_mkdir(u_int32_t id)
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ?
a.perm & 07777 : 0777;
@ -85,16 +89,16 @@
status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
send_status(id, status);
free(name);
@@ -1490,7 +1509,7 @@
@@ -1560,7 +1579,7 @@ sftp_server_usage(void)
fprintf(stderr,
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
"[-l log_level]\n\t[-P blacklisted_requests] "
- "[-p whitelisted_requests] [-u umask]\n"
+ "[-p whitelisted_requests] [-u umask] [-m force_file_dir_perms]\n"
"[-l log_level]\n\t[-P denied_requests] "
- "[-p allowed_requests] [-u umask]\n"
+ "[-p allowed_requests] [-u umask] [-m force_file_dir_perms]\n"
" %s -Q protocol_feature\n",
__progname, __progname);
exit(1);
@@ -1516,7 +1535,7 @@
@@ -1588,7 +1607,7 @@ sftp_server_main(int argc, char **argv,
pw = pwcopy(user_pw);
while (!skipargs && (ch = getopt(argc, argv,
@ -103,7 +107,7 @@
switch (ch) {
case 'Q':
if (strcasecmp(optarg, "requests") != 0) {
@@ -1576,6 +1595,15 @@
@@ -1650,6 +1669,15 @@ sftp_server_main(int argc, char **argv,
fatal("Invalid umask \"%s\"", optarg);
(void)umask((mode_t)mask);
break;
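Review bot: in the process_open hunk (`@@ -696,6 +701,10 @@`) the forced mode is inserted right after `mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;`, and process_mkdir (`@@ -1138,9 +1150,16 @@`) does the same after `a.perm & 07777 : 0777;`; confirm that the `logit("open \"%s\" flags %s mode 0%o", ...)` line that follows reports the effective forced mode and not the client-requested one, because that log line is what an operator reconciles against the permissions actually created. The `-m` parsing added after the `-u` case (`@@ -1650,6 +1669,15 @@`) should reject out-of-range values the same way the umask case does (`fatal("Invalid umask \"%s\"", optarg)`), and the getopt string change in sftp_server_main is hidden inside the refreshed hunk, so verify the new `m:` letter is present. The usage string and the `.Op Fl m Ar force_file_dir_perms` entry in sftp-server.8 are consistent with each other; note the refresh also picks up upstream's blacklisted/whitelisted to denied/allowed rename in both.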


@ -2,11 +2,11 @@
# Parent 60bdbe6dd8d6bc011883472363d56e1d97f68835
Put back sftp client diagnostic messages in batch mode
diff --git a/sftp.1 b/sftp.1
index a305b37..6e802ec 100644
--- a/sftp.1
+++ b/sftp.1
@@ -282,6 +282,9 @@ Specifies the port to connect to on the remote host.
Index: openssh-8.4p1/sftp.1
===================================================================
--- openssh-8.4p1.orig/sftp.1
+++ openssh-8.4p1/sftp.1
@@ -287,6 +287,9 @@ Specifies the port to connect to on the
.It Fl p
Preserves modification times, access times, and modes from the
original files transferred.
@ -16,10 +16,10 @@ index a305b37..6e802ec 100644
.It Fl q
Quiet mode: disables the progress meter as well as warning and
diagnostic messages from
diff --git a/sftp.c b/sftp.c
index 2799e4a..52b2c23 100644
--- a/sftp.c
+++ b/sftp.c
Index: openssh-8.4p1/sftp.c
===================================================================
--- openssh-8.4p1.orig/sftp.c
+++ openssh-8.4p1/sftp.c
@@ -85,6 +85,9 @@ static volatile pid_t sshpid = -1;
/* Suppress diagnositic messages */
int quiet = 0;
@ -30,15 +30,15 @@ index 2799e4a..52b2c23 100644
/* This is set to 0 if the progressmeter is not desired. */
int showprogress = 1;
@@ -2409,7 +2412,7 @@ main(int argc, char **argv)
@@ -2408,7 +2411,7 @@ main(int argc, char **argv)
infile = stdin;
while ((ch = getopt(argc, argv,
- "1246afhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
+ "1246afhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
- "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
+ "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
switch (ch) {
/* Passed through to ssh(1) */
case '4':
case 'A':
@@ -2426,6 +2429,9 @@ main(int argc, char **argv)
addargs(&args, "-%c", ch);
addargs(&args, "%s", optarg);
@ -56,5 +56,5 @@ index 2799e4a..52b2c23 100644
+ if (batchmode && loud)
+ quiet = 0;
if (!isatty(STDERR_FILENO))
showprogress = 0;
/* Do this last because we want the user to be able to override it */
addargs(&args, "-oForwardAgent no");
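Review bot: the getopt string in main gains `Q` (`"1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:"`), but the visible hunks only touch the option list next to `.It Fl q` in sftp.1 (`@@ -287,6 +287,9 @@`), not the `.Nm` synopsis line nor sftp's own usage() text; add `Q` to both so `sftp -h` and the SYNOPSIS match the parser. The `+ if (batchmode && loud) quiet = 0;` check runs after the option loop, so `-Q` and `-b` may appear in either order, which is the right behaviour; the variable it tests is declared in the hidden part of the `@@ -85,6 +85,9 @@` hunk beside `int quiet = 0;`, so confirm it is initialised to 0 there.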


@ -1,8 +1,8 @@
diff --git a/Makefile.in b/Makefile.in
index 88aba09..b815eac 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -115,7 +115,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
Index: openssh-8.4p1/Makefile.in
===================================================================
--- openssh-8.4p1.orig/Makefile.in
+++ openssh-8.4p1/Makefile.in
@@ -113,7 +113,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
kexgssc.o \
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
@ -11,11 +11,11 @@ index 88aba09..b815eac 100644
SKOBJS= ssh-sk-client.o
diff --git a/audit-bsm.c b/audit-bsm.c
index 0ba16c7..d5e9cda 100644
--- a/audit-bsm.c
+++ b/audit-bsm.c
@@ -372,12 +372,25 @@ audit_connection_from(const char *host, int port)
Index: openssh-8.4p1/audit-bsm.c
===================================================================
--- openssh-8.4p1.orig/audit-bsm.c
+++ openssh-8.4p1/audit-bsm.c
@@ -372,13 +372,26 @@ audit_connection_from(const char *host,
#endif
}
@ -33,16 +33,17 @@ index 0ba16c7..d5e9cda 100644
/* not implemented */
}
+void
void
+audit_count_session_open(void)
+{
+ /* not necessary */
+}
+
void
+void
audit_session_open(struct logininfo *li)
{
@@ -390,6 +403,12 @@ audit_session_close(struct logininfo *li)
/* not implemented */
@@ -390,6 +403,12 @@ audit_session_close(struct logininfo *li
/* not implemented */
}
@ -55,7 +56,7 @@ index 0ba16c7..d5e9cda 100644
void
audit_event(struct ssh *ssh, ssh_audit_event_t event)
{
@@ -451,4 +470,28 @@ audit_event(struct ssh *ssh, ssh_audit_event_t event)
@@ -451,4 +470,28 @@ audit_event(struct ssh *ssh, ssh_audit_e
debug("%s: unhandled event %d", __func__, event);
}
}
@ -84,10 +85,10 @@ index 0ba16c7..d5e9cda 100644
+ /* not implemented */
+}
#endif /* BSM */
diff --git a/audit-linux.c b/audit-linux.c
index 3fcbe5c..a823c30 100644
--- a/audit-linux.c
+++ b/audit-linux.c
Index: openssh-8.4p1/audit-linux.c
===================================================================
--- openssh-8.4p1.orig/audit-linux.c
+++ openssh-8.4p1/audit-linux.c
@@ -33,27 +33,40 @@
#include "log.h"
@ -99,10 +100,11 @@ index 3fcbe5c..a823c30 100644
+#include "servconf.h"
#include "canohost.h"
#include "packet.h"
-
+#include "cipher.h"
+#include "channels.h"
+#include "session.h"
+
+#define AUDIT_LOG_SIZE 256
+
+extern ServerOptions options;
@ -136,7 +138,7 @@ index 3fcbe5c..a823c30 100644
saved_errno = errno;
close(audit_fd);
@@ -65,9 +78,96 @@ linux_audit_record_event(int uid, const char *username, const char *hostname,
@@ -65,9 +78,96 @@ linux_audit_record_event(int uid, const
rc = 0;
errno = saved_errno;
@ -234,7 +236,7 @@ index 3fcbe5c..a823c30 100644
/* Below is the sshd audit API code */
void
@@ -76,49 +176,210 @@ audit_connection_from(const char *host, int port)
@@ -76,49 +176,210 @@ audit_connection_from(const char *host,
/* not implemented */
}
@ -457,10 +459,10 @@ index 3fcbe5c..a823c30 100644
+ error("cannot write into audit");
+}
#endif /* USE_LINUX_AUDIT */
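Review bot: `error("cannot write into audit")` at the end of the audit-linux.c hunk (`@@ -76,49 +176,210 @@`) logs a failed audit write and carries on; decide explicitly whether an unwritable audit log is fail-open (current behaviour) or should make sshd refuse the session, and record that decision in a comment next to the call, since auditors will ask. `#define AUDIT_LOG_SIZE 256` introduces a fixed-size record buffer: every formatter that fills it must use a bounded call (snprintf/strlcat) and must truncate cleanly when the username, hostname or command string supplied by the peer is longer than the buffer, so that an over-long input yields a truncated record rather than a lost or malformed one.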
diff --git a/audit.c b/audit.c
index dd2f035..c8d54b1 100644
--- a/audit.c
+++ b/audit.c
Index: openssh-8.4p1/audit.c
===================================================================
--- openssh-8.4p1.orig/audit.c
+++ openssh-8.4p1/audit.c
@@ -34,6 +34,12 @@
#include "log.h"
#include "hostfile.h"
@ -534,11 +536,10 @@ index dd2f035..c8d54b1 100644
# ifndef CUSTOM_SSH_AUDIT_EVENTS
/*
* Null implementations of audit functions.
@@ -137,6 +170,17 @@ audit_event(struct ssh *ssh, ssh_audit_event_t event)
audit_username(), event, audit_event_lookup(event));
@@ -138,6 +171,17 @@ audit_event(struct ssh *ssh, ssh_audit_e
}
+/*
/*
+ * Called when a child process has called, or will soon call,
+ * audit_session_open.
+ */
@ -549,10 +550,11 @@ index dd2f035..c8d54b1 100644
+ audit_username());
+}
+
/*
+/*
* Called when a user session is started. Argument is the tty allocated to
* the session, or NULL if no tty was allocated.
@@ -172,13 +216,82 @@ audit_session_close(struct logininfo *li)
*
@@ -172,13 +216,82 @@ audit_session_close(struct logininfo *li
/*
* This will be called when a user runs a non-interactive command. Note that
* it may be called multiple times for a single connection since SSH2 allows
@ -638,10 +640,10 @@ index dd2f035..c8d54b1 100644
}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff --git a/audit.h b/audit.h
index 38cb5ad..45d66cc 100644
--- a/audit.h
+++ b/audit.h
Index: openssh-8.4p1/audit.h
===================================================================
--- openssh-8.4p1.orig/audit.h
+++ openssh-8.4p1/audit.h
@@ -26,6 +26,7 @@
# define _SSH_AUDIT_H
@ -684,11 +686,10 @@ index 38cb5ad..45d66cc 100644
+void audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */
diff --git a/auditstub.c b/auditstub.c
new file mode 100644
index 0000000..639a798
Index: openssh-8.4p1/auditstub.c
===================================================================
--- /dev/null
+++ b/auditstub.c
+++ openssh-8.4p1/auditstub.c
@@ -0,0 +1,52 @@
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
+
@ -742,11 +743,11 @@ index 0000000..639a798
+audit_session_key_free_body(struct ssh *ssh, int ctos, pid_t pid, uid_t uid)
+{
+}
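Review bot: `+/* $Id: auditstub.c,v 1.1 jfch Exp $ */` is a CVS keyword header that nothing in this tree expands; drop it. The stubs here are empty bodies, so check each signature against the prototypes added to audit.h (for example `audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, uid_t)`), because a mismatch only shows up in builds without SSH_AUDIT_EVENTS. Since the file is now carried in quilt `Index:` form with `--- /dev/null`, the git `new file mode 100644` metadata is gone and the new-file status rests on the /dev/null line alone.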
diff --git a/auth.c b/auth.c
index 779a1af..f6f3c86 100644
--- a/auth.c
+++ b/auth.c
@@ -367,7 +367,7 @@ auth_log(struct ssh *ssh, int authenticated, int partial,
Index: openssh-8.4p1/auth.c
===================================================================
--- openssh-8.4p1.orig/auth.c
+++ openssh-8.4p1/auth.c
@@ -367,7 +367,7 @@ auth_log(struct ssh *ssh, int authentica
# endif
#endif
#ifdef SSH_AUDIT_EVENTS
@ -755,7 +756,7 @@ index 779a1af..f6f3c86 100644
audit_event(ssh, audit_classify_auth(method));
#endif
}
@@ -593,9 +593,6 @@ getpwnamallow(struct ssh *ssh, const char *user)
@@ -593,9 +593,6 @@ getpwnamallow(struct ssh *ssh, const cha
record_failed_login(ssh, user,
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
#endif
@ -765,11 +766,11 @@ index 779a1af..f6f3c86 100644
return (NULL);
}
if (!allowed_user(ssh, pw))
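Review bot: `@@ -593,9 +593,6 @@ getpwnamallow` deletes the three lines between `#endif` and `return (NULL);`, i.e. the hook that fired when the requested user does not exist, and the companion `@@ -293,9 +293,6 @@ input_userauth_request` hunk in auth2.c deletes three lines right after `authctxt->pw = fakepw();` in the same way. Confirm that the invalid-user event is still raised from the `auth_log` path (the `@@ -367,7 +367,7 @@` hunk changes the line feeding `audit_event(ssh, audit_classify_auth(method))`), so a login attempt against a non-existent account still produces an audit record; losing it would blind any brute-force detection that keys on that event.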
diff --git a/auth.h b/auth.h
index becc672..c8a99fb 100644
--- a/auth.h
+++ b/auth.h
@@ -189,6 +189,8 @@ struct passwd * getpwnamallow(struct ssh *, const char *user);
Index: openssh-8.4p1/auth.h
===================================================================
--- openssh-8.4p1.orig/auth.h
+++ openssh-8.4p1/auth.h
@@ -189,6 +189,8 @@ struct passwd * getpwnamallow(struct ssh
char *expand_authorized_keys(const char *, struct passwd *pw);
char *authorized_principals_file(struct passwd *);
@ -778,7 +779,7 @@ index becc672..c8a99fb 100644
FILE *auth_openkeyfile(const char *, struct passwd *, int);
FILE *auth_openprincipals(const char *, struct passwd *, int);
@@ -208,6 +210,8 @@ struct sshkey *get_hostkey_private_by_type(int, int, struct ssh *);
@@ -208,6 +210,8 @@ struct sshkey *get_hostkey_private_by_ty
int get_hostkey_index(struct sshkey *, int, struct ssh *);
int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
u_char **, size_t *, const u_char *, size_t, const char *);
@ -787,10 +788,10 @@ index becc672..c8a99fb 100644
/* Key / cert options linkage to auth layer */
const struct sshauthopt *auth_options(struct ssh *);
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index 5e9b7c6..c0a09a3 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
Index: openssh-8.4p1/auth2-hostbased.c
===================================================================
--- openssh-8.4p1.orig/auth2-hostbased.c
+++ openssh-8.4p1/auth2-hostbased.c
@@ -150,7 +150,7 @@ userauth_hostbased(struct ssh *ssh)
authenticated = 0;
if (PRIVSEP(hostbased_key_allowed(ssh, authctxt->pw, cuser,
@ -820,10 +821,10 @@ index 5e9b7c6..c0a09a3 100644
/* return 1 if given hostkey is allowed */
int
hostbased_key_allowed(struct ssh *ssh, struct passwd *pw,
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 815ea0f..f8a4325 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
Index: openssh-8.4p1/auth2-pubkey.c
===================================================================
--- openssh-8.4p1.orig/auth2-pubkey.c
+++ openssh-8.4p1/auth2-pubkey.c
@@ -212,7 +212,7 @@ userauth_pubkey(struct ssh *ssh)
/* test for correct signature */
authenticated = 0;
@ -833,7 +834,7 @@ index 815ea0f..f8a4325 100644
sshbuf_ptr(b), sshbuf_len(b),
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
ssh->compat, &sig_details)) == 0) {
@@ -294,6 +294,19 @@ done:
@@ -308,6 +308,19 @@ done:
return authenticated;
}
@ -853,11 +854,11 @@ index 815ea0f..f8a4325 100644
static int
match_principals_option(const char *principal_list, struct sshkey_cert *cert)
{
diff --git a/auth2.c b/auth2.c
index a4a5e00..b12d2ac 100644
--- a/auth2.c
+++ b/auth2.c
@@ -293,9 +293,6 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
Index: openssh-8.4p1/auth2.c
===================================================================
--- openssh-8.4p1.orig/auth2.c
+++ openssh-8.4p1/auth2.c
@@ -293,9 +293,6 @@ input_userauth_request(int type, u_int32
} else {
/* Invalid user, fake password information */
authctxt->pw = fakepw();
@ -867,10 +868,10 @@ index a4a5e00..b12d2ac 100644
}
#ifdef USE_PAM
if (options.use_pam)
diff --git a/cipher.c b/cipher.c
index 599b54a..7f25a18 100644
--- a/cipher.c
+++ b/cipher.c
Index: openssh-8.4p1/cipher.c
===================================================================
--- openssh-8.4p1.orig/cipher.c
+++ openssh-8.4p1/cipher.c
@@ -58,25 +58,6 @@
#define EVP_CIPHER_CTX void
#endif
@ -897,7 +898,7 @@ index 599b54a..7f25a18 100644
static const struct sshcipher ciphers_all[] = {
#ifdef WITH_OPENSSL
#ifndef OPENSSL_NO_DES
@@ -462,7 +443,7 @@ cipher_get_length(struct sshcipher_ctx *cc, u_int *plenp, u_int seqnr,
@@ -462,7 +443,7 @@ cipher_get_length(struct sshcipher_ctx *
void
cipher_free(struct sshcipher_ctx *cc)
{
@ -906,10 +907,10 @@ index 599b54a..7f25a18 100644
return;
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
chachapoly_free(cc->cp_ctx);
diff --git a/cipher.h b/cipher.h
index 626f2f5..b3383a5 100644
--- a/cipher.h
+++ b/cipher.h
Index: openssh-8.4p1/cipher.h
===================================================================
--- openssh-8.4p1.orig/cipher.h
+++ openssh-8.4p1/cipher.h
@@ -47,7 +47,25 @@
#define CIPHER_ENCRYPT 1
#define CIPHER_DECRYPT 0
@ -937,10 +938,10 @@ index 626f2f5..b3383a5 100644
struct sshcipher_ctx {
int plaintext;
int encrypt;
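Review bot: moving the `struct sshcipher` definition out of cipher.c (`@@ -58,25 +58,6 @@`) into cipher.h (`@@ -47,7 +47,25 @@`) exposes the cipher table layout to every file that includes cipher.h; if the only consumer is the new key-destruction code, prefer a small accessor in cipher.c (the `mac_destroy(struct sshmac *)` addition in mac.h shows that shape) and keep the struct private. The one-line change in `cipher_free` (`@@ -462,7 +443,7 @@`) replaces the early-return guard, so make sure a NULL `cc` still returns before `cc->cipher->flags` is dereferenced on the next line.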
diff --git a/kex.c b/kex.c
index fbb8e4f..39cad99 100644
--- a/kex.c
+++ b/kex.c
Index: openssh-8.4p1/kex.c
===================================================================
--- openssh-8.4p1.orig/kex.c
+++ openssh-8.4p1/kex.c
@@ -62,6 +62,7 @@
#include "ssherr.h"
#include "sshbuf.h"
@ -968,7 +969,7 @@ index fbb8e4f..39cad99 100644
if ((enc->cipher = cipher_by_name(name)) == NULL) {
error("%s: unsupported cipher %s", __func__, name);
free(name);
@@ -883,8 +888,12 @@ choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
@@ -883,8 +888,12 @@ choose_mac(struct ssh *ssh, struct sshma
{
char *name = match_list(client, server, NULL);
@ -982,7 +983,7 @@ index fbb8e4f..39cad99 100644
if (mac_setup(mac, name) < 0) {
error("%s: unsupported MAC %s", __func__, name);
free(name);
@@ -897,12 +906,16 @@ choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
@@ -897,12 +906,16 @@ choose_mac(struct ssh *ssh, struct sshma
}
static int
@ -1030,7 +1031,7 @@ index fbb8e4f..39cad99 100644
}
/* XXX need runden? */
kex->we_need = need;
@@ -1245,6 +1262,36 @@ dump_digest(const char *msg, const u_char *digest, int len)
@@ -1245,6 +1262,36 @@ dump_digest(const char *msg, const u_cha
}
#endif
@ -1067,10 +1068,10 @@ index fbb8e4f..39cad99 100644
/*
* Send a plaintext error message to the peer, suffixed by \r\n.
* Only used during banner exchange, and there only for the server.
diff --git a/kex.h b/kex.h
index 4dc48fd..fdf0cf6 100644
--- a/kex.h
+++ b/kex.h
Index: openssh-8.4p1/kex.h
===================================================================
--- openssh-8.4p1.orig/kex.h
+++ openssh-8.4p1/kex.h
@@ -226,6 +226,8 @@ int kexgss_client(struct ssh *);
int kexgss_server(struct ssh *);
#endif
@ -1080,10 +1081,10 @@ index 4dc48fd..fdf0cf6 100644
int kex_dh_keypair(struct kex *);
int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
struct sshbuf **);
diff --git a/mac.c b/mac.c
index 90d71c8..6d87a80 100644
--- a/mac.c
+++ b/mac.c
Index: openssh-8.4p1/mac.c
===================================================================
--- openssh-8.4p1.orig/mac.c
+++ openssh-8.4p1/mac.c
@@ -277,6 +277,20 @@ mac_clear(struct sshmac *mac)
mac->umac_ctx = NULL;
}
@ -1105,21 +1106,21 @@ index 90d71c8..6d87a80 100644
/* XXX copied from ciphers_valid */
#define MAC_SEP ","
int
diff --git a/mac.h b/mac.h
index 0b119d7..5fb593b 100644
--- a/mac.h
+++ b/mac.h
@@ -49,5 +49,6 @@ int mac_compute(struct sshmac *, u_int32_t, const u_char *, int,
Index: openssh-8.4p1/mac.h
===================================================================
--- openssh-8.4p1.orig/mac.h
+++ openssh-8.4p1/mac.h
@@ -49,5 +49,6 @@ int mac_compute(struct sshmac *, u_int3
int mac_check(struct sshmac *, u_int32_t, const u_char *, size_t,
const u_char *, size_t);
void mac_clear(struct sshmac *);
+void mac_destroy(struct sshmac *);
#endif /* SSHMAC_H */
diff --git a/monitor.c b/monitor.c
index cf775e5..fcd8283 100644
--- a/monitor.c
+++ b/monitor.c
Index: openssh-8.4p1/monitor.c
===================================================================
--- openssh-8.4p1.orig/monitor.c
+++ openssh-8.4p1/monitor.c
@@ -93,6 +93,7 @@
#include "compat.h"
#include "ssh2.h"
@ -1137,7 +1138,7 @@ index cf775e5..fcd8283 100644
/* State exported from the child */
static struct sshbuf *child_state;
@@ -155,6 +158,11 @@ int mm_answer_gss_updatecreds(struct ssh*, int, struct sshbuf *);
@@ -155,6 +158,11 @@ int mm_answer_gss_updatecreds(struct ssh
#ifdef SSH_AUDIT_EVENTS
int mm_answer_audit_event(struct ssh *, int, struct sshbuf *);
int mm_answer_audit_command(struct ssh *, int, struct sshbuf *);
@ -1149,7 +1150,7 @@ index cf775e5..fcd8283 100644
#endif
static Authctxt *authctxt;
@@ -210,6 +218,10 @@ struct mon_table mon_dispatch_proto20[] = {
@@ -210,6 +218,10 @@ struct mon_table mon_dispatch_proto20[]
#endif
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
@ -1160,7 +1161,7 @@ index cf775e5..fcd8283 100644
#endif
#ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -244,6 +256,11 @@ struct mon_table mon_dispatch_postauth20[] = {
@@ -244,6 +256,11 @@ struct mon_table mon_dispatch_postauth20
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
@ -1172,9 +1173,9 @@ index cf775e5..fcd8283 100644
#endif
{0, 0, NULL}
};
@@ -1406,8 +1423,10 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
size_t signaturelen, datalen, bloblen;
int r, ret, req_presence = 0, valid_data = 0, encoded_ret;
@@ -1407,8 +1424,10 @@ mm_answer_keyverify(struct ssh *ssh, int
int r, ret, req_presence = 0, req_verify = 0, valid_data = 0;
int encoded_ret;
struct sshkey_sig_details *sig_details = NULL;
+ int type = 0;
@ -1184,7 +1185,7 @@ index cf775e5..fcd8283 100644
(r = sshbuf_get_string_direct(m, &signature, &signaturelen)) != 0 ||
(r = sshbuf_get_string_direct(m, &data, &datalen)) != 0 ||
(r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0)
@@ -1416,6 +1435,8 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
@@ -1417,6 +1436,8 @@ mm_answer_keyverify(struct ssh *ssh, int
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
!monitor_allowed_key(blob, bloblen))
fatal("%s: bad key, not previously allowed", __func__);
@ -1193,7 +1194,7 @@ index cf775e5..fcd8283 100644
/* Empty signature algorithm means NULL. */
if (*sigalg == '\0') {
@@ -1431,14 +1452,19 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
@@ -1432,14 +1453,19 @@ mm_answer_keyverify(struct ssh *ssh, int
case MM_USERKEY:
valid_data = monitor_valid_userblob(data, datalen);
auth_method = "publickey";
@ -1213,7 +1214,7 @@ index cf775e5..fcd8283 100644
break;
}
if (!valid_data)
@@ -1448,8 +1474,6 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
@@ -1449,8 +1475,6 @@ mm_answer_keyverify(struct ssh *ssh, int
SSH_FP_DEFAULT)) == NULL)
fatal("%s: sshkey_fingerprint failed", __func__);
@ -1222,7 +1223,7 @@ index cf775e5..fcd8283 100644
debug3("%s: %s %p signature %s%s%s", __func__, auth_method, key,
(ret == 0) ? "verified" : "unverified",
(ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
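Review bot: `@@ -1449,8 +1475,6 @@` removes the single `sshkey_verify` call that sat between the fingerprint and the `debug3("%s: %s %p signature %s%s%s", ...)` line, and `@@ -1432,14 +1453,19 @@` moves verification into the `case MM_USERKEY` / hostbased arms of the switch; every arm must now assign `ret` before the debug3 reads it, and the new 8.4p1 context (`int r, ret, req_presence = 0, req_verify = 0, valid_data = 0;`) shows the FIDO `req_presence`/`req_verify` checks that follow verification, so confirm the relocated verify path still feeds `sig_details` into those checks for both key types. `+ int type = 0;` is read from the request (`@@ -1417,6 +1436,8 @@`); validate it against the known MM_* values before it selects the switch arm, since the value arrives from the unprivileged child.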
@@ -1524,13 +1548,19 @@ mm_record_login(struct ssh *ssh, Session *s, struct passwd *pw)
@@ -1537,13 +1561,19 @@ mm_record_login(struct ssh *ssh, Session
}
static void
@ -1243,7 +1244,7 @@ index cf775e5..fcd8283 100644
session_unused(s->self);
}
@@ -1597,7 +1627,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
@@ -1610,7 +1640,7 @@ mm_answer_pty(struct ssh *ssh, int sock,
error:
if (s != NULL)
@ -1252,7 +1253,7 @@ index cf775e5..fcd8283 100644
if ((r = sshbuf_put_u32(m, 0)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
mm_request_send(sock, MONITOR_ANS_PTY, m);
@@ -1616,7 +1646,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, int sock, struct sshbuf *m)
@@ -1629,7 +1659,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, i
if ((r = sshbuf_get_cstring(m, &tty, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
if ((s = session_by_tty(tty)) != NULL)
@ -1261,7 +1262,7 @@ index cf775e5..fcd8283 100644
sshbuf_reset(m);
free(tty);
return (0);
@@ -1638,6 +1668,8 @@ mm_answer_term(struct ssh *ssh, int sock, struct sshbuf *req)
@@ -1651,6 +1681,8 @@ mm_answer_term(struct ssh *ssh, int sock
sshpam_cleanup();
#endif
@ -1270,7 +1271,7 @@ index cf775e5..fcd8283 100644
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
if (errno != EINTR)
exit(1);
@@ -1684,12 +1716,47 @@ mm_answer_audit_command(struct ssh *ssh, int socket, struct sshbuf *m)
@@ -1697,12 +1729,47 @@ mm_answer_audit_command(struct ssh *ssh,
{
char *cmd;
int r;
@ -1319,7 +1320,7 @@ index cf775e5..fcd8283 100644
free(cmd);
return (0);
}
@@ -1755,6 +1822,7 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
@@ -1768,6 +1835,7 @@ monitor_apply_keystate(struct ssh *ssh,
void
mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor)
{
@ -1327,7 +1328,7 @@ index cf775e5..fcd8283 100644
debug3("%s: Waiting for new keys", __func__);
if ((child_state = sshbuf_new()) == NULL)
@@ -1762,6 +1830,19 @@ mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor)
@@ -1775,6 +1843,19 @@ mm_get_keystate(struct ssh *ssh, struct
mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
child_state);
debug3("%s: GOT new keys", __func__);
@ -1347,7 +1348,7 @@ index cf775e5..fcd8283 100644
}
@@ -2039,3 +2120,102 @@ mm_answer_gss_updatecreds(struct ssh *ssh, int socket, struct sshbuf *m) {
@@ -2052,3 +2133,102 @@ mm_answer_gss_updatecreds(struct ssh *ss
#endif /* GSSAPI */
@ -1450,10 +1451,10 @@ index cf775e5..fcd8283 100644
+ return 0;
+}
+#endif /* SSH_AUDIT_EVENTS */
diff --git a/monitor.h b/monitor.h
index 2b1a2d5..7817990 100644
--- a/monitor.h
+++ b/monitor.h
Index: openssh-8.4p1/monitor.h
===================================================================
--- openssh-8.4p1.orig/monitor.h
+++ openssh-8.4p1/monitor.h
@@ -61,7 +61,13 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
@ -1469,11 +1470,11 @@ index 2b1a2d5..7817990 100644
MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
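Review bot: the six new `MONITOR_REQ_*`/`MONITOR_ANS_*` values added in `@@ -61,7 +61,13 @@` each need their gating chosen deliberately in both dispatch tables: the monitor.c hunks add four entries to `mon_dispatch_proto20` (pre-auth, `@@ -210,6 +218,10 @@`) and five to `mon_dispatch_postauth20` (`@@ -244,6 +256,11 @@`), all apparently `MON_PERMIT`, so check that any request that is only meaningful once a session exists is not reachable from the pre-auth table. Also the numbers must not collide with the existing 106..109 PAM block shown in context or with future upstream additions; a short comment naming the audit range would help the next rebase.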
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 6edb509..cb5e5f3 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -492,7 +492,7 @@ mm_key_allowed(enum mm_keytype type, const char *user, const char *host,
Index: openssh-8.4p1/monitor_wrap.c
===================================================================
--- openssh-8.4p1.orig/monitor_wrap.c
+++ openssh-8.4p1/monitor_wrap.c
@@ -492,7 +492,7 @@ mm_key_allowed(enum mm_keytype type, con
*/
int
@ -1482,7 +1483,7 @@ index 6edb509..cb5e5f3 100644
const u_char *data, size_t datalen, const char *sigalg, u_int compat,
struct sshkey_sig_details **sig_detailsp)
{
@@ -508,7 +508,8 @@ mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
@@ -508,7 +508,8 @@ mm_sshkey_verify(const struct sshkey *ke
*sig_detailsp = NULL;
if ((m = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
@ -1492,7 +1493,7 @@ index 6edb509..cb5e5f3 100644
(r = sshbuf_put_string(m, sig, siglen)) != 0 ||
(r = sshbuf_put_string(m, data, datalen)) != 0 ||
(r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0)
@@ -541,6 +542,20 @@ mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
@@ -541,6 +542,20 @@ mm_sshkey_verify(const struct sshkey *ke
return 0;
}
@ -1513,7 +1514,7 @@ index 6edb509..cb5e5f3 100644
void
mm_send_keystate(struct ssh *ssh, struct monitor *monitor)
{
@@ -894,11 +909,12 @@ mm_audit_event(struct ssh *ssh, ssh_audit_event_t event)
@@ -894,11 +909,12 @@ mm_audit_event(struct ssh *ssh, ssh_audi
sshbuf_free(m);
}
@ -1528,7 +1529,7 @@ index 6edb509..cb5e5f3 100644
debug3("%s entering command %s", __func__, command);
@@ -908,6 +924,30 @@ mm_audit_run_command(const char *command)
@@ -908,6 +924,30 @@ mm_audit_run_command(const char *command
fatal("%s: buffer error: %s", __func__, ssh_err(r));
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, m);
@ -1559,7 +1560,7 @@ index 6edb509..cb5e5f3 100644
sshbuf_free(m);
}
#endif /* SSH_AUDIT_EVENTS */
@@ -1068,3 +1108,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
@@ -1068,3 +1108,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
}
#endif /* GSSAPI */
@ -1643,11 +1644,11 @@ index 6edb509..cb5e5f3 100644
+ sshbuf_free(m);
+}
+#endif /* SSH_AUDIT_EVENTS */
diff --git a/monitor_wrap.h b/monitor_wrap.h
index 485590c..73c095e 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -57,7 +57,9 @@ int mm_user_key_allowed(struct ssh *, struct passwd *, struct sshkey *, int,
Index: openssh-8.4p1/monitor_wrap.h
===================================================================
--- openssh-8.4p1.orig/monitor_wrap.h
+++ openssh-8.4p1/monitor_wrap.h
@@ -58,7 +58,9 @@ int mm_user_key_allowed(struct ssh *, st
struct sshauthopt **);
int mm_hostbased_key_allowed(struct ssh *, struct passwd *, const char *,
const char *, struct sshkey *);
@ -1658,7 +1659,7 @@ index 485590c..73c095e 100644
const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
#ifdef GSSAPI
@@ -82,7 +84,12 @@ void mm_sshpam_free_ctx(void *);
@@ -83,7 +85,12 @@ void mm_sshpam_free_ctx(void *);
#ifdef SSH_AUDIT_EVENTS
#include "audit.h"
void mm_audit_event(struct ssh *, ssh_audit_event_t);
@ -1672,10 +1673,10 @@ index 485590c..73c095e 100644
#endif
struct Session;
diff --git a/packet.c b/packet.c
index e7abb34..997c338 100644
--- a/packet.c
+++ b/packet.c
Index: openssh-8.4p1/packet.c
===================================================================
--- openssh-8.4p1.orig/packet.c
+++ openssh-8.4p1/packet.c
@@ -81,6 +81,7 @@
#endif
@ -1684,7 +1685,7 @@ index e7abb34..997c338 100644
#include "compat.h"
#include "ssh2.h"
#include "cipher.h"
@@ -515,6 +516,13 @@ ssh_packet_get_connection_out(struct ssh *ssh)
@@ -518,6 +519,13 @@ ssh_packet_get_connection_out(struct ssh
return ssh->state->connection_out;
}
@ -1698,7 +1699,7 @@ index e7abb34..997c338 100644
/*
* Returns the IP-address of the remote host as a string. The returned
* string must not be freed.
@@ -592,22 +600,19 @@ ssh_packet_close_internal(struct ssh *ssh, int do_close)
@@ -595,22 +603,19 @@ ssh_packet_close_internal(struct ssh *ss
{
struct session_state *state = ssh->state;
u_int mode;
@ -1726,7 +1727,7 @@ index e7abb34..997c338 100644
for (mode = 0; mode < MODE_MAX; mode++) {
kex_free_newkeys(state->newkeys[mode]); /* current keys */
state->newkeys[mode] = NULL;
@@ -643,8 +648,18 @@ ssh_packet_close_internal(struct ssh *ssh, int do_close)
@@ -646,8 +651,18 @@ ssh_packet_close_internal(struct ssh *ss
#endif /* WITH_ZLIB */
cipher_free(state->send_context);
cipher_free(state->receive_context);
@ -1745,7 +1746,7 @@ index e7abb34..997c338 100644
free(ssh->local_ipaddr);
ssh->local_ipaddr = NULL;
free(ssh->remote_ipaddr);
@@ -899,6 +914,7 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
@@ -904,6 +919,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod
(unsigned long long)state->p_send.bytes,
(unsigned long long)state->p_send.blocks);
kex_free_newkeys(state->newkeys[mode]);
@ -1753,7 +1754,7 @@ index e7abb34..997c338 100644
state->newkeys[mode] = NULL;
}
/* note that both bytes and the seqnr are not reset */
@@ -2205,6 +2221,73 @@ ssh_packet_get_output(struct ssh *ssh)
@@ -2210,6 +2226,73 @@ ssh_packet_get_output(struct ssh *ssh)
return (void *)ssh->state->output;
}
@ -1827,20 +1828,20 @@ index e7abb34..997c338 100644
/* Reset after_authentication and reset compression in post-auth privsep */
static int
ssh_packet_set_postauth(struct ssh *ssh)
diff --git a/packet.h b/packet.h
index c2544bd..239b391 100644
--- a/packet.h
+++ b/packet.h
@@ -218,4 +218,5 @@ const u_char *sshpkt_ptr(struct ssh *, size_t *lenp);
Index: openssh-8.4p1/packet.h
===================================================================
--- openssh-8.4p1.orig/packet.h
+++ openssh-8.4p1/packet.h
@@ -218,4 +218,5 @@ const u_char *sshpkt_ptr(struct ssh *, s
# undef EC_POINT
#endif
+void packet_destroy_all(struct ssh *, int, int);
#endif /* PACKET_H */
diff --git a/session.c b/session.c
index 530aa26..9e7a8f8 100644
--- a/session.c
+++ b/session.c
Index: openssh-8.4p1/session.c
===================================================================
--- openssh-8.4p1.orig/session.c
+++ openssh-8.4p1/session.c
@@ -136,7 +136,7 @@ extern char *__progname;
extern int debug_flag;
extern u_int utmp_len;
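Review bot: the refresh at this file boundary (and at every one below it) swaps the `diff --git a/packet.h b/packet.h` / `index c2544bd..239b391 100644` headers for quilt-style `Index: openssh-8.4p1/packet.h` / `===` headers and truncates the `@@` function context (`struct ssh *, size_t *lenp);` becomes `struct ssh *, s`). That is harmless for `patch`/`quilt`, but dropping the `index` blob ids means `git apply --3way` can no longer be used when rebasing this patch, so keep the whole series in one header format rather than mixing the two across refreshes.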
@ -1850,7 +1851,7 @@ index 530aa26..9e7a8f8 100644
extern struct sshbuf *loginmsg;
extern struct sshauthopt *auth_opts;
extern char *tun_fwd_ifnames; /* serverloop.c */
@@ -647,6 +647,14 @@ do_exec_pty(struct ssh *ssh, Session *s, const char *command)
@@ -647,6 +647,14 @@ do_exec_pty(struct ssh *ssh, Session *s,
/* Parent. Close the slave side of the pseudo tty. */
close(ttyfd);
@ -1865,7 +1866,7 @@ index 530aa26..9e7a8f8 100644
/* Enter interactive session. */
s->ptymaster = ptymaster;
ssh_packet_set_interactive(ssh, 1,
@@ -711,15 +719,19 @@ do_exec(struct ssh *ssh, Session *s, const char *command)
@@ -711,15 +719,19 @@ do_exec(struct ssh *ssh, Session *s, con
s->self);
#ifdef SSH_AUDIT_EVENTS
@ -1887,7 +1888,7 @@ index 530aa26..9e7a8f8 100644
#endif
if (s->ttyfd != -1)
ret = do_exec_pty(ssh, s, command);
@@ -1535,8 +1547,11 @@ do_child(struct ssh *ssh, Session *s, const char *command)
@@ -1542,8 +1554,11 @@ do_child(struct ssh *ssh, Session *s, co
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
/* remove hostkey from the child's memory */
@ -1900,7 +1901,7 @@ index 530aa26..9e7a8f8 100644
/* Force a password change */
if (s->authctxt->force_pwchange) {
@@ -1745,6 +1760,9 @@ session_unused(int id)
@@ -1752,6 +1767,9 @@ session_unused(int id)
sessions[id].ttyfd = -1;
sessions[id].ptymaster = -1;
sessions[id].x11_chanids = NULL;
@ -1910,11 +1911,10 @@ index 530aa26..9e7a8f8 100644
sessions[id].next_unused = sessions_first_unused;
sessions_first_unused = id;
}
@@ -1826,6 +1844,19 @@ session_open(Authctxt *authctxt, int chanid)
return 1;
@@ -1834,6 +1852,19 @@ session_open(Authctxt *authctxt, int cha
}
+Session *
Session *
+session_by_id(int id)
+{
+ if (id >= 0 && id < sessions_nalloc) {
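Review bot: `session_by_id()` bounds `id` with `id >= 0 && id < sessions_nalloc` before indexing `sessions[]`, which is the right check, but the hunk is cut before the in-range return; confirm that path also tests the slot's `used` flag, since `session_unused()` above recycles slots through `next_unused` and a stale id would otherwise hand back a recycled Session. The outer change in this hunk only moves which `Session *` line carries the `+`, so the refresh itself is functionally neutral.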
@ -1927,10 +1927,11 @@ index 530aa26..9e7a8f8 100644
+ return NULL;
+}
+
Session *
+Session *
session_by_tty(char *tty)
{
@@ -2437,6 +2468,32 @@ session_exit_message(struct ssh *ssh, Session *s, int status)
int i;
@@ -2444,6 +2475,32 @@ session_exit_message(struct ssh *ssh, Se
chan_write_failed(ssh, c);
}
@ -1963,7 +1964,7 @@ index 530aa26..9e7a8f8 100644
void
session_close(struct ssh *ssh, Session *s)
{
@@ -2478,6 +2535,10 @@ session_close(struct ssh *ssh, Session *s)
@@ -2485,6 +2542,10 @@ session_close(struct ssh *ssh, Session *
if (s->ttyfd != -1)
session_pty_cleanup(s);
@ -1974,7 +1975,7 @@ index 530aa26..9e7a8f8 100644
free(s->term);
free(s->display);
free(s->x11_chanids);
@@ -2553,14 +2614,14 @@ session_close_by_channel(struct ssh *ssh, int id, void *arg)
@@ -2560,14 +2621,14 @@ session_close_by_channel(struct ssh *ssh
}
void
@ -1991,7 +1992,7 @@ index 530aa26..9e7a8f8 100644
else
session_close(ssh, s);
}
@@ -2686,6 +2747,15 @@ do_authenticated2(struct ssh *ssh, Authctxt *authctxt)
@@ -2693,6 +2754,15 @@ do_authenticated2(struct ssh *ssh, Authc
server_loop2(ssh, authctxt);
}
@ -2007,7 +2008,7 @@ index 530aa26..9e7a8f8 100644
void
do_cleanup(struct ssh *ssh, Authctxt *authctxt)
{
@@ -2749,7 +2819,7 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
@@ -2756,7 +2826,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
* or if running in monitor.
*/
if (!use_privsep || mm_is_monitor())
@ -2016,10 +2017,10 @@ index 530aa26..9e7a8f8 100644
}
/* Return a name for the remote host that fits inside utmp_size */
diff --git a/session.h b/session.h
index ce59dab..bcd4b1d 100644
--- a/session.h
+++ b/session.h
Index: openssh-8.4p1/session.h
===================================================================
--- openssh-8.4p1.orig/session.h
+++ openssh-8.4p1/session.h
@@ -61,6 +61,12 @@ struct Session {
char *name;
char *val;
@ -2047,10 +2048,10 @@ index ce59dab..bcd4b1d 100644
Session *session_by_tty(char *);
void session_close(struct ssh *, Session *);
void do_setusercontext(struct passwd *);
diff --git a/sshd.c b/sshd.c
index 7d23232..9c83ce0 100644
--- a/sshd.c
+++ b/sshd.c
Index: openssh-8.4p1/sshd.c
===================================================================
--- openssh-8.4p1.orig/sshd.c
+++ openssh-8.4p1/sshd.c
@@ -122,6 +122,7 @@
#include "ssh-gss.h"
#endif
@ -2212,7 +2213,7 @@ index 7d23232..9c83ce0 100644
setproctitle("%s", "[net]");
if (box != NULL)
ssh_sandbox_child(box);
@@ -592,7 +647,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
@@ -592,7 +647,7 @@ privsep_postauth(struct ssh *ssh, Authct
pmonitor->m_sendfd = -1;
/* Demote the private keys to public keys. */
@ -2221,7 +2222,7 @@ index 7d23232..9c83ce0 100644
reseed_prngs();
@@ -1101,7 +1156,7 @@ server_listen(void)
@@ -1159,7 +1214,7 @@ server_listen(void)
* from this function are in a forked subprocess.
*/
static void
@ -2230,7 +2231,7 @@ index 7d23232..9c83ce0 100644
{
fd_set *fdset;
int i, j, ret, maxfd;
@@ -1162,6 +1217,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
@@ -1220,6 +1275,7 @@ server_accept_loop(int *sock_in, int *so
if (received_sigterm) {
logit("Received signal %d; terminating.",
(int) received_sigterm);
@ -2238,7 +2239,7 @@ index 7d23232..9c83ce0 100644
close_listen_socks();
if (options.pid_file != NULL)
unlink(options.pid_file);
@@ -2039,7 +2095,7 @@ main(int ac, char **av)
@@ -2089,7 +2145,7 @@ main(int ac, char **av)
#endif
/* Accept a connection and return in a forked child */
@ -2247,7 +2248,7 @@ index 7d23232..9c83ce0 100644
&newsock, config_s);
}
@@ -2274,6 +2330,9 @@ main(int ac, char **av)
@@ -2325,6 +2381,9 @@ main(int ac, char **av)
do_authenticated(ssh, authctxt);
/* The connection has been terminated. */
@ -2257,7 +2258,7 @@ index 7d23232..9c83ce0 100644
ssh_packet_get_bytes(ssh, &ibytes, &obytes);
verbose("Transferred: sent %llu, received %llu bytes",
(unsigned long long)obytes, (unsigned long long)ibytes);
@@ -2457,6 +2516,15 @@ do_ssh2_kex(struct ssh *ssh)
@@ -2509,6 +2568,15 @@ do_ssh2_kex(struct ssh *ssh)
void
cleanup_exit(int i)
{
@ -2273,7 +2274,7 @@ index 7d23232..9c83ce0 100644
if (the_active_state != NULL && the_authctxt != NULL) {
do_cleanup(the_active_state, the_authctxt);
if (use_privsep && privsep_is_preauth &&
@@ -2468,9 +2536,16 @@ cleanup_exit(int i)
@@ -2520,9 +2588,16 @@ cleanup_exit(int i)
pmonitor->m_pid, strerror(errno));
}
}
@ -2291,15 +2292,14 @@ index 7d23232..9c83ce0 100644
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
#endif
_exit(i);
diff --git a/sshkey.c b/sshkey.c
index 1ac32a0..f579108 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -368,6 +368,38 @@ sshkey_type_is_valid_ca(int type)
}
Index: openssh-8.4p1/sshkey.c
===================================================================
--- openssh-8.4p1.orig/sshkey.c
+++ openssh-8.4p1/sshkey.c
@@ -371,6 +371,38 @@ sshkey_type_is_valid_ca(int type)
}
+int
int
+sshkey_is_private(const struct sshkey *k)
+{
+ switch (k->type) {
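Review bot: `sshkey_is_private()` dereferences `k` in `switch (k->type)` with no NULL check; either document that callers must pass a non-NULL key or add `if (k == NULL) return 0;` ahead of the switch, and confirm the switch (cut here at the next hunk) closes with a `default: return 0;` arm so unknown key types are not reported as private. As with `session_by_id()`, the outer diff only relocates the `+` on the `int` return-type line, so no behaviour changes in this refresh.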
@ -2331,14 +2331,15 @@ index 1ac32a0..f579108 100644
+ }
+}
+
int
+int
sshkey_is_cert(const struct sshkey *k)
{
diff --git a/sshkey.h b/sshkey.h
index f586e89..a08bc65 100644
--- a/sshkey.h
+++ b/sshkey.h
@@ -187,6 +187,7 @@ int sshkey_shield_private(struct sshkey *);
if (k == NULL)
Index: openssh-8.4p1/sshkey.h
===================================================================
--- openssh-8.4p1.orig/sshkey.h
+++ openssh-8.4p1/sshkey.h
@@ -187,6 +187,7 @@ int sshkey_shield_private(struct sshke
int sshkey_unshield_private(struct sshkey *);
int sshkey_type_from_name(const char *);


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2
size 1706358


@ -1,14 +0,0 @@

openssh-8.4p1.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24
size 1742201
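Review bot: the tarball update replaces the LFS pointer `oid sha256:f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2` (size 1706358) with `oid sha256:5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24` (size 1742201) and swaps the detached `.asc` alongside it; before accepting, verify `openssh-8.4p1.tar.gz.asc` against the OpenSSH release signing key and check the sha256 against the upstream published digest, because the `Source`/`Source42` and `Source0`/`Source1` URLs in the two spec hunks are the only provenance this request records.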

openssh-8.4p1.tar.gz.asc Normal file

@ -0,0 +1,14 @@


@ -18,14 +18,14 @@
%define _name openssh
Name: openssh-askpass-gnome
Version: 8.3p1
Version: 8.4p1
Release: 0
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
License: BSD-2-Clause
Group: Productivity/Networking/SSH
URL: http://www.openssh.com/
Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
URL: https://www.openssh.com/
Source: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
Source42: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
Requires: %{_name} = %{version}
Supplements: packageand(openssh-clients:libgtk-3-0)
%if 0%{?suse_version} >= 1550


@ -1,3 +1,133 @@
-------------------------------------------------------------------
Mon Jan 18 00:30:37 UTC 2021 - Dirk Müller <dmueller@suse.com>
- update to 8.4p1:
Security
========
* ssh-agent(1): restrict ssh-agent from signing web challenges for
FIDO/U2F keys.
* ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating
a FIDO resident key.
* ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for
each use. These keys may be generated using ssh-keygen using a new
"verify-required" option. When a PIN-required key is used, the user
will be prompted for a PIN to complete the signature operation.
New Features
------------
* sshd(8): authorized_keys now supports a new "verify-required"
option to require FIDO signatures assert that the token verified
that the user was present before making the signature. The FIDO
protocol supports multiple methods for user-verification, but
currently OpenSSH only supports PIN verification.
* sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn
signatures. Webauthn is a standard for using FIDO keys in web
browsers. These signatures are a slightly different format to plain
FIDO signatures and thus require explicit support.
* ssh(1): allow some keywords to expand shell-style ${ENV}
environment variables. The supported keywords are CertificateFile,
ControlPath, IdentityAgent and IdentityFile, plus LocalForward and
RemoteForward when used for Unix domain socket paths. bz#3140
* ssh(1), ssh-agent(1): allow some additional control over the use of
ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
including forcibly enabling and disabling its use. bz#69
* ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time
limit for keys in addition to its current flag options. Time-
limited keys will automatically be removed from ssh-agent after
their expiry time has passed.
* scp(1), sftp(1): allow the -A flag to explicitly enable agent
forwarding in scp and sftp. The default remains to not forward an
agent, even when ssh_config enables it.
* ssh(1): add a '%k' TOKEN that expands to the effective HostKey of
the destination. This allows, e.g., keeping host keys in individual
files using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654
* ssh(1): add %-TOKEN, environment variable and tilde expansion to
the UserKnownHostsFile directive, allowing the path to be
completed by the configuration (e.g. bz#1654)
* ssh-keygen(1): allow "ssh-add -d -" to read keys to be deleted
from stdin. bz#3180
* sshd(8): improve logging for MaxStartups connection throttling.
sshd will now log when it starts and stops throttling and periodically
while in this state. bz#3055
Bugfixes
--------
* ssh(1), ssh-keygen(1): better support for multiple attached FIDO
tokens. In cases where OpenSSH cannot unambiguously determine which
token to direct a request to, the user is now required to select a
token by touching it. In cases of operations that require a PIN to
be verified, this avoids sending the wrong PIN to the wrong token
and incrementing the token's PIN failure counter (tokens
effectively erase their keys after too many PIN failures).
* sshd(8): fix Include before Match in sshd_config; bz#3122
* ssh(1): close stdin/out/error when forking after authentication
completes ("ssh -f ...") bz#3137
* ssh(1), sshd(8): limit the amount of channel input data buffered,
avoiding peers that advertise large windows but are slow to read
from causing high memory consumption.
* ssh-agent(1): handle multiple requests sent in a single write() to
the agent.
* sshd(8): allow sshd_config longer than 256k
* sshd(8): avoid spurious "Unable to load host key" message when sshd
load a private key but no public counterpart
* ssh(1): prefer the default hostkey algorithm list whenever we have
a hostkey that matches its best-preference algorithm.
* sshd(1): when ordering the hostkey algorithms to request from a
server, prefer certificate types if the known_hosts files contain a key
marked as a @cert-authority; bz#3157
* ssh(1): perform host key fingerprint comparisons for the "Are you
sure you want to continue connecting (yes/no/[fingerprint])?"
prompt with case sensitivity.
* sshd(8): ensure that address/masklen mismatches in sshd_config
yield fatal errors at daemon start time rather than later when
they are evaluated.
* ssh-keygen(1): ensure that certificate extensions are lexically
sorted. Previously if the user specified a custom extension then
the everything would be in order except the custom ones. bz#3198
* ssh(1): also compare username when checking for JumpHost loops.
bz#3057
* ssh-keygen(1): preserve group/world read permission on known_hosts
files across runs of "ssh-keygen -Rf /path". The old behaviour was
to remove all rights for group/other. bz#3146
* ssh-keygen(1): Mention the [-a rounds] flag in the ssh-keygen
manual page and usage().
* sshd(8): explicitly construct path to ~/.ssh/rc rather than
relying on it being relative to the current directory, so that it
can still be found if the shell startup changes its directory.
bz#3185
* sshd(8): when redirecting sshd's log output to a file, undo this
redirection after the session child process is forked(). Fixes
missing log messages when using this feature under some
circumstances.
* sshd(8): start ClientAliveInterval bookkeeping before first pass
through select() loop; fixed theoretical case where busy sshd may
ignore timeouts from client.
* ssh(1): only reset the ServerAliveInterval check when we receive
traffic from the server and ignore traffic from a port forwarding
client, preventing a client from keeping a connection alive when
it should be terminated. bz#2265
* ssh-keygen(1): avoid spurious error message when ssh-keygen
creates files outside ~/.ssh
* sftp-client(1): fix off-by-one error that caused sftp downloads to
make one more concurrent request that desired. This prevented using
sftp(1) in unpipelined request/response mode, which is useful when
debugging. bz#3054
* ssh(1), sshd(8): handle EINTR in waitfd() and timeout_connect()
helpers. bz#3071
* ssh(1), ssh-keygen(1): defer creation of ~/.ssh until we attempt to
write to it so we don't leave an empty .ssh directory when it's not
needed. bz#3156
* ssh(1), sshd(8): fix multiplier when parsing time specifications
when handling seconds after other units. bz#3171
-------------------------------------------------------------------
Fri Jan 8 01:37:02 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
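Review bot: four wording slips in the new changelog entry copied from the upstream release notes: `sshd(1)` in "when ordering the hostkey algorithms to request from a server" should read `ssh(1)` (the client does the ordering, and sshd has no section-1 page); "one more concurrent request that desired" should read "than desired"; "the everything would be in order" should drop "the"; and "when sshd load a private key" should read "loads". Worth fixing before the entry is frozen in the package history.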


@ -38,14 +38,14 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: openssh
Version: 8.3p1
Version: 8.4p1
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT
Group: Productivity/Networking/SSH
URL: https://www.openssh.com/
Source0: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
Source2: sshd.pamd
Source3: README.SUSE
Source4: README.kerberos
@ -108,7 +108,7 @@ Patch40: openssh-8.1p1-ed25519-use-openssl-rng.patch
Patch41: openssh-fips-ensure-approved-moduli.patch
Patch42: openssh-link-with-sk.patch
BuildRequires: audit-devel
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: groff
BuildRequires: libedit-devel
BuildRequires: libselinux-devel