Accepting request 433779 from home:pcerny:factory
- remaining patches that were still missing since the update to 7.2p2 (FATE#319675): [openssh-7.2p2-disable_openssl_abi_check.patch] - fix forwarding with IPv6 addresses in DISPLAY (bnc#847710) [openssh-7.2p2-IPv6_X_forwarding.patch] - ignore PAM environment when using login (bsc#975865, CVE-2015-8325) [openssh-7.2p2-ignore_PAM_with_UseLogin.patch] - limit accepted password length (prevents possible DoS) (bsc#992533, CVE-2016-6515) [openssh-7.2p2-limit_password_length.patch] - Prevent user enumeration through the timing of password processing (bsc#989363, CVE-2016-6210) [openssh-7.2p2-prevent_timing_user_enumeration.patch] - Add auditing for PRNG re-seeding [openssh-7.2p2-audit_seed_prng.patch] OBS-URL: https://build.opensuse.org/request/show/433779 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=113
This commit is contained in:
parent
fe873a1c10
commit
6c861e0b33
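--- /dev/null
+++ b/openssh-7.2p2-IPv6_X_forwarding.patch
@@ -0,0 +1,72 @@
+# HG changeset patch
+# Parent 8c4cb20b9633595de68131224b2d434e8dc41e17
+Correctly parse DISPLAY variable for cases where it contains an IPv6 address
+(which should - but not always is - in (square) brackets).
+
+bnc#847710 - https://bugzilla.novell.com/show_bug.cgi?id=847710
+
+diff --git a/openssh-7.2p2/channels.c b/openssh-7.2p2/channels.c
+--- a/openssh-7.2p2/channels.c
++++ b/openssh-7.2p2/channels.c
+@@ -4049,18 +4049,19 @@ x11_connect_display(void)
+/* OK, we now have a connection to the display. */
+return sock;
+}
+#endif
+/*
+* Check if it is a unix domain socket. Unix domain displays are in
+* one of the following formats: unix:d[.s], :d[.s], ::d[.s]
+*/
++ cp = strrchr(display, ':');
+if (strncmp(display, "unix:", 5) == 0 ||
+- display[0] == ':') {
++ (display[0] == ':' && ((cp - display) < 2)) ) {
+/* Connect to the unix domain socket. */
+if (sscanf(strrchr(display, ':') + 1, "%u", &display_number) != 1) {
+error("Could not parse display number from DISPLAY: %.100s",
+display);
+return -1;
+}
+/* Create a socket. */
+sock = connect_local_xsocket(display_number);
+@@ -4068,30 +4069,39 @@ x11_connect_display(void)
+return -1;
+
+/* OK, we now have a connection to the display. */
+return sock;
+}
+/*
+* Connect to an inet socket. The DISPLAY value is supposedly
+* hostname:d[.s], where hostname may also be numeric IP address.
++ * Note that IPv6 numberic addresses contain colons (e.g. ::1:0)
+*/
+strlcpy(buf, display, sizeof(buf));
+- cp = strchr(buf, ':');
++ cp = strrchr(buf, ':');
+if (!cp) {
+error("Could not find ':' in DISPLAY: %.100s", display);
+return -1;
+}
+*cp = 0;
+/* buf now contains the host name. But first we parse the display number. */
+if (sscanf(cp + 1, "%u", &display_number) != 1) {
+error("Could not parse display number from DISPLAY: %.100s",
+display);
+return -1;
+}
++
++ /* Remove brackets surrounding IPv6 addresses if there are any. */
++ if (buf[0] == '[' && (cp = strchr(buf, ']'))) {
++ *cp = 0;
++ cp = buf + 1;
++ } else {
++ cp = buf;
++ }
+
+/* Look up the host address */
+memset(&hints, 0, sizeof(hints));
+hints.ai_family = IPv4or6;
+hints.ai_socktype = SOCK_STREAM;
+snprintf(strport, sizeof strport, "%u", 6000 + display_number);
+if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
+error("%.100s: unknown host. (%s)", buf,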
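Review bot: The bracket stripping added before the host lookup has no effect on the lookup itself, because the unchanged context line that follows still calls `getaddrinfo(buf, strport, &hints, &aitop)` while the stripped host name is only left in `cp` (`cp = buf + 1` when `buf[0] == '['`), so `DISPLAY=[::1]:0` still hands `[::1` to the resolver and fails. Unless `cp` is consumed later in x11_connect_display outside this hunk, those two context lines should become `if ((gaierr = getaddrinfo(cp, strport, &hints, &aitop)) != 0) {` and `error("%.100s: unknown host. (%s)", cp,`. The new unix-socket test also deserves a one-line comment that `cp - display` is only evaluated after `display[0] == ':'` has proven a colon exists, so the `strrchr()` result cannot be NULL there. The function continues past the end of the hunk.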
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent d11948586a6da11e968278f55b48318b2263802b
|
||||
# Parent 7197d7a6b7c90566c68e980b5f8b937c183e79d0
|
||||
# enable trusted X11 forwarding by default in both sshd and sshsystem-wide
|
||||
# configuration
|
||||
# bnc#50836 (was suse #35836)
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 3d4efb38a918055f977a08aa7d1486a04bee6e11
|
||||
# Parent 28e8840bbf49c6e603bf2b55a08ed9050a60f9fb
|
||||
Do not throw away already open sockets for X11 forwarding if another socket
|
||||
family is not available for bind()
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 27b9bd4a1a53a28b5e9eda0a9c013d98f821149b
|
||||
# Parent e7bdbc5ea8971599466becf01bff12b9fcb5df3e
|
||||
Enable the seccomp-bpf sandbox on more architectures
|
||||
|
||||
upstream commit: b9c50614eba9d90939b2b119b6e1b7e03b462278 (7.3p1)
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent ec31f6a59145c0db748855bd5bc178161591dae9
|
||||
# Parent d33bce122aa351a56ce457be35feda52171f9088
|
||||
Enable DSS authentication by default to maintain compatibility with older
|
||||
versions.
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent aab6d99cb51e48a9046c3d7be8443b83b8ee5127
|
||||
# Parent c43ae523939377778762e81743b77b3c75eb4bd1
|
||||
Allow root login with password by default. While less secure than upstream
|
||||
default of forbidding access to the root account with a password, we are
|
||||
temporarily introducing this change to keep the default used in older OpenSSH
|
||||
|
@ -1,7 +1,6 @@
|
||||
# HG changeset patch
|
||||
# Parent cca48c52e3c70244e7f52d4fb3f86f920d5c8e0f
|
||||
Extended auditing through Linux Audit subsystem
|
||||
bz#1402
|
||||
# Parent af5c4026e36e7aa181c164d2eca72b7e2a8a897a
|
||||
Extended auditing through the Linux Auditing subsystem
|
||||
|
||||
diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
|
||||
--- a/openssh-7.2p2/Makefile.in
|
||||
|
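--- /dev/null
+++ b/openssh-7.2p2-audit_seed_prng.patch
@@ -0,0 +1,116 @@
+# HG changeset patch
+# Parent 3aad88a155050008275527c0624ae6fa05d0cdad
+Audit PRNG re-seeding
+
+diff --git a/openssh-7.2p2/audit-bsm.c b/openssh-7.2p2/audit-bsm.c
+--- a/openssh-7.2p2/audit-bsm.c
++++ b/openssh-7.2p2/audit-bsm.c
+@@ -504,9 +504,15 @@ audit_destroy_sensitive_data(const char
+/* not implemented */
+}
+
+void
+audit_generate_ephemeral_server_key(const char *fp)
+{
+/* not implemented */
+}
++
++void
++audit_linux_prng_seed(long bytes, const char *rf)
++{
++ /* not implemented */
++}
+#endif /* BSM */
+diff --git a/openssh-7.2p2/audit-linux.c b/openssh-7.2p2/audit-linux.c
+--- a/openssh-7.2p2/audit-linux.c
++++ b/openssh-7.2p2/audit-linux.c
+@@ -402,9 +402,31 @@ audit_generate_ephemeral_server_key(cons
+}
+audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
+buf, NULL, 0, NULL, 1);
+audit_close(audit_fd);
+/* do not abort if the error is EPERM and sshd is run as non root user */
+if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
+error("cannot write into audit");
+}
++
++void
++audit_linux_prng_seed(long bytes, const char *rf)
++{
++ char buf[AUDIT_LOG_SIZE];
++ int audit_fd, audit_ok;
++
++ snprintf(buf, sizeof(buf), "op=prng_seed kind=server bytes=%li source=%s ", bytes, rf);
++ audit_fd = audit_open();
++ if (audit_fd < 0) {
++ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
++ errno != EAFNOSUPPORT)
++ error("cannot open audit");
++ return;
++ }
++ audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_PARAM_CHANGE_USER,
++ buf, NULL, 0, NULL, 1);
++ audit_close(audit_fd);
++ /* do not abort if the error is EPERM and sshd is run as non root user */
++ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
++ error("cannot write into audit");
++}
+#endif /* USE_LINUX_AUDIT */
+diff --git a/openssh-7.2p2/audit.c b/openssh-7.2p2/audit.c
+--- a/openssh-7.2p2/audit.c
++++ b/openssh-7.2p2/audit.c
+@@ -304,10 +304,16 @@ audit_destroy_sensitive_data(const char
+/*
+* This will be called on generation of the ephemeral server key
+*/
+void
+audit_generate_ephemeral_server_key(const char *)
+{
+debug("audit create ephemeral server key euid %d fingerprint %s", geteuid(), fp);
+}
++
++void
++audit_linux_prng_seed(long bytes, const char *rf)
++{
++ debug("audit PRNG seed euid %d bytes %li source %s", geteuid(), bytes, rf);
++}
+# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
+#endif /* SSH_AUDIT_EVENTS */
+diff --git a/openssh-7.2p2/audit.h b/openssh-7.2p2/audit.h
+--- a/openssh-7.2p2/audit.h
++++ b/openssh-7.2p2/audit.h
+@@ -69,10 +69,11 @@ void audit_key(int, int *, const Key *);
+void audit_unsupported(int);
+void audit_kex(int, char *, char *, char *, char *);
+void audit_unsupported_body(int);
+void audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t);
+void audit_session_key_free(int ctos);
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
+void audit_destroy_sensitive_data(const char *, pid_t, uid_t);
+void audit_generate_ephemeral_server_key(const char *);
++void audit_linux_prng_seed(long, const char *);
+
+#endif /* _SSH_AUDIT_H */
+diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
+--- a/openssh-7.2p2/sshd.c
++++ b/openssh-7.2p2/sshd.c
+@@ -1421,16 +1421,19 @@ server_accept_loop(int *sock_in, int *so
+if (maxfd < startup_p[0])
+maxfd = startup_p[0];
+startups++;
+break;
+}
+if(!(--re_seeding_counter)) {
+re_seeding_counter = RESEED_AFTER;
+linux_seed();
++#ifdef SSH_AUDIT_EVENTS
++ audit_linux_prng_seed(rand_bytes, rand_file);
++#endif
+}
+
+/*
+* Got connection. Fork a child to handle it, unless
+* we are in debugging mode.
+*/
+if (debug_flag) {
+/*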
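Review bot: `audit_linux_prng_seed()` in audit-linux.c formats `rf` with `%s` without a NULL check, and the call site in sshd.c passes `rand_file`, whose definition and initialisation come from the separate seed-prng patch and are not in view; if that variable can be NULL when no seed file is configured, the `snprintf()` is undefined behaviour. Guarding the argument with `rf != NULL ? rf : "(none)"`, or asserting it non-NULL at the call site, closes that. The file name is also written into the audit record raw, so a path containing a space or quote breaks field parsing in ausearch; libaudit's `audit_encode_nv_string("source", rf, 0)` is the conventional way to emit a value that may contain such characters. The trailing space in the format string looks accidental as well. The BSM and audit.c stubs mirror the prototype correctly, but the `audit_linux_` prefix on a function that is declared in the generic audit.h and stubbed for BSM is misleading; `audit_prng_seed` would match the neighbouring names.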
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 0c50460ce313d041c2484d21ab810c8ee487cded
|
||||
# Parent 0bfb5dd4b190b546a3e40a59483b2b2884a47c39
|
||||
block SIGALRM while logging through syslog to prevent deadlocks
|
||||
(through grace_alarm_handler())
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 2d4a91c3c6c5b161f21511712889c2906fa158a4
|
||||
# Parent 16c4937db837ab7cdbe0422b81de0e7a9a8479cd
|
||||
disable run-time check for OpenSSL ABI by version number as that is not a
|
||||
reliable indicator of ABI changes and doesn't make much sense in a
|
||||
distribution package
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 69bdfde8282f9ab67c29e431a74916c045301ff5
|
||||
# Parent 7b5f436e0026923299fdd1994f8da8fd9948be7c
|
||||
|
||||
Raise minimal size of DH group parameters to 2048 bits like upstream did in
|
||||
7.2. 1024b values are believed to be in breaking range for state adversaries
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 93f67586b27e7f018c5b34e33f8156df772e980d
|
||||
# Parent e4886597a8984ae1594b6866fe1b232370b23529
|
||||
# posix threads are generally not supported nor safe
|
||||
# (see upstream log from 2005-05-24)
|
||||
# --used to be called '-pam-fix3'
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 8e5876ee9478740b83887db9fc6e3b1605848534
|
||||
# Parent f19426f2fa9c634474e635bf33b86acea0518f6d
|
||||
fix paths and references in sshd man pages
|
||||
|
||||
diff --git a/openssh-7.2p2/sshd.8 b/openssh-7.2p2/sshd.8
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent a51f9cba48652fc5df45b9ac8bd238268c70673c
|
||||
# Parent 980f301b2920c09b30577dd722546bca85d25fc1
|
||||
# force PAM in defaullt install (this was removed from upstream in 3.8p1)
|
||||
# bnc#46749
|
||||
# --used to be called '-pam-fix2'
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 0c3e1f1c3b2ab533f9cb1c82fb75ff247a9c71b1
|
||||
# Parent 3e1393b771d6430ae09ae30741a3b9b382e3e041
|
||||
FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
|
||||
algorithms.
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 9240088fbf80624f62dc79bcf5f3113a1b6dddd8
|
||||
# Parent 84a6252b7ac18855cf188e5911bdf8a757d4460a
|
||||
GSSAPI Key Exchange implementation
|
||||
|
||||
diff --git a/openssh-7.2p2/ChangeLog.gssapi b/openssh-7.2p2/ChangeLog.gssapi
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent fe2618b7337c0d97483dc98a6b53636c89f3d371
|
||||
# Parent 605a6220fcc2c96e9196681fe480fab16b505ee1
|
||||
Suggest command line for removal of offending keys from known_hosts file
|
||||
|
||||
diff --git a/openssh-7.2p2/sshconnect.c b/openssh-7.2p2/sshconnect.c
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 7e84e692f90c19e76a4180d54c7fdda2752c6c41
|
||||
# Parent f7ba2081f120bd1e44dbe68737c898f078725aab
|
||||
# -- uset do be called '-xauthlocalhostname'
|
||||
handle hostname changes when forwarding X
|
||||
|
||||
|
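--- /dev/null
+++ b/openssh-7.2p2-ignore_PAM_with_UseLogin.patch
@@ -0,0 +1,33 @@
+# HG changeset patch
+# Parent cb9be7363a9f32133f0d105d515149dd77cc8cd3
+
+Do not import PAM environment variables when using login, since it may have
+security implications.
+
+CVE-2015-8325
+bsc#975865
+
+Backport of upstream commit 85bdcd7c92fe7ff133bbc4e10a65c91810f88755
+
+diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
+--- a/openssh-7.2p2/session.c
++++ b/openssh-7.2p2/session.c
+@@ -1351,17 +1351,17 @@ do_setup_env(Session *s, const char *she
+child_set_env(&env, &envsize, "KRB5CCNAME",
+s->authctxt->krb5_ccname);
+#endif
+#ifdef USE_PAM
+/*
+* Pull in any environment variables that may have
+* been set by PAM.
+*/
+- if (options.use_pam) {
++ if (options.use_pam && !options.use_login) {
+char **p;
+
+p = fetch_pam_child_environment();
+copy_environment(p, &env, &envsize);
+free_pam_environment(p);
+
+p = fetch_pam_environment();
+copy_environment(p, &env, &envsize);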
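Review bot: The added `!options.use_login` condition carries no comment explaining why the PAM environment is dangerous in that mode, and the patch header's "may have security implications" is too vague to stop a later maintainer from simplifying the condition away. The existing comment block above the `if` should state the threat it defends against, e.g. `* Never import it when UseLogin is set: login(1) would inherit variables such as LD_PRELOAD that PAM (pam_env) lets a local user supply (CVE-2015-8325).` The hunk shows only this one use of `options.use_login`; whether the UseLogin keyword is still parsed and documented in this build is outside the hunk, and the do_setup_env body continues past it.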
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 3007da75cc9c93ead70a4971b9057d230178511c
|
||||
# Parent 79c00e0f450c33b3f545ef104112b55186290e2c
|
||||
# set uid for functions that use it to seek in lastlog and wtmp files
|
||||
# bnc#18024 (was suse #3024)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent fac59d81a8fba12278aea6a7b8a88b02fe02155a
|
||||
# Parent b8135c449e59282a8926ff44fcb4670baf8f158e
|
||||
# Helper app for retrieving keys from a LDAP server
|
||||
# by Jan F. Chadima <jchadima@redhat.com>
|
||||
#
|
||||
|
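--- /dev/null
+++ b/openssh-7.2p2-limit_password_length.patch
@@ -0,0 +1,52 @@
+# HG changeset patch
+# Parent e351203d2784230a3b56b8e3dd6955403ed10ca4
+Limit accepted passwords length to prevent DoS by resource consumption
+(via crypt() eating CPU cycles).
+
+CVE-2016-6515
+bsc#992533
+
+upstream commit: fcd135c9df440bcd2d5870405ad3311743d78d97
+
+diff --git a/openssh-7.2p2/auth-passwd.c b/openssh-7.2p2/auth-passwd.c
+--- a/openssh-7.2p2/auth-passwd.c
++++ b/openssh-7.2p2/auth-passwd.c
+@@ -61,16 +61,18 @@ extern ServerOptions options;
+#ifdef HAVE_LOGIN_CAP
+extern login_cap_t *lc;
+#endif
+
+
+#define DAY (24L * 60 * 60) /* 1 day in seconds */
+#define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */
+
++#define MAX_PASSWORD_LEN 1024
++
+void
+disable_forwarding(void)
+{
+no_port_forwarding_flag = 1;
+no_agent_forwarding_flag = 1;
+no_x11_forwarding_flag = 1;
+}
+
+@@ -82,16 +84,19 @@ int
+auth_password(Authctxt *authctxt, const char *password)
+{
+struct passwd * pw = authctxt->pw;
+int result, ok = authctxt->valid;
+#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
+static int expire_checked = 0;
+#endif
+
++ if (strlen(password) > MAX_PASSWORD_LEN)
++ return 0;
++
+#ifndef HAVE_CYGWIN
+if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
+ok = 0;
+#endif
+if (*password == '\0' && options.permit_empty_passwd == 0)
+return 0;
+
+#ifdef KRB5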
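Review bot: The new length cap lives only in `auth_password()`, so the PAM keyboard-interactive path is not covered: `sshpam_respond()` in auth-pam.c (visible in the companion timing patch in this commit) forwards `*resp` to the PAM thread unbounded, and a PAM module that calls crypt(3) on it would see the same CPU cost this patch is meant to remove. If that path is reachable in the default configuration, the same check belongs there, which means moving `MAX_PASSWORD_LEN` out of this .c file into a shared header such as auth.h. The early `return 0` also produces no log line, so an operator cannot tell an over-long password from an ordinary failure; either a `debug("%s: password length exceeds %d", __func__, MAX_PASSWORD_LEN);` before the return, or a comment noting that the rejection deliberately happens before any crypt(3) work and independently of whether the user exists, so it cannot be used for enumeration, would help. auth_password's body continues outside the hunk.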
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent a2ec408c99eefdd4c23f01eafddb0ce786514f50
|
||||
# Parent 295ae9c5f5da12d273f3b91e90145b449984a7dc
|
||||
# HG changeset patch
|
||||
# Parent b262fd34c8ecd55e93d457b3ca5593abce716856
|
||||
# login-pam cannot handle the option terminator "--" as login from util-linux
|
||||
|
@ -1,11 +1,11 @@
|
||||
# HG changeset patch
|
||||
# Parent 09a93433f5bb8baff0dce629c75f96357e3b1055
|
||||
# Parent 7ce81a30bb196401c63782b646d8a6d511ddec4b
|
||||
Do not write a PID file when not daemonizing (e.g. when running from systemd)
|
||||
|
||||
diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
|
||||
--- a/openssh-7.2p2/sshd.c
|
||||
+++ b/openssh-7.2p2/sshd.c
|
||||
@@ -2104,17 +2104,17 @@ main(int ac, char **av)
|
||||
@@ -2107,17 +2107,17 @@ main(int ac, char **av)
|
||||
signal(SIGCHLD, main_sigchld_handler);
|
||||
signal(SIGTERM, sigterm_handler);
|
||||
signal(SIGQUIT, sigterm_handler);
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 2b2855c68e979299aee899a7cb6e4aa57a828668
|
||||
# Parent ac7f843cd7ebec413691d51823cdc67b611abdff
|
||||
new option UsePAMCheckLocks to enforce checking for locked accounts while
|
||||
UsePAM is used
|
||||
|
||||
|
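--- /dev/null
+++ b/openssh-7.2p2-prevent_timing_user_enumeration.patch
@@ -0,0 +1,264 @@
+# HG changeset patch
+# Parent 323ac0fc20b1d5e9bf7037e020adfd760dd2d5f2
+Prevent user enumeration through password processing timing
+CVE-2016-6210
+bsc#989363
+
+non-PAM part:
+upstream commit: 9286875a73b2de7736b5e50692739d314cd8d9dc
+
+PAM part:
+upstream commit: 283b97ff33ea2c641161950849931bd578de6946
+
+diff --git a/openssh-7.2p2/auth-pam.c b/openssh-7.2p2/auth-pam.c
+--- a/openssh-7.2p2/auth-pam.c
++++ b/openssh-7.2p2/auth-pam.c
+@@ -227,17 +227,16 @@ static pam_handle_t *sshpam_handle = NUL
+static int sshpam_err = 0;
+static int sshpam_authenticated = 0;
+static int sshpam_session_open = 0;
+static int sshpam_cred_established = 0;
+static int sshpam_account_status = -1;
+static char **sshpam_env = NULL;
+static Authctxt *sshpam_authctxt = NULL;
+static const char *sshpam_password = NULL;
+-static char badpw[] = "\b\n\r\177INCORRECT";
+
+/* Some PAM implementations don't implement this */
+#ifndef HAVE_PAM_GETENVLIST
+static char **
+pam_getenvlist(pam_handle_t *pamh)
+{
+/*
+* XXX - If necessary, we can still support envrionment passing
+@@ -807,22 +806,45 @@ sshpam_query(void *ctx, char **name, cha
+free(msg);
+ctxt->pam_done = -1;
+return (-1);
+}
+}
+return (-1);
+}
+
++/*
++ * Returns a junk password of identical length to that the user supplied.
++ * Used to mitigate timing attacks against crypt(3)/PAM stacks that
++ * vary processing time in proportion to password length.
++ */
++static char *
++fake_password(const char *wire_password)
++{
++ const char junk[] = "\b\n\r\177INCORRECT";
++ char *ret = NULL;
++ size_t i, l = wire_password != NULL ? strlen(wire_password) : 0;
++
++ if (l >= INT_MAX)
++ fatal("%s: password length too long: %zu", __func__, l);
++
++ ret = xmalloc(l + 1);
++ for (i = 0; i < l; i++)
++ ret[i] = junk[i % (sizeof(junk) - 1)];
++ ret[i] = '\0';
++ return ret;
++}
++
+/* XXX - see also comment in auth-chall.c:verify_response */
+static int
+sshpam_respond(void *ctx, u_int num, char **resp)
+{
+Buffer buffer;
+struct pam_ctxt *ctxt = ctx;
++ char *fake;
+
+debug2("PAM: %s entering, %u responses", __func__, num);
+switch (ctxt->pam_done) {
+case 1:
+sshpam_authenticated = 1;
+return (0);
+case 0:
+break;
+@@ -833,18 +855,21 @@ sshpam_respond(void *ctx, u_int num, cha
+error("PAM: expected one response, got %u", num);
+return (-1);
+}
+buffer_init(&buffer);
+if (sshpam_authctxt->valid &&
+(sshpam_authctxt->pw->pw_uid != 0 ||
+options.permit_root_login == PERMIT_YES))
+buffer_put_cstring(&buffer, *resp);
+- else
+- buffer_put_cstring(&buffer, badpw);
++ else {
++ fake = fake_password(*resp);
++ buffer_put_cstring(&buffer, fake);
++ free(fake);
++ }
+if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
+buffer_free(&buffer);
+return (-1);
+}
+buffer_free(&buffer);
+return (1);
+}
+
+@@ -1178,41 +1203,43 @@ static struct pam_conv passwd_conv = { s
+/*
+* Attempt password authentication via PAM
+*/
+int
+sshpam_auth_passwd(Authctxt *authctxt, const char *password)
+{
+int flags = (options.permit_empty_passwd == 0 ?
+PAM_DISALLOW_NULL_AUTHTOK : 0);
++ char *fake = NULL;
+
+if (!options.use_pam || sshpam_handle == NULL)
+fatal("PAM: %s called when PAM disabled or failed to "
+"initialise.", __func__);
+
+sshpam_password = password;
+sshpam_authctxt = authctxt;
+
+/*
+* If the user logging in is invalid, or is root but is not permitted
+* by PermitRootLogin, use an invalid password to prevent leaking
+* information via timing (eg if the PAM config has a delay on fail).
+*/
+if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
+options.permit_root_login != PERMIT_YES))
+- sshpam_password = badpw;
++ sshpam_password = fake = fake_password(password);
+
+sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
+(const void *)&passwd_conv);
+if (sshpam_err != PAM_SUCCESS)
+fatal("PAM: %s: failed to set PAM_CONV: %s", __func__,
+pam_strerror(sshpam_handle, sshpam_err));
+
+sshpam_err = pam_authenticate(sshpam_handle, flags);
+sshpam_password = NULL;
++ free(fake);
+if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
+debug("PAM: password authentication accepted for %.100s",
+authctxt->user);
+return 1;
+} else {
+debug("PAM: password authentication failed for %.100s: %s",
+authctxt->valid ? authctxt->user : "an illegal user",
+pam_strerror(sshpam_handle, sshpam_err));
+diff --git a/openssh-7.2p2/auth-passwd.c b/openssh-7.2p2/auth-passwd.c
+--- a/openssh-7.2p2/auth-passwd.c
++++ b/openssh-7.2p2/auth-passwd.c
+@@ -188,28 +188,32 @@ sys_auth_passwd(Authctxt *authctxt, cons
+return (auth_close(as));
+}
+}
+#elif !defined(CUSTOM_SYS_AUTH_PASSWD)
+int
+sys_auth_passwd(Authctxt *authctxt, const char *password)
+{
+struct passwd *pw = authctxt->pw;
+- char *encrypted_password;
++ char *encrypted_password, *salt = NULL;
+
+/* Just use the supplied fake password if authctxt is invalid */
+char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
+
+/* Check for users with no password. */
+if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
+return (1);
+
+- /* Encrypt the candidate password using the proper salt. */
+- encrypted_password = xcrypt(password,
+- (pw_password[0] && pw_password[1]) ? pw_password : "xx");
++ /*
++ * Encrypt the candidate password using the proper salt, or pass a
++ * NULL and let xcrypt pick one.
++ */
++ if (authctxt->valid && pw_password[0] && pw_password[1])
++ salt = pw_password;
++ encrypted_password = xcrypt(password, salt);
+
+/*
+* Authentication is accepted if the encrypted passwords
+* are identical.
+*/
+return encrypted_password != NULL &&
+strcmp(encrypted_password, pw_password) == 0;
+}
+diff --git a/openssh-7.2p2/openbsd-compat/xcrypt.c b/openssh-7.2p2/openbsd-compat/xcrypt.c
+--- a/openssh-7.2p2/openbsd-compat/xcrypt.c
++++ b/openssh-7.2p2/openbsd-compat/xcrypt.c
+@@ -20,16 +20,17 @@
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#include "includes.h"
+
+#include <sys/types.h>
++#include <string.h>
+#include <unistd.h>
+#include <pwd.h>
+
+# if defined(HAVE_CRYPT_H) && !defined(HAVE_SECUREWARE)
+# include <crypt.h>
+# endif
+
+# ifdef __hpux
+@@ -57,21 +58,54 @@
+# include "md5crypt.h"
+# endif
+
+# if defined(WITH_OPENSSL) && !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT)
+# include <openssl/des.h>
+# define crypt DES_crypt
+# endif
+
++/*
++ * Pick an appropriate password encryption type and salt for the running
++ * system.
++ */
++static const char *
++pick_salt(void)
++{
++ struct passwd *pw;
++ char *passwd, *p;
++ size_t typelen;
++ static char salt[32];
++
++ if (salt[0] != '\0')
++ return salt;
++ strlcpy(salt, "xx", sizeof(salt));
++ if ((pw = getpwuid(0)) == NULL)
++ return salt;
++ passwd = shadow_pw(pw);
++ if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
++ return salt; /* no $, DES */
++ typelen = p - passwd + 1;
++ strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
++ explicit_bzero(passwd, strlen(passwd));
++ return salt;
++}
++
+char *
+xcrypt(const char *password, const char *salt)
+{
+char *crypted;
+
++ /*
++ * If we don't have a salt we are encrypting a fake password for
++ * for timing purposes. Pick an appropriate salt.
++ */
++ if (salt == NULL)
++ salt = pick_salt();
++
+# ifdef HAVE_MD5_PASSWORDS
+if (is_md5_salt(salt))
+crypted = md5_crypt(password, salt);
+else
+crypted = crypt(password, salt);
+# elif defined(__hpux) && !defined(HAVE_SECUREWARE)
+if (iscomsec())
+crypted = bigcrypt(password, salt);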
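Review bot: `pick_salt()` falls back to the DES salt `"xx"` whenever root's password field does not start with `$` (the `passwd[0] != '$'` test), which is exactly the situation on hosts where root is locked with `!` or `*`; there the fake crypt(3) for unknown users stays far cheaper than the `$6$` hashes real users have, so the timing gap this patch targets is only closed when root happens to carry a modern hash. A safer fallback is the strongest type the libc supports rather than DES, e.g. `strlcpy(salt, "$6$", sizeof(salt));` under whatever SHA-crypt detection the build already has, keeping `"xx"` only for systems without it, and the `/* no $, DES */` comment should say that this branch re-opens the timing difference. The static `salt[]` cache also means the choice is made once per process from the root entry, which is worth a comment because only the privileged monitor can read shadow and the answer is never re-evaluated. Separately, `fake` in sshpam_auth_passwd() and sshpam_respond() is freed without being wiped; an `explicit_bzero(fake, strlen(fake));` before each `free(fake)` would match how the patch treats `passwd` in pick_salt(). xcrypt() continues outside the hunk.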
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent c08afc8b92580b589ea02d84cf3d29be257ec103
|
||||
# Parent 787bc0aab11e5a7b6510c8dbf771958743ca25b0
|
||||
# use same lines naming as utempter (prevents problems with using different
|
||||
# formats in ?tmp? files)
|
||||
# --used to be called '-pts'
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent ff8f0a192e120430204441cdcd18ff130f85a61e
|
||||
# Parent 18c2690afd988b9cb0fd0fa927d02cf5336dce9c
|
||||
# --used to be called '-xauth'
|
||||
try to remove xauth cookies on logout
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 80f5b9b81269880fbc12bcbc5830fe2044baf894
|
||||
# Parent c66097e5e31cd607bf2206b2da95730cce518b7a
|
||||
add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread
|
||||
from being killed by the seccomp filter
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent f8357691112e6b15424f506f7ab6c417f5aa6f9e
|
||||
# Parent def949a57b8101691c79ecce6366cc7ae1685b07
|
||||
Allow the stat() syscall for OpenSSL re-seed patch
|
||||
(which causes OpenSSL use stat() on some file)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent ea1ef0bb63e77f14c91b2b417f1b8c3383b2835f
|
||||
# Parent 6ece65e11f754d75dd33d72b6f8e487a9d047f2e
|
||||
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
|
||||
# bnc#703221, FATE#312172
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 5bcf5f230ccaec7b9c9398cc6b4193574559861d
|
||||
# Parent dfcac093fca4d826a806b9d1c0bdc26e7ae8ee8e
|
||||
send locales in default configuration
|
||||
bnc#65747
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 7951ad8c720728b382cfaa32e3d7a549126a1496
|
||||
# Parent efa850d8312ceef224dbec0f2ae1002201afabd9
|
||||
additional option for sftp-server to force file mode for new files
|
||||
FATE#312774
|
||||
http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.html
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 2f269fe1cd176bc5ff833819e1b04f1d96f13144
|
||||
# Parent 9b1033f35a6cb173fbc13416065ed40c4b14e656
|
||||
run sftp sessions inside a chroot
|
||||
|
||||
diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
|
||||
|
@ -1,6 +1,8 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 29 23:27:49 UTC 2016 - pcerny@suse.com
|
||||
|
||||
- remaining patches that were still missing
|
||||
since the update to 7.2p2 (FATE#319675):
|
||||
- allow X forwarding over IPv4 when IPv6 sockets is not available
|
||||
[openssh-7.2p2-X_forward_with_disabled_ipv6.patch]
|
||||
- do not write PID file when not daemonizing
|
||||
@ -13,7 +15,7 @@ Thu Sep 29 23:27:49 UTC 2016 - pcerny@suse.com
|
||||
- allow forcing permissions over sftp
|
||||
[openssh-7.2p2-sftp_force_permissions.patch]
|
||||
- do not perform run-time checks for OpenSSL API/ABI change
|
||||
[openssh-7.2p2-disable-openssl-abi-check.patch]
|
||||
[openssh-7.2p2-disable_openssl_abi_check.patch]
|
||||
- suggest commands for cleaning known hosts file
|
||||
[openssh-7.2p2-host_ident.patch]
|
||||
- sftp home chroot patch
|
||||
@ -22,6 +24,19 @@ Thu Sep 29 23:27:49 UTC 2016 - pcerny@suse.com
|
||||
[openssh-7.2p2-audit.patch]
|
||||
- enable seccomp sandbox on additional architectures
|
||||
[openssh-7.2p2-additional_seccomp_archs.patch]
|
||||
- fix forwarding with IPv6 addresses in DISPLAY (bnc#847710)
|
||||
[openssh-7.2p2-IPv6_X_forwarding.patch]
|
||||
- ignore PAM environment when using login
|
||||
(bsc#975865, CVE-2015-8325)
|
||||
[openssh-7.2p2-ignore_PAM_with_UseLogin.patch]
|
||||
- limit accepted password length (prevents possible DoS)
|
||||
(bsc#992533, CVE-2016-6515)
|
||||
[openssh-7.2p2-limit_password_length.patch]
|
||||
- Prevent user enumeration through the timing of password
|
||||
processing (bsc#989363, CVE-2016-6210)
|
||||
[openssh-7.2p2-prevent_timing_user_enumeration.patch]
|
||||
- Add auditing for PRNG re-seeding
|
||||
[openssh-7.2p2-audit_seed_prng.patch]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Sep 16 12:45:11 UTC 2016 - pcerny@suse.com
|
||||
|
32
openssh.spec
32
openssh.spec
@ -53,11 +53,9 @@
|
||||
%endif
|
||||
|
||||
%define sandbox_seccomp 0
|
||||
%ifarch %ix86 x86_64
|
||||
%if 0%{?suse_version} > 1220
|
||||
%define sandbox_seccomp 1
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d
|
||||
%define _fwdefdir %{_fwdir}/services
|
||||
@ -132,15 +130,20 @@ Patch16: openssh-7.2p2-fips.patch
|
||||
Patch17: openssh-7.2p2-seed-prng.patch
|
||||
Patch18: openssh-7.2p2-gssapi_key_exchange.patch
|
||||
Patch19: openssh-7.2p2-audit.patch
|
||||
Patch20: openssh-7.2p2-login_options.patch
|
||||
Patch21: openssh-7.2p2-disable-openssl-abi-check.patch
|
||||
Patch22: openssh-7.2p2-no_fork-no_pid_file.patch
|
||||
Patch23: openssh-7.2p2-host_ident.patch
|
||||
Patch24: openssh-7.2p2-sftp_homechroot.patch
|
||||
Patch25: openssh-7.2p2-sftp_force_permissions.patch
|
||||
Patch26: openssh-7.2p2-X_forward_with_disabled_ipv6.patch
|
||||
Patch27: openssh-7.2p2-ldap.patch
|
||||
Patch28: openssh-7.2p2-additional_seccomp_archs.patch
|
||||
Patch20: openssh-7.2p2-audit_seed_prng.patch
|
||||
Patch21: openssh-7.2p2-login_options.patch
|
||||
Patch22: openssh-7.2p2-disable_openssl_abi_check.patch
|
||||
Patch23: openssh-7.2p2-no_fork-no_pid_file.patch
|
||||
Patch24: openssh-7.2p2-host_ident.patch
|
||||
Patch25: openssh-7.2p2-sftp_homechroot.patch
|
||||
Patch26: openssh-7.2p2-sftp_force_permissions.patch
|
||||
Patch27: openssh-7.2p2-X_forward_with_disabled_ipv6.patch
|
||||
Patch28: openssh-7.2p2-ldap.patch
|
||||
Patch29: openssh-7.2p2-additional_seccomp_archs.patch
|
||||
Patch30: openssh-7.2p2-IPv6_X_forwarding.patch
|
||||
Patch31: openssh-7.2p2-ignore_PAM_with_UseLogin.patch
|
||||
Patch32: openssh-7.2p2-prevent_timing_user_enumeration.patch
|
||||
Patch33: openssh-7.2p2-limit_password_length.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
Conflicts: nonfreessh
|
||||
Recommends: audit
|
||||
@ -221,13 +224,18 @@ FIPS140 CAVS tests related parts of the OpenSSH package
|
||||
%patch26 -p2
|
||||
%patch27 -p2
|
||||
%patch28 -p2
|
||||
%patch29 -p2
|
||||
%patch30 -p2
|
||||
%patch31 -p2
|
||||
%patch32 -p2
|
||||
%patch33 -p2
|
||||
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
|
||||
|
||||
%build
|
||||
# set libexec dir in the LDAP patch
|
||||
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
||||
$( grep -Rl @LIBEXECDIR@ \
|
||||
$( grep "^+++" %{PATCH27} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
||||
$( grep "^+++" %{PATCH28} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
||||
)
|
||||
|
||||
autoreconf -fiv
|
||||
|
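Review bot: Inserting the new patch as Patch20 renumbers every patch after it (login_options, disable_openssl_abi_check, no_fork-no_pid_file, host_ident, sftp_homechroot, sftp_force_permissions, X_forward_with_disabled_ipv6, ldap, additional_seccomp_archs) and forces the `%{PATCH27}` to `%{PATCH28}` change in the %build sed, which is the kind of positional coupling that silently applies the wrong patch when one edit is missed. Appending new patches at the end (Patch34 and up) keeps existing numbers stable and leaves the LDAP reference untouched. The `sandbox_seccomp` hunk near line 53 appears to drop the `%ifarch %ix86 x86_64` guard; if so, the seccomp sandbox is now enabled on every architecture with suse_version > 1220, and a comment such as `# all supported archs have syscall lists since openssh-7.2p2-additional_seccomp_archs.patch` would tell the next maintainer why the guard went away.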