forked from pool/openssh
Accepting request 652023 from network
OBS-URL: https://build.opensuse.org/request/show/652023 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=123
commit
7ca123a3a4
10
README.SUSE
10
README.SUSE
@ -5,16 +5,6 @@ There are following changes in default settings of ssh client and server:
|
||||
|
||||
* PAM authentication is enabled and mostly even required, do not turn it off.
|
||||
|
||||
* root authentiation with password is enabled by default (PermitRootLogin yes).
|
||||
NOTE: this has security implications and is only done in order to not change
|
||||
behaviour of the server in an update. We strongly suggest setting this option
|
||||
either "prohibit-password" or even better to "no" (which disables direct
|
||||
remote root login entirely).
|
||||
|
||||
* SSH protocol version 1 is enabled for maximum compatibility.
|
||||
NOTE: do not use protocol version 1. It is less secure then v2 and should
|
||||
generally be phased out.
|
||||
|
||||
* DSA authentication is enabled by default for maximum compatibility.
|
||||
NOTE: do not use DSA authentication since it is being phased out for a reason
|
||||
- the size of DSA keys is limited by the standard to 1024 bits which cannot
|
||||
|
@ -1,95 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent 3bf0158be93bd08d60a30a320650ea7f9844ef50
|
||||
Allow root login with password by default. While less secure than upstream
|
||||
default of forbidding access to the root account with a password, we are
|
||||
temporarily introducing this change to keep the default used in older OpenSSH
|
||||
versions shipped with SLE.
|
||||
|
||||
diff --git a/openssh-7.7p1/servconf.c b/openssh-7.7p1/servconf.c
|
||||
--- openssh-7.7p1/servconf.c
|
||||
+++ openssh-7.7p1/servconf.c
|
||||
@@ -265,17 +265,17 @@ fill_default_server_options(ServerOption
|
||||
options->address_family = AF_UNSPEC;
|
||||
if (options->listen_addrs == NULL)
|
||||
add_listen_addr(options, NULL, NULL, 0);
|
||||
if (options->pid_file == NULL)
|
||||
options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
|
||||
if (options->login_grace_time == -1)
|
||||
options->login_grace_time = 120;
|
||||
if (options->permit_root_login == PERMIT_NOT_SET)
|
||||
- options->permit_root_login = PERMIT_NO_PASSWD;
|
||||
+ options->permit_root_login = PERMIT_YES;
|
||||
if (options->ignore_rhosts == -1)
|
||||
options->ignore_rhosts = 1;
|
||||
if (options->ignore_user_known_hosts == -1)
|
||||
options->ignore_user_known_hosts = 0;
|
||||
if (options->print_motd == -1)
|
||||
options->print_motd = 1;
|
||||
if (options->print_lastlog == -1)
|
||||
options->print_lastlog = 1;
|
||||
diff --git a/openssh-7.7p1/sshd_config b/openssh-7.7p1/sshd_config
|
||||
--- openssh-7.7p1/sshd_config
|
||||
+++ openssh-7.7p1/sshd_config
|
||||
@@ -24,17 +24,17 @@
|
||||
|
||||
# Logging
|
||||
#SyslogFacility AUTH
|
||||
#LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
|
||||
#LoginGraceTime 2m
|
||||
-#PermitRootLogin prohibit-password
|
||||
+#PermitRootLogin yes
|
||||
#StrictModes yes
|
||||
#MaxAuthTries 6
|
||||
#MaxSessions 10
|
||||
|
||||
#PubkeyAuthentication yes
|
||||
|
||||
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
||||
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||
diff --git a/openssh-7.7p1/sshd_config.0 b/openssh-7.7p1/sshd_config.0
|
||||
--- openssh-7.7p1/sshd_config.0
|
||||
+++ openssh-7.7p1/sshd_config.0
|
||||
@@ -709,17 +709,17 @@ DESCRIPTION
|
||||
none can be used to prohibit all forwarding requests. The
|
||||
wildcard M-bM-^@M-^X*M-bM-^@M-^Y can be used for host or port to allow all hosts or
|
||||
ports, respectively. By default all port forwarding requests are
|
||||
permitted.
|
||||
|
||||
PermitRootLogin
|
||||
Specifies whether root can log in using ssh(1). The argument
|
||||
must be yes, prohibit-password, forced-commands-only, or no. The
|
||||
- default is prohibit-password.
|
||||
+ default is yes.
|
||||
|
||||
If this option is set to prohibit-password (or its deprecated
|
||||
alias, without-password), password and keyboard-interactive
|
||||
authentication are disabled for root.
|
||||
|
||||
If this option is set to forced-commands-only, root login with
|
||||
public key authentication will be allowed, but only if the
|
||||
command option has been specified (which may be useful for taking
|
||||
diff --git a/openssh-7.7p1/sshd_config.5 b/openssh-7.7p1/sshd_config.5
|
||||
--- openssh-7.7p1/sshd_config.5
|
||||
+++ openssh-7.7p1/sshd_config.5
|
||||
@@ -1220,17 +1220,17 @@ Specifies whether root can log in using
|
||||
.Xr ssh 1 .
|
||||
The argument must be
|
||||
.Cm yes ,
|
||||
.Cm prohibit-password ,
|
||||
.Cm forced-commands-only ,
|
||||
or
|
||||
.Cm no .
|
||||
The default is
|
||||
-.Cm prohibit-password .
|
||||
+.Cm yes .
|
||||
.Pp
|
||||
If this option is set to
|
||||
.Cm prohibit-password
|
||||
(or its deprecated alias,
|
||||
.Cm without-password ) ,
|
||||
password and keyboard-interactive authentication are disabled for root.
|
||||
.Pp
|
||||
If this option is set to
|
@ -3,11 +3,11 @@
|
||||
Extended auditing through the Linux Auditing subsystem
|
||||
RH patch from git://pkgs.fedoraproject.org/openssh.git
|
||||
|
||||
Index: openssh-7.8p1/Makefile.in
|
||||
Index: openssh-7.9p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/Makefile.in
|
||||
+++ openssh-7.8p1/Makefile.in
|
||||
@@ -110,6 +110,8 @@ LIBSSH_OBJS += fips.o
|
||||
--- openssh-7.9p1.orig/Makefile.in
|
||||
+++ openssh-7.9p1/Makefile.in
|
||||
@@ -111,6 +111,8 @@ LIBSSH_OBJS += fips.o
|
||||
|
||||
LIBSSH_OBJS += kexgssc.o kexgsss.o
|
||||
|
||||
@ -16,10 +16,10 @@ Index: openssh-7.8p1/Makefile.in
|
||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||
sshconnect.o sshconnect2.o mux.o
|
||||
|
||||
Index: openssh-7.8p1/audit-bsm.c
|
||||
Index: openssh-7.9p1/audit-bsm.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/audit-bsm.c
|
||||
+++ openssh-7.8p1/audit-bsm.c
|
||||
--- openssh-7.9p1.orig/audit-bsm.c
|
||||
+++ openssh-7.9p1/audit-bsm.c
|
||||
@@ -372,10 +372,23 @@ audit_connection_from(const char *host,
|
||||
#endif
|
||||
}
|
||||
@ -93,11 +93,11 @@ Index: openssh-7.8p1/audit-bsm.c
|
||||
+ /* not implemented */
|
||||
+}
|
||||
#endif /* BSM */
|
||||
Index: openssh-7.8p1/audit-linux.c
|
||||
Index: openssh-7.9p1/audit-linux.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/audit-linux.c
|
||||
+++ openssh-7.8p1/audit-linux.c
|
||||
@@ -33,27 +33,40 @@
|
||||
--- openssh-7.9p1.orig/audit-linux.c
|
||||
+++ openssh-7.9p1/audit-linux.c
|
||||
@@ -33,27 +33,41 @@
|
||||
|
||||
#include "log.h"
|
||||
#include "audit.h"
|
||||
@ -106,6 +106,7 @@ Index: openssh-7.8p1/audit-linux.c
|
||||
+#include "auth.h"
|
||||
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
|
||||
+#include "servconf.h"
|
||||
+#include "ssherr.h"
|
||||
#include "canohost.h"
|
||||
#include "packet.h"
|
||||
-
|
||||
@ -146,7 +147,7 @@ Index: openssh-7.8p1/audit-linux.c
|
||||
saved_errno = errno;
|
||||
close(audit_fd);
|
||||
|
||||
@@ -65,9 +78,96 @@ linux_audit_record_event(int uid, const
|
||||
@@ -65,9 +79,96 @@ linux_audit_record_event(int uid, const
|
||||
rc = 0;
|
||||
errno = saved_errno;
|
||||
|
||||
@ -244,7 +245,7 @@ Index: openssh-7.8p1/audit-linux.c
|
||||
/* Below is the sshd audit API code */
|
||||
|
||||
void
|
||||
@@ -76,24 +176,55 @@ audit_connection_from(const char *host,
|
||||
@@ -76,24 +177,55 @@ audit_connection_from(const char *host,
|
||||
/* not implemented */
|
||||
}
|
||||
|
||||
@ -306,7 +307,7 @@ Index: openssh-7.8p1/audit-linux.c
|
||||
}
|
||||
|
||||
void
|
||||
@@ -102,25 +233,155 @@ audit_event(ssh_audit_event_t event)
|
||||
@@ -102,25 +234,155 @@ audit_event(ssh_audit_event_t event)
|
||||
struct ssh *ssh = active_state; /* XXX */
|
||||
|
||||
switch(event) {
|
||||
@ -468,10 +469,10 @@ Index: openssh-7.8p1/audit-linux.c
|
||||
+ error("cannot write into audit");
|
||||
+}
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
Index: openssh-7.8p1/audit.c
|
||||
Index: openssh-7.9p1/audit.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/audit.c
|
||||
+++ openssh-7.8p1/audit.c
|
||||
--- openssh-7.9p1.orig/audit.c
|
||||
+++ openssh-7.9p1/audit.c
|
||||
@@ -34,13 +34,19 @@
|
||||
#include "log.h"
|
||||
#include "hostfile.h"
|
||||
@ -648,10 +649,10 @@ Index: openssh-7.8p1/audit.c
|
||||
}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
Index: openssh-7.8p1/audit.h
|
||||
Index: openssh-7.9p1/audit.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/audit.h
|
||||
+++ openssh-7.8p1/audit.h
|
||||
--- openssh-7.9p1.orig/audit.h
|
||||
+++ openssh-7.9p1/audit.h
|
||||
@@ -26,6 +26,7 @@
|
||||
# define _SSH_AUDIT_H
|
||||
|
||||
@ -694,10 +695,10 @@ Index: openssh-7.8p1/audit.h
|
||||
+void audit_destroy_sensitive_data(const char *, pid_t, uid_t);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
Index: openssh-7.8p1/auditstub.c
|
||||
Index: openssh-7.9p1/auditstub.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/auditstub.c
|
||||
+++ openssh-7.9p1/auditstub.c
|
||||
@@ -0,0 +1,50 @@
|
||||
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
|
||||
+
|
||||
@ -749,11 +750,11 @@ Index: openssh-7.8p1/auditstub.c
|
||||
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
|
||||
+{
|
||||
+}
|
||||
Index: openssh-7.8p1/auth.c
|
||||
Index: openssh-7.9p1/auth.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/auth.c
|
||||
+++ openssh-7.8p1/auth.c
|
||||
@@ -362,7 +362,7 @@ auth_log(Authctxt *authctxt, int authent
|
||||
--- openssh-7.9p1.orig/auth.c
|
||||
+++ openssh-7.9p1/auth.c
|
||||
@@ -366,7 +366,7 @@ auth_log(Authctxt *authctxt, int authent
|
||||
# endif
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
@ -762,7 +763,7 @@ Index: openssh-7.8p1/auth.c
|
||||
audit_event(audit_classify_auth(method));
|
||||
#endif
|
||||
}
|
||||
@@ -601,9 +601,6 @@ getpwnamallow(const char *user)
|
||||
@@ -605,9 +605,6 @@ getpwnamallow(const char *user)
|
||||
record_failed_login(user,
|
||||
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
|
||||
#endif
|
||||
@ -772,10 +773,10 @@ Index: openssh-7.8p1/auth.c
|
||||
return (NULL);
|
||||
}
|
||||
if (!allowed_user(pw))
|
||||
Index: openssh-7.8p1/auth.h
|
||||
Index: openssh-7.9p1/auth.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/auth.h
|
||||
+++ openssh-7.8p1/auth.h
|
||||
--- openssh-7.9p1.orig/auth.h
|
||||
+++ openssh-7.9p1/auth.h
|
||||
@@ -193,6 +193,8 @@ struct passwd * getpwnamallow(const char
|
||||
|
||||
char *expand_authorized_keys(const char *, struct passwd *pw);
|
||||
@ -794,11 +795,11 @@ Index: openssh-7.8p1/auth.h
|
||||
|
||||
/* Key / cert options linkage to auth layer */
|
||||
const struct sshauthopt *auth_options(struct ssh *);
|
||||
Index: openssh-7.8p1/auth2-hostbased.c
|
||||
Index: openssh-7.9p1/auth2-hostbased.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/auth2-hostbased.c
|
||||
+++ openssh-7.8p1/auth2-hostbased.c
|
||||
@@ -141,7 +141,7 @@ userauth_hostbased(struct ssh *ssh)
|
||||
--- openssh-7.9p1.orig/auth2-hostbased.c
|
||||
+++ openssh-7.9p1/auth2-hostbased.c
|
||||
@@ -148,7 +148,7 @@ userauth_hostbased(struct ssh *ssh)
|
||||
/* test for allowed key and correct signature */
|
||||
authenticated = 0;
|
||||
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
|
||||
@ -807,7 +808,7 @@ Index: openssh-7.8p1/auth2-hostbased.c
|
||||
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat)) == 0)
|
||||
authenticated = 1;
|
||||
|
||||
@@ -158,6 +158,19 @@ done:
|
||||
@@ -165,6 +165,19 @@ done:
|
||||
return authenticated;
|
||||
}
|
||||
|
||||
@ -827,11 +828,11 @@ Index: openssh-7.8p1/auth2-hostbased.c
|
||||
/* return 1 if given hostkey is allowed */
|
||||
int
|
||||
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
|
||||
Index: openssh-7.8p1/auth2-pubkey.c
|
||||
Index: openssh-7.9p1/auth2-pubkey.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/auth2-pubkey.c
|
||||
+++ openssh-7.8p1/auth2-pubkey.c
|
||||
@@ -187,7 +187,7 @@ userauth_pubkey(struct ssh *ssh)
|
||||
--- openssh-7.9p1.orig/auth2-pubkey.c
|
||||
+++ openssh-7.9p1/auth2-pubkey.c
|
||||
@@ -193,7 +193,7 @@ userauth_pubkey(struct ssh *ssh)
|
||||
/* test for correct signature */
|
||||
authenticated = 0;
|
||||
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
|
||||
@ -840,7 +841,7 @@ Index: openssh-7.8p1/auth2-pubkey.c
|
||||
sshbuf_ptr(b), sshbuf_len(b),
|
||||
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
|
||||
ssh->compat)) == 0) {
|
||||
@@ -246,6 +246,19 @@ done:
|
||||
@@ -252,6 +252,19 @@ done:
|
||||
return authenticated;
|
||||
}
|
||||
|
||||
@ -860,7 +861,7 @@ Index: openssh-7.8p1/auth2-pubkey.c
|
||||
static int
|
||||
match_principals_option(const char *principal_list, struct sshkey_cert *cert)
|
||||
{
|
||||
@@ -767,7 +780,7 @@ user_cert_trusted_ca(struct ssh *ssh, st
|
||||
@@ -773,7 +786,7 @@ user_cert_trusted_ca(struct ssh *ssh, st
|
||||
found_principal = 1;
|
||||
/* If principals file or command is specified, then require a match */
|
||||
use_authorized_principals = principals_file != NULL ||
|
||||
@ -869,10 +870,10 @@ Index: openssh-7.8p1/auth2-pubkey.c
|
||||
if (!found_principal && use_authorized_principals) {
|
||||
reason = "Certificate does not contain an authorized principal";
|
||||
goto fail_reason;
|
||||
Index: openssh-7.8p1/auth2.c
|
||||
Index: openssh-7.9p1/auth2.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/auth2.c
|
||||
+++ openssh-7.8p1/auth2.c
|
||||
--- openssh-7.9p1.orig/auth2.c
|
||||
+++ openssh-7.9p1/auth2.c
|
||||
@@ -284,9 +284,6 @@ input_userauth_request(int type, u_int32
|
||||
} else {
|
||||
/* Invalid user, fake password information */
|
||||
@ -883,10 +884,10 @@ Index: openssh-7.8p1/auth2.c
|
||||
}
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam)
|
||||
Index: openssh-7.8p1/cipher.c
|
||||
Index: openssh-7.9p1/cipher.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/cipher.c
|
||||
+++ openssh-7.8p1/cipher.c
|
||||
--- openssh-7.9p1.orig/cipher.c
|
||||
+++ openssh-7.9p1/cipher.c
|
||||
@@ -54,25 +54,6 @@
|
||||
#include "fips.h"
|
||||
#include "log.h"
|
||||
@ -922,10 +923,10 @@ Index: openssh-7.8p1/cipher.c
|
||||
return;
|
||||
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
|
||||
explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));
|
||||
Index: openssh-7.8p1/cipher.h
|
||||
Index: openssh-7.9p1/cipher.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/cipher.h
|
||||
+++ openssh-7.8p1/cipher.h
|
||||
--- openssh-7.9p1.orig/cipher.h
|
||||
+++ openssh-7.9p1/cipher.h
|
||||
@@ -45,7 +45,25 @@
|
||||
#define CIPHER_ENCRYPT 1
|
||||
#define CIPHER_DECRYPT 0
|
||||
@ -953,10 +954,10 @@ Index: openssh-7.8p1/cipher.h
|
||||
struct sshcipher_ctx {
|
||||
int plaintext;
|
||||
int encrypt;
|
||||
Index: openssh-7.8p1/kex.c
|
||||
Index: openssh-7.9p1/kex.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/kex.c
|
||||
+++ openssh-7.8p1/kex.c
|
||||
--- openssh-7.9p1.orig/kex.c
|
||||
+++ openssh-7.9p1/kex.c
|
||||
@@ -53,6 +53,7 @@
|
||||
#include "ssherr.h"
|
||||
#include "sshbuf.h"
|
||||
@ -1053,10 +1054,10 @@ Index: openssh-7.8p1/kex.c
|
||||
+ mac_destroy(&newkeys->mac);
|
||||
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp));
|
||||
+}
|
||||
Index: openssh-7.8p1/kex.h
|
||||
Index: openssh-7.9p1/kex.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/kex.h
|
||||
+++ openssh-7.8p1/kex.h
|
||||
--- openssh-7.9p1.orig/kex.h
|
||||
+++ openssh-7.9p1/kex.h
|
||||
@@ -213,6 +213,8 @@ int kexgss_client(struct ssh *);
|
||||
int kexgss_server(struct ssh *);
|
||||
#endif
|
||||
@ -1066,10 +1067,10 @@ Index: openssh-7.8p1/kex.h
|
||||
int kex_dh_hash(int, const char *, const char *,
|
||||
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
|
||||
const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
|
||||
Index: openssh-7.8p1/mac.c
|
||||
Index: openssh-7.9p1/mac.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/mac.c
|
||||
+++ openssh-7.8p1/mac.c
|
||||
--- openssh-7.9p1.orig/mac.c
|
||||
+++ openssh-7.9p1/mac.c
|
||||
@@ -280,6 +280,20 @@ mac_clear(struct sshmac *mac)
|
||||
mac->umac_ctx = NULL;
|
||||
}
|
||||
@ -1091,10 +1092,10 @@ Index: openssh-7.8p1/mac.c
|
||||
/* XXX copied from ciphers_valid */
|
||||
#define MAC_SEP ","
|
||||
int
|
||||
Index: openssh-7.8p1/mac.h
|
||||
Index: openssh-7.9p1/mac.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/mac.h
|
||||
+++ openssh-7.8p1/mac.h
|
||||
--- openssh-7.9p1.orig/mac.h
|
||||
+++ openssh-7.9p1/mac.h
|
||||
@@ -49,5 +49,6 @@ int mac_compute(struct sshmac *, u_int3
|
||||
int mac_check(struct sshmac *, u_int32_t, const u_char *, size_t,
|
||||
const u_char *, size_t);
|
||||
@ -1102,11 +1103,11 @@ Index: openssh-7.8p1/mac.h
|
||||
+void mac_destroy(struct sshmac *);
|
||||
|
||||
#endif /* SSHMAC_H */
|
||||
Index: openssh-7.8p1/monitor.c
|
||||
Index: openssh-7.9p1/monitor.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/monitor.c
|
||||
+++ openssh-7.8p1/monitor.c
|
||||
@@ -91,6 +91,7 @@
|
||||
--- openssh-7.9p1.orig/monitor.c
|
||||
+++ openssh-7.9p1/monitor.c
|
||||
@@ -93,6 +93,7 @@
|
||||
#include "compat.h"
|
||||
#include "ssh2.h"
|
||||
#include "authfd.h"
|
||||
@ -1114,7 +1115,7 @@ Index: openssh-7.8p1/monitor.c
|
||||
#include "match.h"
|
||||
#include "ssherr.h"
|
||||
|
||||
@@ -105,6 +106,8 @@ extern u_char session_id[];
|
||||
@@ -107,6 +108,8 @@ extern u_char session_id[];
|
||||
extern struct sshbuf *loginmsg;
|
||||
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
|
||||
|
||||
@ -1123,7 +1124,7 @@ Index: openssh-7.8p1/monitor.c
|
||||
/* State exported from the child */
|
||||
static struct sshbuf *child_state;
|
||||
|
||||
@@ -150,6 +153,11 @@ int mm_answer_gss_updatecreds(int, struc
|
||||
@@ -152,6 +155,11 @@ int mm_answer_gss_updatecreds(int, struc
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
int mm_answer_audit_event(int, struct sshbuf *);
|
||||
int mm_answer_audit_command(int, struct sshbuf *);
|
||||
@ -1135,7 +1136,7 @@ Index: openssh-7.8p1/monitor.c
|
||||
#endif
|
||||
|
||||
static int monitor_read_log(struct monitor *);
|
||||
@@ -203,6 +211,11 @@ struct mon_table mon_dispatch_proto20[]
|
||||
@@ -205,6 +213,11 @@ struct mon_table mon_dispatch_proto20[]
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
@ -1147,7 +1148,7 @@ Index: openssh-7.8p1/monitor.c
|
||||
#endif
|
||||
#ifdef BSD_AUTH
|
||||
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
||||
@@ -231,6 +244,11 @@ struct mon_table mon_dispatch_postauth20
|
||||
@@ -233,6 +246,11 @@ struct mon_table mon_dispatch_postauth20
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
||||
@ -1159,15 +1160,19 @@ Index: openssh-7.8p1/monitor.c
|
||||
#endif
|
||||
#ifdef GSSAPI
|
||||
{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
|
||||
@@ -1375,6 +1393,7 @@ mm_answer_keyverify(int sock, struct ssh
|
||||
@@ -1379,8 +1397,10 @@ mm_answer_keyverify(int sock, struct ssh
|
||||
char *sigalg;
|
||||
size_t signaturelen, datalen, bloblen;
|
||||
int r, ret, valid_data = 0, encoded_ret;
|
||||
+ int type = 0;
|
||||
|
||||
if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
|
||||
- if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
|
||||
+ if ((r = sshbuf_get_u32(m, &type)) != 0 ||
|
||||
+ (r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
|
||||
(r = sshbuf_get_string(m, &signature, &signaturelen)) != 0 ||
|
||||
@@ -1385,6 +1404,8 @@ mm_answer_keyverify(int sock, struct ssh
|
||||
(r = sshbuf_get_string(m, &data, &datalen)) != 0 ||
|
||||
(r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0)
|
||||
@@ -1389,6 +1409,8 @@ mm_answer_keyverify(int sock, struct ssh
|
||||
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
|
||||
!monitor_allowed_key(blob, bloblen))
|
||||
fatal("%s: bad key, not previously allowed", __func__);
|
||||
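Review bot: On the new side of this hunk the monitor reads the key type with `(r = sshbuf_get_u32(m, &type)) != 0` while `type` is declared as `int type = 0;`; upstream's `sshbuf_get_u32()` takes a `u_int32_t *`, so this is an incompatible-pointer-type conversion and a signedness mismatch that the compiler will warn about. Declaring the variable as the type actually read, `u_int32_t type = 0;`, removes the warning and makes any later comparison against the key-type enum explicit. Since this value is received from the unprivileged child over the monitor socket, it is untrusted input to the privileged monitor; if the rest of mm_answer_keyverify uses `type` to select behaviour, that code should range-check it against the accepted key types first — that part of the function, like its signature, lies outside this hunk. The same refreshed hunk appears for the 7.8p1 and 7.9p1 variants of the patch, so the fix applies to both copies.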
@ -1176,7 +1181,7 @@ Index: openssh-7.8p1/monitor.c
|
||||
|
||||
/* Empty signature algorithm means NULL. */
|
||||
if (*sigalg == '\0') {
|
||||
@@ -1399,22 +1420,25 @@ mm_answer_keyverify(int sock, struct ssh
|
||||
@@ -1403,22 +1425,25 @@ mm_answer_keyverify(int sock, struct ssh
|
||||
switch (key_blobtype) {
|
||||
case MM_USERKEY:
|
||||
valid_data = monitor_valid_userblob(data, datalen);
|
||||
@ -1204,7 +1209,7 @@ Index: openssh-7.8p1/monitor.c
|
||||
debug3("%s: %s %p signature %s", __func__, auth_method, key,
|
||||
(ret == 0) ? "verified" : "unverified");
|
||||
auth2_record_key(authctxt, ret == 0, key);
|
||||
@@ -1474,6 +1498,12 @@ mm_session_close(Session *s)
|
||||
@@ -1478,6 +1503,12 @@ mm_session_close(Session *s)
|
||||
debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
|
||||
session_pty_cleanup2(s);
|
||||
}
|
||||
@ -1217,7 +1222,7 @@ Index: openssh-7.8p1/monitor.c
|
||||
session_unused(s->self);
|
||||
}
|
||||
|
||||
@@ -1582,6 +1612,8 @@ mm_answer_term(int sock, struct sshbuf *
|
||||
@@ -1586,6 +1617,8 @@ mm_answer_term(int sock, struct sshbuf *
|
||||
sshpam_cleanup();
|
||||
#endif
|
||||
|
||||
@ -1226,7 +1231,7 @@ Index: openssh-7.8p1/monitor.c
|
||||
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
|
||||
if (errno != EINTR)
|
||||
exit(1);
|
||||
@@ -1628,14 +1660,50 @@ mm_answer_audit_command(int socket, stru
|
||||
@@ -1632,14 +1665,50 @@ mm_answer_audit_command(int socket, stru
|
||||
{
|
||||
char *cmd;
|
||||
int r;
|
||||
@ -1280,7 +1285,7 @@ Index: openssh-7.8p1/monitor.c
|
||||
}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
|
||||
@@ -1697,6 +1765,7 @@ monitor_apply_keystate(struct monitor *p
|
||||
@@ -1701,6 +1770,7 @@ monitor_apply_keystate(struct monitor *p
|
||||
void
|
||||
mm_get_keystate(struct monitor *pmonitor)
|
||||
{
|
||||
@ -1288,7 +1293,7 @@ Index: openssh-7.8p1/monitor.c
|
||||
debug3("%s: Waiting for new keys", __func__);
|
||||
|
||||
if ((child_state = sshbuf_new()) == NULL)
|
||||
@@ -1704,6 +1773,19 @@ mm_get_keystate(struct monitor *pmonitor
|
||||
@@ -1708,6 +1778,19 @@ mm_get_keystate(struct monitor *pmonitor
|
||||
mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
|
||||
child_state);
|
||||
debug3("%s: GOT new keys", __func__);
|
||||
@ -1308,33 +1313,16 @@ Index: openssh-7.8p1/monitor.c
|
||||
}
|
||||
|
||||
|
||||
@@ -1902,19 +1984,19 @@ mm_answer_gss_sign(int socket, struct ss
|
||||
int r;
|
||||
|
||||
if (!options.gss_authentication && !options.gss_keyex)
|
||||
- fatal("In GSSAPI monitor when GSSAPI is disabled");
|
||||
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
|
||||
@@ -1909,7 +1992,7 @@ mm_answer_gss_sign(int socket, struct ss
|
||||
fatal("In GSSAPI monitor when GSSAPI is disabled");
|
||||
|
||||
if ((r = sshbuf_get_string(m, (u_char **)&data.value, &data.length)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
if (data.length != 20)
|
||||
- fatal("%s: data length incorrect: %d", __func__,
|
||||
- (int) data.length);
|
||||
+ fatal("%s: data length incorrect: %d", __func__,
|
||||
+ (int) data.length);
|
||||
|
||||
/* Save the session ID on the first time around */
|
||||
if (session_id2_len == 0) {
|
||||
- session_id2_len = data.length;
|
||||
- session_id2 = xmalloc(session_id2_len);
|
||||
- memcpy(session_id2, data.value, session_id2_len);
|
||||
+ session_id2_len = data.length;
|
||||
+ session_id2 = xmalloc(session_id2_len);
|
||||
+ memcpy(session_id2, data.value, session_id2_len);
|
||||
}
|
||||
major = ssh_gssapi_sign(gsscontext, &data, &hash);
|
||||
|
||||
@@ -1962,3 +2044,102 @@ mm_answer_gss_updatecreds(int socket, st
|
||||
fatal("%s: data length incorrect: %d", __func__,
|
||||
(int) data.length);
|
||||
@@ -1966,3 +2049,102 @@ mm_answer_gss_updatecreds(int socket, st
|
||||
}
|
||||
|
||||
#endif /* GSSAPI */
|
||||
@ -1437,10 +1425,10 @@ Index: openssh-7.8p1/monitor.c
|
||||
+ return 0;
|
||||
+}
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
Index: openssh-7.8p1/monitor.h
|
||||
Index: openssh-7.9p1/monitor.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/monitor.h
|
||||
+++ openssh-7.8p1/monitor.h
|
||||
--- openssh-7.9p1.orig/monitor.h
|
||||
+++ openssh-7.9p1/monitor.h
|
||||
@@ -61,7 +61,13 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
|
||||
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
|
||||
@ -1456,10 +1444,10 @@ Index: openssh-7.8p1/monitor.h
|
||||
|
||||
MONITOR_REQ_GSSSIGN = 201, MONITOR_ANS_GSSSIGN = 202,
|
||||
MONITOR_REQ_GSSUPCREDS = 203, MONITOR_ANS_GSSUPCREDS = 204,
|
||||
Index: openssh-7.8p1/monitor_wrap.c
|
||||
Index: openssh-7.9p1/monitor_wrap.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/monitor_wrap.c
|
||||
+++ openssh-7.8p1/monitor_wrap.c
|
||||
--- openssh-7.9p1.orig/monitor_wrap.c
|
||||
+++ openssh-7.9p1/monitor_wrap.c
|
||||
@@ -497,7 +497,7 @@ mm_key_allowed(enum mm_keytype type, con
|
||||
*/
|
||||
|
||||
@ -1637,10 +1625,10 @@ Index: openssh-7.8p1/monitor_wrap.c
|
||||
+ sshbuf_free(m);
|
||||
+}
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
Index: openssh-7.8p1/monitor_wrap.h
|
||||
Index: openssh-7.9p1/monitor_wrap.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/monitor_wrap.h
|
||||
+++ openssh-7.8p1/monitor_wrap.h
|
||||
--- openssh-7.9p1.orig/monitor_wrap.h
|
||||
+++ openssh-7.9p1/monitor_wrap.h
|
||||
@@ -53,7 +53,9 @@ int mm_user_key_allowed(struct ssh *, st
|
||||
struct sshauthopt **);
|
||||
int mm_hostbased_key_allowed(struct passwd *, const char *,
|
||||
@ -1666,10 +1654,10 @@ Index: openssh-7.8p1/monitor_wrap.h
|
||||
#endif
|
||||
|
||||
struct Session;
|
||||
Index: openssh-7.8p1/packet.c
|
||||
Index: openssh-7.9p1/packet.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/packet.c
|
||||
+++ openssh-7.8p1/packet.c
|
||||
--- openssh-7.9p1.orig/packet.c
|
||||
+++ openssh-7.9p1/packet.c
|
||||
@@ -76,6 +76,7 @@
|
||||
#include <zlib.h>
|
||||
|
||||
@ -1829,20 +1817,20 @@ Index: openssh-7.8p1/packet.c
|
||||
/* Reset after_authentication and reset compression in post-auth privsep */
|
||||
static int
|
||||
ssh_packet_set_postauth(struct ssh *ssh)
|
||||
Index: openssh-7.8p1/packet.h
|
||||
Index: openssh-7.9p1/packet.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/packet.h
|
||||
+++ openssh-7.8p1/packet.h
|
||||
--- openssh-7.9p1.orig/packet.h
|
||||
+++ openssh-7.9p1/packet.h
|
||||
@@ -219,4 +219,5 @@ extern struct ssh *active_state;
|
||||
# undef EC_POINT
|
||||
#endif
|
||||
|
||||
+void packet_destroy_all(int, int);
|
||||
#endif /* PACKET_H */
|
||||
Index: openssh-7.8p1/session.c
|
||||
Index: openssh-7.9p1/session.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/session.c
|
||||
+++ openssh-7.8p1/session.c
|
||||
--- openssh-7.9p1.orig/session.c
|
||||
+++ openssh-7.9p1/session.c
|
||||
@@ -139,7 +139,7 @@ extern char *__progname;
|
||||
extern int debug_flag;
|
||||
extern u_int utmp_len;
|
||||
@ -1867,7 +1855,7 @@ Index: openssh-7.8p1/session.c
|
||||
/* Enter interactive session. */
|
||||
s->ptymaster = ptymaster;
|
||||
packet_set_interactive(1,
|
||||
@@ -739,15 +747,19 @@ do_exec(struct ssh *ssh, Session *s, con
|
||||
@@ -741,15 +749,19 @@ do_exec(struct ssh *ssh, Session *s, con
|
||||
s->self);
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
@ -1889,7 +1877,7 @@ Index: openssh-7.8p1/session.c
|
||||
#endif
|
||||
if (s->ttyfd != -1)
|
||||
ret = do_exec_pty(ssh, s, command);
|
||||
@@ -1551,8 +1563,11 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
@@ -1553,8 +1565,11 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
int r = 0;
|
||||
|
||||
/* remove hostkey from the child's memory */
|
||||
@ -1902,7 +1890,7 @@ Index: openssh-7.8p1/session.c
|
||||
|
||||
/* Force a password change */
|
||||
if (s->authctxt->force_pwchange) {
|
||||
@@ -1759,6 +1774,9 @@ session_unused(int id)
|
||||
@@ -1761,6 +1776,9 @@ session_unused(int id)
|
||||
sessions[id].ttyfd = -1;
|
||||
sessions[id].ptymaster = -1;
|
||||
sessions[id].x11_chanids = NULL;
|
||||
@ -1912,7 +1900,7 @@ Index: openssh-7.8p1/session.c
|
||||
sessions[id].next_unused = sessions_first_unused;
|
||||
sessions_first_unused = id;
|
||||
}
|
||||
@@ -1841,6 +1859,19 @@ session_open(Authctxt *authctxt, int cha
|
||||
@@ -1843,6 +1861,19 @@ session_open(Authctxt *authctxt, int cha
|
||||
}
|
||||
|
||||
Session *
|
||||
@ -1932,7 +1920,7 @@ Index: openssh-7.8p1/session.c
|
||||
session_by_tty(char *tty)
|
||||
{
|
||||
int i;
|
||||
@@ -2352,6 +2383,32 @@ session_exit_message(struct ssh *ssh, Se
|
||||
@@ -2428,6 +2459,32 @@ session_exit_message(struct ssh *ssh, Se
|
||||
chan_write_failed(ssh, c);
|
||||
}
|
||||
|
||||
@ -1965,7 +1953,7 @@ Index: openssh-7.8p1/session.c
|
||||
void
|
||||
session_close(struct ssh *ssh, Session *s)
|
||||
{
|
||||
@@ -2393,6 +2450,10 @@ session_close(struct ssh *ssh, Session *
|
||||
@@ -2469,6 +2526,10 @@ session_close(struct ssh *ssh, Session *
|
||||
|
||||
if (s->ttyfd != -1)
|
||||
session_pty_cleanup(s);
|
||||
@ -1976,7 +1964,7 @@ Index: openssh-7.8p1/session.c
|
||||
free(s->term);
|
||||
free(s->display);
|
||||
free(s->x11_chanids);
|
||||
@@ -2600,6 +2661,15 @@ do_authenticated2(struct ssh *ssh, Authc
|
||||
@@ -2677,6 +2738,15 @@ do_authenticated2(struct ssh *ssh, Authc
|
||||
server_loop2(ssh, authctxt);
|
||||
}
|
||||
|
||||
@ -1992,7 +1980,7 @@ Index: openssh-7.8p1/session.c
|
||||
void
|
||||
do_cleanup(struct ssh *ssh, Authctxt *authctxt)
|
||||
{
|
||||
@@ -2657,7 +2727,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
|
||||
@@ -2734,7 +2804,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
|
||||
* or if running in monitor.
|
||||
*/
|
||||
if (!use_privsep || mm_is_monitor())
|
||||
@ -2001,11 +1989,11 @@ Index: openssh-7.8p1/session.c
|
||||
}
|
||||
|
||||
/* Return a name for the remote host that fits inside utmp_size */
|
||||
Index: openssh-7.8p1/session.h
|
||||
Index: openssh-7.9p1/session.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/session.h
|
||||
+++ openssh-7.8p1/session.h
|
||||
@@ -60,6 +60,12 @@ struct Session {
|
||||
--- openssh-7.9p1.orig/session.h
|
||||
+++ openssh-7.9p1/session.h
|
||||
@@ -61,6 +61,12 @@ struct Session {
|
||||
char *name;
|
||||
char *val;
|
||||
} *env;
|
||||
@ -2018,7 +2006,7 @@ Index: openssh-7.8p1/session.h
|
||||
};
|
||||
|
||||
void do_authenticated(struct ssh *, Authctxt *);
|
||||
@@ -72,8 +78,10 @@ void session_close_by_pid(struct ssh *s
|
||||
@@ -73,8 +79,10 @@ void session_close_by_pid(struct ssh *s
|
||||
void session_close_by_channel(struct ssh *, int, void *);
|
||||
void session_destroy_all(struct ssh *, void (*)(Session *));
|
||||
void session_pty_cleanup2(Session *);
|
||||
@ -2029,10 +2017,10 @@ Index: openssh-7.8p1/session.h
|
||||
Session *session_by_tty(char *);
|
||||
void session_close(struct ssh *, Session *);
|
||||
void do_setusercontext(struct passwd *);
|
||||
Index: openssh-7.8p1/sshd.c
|
||||
Index: openssh-7.9p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/sshd.c
|
||||
+++ openssh-7.8p1/sshd.c
|
||||
--- openssh-7.9p1.orig/sshd.c
|
||||
+++ openssh-7.9p1/sshd.c
|
||||
@@ -124,6 +124,7 @@
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
@ -2091,24 +2079,24 @@ Index: openssh-7.8p1/sshd.c
|
||||
for (i = 0; i < options.num_host_key_files; i++) {
|
||||
if (sensitive_data.host_keys[i]) {
|
||||
- sshkey_free(sensitive_data.host_keys[i]);
|
||||
+ char *fp;
|
||||
+ char *fp;
|
||||
+
|
||||
+ if (sshkey_is_private(sensitive_data.host_keys[i]))
|
||||
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
|
||||
+ else
|
||||
+ fp = NULL;
|
||||
+ sshkey_free(sensitive_data.host_keys[i]);
|
||||
+ if (sshkey_is_private(sensitive_data.host_keys[i]))
|
||||
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
|
||||
+ else
|
||||
+ fp = NULL;
|
||||
+ sshkey_free(sensitive_data.host_keys[i]);
|
||||
sensitive_data.host_keys[i] = NULL;
|
||||
+ if (fp != NULL) {
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ if (privsep)
|
||||
+ PRIVSEP(audit_destroy_sensitive_data(fp,
|
||||
+ pid, uid));
|
||||
+ else
|
||||
+ audit_destroy_sensitive_data(fp,
|
||||
+ pid, uid);
|
||||
+ if (privsep)
|
||||
+ PRIVSEP(audit_destroy_sensitive_data(fp,
|
||||
+ pid, uid));
|
||||
+ else
|
||||
+ audit_destroy_sensitive_data(fp,
|
||||
+ pid, uid);
|
||||
+#endif
|
||||
+ free(fp);
|
||||
+ free(fp);
|
||||
+ }
|
||||
}
|
||||
- if (sensitive_data.host_certificates[i]) {
|
||||
@ -2117,30 +2105,28 @@ Index: openssh-7.8p1/sshd.c
|
||||
sshkey_free(sensitive_data.host_certificates[i]);
|
||||
sensitive_data.host_certificates[i] = NULL;
|
||||
}
|
||||
@@ -513,9 +551,22 @@ demote_sensitive_data(void)
|
||||
@@ -513,8 +551,21 @@ demote_sensitive_data(void)
|
||||
struct sshkey *tmp;
|
||||
u_int i;
|
||||
int r;
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ pid_t pid;
|
||||
+ uid_t uid;
|
||||
|
||||
- for (i = 0; i < options.num_host_key_files; i++) {
|
||||
+ pid = getpid();
|
||||
+ uid = getuid();
|
||||
+ pid_t pid;
|
||||
+ uid_t uid;
|
||||
+
|
||||
+ pid = getpid();
|
||||
+ uid = getuid();
|
||||
+#endif
|
||||
|
||||
for (i = 0; i < options.num_host_key_files; i++) {
|
||||
+ char *fp;
|
||||
+
|
||||
+ for (i = 0; i < options.num_host_key_files; i++) {
|
||||
+ if (sshkey_is_private(sensitive_data.host_keys[i]))
|
||||
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
|
||||
+ else
|
||||
+ fp = NULL;
|
||||
if (sensitive_data.host_keys[i]) {
|
||||
+ char *fp;
|
||||
+
|
||||
+ if (sshkey_is_private(sensitive_data.host_keys[i]))
|
||||
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
|
||||
+ else
|
||||
+ fp = NULL;
|
||||
if ((r = sshkey_demote(sensitive_data.host_keys[i],
|
||||
&tmp)) != 0)
|
||||
fatal("could not demote host %s key: %s",
|
||||
if ((r = sshkey_from_private(
|
||||
sensitive_data.host_keys[i], &tmp)) != 0)
|
||||
@@ -523,6 +574,12 @@ demote_sensitive_data(void)
|
||||
ssh_err(r));
|
||||
sshkey_free(sensitive_data.host_keys[i]);
|
||||
@ -2213,48 +2199,11 @@ Index: openssh-7.8p1/sshd.c
|
||||
audit_event(SSH_CONNECTION_ABANDON);
|
||||
#endif
|
||||
_exit(i);
|
||||
Index: openssh-7.8p1/sshkey.c
|
||||
Index: openssh-7.9p1/sshkey.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/sshkey.c
|
||||
+++ openssh-7.8p1/sshkey.c
|
||||
@@ -326,6 +326,32 @@ sshkey_type_is_valid_ca(int type)
|
||||
}
|
||||
|
||||
int
|
||||
+sshkey_is_private(const struct sshkey *k)
|
||||
+{
|
||||
+ switch (k->type) {
|
||||
+#ifdef WITH_OPENSSL
|
||||
+ case KEY_RSA_CERT:
|
||||
+ case KEY_RSA:
|
||||
+ return k->rsa->d != NULL;
|
||||
+ case KEY_DSA_CERT:
|
||||
+ case KEY_DSA:
|
||||
+ return k->dsa->priv_key != NULL;
|
||||
+#ifdef OPENSSL_HAS_ECC
|
||||
+ case KEY_ECDSA_CERT:
|
||||
+ case KEY_ECDSA:
|
||||
+ return EC_KEY_get0_private_key(k->ecdsa) != NULL;
|
||||
+#endif /* OPENSSL_HAS_ECC */
|
||||
+#endif /* WITH_OPENSSL */
|
||||
+ case KEY_ED25519_CERT:
|
||||
+ case KEY_ED25519:
|
||||
+ return (k->ed25519_pk != NULL);
|
||||
+ default:
|
||||
+ /* fatal("key_is_private: bad key type %d", k->type); */
|
||||
+ return 0;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+int
|
||||
sshkey_is_cert(const struct sshkey *k)
|
||||
{
|
||||
if (k == NULL)
|
||||
Index: openssh-7.8p1/sshkey.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/sshkey.h
|
||||
+++ openssh-7.8p1/sshkey.h
|
||||
@@ -148,6 +148,7 @@ u_int sshkey_size(const struct sshkey
|
||||
--- openssh-7.9p1.orig/sshkey.h
|
||||
+++ openssh-7.9p1/sshkey.h
|
||||
@@ -147,6 +147,7 @@ u_int sshkey_size(const struct sshkey
|
||||
int sshkey_generate(int type, u_int bits, struct sshkey **keyp);
|
||||
int sshkey_from_private(const struct sshkey *, struct sshkey **);
|
||||
int sshkey_type_from_name(const char *);
|
||||
@ -2262,3 +2211,46 @@ Index: openssh-7.8p1/sshkey.h
|
||||
int sshkey_is_cert(const struct sshkey *);
|
||||
int sshkey_type_is_cert(int);
|
||||
int sshkey_type_plain(int);
|
||||
Index: openssh-7.9p1/sshkey.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshkey.c
|
||||
+++ openssh-7.9p1/sshkey.c
|
||||
@@ -331,6 +331,38 @@ sshkey_type_is_valid_ca(int type)
|
||||
}
|
||||
|
||||
int
|
||||
+sshkey_is_private(const struct sshkey *k)
|
||||
+{
|
||||
+ switch (k->type) {
|
||||
+#ifdef WITH_OPENSSL
|
||||
+ case KEY_RSA_CERT:
|
||||
+ case KEY_RSA: {
|
||||
+ const BIGNUM *d;
|
||||
+ RSA_get0_key(k->rsa, NULL, NULL, &d);
|
||||
+ return d != NULL;
|
||||
+ }
|
||||
+ case KEY_DSA_CERT:
|
||||
+ case KEY_DSA: {
|
||||
+ const BIGNUM *priv_key;
|
||||
+ DSA_get0_key(k->dsa, NULL, &priv_key);
|
||||
+ return priv_key != NULL;
|
||||
+ }
|
||||
+#ifdef OPENSSL_HAS_ECC
|
||||
+ case KEY_ECDSA_CERT:
|
||||
+ case KEY_ECDSA:
|
||||
+ return EC_KEY_get0_private_key(k->ecdsa) != NULL;
|
||||
+#endif /* OPENSSL_HAS_ECC */
|
||||
+#endif /* WITH_OPENSSL */
|
||||
+ case KEY_ED25519_CERT:
|
||||
+ case KEY_ED25519:
|
||||
+ return (k->ed25519_pk != NULL);
|
||||
+ default:
|
||||
+ /* fatal("key_is_private: bad key type %d", k->type); */
|
||||
+ return 0;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+int
|
||||
sshkey_is_cert(const struct sshkey *k)
|
||||
{
|
||||
if (k == NULL)
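Review bot: The KEY_ED25519 / KEY_ED25519_CERT case of the new sshkey_is_private() tests `k->ed25519_pk`, which is the public half, so a public-only Ed25519 key (for example one produced by sshkey_from_private(), which copies only the public part) is reported as private; every other case tests the private component (`d`, `priv_key`, `EC_KEY_get0_private_key`). It should be `return k->ed25519_sk != NULL;` so that the audit fingerprint path this patch adds to sshd.c is only taken for keys that actually held private material. The default branch returns 0 with the `fatal()` left commented out, which also quietly classifies any key type not listed here as public (7.9p1 builds XMSS objects per the Makefile hunk elsewhere in this change); either add a KEY_XMSS case or mark the intent with `/* unknown or unsupported key type: treat as public */`. Unlike the neighbouring sshkey_is_cert(), the function dereferences k without a NULL guard; the visible callers in sshd.c test `sensitive_data.host_keys[i]` first, but `if (k == NULL) return 0;` at the top would give the two helpers the same contract.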
|
||||
|
@ -1,75 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent 2e66b48b2212113d9897a58aaada67557b7c4f35
|
||||
block SIGALRM while logging through syslog to prevent deadlocks
|
||||
(through grace_alarm_handler())
|
||||
|
||||
bnc#57354
|
||||
|
||||
diff --git a/openssh-7.7p1/log.c b/openssh-7.7p1/log.c
|
||||
--- openssh-7.7p1/log.c
|
||||
+++ openssh-7.7p1/log.c
|
||||
@@ -46,16 +46,17 @@
|
||||
#include <syslog.h>
|
||||
#include <unistd.h>
|
||||
#include <errno.h>
|
||||
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
|
||||
# include <vis.h>
|
||||
#endif
|
||||
|
||||
#include "log.h"
|
||||
+#include <signal.h>
|
||||
|
||||
static LogLevel log_level = SYSLOG_LEVEL_INFO;
|
||||
static int log_on_stderr = 1;
|
||||
static int log_stderr_fd = STDERR_FILENO;
|
||||
static int log_facility = LOG_AUTH;
|
||||
static char *argv0;
|
||||
static log_handler_fn *log_handler;
|
||||
static void *log_handler_ctx;
|
||||
@@ -396,16 +397,17 @@ do_log(LogLevel level, const char *fmt,
|
||||
{
|
||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
||||
struct syslog_data sdata = SYSLOG_DATA_INIT;
|
||||
#endif
|
||||
char msgbuf[MSGBUFSIZ];
|
||||
char fmtbuf[MSGBUFSIZ];
|
||||
char *txt = NULL;
|
||||
int pri = LOG_INFO;
|
||||
+ sigset_t nset, oset;
|
||||
int saved_errno = errno;
|
||||
log_handler_fn *tmp_handler;
|
||||
|
||||
if (level > log_level)
|
||||
return;
|
||||
|
||||
switch (level) {
|
||||
case SYSLOG_LEVEL_FATAL:
|
||||
@@ -455,20 +457,28 @@ do_log(LogLevel level, const char *fmt,
|
||||
log_handler = NULL;
|
||||
tmp_handler(level, fmtbuf, log_handler_ctx);
|
||||
log_handler = tmp_handler;
|
||||
} else if (log_on_stderr) {
|
||||
snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",
|
||||
(int)sizeof msgbuf - 3, fmtbuf);
|
||||
(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
|
||||
} else {
|
||||
+ /* Prevent a race between the grace_alarm which writes a
|
||||
+ * log message and terminates and main sshd code that leads
|
||||
+ * to deadlock as syslog is not async safe.
|
||||
+ */
|
||||
+ sigemptyset(&nset);
|
||||
+ sigaddset(&nset, SIGALRM);
|
||||
+ sigprocmask(SIG_BLOCK, &nset, &oset);
|
||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
||||
openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
|
||||
syslog_r(pri, &sdata, "%.500s", fmtbuf);
|
||||
closelog_r(&sdata);
|
||||
#else
|
||||
openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
|
||||
syslog(pri, "%.500s", fmtbuf);
|
||||
closelog();
|
||||
#endif
|
||||
+ sigprocmask(SIG_SETMASK, &oset, NULL);
|
||||
}
|
||||
errno = saved_errno;
|
||||
}
|
@ -2,15 +2,11 @@
|
||||
# Parent cc1022edba2c5eeb0facba08468f65afc2466b63
|
||||
CAVS test for OpenSSH's own CTR encryption mode implementation
|
||||
|
||||
diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
|
||||
--- openssh-7.7p1/Makefile.in
|
||||
+++ openssh-7.7p1/Makefile.in
|
||||
@@ -19,16 +19,17 @@ top_srcdir=@top_srcdir@
|
||||
|
||||
DESTDIR=
|
||||
VPATH=@srcdir@
|
||||
SSH_PROGRAM=@bindir@/ssh
|
||||
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
||||
Index: openssh-7.9p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/Makefile.in
|
||||
+++ openssh-7.9p1/Makefile.in
|
||||
@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
|
||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
@ -18,17 +14,7 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
STRIP_OPT=@STRIP_OPT@
|
||||
TEST_SHELL=@TEST_SHELL@
|
||||
|
||||
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
|
||||
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
|
||||
-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
|
||||
@@ -57,16 +58,18 @@ ENT=@ENT@
|
||||
XAUTH_PATH=@XAUTH_PATH@
|
||||
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
|
||||
EXEEXT=@EXEEXT@
|
||||
MANFMT=@MANFMT@
|
||||
MKDIR_P=@MKDIR_P@
|
||||
@@ -62,6 +63,8 @@ MKDIR_P=@MKDIR_P@
|
||||
|
||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
|
||||
|
||||
@ -37,17 +23,7 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
|
||||
XMSS_OBJS=\
|
||||
ssh-xmss.o \
|
||||
sshkey-xmss.o \
|
||||
xmss_commons.o \
|
||||
xmss_fast.o \
|
||||
xmss_hash.o \
|
||||
xmss_hash_address.o \
|
||||
xmss_wots.o
|
||||
@@ -199,16 +202,20 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libss
|
||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
@@ -204,6 +207,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
|
||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
|
||||
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
||||
|
||||
@ -58,17 +34,7 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
|
||||
# test driver for the loginrec code - not built by default
|
||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
||||
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
$(MANPAGES): $(MANPAGES_IN)
|
||||
if test "$(MANTYPE)" = "cat"; then \
|
||||
manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
|
||||
else \
|
||||
@@ -339,16 +346,17 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
||||
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||
@@ -348,6 +355,7 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
@ -76,15 +42,10 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||
$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
|
||||
$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
|
||||
$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
|
||||
$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
|
||||
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
|
||||
diff --git a/openssh-7.7p1/cavstest-ctr.c b/openssh-7.7p1/cavstest-ctr.c
|
||||
new file mode 100644
|
||||
Index: openssh-7.9p1/cavstest-ctr.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.7p1/cavstest-ctr.c
|
||||
+++ openssh-7.9p1/cavstest-ctr.c
|
||||
@@ -0,0 +1,214 @@
|
||||
+/*
|
||||
+ *
|
||||
@ -238,7 +199,7 @@ new file mode 100644
|
||||
+ usage();
|
||||
+ }
|
||||
+
|
||||
+ SSLeay_add_all_algorithms();
|
||||
+ OpenSSL_add_all_algorithms();
|
||||
+
|
||||
+ c = cipher_by_name(algo);
|
||||
+ if (c == NULL) {
|
||||
@ -300,15 +261,11 @@ new file mode 100644
|
||||
+ printf("\n");
|
||||
+ return 0;
|
||||
+}
|
||||
diff --git a/openssh-7.7p1/cipher.c b/openssh-7.7p1/cipher.c
|
||||
--- openssh-7.7p1/cipher.c
|
||||
+++ openssh-7.7p1/cipher.c
|
||||
@@ -49,25 +49,16 @@
|
||||
#include "ssherr.h"
|
||||
#include "digest.h"
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
Index: openssh-7.9p1/cipher.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/cipher.c
|
||||
+++ openssh-7.9p1/cipher.c
|
||||
@@ -54,15 +54,6 @@
|
||||
#include "fips.h"
|
||||
#include "log.h"
|
||||
|
||||
@ -324,20 +281,11 @@ diff --git a/openssh-7.7p1/cipher.c b/openssh-7.7p1/cipher.c
|
||||
struct sshcipher {
|
||||
char *name;
|
||||
u_int block_size;
|
||||
u_int key_len;
|
||||
u_int iv_len; /* defaults to block_size */
|
||||
u_int auth_len;
|
||||
u_int flags;
|
||||
#define CFLAG_CBC (1<<0)
|
||||
diff --git a/openssh-7.7p1/cipher.h b/openssh-7.7p1/cipher.h
|
||||
--- openssh-7.7p1/cipher.h
|
||||
+++ openssh-7.7p1/cipher.h
|
||||
@@ -41,17 +41,25 @@
|
||||
#include <openssl/evp.h>
|
||||
#include "cipher-chachapoly.h"
|
||||
#include "cipher-aesctr.h"
|
||||
|
||||
#define CIPHER_ENCRYPT 1
|
||||
Index: openssh-7.9p1/cipher.h
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/cipher.h
|
||||
+++ openssh-7.9p1/cipher.h
|
||||
@@ -46,7 +46,15 @@
|
||||
#define CIPHER_DECRYPT 0
|
||||
|
||||
struct sshcipher;
|
||||
@ -354,8 +302,3 @@ diff --git a/openssh-7.7p1/cipher.h b/openssh-7.7p1/cipher.h
|
||||
|
||||
const struct sshcipher *cipher_by_name(const char *);
|
||||
const char *cipher_warning_message(const struct sshcipher_ctx *);
|
||||
int ciphers_valid(const char *);
|
||||
char *cipher_alg_list(char, int);
|
||||
int cipher_init(struct sshcipher_ctx **, const struct sshcipher *,
|
||||
const u_char *, u_int, const u_char *, u_int, int);
|
||||
int cipher_crypt(struct sshcipher_ctx *, u_int, u_char *, const u_char *,
|
||||
|
@ -12,23 +12,23 @@ compliant) parameters.
|
||||
CVE-2015-4000 (LOGJAM)
|
||||
bsc#932483
|
||||
|
||||
Index: openssh-7.8p1/dh.c
|
||||
Index: openssh-7.9p1/dh.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/dh.c
|
||||
+++ openssh-7.8p1/dh.c
|
||||
@@ -43,6 +43,8 @@
|
||||
#include "misc.h"
|
||||
#include "ssherr.h"
|
||||
--- openssh-7.9p1.orig/dh.c
|
||||
+++ openssh-7.9p1/dh.c
|
||||
@@ -45,6 +45,8 @@
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
+int dh_grp_min = DH_GRP_MIN;
|
||||
+
|
||||
static int
|
||||
parse_prime(int linenum, char *line, struct dhgroup *dhg)
|
||||
{
|
||||
Index: openssh-7.8p1/dh.h
|
||||
Index: openssh-7.9p1/dh.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/dh.h
|
||||
+++ openssh-7.8p1/dh.h
|
||||
--- openssh-7.9p1.orig/dh.h
|
||||
+++ openssh-7.9p1/dh.h
|
||||
@@ -50,6 +50,7 @@ u_int dh_estimate(int);
|
||||
* Max value from RFC4419.
|
||||
* Miniumum increased in light of DH precomputation attacks.
|
||||
@ -37,11 +37,11 @@ Index: openssh-7.8p1/dh.h
|
||||
#define DH_GRP_MIN 2048
|
||||
#define DH_GRP_MAX 8192
|
||||
|
||||
Index: openssh-7.8p1/kexgexc.c
|
||||
Index: openssh-7.9p1/kexgexc.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/kexgexc.c
|
||||
+++ openssh-7.8p1/kexgexc.c
|
||||
@@ -51,6 +51,9 @@
|
||||
--- openssh-7.9p1.orig/kexgexc.c
|
||||
+++ openssh-7.9p1/kexgexc.c
|
||||
@@ -53,6 +53,9 @@
|
||||
#include "sshbuf.h"
|
||||
#include "misc.h"
|
||||
|
||||
@ -51,7 +51,7 @@ Index: openssh-7.8p1/kexgexc.c
|
||||
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
|
||||
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
|
||||
|
||||
@@ -63,7 +66,7 @@ kexgex_client(struct ssh *ssh)
|
||||
@@ -65,7 +68,7 @@ kexgex_client(struct ssh *ssh)
|
||||
|
||||
nbits = dh_estimate(kex->dh_need * 8);
|
||||
|
||||
@ -60,7 +60,7 @@ Index: openssh-7.8p1/kexgexc.c
|
||||
kex->max = DH_GRP_MAX;
|
||||
kex->nbits = nbits;
|
||||
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
||||
@@ -108,6 +111,12 @@ input_kex_dh_gex_group(int type, u_int32
|
||||
@@ -111,6 +114,12 @@ input_kex_dh_gex_group(int type, u_int32
|
||||
goto out;
|
||||
if ((bits = BN_num_bits(p)) < 0 ||
|
||||
(u_int)bits < kex->min || (u_int)bits > kex->max) {
|
||||
@ -73,11 +73,11 @@ Index: openssh-7.8p1/kexgexc.c
|
||||
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
|
||||
goto out;
|
||||
}
|
||||
Index: openssh-7.8p1/kexgexs.c
|
||||
Index: openssh-7.9p1/kexgexs.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/kexgexs.c
|
||||
+++ openssh-7.8p1/kexgexs.c
|
||||
@@ -54,6 +54,9 @@
|
||||
--- openssh-7.9p1.orig/kexgexs.c
|
||||
+++ openssh-7.9p1/kexgexs.c
|
||||
@@ -56,6 +56,9 @@
|
||||
#include "sshbuf.h"
|
||||
#include "misc.h"
|
||||
|
||||
@ -87,7 +87,7 @@ Index: openssh-7.8p1/kexgexs.c
|
||||
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
|
||||
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
|
||||
|
||||
@@ -82,13 +85,19 @@ input_kex_dh_gex_request(int type, u_int
|
||||
@@ -85,13 +88,19 @@ input_kex_dh_gex_request(int type, u_int
|
||||
kex->nbits = nbits;
|
||||
kex->min = min;
|
||||
kex->max = max;
|
||||
@ -109,10 +109,10 @@ Index: openssh-7.8p1/kexgexs.c
|
||||
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
|
||||
goto out;
|
||||
}
|
||||
Index: openssh-7.8p1/readconf.c
|
||||
Index: openssh-7.9p1/readconf.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/readconf.c
|
||||
+++ openssh-7.8p1/readconf.c
|
||||
--- openssh-7.9p1.orig/readconf.c
|
||||
+++ openssh-7.9p1/readconf.c
|
||||
@@ -67,6 +67,7 @@
|
||||
#include "uidswap.h"
|
||||
#include "myproposal.h"
|
||||
@ -130,7 +130,7 @@ Index: openssh-7.8p1/readconf.c
|
||||
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
|
||||
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
|
||||
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
|
||||
@@ -291,6 +292,7 @@ static struct {
|
||||
@@ -292,6 +293,7 @@ static struct {
|
||||
{ "remotecommand", oRemoteCommand },
|
||||
{ "visualhostkey", oVisualHostKey },
|
||||
{ "kexalgorithms", oKexAlgorithms },
|
||||
@ -138,7 +138,7 @@ Index: openssh-7.8p1/readconf.c
|
||||
{ "ipqos", oIPQoS },
|
||||
{ "requesttty", oRequestTTY },
|
||||
{ "proxyusefdpass", oProxyUseFdpass },
|
||||
@@ -312,6 +314,9 @@ static struct {
|
||||
@@ -313,6 +315,9 @@ static struct {
|
||||
{ NULL, oBadOption }
|
||||
};
|
||||
|
||||
@ -148,7 +148,7 @@ Index: openssh-7.8p1/readconf.c
|
||||
/*
|
||||
* Adds a local TCP/IP port forward to options. Never returns if there is an
|
||||
* error.
|
||||
@@ -1206,6 +1211,10 @@ parse_int:
|
||||
@@ -1216,6 +1221,10 @@ parse_int:
|
||||
options->kex_algorithms = xstrdup(arg);
|
||||
break;
|
||||
|
||||
@ -159,15 +159,15 @@ Index: openssh-7.8p1/readconf.c
|
||||
case oHostKeyAlgorithms:
|
||||
charptr = &options->hostkeyalgorithms;
|
||||
parse_keytypes:
|
||||
@@ -1835,6 +1844,7 @@ initialize_options(Options * options)
|
||||
@@ -1860,6 +1869,7 @@ initialize_options(Options * options)
|
||||
options->ciphers = NULL;
|
||||
options->macs = NULL;
|
||||
options->kex_algorithms = NULL;
|
||||
+ options->kex_dhmin = -1;
|
||||
options->hostkeyalgorithms = NULL;
|
||||
options->ca_sign_algorithms = NULL;
|
||||
options->num_identity_files = 0;
|
||||
options->num_certificate_files = 0;
|
||||
@@ -1988,6 +1998,13 @@ fill_default_options(Options * options)
|
||||
@@ -2014,6 +2024,13 @@ fill_default_options(Options * options)
|
||||
options->connection_attempts = 1;
|
||||
if (options->number_of_password_prompts == -1)
|
||||
options->number_of_password_prompts = 3;
|
||||
@ -181,22 +181,22 @@ Index: openssh-7.8p1/readconf.c
|
||||
/* options->hostkeyalgorithms, default set in myproposals.h */
|
||||
if (options->add_keys_to_agent == -1)
|
||||
options->add_keys_to_agent = 0;
|
||||
Index: openssh-7.8p1/readconf.h
|
||||
Index: openssh-7.9p1/readconf.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/readconf.h
|
||||
+++ openssh-7.8p1/readconf.h
|
||||
@@ -67,6 +67,7 @@ typedef struct {
|
||||
char *macs; /* SSH2 macs in order of preference. */
|
||||
--- openssh-7.9p1.orig/readconf.h
|
||||
+++ openssh-7.9p1/readconf.h
|
||||
@@ -68,6 +68,7 @@ typedef struct {
|
||||
char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */
|
||||
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
||||
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
||||
char *ca_sign_algorithms; /* Allowed CA signature algorithms */
|
||||
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
||||
char *hostname; /* Real host to connect. */
|
||||
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
|
||||
char *proxy_command; /* Proxy command for connecting the host. */
|
||||
Index: openssh-7.8p1/servconf.c
|
||||
Index: openssh-7.9p1/servconf.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/servconf.c
|
||||
+++ openssh-7.8p1/servconf.c
|
||||
--- openssh-7.9p1.orig/servconf.c
|
||||
+++ openssh-7.9p1/servconf.c
|
||||
@@ -64,6 +64,10 @@
|
||||
#include "auth.h"
|
||||
#include "myproposal.h"
|
||||
@ -213,10 +213,10 @@ Index: openssh-7.8p1/servconf.c
|
||||
options->macs = NULL;
|
||||
options->kex_algorithms = NULL;
|
||||
+ options->kex_dhmin = -1;
|
||||
options->ca_sign_algorithms = NULL;
|
||||
options->fwd_opts.gateway_ports = -1;
|
||||
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
|
||||
options->fwd_opts.streamlocal_bind_unlink = -1;
|
||||
@@ -263,6 +268,14 @@ fill_default_server_options(ServerOption
|
||||
@@ -267,6 +272,14 @@ fill_default_server_options(ServerOption
|
||||
if (options->use_pam_check_locks == -1)
|
||||
options->use_pam_check_locks = 0;
|
||||
|
||||
@ -231,16 +231,16 @@ Index: openssh-7.8p1/servconf.c
|
||||
/* Standard Options */
|
||||
if (options->num_host_key_files == 0) {
|
||||
/* fill default hostkeys for protocols */
|
||||
@@ -490,7 +503,7 @@ typedef enum {
|
||||
@@ -494,7 +507,7 @@ typedef enum {
|
||||
sHostCertificate,
|
||||
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
||||
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
|
||||
- sKexAlgorithms, sIPQoS, sVersionAddendum,
|
||||
+ sKexAlgorithms, sKexDHMin, sIPQoS, sVersionAddendum,
|
||||
- sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
|
||||
+ sKexAlgorithms, sKexDHMin, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
|
||||
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
||||
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
|
||||
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
||||
@@ -631,6 +644,7 @@ static struct {
|
||||
@@ -635,6 +648,7 @@ static struct {
|
||||
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
|
||||
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|
||||
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
|
||||
@ -248,7 +248,7 @@ Index: openssh-7.8p1/servconf.c
|
||||
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
||||
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
|
||||
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
|
||||
@@ -1726,6 +1740,10 @@ process_server_config_line(ServerOptions
|
||||
@@ -1735,6 +1749,10 @@ process_server_config_line(ServerOptions
|
||||
options->kex_algorithms = xstrdup(arg);
|
||||
break;
|
||||
|
||||
@ -259,7 +259,7 @@ Index: openssh-7.8p1/servconf.c
|
||||
case sSubsystem:
|
||||
if (options->num_subsystems >= MAX_SUBSYSTEMS) {
|
||||
fatal("%s line %d: too many subsystems defined.",
|
||||
@@ -2540,6 +2558,7 @@ dump_config(ServerOptions *o)
|
||||
@@ -2549,6 +2567,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
|
||||
dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
|
||||
dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
|
||||
@ -267,10 +267,10 @@ Index: openssh-7.8p1/servconf.c
|
||||
|
||||
/* formatted integer arguments */
|
||||
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
|
||||
Index: openssh-7.8p1/servconf.h
|
||||
Index: openssh-7.9p1/servconf.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/servconf.h
|
||||
+++ openssh-7.8p1/servconf.h
|
||||
--- openssh-7.9p1.orig/servconf.h
|
||||
+++ openssh-7.9p1/servconf.h
|
||||
@@ -103,6 +103,7 @@ typedef struct {
|
||||
char *ciphers; /* Supported SSH2 ciphers. */
|
||||
char *macs; /* Supported SSH2 macs. */
|
||||
@ -279,10 +279,10 @@ Index: openssh-7.8p1/servconf.h
|
||||
struct ForwardOptions fwd_opts; /* forwarding options */
|
||||
SyslogFacility log_facility; /* Facility for system logging. */
|
||||
LogLevel log_level; /* Level for system logging. */
|
||||
Index: openssh-7.8p1/ssh_config
|
||||
Index: openssh-7.9p1/ssh_config
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/ssh_config
|
||||
+++ openssh-7.8p1/ssh_config
|
||||
--- openssh-7.9p1.orig/ssh_config
|
||||
+++ openssh-7.9p1/ssh_config
|
||||
@@ -17,6 +17,11 @@
|
||||
# list of available options, their meanings and defaults, please see the
|
||||
# ssh_config(5) man page.
|
||||
@ -295,11 +295,11 @@ Index: openssh-7.8p1/ssh_config
|
||||
Host *
|
||||
# ForwardAgent no
|
||||
# ForwardX11 no
|
||||
Index: openssh-7.8p1/ssh_config.0
|
||||
Index: openssh-7.9p1/ssh_config.0
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/ssh_config.0
|
||||
+++ openssh-7.8p1/ssh_config.0
|
||||
@@ -595,6 +595,23 @@ DESCRIPTION
|
||||
--- openssh-7.9p1.orig/ssh_config.0
|
||||
+++ openssh-7.9p1/ssh_config.0
|
||||
@@ -610,6 +610,23 @@ DESCRIPTION
|
||||
The list of available key exchange algorithms may also be
|
||||
obtained using "ssh -Q kex".
|
||||
|
||||
@ -323,11 +323,11 @@ Index: openssh-7.8p1/ssh_config.0
|
||||
LocalCommand
|
||||
Specifies a command to execute on the local machine after
|
||||
successfully connecting to the server. The command string
|
||||
Index: openssh-7.8p1/ssh_config.5
|
||||
Index: openssh-7.9p1/ssh_config.5
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/ssh_config.5
|
||||
+++ openssh-7.8p1/ssh_config.5
|
||||
@@ -1025,6 +1025,22 @@ diffie-hellman-group14-sha1
|
||||
--- openssh-7.9p1.orig/ssh_config.5
|
||||
+++ openssh-7.9p1/ssh_config.5
|
||||
@@ -1047,6 +1047,22 @@ diffie-hellman-group14-sha1
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q kex .
|
||||
@ -350,10 +350,10 @@ Index: openssh-7.8p1/ssh_config.5
|
||||
.It Cm LocalCommand
|
||||
Specifies a command to execute on the local machine after successfully
|
||||
connecting to the server.
|
||||
Index: openssh-7.8p1/sshd_config
|
||||
Index: openssh-7.9p1/sshd_config
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/sshd_config
|
||||
+++ openssh-7.8p1/sshd_config
|
||||
--- openssh-7.9p1.orig/sshd_config
|
||||
+++ openssh-7.9p1/sshd_config
|
||||
@@ -19,6 +19,13 @@
|
||||
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
#HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
@ -368,11 +368,11 @@ Index: openssh-7.8p1/sshd_config
|
||||
# Ciphers and keying
|
||||
#RekeyLimit default none
|
||||
|
||||
Index: openssh-7.8p1/sshd_config.0
|
||||
Index: openssh-7.9p1/sshd_config.0
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/sshd_config.0
|
||||
+++ openssh-7.8p1/sshd_config.0
|
||||
@@ -545,6 +545,23 @@ DESCRIPTION
|
||||
--- openssh-7.9p1.orig/sshd_config.0
|
||||
+++ openssh-7.9p1/sshd_config.0
|
||||
@@ -555,6 +555,23 @@ DESCRIPTION
|
||||
The list of available key exchange algorithms may also be
|
||||
obtained using "ssh -Q kex".
|
||||
|
||||
@ -396,11 +396,11 @@ Index: openssh-7.8p1/sshd_config.0
|
||||
ListenAddress
|
||||
Specifies the local addresses sshd(8) should listen on. The
|
||||
following forms may be used:
|
||||
Index: openssh-7.8p1/sshd_config.5
|
||||
Index: openssh-7.9p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/sshd_config.5
|
||||
+++ openssh-7.8p1/sshd_config.5
|
||||
@@ -912,6 +912,22 @@ diffie-hellman-group14-sha256,diffie-hel
|
||||
--- openssh-7.9p1.orig/sshd_config.5
|
||||
+++ openssh-7.9p1/sshd_config.5
|
||||
@@ -923,6 +923,22 @@ diffie-hellman-group14-sha256,diffie-hel
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q kex .
|
||||
|
@ -3,10 +3,10 @@
|
||||
FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
|
||||
algorithms.
|
||||
|
||||
Index: openssh-7.8p1/Makefile.in
|
||||
Index: openssh-7.9p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/Makefile.in
|
||||
+++ openssh-7.8p1/Makefile.in
|
||||
--- openssh-7.9p1.orig/Makefile.in
|
||||
+++ openssh-7.9p1/Makefile.in
|
||||
@@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
|
||||
platform-pledge.o platform-tracing.o platform-misc.o
|
||||
@ -16,10 +16,10 @@ Index: openssh-7.8p1/Makefile.in
|
||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||
sshconnect.o sshconnect2.o mux.o
|
||||
|
||||
Index: openssh-7.8p1/cipher-ctr.c
|
||||
Index: openssh-7.9p1/cipher-ctr.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/cipher-ctr.c
|
||||
+++ openssh-7.8p1/cipher-ctr.c
|
||||
--- openssh-7.9p1.orig/cipher-ctr.c
|
||||
+++ openssh-7.9p1/cipher-ctr.c
|
||||
@@ -27,6 +27,8 @@
|
||||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
@ -38,10 +38,10 @@ Index: openssh-7.8p1/cipher-ctr.c
|
||||
#endif
|
||||
return (&aes_ctr);
|
||||
}
|
||||
Index: openssh-7.8p1/cipher.c
|
||||
Index: openssh-7.9p1/cipher.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/cipher.c
|
||||
+++ openssh-7.8p1/cipher.c
|
||||
--- openssh-7.9p1.orig/cipher.c
|
||||
+++ openssh-7.9p1/cipher.c
|
||||
@@ -51,6 +51,8 @@
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
@ -131,10 +131,10 @@ Index: openssh-7.8p1/cipher.c
|
||||
if (strcmp(c->name, name) == 0)
|
||||
return c;
|
||||
return NULL;
|
||||
Index: openssh-7.8p1/dh.h
|
||||
Index: openssh-7.9p1/dh.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/dh.h
|
||||
+++ openssh-7.8p1/dh.h
|
||||
--- openssh-7.9p1.orig/dh.h
|
||||
+++ openssh-7.9p1/dh.h
|
||||
@@ -52,6 +52,7 @@ u_int dh_estimate(int);
|
||||
*/
|
||||
#define DH_GRP_MIN_RFC 1024
|
||||
@ -143,10 +143,10 @@ Index: openssh-7.8p1/dh.h
|
||||
#define DH_GRP_MAX 8192
|
||||
|
||||
/*
|
||||
Index: openssh-7.8p1/fips.c
|
||||
Index: openssh-7.9p1/fips.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/fips.c
|
||||
+++ openssh-7.9p1/fips.c
|
||||
@@ -0,0 +1,237 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
@ -385,10 +385,10 @@ Index: openssh-7.8p1/fips.c
|
||||
+ return dh;
|
||||
+}
|
||||
+
|
||||
Index: openssh-7.8p1/fips.h
|
||||
Index: openssh-7.9p1/fips.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/fips.h
|
||||
+++ openssh-7.9p1/fips.h
|
||||
@@ -0,0 +1,45 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
@ -435,10 +435,10 @@ Index: openssh-7.8p1/fips.h
|
||||
+
|
||||
+#endif
|
||||
+
|
||||
Index: openssh-7.8p1/hmac.c
|
||||
Index: openssh-7.9p1/hmac.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/hmac.c
|
||||
+++ openssh-7.8p1/hmac.c
|
||||
--- openssh-7.9p1.orig/hmac.c
|
||||
+++ openssh-7.9p1/hmac.c
|
||||
@@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void *
|
||||
size_t i;
|
||||
u_char digest[16];
|
||||
@ -448,10 +448,10 @@ Index: openssh-7.8p1/hmac.c
|
||||
printf("ssh_hmac_start failed");
|
||||
if (ssh_hmac_init(ctx, key, klen) < 0 ||
|
||||
ssh_hmac_update(ctx, m, mlen) < 0 ||
|
||||
Index: openssh-7.8p1/kex.c
|
||||
Index: openssh-7.9p1/kex.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/kex.c
|
||||
+++ openssh-7.8p1/kex.c
|
||||
--- openssh-7.9p1.orig/kex.c
|
||||
+++ openssh-7.9p1/kex.c
|
||||
@@ -54,6 +54,8 @@
|
||||
#include "sshbuf.h"
|
||||
#include "digest.h"
|
||||
@ -547,11 +547,11 @@ Index: openssh-7.8p1/kex.c
|
||||
free(s);
|
||||
return 0;
|
||||
}
|
||||
Index: openssh-7.8p1/kexgexc.c
|
||||
Index: openssh-7.9p1/kexgexc.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/kexgexc.c
|
||||
+++ openssh-7.8p1/kexgexc.c
|
||||
@@ -51,8 +51,7 @@
|
||||
--- openssh-7.9p1.orig/kexgexc.c
|
||||
+++ openssh-7.9p1/kexgexc.c
|
||||
@@ -53,8 +53,7 @@
|
||||
#include "sshbuf.h"
|
||||
#include "misc.h"
|
||||
|
||||
@ -561,7 +561,7 @@ Index: openssh-7.8p1/kexgexc.c
|
||||
|
||||
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
|
||||
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
|
||||
@@ -66,7 +65,7 @@ kexgex_client(struct ssh *ssh)
|
||||
@@ -68,7 +67,7 @@ kexgex_client(struct ssh *ssh)
|
||||
|
||||
nbits = dh_estimate(kex->dh_need * 8);
|
||||
|
||||
@ -570,11 +570,11 @@ Index: openssh-7.8p1/kexgexc.c
|
||||
kex->max = DH_GRP_MAX;
|
||||
kex->nbits = nbits;
|
||||
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
||||
Index: openssh-7.8p1/kexgexs.c
|
||||
Index: openssh-7.9p1/kexgexs.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/kexgexs.c
|
||||
+++ openssh-7.8p1/kexgexs.c
|
||||
@@ -54,8 +54,7 @@
|
||||
--- openssh-7.9p1.orig/kexgexs.c
|
||||
+++ openssh-7.9p1/kexgexs.c
|
||||
@@ -56,8 +56,7 @@
|
||||
#include "sshbuf.h"
|
||||
#include "misc.h"
|
||||
|
||||
@ -584,7 +584,7 @@ Index: openssh-7.8p1/kexgexs.c
|
||||
|
||||
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
|
||||
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
|
||||
@@ -85,9 +84,9 @@ input_kex_dh_gex_request(int type, u_int
|
||||
@@ -88,9 +87,9 @@ input_kex_dh_gex_request(int type, u_int
|
||||
kex->nbits = nbits;
|
||||
kex->min = min;
|
||||
kex->max = max;
|
||||
@ -596,10 +596,10 @@ Index: openssh-7.8p1/kexgexs.c
|
||||
nbits = MINIMUM(DH_GRP_MAX, nbits);
|
||||
|
||||
if (kex->max < kex->min || kex->nbits < kex->min ||
|
||||
Index: openssh-7.8p1/mac.c
|
||||
Index: openssh-7.9p1/mac.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/mac.c
|
||||
+++ openssh-7.8p1/mac.c
|
||||
--- openssh-7.9p1.orig/mac.c
|
||||
+++ openssh-7.9p1/mac.c
|
||||
@@ -40,6 +40,9 @@
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
@ -679,11 +679,11 @@ Index: openssh-7.8p1/mac.c
|
||||
if (strcmp(name, m->name) != 0)
|
||||
continue;
|
||||
if (mac != NULL)
|
||||
Index: openssh-7.8p1/myproposal.h
|
||||
Index: openssh-7.9p1/myproposal.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/myproposal.h
|
||||
+++ openssh-7.8p1/myproposal.h
|
||||
@@ -141,6 +141,8 @@
|
||||
--- openssh-7.9p1.orig/myproposal.h
|
||||
+++ openssh-7.9p1/myproposal.h
|
||||
@@ -151,6 +151,8 @@
|
||||
|
||||
#else /* WITH_OPENSSL */
|
||||
|
||||
@ -692,10 +692,10 @@ Index: openssh-7.8p1/myproposal.h
|
||||
#define KEX_SERVER_KEX \
|
||||
"curve25519-sha256," \
|
||||
"curve25519-sha256@libssh.org"
|
||||
Index: openssh-7.8p1/readconf.c
|
||||
Index: openssh-7.9p1/readconf.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/readconf.c
|
||||
+++ openssh-7.8p1/readconf.c
|
||||
--- openssh-7.9p1.orig/readconf.c
|
||||
+++ openssh-7.9p1/readconf.c
|
||||
@@ -68,6 +68,7 @@
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
@ -704,7 +704,7 @@ Index: openssh-7.8p1/readconf.c
|
||||
|
||||
/* Format of the configuration file:
|
||||
|
||||
@@ -1800,6 +1801,23 @@ option_clear_or_none(const char *o)
|
||||
@@ -1825,6 +1826,23 @@ option_clear_or_none(const char *o)
|
||||
return o == NULL || strcasecmp(o, "none") == 0;
|
||||
}
|
||||
|
||||
@ -728,7 +728,7 @@ Index: openssh-7.8p1/readconf.c
|
||||
/*
|
||||
* Initializes options to special values that indicate that they have not yet
|
||||
* been set. Read_config_file will only set options with this value. Options
|
||||
@@ -1999,9 +2017,9 @@ fill_default_options(Options * options)
|
||||
@@ -2025,9 +2043,9 @@ fill_default_options(Options * options)
|
||||
if (options->number_of_password_prompts == -1)
|
||||
options->number_of_password_prompts = 3;
|
||||
if (options->kex_dhmin == -1)
|
||||
@ -740,7 +740,7 @@ Index: openssh-7.8p1/readconf.c
|
||||
options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
||||
}
|
||||
dh_grp_min = options->kex_dhmin;
|
||||
@@ -2086,6 +2104,8 @@ fill_default_options(Options * options)
|
||||
@@ -2112,6 +2130,8 @@ fill_default_options(Options * options)
|
||||
options->canonicalize_hostname = SSH_CANONICALISE_NO;
|
||||
if (options->fingerprint_hash == -1)
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
@ -749,19 +749,19 @@ Index: openssh-7.8p1/readconf.c
|
||||
if (options->update_hostkeys == -1)
|
||||
options->update_hostkeys = 0;
|
||||
|
||||
@@ -2110,6 +2130,7 @@ fill_default_options(Options * options)
|
||||
free(all_mac);
|
||||
free(all_kex);
|
||||
@@ -2594,6 +2614,7 @@ dump_client_config(Options *o, const cha
|
||||
KEX_DEFAULT_PK_ALG, all_key) != 0)
|
||||
fatal("%s: kex_assemble_names failed", __func__);
|
||||
free(all_key);
|
||||
+ filter_fips_algorithms(options);
|
||||
+ filter_fips_algorithms(o);
|
||||
|
||||
#define CLEAR_ON_NONE(v) \
|
||||
do { \
|
||||
Index: openssh-7.8p1/readconf.h
|
||||
/* Most interesting options first: user, host, port */
|
||||
dump_cfg_string(oUser, o->user);
|
||||
Index: openssh-7.9p1/readconf.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/readconf.h
|
||||
+++ openssh-7.8p1/readconf.h
|
||||
@@ -197,6 +197,7 @@ typedef struct {
|
||||
--- openssh-7.9p1.orig/readconf.h
|
||||
+++ openssh-7.9p1/readconf.h
|
||||
@@ -198,6 +198,7 @@ typedef struct {
|
||||
#define SSH_STRICT_HOSTKEY_YES 2
|
||||
#define SSH_STRICT_HOSTKEY_ASK 3
|
||||
|
||||
@ -769,10 +769,10 @@ Index: openssh-7.8p1/readconf.h
|
||||
void initialize_options(Options *);
|
||||
void fill_default_options(Options *);
|
||||
void fill_default_options_for_canonicalization(Options *);
|
||||
Index: openssh-7.8p1/servconf.c
|
||||
Index: openssh-7.9p1/servconf.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/servconf.c
|
||||
+++ openssh-7.8p1/servconf.c
|
||||
--- openssh-7.9p1.orig/servconf.c
|
||||
+++ openssh-7.9p1/servconf.c
|
||||
@@ -65,6 +65,7 @@
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
@ -781,7 +781,7 @@ Index: openssh-7.8p1/servconf.c
|
||||
|
||||
/* import from dh.c */
|
||||
extern int dh_grp_min;
|
||||
@@ -194,6 +195,23 @@ option_clear_or_none(const char *o)
|
||||
@@ -195,6 +196,23 @@ option_clear_or_none(const char *o)
|
||||
return o == NULL || strcasecmp(o, "none") == 0;
|
||||
}
|
||||
|
||||
@ -805,16 +805,16 @@ Index: openssh-7.8p1/servconf.c
|
||||
static void
|
||||
assemble_algorithms(ServerOptions *o)
|
||||
{
|
||||
@@ -220,6 +238,8 @@ assemble_algorithms(ServerOptions *o)
|
||||
free(all_mac);
|
||||
@@ -224,6 +242,8 @@ assemble_algorithms(ServerOptions *o)
|
||||
free(all_kex);
|
||||
free(all_key);
|
||||
free(all_sig);
|
||||
+
|
||||
+ filter_fips_algorithms_s(o);
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -269,9 +289,9 @@ fill_default_server_options(ServerOption
|
||||
@@ -273,9 +293,9 @@ fill_default_server_options(ServerOption
|
||||
options->use_pam_check_locks = 0;
|
||||
|
||||
if (options->kex_dhmin == -1)
|
||||
@ -826,7 +826,7 @@ Index: openssh-7.8p1/servconf.c
|
||||
options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
||||
}
|
||||
dh_grp_min = options->kex_dhmin;
|
||||
@@ -419,6 +439,8 @@ fill_default_server_options(ServerOption
|
||||
@@ -423,6 +443,8 @@ fill_default_server_options(ServerOption
|
||||
options->fwd_opts.streamlocal_bind_unlink = 0;
|
||||
if (options->fingerprint_hash == -1)
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
@ -835,10 +835,10 @@ Index: openssh-7.8p1/servconf.c
|
||||
if (options->disable_forwarding == -1)
|
||||
options->disable_forwarding = 0;
|
||||
if (options->expose_userauth_info == -1)
|
||||
Index: openssh-7.8p1/ssh-keygen.c
|
||||
Index: openssh-7.9p1/ssh-keygen.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/ssh-keygen.c
|
||||
+++ openssh-7.8p1/ssh-keygen.c
|
||||
--- openssh-7.9p1.orig/ssh-keygen.c
|
||||
+++ openssh-7.9p1/ssh-keygen.c
|
||||
@@ -61,6 +61,8 @@
|
||||
#include "utf8.h"
|
||||
#include "authfd.h"
|
||||
@ -848,7 +848,7 @@ Index: openssh-7.8p1/ssh-keygen.c
|
||||
#ifdef WITH_OPENSSL
|
||||
# define DEFAULT_KEY_TYPE_NAME "rsa"
|
||||
#else
|
||||
@@ -965,11 +967,13 @@ do_fingerprint(struct passwd *pw)
|
||||
@@ -996,11 +998,13 @@ do_fingerprint(struct passwd *pw)
|
||||
static void
|
||||
do_gen_all_hostkeys(struct passwd *pw)
|
||||
{
|
||||
@ -864,7 +864,7 @@ Index: openssh-7.8p1/ssh-keygen.c
|
||||
#ifdef WITH_OPENSSL
|
||||
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
|
||||
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
|
||||
@@ -984,6 +988,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
@@ -1015,6 +1019,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
|
||||
@ -882,7 +882,7 @@ Index: openssh-7.8p1/ssh-keygen.c
|
||||
int first = 0;
|
||||
struct stat st;
|
||||
struct sshkey *private, *public;
|
||||
@@ -991,6 +1006,12 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
@@ -1022,6 +1037,12 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
int i, type, fd, r;
|
||||
FILE *f;
|
||||
|
||||
@ -895,7 +895,7 @@ Index: openssh-7.8p1/ssh-keygen.c
|
||||
for (i = 0; key_types[i].key_type; i++) {
|
||||
public = private = NULL;
|
||||
prv_tmp = pub_tmp = prv_file = pub_file = NULL;
|
||||
@@ -2727,6 +2748,15 @@ main(int argc, char **argv)
|
||||
@@ -2817,6 +2838,15 @@ main(int argc, char **argv)
|
||||
key_type_name = DEFAULT_KEY_TYPE_NAME;
|
||||
|
||||
type = sshkey_type_from_name(key_type_name);
|
||||
@ -911,11 +911,11 @@ Index: openssh-7.8p1/ssh-keygen.c
|
||||
type_bits_valid(type, key_type_name, &bits);
|
||||
|
||||
if (!quiet)
|
||||
Index: openssh-7.8p1/ssh_config.0
|
||||
Index: openssh-7.9p1/ssh_config.0
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/ssh_config.0
|
||||
+++ openssh-7.8p1/ssh_config.0
|
||||
@@ -343,6 +343,9 @@ DESCRIPTION
|
||||
--- openssh-7.9p1.orig/ssh_config.0
|
||||
+++ openssh-7.9p1/ssh_config.0
|
||||
@@ -353,6 +353,9 @@ DESCRIPTION
|
||||
Specifies the hash algorithm used when displaying key
|
||||
fingerprints. Valid options are: md5 and sha256 (the default).
|
||||
|
||||
@ -925,7 +925,7 @@ Index: openssh-7.8p1/ssh_config.0
|
||||
ForwardAgent
|
||||
Specifies whether the connection to the authentication agent (if
|
||||
any) will be forwarded to the remote machine. The argument must
|
||||
@@ -612,6 +615,9 @@ DESCRIPTION
|
||||
@@ -627,6 +630,9 @@ DESCRIPTION
|
||||
resort and all efforts should be made to fix the (broken)
|
||||
counterparty.
|
||||
|
||||
@ -935,11 +935,11 @@ Index: openssh-7.8p1/ssh_config.0
|
||||
LocalCommand
|
||||
Specifies a command to execute on the local machine after
|
||||
successfully connecting to the server. The command string
|
||||
Index: openssh-7.8p1/ssh_config.5
|
||||
Index: openssh-7.9p1/ssh_config.5
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/ssh_config.5
|
||||
+++ openssh-7.8p1/ssh_config.5
|
||||
@@ -628,6 +628,8 @@ Valid options are:
|
||||
--- openssh-7.9p1.orig/ssh_config.5
|
||||
+++ openssh-7.9p1/ssh_config.5
|
||||
@@ -642,6 +642,8 @@ Valid options are:
|
||||
and
|
||||
.Cm sha256
|
||||
(the default).
|
||||
@ -948,7 +948,7 @@ Index: openssh-7.8p1/ssh_config.5
|
||||
.It Cm ForwardAgent
|
||||
Specifies whether the connection to the authentication agent (if any)
|
||||
will be forwarded to the remote machine.
|
||||
@@ -1041,6 +1043,9 @@ maximum backward compatibility, using it
|
||||
@@ -1063,6 +1065,9 @@ maximum backward compatibility, using it
|
||||
security and thus should be viewed as a temporary fix of last
|
||||
resort and all efforts should be made to fix the (broken)
|
||||
counterparty.
|
||||
@ -958,10 +958,10 @@ Index: openssh-7.8p1/ssh_config.5
|
||||
.It Cm LocalCommand
|
||||
Specifies a command to execute on the local machine after successfully
|
||||
connecting to the server.
|
||||
Index: openssh-7.8p1/sshd.c
|
||||
Index: openssh-7.9p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/sshd.c
|
||||
+++ openssh-7.8p1/sshd.c
|
||||
--- openssh-7.9p1.orig/sshd.c
|
||||
+++ openssh-7.9p1/sshd.c
|
||||
@@ -123,6 +123,8 @@
|
||||
#include "version.h"
|
||||
#include "ssherr.h"
|
||||
@ -971,11 +971,11 @@ Index: openssh-7.8p1/sshd.c
|
||||
/* Re-exec fds */
|
||||
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
||||
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
||||
Index: openssh-7.8p1/sshd_config.0
|
||||
Index: openssh-7.9p1/sshd_config.0
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/sshd_config.0
|
||||
+++ openssh-7.8p1/sshd_config.0
|
||||
@@ -338,6 +338,9 @@ DESCRIPTION
|
||||
--- openssh-7.9p1.orig/sshd_config.0
|
||||
+++ openssh-7.9p1/sshd_config.0
|
||||
@@ -348,6 +348,9 @@ DESCRIPTION
|
||||
Specifies the hash algorithm used when logging key fingerprints.
|
||||
Valid options are: md5 and sha256. The default is sha256.
|
||||
|
||||
@ -985,7 +985,7 @@ Index: openssh-7.8p1/sshd_config.0
|
||||
ForceCommand
|
||||
Forces the execution of the command specified by ForceCommand,
|
||||
ignoring any command supplied by the client and ~/.ssh/rc if
|
||||
@@ -562,6 +565,9 @@ DESCRIPTION
|
||||
@@ -572,6 +575,9 @@ DESCRIPTION
|
||||
resort and all efforts should be made to fix the (broken)
|
||||
counterparty.
|
||||
|
||||
@ -995,11 +995,11 @@ Index: openssh-7.8p1/sshd_config.0
|
||||
ListenAddress
|
||||
Specifies the local addresses sshd(8) should listen on. The
|
||||
following forms may be used:
|
||||
Index: openssh-7.8p1/sshd_config.5
|
||||
Index: openssh-7.9p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/sshd_config.5
|
||||
+++ openssh-7.8p1/sshd_config.5
|
||||
@@ -592,6 +592,8 @@ and
|
||||
--- openssh-7.9p1.orig/sshd_config.5
|
||||
+++ openssh-7.9p1/sshd_config.5
|
||||
@@ -603,6 +603,8 @@ and
|
||||
.Cm sha256 .
|
||||
The default is
|
||||
.Cm sha256 .
|
||||
|
@ -10,10 +10,10 @@
|
||||
# internal versions. ssh-keyconverter consequently fails to link as it lacks
|
||||
# the proper flags, and libopenbsd-compat doesn't contain the b64_* functions)
|
||||
|
||||
Index: openssh-7.8p1/HOWTO.ldap-keys
|
||||
Index: openssh-7.9p1/HOWTO.ldap-keys
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/HOWTO.ldap-keys
|
||||
+++ openssh-7.9p1/HOWTO.ldap-keys
|
||||
@@ -0,0 +1,108 @@
|
||||
+
|
||||
+HOW TO START
|
||||
@ -123,10 +123,10 @@ Index: openssh-7.8p1/HOWTO.ldap-keys
|
||||
+ - frederic peters.
|
||||
+ - Finlay dobbie.
|
||||
+ - Stefan Fisher.
|
||||
Index: openssh-7.8p1/Makefile.in
|
||||
Index: openssh-7.9p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/Makefile.in
|
||||
+++ openssh-7.8p1/Makefile.in
|
||||
--- openssh-7.9p1.orig/Makefile.in
|
||||
+++ openssh-7.9p1/Makefile.in
|
||||
@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
|
||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
@ -146,7 +146,7 @@ Index: openssh-7.8p1/Makefile.in
|
||||
XMSS_OBJS=\
|
||||
ssh-xmss.o \
|
||||
sshkey-xmss.o \
|
||||
@@ -132,8 +137,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||
@@ -130,8 +135,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
|
||||
sandbox-solaris.o uidswap.o
|
||||
|
||||
@ -157,7 +157,7 @@ Index: openssh-7.8p1/Makefile.in
|
||||
MANTYPE = @MANTYPE@
|
||||
|
||||
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
|
||||
@@ -208,6 +213,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
||||
@@ -206,6 +211,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@ -167,7 +167,7 @@ Index: openssh-7.8p1/Makefile.in
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
@@ -363,6 +371,10 @@ install-files:
|
||||
@@ -361,6 +369,10 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
||||
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
@ -178,7 +178,7 @@ Index: openssh-7.8p1/Makefile.in
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
||||
@@ -381,6 +393,10 @@ install-files:
|
||||
@@ -379,6 +391,10 @@ install-files:
|
||||
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
||||
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||
@ -189,7 +189,7 @@ Index: openssh-7.8p1/Makefile.in
|
||||
|
||||
install-sysconf:
|
||||
$(MKDIR_P) $(DESTDIR)$(sysconfdir)
|
||||
@@ -404,6 +420,13 @@ install-sysconf:
|
||||
@@ -402,6 +418,13 @@ install-sysconf:
|
||||
else \
|
||||
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
|
||||
fi
|
||||
@ -203,7 +203,7 @@ Index: openssh-7.8p1/Makefile.in
|
||||
|
||||
host-key: ssh-keygen$(EXEEXT)
|
||||
@if [ -z "$(DESTDIR)" ] ; then \
|
||||
@@ -441,6 +464,8 @@ uninstall:
|
||||
@@ -439,6 +462,8 @@ uninstall:
|
||||
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
@ -212,7 +212,7 @@ Index: openssh-7.8p1/Makefile.in
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||
@@ -452,6 +477,7 @@ uninstall:
|
||||
@@ -450,6 +475,7 @@ uninstall:
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||
@ -220,11 +220,11 @@ Index: openssh-7.8p1/Makefile.in
|
||||
|
||||
regress-prep:
|
||||
$(MKDIR_P) `pwd`/regress/unittests/test_helper
|
||||
Index: openssh-7.8p1/configure.ac
|
||||
Index: openssh-7.9p1/configure.ac
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/configure.ac
|
||||
+++ openssh-7.8p1/configure.ac
|
||||
@@ -1680,6 +1680,106 @@ AC_ARG_WITH([audit],
|
||||
--- openssh-7.9p1.orig/configure.ac
|
||||
+++ openssh-7.9p1/configure.ac
|
||||
@@ -1671,6 +1671,106 @@ AC_ARG_WITH([audit],
|
||||
esac ]
|
||||
)
|
||||
|
||||
@ -331,10 +331,10 @@ Index: openssh-7.8p1/configure.ac
|
||||
AC_ARG_WITH([pie],
|
||||
[ --with-pie Build Position Independent Executables if possible], [
|
||||
if test "x$withval" = "xno"; then
|
||||
Index: openssh-7.8p1/ldap-helper.c
|
||||
Index: openssh-7.9p1/ldap-helper.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ldap-helper.c
|
||||
+++ openssh-7.9p1/ldap-helper.c
|
||||
@@ -0,0 +1,155 @@
|
||||
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -491,10 +491,10 @@ Index: openssh-7.8p1/ldap-helper.c
|
||||
+void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; }
|
||||
+void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {}
|
||||
+
|
||||
Index: openssh-7.8p1/ldap-helper.h
|
||||
Index: openssh-7.9p1/ldap-helper.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ldap-helper.h
|
||||
+++ openssh-7.9p1/ldap-helper.h
|
||||
@@ -0,0 +1,32 @@
|
||||
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -528,10 +528,10 @@ Index: openssh-7.8p1/ldap-helper.h
|
||||
+extern int config_warning_config_file;
|
||||
+
|
||||
+#endif /* LDAP_HELPER_H */
|
||||
Index: openssh-7.8p1/ldap.conf
|
||||
Index: openssh-7.9p1/ldap.conf
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ldap.conf
|
||||
+++ openssh-7.9p1/ldap.conf
|
||||
@@ -0,0 +1,88 @@
|
||||
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
|
||||
+#
|
||||
@ -621,10 +621,10 @@ Index: openssh-7.8p1/ldap.conf
|
||||
+#tls_cert
|
||||
+#tls_key
|
||||
+
|
||||
Index: openssh-7.8p1/ldapbody.c
|
||||
Index: openssh-7.9p1/ldapbody.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ldapbody.c
|
||||
+++ openssh-7.9p1/ldapbody.c
|
||||
@@ -0,0 +1,494 @@
|
||||
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1120,10 +1120,10 @@ Index: openssh-7.8p1/ldapbody.c
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
Index: openssh-7.8p1/ldapbody.h
|
||||
Index: openssh-7.9p1/ldapbody.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ldapbody.h
|
||||
+++ openssh-7.9p1/ldapbody.h
|
||||
@@ -0,0 +1,37 @@
|
||||
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1162,10 +1162,10 @@ Index: openssh-7.8p1/ldapbody.h
|
||||
+
|
||||
+#endif /* LDAPBODY_H */
|
||||
+
|
||||
Index: openssh-7.8p1/ldapconf.c
|
||||
Index: openssh-7.9p1/ldapconf.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ldapconf.c
|
||||
+++ openssh-7.9p1/ldapconf.c
|
||||
@@ -0,0 +1,711 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1878,10 +1878,10 @@ Index: openssh-7.8p1/ldapconf.c
|
||||
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
|
||||
+}
|
||||
+
|
||||
Index: openssh-7.8p1/ldapconf.h
|
||||
Index: openssh-7.9p1/ldapconf.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ldapconf.h
|
||||
+++ openssh-7.9p1/ldapconf.h
|
||||
@@ -0,0 +1,71 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1954,10 +1954,10 @@ Index: openssh-7.8p1/ldapconf.h
|
||||
+void dump_config(void);
|
||||
+
|
||||
+#endif /* LDAPCONF_H */
|
||||
Index: openssh-7.8p1/ldapincludes.h
|
||||
Index: openssh-7.9p1/ldapincludes.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ldapincludes.h
|
||||
+++ openssh-7.9p1/ldapincludes.h
|
||||
@@ -0,0 +1,41 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -2000,10 +2000,10 @@ Index: openssh-7.8p1/ldapincludes.h
|
||||
+#endif
|
||||
+
|
||||
+#endif /* LDAPINCLUDES_H */
|
||||
Index: openssh-7.8p1/ldapmisc.c
|
||||
Index: openssh-7.9p1/ldapmisc.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ldapmisc.c
|
||||
+++ openssh-7.9p1/ldapmisc.c
|
||||
@@ -0,0 +1,79 @@
|
||||
+
|
||||
+#include "ldapincludes.h"
|
||||
@ -2084,10 +2084,10 @@ Index: openssh-7.8p1/ldapmisc.c
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
Index: openssh-7.8p1/ldapmisc.h
|
||||
Index: openssh-7.9p1/ldapmisc.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ldapmisc.h
|
||||
+++ openssh-7.9p1/ldapmisc.h
|
||||
@@ -0,0 +1,35 @@
|
||||
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -2124,10 +2124,10 @@ Index: openssh-7.8p1/ldapmisc.h
|
||||
+
|
||||
+#endif /* LDAPMISC_H */
|
||||
+
|
||||
Index: openssh-7.8p1/openbsd-compat/base64.c
|
||||
Index: openssh-7.9p1/openbsd-compat/base64.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/openbsd-compat/base64.c
|
||||
+++ openssh-7.8p1/openbsd-compat/base64.c
|
||||
--- openssh-7.9p1.orig/openbsd-compat/base64.c
|
||||
+++ openssh-7.9p1/openbsd-compat/base64.c
|
||||
@@ -46,7 +46,7 @@
|
||||
|
||||
#include "includes.h"
|
||||
@ -2155,10 +2155,10 @@ Index: openssh-7.8p1/openbsd-compat/base64.c
|
||||
|
||||
/* skips all whitespace anywhere.
|
||||
converts characters, four at a time, starting at (or after)
|
||||
Index: openssh-7.8p1/openbsd-compat/base64.h
|
||||
Index: openssh-7.9p1/openbsd-compat/base64.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/openbsd-compat/base64.h
|
||||
+++ openssh-7.8p1/openbsd-compat/base64.h
|
||||
--- openssh-7.9p1.orig/openbsd-compat/base64.h
|
||||
+++ openssh-7.9p1/openbsd-compat/base64.h
|
||||
@@ -45,16 +45,16 @@
|
||||
|
||||
#include "includes.h"
|
||||
@ -2180,10 +2180,10 @@ Index: openssh-7.8p1/openbsd-compat/base64.h
|
||||
int b64_pton(char const *src, u_char *target, size_t targsize);
|
||||
# endif /* !HAVE_B64_PTON */
|
||||
# define __b64_pton(a,b,c) b64_pton(a,b,c)
|
||||
Index: openssh-7.8p1/openssh-lpk-openldap.schema
|
||||
Index: openssh-7.9p1/openssh-lpk-openldap.schema
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/openssh-lpk-openldap.schema
|
||||
+++ openssh-7.9p1/openssh-lpk-openldap.schema
|
||||
@@ -0,0 +1,21 @@
|
||||
+#
|
||||
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
||||
@ -2206,10 +2206,10 @@ Index: openssh-7.8p1/openssh-lpk-openldap.schema
|
||||
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
||||
+ MUST ( sshPublicKey $ uid )
|
||||
+ )
|
||||
Index: openssh-7.8p1/openssh-lpk-sun.schema
|
||||
Index: openssh-7.9p1/openssh-lpk-sun.schema
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/openssh-lpk-sun.schema
|
||||
+++ openssh-7.9p1/openssh-lpk-sun.schema
|
||||
@@ -0,0 +1,23 @@
|
||||
+#
|
||||
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
||||
@ -2234,10 +2234,10 @@ Index: openssh-7.8p1/openssh-lpk-sun.schema
|
||||
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
||||
+ MUST ( sshPublicKey $ uid )
|
||||
+ )
|
||||
Index: openssh-7.8p1/ssh-ldap-helper.8
|
||||
Index: openssh-7.9p1/ssh-ldap-helper.8
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ssh-ldap-helper.8
|
||||
+++ openssh-7.9p1/ssh-ldap-helper.8
|
||||
@@ -0,0 +1,79 @@
|
||||
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
|
||||
+.\"
|
||||
@ -2318,19 +2318,19 @@ Index: openssh-7.8p1/ssh-ldap-helper.8
|
||||
+OpenSSH 5.5 + PKA-LDAP .
|
||||
+.Sh AUTHORS
|
||||
+.An Jan F. Chadima Aq jchadima@redhat.com
|
||||
Index: openssh-7.8p1/ssh-ldap-wrapper
|
||||
Index: openssh-7.9p1/ssh-ldap-wrapper
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ssh-ldap-wrapper
|
||||
+++ openssh-7.9p1/ssh-ldap-wrapper
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+exec @LIBEXECDIR@/ssh-ldap-helper -s "$1"
|
||||
+
|
||||
Index: openssh-7.8p1/ssh-ldap.conf.5
|
||||
Index: openssh-7.9p1/ssh-ldap.conf.5
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ssh-ldap.conf.5
|
||||
+++ openssh-7.9p1/ssh-ldap.conf.5
|
||||
@@ -0,0 +1,376 @@
|
||||
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
|
||||
+.\"
|
||||
|
@ -15,15 +15,11 @@ this is only need on s390 architecture.
|
||||
|
||||
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
||||
|
||||
diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-seccomp-filter.c
|
||||
--- openssh-7.7p1/sandbox-seccomp-filter.c
|
||||
+++ openssh-7.7p1/sandbox-seccomp-filter.c
|
||||
@@ -167,16 +167,19 @@ static const struct sock_filter preauth_
|
||||
SC_ALLOW(__NR_exit_group),
|
||||
#endif
|
||||
#ifdef __NR_geteuid
|
||||
SC_ALLOW(__NR_geteuid),
|
||||
#endif
|
||||
Index: openssh-7.9p1/sandbox-seccomp-filter.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sandbox-seccomp-filter.c
|
||||
+++ openssh-7.9p1/sandbox-seccomp-filter.c
|
||||
@@ -175,6 +175,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_geteuid32
|
||||
SC_ALLOW(__NR_geteuid32),
|
||||
#endif
|
||||
@ -33,17 +29,7 @@ diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-secc
|
||||
#ifdef __NR_getpgid
|
||||
SC_ALLOW(__NR_getpgid),
|
||||
#endif
|
||||
#ifdef __NR_getpid
|
||||
SC_ALLOW(__NR_getpid),
|
||||
#endif
|
||||
#ifdef __NR_getrandom
|
||||
SC_ALLOW(__NR_getrandom),
|
||||
@@ -185,16 +188,19 @@ static const struct sock_filter preauth_
|
||||
SC_ALLOW(__NR_gettimeofday),
|
||||
#endif
|
||||
#ifdef __NR_getuid
|
||||
SC_ALLOW(__NR_getuid),
|
||||
#endif
|
||||
@@ -193,6 +196,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_getuid32
|
||||
SC_ALLOW(__NR_getuid32),
|
||||
#endif
|
||||
@ -53,8 +39,3 @@ diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-secc
|
||||
#ifdef __NR_madvise
|
||||
SC_ALLOW(__NR_madvise),
|
||||
#endif
|
||||
#ifdef __NR_mmap
|
||||
SC_ALLOW(__NR_mmap),
|
||||
#endif
|
||||
#ifdef __NR_mmap2
|
||||
SC_ALLOW(__NR_mmap2),
|
||||
|
@ -1,123 +1,100 @@
|
||||
# HG changeset patch
|
||||
# Parent 37bba3ff816d9ab93ddcf23389a4eb29d7716006
|
||||
additional option for sftp-server to force file mode for new files
|
||||
FATE#312774
|
||||
http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.html
|
||||
http://marc.info/?l=openssh-unix-dev&m=128896838930893
|
||||
|
||||
diff --git a/openssh-7.7p1/sftp-server.8 b/openssh-7.7p1/sftp-server.8
|
||||
--- openssh-7.7p1/sftp-server.8
|
||||
+++ openssh-7.7p1/sftp-server.8
|
||||
@@ -33,16 +33,17 @@
|
||||
.Bk -words
|
||||
.Op Fl ehR
|
||||
.Op Fl d Ar start_directory
|
||||
.Op Fl f Ar log_facility
|
||||
.Op Fl l Ar log_level
|
||||
--- original/sftp-server.8 2016-12-19 04:59:41.000000000 +0000
|
||||
+++ original/sftp-server.8 2017-11-23 08:47:01.267239186 +0000
|
||||
@@ -38,6 +38,7 @@
|
||||
.Op Fl P Ar blacklisted_requests
|
||||
.Op Fl p Ar whitelisted_requests
|
||||
.Op Fl u Ar umask
|
||||
+.Op Fl m Ar force_file_permissions
|
||||
+.Op Fl m Ar force_file_dir_perms
|
||||
.Ek
|
||||
.Nm
|
||||
.Fl Q Ar protocol_feature
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
is a program that speaks the server side of SFTP protocol
|
||||
to stdout and expects client requests from stdin.
|
||||
.Nm
|
||||
@@ -133,16 +134,20 @@ Places this instance of
|
||||
into a read-only mode.
|
||||
Attempts to open files for writing, as well as other operations that change
|
||||
the state of the filesystem, will be denied.
|
||||
.It Fl u Ar umask
|
||||
Sets an explicit
|
||||
@@ -138,6 +139,10 @@
|
||||
.Xr umask 2
|
||||
to be applied to newly-created files and directories, instead of the
|
||||
user's default mask.
|
||||
+.It Fl m Ar force_file_permissions
|
||||
+Sets explicit file permissions to be applied to newly-created files instead
|
||||
+of the default or client requested mode. Numeric values include:
|
||||
+.It Fl m Ar force_file_dir_perms
|
||||
+Sets explicit permissions to be applied to newly-created files and directories
|
||||
+instead of the default or client requested mode. Numeric values include:
|
||||
+777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set.
|
||||
.El
|
||||
.Pp
|
||||
On some systems,
|
||||
.Nm
|
||||
must be able to access
|
||||
.Pa /dev/log
|
||||
for logging to work, and use of
|
||||
.Nm
|
||||
diff --git a/openssh-7.7p1/sftp-server.c b/openssh-7.7p1/sftp-server.c
|
||||
--- openssh-7.7p1/sftp-server.c
|
||||
+++ openssh-7.7p1/sftp-server.c
|
||||
@@ -71,16 +71,20 @@ static u_int version;
|
||||
static int init_done;
|
||||
--- original/sftp-server.c 2016-12-19 04:59:41.000000000 +0000
|
||||
+++ original/sftp-server.c 2017-11-23 13:07:08.481765581 +0000
|
||||
@@ -65,6 +65,10 @@
|
||||
/* Version of client */
|
||||
static u_int version;
|
||||
|
||||
/* Disable writes */
|
||||
static int readonly;
|
||||
|
||||
/* Requests that are allowed/denied */
|
||||
static char *request_whitelist, *request_blacklist;
|
||||
|
||||
+/* Force file permissions */
|
||||
+/* Force file and directory permissions */
|
||||
+int permforce = 0;
|
||||
+long permforcemode;
|
||||
+
|
||||
/* portable attributes, etc. */
|
||||
typedef struct Stat Stat;
|
||||
/* SSH2_FXP_INIT received */
|
||||
static int init_done;
|
||||
|
||||
struct Stat {
|
||||
@@ -679,6 +683,7 @@
|
||||
Attrib a;
|
||||
char *name;
|
||||
char *long_name;
|
||||
Attrib attrib;
|
||||
};
|
||||
@@ -685,16 +689,20 @@ process_open(u_int32_t id)
|
||||
int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE;
|
||||
+ mode_t old_umask = 0;
|
||||
|
||||
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
|
||||
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
|
||||
(r = decode_attrib(iqueue, &a)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
|
||||
@@ -688,6 +693,10 @@
|
||||
debug3("request %u: open flags %d", id, pflags);
|
||||
flags = flags_from_portable(pflags);
|
||||
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
|
||||
+ if (permforce == 1) {
|
||||
+ if (permforce == 1) { /* Force perm if -m is set */
|
||||
+ mode = permforcemode;
|
||||
+ (void)umask(0); /* so umask does not interfere */
|
||||
+ old_umask = umask(0); /* so umask does not interfere */
|
||||
+ }
|
||||
logit("open \"%s\" flags %s mode 0%o",
|
||||
name, string_from_portable(pflags), mode);
|
||||
if (readonly &&
|
||||
((flags & O_ACCMODE) != O_RDONLY ||
|
||||
(flags & (O_CREAT|O_TRUNC)) != 0)) {
|
||||
verbose("Refusing open request in read-only mode");
|
||||
status = SSH2_FX_PERMISSION_DENIED;
|
||||
} else {
|
||||
@@ -1487,17 +1495,18 @@ sftp_server_cleanup_exit(int i)
|
||||
static void
|
||||
sftp_server_usage(void)
|
||||
{
|
||||
extern char *__progname;
|
||||
@@ -709,6 +718,8 @@
|
||||
}
|
||||
}
|
||||
}
|
||||
+ if (permforce == 1)
|
||||
+ (void) umask(old_umask); /* restore umask to something sane */
|
||||
if (status != SSH2_FX_OK)
|
||||
send_status(id, status);
|
||||
free(name);
|
||||
@@ -1110,6 +1121,7 @@
|
||||
Attrib a;
|
||||
char *name;
|
||||
int r, mode, status = SSH2_FX_FAILURE;
|
||||
+ mode_t old_umask = 0;
|
||||
|
||||
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
|
||||
(r = decode_attrib(iqueue, &a)) != 0)
|
||||
@@ -1117,9 +1129,16 @@
|
||||
|
||||
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ?
|
||||
a.perm & 07777 : 0777;
|
||||
+ if (permforce == 1) { /* Force perm if -m is set */
|
||||
+ mode = permforcemode;
|
||||
+ old_umask = umask(0); /* so umask does not interfere */
|
||||
+ }
|
||||
+
|
||||
debug3("request %u: mkdir", id);
|
||||
logit("mkdir name \"%s\" mode 0%o", name, mode);
|
||||
r = mkdir(name, mode);
|
||||
+ if (permforce == 1)
|
||||
+ (void) umask(old_umask); /* restore umask to something sane */
|
||||
status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
|
||||
send_status(id, status);
|
||||
free(name);
|
||||
@@ -1490,7 +1509,7 @@
|
||||
fprintf(stderr,
|
||||
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
|
||||
"[-l log_level]\n\t[-P blacklisted_requests] "
|
||||
- "[-p whitelisted_requests] [-u umask]\n"
|
||||
+ "[-p whitelisted_requests] [-u umask]\n\t"
|
||||
+ "[-m force_file_permissions]\n"
|
||||
+ "[-p whitelisted_requests] [-u umask] [-m force_file_dir_perms]\n"
|
||||
" %s -Q protocol_feature\n",
|
||||
__progname, __progname);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
int
|
||||
sftp_server_main(int argc, char **argv, struct passwd *user_pw)
|
||||
{
|
||||
@@ -1516,17 +1525,17 @@ sftp_server_main(int argc, char **argv,
|
||||
|
||||
ssh_malloc_init(); /* must be called before any mallocs */
|
||||
__progname = ssh_get_progname(argv[0]);
|
||||
log_init(__progname, log_level, log_facility, log_stderr);
|
||||
|
||||
@@ -1516,7 +1535,7 @@
|
||||
pw = pwcopy(user_pw);
|
||||
|
||||
while (!skipargs && (ch = getopt(argc, argv,
|
||||
@ -126,32 +103,19 @@ diff --git a/openssh-7.7p1/sftp-server.c b/openssh-7.7p1/sftp-server.c
|
||||
switch (ch) {
|
||||
case 'Q':
|
||||
if (strcasecmp(optarg, "requests") != 0) {
|
||||
fprintf(stderr, "Invalid query type\n");
|
||||
exit(1);
|
||||
}
|
||||
for (i = 0; handlers[i].handler != NULL; i++)
|
||||
printf("%s\n", handlers[i].name);
|
||||
@@ -1576,16 +1585,23 @@ sftp_server_main(int argc, char **argv,
|
||||
case 'u':
|
||||
errno = 0;
|
||||
mask = strtol(optarg, &cp, 8);
|
||||
if (mask < 0 || mask > 0777 || *cp != '\0' ||
|
||||
cp == optarg || (mask == 0 && errno != 0))
|
||||
@@ -1576,6 +1595,15 @@
|
||||
fatal("Invalid umask \"%s\"", optarg);
|
||||
(void)umask((mode_t)mask);
|
||||
break;
|
||||
+ case 'm':
|
||||
+ /* Force permissions on file and directory received via sftp */
|
||||
+ permforce = 1;
|
||||
+ permforcemode = strtol(optarg, &cp, 8);
|
||||
+ if (permforcemode < 0 || permforcemode > 0777 || *cp != '\0' ||
|
||||
+ cp == optarg || (permforcemode == 0 && errno != 0))
|
||||
+ fatal("Invalid umask \"%s\"", optarg);
|
||||
+ if (permforcemode < 0 || permforcemode > 0777 ||
|
||||
+ *cp != '\0' || (permforcemode == 0 &&
|
||||
+ errno != 0))
|
||||
+ fatal("Invalid file mode \"%s\"", optarg);
|
||||
+ break;
|
||||
case 'h':
|
||||
default:
|
||||
sftp_server_usage();
|
||||
}
|
||||
}
|
||||
|
||||
log_init(__progname, log_level, log_facility, log_stderr);
|
||||
|
||||
|
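Review bot: The new `case 'm'` validation near the end of the last hunk drops the `cp == optarg` test that the earlier version of this patch carried and, unlike the neighbouring `case 'u'` (which does `errno = 0;` first), never resets `errno` before `strtol`, so an empty `-m ""` argument passes as mode 0 and the `(permforcemode == 0 && errno != 0)` test can fire on a stale `errno`; I would write it as `errno = 0;` / `permforcemode = strtol(optarg, &cp, 8);` / `if (permforcemode < 0 || permforcemode > 0777 || *cp != '\0' || cp == optarg || (permforcemode == 0 && errno != 0))`. The new file-scope `int permforce = 0; long permforcemode;` sit next to `static int readonly;` and `static char *request_whitelist, *request_blacklist;` but are not `static`, exporting them from the translation unit for no visible reason. Because the same `permforcemode` is now passed verbatim to `mkdir(name, mode)` in `process_mkdir`, the sftp-server.8 text for `-m force_file_dir_perms` would benefit from one sentence noting that a mode without the execute bit (666, 644 and 640 from its own example list) yields directories that cannot be entered. `sftp_server_main` continues past the end of the last hunk.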
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:1a484bb15152c183bb2514e112aa30dd34138c3cfb032eee5490a66c507144ca
|
||||
size 1548026
|
@ -1,14 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAlt+Xa8ACgkQ0+X1a22S
|
||||
DTAJPwx9HIW/obxNJYTU7M8trpalBekdl1SqUjxdDwInIsKTLSOpJCsnynBai/3c
|
||||
SuvZkBwcKwZZFe+xCvRQDHkf/YYLT+d7slUQolb0OJmzFKbvu6xwuv7q12ag9hQj
|
||||
/8BUfdYRKb63uemfKuVAHfcnUm9WlwSbif+Au/j1yg/MlETY47ezYA9/q75wignx
|
||||
3g38JVHVgKDenDd8o9/hgjeQpEHKNdCQo71nN2h3MYRlh4xrR9ENZj7y8x65Kp1j
|
||||
WoZEhlvjYkka4deSGwj2MIAJnzsc39uppEoEjkB7F9SUo4O7CxbWFein70Ct7Xbs
|
||||
VDWXQibnJGHKatHIecaPLUYexGWO1XYNZErDhY7fPw0ChfMGbz3+0eDfDJqGY49r
|
||||
Lo6wzsrgv2kDJMqwciT/D/Zb3ocHnCrq1Isnz/Ug2lW58LMk7Y1HisPteZFQ/pkC
|
||||
xKeO+K1RkaRUSCrB5iToqF+7i8eRNVROYmkKLgKcMrC0WYEjnbEoFdr4bktAS9QM
|
||||
BS6aIsh2cyg2H0FjDKmYvcKOUf0IgA==
|
||||
=ZiYm
|
||||
-----END PGP SIGNATURE-----
|
3
openssh-7.9p1.tar.gz
Normal file
3
openssh-7.9p1.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad
|
||||
size 1565384
|
14
openssh-7.9p1.tar.gz.asc
Normal file
14
openssh-7.9p1.tar.gz.asc
Normal file
@ -0,0 +1,14 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAlvJLhsACgkQ0+X1a22S
|
||||
DTBjHwx/T3EX3EtCzB9I6zHFUgF2/0hEKVYZw2Yl4UbUvgjy/KdEdlJzdH3Hc/yU
|
||||
jJZzraDY7nJMrCly734FbFGKsKoRkxWMkeuQGOhvpzgTYg+fOa1J0a14xK/ub9Y0
|
||||
9Z/4zP0Zs7mn+8MApMS3XOZ+AJgdRiXN9i3PXmbYO9Gcg+QthtgE1DeG0d0vVTP/
|
||||
ipCBBg8mMlAANdlu9IUCv4CJPwJjQt2aYsvCiuUQuzrKYsV5noCOBaGRbmPcN9SM
|
||||
3cvSTZgDbK3kHdL1RnBgWpcO+o+D8sqSW2rm8xpCQv/ILo86/BLBjXDCYLEt0nSn
|
||||
+dONPytwhwwJWPPYe7+RSYWHS2cKwVTDk7lr2E636SwU1fM1NiNYle9hB6cUT0nU
|
||||
sypfHOIARAMSqepnaT3WgffM0jlEWrSB0PuDLTLTO5ZPmUijqqT6xGwWSUc4GQZY
|
||||
WNyGg1w0Ryj2pRd7DlXDDivTCneXFqV7JZiR3R4ZXJJV0uVQOUitCS/DnwSDpIfp
|
||||
HlVEWeRAszQFKLKttu0/4SY2NVrRBA==
|
||||
=4Z9x
|
||||
-----END PGP SIGNATURE-----
|
@ -1,3 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 22 08:59:02 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
|
||||
|
||||
- Version update to 7.9p1
|
||||
* No actual changes for the askpass
|
||||
* See main package changelog for details
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 9 10:52:15 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
|
||||
|
||||
|
@ -18,7 +18,7 @@
|
||||
|
||||
%define _name openssh
|
||||
Name: openssh-askpass-gnome
|
||||
Version: 7.8p1
|
||||
Version: 7.9p1
|
||||
Release: 0
|
||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||
License: BSD-2-Clause
|
||||
|
41
openssh-openssl-1_0_0-compatibility.patch
Normal file
41
openssh-openssl-1_0_0-compatibility.patch
Normal file
@ -0,0 +1,41 @@
|
||||
Index: openssh-7.9p1/openbsd-compat/openssl-compat.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/openbsd-compat/openssl-compat.c 2018-11-26 11:47:17.417925053 +0100
|
||||
+++ openssh-7.9p1/openbsd-compat/openssl-compat.c 2018-11-26 11:52:47.127727580 +0100
|
||||
@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
|
||||
ENGINE_load_builtin_engines();
|
||||
ENGINE_register_all_complete();
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10001000L
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
OPENSSL_config(NULL);
|
||||
#else
|
||||
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
|
||||
Index: openssh-7.9p1/gss-genr.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/gss-genr.c 2018-11-26 11:47:17.417925053 +0100
|
||||
+++ openssh-7.9p1/gss-genr.c 2018-11-26 12:01:40.354642746 +0100
|
||||
@@ -114,7 +114,11 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||
if ((buf = sshbuf_new()) == NULL)
|
||||
fatal("%s: sshbuf_new failed", __func__);
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
+ md = EVP_MD_CTX_create();
|
||||
+#else
|
||||
md = EVP_MD_CTX_new();
|
||||
+#endif
|
||||
oidpos = 0;
|
||||
for (i = 0; i < gss_supported->count; i++) {
|
||||
if (gss_supported->elements[i].length < 128 &&
|
||||
@@ -156,7 +160,11 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||
oidpos++;
|
||||
}
|
||||
}
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
+ EVP_MD_CTX_destroy(md);
|
||||
+#else
|
||||
EVP_MD_CTX_free(md);
|
||||
+#endif
|
||||
gss_enc2oid[oidpos].oid = NULL;
|
||||
gss_enc2oid[oidpos].encoded = NULL;
|
||||
|
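Review bot: The new pre-1.1.0 branch `md = EVP_MD_CTX_create();` in the gss-genr.c hunk leaves the allocation unchecked; `EVP_MD_CTX_create()` returns NULL on allocation failure just as `EVP_MD_CTX_new()` does, and `md` is presumably handed to the digest calls inside the loop that follows. The surrounding code already reports allocation failure with `fatal()` (`fatal("%s: sshbuf_new failed", __func__)` two lines above), so I would write `if ((md = EVP_MD_CTX_create()) == NULL) fatal("%s: EVP_MD_CTX_create failed", __func__);`, and the existing `EVP_MD_CTX_new()` branch deserves the same check. `ssh_gssapi_kex_mechs` begins and ends outside both hunks of this file.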
@ -1,3 +1,89 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Nov 26 11:07:42 UTC 2018 - Vítězslav Čížek <vcizek@suse.com>
|
||||
|
||||
- Fix build with openssl < 1.1.0
|
||||
* add openssh-openssl-1_0_0-compatibility.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 31 00:27:41 UTC 2018 - Cristian Rodríguez <crrodriguez@opensuse.org>
|
||||
|
||||
- openssh-7.7p1-audit.patch: fix sshd fatal error in
|
||||
mm_answer_keyverify: buffer error: incomplete message [bnc#1114008]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 22 08:51:30 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
|
||||
|
||||
- Version update to 7.9p1
|
||||
* ssh(1), sshd(8): the setting of the new CASignatureAlgorithms
|
||||
option (see below) bans the use of DSA keys as certificate
|
||||
authorities.
|
||||
* sshd(8): the authentication success/failure log message has
|
||||
changed format slightly. It now includes the certificate
|
||||
fingerprint (previously it included only key ID and CA key
|
||||
fingerprint).
|
||||
* ssh(1), sshd(8): allow most port numbers to be specified using
|
||||
service names from getservbyname(3) (typically /etc/services).
|
||||
* sshd(8): support signalling sessions via the SSH protocol.
|
||||
A limited subset of signals is supported and only for login or
|
||||
command sessions (i.e. not subsystems) that were not subject to
|
||||
a forced command via authorized_keys or sshd_config. bz#1424
|
||||
* ssh(1): support "ssh -Q sig" to list supported signature options.
|
||||
Also "ssh -Q help" to show the full set of supported queries.
|
||||
* ssh(1), sshd(8): add a CASignatureAlgorithms option for the
|
||||
client and server configs to allow control over which signature
|
||||
formats are allowed for CAs to sign certificates. For example,
|
||||
this allows banning CAs that sign certificates using the RSA-SHA1
|
||||
signature algorithm.
|
||||
* sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to
|
||||
revoke keys specified by SHA256 hash.
|
||||
* ssh-keygen(1): allow creation of key revocation lists directly
|
||||
from base64-encoded SHA256 fingerprints. This supports revoking
|
||||
keys using only the information contained in sshd(8)
|
||||
authentication log messages.
|
||||
|
||||
- Removed obsolete configuration option --with-tcp-wrappers, and
|
||||
--with-opensc for s390 and s390x.
|
||||
|
||||
- Removed patch merged upstream
|
||||
* openssh-7.7p1-openssl_1.1.0.patch
|
||||
|
||||
- Refreshed patches
|
||||
* openssh-7.7p1-audit.patch
|
||||
* openssh-7.7p1-disable_short_DH_parameters.patch
|
||||
* openssh-7.7p1-fips.patch
|
||||
* openssh-7.7p1-gssapi_key_exchange.patch
|
||||
* openssh-7.7p1-seccomp_ipc_flock.patch
|
||||
* openssh-7.7p1-cavstest-ctr.patch
|
||||
* openssh-7.7p1-ldap.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 19 13:22:10 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
|
||||
|
||||
- Mention upstream bugs on multiple local patches
|
||||
- Adjust service to not spam restart and reload only on fails
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 19 13:11:34 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
|
||||
|
||||
- Update openssh-7.7p1-sftp_force_permissions.patch from the
|
||||
upstream bug, and mention the bug in the spec
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 19 08:36:52 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
|
||||
|
||||
- Drop patch openssh-7.7p1-allow_root_password_login.patch
|
||||
* There is no reason to set less secure default value, if
|
||||
users need the behaviour they can still set it up themselves
|
||||
- Drop patch openssh-7.7p1-blocksigalrm.patch
|
||||
* We had a bug way in past about this but it was never reproduced
|
||||
or even confirmed in the ticket, thus rather drop the patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 17 09:22:36 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
|
||||
|
||||
- Disable ssh1 protocol support as neither RH or Debian enable
|
||||
this protocol by default anymore either.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 17 08:42:12 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
|
||||
|
||||
|
31
openssh.spec
31
openssh.spec
@ -27,8 +27,7 @@
|
||||
%bcond_without susefirewall
|
||||
%bcond_with tirpc
|
||||
%endif
|
||||
%define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d
|
||||
%define _fwdefdir %{_fwdir}/services
|
||||
%define _fwdefdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services
|
||||
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
|
||||
%define CHECKSUM_SUFFIX .hmac
|
||||
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
|
||||
@ -37,7 +36,7 @@
|
||||
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||
%endif
|
||||
Name: openssh
|
||||
Version: 7.8p1
|
||||
Version: 7.9p1
|
||||
Release: 0
|
||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||
License: BSD-2-Clause AND MIT
|
||||
@ -56,37 +55,49 @@ Source9: sshd-gen-keys-start
|
||||
Source10: sshd.service
|
||||
Source11: README.FIPS
|
||||
Source12: cavs_driver-ssh.pl
|
||||
Patch0: openssh-7.7p1-allow_root_password_login.patch
|
||||
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
|
||||
Patch3: openssh-7.7p1-enable_PAM_by_default.patch
|
||||
Patch4: openssh-7.7p1-eal3.patch
|
||||
Patch5: openssh-7.7p1-blocksigalrm.patch
|
||||
Patch6: openssh-7.7p1-send_locale.patch
|
||||
Patch7: openssh-7.7p1-hostname_changes_when_forwarding_X.patch
|
||||
Patch8: openssh-7.7p1-remove_xauth_cookies_on_exit.patch
|
||||
Patch9: openssh-7.7p1-pts_names_formatting.patch
|
||||
Patch10: openssh-7.7p1-pam_check_locks.patch
|
||||
Patch11: openssh-7.7p1-disable_short_DH_parameters.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
|
||||
Patch14: openssh-7.7p1-seccomp_stat.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
|
||||
Patch15: openssh-7.7p1-seccomp_ipc_flock.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
|
||||
Patch16: openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
|
||||
# Local FIPS patchset
|
||||
Patch17: openssh-7.7p1-fips.patch
|
||||
# Local cavs patchset
|
||||
Patch18: openssh-7.7p1-cavstest-ctr.patch
|
||||
# Local cavs patchset
|
||||
Patch19: openssh-7.7p1-cavstest-kdf.patch
|
||||
# Local FIPS patchset
|
||||
Patch20: openssh-7.7p1-fips_checks.patch
|
||||
Patch21: openssh-7.7p1-seed-prng.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
|
||||
Patch22: openssh-7.7p1-systemd-notify.patch
|
||||
Patch23: openssh-7.7p1-gssapi_key_exchange.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
||||
Patch24: openssh-7.7p1-audit.patch
|
||||
Patch25: openssh-7.7p1-openssl_1.1.0.patch
|
||||
# Local patch to disable runtime abi SSL checks, quite pointless for us
|
||||
Patch26: openssh-7.7p1-disable_openssl_abi_check.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
|
||||
Patch27: openssh-7.7p1-no_fork-no_pid_file.patch
|
||||
Patch28: openssh-7.7p1-host_ident.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=1844
|
||||
Patch29: openssh-7.7p1-sftp_force_permissions.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2143
|
||||
Patch30: openssh-7.7p1-X_forward_with_disabled_ipv6.patch
|
||||
Patch31: openssh-7.7p1-ldap.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2213
|
||||
Patch32: openssh-7.7p1-IPv6_X_forwarding.patch
|
||||
Patch33: openssh-7.7p1-sftp_print_diagnostic_messages.patch
|
||||
Patch34: openssh-openssl-1_0_0-compatibility.patch
|
||||
BuildRequires: audit-devel
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: groff
|
||||
@ -176,7 +187,6 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
||||
%configure \
|
||||
--sysconfdir=%{_sysconfdir}/ssh \
|
||||
--libexecdir=%{_libexecdir}/ssh \
|
||||
--with-tcp-wrappers \
|
||||
--with-selinux \
|
||||
--with-pid-dir=/run \
|
||||
--with-systemd \
|
||||
@ -188,19 +198,14 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
||||
--with-sandbox=seccomp_filter \
|
||||
%else
|
||||
--with-sandbox=rlimit \
|
||||
%endif
|
||||
%ifnarch s390 s390x
|
||||
--with-opensc \
|
||||
%endif
|
||||
--disable-strip \
|
||||
--with-audit=linux \
|
||||
--with-ldap \
|
||||
--with-xauth=%{_bindir}/xauth \
|
||||
--with-libedit \
|
||||
--with-ssh1 \
|
||||
--target=%{_target_cpu}-suse-linux \
|
||||
--target=%{_target_cpu}-suse-linux
|
||||
|
||||
### configure end
|
||||
make %{?_smp_mflags}
|
||||
|
||||
%install
|
||||
|
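Review bot: `Patch34: openssh-openssl-1_0_0-compatibility.patch` is declared in the Source/Patch hunk, but none of the visible hunks touches `%prep`; if this spec applies patches with explicit `%patchN -p1` lines rather than `%autopatch`, the new patch is listed but never applied, which is worth confirming since the changelog's "Fix build with openssl < 1.1.0" depends on it. Most patches in that hunk carry a `# https://bugzilla.mindrot.org/...` or `# Local ...` comment explaining their origin, and this commit itself adds several of them; Patch34 has none, and a line such as `# Local patch: build against OpenSSL < 1.1.0 (EVP_MD_CTX_create/destroy fallbacks)` above it would keep the list consistent.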
@ -10,7 +10,8 @@ ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS
|
||||
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
KillMode=process
|
||||
Restart=always
|
||||
Restart=on-failure
|
||||
RestartPreventExitStatus=255
|
||||
TasksMax=infinity
|
||||
|
||||
[Install]
|
||||
|