Accepting request 960152 from network
OBS-URL: https://build.opensuse.org/request/show/960152
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=155
commit
7cf91bcce7
@ -10,10 +10,10 @@
|
||||
# internal versions. ssh-keyconverter consequently fails to link as it lacks
|
||||
# the proper flags, and libopenbsd-compat doesn't contain the b64_* functions)
|
||||
|
||||
Index: openssh-8.8p1/HOWTO.ldap-keys
|
||||
Index: openssh-8.9p1/HOWTO.ldap-keys
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/HOWTO.ldap-keys
|
||||
+++ openssh-8.9p1/HOWTO.ldap-keys
|
||||
@@ -0,0 +1,108 @@
|
||||
+
|
||||
+HOW TO START
|
||||
@ -123,11 +123,11 @@ Index: openssh-8.8p1/HOWTO.ldap-keys
|
||||
+ - frederic peters.
|
||||
+ - Finlay dobbie.
|
||||
+ - Stefan Fisher.
|
||||
Index: openssh-8.8p1/Makefile.in
|
||||
Index: openssh-8.9p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/Makefile.in
|
||||
+++ openssh-8.8p1/Makefile.in
|
||||
@@ -26,6 +26,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
--- openssh-8.9p1.orig/Makefile.in
|
||||
+++ openssh-8.9p1/Makefile.in
|
||||
@@ -27,6 +27,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||
@ -136,7 +136,7 @@ Index: openssh-8.8p1/Makefile.in
|
||||
CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
||||
CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
@@ -73,6 +75,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a
|
||||
@@ -75,6 +77,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a
|
||||
|
||||
TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
|
||||
|
||||
@ -146,7 +146,7 @@ Index: openssh-8.8p1/Makefile.in
|
||||
XMSS_OBJS=\
|
||||
ssh-xmss.o \
|
||||
sshkey-xmss.o \
|
||||
@@ -160,8 +165,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve
|
||||
@@ -162,8 +167,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve
|
||||
|
||||
SFTP_OBJS= sftp.o progressmeter.o $(SFTP_CLIENT_OBJS)
|
||||
|
||||
@ -157,7 +157,7 @@ Index: openssh-8.8p1/Makefile.in
|
||||
MANTYPE = @MANTYPE@
|
||||
|
||||
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
|
||||
@@ -244,6 +249,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) lib
|
||||
@@ -246,6 +251,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) lib
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@ -167,7 +167,7 @@ Index: openssh-8.8p1/Makefile.in
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
|
||||
$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@@ -416,6 +424,10 @@ install-files:
|
||||
@@ -421,6 +429,10 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
||||
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
@ -178,7 +178,7 @@ Index: openssh-8.8p1/Makefile.in
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
@@ -435,6 +447,10 @@ install-files:
|
||||
@@ -440,6 +452,10 @@ install-files:
|
||||
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
||||
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||
@ -189,7 +189,7 @@ Index: openssh-8.8p1/Makefile.in
|
||||
$(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
|
||||
|
||||
install-sysconf:
|
||||
@@ -459,6 +475,13 @@ install-sysconf:
|
||||
@@ -464,6 +480,13 @@ install-sysconf:
|
||||
else \
|
||||
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
|
||||
fi
|
||||
@ -203,7 +203,7 @@ Index: openssh-8.8p1/Makefile.in
|
||||
|
||||
host-key: ssh-keygen$(EXEEXT)
|
||||
@if [ -z "$(DESTDIR)" ] ; then \
|
||||
@@ -497,6 +520,8 @@ uninstall:
|
||||
@@ -502,6 +525,8 @@ uninstall:
|
||||
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||
@ -212,7 +212,7 @@ Index: openssh-8.8p1/Makefile.in
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||
@@ -509,6 +534,7 @@ uninstall:
|
||||
@@ -514,6 +539,7 @@ uninstall:
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
|
||||
@ -220,11 +220,11 @@ Index: openssh-8.8p1/Makefile.in
|
||||
|
||||
regress-prep:
|
||||
$(MKDIR_P) `pwd`/regress/unittests/test_helper
|
||||
Index: openssh-8.8p1/configure.ac
|
||||
Index: openssh-8.9p1/configure.ac
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/configure.ac
|
||||
+++ openssh-8.8p1/configure.ac
|
||||
@@ -1758,6 +1758,106 @@ AC_ARG_WITH([audit],
|
||||
--- openssh-8.9p1.orig/configure.ac
|
||||
+++ openssh-8.9p1/configure.ac
|
||||
@@ -1780,6 +1780,106 @@ AC_ARG_WITH([audit],
|
||||
esac ]
|
||||
)
|
||||
|
||||
@ -331,10 +331,10 @@ Index: openssh-8.8p1/configure.ac
|
||||
AC_ARG_WITH([pie],
|
||||
[ --with-pie Build Position Independent Executables if possible], [
|
||||
if test "x$withval" = "xno"; then
|
||||
Index: openssh-8.8p1/ldap-helper.c
|
||||
Index: openssh-8.9p1/ldap-helper.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/ldap-helper.c
|
||||
+++ openssh-8.9p1/ldap-helper.c
|
||||
@@ -0,0 +1,155 @@
|
||||
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -491,10 +491,10 @@ Index: openssh-8.8p1/ldap-helper.c
|
||||
+void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; }
|
||||
+void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {}
|
||||
+
|
||||
Index: openssh-8.8p1/ldap-helper.h
|
||||
Index: openssh-8.9p1/ldap-helper.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/ldap-helper.h
|
||||
+++ openssh-8.9p1/ldap-helper.h
|
||||
@@ -0,0 +1,32 @@
|
||||
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -528,10 +528,10 @@ Index: openssh-8.8p1/ldap-helper.h
|
||||
+extern int config_warning_config_file;
|
||||
+
|
||||
+#endif /* LDAP_HELPER_H */
|
||||
Index: openssh-8.8p1/ldap.conf
|
||||
Index: openssh-8.9p1/ldap.conf
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/ldap.conf
|
||||
+++ openssh-8.9p1/ldap.conf
|
||||
@@ -0,0 +1,88 @@
|
||||
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
|
||||
+#
|
||||
@ -621,10 +621,10 @@ Index: openssh-8.8p1/ldap.conf
|
||||
+#tls_cert
|
||||
+#tls_key
|
||||
+
|
||||
Index: openssh-8.8p1/ldapbody.c
|
||||
Index: openssh-8.9p1/ldapbody.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/ldapbody.c
|
||||
+++ openssh-8.9p1/ldapbody.c
|
||||
@@ -0,0 +1,503 @@
|
||||
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1129,10 +1129,10 @@ Index: openssh-8.8p1/ldapbody.c
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
Index: openssh-8.8p1/ldapbody.h
|
||||
Index: openssh-8.9p1/ldapbody.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/ldapbody.h
|
||||
+++ openssh-8.9p1/ldapbody.h
|
||||
@@ -0,0 +1,37 @@
|
||||
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1171,10 +1171,10 @@ Index: openssh-8.8p1/ldapbody.h
|
||||
+
|
||||
+#endif /* LDAPBODY_H */
|
||||
+
|
||||
Index: openssh-8.8p1/ldapconf.c
|
||||
Index: openssh-8.9p1/ldapconf.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/ldapconf.c
|
||||
+++ openssh-8.9p1/ldapconf.c
|
||||
@@ -0,0 +1,711 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1887,10 +1887,10 @@ Index: openssh-8.8p1/ldapconf.c
|
||||
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
|
||||
+}
|
||||
+
|
||||
Index: openssh-8.8p1/ldapconf.h
|
||||
Index: openssh-8.9p1/ldapconf.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/ldapconf.h
|
||||
+++ openssh-8.9p1/ldapconf.h
|
||||
@@ -0,0 +1,71 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1963,10 +1963,10 @@ Index: openssh-8.8p1/ldapconf.h
|
||||
+void dump_config(void);
|
||||
+
|
||||
+#endif /* LDAPCONF_H */
|
||||
Index: openssh-8.8p1/ldapincludes.h
|
||||
Index: openssh-8.9p1/ldapincludes.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/ldapincludes.h
|
||||
+++ openssh-8.9p1/ldapincludes.h
|
||||
@@ -0,0 +1,41 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -2009,10 +2009,10 @@ Index: openssh-8.8p1/ldapincludes.h
|
||||
+#endif
|
||||
+
|
||||
+#endif /* LDAPINCLUDES_H */
|
||||
Index: openssh-8.8p1/ldapmisc.c
|
||||
Index: openssh-8.9p1/ldapmisc.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/ldapmisc.c
|
||||
+++ openssh-8.9p1/ldapmisc.c
|
||||
@@ -0,0 +1,79 @@
|
||||
+
|
||||
+#include "ldapincludes.h"
|
||||
@ -2093,10 +2093,10 @@ Index: openssh-8.8p1/ldapmisc.c
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
Index: openssh-8.8p1/ldapmisc.h
|
||||
Index: openssh-8.9p1/ldapmisc.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/ldapmisc.h
|
||||
+++ openssh-8.9p1/ldapmisc.h
|
||||
@@ -0,0 +1,35 @@
|
||||
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -2133,10 +2133,10 @@ Index: openssh-8.8p1/ldapmisc.h
|
||||
+
|
||||
+#endif /* LDAPMISC_H */
|
||||
+
|
||||
Index: openssh-8.8p1/openbsd-compat/base64.c
|
||||
Index: openssh-8.9p1/openbsd-compat/base64.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/openbsd-compat/base64.c
|
||||
+++ openssh-8.8p1/openbsd-compat/base64.c
|
||||
--- openssh-8.9p1.orig/openbsd-compat/base64.c
|
||||
+++ openssh-8.9p1/openbsd-compat/base64.c
|
||||
@@ -46,7 +46,7 @@
|
||||
|
||||
#include "includes.h"
|
||||
@ -2145,8 +2145,8 @@ Index: openssh-8.8p1/openbsd-compat/base64.c
|
||||
+#if (!defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP)) || (!defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON)) || defined(USE_INTERNAL_B64)
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
@@ -129,7 +129,7 @@ static const char Pad64 = '=';
|
||||
#include <sys/socket.h>
|
||||
@@ -128,7 +128,7 @@ static const char Pad64 = '=';
|
||||
characters followed by one "=" padding character.
|
||||
*/
|
||||
|
||||
@ -2155,7 +2155,7 @@ Index: openssh-8.8p1/openbsd-compat/base64.c
|
||||
int
|
||||
b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize)
|
||||
{
|
||||
@@ -185,7 +185,7 @@ b64_ntop(u_char const *src, size_t srcle
|
||||
@@ -184,7 +184,7 @@ b64_ntop(u_char const *src, size_t srcle
|
||||
}
|
||||
#endif /* !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) */
|
||||
|
||||
@ -2164,10 +2164,10 @@ Index: openssh-8.8p1/openbsd-compat/base64.c
|
||||
|
||||
/* skips all whitespace anywhere.
|
||||
converts characters, four at a time, starting at (or after)
|
||||
Index: openssh-8.8p1/openbsd-compat/base64.h
|
||||
Index: openssh-8.9p1/openbsd-compat/base64.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/openbsd-compat/base64.h
|
||||
+++ openssh-8.8p1/openbsd-compat/base64.h
|
||||
--- openssh-8.9p1.orig/openbsd-compat/base64.h
|
||||
+++ openssh-8.9p1/openbsd-compat/base64.h
|
||||
@@ -45,16 +45,16 @@
|
||||
|
||||
#include "includes.h"
|
||||
@ -2189,10 +2189,10 @@ Index: openssh-8.8p1/openbsd-compat/base64.h
|
||||
int b64_pton(char const *src, u_char *target, size_t targsize);
|
||||
# endif /* !HAVE_B64_PTON */
|
||||
# define __b64_pton(a,b,c) b64_pton(a,b,c)
|
||||
Index: openssh-8.8p1/openssh-lpk-openldap.schema
|
||||
Index: openssh-8.9p1/openssh-lpk-openldap.schema
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/openssh-lpk-openldap.schema
|
||||
+++ openssh-8.9p1/openssh-lpk-openldap.schema
|
||||
@@ -0,0 +1,21 @@
|
||||
+#
|
||||
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
||||
@ -2215,10 +2215,10 @@ Index: openssh-8.8p1/openssh-lpk-openldap.schema
|
||||
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
||||
+ MUST ( sshPublicKey $ uid )
|
||||
+ )
|
||||
Index: openssh-8.8p1/openssh-lpk-sun.schema
|
||||
Index: openssh-8.9p1/openssh-lpk-sun.schema
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/openssh-lpk-sun.schema
|
||||
+++ openssh-8.9p1/openssh-lpk-sun.schema
|
||||
@@ -0,0 +1,23 @@
|
||||
+#
|
||||
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
||||
@ -2243,10 +2243,10 @@ Index: openssh-8.8p1/openssh-lpk-sun.schema
|
||||
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
||||
+ MUST ( sshPublicKey $ uid )
|
||||
+ )
|
||||
Index: openssh-8.8p1/ssh-ldap-helper.8
|
||||
Index: openssh-8.9p1/ssh-ldap-helper.8
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/ssh-ldap-helper.8
|
||||
+++ openssh-8.9p1/ssh-ldap-helper.8
|
||||
@@ -0,0 +1,79 @@
|
||||
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
|
||||
+.\"
|
||||
@ -2327,19 +2327,19 @@ Index: openssh-8.8p1/ssh-ldap-helper.8
|
||||
+OpenSSH 5.5 + PKA-LDAP .
|
||||
+.Sh AUTHORS
|
||||
+.An Jan F. Chadima Aq jchadima@redhat.com
|
||||
Index: openssh-8.8p1/ssh-ldap-wrapper
|
||||
Index: openssh-8.9p1/ssh-ldap-wrapper
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/ssh-ldap-wrapper
|
||||
+++ openssh-8.9p1/ssh-ldap-wrapper
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+exec @LIBEXECDIR@/ssh-ldap-helper -s "$1"
|
||||
+
|
||||
Index: openssh-8.8p1/ssh-ldap.conf.5
|
||||
Index: openssh-8.9p1/ssh-ldap.conf.5
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/ssh-ldap.conf.5
|
||||
+++ openssh-8.9p1/ssh-ldap.conf.5
|
||||
@@ -0,0 +1,376 @@
|
||||
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
|
||||
+.\"
|
||||
|
@ -1,8 +1,8 @@
|
||||
Index: openssh-8.8p1/Makefile.in
|
||||
Index: openssh-8.9p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/Makefile.in
|
||||
+++ openssh-8.8p1/Makefile.in
|
||||
@@ -112,6 +112,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
--- openssh-8.9p1.orig/Makefile.in
|
||||
+++ openssh-8.9p1/Makefile.in
|
||||
@@ -114,6 +114,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
|
||||
kexgexc.o kexgexs.o \
|
||||
kexsntrup761x25519.o sntrup761.o kexgen.o \
|
||||
@ -10,19 +10,19 @@ Index: openssh-8.8p1/Makefile.in
|
||||
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
||||
sshbuf-io.o
|
||||
|
||||
@@ -130,7 +131,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||
@@ -132,7 +133,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
|
||||
auth2-none.o auth2-passwd.o auth2-pubkey.o \
|
||||
monitor.o monitor_wrap.o auth-krb5.o \
|
||||
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
||||
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
|
||||
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
||||
loginrec.o auth-pam.o auth-shadow.o auth-sia.o \
|
||||
srclimit.o sftp-server.o sftp-common.o \
|
||||
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
|
||||
Index: openssh-8.8p1/auth.c
|
||||
Index: openssh-8.9p1/auth.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/auth.c
|
||||
+++ openssh-8.8p1/auth.c
|
||||
--- openssh-8.9p1.orig/auth.c
|
||||
+++ openssh-8.9p1/auth.c
|
||||
@@ -402,7 +402,8 @@ auth_root_allowed(struct ssh *ssh, const
|
||||
case PERMIT_NO_PASSWD:
|
||||
if (strcmp(method, "publickey") == 0 ||
|
||||
@ -33,7 +33,7 @@ Index: openssh-8.8p1/auth.c
|
||||
return 1;
|
||||
break;
|
||||
case PERMIT_FORCED_ONLY:
|
||||
@@ -730,97 +731,6 @@ fakepw(void)
|
||||
@@ -740,97 +741,6 @@ fakepw(void)
|
||||
}
|
||||
|
||||
/*
|
||||
@ -131,12 +131,12 @@ Index: openssh-8.8p1/auth.c
|
||||
* Return the canonical name of the host in the other side of the current
|
||||
* connection. The host name is cached, so it is efficient to call this
|
||||
* several times.
|
||||
Index: openssh-8.8p1/auth2-gss.c
|
||||
Index: openssh-8.9p1/auth2-gss.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/auth2-gss.c
|
||||
+++ openssh-8.8p1/auth2-gss.c
|
||||
--- openssh-8.9p1.orig/auth2-gss.c
|
||||
+++ openssh-8.9p1/auth2-gss.c
|
||||
@@ -1,7 +1,7 @@
|
||||
/* $OpenBSD: auth2-gss.c,v 1.32 2021/01/27 10:15:08 djm Exp $ */
|
||||
/* $OpenBSD: auth2-gss.c,v 1.33 2021/12/19 22:12:07 djm Exp $ */
|
||||
|
||||
/*
|
||||
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||
@ -225,11 +225,11 @@ Index: openssh-8.8p1/auth2-gss.c
|
||||
+
|
||||
Authmethod method_gssapi = {
|
||||
"gssapi-with-mic",
|
||||
userauth_gssapi,
|
||||
Index: openssh-8.8p1/auth2.c
|
||||
NULL,
|
||||
Index: openssh-8.9p1/auth2.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/auth2.c
|
||||
+++ openssh-8.8p1/auth2.c
|
||||
--- openssh-8.9p1.orig/auth2.c
|
||||
+++ openssh-8.9p1/auth2.c
|
||||
@@ -71,6 +71,7 @@ extern Authmethod method_passwd;
|
||||
extern Authmethod method_kbdint;
|
||||
extern Authmethod method_hostbased;
|
||||
@ -246,10 +246,10 @@ Index: openssh-8.8p1/auth2.c
|
||||
&method_gssapi,
|
||||
#endif
|
||||
&method_passwd,
|
||||
Index: openssh-8.8p1/canohost.c
|
||||
Index: openssh-8.9p1/canohost.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/canohost.c
|
||||
+++ openssh-8.8p1/canohost.c
|
||||
--- openssh-8.9p1.orig/canohost.c
|
||||
+++ openssh-8.9p1/canohost.c
|
||||
@@ -35,6 +35,99 @@
|
||||
#include "canohost.h"
|
||||
#include "misc.h"
|
||||
@ -350,10 +350,10 @@ Index: openssh-8.8p1/canohost.c
|
||||
void
|
||||
ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
|
||||
{
|
||||
Index: openssh-8.8p1/canohost.h
|
||||
Index: openssh-8.9p1/canohost.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/canohost.h
|
||||
+++ openssh-8.8p1/canohost.h
|
||||
--- openssh-8.9p1.orig/canohost.h
|
||||
+++ openssh-8.9p1/canohost.h
|
||||
@@ -15,6 +15,9 @@
|
||||
#ifndef _CANOHOST_H
|
||||
#define _CANOHOST_H
|
||||
@ -364,13 +364,13 @@ Index: openssh-8.8p1/canohost.h
|
||||
char *get_peer_ipaddr(int);
|
||||
int get_peer_port(int);
|
||||
char *get_local_ipaddr(int);
|
||||
Index: openssh-8.8p1/clientloop.c
|
||||
Index: openssh-8.9p1/clientloop.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/clientloop.c
|
||||
+++ openssh-8.8p1/clientloop.c
|
||||
@@ -112,6 +112,10 @@
|
||||
#include "ssherr.h"
|
||||
#include "hostfile.h"
|
||||
--- openssh-8.9p1.orig/clientloop.c
|
||||
+++ openssh-8.9p1/clientloop.c
|
||||
@@ -118,6 +118,10 @@
|
||||
/* Permitted RSA signature algorithms for UpdateHostkeys proofs */
|
||||
#define HOSTKEY_PROOF_RSA_ALGS "rsa-sha2-512,rsa-sha2-256"
|
||||
|
||||
+#ifdef GSSAPI
|
||||
+#include "ssh-gss.h"
|
||||
@ -379,13 +379,13 @@ Index: openssh-8.8p1/clientloop.c
|
||||
/* import options */
|
||||
extern Options options;
|
||||
|
||||
@@ -1343,9 +1347,18 @@ client_loop(struct ssh *ssh, int have_pt
|
||||
@@ -1349,9 +1353,18 @@ client_loop(struct ssh *ssh, int have_pt
|
||||
break;
|
||||
|
||||
/* Do channel operations unless rekeying in progress. */
|
||||
- if (!ssh_packet_is_rekeying(ssh))
|
||||
+ if (!ssh_packet_is_rekeying(ssh)) {
|
||||
channel_after_select(ssh, readset, writeset);
|
||||
channel_after_poll(ssh, pfd, npfd_active);
|
||||
|
||||
+#ifdef GSSAPI
|
||||
+ if (options.gss_renewal_rekey &&
|
||||
@ -397,13 +397,13 @@ Index: openssh-8.8p1/clientloop.c
|
||||
+ }
|
||||
+
|
||||
/* Buffer input from the connection. */
|
||||
client_process_net_input(ssh, readset);
|
||||
|
||||
Index: openssh-8.8p1/configure.ac
|
||||
if (conn_in_ready)
|
||||
client_process_net_input(ssh);
|
||||
Index: openssh-8.9p1/configure.ac
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/configure.ac
|
||||
+++ openssh-8.8p1/configure.ac
|
||||
@@ -709,6 +709,30 @@ main() { if (NSVersionOfRunTimeLibrary("
|
||||
--- openssh-8.9p1.orig/configure.ac
|
||||
+++ openssh-8.9p1/configure.ac
|
||||
@@ -714,6 +714,30 @@ main() { if (NSVersionOfRunTimeLibrary("
|
||||
[Use tunnel device compatibility to OpenBSD])
|
||||
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
|
||||
[Prepend the address family to IP tunnel traffic])
|
||||
@ -434,10 +434,10 @@ Index: openssh-8.8p1/configure.ac
|
||||
m4_pattern_allow([AU_IPv])
|
||||
AC_CHECK_DECL([AU_IPv4], [],
|
||||
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
|
||||
Index: openssh-8.8p1/gss-genr.c
|
||||
Index: openssh-8.9p1/gss-genr.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/gss-genr.c
|
||||
+++ openssh-8.8p1/gss-genr.c
|
||||
--- openssh-8.9p1.orig/gss-genr.c
|
||||
+++ openssh-8.9p1/gss-genr.c
|
||||
@@ -1,7 +1,7 @@
|
||||
/* $OpenBSD: gss-genr.c,v 1.28 2021/01/27 10:05:28 djm Exp $ */
|
||||
|
||||
@ -447,7 +447,7 @@ Index: openssh-8.8p1/gss-genr.c
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@@ -42,8 +42,34 @@
|
||||
@@ -43,8 +43,34 @@
|
||||
#include "log.h"
|
||||
#include "ssh2.h"
|
||||
|
||||
@ -482,7 +482,7 @@ Index: openssh-8.8p1/gss-genr.c
|
||||
/* sshbuf_get for gss_buffer_desc */
|
||||
int
|
||||
ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
|
||||
@@ -59,6 +85,161 @@ ssh_gssapi_get_buffer_desc(struct sshbuf
|
||||
@@ -60,6 +86,161 @@ ssh_gssapi_get_buffer_desc(struct sshbuf
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -644,7 +644,7 @@ Index: openssh-8.8p1/gss-genr.c
|
||||
/* Check that the OID in a data stream matches that in the context */
|
||||
int
|
||||
ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
|
||||
@@ -215,7 +396,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
|
||||
@@ -216,7 +397,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
|
||||
}
|
||||
|
||||
ctx->major = gss_init_sec_context(&ctx->minor,
|
||||
@ -653,7 +653,7 @@ Index: openssh-8.8p1/gss-genr.c
|
||||
GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
|
||||
0, NULL, recv_tok, NULL, send_tok, flags, NULL);
|
||||
|
||||
@@ -245,8 +426,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
|
||||
@@ -246,8 +427,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
|
||||
}
|
||||
|
||||
OM_uint32
|
||||
@ -696,7 +696,7 @@ Index: openssh-8.8p1/gss-genr.c
|
||||
if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
|
||||
GSS_C_QOP_DEFAULT, buffer, hash)))
|
||||
ssh_gssapi_error(ctx);
|
||||
@@ -254,6 +469,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
|
||||
@@ -255,6 +470,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
|
||||
return (ctx->major);
|
||||
}
|
||||
|
||||
@ -716,7 +716,7 @@ Index: openssh-8.8p1/gss-genr.c
|
||||
void
|
||||
ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
|
||||
const char *context, const struct sshbuf *session_id)
|
||||
@@ -270,11 +498,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, co
|
||||
@@ -271,11 +499,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, co
|
||||
}
|
||||
|
||||
int
|
||||
@ -734,7 +734,7 @@ Index: openssh-8.8p1/gss-genr.c
|
||||
|
||||
/* RFC 4462 says we MUST NOT do SPNEGO */
|
||||
if (oid->length == spnego_oid.length &&
|
||||
@@ -284,6 +517,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
|
||||
@@ -285,6 +518,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
|
||||
ssh_gssapi_build_ctx(ctx);
|
||||
ssh_gssapi_set_oid(*ctx, oid);
|
||||
major = ssh_gssapi_import_name(*ctx, host);
|
||||
@ -745,7 +745,7 @@ Index: openssh-8.8p1/gss-genr.c
|
||||
if (!GSS_ERROR(major)) {
|
||||
major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
|
||||
NULL);
|
||||
@@ -293,10 +530,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
|
||||
@@ -294,10 +531,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
|
||||
GSS_C_NO_BUFFER);
|
||||
}
|
||||
|
||||
@ -813,10 +813,10 @@ Index: openssh-8.8p1/gss-genr.c
|
||||
+}
|
||||
+
|
||||
#endif /* GSSAPI */
|
||||
Index: openssh-8.8p1/gss-serv-krb5.c
|
||||
Index: openssh-8.9p1/gss-serv-krb5.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/gss-serv-krb5.c
|
||||
+++ openssh-8.8p1/gss-serv-krb5.c
|
||||
--- openssh-8.9p1.orig/gss-serv-krb5.c
|
||||
+++ openssh-8.9p1/gss-serv-krb5.c
|
||||
@@ -1,7 +1,7 @@
|
||||
/* $OpenBSD: gss-serv-krb5.c,v 1.9 2018/07/09 21:37:55 markus Exp $ */
|
||||
|
||||
@ -953,10 +953,10 @@ Index: openssh-8.8p1/gss-serv-krb5.c
|
||||
};
|
||||
|
||||
#endif /* KRB5 */
|
||||
Index: openssh-8.8p1/gss-serv.c
|
||||
Index: openssh-8.9p1/gss-serv.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/gss-serv.c
|
||||
+++ openssh-8.8p1/gss-serv.c
|
||||
--- openssh-8.9p1.orig/gss-serv.c
|
||||
+++ openssh-8.9p1/gss-serv.c
|
||||
@@ -1,7 +1,7 @@
|
||||
/* $OpenBSD: gss-serv.c,v 1.32 2020/03/13 03:17:07 djm Exp $ */
|
||||
|
||||
@ -1253,10 +1253,10 @@ Index: openssh-8.8p1/gss-serv.c
|
||||
}
|
||||
|
||||
/* Privileged */
|
||||
Index: openssh-8.8p1/kex.c
|
||||
Index: openssh-8.9p1/kex.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/kex.c
|
||||
+++ openssh-8.8p1/kex.c
|
||||
--- openssh-8.9p1.orig/kex.c
|
||||
+++ openssh-8.9p1/kex.c
|
||||
@@ -57,11 +57,16 @@
|
||||
#include "misc.h"
|
||||
#include "dispatch.h"
|
||||
@ -1388,20 +1388,20 @@ Index: openssh-8.8p1/kex.c
|
||||
/* put algorithm proposal into buffer */
|
||||
int
|
||||
kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
|
||||
@@ -745,6 +802,9 @@ kex_free(struct kex *kex)
|
||||
sshbuf_free(kex->server_version);
|
||||
sshbuf_free(kex->client_pub);
|
||||
@@ -765,6 +822,9 @@ kex_free(struct kex *kex)
|
||||
sshbuf_free(kex->session_id);
|
||||
sshbuf_free(kex->initial_sig);
|
||||
sshkey_free(kex->initial_hostkey);
|
||||
+#ifdef GSSAPI
|
||||
+ free(kex->gss_host);
|
||||
+#endif /* GSSAPI */
|
||||
free(kex->failed_choice);
|
||||
free(kex->hostkey_alg);
|
||||
free(kex->name);
|
||||
Index: openssh-8.8p1/kex.h
|
||||
Index: openssh-8.9p1/kex.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/kex.h
|
||||
+++ openssh-8.8p1/kex.h
|
||||
--- openssh-8.9p1.orig/kex.h
|
||||
+++ openssh-8.9p1/kex.h
|
||||
@@ -102,6 +102,15 @@ enum kex_exchange {
|
||||
KEX_ECDH_SHA2,
|
||||
KEX_C25519_SHA256,
|
||||
@ -1418,7 +1418,7 @@ Index: openssh-8.8p1/kex.h
|
||||
KEX_MAX
|
||||
};
|
||||
|
||||
@@ -152,6 +161,12 @@ struct kex {
|
||||
@@ -159,6 +168,12 @@ struct kex {
|
||||
u_int flags;
|
||||
int hash_alg;
|
||||
int ec_nid;
|
||||
@ -1431,7 +1431,7 @@ Index: openssh-8.8p1/kex.h
|
||||
char *failed_choice;
|
||||
int (*verify_host_key)(struct sshkey *, struct ssh *);
|
||||
struct sshkey *(*load_host_public_key)(int, int, struct ssh *);
|
||||
@@ -173,8 +188,10 @@ struct kex {
|
||||
@@ -180,8 +195,10 @@ struct kex {
|
||||
|
||||
int kex_names_valid(const char *);
|
||||
char *kex_alg_list(char);
|
||||
@ -1442,7 +1442,7 @@ Index: openssh-8.8p1/kex.h
|
||||
|
||||
int kex_exchange_identification(struct ssh *, int, const char *);
|
||||
|
||||
@@ -202,6 +219,12 @@ int kexgex_client(struct ssh *);
|
||||
@@ -209,6 +226,12 @@ int kexgex_client(struct ssh *);
|
||||
int kexgex_server(struct ssh *);
|
||||
int kex_gen_client(struct ssh *);
|
||||
int kex_gen_server(struct ssh *);
|
||||
@ -1455,7 +1455,7 @@ Index: openssh-8.8p1/kex.h
|
||||
|
||||
int kex_dh_keypair(struct kex *);
|
||||
int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
|
||||
@@ -234,6 +257,12 @@ int kexgex_hash(int, const struct sshbu
|
||||
@@ -241,6 +264,12 @@ int kexgex_hash(int, const struct sshbu
|
||||
const BIGNUM *, const u_char *, size_t,
|
||||
u_char *, size_t *);
|
||||
|
||||
@ -1468,10 +1468,10 @@ Index: openssh-8.8p1/kex.h
|
||||
void kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])
|
||||
__attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
|
||||
__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
|
||||
Index: openssh-8.8p1/kexdh.c
|
||||
Index: openssh-8.9p1/kexdh.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/kexdh.c
|
||||
+++ openssh-8.8p1/kexdh.c
|
||||
--- openssh-8.9p1.orig/kexdh.c
|
||||
+++ openssh-8.9p1/kexdh.c
|
||||
@@ -49,13 +49,23 @@ kex_dh_keygen(struct kex *kex)
|
||||
{
|
||||
switch (kex->kex_type) {
|
||||
@ -1496,10 +1496,10 @@ Index: openssh-8.8p1/kexdh.c
|
||||
kex->dh = dh_new_group16();
|
||||
break;
|
||||
case KEX_DH_GRP18_SHA512:
|
||||
Index: openssh-8.8p1/kexgen.c
|
||||
Index: openssh-8.9p1/kexgen.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/kexgen.c
|
||||
+++ openssh-8.8p1/kexgen.c
|
||||
--- openssh-8.9p1.orig/kexgen.c
|
||||
+++ openssh-8.9p1/kexgen.c
|
||||
@@ -44,7 +44,7 @@
|
||||
static int input_kex_gen_init(int, u_int32_t, struct ssh *);
|
||||
static int input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh);
|
||||
@ -1509,10 +1509,10 @@ Index: openssh-8.8p1/kexgen.c
|
||||
kex_gen_hash(
|
||||
int hash_alg,
|
||||
const struct sshbuf *client_version,
|
||||
Index: openssh-8.8p1/kexgssc.c
|
||||
Index: openssh-8.9p1/kexgssc.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/kexgssc.c
|
||||
+++ openssh-8.9p1/kexgssc.c
|
||||
@@ -0,0 +1,595 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||
@ -2109,10 +2109,10 @@ Index: openssh-8.8p1/kexgssc.c
|
||||
+ return r;
|
||||
+}
|
||||
+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
|
||||
Index: openssh-8.8p1/kexgsss.c
|
||||
Index: openssh-8.9p1/kexgsss.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/kexgsss.c
|
||||
+++ openssh-8.9p1/kexgsss.c
|
||||
@@ -0,0 +1,474 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||
@ -2588,10 +2588,10 @@ Index: openssh-8.8p1/kexgsss.c
|
||||
+ return r;
|
||||
+}
|
||||
+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
|
||||
Index: openssh-8.8p1/monitor.c
|
||||
Index: openssh-8.9p1/monitor.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/monitor.c
|
||||
+++ openssh-8.8p1/monitor.c
|
||||
--- openssh-8.9p1.orig/monitor.c
|
||||
+++ openssh-8.9p1/monitor.c
|
||||
@@ -145,6 +145,8 @@ int mm_answer_gss_setup_ctx(struct ssh *
|
||||
int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *);
|
||||
@ -2642,7 +2642,7 @@ Index: openssh-8.8p1/monitor.c
|
||||
|
||||
if (auth_opts->permit_pty_flag) {
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
|
||||
@@ -1730,6 +1747,17 @@ monitor_apply_keystate(struct ssh *ssh,
|
||||
@@ -1747,6 +1764,17 @@ monitor_apply_keystate(struct ssh *ssh,
|
||||
# ifdef OPENSSL_HAS_ECC
|
||||
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
|
||||
# endif
|
||||
@ -2660,7 +2660,7 @@ Index: openssh-8.8p1/monitor.c
|
||||
#endif /* WITH_OPENSSL */
|
||||
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
||||
kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
|
||||
@@ -1822,8 +1850,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh,
|
||||
@@ -1839,8 +1867,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh,
|
||||
u_char *p;
|
||||
int r;
|
||||
|
||||
@ -2671,7 +2671,7 @@ Index: openssh-8.8p1/monitor.c
|
||||
|
||||
if ((r = sshbuf_get_string(m, &p, &len)) != 0)
|
||||
fatal_fr(r, "parse");
|
||||
@@ -1855,8 +1883,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh
|
||||
@@ -1872,8 +1900,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh
|
||||
OM_uint32 flags = 0; /* GSI needs this */
|
||||
int r;
|
||||
|
||||
@ -2682,7 +2682,7 @@ Index: openssh-8.8p1/monitor.c
|
||||
|
||||
if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
|
||||
fatal_fr(r, "ssh_gssapi_get_buffer_desc");
|
||||
@@ -1876,6 +1904,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh
|
||||
@@ -1893,6 +1921,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
|
||||
@ -2690,7 +2690,7 @@ Index: openssh-8.8p1/monitor.c
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
@@ -1887,8 +1916,8 @@ mm_answer_gss_checkmic(struct ssh *ssh,
|
||||
@@ -1904,8 +1933,8 @@ mm_answer_gss_checkmic(struct ssh *ssh,
|
||||
OM_uint32 ret;
|
||||
int r;
|
||||
|
||||
@ -2701,7 +2701,7 @@ Index: openssh-8.8p1/monitor.c
|
||||
|
||||
if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
|
||||
(r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
|
||||
@@ -1914,13 +1943,17 @@ mm_answer_gss_checkmic(struct ssh *ssh,
|
||||
@@ -1931,13 +1960,17 @@ mm_answer_gss_checkmic(struct ssh *ssh,
|
||||
int
|
||||
mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
{
|
||||
@ -2723,7 +2723,7 @@ Index: openssh-8.8p1/monitor.c
|
||||
|
||||
sshbuf_reset(m);
|
||||
if ((r = sshbuf_put_u32(m, authenticated)) != 0)
|
||||
@@ -1929,7 +1962,11 @@ mm_answer_gss_userok(struct ssh *ssh, in
|
||||
@@ -1946,7 +1979,11 @@ mm_answer_gss_userok(struct ssh *ssh, in
|
||||
debug3_f("sending result %d", authenticated);
|
||||
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
|
||||
|
||||
@ -2736,7 +2736,7 @@ Index: openssh-8.8p1/monitor.c
|
||||
|
||||
if ((displayname = ssh_gssapi_displayname()) != NULL)
|
||||
auth2_record_info(authctxt, "%s", displayname);
|
||||
@@ -1937,5 +1974,85 @@ mm_answer_gss_userok(struct ssh *ssh, in
|
||||
@@ -1954,5 +1991,85 @@ mm_answer_gss_userok(struct ssh *ssh, in
|
||||
/* Monitor loop will terminate if authenticated */
|
||||
return (authenticated);
|
||||
}
|
||||
@ -2822,10 +2822,10 @@ Index: openssh-8.8p1/monitor.c
|
||||
+
|
||||
#endif /* GSSAPI */
|
||||
|
||||
Index: openssh-8.8p1/monitor.h
|
||||
Index: openssh-8.9p1/monitor.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/monitor.h
|
||||
+++ openssh-8.8p1/monitor.h
|
||||
--- openssh-8.9p1.orig/monitor.h
|
||||
+++ openssh-8.9p1/monitor.h
|
||||
@@ -63,6 +63,8 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
|
||||
MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
|
||||
@ -2835,10 +2835,10 @@ Index: openssh-8.8p1/monitor.h
|
||||
};
|
||||
|
||||
struct ssh;
|
||||
Index: openssh-8.8p1/monitor_wrap.c
|
||||
Index: openssh-8.9p1/monitor_wrap.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/monitor_wrap.c
|
||||
+++ openssh-8.8p1/monitor_wrap.c
|
||||
--- openssh-8.9p1.orig/monitor_wrap.c
|
||||
+++ openssh-8.9p1/monitor_wrap.c
|
||||
@@ -999,13 +999,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
|
||||
}
|
||||
|
||||
@ -2914,10 +2914,10 @@ Index: openssh-8.8p1/monitor_wrap.c
|
||||
+}
|
||||
+
|
||||
#endif /* GSSAPI */
|
||||
Index: openssh-8.8p1/monitor_wrap.h
|
||||
Index: openssh-8.9p1/monitor_wrap.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/monitor_wrap.h
|
||||
+++ openssh-8.8p1/monitor_wrap.h
|
||||
--- openssh-8.9p1.orig/monitor_wrap.h
|
||||
+++ openssh-8.9p1/monitor_wrap.h
|
||||
@@ -65,8 +65,10 @@ int mm_sshkey_verify(const struct sshkey
|
||||
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
|
||||
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
|
||||
@ -2930,10 +2930,10 @@ Index: openssh-8.8p1/monitor_wrap.h
|
||||
#endif
|
||||
|
||||
#ifdef USE_PAM
|
||||
Index: openssh-8.8p1/readconf.c
|
||||
Index: openssh-8.9p1/readconf.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/readconf.c
|
||||
+++ openssh-8.8p1/readconf.c
|
||||
--- openssh-8.9p1.orig/readconf.c
|
||||
+++ openssh-8.9p1/readconf.c
|
||||
@@ -67,6 +67,7 @@
|
||||
#include "uidswap.h"
|
||||
#include "myproposal.h"
|
||||
@ -2974,7 +2974,7 @@ Index: openssh-8.8p1/readconf.c
|
||||
#endif
|
||||
#ifdef ENABLE_PKCS11
|
||||
{ "pkcs11provider", oPKCS11Provider },
|
||||
@@ -1115,10 +1130,42 @@ parse_time:
|
||||
@@ -1125,10 +1140,42 @@ parse_time:
|
||||
intptr = &options->gss_authentication;
|
||||
goto parse_flag;
|
||||
|
||||
@ -3017,7 +3017,7 @@ Index: openssh-8.8p1/readconf.c
|
||||
case oBatchMode:
|
||||
intptr = &options->batch_mode;
|
||||
goto parse_flag;
|
||||
@@ -2352,7 +2399,13 @@ initialize_options(Options * options)
|
||||
@@ -2361,7 +2408,13 @@ initialize_options(Options * options)
|
||||
options->fwd_opts.streamlocal_bind_unlink = -1;
|
||||
options->pubkey_authentication = -1;
|
||||
options->gss_authentication = -1;
|
||||
@ -3031,8 +3031,8 @@ Index: openssh-8.8p1/readconf.c
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->kbd_interactive_devices = NULL;
|
||||
@@ -2509,8 +2562,18 @@ fill_default_options(Options * options)
|
||||
options->pubkey_authentication = 1;
|
||||
@@ -2518,8 +2571,18 @@ fill_default_options(Options * options)
|
||||
options->pubkey_authentication = SSH_PUBKEY_AUTH_ALL;
|
||||
if (options->gss_authentication == -1)
|
||||
options->gss_authentication = 0;
|
||||
+ if (options->gss_keyex == -1)
|
||||
@ -3050,7 +3050,7 @@ Index: openssh-8.8p1/readconf.c
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
@@ -3306,7 +3369,14 @@ dump_client_config(Options *o, const cha
|
||||
@@ -3317,7 +3380,14 @@ dump_client_config(Options *o, const cha
|
||||
dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
|
||||
#ifdef GSSAPI
|
||||
dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
|
||||
@ -3065,10 +3065,10 @@ Index: openssh-8.8p1/readconf.c
|
||||
#endif /* GSSAPI */
|
||||
dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
|
||||
dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
|
||||
Index: openssh-8.8p1/readconf.h
|
||||
Index: openssh-8.9p1/readconf.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/readconf.h
|
||||
+++ openssh-8.8p1/readconf.h
|
||||
--- openssh-8.9p1.orig/readconf.h
|
||||
+++ openssh-8.9p1/readconf.h
|
||||
@@ -39,7 +39,13 @@ typedef struct {
|
||||
int pubkey_authentication; /* Try ssh2 pubkey authentication. */
|
||||
int hostbased_authentication; /* ssh2's rhosts_rsa */
|
||||
@ -3083,10 +3083,10 @@ Index: openssh-8.8p1/readconf.h
|
||||
int password_authentication; /* Try password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
||||
Index: openssh-8.8p1/servconf.c
|
||||
Index: openssh-8.9p1/servconf.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/servconf.c
|
||||
+++ openssh-8.8p1/servconf.c
|
||||
--- openssh-8.9p1.orig/servconf.c
|
||||
+++ openssh-8.9p1/servconf.c
|
||||
@@ -70,6 +70,7 @@
|
||||
#include "auth.h"
|
||||
#include "myproposal.h"
|
||||
@ -3157,7 +3157,7 @@ Index: openssh-8.8p1/servconf.c
|
||||
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
||||
{ "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
|
||||
@@ -1605,6 +1628,10 @@ process_server_config_line_depth(ServerO
|
||||
@@ -1603,6 +1626,10 @@ process_server_config_line_depth(ServerO
|
||||
intptr = &options->gss_authentication;
|
||||
goto parse_flag;
|
||||
|
||||
@ -3168,7 +3168,7 @@ Index: openssh-8.8p1/servconf.c
|
||||
case sGssCleanupCreds:
|
||||
intptr = &options->gss_cleanup_creds;
|
||||
goto parse_flag;
|
||||
@@ -1613,6 +1640,22 @@ process_server_config_line_depth(ServerO
|
||||
@@ -1611,6 +1638,22 @@ process_server_config_line_depth(ServerO
|
||||
intptr = &options->gss_strict_acceptor;
|
||||
goto parse_flag;
|
||||
|
||||
@ -3191,7 +3191,7 @@ Index: openssh-8.8p1/servconf.c
|
||||
case sPasswordAuthentication:
|
||||
intptr = &options->password_authentication;
|
||||
goto parse_flag;
|
||||
@@ -2921,6 +2964,10 @@ dump_config(ServerOptions *o)
|
||||
@@ -2918,6 +2961,10 @@ dump_config(ServerOptions *o)
|
||||
#ifdef GSSAPI
|
||||
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
||||
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
|
||||
@ -3202,10 +3202,10 @@ Index: openssh-8.8p1/servconf.c
|
||||
#endif
|
||||
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
|
||||
dump_cfg_fmtint(sKbdInteractiveAuthentication,
|
||||
Index: openssh-8.8p1/servconf.h
|
||||
Index: openssh-8.9p1/servconf.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/servconf.h
|
||||
+++ openssh-8.8p1/servconf.h
|
||||
--- openssh-8.9p1.orig/servconf.h
|
||||
+++ openssh-8.9p1/servconf.h
|
||||
@@ -141,8 +141,11 @@ typedef struct {
|
||||
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
||||
* authenticated with Kerberos. */
|
||||
@ -3218,11 +3218,11 @@ Index: openssh-8.8p1/servconf.h
|
||||
int password_authentication; /* If true, permit password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* If true, permit */
|
||||
Index: openssh-8.8p1/session.c
|
||||
Index: openssh-8.9p1/session.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/session.c
|
||||
+++ openssh-8.8p1/session.c
|
||||
@@ -2709,13 +2709,19 @@ do_cleanup(struct ssh *ssh, Authctxt *au
|
||||
--- openssh-8.9p1.orig/session.c
|
||||
+++ openssh-8.9p1/session.c
|
||||
@@ -2708,13 +2708,19 @@ do_cleanup(struct ssh *ssh, Authctxt *au
|
||||
|
||||
#ifdef KRB5
|
||||
if (options.kerberos_ticket_cleanup &&
|
||||
@ -3244,10 +3244,10 @@ Index: openssh-8.8p1/session.c
|
||||
#endif
|
||||
|
||||
/* remove agent socket */
|
||||
Index: openssh-8.8p1/ssh-gss.h
|
||||
Index: openssh-8.9p1/ssh-gss.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/ssh-gss.h
|
||||
+++ openssh-8.8p1/ssh-gss.h
|
||||
--- openssh-8.9p1.orig/ssh-gss.h
|
||||
+++ openssh-8.9p1/ssh-gss.h
|
||||
@@ -1,6 +1,6 @@
|
||||
/* $OpenBSD: ssh-gss.h,v 1.15 2021/01/27 10:05:28 djm Exp $ */
|
||||
/*
|
||||
@ -3364,10 +3364,10 @@ Index: openssh-8.8p1/ssh-gss.h
|
||||
#endif /* GSSAPI */
|
||||
|
||||
#endif /* _SSH_GSS_H */
|
||||
Index: openssh-8.8p1/ssh.1
|
||||
Index: openssh-8.9p1/ssh.1
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/ssh.1
|
||||
+++ openssh-8.8p1/ssh.1
|
||||
--- openssh-8.9p1.orig/ssh.1
|
||||
+++ openssh-8.9p1/ssh.1
|
||||
@@ -530,7 +530,13 @@ For full details of the options listed b
|
||||
.It GatewayPorts
|
||||
.It GlobalKnownHostsFile
|
||||
@ -3391,10 +3391,10 @@ Index: openssh-8.8p1/ssh.1
|
||||
.Ar key
|
||||
(key types),
|
||||
.Ar key-cert
|
||||
Index: openssh-8.8p1/ssh.c
|
||||
Index: openssh-8.9p1/ssh.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/ssh.c
|
||||
+++ openssh-8.8p1/ssh.c
|
||||
--- openssh-8.9p1.orig/ssh.c
|
||||
+++ openssh-8.9p1/ssh.c
|
||||
@@ -781,6 +781,8 @@ main(int ac, char **av)
|
||||
else if (strcmp(optarg, "kex") == 0 ||
|
||||
strcasecmp(optarg, "KexAlgorithms") == 0)
|
||||
@ -3413,10 +3413,10 @@ Index: openssh-8.8p1/ssh.c
|
||||
"key\nkey-cert\nkey-plain\nkey-sig\nmac\n"
|
||||
"protocol-version\nsig");
|
||||
}
|
||||
Index: openssh-8.8p1/ssh_config
|
||||
Index: openssh-8.9p1/ssh_config
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/ssh_config
|
||||
+++ openssh-8.8p1/ssh_config
|
||||
--- openssh-8.9p1.orig/ssh_config
|
||||
+++ openssh-8.9p1/ssh_config
|
||||
@@ -40,6 +40,8 @@ Host *
|
||||
# HostbasedAuthentication no
|
||||
# GSSAPIAuthentication no
|
||||
@ -3426,10 +3426,10 @@ Index: openssh-8.8p1/ssh_config
|
||||
# BatchMode no
|
||||
# CheckHostIP yes
|
||||
# AddressFamily any
|
||||
Index: openssh-8.8p1/ssh_config.5
|
||||
Index: openssh-8.9p1/ssh_config.5
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/ssh_config.5
|
||||
+++ openssh-8.8p1/ssh_config.5
|
||||
--- openssh-8.9p1.orig/ssh_config.5
|
||||
+++ openssh-8.9p1/ssh_config.5
|
||||
@@ -835,10 +835,67 @@ The default is
|
||||
Specifies whether user authentication based on GSSAPI is allowed.
|
||||
The default is
|
||||
@ -3498,10 +3498,10 @@ Index: openssh-8.8p1/ssh_config.5
|
||||
.It Cm HashKnownHosts
|
||||
Indicates that
|
||||
.Xr ssh 1
|
||||
Index: openssh-8.8p1/sshconnect2.c
|
||||
Index: openssh-8.9p1/sshconnect2.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshconnect2.c
|
||||
+++ openssh-8.8p1/sshconnect2.c
|
||||
--- openssh-8.9p1.orig/sshconnect2.c
|
||||
+++ openssh-8.9p1/sshconnect2.c
|
||||
@@ -81,8 +81,6 @@
|
||||
#endif
|
||||
|
||||
@ -3725,11 +3725,11 @@ Index: openssh-8.8p1/sshconnect2.c
|
||||
#endif /* GSSAPI */
|
||||
|
||||
static int
|
||||
Index: openssh-8.8p1/sshd.c
|
||||
Index: openssh-8.9p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd.c
|
||||
+++ openssh-8.8p1/sshd.c
|
||||
@@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh)
|
||||
--- openssh-8.9p1.orig/sshd.c
|
||||
+++ openssh-8.9p1/sshd.c
|
||||
@@ -813,8 +813,8 @@ notify_hostkeys(struct ssh *ssh)
|
||||
}
|
||||
debug3_f("sent %u hostkeys", nkeys);
|
||||
if (nkeys == 0)
|
||||
@ -3740,7 +3740,7 @@ Index: openssh-8.8p1/sshd.c
|
||||
sshpkt_fatal(ssh, r, "%s: send", __func__);
|
||||
sshbuf_free(buf);
|
||||
}
|
||||
@@ -1912,7 +1912,8 @@ main(int ac, char **av)
|
||||
@@ -1909,7 +1909,8 @@ main(int ac, char **av)
|
||||
free(fp);
|
||||
}
|
||||
accumulate_host_timing_secret(cfg, NULL);
|
||||
@ -3750,7 +3750,7 @@ Index: openssh-8.8p1/sshd.c
|
||||
logit("sshd: no hostkeys available -- exiting.");
|
||||
exit(1);
|
||||
}
|
||||
@@ -2407,6 +2408,48 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
@@ -2397,6 +2398,48 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
|
||||
ssh, list_hostkey_types());
|
||||
|
||||
@ -3799,7 +3799,7 @@ Index: openssh-8.8p1/sshd.c
|
||||
/* start key exchange */
|
||||
if ((r = kex_setup(ssh, myproposal)) != 0)
|
||||
fatal_r(r, "kex_setup");
|
||||
@@ -2422,7 +2465,18 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
@@ -2412,7 +2455,18 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
# ifdef OPENSSL_HAS_ECC
|
||||
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
|
||||
# endif
|
||||
@ -3819,10 +3819,10 @@ Index: openssh-8.8p1/sshd.c
|
||||
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
||||
kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
|
||||
kex->load_host_public_key=&get_hostkey_public_by_type;
|
||||
Index: openssh-8.8p1/sshd_config
|
||||
Index: openssh-8.9p1/sshd_config
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd_config
|
||||
+++ openssh-8.8p1/sshd_config
|
||||
--- openssh-8.9p1.orig/sshd_config
|
||||
+++ openssh-8.9p1/sshd_config
|
||||
@@ -69,6 +69,8 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
||||
@ -3832,10 +3832,10 @@ Index: openssh-8.8p1/sshd_config
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
Index: openssh-8.8p1/sshd_config.5
|
||||
Index: openssh-8.9p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd_config.5
|
||||
+++ openssh-8.8p1/sshd_config.5
|
||||
--- openssh-8.9p1.orig/sshd_config.5
|
||||
+++ openssh-8.9p1/sshd_config.5
|
||||
@@ -652,6 +652,11 @@ Specifies whether to automatically destr
|
||||
on logout.
|
||||
The default is
|
||||
@ -3880,19 +3880,19 @@ Index: openssh-8.8p1/sshd_config.5
|
||||
.It Cm HostbasedAcceptedAlgorithms
|
||||
Specifies the signature algorithms that will be accepted for hostbased
|
||||
authentication as a list of comma-separated patterns.
|
||||
Index: openssh-8.8p1/sshkey.c
|
||||
Index: openssh-8.9p1/sshkey.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshkey.c
|
||||
+++ openssh-8.8p1/sshkey.c
|
||||
@@ -156,6 +156,7 @@ static const struct keytype keytypes[] =
|
||||
KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1, 1, 0 },
|
||||
--- openssh-8.9p1.orig/sshkey.c
|
||||
+++ openssh-8.9p1/sshkey.c
|
||||
@@ -162,6 +162,7 @@ static const struct keytype keytypes[] =
|
||||
# endif /* ENABLE_SK */
|
||||
# endif /* OPENSSL_HAS_ECC */
|
||||
#endif /* WITH_OPENSSL */
|
||||
+ { "null", "null", NULL, KEY_NULL, 0, 0, 0 },
|
||||
{ NULL, NULL, NULL, -1, -1, 0, 0 }
|
||||
};
|
||||
|
||||
@@ -257,7 +258,7 @@ sshkey_alg_list(int certs_only, int plai
|
||||
@@ -286,7 +287,7 @@ sshkey_alg_list(int certs_only, int plai
|
||||
const struct keytype *kt;
|
||||
|
||||
for (kt = keytypes; kt->type != -1; kt++) {
|
||||
@ -3901,10 +3901,10 @@ Index: openssh-8.8p1/sshkey.c
|
||||
continue;
|
||||
if (!include_sigonly && kt->sigonly)
|
||||
continue;
|
||||
Index: openssh-8.8p1/sshkey.h
|
||||
Index: openssh-8.9p1/sshkey.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshkey.h
|
||||
+++ openssh-8.8p1/sshkey.h
|
||||
--- openssh-8.9p1.orig/sshkey.h
|
||||
+++ openssh-8.9p1/sshkey.h
|
||||
@@ -71,6 +71,7 @@ enum sshkey_types {
|
||||
KEY_ECDSA_SK_CERT,
|
||||
KEY_ED25519_SK,
|
||||
|
@ -1,8 +1,8 @@
|
||||
Index: openssh-8.8p1/Makefile.in
|
||||
Index: openssh-8.9p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/Makefile.in
|
||||
+++ openssh-8.8p1/Makefile.in
|
||||
@@ -114,7 +114,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
--- openssh-8.9p1.orig/Makefile.in
|
||||
+++ openssh-8.9p1/Makefile.in
|
||||
@@ -116,7 +116,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
kexsntrup761x25519.o sntrup761.o kexgen.o \
|
||||
kexgssc.o \
|
||||
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
||||
@ -11,10 +11,10 @@ Index: openssh-8.8p1/Makefile.in
|
||||
|
||||
SKOBJS= ssh-sk-client.o
|
||||
|
||||
Index: openssh-8.8p1/audit-bsm.c
|
||||
Index: openssh-8.9p1/audit-bsm.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/audit-bsm.c
|
||||
+++ openssh-8.8p1/audit-bsm.c
|
||||
--- openssh-8.9p1.orig/audit-bsm.c
|
||||
+++ openssh-8.9p1/audit-bsm.c
|
||||
@@ -373,13 +373,26 @@ audit_connection_from(const char *host,
|
||||
#endif
|
||||
}
|
||||
@ -85,10 +85,10 @@ Index: openssh-8.8p1/audit-bsm.c
|
||||
+ /* not implemented */
|
||||
+}
|
||||
#endif /* BSM */
|
||||
Index: openssh-8.8p1/audit-linux.c
|
||||
Index: openssh-8.9p1/audit-linux.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/audit-linux.c
|
||||
+++ openssh-8.8p1/audit-linux.c
|
||||
--- openssh-8.9p1.orig/audit-linux.c
|
||||
+++ openssh-8.9p1/audit-linux.c
|
||||
@@ -33,27 +33,40 @@
|
||||
|
||||
#include "log.h"
|
||||
@ -459,10 +459,10 @@ Index: openssh-8.8p1/audit-linux.c
|
||||
+ error("cannot write into audit");
|
||||
+}
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
Index: openssh-8.8p1/audit.c
|
||||
Index: openssh-8.9p1/audit.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/audit.c
|
||||
+++ openssh-8.8p1/audit.c
|
||||
--- openssh-8.9p1.orig/audit.c
|
||||
+++ openssh-8.9p1/audit.c
|
||||
@@ -34,6 +34,12 @@
|
||||
#include "log.h"
|
||||
#include "hostfile.h"
|
||||
@ -640,10 +640,10 @@ Index: openssh-8.8p1/audit.c
|
||||
}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
Index: openssh-8.8p1/audit.h
|
||||
Index: openssh-8.9p1/audit.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/audit.h
|
||||
+++ openssh-8.8p1/audit.h
|
||||
--- openssh-8.9p1.orig/audit.h
|
||||
+++ openssh-8.9p1/audit.h
|
||||
@@ -26,6 +26,7 @@
|
||||
# define _SSH_AUDIT_H
|
||||
|
||||
@ -686,10 +686,10 @@ Index: openssh-8.8p1/audit.h
|
||||
+void audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, uid_t);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
Index: openssh-8.8p1/auditstub.c
|
||||
Index: openssh-8.9p1/auditstub.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-8.8p1/auditstub.c
|
||||
+++ openssh-8.9p1/auditstub.c
|
||||
@@ -0,0 +1,52 @@
|
||||
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
|
||||
+
|
||||
@ -743,10 +743,10 @@ Index: openssh-8.8p1/auditstub.c
|
||||
+audit_session_key_free_body(struct ssh *ssh, int ctos, pid_t pid, uid_t uid)
|
||||
+{
|
||||
+}
|
||||
Index: openssh-8.8p1/auth.c
|
||||
Index: openssh-8.9p1/auth.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/auth.c
|
||||
+++ openssh-8.8p1/auth.c
|
||||
--- openssh-8.9p1.orig/auth.c
|
||||
+++ openssh-8.9p1/auth.c
|
||||
@@ -599,9 +599,6 @@ getpwnamallow(struct ssh *ssh, const cha
|
||||
record_failed_login(ssh, user,
|
||||
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
|
||||
@ -757,11 +757,11 @@ Index: openssh-8.8p1/auth.c
|
||||
return (NULL);
|
||||
}
|
||||
if (!allowed_user(ssh, pw))
|
||||
Index: openssh-8.8p1/auth.h
|
||||
Index: openssh-8.9p1/auth.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/auth.h
|
||||
+++ openssh-8.8p1/auth.h
|
||||
@@ -189,6 +189,8 @@ struct passwd * getpwnamallow(struct ssh
|
||||
--- openssh-8.9p1.orig/auth.h
|
||||
+++ openssh-8.9p1/auth.h
|
||||
@@ -190,6 +190,8 @@ struct passwd * getpwnamallow(struct ssh
|
||||
|
||||
char *expand_authorized_keys(const char *, struct passwd *pw);
|
||||
char *authorized_principals_file(struct passwd *);
|
||||
@ -770,7 +770,7 @@ Index: openssh-8.8p1/auth.h
|
||||
|
||||
FILE *auth_openkeyfile(const char *, struct passwd *, int);
|
||||
FILE *auth_openprincipals(const char *, struct passwd *, int);
|
||||
@@ -208,6 +210,8 @@ struct sshkey *get_hostkey_private_by_ty
|
||||
@@ -209,6 +211,8 @@ struct sshkey *get_hostkey_private_by_ty
|
||||
int get_hostkey_index(struct sshkey *, int, struct ssh *);
|
||||
int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
|
||||
u_char **, size_t *, const u_char *, size_t, const char *);
|
||||
@ -779,11 +779,11 @@ Index: openssh-8.8p1/auth.h
|
||||
|
||||
/* Key / cert options linkage to auth layer */
|
||||
const struct sshauthopt *auth_options(struct ssh *);
|
||||
Index: openssh-8.8p1/auth2-hostbased.c
|
||||
Index: openssh-8.9p1/auth2-hostbased.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/auth2-hostbased.c
|
||||
+++ openssh-8.8p1/auth2-hostbased.c
|
||||
@@ -149,7 +149,7 @@ userauth_hostbased(struct ssh *ssh)
|
||||
--- openssh-8.9p1.orig/auth2-hostbased.c
|
||||
+++ openssh-8.9p1/auth2-hostbased.c
|
||||
@@ -149,7 +149,7 @@ userauth_hostbased(struct ssh *ssh, cons
|
||||
authenticated = 0;
|
||||
if (PRIVSEP(hostbased_key_allowed(ssh, authctxt->pw, cuser,
|
||||
chost, key)) &&
|
||||
@ -812,11 +812,11 @@ Index: openssh-8.8p1/auth2-hostbased.c
|
||||
/* return 1 if given hostkey is allowed */
|
||||
int
|
||||
hostbased_key_allowed(struct ssh *ssh, struct passwd *pw,
|
||||
Index: openssh-8.8p1/auth2-pubkey.c
|
||||
Index: openssh-8.9p1/auth2-pubkey.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/auth2-pubkey.c
|
||||
+++ openssh-8.8p1/auth2-pubkey.c
|
||||
@@ -203,7 +203,7 @@ userauth_pubkey(struct ssh *ssh)
|
||||
--- openssh-8.9p1.orig/auth2-pubkey.c
|
||||
+++ openssh-8.9p1/auth2-pubkey.c
|
||||
@@ -223,7 +223,7 @@ userauth_pubkey(struct ssh *ssh, const c
|
||||
/* test for correct signature */
|
||||
authenticated = 0;
|
||||
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
|
||||
@ -825,7 +825,7 @@ Index: openssh-8.8p1/auth2-pubkey.c
|
||||
sshbuf_ptr(b), sshbuf_len(b),
|
||||
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
|
||||
ssh->compat, &sig_details)) == 0) {
|
||||
@@ -295,6 +295,19 @@ done:
|
||||
@@ -316,6 +316,19 @@ done:
|
||||
return authenticated;
|
||||
}
|
||||
|
||||
@ -845,12 +845,12 @@ Index: openssh-8.8p1/auth2-pubkey.c
|
||||
static int
|
||||
match_principals_option(const char *principal_list, struct sshkey_cert *cert)
|
||||
{
|
||||
Index: openssh-8.8p1/auth2.c
|
||||
Index: openssh-8.9p1/auth2.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/auth2.c
|
||||
+++ openssh-8.8p1/auth2.c
|
||||
@@ -290,9 +290,6 @@ input_userauth_request(int type, u_int32
|
||||
} else {
|
||||
--- openssh-8.9p1.orig/auth2.c
|
||||
+++ openssh-8.9p1/auth2.c
|
||||
@@ -294,9 +294,6 @@ input_userauth_request(int type, u_int32
|
||||
authctxt->valid = 0;
|
||||
/* Invalid user, fake password information */
|
||||
authctxt->pw = fakepw();
|
||||
-#ifdef SSH_AUDIT_EVENTS
|
||||
@ -859,10 +859,10 @@ Index: openssh-8.8p1/auth2.c
|
||||
}
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam)
|
||||
Index: openssh-8.8p1/cipher.c
|
||||
Index: openssh-8.9p1/cipher.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/cipher.c
|
||||
+++ openssh-8.8p1/cipher.c
|
||||
--- openssh-8.9p1.orig/cipher.c
|
||||
+++ openssh-8.9p1/cipher.c
|
||||
@@ -58,25 +58,6 @@
|
||||
#define EVP_CIPHER_CTX void
|
||||
#endif
|
||||
@ -898,10 +898,10 @@ Index: openssh-8.8p1/cipher.c
|
||||
return;
|
||||
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
|
||||
chachapoly_free(cc->cp_ctx);
|
||||
Index: openssh-8.8p1/cipher.h
|
||||
Index: openssh-8.9p1/cipher.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/cipher.h
|
||||
+++ openssh-8.8p1/cipher.h
|
||||
--- openssh-8.9p1.orig/cipher.h
|
||||
+++ openssh-8.9p1/cipher.h
|
||||
@@ -47,7 +47,25 @@
|
||||
#define CIPHER_ENCRYPT 1
|
||||
#define CIPHER_DECRYPT 0
|
||||
@ -929,10 +929,10 @@ Index: openssh-8.8p1/cipher.h
|
||||
struct sshcipher_ctx {
|
||||
int plaintext;
|
||||
int encrypt;
|
||||
Index: openssh-8.8p1/kex.c
|
||||
Index: openssh-8.9p1/kex.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/kex.c
|
||||
+++ openssh-8.8p1/kex.c
|
||||
--- openssh-8.9p1.orig/kex.c
|
||||
+++ openssh-8.9p1/kex.c
|
||||
@@ -62,6 +62,7 @@
|
||||
#include "ssherr.h"
|
||||
#include "sshbuf.h"
|
||||
@ -941,7 +941,7 @@ Index: openssh-8.8p1/kex.c
|
||||
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
@@ -859,12 +860,16 @@ kex_start_rekex(struct ssh *ssh)
|
||||
@@ -879,12 +880,16 @@ kex_start_rekex(struct ssh *ssh)
|
||||
}
|
||||
|
||||
static int
|
||||
@ -960,7 +960,7 @@ Index: openssh-8.8p1/kex.c
|
||||
if ((enc->cipher = cipher_by_name(name)) == NULL) {
|
||||
error_f("unsupported cipher %s", name);
|
||||
free(name);
|
||||
@@ -885,8 +890,12 @@ choose_mac(struct ssh *ssh, struct sshma
|
||||
@@ -905,8 +910,12 @@ choose_mac(struct ssh *ssh, struct sshma
|
||||
{
|
||||
char *name = match_list(client, server, NULL);
|
||||
|
||||
@ -974,7 +974,7 @@ Index: openssh-8.8p1/kex.c
|
||||
if (mac_setup(mac, name) < 0) {
|
||||
error_f("unsupported MAC %s", name);
|
||||
free(name);
|
||||
@@ -899,12 +908,16 @@ choose_mac(struct ssh *ssh, struct sshma
|
||||
@@ -919,12 +928,16 @@ choose_mac(struct ssh *ssh, struct sshma
|
||||
}
|
||||
|
||||
static int
|
||||
@ -993,7 +993,7 @@ Index: openssh-8.8p1/kex.c
|
||||
#ifdef WITH_ZLIB
|
||||
if (strcmp(name, "zlib@openssh.com") == 0) {
|
||||
comp->type = COMP_DELAYED;
|
||||
@@ -1045,7 +1058,7 @@ kex_choose_conf(struct ssh *ssh)
|
||||
@@ -1087,7 +1100,7 @@ kex_choose_conf(struct ssh *ssh)
|
||||
nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
|
||||
nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
|
||||
ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
|
||||
@ -1002,7 +1002,7 @@ Index: openssh-8.8p1/kex.c
|
||||
sprop[nenc])) != 0) {
|
||||
kex->failed_choice = peer[nenc];
|
||||
peer[nenc] = NULL;
|
||||
@@ -1060,7 +1073,7 @@ kex_choose_conf(struct ssh *ssh)
|
||||
@@ -1102,7 +1115,7 @@ kex_choose_conf(struct ssh *ssh)
|
||||
peer[nmac] = NULL;
|
||||
goto out;
|
||||
}
|
||||
@ -1011,7 +1011,7 @@ Index: openssh-8.8p1/kex.c
|
||||
sprop[ncomp])) != 0) {
|
||||
kex->failed_choice = peer[ncomp];
|
||||
peer[ncomp] = NULL;
|
||||
@@ -1083,6 +1096,10 @@ kex_choose_conf(struct ssh *ssh)
|
||||
@@ -1125,6 +1138,10 @@ kex_choose_conf(struct ssh *ssh)
|
||||
dh_need = MAXIMUM(dh_need, newkeys->enc.block_size);
|
||||
dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len);
|
||||
dh_need = MAXIMUM(dh_need, newkeys->mac.key_len);
|
||||
@ -1022,7 +1022,7 @@ Index: openssh-8.8p1/kex.c
|
||||
}
|
||||
/* XXX need runden? */
|
||||
kex->we_need = need;
|
||||
@@ -1250,6 +1267,36 @@ dump_digest(const char *msg, const u_cha
|
||||
@@ -1292,6 +1309,36 @@ dump_digest(const char *msg, const u_cha
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -1059,11 +1059,11 @@ Index: openssh-8.8p1/kex.c
|
||||
/*
|
||||
* Send a plaintext error message to the peer, suffixed by \r\n.
|
||||
* Only used during banner exchange, and there only for the server.
|
||||
Index: openssh-8.8p1/kex.h
|
||||
Index: openssh-8.9p1/kex.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/kex.h
|
||||
+++ openssh-8.8p1/kex.h
|
||||
@@ -226,6 +226,8 @@ int kexgss_client(struct ssh *);
|
||||
--- openssh-8.9p1.orig/kex.h
|
||||
+++ openssh-8.9p1/kex.h
|
||||
@@ -233,6 +233,8 @@ int kexgss_client(struct ssh *);
|
||||
int kexgss_server(struct ssh *);
|
||||
#endif
|
||||
|
||||
@ -1072,10 +1072,10 @@ Index: openssh-8.8p1/kex.h
|
||||
int kex_dh_keypair(struct kex *);
|
||||
int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
|
||||
struct sshbuf **);
|
||||
Index: openssh-8.8p1/mac.c
|
||||
Index: openssh-8.9p1/mac.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/mac.c
|
||||
+++ openssh-8.8p1/mac.c
|
||||
--- openssh-8.9p1.orig/mac.c
|
||||
+++ openssh-8.9p1/mac.c
|
||||
@@ -277,6 +277,20 @@ mac_clear(struct sshmac *mac)
|
||||
mac->umac_ctx = NULL;
|
||||
}
|
||||
@ -1097,10 +1097,10 @@ Index: openssh-8.8p1/mac.c
|
||||
/* XXX copied from ciphers_valid */
|
||||
#define MAC_SEP ","
|
||||
int
|
||||
Index: openssh-8.8p1/mac.h
|
||||
Index: openssh-8.9p1/mac.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/mac.h
|
||||
+++ openssh-8.8p1/mac.h
|
||||
--- openssh-8.9p1.orig/mac.h
|
||||
+++ openssh-8.9p1/mac.h
|
||||
@@ -49,5 +49,6 @@ int mac_compute(struct sshmac *, u_int3
|
||||
int mac_check(struct sshmac *, u_int32_t, const u_char *, size_t,
|
||||
const u_char *, size_t);
|
||||
@ -1108,10 +1108,10 @@ Index: openssh-8.8p1/mac.h
|
||||
+void mac_destroy(struct sshmac *);
|
||||
|
||||
#endif /* SSHMAC_H */
|
||||
Index: openssh-8.8p1/monitor.c
|
||||
Index: openssh-8.9p1/monitor.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/monitor.c
|
||||
+++ openssh-8.8p1/monitor.c
|
||||
--- openssh-8.9p1.orig/monitor.c
|
||||
+++ openssh-8.9p1/monitor.c
|
||||
@@ -93,6 +93,7 @@
|
||||
#include "compat.h"
|
||||
#include "ssh2.h"
|
||||
@ -1164,7 +1164,7 @@ Index: openssh-8.8p1/monitor.c
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -1403,8 +1420,10 @@ mm_answer_keyverify(struct ssh *ssh, int
|
||||
@@ -1419,8 +1436,10 @@ mm_answer_keyverify(struct ssh *ssh, int
|
||||
int r, ret, req_presence = 0, req_verify = 0, valid_data = 0;
|
||||
int encoded_ret;
|
||||
struct sshkey_sig_details *sig_details = NULL;
|
||||
@ -1176,7 +1176,7 @@ Index: openssh-8.8p1/monitor.c
|
||||
(r = sshbuf_get_string_direct(m, &signature, &signaturelen)) != 0 ||
|
||||
(r = sshbuf_get_string_direct(m, &data, &datalen)) != 0 ||
|
||||
(r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0)
|
||||
@@ -1413,6 +1432,8 @@ mm_answer_keyverify(struct ssh *ssh, int
|
||||
@@ -1429,6 +1448,8 @@ mm_answer_keyverify(struct ssh *ssh, int
|
||||
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
|
||||
!monitor_allowed_key(blob, bloblen))
|
||||
fatal_f("bad key, not previously allowed");
|
||||
@ -1185,7 +1185,7 @@ Index: openssh-8.8p1/monitor.c
|
||||
|
||||
/* Empty signature algorithm means NULL. */
|
||||
if (*sigalg == '\0') {
|
||||
@@ -1428,14 +1449,19 @@ mm_answer_keyverify(struct ssh *ssh, int
|
||||
@@ -1444,14 +1465,19 @@ mm_answer_keyverify(struct ssh *ssh, int
|
||||
case MM_USERKEY:
|
||||
valid_data = monitor_valid_userblob(ssh, data, datalen);
|
||||
auth_method = "publickey";
|
||||
@ -1205,16 +1205,16 @@ Index: openssh-8.8p1/monitor.c
|
||||
break;
|
||||
}
|
||||
if (!valid_data)
|
||||
@@ -1447,8 +1473,6 @@ mm_answer_keyverify(struct ssh *ssh, int
|
||||
@@ -1463,8 +1489,6 @@ mm_answer_keyverify(struct ssh *ssh, int
|
||||
SSH_FP_DEFAULT)) == NULL)
|
||||
fatal_f("sshkey_fingerprint failed");
|
||||
|
||||
- ret = sshkey_verify(key, signature, signaturelen, data, datalen,
|
||||
- sigalg, ssh->compat, &sig_details);
|
||||
debug3_f("%s %s signature %s%s%s", auth_method, sshkey_type(key),
|
||||
debug3_f("%s %s signature using %s %s%s%s", auth_method,
|
||||
sshkey_type(key), sigalg == NULL ? "default" : sigalg,
|
||||
(ret == 0) ? "verified" : "unverified",
|
||||
(ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
|
||||
@@ -1535,13 +1559,19 @@ mm_record_login(struct ssh *ssh, Session
|
||||
@@ -1552,13 +1576,19 @@ mm_record_login(struct ssh *ssh, Session
|
||||
}
|
||||
|
||||
static void
|
||||
@ -1235,7 +1235,7 @@ Index: openssh-8.8p1/monitor.c
|
||||
session_unused(s->self);
|
||||
}
|
||||
|
||||
@@ -1608,7 +1638,7 @@ mm_answer_pty(struct ssh *ssh, int sock,
|
||||
@@ -1625,7 +1655,7 @@ mm_answer_pty(struct ssh *ssh, int sock,
|
||||
|
||||
error:
|
||||
if (s != NULL)
|
||||
@ -1244,7 +1244,7 @@ Index: openssh-8.8p1/monitor.c
|
||||
if ((r = sshbuf_put_u32(m, 0)) != 0)
|
||||
fatal_fr(r, "assemble 0");
|
||||
mm_request_send(sock, MONITOR_ANS_PTY, m);
|
||||
@@ -1627,7 +1657,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, i
|
||||
@@ -1644,7 +1674,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, i
|
||||
if ((r = sshbuf_get_cstring(m, &tty, NULL)) != 0)
|
||||
fatal_fr(r, "parse tty");
|
||||
if ((s = session_by_tty(tty)) != NULL)
|
||||
@ -1253,7 +1253,7 @@ Index: openssh-8.8p1/monitor.c
|
||||
sshbuf_reset(m);
|
||||
free(tty);
|
||||
return (0);
|
||||
@@ -1649,6 +1679,8 @@ mm_answer_term(struct ssh *ssh, int sock
|
||||
@@ -1666,6 +1696,8 @@ mm_answer_term(struct ssh *ssh, int sock
|
||||
sshpam_cleanup();
|
||||
#endif
|
||||
|
||||
@ -1262,7 +1262,7 @@ Index: openssh-8.8p1/monitor.c
|
||||
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
|
||||
if (errno != EINTR)
|
||||
exit(1);
|
||||
@@ -1695,12 +1727,47 @@ mm_answer_audit_command(struct ssh *ssh,
|
||||
@@ -1712,12 +1744,47 @@ mm_answer_audit_command(struct ssh *ssh,
|
||||
{
|
||||
char *cmd;
|
||||
int r;
|
||||
@ -1311,7 +1311,7 @@ Index: openssh-8.8p1/monitor.c
|
||||
free(cmd);
|
||||
return (0);
|
||||
}
|
||||
@@ -1772,6 +1839,7 @@ monitor_apply_keystate(struct ssh *ssh,
|
||||
@@ -1789,6 +1856,7 @@ monitor_apply_keystate(struct ssh *ssh,
|
||||
void
|
||||
mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
||||
{
|
||||
@ -1319,7 +1319,7 @@ Index: openssh-8.8p1/monitor.c
|
||||
debug3_f("Waiting for new keys");
|
||||
|
||||
if ((child_state = sshbuf_new()) == NULL)
|
||||
@@ -1779,6 +1847,18 @@ mm_get_keystate(struct ssh *ssh, struct
|
||||
@@ -1796,6 +1864,18 @@ mm_get_keystate(struct ssh *ssh, struct
|
||||
mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
|
||||
child_state);
|
||||
debug3_f("GOT new keys");
|
||||
@ -1338,7 +1338,7 @@ Index: openssh-8.8p1/monitor.c
|
||||
}
|
||||
|
||||
|
||||
@@ -2056,3 +2136,102 @@ mm_answer_gss_updatecreds(struct ssh *ss
|
||||
@@ -2073,3 +2153,102 @@ mm_answer_gss_updatecreds(struct ssh *ss
|
||||
|
||||
#endif /* GSSAPI */
|
||||
|
||||
@ -1441,10 +1441,10 @@ Index: openssh-8.8p1/monitor.c
|
||||
+ return 0;
|
||||
+}
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
Index: openssh-8.8p1/monitor.h
|
||||
Index: openssh-8.9p1/monitor.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/monitor.h
|
||||
+++ openssh-8.8p1/monitor.h
|
||||
--- openssh-8.9p1.orig/monitor.h
|
||||
+++ openssh-8.9p1/monitor.h
|
||||
@@ -61,7 +61,13 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
|
||||
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
|
||||
@ -1460,10 +1460,10 @@ Index: openssh-8.8p1/monitor.h
|
||||
|
||||
MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
|
||||
MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
|
||||
Index: openssh-8.8p1/monitor_wrap.c
|
||||
Index: openssh-8.9p1/monitor_wrap.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/monitor_wrap.c
|
||||
+++ openssh-8.8p1/monitor_wrap.c
|
||||
--- openssh-8.9p1.orig/monitor_wrap.c
|
||||
+++ openssh-8.9p1/monitor_wrap.c
|
||||
@@ -499,7 +499,7 @@ mm_key_allowed(enum mm_keytype type, con
|
||||
*/
|
||||
|
||||
@ -1634,10 +1634,10 @@ Index: openssh-8.8p1/monitor_wrap.c
|
||||
+ sshbuf_free(m);
|
||||
+}
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
Index: openssh-8.8p1/monitor_wrap.h
|
||||
Index: openssh-8.9p1/monitor_wrap.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/monitor_wrap.h
|
||||
+++ openssh-8.8p1/monitor_wrap.h
|
||||
--- openssh-8.9p1.orig/monitor_wrap.h
|
||||
+++ openssh-8.9p1/monitor_wrap.h
|
||||
@@ -58,7 +58,9 @@ int mm_user_key_allowed(struct ssh *, st
|
||||
struct sshauthopt **);
|
||||
int mm_hostbased_key_allowed(struct ssh *, struct passwd *, const char *,
|
||||
@ -1663,10 +1663,10 @@ Index: openssh-8.8p1/monitor_wrap.h
|
||||
#endif
|
||||
|
||||
struct Session;
|
||||
Index: openssh-8.8p1/packet.c
|
||||
Index: openssh-8.9p1/packet.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/packet.c
|
||||
+++ openssh-8.8p1/packet.c
|
||||
--- openssh-8.9p1.orig/packet.c
|
||||
+++ openssh-8.9p1/packet.c
|
||||
@@ -81,6 +81,7 @@
|
||||
#endif
|
||||
|
||||
@ -1744,7 +1744,7 @@ Index: openssh-8.8p1/packet.c
|
||||
state->newkeys[mode] = NULL;
|
||||
}
|
||||
/* note that both bytes and the seqnr are not reset */
|
||||
@@ -2178,6 +2194,73 @@ ssh_packet_get_output(struct ssh *ssh)
|
||||
@@ -2183,6 +2199,73 @@ ssh_packet_get_output(struct ssh *ssh)
|
||||
return (void *)ssh->state->output;
|
||||
}
|
||||
|
||||
@ -1818,21 +1818,21 @@ Index: openssh-8.8p1/packet.c
|
||||
/* Reset after_authentication and reset compression in post-auth privsep */
|
||||
static int
|
||||
ssh_packet_set_postauth(struct ssh *ssh)
|
||||
Index: openssh-8.8p1/packet.h
|
||||
Index: openssh-8.9p1/packet.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/packet.h
|
||||
+++ openssh-8.8p1/packet.h
|
||||
@@ -219,4 +219,5 @@ const u_char *sshpkt_ptr(struct ssh *, s
|
||||
--- openssh-8.9p1.orig/packet.h
|
||||
+++ openssh-8.9p1/packet.h
|
||||
@@ -220,4 +220,5 @@ const u_char *sshpkt_ptr(struct ssh *, s
|
||||
# undef EC_POINT
|
||||
#endif
|
||||
|
||||
+void packet_destroy_all(struct ssh *, int, int);
|
||||
#endif /* PACKET_H */
|
||||
Index: openssh-8.8p1/session.c
|
||||
Index: openssh-8.9p1/session.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/session.c
|
||||
+++ openssh-8.8p1/session.c
|
||||
@@ -136,7 +136,7 @@ extern char *__progname;
|
||||
--- openssh-8.9p1.orig/session.c
|
||||
+++ openssh-8.9p1/session.c
|
||||
@@ -135,7 +135,7 @@ extern char *__progname;
|
||||
extern int debug_flag;
|
||||
extern u_int utmp_len;
|
||||
extern int startup_pipe;
|
||||
@ -1841,7 +1841,7 @@ Index: openssh-8.8p1/session.c
|
||||
extern struct sshbuf *loginmsg;
|
||||
extern struct sshauthopt *auth_opts;
|
||||
extern char *tun_fwd_ifnames; /* serverloop.c */
|
||||
@@ -643,6 +643,14 @@ do_exec_pty(struct ssh *ssh, Session *s,
|
||||
@@ -642,6 +642,14 @@ do_exec_pty(struct ssh *ssh, Session *s,
|
||||
/* Parent. Close the slave side of the pseudo tty. */
|
||||
close(ttyfd);
|
||||
|
||||
@ -1856,7 +1856,7 @@ Index: openssh-8.8p1/session.c
|
||||
/* Enter interactive session. */
|
||||
s->ptymaster = ptymaster;
|
||||
ssh_packet_set_interactive(ssh, 1,
|
||||
@@ -707,15 +715,19 @@ do_exec(struct ssh *ssh, Session *s, con
|
||||
@@ -706,15 +714,19 @@ do_exec(struct ssh *ssh, Session *s, con
|
||||
s->self);
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
@ -1878,7 +1878,7 @@ Index: openssh-8.8p1/session.c
|
||||
#endif
|
||||
if (s->ttyfd != -1)
|
||||
ret = do_exec_pty(ssh, s, command);
|
||||
@@ -1534,8 +1546,11 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
@@ -1533,8 +1545,11 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
|
||||
|
||||
/* remove hostkey from the child's memory */
|
||||
@ -1891,7 +1891,7 @@ Index: openssh-8.8p1/session.c
|
||||
|
||||
/* Force a password change */
|
||||
if (s->authctxt->force_pwchange) {
|
||||
@@ -1744,6 +1759,9 @@ session_unused(int id)
|
||||
@@ -1743,6 +1758,9 @@ session_unused(int id)
|
||||
sessions[id].ttyfd = -1;
|
||||
sessions[id].ptymaster = -1;
|
||||
sessions[id].x11_chanids = NULL;
|
||||
@ -1901,7 +1901,7 @@ Index: openssh-8.8p1/session.c
|
||||
sessions[id].next_unused = sessions_first_unused;
|
||||
sessions_first_unused = id;
|
||||
}
|
||||
@@ -1823,6 +1841,19 @@ session_open(Authctxt *authctxt, int cha
|
||||
@@ -1822,6 +1840,19 @@ session_open(Authctxt *authctxt, int cha
|
||||
}
|
||||
|
||||
Session *
|
||||
@ -1921,7 +1921,7 @@ Index: openssh-8.8p1/session.c
|
||||
session_by_tty(char *tty)
|
||||
{
|
||||
int i;
|
||||
@@ -2430,6 +2461,32 @@ session_exit_message(struct ssh *ssh, Se
|
||||
@@ -2429,6 +2460,32 @@ session_exit_message(struct ssh *ssh, Se
|
||||
chan_write_failed(ssh, c);
|
||||
}
|
||||
|
||||
@ -1954,7 +1954,7 @@ Index: openssh-8.8p1/session.c
|
||||
void
|
||||
session_close(struct ssh *ssh, Session *s)
|
||||
{
|
||||
@@ -2471,6 +2528,10 @@ session_close(struct ssh *ssh, Session *
|
||||
@@ -2470,6 +2527,10 @@ session_close(struct ssh *ssh, Session *
|
||||
|
||||
if (s->ttyfd != -1)
|
||||
session_pty_cleanup(s);
|
||||
@ -1965,7 +1965,7 @@ Index: openssh-8.8p1/session.c
|
||||
free(s->term);
|
||||
free(s->display);
|
||||
free(s->x11_chanids);
|
||||
@@ -2545,14 +2606,14 @@ session_close_by_channel(struct ssh *ssh
|
||||
@@ -2544,14 +2605,14 @@ session_close_by_channel(struct ssh *ssh
|
||||
}
|
||||
|
||||
void
|
||||
@ -1982,7 +1982,7 @@ Index: openssh-8.8p1/session.c
|
||||
else
|
||||
session_close(ssh, s);
|
||||
}
|
||||
@@ -2678,6 +2739,15 @@ do_authenticated2(struct ssh *ssh, Authc
|
||||
@@ -2677,6 +2738,15 @@ do_authenticated2(struct ssh *ssh, Authc
|
||||
server_loop2(ssh, authctxt);
|
||||
}
|
||||
|
||||
@ -1998,7 +1998,7 @@ Index: openssh-8.8p1/session.c
|
||||
void
|
||||
do_cleanup(struct ssh *ssh, Authctxt *authctxt)
|
||||
{
|
||||
@@ -2741,7 +2811,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
|
||||
@@ -2740,7 +2810,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
|
||||
* or if running in monitor.
|
||||
*/
|
||||
if (!use_privsep || mm_is_monitor())
|
||||
@ -2007,10 +2007,10 @@ Index: openssh-8.8p1/session.c
|
||||
}
|
||||
|
||||
/* Return a name for the remote host that fits inside utmp_size */
|
||||
Index: openssh-8.8p1/session.h
|
||||
Index: openssh-8.9p1/session.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/session.h
|
||||
+++ openssh-8.8p1/session.h
|
||||
--- openssh-8.9p1.orig/session.h
|
||||
+++ openssh-8.9p1/session.h
|
||||
@@ -61,6 +61,12 @@ struct Session {
|
||||
char *name;
|
||||
char *val;
|
||||
@ -2038,11 +2038,11 @@ Index: openssh-8.8p1/session.h
|
||||
Session *session_by_tty(char *);
|
||||
void session_close(struct ssh *, Session *);
|
||||
void do_setusercontext(struct passwd *);
|
||||
Index: openssh-8.8p1/sshd.c
|
||||
Index: openssh-8.9p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd.c
|
||||
+++ openssh-8.8p1/sshd.c
|
||||
@@ -122,6 +122,7 @@
|
||||
--- openssh-8.9p1.orig/sshd.c
|
||||
+++ openssh-8.9p1/sshd.c
|
||||
@@ -125,6 +125,7 @@
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
@ -2050,7 +2050,7 @@ Index: openssh-8.8p1/sshd.c
|
||||
#include "ssh-sandbox.h"
|
||||
#include "auth-options.h"
|
||||
#include "version.h"
|
||||
@@ -262,8 +263,8 @@ struct sshbuf *loginmsg;
|
||||
@@ -265,8 +266,8 @@ struct sshbuf *loginmsg;
|
||||
struct passwd *privsep_pw = NULL;
|
||||
|
||||
/* Prototypes for various functions defined later in this file. */
|
||||
@ -2061,8 +2061,8 @@ Index: openssh-8.8p1/sshd.c
|
||||
static void do_ssh2_kex(struct ssh *);
|
||||
|
||||
static char *listener_proctitle;
|
||||
@@ -281,6 +282,15 @@ close_listen_socks(void)
|
||||
num_listen_socks = -1;
|
||||
@@ -284,6 +285,15 @@ close_listen_socks(void)
|
||||
num_listen_socks = 0;
|
||||
}
|
||||
|
||||
+/*
|
||||
@ -2077,8 +2077,8 @@ Index: openssh-8.8p1/sshd.c
|
||||
static void
|
||||
close_startup_pipes(void)
|
||||
{
|
||||
@@ -386,18 +396,45 @@ grace_alarm_handler(int sig)
|
||||
}
|
||||
@@ -382,18 +392,45 @@ grace_alarm_handler(int sig)
|
||||
ssh_remote_port(the_active_state));
|
||||
}
|
||||
|
||||
-/* Destroy the host and server keys. They will no longer be needed. */
|
||||
@ -2126,7 +2126,7 @@ Index: openssh-8.8p1/sshd.c
|
||||
sshkey_free(sensitive_data.host_certificates[i]);
|
||||
sensitive_data.host_certificates[i] = NULL;
|
||||
}
|
||||
@@ -406,20 +443,38 @@ destroy_sensitive_data(void)
|
||||
@@ -402,20 +439,38 @@ destroy_sensitive_data(void)
|
||||
|
||||
/* Demote private to public keys for network child */
|
||||
void
|
||||
@ -2166,7 +2166,7 @@ Index: openssh-8.8p1/sshd.c
|
||||
}
|
||||
/* Certs do not need demotion */
|
||||
}
|
||||
@@ -447,7 +502,7 @@ reseed_prngs(void)
|
||||
@@ -443,7 +498,7 @@ reseed_prngs(void)
|
||||
}
|
||||
|
||||
static void
|
||||
@ -2175,7 +2175,7 @@ Index: openssh-8.8p1/sshd.c
|
||||
{
|
||||
gid_t gidset[1];
|
||||
|
||||
@@ -462,7 +517,7 @@ privsep_preauth_child(void)
|
||||
@@ -458,7 +513,7 @@ privsep_preauth_child(void)
|
||||
reseed_prngs();
|
||||
|
||||
/* Demote the private keys to public keys. */
|
||||
@ -2184,7 +2184,7 @@ Index: openssh-8.8p1/sshd.c
|
||||
|
||||
/* Demote the child */
|
||||
if (privsep_chroot) {
|
||||
@@ -497,7 +552,7 @@ privsep_preauth(struct ssh *ssh)
|
||||
@@ -493,7 +548,7 @@ privsep_preauth(struct ssh *ssh)
|
||||
|
||||
if (use_privsep == PRIVSEP_ON)
|
||||
box = ssh_sandbox_init(pmonitor);
|
||||
@ -2193,7 +2193,7 @@ Index: openssh-8.8p1/sshd.c
|
||||
if (pid == -1) {
|
||||
fatal("fork of unprivileged child failed");
|
||||
} else if (pid != 0) {
|
||||
@@ -542,7 +597,7 @@ privsep_preauth(struct ssh *ssh)
|
||||
@@ -538,7 +593,7 @@ privsep_preauth(struct ssh *ssh)
|
||||
/* Arrange for logging to be sent to the monitor */
|
||||
set_log_handler(mm_log_handler, pmonitor);
|
||||
|
||||
@ -2202,7 +2202,7 @@ Index: openssh-8.8p1/sshd.c
|
||||
setproctitle("%s", "[net]");
|
||||
if (box != NULL)
|
||||
ssh_sandbox_child(box);
|
||||
@@ -586,7 +641,7 @@ privsep_postauth(struct ssh *ssh, Authct
|
||||
@@ -582,7 +637,7 @@ privsep_postauth(struct ssh *ssh, Authct
|
||||
pmonitor->m_sendfd = -1;
|
||||
|
||||
/* Demote the private keys to public keys. */
|
||||
@ -2211,16 +2211,16 @@ Index: openssh-8.8p1/sshd.c
|
||||
|
||||
reseed_prngs();
|
||||
|
||||
@@ -1140,7 +1195,7 @@ server_listen(void)
|
||||
@@ -1136,7 +1191,7 @@ server_listen(void)
|
||||
* from this function are in a forked subprocess.
|
||||
*/
|
||||
static void
|
||||
-server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
|
||||
+server_accept_loop(struct ssh *ssh, int *sock_in, int *sock_out, int *newsock, int *config_s)
|
||||
{
|
||||
fd_set *fdset;
|
||||
int i, j, ret, maxfd;
|
||||
@@ -1186,6 +1241,7 @@ server_accept_loop(int *sock_in, int *so
|
||||
struct pollfd *pfd = NULL;
|
||||
int i, j, ret;
|
||||
@@ -1179,6 +1234,7 @@ server_accept_loop(int *sock_in, int *so
|
||||
if (received_sigterm) {
|
||||
logit("Received signal %d; terminating.",
|
||||
(int) received_sigterm);
|
||||
@ -2228,7 +2228,7 @@ Index: openssh-8.8p1/sshd.c
|
||||
close_listen_socks();
|
||||
if (options.pid_file != NULL)
|
||||
unlink(options.pid_file);
|
||||
@@ -2091,7 +2147,7 @@ main(int ac, char **av)
|
||||
@@ -2088,7 +2144,7 @@ main(int ac, char **av)
|
||||
#endif
|
||||
|
||||
/* Accept a connection and return in a forked child */
|
||||
@ -2237,7 +2237,7 @@ Index: openssh-8.8p1/sshd.c
|
||||
&newsock, config_s);
|
||||
}
|
||||
|
||||
@@ -2321,6 +2377,9 @@ main(int ac, char **av)
|
||||
@@ -2311,6 +2367,9 @@ main(int ac, char **av)
|
||||
do_authenticated(ssh, authctxt);
|
||||
|
||||
/* The connection has been terminated. */
|
||||
@ -2247,7 +2247,7 @@ Index: openssh-8.8p1/sshd.c
|
||||
ssh_packet_get_bytes(ssh, &ibytes, &obytes);
|
||||
verbose("Transferred: sent %llu, received %llu bytes",
|
||||
(unsigned long long)obytes, (unsigned long long)ibytes);
|
||||
@@ -2501,6 +2560,15 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
@@ -2491,6 +2550,15 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
void
|
||||
cleanup_exit(int i)
|
||||
{
|
||||
@ -2263,7 +2263,7 @@ Index: openssh-8.8p1/sshd.c
|
||||
if (the_active_state != NULL && the_authctxt != NULL) {
|
||||
do_cleanup(the_active_state, the_authctxt);
|
||||
if (use_privsep && privsep_is_preauth &&
|
||||
@@ -2513,9 +2581,16 @@ cleanup_exit(int i)
|
||||
@@ -2503,9 +2571,16 @@ cleanup_exit(int i)
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -2281,11 +2281,11 @@ Index: openssh-8.8p1/sshd.c
|
||||
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
|
||||
#endif
|
||||
_exit(i);
|
||||
Index: openssh-8.8p1/sshkey.c
|
||||
Index: openssh-8.9p1/sshkey.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshkey.c
|
||||
+++ openssh-8.8p1/sshkey.c
|
||||
@@ -371,6 +371,38 @@ sshkey_type_is_valid_ca(int type)
|
||||
--- openssh-8.9p1.orig/sshkey.c
|
||||
+++ openssh-8.9p1/sshkey.c
|
||||
@@ -400,6 +400,38 @@ sshkey_type_is_valid_ca(int type)
|
||||
}
|
||||
|
||||
int
|
||||
@ -2324,10 +2324,10 @@ Index: openssh-8.8p1/sshkey.c
|
||||
sshkey_is_cert(const struct sshkey *k)
|
||||
{
|
||||
if (k == NULL)
|
||||
Index: openssh-8.8p1/sshkey.h
|
||||
Index: openssh-8.9p1/sshkey.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshkey.h
|
||||
+++ openssh-8.8p1/sshkey.h
|
||||
--- openssh-8.9p1.orig/sshkey.h
|
||||
+++ openssh-8.9p1/sshkey.h
|
||||
@@ -189,6 +189,7 @@ int sshkey_shield_private(struct sshke
|
||||
int sshkey_unshield_private(struct sshkey *);
|
||||
|
||||
|
@ -1,8 +1,8 @@
|
||||
Gemeinsame Unterverzeichnisse: openssh-8.4p1/contrib und openssh-8.4p1-vendor/contrib.
|
||||
Index: openssh-8.8p1/dh.c
|
||||
Index: openssh-8.9p1/dh.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/dh.c
|
||||
+++ openssh-8.8p1/dh.c
|
||||
--- openssh-8.9p1.orig/dh.c
|
||||
+++ openssh-8.9p1/dh.c
|
||||
@@ -54,7 +54,17 @@ void dh_set_moduli_file(const char *file
|
||||
|
||||
static const char * get_moduli_filename(void)
|
||||
@ -22,10 +22,10 @@ Index: openssh-8.8p1/dh.c
|
||||
}
|
||||
|
||||
static int
|
||||
Index: openssh-8.8p1/pathnames.h
|
||||
Index: openssh-8.9p1/pathnames.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/pathnames.h
|
||||
+++ openssh-8.8p1/pathnames.h
|
||||
--- openssh-8.9p1.orig/pathnames.h
|
||||
+++ openssh-8.9p1/pathnames.h
|
||||
@@ -18,6 +18,8 @@
|
||||
#define SSHDIR ETCDIR "/ssh"
|
||||
#endif
|
||||
@ -53,10 +53,10 @@ Index: openssh-8.8p1/pathnames.h
|
||||
|
||||
#ifndef _PATH_SSH_PROGRAM
|
||||
#define _PATH_SSH_PROGRAM "/usr/bin/ssh"
|
||||
Index: openssh-8.8p1/ssh.c
|
||||
Index: openssh-8.9p1/ssh.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/ssh.c
|
||||
+++ openssh-8.8p1/ssh.c
|
||||
--- openssh-8.9p1.orig/ssh.c
|
||||
+++ openssh-8.9p1/ssh.c
|
||||
@@ -549,6 +549,7 @@ static void
|
||||
process_config_files(const char *host_name, struct passwd *pw, int final_pass,
|
||||
int *want_final_pass)
|
||||
@ -93,10 +93,10 @@ Index: openssh-8.8p1/ssh.c
|
||||
}
|
||||
}
|
||||
|
||||
Index: openssh-8.8p1/ssh_config.5
|
||||
Index: openssh-8.9p1/ssh_config.5
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/ssh_config.5
|
||||
+++ openssh-8.8p1/ssh_config.5
|
||||
--- openssh-8.9p1.orig/ssh_config.5
|
||||
+++ openssh-8.9p1/ssh_config.5
|
||||
@@ -54,6 +54,9 @@ user's configuration file
|
||||
.It
|
||||
system-wide configuration file
|
||||
@ -107,7 +107,7 @@ Index: openssh-8.8p1/ssh_config.5
|
||||
.El
|
||||
.Pp
|
||||
For each parameter, the first obtained value
|
||||
@@ -2212,6 +2215,11 @@ This file provides defaults for those
|
||||
@@ -2220,6 +2223,11 @@ This file provides defaults for those
|
||||
values that are not specified in the user's configuration file, and
|
||||
for those users who do not have a configuration file.
|
||||
This file must be world-readable.
|
||||
@ -119,11 +119,11 @@ Index: openssh-8.8p1/ssh_config.5
|
||||
.El
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1
|
||||
Index: openssh-8.8p1/sshd.c
|
||||
Index: openssh-8.9p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd.c
|
||||
+++ openssh-8.8p1/sshd.c
|
||||
@@ -145,7 +145,7 @@ extern char *__progname;
|
||||
--- openssh-8.9p1.orig/sshd.c
|
||||
+++ openssh-8.9p1/sshd.c
|
||||
@@ -148,7 +148,7 @@ extern char *__progname;
|
||||
ServerOptions options;
|
||||
|
||||
/* Name of the server configuration file. */
|
||||
@ -132,7 +132,7 @@ Index: openssh-8.8p1/sshd.c
|
||||
|
||||
/*
|
||||
* Debug mode flag. This can be set on the command line. If debug
|
||||
@@ -1594,6 +1594,7 @@ prepare_proctitle(int ac, char **av)
|
||||
@@ -1591,6 +1591,7 @@ prepare_proctitle(int ac, char **av)
|
||||
int
|
||||
main(int ac, char **av)
|
||||
{
|
||||
@ -140,7 +140,7 @@ Index: openssh-8.8p1/sshd.c
|
||||
struct ssh *ssh = NULL;
|
||||
extern char *optarg;
|
||||
extern int optind;
|
||||
@@ -1809,7 +1810,21 @@ main(int ac, char **av)
|
||||
@@ -1806,7 +1807,21 @@ main(int ac, char **av)
|
||||
*/
|
||||
(void)atomicio(vwrite, startup_pipe, "\0", 1);
|
||||
}
|
||||
@ -162,10 +162,10 @@ Index: openssh-8.8p1/sshd.c
|
||||
load_server_config(config_file_name, cfg);
|
||||
|
||||
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
||||
Index: openssh-8.8p1/sshd_config.5
|
||||
Index: openssh-8.9p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd_config.5
|
||||
+++ openssh-8.8p1/sshd_config.5
|
||||
--- openssh-8.9p1.orig/sshd_config.5
|
||||
+++ openssh-8.9p1/sshd_config.5
|
||||
@@ -44,7 +44,9 @@
|
||||
.Xr sshd 8
|
||||
reads configuration data from
|
||||
@ -177,19 +177,19 @@ Index: openssh-8.8p1/sshd_config.5
|
||||
.Fl f
|
||||
on the command line).
|
||||
The file contains keyword-argument pairs, one per line.
|
||||
Index: openssh-8.8p1/ssh-keysign.c
|
||||
Index: openssh-8.9p1/ssh-keysign.c
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/ssh-keysign.c
|
||||
+++ openssh-8.8p1/ssh-keysign.c
|
||||
@@ -172,6 +172,7 @@ main(int argc, char **argv)
|
||||
--- openssh-8.9p1.orig/ssh-keysign.c
|
||||
+++ openssh-8.9p1/ssh-keysign.c
|
||||
@@ -186,6 +186,7 @@ main(int argc, char **argv)
|
||||
u_char *signature, *data, rver;
|
||||
char *host, *fp;
|
||||
char *host, *fp, *pkalg;
|
||||
size_t slen, dlen;
|
||||
+ struct stat st;
|
||||
|
||||
if (pledge("stdio rpath getpw dns id", NULL) != 0)
|
||||
fatal("%s: pledge: %s", __progname, strerror(errno));
|
||||
@@ -205,8 +206,14 @@ main(int argc, char **argv)
|
||||
@@ -219,8 +220,14 @@ main(int argc, char **argv)
|
||||
|
||||
/* verify that ssh-keysign is enabled by the admin */
|
||||
initialize_options(&options);
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:4590890ea9bb9ace4f71ae331785a3a5823232435161960ed5fc86588f331fe9
|
||||
size 1815060
|
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmFQfp8ACgkQKj9BTnNg
|
||||
YLq2SQ/8C3iOHTkyqX82FYt0SKkybebe9b2iBPr91HQOUmx+U3I+vgrSWArXabWJ
|
||||
uSu0b685RQKlcr7UjEtPk6g0cm45NoJFjju9ljvnOFfZw73V3a5qX15Lx4xRnkRx
|
||||
v1LJn6Yh12PKLWL4/A1qPQnfAObVwq/BF0BR01FfXLAOt5+lFwYvg79HpE+69b0r
|
||||
KtcIEpsyTEn2lSKSWD7q4lpe6Z/iR+XzBKfnB6JJXhKyHiDV63hlAJk9Pt3mIvS6
|
||||
tnE9/7GDawvi+Tsl018kw3wsf6aHVSQ+O+vzcDgfy0vDJVGjD6Ec9it9FvikXJh6
|
||||
3pSTBYuUJdt+CAQYvmEui73v4nrkfouHXsxqgzEDZaTwIZC4wPrvNYxUaIyirWlc
|
||||
l4/YSnxSxSiYbvPa5eYRBvXvoWbnQXjPOkuhjETxz/KTcHirQpWE9eldi0jHcKUa
|
||||
FVu9YqMPAjIUd1Jj4vC5bgH7v5cLeEMm/AetMvKsJs+rhY9NZaKpiqOqU2m6Geb+
|
||||
sQSXHNTeA8uOlrHim4SmYHtmfglVbH5lIroiUqtRzjbOhMhqUb+yN9+aAxe0bwmN
|
||||
VcFMSThlbmYokb9bkQryY2I/FfXb997vxgF6v15Z8d9e8HH2zc2Irj1HYXG4Bf3o
|
||||
WCiSvd8+Tr/FxS2Gn8qj/vgSPWXT0d0Hy4zHW9JeT/jn3RtIYhU=
|
||||
=EnoG
|
||||
-----END PGP SIGNATURE-----
|
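--- /dev/null
+++ b/openssh-8.9p1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7
+size 1820282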
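--- /dev/null
+++ b/openssh-8.9p1.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmIWG5YACgkQKj9BTnNg
+YLoL2A//TuX5vo9EplHaoqTbgL5KkwaJGaae2bXczbw1N8anfSlnPi7IAL4TkLFW
+SpIAGYcDoxqSAT62Ad9TsIvallPWmzG8mIa1M6dgQHUW95KbI5NHC53NgMkExI7O
+x9HGDanLRoXCwbDrYAZN8UlddTsZYGrfoVso7lrW87lcTkM4AYQKNbCum/C8OUq0
+esJgaaiXTIK+Rwbtpa+msDo8scfq08IG4rMM+kiNOnYpxaVyPIvspUF/ULinEQ5M
+KrgRCZKI6573yZAdzA3KE6fXlzFJuxqcpk8Zimdm6c5+TEk30pzZ65Q+KLLrW7Gm
+YK9gkkbdGWvtoRoE66RnPcBbPoFFM3h0mPhY/08iKHZKQL29bhDABx5qqUN0WDtg
+uqz21PT/yXwxXglvHRMtq9w1dzjrPs/aEWQiO2ta+tspC+vUwVjnengmvcj7pP6B
+4MQWDcw0ZULn5ns/Vzja6VO9V6hKYApCHs0o4lvBnXXtdIRNHmuROoVQsGPlBTKN
+jPSfz3XU7lebayJwGpJFVwfHYTzxGu8IuK7k6WUvCA4j98HbRpJCuNEZeE4Jsvlc
+CLhee1YTkUDtNb3GaV2F8a4pDyCxvxCBlhoTMdDDWLGibylpZKaqZyxuO+X7QTUM
+TfiyQEZ6YFqQj+f1/BjzPDeXXXMOYA5tgHumjB726rtmK1HB7ZQ=
+=5Ghp
+-----END PGP SIGNATURE-----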
@ -18,7 +18,7 @@
|
||||
|
||||
%define _name openssh
|
||||
Name: openssh-askpass-gnome
|
||||
Version: 8.8p1
|
||||
Version: 8.9p1
|
||||
Release: 0
|
||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||
License: BSD-2-Clause
|
||||
|
@ -1,8 +1,8 @@
|
||||
Index: openssh-8.8p1/myproposal.h
|
||||
Index: openssh-8.9p1/myproposal.h
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/myproposal.h
|
||||
+++ openssh-8.8p1/myproposal.h
|
||||
@@ -33,7 +33,8 @@
|
||||
--- openssh-8.9p1.orig/myproposal.h
|
||||
+++ openssh-8.9p1/myproposal.h
|
||||
@@ -34,7 +34,8 @@
|
||||
"diffie-hellman-group-exchange-sha256," \
|
||||
"diffie-hellman-group16-sha512," \
|
||||
"diffie-hellman-group18-sha512," \
|
||||
@ -12,11 +12,11 @@ Index: openssh-8.8p1/myproposal.h
|
||||
|
||||
#define KEX_CLIENT_KEX KEX_SERVER_KEX
|
||||
|
||||
Index: openssh-8.8p1/ssh_config.5
|
||||
Index: openssh-8.9p1/ssh_config.5
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/ssh_config.5
|
||||
+++ openssh-8.8p1/ssh_config.5
|
||||
@@ -1227,7 +1227,8 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec
|
||||
--- openssh-8.9p1.orig/ssh_config.5
|
||||
+++ openssh-8.9p1/ssh_config.5
|
||||
@@ -1228,7 +1228,8 @@ sntrup761x25519-sha512@openssh.com,
|
||||
diffie-hellman-group-exchange-sha256,
|
||||
diffie-hellman-group16-sha512,
|
||||
diffie-hellman-group18-sha512,
|
||||
@ -26,12 +26,12 @@ Index: openssh-8.8p1/ssh_config.5
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
Index: openssh-8.8p1/sshd_config.5
|
||||
Index: openssh-8.9p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-8.8p1.orig/sshd_config.5
|
||||
+++ openssh-8.8p1/sshd_config.5
|
||||
@@ -997,7 +997,7 @@ curve25519-sha256,curve25519-sha256@libs
|
||||
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
--- openssh-8.9p1.orig/sshd_config.5
|
||||
+++ openssh-8.9p1/sshd_config.5
|
||||
@@ -996,7 +996,7 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec
|
||||
sntrup761x25519-sha512@openssh.com,
|
||||
diffie-hellman-group-exchange-sha256,
|
||||
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
|
||||
-diffie-hellman-group14-sha256
|
||||
|
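--- a/openssh.changes
+++ b/openssh.changes
@@ -1,3 +1,173 @@
+-------------------------------------------------------------------
+Mon Mar 7 18:00:09 UTC 2022 - Hans Petter Jansson <hpj@suse.com>
+
+- Version update to 8.9p1:
+= Security
+* sshd(8): fix an integer overflow in the user authentication path
+that, in conjunction with other logic errors, could have yielded
+unauthenticated access under difficult to exploit conditions.
+
+This situation is not exploitable because of independent checks in
+the privilege separation monitor. Privilege separation has been
+enabled by default in since openssh-3.2.2 (released in 2002) and
+has been mandatory since openssh-7.5 (released in 2017). Moreover,
+portable OpenSSH has used toolchain features available in most
+modern compilers to abort on signed integer overflow since
+openssh-6.5 (released in 2014).
+
+Thanks to Malcolm Stagg for finding and reporting this bug.
+
+= Potentially-incompatible changes
+* sshd(8), portable OpenSSH only: this release removes in-built
+support for MD5-hashed passwords. If you require these on your
+system then we recommend linking against libxcrypt or similar.
+* This release modifies the FIDO security key middleware interface
+and increments SSH_SK_VERSION_MAJOR.
+
+= New features
+* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
+restricting forwarding and use of keys added to ssh-agent(1)
+A detailed description of the feature is available at
+https://www.openssh.com/agent-restrict.html and the protocol
+extensions are documented in the PROTOCOL and PROTOCOL.agent
+files in the source release.
+* ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
+ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
+default KEXAlgorithms list (after the ECDH methods but before the
+prime-group DH ones). The next release of OpenSSH is likely to
+make this key exchange the default method.
+* ssh-keygen(1): when downloading resident keys from a FIDO token,
+pass back the user ID that was used when the key was created and
+append it to the filename the key is written to (if it is not the
+default). Avoids keys being clobbered if the user created multiple
+resident keys with the same application string but different user
+IDs.
+* ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys
+on tokens that provide user verification (UV) on the device itself,
+including biometric keys, avoiding unnecessary PIN prompts.
+* ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to
+perform matching of principals names against an allowed signers
+file. To be used towards a TOFU model for SSH signatures in git.
+* ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added
+to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at
+authentication time.
+* ssh-keygen(1): allow selection of hash at sshsig signing time
+(either sha512 (default) or sha256).
+* ssh(1), sshd(8): read network data directly to the packet input
+buffer instead of indirectly via a small stack buffer. Provides a
+modest performance improvement.
+* ssh(1), sshd(8): read data directly to the channel input buffer,
+providing a similar modest performance improvement.
+* ssh(1): extend the PubkeyAuthentication configuration directive to
+accept yes|no|unbound|host-bound to allow control over one of the
+protocol extensions used to implement agent-restricted keys.
+
+= Bugfixes
+* sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and
+PubkeyAuthOptions can be used in a Match block. PR277.
+* sshd(8): fix possible string truncation when constructing paths to
+.rhosts/.shosts files with very long user home directory names.
+* ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512
+exchange hashes
+* ssh(1): don't put the TTY into raw mode when SessionType=none,
+avoids ^C being unable to kill such a session. bz3360
+* scp(1): fix some corner-case bugs in SFTP-mode handling of
+~-prefixed paths.
+* ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to
+select RSA keys when only RSA/SHA2 signature algorithms are
+configured (this is the default case). Previously RSA keys were
+not being considered in the default case.
+* ssh-keysign(1): make ssh-keysign use the requested signature
+algorithm and not the default for the key type. Part of unbreaking
+hostbased auth for RSA/SHA2 keys.
+* ssh(1): stricter UpdateHostkey signature verification logic on
+the client- side. Require RSA/SHA2 signatures for RSA hostkeys
+except when RSA/SHA1 was explicitly negotiated during initial
+KEX; bz3375
+* ssh(1), sshd(8): fix signature algorithm selection logic for
+UpdateHostkeys on the server side. The previous code tried to
+prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some
+cases. This will use RSA/SHA2 signatures for RSA keys if the
+client proposed these algorithms in initial KEX. bz3375
+* All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2).
+This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1)
+and sftp-server(8), as well as the sshd(8) listen loop and all
+other FD read/writability checks. On platforms with missing or
+broken poll(2)/ppoll(2) syscalls a select(2)-based compat shim is
+available.
+* ssh-keygen(1): the "-Y find-principals" command was verifying key
+validity when using ca certs but not with simple key lifetimes
+within the allowed signers file.
+* ssh-keygen(1): make sshsig verify-time argument parsing optional
+* sshd(8): fix truncation in rhosts/shosts path construction.
+* ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA
+keys (we already did this for RSA keys). Avoids fatal errors for
+PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B
+"cryptoauthlib"; bz#3364
+* ssh(1), ssh-agent(1): improve the testing of credentials against
+inserted FIDO: ask the token whether a particular key belongs to
+it in cases where the token supports on-token user-verification
+(e.g. biometrics) rather than just assuming that it will accept it.
+Will reduce spurious "Confirm user presence" notifications for key
+handles that relate to FIDO keys that are not currently inserted in at
+least some cases. bz3366
+* ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to
+allow for the preceding two ECN bits. bz#3373
+* ssh-keygen(1): add missing -O option to usage() for the "-Y sign"
+option.
+* ssh-keygen(1): fix a NULL deref when using the find-principals
+function, when matching an allowed_signers line that contains a
+namespace restriction, but no restriction specified on the
+command-line
+* ssh-agent(1): fix memleak in process_extension(); oss-fuzz
+issue #42719
+* ssh(1): suppress "Connection to xxx closed" messages when LogLevel
+is set to "error" or above. bz3378
+* ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing
+compressed packet data. bz3372
+* scp(1): when recursively transferring files in SFTP mode, create the
+destination directory if it doesn't already exist to match scp(1) in
+legacy RCP mode behaviour.
+* scp(1): many improvements in error message consistency between scp(1)
+in SFTP mode vs legacy RCP mode.
+* sshd(8): fix potential race in SIGTERM handling PR289
+* ssh(1), ssh(8): since DSA keys are deprecated, move them to the
+end of the default list of public keys so that they will be tried
+last. PR295
+* ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match
+wildcard principals in allowed_signers files
+
+= Portability
+* ssh(1), sshd(8): don't trust closefrom(2) on Linux. glibc's
+implementation does not work in a chroot when the kernel does not
+have close_range(2). It tries to read from /proc/self/fd and when
+that fails dies with an assertion of sorts. Instead, call
+close_range(2) directly from our compat code and fall back if
+that fails. bz#3349,
+* OS X poll(2) is broken; use compat replacement. For character-
+special devices like /dev/null, Darwin's poll(2) returns POLLNVAL
+when polled with POLLIN. Apparently this is Apple bug 3710161 -
+not public but a websearch will find other OSS projects
+rediscovering it periodically since it was first identified in
+2005.
+* Correct handling of exceptfds/POLLPRI in our select(2)-based
+poll(2)/ppoll(2) compat implementation.
+* Cygwin: correct checking of mbstowcs() return value.
+* Add a basic SECURITY.md that refers people to the openssh.com
+website.
+* Enable additional compiler warnings and toolchain hardening flags,
+including -Wbitwise-instead-of-logical, -Wmisleading-indentation,
+-fzero-call-used-regs and -ftrivial-auto-var-init.
+* HP/UX. Use compat getline(3) on HP-UX 10.x, where the libc version
+is not reliable.
+
+- Rebased patches:
+* openssh-7.7p1-ldap.patch
+* openssh-8.0p1-gssapi-keyex.patch
+* openssh-8.1p1-audit.patch
+* openssh-8.4p1-vendordir.patch
+* openssh-reenable-dh-group14-sha1-default.patch
+
 -------------------------------------------------------------------
 Tue Sep 28 17:50:57 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
 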
@ -35,7 +35,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: openssh
Version: 8.8p1
Version: 8.9p1
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT