forked from pool/openssh
Accepting request 563724 from home:pcerny:factory
reworking packaging, gssapi kex patch OBS-URL: https://build.opensuse.org/request/show/563724 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=128
This commit is contained in:
parent
b813991fe5
commit
a03a137de1
184
cavs_driver-ssh.pl
Normal file
184
cavs_driver-ssh.pl
Normal file
@ -0,0 +1,184 @@
|
||||
#!/usr/bin/env perl
|
||||
#
|
||||
# CAVS test driver for OpenSSH
|
||||
#
|
||||
# Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to deal
|
||||
# in the Software without restriction, including without limitation the rights
|
||||
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
# copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# NO WARRANTY
|
||||
#
|
||||
# BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
||||
# FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
||||
# OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
||||
# PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
||||
# OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
||||
# TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
||||
# PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
||||
# REPAIR OR CORRECTION.
|
||||
#
|
||||
# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||
# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
||||
# REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
||||
# INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
||||
# OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
||||
# TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
||||
# YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
||||
# PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
||||
# POSSIBILITY OF SUCH DAMAGES.
|
||||
#
|
||||
use strict;
|
||||
use warnings;
|
||||
use IPC::Open2;
|
||||
|
||||
# Executing a program by feeding STDIN and retrieving
|
||||
# STDOUT
|
||||
# $1: data string to be piped to the app on STDIN
|
||||
# rest: program and args
|
||||
# returns: STDOUT of program as string
|
||||
sub pipe_through_program($@) {
|
||||
my $in = shift;
|
||||
my @args = @_;
|
||||
|
||||
my ($CO, $CI);
|
||||
my $pid = open2($CO, $CI, @args);
|
||||
|
||||
my $out = "";
|
||||
my $len = length($in);
|
||||
my $first = 1;
|
||||
while (1) {
|
||||
my $rin = "";
|
||||
my $win = "";
|
||||
# Output of prog is FD that we read
|
||||
vec($rin,fileno($CO),1) = 1;
|
||||
# Input of prog is FD that we write
|
||||
# check for $first is needed because we can have NULL input
|
||||
# that is to be written to the app
|
||||
if ( $len > 0 || $first) {
|
||||
(vec($win,fileno($CI),1) = 1);
|
||||
$first=0;
|
||||
}
|
||||
# Let us wait for 100ms
|
||||
my $nfound = select(my $rout=$rin, my $wout=$win, undef, 0.1);
|
||||
if ( $wout ) {
|
||||
my $written = syswrite($CI, $in, $len);
|
||||
die "broken pipe" if !defined $written;
|
||||
$len -= $written;
|
||||
substr($in, 0, $written) = "";
|
||||
if ($len <= 0) {
|
||||
close $CI or die "broken pipe: $!";
|
||||
}
|
||||
}
|
||||
if ( $rout ) {
|
||||
my $tmp_out = "";
|
||||
my $bytes_read = sysread($CO, $tmp_out, 4096);
|
||||
$out .= $tmp_out;
|
||||
last if ($bytes_read == 0);
|
||||
}
|
||||
}
|
||||
close $CO or die "broken pipe: $!";
|
||||
waitpid $pid, 0;
|
||||
|
||||
return $out;
|
||||
}
|
||||
|
||||
# Parser of CAVS test vector file
|
||||
# $1: Test vector file
|
||||
# $2: Output file for test results
|
||||
# return: nothing
|
||||
sub parse($$) {
|
||||
my $infile = shift;
|
||||
my $outfile = shift;
|
||||
|
||||
my $out = "";
|
||||
|
||||
my $K = "";
|
||||
my $H = "";
|
||||
my $session_id = "";
|
||||
my $ivlen = 0;
|
||||
my $eklen = "";
|
||||
my $iklen = "";
|
||||
|
||||
open(IN, "<$infile");
|
||||
while(<IN>) {
|
||||
|
||||
my $line = $_;
|
||||
chomp($line);
|
||||
$line =~ s/\r//;
|
||||
|
||||
if ($line =~ /\[SHA-1\]/) {
|
||||
$iklen = 20;
|
||||
} elsif ($line =~ /\[SHA-256\]/) {
|
||||
$iklen = 32;
|
||||
} elsif ($line =~ /\[SHA-384\]/) {
|
||||
$iklen = 48;
|
||||
} elsif ($line =~ /\[SHA-512\]/) {
|
||||
$iklen = 64;
|
||||
} elsif ($line =~ /^\[IV length\s*=\s*(.*)\]/) {
|
||||
$ivlen = $1;
|
||||
$ivlen = $ivlen / 8;
|
||||
} elsif ($line =~ /^\[encryption key length\s*=\s*(.*)\]/) {
|
||||
$eklen = $1;
|
||||
$eklen = $eklen / 8;
|
||||
} elsif ($line =~ /^K\s*=\s*(.*)/) {
|
||||
$K = $1;
|
||||
$K = substr($K, 8);
|
||||
$K = "00" . $K;
|
||||
} elsif ($line =~ /^H\s*=\s*(.*)/) {
|
||||
$H = $1;
|
||||
} elsif ($line =~ /^session_id\s*=\s*(.*)/) {
|
||||
$session_id = $1;
|
||||
}
|
||||
$out .= $line . "\n";
|
||||
|
||||
if ($K ne "" && $H ne "" && $session_id ne "" &&
|
||||
$ivlen ne "" && $eklen ne "" && $iklen > 0) {
|
||||
$out .= pipe_through_program("", "@LIBEXECDIR@/ssh/cavstest-kdf -H $H -K $K -s $session_id -i $ivlen -e $eklen -m $iklen");
|
||||
|
||||
$K = "";
|
||||
$H = "";
|
||||
$session_id = "";
|
||||
}
|
||||
}
|
||||
close IN;
|
||||
$out =~ s/\n/\r\n/g; # make it a dos file
|
||||
open(OUT, ">$outfile") or die "Cannot create output file $outfile: $?";
|
||||
print OUT $out;
|
||||
close OUT;
|
||||
}
|
||||
|
||||
############################################################
|
||||
#
|
||||
# let us pretend to be C :-)
|
||||
sub main() {
|
||||
|
||||
my $infile=$ARGV[0];
|
||||
die "Error: Test vector file $infile not found" if (! -f $infile);
|
||||
|
||||
my $outfile = $infile;
|
||||
# let us add .rsp regardless whether we could strip .req
|
||||
$outfile =~ s/\.req$//;
|
||||
$outfile .= ".rsp";
|
||||
if (-f $outfile) {
|
||||
die "Output file $outfile could not be removed: $?"
|
||||
unless unlink($outfile);
|
||||
}
|
||||
print STDERR "Performing tests from source file $infile with results stored in destination file $outfile\n";
|
||||
|
||||
# Do the job
|
||||
parse($infile, $outfile);
|
||||
}
|
||||
|
||||
###########################################
|
||||
# Call it
|
||||
main();
|
||||
1;
|
3
openssh-7.6p1-SUSE_patches.tar.xz
Normal file
3
openssh-7.6p1-SUSE_patches.tar.xz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:d2f790931dbda22f81a9d0b80ce3532bfe02d51750f1170b81faef32f4230af8
|
||||
size 61332
|
@ -1,65 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent c004421528bc443fa9a56db1123005c92014e6b3
|
||||
# enable trusted X11 forwarding by default in both sshd and sshsystem-wide
|
||||
# configuration
|
||||
# bnc#50836 (was suse #35836)
|
||||
Enable Trusted X11 forwarding by default, since the security benefits of
|
||||
having it disabled are negligible these days with XI2 being widely used.
|
||||
|
||||
diff --git a/openssh-7.6p1/ssh_config b/openssh-7.6p1/ssh_config
|
||||
--- a/openssh-7.6p1/ssh_config
|
||||
+++ b/openssh-7.6p1/ssh_config
|
||||
@@ -12,19 +12,30 @@
|
||||
# Any configuration value is only changed the first time it is set.
|
||||
# Thus, host-specific definitions should be at the beginning of the
|
||||
# configuration file, and defaults at the end.
|
||||
|
||||
# Site-wide defaults for some commonly used options. For a comprehensive
|
||||
# list of available options, their meanings and defaults, please see the
|
||||
# ssh_config(5) man page.
|
||||
|
||||
-# Host *
|
||||
+Host *
|
||||
# ForwardAgent no
|
||||
# ForwardX11 no
|
||||
+
|
||||
+# If you do not trust your remote host (or its administrator), you
|
||||
+# should not forward X11 connections to your local X11-display for
|
||||
+# security reasons: Someone stealing the authentification data on the
|
||||
+# remote side (the "spoofed" X-server by the remote sshd) can read your
|
||||
+# keystrokes as you type, just like any other X11 client could do.
|
||||
+# Set this to "no" here for global effect or in your own ~/.ssh/config
|
||||
+# file if you want to have the remote X11 authentification data to
|
||||
+# expire after twenty minutes after remote login.
|
||||
+ ForwardX11Trusted yes
|
||||
+
|
||||
# PasswordAuthentication yes
|
||||
# HostbasedAuthentication no
|
||||
# GSSAPIAuthentication no
|
||||
# GSSAPIDelegateCredentials no
|
||||
# BatchMode no
|
||||
# CheckHostIP yes
|
||||
# AddressFamily any
|
||||
# ConnectTimeout 0
|
||||
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
|
||||
--- a/openssh-7.6p1/sshd_config
|
||||
+++ b/openssh-7.6p1/sshd_config
|
||||
@@ -80,17 +80,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
#UsePAM no
|
||||
|
||||
#AllowAgentForwarding yes
|
||||
#AllowTcpForwarding yes
|
||||
#GatewayPorts no
|
||||
-#X11Forwarding no
|
||||
+X11Forwarding yes
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PermitTTY yes
|
||||
#PrintMotd yes
|
||||
#PrintLastLog yes
|
||||
#TCPKeepAlive yes
|
||||
#UseLogin no
|
||||
#PermitUserEnvironment no
|
@ -1,95 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent af43d436bc7fe818dd976c923ad99b89051eb299
|
||||
Allow root login with password by default. While less secure than upstream
|
||||
default of forbidding access to the root account with a password, we are
|
||||
temporarily introducing this change to keep the default used in older OpenSSH
|
||||
versions shipped with SLE.
|
||||
|
||||
diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||
--- a/openssh-7.6p1/servconf.c
|
||||
+++ b/openssh-7.6p1/servconf.c
|
||||
@@ -218,17 +218,17 @@ fill_default_server_options(ServerOption
|
||||
options->address_family = AF_UNSPEC;
|
||||
if (options->listen_addrs == NULL)
|
||||
add_listen_addr(options, NULL, 0);
|
||||
if (options->pid_file == NULL)
|
||||
options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
|
||||
if (options->login_grace_time == -1)
|
||||
options->login_grace_time = 120;
|
||||
if (options->permit_root_login == PERMIT_NOT_SET)
|
||||
- options->permit_root_login = PERMIT_NO_PASSWD;
|
||||
+ options->permit_root_login = PERMIT_YES;
|
||||
if (options->ignore_rhosts == -1)
|
||||
options->ignore_rhosts = 1;
|
||||
if (options->ignore_user_known_hosts == -1)
|
||||
options->ignore_user_known_hosts = 0;
|
||||
if (options->print_motd == -1)
|
||||
options->print_motd = 1;
|
||||
if (options->print_lastlog == -1)
|
||||
options->print_lastlog = 1;
|
||||
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
|
||||
--- a/openssh-7.6p1/sshd_config
|
||||
+++ b/openssh-7.6p1/sshd_config
|
||||
@@ -25,17 +25,17 @@
|
||||
|
||||
# Logging
|
||||
#SyslogFacility AUTH
|
||||
#LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
|
||||
#LoginGraceTime 2m
|
||||
-#PermitRootLogin prohibit-password
|
||||
+#PermitRootLogin yes
|
||||
#StrictModes yes
|
||||
#MaxAuthTries 6
|
||||
#MaxSessions 10
|
||||
|
||||
#PubkeyAuthentication yes
|
||||
|
||||
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
||||
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||
diff --git a/openssh-7.6p1/sshd_config.0 b/openssh-7.6p1/sshd_config.0
|
||||
--- a/openssh-7.6p1/sshd_config.0
|
||||
+++ b/openssh-7.6p1/sshd_config.0
|
||||
@@ -696,17 +696,17 @@ DESCRIPTION
|
||||
none can be used to prohibit all forwarding requests. The
|
||||
wildcard M-bM-^@M-^X*M-bM-^@M-^Y can be used for host or port to allow all hosts or
|
||||
ports, respectively. By default all port forwarding requests are
|
||||
permitted.
|
||||
|
||||
PermitRootLogin
|
||||
Specifies whether root can log in using ssh(1). The argument
|
||||
must be yes, prohibit-password, without-password,
|
||||
- forced-commands-only, or no. The default is prohibit-password.
|
||||
+ forced-commands-only, or no. The default is yes.
|
||||
|
||||
If this option is set to prohibit-password or without-password,
|
||||
password and keyboard-interactive authentication are disabled for
|
||||
root.
|
||||
|
||||
If this option is set to forced-commands-only, root login with
|
||||
public key authentication will be allowed, but only if the
|
||||
command option has been specified (which may be useful for taking
|
||||
diff --git a/openssh-7.6p1/sshd_config.5 b/openssh-7.6p1/sshd_config.5
|
||||
--- a/openssh-7.6p1/sshd_config.5
|
||||
+++ b/openssh-7.6p1/sshd_config.5
|
||||
@@ -1188,17 +1188,17 @@ Specifies whether root can log in using
|
||||
The argument must be
|
||||
.Cm yes ,
|
||||
.Cm prohibit-password ,
|
||||
.Cm without-password ,
|
||||
.Cm forced-commands-only ,
|
||||
or
|
||||
.Cm no .
|
||||
The default is
|
||||
-.Cm prohibit-password .
|
||||
+.Cm yes .
|
||||
.Pp
|
||||
If this option is set to
|
||||
.Cm prohibit-password
|
||||
or
|
||||
.Cm without-password ,
|
||||
password and keyboard-interactive authentication are disabled for root.
|
||||
.Pp
|
||||
If this option is set to
|
@ -1,75 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent 724c9ea86fe2c4a1f0e0d3aba168357ab1b2c3aa
|
||||
block SIGALRM while logging through syslog to prevent deadlocks
|
||||
(through grace_alarm_handler())
|
||||
|
||||
bnc#57354
|
||||
|
||||
diff --git a/openssh-7.6p1/log.c b/openssh-7.6p1/log.c
|
||||
--- a/openssh-7.6p1/log.c
|
||||
+++ b/openssh-7.6p1/log.c
|
||||
@@ -46,16 +46,17 @@
|
||||
#include <syslog.h>
|
||||
#include <unistd.h>
|
||||
#include <errno.h>
|
||||
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
|
||||
# include <vis.h>
|
||||
#endif
|
||||
|
||||
#include "log.h"
|
||||
+#include <signal.h>
|
||||
|
||||
static LogLevel log_level = SYSLOG_LEVEL_INFO;
|
||||
static int log_on_stderr = 1;
|
||||
static int log_stderr_fd = STDERR_FILENO;
|
||||
static int log_facility = LOG_AUTH;
|
||||
static char *argv0;
|
||||
static log_handler_fn *log_handler;
|
||||
static void *log_handler_ctx;
|
||||
@@ -396,16 +397,17 @@ do_log(LogLevel level, const char *fmt,
|
||||
{
|
||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
||||
struct syslog_data sdata = SYSLOG_DATA_INIT;
|
||||
#endif
|
||||
char msgbuf[MSGBUFSIZ];
|
||||
char fmtbuf[MSGBUFSIZ];
|
||||
char *txt = NULL;
|
||||
int pri = LOG_INFO;
|
||||
+ sigset_t nset, oset;
|
||||
int saved_errno = errno;
|
||||
log_handler_fn *tmp_handler;
|
||||
|
||||
if (level > log_level)
|
||||
return;
|
||||
|
||||
switch (level) {
|
||||
case SYSLOG_LEVEL_FATAL:
|
||||
@@ -455,20 +457,28 @@ do_log(LogLevel level, const char *fmt,
|
||||
log_handler = NULL;
|
||||
tmp_handler(level, fmtbuf, log_handler_ctx);
|
||||
log_handler = tmp_handler;
|
||||
} else if (log_on_stderr) {
|
||||
snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",
|
||||
(int)sizeof msgbuf - 3, fmtbuf);
|
||||
(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
|
||||
} else {
|
||||
+ /* Prevent a race between the grace_alarm which writes a
|
||||
+ * log message and terminates and main sshd code that leads
|
||||
+ * to deadlock as syslog is not async safe.
|
||||
+ */
|
||||
+ sigemptyset(&nset);
|
||||
+ sigaddset(&nset, SIGALRM);
|
||||
+ sigprocmask(SIG_BLOCK, &nset, &oset);
|
||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
||||
openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
|
||||
syslog_r(pri, &sdata, "%.500s", fmtbuf);
|
||||
closelog_r(&sdata);
|
||||
#else
|
||||
openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
|
||||
syslog(pri, "%.500s", fmtbuf);
|
||||
closelog();
|
||||
#endif
|
||||
+ sigprocmask(SIG_SETMASK, &oset, NULL);
|
||||
}
|
||||
errno = saved_errno;
|
||||
}
|
@ -1,696 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent a5b0f249f564de9c9efd023c6430f607d9861acd
|
||||
|
||||
Raise minimal size of DH group parameters to 2048 bits like upstream did in
|
||||
7.2. 1024b values are believed to be in breaking range for state adversaries
|
||||
and the default moduli shipped with openssh have been around long enough to
|
||||
make it more likely for them to be broken.
|
||||
|
||||
Also provide an option that allows the client to accept shorter (RFC4419
|
||||
compliant) parameters.
|
||||
|
||||
CVE-2015-4000 (LOGJAM)
|
||||
bsc#932483
|
||||
|
||||
diff --git a/openssh-7.6p1/dh.c b/openssh-7.6p1/dh.c
|
||||
--- a/openssh-7.6p1/dh.c
|
||||
+++ b/openssh-7.6p1/dh.c
|
||||
@@ -37,16 +37,18 @@
|
||||
#include <limits.h>
|
||||
|
||||
#include "dh.h"
|
||||
#include "pathnames.h"
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
#include "ssherr.h"
|
||||
|
||||
+int dh_grp_min = DH_GRP_MIN;
|
||||
+
|
||||
static int
|
||||
parse_prime(int linenum, char *line, struct dhgroup *dhg)
|
||||
{
|
||||
char *cp, *arg;
|
||||
char *strsize, *gen, *prime;
|
||||
const char *errstr = NULL;
|
||||
long long n;
|
||||
|
||||
diff --git a/openssh-7.6p1/dh.h b/openssh-7.6p1/dh.h
|
||||
--- a/openssh-7.6p1/dh.h
|
||||
+++ b/openssh-7.6p1/dh.h
|
||||
@@ -45,16 +45,17 @@ int dh_gen_key(DH *, int);
|
||||
int dh_pub_is_valid(DH *, BIGNUM *);
|
||||
|
||||
u_int dh_estimate(int);
|
||||
|
||||
/*
|
||||
* Max value from RFC4419.
|
||||
* Miniumum increased in light of DH precomputation attacks.
|
||||
*/
|
||||
+#define DH_GRP_MIN_RFC 1024
|
||||
#define DH_GRP_MIN 2048
|
||||
#define DH_GRP_MAX 8192
|
||||
|
||||
/*
|
||||
* Values for "type" field of moduli(5)
|
||||
* Specifies the internal structure of the prime modulus.
|
||||
*/
|
||||
#define MODULI_TYPE_UNKNOWN (0)
|
||||
diff --git a/openssh-7.6p1/kexgexc.c b/openssh-7.6p1/kexgexc.c
|
||||
--- a/openssh-7.6p1/kexgexc.c
|
||||
+++ b/openssh-7.6p1/kexgexc.c
|
||||
@@ -46,29 +46,32 @@
|
||||
#include "dh.h"
|
||||
#include "ssh2.h"
|
||||
#include "compat.h"
|
||||
#include "dispatch.h"
|
||||
#include "ssherr.h"
|
||||
#include "sshbuf.h"
|
||||
#include "misc.h"
|
||||
|
||||
+/* import from dh.c */
|
||||
+extern int dh_grp_min;
|
||||
+
|
||||
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
|
||||
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
|
||||
|
||||
int
|
||||
kexgex_client(struct ssh *ssh)
|
||||
{
|
||||
struct kex *kex = ssh->kex;
|
||||
int r;
|
||||
u_int nbits;
|
||||
|
||||
nbits = dh_estimate(kex->dh_need * 8);
|
||||
|
||||
- kex->min = DH_GRP_MIN;
|
||||
+ kex->min = dh_grp_min;
|
||||
kex->max = DH_GRP_MAX;
|
||||
kex->nbits = nbits;
|
||||
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
||||
kex->nbits = MINIMUM(kex->nbits, 4096);
|
||||
/* New GEX request */
|
||||
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST)) != 0 ||
|
||||
(r = sshpkt_put_u32(ssh, kex->min)) != 0 ||
|
||||
(r = sshpkt_put_u32(ssh, kex->nbits)) != 0 ||
|
||||
@@ -103,16 +106,22 @@ input_kex_dh_gex_group(int type, u_int32
|
||||
goto out;
|
||||
}
|
||||
if ((r = sshpkt_get_bignum2(ssh, p)) != 0 ||
|
||||
(r = sshpkt_get_bignum2(ssh, g)) != 0 ||
|
||||
(r = sshpkt_get_end(ssh)) != 0)
|
||||
goto out;
|
||||
if ((bits = BN_num_bits(p)) < 0 ||
|
||||
(u_int)bits < kex->min || (u_int)bits > kex->max) {
|
||||
+ if ((u_int)bits < kex->min && (u_int)bits >= DH_GRP_MIN_RFC)
|
||||
+ logit("DH parameter offered by the server (%d bits) "
|
||||
+ "is considered insecure. "
|
||||
+ "You can lower the accepted the minimum "
|
||||
+ "via the KexDHMin option.",
|
||||
+ bits);
|
||||
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
|
||||
goto out;
|
||||
}
|
||||
if ((kex->dh = dh_new_group(g, p)) == NULL) {
|
||||
r = SSH_ERR_ALLOC_FAIL;
|
||||
goto out;
|
||||
}
|
||||
p = g = NULL; /* belong to kex->dh now */
|
||||
diff --git a/openssh-7.6p1/kexgexs.c b/openssh-7.6p1/kexgexs.c
|
||||
--- a/openssh-7.6p1/kexgexs.c
|
||||
+++ b/openssh-7.6p1/kexgexs.c
|
||||
@@ -49,16 +49,19 @@
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
#include "dispatch.h"
|
||||
#include "ssherr.h"
|
||||
#include "sshbuf.h"
|
||||
#include "misc.h"
|
||||
|
||||
+/* import from dh.c */
|
||||
+extern int dh_grp_min;
|
||||
+
|
||||
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
|
||||
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
|
||||
|
||||
int
|
||||
kexgex_server(struct ssh *ssh)
|
||||
{
|
||||
ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST,
|
||||
&input_kex_dh_gex_request);
|
||||
@@ -77,23 +80,29 @@ input_kex_dh_gex_request(int type, u_int
|
||||
if ((r = sshpkt_get_u32(ssh, &min)) != 0 ||
|
||||
(r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
|
||||
(r = sshpkt_get_u32(ssh, &max)) != 0 ||
|
||||
(r = sshpkt_get_end(ssh)) != 0)
|
||||
goto out;
|
||||
kex->nbits = nbits;
|
||||
kex->min = min;
|
||||
kex->max = max;
|
||||
- min = MAXIMUM(DH_GRP_MIN, min);
|
||||
+ min = MAXIMUM(dh_grp_min, min);
|
||||
max = MINIMUM(DH_GRP_MAX, max);
|
||||
- nbits = MAXIMUM(DH_GRP_MIN, nbits);
|
||||
+ nbits = MAXIMUM(dh_grp_min, nbits);
|
||||
nbits = MINIMUM(DH_GRP_MAX, nbits);
|
||||
|
||||
if (kex->max < kex->min || kex->nbits < kex->min ||
|
||||
kex->max < kex->nbits || kex->max < DH_GRP_MIN) {
|
||||
+ if (kex->nbits < kex->min && kex->nbits >= DH_GRP_MIN_RFC)
|
||||
+ logit("DH parameter requested by the client (%d bits) "
|
||||
+ "is considered insecure. "
|
||||
+ "You can lower the accepted minimum "
|
||||
+ "via the KexDHMin option.",
|
||||
+ kex->nbits);
|
||||
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* Contact privileged parent */
|
||||
kex->dh = PRIVSEP(choose_dh(min, nbits, max));
|
||||
if (kex->dh == NULL) {
|
||||
sshpkt_disconnect(ssh, "no matching DH grp found");
|
||||
diff --git a/openssh-7.6p1/readconf.c b/openssh-7.6p1/readconf.c
|
||||
--- a/openssh-7.6p1/readconf.c
|
||||
+++ b/openssh-7.6p1/readconf.c
|
||||
@@ -61,16 +61,17 @@
|
||||
#include "misc.h"
|
||||
#include "readconf.h"
|
||||
#include "match.h"
|
||||
#include "kex.h"
|
||||
#include "mac.h"
|
||||
#include "uidswap.h"
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
+#include "dh.h"
|
||||
|
||||
/* Format of the configuration file:
|
||||
|
||||
# Configuration data is parsed as follows:
|
||||
# 1. command line options
|
||||
# 2. user-specific file
|
||||
# 3. system-wide file
|
||||
# Any configuration value is only changed the first time it is set.
|
||||
@@ -161,17 +162,18 @@ typedef enum {
|
||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
||||
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||
oSendEnv, oControlPath, oControlMaster, oControlPersist,
|
||||
oHashKnownHosts,
|
||||
oTunnel, oTunnelDevice,
|
||||
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
|
||||
oVisualHostKey,
|
||||
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
|
||||
+ oKexAlgorithms, oKexDHMin,
|
||||
+ oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
|
||||
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
|
||||
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
|
||||
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
|
||||
oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
|
||||
oPubkeyAcceptedKeyTypes, oProxyJump,
|
||||
oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
|
||||
} OpCodes;
|
||||
|
||||
@@ -283,16 +285,17 @@ static struct {
|
||||
{ "include", oInclude },
|
||||
{ "tunnel", oTunnel },
|
||||
{ "tunneldevice", oTunnelDevice },
|
||||
{ "localcommand", oLocalCommand },
|
||||
{ "permitlocalcommand", oPermitLocalCommand },
|
||||
{ "remotecommand", oRemoteCommand },
|
||||
{ "visualhostkey", oVisualHostKey },
|
||||
{ "kexalgorithms", oKexAlgorithms },
|
||||
+ { "kexdhmin", oKexDHMin },
|
||||
{ "ipqos", oIPQoS },
|
||||
{ "requesttty", oRequestTTY },
|
||||
{ "proxyusefdpass", oProxyUseFdpass },
|
||||
{ "canonicaldomains", oCanonicalDomains },
|
||||
{ "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
|
||||
{ "canonicalizehostname", oCanonicalizeHostname },
|
||||
{ "canonicalizemaxdots", oCanonicalizeMaxDots },
|
||||
{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
|
||||
@@ -304,16 +307,19 @@ static struct {
|
||||
{ "hostbasedkeytypes", oHostbasedKeyTypes },
|
||||
{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
|
||||
{ "ignoreunknown", oIgnoreUnknown },
|
||||
{ "proxyjump", oProxyJump },
|
||||
|
||||
{ NULL, oBadOption }
|
||||
};
|
||||
|
||||
+/* import from dh.c */
|
||||
+extern int dh_grp_min;
|
||||
+
|
||||
/*
|
||||
* Adds a local TCP/IP port forward to options. Never returns if there is an
|
||||
* error.
|
||||
*/
|
||||
|
||||
void
|
||||
add_local_forward(Options *options, const struct Forward *newfwd)
|
||||
{
|
||||
@@ -1206,16 +1212,20 @@ parse_int:
|
||||
if (*arg != '-' &&
|
||||
!kex_names_valid(*arg == '+' ? arg + 1 : arg))
|
||||
fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
|
||||
filename, linenum, arg ? arg : "<NONE>");
|
||||
if (*activep && options->kex_algorithms == NULL)
|
||||
options->kex_algorithms = xstrdup(arg);
|
||||
break;
|
||||
|
||||
+ case oKexDHMin:
|
||||
+ intptr = &options->kex_dhmin;
|
||||
+ goto parse_int;
|
||||
+
|
||||
case oHostKeyAlgorithms:
|
||||
charptr = &options->hostkeyalgorithms;
|
||||
parse_keytypes:
|
||||
arg = strdelim(&s);
|
||||
if (!arg || *arg == '\0')
|
||||
fatal("%.200s line %d: Missing argument.",
|
||||
filename, linenum);
|
||||
if (*arg != '-' &&
|
||||
@@ -1803,16 +1813,17 @@ initialize_options(Options * options)
|
||||
options->port = -1;
|
||||
options->address_family = -1;
|
||||
options->connection_attempts = -1;
|
||||
options->connection_timeout = -1;
|
||||
options->number_of_password_prompts = -1;
|
||||
options->ciphers = NULL;
|
||||
options->macs = NULL;
|
||||
options->kex_algorithms = NULL;
|
||||
+ options->kex_dhmin = -1;
|
||||
options->hostkeyalgorithms = NULL;
|
||||
options->num_identity_files = 0;
|
||||
options->num_certificate_files = 0;
|
||||
options->hostname = NULL;
|
||||
options->host_key_alias = NULL;
|
||||
options->proxy_command = NULL;
|
||||
options->jump_user = NULL;
|
||||
options->jump_host = NULL;
|
||||
@@ -1951,16 +1962,23 @@ fill_default_options(Options * options)
|
||||
if (options->port == -1)
|
||||
options->port = 0; /* Filled in ssh_connect. */
|
||||
if (options->address_family == -1)
|
||||
options->address_family = AF_UNSPEC;
|
||||
if (options->connection_attempts == -1)
|
||||
options->connection_attempts = 1;
|
||||
if (options->number_of_password_prompts == -1)
|
||||
options->number_of_password_prompts = 3;
|
||||
+ if (options->kex_dhmin == -1)
|
||||
+ options->kex_dhmin = DH_GRP_MIN_RFC;
|
||||
+ else {
|
||||
+ options->kex_dhmin = MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC);
|
||||
+ options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
||||
+ }
|
||||
+ dh_grp_min = options->kex_dhmin;
|
||||
/* options->hostkeyalgorithms, default set in myproposals.h */
|
||||
if (options->add_keys_to_agent == -1)
|
||||
options->add_keys_to_agent = 0;
|
||||
if (options->num_identity_files == 0) {
|
||||
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_RSA, 0);
|
||||
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0);
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ECDSA, 0);
|
||||
diff --git a/openssh-7.6p1/readconf.h b/openssh-7.6p1/readconf.h
|
||||
--- a/openssh-7.6p1/readconf.h
|
||||
+++ b/openssh-7.6p1/readconf.h
|
||||
@@ -64,16 +64,17 @@ typedef struct {
|
||||
int connection_timeout; /* Max time (seconds) before
|
||||
* aborting connection attempt */
|
||||
int number_of_password_prompts; /* Max number of password
|
||||
* prompts. */
|
||||
char *ciphers; /* SSH2 ciphers in order of preference. */
|
||||
char *macs; /* SSH2 macs in order of preference. */
|
||||
char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */
|
||||
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
||||
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
||||
char *hostname; /* Real host to connect. */
|
||||
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
|
||||
char *proxy_command; /* Proxy command for connecting the host. */
|
||||
char *user; /* User to log in as. */
|
||||
int escape_char; /* Escape character; -2 = none */
|
||||
|
||||
u_int num_system_hostfiles; /* Paths for /etc/ssh/ssh_known_hosts */
|
||||
char *system_hostfiles[SSH_MAX_HOSTS_FILES];
|
||||
diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||
--- a/openssh-7.6p1/servconf.c
|
||||
+++ b/openssh-7.6p1/servconf.c
|
||||
@@ -52,16 +52,20 @@
|
||||
#include "channels.h"
|
||||
#include "groupaccess.h"
|
||||
#include "canohost.h"
|
||||
#include "packet.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
+#include "dh.h"
|
||||
+
|
||||
+/* import from dh.c */
|
||||
+extern int dh_grp_min;
|
||||
|
||||
static void add_listen_addr(ServerOptions *, char *, int);
|
||||
static void add_one_listen_addr(ServerOptions *, char *, int);
|
||||
|
||||
/* Use of privilege separation or not */
|
||||
extern int use_privsep;
|
||||
extern Buffer cfg;
|
||||
|
||||
@@ -129,16 +133,17 @@ initialize_server_options(ServerOptions
|
||||
options->allow_agent_forwarding = -1;
|
||||
options->num_allow_users = 0;
|
||||
options->num_deny_users = 0;
|
||||
options->num_allow_groups = 0;
|
||||
options->num_deny_groups = 0;
|
||||
options->ciphers = NULL;
|
||||
options->macs = NULL;
|
||||
options->kex_algorithms = NULL;
|
||||
+ options->kex_dhmin = -1;
|
||||
options->fwd_opts.gateway_ports = -1;
|
||||
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
|
||||
options->fwd_opts.streamlocal_bind_unlink = -1;
|
||||
options->num_subsystems = 0;
|
||||
options->max_startups_begin = -1;
|
||||
options->max_startups_rate = -1;
|
||||
options->max_startups = -1;
|
||||
options->max_authtries = -1;
|
||||
@@ -195,16 +200,24 @@ fill_default_server_options(ServerOption
|
||||
int i;
|
||||
|
||||
/* Portable-specific options */
|
||||
if (options->use_pam == -1)
|
||||
options->use_pam = 0;
|
||||
if (options->use_pam_check_locks == -1)
|
||||
options->use_pam_check_locks = 0;
|
||||
|
||||
+ if (options->kex_dhmin == -1)
|
||||
+ options->kex_dhmin = DH_GRP_MIN_RFC;
|
||||
+ else {
|
||||
+ options->kex_dhmin = MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC);
|
||||
+ options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
||||
+ }
|
||||
+ dh_grp_min = options->kex_dhmin;
|
||||
+
|
||||
/* Standard Options */
|
||||
if (options->num_host_key_files == 0) {
|
||||
/* fill default hostkeys for protocols */
|
||||
options->host_key_files[options->num_host_key_files++] =
|
||||
_PATH_HOST_RSA_KEY_FILE;
|
||||
options->host_key_files[options->num_host_key_files++] =
|
||||
_PATH_HOST_DSA_KEY_FILE;
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
@@ -414,17 +427,18 @@ typedef enum {
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||
sAcceptEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
sHostCertificate,
|
||||
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
||||
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
|
||||
- sKexAlgorithms, sIPQoS, sVersionAddendum,
|
||||
+ sKexAlgorithms, sKexDHMin,
|
||||
+ sIPQoS, sVersionAddendum,
|
||||
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
||||
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
|
||||
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
||||
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
|
||||
sExposeAuthInfo,
|
||||
sDeprecated, sIgnore, sUnsupported
|
||||
} ServerOpCodes;
|
||||
|
||||
@@ -553,16 +567,17 @@ static struct {
|
||||
{ "permitopen", sPermitOpen, SSHCFG_ALL },
|
||||
{ "forcecommand", sForceCommand, SSHCFG_ALL },
|
||||
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
|
||||
{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
|
||||
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
|
||||
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
|
||||
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|
||||
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
|
||||
+ { "kexdhmin", sKexDHMin },
|
||||
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
||||
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
|
||||
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
|
||||
{ "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
|
||||
{ "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
|
||||
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
|
||||
{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
|
||||
{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
|
||||
@@ -1502,16 +1517,20 @@ process_server_config_line(ServerOptions
|
||||
if (*arg != '-' &&
|
||||
!kex_names_valid(*arg == '+' ? arg + 1 : arg))
|
||||
fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
|
||||
filename, linenum, arg ? arg : "<NONE>");
|
||||
if (options->kex_algorithms == NULL)
|
||||
options->kex_algorithms = xstrdup(arg);
|
||||
break;
|
||||
|
||||
+ case sKexDHMin:
|
||||
+ intptr = &options->kex_dhmin;
|
||||
+ goto parse_int;
|
||||
+
|
||||
case sSubsystem:
|
||||
if (options->num_subsystems >= MAX_SUBSYSTEMS) {
|
||||
fatal("%s line %d: too many subsystems defined.",
|
||||
filename, linenum);
|
||||
}
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
fatal("%s line %d: Missing subsystem name.",
|
||||
@@ -2285,16 +2304,17 @@ dump_config(ServerOptions *o)
|
||||
#endif
|
||||
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
|
||||
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
|
||||
dump_cfg_int(sMaxAuthTries, o->max_authtries);
|
||||
dump_cfg_int(sMaxSessions, o->max_sessions);
|
||||
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
|
||||
dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
|
||||
dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
|
||||
+ dump_cfg_int(sKexDHMin, o->kex_dhmin);
|
||||
|
||||
/* formatted integer arguments */
|
||||
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
|
||||
dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
|
||||
dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
|
||||
dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
|
||||
dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
|
||||
o->hostbased_uses_name_from_packet_only);
|
||||
diff --git a/openssh-7.6p1/servconf.h b/openssh-7.6p1/servconf.h
|
||||
--- a/openssh-7.6p1/servconf.h
|
||||
+++ b/openssh-7.6p1/servconf.h
|
||||
@@ -93,16 +93,17 @@ typedef struct {
|
||||
int permit_user_rc; /* If false, deny ~/.ssh/rc execution */
|
||||
int strict_modes; /* If true, require string home dir modes. */
|
||||
int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
|
||||
int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
|
||||
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
|
||||
char *ciphers; /* Supported SSH2 ciphers. */
|
||||
char *macs; /* Supported SSH2 macs. */
|
||||
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
||||
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
||||
struct ForwardOptions fwd_opts; /* forwarding options */
|
||||
SyslogFacility log_facility; /* Facility for system logging. */
|
||||
LogLevel log_level; /* Level for system logging. */
|
||||
int hostbased_authentication; /* If true, permit ssh2 hostbased auth */
|
||||
int hostbased_uses_name_from_packet_only; /* experimental */
|
||||
char *hostbased_key_types; /* Key types allowed for hostbased */
|
||||
char *hostkeyalgorithms; /* SSH2 server key types */
|
||||
int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */
|
||||
diff --git a/openssh-7.6p1/ssh_config b/openssh-7.6p1/ssh_config
|
||||
--- a/openssh-7.6p1/ssh_config
|
||||
+++ b/openssh-7.6p1/ssh_config
|
||||
@@ -12,16 +12,21 @@
|
||||
# Any configuration value is only changed the first time it is set.
|
||||
# Thus, host-specific definitions should be at the beginning of the
|
||||
# configuration file, and defaults at the end.
|
||||
|
||||
# Site-wide defaults for some commonly used options. For a comprehensive
|
||||
# list of available options, their meanings and defaults, please see the
|
||||
# ssh_config(5) man page.
|
||||
|
||||
+# Minimum accepted size of the DH parameter p. By default this is set to 1024
|
||||
+# to maintain compatibility with RFC4419, but should be set higher.
|
||||
+# Upstream default is identical to setting this to 2048.
|
||||
+#KexDHMin 1024
|
||||
+
|
||||
Host *
|
||||
# ForwardAgent no
|
||||
# ForwardX11 no
|
||||
|
||||
# If you do not trust your remote host (or its administrator), you
|
||||
# should not forward X11 connections to your local X11-display for
|
||||
# security reasons: Someone stealing the authentification data on the
|
||||
# remote side (the "spoofed" X-server by the remote sshd) can read your
|
||||
diff --git a/openssh-7.6p1/ssh_config.0 b/openssh-7.6p1/ssh_config.0
|
||||
--- a/openssh-7.6p1/ssh_config.0
|
||||
+++ b/openssh-7.6p1/ssh_config.0
|
||||
@@ -584,16 +584,33 @@ DESCRIPTION
|
||||
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
diffie-hellman-group-exchange-sha256,
|
||||
diffie-hellman-group-exchange-sha1,
|
||||
diffie-hellman-group14-sha1
|
||||
|
||||
The list of available key exchange algorithms may also be
|
||||
obtained using "ssh -Q kex".
|
||||
|
||||
+ KexDHMin
|
||||
+ Specifies the minimum accepted bit length of the DH group
|
||||
+ parameter p.
|
||||
+
|
||||
+ As per RFC4419, this is 1024 bits, however this has increasingly
|
||||
+ been seen as insecure, which prompted the change to 2048 bits.
|
||||
+ Setting this option allows the client to accept parameters shorter
|
||||
+ than the current minimum, down to the RFC specified 1024 bits.
|
||||
+ Using this option may be needed when connecting to servers that
|
||||
+ only know short DH group parameters.
|
||||
+
|
||||
+ Note, that while by default this option is set to 1024 to maintain
|
||||
+ maximum backward compatibility, using it can severly impact
|
||||
+ security and thus should be viewed as a temporary fix of last
|
||||
+ resort and all efforts should be made to fix the (broken)
|
||||
+ counterparty.
|
||||
+
|
||||
LocalCommand
|
||||
Specifies a command to execute on the local machine after
|
||||
successfully connecting to the server. The command string
|
||||
extends to the end of the line, and is executed with the user's
|
||||
shell. Arguments to LocalCommand accept the tokens described in
|
||||
the TOKENS section.
|
||||
|
||||
The command is run synchronously and does not have access to the
|
||||
diff --git a/openssh-7.6p1/ssh_config.5 b/openssh-7.6p1/ssh_config.5
|
||||
--- a/openssh-7.6p1/ssh_config.5
|
||||
+++ b/openssh-7.6p1/ssh_config.5
|
||||
@@ -1016,16 +1016,32 @@ curve25519-sha256,curve25519-sha256@libs
|
||||
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
diffie-hellman-group-exchange-sha256,
|
||||
diffie-hellman-group-exchange-sha1,
|
||||
diffie-hellman-group14-sha1
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q kex .
|
||||
+.It Cm KexDHMin
|
||||
+Specifies the minimum accepted bit length of the DH group
|
||||
+parameter p.
|
||||
+.Pp
|
||||
+As per RFC4419, this is 1024 bits, however this has increasingly
|
||||
+been seen as insecure, which prompted the change to 2048 bits.
|
||||
+Setting this option allows the client to accept parameters shorter
|
||||
+than the current minimum, down to the RFC specified 1024 bits.
|
||||
+Using this option may be needed when connecting to servers that
|
||||
+only know short DH group parameters.
|
||||
+.Pp
|
||||
+Note, that while by default this option is set to 1024 to maintain
|
||||
+maximum backward compatibility, using it can severly impact
|
||||
+security and thus should be viewed as a temporary fix of last
|
||||
+resort and all efforts should be made to fix the (broken)
|
||||
+counterparty.
|
||||
.It Cm LocalCommand
|
||||
Specifies a command to execute on the local machine after successfully
|
||||
connecting to the server.
|
||||
The command string extends to the end of the line, and is executed with
|
||||
the user's shell.
|
||||
Arguments to
|
||||
.Cm LocalCommand
|
||||
accept the tokens described in the
|
||||
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
|
||||
--- a/openssh-7.6p1/sshd_config
|
||||
+++ b/openssh-7.6p1/sshd_config
|
||||
@@ -15,16 +15,21 @@
|
||||
#ListenAddress 0.0.0.0
|
||||
#ListenAddress ::
|
||||
|
||||
#HostKey /etc/ssh/ssh_host_rsa_key
|
||||
#HostKey /etc/ssh/ssh_host_dsa_key
|
||||
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
#HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
+# Minimum accepted size of the DH parameter p. By default this is set to 1024
|
||||
+# to maintain compatibility with RFC4419, but should be set higher.
|
||||
+# Upstream default is identical to setting this to 2048.
|
||||
+#KexDHMin 1024
|
||||
+
|
||||
# Ciphers and keying
|
||||
#RekeyLimit default none
|
||||
|
||||
# Logging
|
||||
#SyslogFacility AUTH
|
||||
#LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
diff --git a/openssh-7.6p1/sshd_config.0 b/openssh-7.6p1/sshd_config.0
|
||||
--- a/openssh-7.6p1/sshd_config.0
|
||||
+++ b/openssh-7.6p1/sshd_config.0
|
||||
@@ -532,16 +532,33 @@ DESCRIPTION
|
||||
curve25519-sha256,curve25519-sha256@libssh.org,
|
||||
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
diffie-hellman-group-exchange-sha256,
|
||||
diffie-hellman-group14-sha1
|
||||
|
||||
The list of available key exchange algorithms may also be
|
||||
obtained using "ssh -Q kex".
|
||||
|
||||
+ KexDHMin
|
||||
+ Specifies the minimum accepted bit length of the DH group
|
||||
+ parameter p.
|
||||
+
|
||||
+ As per RFC4419, this is 1024 bits, however this has increasingly
|
||||
+ been seen as insecure, which prompted the change to 2048 bits.
|
||||
+ Setting this option allows the server to accept parameters shorter
|
||||
+ than the current minimum, down to the RFC specified 1024 bits.
|
||||
+ Using this option may be needed when some of the connectiong
|
||||
+ clients only know short DH group parameters.
|
||||
+
|
||||
+ Note, that while by default this option is set to 1024 to maintain
|
||||
+ maximum backward compatibility, using it can severly impact
|
||||
+ security and thus should be viewed as a temporary fix of last
|
||||
+ resort and all efforts should be made to fix the (broken)
|
||||
+ counterparty.
|
||||
+
|
||||
ListenAddress
|
||||
Specifies the local addresses sshd(8) should listen on. The
|
||||
following forms may be used:
|
||||
|
||||
ListenAddress host|IPv4_addr|IPv6_addr
|
||||
ListenAddress host|IPv4_addr:port
|
||||
ListenAddress [host|IPv6_addr]:port
|
||||
|
||||
diff --git a/openssh-7.6p1/sshd_config.5 b/openssh-7.6p1/sshd_config.5
|
||||
--- a/openssh-7.6p1/sshd_config.5
|
||||
+++ b/openssh-7.6p1/sshd_config.5
|
||||
@@ -893,16 +893,32 @@ The default is:
|
||||
curve25519-sha256,curve25519-sha256@libssh.org,
|
||||
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
diffie-hellman-group-exchange-sha256,
|
||||
diffie-hellman-group14-sha1
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q kex .
|
||||
+.It Cm KexDHMin
|
||||
+Specifies the minimum accepted bit length of the DH group
|
||||
+parameter p.
|
||||
+.Pp
|
||||
+As per RFC4419, this is 1024 bits, however this has increasingly
|
||||
+been seen as insecure, which prompted the change to 2048 bits.
|
||||
+Setting this option allows the server to accept parameters shorter
|
||||
+than the current minimum, down to the RFC specified 1024 bits.
|
||||
+Using this option may be needed when some of the connectiong
|
||||
+clients only know short DH group parameters.
|
||||
+.Pp
|
||||
+Note, that while by default this option is set to 1024 to maintain
|
||||
+maximum backward compatibility, using it can severly impact
|
||||
+security and thus should be viewed as a temporary fix of last
|
||||
+resort and all efforts should be made to fix the (broken)
|
||||
+counterparty.
|
||||
.It Cm ListenAddress
|
||||
Specifies the local addresses
|
||||
.Xr sshd 8
|
||||
should listen on.
|
||||
The following forms may be used:
|
||||
.Pp
|
||||
.Bl -item -offset indent -compact
|
||||
.It
|
@ -1,27 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent 9797aecac98b26573a295fd75128b7c68dfc5aad
|
||||
fix paths and references in sshd man pages
|
||||
|
||||
diff --git a/openssh-7.6p1/Makefile.in b/openssh-7.6p1/Makefile.in
|
||||
--- a/openssh-7.6p1/Makefile.in
|
||||
+++ b/openssh-7.6p1/Makefile.in
|
||||
@@ -119,17 +119,18 @@ MANTYPE = @MANTYPE@
|
||||
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
|
||||
CONFIGFILES_IN=sshd_config ssh_config moduli
|
||||
|
||||
PATHSUBS = \
|
||||
-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
|
||||
-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
|
||||
-e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \
|
||||
-e 's|/usr/libexec|$(libexecdir)|g' \
|
||||
- -e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \
|
||||
+ -e 's|login\.conf|login.defs|g' \
|
||||
+ -e 's|/etc/shosts.equiv|$(sysconfdir)/ssh/shosts.equiv|g' \
|
||||
-e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \
|
||||
-e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \
|
||||
-e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \
|
||||
-e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \
|
||||
-e 's|/etc/ssh/ssh_host_ed25519_key|$(sysconfdir)/ssh_host_ed25519_key|g' \
|
||||
-e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \
|
||||
-e 's|/etc/moduli|$(sysconfdir)/moduli|g' \
|
||||
-e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \
|
@ -1,28 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent d47e806f23ad0649ef38b24e8cb9d5617e5d5d15
|
||||
# force PAM in defaullt install (this was removed from upstream in 3.8p1)
|
||||
# bnc#46749
|
||||
# --used to be called '-pam-fix2'
|
||||
|
||||
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
|
||||
--- a/openssh-7.6p1/sshd_config
|
||||
+++ b/openssh-7.6p1/sshd_config
|
||||
@@ -75,17 +75,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
# be allowed through the ChallengeResponseAuthentication and
|
||||
# PasswordAuthentication. Depending on your PAM configuration,
|
||||
# PAM authentication via ChallengeResponseAuthentication may bypass
|
||||
# the setting of "PermitRootLogin without-password".
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
-#UsePAM no
|
||||
+UsePAM yes
|
||||
|
||||
#AllowAgentForwarding yes
|
||||
#AllowTcpForwarding yes
|
||||
#GatewayPorts no
|
||||
X11Forwarding yes
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PermitTTY yes
|
File diff suppressed because it is too large
Load Diff
@ -1,520 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent 4ed7a1ce08460bfdb1ed5b57e6b45940eb7e7167
|
||||
#
|
||||
# Simple implementation of FIPS 140-2 selfchecks. Use OpenSSL to generate and
|
||||
# verify checksums of binaries. Any hash iused in OpenSSH can be used (MD5 would
|
||||
# obviously be a poor choice, since OpenSSL would barf and abort immediately in
|
||||
# FIPS mode). SHA-2 seems to be a reasonable choice.
|
||||
#
|
||||
# The logic of the checks is as follows: decide whether FIPS mode is mandated
|
||||
# (either by checking /proc/sys/crypto/fips_enabled or envoroinment variable
|
||||
# SSH_FORCE_FIPS. In FIPS mode, checksums are required to match (inability to
|
||||
# retrieve pre-calculated hash is a fatal error). In non-FIPS mode the checks
|
||||
# still must be performed, unless the hashes are not installed. Thus if the hash
|
||||
# file is not found (or the hash matches), proceed in non-FIPS mode and abort
|
||||
# otherwise.
|
||||
|
||||
diff --git a/openssh-7.6p1/fips-check.c b/openssh-7.6p1/fips-check.c
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-7.6p1/fips-check.c
|
||||
@@ -0,0 +1,34 @@
|
||||
+#include "includes.h"
|
||||
+#include <fcntl.h>
|
||||
+#include <limits.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <unistd.h>
|
||||
+
|
||||
+#include "digest.h"
|
||||
+#include "fips.h"
|
||||
+
|
||||
+#include <openssl/err.h>
|
||||
+
|
||||
+#define PROC_NAME_LEN 64
|
||||
+
|
||||
+static const char *argv0;
|
||||
+
|
||||
+void
|
||||
+print_help_exit(int ev)
|
||||
+{
|
||||
+ fprintf(stderr, "%s <-c|-w> <file> <checksum_file>\n", argv0);
|
||||
+ fprintf(stderr, " -c verify hash of 'file' against hash in 'checksum_file'\n");
|
||||
+ fprintf(stderr, " -w write hash of 'file' into 'checksum_file'\n");
|
||||
+ exit(ev);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+main(int argc, char **argv)
|
||||
+{
|
||||
+ fips_ssh_init();
|
||||
+ return 0;
|
||||
+}
|
||||
diff --git a/openssh-7.6p1/fips.c b/openssh-7.6p1/fips.c
|
||||
--- a/openssh-7.6p1/fips.c
|
||||
+++ b/openssh-7.6p1/fips.c
|
||||
@@ -30,41 +30,304 @@
|
||||
#include "dh.h"
|
||||
#include "digest.h"
|
||||
#include "kex.h"
|
||||
#include "key.h"
|
||||
#include "mac.h"
|
||||
#include "log.h"
|
||||
#include "xmalloc.h"
|
||||
|
||||
+#include <errno.h>
|
||||
+#include <fcntl.h>
|
||||
#include <string.h>
|
||||
+#include <string.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <unistd.h>
|
||||
#include <openssl/crypto.h>
|
||||
+#include <openssl/err.h>
|
||||
+#include <openssl/hmac.h>
|
||||
|
||||
/* import from dh.c */
|
||||
extern int dh_grp_min;
|
||||
|
||||
static int fips_state = -1;
|
||||
|
||||
+/* calculates HMAC of contents of a file given by filename using the hash
|
||||
+ * algorithm specified by FIPS_HMAC_EVP in fips.h and placing the result into
|
||||
+ * newly allacated memory - remember to free it when not needed anymore */
|
||||
+static int
|
||||
+hmac_file(const char *filename, u_char **hmac_out)
|
||||
+{
|
||||
+ int check = -1;
|
||||
+ int fd;
|
||||
+ struct stat fs;
|
||||
+ void *hmap;
|
||||
+ unsigned char *hmac;
|
||||
+ unsigned char *hmac_rv = NULL;
|
||||
+
|
||||
+ hmac = xmalloc(FIPS_HMAC_LEN);
|
||||
+
|
||||
+ fd = open(filename, O_RDONLY);
|
||||
+ if (-1 == fd)
|
||||
+ goto bail_out;
|
||||
+
|
||||
+ if (-1 == fstat(fd, &fs))
|
||||
+ goto bail_out;
|
||||
+
|
||||
+ hmap = mmap(NULL, fs.st_size, PROT_READ, MAP_SHARED, fd, 0);
|
||||
+
|
||||
+ if ((void *)(-1) != hmap) {
|
||||
+ hmac_rv = HMAC(FIPS_HMAC_EVP(), FIPS_HMAC_KEY
|
||||
+ , strlen(FIPS_HMAC_KEY), hmap, fs.st_size, hmac, NULL);
|
||||
+ check = CHECK_OK;
|
||||
+ munmap(hmap, fs.st_size);
|
||||
+ }
|
||||
+ close(fd);
|
||||
+
|
||||
+bail_out:
|
||||
+ if (hmac_rv) {
|
||||
+ check = CHECK_OK;
|
||||
+ *hmac_out = hmac;
|
||||
+ } else {
|
||||
+ check = CHECK_FAIL;
|
||||
+ *hmac_out = NULL;
|
||||
+ free(hmac);
|
||||
+ }
|
||||
+ return check;
|
||||
+}
|
||||
+
|
||||
+/* find pathname of binary of process with PID pid. exe is buffer expected to
|
||||
+ * be capable of holding at least max_pathlen characters
|
||||
+ */
|
||||
+static int
|
||||
+get_executable_path(pid_t pid, char *exe, int max_pathlen)
|
||||
+{
|
||||
+ char exe_sl[PROC_EXE_PATH_LEN];
|
||||
+ int n;
|
||||
+ int rv = -1;
|
||||
+
|
||||
+ n = snprintf(exe_sl, sizeof(exe_sl), "/proc/%u/exe", pid);
|
||||
+ if ((n <= 10) || (n >= max_pathlen)) {
|
||||
+ fatal("error compiling filename of link to executable");
|
||||
+ }
|
||||
+
|
||||
+ exe[0] = 0;
|
||||
+ n = readlink(exe_sl, exe, max_pathlen);
|
||||
+ /* the file doesn't need to exist - procfs might not be mounted in
|
||||
+ * chroot */
|
||||
+ if (n == -1) {
|
||||
+ rv = CHECK_MISSING;
|
||||
+ } else {
|
||||
+ if (n < max_pathlen) {
|
||||
+ exe[n] = 0;
|
||||
+ rv = CHECK_OK;
|
||||
+ } else {
|
||||
+ rv = CHECK_FAIL;
|
||||
+ }
|
||||
+ }
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+/* Read HMAC from file chk, allocating enough memory to hold the HMAC and
|
||||
+ * return it in *hmac.
|
||||
+ * Remember to free() it when it's not needed anymore.
|
||||
+ */
|
||||
+static int
|
||||
+read_hmac(const char *chk, u_char **hmac)
|
||||
+{
|
||||
+ int check = -1;
|
||||
+ int fdh, n;
|
||||
+ u_char *hmac_in;
|
||||
+
|
||||
+ *hmac = NULL;
|
||||
+
|
||||
+ fdh = open(chk, O_RDONLY);
|
||||
+ if (-1 == fdh) {
|
||||
+ switch (errno) {
|
||||
+ case ENOENT:
|
||||
+ check = CHECK_MISSING;
|
||||
+ debug("fips: checksum file %s is missing\n", chk);
|
||||
+ break;
|
||||
+ default:
|
||||
+ check = CHECK_FAIL;
|
||||
+ debug("fips: ckecksum file %s not accessible\n", chk);
|
||||
+ break;
|
||||
+
|
||||
+ }
|
||||
+ goto bail_out;
|
||||
+ }
|
||||
+
|
||||
+ hmac_in = xmalloc(FIPS_HMAC_LEN);
|
||||
+
|
||||
+ n = read(fdh, (void *)hmac_in, FIPS_HMAC_LEN);
|
||||
+ if (FIPS_HMAC_LEN != n) {
|
||||
+ debug("fips: unable to read whole checksum from checksum file\n");
|
||||
+ free (hmac_in);
|
||||
+ check = CHECK_FAIL;
|
||||
+ } else {
|
||||
+ check = CHECK_OK;
|
||||
+ *hmac = hmac_in;
|
||||
+ }
|
||||
+bail_out:
|
||||
+ return check;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+fips_hmac_self(void)
|
||||
+{
|
||||
+ int check = -1;
|
||||
+ u_char *hmac = NULL, *hmac_chk = NULL;
|
||||
+ char *exe, *chk;
|
||||
+
|
||||
+ exe = xmalloc(PATH_MAX);
|
||||
+ chk = xmalloc(PATH_MAX);
|
||||
+
|
||||
+ /* we will need to add the suffix and the null terminator */
|
||||
+ check = get_executable_path(getpid(), exe
|
||||
+ , PATH_MAX - strlen(CHECKSUM_SUFFIX) - 1);
|
||||
+ if (CHECK_OK != check)
|
||||
+ goto cleanup;
|
||||
+
|
||||
+ strncpy(chk, exe, PATH_MAX);
|
||||
+ strlcat(chk, CHECKSUM_SUFFIX, PATH_MAX);
|
||||
+
|
||||
+ check = read_hmac(chk, &hmac_chk);
|
||||
+ if (CHECK_OK != check)
|
||||
+ goto cleanup;
|
||||
+
|
||||
+ check = hmac_file(exe, &hmac);
|
||||
+ if (CHECK_OK != check)
|
||||
+ goto cleanup;
|
||||
+
|
||||
+ check = memcmp(hmac, hmac_chk, FIPS_HMAC_LEN);
|
||||
+ if (0 == check) {
|
||||
+ check = CHECK_OK;
|
||||
+ debug("fips: checksum matches\n");
|
||||
+ } else {
|
||||
+ check = CHECK_FAIL;
|
||||
+ debug("fips: checksum mismatch!\n");
|
||||
+ }
|
||||
+
|
||||
+cleanup:
|
||||
+ free(hmac);
|
||||
+ free(hmac_chk);
|
||||
+ free(chk);
|
||||
+ free(exe);
|
||||
+
|
||||
+ return check;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+fips_check_required_proc(void)
|
||||
+{
|
||||
+ int fips_required = 0;
|
||||
+ int fips_fd;
|
||||
+ char fips_sys = 0;
|
||||
+
|
||||
+ struct stat dummy;
|
||||
+ if (-1 == stat(FIPS_PROC_PATH, &dummy)) {
|
||||
+ switch (errno) {
|
||||
+ case ENOENT:
|
||||
+ case ENOTDIR:
|
||||
+ break;
|
||||
+ default:
|
||||
+ fatal("Check for system-wide FIPS mode is required and %s cannot"
|
||||
+ " be accessed for reason other than non-existence - aborting"
|
||||
+ , FIPS_PROC_PATH);
|
||||
+ break;
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (-1 == (fips_fd = open(FIPS_PROC_PATH, O_RDONLY)))
|
||||
+ fatal("Check for system-wide FIPS mode is required and %s cannot"
|
||||
+ " be opened for reading - aborting"
|
||||
+ , FIPS_PROC_PATH);
|
||||
+ if (1 > read(fips_fd, &fips_sys, 1))
|
||||
+ fatal("Check for system-wide FIPS mode is required and %s doesn't"
|
||||
+ " return at least one character - aborting"
|
||||
+ , FIPS_PROC_PATH);
|
||||
+ close(fips_sys);
|
||||
+ switch (fips_sys) {
|
||||
+ case '0':
|
||||
+ case '1':
|
||||
+ fips_required = fips_sys - '0';
|
||||
+ break;
|
||||
+ default:
|
||||
+ fatal("Bogus character %c found in %s - aborting"
|
||||
+ , fips_sys, FIPS_PROC_PATH);
|
||||
+ }
|
||||
+ }
|
||||
+ return fips_required;
|
||||
+}
|
||||
+
|
||||
static int
|
||||
fips_check_required_env(void)
|
||||
{
|
||||
- int fips_required = 0;
|
||||
- char *env = getenv(SSH_FORCE_FIPS_ENV);
|
||||
+ return (NULL != getenv(SSH_FORCE_FIPS_ENV));
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+fips_required(void)
|
||||
+{
|
||||
+ int fips_requests = 0;
|
||||
+ fips_requests += fips_check_required_proc();
|
||||
+ fips_requests += fips_check_required_env();
|
||||
+ return fips_requests;
|
||||
+}
|
||||
+
|
||||
+/* check whether FIPS mode is required and perform selfchecksum/selftest */
|
||||
+void
|
||||
+fips_ssh_init(void)
|
||||
+{
|
||||
+ int checksum;
|
||||
+
|
||||
+ checksum = fips_hmac_self();
|
||||
|
||||
- if (env) {
|
||||
- errno = 0;
|
||||
- fips_required = strtol(env, NULL, 10);
|
||||
- if (errno) {
|
||||
- debug("bogus value in the %s environment variable, ignoring\n"
|
||||
- , SSH_FORCE_FIPS_ENV);
|
||||
- fips_required = 0;
|
||||
- } else
|
||||
- fips_required = 1;
|
||||
- }
|
||||
- return fips_required;
|
||||
+ if (fips_required()) {
|
||||
+ switch (checksum) {
|
||||
+ case CHECK_OK:
|
||||
+ debug("fips: mandatory checksum ok");
|
||||
+ break;
|
||||
+ case CHECK_FAIL:
|
||||
+ fatal("fips: mandatory checksum failed - aborting");
|
||||
+ break;
|
||||
+ case CHECK_MISSING:
|
||||
+ fatal("fips: mandatory checksum data missing - aborting");
|
||||
+ break;
|
||||
+ default:
|
||||
+ fatal("Fatal error: internal error at %s:%u"
|
||||
+ , __FILE__, __LINE__);
|
||||
+ break;
|
||||
+ }
|
||||
+ fips_state = FIPS_mode_set(1);
|
||||
+ if (1 != fips_state) {
|
||||
+ ERR_load_crypto_strings();
|
||||
+ u_long err = ERR_get_error();
|
||||
+ error("fips: OpenSSL error %lx: %s"
|
||||
+ , err, ERR_error_string(err, NULL));
|
||||
+ fatal("fips: unable to set OpenSSL into FIPS mode - aborting");
|
||||
+ }
|
||||
+ } else {
|
||||
+ switch (checksum) {
|
||||
+ case CHECK_OK:
|
||||
+ debug("fips: checksum ok");
|
||||
+ break;
|
||||
+ case CHECK_FAIL:
|
||||
+ fatal("fips: checksum failed - aborting");
|
||||
+ break;
|
||||
+ case CHECK_MISSING:
|
||||
+ debug("fips: checksum data missing, but not required - continuing non-FIPS");
|
||||
+ break;
|
||||
+ default:
|
||||
+ fatal("Fatal error: internal error at %s:%u",
|
||||
+ __FILE__, __LINE__);
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ return;
|
||||
}
|
||||
|
||||
int
|
||||
fips_mode(void)
|
||||
{
|
||||
if (-1 == fips_state) {
|
||||
fips_state = FIPS_mode();
|
||||
if (fips_state)
|
||||
diff --git a/openssh-7.6p1/fips.h b/openssh-7.6p1/fips.h
|
||||
--- a/openssh-7.6p1/fips.h
|
||||
+++ b/openssh-7.6p1/fips.h
|
||||
@@ -1,10 +1,10 @@
|
||||
/*
|
||||
- * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
+ * Copyright (c) 2012-2014 Petr Cerny. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
@@ -22,23 +22,38 @@
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
#ifndef FIPS_H
|
||||
#define FIPS_H
|
||||
|
||||
#include "key.h"
|
||||
|
||||
#define SSH_FORCE_FIPS_ENV "SSH_FORCE_FIPS"
|
||||
+#define FIPS_PROC_PATH "/proc/sys/crypto/fips_enabled"
|
||||
+
|
||||
+#define PROC_EXE_PATH_LEN 64
|
||||
+#define CHECKSUM_SUFFIX ".hmac"
|
||||
+#define FIPS_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
|
||||
+#define FIPS_HMAC_EVP EVP_sha256
|
||||
+#define FIPS_HMAC_LEN 32
|
||||
+
|
||||
+void fips_ssh_init(void);
|
||||
|
||||
typedef enum {
|
||||
FIPS_FILTER_CIPHERS,
|
||||
FIPS_FILTER_MACS,
|
||||
FIPS_FILTER_KEX_ALGS
|
||||
} fips_filters;
|
||||
|
||||
+typedef enum {
|
||||
+ CHECK_OK = 0,
|
||||
+ CHECK_FAIL,
|
||||
+ CHECK_MISSING
|
||||
+} fips_checksum_status;
|
||||
+
|
||||
int fips_mode(void);
|
||||
int fips_correct_dgst(int);
|
||||
int fips_dgst_min(void);
|
||||
int fips_dh_grp_min(void);
|
||||
enum fp_type fips_correct_fp_type(enum fp_type);
|
||||
int fips_filter_crypto(char **, fips_filters);
|
||||
|
||||
#endif
|
||||
diff --git a/openssh-7.6p1/sftp-server.c b/openssh-7.6p1/sftp-server.c
|
||||
--- a/openssh-7.6p1/sftp-server.c
|
||||
+++ b/openssh-7.6p1/sftp-server.c
|
||||
@@ -46,16 +46,18 @@
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
#include "match.h"
|
||||
#include "uidswap.h"
|
||||
|
||||
#include "sftp.h"
|
||||
#include "sftp-common.h"
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
/* Our verbosity */
|
||||
static LogLevel log_level = SYSLOG_LEVEL_ERROR;
|
||||
|
||||
/* Our client */
|
||||
static struct passwd *pw = NULL;
|
||||
static char *client_addr = NULL;
|
||||
|
||||
/* input and output queue */
|
||||
@@ -1504,16 +1506,19 @@ sftp_server_main(int argc, char **argv,
|
||||
ssize_t len, olen, set_size;
|
||||
SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
|
||||
char *cp, *homedir = NULL, buf[4*4096];
|
||||
long mask;
|
||||
|
||||
extern char *optarg;
|
||||
extern char *__progname;
|
||||
|
||||
+ /* initialize fips */
|
||||
+ fips_ssh_init();
|
||||
+
|
||||
ssh_malloc_init(); /* must be called before any mallocs */
|
||||
__progname = ssh_get_progname(argv[0]);
|
||||
log_init(__progname, log_level, log_facility, log_stderr);
|
||||
|
||||
pw = pwcopy(user_pw);
|
||||
|
||||
while (!skipargs && (ch = getopt(argc, argv,
|
||||
"d:f:l:P:p:Q:u:cehR")) != -1) {
|
||||
diff --git a/openssh-7.6p1/ssh.c b/openssh-7.6p1/ssh.c
|
||||
--- a/openssh-7.6p1/ssh.c
|
||||
+++ b/openssh-7.6p1/ssh.c
|
||||
@@ -518,16 +518,20 @@ main(int ac, char **av)
|
||||
struct passwd *pw;
|
||||
extern int optind, optreset;
|
||||
extern char *optarg;
|
||||
struct Forward fwd;
|
||||
struct addrinfo *addrs = NULL;
|
||||
struct ssh_digest_ctx *md;
|
||||
u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
|
||||
|
||||
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
|
||||
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
|
||||
+ fips_ssh_init();
|
||||
+
|
||||
ssh_malloc_init(); /* must be called before any mallocs */
|
||||
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
||||
sanitise_stdfd();
|
||||
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
|
||||
#ifndef HAVE_SETPROCTITLE
|
||||
/* Prepare for later setproctitle emulation */
|
||||
diff --git a/openssh-7.6p1/sshd.c b/openssh-7.6p1/sshd.c
|
||||
--- a/openssh-7.6p1/sshd.c
|
||||
+++ b/openssh-7.6p1/sshd.c
|
||||
@@ -1367,16 +1367,20 @@ main(int ac, char **av)
|
||||
u_int64_t ibytes, obytes;
|
||||
mode_t new_umask;
|
||||
struct sshkey *key;
|
||||
struct sshkey *pubkey;
|
||||
int keytype;
|
||||
Authctxt *authctxt;
|
||||
struct connection_info *connection_info = get_connection_info(0, 0);
|
||||
|
||||
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
|
||||
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
|
||||
+ fips_ssh_init();
|
||||
+
|
||||
ssh_malloc_init(); /* must be called before any mallocs */
|
||||
|
||||
#ifdef HAVE_SECUREWARE
|
||||
(void)set_auth_parameters(ac, av);
|
||||
#endif
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
|
||||
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
@ -1,145 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent e4a7e5799420a3d4b8047c5984c75c4bd4331951
|
||||
# -- uset do be called '-xauthlocalhostname'
|
||||
handle hostname changes when forwarding X
|
||||
|
||||
bnc#98627
|
||||
|
||||
diff --git a/openssh-7.6p1/session.c b/openssh-7.6p1/session.c
|
||||
--- a/openssh-7.6p1/session.c
|
||||
+++ b/openssh-7.6p1/session.c
|
||||
@@ -953,17 +953,17 @@ copy_environment_blacklist(char **source
|
||||
|
||||
void
|
||||
copy_environment(char **source, char ***env, u_int *envsize)
|
||||
{
|
||||
copy_environment_blacklist(source, env, envsize, NULL);
|
||||
}
|
||||
|
||||
static char **
|
||||
-do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
||||
+do_setup_env(struct ssh *ssh, Session *s, const char *shell, int *env_size)
|
||||
{
|
||||
char buf[256];
|
||||
u_int i, envsize;
|
||||
char **env, *laddr;
|
||||
struct passwd *pw = s->pw;
|
||||
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
|
||||
char *path = NULL;
|
||||
#endif
|
||||
@@ -1142,25 +1142,27 @@ do_setup_env(struct ssh *ssh, Session *s
|
||||
read_environment_file(&env, &envsize, buf);
|
||||
}
|
||||
if (debug_flag) {
|
||||
/* dump the environment */
|
||||
fprintf(stderr, "Environment:\n");
|
||||
for (i = 0; env[i]; i++)
|
||||
fprintf(stderr, " %.200s\n", env[i]);
|
||||
}
|
||||
+
|
||||
+ *env_size = envsize;
|
||||
return env;
|
||||
}
|
||||
|
||||
/*
|
||||
* Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found
|
||||
* first in this order).
|
||||
*/
|
||||
static void
|
||||
-do_rc_files(Session *s, const char *shell)
|
||||
+do_rc_files(Session *s, const char *shell, char **env, int *env_size)
|
||||
{
|
||||
FILE *f = NULL;
|
||||
char cmd[1024];
|
||||
int do_xauth;
|
||||
struct stat st;
|
||||
|
||||
do_xauth =
|
||||
s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
|
||||
@@ -1205,22 +1207,30 @@ do_rc_files(Session *s, const char *shel
|
||||
"%.500s add %.100s %.100s %.100s\n",
|
||||
options.xauth_location, s->auth_display,
|
||||
s->auth_proto, s->auth_data);
|
||||
}
|
||||
snprintf(cmd, sizeof cmd, "%s -q -",
|
||||
options.xauth_location);
|
||||
f = popen(cmd, "w");
|
||||
if (f) {
|
||||
+ char hostname[MAXHOSTNAMELEN];
|
||||
+
|
||||
fprintf(f, "remove %s\n",
|
||||
s->auth_display);
|
||||
fprintf(f, "add %s %s %s\n",
|
||||
s->auth_display, s->auth_proto,
|
||||
s->auth_data);
|
||||
pclose(f);
|
||||
+ if (gethostname(hostname,sizeof(hostname)) >= 0)
|
||||
+ child_set_env(&env,env_size,"XAUTHLOCALHOSTNAME",
|
||||
+ hostname);
|
||||
+ else
|
||||
+ debug("Cannot set up XAUTHLOCALHOSTNAME %s\n",
|
||||
+ strerror(errno));
|
||||
} else {
|
||||
fprintf(stderr, "Could not run %s\n",
|
||||
cmd);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -1461,16 +1471,17 @@ child_close_fds(struct ssh *ssh)
|
||||
* ids, and executing the command or shell.
|
||||
*/
|
||||
#define ARGV_MAX 10
|
||||
void
|
||||
do_child(struct ssh *ssh, Session *s, const char *command)
|
||||
{
|
||||
extern char **environ;
|
||||
char **env;
|
||||
+ int env_size;
|
||||
char *argv[ARGV_MAX];
|
||||
const char *shell, *shell0;
|
||||
struct passwd *pw = s->pw;
|
||||
int r = 0;
|
||||
|
||||
/* remove hostkey from the child's memory */
|
||||
destroy_sensitive_data();
|
||||
packet_clear_keys();
|
||||
@@ -1522,17 +1533,17 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
* legal, and means /bin/sh.
|
||||
*/
|
||||
shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
|
||||
|
||||
/*
|
||||
* Make sure $SHELL points to the shell from the password file,
|
||||
* even if shell is overridden from login.conf
|
||||
*/
|
||||
- env = do_setup_env(ssh, s, shell);
|
||||
+ env = do_setup_env(ssh, s, shell, &env_size);
|
||||
|
||||
#ifdef HAVE_LOGIN_CAP
|
||||
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Close the connection descriptors; note that this is the child, and
|
||||
* the server will still have the socket open, and it is important
|
||||
@@ -1586,17 +1597,17 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
strerror(errno));
|
||||
}
|
||||
if (r)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
closefrom(STDERR_FILENO + 1);
|
||||
|
||||
- do_rc_files(s, shell);
|
||||
+ do_rc_files(s, shell, env, &env_size);
|
||||
|
||||
/* restore SIGPIPE for child */
|
||||
signal(SIGPIPE, SIG_DFL);
|
||||
|
||||
if (s->is_subsystem == SUBSYSTEM_INT_SFTP_ERROR) {
|
||||
printf("This service allows sftp connections only.\n");
|
||||
fflush(NULL);
|
||||
exit(1);
|
@ -1,26 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent b26f93cf21e4cfff1212ad2e61696ad099cfaf5e
|
||||
# set uid for functions that use it to seek in lastlog and wtmp files
|
||||
# bnc#18024 (was suse #3024)
|
||||
|
||||
diff --git a/openssh-7.6p1/sshlogin.c b/openssh-7.6p1/sshlogin.c
|
||||
--- a/openssh-7.6p1/sshlogin.c
|
||||
+++ b/openssh-7.6p1/sshlogin.c
|
||||
@@ -129,16 +129,17 @@ record_login(pid_t pid, const char *tty,
|
||||
{
|
||||
struct logininfo *li;
|
||||
|
||||
/* save previous login details before writing new */
|
||||
store_lastlog_message(user, uid);
|
||||
|
||||
li = login_alloc_entry(pid, user, host, tty);
|
||||
login_set_addr(li, addr, addrlen);
|
||||
+ li->uid = uid;
|
||||
login_login(li);
|
||||
login_free_entry(li);
|
||||
}
|
||||
|
||||
#ifdef LOGIN_NEEDS_UTMPX
|
||||
void
|
||||
record_utmp_only(pid_t pid, const char *ttyname, const char *user,
|
||||
const char *host, struct sockaddr *addr, socklen_t addrlen)
|
@ -1,229 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent ee0459c1b5173da57f9b3a6e62b232dcf9b3a029
|
||||
new option UsePAMCheckLocks to enforce checking for locked accounts while
|
||||
UsePAM is used
|
||||
|
||||
bnc#708678, FATE#312033
|
||||
|
||||
diff --git a/openssh-7.6p1/auth.c b/openssh-7.6p1/auth.c
|
||||
--- a/openssh-7.6p1/auth.c
|
||||
+++ b/openssh-7.6p1/auth.c
|
||||
@@ -105,17 +105,17 @@ allowed_user(struct passwd * pw)
|
||||
struct spwd *spw = NULL;
|
||||
#endif
|
||||
|
||||
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
|
||||
if (!pw || !pw->pw_name)
|
||||
return 0;
|
||||
|
||||
#ifdef USE_SHADOW
|
||||
- if (!options.use_pam)
|
||||
+ if (!options.use_pam || options.use_pam_check_locks)
|
||||
spw = getspnam(pw->pw_name);
|
||||
#ifdef HAS_SHADOW_EXPIRE
|
||||
if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
|
||||
return 0;
|
||||
#endif /* HAS_SHADOW_EXPIRE */
|
||||
#endif /* USE_SHADOW */
|
||||
|
||||
/* grab passwd field for locked account check */
|
||||
@@ -125,17 +125,17 @@ allowed_user(struct passwd * pw)
|
||||
#ifdef USE_LIBIAF
|
||||
passwd = get_iaf_password(pw);
|
||||
#else
|
||||
passwd = spw->sp_pwdp;
|
||||
#endif /* USE_LIBIAF */
|
||||
#endif
|
||||
|
||||
/* check for locked account */
|
||||
- if (!options.use_pam && passwd && *passwd) {
|
||||
+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
|
||||
int locked = 0;
|
||||
|
||||
#ifdef LOCKED_PASSWD_STRING
|
||||
if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
|
||||
locked = 1;
|
||||
#endif
|
||||
#ifdef LOCKED_PASSWD_PREFIX
|
||||
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
|
||||
diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
||||
--- a/openssh-7.6p1/servconf.c
|
||||
+++ b/openssh-7.6p1/servconf.c
|
||||
@@ -69,16 +69,17 @@ extern Buffer cfg;
|
||||
|
||||
void
|
||||
initialize_server_options(ServerOptions *options)
|
||||
{
|
||||
memset(options, 0, sizeof(*options));
|
||||
|
||||
/* Portable-specific options */
|
||||
options->use_pam = -1;
|
||||
+ options->use_pam_check_locks = -1;
|
||||
|
||||
/* Standard Options */
|
||||
options->num_ports = 0;
|
||||
options->ports_from_cmdline = 0;
|
||||
options->queued_listen_addrs = NULL;
|
||||
options->num_queued_listens = 0;
|
||||
options->listen_addrs = NULL;
|
||||
options->address_family = -1;
|
||||
@@ -191,16 +192,18 @@ assemble_algorithms(ServerOptions *o)
|
||||
void
|
||||
fill_default_server_options(ServerOptions *options)
|
||||
{
|
||||
int i;
|
||||
|
||||
/* Portable-specific options */
|
||||
if (options->use_pam == -1)
|
||||
options->use_pam = 0;
|
||||
+ if (options->use_pam_check_locks == -1)
|
||||
+ options->use_pam_check_locks = 0;
|
||||
|
||||
/* Standard Options */
|
||||
if (options->num_host_key_files == 0) {
|
||||
/* fill default hostkeys for protocols */
|
||||
options->host_key_files[options->num_host_key_files++] =
|
||||
_PATH_HOST_RSA_KEY_FILE;
|
||||
options->host_key_files[options->num_host_key_files++] =
|
||||
_PATH_HOST_DSA_KEY_FILE;
|
||||
@@ -382,17 +385,17 @@ fill_default_server_options(ServerOption
|
||||
#endif
|
||||
|
||||
}
|
||||
|
||||
/* Keyword tokens. */
|
||||
typedef enum {
|
||||
sBadOption, /* == unknown option */
|
||||
/* Portable-specific options */
|
||||
- sUsePAM,
|
||||
+ sUsePAM, sUsePAMChecklocks,
|
||||
/* Standard Options */
|
||||
sPort, sHostKeyFile, sLoginGraceTime,
|
||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||
sKerberosGetAFSToken,
|
||||
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||
@@ -433,18 +436,20 @@ typedef enum {
|
||||
static struct {
|
||||
const char *name;
|
||||
ServerOpCodes opcode;
|
||||
u_int flags;
|
||||
} keywords[] = {
|
||||
/* Portable-specific options */
|
||||
#ifdef USE_PAM
|
||||
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
|
||||
+ { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
|
||||
#else
|
||||
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
|
||||
+ { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
|
||||
/* Standard Options */
|
||||
{ "port", sPort, SSHCFG_GLOBAL },
|
||||
{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
|
||||
{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
|
||||
{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
|
||||
{ "pidfile", sPidFile, SSHCFG_GLOBAL },
|
||||
@@ -1040,16 +1045,19 @@ process_server_config_line(ServerOptions
|
||||
}
|
||||
}
|
||||
|
||||
switch (opcode) {
|
||||
/* Portable-specific options */
|
||||
case sUsePAM:
|
||||
intptr = &options->use_pam;
|
||||
goto parse_flag;
|
||||
+ case sUsePAMChecklocks:
|
||||
+ intptr = &options->use_pam_check_locks;
|
||||
+ goto parse_flag;
|
||||
|
||||
/* Standard Options */
|
||||
case sBadOption:
|
||||
return -1;
|
||||
case sPort:
|
||||
/* ignore ports from configfile if cmdline specifies ports */
|
||||
if (options->ports_from_cmdline)
|
||||
return 0;
|
||||
diff --git a/openssh-7.6p1/servconf.h b/openssh-7.6p1/servconf.h
|
||||
--- a/openssh-7.6p1/servconf.h
|
||||
+++ b/openssh-7.6p1/servconf.h
|
||||
@@ -168,16 +168,17 @@ typedef struct {
|
||||
*/
|
||||
|
||||
u_int num_authkeys_files; /* Files containing public keys */
|
||||
char *authorized_keys_files[MAX_AUTHKEYS_FILES];
|
||||
|
||||
char *adm_forced_command;
|
||||
|
||||
int use_pam; /* Enable auth via PAM */
|
||||
+ int use_pam_check_locks; /* internally check for locked accounts even when using PAM */
|
||||
|
||||
int permit_tun;
|
||||
|
||||
char **permitted_opens;
|
||||
u_int num_permitted_opens; /* May also be one of PERMITOPEN_* */
|
||||
|
||||
char *chroot_directory;
|
||||
char *revoked_keys_file;
|
||||
diff --git a/openssh-7.6p1/sshd_config.0 b/openssh-7.6p1/sshd_config.0
|
||||
--- a/openssh-7.6p1/sshd_config.0
|
||||
+++ b/openssh-7.6p1/sshd_config.0
|
||||
@@ -901,16 +901,24 @@ DESCRIPTION
|
||||
|
||||
Because PAM challenge-response authentication usually serves an
|
||||
equivalent role to password authentication, you should disable
|
||||
either PasswordAuthentication or ChallengeResponseAuthentication.
|
||||
|
||||
If UsePAM is enabled, you will not be able to run sshd(8) as a
|
||||
non-root user. The default is no.
|
||||
|
||||
+ UsePAMCheckLocks
|
||||
+ When set to ``yes'', the checks whether the account has been
|
||||
+ locked with `passwd -l' are performed even when PAM authentication
|
||||
+ is enabled via UsePAM. This is to ensure that it is not possible
|
||||
+ to log in with e.g. a public key (in such a case PAM is used only
|
||||
+ to set up the session and some PAM modules will not check whether
|
||||
+ the account is locked in this scenario). The default is ``no''.
|
||||
+
|
||||
VersionAddendum
|
||||
Optionally specifies additional text to append to the SSH
|
||||
protocol banner sent by the server upon connection. The default
|
||||
is none.
|
||||
|
||||
X11DisplayOffset
|
||||
Specifies the first display number available for sshd(8)'s X11
|
||||
forwarding. This prevents sshd from interfering with real X11
|
||||
diff --git a/openssh-7.6p1/sshd_config.5 b/openssh-7.6p1/sshd_config.5
|
||||
--- a/openssh-7.6p1/sshd_config.5
|
||||
+++ b/openssh-7.6p1/sshd_config.5
|
||||
@@ -1496,16 +1496,28 @@ or
|
||||
.Pp
|
||||
If
|
||||
.Cm UsePAM
|
||||
is enabled, you will not be able to run
|
||||
.Xr sshd 8
|
||||
as a non-root user.
|
||||
The default is
|
||||
.Cm no .
|
||||
+.It Cm UsePAMCheckLocks
|
||||
+When set to
|
||||
+.Dq yes
|
||||
+, the checks whether the account has been locked with
|
||||
+.Pa passwd -l
|
||||
+are performed even when PAM authentication is enabled via
|
||||
+.Cm UsePAM .
|
||||
+This is to ensure that it is not possible to log in with e.g. a
|
||||
+public key (in such a case PAM is used only to set up the session and some PAM
|
||||
+modules will not check whether the account is locked in this scenario). The
|
||||
+default is
|
||||
+.Dq no .
|
||||
.It Cm VersionAddendum
|
||||
Optionally specifies additional text to append to the SSH protocol banner
|
||||
sent by the server upon connection.
|
||||
The default is
|
||||
.Cm none .
|
||||
.It Cm X11DisplayOffset
|
||||
Specifies the first display number available for
|
||||
.Xr sshd 8 Ns 's
|
@ -1,49 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent 6dd892b74f13d258dc1bb3a70db7397dfb46c5e0
|
||||
# use same lines naming as utempter (prevents problems with using different
|
||||
# formats in ?tmp? files)
|
||||
# --used to be called '-pts'
|
||||
|
||||
diff --git a/openssh-7.6p1/loginrec.c b/openssh-7.6p1/loginrec.c
|
||||
--- a/openssh-7.6p1/loginrec.c
|
||||
+++ b/openssh-7.6p1/loginrec.c
|
||||
@@ -541,17 +541,17 @@ getlast_entry(struct logininfo *li)
|
||||
/*
|
||||
* 'line' string utility functions
|
||||
*
|
||||
* These functions process the 'line' string into one of three forms:
|
||||
*
|
||||
* 1. The full filename (including '/dev')
|
||||
* 2. The stripped name (excluding '/dev')
|
||||
* 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00
|
||||
- * /dev/pts/1 -> ts/1 )
|
||||
+ * /dev/pts/1 -> /1 )
|
||||
*
|
||||
* Form 3 is used on some systems to identify a .tmp.? entry when
|
||||
* attempting to remove it. Typically both addition and removal is
|
||||
* performed by one application - say, sshd - so as long as the choice
|
||||
* uniquely identifies a terminal it's ok.
|
||||
*/
|
||||
|
||||
|
||||
@@ -602,16 +602,20 @@ line_abbrevname(char *dst, const char *s
|
||||
/* Always skip prefix if present */
|
||||
if (strncmp(src, "/dev/", 5) == 0)
|
||||
src += 5;
|
||||
|
||||
#ifdef WITH_ABBREV_NO_TTY
|
||||
if (strncmp(src, "tty", 3) == 0)
|
||||
src += 3;
|
||||
#endif
|
||||
+ if (strncmp(src, "pts/", 4) == 0) {
|
||||
+ src += 3;
|
||||
+ if (strlen(src) > 4) src++;
|
||||
+ }
|
||||
|
||||
len = strlen(src);
|
||||
|
||||
if (len > 0) {
|
||||
if (((int)len - dstsize) > 0)
|
||||
src += ((int)len - dstsize);
|
||||
|
||||
/* note: _don't_ change this to strlcpy */
|
@ -1,55 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent 2c6d52d1229cbfd1cd4b7b356bb649470df4d3b3
|
||||
# --used to be called '-xauth'
|
||||
try to remove xauth cookies on logout
|
||||
|
||||
bnc#98815
|
||||
|
||||
diff --git a/openssh-7.6p1/session.c b/openssh-7.6p1/session.c
|
||||
--- a/openssh-7.6p1/session.c
|
||||
+++ b/openssh-7.6p1/session.c
|
||||
@@ -2294,16 +2294,44 @@ session_close(struct ssh *ssh, Session *
|
||||
u_int i;
|
||||
|
||||
verbose("Close session: user %s from %.200s port %d id %d",
|
||||
s->pw->pw_name,
|
||||
ssh_remote_ipaddr(ssh),
|
||||
ssh_remote_port(ssh),
|
||||
s->self);
|
||||
|
||||
+ if ((s->display != NULL) && (s->auth_proto != NULL) &&
|
||||
+ (s->auth_data != NULL) && (options.xauth_location != NULL)) {
|
||||
+ pid_t pid;
|
||||
+ FILE *f;
|
||||
+ char cmd[1024];
|
||||
+ struct passwd * pw = s->pw;
|
||||
+
|
||||
+ if (!(pid = fork())) {
|
||||
+ permanently_set_uid(pw);
|
||||
+
|
||||
+ /* Remove authority data from .Xauthority if appropriate. */
|
||||
+ debug("Running %.500s remove %.100s\n",
|
||||
+ options.xauth_location, s->auth_display);
|
||||
+
|
||||
+ snprintf(cmd, sizeof cmd, "unset XAUTHORITY && HOME=\"%.200s\" %s -q -",
|
||||
+ s->pw->pw_dir, options.xauth_location);
|
||||
+ f = popen(cmd, "w");
|
||||
+ if (f) {
|
||||
+ fprintf(f, "remove %s\n", s->auth_display);
|
||||
+ pclose(f);
|
||||
+ } else
|
||||
+ error("Could not run %s\n", cmd);
|
||||
+ exit(0);
|
||||
+ } else if (pid > 0) {
|
||||
+ waitpid(pid, NULL, 0);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (s->ttyfd != -1)
|
||||
session_pty_cleanup(s);
|
||||
free(s->term);
|
||||
free(s->display);
|
||||
free(s->x11_chanids);
|
||||
free(s->auth_display);
|
||||
free(s->auth_data);
|
||||
free(s->auth_proto);
|
@ -1,34 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent 85f3cd6c8291c7feb0c1e7a0a3645c130532d206
|
||||
Add the 'geteuid' syscall to allowed list, since it may becalled on the
|
||||
mainframes when OpenSSL is using hardware crypto accelerator via libica
|
||||
(via ibmica)
|
||||
|
||||
bsc#1004258
|
||||
|
||||
diff --git a/openssh-7.6p1/sandbox-seccomp-filter.c b/openssh-7.6p1/sandbox-seccomp-filter.c
|
||||
--- a/openssh-7.6p1/sandbox-seccomp-filter.c
|
||||
+++ b/openssh-7.6p1/sandbox-seccomp-filter.c
|
||||
@@ -161,16 +161,22 @@ static const struct sock_filter preauth_
|
||||
SC_ALLOW(__NR_close),
|
||||
#endif
|
||||
#ifdef __NR_exit
|
||||
SC_ALLOW(__NR_exit),
|
||||
#endif
|
||||
#ifdef __NR_exit_group
|
||||
SC_ALLOW(__NR_exit_group),
|
||||
#endif
|
||||
+#ifdef __NR_geteuid
|
||||
+ SC_ALLOW(__NR_geteuid),
|
||||
+#endif
|
||||
+#ifdef __NR_geteuid32
|
||||
+ SC_ALLOW(__NR_geteuid32),
|
||||
+#endif
|
||||
#ifdef __NR_getpgid
|
||||
SC_ALLOW(__NR_getpgid),
|
||||
#endif
|
||||
#ifdef __NR_getpid
|
||||
SC_ALLOW(__NR_getpid),
|
||||
#endif
|
||||
#ifdef __NR_getrandom
|
||||
SC_ALLOW(__NR_getrandom),
|
@ -1,31 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent 004731f82470b22b9bd563ef3216034cf00ba133
|
||||
add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread
|
||||
from being killed by the seccomp filter
|
||||
|
||||
diff --git a/openssh-7.6p1/sandbox-seccomp-filter.c b/openssh-7.6p1/sandbox-seccomp-filter.c
|
||||
--- a/openssh-7.6p1/sandbox-seccomp-filter.c
|
||||
+++ b/openssh-7.6p1/sandbox-seccomp-filter.c
|
||||
@@ -173,16 +173,22 @@ static const struct sock_filter preauth_
|
||||
SC_ALLOW(__NR_getpid),
|
||||
#endif
|
||||
#ifdef __NR_getrandom
|
||||
SC_ALLOW(__NR_getrandom),
|
||||
#endif
|
||||
#ifdef __NR_gettimeofday
|
||||
SC_ALLOW(__NR_gettimeofday),
|
||||
#endif
|
||||
+#ifdef __NR_getuid
|
||||
+ SC_ALLOW(__NR_getuid),
|
||||
+#endif
|
||||
+#ifdef __NR_getuid32
|
||||
+ SC_ALLOW(__NR_getuid32),
|
||||
+#endif
|
||||
#ifdef __NR_madvise
|
||||
SC_ALLOW(__NR_madvise),
|
||||
#endif
|
||||
#ifdef __NR_mmap
|
||||
SC_ALLOW(__NR_mmap),
|
||||
#endif
|
||||
#ifdef __NR_mmap2
|
||||
SC_ALLOW(__NR_mmap2),
|
@ -1,30 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent ddbb42a2825e7e837d7b0387b79a9542c7869174
|
||||
Allow the stat() syscall for OpenSSL re-seed patch
|
||||
(which causes OpenSSL use stat() on some file)
|
||||
|
||||
bnc#912436
|
||||
|
||||
diff --git a/openssh-7.6p1/sandbox-seccomp-filter.c b/openssh-7.6p1/sandbox-seccomp-filter.c
|
||||
--- a/openssh-7.6p1/sandbox-seccomp-filter.c
|
||||
+++ b/openssh-7.6p1/sandbox-seccomp-filter.c
|
||||
@@ -224,16 +224,19 @@ static const struct sock_filter preauth_
|
||||
SC_ALLOW(__NR_select),
|
||||
#endif
|
||||
#ifdef __NR_shutdown
|
||||
SC_ALLOW(__NR_shutdown),
|
||||
#endif
|
||||
#ifdef __NR_sigprocmask
|
||||
SC_ALLOW(__NR_sigprocmask),
|
||||
#endif
|
||||
+#ifdef __NR_stat
|
||||
+ SC_ALLOW(__NR_stat),
|
||||
+#endif
|
||||
#ifdef __NR_time
|
||||
SC_ALLOW(__NR_time),
|
||||
#endif
|
||||
#ifdef __NR_write
|
||||
SC_ALLOW(__NR_write),
|
||||
#endif
|
||||
#ifdef __NR_socketcall
|
||||
SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
|
@ -1,461 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent e7721ed81bcf77756a79fbd04d377cc420a994cc
|
||||
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
|
||||
# bnc#703221, FATE#312172
|
||||
|
||||
diff --git a/openssh-7.6p1/entropy.c b/openssh-7.6p1/entropy.c
|
||||
--- a/openssh-7.6p1/entropy.c
|
||||
+++ b/openssh-7.6p1/entropy.c
|
||||
@@ -49,16 +49,17 @@
|
||||
|
||||
#include "ssh.h"
|
||||
#include "misc.h"
|
||||
#include "xmalloc.h"
|
||||
#include "atomicio.h"
|
||||
#include "pathnames.h"
|
||||
#include "log.h"
|
||||
#include "buffer.h"
|
||||
+#include "openbsd-compat/port-linux.h"
|
||||
|
||||
/*
|
||||
* Portable OpenSSH PRNG seeding:
|
||||
* If OpenSSL has not "internally seeded" itself (e.g. pulled data from
|
||||
* /dev/random), then collect RANDOM_SEED_SIZE bytes of randomness from
|
||||
* PRNGd.
|
||||
*/
|
||||
#ifndef OPENSSL_PRNG_ONLY
|
||||
@@ -224,16 +225,19 @@ seed_rng(void)
|
||||
}
|
||||
|
||||
if (seed_from_prngd(buf, sizeof(buf)) == -1)
|
||||
fatal("Could not obtain seed from PRNGd");
|
||||
RAND_add(buf, sizeof(buf), sizeof(buf));
|
||||
memset(buf, '\0', sizeof(buf));
|
||||
|
||||
#endif /* OPENSSL_PRNG_ONLY */
|
||||
+
|
||||
+ linux_seed();
|
||||
+
|
||||
if (RAND_status() != 1)
|
||||
fatal("PRNG is not seeded");
|
||||
}
|
||||
|
||||
#else /* WITH_OPENSSL */
|
||||
|
||||
/* Handled in arc4random() */
|
||||
void
|
||||
diff --git a/openssh-7.6p1/openbsd-compat/Makefile.in b/openssh-7.6p1/openbsd-compat/Makefile.in
|
||||
--- a/openssh-7.6p1/openbsd-compat/Makefile.in
|
||||
+++ b/openssh-7.6p1/openbsd-compat/Makefile.in
|
||||
@@ -15,17 +15,17 @@ AR=@AR@
|
||||
RANLIB=@RANLIB@
|
||||
INSTALL=@INSTALL@
|
||||
LDFLAGS=-L. @LDFLAGS@
|
||||
|
||||
OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o recallocarray.o rresvport.o setenv.o setproctitle.o sha1.o sha2.o rmd160.o md5.o sigact.o strcasestr.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o freezero.o
|
||||
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-getpagesize.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-malloc.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
|
||||
|
||||
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
|
||||
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||
|
||||
all: libopenbsd-compat.a
|
||||
|
||||
$(COMPAT): ../config.h
|
||||
$(OPENBSD): ../config.h
|
||||
diff --git a/openssh-7.6p1/openbsd-compat/port-linux-prng.c b/openssh-7.6p1/openbsd-compat/port-linux-prng.c
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-7.6p1/openbsd-compat/port-linux-prng.c
|
||||
@@ -0,0 +1,81 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
|
||||
+ * (c) 2011 Petr Cerny <pcerny@suse.cz>
|
||||
+ *
|
||||
+ * Permission to use, copy, modify, and distribute this software for any
|
||||
+ * purpose with or without fee is hereby granted, provided that the above
|
||||
+ * copyright notice and this permission notice appear in all copies.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * Linux-specific portability code - prng support
|
||||
+ */
|
||||
+
|
||||
+#include "includes.h"
|
||||
+#include "defines.h"
|
||||
+
|
||||
+#include <errno.h>
|
||||
+#include <stdarg.h>
|
||||
+#include <string.h>
|
||||
+#include <stdio.h>
|
||||
+#include <openssl/rand.h>
|
||||
+
|
||||
+#include "log.h"
|
||||
+#include "port-linux.h"
|
||||
+#include "fips.h"
|
||||
+
|
||||
+#define RNG_BYTES_DEFAULT 6L
|
||||
+#define RNG_ENV_VAR "SSH_USE_STRONG_RNG"
|
||||
+
|
||||
+long rand_bytes = 0;
|
||||
+char *rand_file = NULL;
|
||||
+
|
||||
+static void
|
||||
+linux_seed_init(void)
|
||||
+{
|
||||
+ long elen = 0;
|
||||
+ char *env = getenv(RNG_ENV_VAR);
|
||||
+
|
||||
+ if (env) {
|
||||
+ errno = 0;
|
||||
+ elen = strtol(env, NULL, 10);
|
||||
+ if (errno) {
|
||||
+ elen = RNG_BYTES_DEFAULT;
|
||||
+ debug("bogus value in the %s environment variable, "
|
||||
+ "using %li bytes from /dev/random\n",
|
||||
+ RNG_ENV_VAR, RNG_BYTES_DEFAULT);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (elen || fips_mode())
|
||||
+ rand_file = "/dev/random";
|
||||
+ else
|
||||
+ rand_file = "/dev/urandom";
|
||||
+
|
||||
+ rand_bytes = MAX(elen, RNG_BYTES_DEFAULT);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+linux_seed(void)
|
||||
+{
|
||||
+ long len;
|
||||
+ if (!rand_file)
|
||||
+ linux_seed_init();
|
||||
+
|
||||
+ errno = 0;
|
||||
+ len = RAND_load_file(rand_file, rand_bytes);
|
||||
+ if (len != rand_bytes) {
|
||||
+ if (errno)
|
||||
+ fatal ("cannot read from %s, %s", rand_file, strerror(errno));
|
||||
+ else
|
||||
+ fatal ("EOF reading %s", rand_file);
|
||||
+ }
|
||||
+}
|
||||
diff --git a/openssh-7.6p1/openbsd-compat/port-linux.h b/openssh-7.6p1/openbsd-compat/port-linux.h
|
||||
--- a/openssh-7.6p1/openbsd-compat/port-linux.h
|
||||
+++ b/openssh-7.6p1/openbsd-compat/port-linux.h
|
||||
@@ -12,16 +12,20 @@
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
#ifndef _PORT_LINUX_H
|
||||
#define _PORT_LINUX_H
|
||||
|
||||
+extern long rand_bytes;
|
||||
+extern char *rand_file;
|
||||
+void linux_seed(void);
|
||||
+
|
||||
#ifdef WITH_SELINUX
|
||||
int ssh_selinux_enabled(void);
|
||||
void ssh_selinux_setup_pty(char *, const char *);
|
||||
void ssh_selinux_setup_exec_context(char *);
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
#endif
|
||||
|
||||
diff --git a/openssh-7.6p1/ssh-add.1 b/openssh-7.6p1/ssh-add.1
|
||||
--- a/openssh-7.6p1/ssh-add.1
|
||||
+++ b/openssh-7.6p1/ssh-add.1
|
||||
@@ -167,16 +167,30 @@ or related script.
|
||||
(Note that on some machines it
|
||||
may be necessary to redirect the input from
|
||||
.Pa /dev/null
|
||||
to make this work.)
|
||||
.It Ev SSH_AUTH_SOCK
|
||||
Identifies the path of a
|
||||
.Ux Ns -domain
|
||||
socket used to communicate with the agent.
|
||||
+.It Ev SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 6 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
.El
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds
|
||||
.It Pa ~/.ssh/id_dsa
|
||||
Contains the DSA authentication identity of the user.
|
||||
.It Pa ~/.ssh/id_ecdsa
|
||||
Contains the ECDSA authentication identity of the user.
|
||||
.It Pa ~/.ssh/id_ed25519
|
||||
diff --git a/openssh-7.6p1/ssh-agent.1 b/openssh-7.6p1/ssh-agent.1
|
||||
--- a/openssh-7.6p1/ssh-agent.1
|
||||
+++ b/openssh-7.6p1/ssh-agent.1
|
||||
@@ -209,16 +209,33 @@ line terminates.
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds
|
||||
.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>
|
||||
.Ux Ns -domain
|
||||
sockets used to contain the connection to the authentication agent.
|
||||
These sockets should only be readable by the owner.
|
||||
The sockets should get automatically removed when the agent exits.
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 6 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
.Xr sshd 8
|
||||
.Sh AUTHORS
|
||||
.An -nosplit
|
||||
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
|
||||
diff --git a/openssh-7.6p1/ssh-keygen.1 b/openssh-7.6p1/ssh-keygen.1
|
||||
--- a/openssh-7.6p1/ssh-keygen.1
|
||||
+++ b/openssh-7.6p1/ssh-keygen.1
|
||||
@@ -863,16 +863,33 @@ on all machines
|
||||
where the user wishes to log in using public key authentication.
|
||||
There is no need to keep the contents of this file secret.
|
||||
.Pp
|
||||
.It Pa /etc/moduli
|
||||
Contains Diffie-Hellman groups used for DH-GEX.
|
||||
The file format is described in
|
||||
.Xr moduli 5 .
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 6 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
.Xr ssh-agent 1 ,
|
||||
.Xr moduli 5 ,
|
||||
.Xr sshd 8
|
||||
.Rs
|
||||
.%R RFC 4716
|
||||
diff --git a/openssh-7.6p1/ssh-keysign.8 b/openssh-7.6p1/ssh-keysign.8
|
||||
--- a/openssh-7.6p1/ssh-keysign.8
|
||||
+++ b/openssh-7.6p1/ssh-keysign.8
|
||||
@@ -75,16 +75,33 @@ must be set-uid root if host-based authe
|
||||
.Pp
|
||||
.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
|
||||
.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
|
||||
.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
|
||||
.It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
|
||||
If these files exist they are assumed to contain public certificate
|
||||
information corresponding with the private keys above.
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 6 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
.Xr ssh_config 5 ,
|
||||
.Xr sshd 8
|
||||
.Sh HISTORY
|
||||
.Nm
|
||||
first appeared in
|
||||
diff --git a/openssh-7.6p1/ssh.1 b/openssh-7.6p1/ssh.1
|
||||
--- a/openssh-7.6p1/ssh.1
|
||||
+++ b/openssh-7.6p1/ssh.1
|
||||
@@ -1408,16 +1408,30 @@ reads
|
||||
and adds lines of the format
|
||||
.Dq VARNAME=value
|
||||
to the environment if the file exists and users are allowed to
|
||||
change their environment.
|
||||
For more information, see the
|
||||
.Cm PermitUserEnvironment
|
||||
option in
|
||||
.Xr sshd_config 5 .
|
||||
+.It Ev SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 6 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Pa ~/.rhosts
|
||||
This file is used for host-based authentication (see above).
|
||||
On some machines this file may need to be
|
||||
world-readable if the user's home directory is on an NFS partition,
|
||||
because
|
||||
.Xr sshd 8
|
||||
diff --git a/openssh-7.6p1/sshd.8 b/openssh-7.6p1/sshd.8
|
||||
--- a/openssh-7.6p1/sshd.8
|
||||
+++ b/openssh-7.6p1/sshd.8
|
||||
@@ -929,16 +929,33 @@ and not group or world-writable.
|
||||
.It Pa /var/run/sshd.pid
|
||||
Contains the process ID of the
|
||||
.Nm
|
||||
listening for connections (if there are several daemons running
|
||||
concurrently for different ports, this contains the process ID of the one
|
||||
started last).
|
||||
The content of this file is not sensitive; it can be world-readable.
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 6 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
.Sh SEE ALSO
|
||||
.Xr scp 1 ,
|
||||
.Xr sftp 1 ,
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
.Xr ssh-agent 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
.Xr ssh-keyscan 1 ,
|
||||
diff --git a/openssh-7.6p1/sshd.c b/openssh-7.6p1/sshd.c
|
||||
--- a/openssh-7.6p1/sshd.c
|
||||
+++ b/openssh-7.6p1/sshd.c
|
||||
@@ -50,16 +50,18 @@
|
||||
#ifdef HAVE_SYS_STAT_H
|
||||
# include <sys/stat.h>
|
||||
#endif
|
||||
#ifdef HAVE_SYS_TIME_H
|
||||
# include <sys/time.h>
|
||||
#endif
|
||||
#include "openbsd-compat/sys-tree.h"
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
+#include "openbsd-compat/port-linux.h"
|
||||
+
|
||||
#include <sys/wait.h>
|
||||
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <netdb.h>
|
||||
#ifdef HAVE_PATHS_H
|
||||
#include <paths.h>
|
||||
#endif
|
||||
@@ -195,16 +197,23 @@ int have_agent = 0;
|
||||
*/
|
||||
struct {
|
||||
struct sshkey **host_keys; /* all private host keys */
|
||||
struct sshkey **host_pubkeys; /* all public host keys */
|
||||
struct sshkey **host_certificates; /* all public host certificates */
|
||||
int have_ssh2_key;
|
||||
} sensitive_data;
|
||||
|
||||
+/*
|
||||
+ * Every RESEED_AFTERth connection triggers call to linux_seed() to re-seed the
|
||||
+ * random pool.
|
||||
+ */
|
||||
+#define RESEED_AFTER 100
|
||||
+static int re_seeding_counter = RESEED_AFTER;
|
||||
+
|
||||
/* This is set to true when a signal is received. */
|
||||
static volatile sig_atomic_t received_sighup = 0;
|
||||
static volatile sig_atomic_t received_sigterm = 0;
|
||||
|
||||
/* session identifier, used by RSA-auth */
|
||||
u_char session_id[16];
|
||||
|
||||
/* same for ssh2 */
|
||||
@@ -1208,16 +1217,20 @@ server_accept_loop(int *sock_in, int *so
|
||||
for (j = 0; j < options.max_startups; j++)
|
||||
if (startup_pipes[j] == -1) {
|
||||
startup_pipes[j] = startup_p[0];
|
||||
if (maxfd < startup_p[0])
|
||||
maxfd = startup_p[0];
|
||||
startups++;
|
||||
break;
|
||||
}
|
||||
+ if(!(--re_seeding_counter)) {
|
||||
+ re_seeding_counter = RESEED_AFTER;
|
||||
+ linux_seed();
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Got connection. Fork a child to handle it, unless
|
||||
* we are in debugging mode.
|
||||
*/
|
||||
if (debug_flag) {
|
||||
/*
|
||||
* In debugging mode. Close the listening
|
@ -1,53 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent f258e8b7fc48a4b0f60fc436dc9ec72423a11bfc
|
||||
send locales in default configuration
|
||||
bnc#65747
|
||||
|
||||
diff --git a/openssh-7.6p1/ssh_config b/openssh-7.6p1/ssh_config
|
||||
--- a/openssh-7.6p1/ssh_config
|
||||
+++ b/openssh-7.6p1/ssh_config
|
||||
@@ -26,16 +26,21 @@ Host *
|
||||
# security reasons: Someone stealing the authentification data on the
|
||||
# remote side (the "spoofed" X-server by the remote sshd) can read your
|
||||
# keystrokes as you type, just like any other X11 client could do.
|
||||
# Set this to "no" here for global effect or in your own ~/.ssh/config
|
||||
# file if you want to have the remote X11 authentification data to
|
||||
# expire after twenty minutes after remote login.
|
||||
ForwardX11Trusted yes
|
||||
|
||||
+# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
|
||||
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
+ SendEnv LC_IDENTIFICATION LC_ALL
|
||||
+
|
||||
# PasswordAuthentication yes
|
||||
# HostbasedAuthentication no
|
||||
# GSSAPIAuthentication no
|
||||
# GSSAPIDelegateCredentials no
|
||||
# BatchMode no
|
||||
# CheckHostIP yes
|
||||
# AddressFamily any
|
||||
# ConnectTimeout 0
|
||||
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
|
||||
--- a/openssh-7.6p1/sshd_config
|
||||
+++ b/openssh-7.6p1/sshd_config
|
||||
@@ -105,14 +105,19 @@ X11Forwarding yes
|
||||
#VersionAddendum none
|
||||
|
||||
# no default banner path
|
||||
#Banner none
|
||||
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/libexec/sftp-server
|
||||
|
||||
+# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
|
||||
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
+AcceptEnv LC_IDENTIFICATION LC_ALL
|
||||
+
|
||||
# Example of overriding settings on a per-user basis
|
||||
#Match User anoncvs
|
||||
# X11Forwarding no
|
||||
# AllowTcpForwarding no
|
||||
# PermitTTY no
|
||||
# ForceCommand cvs server
|
@ -1,134 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent 47bd7a709835b11e8dbd8fdf8779a2281ed46120
|
||||
Send signals to systemd to prevent various race conditions
|
||||
bsc#1048367
|
||||
|
||||
diff --git a/openssh-7.6p1/configure.ac b/openssh-7.6p1/configure.ac
|
||||
--- a/openssh-7.6p1/configure.ac
|
||||
+++ b/openssh-7.6p1/configure.ac
|
||||
@@ -4304,16 +4304,40 @@ AC_ARG_WITH([kerberos5],
|
||||
LIBS="$saved_LIBS"
|
||||
|
||||
fi
|
||||
]
|
||||
)
|
||||
AC_SUBST([GSSLIBS])
|
||||
AC_SUBST([K5LIBS])
|
||||
|
||||
+# Check whether user wants systemd support
|
||||
+SYSTEMD_MSG="no"
|
||||
+AC_ARG_WITH(systemd,
|
||||
+ [ --with-systemd Enable systemd support],
|
||||
+ [ if test "x$withval" != "xno" ; then
|
||||
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
|
||||
+ if test "$PKGCONFIG" != "no"; then
|
||||
+ AC_MSG_CHECKING([for libsystemd])
|
||||
+ if $PKGCONFIG --exists libsystemd; then
|
||||
+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
|
||||
+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
|
||||
+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
|
||||
+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
|
||||
+ AC_MSG_RESULT([yes])
|
||||
+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
|
||||
+ SYSTEMD_MSG="yes"
|
||||
+ else
|
||||
+ AC_MSG_RESULT([no])
|
||||
+ fi
|
||||
+ fi
|
||||
+ fi ]
|
||||
+)
|
||||
+
|
||||
+
|
||||
# Looking for programs, paths and files
|
||||
|
||||
PRIVSEP_PATH=/var/empty
|
||||
AC_ARG_WITH([privsep-path],
|
||||
[ --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
|
||||
[
|
||||
if test -n "$withval" && test "x$withval" != "xno" && \
|
||||
test "x${withval}" != "xyes"; then
|
||||
@@ -5110,16 +5134,17 @@ echo " SELinux support
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
echo " MD5 password support: $MD5_MSG"
|
||||
echo " libedit support: $LIBEDIT_MSG"
|
||||
echo " libldns support: $LDNS_MSG"
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
echo " Solaris project support: $SP_MSG"
|
||||
echo " Solaris privilege support: $SPP_MSG"
|
||||
+echo " systemd support: $SYSTEMD_MSG"
|
||||
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
|
||||
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||
echo " Random number source: $RAND_MSG"
|
||||
echo " Privsep sandbox style: $SANDBOX_STYLE"
|
||||
|
||||
echo ""
|
||||
|
||||
diff --git a/openssh-7.6p1/sshd.c b/openssh-7.6p1/sshd.c
|
||||
--- a/openssh-7.6p1/sshd.c
|
||||
+++ b/openssh-7.6p1/sshd.c
|
||||
@@ -82,16 +82,20 @@
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_SECUREWARE
|
||||
#include <sys/security.h>
|
||||
#include <prot.h>
|
||||
#endif
|
||||
|
||||
+#ifdef HAVE_SYSTEMD
|
||||
+#include <systemd/sd-daemon.h>
|
||||
+#endif
|
||||
+
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
#include "ssh2.h"
|
||||
#include "sshpty.h"
|
||||
#include "packet.h"
|
||||
#include "log.h"
|
||||
#include "buffer.h"
|
||||
#include "misc.h"
|
||||
@@ -293,16 +297,20 @@ sighup_handler(int sig)
|
||||
|
||||
/*
|
||||
* Called from the main program after receiving SIGHUP.
|
||||
* Restarts the server.
|
||||
*/
|
||||
static void
|
||||
sighup_restart(void)
|
||||
{
|
||||
+#ifdef HAVE_SYSTEMD
|
||||
+ /* Signal systemd that we are reloading */
|
||||
+ sd_notify(0, "RELOADING=1");
|
||||
+#endif
|
||||
logit("Received SIGHUP; restarting.");
|
||||
if (options.pid_file != NULL)
|
||||
unlink(options.pid_file);
|
||||
platform_pre_restart();
|
||||
close_listen_socks();
|
||||
close_startup_pipes();
|
||||
alarm(0); /* alarm timer persists across exec */
|
||||
signal(SIGHUP, SIG_IGN); /* will be restored after exec */
|
||||
@@ -1878,16 +1886,21 @@ main(int ac, char **av)
|
||||
error("Couldn't create pid file \"%s\": %s",
|
||||
options.pid_file, strerror(errno));
|
||||
} else {
|
||||
fprintf(f, "%ld\n", (long) getpid());
|
||||
fclose(f);
|
||||
}
|
||||
}
|
||||
|
||||
+#ifdef HAVE_SYSTEMD
|
||||
+ /* Signal systemd that we are ready to accept connections */
|
||||
+ sd_notify(0, "READY=1");
|
||||
+#endif
|
||||
+
|
||||
/* Accept a connection and return in a forked child */
|
||||
server_accept_loop(&sock_in, &sock_out,
|
||||
&newsock, config_s);
|
||||
}
|
||||
|
||||
/* This is the child processing a new connection. */
|
||||
setproctitle("%s", "[accepted]");
|
||||
|
@ -1,9 +1,3 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 3 12:27:18 UTC 2017 - pcerny@suse.com
|
||||
|
||||
- upgrade to 7.6p1
|
||||
see main package changelog for details
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 25 13:45:53 UTC 2016 - meissner@suse.com
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package openssh-askpass-gnome
|
||||
#
|
||||
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
|
118
openssh.changes
118
openssh.changes
@ -1,11 +1,5 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Nov 23 13:38:52 UTC 2017 - rbrown@suse.com
|
||||
|
||||
- Replace references to /var/adm/fillup-templates with new
|
||||
%_fillupdir macro (boo#1069468)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 3 12:27:18 UTC 2017 - pcerny@suse.com
|
||||
Fri Jan 12 00:38:37 CET 2018 - pcerny@suse.com
|
||||
|
||||
- Update to vanilla 7.6p1
|
||||
Most important changes (more details below):
|
||||
@ -552,34 +546,94 @@ Fri Nov 3 12:27:18 UTC 2017 - pcerny@suse.com
|
||||
* Add clang libFuzzer harnesses for public key parsing and
|
||||
signature verification.
|
||||
- packaging:
|
||||
* removal of all 7.2 patches
|
||||
* moving patches into a separate archive
|
||||
* first round of rebased patches:
|
||||
[openssh-7.6p1-X11_trusted_forwarding.patch]
|
||||
[openssh-7.6p1-allow_root_password_login.patch]
|
||||
[openssh-7.6p1-blocksigalrm.patch]
|
||||
[openssh-7.6p1-disable_short_DH_parameters.patch]
|
||||
[openssh-7.6p1-eal3.patch]
|
||||
[openssh-7.6p1-enable_PAM_by_default.patch]
|
||||
[openssh-7.6p1-fips.patch]
|
||||
[openssh-7.6p1-fips_checks.patch]
|
||||
[openssh-7.6p1-hostname_changes_when_forwarding_X.patch]
|
||||
[openssh-7.6p1-lastlog.patch]
|
||||
[openssh-7.6p1-pam_check_locks.patch]
|
||||
[openssh-7.6p1-pts_names_formatting.patch]
|
||||
[openssh-7.6p1-remove_xauth_cookies_on_exit.patch]
|
||||
[openssh-7.6p1-seccomp_geteuid.patch]
|
||||
[openssh-7.6p1-seccomp_getuid.patch]
|
||||
[openssh-7.6p1-seccomp_stat.patch]
|
||||
[openssh-7.6p1-seed-prng.patch]
|
||||
[openssh-7.6p1-send_locale.patch]
|
||||
[openssh-7.6p1-systemd-notify.patch]
|
||||
[-X11_trusted_forwarding]
|
||||
[-allow_root_password_login]
|
||||
[-blocksigalrm]
|
||||
[-cavstest-ctr]
|
||||
[-cavstest-kdf]
|
||||
[-disable_short_DH_parameters]
|
||||
[-eal3]
|
||||
[-enable_PAM_by_default]
|
||||
[-fips]
|
||||
[-fips_checks]
|
||||
[-gssapi_key_exchange]
|
||||
[-hostname_changes_when_forwarding_X]
|
||||
[-lastlog]
|
||||
[-missing_headers]
|
||||
[-pam_check_locks]
|
||||
[-pts_names_formatting]
|
||||
[-remove_xauth_cookies_on_exit]
|
||||
[-seccomp_geteuid]
|
||||
[-seccomp_getuid]
|
||||
[-seccomp_stat]
|
||||
[-seed-prng]
|
||||
[-send_locale]
|
||||
[-systemd-notify]
|
||||
* not rebased (obsoleted) patches (so far):
|
||||
[openssh-7.2p2-saveargv-fix.diff]
|
||||
[openssh-7.2p2-dont_use_pthreads_in_PAM.diff]
|
||||
[openssh-7.2p2-gssapimitm.diff]
|
||||
[openssh-7.2p2-eal3_obsolete.diff]
|
||||
[openssh-7.2p2-default_protocol.diff]
|
||||
[-additional_seccomp_archs]
|
||||
[-allow_DSS_by_default]
|
||||
[-default_protocol]
|
||||
[-dont_use_pthreads_in_PAM]
|
||||
[-eal3_obsolete]
|
||||
[-gssapimitm]
|
||||
[-saveargv-fix]
|
||||
* obviously removing all standalone patch files:
|
||||
[openssh-7.2p2-allow_root_password_login.patch]
|
||||
[openssh-7.2p2-allow_DSS_by_default.patch]
|
||||
[openssh-7.2p2-X11_trusted_forwarding.patch]
|
||||
[openssh-7.2p2-lastlog.patch]
|
||||
[openssh-7.2p2-enable_PAM_by_default.patch]
|
||||
[openssh-7.2p2-dont_use_pthreads_in_PAM.patch]
|
||||
[openssh-7.2p2-eal3.patch]
|
||||
[openssh-7.2p2-blocksigalrm.patch]
|
||||
[openssh-7.2p2-send_locale.patch]
|
||||
[openssh-7.2p2-hostname_changes_when_forwarding_X.patch]
|
||||
[openssh-7.2p2-remove_xauth_cookies_on_exit.patch]
|
||||
[openssh-7.2p2-pts_names_formatting.patch]
|
||||
[openssh-7.2p2-pam_check_locks.patch]
|
||||
[openssh-7.2p2-disable_short_DH_parameters.patch]
|
||||
[openssh-7.2p2-seccomp_getuid.patch]
|
||||
[openssh-7.2p2-seccomp_geteuid.patch]
|
||||
[openssh-7.2p2-seccomp_stat.patch]
|
||||
[openssh-7.2p2-additional_seccomp_archs.patch]
|
||||
[openssh-7.2p2-fips.patch]
|
||||
[openssh-7.2p2-cavstest-ctr.patch]
|
||||
[openssh-7.2p2-cavstest-kdf.patch]
|
||||
[openssh-7.2p2-seed-prng.patch]
|
||||
[openssh-7.2p2-gssapi_key_exchange.patch]
|
||||
[openssh-7.2p2-audit.patch]
|
||||
[openssh-7.2p2-audit_fixes.patch]
|
||||
[openssh-7.2p2-audit_seed_prng.patch]
|
||||
[openssh-7.2p2-login_options.patch]
|
||||
[openssh-7.2p2-disable_openssl_abi_check.patch]
|
||||
[openssh-7.2p2-no_fork-no_pid_file.patch]
|
||||
[openssh-7.2p2-host_ident.patch]
|
||||
[openssh-7.2p2-sftp_homechroot.patch]
|
||||
[openssh-7.2p2-sftp_force_permissions.patch]
|
||||
[openssh-7.2p2-X_forward_with_disabled_ipv6.patch]
|
||||
[openssh-7.2p2-ldap.patch]
|
||||
[openssh-7.2p2-IPv6_X_forwarding.patch]
|
||||
[openssh-7.2p2-ignore_PAM_with_UseLogin.patch]
|
||||
[openssh-7.2p2-prevent_timing_user_enumeration.patch]
|
||||
[openssh-7.2p2-limit_password_length.patch]
|
||||
[openssh-7.2p2-keep_slogin.patch]
|
||||
[openssh-7.2p2-kex_resource_depletion.patch]
|
||||
[openssh-7.2p2-verify_CIDR_address_ranges.patch]
|
||||
[openssh-7.2p2-restrict_pkcs11-modules.patch]
|
||||
[openssh-7.2p2-prevent_private_key_leakage.patch]
|
||||
[openssh-7.2p2-secure_unix_sockets_forwarding.patch]
|
||||
[openssh-7.2p2-ssh_case_insensitive_host_matching.patch]
|
||||
[openssh-7.2p2-disable_preauth_compression.patch]
|
||||
[openssh-7.2p2-s390_hw_crypto_syscalls.patch]
|
||||
[openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Nov 23 13:38:52 UTC 2017 - rbrown@suse.com
|
||||
|
||||
- Replace references to /var/adm/fillup-templates with new
|
||||
%_fillupdir macro (boo#1069468)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 25 15:09:06 UTC 2017 - jsegitz@suse.com
|
||||
|
104
openssh.spec
104
openssh.spec
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package openssh
|
||||
#
|
||||
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -90,8 +90,8 @@ BuildRequires: libopenssl-1_0_0-devel
|
||||
BuildRequires: openldap2-devel
|
||||
BuildRequires: pam-devel
|
||||
%if %{uses_systemd}
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
BuildRequires: systemd-devel
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
%{?systemd_requires}
|
||||
%endif
|
||||
BuildRequires: tcpd-devel
|
||||
@ -118,28 +118,8 @@ Source8: sysconfig.ssh
|
||||
Source9: sshd-gen-keys-start
|
||||
Source10: sshd.service
|
||||
Source11: README.FIPS
|
||||
#Source12: cavs_driver-ssh.pl
|
||||
Patch00: openssh-7.6p1-allow_root_password_login.patch
|
||||
Patch01: openssh-7.6p1-X11_trusted_forwarding.patch
|
||||
Patch02: openssh-7.6p1-lastlog.patch
|
||||
Patch03: openssh-7.6p1-enable_PAM_by_default.patch
|
||||
Patch04: openssh-7.6p1-eal3.patch
|
||||
Patch05: openssh-7.6p1-blocksigalrm.patch
|
||||
Patch06: openssh-7.6p1-send_locale.patch
|
||||
Patch07: openssh-7.6p1-hostname_changes_when_forwarding_X.patch
|
||||
Patch08: openssh-7.6p1-remove_xauth_cookies_on_exit.patch
|
||||
Patch09: openssh-7.6p1-pts_names_formatting.patch
|
||||
Patch10: openssh-7.6p1-pam_check_locks.patch
|
||||
Patch11: openssh-7.6p1-disable_short_DH_parameters.patch
|
||||
Patch12: openssh-7.6p1-seccomp_getuid.patch
|
||||
Patch13: openssh-7.6p1-seccomp_geteuid.patch
|
||||
Patch14: openssh-7.6p1-seccomp_stat.patch
|
||||
Patch15: openssh-7.6p1-fips.patch
|
||||
#Patch16: openssh-7.6p1-cavstest-ctr.patch
|
||||
#Patch17: openssh-7.6p1-cavstest-kdf.patch
|
||||
Patch18: openssh-7.6p1-fips_checks.patch
|
||||
Patch19: openssh-7.6p1-seed-prng.patch
|
||||
Patch20: openssh-7.6p1-systemd-notify.patch
|
||||
Source12: cavs_driver-ssh.pl
|
||||
Source100: openssh-7.6p1-SUSE_patches.tar.xz
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
Conflicts: nonfreessh
|
||||
Recommends: audit
|
||||
@ -180,47 +160,32 @@ Hashes that together with the main package form the FIPS certifiable
|
||||
cryptomodule.
|
||||
|
||||
|
||||
#%package cavs
|
||||
#Summary: OpenSSH FIPS cryptomodule CAVS tests
|
||||
#Group: Productivity/Networking/SSH
|
||||
#Requires: %{name} = %{version}-%{release}
|
||||
#
|
||||
#%description cavs
|
||||
#FIPS140 CAVS tests related parts of the OpenSSH package
|
||||
%package cavs
|
||||
Summary: OpenSSH FIPS cryptomodule CAVS tests
|
||||
Group: Productivity/Networking/SSH
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
|
||||
%description cavs
|
||||
FIPS140 CAVS tests related parts of the OpenSSH package
|
||||
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch00 -p2
|
||||
%patch01 -p2
|
||||
%patch02 -p2
|
||||
%patch03 -p2
|
||||
%patch04 -p2
|
||||
%patch05 -p2
|
||||
%patch06 -p2
|
||||
%patch07 -p2
|
||||
%patch08 -p2
|
||||
%patch09 -p2
|
||||
%patch10 -p2
|
||||
%patch11 -p2
|
||||
%patch12 -p2
|
||||
%patch13 -p2
|
||||
%patch14 -p2
|
||||
%patch15 -p2
|
||||
#patch16 -p2
|
||||
#patch17 -p2
|
||||
%patch18 -p2
|
||||
%patch19 -p2
|
||||
%patch20 -p2
|
||||
%setup -q -b 100
|
||||
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
|
||||
# patch sources
|
||||
PATCH_DIR="../SUSE_patches"
|
||||
cat $PATCH_DIR/patch.series | while read p; do
|
||||
printf ">> applying '$p'\n"
|
||||
patch -p2 < "${PATCH_DIR}/$p"
|
||||
done
|
||||
|
||||
#LDAP: # set libexec dir in the LDAP patch
|
||||
#LDAP: sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
||||
#LDAP: $( grep -Rl @LIBEXECDIR@ \
|
||||
#LDAP: $( grep "^+++" %{PATCH33} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
||||
#LDAP: )
|
||||
|
||||
%build
|
||||
### TODO: # set libexec dir in the LDAP patch
|
||||
### TODO: sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
||||
### TODO: $( grep -Rl @LIBEXECDIR@ \
|
||||
### TODO: $( grep "^+++" %{PATCH33} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
||||
### TODO: )
|
||||
|
||||
autoreconf -fiv
|
||||
%ifarch s390 s390x %sparc
|
||||
PIEFLAGS="-fPIE"
|
||||
@ -244,7 +209,6 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
||||
%endif
|
||||
%if %{uses_systemd}
|
||||
--with-pid-dir=/run \
|
||||
--with-systemd \
|
||||
%endif
|
||||
--with-ssl-engine \
|
||||
--with-pam \
|
||||
@ -292,8 +256,8 @@ install -D -m 0755 %{SOURCE1} %{buildroot}%{_initddir}/sshd
|
||||
install -m 0644 %{SOURCE10} .
|
||||
ln -s ../..%{_initddir}/sshd %{buildroot}%{_sbindir}/rcsshd
|
||||
%endif
|
||||
install -d -m 755 %{buildroot}%{_fillupdir}
|
||||
install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}
|
||||
install -d -m 755 %{buildroot}/var/adm/fillup-templates
|
||||
install -m 644 %{SOURCE8} %{buildroot}/var/adm/fillup-templates
|
||||
# install shell script to automate the process of adding your public key to a remote machine
|
||||
install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
|
||||
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
|
||||
@ -308,7 +272,7 @@ install -m 644 %{SOURCE7} %{buildroot}%{_fwdefdir}/sshd
|
||||
|
||||
# askpass wrapper
|
||||
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE6} > %{buildroot}%{_libexecdir}/ssh/ssh-askpass
|
||||
#sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE12} > %{buildroot}%{_libexecdir}/ssh/cavs_driver-ssh.pl
|
||||
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE12} > %{buildroot}%{_libexecdir}/ssh/cavs_driver-ssh.pl
|
||||
rm -f %{buildroot}%{_datadir}/Ssh.bin
|
||||
# sshd keys generator wrapper
|
||||
install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
|
||||
@ -345,7 +309,6 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd
|
||||
%else
|
||||
%{fillup_and_insserv -n ssh sshd}
|
||||
%endif
|
||||
%set_permissions /etc/ssh/sshd_config
|
||||
|
||||
%preun
|
||||
%if %{uses_systemd}
|
||||
@ -369,9 +332,6 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
|
||||
%triggerin -n openssh-fips -- %{name} = %{version}-%{release}
|
||||
%restart_on_update sshd
|
||||
|
||||
%verifyscript
|
||||
%verify_permissions -e /etc/ssh/sshd_config
|
||||
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
%exclude %{_bindir}/ssh%{CHECKSUM_SUFFIX}
|
||||
@ -383,7 +343,7 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
|
||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
|
||||
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
|
||||
%verify(not mode) %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
||||
%verify(not mode) %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
|
||||
%if %{uses_systemd}
|
||||
%doc sshd.init
|
||||
@ -402,7 +362,7 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
|
||||
%attr(0444,root,root) %doc %{_mandir}/man8/*
|
||||
%dir %{_sysconfdir}/slp.reg.d
|
||||
%config %{_sysconfdir}/slp.reg.d/ssh.reg
|
||||
%{_fillupdir}/sysconfig.ssh
|
||||
/var/adm/fillup-templates/sysconfig.ssh
|
||||
%if %{has_fw_dir}
|
||||
%if %{needs_all_dirs}
|
||||
%dir %{_fwdir}
|
||||
@ -425,8 +385,8 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
|
||||
%attr(0444,root,root) %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
|
||||
%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
|
||||
|
||||
#files cavs
|
||||
#defattr(-,root,root)
|
||||
#attr(0755,root,root) %{_libexecdir}/ssh/cavs*
|
||||
%files cavs
|
||||
%defattr(-,root,root)
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/cavs*
|
||||
|
||||
%changelog
|
||||
|
Loading…
Reference in New Issue
Block a user