forked from pool/openssh
Accepting request 563724 from home:pcerny:factory
reworking packaging, gssapi kex patch OBS-URL: https://build.opensuse.org/request/show/563724 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=128
parent
b813991fe5
commit
a03a137de1
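--- a/cavs_driver-ssh.pl
+++ b/cavs_driver-ssh.pl
@@ -0,0 +1,184 @@
+#!/usr/bin/env perl
+#
+# CAVS test driver for OpenSSH
+#
+# Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# NO WARRANTY
+#
+# BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+# FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+# OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+# PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+# OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+# TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+# PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+# REPAIR OR CORRECTION.
+#
+# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+# REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+# INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+# OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+# TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+# YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+# PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGES.
+#
+use strict;
+use warnings;
+use IPC::Open2;
+
+# Executing a program by feeding STDIN and retrieving
+# STDOUT
+# $1: data string to be piped to the app on STDIN
+# rest: program and args
+# returns: STDOUT of program as string
+sub pipe_through_program($@) {
+my $in = shift;
+my @args = @_;
+
+my ($CO, $CI);
+my $pid = open2($CO, $CI, @args);
+
+my $out = "";
+my $len = length($in);
+my $first = 1;
+while (1) {
+my $rin = "";
+my $win = "";
+# Output of prog is FD that we read
+vec($rin,fileno($CO),1) = 1;
+# Input of prog is FD that we write
+# check for $first is needed because we can have NULL input
+# that is to be written to the app
+if ( $len > 0 || $first) {
+(vec($win,fileno($CI),1) = 1);
+$first=0;
+}
+# Let us wait for 100ms
+my $nfound = select(my $rout=$rin, my $wout=$win, undef, 0.1);
+if ( $wout ) {
+my $written = syswrite($CI, $in, $len);
+die "broken pipe" if !defined $written;
+$len -= $written;
+substr($in, 0, $written) = "";
+if ($len <= 0) {
+close $CI or die "broken pipe: $!";
+}
+}
+if ( $rout ) {
+my $tmp_out = "";
+my $bytes_read = sysread($CO, $tmp_out, 4096);
+$out .= $tmp_out;
+last if ($bytes_read == 0);
+}
+}
+close $CO or die "broken pipe: $!";
+waitpid $pid, 0;
+
+return $out;
+}
+
+# Parser of CAVS test vector file
+# $1: Test vector file
+# $2: Output file for test results
+# return: nothing
+sub parse($$) {
+my $infile = shift;
+my $outfile = shift;
+
+my $out = "";
+
+my $K = "";
+my $H = "";
+my $session_id = "";
+my $ivlen = 0;
+my $eklen = "";
+my $iklen = "";
+
+open(IN, "<$infile");
+while(<IN>) {
+
+my $line = $_;
+chomp($line);
+$line =~ s/\r//;
+
+if ($line =~ /\[SHA-1\]/) {
+$iklen = 20;
+} elsif ($line =~ /\[SHA-256\]/) {
+$iklen = 32;
+} elsif ($line =~ /\[SHA-384\]/) {
+$iklen = 48;
+} elsif ($line =~ /\[SHA-512\]/) {
+$iklen = 64;
+} elsif ($line =~ /^\[IV length\s*=\s*(.*)\]/) {
+$ivlen = $1;
+$ivlen = $ivlen / 8;
+} elsif ($line =~ /^\[encryption key length\s*=\s*(.*)\]/) {
+$eklen = $1;
+$eklen = $eklen / 8;
+} elsif ($line =~ /^K\s*=\s*(.*)/) {
+$K = $1;
+$K = substr($K, 8);
+$K = "00" . $K;
+} elsif ($line =~ /^H\s*=\s*(.*)/) {
+$H = $1;
+} elsif ($line =~ /^session_id\s*=\s*(.*)/) {
+$session_id = $1;
+}
+$out .= $line . "\n";
+
+if ($K ne "" && $H ne "" && $session_id ne "" &&
+$ivlen ne "" && $eklen ne "" && $iklen > 0) {
+$out .= pipe_through_program("", "@LIBEXECDIR@/ssh/cavstest-kdf -H $H -K $K -s $session_id -i $ivlen -e $eklen -m $iklen");
+
+$K = "";
+$H = "";
+$session_id = "";
+}
+}
+close IN;
+$out =~ s/\n/\r\n/g; # make it a dos file
+open(OUT, ">$outfile") or die "Cannot create output file $outfile: $?";
+print OUT $out;
+close OUT;
+}
+
+############################################################
+#
+# let us pretend to be C :-)
+sub main() {
+
+my $infile=$ARGV[0];
+die "Error: Test vector file $infile not found" if (! -f $infile);
+
+my $outfile = $infile;
+# let us add .rsp regardless whether we could strip .req
+$outfile =~ s/\.req$//;
+$outfile .= ".rsp";
+if (-f $outfile) {
+die "Output file $outfile could not be removed: $?"
+unless unlink($outfile);
+}
+print STDERR "Performing tests from source file $infile with results stored in destination file $outfile\n";
+
+# Do the job
+parse($infile, $outfile);
+}
+
+###########################################
+# Call it
+main();
+1;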
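Review bot: The KDF helper call in parse, `$out .= pipe_through_program("", "@LIBEXECDIR@/ssh/cavstest-kdf -H $H -K $K -s $session_id ...")`, hands open2 a single string, so it is run through the shell, while $H, $K and $session_id come straight from the `(.*)` captures on the test vector file with no validation; since pipe_through_program already forwards its remaining arguments to open2 as a list, the call should be the list form `pipe_through_program("", "@LIBEXECDIR@/ssh/cavstest-kdf", "-H", $H, "-K", $K, "-s", $session_id, "-i", $ivlen, "-e", $eklen, "-m", $iklen);` and the captures tightened to hex, e.g. `/^K\s*=\s*([0-9a-fA-F]+)\s*$/`. The vector file is read with the unchecked two-argument `open(IN, "<$infile");`, so an unreadable file silently yields an empty .rsp; prefer `open(my $in_fh, '<', $infile) or die "Cannot open $infile: $!";` and the same three-argument, lexical form for the output handle. The die messages after `open(OUT, ...)` and `unlink($outfile)` print `$?`, which is the last child exit status, where `$!` holds the errno that explains the failure. In pipe_through_program the sysread return value is compared to 0 without checking for undef, and `waitpid $pid, 0;` discards the child's exit status, so a cavstest-kdf run that fails is written into the response file as if it had succeeded.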
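--- a/openssh-7.6p1-SUSE_patches.tar.xz
+++ b/openssh-7.6p1-SUSE_patches.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d2f790931dbda22f81a9d0b80ce3532bfe02d51750f1170b81faef32f4230af8
+size 61332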
@ -1,65 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent c004421528bc443fa9a56db1123005c92014e6b3
|
|
||||||
# enable trusted X11 forwarding by default in both sshd and sshsystem-wide
|
|
||||||
# configuration
|
|
||||||
# bnc#50836 (was suse #35836)
|
|
||||||
Enable Trusted X11 forwarding by default, since the security benefits of
|
|
||||||
having it disabled are negligible these days with XI2 being widely used.
|
|
||||||
|
|
||||||
diff --git a/openssh-7.6p1/ssh_config b/openssh-7.6p1/ssh_config
|
|
||||||
--- a/openssh-7.6p1/ssh_config
|
|
||||||
+++ b/openssh-7.6p1/ssh_config
|
|
||||||
@@ -12,19 +12,30 @@
|
|
||||||
# Any configuration value is only changed the first time it is set.
|
|
||||||
# Thus, host-specific definitions should be at the beginning of the
|
|
||||||
# configuration file, and defaults at the end.
|
|
||||||
|
|
||||||
# Site-wide defaults for some commonly used options. For a comprehensive
|
|
||||||
# list of available options, their meanings and defaults, please see the
|
|
||||||
# ssh_config(5) man page.
|
|
||||||
|
|
||||||
-# Host *
|
|
||||||
+Host *
|
|
||||||
# ForwardAgent no
|
|
||||||
# ForwardX11 no
|
|
||||||
+
|
|
||||||
+# If you do not trust your remote host (or its administrator), you
|
|
||||||
+# should not forward X11 connections to your local X11-display for
|
|
||||||
+# security reasons: Someone stealing the authentification data on the
|
|
||||||
+# remote side (the "spoofed" X-server by the remote sshd) can read your
|
|
||||||
+# keystrokes as you type, just like any other X11 client could do.
|
|
||||||
+# Set this to "no" here for global effect or in your own ~/.ssh/config
|
|
||||||
+# file if you want to have the remote X11 authentification data to
|
|
||||||
+# expire after twenty minutes after remote login.
|
|
||||||
+ ForwardX11Trusted yes
|
|
||||||
+
|
|
||||||
# PasswordAuthentication yes
|
|
||||||
# HostbasedAuthentication no
|
|
||||||
# GSSAPIAuthentication no
|
|
||||||
# GSSAPIDelegateCredentials no
|
|
||||||
# BatchMode no
|
|
||||||
# CheckHostIP yes
|
|
||||||
# AddressFamily any
|
|
||||||
# ConnectTimeout 0
|
|
||||||
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
|
|
||||||
--- a/openssh-7.6p1/sshd_config
|
|
||||||
+++ b/openssh-7.6p1/sshd_config
|
|
||||||
@@ -80,17 +80,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
||||||
# If you just want the PAM account and session checks to run without
|
|
||||||
# PAM authentication, then enable this but set PasswordAuthentication
|
|
||||||
# and ChallengeResponseAuthentication to 'no'.
|
|
||||||
#UsePAM no
|
|
||||||
|
|
||||||
#AllowAgentForwarding yes
|
|
||||||
#AllowTcpForwarding yes
|
|
||||||
#GatewayPorts no
|
|
||||||
-#X11Forwarding no
|
|
||||||
+X11Forwarding yes
|
|
||||||
#X11DisplayOffset 10
|
|
||||||
#X11UseLocalhost yes
|
|
||||||
#PermitTTY yes
|
|
||||||
#PrintMotd yes
|
|
||||||
#PrintLastLog yes
|
|
||||||
#TCPKeepAlive yes
|
|
||||||
#UseLogin no
|
|
||||||
#PermitUserEnvironment no
|
|
@ -1,95 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent af43d436bc7fe818dd976c923ad99b89051eb299
|
|
||||||
Allow root login with password by default. While less secure than upstream
|
|
||||||
default of forbidding access to the root account with a password, we are
|
|
||||||
temporarily introducing this change to keep the default used in older OpenSSH
|
|
||||||
versions shipped with SLE.
|
|
||||||
|
|
||||||
diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
|
||||||
--- a/openssh-7.6p1/servconf.c
|
|
||||||
+++ b/openssh-7.6p1/servconf.c
|
|
||||||
@@ -218,17 +218,17 @@ fill_default_server_options(ServerOption
|
|
||||||
options->address_family = AF_UNSPEC;
|
|
||||||
if (options->listen_addrs == NULL)
|
|
||||||
add_listen_addr(options, NULL, 0);
|
|
||||||
if (options->pid_file == NULL)
|
|
||||||
options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
|
|
||||||
if (options->login_grace_time == -1)
|
|
||||||
options->login_grace_time = 120;
|
|
||||||
if (options->permit_root_login == PERMIT_NOT_SET)
|
|
||||||
- options->permit_root_login = PERMIT_NO_PASSWD;
|
|
||||||
+ options->permit_root_login = PERMIT_YES;
|
|
||||||
if (options->ignore_rhosts == -1)
|
|
||||||
options->ignore_rhosts = 1;
|
|
||||||
if (options->ignore_user_known_hosts == -1)
|
|
||||||
options->ignore_user_known_hosts = 0;
|
|
||||||
if (options->print_motd == -1)
|
|
||||||
options->print_motd = 1;
|
|
||||||
if (options->print_lastlog == -1)
|
|
||||||
options->print_lastlog = 1;
|
|
||||||
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
|
|
||||||
--- a/openssh-7.6p1/sshd_config
|
|
||||||
+++ b/openssh-7.6p1/sshd_config
|
|
||||||
@@ -25,17 +25,17 @@
|
|
||||||
|
|
||||||
# Logging
|
|
||||||
#SyslogFacility AUTH
|
|
||||||
#LogLevel INFO
|
|
||||||
|
|
||||||
# Authentication:
|
|
||||||
|
|
||||||
#LoginGraceTime 2m
|
|
||||||
-#PermitRootLogin prohibit-password
|
|
||||||
+#PermitRootLogin yes
|
|
||||||
#StrictModes yes
|
|
||||||
#MaxAuthTries 6
|
|
||||||
#MaxSessions 10
|
|
||||||
|
|
||||||
#PubkeyAuthentication yes
|
|
||||||
|
|
||||||
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
|
||||||
# but this is overridden so installations will only check .ssh/authorized_keys
|
|
||||||
diff --git a/openssh-7.6p1/sshd_config.0 b/openssh-7.6p1/sshd_config.0
|
|
||||||
--- a/openssh-7.6p1/sshd_config.0
|
|
||||||
+++ b/openssh-7.6p1/sshd_config.0
|
|
||||||
@@ -696,17 +696,17 @@ DESCRIPTION
|
|
||||||
none can be used to prohibit all forwarding requests. The
|
|
||||||
wildcard M-bM-^@M-^X*M-bM-^@M-^Y can be used for host or port to allow all hosts or
|
|
||||||
ports, respectively. By default all port forwarding requests are
|
|
||||||
permitted.
|
|
||||||
|
|
||||||
PermitRootLogin
|
|
||||||
Specifies whether root can log in using ssh(1). The argument
|
|
||||||
must be yes, prohibit-password, without-password,
|
|
||||||
- forced-commands-only, or no. The default is prohibit-password.
|
|
||||||
+ forced-commands-only, or no. The default is yes.
|
|
||||||
|
|
||||||
If this option is set to prohibit-password or without-password,
|
|
||||||
password and keyboard-interactive authentication are disabled for
|
|
||||||
root.
|
|
||||||
|
|
||||||
If this option is set to forced-commands-only, root login with
|
|
||||||
public key authentication will be allowed, but only if the
|
|
||||||
command option has been specified (which may be useful for taking
|
|
||||||
diff --git a/openssh-7.6p1/sshd_config.5 b/openssh-7.6p1/sshd_config.5
|
|
||||||
--- a/openssh-7.6p1/sshd_config.5
|
|
||||||
+++ b/openssh-7.6p1/sshd_config.5
|
|
||||||
@@ -1188,17 +1188,17 @@ Specifies whether root can log in using
|
|
||||||
The argument must be
|
|
||||||
.Cm yes ,
|
|
||||||
.Cm prohibit-password ,
|
|
||||||
.Cm without-password ,
|
|
||||||
.Cm forced-commands-only ,
|
|
||||||
or
|
|
||||||
.Cm no .
|
|
||||||
The default is
|
|
||||||
-.Cm prohibit-password .
|
|
||||||
+.Cm yes .
|
|
||||||
.Pp
|
|
||||||
If this option is set to
|
|
||||||
.Cm prohibit-password
|
|
||||||
or
|
|
||||||
.Cm without-password ,
|
|
||||||
password and keyboard-interactive authentication are disabled for root.
|
|
||||||
.Pp
|
|
||||||
If this option is set to
|
|
@ -1,75 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 724c9ea86fe2c4a1f0e0d3aba168357ab1b2c3aa
|
|
||||||
block SIGALRM while logging through syslog to prevent deadlocks
|
|
||||||
(through grace_alarm_handler())
|
|
||||||
|
|
||||||
bnc#57354
|
|
||||||
|
|
||||||
diff --git a/openssh-7.6p1/log.c b/openssh-7.6p1/log.c
|
|
||||||
--- a/openssh-7.6p1/log.c
|
|
||||||
+++ b/openssh-7.6p1/log.c
|
|
||||||
@@ -46,16 +46,17 @@
|
|
||||||
#include <syslog.h>
|
|
||||||
#include <unistd.h>
|
|
||||||
#include <errno.h>
|
|
||||||
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
|
|
||||||
# include <vis.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#include "log.h"
|
|
||||||
+#include <signal.h>
|
|
||||||
|
|
||||||
static LogLevel log_level = SYSLOG_LEVEL_INFO;
|
|
||||||
static int log_on_stderr = 1;
|
|
||||||
static int log_stderr_fd = STDERR_FILENO;
|
|
||||||
static int log_facility = LOG_AUTH;
|
|
||||||
static char *argv0;
|
|
||||||
static log_handler_fn *log_handler;
|
|
||||||
static void *log_handler_ctx;
|
|
||||||
@@ -396,16 +397,17 @@ do_log(LogLevel level, const char *fmt,
|
|
||||||
{
|
|
||||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
|
||||||
struct syslog_data sdata = SYSLOG_DATA_INIT;
|
|
||||||
#endif
|
|
||||||
char msgbuf[MSGBUFSIZ];
|
|
||||||
char fmtbuf[MSGBUFSIZ];
|
|
||||||
char *txt = NULL;
|
|
||||||
int pri = LOG_INFO;
|
|
||||||
+ sigset_t nset, oset;
|
|
||||||
int saved_errno = errno;
|
|
||||||
log_handler_fn *tmp_handler;
|
|
||||||
|
|
||||||
if (level > log_level)
|
|
||||||
return;
|
|
||||||
|
|
||||||
switch (level) {
|
|
||||||
case SYSLOG_LEVEL_FATAL:
|
|
||||||
@@ -455,20 +457,28 @@ do_log(LogLevel level, const char *fmt,
|
|
||||||
log_handler = NULL;
|
|
||||||
tmp_handler(level, fmtbuf, log_handler_ctx);
|
|
||||||
log_handler = tmp_handler;
|
|
||||||
} else if (log_on_stderr) {
|
|
||||||
snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",
|
|
||||||
(int)sizeof msgbuf - 3, fmtbuf);
|
|
||||||
(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
|
|
||||||
} else {
|
|
||||||
+ /* Prevent a race between the grace_alarm which writes a
|
|
||||||
+ * log message and terminates and main sshd code that leads
|
|
||||||
+ * to deadlock as syslog is not async safe.
|
|
||||||
+ */
|
|
||||||
+ sigemptyset(&nset);
|
|
||||||
+ sigaddset(&nset, SIGALRM);
|
|
||||||
+ sigprocmask(SIG_BLOCK, &nset, &oset);
|
|
||||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
|
||||||
openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
|
|
||||||
syslog_r(pri, &sdata, "%.500s", fmtbuf);
|
|
||||||
closelog_r(&sdata);
|
|
||||||
#else
|
|
||||||
openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
|
|
||||||
syslog(pri, "%.500s", fmtbuf);
|
|
||||||
closelog();
|
|
||||||
#endif
|
|
||||||
+ sigprocmask(SIG_SETMASK, &oset, NULL);
|
|
||||||
}
|
|
||||||
errno = saved_errno;
|
|
||||||
}
|
|
@ -1,696 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent a5b0f249f564de9c9efd023c6430f607d9861acd
|
|
||||||
|
|
||||||
Raise minimal size of DH group parameters to 2048 bits like upstream did in
|
|
||||||
7.2. 1024b values are believed to be in breaking range for state adversaries
|
|
||||||
and the default moduli shipped with openssh have been around long enough to
|
|
||||||
make it more likely for them to be broken.
|
|
||||||
|
|
||||||
Also provide an option that allows the client to accept shorter (RFC4419
|
|
||||||
compliant) parameters.
|
|
||||||
|
|
||||||
CVE-2015-4000 (LOGJAM)
|
|
||||||
bsc#932483
|
|
||||||
|
|
||||||
diff --git a/openssh-7.6p1/dh.c b/openssh-7.6p1/dh.c
|
|
||||||
--- a/openssh-7.6p1/dh.c
|
|
||||||
+++ b/openssh-7.6p1/dh.c
|
|
||||||
@@ -37,16 +37,18 @@
|
|
||||||
#include <limits.h>
|
|
||||||
|
|
||||||
#include "dh.h"
|
|
||||||
#include "pathnames.h"
|
|
||||||
#include "log.h"
|
|
||||||
#include "misc.h"
|
|
||||||
#include "ssherr.h"
|
|
||||||
|
|
||||||
+int dh_grp_min = DH_GRP_MIN;
|
|
||||||
+
|
|
||||||
static int
|
|
||||||
parse_prime(int linenum, char *line, struct dhgroup *dhg)
|
|
||||||
{
|
|
||||||
char *cp, *arg;
|
|
||||||
char *strsize, *gen, *prime;
|
|
||||||
const char *errstr = NULL;
|
|
||||||
long long n;
|
|
||||||
|
|
||||||
diff --git a/openssh-7.6p1/dh.h b/openssh-7.6p1/dh.h
|
|
||||||
--- a/openssh-7.6p1/dh.h
|
|
||||||
+++ b/openssh-7.6p1/dh.h
|
|
||||||
@@ -45,16 +45,17 @@ int dh_gen_key(DH *, int);
|
|
||||||
int dh_pub_is_valid(DH *, BIGNUM *);
|
|
||||||
|
|
||||||
u_int dh_estimate(int);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Max value from RFC4419.
|
|
||||||
* Miniumum increased in light of DH precomputation attacks.
|
|
||||||
*/
|
|
||||||
+#define DH_GRP_MIN_RFC 1024
|
|
||||||
#define DH_GRP_MIN 2048
|
|
||||||
#define DH_GRP_MAX 8192
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Values for "type" field of moduli(5)
|
|
||||||
* Specifies the internal structure of the prime modulus.
|
|
||||||
*/
|
|
||||||
#define MODULI_TYPE_UNKNOWN (0)
|
|
||||||
diff --git a/openssh-7.6p1/kexgexc.c b/openssh-7.6p1/kexgexc.c
|
|
||||||
--- a/openssh-7.6p1/kexgexc.c
|
|
||||||
+++ b/openssh-7.6p1/kexgexc.c
|
|
||||||
@@ -46,29 +46,32 @@
|
|
||||||
#include "dh.h"
|
|
||||||
#include "ssh2.h"
|
|
||||||
#include "compat.h"
|
|
||||||
#include "dispatch.h"
|
|
||||||
#include "ssherr.h"
|
|
||||||
#include "sshbuf.h"
|
|
||||||
#include "misc.h"
|
|
||||||
|
|
||||||
+/* import from dh.c */
|
|
||||||
+extern int dh_grp_min;
|
|
||||||
+
|
|
||||||
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
|
|
||||||
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
|
|
||||||
|
|
||||||
int
|
|
||||||
kexgex_client(struct ssh *ssh)
|
|
||||||
{
|
|
||||||
struct kex *kex = ssh->kex;
|
|
||||||
int r;
|
|
||||||
u_int nbits;
|
|
||||||
|
|
||||||
nbits = dh_estimate(kex->dh_need * 8);
|
|
||||||
|
|
||||||
- kex->min = DH_GRP_MIN;
|
|
||||||
+ kex->min = dh_grp_min;
|
|
||||||
kex->max = DH_GRP_MAX;
|
|
||||||
kex->nbits = nbits;
|
|
||||||
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
|
||||||
kex->nbits = MINIMUM(kex->nbits, 4096);
|
|
||||||
/* New GEX request */
|
|
||||||
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST)) != 0 ||
|
|
||||||
(r = sshpkt_put_u32(ssh, kex->min)) != 0 ||
|
|
||||||
(r = sshpkt_put_u32(ssh, kex->nbits)) != 0 ||
|
|
||||||
@@ -103,16 +106,22 @@ input_kex_dh_gex_group(int type, u_int32
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
if ((r = sshpkt_get_bignum2(ssh, p)) != 0 ||
|
|
||||||
(r = sshpkt_get_bignum2(ssh, g)) != 0 ||
|
|
||||||
(r = sshpkt_get_end(ssh)) != 0)
|
|
||||||
goto out;
|
|
||||||
if ((bits = BN_num_bits(p)) < 0 ||
|
|
||||||
(u_int)bits < kex->min || (u_int)bits > kex->max) {
|
|
||||||
+ if ((u_int)bits < kex->min && (u_int)bits >= DH_GRP_MIN_RFC)
|
|
||||||
+ logit("DH parameter offered by the server (%d bits) "
|
|
||||||
+ "is considered insecure. "
|
|
||||||
+ "You can lower the accepted the minimum "
|
|
||||||
+ "via the KexDHMin option.",
|
|
||||||
+ bits);
|
|
||||||
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
if ((kex->dh = dh_new_group(g, p)) == NULL) {
|
|
||||||
r = SSH_ERR_ALLOC_FAIL;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
p = g = NULL; /* belong to kex->dh now */
|
|
||||||
diff --git a/openssh-7.6p1/kexgexs.c b/openssh-7.6p1/kexgexs.c
|
|
||||||
--- a/openssh-7.6p1/kexgexs.c
|
|
||||||
+++ b/openssh-7.6p1/kexgexs.c
|
|
||||||
@@ -49,16 +49,19 @@
|
|
||||||
#include "ssh-gss.h"
|
|
||||||
#endif
|
|
||||||
#include "monitor_wrap.h"
|
|
||||||
#include "dispatch.h"
|
|
||||||
#include "ssherr.h"
|
|
||||||
#include "sshbuf.h"
|
|
||||||
#include "misc.h"
|
|
||||||
|
|
||||||
+/* import from dh.c */
|
|
||||||
+extern int dh_grp_min;
|
|
||||||
+
|
|
||||||
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
|
|
||||||
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
|
|
||||||
|
|
||||||
int
|
|
||||||
kexgex_server(struct ssh *ssh)
|
|
||||||
{
|
|
||||||
ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST,
|
|
||||||
&input_kex_dh_gex_request);
|
|
||||||
@@ -77,23 +80,29 @@ input_kex_dh_gex_request(int type, u_int
|
|
||||||
if ((r = sshpkt_get_u32(ssh, &min)) != 0 ||
|
|
||||||
(r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
|
|
||||||
(r = sshpkt_get_u32(ssh, &max)) != 0 ||
|
|
||||||
(r = sshpkt_get_end(ssh)) != 0)
|
|
||||||
goto out;
|
|
||||||
kex->nbits = nbits;
|
|
||||||
kex->min = min;
|
|
||||||
kex->max = max;
|
|
||||||
- min = MAXIMUM(DH_GRP_MIN, min);
|
|
||||||
+ min = MAXIMUM(dh_grp_min, min);
|
|
||||||
max = MINIMUM(DH_GRP_MAX, max);
|
|
||||||
- nbits = MAXIMUM(DH_GRP_MIN, nbits);
|
|
||||||
+ nbits = MAXIMUM(dh_grp_min, nbits);
|
|
||||||
nbits = MINIMUM(DH_GRP_MAX, nbits);
|
|
||||||
|
|
||||||
if (kex->max < kex->min || kex->nbits < kex->min ||
|
|
||||||
kex->max < kex->nbits || kex->max < DH_GRP_MIN) {
|
|
||||||
+ if (kex->nbits < kex->min && kex->nbits >= DH_GRP_MIN_RFC)
|
|
||||||
+ logit("DH parameter requested by the client (%d bits) "
|
|
||||||
+ "is considered insecure. "
|
|
||||||
+ "You can lower the accepted minimum "
|
|
||||||
+ "via the KexDHMin option.",
|
|
||||||
+ kex->nbits);
|
|
||||||
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Contact privileged parent */
|
|
||||||
kex->dh = PRIVSEP(choose_dh(min, nbits, max));
|
|
||||||
if (kex->dh == NULL) {
|
|
||||||
sshpkt_disconnect(ssh, "no matching DH grp found");
|
|
||||||
diff --git a/openssh-7.6p1/readconf.c b/openssh-7.6p1/readconf.c
|
|
||||||
--- a/openssh-7.6p1/readconf.c
|
|
||||||
+++ b/openssh-7.6p1/readconf.c
|
|
||||||
@@ -61,16 +61,17 @@
|
|
||||||
#include "misc.h"
|
|
||||||
#include "readconf.h"
|
|
||||||
#include "match.h"
|
|
||||||
#include "kex.h"
|
|
||||||
#include "mac.h"
|
|
||||||
#include "uidswap.h"
|
|
||||||
#include "myproposal.h"
|
|
||||||
#include "digest.h"
|
|
||||||
+#include "dh.h"
|
|
||||||
|
|
||||||
/* Format of the configuration file:
|
|
||||||
|
|
||||||
# Configuration data is parsed as follows:
|
|
||||||
# 1. command line options
|
|
||||||
# 2. user-specific file
|
|
||||||
# 3. system-wide file
|
|
||||||
# Any configuration value is only changed the first time it is set.
|
|
||||||
@@ -161,17 +162,18 @@ typedef enum {
|
|
||||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
|
||||||
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
|
||||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
|
||||||
oSendEnv, oControlPath, oControlMaster, oControlPersist,
|
|
||||||
oHashKnownHosts,
|
|
||||||
oTunnel, oTunnelDevice,
|
|
||||||
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
|
|
||||||
oVisualHostKey,
|
|
||||||
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
|
|
||||||
+ oKexAlgorithms, oKexDHMin,
|
|
||||||
+ oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
|
|
||||||
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
|
|
||||||
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
|
|
||||||
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
|
|
||||||
oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
|
|
||||||
oPubkeyAcceptedKeyTypes, oProxyJump,
|
|
||||||
oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
|
|
||||||
} OpCodes;
|
|
||||||
|
|
||||||
@@ -283,16 +285,17 @@ static struct {
|
|
||||||
{ "include", oInclude },
|
|
||||||
{ "tunnel", oTunnel },
|
|
||||||
{ "tunneldevice", oTunnelDevice },
|
|
||||||
{ "localcommand", oLocalCommand },
|
|
||||||
{ "permitlocalcommand", oPermitLocalCommand },
|
|
||||||
{ "remotecommand", oRemoteCommand },
|
|
||||||
{ "visualhostkey", oVisualHostKey },
|
|
||||||
{ "kexalgorithms", oKexAlgorithms },
|
|
||||||
+ { "kexdhmin", oKexDHMin },
|
|
||||||
{ "ipqos", oIPQoS },
|
|
||||||
{ "requesttty", oRequestTTY },
|
|
||||||
{ "proxyusefdpass", oProxyUseFdpass },
|
|
||||||
{ "canonicaldomains", oCanonicalDomains },
|
|
||||||
{ "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
|
|
||||||
{ "canonicalizehostname", oCanonicalizeHostname },
|
|
||||||
{ "canonicalizemaxdots", oCanonicalizeMaxDots },
|
|
||||||
{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
|
|
||||||
@@ -304,16 +307,19 @@ static struct {
|
|
||||||
{ "hostbasedkeytypes", oHostbasedKeyTypes },
|
|
||||||
{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
|
|
||||||
{ "ignoreunknown", oIgnoreUnknown },
|
|
||||||
{ "proxyjump", oProxyJump },
|
|
||||||
|
|
||||||
{ NULL, oBadOption }
|
|
||||||
};
|
|
||||||
|
|
||||||
+/* import from dh.c */
|
|
||||||
+extern int dh_grp_min;
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Adds a local TCP/IP port forward to options. Never returns if there is an
|
|
||||||
* error.
|
|
||||||
*/
|
|
||||||
|
|
||||||
void
|
|
||||||
add_local_forward(Options *options, const struct Forward *newfwd)
|
|
||||||
{
|
|
||||||
@@ -1206,16 +1212,20 @@ parse_int:
|
|
||||||
if (*arg != '-' &&
|
|
||||||
!kex_names_valid(*arg == '+' ? arg + 1 : arg))
|
|
||||||
fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
|
|
||||||
filename, linenum, arg ? arg : "<NONE>");
|
|
||||||
if (*activep && options->kex_algorithms == NULL)
|
|
||||||
options->kex_algorithms = xstrdup(arg);
|
|
||||||
break;
|
|
||||||
|
|
||||||
+ case oKexDHMin:
|
|
||||||
+ intptr = &options->kex_dhmin;
|
|
||||||
+ goto parse_int;
|
|
||||||
+
|
|
||||||
case oHostKeyAlgorithms:
|
|
||||||
charptr = &options->hostkeyalgorithms;
|
|
||||||
parse_keytypes:
|
|
||||||
arg = strdelim(&s);
|
|
||||||
if (!arg || *arg == '\0')
|
|
||||||
fatal("%.200s line %d: Missing argument.",
|
|
||||||
filename, linenum);
|
|
||||||
if (*arg != '-' &&
|
|
||||||
@@ -1803,16 +1813,17 @@ initialize_options(Options * options)
|
|
||||||
options->port = -1;
|
|
||||||
options->address_family = -1;
|
|
||||||
options->connection_attempts = -1;
|
|
||||||
options->connection_timeout = -1;
|
|
||||||
options->number_of_password_prompts = -1;
|
|
||||||
options->ciphers = NULL;
|
|
||||||
options->macs = NULL;
|
|
||||||
options->kex_algorithms = NULL;
|
|
||||||
+ options->kex_dhmin = -1;
|
|
||||||
options->hostkeyalgorithms = NULL;
|
|
||||||
options->num_identity_files = 0;
|
|
||||||
options->num_certificate_files = 0;
|
|
||||||
options->hostname = NULL;
|
|
||||||
options->host_key_alias = NULL;
|
|
||||||
options->proxy_command = NULL;
|
|
||||||
options->jump_user = NULL;
|
|
||||||
options->jump_host = NULL;
|
|
||||||
@@ -1951,16 +1962,23 @@ fill_default_options(Options * options)
|
|
||||||
if (options->port == -1)
|
|
||||||
options->port = 0; /* Filled in ssh_connect. */
|
|
||||||
if (options->address_family == -1)
|
|
||||||
options->address_family = AF_UNSPEC;
|
|
||||||
if (options->connection_attempts == -1)
|
|
||||||
options->connection_attempts = 1;
|
|
||||||
if (options->number_of_password_prompts == -1)
|
|
||||||
options->number_of_password_prompts = 3;
|
|
||||||
+ if (options->kex_dhmin == -1)
|
|
||||||
+ options->kex_dhmin = DH_GRP_MIN_RFC;
|
|
||||||
+ else {
|
|
||||||
+ options->kex_dhmin = MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC);
|
|
||||||
+ options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
|
||||||
+ }
|
|
||||||
+ dh_grp_min = options->kex_dhmin;
|
|
||||||
/* options->hostkeyalgorithms, default set in myproposals.h */
|
|
||||||
if (options->add_keys_to_agent == -1)
|
|
||||||
options->add_keys_to_agent = 0;
|
|
||||||
if (options->num_identity_files == 0) {
|
|
||||||
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_RSA, 0);
|
|
||||||
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0);
|
|
||||||
#ifdef OPENSSL_HAS_ECC
|
|
||||||
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ECDSA, 0);
|
|
||||||
diff --git a/openssh-7.6p1/readconf.h b/openssh-7.6p1/readconf.h
|
|
||||||
--- a/openssh-7.6p1/readconf.h
|
|
||||||
+++ b/openssh-7.6p1/readconf.h
|
|
||||||
@@ -64,16 +64,17 @@ typedef struct {
|
|
||||||
int connection_timeout; /* Max time (seconds) before
|
|
||||||
* aborting connection attempt */
|
|
||||||
int number_of_password_prompts; /* Max number of password
|
|
||||||
* prompts. */
|
|
||||||
char *ciphers; /* SSH2 ciphers in order of preference. */
|
|
||||||
char *macs; /* SSH2 macs in order of preference. */
|
|
||||||
char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */
|
|
||||||
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
|
||||||
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
|
||||||
char *hostname; /* Real host to connect. */
|
|
||||||
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
|
|
||||||
char *proxy_command; /* Proxy command for connecting the host. */
|
|
||||||
char *user; /* User to log in as. */
|
|
||||||
int escape_char; /* Escape character; -2 = none */
|
|
||||||
|
|
||||||
u_int num_system_hostfiles; /* Paths for /etc/ssh/ssh_known_hosts */
|
|
||||||
char *system_hostfiles[SSH_MAX_HOSTS_FILES];
|
|
||||||
diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
|
||||||
--- a/openssh-7.6p1/servconf.c
|
|
||||||
+++ b/openssh-7.6p1/servconf.c
|
|
||||||
@@ -52,16 +52,20 @@
|
|
||||||
#include "channels.h"
|
|
||||||
#include "groupaccess.h"
|
|
||||||
#include "canohost.h"
|
|
||||||
#include "packet.h"
|
|
||||||
#include "hostfile.h"
|
|
||||||
#include "auth.h"
|
|
||||||
#include "myproposal.h"
|
|
||||||
#include "digest.h"
|
|
||||||
+#include "dh.h"
|
|
||||||
+
|
|
||||||
+/* import from dh.c */
|
|
||||||
+extern int dh_grp_min;
|
|
||||||
|
|
||||||
static void add_listen_addr(ServerOptions *, char *, int);
|
|
||||||
static void add_one_listen_addr(ServerOptions *, char *, int);
|
|
||||||
|
|
||||||
/* Use of privilege separation or not */
|
|
||||||
extern int use_privsep;
|
|
||||||
extern Buffer cfg;
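Review bot: The new `extern int dh_grp_min;` is a hand-written per-file declaration of a global that lives in dh.c, and this patch adds the same declaration to readconf.c as well; nothing ties these copies to the real definition, so a later change of the variable's type or name in dh.c compiles silently here. Since `#include "dh.h"` is added on the line above (presumably where DH_GRP_MIN_RFC comes from), declare it once there instead — `extern int dh_grp_min;  /* defined in dh.c */` — and drop the local copies. The rest of this hunk is unchanged context.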
|
|
||||||
|
|
||||||
@@ -129,16 +133,17 @@ initialize_server_options(ServerOptions
|
|
||||||
options->allow_agent_forwarding = -1;
|
|
||||||
options->num_allow_users = 0;
|
|
||||||
options->num_deny_users = 0;
|
|
||||||
options->num_allow_groups = 0;
|
|
||||||
options->num_deny_groups = 0;
|
|
||||||
options->ciphers = NULL;
|
|
||||||
options->macs = NULL;
|
|
||||||
options->kex_algorithms = NULL;
|
|
||||||
+ options->kex_dhmin = -1;
|
|
||||||
options->fwd_opts.gateway_ports = -1;
|
|
||||||
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
|
|
||||||
options->fwd_opts.streamlocal_bind_unlink = -1;
|
|
||||||
options->num_subsystems = 0;
|
|
||||||
options->max_startups_begin = -1;
|
|
||||||
options->max_startups_rate = -1;
|
|
||||||
options->max_startups = -1;
|
|
||||||
options->max_authtries = -1;
|
|
||||||
@@ -195,16 +200,24 @@ fill_default_server_options(ServerOption
|
|
||||||
int i;
|
|
||||||
|
|
||||||
/* Portable-specific options */
|
|
||||||
if (options->use_pam == -1)
|
|
||||||
options->use_pam = 0;
|
|
||||||
if (options->use_pam_check_locks == -1)
|
|
||||||
options->use_pam_check_locks = 0;
|
|
||||||
|
|
||||||
+ if (options->kex_dhmin == -1)
|
|
||||||
+ options->kex_dhmin = DH_GRP_MIN_RFC;
|
|
||||||
+ else {
|
|
||||||
+ options->kex_dhmin = MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC);
|
|
||||||
+ options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
|
||||||
+ }
|
|
||||||
+ dh_grp_min = options->kex_dhmin;
|
|
||||||
+
|
|
||||||
/* Standard Options */
|
|
||||||
if (options->num_host_key_files == 0) {
|
|
||||||
/* fill default hostkeys for protocols */
|
|
||||||
options->host_key_files[options->num_host_key_files++] =
|
|
||||||
_PATH_HOST_RSA_KEY_FILE;
|
|
||||||
options->host_key_files[options->num_host_key_files++] =
|
|
||||||
_PATH_HOST_DSA_KEY_FILE;
|
|
||||||
#ifdef OPENSSL_HAS_ECC
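Review bot: Out-of-range KexDHMin values are silently clamped rather than rejected: `MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC)` turns a typo such as `KexDHMin 512` (or a non-numeric value that parsed to 0) into the floor with no diagnostic, and `MINIMUM(..., DH_GRP_MAX)` likewise hides an oversized value, so an administrator never learns the setting was ignored. The unset case also defaults to DH_GRP_MIN_RFC, which the config-file comments in this same patch describe as 1024 bits, so an unconfigured sshd accepts 1024-bit DH groups that upstream 7.6's 2048-bit floor refuses; the safer shape keeps upstream's default (DH_GRP_MIN, if the patch left it defined) and makes 1024 an explicit opt-in, failing loudly on anything outside the supported range. fill_default_server_options begins outside this hunk.
```c
	if (options->kex_dhmin == -1) {
		/* keep upstream's floor; 1024-bit groups are opt-in only */
		options->kex_dhmin = DH_GRP_MIN;
	} else if (options->kex_dhmin < DH_GRP_MIN_RFC ||
	    options->kex_dhmin > DH_GRP_MAX) {
		fatal("KexDHMin %d out of range [%d, %d]", options->kex_dhmin,
		    DH_GRP_MIN_RFC, DH_GRP_MAX);
	}
	dh_grp_min = options->kex_dhmin;
	/* … unchanged: standard option defaults … */
```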
|
|
||||||
@@ -414,17 +427,18 @@ typedef enum {
|
|
||||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
|
||||||
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
|
||||||
sAcceptEnv, sPermitTunnel,
|
|
||||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
|
||||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
|
||||||
sHostCertificate,
|
|
||||||
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
|
||||||
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
|
|
||||||
- sKexAlgorithms, sIPQoS, sVersionAddendum,
|
|
||||||
+ sKexAlgorithms, sKexDHMin,
|
|
||||||
+ sIPQoS, sVersionAddendum,
|
|
||||||
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
|
||||||
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
|
|
||||||
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
|
||||||
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
|
|
||||||
sExposeAuthInfo,
|
|
||||||
sDeprecated, sIgnore, sUnsupported
|
|
||||||
} ServerOpCodes;
|
|
||||||
|
|
||||||
@@ -553,16 +567,17 @@ static struct {
|
|
||||||
{ "permitopen", sPermitOpen, SSHCFG_ALL },
|
|
||||||
{ "forcecommand", sForceCommand, SSHCFG_ALL },
|
|
||||||
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
|
|
||||||
{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
|
|
||||||
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
|
|
||||||
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
|
|
||||||
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|
|
||||||
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
|
|
||||||
+ { "kexdhmin", sKexDHMin },
|
|
||||||
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
|
||||||
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
|
|
||||||
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
|
|
||||||
{ "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
|
|
||||||
{ "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
|
|
||||||
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
|
|
||||||
{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
|
|
||||||
{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
|
|
||||||
@@ -1502,16 +1517,20 @@ process_server_config_line(ServerOptions
|
|
||||||
if (*arg != '-' &&
|
|
||||||
!kex_names_valid(*arg == '+' ? arg + 1 : arg))
|
|
||||||
fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
|
|
||||||
filename, linenum, arg ? arg : "<NONE>");
|
|
||||||
if (options->kex_algorithms == NULL)
|
|
||||||
options->kex_algorithms = xstrdup(arg);
|
|
||||||
break;
|
|
||||||
|
|
||||||
+ case sKexDHMin:
|
|
||||||
+ intptr = &options->kex_dhmin;
|
|
||||||
+ goto parse_int;
|
|
||||||
+
|
|
||||||
case sSubsystem:
|
|
||||||
if (options->num_subsystems >= MAX_SUBSYSTEMS) {
|
|
||||||
fatal("%s line %d: too many subsystems defined.",
|
|
||||||
filename, linenum);
|
|
||||||
}
|
|
||||||
arg = strdelim(&cp);
|
|
||||||
if (!arg || *arg == '\0')
|
|
||||||
fatal("%s line %d: Missing subsystem name.",
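Review bot: `goto parse_int` accepts any token for KexDHMin: in upstream 7.6 parse_int converts with atoi() (outside this hunk, so hedged), meaning `KexDHMin abc` or `KexDHMin 2k` yields 0 without any error and is only later quietly raised to the floor. Parse it explicitly here with a range-checked conversion, e.g. `value = (int)strtonum(arg, DH_GRP_MIN_RFC, DH_GRP_MAX, &errstr);` followed by `if (errstr != NULL) fatal("%s line %d: bad KexDHMin '%s': %s", filename, linenum, arg, errstr);` before the `*activep && options->kex_dhmin == -1` assignment, adding a `const char *errstr` local if the function does not already have one. This case sits inside process_server_config_line, which begins and ends outside the hunk.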
|
|
||||||
@@ -2285,16 +2304,17 @@ dump_config(ServerOptions *o)
|
|
||||||
#endif
|
|
||||||
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
|
|
||||||
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
|
|
||||||
dump_cfg_int(sMaxAuthTries, o->max_authtries);
|
|
||||||
dump_cfg_int(sMaxSessions, o->max_sessions);
|
|
||||||
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
|
|
||||||
dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
|
|
||||||
dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
|
|
||||||
+ dump_cfg_int(sKexDHMin, o->kex_dhmin);
|
|
||||||
|
|
||||||
/* formatted integer arguments */
|
|
||||||
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
|
|
||||||
dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
|
|
||||||
dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
|
|
||||||
dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
|
|
||||||
dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
|
|
||||||
o->hostbased_uses_name_from_packet_only);
|
|
||||||
diff --git a/openssh-7.6p1/servconf.h b/openssh-7.6p1/servconf.h
|
|
||||||
--- a/openssh-7.6p1/servconf.h
|
|
||||||
+++ b/openssh-7.6p1/servconf.h
|
|
||||||
@@ -93,16 +93,17 @@ typedef struct {
|
|
||||||
int permit_user_rc; /* If false, deny ~/.ssh/rc execution */
|
|
||||||
int strict_modes; /* If true, require string home dir modes. */
|
|
||||||
int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
|
|
||||||
int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
|
|
||||||
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
|
|
||||||
char *ciphers; /* Supported SSH2 ciphers. */
|
|
||||||
char *macs; /* Supported SSH2 macs. */
|
|
||||||
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
|
||||||
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
|
||||||
struct ForwardOptions fwd_opts; /* forwarding options */
|
|
||||||
SyslogFacility log_facility; /* Facility for system logging. */
|
|
||||||
LogLevel log_level; /* Level for system logging. */
|
|
||||||
int hostbased_authentication; /* If true, permit ssh2 hostbased auth */
|
|
||||||
int hostbased_uses_name_from_packet_only; /* experimental */
|
|
||||||
char *hostbased_key_types; /* Key types allowed for hostbased */
|
|
||||||
char *hostkeyalgorithms; /* SSH2 server key types */
|
|
||||||
int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */
|
|
||||||
diff --git a/openssh-7.6p1/ssh_config b/openssh-7.6p1/ssh_config
|
|
||||||
--- a/openssh-7.6p1/ssh_config
|
|
||||||
+++ b/openssh-7.6p1/ssh_config
|
|
||||||
@@ -12,16 +12,21 @@
|
|
||||||
# Any configuration value is only changed the first time it is set.
|
|
||||||
# Thus, host-specific definitions should be at the beginning of the
|
|
||||||
# configuration file, and defaults at the end.
|
|
||||||
|
|
||||||
# Site-wide defaults for some commonly used options. For a comprehensive
|
|
||||||
# list of available options, their meanings and defaults, please see the
|
|
||||||
# ssh_config(5) man page.
|
|
||||||
|
|
||||||
+# Minimum accepted size of the DH parameter p. By default this is set to 1024
|
|
||||||
+# to maintain compatibility with RFC4419, but should be set higher.
|
|
||||||
+# Upstream default is identical to setting this to 2048.
|
|
||||||
+#KexDHMin 1024
|
|
||||||
+
|
|
||||||
Host *
|
|
||||||
# ForwardAgent no
|
|
||||||
# ForwardX11 no
|
|
||||||
|
|
||||||
# If you do not trust your remote host (or its administrator), you
|
|
||||||
# should not forward X11 connections to your local X11-display for
|
|
||||||
# security reasons: Someone stealing the authentification data on the
|
|
||||||
# remote side (the "spoofed" X-server by the remote sshd) can read your
|
|
||||||
diff --git a/openssh-7.6p1/ssh_config.0 b/openssh-7.6p1/ssh_config.0
|
|
||||||
--- a/openssh-7.6p1/ssh_config.0
|
|
||||||
+++ b/openssh-7.6p1/ssh_config.0
|
|
||||||
@@ -584,16 +584,33 @@ DESCRIPTION
|
|
||||||
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
|
||||||
diffie-hellman-group-exchange-sha256,
|
|
||||||
diffie-hellman-group-exchange-sha1,
|
|
||||||
diffie-hellman-group14-sha1
|
|
||||||
|
|
||||||
The list of available key exchange algorithms may also be
|
|
||||||
obtained using "ssh -Q kex".
|
|
||||||
|
|
||||||
+ KexDHMin
|
|
||||||
+ Specifies the minimum accepted bit length of the DH group
|
|
||||||
+ parameter p.
|
|
||||||
+
|
|
||||||
+ As per RFC4419, this is 1024 bits, however this has increasingly
|
|
||||||
+ been seen as insecure, which prompted the change to 2048 bits.
|
|
||||||
+ Setting this option allows the client to accept parameters shorter
|
|
||||||
+ than the current minimum, down to the RFC specified 1024 bits.
|
|
||||||
+ Using this option may be needed when connecting to servers that
|
|
||||||
+ only know short DH group parameters.
|
|
||||||
+
|
|
||||||
+ Note, that while by default this option is set to 1024 to maintain
|
|
||||||
+ maximum backward compatibility, using it can severly impact
|
|
||||||
+ security and thus should be viewed as a temporary fix of last
|
|
||||||
+ resort and all efforts should be made to fix the (broken)
|
|
||||||
+ counterparty.
|
|
||||||
+
|
|
||||||
LocalCommand
|
|
||||||
Specifies a command to execute on the local machine after
|
|
||||||
successfully connecting to the server. The command string
|
|
||||||
extends to the end of the line, and is executed with the user's
|
|
||||||
shell. Arguments to LocalCommand accept the tokens described in
|
|
||||||
the TOKENS section.
|
|
||||||
|
|
||||||
The command is run synchronously and does not have access to the
|
|
||||||
diff --git a/openssh-7.6p1/ssh_config.5 b/openssh-7.6p1/ssh_config.5
|
|
||||||
--- a/openssh-7.6p1/ssh_config.5
|
|
||||||
+++ b/openssh-7.6p1/ssh_config.5
|
|
||||||
@@ -1016,16 +1016,32 @@ curve25519-sha256,curve25519-sha256@libs
|
|
||||||
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
|
||||||
diffie-hellman-group-exchange-sha256,
|
|
||||||
diffie-hellman-group-exchange-sha1,
|
|
||||||
diffie-hellman-group14-sha1
|
|
||||||
.Ed
|
|
||||||
.Pp
|
|
||||||
The list of available key exchange algorithms may also be obtained using
|
|
||||||
.Qq ssh -Q kex .
|
|
||||||
+.It Cm KexDHMin
|
|
||||||
+Specifies the minimum accepted bit length of the DH group
|
|
||||||
+parameter p.
|
|
||||||
+.Pp
|
|
||||||
+As per RFC4419, this is 1024 bits, however this has increasingly
|
|
||||||
+been seen as insecure, which prompted the change to 2048 bits.
|
|
||||||
+Setting this option allows the client to accept parameters shorter
|
|
||||||
+than the current minimum, down to the RFC specified 1024 bits.
|
|
||||||
+Using this option may be needed when connecting to servers that
|
|
||||||
+only know short DH group parameters.
|
|
||||||
+.Pp
|
|
||||||
+Note, that while by default this option is set to 1024 to maintain
|
|
||||||
+maximum backward compatibility, using it can severly impact
|
|
||||||
+security and thus should be viewed as a temporary fix of last
|
|
||||||
+resort and all efforts should be made to fix the (broken)
|
|
||||||
+counterparty.
|
|
||||||
.It Cm LocalCommand
|
|
||||||
Specifies a command to execute on the local machine after successfully
|
|
||||||
connecting to the server.
|
|
||||||
The command string extends to the end of the line, and is executed with
|
|
||||||
the user's shell.
|
|
||||||
Arguments to
|
|
||||||
.Cm LocalCommand
|
|
||||||
accept the tokens described in the
|
|
||||||
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
|
|
||||||
--- a/openssh-7.6p1/sshd_config
|
|
||||||
+++ b/openssh-7.6p1/sshd_config
|
|
||||||
@@ -15,16 +15,21 @@
|
|
||||||
#ListenAddress 0.0.0.0
|
|
||||||
#ListenAddress ::
|
|
||||||
|
|
||||||
#HostKey /etc/ssh/ssh_host_rsa_key
|
|
||||||
#HostKey /etc/ssh/ssh_host_dsa_key
|
|
||||||
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
||||||
#HostKey /etc/ssh/ssh_host_ed25519_key
|
|
||||||
|
|
||||||
+# Minimum accepted size of the DH parameter p. By default this is set to 1024
|
|
||||||
+# to maintain compatibility with RFC4419, but should be set higher.
|
|
||||||
+# Upstream default is identical to setting this to 2048.
|
|
||||||
+#KexDHMin 1024
|
|
||||||
+
|
|
||||||
# Ciphers and keying
|
|
||||||
#RekeyLimit default none
|
|
||||||
|
|
||||||
# Logging
|
|
||||||
#SyslogFacility AUTH
|
|
||||||
#LogLevel INFO
|
|
||||||
|
|
||||||
# Authentication:
|
|
||||||
diff --git a/openssh-7.6p1/sshd_config.0 b/openssh-7.6p1/sshd_config.0
|
|
||||||
--- a/openssh-7.6p1/sshd_config.0
|
|
||||||
+++ b/openssh-7.6p1/sshd_config.0
|
|
||||||
@@ -532,16 +532,33 @@ DESCRIPTION
|
|
||||||
curve25519-sha256,curve25519-sha256@libssh.org,
|
|
||||||
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
|
||||||
diffie-hellman-group-exchange-sha256,
|
|
||||||
diffie-hellman-group14-sha1
|
|
||||||
|
|
||||||
The list of available key exchange algorithms may also be
|
|
||||||
obtained using "ssh -Q kex".
|
|
||||||
|
|
||||||
+ KexDHMin
|
|
||||||
+ Specifies the minimum accepted bit length of the DH group
|
|
||||||
+ parameter p.
|
|
||||||
+
|
|
||||||
+ As per RFC4419, this is 1024 bits, however this has increasingly
|
|
||||||
+ been seen as insecure, which prompted the change to 2048 bits.
|
|
||||||
+ Setting this option allows the server to accept parameters shorter
|
|
||||||
+ than the current minimum, down to the RFC specified 1024 bits.
|
|
||||||
+ Using this option may be needed when some of the connectiong
|
|
||||||
+ clients only know short DH group parameters.
|
|
||||||
+
|
|
||||||
+ Note, that while by default this option is set to 1024 to maintain
|
|
||||||
+ maximum backward compatibility, using it can severly impact
|
|
||||||
+ security and thus should be viewed as a temporary fix of last
|
|
||||||
+ resort and all efforts should be made to fix the (broken)
|
|
||||||
+ counterparty.
|
|
||||||
+
|
|
||||||
ListenAddress
|
|
||||||
Specifies the local addresses sshd(8) should listen on. The
|
|
||||||
following forms may be used:
|
|
||||||
|
|
||||||
ListenAddress host|IPv4_addr|IPv6_addr
|
|
||||||
ListenAddress host|IPv4_addr:port
|
|
||||||
ListenAddress [host|IPv6_addr]:port
|
|
||||||
|
|
||||||
diff --git a/openssh-7.6p1/sshd_config.5 b/openssh-7.6p1/sshd_config.5
|
|
||||||
--- a/openssh-7.6p1/sshd_config.5
|
|
||||||
+++ b/openssh-7.6p1/sshd_config.5
|
|
||||||
@@ -893,16 +893,32 @@ The default is:
|
|
||||||
curve25519-sha256,curve25519-sha256@libssh.org,
|
|
||||||
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
|
||||||
diffie-hellman-group-exchange-sha256,
|
|
||||||
diffie-hellman-group14-sha1
|
|
||||||
.Ed
|
|
||||||
.Pp
|
|
||||||
The list of available key exchange algorithms may also be obtained using
|
|
||||||
.Qq ssh -Q kex .
|
|
||||||
+.It Cm KexDHMin
|
|
||||||
+Specifies the minimum accepted bit length of the DH group
|
|
||||||
+parameter p.
|
|
||||||
+.Pp
|
|
||||||
+As per RFC4419, this is 1024 bits, however this has increasingly
|
|
||||||
+been seen as insecure, which prompted the change to 2048 bits.
|
|
||||||
+Setting this option allows the server to accept parameters shorter
|
|
||||||
+than the current minimum, down to the RFC specified 1024 bits.
|
|
||||||
+Using this option may be needed when some of the connectiong
|
|
||||||
+clients only know short DH group parameters.
|
|
||||||
+.Pp
|
|
||||||
+Note, that while by default this option is set to 1024 to maintain
|
|
||||||
+maximum backward compatibility, using it can severly impact
|
|
||||||
+security and thus should be viewed as a temporary fix of last
|
|
||||||
+resort and all efforts should be made to fix the (broken)
|
|
||||||
+counterparty.
|
|
||||||
.It Cm ListenAddress
|
|
||||||
Specifies the local addresses
|
|
||||||
.Xr sshd 8
|
|
||||||
should listen on.
|
|
||||||
The following forms may be used:
|
|
||||||
.Pp
|
|
||||||
.Bl -item -offset indent -compact
|
|
||||||
.It
|
|
@ -1,27 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 9797aecac98b26573a295fd75128b7c68dfc5aad
|
|
||||||
fix paths and references in sshd man pages
|
|
||||||
|
|
||||||
diff --git a/openssh-7.6p1/Makefile.in b/openssh-7.6p1/Makefile.in
|
|
||||||
--- a/openssh-7.6p1/Makefile.in
|
|
||||||
+++ b/openssh-7.6p1/Makefile.in
|
|
||||||
@@ -119,17 +119,18 @@ MANTYPE = @MANTYPE@
|
|
||||||
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
|
|
||||||
CONFIGFILES_IN=sshd_config ssh_config moduli
|
|
||||||
|
|
||||||
PATHSUBS = \
|
|
||||||
-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
|
|
||||||
-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
|
|
||||||
-e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \
|
|
||||||
-e 's|/usr/libexec|$(libexecdir)|g' \
|
|
||||||
- -e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \
|
|
||||||
+ -e 's|login\.conf|login.defs|g' \
|
|
||||||
+ -e 's|/etc/shosts.equiv|$(sysconfdir)/ssh/shosts.equiv|g' \
|
|
||||||
-e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \
|
|
||||||
-e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \
|
|
||||||
-e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \
|
|
||||||
-e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \
|
|
||||||
-e 's|/etc/ssh/ssh_host_ed25519_key|$(sysconfdir)/ssh_host_ed25519_key|g' \
|
|
||||||
-e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \
|
|
||||||
-e 's|/etc/moduli|$(sysconfdir)/moduli|g' \
|
|
||||||
-e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \
|
|
@ -1,28 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent d47e806f23ad0649ef38b24e8cb9d5617e5d5d15
|
|
||||||
# force PAM in defaullt install (this was removed from upstream in 3.8p1)
|
|
||||||
# bnc#46749
|
|
||||||
# --used to be called '-pam-fix2'
|
|
||||||
|
|
||||||
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
|
|
||||||
--- a/openssh-7.6p1/sshd_config
|
|
||||||
+++ b/openssh-7.6p1/sshd_config
|
|
||||||
@@ -75,17 +75,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
||||||
# and session processing. If this is enabled, PAM authentication will
|
|
||||||
# be allowed through the ChallengeResponseAuthentication and
|
|
||||||
# PasswordAuthentication. Depending on your PAM configuration,
|
|
||||||
# PAM authentication via ChallengeResponseAuthentication may bypass
|
|
||||||
# the setting of "PermitRootLogin without-password".
|
|
||||||
# If you just want the PAM account and session checks to run without
|
|
||||||
# PAM authentication, then enable this but set PasswordAuthentication
|
|
||||||
# and ChallengeResponseAuthentication to 'no'.
|
|
||||||
-#UsePAM no
|
|
||||||
+UsePAM yes
|
|
||||||
|
|
||||||
#AllowAgentForwarding yes
|
|
||||||
#AllowTcpForwarding yes
|
|
||||||
#GatewayPorts no
|
|
||||||
X11Forwarding yes
|
|
||||||
#X11DisplayOffset 10
|
|
||||||
#X11UseLocalhost yes
|
|
||||||
#PermitTTY yes
|
|
@ -1,520 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 4ed7a1ce08460bfdb1ed5b57e6b45940eb7e7167
|
|
||||||
#
|
|
||||||
# Simple implementation of FIPS 140-2 selfchecks. Use OpenSSL to generate and
|
|
||||||
# verify checksums of binaries. Any hash iused in OpenSSH can be used (MD5 would
|
|
||||||
# obviously be a poor choice, since OpenSSL would barf and abort immediately in
|
|
||||||
# FIPS mode). SHA-2 seems to be a reasonable choice.
|
|
||||||
#
|
|
||||||
# The logic of the checks is as follows: decide whether FIPS mode is mandated
|
|
||||||
# (either by checking /proc/sys/crypto/fips_enabled or envoroinment variable
|
|
||||||
# SSH_FORCE_FIPS. In FIPS mode, checksums are required to match (inability to
|
|
||||||
# retrieve pre-calculated hash is a fatal error). In non-FIPS mode the checks
|
|
||||||
# still must be performed, unless the hashes are not installed. Thus if the hash
|
|
||||||
# file is not found (or the hash matches), proceed in non-FIPS mode and abort
|
|
||||||
# otherwise.
|
|
||||||
|
|
||||||
diff --git a/openssh-7.6p1/fips-check.c b/openssh-7.6p1/fips-check.c
|
|
||||||
new file mode 100644
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/openssh-7.6p1/fips-check.c
|
|
||||||
@@ -0,0 +1,34 @@
|
|
||||||
+#include "includes.h"
|
|
||||||
+#include <fcntl.h>
|
|
||||||
+#include <limits.h>
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <sys/stat.h>
|
|
||||||
+#include <sys/types.h>
|
|
||||||
+#include <unistd.h>
|
|
||||||
+
|
|
||||||
+#include "digest.h"
|
|
||||||
+#include "fips.h"
|
|
||||||
+
|
|
||||||
+#include <openssl/err.h>
|
|
||||||
+
|
|
||||||
+#define PROC_NAME_LEN 64
|
|
||||||
+
|
|
||||||
+static const char *argv0;
|
|
||||||
+
|
|
||||||
+void
|
|
||||||
+print_help_exit(int ev)
|
|
||||||
+{
|
|
||||||
+ fprintf(stderr, "%s <-c|-w> <file> <checksum_file>\n", argv0);
|
|
||||||
+ fprintf(stderr, " -c verify hash of 'file' against hash in 'checksum_file'\n");
|
|
||||||
+ fprintf(stderr, " -w write hash of 'file' into 'checksum_file'\n");
|
|
||||||
+ exit(ev);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int
|
|
||||||
+main(int argc, char **argv)
|
|
||||||
+{
|
|
||||||
+ fips_ssh_init();
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
diff --git a/openssh-7.6p1/fips.c b/openssh-7.6p1/fips.c
|
|
||||||
--- a/openssh-7.6p1/fips.c
|
|
||||||
+++ b/openssh-7.6p1/fips.c
|
|
||||||
@@ -30,41 +30,304 @@
|
|
||||||
#include "dh.h"
|
|
||||||
#include "digest.h"
|
|
||||||
#include "kex.h"
|
|
||||||
#include "key.h"
|
|
||||||
#include "mac.h"
|
|
||||||
#include "log.h"
|
|
||||||
#include "xmalloc.h"
|
|
||||||
|
|
||||||
+#include <errno.h>
|
|
||||||
+#include <fcntl.h>
|
|
||||||
#include <string.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <sys/stat.h>
|
|
||||||
+#include <sys/types.h>
|
|
||||||
+#include <unistd.h>
|
|
||||||
#include <openssl/crypto.h>
|
|
||||||
+#include <openssl/err.h>
|
|
||||||
+#include <openssl/hmac.h>
|
|
||||||
|
|
||||||
/* import from dh.c */
|
|
||||||
extern int dh_grp_min;
|
|
||||||
|
|
||||||
static int fips_state = -1;
|
|
||||||
|
|
||||||
+/* calculates HMAC of contents of a file given by filename using the hash
|
|
||||||
+ * algorithm specified by FIPS_HMAC_EVP in fips.h and placing the result into
|
|
||||||
+ * newly allacated memory - remember to free it when not needed anymore */
|
|
||||||
+static int
|
|
||||||
+hmac_file(const char *filename, u_char **hmac_out)
|
|
||||||
+{
|
|
||||||
+ int check = -1;
|
|
||||||
+ int fd;
|
|
||||||
+ struct stat fs;
|
|
||||||
+ void *hmap;
|
|
||||||
+ unsigned char *hmac;
|
|
||||||
+ unsigned char *hmac_rv = NULL;
|
|
||||||
+
|
|
||||||
+ hmac = xmalloc(FIPS_HMAC_LEN);
|
|
||||||
+
|
|
||||||
+ fd = open(filename, O_RDONLY);
|
|
||||||
+ if (-1 == fd)
|
|
||||||
+ goto bail_out;
|
|
||||||
+
|
|
||||||
+ if (-1 == fstat(fd, &fs))
|
|
||||||
+ goto bail_out;
|
|
||||||
+
|
|
||||||
+ hmap = mmap(NULL, fs.st_size, PROT_READ, MAP_SHARED, fd, 0);
|
|
||||||
+
|
|
||||||
+ if ((void *)(-1) != hmap) {
|
|
||||||
+ hmac_rv = HMAC(FIPS_HMAC_EVP(), FIPS_HMAC_KEY
|
|
||||||
+ , strlen(FIPS_HMAC_KEY), hmap, fs.st_size, hmac, NULL);
|
|
||||||
+ check = CHECK_OK;
|
|
||||||
+ munmap(hmap, fs.st_size);
|
|
||||||
+ }
|
|
||||||
+ close(fd);
|
|
||||||
+
|
|
||||||
+bail_out:
|
|
||||||
+ if (hmac_rv) {
|
|
||||||
+ check = CHECK_OK;
|
|
||||||
+ *hmac_out = hmac;
|
|
||||||
+ } else {
|
|
||||||
+ check = CHECK_FAIL;
|
|
||||||
+ *hmac_out = NULL;
|
|
||||||
+ free(hmac);
|
|
||||||
+ }
|
|
||||||
+ return check;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* find pathname of binary of process with PID pid. exe is buffer expected to
|
|
||||||
+ * be capable of holding at least max_pathlen characters
|
|
||||||
+ */
|
|
||||||
+static int
|
|
||||||
+get_executable_path(pid_t pid, char *exe, int max_pathlen)
|
|
||||||
+{
|
|
||||||
+ char exe_sl[PROC_EXE_PATH_LEN];
|
|
||||||
+ int n;
|
|
||||||
+ int rv = -1;
|
|
||||||
+
|
|
||||||
+ n = snprintf(exe_sl, sizeof(exe_sl), "/proc/%u/exe", pid);
|
|
||||||
+ if ((n <= 10) || (n >= max_pathlen)) {
|
|
||||||
+ fatal("error compiling filename of link to executable");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ exe[0] = 0;
|
|
||||||
+ n = readlink(exe_sl, exe, max_pathlen);
|
|
||||||
+ /* the file doesn't need to exist - procfs might not be mounted in
|
|
||||||
+ * chroot */
|
|
||||||
+ if (n == -1) {
|
|
||||||
+ rv = CHECK_MISSING;
|
|
||||||
+ } else {
|
|
||||||
+ if (n < max_pathlen) {
|
|
||||||
+ exe[n] = 0;
|
|
||||||
+ rv = CHECK_OK;
|
|
||||||
+ } else {
|
|
||||||
+ rv = CHECK_FAIL;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ return rv;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* Read HMAC from file chk, allocating enough memory to hold the HMAC and
|
|
||||||
+ * return it in *hmac.
|
|
||||||
+ * Remember to free() it when it's not needed anymore.
|
|
||||||
+ */
|
|
||||||
+static int
|
|
||||||
+read_hmac(const char *chk, u_char **hmac)
|
|
||||||
+{
|
|
||||||
+ int check = -1;
|
|
||||||
+ int fdh, n;
|
|
||||||
+ u_char *hmac_in;
|
|
||||||
+
|
|
||||||
+ *hmac = NULL;
|
|
||||||
+
|
|
||||||
+ fdh = open(chk, O_RDONLY);
|
|
||||||
+ if (-1 == fdh) {
|
|
||||||
+ switch (errno) {
|
|
||||||
+ case ENOENT:
|
|
||||||
+ check = CHECK_MISSING;
|
|
||||||
+ debug("fips: checksum file %s is missing\n", chk);
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ check = CHECK_FAIL;
|
|
||||||
+ debug("fips: ckecksum file %s not accessible\n", chk);
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ }
|
|
||||||
+ goto bail_out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ hmac_in = xmalloc(FIPS_HMAC_LEN);
|
|
||||||
+
|
|
||||||
+ n = read(fdh, (void *)hmac_in, FIPS_HMAC_LEN);
|
|
||||||
+ if (FIPS_HMAC_LEN != n) {
|
|
||||||
+ debug("fips: unable to read whole checksum from checksum file\n");
|
|
||||||
+ free (hmac_in);
|
|
||||||
+ check = CHECK_FAIL;
|
|
||||||
+ } else {
|
|
||||||
+ check = CHECK_OK;
|
|
||||||
+ *hmac = hmac_in;
|
|
||||||
+ }
|
|
||||||
+bail_out:
|
|
||||||
+ return check;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+fips_hmac_self(void)
|
|
||||||
+{
|
|
||||||
+ int check = -1;
|
|
||||||
+ u_char *hmac = NULL, *hmac_chk = NULL;
|
|
||||||
+ char *exe, *chk;
|
|
||||||
+
|
|
||||||
+ exe = xmalloc(PATH_MAX);
|
|
||||||
+ chk = xmalloc(PATH_MAX);
|
|
||||||
+
|
|
||||||
+ /* we will need to add the suffix and the null terminator */
|
|
||||||
+ check = get_executable_path(getpid(), exe
|
|
||||||
+ , PATH_MAX - strlen(CHECKSUM_SUFFIX) - 1);
|
|
||||||
+ if (CHECK_OK != check)
|
|
||||||
+ goto cleanup;
|
|
||||||
+
|
|
||||||
+ strncpy(chk, exe, PATH_MAX);
|
|
||||||
+ strlcat(chk, CHECKSUM_SUFFIX, PATH_MAX);
|
|
||||||
+
|
|
||||||
+ check = read_hmac(chk, &hmac_chk);
|
|
||||||
+ if (CHECK_OK != check)
|
|
||||||
+ goto cleanup;
|
|
||||||
+
|
|
||||||
+ check = hmac_file(exe, &hmac);
|
|
||||||
+ if (CHECK_OK != check)
|
|
||||||
+ goto cleanup;
|
|
||||||
+
|
|
||||||
+ check = memcmp(hmac, hmac_chk, FIPS_HMAC_LEN);
|
|
||||||
+ if (0 == check) {
|
|
||||||
+ check = CHECK_OK;
|
|
||||||
+ debug("fips: checksum matches\n");
|
|
||||||
+ } else {
|
|
||||||
+ check = CHECK_FAIL;
|
|
||||||
+ debug("fips: checksum mismatch!\n");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+cleanup:
|
|
||||||
+ free(hmac);
|
|
||||||
+ free(hmac_chk);
|
|
||||||
+ free(chk);
|
|
||||||
+ free(exe);
|
|
||||||
+
|
|
||||||
+ return check;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+fips_check_required_proc(void)
|
|
||||||
+{
|
|
||||||
+ int fips_required = 0;
|
|
||||||
+ int fips_fd;
|
|
||||||
+ char fips_sys = 0;
|
|
||||||
+
|
|
||||||
+ struct stat dummy;
|
|
||||||
+ if (-1 == stat(FIPS_PROC_PATH, &dummy)) {
|
|
||||||
+ switch (errno) {
|
|
||||||
+ case ENOENT:
|
|
||||||
+ case ENOTDIR:
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ fatal("Check for system-wide FIPS mode is required and %s cannot"
|
|
||||||
+ " be accessed for reason other than non-existence - aborting"
|
|
||||||
+ , FIPS_PROC_PATH);
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ if (-1 == (fips_fd = open(FIPS_PROC_PATH, O_RDONLY)))
|
|
||||||
+ fatal("Check for system-wide FIPS mode is required and %s cannot"
|
|
||||||
+ " be opened for reading - aborting"
|
|
||||||
+ , FIPS_PROC_PATH);
|
|
||||||
+ if (1 > read(fips_fd, &fips_sys, 1))
|
|
||||||
+ fatal("Check for system-wide FIPS mode is required and %s doesn't"
|
|
||||||
+ " return at least one character - aborting"
|
|
||||||
+ , FIPS_PROC_PATH);
|
|
||||||
+ close(fips_sys);
|
|
||||||
+ switch (fips_sys) {
|
|
||||||
+ case '0':
|
|
||||||
+ case '1':
|
|
||||||
+ fips_required = fips_sys - '0';
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ fatal("Bogus character %c found in %s - aborting"
|
|
||||||
+ , fips_sys, FIPS_PROC_PATH);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ return fips_required;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int
|
|
||||||
fips_check_required_env(void)
|
|
||||||
{
|
|
||||||
- int fips_required = 0;
|
|
||||||
- char *env = getenv(SSH_FORCE_FIPS_ENV);
|
|
||||||
+ return (NULL != getenv(SSH_FORCE_FIPS_ENV));
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+fips_required(void)
|
|
||||||
+{
|
|
||||||
+ int fips_requests = 0;
|
|
||||||
+ fips_requests += fips_check_required_proc();
|
|
||||||
+ fips_requests += fips_check_required_env();
|
|
||||||
+ return fips_requests;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* check whether FIPS mode is required and perform selfchecksum/selftest */
|
|
||||||
+void
|
|
||||||
+fips_ssh_init(void)
|
|
||||||
+{
|
|
||||||
+ int checksum;
|
|
||||||
+
|
|
||||||
+ checksum = fips_hmac_self();
|
|
||||||
|
|
||||||
- if (env) {
|
|
||||||
- errno = 0;
|
|
||||||
- fips_required = strtol(env, NULL, 10);
|
|
||||||
- if (errno) {
|
|
||||||
- debug("bogus value in the %s environment variable, ignoring\n"
|
|
||||||
- , SSH_FORCE_FIPS_ENV);
|
|
||||||
- fips_required = 0;
|
|
||||||
- } else
|
|
||||||
- fips_required = 1;
|
|
||||||
- }
|
|
||||||
- return fips_required;
|
|
||||||
+ if (fips_required()) {
|
|
||||||
+ switch (checksum) {
|
|
||||||
+ case CHECK_OK:
|
|
||||||
+ debug("fips: mandatory checksum ok");
|
|
||||||
+ break;
|
|
||||||
+ case CHECK_FAIL:
|
|
||||||
+ fatal("fips: mandatory checksum failed - aborting");
|
|
||||||
+ break;
|
|
||||||
+ case CHECK_MISSING:
|
|
||||||
+ fatal("fips: mandatory checksum data missing - aborting");
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ fatal("Fatal error: internal error at %s:%u"
|
|
||||||
+ , __FILE__, __LINE__);
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ fips_state = FIPS_mode_set(1);
|
|
||||||
+ if (1 != fips_state) {
|
|
||||||
+ ERR_load_crypto_strings();
|
|
||||||
+ u_long err = ERR_get_error();
|
|
||||||
+ error("fips: OpenSSL error %lx: %s"
|
|
||||||
+ , err, ERR_error_string(err, NULL));
|
|
||||||
+ fatal("fips: unable to set OpenSSL into FIPS mode - aborting");
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ switch (checksum) {
|
|
||||||
+ case CHECK_OK:
|
|
||||||
+ debug("fips: checksum ok");
|
|
||||||
+ break;
|
|
||||||
+ case CHECK_FAIL:
|
|
||||||
+ fatal("fips: checksum failed - aborting");
|
|
||||||
+ break;
|
|
||||||
+ case CHECK_MISSING:
|
|
||||||
+ debug("fips: checksum data missing, but not required - continuing non-FIPS");
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ fatal("Fatal error: internal error at %s:%u",
|
|
||||||
+ __FILE__, __LINE__);
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ return;
|
|
||||||
}
|
|
||||||
|
|
||||||
int
|
|
||||||
fips_mode(void)
|
|
||||||
{
|
|
||||||
if (-1 == fips_state) {
|
|
||||||
fips_state = FIPS_mode();
|
|
||||||
if (fips_state)
|
|
||||||
diff --git a/openssh-7.6p1/fips.h b/openssh-7.6p1/fips.h
|
|
||||||
--- a/openssh-7.6p1/fips.h
|
|
||||||
+++ b/openssh-7.6p1/fips.h
|
|
||||||
@@ -1,10 +1,10 @@
|
|
||||||
/*
|
|
||||||
- * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
|
||||||
+ * Copyright (c) 2012-2014 Petr Cerny. All rights reserved.
|
|
||||||
*
|
|
||||||
* Redistribution and use in source and binary forms, with or without
|
|
||||||
* modification, are permitted provided that the following conditions
|
|
||||||
* are met:
|
|
||||||
* 1. Redistributions of source code must retain the above copyright
|
|
||||||
* notice, this list of conditions and the following disclaimer.
|
|
||||||
* 2. Redistributions in binary form must reproduce the above copyright
|
|
||||||
* notice, this list of conditions and the following disclaimer in the
|
|
||||||
@@ -22,23 +22,38 @@
|
|
||||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
*/
|
|
||||||
#ifndef FIPS_H
|
|
||||||
#define FIPS_H
|
|
||||||
|
|
||||||
#include "key.h"
|
|
||||||
|
|
||||||
#define SSH_FORCE_FIPS_ENV "SSH_FORCE_FIPS"
|
|
||||||
+#define FIPS_PROC_PATH "/proc/sys/crypto/fips_enabled"
|
|
||||||
+
|
|
||||||
+#define PROC_EXE_PATH_LEN 64
|
|
||||||
+#define CHECKSUM_SUFFIX ".hmac"
|
|
||||||
+#define FIPS_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
|
|
||||||
+#define FIPS_HMAC_EVP EVP_sha256
|
|
||||||
+#define FIPS_HMAC_LEN 32
|
|
||||||
+
|
|
||||||
+void fips_ssh_init(void);
|
|
||||||
|
|
||||||
typedef enum {
|
|
||||||
FIPS_FILTER_CIPHERS,
|
|
||||||
FIPS_FILTER_MACS,
|
|
||||||
FIPS_FILTER_KEX_ALGS
|
|
||||||
} fips_filters;
|
|
||||||
|
|
||||||
+typedef enum {
|
|
||||||
+ CHECK_OK = 0,
|
|
||||||
+ CHECK_FAIL,
|
|
||||||
+ CHECK_MISSING
|
|
||||||
+} fips_checksum_status;
|
|
||||||
+
|
|
||||||
int fips_mode(void);
|
|
||||||
int fips_correct_dgst(int);
|
|
||||||
int fips_dgst_min(void);
|
|
||||||
int fips_dh_grp_min(void);
|
|
||||||
enum fp_type fips_correct_fp_type(enum fp_type);
|
|
||||||
int fips_filter_crypto(char **, fips_filters);
|
|
||||||
|
|
||||||
#endif
|
|
||||||
diff --git a/openssh-7.6p1/sftp-server.c b/openssh-7.6p1/sftp-server.c
|
|
||||||
--- a/openssh-7.6p1/sftp-server.c
|
|
||||||
+++ b/openssh-7.6p1/sftp-server.c
|
|
||||||
@@ -46,16 +46,18 @@
|
|
||||||
#include "log.h"
|
|
||||||
#include "misc.h"
|
|
||||||
#include "match.h"
|
|
||||||
#include "uidswap.h"
|
|
||||||
|
|
||||||
#include "sftp.h"
|
|
||||||
#include "sftp-common.h"
|
|
||||||
|
|
||||||
+#include "fips.h"
|
|
||||||
+
|
|
||||||
/* Our verbosity */
|
|
||||||
static LogLevel log_level = SYSLOG_LEVEL_ERROR;
|
|
||||||
|
|
||||||
/* Our client */
|
|
||||||
static struct passwd *pw = NULL;
|
|
||||||
static char *client_addr = NULL;
|
|
||||||
|
|
||||||
/* input and output queue */
|
|
||||||
@@ -1504,16 +1506,19 @@ sftp_server_main(int argc, char **argv,
|
|
||||||
ssize_t len, olen, set_size;
|
|
||||||
SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
|
|
||||||
char *cp, *homedir = NULL, buf[4*4096];
|
|
||||||
long mask;
|
|
||||||
|
|
||||||
extern char *optarg;
|
|
||||||
extern char *__progname;
|
|
||||||
|
|
||||||
+ /* initialize fips */
|
|
||||||
+ fips_ssh_init();
|
|
||||||
+
|
|
||||||
ssh_malloc_init(); /* must be called before any mallocs */
|
|
||||||
__progname = ssh_get_progname(argv[0]);
|
|
||||||
log_init(__progname, log_level, log_facility, log_stderr);
|
|
||||||
|
|
||||||
pw = pwcopy(user_pw);
|
|
||||||
|
|
||||||
while (!skipargs && (ch = getopt(argc, argv,
|
|
||||||
"d:f:l:P:p:Q:u:cehR")) != -1) {
|
|
||||||
diff --git a/openssh-7.6p1/ssh.c b/openssh-7.6p1/ssh.c
|
|
||||||
--- a/openssh-7.6p1/ssh.c
|
|
||||||
+++ b/openssh-7.6p1/ssh.c
|
|
||||||
@@ -518,16 +518,20 @@ main(int ac, char **av)
|
|
||||||
struct passwd *pw;
|
|
||||||
extern int optind, optreset;
|
|
||||||
extern char *optarg;
|
|
||||||
struct Forward fwd;
|
|
||||||
struct addrinfo *addrs = NULL;
|
|
||||||
struct ssh_digest_ctx *md;
|
|
||||||
u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
|
|
||||||
|
|
||||||
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
|
|
||||||
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
|
|
||||||
+ fips_ssh_init();
|
|
||||||
+
|
|
||||||
ssh_malloc_init(); /* must be called before any mallocs */
|
|
||||||
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
|
||||||
sanitise_stdfd();
|
|
||||||
|
|
||||||
__progname = ssh_get_progname(av[0]);
|
|
||||||
|
|
||||||
#ifndef HAVE_SETPROCTITLE
|
|
||||||
/* Prepare for later setproctitle emulation */
|
|
||||||
diff --git a/openssh-7.6p1/sshd.c b/openssh-7.6p1/sshd.c
|
|
||||||
--- a/openssh-7.6p1/sshd.c
|
|
||||||
+++ b/openssh-7.6p1/sshd.c
|
|
||||||
@@ -1367,16 +1367,20 @@ main(int ac, char **av)
|
|
||||||
u_int64_t ibytes, obytes;
|
|
||||||
mode_t new_umask;
|
|
||||||
struct sshkey *key;
|
|
||||||
struct sshkey *pubkey;
|
|
||||||
int keytype;
|
|
||||||
Authctxt *authctxt;
|
|
||||||
struct connection_info *connection_info = get_connection_info(0, 0);
|
|
||||||
|
|
||||||
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
|
|
||||||
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
|
|
||||||
+ fips_ssh_init();
|
|
||||||
+
|
|
||||||
ssh_malloc_init(); /* must be called before any mallocs */
|
|
||||||
|
|
||||||
#ifdef HAVE_SECUREWARE
|
|
||||||
(void)set_auth_parameters(ac, av);
|
|
||||||
#endif
|
|
||||||
__progname = ssh_get_progname(av[0]);
|
|
||||||
|
|
||||||
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
|
@ -1,145 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent e4a7e5799420a3d4b8047c5984c75c4bd4331951
|
|
||||||
# -- uset do be called '-xauthlocalhostname'
|
|
||||||
handle hostname changes when forwarding X
|
|
||||||
|
|
||||||
bnc#98627
|
|
||||||
|
|
||||||
diff --git a/openssh-7.6p1/session.c b/openssh-7.6p1/session.c
|
|
||||||
--- a/openssh-7.6p1/session.c
|
|
||||||
+++ b/openssh-7.6p1/session.c
|
|
||||||
@@ -953,17 +953,17 @@ copy_environment_blacklist(char **source
|
|
||||||
|
|
||||||
void
|
|
||||||
copy_environment(char **source, char ***env, u_int *envsize)
|
|
||||||
{
|
|
||||||
copy_environment_blacklist(source, env, envsize, NULL);
|
|
||||||
}
|
|
||||||
|
|
||||||
static char **
|
|
||||||
-do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
|
||||||
+do_setup_env(struct ssh *ssh, Session *s, const char *shell, int *env_size)
|
|
||||||
{
|
|
||||||
char buf[256];
|
|
||||||
u_int i, envsize;
|
|
||||||
char **env, *laddr;
|
|
||||||
struct passwd *pw = s->pw;
|
|
||||||
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
|
|
||||||
char *path = NULL;
|
|
||||||
#endif
|
|
||||||
@@ -1142,25 +1142,27 @@ do_setup_env(struct ssh *ssh, Session *s
|
|
||||||
read_environment_file(&env, &envsize, buf);
|
|
||||||
}
|
|
||||||
if (debug_flag) {
|
|
||||||
/* dump the environment */
|
|
||||||
fprintf(stderr, "Environment:\n");
|
|
||||||
for (i = 0; env[i]; i++)
|
|
||||||
fprintf(stderr, " %.200s\n", env[i]);
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ *env_size = envsize;
|
|
||||||
return env;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found
|
|
||||||
* first in this order).
|
|
||||||
*/
|
|
||||||
static void
|
|
||||||
-do_rc_files(Session *s, const char *shell)
|
|
||||||
+do_rc_files(Session *s, const char *shell, char **env, int *env_size)
|
|
||||||
{
|
|
||||||
FILE *f = NULL;
|
|
||||||
char cmd[1024];
|
|
||||||
int do_xauth;
|
|
||||||
struct stat st;
|
|
||||||
|
|
||||||
do_xauth =
|
|
||||||
s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
|
|
||||||
@@ -1205,22 +1207,30 @@ do_rc_files(Session *s, const char *shel
|
|
||||||
"%.500s add %.100s %.100s %.100s\n",
|
|
||||||
options.xauth_location, s->auth_display,
|
|
||||||
s->auth_proto, s->auth_data);
|
|
||||||
}
|
|
||||||
snprintf(cmd, sizeof cmd, "%s -q -",
|
|
||||||
options.xauth_location);
|
|
||||||
f = popen(cmd, "w");
|
|
||||||
if (f) {
|
|
||||||
+ char hostname[MAXHOSTNAMELEN];
|
|
||||||
+
|
|
||||||
fprintf(f, "remove %s\n",
|
|
||||||
s->auth_display);
|
|
||||||
fprintf(f, "add %s %s %s\n",
|
|
||||||
s->auth_display, s->auth_proto,
|
|
||||||
s->auth_data);
|
|
||||||
pclose(f);
|
|
||||||
+ if (gethostname(hostname,sizeof(hostname)) >= 0)
|
|
||||||
+ child_set_env(&env,env_size,"XAUTHLOCALHOSTNAME",
|
|
||||||
+ hostname);
|
|
||||||
+ else
|
|
||||||
+ debug("Cannot set up XAUTHLOCALHOSTNAME %s\n",
|
|
||||||
+ strerror(errno));
|
|
||||||
} else {
|
|
||||||
fprintf(stderr, "Could not run %s\n",
|
|
||||||
cmd);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
@@ -1461,16 +1471,17 @@ child_close_fds(struct ssh *ssh)
|
|
||||||
* ids, and executing the command or shell.
|
|
||||||
*/
|
|
||||||
#define ARGV_MAX 10
|
|
||||||
void
|
|
||||||
do_child(struct ssh *ssh, Session *s, const char *command)
|
|
||||||
{
|
|
||||||
extern char **environ;
|
|
||||||
char **env;
|
|
||||||
+ int env_size;
|
|
||||||
char *argv[ARGV_MAX];
|
|
||||||
const char *shell, *shell0;
|
|
||||||
struct passwd *pw = s->pw;
|
|
||||||
int r = 0;
|
|
||||||
|
|
||||||
/* remove hostkey from the child's memory */
|
|
||||||
destroy_sensitive_data();
|
|
||||||
packet_clear_keys();
|
|
||||||
@@ -1522,17 +1533,17 @@ do_child(struct ssh *ssh, Session *s, co
|
|
||||||
* legal, and means /bin/sh.
|
|
||||||
*/
|
|
||||||
shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Make sure $SHELL points to the shell from the password file,
|
|
||||||
* even if shell is overridden from login.conf
|
|
||||||
*/
|
|
||||||
- env = do_setup_env(ssh, s, shell);
|
|
||||||
+ env = do_setup_env(ssh, s, shell, &env_size);
|
|
||||||
|
|
||||||
#ifdef HAVE_LOGIN_CAP
|
|
||||||
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Close the connection descriptors; note that this is the child, and
|
|
||||||
* the server will still have the socket open, and it is important
|
|
||||||
@@ -1586,17 +1597,17 @@ do_child(struct ssh *ssh, Session *s, co
|
|
||||||
strerror(errno));
|
|
||||||
}
|
|
||||||
if (r)
|
|
||||||
exit(1);
|
|
||||||
}
|
|
||||||
|
|
||||||
closefrom(STDERR_FILENO + 1);
|
|
||||||
|
|
||||||
- do_rc_files(s, shell);
|
|
||||||
+ do_rc_files(s, shell, env, &env_size);
|
|
||||||
|
|
||||||
/* restore SIGPIPE for child */
|
|
||||||
signal(SIGPIPE, SIG_DFL);
|
|
||||||
|
|
||||||
if (s->is_subsystem == SUBSYSTEM_INT_SFTP_ERROR) {
|
|
||||||
printf("This service allows sftp connections only.\n");
|
|
||||||
fflush(NULL);
|
|
||||||
exit(1);
|
|
@ -1,26 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent b26f93cf21e4cfff1212ad2e61696ad099cfaf5e
|
|
||||||
# set uid for functions that use it to seek in lastlog and wtmp files
|
|
||||||
# bnc#18024 (was suse #3024)
|
|
||||||
|
|
||||||
diff --git a/openssh-7.6p1/sshlogin.c b/openssh-7.6p1/sshlogin.c
|
|
||||||
--- a/openssh-7.6p1/sshlogin.c
|
|
||||||
+++ b/openssh-7.6p1/sshlogin.c
|
|
||||||
@@ -129,16 +129,17 @@ record_login(pid_t pid, const char *tty,
|
|
||||||
{
|
|
||||||
struct logininfo *li;
|
|
||||||
|
|
||||||
/* save previous login details before writing new */
|
|
||||||
store_lastlog_message(user, uid);
|
|
||||||
|
|
||||||
li = login_alloc_entry(pid, user, host, tty);
|
|
||||||
login_set_addr(li, addr, addrlen);
|
|
||||||
+ li->uid = uid;
|
|
||||||
login_login(li);
|
|
||||||
login_free_entry(li);
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef LOGIN_NEEDS_UTMPX
|
|
||||||
void
|
|
||||||
record_utmp_only(pid_t pid, const char *ttyname, const char *user,
|
|
||||||
const char *host, struct sockaddr *addr, socklen_t addrlen)
|
|
@ -1,229 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent ee0459c1b5173da57f9b3a6e62b232dcf9b3a029
|
|
||||||
new option UsePAMCheckLocks to enforce checking for locked accounts while
|
|
||||||
UsePAM is used
|
|
||||||
|
|
||||||
bnc#708678, FATE#312033
|
|
||||||
|
|
||||||
diff --git a/openssh-7.6p1/auth.c b/openssh-7.6p1/auth.c
|
|
||||||
--- a/openssh-7.6p1/auth.c
|
|
||||||
+++ b/openssh-7.6p1/auth.c
|
|
||||||
@@ -105,17 +105,17 @@ allowed_user(struct passwd * pw)
|
|
||||||
struct spwd *spw = NULL;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
|
|
||||||
if (!pw || !pw->pw_name)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
#ifdef USE_SHADOW
|
|
||||||
- if (!options.use_pam)
|
|
||||||
+ if (!options.use_pam || options.use_pam_check_locks)
|
|
||||||
spw = getspnam(pw->pw_name);
|
|
||||||
#ifdef HAS_SHADOW_EXPIRE
|
|
||||||
if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
|
|
||||||
return 0;
|
|
||||||
#endif /* HAS_SHADOW_EXPIRE */
|
|
||||||
#endif /* USE_SHADOW */
|
|
||||||
|
|
||||||
/* grab passwd field for locked account check */
|
|
||||||
@@ -125,17 +125,17 @@ allowed_user(struct passwd * pw)
|
|
||||||
#ifdef USE_LIBIAF
|
|
||||||
passwd = get_iaf_password(pw);
|
|
||||||
#else
|
|
||||||
passwd = spw->sp_pwdp;
|
|
||||||
#endif /* USE_LIBIAF */
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* check for locked account */
|
|
||||||
- if (!options.use_pam && passwd && *passwd) {
|
|
||||||
+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
|
|
||||||
int locked = 0;
|
|
||||||
|
|
||||||
#ifdef LOCKED_PASSWD_STRING
|
|
||||||
if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
|
|
||||||
locked = 1;
|
|
||||||
#endif
|
|
||||||
#ifdef LOCKED_PASSWD_PREFIX
|
|
||||||
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
|
|
||||||
diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
|
||||||
--- a/openssh-7.6p1/servconf.c
|
|
||||||
+++ b/openssh-7.6p1/servconf.c
|
|
||||||
@@ -69,16 +69,17 @@ extern Buffer cfg;
|
|
||||||
|
|
||||||
void
|
|
||||||
initialize_server_options(ServerOptions *options)
|
|
||||||
{
|
|
||||||
memset(options, 0, sizeof(*options));
|
|
||||||
|
|
||||||
/* Portable-specific options */
|
|
||||||
options->use_pam = -1;
|
|
||||||
+ options->use_pam_check_locks = -1;
|
|
||||||
|
|
||||||
/* Standard Options */
|
|
||||||
options->num_ports = 0;
|
|
||||||
options->ports_from_cmdline = 0;
|
|
||||||
options->queued_listen_addrs = NULL;
|
|
||||||
options->num_queued_listens = 0;
|
|
||||||
options->listen_addrs = NULL;
|
|
||||||
options->address_family = -1;
|
|
||||||
@@ -191,16 +192,18 @@ assemble_algorithms(ServerOptions *o)
|
|
||||||
void
|
|
||||||
fill_default_server_options(ServerOptions *options)
|
|
||||||
{
|
|
||||||
int i;
|
|
||||||
|
|
||||||
/* Portable-specific options */
|
|
||||||
if (options->use_pam == -1)
|
|
||||||
options->use_pam = 0;
|
|
||||||
+ if (options->use_pam_check_locks == -1)
|
|
||||||
+ options->use_pam_check_locks = 0;
|
|
||||||
|
|
||||||
/* Standard Options */
|
|
||||||
if (options->num_host_key_files == 0) {
|
|
||||||
/* fill default hostkeys for protocols */
|
|
||||||
options->host_key_files[options->num_host_key_files++] =
|
|
||||||
_PATH_HOST_RSA_KEY_FILE;
|
|
||||||
options->host_key_files[options->num_host_key_files++] =
|
|
||||||
_PATH_HOST_DSA_KEY_FILE;
|
|
||||||
@@ -382,17 +385,17 @@ fill_default_server_options(ServerOption
|
|
||||||
#endif
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Keyword tokens. */
|
|
||||||
typedef enum {
|
|
||||||
sBadOption, /* == unknown option */
|
|
||||||
/* Portable-specific options */
|
|
||||||
- sUsePAM,
|
|
||||||
+ sUsePAM, sUsePAMChecklocks,
|
|
||||||
/* Standard Options */
|
|
||||||
sPort, sHostKeyFile, sLoginGraceTime,
|
|
||||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
|
||||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
|
||||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
|
||||||
sKerberosGetAFSToken,
|
|
||||||
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
|
||||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
|
||||||
@@ -433,18 +436,20 @@ typedef enum {
|
|
||||||
static struct {
|
|
||||||
const char *name;
|
|
||||||
ServerOpCodes opcode;
|
|
||||||
u_int flags;
|
|
||||||
} keywords[] = {
|
|
||||||
/* Portable-specific options */
|
|
||||||
#ifdef USE_PAM
|
|
||||||
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
|
|
||||||
+ { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
|
|
||||||
#else
|
|
||||||
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
|
|
||||||
+ { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
|
|
||||||
#endif
|
|
||||||
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
|
|
||||||
/* Standard Options */
|
|
||||||
{ "port", sPort, SSHCFG_GLOBAL },
|
|
||||||
{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
|
|
||||||
{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
|
|
||||||
{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
|
|
||||||
{ "pidfile", sPidFile, SSHCFG_GLOBAL },
|
|
||||||
@@ -1040,16 +1045,19 @@ process_server_config_line(ServerOptions
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
switch (opcode) {
|
|
||||||
/* Portable-specific options */
|
|
||||||
case sUsePAM:
|
|
||||||
intptr = &options->use_pam;
|
|
||||||
goto parse_flag;
|
|
||||||
+ case sUsePAMChecklocks:
|
|
||||||
+ intptr = &options->use_pam_check_locks;
|
|
||||||
+ goto parse_flag;
|
|
||||||
|
|
||||||
/* Standard Options */
|
|
||||||
case sBadOption:
|
|
||||||
return -1;
|
|
||||||
case sPort:
|
|
||||||
/* ignore ports from configfile if cmdline specifies ports */
|
|
||||||
if (options->ports_from_cmdline)
|
|
||||||
return 0;
|
|
||||||
diff --git a/openssh-7.6p1/servconf.h b/openssh-7.6p1/servconf.h
|
|
||||||
--- a/openssh-7.6p1/servconf.h
|
|
||||||
+++ b/openssh-7.6p1/servconf.h
|
|
||||||
@@ -168,16 +168,17 @@ typedef struct {
|
|
||||||
*/
|
|
||||||
|
|
||||||
u_int num_authkeys_files; /* Files containing public keys */
|
|
||||||
char *authorized_keys_files[MAX_AUTHKEYS_FILES];
|
|
||||||
|
|
||||||
char *adm_forced_command;
|
|
||||||
|
|
||||||
int use_pam; /* Enable auth via PAM */
|
|
||||||
+ int use_pam_check_locks; /* internally check for locked accounts even when using PAM */
|
|
||||||
|
|
||||||
int permit_tun;
|
|
||||||
|
|
||||||
char **permitted_opens;
|
|
||||||
u_int num_permitted_opens; /* May also be one of PERMITOPEN_* */
|
|
||||||
|
|
||||||
char *chroot_directory;
|
|
||||||
char *revoked_keys_file;
|
|
||||||
diff --git a/openssh-7.6p1/sshd_config.0 b/openssh-7.6p1/sshd_config.0
|
|
||||||
--- a/openssh-7.6p1/sshd_config.0
|
|
||||||
+++ b/openssh-7.6p1/sshd_config.0
|
|
||||||
@@ -901,16 +901,24 @@ DESCRIPTION
|
|
||||||
|
|
||||||
Because PAM challenge-response authentication usually serves an
|
|
||||||
equivalent role to password authentication, you should disable
|
|
||||||
either PasswordAuthentication or ChallengeResponseAuthentication.
|
|
||||||
|
|
||||||
If UsePAM is enabled, you will not be able to run sshd(8) as a
|
|
||||||
non-root user. The default is no.
|
|
||||||
|
|
||||||
+ UsePAMCheckLocks
|
|
||||||
+ When set to ``yes'', the checks whether the account has been
|
|
||||||
+ locked with `passwd -l' are performed even when PAM authentication
|
|
||||||
+ is enabled via UsePAM. This is to ensure that it is not possible
|
|
||||||
+ to log in with e.g. a public key (in such a case PAM is used only
|
|
||||||
+ to set up the session and some PAM modules will not check whether
|
|
||||||
+ the account is locked in this scenario). The default is ``no''.
|
|
||||||
+
|
|
||||||
VersionAddendum
|
|
||||||
Optionally specifies additional text to append to the SSH
|
|
||||||
protocol banner sent by the server upon connection. The default
|
|
||||||
is none.
|
|
||||||
|
|
||||||
X11DisplayOffset
|
|
||||||
Specifies the first display number available for sshd(8)'s X11
|
|
||||||
forwarding. This prevents sshd from interfering with real X11
|
|
||||||
diff --git a/openssh-7.6p1/sshd_config.5 b/openssh-7.6p1/sshd_config.5
|
|
||||||
--- a/openssh-7.6p1/sshd_config.5
|
|
||||||
+++ b/openssh-7.6p1/sshd_config.5
|
|
||||||
@@ -1496,16 +1496,28 @@ or
|
|
||||||
.Pp
|
|
||||||
If
|
|
||||||
.Cm UsePAM
|
|
||||||
is enabled, you will not be able to run
|
|
||||||
.Xr sshd 8
|
|
||||||
as a non-root user.
|
|
||||||
The default is
|
|
||||||
.Cm no .
|
|
||||||
+.It Cm UsePAMCheckLocks
|
|
||||||
+When set to
|
|
||||||
+.Dq yes
|
|
||||||
+, the checks whether the account has been locked with
|
|
||||||
+.Pa passwd -l
|
|
||||||
+are performed even when PAM authentication is enabled via
|
|
||||||
+.Cm UsePAM .
|
|
||||||
+This is to ensure that it is not possible to log in with e.g. a
|
|
||||||
+public key (in such a case PAM is used only to set up the session and some PAM
|
|
||||||
+modules will not check whether the account is locked in this scenario). The
|
|
||||||
+default is
|
|
||||||
+.Dq no .
|
|
||||||
.It Cm VersionAddendum
|
|
||||||
Optionally specifies additional text to append to the SSH protocol banner
|
|
||||||
sent by the server upon connection.
|
|
||||||
The default is
|
|
||||||
.Cm none .
|
|
||||||
.It Cm X11DisplayOffset
|
|
||||||
Specifies the first display number available for
|
|
||||||
.Xr sshd 8 Ns 's
|
|
@ -1,49 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 6dd892b74f13d258dc1bb3a70db7397dfb46c5e0
|
|
||||||
# use same lines naming as utempter (prevents problems with using different
|
|
||||||
# formats in ?tmp? files)
|
|
||||||
# --used to be called '-pts'
|
|
||||||
|
|
||||||
diff --git a/openssh-7.6p1/loginrec.c b/openssh-7.6p1/loginrec.c
|
|
||||||
--- a/openssh-7.6p1/loginrec.c
|
|
||||||
+++ b/openssh-7.6p1/loginrec.c
|
|
||||||
@@ -541,17 +541,17 @@ getlast_entry(struct logininfo *li)
|
|
||||||
/*
|
|
||||||
* 'line' string utility functions
|
|
||||||
*
|
|
||||||
* These functions process the 'line' string into one of three forms:
|
|
||||||
*
|
|
||||||
* 1. The full filename (including '/dev')
|
|
||||||
* 2. The stripped name (excluding '/dev')
|
|
||||||
* 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00
|
|
||||||
- * /dev/pts/1 -> ts/1 )
|
|
||||||
+ * /dev/pts/1 -> /1 )
|
|
||||||
*
|
|
||||||
* Form 3 is used on some systems to identify a .tmp.? entry when
|
|
||||||
* attempting to remove it. Typically both addition and removal is
|
|
||||||
* performed by one application - say, sshd - so as long as the choice
|
|
||||||
* uniquely identifies a terminal it's ok.
|
|
||||||
*/
|
|
||||||
|
|
||||||
|
|
||||||
@@ -602,16 +602,20 @@ line_abbrevname(char *dst, const char *s
|
|
||||||
/* Always skip prefix if present */
|
|
||||||
if (strncmp(src, "/dev/", 5) == 0)
|
|
||||||
src += 5;
|
|
||||||
|
|
||||||
#ifdef WITH_ABBREV_NO_TTY
|
|
||||||
if (strncmp(src, "tty", 3) == 0)
|
|
||||||
src += 3;
|
|
||||||
#endif
|
|
||||||
+ if (strncmp(src, "pts/", 4) == 0) {
|
|
||||||
+ src += 3;
|
|
||||||
+ if (strlen(src) > 4) src++;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
len = strlen(src);
|
|
||||||
|
|
||||||
if (len > 0) {
|
|
||||||
if (((int)len - dstsize) > 0)
|
|
||||||
src += ((int)len - dstsize);
|
|
||||||
|
|
||||||
/* note: _don't_ change this to strlcpy */
|
|
@ -1,55 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 2c6d52d1229cbfd1cd4b7b356bb649470df4d3b3
|
|
||||||
# --used to be called '-xauth'
|
|
||||||
try to remove xauth cookies on logout
|
|
||||||
|
|
||||||
bnc#98815
|
|
||||||
|
|
||||||
diff --git a/openssh-7.6p1/session.c b/openssh-7.6p1/session.c
|
|
||||||
--- a/openssh-7.6p1/session.c
|
|
||||||
+++ b/openssh-7.6p1/session.c
|
|
||||||
@@ -2294,16 +2294,44 @@ session_close(struct ssh *ssh, Session *
|
|
||||||
u_int i;
|
|
||||||
|
|
||||||
verbose("Close session: user %s from %.200s port %d id %d",
|
|
||||||
s->pw->pw_name,
|
|
||||||
ssh_remote_ipaddr(ssh),
|
|
||||||
ssh_remote_port(ssh),
|
|
||||||
s->self);
|
|
||||||
|
|
||||||
+ if ((s->display != NULL) && (s->auth_proto != NULL) &&
|
|
||||||
+ (s->auth_data != NULL) && (options.xauth_location != NULL)) {
|
|
||||||
+ pid_t pid;
|
|
||||||
+ FILE *f;
|
|
||||||
+ char cmd[1024];
|
|
||||||
+ struct passwd * pw = s->pw;
|
|
||||||
+
|
|
||||||
+ if (!(pid = fork())) {
|
|
||||||
+ permanently_set_uid(pw);
|
|
||||||
+
|
|
||||||
+ /* Remove authority data from .Xauthority if appropriate. */
|
|
||||||
+ debug("Running %.500s remove %.100s\n",
|
|
||||||
+ options.xauth_location, s->auth_display);
|
|
||||||
+
|
|
||||||
+ snprintf(cmd, sizeof cmd, "unset XAUTHORITY && HOME=\"%.200s\" %s -q -",
|
|
||||||
+ s->pw->pw_dir, options.xauth_location);
|
|
||||||
+ f = popen(cmd, "w");
|
|
||||||
+ if (f) {
|
|
||||||
+ fprintf(f, "remove %s\n", s->auth_display);
|
|
||||||
+ pclose(f);
|
|
||||||
+ } else
|
|
||||||
+ error("Could not run %s\n", cmd);
|
|
||||||
+ exit(0);
|
|
||||||
+ } else if (pid > 0) {
|
|
||||||
+ waitpid(pid, NULL, 0);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (s->ttyfd != -1)
|
|
||||||
session_pty_cleanup(s);
|
|
||||||
free(s->term);
|
|
||||||
free(s->display);
|
|
||||||
free(s->x11_chanids);
|
|
||||||
free(s->auth_display);
|
|
||||||
free(s->auth_data);
|
|
||||||
free(s->auth_proto);
|
|
@ -1,34 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 85f3cd6c8291c7feb0c1e7a0a3645c130532d206
|
|
||||||
Add the 'geteuid' syscall to allowed list, since it may becalled on the
|
|
||||||
mainframes when OpenSSL is using hardware crypto accelerator via libica
|
|
||||||
(via ibmica)
|
|
||||||
|
|
||||||
bsc#1004258
|
|
||||||
|
|
||||||
diff --git a/openssh-7.6p1/sandbox-seccomp-filter.c b/openssh-7.6p1/sandbox-seccomp-filter.c
|
|
||||||
--- a/openssh-7.6p1/sandbox-seccomp-filter.c
|
|
||||||
+++ b/openssh-7.6p1/sandbox-seccomp-filter.c
|
|
||||||
@@ -161,16 +161,22 @@ static const struct sock_filter preauth_
|
|
||||||
SC_ALLOW(__NR_close),
|
|
||||||
#endif
|
|
||||||
#ifdef __NR_exit
|
|
||||||
SC_ALLOW(__NR_exit),
|
|
||||||
#endif
|
|
||||||
#ifdef __NR_exit_group
|
|
||||||
SC_ALLOW(__NR_exit_group),
|
|
||||||
#endif
|
|
||||||
+#ifdef __NR_geteuid
|
|
||||||
+ SC_ALLOW(__NR_geteuid),
|
|
||||||
+#endif
|
|
||||||
+#ifdef __NR_geteuid32
|
|
||||||
+ SC_ALLOW(__NR_geteuid32),
|
|
||||||
+#endif
|
|
||||||
#ifdef __NR_getpgid
|
|
||||||
SC_ALLOW(__NR_getpgid),
|
|
||||||
#endif
|
|
||||||
#ifdef __NR_getpid
|
|
||||||
SC_ALLOW(__NR_getpid),
|
|
||||||
#endif
|
|
||||||
#ifdef __NR_getrandom
|
|
||||||
SC_ALLOW(__NR_getrandom),
|
|
@ -1,31 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent 004731f82470b22b9bd563ef3216034cf00ba133
|
|
||||||
add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread
|
|
||||||
from being killed by the seccomp filter
|
|
||||||
|
|
||||||
diff --git a/openssh-7.6p1/sandbox-seccomp-filter.c b/openssh-7.6p1/sandbox-seccomp-filter.c
|
|
||||||
--- a/openssh-7.6p1/sandbox-seccomp-filter.c
|
|
||||||
+++ b/openssh-7.6p1/sandbox-seccomp-filter.c
|
|
||||||
@@ -173,16 +173,22 @@ static const struct sock_filter preauth_
|
|
||||||
SC_ALLOW(__NR_getpid),
|
|
||||||
#endif
|
|
||||||
#ifdef __NR_getrandom
|
|
||||||
SC_ALLOW(__NR_getrandom),
|
|
||||||
#endif
|
|
||||||
#ifdef __NR_gettimeofday
|
|
||||||
SC_ALLOW(__NR_gettimeofday),
|
|
||||||
#endif
|
|
||||||
+#ifdef __NR_getuid
|
|
||||||
+ SC_ALLOW(__NR_getuid),
|
|
||||||
+#endif
|
|
||||||
+#ifdef __NR_getuid32
|
|
||||||
+ SC_ALLOW(__NR_getuid32),
|
|
||||||
+#endif
|
|
||||||
#ifdef __NR_madvise
|
|
||||||
SC_ALLOW(__NR_madvise),
|
|
||||||
#endif
|
|
||||||
#ifdef __NR_mmap
|
|
||||||
SC_ALLOW(__NR_mmap),
|
|
||||||
#endif
|
|
||||||
#ifdef __NR_mmap2
|
|
||||||
SC_ALLOW(__NR_mmap2),
|
|
@ -1,30 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent ddbb42a2825e7e837d7b0387b79a9542c7869174
|
|
||||||
Allow the stat() syscall for OpenSSL re-seed patch
|
|
||||||
(which causes OpenSSL use stat() on some file)
|
|
||||||
|
|
||||||
bnc#912436
|
|
||||||
|
|
||||||
diff --git a/openssh-7.6p1/sandbox-seccomp-filter.c b/openssh-7.6p1/sandbox-seccomp-filter.c
|
|
||||||
--- a/openssh-7.6p1/sandbox-seccomp-filter.c
|
|
||||||
+++ b/openssh-7.6p1/sandbox-seccomp-filter.c
|
|
||||||
@@ -224,16 +224,19 @@ static const struct sock_filter preauth_
|
|
||||||
SC_ALLOW(__NR_select),
|
|
||||||
#endif
|
|
||||||
#ifdef __NR_shutdown
|
|
||||||
SC_ALLOW(__NR_shutdown),
|
|
||||||
#endif
|
|
||||||
#ifdef __NR_sigprocmask
|
|
||||||
SC_ALLOW(__NR_sigprocmask),
|
|
||||||
#endif
|
|
||||||
+#ifdef __NR_stat
|
|
||||||
+ SC_ALLOW(__NR_stat),
|
|
||||||
+#endif
|
|
||||||
#ifdef __NR_time
|
|
||||||
SC_ALLOW(__NR_time),
|
|
||||||
#endif
|
|
||||||
#ifdef __NR_write
|
|
||||||
SC_ALLOW(__NR_write),
|
|
||||||
#endif
|
|
||||||
#ifdef __NR_socketcall
|
|
||||||
SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
|
|
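--- a/openssh-7.6p1-seed-prng.patch
+++ b/openssh-7.6p1-seed-prng.patch
@@ -1,461 +0,0 @@
-# HG changeset patch
-# Parent e7721ed81bcf77756a79fbd04d377cc420a994cc
-# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
-# bnc#703221, FATE#312172
-
-diff --git a/openssh-7.6p1/entropy.c b/openssh-7.6p1/entropy.c
---- a/openssh-7.6p1/entropy.c
-+++ b/openssh-7.6p1/entropy.c
-@@ -49,16 +49,17 @@
-
-#include "ssh.h"
-#include "misc.h"
-#include "xmalloc.h"
-#include "atomicio.h"
-#include "pathnames.h"
-#include "log.h"
-#include "buffer.h"
-+#include "openbsd-compat/port-linux.h"
-
-/*
-* Portable OpenSSH PRNG seeding:
-* If OpenSSL has not "internally seeded" itself (e.g. pulled data from
-* /dev/random), then collect RANDOM_SEED_SIZE bytes of randomness from
-* PRNGd.
-*/
-#ifndef OPENSSL_PRNG_ONLY
-@@ -224,16 +225,19 @@ seed_rng(void)
-}
-
-if (seed_from_prngd(buf, sizeof(buf)) == -1)
-fatal("Could not obtain seed from PRNGd");
-RAND_add(buf, sizeof(buf), sizeof(buf));
-memset(buf, '\0', sizeof(buf));
-
-#endif /* OPENSSL_PRNG_ONLY */
-+
-+ linux_seed();
-+
-if (RAND_status() != 1)
-fatal("PRNG is not seeded");
-}
-
-#else /* WITH_OPENSSL */
-
-/* Handled in arc4random() */
-void
-diff --git a/openssh-7.6p1/openbsd-compat/Makefile.in b/openssh-7.6p1/openbsd-compat/Makefile.in
---- a/openssh-7.6p1/openbsd-compat/Makefile.in
-+++ b/openssh-7.6p1/openbsd-compat/Makefile.in
-@@ -15,17 +15,17 @@ AR=@AR@
-RANLIB=@RANLIB@
-INSTALL=@INSTALL@
-LDFLAGS=-L. @LDFLAGS@
-
-OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o recallocarray.o rresvport.o setenv.o setproctitle.o sha1.o sha2.o rmd160.o md5.o sigact.o strcasestr.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o freezero.o
-
-COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-getpagesize.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-malloc.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
-
--PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
-+PORTS=port-aix.o port-irix.o port-linux.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
-
-.c.o:
-$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
-
-all: libopenbsd-compat.a
-
-$(COMPAT): ../config.h
-$(OPENBSD): ../config.h
-diff --git a/openssh-7.6p1/openbsd-compat/port-linux-prng.c b/openssh-7.6p1/openbsd-compat/port-linux-prng.c
-new file mode 100644
---- /dev/null
-+++ b/openssh-7.6p1/openbsd-compat/port-linux-prng.c
-@@ -0,0 +1,81 @@
-+/*
-+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
-+ * (c) 2011 Petr Cerny <pcerny@suse.cz>
-+ *
-+ * Permission to use, copy, modify, and distribute this software for any
-+ * purpose with or without fee is hereby granted, provided that the above
-+ * copyright notice and this permission notice appear in all copies.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-+ */
-+
-+/*
-+ * Linux-specific portability code - prng support
-+ */
-+
-+#include "includes.h"
-+#include "defines.h"
-+
-+#include <errno.h>
-+#include <stdarg.h>
-+#include <string.h>
-+#include <stdio.h>
-+#include <openssl/rand.h>
-+
-+#include "log.h"
-+#include "port-linux.h"
-+#include "fips.h"
-+
-+#define RNG_BYTES_DEFAULT 6L
-+#define RNG_ENV_VAR "SSH_USE_STRONG_RNG"
-+
-+long rand_bytes = 0;
-+char *rand_file = NULL;
-+
-+static void
-+linux_seed_init(void)
-+{
-+ long elen = 0;
-+ char *env = getenv(RNG_ENV_VAR);
-+
-+ if (env) {
-+ errno = 0;
-+ elen = strtol(env, NULL, 10);
-+ if (errno) {
-+ elen = RNG_BYTES_DEFAULT;
-+ debug("bogus value in the %s environment variable, "
-+ "using %li bytes from /dev/random\n",
-+ RNG_ENV_VAR, RNG_BYTES_DEFAULT);
-+ }
-+ }
-+
-+ if (elen || fips_mode())
-+ rand_file = "/dev/random";
-+ else
-+ rand_file = "/dev/urandom";
-+
-+ rand_bytes = MAX(elen, RNG_BYTES_DEFAULT);
-+}
-+
-+void
-+linux_seed(void)
-+{
-+ long len;
-+ if (!rand_file)
-+ linux_seed_init();
-+
-+ errno = 0;
-+ len = RAND_load_file(rand_file, rand_bytes);
-+ if (len != rand_bytes) {
-+ if (errno)
-+ fatal ("cannot read from %s, %s", rand_file, strerror(errno));
-+ else
-+ fatal ("EOF reading %s", rand_file);
-+ }
-+}
-diff --git a/openssh-7.6p1/openbsd-compat/port-linux.h b/openssh-7.6p1/openbsd-compat/port-linux.h
---- a/openssh-7.6p1/openbsd-compat/port-linux.h
-+++ b/openssh-7.6p1/openbsd-compat/port-linux.h
-@@ -12,16 +12,20 @@
-* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-*/
-
-#ifndef _PORT_LINUX_H
-#define _PORT_LINUX_H
-
-+extern long rand_bytes;
-+extern char *rand_file;
-+void linux_seed(void);
-+
-#ifdef WITH_SELINUX
-int ssh_selinux_enabled(void);
-void ssh_selinux_setup_pty(char *, const char *);
-void ssh_selinux_setup_exec_context(char *);
-void ssh_selinux_change_context(const char *);
-void ssh_selinux_setfscreatecon(const char *);
-#endif
-
-diff --git a/openssh-7.6p1/ssh-add.1 b/openssh-7.6p1/ssh-add.1
---- a/openssh-7.6p1/ssh-add.1
-+++ b/openssh-7.6p1/ssh-add.1
-@@ -167,16 +167,30 @@ or related script.
-(Note that on some machines it
-may be necessary to redirect the input from
-.Pa /dev/null
-to make this work.)
-.It Ev SSH_AUTH_SOCK
-Identifies the path of a
-.Ux Ns -domain
-socket used to communicate with the agent.
-+.It Ev SSH_USE_STRONG_RNG
-+The reseeding of the OpenSSL random generator is usually done from
-+.Cm /dev/urandom .
-+If the
-+.Cm SSH_USE_STRONG_RNG
-+environment variable is set to value other than
-+.Cm 0
-+the OpenSSL random generator is reseeded from
-+.Cm /dev/random .
-+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
-+Minimum is 6 bytes.
-+This setting is not recommended on the computers without the hardware
-+random generator because insufficient entropy causes the connection to
-+be blocked until enough entropy is available.
-.El
-.Sh FILES
-.Bl -tag -width Ds
-.It Pa ~/.ssh/id_dsa
-Contains the DSA authentication identity of the user.
-.It Pa ~/.ssh/id_ecdsa
-Contains the ECDSA authentication identity of the user.
-.It Pa ~/.ssh/id_ed25519
-diff --git a/openssh-7.6p1/ssh-agent.1 b/openssh-7.6p1/ssh-agent.1
---- a/openssh-7.6p1/ssh-agent.1
-+++ b/openssh-7.6p1/ssh-agent.1
-@@ -209,16 +209,33 @@ line terminates.
-.Sh FILES
-.Bl -tag -width Ds
-.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>
-.Ux Ns -domain
-sockets used to contain the connection to the authentication agent.
-These sockets should only be readable by the owner.
-The sockets should get automatically removed when the agent exits.
-.El
-+.Sh ENVIRONMENT
-+.Bl -tag -width Ds -compact
-+.Pp
-+.It Pa SSH_USE_STRONG_RNG
-+The reseeding of the OpenSSL random generator is usually done from
-+.Cm /dev/urandom .
-+If the
-+.Cm SSH_USE_STRONG_RNG
-+environment variable is set to value other than
-+.Cm 0
-+the OpenSSL random generator is reseeded from
-+.Cm /dev/random .
-+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
-+Minimum is 6 bytes.
-+This setting is not recommended on the computers without the hardware
-+random generator because insufficient entropy causes the connection to
-+be blocked until enough entropy is available.
-.Sh SEE ALSO
-.Xr ssh 1 ,
-.Xr ssh-add 1 ,
-.Xr ssh-keygen 1 ,
-.Xr sshd 8
-.Sh AUTHORS
-.An -nosplit
-OpenSSH is a derivative of the original and free ssh 1.2.12 release by
-diff --git a/openssh-7.6p1/ssh-keygen.1 b/openssh-7.6p1/ssh-keygen.1
---- a/openssh-7.6p1/ssh-keygen.1
-+++ b/openssh-7.6p1/ssh-keygen.1
-@@ -863,16 +863,33 @@ on all machines
-where the user wishes to log in using public key authentication.
-There is no need to keep the contents of this file secret.
-.Pp
-.It Pa /etc/moduli
-Contains Diffie-Hellman groups used for DH-GEX.
-The file format is described in
-.Xr moduli 5 .
-.El
-+.Sh ENVIRONMENT
-+.Bl -tag -width Ds -compact
-+.Pp
-+.It Pa SSH_USE_STRONG_RNG
-+The reseeding of the OpenSSL random generator is usually done from
-+.Cm /dev/urandom .
-+If the
-+.Cm SSH_USE_STRONG_RNG
-+environment variable is set to value other than
-+.Cm 0
-+the OpenSSL random generator is reseeded from
-+.Cm /dev/random .
-+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
-+Minimum is 6 bytes.
-+This setting is not recommended on the computers without the hardware
-+random generator because insufficient entropy causes the connection to
-+be blocked until enough entropy is available.
-.Sh SEE ALSO
-.Xr ssh 1 ,
-.Xr ssh-add 1 ,
-.Xr ssh-agent 1 ,
-.Xr moduli 5 ,
-.Xr sshd 8
-.Rs
-.%R RFC 4716
-diff --git a/openssh-7.6p1/ssh-keysign.8 b/openssh-7.6p1/ssh-keysign.8
---- a/openssh-7.6p1/ssh-keysign.8
-+++ b/openssh-7.6p1/ssh-keysign.8
-@@ -75,16 +75,33 @@ must be set-uid root if host-based authe
-.Pp
-.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
-.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
-.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
-.It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
-If these files exist they are assumed to contain public certificate
-information corresponding with the private keys above.
-.El
-+.Sh ENVIRONMENT
-+.Bl -tag -width Ds -compact
-+.Pp
-+.It Pa SSH_USE_STRONG_RNG
-+The reseeding of the OpenSSL random generator is usually done from
-+.Cm /dev/urandom .
-+If the
-+.Cm SSH_USE_STRONG_RNG
-+environment variable is set to value other than
-+.Cm 0
-+the OpenSSL random generator is reseeded from
-+.Cm /dev/random .
-+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
-+Minimum is 6 bytes.
-+This setting is not recommended on the computers without the hardware
-+random generator because insufficient entropy causes the connection to
-+be blocked until enough entropy is available.
-.Sh SEE ALSO
-.Xr ssh 1 ,
-.Xr ssh-keygen 1 ,
-.Xr ssh_config 5 ,
-.Xr sshd 8
-.Sh HISTORY
-.Nm
-first appeared in
-diff --git a/openssh-7.6p1/ssh.1 b/openssh-7.6p1/ssh.1
---- a/openssh-7.6p1/ssh.1
-+++ b/openssh-7.6p1/ssh.1
-@@ -1408,16 +1408,30 @@ reads
-and adds lines of the format
-.Dq VARNAME=value
-to the environment if the file exists and users are allowed to
-change their environment.
-For more information, see the
-.Cm PermitUserEnvironment
-option in
-.Xr sshd_config 5 .
-+.It Ev SSH_USE_STRONG_RNG
-+The reseeding of the OpenSSL random generator is usually done from
-+.Cm /dev/urandom .
-+If the
-+.Cm SSH_USE_STRONG_RNG
-+environment variable is set to value other than
-+.Cm 0
-+the OpenSSL random generator is reseeded from
-+.Cm /dev/random .
-+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
-+Minimum is 6 bytes.
-+This setting is not recommended on the computers without the hardware
-+random generator because insufficient entropy causes the connection to
-+be blocked until enough entropy is available.
-.Sh FILES
-.Bl -tag -width Ds -compact
-.It Pa ~/.rhosts
-This file is used for host-based authentication (see above).
-On some machines this file may need to be
-world-readable if the user's home directory is on an NFS partition,
-because
-.Xr sshd 8
-diff --git a/openssh-7.6p1/sshd.8 b/openssh-7.6p1/sshd.8
---- a/openssh-7.6p1/sshd.8
-+++ b/openssh-7.6p1/sshd.8
-@@ -929,16 +929,33 @@ and not group or world-writable.
-.It Pa /var/run/sshd.pid
-Contains the process ID of the
-.Nm
-listening for connections (if there are several daemons running
-concurrently for different ports, this contains the process ID of the one
-started last).
-The content of this file is not sensitive; it can be world-readable.
-.El
-+.Sh ENVIRONMENT
-+.Bl -tag -width Ds -compact
-+.Pp
-+.It Pa SSH_USE_STRONG_RNG
-+The reseeding of the OpenSSL random generator is usually done from
-+.Cm /dev/urandom .
-+If the
-+.Cm SSH_USE_STRONG_RNG
-+environment variable is set to value other than
-+.Cm 0
-+the OpenSSL random generator is reseeded from
-+.Cm /dev/random .
-+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
-+Minimum is 6 bytes.
-+This setting is not recommended on the computers without the hardware
-+random generator because insufficient entropy causes the connection to
-+be blocked until enough entropy is available.
-.Sh SEE ALSO
-.Xr scp 1 ,
-.Xr sftp 1 ,
-.Xr ssh 1 ,
-.Xr ssh-add 1 ,
-.Xr ssh-agent 1 ,
-.Xr ssh-keygen 1 ,
-.Xr ssh-keyscan 1 ,
-diff --git a/openssh-7.6p1/sshd.c b/openssh-7.6p1/sshd.c
---- a/openssh-7.6p1/sshd.c
-+++ b/openssh-7.6p1/sshd.c
-@@ -50,16 +50,18 @@
-#ifdef HAVE_SYS_STAT_H
-# include <sys/stat.h>
-#endif
-#ifdef HAVE_SYS_TIME_H
-# include <sys/time.h>
-#endif
-#include "openbsd-compat/sys-tree.h"
-#include "openbsd-compat/sys-queue.h"
-+#include "openbsd-compat/port-linux.h"
-+
-#include <sys/wait.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <netdb.h>
-#ifdef HAVE_PATHS_H
-#include <paths.h>
-#endif
-@@ -195,16 +197,23 @@ int have_agent = 0;
-*/
-struct {
-struct sshkey **host_keys; /* all private host keys */
-struct sshkey **host_pubkeys; /* all public host keys */
-struct sshkey **host_certificates; /* all public host certificates */
-int have_ssh2_key;
-} sensitive_data;
-
-+/*
-+ * Every RESEED_AFTERth connection triggers call to linux_seed() to re-seed the
-+ * random pool.
-+ */
-+#define RESEED_AFTER 100
-+static int re_seeding_counter = RESEED_AFTER;
-+
-/* This is set to true when a signal is received. */
-static volatile sig_atomic_t received_sighup = 0;
-static volatile sig_atomic_t received_sigterm = 0;
-
-/* session identifier, used by RSA-auth */
-u_char session_id[16];
-
-/* same for ssh2 */
-@@ -1208,16 +1217,20 @@ server_accept_loop(int *sock_in, int *so
-for (j = 0; j < options.max_startups; j++)
-if (startup_pipes[j] == -1) {
-startup_pipes[j] = startup_p[0];
-if (maxfd < startup_p[0])
-maxfd = startup_p[0];
-startups++;
-break;
-}
-+ if(!(--re_seeding_counter)) {
-+ re_seeding_counter = RESEED_AFTER;
-+ linux_seed();
-+ }
-
-/*
-* Got connection. Fork a child to handle it, unless
-* we are in debugging mode.
-*/
-if (debug_flag) {
-/*
-* In debugging mode. Close the listening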
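--- a/openssh-7.6p1-send_locale.patch
+++ b/openssh-7.6p1-send_locale.patch
@@ -1,53 +0,0 @@
-# HG changeset patch
-# Parent f258e8b7fc48a4b0f60fc436dc9ec72423a11bfc
-send locales in default configuration
-bnc#65747
-
-diff --git a/openssh-7.6p1/ssh_config b/openssh-7.6p1/ssh_config
---- a/openssh-7.6p1/ssh_config
-+++ b/openssh-7.6p1/ssh_config
-@@ -26,16 +26,21 @@ Host *
-# security reasons: Someone stealing the authentification data on the
-# remote side (the "spoofed" X-server by the remote sshd) can read your
-# keystrokes as you type, just like any other X11 client could do.
-# Set this to "no" here for global effect or in your own ~/.ssh/config
-# file if you want to have the remote X11 authentification data to
-# expire after twenty minutes after remote login.
-ForwardX11Trusted yes
-
-+# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
-+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-+ SendEnv LC_IDENTIFICATION LC_ALL
-+
-# PasswordAuthentication yes
-# HostbasedAuthentication no
-# GSSAPIAuthentication no
-# GSSAPIDelegateCredentials no
-# BatchMode no
-# CheckHostIP yes
-# AddressFamily any
-# ConnectTimeout 0
-diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
---- a/openssh-7.6p1/sshd_config
-+++ b/openssh-7.6p1/sshd_config
-@@ -105,14 +105,19 @@ X11Forwarding yes
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# override default of no subsystems
-Subsystem sftp /usr/libexec/sftp-server
-
-+# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
-+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-+AcceptEnv LC_IDENTIFICATION LC_ALL
-+
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server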
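--- a/openssh-7.6p1-systemd-notify.patch
+++ b/openssh-7.6p1-systemd-notify.patch
@@ -1,134 +0,0 @@
-# HG changeset patch
-# Parent 47bd7a709835b11e8dbd8fdf8779a2281ed46120
-Send signals to systemd to prevent various race conditions
-bsc#1048367
-
-diff --git a/openssh-7.6p1/configure.ac b/openssh-7.6p1/configure.ac
---- a/openssh-7.6p1/configure.ac
-+++ b/openssh-7.6p1/configure.ac
-@@ -4304,16 +4304,40 @@ AC_ARG_WITH([kerberos5],
-LIBS="$saved_LIBS"
-
-fi
-]
-)
-AC_SUBST([GSSLIBS])
-AC_SUBST([K5LIBS])
-
-+# Check whether user wants systemd support
-+SYSTEMD_MSG="no"
-+AC_ARG_WITH(systemd,
-+ [ --with-systemd Enable systemd support],
-+ [ if test "x$withval" != "xno" ; then
-+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
-+ if test "$PKGCONFIG" != "no"; then
-+ AC_MSG_CHECKING([for libsystemd])
-+ if $PKGCONFIG --exists libsystemd; then
-+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
-+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
-+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
-+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
-+ AC_MSG_RESULT([yes])
-+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
-+ SYSTEMD_MSG="yes"
-+ else
-+ AC_MSG_RESULT([no])
-+ fi
-+ fi
-+ fi ]
-+)
-+
-+
-# Looking for programs, paths and files
-
-PRIVSEP_PATH=/var/empty
-AC_ARG_WITH([privsep-path],
-[ --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
-[
-if test -n "$withval" && test "x$withval" != "xno" && \
-test "x${withval}" != "xyes"; then
-@@ -5110,16 +5134,17 @@ echo " SELinux support
-echo " Smartcard support: $SCARD_MSG"
-echo " S/KEY support: $SKEY_MSG"
-echo " MD5 password support: $MD5_MSG"
-echo " libedit support: $LIBEDIT_MSG"
-echo " libldns support: $LDNS_MSG"
-echo " Solaris process contract support: $SPC_MSG"
-echo " Solaris project support: $SP_MSG"
-echo " Solaris privilege support: $SPP_MSG"
-+echo " systemd support: $SYSTEMD_MSG"
-echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
-echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
-echo " BSD Auth support: $BSD_AUTH_MSG"
-echo " Random number source: $RAND_MSG"
-echo " Privsep sandbox style: $SANDBOX_STYLE"
-
-echo ""
-
-diff --git a/openssh-7.6p1/sshd.c b/openssh-7.6p1/sshd.c
---- a/openssh-7.6p1/sshd.c
-+++ b/openssh-7.6p1/sshd.c
-@@ -82,16 +82,20 @@
-#include "openbsd-compat/openssl-compat.h"
-#endif
-
-#ifdef HAVE_SECUREWARE
-#include <sys/security.h>
-#include <prot.h>
-#endif
-
-+#ifdef HAVE_SYSTEMD
-+#include <systemd/sd-daemon.h>
-+#endif
-+
-#include "xmalloc.h"
-#include "ssh.h"
-#include "ssh2.h"
-#include "sshpty.h"
-#include "packet.h"
-#include "log.h"
-#include "buffer.h"
-#include "misc.h"
-@@ -293,16 +297,20 @@ sighup_handler(int sig)
-
-/*
-* Called from the main program after receiving SIGHUP.
-* Restarts the server.
-*/
-static void
-sighup_restart(void)
-{
-+#ifdef HAVE_SYSTEMD
-+ /* Signal systemd that we are reloading */
-+ sd_notify(0, "RELOADING=1");
-+#endif
-logit("Received SIGHUP; restarting.");
-if (options.pid_file != NULL)
-unlink(options.pid_file);
-platform_pre_restart();
-close_listen_socks();
-close_startup_pipes();
-alarm(0); /* alarm timer persists across exec */
-signal(SIGHUP, SIG_IGN); /* will be restored after exec */
-@@ -1878,16 +1886,21 @@ main(int ac, char **av)
-error("Couldn't create pid file \"%s\": %s",
-options.pid_file, strerror(errno));
-} else {
-fprintf(f, "%ld\n", (long) getpid());
-fclose(f);
-}
-}
-
-+#ifdef HAVE_SYSTEMD
-+ /* Signal systemd that we are ready to accept connections */
-+ sd_notify(0, "READY=1");
-+#endif
-+
-/* Accept a connection and return in a forked child */
-server_accept_loop(&sock_in, &sock_out,
-&newsock, config_s);
-}
-
-/* This is the child processing a new connection. */
-setproctitle("%s", "[accepted]");
-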
@ -1,9 +1,3 @@
|
|||||||
-------------------------------------------------------------------
|
|
||||||
Fri Nov 3 12:27:18 UTC 2017 - pcerny@suse.com
|
|
||||||
|
|
||||||
- upgrade to 7.6p1
|
|
||||||
see main package changelog for details
|
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Jul 25 13:45:53 UTC 2016 - meissner@suse.com
|
Mon Jul 25 13:45:53 UTC 2016 - meissner@suse.com
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package openssh-askpass-gnome
|
# spec file for package openssh-askpass-gnome
|
||||||
#
|
#
|
||||||
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
|
# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
|
118
openssh.changes
118
openssh.changes
@ -1,11 +1,5 @@
|
|||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Nov 23 13:38:52 UTC 2017 - rbrown@suse.com
|
Fri Jan 12 00:38:37 CET 2018 - pcerny@suse.com
|
||||||
|
|
||||||
- Replace references to /var/adm/fillup-templates with new
|
|
||||||
%_fillupdir macro (boo#1069468)
|
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
|
||||||
Fri Nov 3 12:27:18 UTC 2017 - pcerny@suse.com
|
|
||||||
|
|
||||||
- Update to vanilla 7.6p1
|
- Update to vanilla 7.6p1
|
||||||
Most important changes (more details below):
|
Most important changes (more details below):
|
||||||
@ -552,34 +546,94 @@ Fri Nov 3 12:27:18 UTC 2017 - pcerny@suse.com
|
|||||||
* Add clang libFuzzer harnesses for public key parsing and
|
* Add clang libFuzzer harnesses for public key parsing and
|
||||||
signature verification.
|
signature verification.
|
||||||
- packaging:
|
- packaging:
|
||||||
* removal of all 7.2 patches
|
* moving patches into a separate archive
|
||||||
* first round of rebased patches:
|
* first round of rebased patches:
|
||||||
[openssh-7.6p1-X11_trusted_forwarding.patch]
|
[-X11_trusted_forwarding]
|
||||||
[openssh-7.6p1-allow_root_password_login.patch]
|
[-allow_root_password_login]
|
||||||
[openssh-7.6p1-blocksigalrm.patch]
|
[-blocksigalrm]
|
||||||
[openssh-7.6p1-disable_short_DH_parameters.patch]
|
[-cavstest-ctr]
|
||||||
[openssh-7.6p1-eal3.patch]
|
[-cavstest-kdf]
|
||||||
[openssh-7.6p1-enable_PAM_by_default.patch]
|
[-disable_short_DH_parameters]
|
||||||
[openssh-7.6p1-fips.patch]
|
[-eal3]
|
||||||
[openssh-7.6p1-fips_checks.patch]
|
[-enable_PAM_by_default]
|
||||||
[openssh-7.6p1-hostname_changes_when_forwarding_X.patch]
|
[-fips]
|
||||||
[openssh-7.6p1-lastlog.patch]
|
[-fips_checks]
|
||||||
[openssh-7.6p1-pam_check_locks.patch]
|
[-gssapi_key_exchange]
|
||||||
[openssh-7.6p1-pts_names_formatting.patch]
|
[-hostname_changes_when_forwarding_X]
|
||||||
[openssh-7.6p1-remove_xauth_cookies_on_exit.patch]
|
[-lastlog]
|
||||||
[openssh-7.6p1-seccomp_geteuid.patch]
|
[-missing_headers]
|
||||||
[openssh-7.6p1-seccomp_getuid.patch]
|
[-pam_check_locks]
|
||||||
[openssh-7.6p1-seccomp_stat.patch]
|
[-pts_names_formatting]
|
||||||
[openssh-7.6p1-seed-prng.patch]
|
[-remove_xauth_cookies_on_exit]
|
||||||
[openssh-7.6p1-send_locale.patch]
|
[-seccomp_geteuid]
|
||||||
[openssh-7.6p1-systemd-notify.patch]
|
[-seccomp_getuid]
|
||||||
|
[-seccomp_stat]
|
||||||
|
[-seed-prng]
|
||||||
|
[-send_locale]
|
||||||
|
[-systemd-notify]
|
||||||
* not rebased (obsoleted) patches (so far):
|
* not rebased (obsoleted) patches (so far):
|
||||||
[openssh-7.2p2-saveargv-fix.diff]
|
[-additional_seccomp_archs]
|
||||||
[openssh-7.2p2-dont_use_pthreads_in_PAM.diff]
|
[-allow_DSS_by_default]
|
||||||
[openssh-7.2p2-gssapimitm.diff]
|
[-default_protocol]
|
||||||
[openssh-7.2p2-eal3_obsolete.diff]
|
[-dont_use_pthreads_in_PAM]
|
||||||
[openssh-7.2p2-default_protocol.diff]
|
[-eal3_obsolete]
|
||||||
|
[-gssapimitm]
|
||||||
|
[-saveargv-fix]
|
||||||
|
* obviously removing all standalone patch files:
|
||||||
|
[openssh-7.2p2-allow_root_password_login.patch]
|
||||||
|
[openssh-7.2p2-allow_DSS_by_default.patch]
|
||||||
|
[openssh-7.2p2-X11_trusted_forwarding.patch]
|
||||||
|
[openssh-7.2p2-lastlog.patch]
|
||||||
|
[openssh-7.2p2-enable_PAM_by_default.patch]
|
||||||
|
[openssh-7.2p2-dont_use_pthreads_in_PAM.patch]
|
||||||
|
[openssh-7.2p2-eal3.patch]
|
||||||
|
[openssh-7.2p2-blocksigalrm.patch]
|
||||||
|
[openssh-7.2p2-send_locale.patch]
|
||||||
|
[openssh-7.2p2-hostname_changes_when_forwarding_X.patch]
|
||||||
|
[openssh-7.2p2-remove_xauth_cookies_on_exit.patch]
|
||||||
|
[openssh-7.2p2-pts_names_formatting.patch]
|
||||||
|
[openssh-7.2p2-pam_check_locks.patch]
|
||||||
|
[openssh-7.2p2-disable_short_DH_parameters.patch]
|
||||||
|
[openssh-7.2p2-seccomp_getuid.patch]
|
||||||
|
[openssh-7.2p2-seccomp_geteuid.patch]
|
||||||
|
[openssh-7.2p2-seccomp_stat.patch]
|
||||||
[openssh-7.2p2-additional_seccomp_archs.patch]
|
[openssh-7.2p2-additional_seccomp_archs.patch]
|
||||||
|
[openssh-7.2p2-fips.patch]
|
||||||
|
[openssh-7.2p2-cavstest-ctr.patch]
|
||||||
|
[openssh-7.2p2-cavstest-kdf.patch]
|
||||||
|
[openssh-7.2p2-seed-prng.patch]
|
||||||
|
[openssh-7.2p2-gssapi_key_exchange.patch]
|
||||||
|
[openssh-7.2p2-audit.patch]
|
||||||
|
[openssh-7.2p2-audit_fixes.patch]
|
||||||
|
[openssh-7.2p2-audit_seed_prng.patch]
|
||||||
|
[openssh-7.2p2-login_options.patch]
|
||||||
|
[openssh-7.2p2-disable_openssl_abi_check.patch]
|
||||||
|
[openssh-7.2p2-no_fork-no_pid_file.patch]
|
||||||
|
[openssh-7.2p2-host_ident.patch]
|
||||||
|
[openssh-7.2p2-sftp_homechroot.patch]
|
||||||
|
[openssh-7.2p2-sftp_force_permissions.patch]
|
||||||
|
[openssh-7.2p2-X_forward_with_disabled_ipv6.patch]
|
||||||
|
[openssh-7.2p2-ldap.patch]
|
||||||
|
[openssh-7.2p2-IPv6_X_forwarding.patch]
|
||||||
|
[openssh-7.2p2-ignore_PAM_with_UseLogin.patch]
|
||||||
|
[openssh-7.2p2-prevent_timing_user_enumeration.patch]
|
||||||
|
[openssh-7.2p2-limit_password_length.patch]
|
||||||
|
[openssh-7.2p2-keep_slogin.patch]
|
||||||
|
[openssh-7.2p2-kex_resource_depletion.patch]
|
||||||
|
[openssh-7.2p2-verify_CIDR_address_ranges.patch]
|
||||||
|
[openssh-7.2p2-restrict_pkcs11-modules.patch]
|
||||||
|
[openssh-7.2p2-prevent_private_key_leakage.patch]
|
||||||
|
[openssh-7.2p2-secure_unix_sockets_forwarding.patch]
|
||||||
|
[openssh-7.2p2-ssh_case_insensitive_host_matching.patch]
|
||||||
|
[openssh-7.2p2-disable_preauth_compression.patch]
|
||||||
|
[openssh-7.2p2-s390_hw_crypto_syscalls.patch]
|
||||||
|
[openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch]
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Nov 23 13:38:52 UTC 2017 - rbrown@suse.com
|
||||||
|
|
||||||
|
- Replace references to /var/adm/fillup-templates with new
|
||||||
|
%_fillupdir macro (boo#1069468)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Oct 25 15:09:06 UTC 2017 - jsegitz@suse.com
|
Wed Oct 25 15:09:06 UTC 2017 - jsegitz@suse.com
|
||||||
|
104
openssh.spec
104
openssh.spec
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package openssh
|
# spec file for package openssh
|
||||||
#
|
#
|
||||||
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
|
# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -90,8 +90,8 @@ BuildRequires: libopenssl-1_0_0-devel
|
|||||||
BuildRequires: openldap2-devel
|
BuildRequires: openldap2-devel
|
||||||
BuildRequires: pam-devel
|
BuildRequires: pam-devel
|
||||||
%if %{uses_systemd}
|
%if %{uses_systemd}
|
||||||
BuildRequires: pkgconfig(systemd)
|
|
||||||
BuildRequires: systemd-devel
|
BuildRequires: systemd-devel
|
||||||
|
BuildRequires: pkgconfig(systemd)
|
||||||
%{?systemd_requires}
|
%{?systemd_requires}
|
||||||
%endif
|
%endif
|
||||||
BuildRequires: tcpd-devel
|
BuildRequires: tcpd-devel
|
||||||
@ -118,28 +118,8 @@ Source8: sysconfig.ssh
|
|||||||
Source9: sshd-gen-keys-start
|
Source9: sshd-gen-keys-start
|
||||||
Source10: sshd.service
|
Source10: sshd.service
|
||||||
Source11: README.FIPS
|
Source11: README.FIPS
|
||||||
#Source12: cavs_driver-ssh.pl
|
Source12: cavs_driver-ssh.pl
|
||||||
Patch00: openssh-7.6p1-allow_root_password_login.patch
|
Source100: openssh-7.6p1-SUSE_patches.tar.xz
|
||||||
Patch01: openssh-7.6p1-X11_trusted_forwarding.patch
|
|
||||||
Patch02: openssh-7.6p1-lastlog.patch
|
|
||||||
Patch03: openssh-7.6p1-enable_PAM_by_default.patch
|
|
||||||
Patch04: openssh-7.6p1-eal3.patch
|
|
||||||
Patch05: openssh-7.6p1-blocksigalrm.patch
|
|
||||||
Patch06: openssh-7.6p1-send_locale.patch
|
|
||||||
Patch07: openssh-7.6p1-hostname_changes_when_forwarding_X.patch
|
|
||||||
Patch08: openssh-7.6p1-remove_xauth_cookies_on_exit.patch
|
|
||||||
Patch09: openssh-7.6p1-pts_names_formatting.patch
|
|
||||||
Patch10: openssh-7.6p1-pam_check_locks.patch
|
|
||||||
Patch11: openssh-7.6p1-disable_short_DH_parameters.patch
|
|
||||||
Patch12: openssh-7.6p1-seccomp_getuid.patch
|
|
||||||
Patch13: openssh-7.6p1-seccomp_geteuid.patch
|
|
||||||
Patch14: openssh-7.6p1-seccomp_stat.patch
|
|
||||||
Patch15: openssh-7.6p1-fips.patch
|
|
||||||
#Patch16: openssh-7.6p1-cavstest-ctr.patch
|
|
||||||
#Patch17: openssh-7.6p1-cavstest-kdf.patch
|
|
||||||
Patch18: openssh-7.6p1-fips_checks.patch
|
|
||||||
Patch19: openssh-7.6p1-seed-prng.patch
|
|
||||||
Patch20: openssh-7.6p1-systemd-notify.patch
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
Conflicts: nonfreessh
|
Conflicts: nonfreessh
|
||||||
Recommends: audit
|
Recommends: audit
|
||||||
@ -180,47 +160,32 @@ Hashes that together with the main package form the FIPS certifiable
|
|||||||
cryptomodule.
|
cryptomodule.
|
||||||
|
|
||||||
|
|
||||||
#%package cavs
|
%package cavs
|
||||||
#Summary: OpenSSH FIPS cryptomodule CAVS tests
|
Summary: OpenSSH FIPS cryptomodule CAVS tests
|
||||||
#Group: Productivity/Networking/SSH
|
Group: Productivity/Networking/SSH
|
||||||
#Requires: %{name} = %{version}-%{release}
|
Requires: %{name} = %{version}-%{release}
|
||||||
#
|
|
||||||
#%description cavs
|
%description cavs
|
||||||
#FIPS140 CAVS tests related parts of the OpenSSH package
|
FIPS140 CAVS tests related parts of the OpenSSH package
|
||||||
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q -b 100
|
||||||
%patch00 -p2
|
|
||||||
%patch01 -p2
|
|
||||||
%patch02 -p2
|
|
||||||
%patch03 -p2
|
|
||||||
%patch04 -p2
|
|
||||||
%patch05 -p2
|
|
||||||
%patch06 -p2
|
|
||||||
%patch07 -p2
|
|
||||||
%patch08 -p2
|
|
||||||
%patch09 -p2
|
|
||||||
%patch10 -p2
|
|
||||||
%patch11 -p2
|
|
||||||
%patch12 -p2
|
|
||||||
%patch13 -p2
|
|
||||||
%patch14 -p2
|
|
||||||
%patch15 -p2
|
|
||||||
#patch16 -p2
|
|
||||||
#patch17 -p2
|
|
||||||
%patch18 -p2
|
|
||||||
%patch19 -p2
|
|
||||||
%patch20 -p2
|
|
||||||
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
|
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
|
||||||
|
# patch sources
|
||||||
|
PATCH_DIR="../SUSE_patches"
|
||||||
|
cat $PATCH_DIR/patch.series | while read p; do
|
||||||
|
printf ">> applying '$p'\n"
|
||||||
|
patch -p2 < "${PATCH_DIR}/$p"
|
||||||
|
done
|
||||||
|
|
||||||
|
#LDAP: # set libexec dir in the LDAP patch
|
||||||
|
#LDAP: sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
||||||
|
#LDAP: $( grep -Rl @LIBEXECDIR@ \
|
||||||
|
#LDAP: $( grep "^+++" %{PATCH33} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
||||||
|
#LDAP: )
|
||||||
|
|
||||||
%build
|
%build
|
||||||
### TODO: # set libexec dir in the LDAP patch
|
|
||||||
### TODO: sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
|
||||||
### TODO: $( grep -Rl @LIBEXECDIR@ \
|
|
||||||
### TODO: $( grep "^+++" %{PATCH33} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
|
||||||
### TODO: )
|
|
||||||
|
|
||||||
autoreconf -fiv
|
autoreconf -fiv
|
||||||
%ifarch s390 s390x %sparc
|
%ifarch s390 s390x %sparc
|
||||||
PIEFLAGS="-fPIE"
|
PIEFLAGS="-fPIE"
|
||||||
@ -244,7 +209,6 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
|||||||
%endif
|
%endif
|
||||||
%if %{uses_systemd}
|
%if %{uses_systemd}
|
||||||
--with-pid-dir=/run \
|
--with-pid-dir=/run \
|
||||||
--with-systemd \
|
|
||||||
%endif
|
%endif
|
||||||
--with-ssl-engine \
|
--with-ssl-engine \
|
||||||
--with-pam \
|
--with-pam \
|
||||||
@ -292,8 +256,8 @@ install -D -m 0755 %{SOURCE1} %{buildroot}%{_initddir}/sshd
|
|||||||
install -m 0644 %{SOURCE10} .
|
install -m 0644 %{SOURCE10} .
|
||||||
ln -s ../..%{_initddir}/sshd %{buildroot}%{_sbindir}/rcsshd
|
ln -s ../..%{_initddir}/sshd %{buildroot}%{_sbindir}/rcsshd
|
||||||
%endif
|
%endif
|
||||||
install -d -m 755 %{buildroot}%{_fillupdir}
|
install -d -m 755 %{buildroot}/var/adm/fillup-templates
|
||||||
install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}
|
install -m 644 %{SOURCE8} %{buildroot}/var/adm/fillup-templates
|
||||||
# install shell script to automate the process of adding your public key to a remote machine
|
# install shell script to automate the process of adding your public key to a remote machine
|
||||||
install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
|
install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
|
||||||
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
|
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
|
||||||
@ -308,7 +272,7 @@ install -m 644 %{SOURCE7} %{buildroot}%{_fwdefdir}/sshd
|
|||||||
|
|
||||||
# askpass wrapper
|
# askpass wrapper
|
||||||
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE6} > %{buildroot}%{_libexecdir}/ssh/ssh-askpass
|
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE6} > %{buildroot}%{_libexecdir}/ssh/ssh-askpass
|
||||||
#sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE12} > %{buildroot}%{_libexecdir}/ssh/cavs_driver-ssh.pl
|
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE12} > %{buildroot}%{_libexecdir}/ssh/cavs_driver-ssh.pl
|
||||||
rm -f %{buildroot}%{_datadir}/Ssh.bin
|
rm -f %{buildroot}%{_datadir}/Ssh.bin
|
||||||
# sshd keys generator wrapper
|
# sshd keys generator wrapper
|
||||||
install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
|
install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
|
||||||
@ -345,7 +309,6 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd
|
|||||||
%else
|
%else
|
||||||
%{fillup_and_insserv -n ssh sshd}
|
%{fillup_and_insserv -n ssh sshd}
|
||||||
%endif
|
%endif
|
||||||
%set_permissions /etc/ssh/sshd_config
|
|
||||||
|
|
||||||
%preun
|
%preun
|
||||||
%if %{uses_systemd}
|
%if %{uses_systemd}
|
||||||
@ -369,9 +332,6 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
|
|||||||
%triggerin -n openssh-fips -- %{name} = %{version}-%{release}
|
%triggerin -n openssh-fips -- %{name} = %{version}-%{release}
|
||||||
%restart_on_update sshd
|
%restart_on_update sshd
|
||||||
|
|
||||||
%verifyscript
|
|
||||||
%verify_permissions -e /etc/ssh/sshd_config
|
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%exclude %{_bindir}/ssh%{CHECKSUM_SUFFIX}
|
%exclude %{_bindir}/ssh%{CHECKSUM_SUFFIX}
|
||||||
@ -383,7 +343,7 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
|
|||||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
|
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
|
||||||
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
|
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
|
||||||
%verify(not mode) %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
%verify(not mode) %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
||||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
|
||||||
%if %{uses_systemd}
|
%if %{uses_systemd}
|
||||||
%doc sshd.init
|
%doc sshd.init
|
||||||
@ -402,7 +362,7 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
|
|||||||
%attr(0444,root,root) %doc %{_mandir}/man8/*
|
%attr(0444,root,root) %doc %{_mandir}/man8/*
|
||||||
%dir %{_sysconfdir}/slp.reg.d
|
%dir %{_sysconfdir}/slp.reg.d
|
||||||
%config %{_sysconfdir}/slp.reg.d/ssh.reg
|
%config %{_sysconfdir}/slp.reg.d/ssh.reg
|
||||||
%{_fillupdir}/sysconfig.ssh
|
/var/adm/fillup-templates/sysconfig.ssh
|
||||||
%if %{has_fw_dir}
|
%if %{has_fw_dir}
|
||||||
%if %{needs_all_dirs}
|
%if %{needs_all_dirs}
|
||||||
%dir %{_fwdir}
|
%dir %{_fwdir}
|
||||||
@ -425,8 +385,8 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
|
|||||||
%attr(0444,root,root) %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
|
%attr(0444,root,root) %{_sbindir}/sshd%{CHECKSUM_SUFFIX}
|
||||||
%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
|
%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX}
|
||||||
|
|
||||||
#files cavs
|
%files cavs
|
||||||
#defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
#attr(0755,root,root) %{_libexecdir}/ssh/cavs*
|
%attr(0755,root,root) %{_libexecdir}/ssh/cavs*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
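Review bot: The new %prep loop `cat $PATCH_DIR/patch.series | while read p; do` / `patch -p2 < "${PATCH_DIR}/$p"` replaces the per-patch `%patchNN -p2` lines with patch's default fuzz and no check on what the series file names, so after the 7.6p1 rebase a hunk can land at an offset or with fuzz without anyone noticing, and a series entry containing `/` or `..` would be read from outside ../SUSE_patches; I would write `while read -r p; do` and `patch -p2 --fuzz=0 < "${PATCH_DIR}/${p##*/}"` (the `-e` that rpmbuild normally runs %prep under does stop the build on a rejected hunk, but not on fuzz). The log line `printf ">> applying '$p'\n"` puts the filename into printf's format string; `printf '>> applying %%s\n' "$p"` keeps a `%` in a name out of it (doubled because rpm expands `%` in the spec). Reading the right-hand column as the new side (it carries the 2018 copyright and the uncommented `Source12: cavs_driver-ssh.pl` that this commit adds), the section also reverts `%{_fillupdir}` to `/var/adm/fillup-templates` in both %install and %files and drops the Nov 23 2017 boo#1069468 changelog entry, which looks like a stale base for the submit request rather than an intended change. Moving every patch into openssh-7.6p1-SUSE_patches.tar.xz also takes the individual patches out of the spec diff, so their contents are no longer visible to review here; listing the series in the changelog would at least keep them auditable.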
|