SHA256
1
0
forked from pool/openssh

Accepting request 643660 from home:pmonrealgonzalez:branches:network

- Version update to 7.9p1
  * No actual changes for the askpass
  * See main package changelog for details

- Version update to 7.9p1
  * ssh(1), sshd(8): the setting of the new CASignatureAlgorithms
    option (see below) bans the use of DSA keys as certificate
    authorities.
  * sshd(8): the authentication success/failure log message has
    changed format slightly. It now includes the certificate
    fingerprint (previously it included only key ID and CA key
    fingerprint).
  * ssh(1), sshd(8): allow most port numbers to be specified using
    service names from getservbyname(3) (typically /etc/services).
  * sshd(8): support signalling sessions via the SSH protocol.
    A limited subset of signals is supported and only for login or
    command sessions (i.e. not subsystems) that were not subject to
    a forced command via authorized_keys or sshd_config. bz#1424
  * ssh(1): support "ssh -Q sig" to list supported signature options.
    Also "ssh -Q help" to show the full set of supported queries.
  * ssh(1), sshd(8): add a CASignatureAlgorithms option for the
    client and server configs to allow control over which signature
    formats are allowed for CAs to sign certificates. For example,
    this allows banning CAs that sign certificates using the RSA-SHA1
    signature algorithm.
  * sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to
    revoke keys specified by SHA256 hash.
  * ssh-keygen(1): allow creation of key revocation lists directly
    from base64-encoded SHA256 fingerprints. This supports revoking
    keys using only the information contained in sshd(8)

OBS-URL: https://build.opensuse.org/request/show/643660
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=159
This commit is contained in:
Tomáš Chvátal 2018-10-22 09:08:19 +00:00 committed by Git OBS Bridge
parent c1e40270e4
commit b21be4c6b4
14 changed files with 533 additions and 3626 deletions

View File

@ -3,10 +3,10 @@
Extended auditing through the Linux Auditing subsystem
RH patch from git://pkgs.fedoraproject.org/openssh.git
Index: openssh-7.8p1/Makefile.in
Index: openssh-7.9p1/Makefile.in
===================================================================
--- openssh-7.8p1.orig/Makefile.in
+++ openssh-7.8p1/Makefile.in
--- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.9p1/Makefile.in
@@ -110,6 +110,8 @@ LIBSSH_OBJS += fips.o
LIBSSH_OBJS += kexgssc.o kexgsss.o
@ -16,10 +16,10 @@ Index: openssh-7.8p1/Makefile.in
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect2.o mux.o
Index: openssh-7.8p1/audit-bsm.c
Index: openssh-7.9p1/audit-bsm.c
===================================================================
--- openssh-7.8p1.orig/audit-bsm.c
+++ openssh-7.8p1/audit-bsm.c
--- openssh-7.9p1.orig/audit-bsm.c
+++ openssh-7.9p1/audit-bsm.c
@@ -372,10 +372,23 @@ audit_connection_from(const char *host,
#endif
}
@ -93,10 +93,10 @@ Index: openssh-7.8p1/audit-bsm.c
+ /* not implemented */
+}
#endif /* BSM */
Index: openssh-7.8p1/audit-linux.c
Index: openssh-7.9p1/audit-linux.c
===================================================================
--- openssh-7.8p1.orig/audit-linux.c
+++ openssh-7.8p1/audit-linux.c
--- openssh-7.9p1.orig/audit-linux.c
+++ openssh-7.9p1/audit-linux.c
@@ -33,27 +33,40 @@
#include "log.h"
@ -468,10 +468,10 @@ Index: openssh-7.8p1/audit-linux.c
+ error("cannot write into audit");
+}
#endif /* USE_LINUX_AUDIT */
Index: openssh-7.8p1/audit.c
Index: openssh-7.9p1/audit.c
===================================================================
--- openssh-7.8p1.orig/audit.c
+++ openssh-7.8p1/audit.c
--- openssh-7.9p1.orig/audit.c
+++ openssh-7.9p1/audit.c
@@ -34,13 +34,19 @@
#include "log.h"
#include "hostfile.h"
@ -648,10 +648,10 @@ Index: openssh-7.8p1/audit.c
}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
Index: openssh-7.8p1/audit.h
Index: openssh-7.9p1/audit.h
===================================================================
--- openssh-7.8p1.orig/audit.h
+++ openssh-7.8p1/audit.h
--- openssh-7.9p1.orig/audit.h
+++ openssh-7.9p1/audit.h
@@ -26,6 +26,7 @@
# define _SSH_AUDIT_H
@ -694,10 +694,10 @@ Index: openssh-7.8p1/audit.h
+void audit_destroy_sensitive_data(const char *, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */
Index: openssh-7.8p1/auditstub.c
Index: openssh-7.9p1/auditstub.c
===================================================================
--- /dev/null
+++ openssh-7.8p1/auditstub.c
+++ openssh-7.9p1/auditstub.c
@@ -0,0 +1,50 @@
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
+
@ -749,11 +749,11 @@ Index: openssh-7.8p1/auditstub.c
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
+{
+}
Index: openssh-7.8p1/auth.c
Index: openssh-7.9p1/auth.c
===================================================================
--- openssh-7.8p1.orig/auth.c
+++ openssh-7.8p1/auth.c
@@ -362,7 +362,7 @@ auth_log(Authctxt *authctxt, int authent
--- openssh-7.9p1.orig/auth.c
+++ openssh-7.9p1/auth.c
@@ -366,7 +366,7 @@ auth_log(Authctxt *authctxt, int authent
# endif
#endif
#ifdef SSH_AUDIT_EVENTS
@ -762,7 +762,7 @@ Index: openssh-7.8p1/auth.c
audit_event(audit_classify_auth(method));
#endif
}
@@ -601,9 +601,6 @@ getpwnamallow(const char *user)
@@ -605,9 +605,6 @@ getpwnamallow(const char *user)
record_failed_login(user,
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
#endif
@ -772,10 +772,10 @@ Index: openssh-7.8p1/auth.c
return (NULL);
}
if (!allowed_user(pw))
Index: openssh-7.8p1/auth.h
Index: openssh-7.9p1/auth.h
===================================================================
--- openssh-7.8p1.orig/auth.h
+++ openssh-7.8p1/auth.h
--- openssh-7.9p1.orig/auth.h
+++ openssh-7.9p1/auth.h
@@ -193,6 +193,8 @@ struct passwd * getpwnamallow(const char
char *expand_authorized_keys(const char *, struct passwd *pw);
@ -794,11 +794,11 @@ Index: openssh-7.8p1/auth.h
/* Key / cert options linkage to auth layer */
const struct sshauthopt *auth_options(struct ssh *);
Index: openssh-7.8p1/auth2-hostbased.c
Index: openssh-7.9p1/auth2-hostbased.c
===================================================================
--- openssh-7.8p1.orig/auth2-hostbased.c
+++ openssh-7.8p1/auth2-hostbased.c
@@ -141,7 +141,7 @@ userauth_hostbased(struct ssh *ssh)
--- openssh-7.9p1.orig/auth2-hostbased.c
+++ openssh-7.9p1/auth2-hostbased.c
@@ -148,7 +148,7 @@ userauth_hostbased(struct ssh *ssh)
/* test for allowed key and correct signature */
authenticated = 0;
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
@ -807,7 +807,7 @@ Index: openssh-7.8p1/auth2-hostbased.c
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat)) == 0)
authenticated = 1;
@@ -158,6 +158,19 @@ done:
@@ -165,6 +165,19 @@ done:
return authenticated;
}
@ -827,11 +827,11 @@ Index: openssh-7.8p1/auth2-hostbased.c
/* return 1 if given hostkey is allowed */
int
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
Index: openssh-7.8p1/auth2-pubkey.c
Index: openssh-7.9p1/auth2-pubkey.c
===================================================================
--- openssh-7.8p1.orig/auth2-pubkey.c
+++ openssh-7.8p1/auth2-pubkey.c
@@ -187,7 +187,7 @@ userauth_pubkey(struct ssh *ssh)
--- openssh-7.9p1.orig/auth2-pubkey.c
+++ openssh-7.9p1/auth2-pubkey.c
@@ -193,7 +193,7 @@ userauth_pubkey(struct ssh *ssh)
/* test for correct signature */
authenticated = 0;
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
@ -840,7 +840,7 @@ Index: openssh-7.8p1/auth2-pubkey.c
sshbuf_ptr(b), sshbuf_len(b),
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
ssh->compat)) == 0) {
@@ -246,6 +246,19 @@ done:
@@ -252,6 +252,19 @@ done:
return authenticated;
}
@ -860,7 +860,7 @@ Index: openssh-7.8p1/auth2-pubkey.c
static int
match_principals_option(const char *principal_list, struct sshkey_cert *cert)
{
@@ -767,7 +780,7 @@ user_cert_trusted_ca(struct ssh *ssh, st
@@ -773,7 +786,7 @@ user_cert_trusted_ca(struct ssh *ssh, st
found_principal = 1;
/* If principals file or command is specified, then require a match */
use_authorized_principals = principals_file != NULL ||
@ -869,10 +869,10 @@ Index: openssh-7.8p1/auth2-pubkey.c
if (!found_principal && use_authorized_principals) {
reason = "Certificate does not contain an authorized principal";
goto fail_reason;
Index: openssh-7.8p1/auth2.c
Index: openssh-7.9p1/auth2.c
===================================================================
--- openssh-7.8p1.orig/auth2.c
+++ openssh-7.8p1/auth2.c
--- openssh-7.9p1.orig/auth2.c
+++ openssh-7.9p1/auth2.c
@@ -284,9 +284,6 @@ input_userauth_request(int type, u_int32
} else {
/* Invalid user, fake password information */
@ -883,10 +883,10 @@ Index: openssh-7.8p1/auth2.c
}
#ifdef USE_PAM
if (options.use_pam)
Index: openssh-7.8p1/cipher.c
Index: openssh-7.9p1/cipher.c
===================================================================
--- openssh-7.8p1.orig/cipher.c
+++ openssh-7.8p1/cipher.c
--- openssh-7.9p1.orig/cipher.c
+++ openssh-7.9p1/cipher.c
@@ -54,25 +54,6 @@
#include "fips.h"
#include "log.h"
@ -922,10 +922,10 @@ Index: openssh-7.8p1/cipher.c
return;
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));
Index: openssh-7.8p1/cipher.h
Index: openssh-7.9p1/cipher.h
===================================================================
--- openssh-7.8p1.orig/cipher.h
+++ openssh-7.8p1/cipher.h
--- openssh-7.9p1.orig/cipher.h
+++ openssh-7.9p1/cipher.h
@@ -45,7 +45,25 @@
#define CIPHER_ENCRYPT 1
#define CIPHER_DECRYPT 0
@ -953,10 +953,10 @@ Index: openssh-7.8p1/cipher.h
struct sshcipher_ctx {
int plaintext;
int encrypt;
Index: openssh-7.8p1/kex.c
Index: openssh-7.9p1/kex.c
===================================================================
--- openssh-7.8p1.orig/kex.c
+++ openssh-7.8p1/kex.c
--- openssh-7.9p1.orig/kex.c
+++ openssh-7.9p1/kex.c
@@ -53,6 +53,7 @@
#include "ssherr.h"
#include "sshbuf.h"
@ -1053,10 +1053,10 @@ Index: openssh-7.8p1/kex.c
+ mac_destroy(&newkeys->mac);
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp));
+}
Index: openssh-7.8p1/kex.h
Index: openssh-7.9p1/kex.h
===================================================================
--- openssh-7.8p1.orig/kex.h
+++ openssh-7.8p1/kex.h
--- openssh-7.9p1.orig/kex.h
+++ openssh-7.9p1/kex.h
@@ -213,6 +213,8 @@ int kexgss_client(struct ssh *);
int kexgss_server(struct ssh *);
#endif
@ -1066,10 +1066,10 @@ Index: openssh-7.8p1/kex.h
int kex_dh_hash(int, const char *, const char *,
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
Index: openssh-7.8p1/mac.c
Index: openssh-7.9p1/mac.c
===================================================================
--- openssh-7.8p1.orig/mac.c
+++ openssh-7.8p1/mac.c
--- openssh-7.9p1.orig/mac.c
+++ openssh-7.9p1/mac.c
@@ -280,6 +280,20 @@ mac_clear(struct sshmac *mac)
mac->umac_ctx = NULL;
}
@ -1091,10 +1091,10 @@ Index: openssh-7.8p1/mac.c
/* XXX copied from ciphers_valid */
#define MAC_SEP ","
int
Index: openssh-7.8p1/mac.h
Index: openssh-7.9p1/mac.h
===================================================================
--- openssh-7.8p1.orig/mac.h
+++ openssh-7.8p1/mac.h
--- openssh-7.9p1.orig/mac.h
+++ openssh-7.9p1/mac.h
@@ -49,5 +49,6 @@ int mac_compute(struct sshmac *, u_int3
int mac_check(struct sshmac *, u_int32_t, const u_char *, size_t,
const u_char *, size_t);
@ -1102,11 +1102,11 @@ Index: openssh-7.8p1/mac.h
+void mac_destroy(struct sshmac *);
#endif /* SSHMAC_H */
Index: openssh-7.8p1/monitor.c
Index: openssh-7.9p1/monitor.c
===================================================================
--- openssh-7.8p1.orig/monitor.c
+++ openssh-7.8p1/monitor.c
@@ -91,6 +91,7 @@
--- openssh-7.9p1.orig/monitor.c
+++ openssh-7.9p1/monitor.c
@@ -93,6 +93,7 @@
#include "compat.h"
#include "ssh2.h"
#include "authfd.h"
@ -1114,7 +1114,7 @@ Index: openssh-7.8p1/monitor.c
#include "match.h"
#include "ssherr.h"
@@ -105,6 +106,8 @@ extern u_char session_id[];
@@ -107,6 +108,8 @@ extern u_char session_id[];
extern struct sshbuf *loginmsg;
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
@ -1123,7 +1123,7 @@ Index: openssh-7.8p1/monitor.c
/* State exported from the child */
static struct sshbuf *child_state;
@@ -150,6 +153,11 @@ int mm_answer_gss_updatecreds(int, struc
@@ -152,6 +155,11 @@ int mm_answer_gss_updatecreds(int, struc
#ifdef SSH_AUDIT_EVENTS
int mm_answer_audit_event(int, struct sshbuf *);
int mm_answer_audit_command(int, struct sshbuf *);
@ -1135,7 +1135,7 @@ Index: openssh-7.8p1/monitor.c
#endif
static int monitor_read_log(struct monitor *);
@@ -203,6 +211,11 @@ struct mon_table mon_dispatch_proto20[]
@@ -205,6 +213,11 @@ struct mon_table mon_dispatch_proto20[]
#endif
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
@ -1147,7 +1147,7 @@ Index: openssh-7.8p1/monitor.c
#endif
#ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -231,6 +244,11 @@ struct mon_table mon_dispatch_postauth20
@@ -233,6 +246,11 @@ struct mon_table mon_dispatch_postauth20
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
@ -1159,7 +1159,7 @@ Index: openssh-7.8p1/monitor.c
#endif
#ifdef GSSAPI
{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
@@ -1375,6 +1393,7 @@ mm_answer_keyverify(int sock, struct ssh
@@ -1379,6 +1397,7 @@ mm_answer_keyverify(int sock, struct ssh
char *sigalg;
size_t signaturelen, datalen, bloblen;
int r, ret, valid_data = 0, encoded_ret;
@ -1167,7 +1167,7 @@ Index: openssh-7.8p1/monitor.c
if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
(r = sshbuf_get_string(m, &signature, &signaturelen)) != 0 ||
@@ -1385,6 +1404,8 @@ mm_answer_keyverify(int sock, struct ssh
@@ -1389,6 +1408,8 @@ mm_answer_keyverify(int sock, struct ssh
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
!monitor_allowed_key(blob, bloblen))
fatal("%s: bad key, not previously allowed", __func__);
@ -1176,7 +1176,7 @@ Index: openssh-7.8p1/monitor.c
/* Empty signature algorithm means NULL. */
if (*sigalg == '\0') {
@@ -1399,22 +1420,25 @@ mm_answer_keyverify(int sock, struct ssh
@@ -1403,22 +1424,25 @@ mm_answer_keyverify(int sock, struct ssh
switch (key_blobtype) {
case MM_USERKEY:
valid_data = monitor_valid_userblob(data, datalen);
@ -1204,7 +1204,7 @@ Index: openssh-7.8p1/monitor.c
debug3("%s: %s %p signature %s", __func__, auth_method, key,
(ret == 0) ? "verified" : "unverified");
auth2_record_key(authctxt, ret == 0, key);
@@ -1474,6 +1498,12 @@ mm_session_close(Session *s)
@@ -1478,6 +1502,12 @@ mm_session_close(Session *s)
debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
session_pty_cleanup2(s);
}
@ -1217,7 +1217,7 @@ Index: openssh-7.8p1/monitor.c
session_unused(s->self);
}
@@ -1582,6 +1612,8 @@ mm_answer_term(int sock, struct sshbuf *
@@ -1586,6 +1616,8 @@ mm_answer_term(int sock, struct sshbuf *
sshpam_cleanup();
#endif
@ -1226,7 +1226,7 @@ Index: openssh-7.8p1/monitor.c
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
if (errno != EINTR)
exit(1);
@@ -1628,14 +1660,50 @@ mm_answer_audit_command(int socket, stru
@@ -1632,14 +1664,50 @@ mm_answer_audit_command(int socket, stru
{
char *cmd;
int r;
@ -1280,7 +1280,7 @@ Index: openssh-7.8p1/monitor.c
}
#endif /* SSH_AUDIT_EVENTS */
@@ -1697,6 +1765,7 @@ monitor_apply_keystate(struct monitor *p
@@ -1701,6 +1769,7 @@ monitor_apply_keystate(struct monitor *p
void
mm_get_keystate(struct monitor *pmonitor)
{
@ -1288,7 +1288,7 @@ Index: openssh-7.8p1/monitor.c
debug3("%s: Waiting for new keys", __func__);
if ((child_state = sshbuf_new()) == NULL)
@@ -1704,6 +1773,19 @@ mm_get_keystate(struct monitor *pmonitor
@@ -1708,6 +1777,19 @@ mm_get_keystate(struct monitor *pmonitor
mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
child_state);
debug3("%s: GOT new keys", __func__);
@ -1308,7 +1308,7 @@ Index: openssh-7.8p1/monitor.c
}
@@ -1902,19 +1984,19 @@ mm_answer_gss_sign(int socket, struct ss
@@ -1906,19 +1988,19 @@ mm_answer_gss_sign(int socket, struct ss
int r;
if (!options.gss_authentication && !options.gss_keyex)
@ -1334,7 +1334,7 @@ Index: openssh-7.8p1/monitor.c
}
major = ssh_gssapi_sign(gsscontext, &data, &hash);
@@ -1962,3 +2044,102 @@ mm_answer_gss_updatecreds(int socket, st
@@ -1966,3 +2048,102 @@ mm_answer_gss_updatecreds(int socket, st
}
#endif /* GSSAPI */
@ -1437,10 +1437,10 @@ Index: openssh-7.8p1/monitor.c
+ return 0;
+}
+#endif /* SSH_AUDIT_EVENTS */
Index: openssh-7.8p1/monitor.h
Index: openssh-7.9p1/monitor.h
===================================================================
--- openssh-7.8p1.orig/monitor.h
+++ openssh-7.8p1/monitor.h
--- openssh-7.9p1.orig/monitor.h
+++ openssh-7.9p1/monitor.h
@@ -61,7 +61,13 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
@ -1456,10 +1456,10 @@ Index: openssh-7.8p1/monitor.h
MONITOR_REQ_GSSSIGN = 201, MONITOR_ANS_GSSSIGN = 202,
MONITOR_REQ_GSSUPCREDS = 203, MONITOR_ANS_GSSUPCREDS = 204,
Index: openssh-7.8p1/monitor_wrap.c
Index: openssh-7.9p1/monitor_wrap.c
===================================================================
--- openssh-7.8p1.orig/monitor_wrap.c
+++ openssh-7.8p1/monitor_wrap.c
--- openssh-7.9p1.orig/monitor_wrap.c
+++ openssh-7.9p1/monitor_wrap.c
@@ -497,7 +497,7 @@ mm_key_allowed(enum mm_keytype type, con
*/
@ -1637,10 +1637,10 @@ Index: openssh-7.8p1/monitor_wrap.c
+ sshbuf_free(m);
+}
+#endif /* SSH_AUDIT_EVENTS */
Index: openssh-7.8p1/monitor_wrap.h
Index: openssh-7.9p1/monitor_wrap.h
===================================================================
--- openssh-7.8p1.orig/monitor_wrap.h
+++ openssh-7.8p1/monitor_wrap.h
--- openssh-7.9p1.orig/monitor_wrap.h
+++ openssh-7.9p1/monitor_wrap.h
@@ -53,7 +53,9 @@ int mm_user_key_allowed(struct ssh *, st
struct sshauthopt **);
int mm_hostbased_key_allowed(struct passwd *, const char *,
@ -1666,10 +1666,10 @@ Index: openssh-7.8p1/monitor_wrap.h
#endif
struct Session;
Index: openssh-7.8p1/packet.c
Index: openssh-7.9p1/packet.c
===================================================================
--- openssh-7.8p1.orig/packet.c
+++ openssh-7.8p1/packet.c
--- openssh-7.9p1.orig/packet.c
+++ openssh-7.9p1/packet.c
@@ -76,6 +76,7 @@
#include <zlib.h>
@ -1829,20 +1829,20 @@ Index: openssh-7.8p1/packet.c
/* Reset after_authentication and reset compression in post-auth privsep */
static int
ssh_packet_set_postauth(struct ssh *ssh)
Index: openssh-7.8p1/packet.h
Index: openssh-7.9p1/packet.h
===================================================================
--- openssh-7.8p1.orig/packet.h
+++ openssh-7.8p1/packet.h
--- openssh-7.9p1.orig/packet.h
+++ openssh-7.9p1/packet.h
@@ -219,4 +219,5 @@ extern struct ssh *active_state;
# undef EC_POINT
#endif
+void packet_destroy_all(int, int);
#endif /* PACKET_H */
Index: openssh-7.8p1/session.c
Index: openssh-7.9p1/session.c
===================================================================
--- openssh-7.8p1.orig/session.c
+++ openssh-7.8p1/session.c
--- openssh-7.9p1.orig/session.c
+++ openssh-7.9p1/session.c
@@ -139,7 +139,7 @@ extern char *__progname;
extern int debug_flag;
extern u_int utmp_len;
@ -1867,7 +1867,7 @@ Index: openssh-7.8p1/session.c
/* Enter interactive session. */
s->ptymaster = ptymaster;
packet_set_interactive(1,
@@ -739,15 +747,19 @@ do_exec(struct ssh *ssh, Session *s, con
@@ -741,15 +749,19 @@ do_exec(struct ssh *ssh, Session *s, con
s->self);
#ifdef SSH_AUDIT_EVENTS
@ -1889,7 +1889,7 @@ Index: openssh-7.8p1/session.c
#endif
if (s->ttyfd != -1)
ret = do_exec_pty(ssh, s, command);
@@ -1551,8 +1563,11 @@ do_child(struct ssh *ssh, Session *s, co
@@ -1553,8 +1565,11 @@ do_child(struct ssh *ssh, Session *s, co
int r = 0;
/* remove hostkey from the child's memory */
@ -1902,7 +1902,7 @@ Index: openssh-7.8p1/session.c
/* Force a password change */
if (s->authctxt->force_pwchange) {
@@ -1759,6 +1774,9 @@ session_unused(int id)
@@ -1761,6 +1776,9 @@ session_unused(int id)
sessions[id].ttyfd = -1;
sessions[id].ptymaster = -1;
sessions[id].x11_chanids = NULL;
@ -1912,7 +1912,7 @@ Index: openssh-7.8p1/session.c
sessions[id].next_unused = sessions_first_unused;
sessions_first_unused = id;
}
@@ -1841,6 +1859,19 @@ session_open(Authctxt *authctxt, int cha
@@ -1843,6 +1861,19 @@ session_open(Authctxt *authctxt, int cha
}
Session *
@ -1932,7 +1932,7 @@ Index: openssh-7.8p1/session.c
session_by_tty(char *tty)
{
int i;
@@ -2352,6 +2383,32 @@ session_exit_message(struct ssh *ssh, Se
@@ -2428,6 +2459,32 @@ session_exit_message(struct ssh *ssh, Se
chan_write_failed(ssh, c);
}
@ -1965,7 +1965,7 @@ Index: openssh-7.8p1/session.c
void
session_close(struct ssh *ssh, Session *s)
{
@@ -2393,6 +2450,10 @@ session_close(struct ssh *ssh, Session *
@@ -2469,6 +2526,10 @@ session_close(struct ssh *ssh, Session *
if (s->ttyfd != -1)
session_pty_cleanup(s);
@ -1976,7 +1976,7 @@ Index: openssh-7.8p1/session.c
free(s->term);
free(s->display);
free(s->x11_chanids);
@@ -2600,6 +2661,15 @@ do_authenticated2(struct ssh *ssh, Authc
@@ -2677,6 +2738,15 @@ do_authenticated2(struct ssh *ssh, Authc
server_loop2(ssh, authctxt);
}
@ -1992,7 +1992,7 @@ Index: openssh-7.8p1/session.c
void
do_cleanup(struct ssh *ssh, Authctxt *authctxt)
{
@@ -2657,7 +2727,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
@@ -2734,7 +2804,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
* or if running in monitor.
*/
if (!use_privsep || mm_is_monitor())
@ -2001,11 +2001,11 @@ Index: openssh-7.8p1/session.c
}
/* Return a name for the remote host that fits inside utmp_size */
Index: openssh-7.8p1/session.h
Index: openssh-7.9p1/session.h
===================================================================
--- openssh-7.8p1.orig/session.h
+++ openssh-7.8p1/session.h
@@ -60,6 +60,12 @@ struct Session {
--- openssh-7.9p1.orig/session.h
+++ openssh-7.9p1/session.h
@@ -61,6 +61,12 @@ struct Session {
char *name;
char *val;
} *env;
@ -2018,7 +2018,7 @@ Index: openssh-7.8p1/session.h
};
void do_authenticated(struct ssh *, Authctxt *);
@@ -72,8 +78,10 @@ void session_close_by_pid(struct ssh *s
@@ -73,8 +79,10 @@ void session_close_by_pid(struct ssh *s
void session_close_by_channel(struct ssh *, int, void *);
void session_destroy_all(struct ssh *, void (*)(Session *));
void session_pty_cleanup2(Session *);
@ -2029,10 +2029,10 @@ Index: openssh-7.8p1/session.h
Session *session_by_tty(char *);
void session_close(struct ssh *, Session *);
void do_setusercontext(struct passwd *);
Index: openssh-7.8p1/sshd.c
Index: openssh-7.9p1/sshd.c
===================================================================
--- openssh-7.8p1.orig/sshd.c
+++ openssh-7.8p1/sshd.c
--- openssh-7.9p1.orig/sshd.c
+++ openssh-7.9p1/sshd.c
@@ -124,6 +124,7 @@
#include "ssh-gss.h"
#endif
@ -2117,30 +2117,28 @@ Index: openssh-7.8p1/sshd.c
sshkey_free(sensitive_data.host_certificates[i]);
sensitive_data.host_certificates[i] = NULL;
}
@@ -513,9 +551,22 @@ demote_sensitive_data(void)
@@ -513,8 +551,21 @@ demote_sensitive_data(void)
struct sshkey *tmp;
u_int i;
int r;
+#ifdef SSH_AUDIT_EVENTS
+ pid_t pid;
+ uid_t uid;
- for (i = 0; i < options.num_host_key_files; i++) {
+
+ pid = getpid();
+ uid = getuid();
+#endif
+
+ for (i = 0; i < options.num_host_key_files; i++) {
if (sensitive_data.host_keys[i]) {
for (i = 0; i < options.num_host_key_files; i++) {
+ char *fp;
+
+ if (sshkey_is_private(sensitive_data.host_keys[i]))
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
+ else
+ fp = NULL;
if ((r = sshkey_demote(sensitive_data.host_keys[i],
&tmp)) != 0)
fatal("could not demote host %s key: %s",
if (sensitive_data.host_keys[i]) {
if ((r = sshkey_from_private(
sensitive_data.host_keys[i], &tmp)) != 0)
@@ -523,6 +574,12 @@ demote_sensitive_data(void)
ssh_err(r));
sshkey_free(sensitive_data.host_keys[i]);
@ -2213,11 +2211,11 @@ Index: openssh-7.8p1/sshd.c
audit_event(SSH_CONNECTION_ABANDON);
#endif
_exit(i);
Index: openssh-7.8p1/sshkey.c
Index: openssh-7.9p1/sshkey.c
===================================================================
--- openssh-7.8p1.orig/sshkey.c
+++ openssh-7.8p1/sshkey.c
@@ -326,6 +326,32 @@ sshkey_type_is_valid_ca(int type)
--- openssh-7.9p1.orig/sshkey.c
+++ openssh-7.9p1/sshkey.c
@@ -331,6 +331,32 @@ sshkey_type_is_valid_ca(int type)
}
int
@ -2250,11 +2248,11 @@ Index: openssh-7.8p1/sshkey.c
sshkey_is_cert(const struct sshkey *k)
{
if (k == NULL)
Index: openssh-7.8p1/sshkey.h
Index: openssh-7.9p1/sshkey.h
===================================================================
--- openssh-7.8p1.orig/sshkey.h
+++ openssh-7.8p1/sshkey.h
@@ -148,6 +148,7 @@ u_int sshkey_size(const struct sshkey
--- openssh-7.9p1.orig/sshkey.h
+++ openssh-7.9p1/sshkey.h
@@ -147,6 +147,7 @@ u_int sshkey_size(const struct sshkey
int sshkey_generate(int type, u_int bits, struct sshkey **keyp);
int sshkey_from_private(const struct sshkey *, struct sshkey **);
int sshkey_type_from_name(const char *);

View File

@ -12,23 +12,23 @@ compliant) parameters.
CVE-2015-4000 (LOGJAM)
bsc#932483
Index: openssh-7.8p1/dh.c
Index: openssh-7.9p1/dh.c
===================================================================
--- openssh-7.8p1.orig/dh.c
+++ openssh-7.8p1/dh.c
@@ -43,6 +43,8 @@
#include "misc.h"
#include "ssherr.h"
--- openssh-7.9p1.orig/dh.c
+++ openssh-7.9p1/dh.c
@@ -45,6 +45,8 @@
#include "openbsd-compat/openssl-compat.h"
+int dh_grp_min = DH_GRP_MIN;
+
static int
parse_prime(int linenum, char *line, struct dhgroup *dhg)
{
Index: openssh-7.8p1/dh.h
Index: openssh-7.9p1/dh.h
===================================================================
--- openssh-7.8p1.orig/dh.h
+++ openssh-7.8p1/dh.h
--- openssh-7.9p1.orig/dh.h
+++ openssh-7.9p1/dh.h
@@ -50,6 +50,7 @@ u_int dh_estimate(int);
* Max value from RFC4419.
* Miniumum increased in light of DH precomputation attacks.
@ -37,11 +37,11 @@ Index: openssh-7.8p1/dh.h
#define DH_GRP_MIN 2048
#define DH_GRP_MAX 8192
Index: openssh-7.8p1/kexgexc.c
Index: openssh-7.9p1/kexgexc.c
===================================================================
--- openssh-7.8p1.orig/kexgexc.c
+++ openssh-7.8p1/kexgexc.c
@@ -51,6 +51,9 @@
--- openssh-7.9p1.orig/kexgexc.c
+++ openssh-7.9p1/kexgexc.c
@@ -53,6 +53,9 @@
#include "sshbuf.h"
#include "misc.h"
@ -51,7 +51,7 @@ Index: openssh-7.8p1/kexgexc.c
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
@@ -63,7 +66,7 @@ kexgex_client(struct ssh *ssh)
@@ -65,7 +68,7 @@ kexgex_client(struct ssh *ssh)
nbits = dh_estimate(kex->dh_need * 8);
@ -60,7 +60,7 @@ Index: openssh-7.8p1/kexgexc.c
kex->max = DH_GRP_MAX;
kex->nbits = nbits;
if (datafellows & SSH_BUG_DHGEX_LARGE)
@@ -108,6 +111,12 @@ input_kex_dh_gex_group(int type, u_int32
@@ -111,6 +114,12 @@ input_kex_dh_gex_group(int type, u_int32
goto out;
if ((bits = BN_num_bits(p)) < 0 ||
(u_int)bits < kex->min || (u_int)bits > kex->max) {
@ -73,11 +73,11 @@ Index: openssh-7.8p1/kexgexc.c
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
goto out;
}
Index: openssh-7.8p1/kexgexs.c
Index: openssh-7.9p1/kexgexs.c
===================================================================
--- openssh-7.8p1.orig/kexgexs.c
+++ openssh-7.8p1/kexgexs.c
@@ -54,6 +54,9 @@
--- openssh-7.9p1.orig/kexgexs.c
+++ openssh-7.9p1/kexgexs.c
@@ -56,6 +56,9 @@
#include "sshbuf.h"
#include "misc.h"
@ -87,7 +87,7 @@ Index: openssh-7.8p1/kexgexs.c
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
@@ -82,13 +85,19 @@ input_kex_dh_gex_request(int type, u_int
@@ -85,13 +88,19 @@ input_kex_dh_gex_request(int type, u_int
kex->nbits = nbits;
kex->min = min;
kex->max = max;
@ -109,10 +109,10 @@ Index: openssh-7.8p1/kexgexs.c
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
goto out;
}
Index: openssh-7.8p1/readconf.c
Index: openssh-7.9p1/readconf.c
===================================================================
--- openssh-7.8p1.orig/readconf.c
+++ openssh-7.8p1/readconf.c
--- openssh-7.9p1.orig/readconf.c
+++ openssh-7.9p1/readconf.c
@@ -67,6 +67,7 @@
#include "uidswap.h"
#include "myproposal.h"
@ -130,7 +130,7 @@ Index: openssh-7.8p1/readconf.c
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
@@ -291,6 +292,7 @@ static struct {
@@ -292,6 +293,7 @@ static struct {
{ "remotecommand", oRemoteCommand },
{ "visualhostkey", oVisualHostKey },
{ "kexalgorithms", oKexAlgorithms },
@ -138,7 +138,7 @@ Index: openssh-7.8p1/readconf.c
{ "ipqos", oIPQoS },
{ "requesttty", oRequestTTY },
{ "proxyusefdpass", oProxyUseFdpass },
@@ -312,6 +314,9 @@ static struct {
@@ -313,6 +315,9 @@ static struct {
{ NULL, oBadOption }
};
@ -148,7 +148,7 @@ Index: openssh-7.8p1/readconf.c
/*
* Adds a local TCP/IP port forward to options. Never returns if there is an
* error.
@@ -1206,6 +1211,10 @@ parse_int:
@@ -1216,6 +1221,10 @@ parse_int:
options->kex_algorithms = xstrdup(arg);
break;
@ -159,15 +159,15 @@ Index: openssh-7.8p1/readconf.c
case oHostKeyAlgorithms:
charptr = &options->hostkeyalgorithms;
parse_keytypes:
@@ -1835,6 +1844,7 @@ initialize_options(Options * options)
@@ -1860,6 +1869,7 @@ initialize_options(Options * options)
options->ciphers = NULL;
options->macs = NULL;
options->kex_algorithms = NULL;
+ options->kex_dhmin = -1;
options->hostkeyalgorithms = NULL;
options->ca_sign_algorithms = NULL;
options->num_identity_files = 0;
options->num_certificate_files = 0;
@@ -1988,6 +1998,13 @@ fill_default_options(Options * options)
@@ -2014,6 +2024,13 @@ fill_default_options(Options * options)
options->connection_attempts = 1;
if (options->number_of_password_prompts == -1)
options->number_of_password_prompts = 3;
@ -181,22 +181,22 @@ Index: openssh-7.8p1/readconf.c
/* options->hostkeyalgorithms, default set in myproposals.h */
if (options->add_keys_to_agent == -1)
options->add_keys_to_agent = 0;
Index: openssh-7.8p1/readconf.h
Index: openssh-7.9p1/readconf.h
===================================================================
--- openssh-7.8p1.orig/readconf.h
+++ openssh-7.8p1/readconf.h
@@ -67,6 +67,7 @@ typedef struct {
char *macs; /* SSH2 macs in order of preference. */
--- openssh-7.9p1.orig/readconf.h
+++ openssh-7.9p1/readconf.h
@@ -68,6 +68,7 @@ typedef struct {
char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
char *ca_sign_algorithms; /* Allowed CA signature algorithms */
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
char *hostname; /* Real host to connect. */
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
char *proxy_command; /* Proxy command for connecting the host. */
Index: openssh-7.8p1/servconf.c
Index: openssh-7.9p1/servconf.c
===================================================================
--- openssh-7.8p1.orig/servconf.c
+++ openssh-7.8p1/servconf.c
--- openssh-7.9p1.orig/servconf.c
+++ openssh-7.9p1/servconf.c
@@ -64,6 +64,10 @@
#include "auth.h"
#include "myproposal.h"
@ -213,10 +213,10 @@ Index: openssh-7.8p1/servconf.c
options->macs = NULL;
options->kex_algorithms = NULL;
+ options->kex_dhmin = -1;
options->ca_sign_algorithms = NULL;
options->fwd_opts.gateway_ports = -1;
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
options->fwd_opts.streamlocal_bind_unlink = -1;
@@ -263,6 +268,14 @@ fill_default_server_options(ServerOption
@@ -267,6 +272,14 @@ fill_default_server_options(ServerOption
if (options->use_pam_check_locks == -1)
options->use_pam_check_locks = 0;
@ -231,16 +231,16 @@ Index: openssh-7.8p1/servconf.c
/* Standard Options */
if (options->num_host_key_files == 0) {
/* fill default hostkeys for protocols */
@@ -490,7 +503,7 @@ typedef enum {
@@ -494,7 +507,7 @@ typedef enum {
sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
- sKexAlgorithms, sIPQoS, sVersionAddendum,
+ sKexAlgorithms, sKexDHMin, sIPQoS, sVersionAddendum,
- sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
+ sKexAlgorithms, sKexDHMin, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
sStreamLocalBindMask, sStreamLocalBindUnlink,
@@ -631,6 +644,7 @@ static struct {
@@ -635,6 +648,7 @@ static struct {
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
@ -248,7 +248,7 @@ Index: openssh-7.8p1/servconf.c
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
@@ -1726,6 +1740,10 @@ process_server_config_line(ServerOptions
@@ -1735,6 +1749,10 @@ process_server_config_line(ServerOptions
options->kex_algorithms = xstrdup(arg);
break;
@ -259,7 +259,7 @@ Index: openssh-7.8p1/servconf.c
case sSubsystem:
if (options->num_subsystems >= MAX_SUBSYSTEMS) {
fatal("%s line %d: too many subsystems defined.",
@@ -2540,6 +2558,7 @@ dump_config(ServerOptions *o)
@@ -2549,6 +2567,7 @@ dump_config(ServerOptions *o)
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
@ -267,10 +267,10 @@ Index: openssh-7.8p1/servconf.c
/* formatted integer arguments */
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
Index: openssh-7.8p1/servconf.h
Index: openssh-7.9p1/servconf.h
===================================================================
--- openssh-7.8p1.orig/servconf.h
+++ openssh-7.8p1/servconf.h
--- openssh-7.9p1.orig/servconf.h
+++ openssh-7.9p1/servconf.h
@@ -103,6 +103,7 @@ typedef struct {
char *ciphers; /* Supported SSH2 ciphers. */
char *macs; /* Supported SSH2 macs. */
@ -279,10 +279,10 @@ Index: openssh-7.8p1/servconf.h
struct ForwardOptions fwd_opts; /* forwarding options */
SyslogFacility log_facility; /* Facility for system logging. */
LogLevel log_level; /* Level for system logging. */
Index: openssh-7.8p1/ssh_config
Index: openssh-7.9p1/ssh_config
===================================================================
--- openssh-7.8p1.orig/ssh_config
+++ openssh-7.8p1/ssh_config
--- openssh-7.9p1.orig/ssh_config
+++ openssh-7.9p1/ssh_config
@@ -17,6 +17,11 @@
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
@ -295,11 +295,11 @@ Index: openssh-7.8p1/ssh_config
Host *
# ForwardAgent no
# ForwardX11 no
Index: openssh-7.8p1/ssh_config.0
Index: openssh-7.9p1/ssh_config.0
===================================================================
--- openssh-7.8p1.orig/ssh_config.0
+++ openssh-7.8p1/ssh_config.0
@@ -595,6 +595,23 @@ DESCRIPTION
--- openssh-7.9p1.orig/ssh_config.0
+++ openssh-7.9p1/ssh_config.0
@@ -610,6 +610,23 @@ DESCRIPTION
The list of available key exchange algorithms may also be
obtained using "ssh -Q kex".
@ -323,11 +323,11 @@ Index: openssh-7.8p1/ssh_config.0
LocalCommand
Specifies a command to execute on the local machine after
successfully connecting to the server. The command string
Index: openssh-7.8p1/ssh_config.5
Index: openssh-7.9p1/ssh_config.5
===================================================================
--- openssh-7.8p1.orig/ssh_config.5
+++ openssh-7.8p1/ssh_config.5
@@ -1025,6 +1025,22 @@ diffie-hellman-group14-sha1
--- openssh-7.9p1.orig/ssh_config.5
+++ openssh-7.9p1/ssh_config.5
@@ -1047,6 +1047,22 @@ diffie-hellman-group14-sha1
.Pp
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex .
@ -350,10 +350,10 @@ Index: openssh-7.8p1/ssh_config.5
.It Cm LocalCommand
Specifies a command to execute on the local machine after successfully
connecting to the server.
Index: openssh-7.8p1/sshd_config
Index: openssh-7.9p1/sshd_config
===================================================================
--- openssh-7.8p1.orig/sshd_config
+++ openssh-7.8p1/sshd_config
--- openssh-7.9p1.orig/sshd_config
+++ openssh-7.9p1/sshd_config
@@ -19,6 +19,13 @@
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
@ -368,11 +368,11 @@ Index: openssh-7.8p1/sshd_config
# Ciphers and keying
#RekeyLimit default none
Index: openssh-7.8p1/sshd_config.0
Index: openssh-7.9p1/sshd_config.0
===================================================================
--- openssh-7.8p1.orig/sshd_config.0
+++ openssh-7.8p1/sshd_config.0
@@ -545,6 +545,23 @@ DESCRIPTION
--- openssh-7.9p1.orig/sshd_config.0
+++ openssh-7.9p1/sshd_config.0
@@ -555,6 +555,23 @@ DESCRIPTION
The list of available key exchange algorithms may also be
obtained using "ssh -Q kex".
@ -396,11 +396,11 @@ Index: openssh-7.8p1/sshd_config.0
ListenAddress
Specifies the local addresses sshd(8) should listen on. The
following forms may be used:
Index: openssh-7.8p1/sshd_config.5
Index: openssh-7.9p1/sshd_config.5
===================================================================
--- openssh-7.8p1.orig/sshd_config.5
+++ openssh-7.8p1/sshd_config.5
@@ -912,6 +912,22 @@ diffie-hellman-group14-sha256,diffie-hel
--- openssh-7.9p1.orig/sshd_config.5
+++ openssh-7.9p1/sshd_config.5
@@ -923,6 +923,22 @@ diffie-hellman-group14-sha256,diffie-hel
.Pp
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex .

View File

@ -3,10 +3,10 @@
FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
algorithms.
Index: openssh-7.8p1/Makefile.in
Index: openssh-7.9p1/Makefile.in
===================================================================
--- openssh-7.8p1.orig/Makefile.in
+++ openssh-7.8p1/Makefile.in
--- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.9p1/Makefile.in
@@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
platform-pledge.o platform-tracing.o platform-misc.o
@ -16,10 +16,10 @@ Index: openssh-7.8p1/Makefile.in
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect2.o mux.o
Index: openssh-7.8p1/cipher-ctr.c
Index: openssh-7.9p1/cipher-ctr.c
===================================================================
--- openssh-7.8p1.orig/cipher-ctr.c
+++ openssh-7.8p1/cipher-ctr.c
--- openssh-7.9p1.orig/cipher-ctr.c
+++ openssh-7.9p1/cipher-ctr.c
@@ -27,6 +27,8 @@
#include "xmalloc.h"
#include "log.h"
@ -38,10 +38,10 @@ Index: openssh-7.8p1/cipher-ctr.c
#endif
return (&aes_ctr);
}
Index: openssh-7.8p1/cipher.c
Index: openssh-7.9p1/cipher.c
===================================================================
--- openssh-7.8p1.orig/cipher.c
+++ openssh-7.8p1/cipher.c
--- openssh-7.9p1.orig/cipher.c
+++ openssh-7.9p1/cipher.c
@@ -51,6 +51,8 @@
#include "openbsd-compat/openssl-compat.h"
@ -131,10 +131,10 @@ Index: openssh-7.8p1/cipher.c
if (strcmp(c->name, name) == 0)
return c;
return NULL;
Index: openssh-7.8p1/dh.h
Index: openssh-7.9p1/dh.h
===================================================================
--- openssh-7.8p1.orig/dh.h
+++ openssh-7.8p1/dh.h
--- openssh-7.9p1.orig/dh.h
+++ openssh-7.9p1/dh.h
@@ -52,6 +52,7 @@ u_int dh_estimate(int);
*/
#define DH_GRP_MIN_RFC 1024
@ -143,10 +143,10 @@ Index: openssh-7.8p1/dh.h
#define DH_GRP_MAX 8192
/*
Index: openssh-7.8p1/fips.c
Index: openssh-7.9p1/fips.c
===================================================================
--- /dev/null
+++ openssh-7.8p1/fips.c
+++ openssh-7.9p1/fips.c
@@ -0,0 +1,237 @@
+/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
@ -385,10 +385,10 @@ Index: openssh-7.8p1/fips.c
+ return dh;
+}
+
Index: openssh-7.8p1/fips.h
Index: openssh-7.9p1/fips.h
===================================================================
--- /dev/null
+++ openssh-7.8p1/fips.h
+++ openssh-7.9p1/fips.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
@ -435,10 +435,10 @@ Index: openssh-7.8p1/fips.h
+
+#endif
+
Index: openssh-7.8p1/hmac.c
Index: openssh-7.9p1/hmac.c
===================================================================
--- openssh-7.8p1.orig/hmac.c
+++ openssh-7.8p1/hmac.c
--- openssh-7.9p1.orig/hmac.c
+++ openssh-7.9p1/hmac.c
@@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void *
size_t i;
u_char digest[16];
@ -448,10 +448,10 @@ Index: openssh-7.8p1/hmac.c
printf("ssh_hmac_start failed");
if (ssh_hmac_init(ctx, key, klen) < 0 ||
ssh_hmac_update(ctx, m, mlen) < 0 ||
Index: openssh-7.8p1/kex.c
Index: openssh-7.9p1/kex.c
===================================================================
--- openssh-7.8p1.orig/kex.c
+++ openssh-7.8p1/kex.c
--- openssh-7.9p1.orig/kex.c
+++ openssh-7.9p1/kex.c
@@ -54,6 +54,8 @@
#include "sshbuf.h"
#include "digest.h"
@ -547,11 +547,11 @@ Index: openssh-7.8p1/kex.c
free(s);
return 0;
}
Index: openssh-7.8p1/kexgexc.c
Index: openssh-7.9p1/kexgexc.c
===================================================================
--- openssh-7.8p1.orig/kexgexc.c
+++ openssh-7.8p1/kexgexc.c
@@ -51,8 +51,7 @@
--- openssh-7.9p1.orig/kexgexc.c
+++ openssh-7.9p1/kexgexc.c
@@ -53,8 +53,7 @@
#include "sshbuf.h"
#include "misc.h"
@ -561,7 +561,7 @@ Index: openssh-7.8p1/kexgexc.c
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
@@ -66,7 +65,7 @@ kexgex_client(struct ssh *ssh)
@@ -68,7 +67,7 @@ kexgex_client(struct ssh *ssh)
nbits = dh_estimate(kex->dh_need * 8);
@ -570,11 +570,11 @@ Index: openssh-7.8p1/kexgexc.c
kex->max = DH_GRP_MAX;
kex->nbits = nbits;
if (datafellows & SSH_BUG_DHGEX_LARGE)
Index: openssh-7.8p1/kexgexs.c
Index: openssh-7.9p1/kexgexs.c
===================================================================
--- openssh-7.8p1.orig/kexgexs.c
+++ openssh-7.8p1/kexgexs.c
@@ -54,8 +54,7 @@
--- openssh-7.9p1.orig/kexgexs.c
+++ openssh-7.9p1/kexgexs.c
@@ -56,8 +56,7 @@
#include "sshbuf.h"
#include "misc.h"
@ -584,7 +584,7 @@ Index: openssh-7.8p1/kexgexs.c
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
@@ -85,9 +84,9 @@ input_kex_dh_gex_request(int type, u_int
@@ -88,9 +87,9 @@ input_kex_dh_gex_request(int type, u_int
kex->nbits = nbits;
kex->min = min;
kex->max = max;
@ -596,10 +596,10 @@ Index: openssh-7.8p1/kexgexs.c
nbits = MINIMUM(DH_GRP_MAX, nbits);
if (kex->max < kex->min || kex->nbits < kex->min ||
Index: openssh-7.8p1/mac.c
Index: openssh-7.9p1/mac.c
===================================================================
--- openssh-7.8p1.orig/mac.c
+++ openssh-7.8p1/mac.c
--- openssh-7.9p1.orig/mac.c
+++ openssh-7.9p1/mac.c
@@ -40,6 +40,9 @@
#include "openbsd-compat/openssl-compat.h"
@ -679,11 +679,11 @@ Index: openssh-7.8p1/mac.c
if (strcmp(name, m->name) != 0)
continue;
if (mac != NULL)
Index: openssh-7.8p1/myproposal.h
Index: openssh-7.9p1/myproposal.h
===================================================================
--- openssh-7.8p1.orig/myproposal.h
+++ openssh-7.8p1/myproposal.h
@@ -141,6 +141,8 @@
--- openssh-7.9p1.orig/myproposal.h
+++ openssh-7.9p1/myproposal.h
@@ -151,6 +151,8 @@
#else /* WITH_OPENSSL */
@ -692,10 +692,10 @@ Index: openssh-7.8p1/myproposal.h
#define KEX_SERVER_KEX \
"curve25519-sha256," \
"curve25519-sha256@libssh.org"
Index: openssh-7.8p1/readconf.c
Index: openssh-7.9p1/readconf.c
===================================================================
--- openssh-7.8p1.orig/readconf.c
+++ openssh-7.8p1/readconf.c
--- openssh-7.9p1.orig/readconf.c
+++ openssh-7.9p1/readconf.c
@@ -68,6 +68,7 @@
#include "myproposal.h"
#include "digest.h"
@ -704,7 +704,7 @@ Index: openssh-7.8p1/readconf.c
/* Format of the configuration file:
@@ -1800,6 +1801,23 @@ option_clear_or_none(const char *o)
@@ -1825,6 +1826,23 @@ option_clear_or_none(const char *o)
return o == NULL || strcasecmp(o, "none") == 0;
}
@ -728,7 +728,7 @@ Index: openssh-7.8p1/readconf.c
/*
* Initializes options to special values that indicate that they have not yet
* been set. Read_config_file will only set options with this value. Options
@@ -1999,9 +2017,9 @@ fill_default_options(Options * options)
@@ -2025,9 +2043,9 @@ fill_default_options(Options * options)
if (options->number_of_password_prompts == -1)
options->number_of_password_prompts = 3;
if (options->kex_dhmin == -1)
@ -740,7 +740,7 @@ Index: openssh-7.8p1/readconf.c
options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
}
dh_grp_min = options->kex_dhmin;
@@ -2086,6 +2104,8 @@ fill_default_options(Options * options)
@@ -2112,6 +2130,8 @@ fill_default_options(Options * options)
options->canonicalize_hostname = SSH_CANONICALISE_NO;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@ -749,19 +749,19 @@ Index: openssh-7.8p1/readconf.c
if (options->update_hostkeys == -1)
options->update_hostkeys = 0;
@@ -2110,6 +2130,7 @@ fill_default_options(Options * options)
free(all_mac);
free(all_kex);
@@ -2594,6 +2614,7 @@ dump_client_config(Options *o, const cha
KEX_DEFAULT_PK_ALG, all_key) != 0)
fatal("%s: kex_assemble_names failed", __func__);
free(all_key);
+ filter_fips_algorithms(options);
#define CLEAR_ON_NONE(v) \
do { \
Index: openssh-7.8p1/readconf.h
/* Most interesting options first: user, host, port */
dump_cfg_string(oUser, o->user);
Index: openssh-7.9p1/readconf.h
===================================================================
--- openssh-7.8p1.orig/readconf.h
+++ openssh-7.8p1/readconf.h
@@ -197,6 +197,7 @@ typedef struct {
--- openssh-7.9p1.orig/readconf.h
+++ openssh-7.9p1/readconf.h
@@ -198,6 +198,7 @@ typedef struct {
#define SSH_STRICT_HOSTKEY_YES 2
#define SSH_STRICT_HOSTKEY_ASK 3
@ -769,10 +769,10 @@ Index: openssh-7.8p1/readconf.h
void initialize_options(Options *);
void fill_default_options(Options *);
void fill_default_options_for_canonicalization(Options *);
Index: openssh-7.8p1/servconf.c
Index: openssh-7.9p1/servconf.c
===================================================================
--- openssh-7.8p1.orig/servconf.c
+++ openssh-7.8p1/servconf.c
--- openssh-7.9p1.orig/servconf.c
+++ openssh-7.9p1/servconf.c
@@ -65,6 +65,7 @@
#include "myproposal.h"
#include "digest.h"
@ -781,7 +781,7 @@ Index: openssh-7.8p1/servconf.c
/* import from dh.c */
extern int dh_grp_min;
@@ -194,6 +195,23 @@ option_clear_or_none(const char *o)
@@ -195,6 +196,23 @@ option_clear_or_none(const char *o)
return o == NULL || strcasecmp(o, "none") == 0;
}
@ -805,16 +805,16 @@ Index: openssh-7.8p1/servconf.c
static void
assemble_algorithms(ServerOptions *o)
{
@@ -220,6 +238,8 @@ assemble_algorithms(ServerOptions *o)
free(all_mac);
@@ -224,6 +242,8 @@ assemble_algorithms(ServerOptions *o)
free(all_kex);
free(all_key);
free(all_sig);
+
+ filter_fips_algorithms_s(o);
}
static void
@@ -269,9 +289,9 @@ fill_default_server_options(ServerOption
@@ -273,9 +293,9 @@ fill_default_server_options(ServerOption
options->use_pam_check_locks = 0;
if (options->kex_dhmin == -1)
@ -826,7 +826,7 @@ Index: openssh-7.8p1/servconf.c
options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
}
dh_grp_min = options->kex_dhmin;
@@ -419,6 +439,8 @@ fill_default_server_options(ServerOption
@@ -423,6 +443,8 @@ fill_default_server_options(ServerOption
options->fwd_opts.streamlocal_bind_unlink = 0;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@ -835,10 +835,10 @@ Index: openssh-7.8p1/servconf.c
if (options->disable_forwarding == -1)
options->disable_forwarding = 0;
if (options->expose_userauth_info == -1)
Index: openssh-7.8p1/ssh-keygen.c
Index: openssh-7.9p1/ssh-keygen.c
===================================================================
--- openssh-7.8p1.orig/ssh-keygen.c
+++ openssh-7.8p1/ssh-keygen.c
--- openssh-7.9p1.orig/ssh-keygen.c
+++ openssh-7.9p1/ssh-keygen.c
@@ -61,6 +61,8 @@
#include "utf8.h"
#include "authfd.h"
@ -848,7 +848,7 @@ Index: openssh-7.8p1/ssh-keygen.c
#ifdef WITH_OPENSSL
# define DEFAULT_KEY_TYPE_NAME "rsa"
#else
@@ -965,11 +967,13 @@ do_fingerprint(struct passwd *pw)
@@ -996,11 +998,13 @@ do_fingerprint(struct passwd *pw)
static void
do_gen_all_hostkeys(struct passwd *pw)
{
@ -864,7 +864,7 @@ Index: openssh-7.8p1/ssh-keygen.c
#ifdef WITH_OPENSSL
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
@@ -984,6 +988,17 @@ do_gen_all_hostkeys(struct passwd *pw)
@@ -1015,6 +1019,17 @@ do_gen_all_hostkeys(struct passwd *pw)
{ NULL, NULL, NULL }
};
@ -882,7 +882,7 @@ Index: openssh-7.8p1/ssh-keygen.c
int first = 0;
struct stat st;
struct sshkey *private, *public;
@@ -991,6 +1006,12 @@ do_gen_all_hostkeys(struct passwd *pw)
@@ -1022,6 +1037,12 @@ do_gen_all_hostkeys(struct passwd *pw)
int i, type, fd, r;
FILE *f;
@ -895,7 +895,7 @@ Index: openssh-7.8p1/ssh-keygen.c
for (i = 0; key_types[i].key_type; i++) {
public = private = NULL;
prv_tmp = pub_tmp = prv_file = pub_file = NULL;
@@ -2727,6 +2748,15 @@ main(int argc, char **argv)
@@ -2817,6 +2838,15 @@ main(int argc, char **argv)
key_type_name = DEFAULT_KEY_TYPE_NAME;
type = sshkey_type_from_name(key_type_name);
@ -911,11 +911,11 @@ Index: openssh-7.8p1/ssh-keygen.c
type_bits_valid(type, key_type_name, &bits);
if (!quiet)
Index: openssh-7.8p1/ssh_config.0
Index: openssh-7.9p1/ssh_config.0
===================================================================
--- openssh-7.8p1.orig/ssh_config.0
+++ openssh-7.8p1/ssh_config.0
@@ -343,6 +343,9 @@ DESCRIPTION
--- openssh-7.9p1.orig/ssh_config.0
+++ openssh-7.9p1/ssh_config.0
@@ -353,6 +353,9 @@ DESCRIPTION
Specifies the hash algorithm used when displaying key
fingerprints. Valid options are: md5 and sha256 (the default).
@ -925,7 +925,7 @@ Index: openssh-7.8p1/ssh_config.0
ForwardAgent
Specifies whether the connection to the authentication agent (if
any) will be forwarded to the remote machine. The argument must
@@ -612,6 +615,9 @@ DESCRIPTION
@@ -627,6 +630,9 @@ DESCRIPTION
resort and all efforts should be made to fix the (broken)
counterparty.
@ -935,11 +935,11 @@ Index: openssh-7.8p1/ssh_config.0
LocalCommand
Specifies a command to execute on the local machine after
successfully connecting to the server. The command string
Index: openssh-7.8p1/ssh_config.5
Index: openssh-7.9p1/ssh_config.5
===================================================================
--- openssh-7.8p1.orig/ssh_config.5
+++ openssh-7.8p1/ssh_config.5
@@ -628,6 +628,8 @@ Valid options are:
--- openssh-7.9p1.orig/ssh_config.5
+++ openssh-7.9p1/ssh_config.5
@@ -642,6 +642,8 @@ Valid options are:
and
.Cm sha256
(the default).
@ -948,7 +948,7 @@ Index: openssh-7.8p1/ssh_config.5
.It Cm ForwardAgent
Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote machine.
@@ -1041,6 +1043,9 @@ maximum backward compatibility, using it
@@ -1063,6 +1065,9 @@ maximum backward compatibility, using it
security and thus should be viewed as a temporary fix of last
resort and all efforts should be made to fix the (broken)
counterparty.
@ -958,10 +958,10 @@ Index: openssh-7.8p1/ssh_config.5
.It Cm LocalCommand
Specifies a command to execute on the local machine after successfully
connecting to the server.
Index: openssh-7.8p1/sshd.c
Index: openssh-7.9p1/sshd.c
===================================================================
--- openssh-7.8p1.orig/sshd.c
+++ openssh-7.8p1/sshd.c
--- openssh-7.9p1.orig/sshd.c
+++ openssh-7.9p1/sshd.c
@@ -123,6 +123,8 @@
#include "version.h"
#include "ssherr.h"
@ -971,11 +971,11 @@ Index: openssh-7.8p1/sshd.c
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
Index: openssh-7.8p1/sshd_config.0
Index: openssh-7.9p1/sshd_config.0
===================================================================
--- openssh-7.8p1.orig/sshd_config.0
+++ openssh-7.8p1/sshd_config.0
@@ -338,6 +338,9 @@ DESCRIPTION
--- openssh-7.9p1.orig/sshd_config.0
+++ openssh-7.9p1/sshd_config.0
@@ -348,6 +348,9 @@ DESCRIPTION
Specifies the hash algorithm used when logging key fingerprints.
Valid options are: md5 and sha256. The default is sha256.
@ -985,7 +985,7 @@ Index: openssh-7.8p1/sshd_config.0
ForceCommand
Forces the execution of the command specified by ForceCommand,
ignoring any command supplied by the client and ~/.ssh/rc if
@@ -562,6 +565,9 @@ DESCRIPTION
@@ -572,6 +575,9 @@ DESCRIPTION
resort and all efforts should be made to fix the (broken)
counterparty.
@ -995,11 +995,11 @@ Index: openssh-7.8p1/sshd_config.0
ListenAddress
Specifies the local addresses sshd(8) should listen on. The
following forms may be used:
Index: openssh-7.8p1/sshd_config.5
Index: openssh-7.9p1/sshd_config.5
===================================================================
--- openssh-7.8p1.orig/sshd_config.5
+++ openssh-7.8p1/sshd_config.5
@@ -592,6 +592,8 @@ and
--- openssh-7.9p1.orig/sshd_config.5
+++ openssh-7.9p1/sshd_config.5
@@ -603,6 +603,8 @@ and
.Cm sha256 .
The default is
.Cm sha256 .

View File

@ -1,10 +1,10 @@
# HG changeset patch
# Parent 6a2300496d25e85647e718287d4d9f37170f492a
Index: openssh-7.8p1/Makefile.in
Index: openssh-7.9p1/Makefile.in
===================================================================
--- openssh-7.8p1.orig/Makefile.in
+++ openssh-7.8p1/Makefile.in
--- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.9p1/Makefile.in
@@ -108,6 +108,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
LIBSSH_OBJS += fips.o
@ -14,10 +14,10 @@ Index: openssh-7.8p1/Makefile.in
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect2.o mux.o
Index: openssh-7.8p1/auth-krb5.c
Index: openssh-7.9p1/auth-krb5.c
===================================================================
--- openssh-7.8p1.orig/auth-krb5.c
+++ openssh-7.8p1/auth-krb5.c
--- openssh-7.9p1.orig/auth-krb5.c
+++ openssh-7.9p1/auth-krb5.c
@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, c
len = strlen(authctxt->krb5_ticket_file) + 6;
@ -60,11 +60,11 @@ Index: openssh-7.8p1/auth-krb5.c
return (krb5_cc_resolve(ctx, ccname, ccache));
}
Index: openssh-7.8p1/auth.c
Index: openssh-7.9p1/auth.c
===================================================================
--- openssh-7.8p1.orig/auth.c
+++ openssh-7.8p1/auth.c
@@ -395,6 +395,7 @@ auth_root_allowed(struct ssh *ssh, const
--- openssh-7.9p1.orig/auth.c
+++ openssh-7.9p1/auth.c
@@ -399,6 +399,7 @@ auth_root_allowed(struct ssh *ssh, const
case PERMIT_NO_PASSWD:
if (strcmp(method, "publickey") == 0 ||
strcmp(method, "hostbased") == 0 ||
@ -72,10 +72,10 @@ Index: openssh-7.8p1/auth.c
strcmp(method, "gssapi-with-mic") == 0)
return 1;
break;
Index: openssh-7.8p1/auth2-gss.c
Index: openssh-7.9p1/auth2-gss.c
===================================================================
--- openssh-7.8p1.orig/auth2-gss.c
+++ openssh-7.8p1/auth2-gss.c
--- openssh-7.9p1.orig/auth2-gss.c
+++ openssh-7.9p1/auth2-gss.c
@@ -31,6 +31,7 @@
#include <sys/types.h>
@ -162,10 +162,10 @@ Index: openssh-7.8p1/auth2-gss.c
Authmethod method_gssapi = {
"gssapi-with-mic",
userauth_gssapi,
Index: openssh-7.8p1/auth2.c
Index: openssh-7.9p1/auth2.c
===================================================================
--- openssh-7.8p1.orig/auth2.c
+++ openssh-7.8p1/auth2.c
--- openssh-7.9p1.orig/auth2.c
+++ openssh-7.9p1/auth2.c
@@ -74,6 +74,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
@ -182,10 +182,10 @@ Index: openssh-7.8p1/auth2.c
&method_gssapi,
#endif
&method_passwd,
Index: openssh-7.8p1/clientloop.c
Index: openssh-7.9p1/clientloop.c
===================================================================
--- openssh-7.8p1.orig/clientloop.c
+++ openssh-7.8p1/clientloop.c
--- openssh-7.9p1.orig/clientloop.c
+++ openssh-7.9p1/clientloop.c
@@ -112,6 +112,10 @@
#include "ssherr.h"
#include "hostfile.h"
@ -197,7 +197,7 @@ Index: openssh-7.8p1/clientloop.c
/* import options */
extern Options options;
@@ -1357,9 +1361,18 @@ client_loop(struct ssh *ssh, int have_pt
@@ -1370,9 +1374,18 @@ client_loop(struct ssh *ssh, int have_pt
break;
/* Do channel operations unless rekeying in progress. */
@ -217,11 +217,11 @@ Index: openssh-7.8p1/clientloop.c
/* Buffer input from the connection. */
client_process_net_input(readset);
Index: openssh-7.8p1/configure.ac
Index: openssh-7.9p1/configure.ac
===================================================================
--- openssh-7.8p1.orig/configure.ac
+++ openssh-7.8p1/configure.ac
@@ -673,6 +673,30 @@ main() { if (NSVersionOfRunTimeLibrary("
--- openssh-7.9p1.orig/configure.ac
+++ openssh-7.9p1/configure.ac
@@ -664,6 +664,30 @@ main() { if (NSVersionOfRunTimeLibrary("
[Use tunnel device compatibility to OpenBSD])
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
[Prepend the address family to IP tunnel traffic])
@ -252,7 +252,7 @@ Index: openssh-7.8p1/configure.ac
m4_pattern_allow([AU_IPv])
AC_CHECK_DECL([AU_IPv4], [],
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
@@ -1853,9 +1877,9 @@ AC_RUN_IFELSE(
@@ -1844,9 +1868,9 @@ AC_RUN_IFELSE(
)
AC_LINK_IFELSE(
@ -265,7 +265,7 @@ Index: openssh-7.8p1/configure.ac
[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
])
@@ -2161,7 +2185,7 @@ int snprintf(char *a, size_t b, const ch
@@ -2175,7 +2199,7 @@ int snprintf(char *a, size_t b, const ch
]])],
[AC_MSG_RESULT([yes])
AC_DEFINE([SNPRINTF_CONST], [const],
@ -274,7 +274,7 @@ Index: openssh-7.8p1/configure.ac
[AC_MSG_RESULT([no])
AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
@@ -2176,7 +2200,7 @@ if test "x$ac_cv_func_getpeereid" != "xy
@@ -2190,7 +2214,7 @@ if test "x$ac_cv_func_getpeereid" != "xy
AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
], [AC_MSG_RESULT([no])
NO_PEERCHECK=1
@ -283,23 +283,7 @@ Index: openssh-7.8p1/configure.ac
fi
dnl see whether mkstemp() requires XXXXXX
@@ -2600,12 +2624,12 @@ if test "x$openssl" = "xyes" ; then
case "$ssl_library_ver" in
10000*|0*)
AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
- ;;
+ ;;
100*) ;; # 1.0.x
200*) ;; # LibreSSL
- *)
+ *)
AC_MSG_ERROR([OpenSSL >= 1.1.0 is not yet supported (have "$ssl_library_ver")])
- ;;
+ ;;
esac
AC_MSG_RESULT([$ssl_library_ver])
],
@@ -4473,7 +4497,7 @@ AC_ARG_WITH([maildir],
@@ -4601,7 +4625,7 @@ AC_ARG_WITH([maildir],
if test "X$withval" != X && test "x$withval" != xno && \
test "x${withval}" != xyes; then
AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
@ -308,10 +292,10 @@ Index: openssh-7.8p1/configure.ac
fi
],[
if test "X$maildir" != "X"; then
Index: openssh-7.8p1/gss-genr.c
Index: openssh-7.9p1/gss-genr.c
===================================================================
--- openssh-7.8p1.orig/gss-genr.c
+++ openssh-7.8p1/gss-genr.c
--- openssh-7.9p1.orig/gss-genr.c
+++ openssh-7.9p1/gss-genr.c
@@ -41,12 +41,169 @@
#include "sshbuf.h"
#include "log.h"
@ -657,10 +641,10 @@ Index: openssh-7.8p1/gss-genr.c
+}
+
#endif /* GSSAPI */
Index: openssh-7.8p1/gss-serv-krb5.c
Index: openssh-7.9p1/gss-serv-krb5.c
===================================================================
--- openssh-7.8p1.orig/gss-serv-krb5.c
+++ openssh-7.8p1/gss-serv-krb5.c
--- openssh-7.9p1.orig/gss-serv-krb5.c
+++ openssh-7.9p1/gss-serv-krb5.c
@@ -120,7 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
krb5_error_code problem;
krb5_principal princ;
@ -788,10 +772,10 @@ Index: openssh-7.8p1/gss-serv-krb5.c
};
#endif /* KRB5 */
Index: openssh-7.8p1/gss-serv.c
Index: openssh-7.9p1/gss-serv.c
===================================================================
--- openssh-7.8p1.orig/gss-serv.c
+++ openssh-7.8p1/gss-serv.c
--- openssh-7.9p1.orig/gss-serv.c
+++ openssh-7.9p1/gss-serv.c
@@ -44,17 +44,19 @@
#include "session.h"
#include "misc.h"
@ -1073,10 +1057,10 @@ Index: openssh-7.8p1/gss-serv.c
}
/* Privileged */
Index: openssh-7.8p1/kex.c
Index: openssh-7.9p1/kex.c
===================================================================
--- openssh-7.8p1.orig/kex.c
+++ openssh-7.8p1/kex.c
--- openssh-7.9p1.orig/kex.c
+++ openssh-7.9p1/kex.c
@@ -56,6 +56,10 @@
#include "fips.h"
@ -1124,10 +1108,10 @@ Index: openssh-7.8p1/kex.c
}
return NULL;
}
Index: openssh-7.8p1/kex.h
Index: openssh-7.9p1/kex.h
===================================================================
--- openssh-7.8p1.orig/kex.h
+++ openssh-7.8p1/kex.h
--- openssh-7.9p1.orig/kex.h
+++ openssh-7.9p1/kex.h
@@ -100,6 +100,11 @@ enum kex_exchange {
KEX_DH_GEX_SHA256,
KEX_ECDH_SHA2,
@ -1164,10 +1148,10 @@ Index: openssh-7.8p1/kex.h
int kex_dh_hash(int, const char *, const char *,
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
Index: openssh-7.8p1/kexgssc.c
Index: openssh-7.9p1/kexgssc.c
===================================================================
--- /dev/null
+++ openssh-7.8p1/kexgssc.c
+++ openssh-7.9p1/kexgssc.c
@@ -0,0 +1,348 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1517,10 +1501,10 @@ Index: openssh-7.8p1/kexgssc.c
+}
+
+#endif /* GSSAPI */
Index: openssh-7.8p1/kexgsss.c
Index: openssh-7.9p1/kexgsss.c
===================================================================
--- /dev/null
+++ openssh-7.8p1/kexgsss.c
+++ openssh-7.9p1/kexgsss.c
@@ -0,0 +1,307 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1829,11 +1813,11 @@ Index: openssh-7.8p1/kexgsss.c
+ return 0;
+}
+#endif /* GSSAPI */
Index: openssh-7.8p1/monitor.c
Index: openssh-7.9p1/monitor.c
===================================================================
--- openssh-7.8p1.orig/monitor.c
+++ openssh-7.8p1/monitor.c
@@ -143,6 +143,8 @@ int mm_answer_gss_setup_ctx(int, struct
--- openssh-7.9p1.orig/monitor.c
+++ openssh-7.9p1/monitor.c
@@ -145,6 +145,8 @@ int mm_answer_gss_setup_ctx(int, struct
int mm_answer_gss_accept_ctx(int, struct sshbuf *);
int mm_answer_gss_userok(int, struct sshbuf *);
int mm_answer_gss_checkmic(int, struct sshbuf *);
@ -1842,7 +1826,7 @@ Index: openssh-7.8p1/monitor.c
#endif
#ifdef SSH_AUDIT_EVENTS
@@ -213,6 +215,7 @@ struct mon_table mon_dispatch_proto20[]
@@ -215,6 +217,7 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
{MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
{MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
@ -1850,7 +1834,7 @@ Index: openssh-7.8p1/monitor.c
#endif
{0, 0, NULL}
};
@@ -229,6 +232,12 @@ struct mon_table mon_dispatch_postauth20
@@ -231,6 +234,12 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
#endif
@ -1863,7 +1847,7 @@ Index: openssh-7.8p1/monitor.c
{0, 0, NULL}
};
@@ -287,7 +296,10 @@ monitor_child_preauth(Authctxt *_authctx
@@ -289,7 +298,10 @@ monitor_child_preauth(Authctxt *_authctx
/* Permit requests for moduli and signatures */
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@ -1875,7 +1859,7 @@ Index: openssh-7.8p1/monitor.c
/* The first few requests do not require asynchronous access */
while (!authenticated) {
partial = 0;
@@ -399,6 +411,10 @@ monitor_child_postauth(struct monitor *p
@@ -401,6 +413,10 @@ monitor_child_postauth(struct monitor *p
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@ -1886,7 +1870,7 @@ Index: openssh-7.8p1/monitor.c
if (auth_opts->permit_pty_flag) {
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
@@ -605,7 +621,7 @@ mm_answer_moduli(int sock, struct sshbuf
@@ -609,7 +625,7 @@ mm_answer_moduli(int sock, struct sshbuf
int
mm_answer_sign(int sock, struct sshbuf *m)
{
@ -1895,7 +1879,7 @@ Index: openssh-7.8p1/monitor.c
extern int auth_sock; /* XXX move to state struct? */
struct sshkey *key;
struct sshbuf *sigbuf = NULL;
@@ -1643,7 +1659,7 @@ monitor_apply_keystate(struct monitor *p
@@ -1647,7 +1663,7 @@ monitor_apply_keystate(struct monitor *p
debug3("%s: packet_set_state", __func__);
if ((r = ssh_packet_set_state(ssh, child_state)) != 0)
@ -1904,7 +1888,7 @@ Index: openssh-7.8p1/monitor.c
sshbuf_free(child_state);
child_state = NULL;
@@ -1662,6 +1678,13 @@ monitor_apply_keystate(struct monitor *p
@@ -1666,6 +1682,13 @@ monitor_apply_keystate(struct monitor *p
# endif
#endif /* WITH_OPENSSL */
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@ -1918,7 +1902,7 @@ Index: openssh-7.8p1/monitor.c
kex->load_host_public_key=&get_hostkey_public_by_type;
kex->load_host_private_key=&get_hostkey_private_by_type;
kex->host_key_index=&get_hostkey_index;
@@ -1752,8 +1775,8 @@ mm_answer_gss_setup_ctx(int sock, struct
@@ -1756,8 +1779,8 @@ mm_answer_gss_setup_ctx(int sock, struct
u_char *p;
int r;
@ -1929,7 +1913,7 @@ Index: openssh-7.8p1/monitor.c
if ((r = sshbuf_get_string(m, &p, &len)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
@@ -1785,7 +1808,7 @@ mm_answer_gss_accept_ctx(int sock, struc
@@ -1789,7 +1812,7 @@ mm_answer_gss_accept_ctx(int sock, struc
OM_uint32 flags = 0; /* GSI needs this */
int r;
@ -1938,7 +1922,7 @@ Index: openssh-7.8p1/monitor.c
fatal("%s: GSSAPI authentication not enabled", __func__);
if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
@@ -1806,6 +1829,7 @@ mm_answer_gss_accept_ctx(int sock, struc
@@ -1810,6 +1833,7 @@ mm_answer_gss_accept_ctx(int sock, struc
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@ -1946,7 +1930,7 @@ Index: openssh-7.8p1/monitor.c
}
return (0);
}
@@ -1817,7 +1841,7 @@ mm_answer_gss_checkmic(int sock, struct
@@ -1821,7 +1845,7 @@ mm_answer_gss_checkmic(int sock, struct
OM_uint32 ret;
int r;
@ -1955,7 +1939,7 @@ Index: openssh-7.8p1/monitor.c
fatal("%s: GSSAPI authentication not enabled", __func__);
if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
@@ -1847,10 +1871,11 @@ mm_answer_gss_userok(int sock, struct ss
@@ -1851,10 +1875,11 @@ mm_answer_gss_userok(int sock, struct ss
int r, authenticated;
const char *displayname;
@ -1969,7 +1953,7 @@ Index: openssh-7.8p1/monitor.c
sshbuf_reset(m);
if ((r = sshbuf_put_u32(m, authenticated)) != 0)
@@ -1867,5 +1892,73 @@ mm_answer_gss_userok(int sock, struct ss
@@ -1871,5 +1896,73 @@ mm_answer_gss_userok(int sock, struct ss
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
@ -2044,10 +2028,10 @@ Index: openssh-7.8p1/monitor.c
+}
+
+#endif /* GSSAPI */
Index: openssh-7.8p1/monitor.h
Index: openssh-7.9p1/monitor.h
===================================================================
--- openssh-7.8p1.orig/monitor.h
+++ openssh-7.8p1/monitor.h
--- openssh-7.9p1.orig/monitor.h
+++ openssh-7.9p1/monitor.h
@@ -63,6 +63,9 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
@ -2058,10 +2042,10 @@ Index: openssh-7.8p1/monitor.h
};
struct monitor {
Index: openssh-7.8p1/monitor_wrap.c
Index: openssh-7.9p1/monitor_wrap.c
===================================================================
--- openssh-7.8p1.orig/monitor_wrap.c
+++ openssh-7.8p1/monitor_wrap.c
--- openssh-7.9p1.orig/monitor_wrap.c
+++ openssh-7.9p1/monitor_wrap.c
@@ -984,7 +984,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
}
@ -2124,10 +2108,10 @@ Index: openssh-7.8p1/monitor_wrap.c
+ return (ok);
+}
#endif /* GSSAPI */
Index: openssh-7.8p1/monitor_wrap.h
Index: openssh-7.9p1/monitor_wrap.h
===================================================================
--- openssh-7.8p1.orig/monitor_wrap.h
+++ openssh-7.8p1/monitor_wrap.h
--- openssh-7.9p1.orig/monitor_wrap.h
+++ openssh-7.9p1/monitor_wrap.h
@@ -60,8 +60,10 @@ int mm_sshkey_verify(const struct sshkey
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@ -2140,10 +2124,10 @@ Index: openssh-7.8p1/monitor_wrap.h
#endif
#ifdef USE_PAM
Index: openssh-7.8p1/readconf.c
Index: openssh-7.9p1/readconf.c
===================================================================
--- openssh-7.8p1.orig/readconf.c
+++ openssh-7.8p1/readconf.c
--- openssh-7.9p1.orig/readconf.c
+++ openssh-7.9p1/readconf.c
@@ -163,6 +163,8 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@ -2174,7 +2158,7 @@ Index: openssh-7.8p1/readconf.c
#endif
#ifdef ENABLE_PKCS11
{ "smartcarddevice", oPKCS11Provider },
@@ -979,10 +991,30 @@ parse_time:
@@ -980,10 +992,30 @@ parse_time:
intptr = &options->gss_authentication;
goto parse_flag;
@ -2205,7 +2189,7 @@ Index: openssh-7.8p1/readconf.c
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1844,7 +1876,12 @@ initialize_options(Options * options)
@@ -1869,7 +1901,12 @@ initialize_options(Options * options)
options->pubkey_authentication = -1;
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
@ -2218,7 +2202,7 @@ Index: openssh-7.8p1/readconf.c
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1990,8 +2027,14 @@ fill_default_options(Options * options)
@@ -2016,8 +2053,14 @@ fill_default_options(Options * options)
options->challenge_response_authentication = 1;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@ -2233,10 +2217,10 @@ Index: openssh-7.8p1/readconf.c
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
Index: openssh-7.8p1/readconf.h
Index: openssh-7.9p1/readconf.h
===================================================================
--- openssh-7.8p1.orig/readconf.h
+++ openssh-7.8p1/readconf.h
--- openssh-7.9p1.orig/readconf.h
+++ openssh-7.9p1/readconf.h
@@ -40,7 +40,12 @@ typedef struct {
int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */
@ -2250,10 +2234,10 @@ Index: openssh-7.8p1/readconf.h
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
Index: openssh-7.8p1/regress/cert-hostkey.sh
Index: openssh-7.9p1/regress/cert-hostkey.sh
===================================================================
--- openssh-7.8p1.orig/regress/cert-hostkey.sh
+++ openssh-7.8p1/regress/cert-hostkey.sh
--- openssh-7.9p1.orig/regress/cert-hostkey.sh
+++ openssh-7.9p1/regress/cert-hostkey.sh
@@ -66,7 +66,7 @@ touch $OBJ/host_revoked_plain
touch $OBJ/host_revoked_cert
cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
@ -2263,10 +2247,10 @@ Index: openssh-7.8p1/regress/cert-hostkey.sh
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
Index: openssh-7.8p1/regress/cert-userkey.sh
Index: openssh-7.9p1/regress/cert-userkey.sh
===================================================================
--- openssh-7.8p1.orig/regress/cert-userkey.sh
+++ openssh-7.8p1/regress/cert-userkey.sh
--- openssh-7.9p1.orig/regress/cert-userkey.sh
+++ openssh-7.9p1/regress/cert-userkey.sh
@@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
@ -2276,10 +2260,10 @@ Index: openssh-7.8p1/regress/cert-userkey.sh
EXTRA_TYPES=""
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
Index: openssh-7.8p1/regress/kextype.sh
Index: openssh-7.9p1/regress/kextype.sh
===================================================================
--- openssh-7.8p1.orig/regress/kextype.sh
+++ openssh-7.8p1/regress/kextype.sh
--- openssh-7.9p1.orig/regress/kextype.sh
+++ openssh-7.9p1/regress/kextype.sh
@@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh
tries="1 2 3 4"
@ -2290,10 +2274,10 @@ Index: openssh-7.8p1/regress/kextype.sh
verbose "kex $k"
for i in $tries; do
${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
Index: openssh-7.8p1/regress/rekey.sh
Index: openssh-7.9p1/regress/rekey.sh
===================================================================
--- openssh-7.8p1.orig/regress/rekey.sh
+++ openssh-7.8p1/regress/rekey.sh
--- openssh-7.9p1.orig/regress/rekey.sh
+++ openssh-7.9p1/regress/rekey.sh
@@ -38,6 +38,9 @@ increase_datafile_size 300
opts=""
@ -2314,10 +2298,10 @@ Index: openssh-7.8p1/regress/rekey.sh
verbose "client rekey $c $kex"
ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
done
Index: openssh-7.8p1/servconf.c
Index: openssh-7.9p1/servconf.c
===================================================================
--- openssh-7.8p1.orig/servconf.c
+++ openssh-7.8p1/servconf.c
--- openssh-7.9p1.orig/servconf.c
+++ openssh-7.9p1/servconf.c
@@ -130,8 +130,10 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
@ -2329,7 +2313,7 @@ Index: openssh-7.8p1/servconf.c
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
@@ -369,10 +371,14 @@ fill_default_server_options(ServerOption
@@ -373,10 +375,14 @@ fill_default_server_options(ServerOption
options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@ -2344,7 +2328,7 @@ Index: openssh-7.8p1/servconf.c
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -519,6 +525,7 @@ typedef enum {
@@ -523,6 +529,7 @@ typedef enum {
sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@ -2352,7 +2336,7 @@ Index: openssh-7.8p1/servconf.c
sAcceptEnv, sSetEnv, sPermitTunnel,
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -596,11 +603,17 @@ static struct {
@@ -600,11 +607,17 @@ static struct {
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
@ -2370,7 +2354,7 @@ Index: openssh-7.8p1/servconf.c
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -1503,6 +1516,10 @@ process_server_config_line(ServerOptions
@@ -1512,6 +1525,10 @@ process_server_config_line(ServerOptions
intptr = &options->gss_authentication;
goto parse_flag;
@ -2381,7 +2365,7 @@ Index: openssh-7.8p1/servconf.c
case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
goto parse_flag;
@@ -1511,6 +1528,10 @@ process_server_config_line(ServerOptions
@@ -1520,6 +1537,10 @@ process_server_config_line(ServerOptions
intptr = &options->gss_strict_acceptor;
goto parse_flag;
@ -2392,7 +2376,7 @@ Index: openssh-7.8p1/servconf.c
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
@@ -2304,6 +2325,10 @@ copy_set_server_options(ServerOptions *d
@@ -2313,6 +2334,10 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(password_authentication);
M_CP_INTOPT(gss_authentication);
@ -2403,7 +2387,7 @@ Index: openssh-7.8p1/servconf.c
M_CP_INTOPT(pubkey_authentication);
M_CP_INTOPT(kerberos_authentication);
M_CP_INTOPT(hostbased_authentication);
@@ -2600,7 +2625,10 @@ dump_config(ServerOptions *o)
@@ -2609,7 +2634,10 @@ dump_config(ServerOptions *o)
#endif
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@ -2414,10 +2398,10 @@ Index: openssh-7.8p1/servconf.c
#endif
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
dump_cfg_fmtint(sKbdInteractiveAuthentication,
Index: openssh-7.8p1/servconf.h
Index: openssh-7.9p1/servconf.h
===================================================================
--- openssh-7.8p1.orig/servconf.h
+++ openssh-7.8p1/servconf.h
--- openssh-7.9p1.orig/servconf.h
+++ openssh-7.9p1/servconf.h
@@ -16,6 +16,8 @@
#ifndef SERVCONF_H
#define SERVCONF_H
@ -2427,7 +2411,7 @@ Index: openssh-7.8p1/servconf.h
#define MAX_PORTS 256 /* Max # ports. */
#define MAX_SUBSYSTEMS 256 /* Max # subsystems. */
@@ -125,8 +127,10 @@ typedef struct {
@@ -126,8 +128,10 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
@ -2438,10 +2422,10 @@ Index: openssh-7.8p1/servconf.h
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
Index: openssh-7.8p1/ssh-gss.h
Index: openssh-7.9p1/ssh-gss.h
===================================================================
--- openssh-7.8p1.orig/ssh-gss.h
+++ openssh-7.8p1/ssh-gss.h
--- openssh-7.9p1.orig/ssh-gss.h
+++ openssh-7.9p1/ssh-gss.h
@@ -61,10 +61,22 @@
#define SSH_GSS_OIDTYPE 0x06
@ -2532,10 +2516,10 @@ Index: openssh-7.8p1/ssh-gss.h
#endif /* GSSAPI */
#endif /* _SSH_GSS_H */
Index: openssh-7.8p1/ssh_config
Index: openssh-7.9p1/ssh_config
===================================================================
--- openssh-7.8p1.orig/ssh_config
+++ openssh-7.8p1/ssh_config
--- openssh-7.9p1.orig/ssh_config
+++ openssh-7.9p1/ssh_config
@@ -45,6 +45,8 @@ Host *
# HostbasedAuthentication no
# GSSAPIAuthentication no
@ -2545,11 +2529,11 @@ Index: openssh-7.8p1/ssh_config
# BatchMode no
# CheckHostIP yes
# AddressFamily any
Index: openssh-7.8p1/ssh_config.0
Index: openssh-7.9p1/ssh_config.0
===================================================================
--- openssh-7.8p1.orig/ssh_config.0
+++ openssh-7.8p1/ssh_config.0
@@ -410,9 +410,40 @@ DESCRIPTION
--- openssh-7.9p1.orig/ssh_config.0
+++ openssh-7.9p1/ssh_config.0
@@ -422,9 +422,40 @@ DESCRIPTION
Specifies whether user authentication based on GSSAPI is allowed.
The default is no.
@ -2590,11 +2574,11 @@ Index: openssh-7.8p1/ssh_config.0
HashKnownHosts
Indicates that ssh(1) should hash host names and addresses when
they are added to ~/.ssh/known_hosts. These hashed names may be
Index: openssh-7.8p1/ssh_config.5
Index: openssh-7.9p1/ssh_config.5
===================================================================
--- openssh-7.8p1.orig/ssh_config.5
+++ openssh-7.8p1/ssh_config.5
@@ -720,10 +720,40 @@ The default is
--- openssh-7.9p1.orig/ssh_config.5
+++ openssh-7.9p1/ssh_config.5
@@ -738,10 +738,40 @@ The default is
Specifies whether user authentication based on GSSAPI is allowed.
The default is
.Cm no .
@ -2635,10 +2619,10 @@ Index: openssh-7.8p1/ssh_config.5
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
Index: openssh-7.8p1/sshconnect2.c
Index: openssh-7.9p1/sshconnect2.c
===================================================================
--- openssh-7.8p1.orig/sshconnect2.c
+++ openssh-7.8p1/sshconnect2.c
--- openssh-7.9p1.orig/sshconnect2.c
+++ openssh-7.9p1/sshconnect2.c
@@ -82,6 +82,124 @@ extern char *client_version_string;
extern char *server_version_string;
extern Options options;
@ -2871,7 +2855,7 @@ Index: openssh-7.8p1/sshconnect2.c
{"gssapi-with-mic",
userauth_gssapi,
NULL,
@@ -657,19 +840,31 @@ userauth_gssapi(Authctxt *authctxt)
@@ -686,19 +869,31 @@ userauth_gssapi(Authctxt *authctxt)
static u_int mech = 0;
OM_uint32 min;
int r, ok = 0;
@ -2905,7 +2889,7 @@ Index: openssh-7.8p1/sshconnect2.c
ok = 1; /* Mechanism works */
} else {
mech++;
@@ -906,6 +1101,51 @@ input_gssapi_error(int type, u_int32_t p
@@ -935,6 +1130,51 @@ input_gssapi_error(int type, u_int32_t p
free(lang);
return r;
}
@ -2957,7 +2941,7 @@ Index: openssh-7.8p1/sshconnect2.c
#endif /* GSSAPI */
int
@@ -1443,8 +1683,8 @@ key_type_allowed_by_config(struct sshkey
@@ -1473,8 +1713,8 @@ key_type_allowed_by_config(struct sshkey
/*
* try keys in the following order:
@ -2968,10 +2952,10 @@ Index: openssh-7.8p1/sshconnect2.c
* 3. agent keys that are found in the config file
* 4. other agent keys
* 5. keys that are only listed in the config file
Index: openssh-7.8p1/sshd.c
Index: openssh-7.9p1/sshd.c
===================================================================
--- openssh-7.8p1.orig/sshd.c
+++ openssh-7.8p1/sshd.c
--- openssh-7.9p1.orig/sshd.c
+++ openssh-7.9p1/sshd.c
@@ -131,6 +131,10 @@
#include "fips.h"
@ -2983,16 +2967,17 @@ Index: openssh-7.8p1/sshd.c
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -555,7 +559,7 @@ privsep_preauth_child(void)
@@ -555,7 +559,8 @@ privsep_preauth_child(void)
#ifdef GSSAPI
/* Cache supported mechanism OIDs for later use */
- if (options.gss_authentication)
- ssh_gssapi_prepare_supported_oids();
+ if (options.gss_authentication || options.gss_keyex)
ssh_gssapi_prepare_supported_oids();
+ ssh_gssapi_prepare_supported_oids();
#endif
@@ -898,8 +902,9 @@ notify_hostkeys(struct ssh *ssh)
reseed_prngs();
@@ -897,8 +902,9 @@ notify_hostkeys(struct ssh *ssh)
}
debug3("%s: sent %u hostkeys", __func__, nkeys);
if (nkeys == 0)
@ -3004,7 +2989,7 @@ Index: openssh-7.8p1/sshd.c
sshbuf_free(buf);
}
@@ -1838,7 +1843,12 @@ main(int ac, char **av)
@@ -1837,7 +1843,12 @@ main(int ac, char **av)
free(fp);
}
accumulate_host_timing_secret(cfg, NULL);
@ -3017,7 +3002,7 @@ Index: openssh-7.8p1/sshd.c
logit("sshd: no hostkeys available -- exiting.");
exit(1);
}
@@ -2016,6 +2026,60 @@ main(int ac, char **av)
@@ -2015,6 +2026,60 @@ main(int ac, char **av)
/* This is the child processing a new connection. */
setproctitle("%s", "[accepted]");
@ -3078,7 +3063,7 @@ Index: openssh-7.8p1/sshd.c
/*
* Create a new session and process group since the 4.4BSD
* setlogin() affects the entire process group. We don't
@@ -2137,6 +2201,60 @@ main(int ac, char **av)
@@ -2136,6 +2201,60 @@ main(int ac, char **av)
rdomain == NULL ? "" : "\"");
free(laddr);
@ -3139,7 +3124,7 @@ Index: openssh-7.8p1/sshd.c
/*
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
@@ -2320,6 +2438,48 @@ do_ssh2_kex(void)
@@ -2319,6 +2438,48 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
list_hostkey_types());
@ -3188,7 +3173,7 @@ Index: openssh-7.8p1/sshd.c
/* start key exchange */
if ((r = kex_setup(active_state, myproposal)) != 0)
fatal("kex_setup: %s", ssh_err(r));
@@ -2337,6 +2497,13 @@ do_ssh2_kex(void)
@@ -2336,6 +2497,13 @@ do_ssh2_kex(void)
# endif
#endif
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@ -3202,10 +3187,10 @@ Index: openssh-7.8p1/sshd.c
kex->server = 1;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
Index: openssh-7.8p1/sshd_config
Index: openssh-7.9p1/sshd_config
===================================================================
--- openssh-7.8p1.orig/sshd_config
+++ openssh-7.8p1/sshd_config
--- openssh-7.9p1.orig/sshd_config
+++ openssh-7.9p1/sshd_config
@@ -76,6 +76,8 @@ AuthorizedKeysFile .ssh/authorized_keys
# GSSAPI options
#GSSAPIAuthentication no
@ -3215,11 +3200,11 @@ Index: openssh-7.8p1/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
Index: openssh-7.8p1/sshd_config.5
Index: openssh-7.9p1/sshd_config.5
===================================================================
--- openssh-7.8p1.orig/sshd_config.5
+++ openssh-7.8p1/sshd_config.5
@@ -644,6 +644,11 @@ Specifies whether to automatically destr
--- openssh-7.9p1.orig/sshd_config.5
+++ openssh-7.9p1/sshd_config.5
@@ -655,6 +655,11 @@ Specifies whether to automatically destr
on logout.
The default is
.Cm yes .
@ -3231,7 +3216,7 @@ Index: openssh-7.8p1/sshd_config.5
.It Cm GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor
a client authenticates against.
@@ -658,6 +663,11 @@ machine's default store.
@@ -669,6 +674,11 @@ machine's default store.
This facility is provided to assist with operation on multi homed machines.
The default is
.Cm yes .
@ -3243,7 +3228,7 @@ Index: openssh-7.8p1/sshd_config.5
.It Cm HostbasedAcceptedKeyTypes
Specifies the key types that will be accepted for hostbased authentication
as a list of comma-separated patterns.
@@ -1632,16 +1642,16 @@ as a non-root user.
@@ -1643,16 +1653,16 @@ as a non-root user.
The default is
.Cm no .
.It Cm UsePAMCheckLocks
@ -3263,11 +3248,11 @@ Index: openssh-7.8p1/sshd_config.5
.Dq no .
.It Cm VersionAddendum
Optionally specifies additional text to append to the SSH protocol banner
Index: openssh-7.8p1/sshkey.c
Index: openssh-7.9p1/sshkey.c
===================================================================
--- openssh-7.8p1.orig/sshkey.c
+++ openssh-7.8p1/sshkey.c
@@ -140,6 +140,7 @@ static const struct keytype keytypes[] =
--- openssh-7.9p1.orig/sshkey.c
+++ openssh-7.9p1/sshkey.c
@@ -135,6 +135,7 @@ static const struct keytype keytypes[] =
# endif /* OPENSSL_HAS_NISTP521 */
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
@ -3275,11 +3260,11 @@ Index: openssh-7.8p1/sshkey.c
{ NULL, NULL, NULL, -1, -1, 0, 0 }
};
Index: openssh-7.8p1/sshkey.h
Index: openssh-7.9p1/sshkey.h
===================================================================
--- openssh-7.8p1.orig/sshkey.h
+++ openssh-7.8p1/sshkey.h
@@ -63,6 +63,7 @@ enum sshkey_types {
--- openssh-7.9p1.orig/sshkey.h
+++ openssh-7.9p1/sshkey.h
@@ -64,6 +64,7 @@ enum sshkey_types {
KEY_ED25519_CERT,
KEY_XMSS,
KEY_XMSS_CERT,
@ -3287,11 +3272,11 @@ Index: openssh-7.8p1/sshkey.h
KEY_UNSPEC
};
Index: openssh-7.8p1/sshd_config.0
Index: openssh-7.9p1/sshd_config.0
===================================================================
--- openssh-7.8p1.orig/sshd_config.0
+++ openssh-7.8p1/sshd_config.0
@@ -370,6 +370,12 @@ DESCRIPTION
--- openssh-7.9p1.orig/sshd_config.0
+++ openssh-7.9p1/sshd_config.0
@@ -380,6 +380,12 @@ DESCRIPTION
Specifies whether user authentication based on GSSAPI is allowed.
The default is no.
@ -3304,7 +3289,7 @@ Index: openssh-7.8p1/sshd_config.0
GSSAPICleanupCredentials
Specifies whether to automatically destroy the user's credentials
cache on logout. The default is yes.
@@ -383,6 +388,12 @@ DESCRIPTION
@@ -393,6 +399,12 @@ DESCRIPTION
facility is provided to assist with operation on multi homed
machines. The default is yes.

File diff suppressed because it is too large Load Diff

View File

@ -15,15 +15,11 @@ this is only need on s390 architecture.
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-seccomp-filter.c
--- openssh-7.7p1/sandbox-seccomp-filter.c
+++ openssh-7.7p1/sandbox-seccomp-filter.c
@@ -167,16 +167,19 @@ static const struct sock_filter preauth_
SC_ALLOW(__NR_exit_group),
#endif
#ifdef __NR_geteuid
SC_ALLOW(__NR_geteuid),
#endif
Index: openssh-7.9p1/sandbox-seccomp-filter.c
===================================================================
--- openssh-7.9p1.orig/sandbox-seccomp-filter.c
+++ openssh-7.9p1/sandbox-seccomp-filter.c
@@ -175,6 +175,9 @@ static const struct sock_filter preauth_
#ifdef __NR_geteuid32
SC_ALLOW(__NR_geteuid32),
#endif
@ -33,17 +29,7 @@ diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-secc
#ifdef __NR_getpgid
SC_ALLOW(__NR_getpgid),
#endif
#ifdef __NR_getpid
SC_ALLOW(__NR_getpid),
#endif
#ifdef __NR_getrandom
SC_ALLOW(__NR_getrandom),
@@ -185,16 +188,19 @@ static const struct sock_filter preauth_
SC_ALLOW(__NR_gettimeofday),
#endif
#ifdef __NR_getuid
SC_ALLOW(__NR_getuid),
#endif
@@ -193,6 +196,9 @@ static const struct sock_filter preauth_
#ifdef __NR_getuid32
SC_ALLOW(__NR_getuid32),
#endif
@ -53,8 +39,3 @@ diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-secc
#ifdef __NR_madvise
SC_ALLOW(__NR_madvise),
#endif
#ifdef __NR_mmap
SC_ALLOW(__NR_mmap),
#endif
#ifdef __NR_mmap2
SC_ALLOW(__NR_mmap2),

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1a484bb15152c183bb2514e112aa30dd34138c3cfb032eee5490a66c507144ca
size 1548026

View File

@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAlt+Xa8ACgkQ0+X1a22S
DTAJPwx9HIW/obxNJYTU7M8trpalBekdl1SqUjxdDwInIsKTLSOpJCsnynBai/3c
SuvZkBwcKwZZFe+xCvRQDHkf/YYLT+d7slUQolb0OJmzFKbvu6xwuv7q12ag9hQj
/8BUfdYRKb63uemfKuVAHfcnUm9WlwSbif+Au/j1yg/MlETY47ezYA9/q75wignx
3g38JVHVgKDenDd8o9/hgjeQpEHKNdCQo71nN2h3MYRlh4xrR9ENZj7y8x65Kp1j
WoZEhlvjYkka4deSGwj2MIAJnzsc39uppEoEjkB7F9SUo4O7CxbWFein70Ct7Xbs
VDWXQibnJGHKatHIecaPLUYexGWO1XYNZErDhY7fPw0ChfMGbz3+0eDfDJqGY49r
Lo6wzsrgv2kDJMqwciT/D/Zb3ocHnCrq1Isnz/Ug2lW58LMk7Y1HisPteZFQ/pkC
xKeO+K1RkaRUSCrB5iToqF+7i8eRNVROYmkKLgKcMrC0WYEjnbEoFdr4bktAS9QM
BS6aIsh2cyg2H0FjDKmYvcKOUf0IgA==
=ZiYm
-----END PGP SIGNATURE-----

3
openssh-7.9p1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad
size 1565384

14
openssh-7.9p1.tar.gz.asc Normal file
View File

@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAlvJLhsACgkQ0+X1a22S
DTBjHwx/T3EX3EtCzB9I6zHFUgF2/0hEKVYZw2Yl4UbUvgjy/KdEdlJzdH3Hc/yU
jJZzraDY7nJMrCly734FbFGKsKoRkxWMkeuQGOhvpzgTYg+fOa1J0a14xK/ub9Y0
9Z/4zP0Zs7mn+8MApMS3XOZ+AJgdRiXN9i3PXmbYO9Gcg+QthtgE1DeG0d0vVTP/
ipCBBg8mMlAANdlu9IUCv4CJPwJjQt2aYsvCiuUQuzrKYsV5noCOBaGRbmPcN9SM
3cvSTZgDbK3kHdL1RnBgWpcO+o+D8sqSW2rm8xpCQv/ILo86/BLBjXDCYLEt0nSn
+dONPytwhwwJWPPYe7+RSYWHS2cKwVTDk7lr2E636SwU1fM1NiNYle9hB6cUT0nU
sypfHOIARAMSqepnaT3WgffM0jlEWrSB0PuDLTLTO5ZPmUijqqT6xGwWSUc4GQZY
WNyGg1w0Ryj2pRd7DlXDDivTCneXFqV7JZiR3R4ZXJJV0uVQOUitCS/DnwSDpIfp
HlVEWeRAszQFKLKttu0/4SY2NVrRBA==
=4Z9x
-----END PGP SIGNATURE-----

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Oct 22 08:59:02 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Version update to 7.9p1
* No actual changes for the askpass
* See main package changelog for details
-------------------------------------------------------------------
Tue Oct 9 10:52:15 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>

View File

@ -18,7 +18,7 @@
%define _name openssh
Name: openssh-askpass-gnome
Version: 7.8p1
Version: 7.9p1
Release: 0
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
License: BSD-2-Clause

View File

@ -1,3 +1,47 @@
-------------------------------------------------------------------
Mon Oct 22 08:51:30 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Version update to 7.9p1
* ssh(1), sshd(8): the setting of the new CASignatureAlgorithms
option (see below) bans the use of DSA keys as certificate
authorities.
* sshd(8): the authentication success/failure log message has
changed format slightly. It now includes the certificate
fingerprint (previously it included only key ID and CA key
fingerprint).
* ssh(1), sshd(8): allow most port numbers to be specified using
service names from getservbyname(3) (typically /etc/services).
* sshd(8): support signalling sessions via the SSH protocol.
A limited subset of signals is supported and only for login or
command sessions (i.e. not subsystems) that were not subject to
a forced command via authorized_keys or sshd_config. bz#1424
* ssh(1): support "ssh -Q sig" to list supported signature options.
Also "ssh -Q help" to show the full set of supported queries.
* ssh(1), sshd(8): add a CASignatureAlgorithms option for the
client and server configs to allow control over which signature
formats are allowed for CAs to sign certificates. For example,
this allows banning CAs that sign certificates using the RSA-SHA1
signature algorithm.
* sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to
revoke keys specified by SHA256 hash.
* ssh-keygen(1): allow creation of key revocation lists directly
from base64-encoded SHA256 fingerprints. This supports revoking
keys using only the information contained in sshd(8)
authentication log messages.
- Removed obsolete configuration option --with-tcp-wrappers, and
--with-opensc for s390 and s390x.
- Removed patch merged upstream
* openssh-7.7p1-openssl_1.1.0.patch
- Refreshed patches
* openssh-7.7p1-audit.patch
* openssh-7.7p1-disable_short_DH_parameters.patch
* openssh-7.7p1-fips.patch
* openssh-7.7p1-gssapi_key_exchange.patch
* openssh-7.7p1-seccomp_ipc_flock.patch
-------------------------------------------------------------------
Fri Oct 19 13:22:10 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>

View File

@ -36,7 +36,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: openssh
Version: 7.8p1
Version: 7.9p1
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT
@ -84,8 +84,6 @@ Patch22: openssh-7.7p1-systemd-notify.patch
Patch23: openssh-7.7p1-gssapi_key_exchange.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch24: openssh-7.7p1-audit.patch
# Upstream patch, already merged
Patch25: openssh-7.7p1-openssl_1.1.0.patch
# Local patch to disable runtime abi SSL checks, quite pointless for us
Patch26: openssh-7.7p1-disable_openssl_abi_check.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
@ -188,7 +186,6 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
%configure \
--sysconfdir=%{_sysconfdir}/ssh \
--libexecdir=%{_libexecdir}/ssh \
--with-tcp-wrappers \
--with-selinux \
--with-pid-dir=/run \
--with-systemd \
@ -200,9 +197,6 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
--with-sandbox=seccomp_filter \
%else
--with-sandbox=rlimit \
%endif
%ifnarch s390 s390x
--with-opensc \
%endif
--disable-strip \
--with-audit=linux \