forked from pool/openssh
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=182
This commit is contained in:
parent
8a8ed57387
commit
e7740396e0
@ -0,0 +1,55 @@
|
||||
From 66aaa678dbe59aa21d0d9d89a3596ecedde0254b Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Tue, 30 Apr 2024 02:14:10 +0000
|
||||
Subject: [PATCH] upstream: correctly restore sigprocmask around ppoll()
|
||||
reported
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
by Tõivo Leedjärv; ok deraadt@
|
||||
|
||||
OpenBSD-Commit-ID: c0c0f89de5294a166578f071eade2501929c4686
|
||||
---
|
||||
clientloop.c | 4 ++--
|
||||
serverloop.c | 4 ++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/clientloop.c b/clientloop.c
|
||||
index be8bb5fc1f2..8ea2ada4216 100644
|
||||
--- a/clientloop.c
|
||||
+++ b/clientloop.c
|
||||
#@@ -1,4 +1,4 @@
|
||||
#-/* $OpenBSD: clientloop.c,v 1.404 2024/04/30 02:10:49 djm Exp $ */
|
||||
#+/* $OpenBSD: clientloop.c,v 1.405 2024/04/30 02:14:10 djm Exp $ */
|
||||
# /*
|
||||
# * Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
# * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -1585,7 +1585,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
|
||||
client_wait_until_can_do_something(ssh, &pfd, &npfd_alloc,
|
||||
&npfd_active, channel_did_enqueue, &osigset,
|
||||
&conn_in_ready, &conn_out_ready);
|
||||
- if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
|
||||
+ if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
|
||||
error_f("osigset sigprocmask: %s", strerror(errno));
|
||||
|
||||
if (quit_pending)
|
||||
diff --git a/serverloop.c b/serverloop.c
|
||||
index f3683c2e4a6..94c8943a616 100644
|
||||
--- a/serverloop.c
|
||||
+++ b/serverloop.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: serverloop.c,v 1.237 2023/08/21 04:59:54 djm Exp $ */
|
||||
+/* $OpenBSD: serverloop.c,v 1.238 2024/04/30 02:14:10 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -380,7 +380,7 @@ server_loop2(struct ssh *ssh, Authctxt *authctxt)
|
||||
wait_until_can_do_something(ssh, connection_in, connection_out,
|
||||
&pfd, &npfd_alloc, &npfd_active, &osigset,
|
||||
&conn_in_ready, &conn_out_ready);
|
||||
- if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
|
||||
+ if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
|
||||
error_f("osigset sigprocmask: %s", strerror(errno));
|
||||
|
||||
if (received_sigterm) {
|
@ -0,0 +1,32 @@
|
||||
From 9844aa2521ccfb1a2d73745680327b79e0574445 Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Wed, 21 Feb 2024 05:57:34 +0000
|
||||
Subject: [PATCH] upstream: fix proxy multiplexing mode, broken when keystroke
|
||||
timing
|
||||
|
||||
obfuscation was added. GHPR#463 from montag451
|
||||
|
||||
OpenBSD-Commit-ID: 4e412d59b3f557d431f1d81c715a3bc0491cc677
|
||||
---
|
||||
clientloop.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/clientloop.c b/clientloop.c
|
||||
index eb4902905fb..8ec36af94b3 100644
|
||||
--- a/clientloop.c
|
||||
+++ b/clientloop.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: clientloop.c,v 1.402 2023/11/24 00:31:30 dtucker Exp $ */
|
||||
+/* $OpenBSD: clientloop.c,v 1.403 2024/02/21 05:57:34 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -517,7 +517,7 @@ send_chaff(struct ssh *ssh)
|
||||
{
|
||||
int r;
|
||||
|
||||
- if ((ssh->kex->flags & KEX_HAS_PING) == 0)
|
||||
+ if (ssh->kex == NULL || (ssh->kex->flags & KEX_HAS_PING) == 0)
|
||||
return 0;
|
||||
/* XXX probabilistically send chaff? */
|
||||
/*
|
@ -0,0 +1,38 @@
|
||||
From 146c420d29d055cc75c8606327a1cf8439fe3a08 Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Mon, 1 Jul 2024 04:31:17 +0000
|
||||
Subject: [PATCH] upstream: when sending ObscureKeystrokeTiming chaff packets,
|
||||
we
|
||||
|
||||
can't rely on channel_did_enqueue to tell that there is data to send. This
|
||||
flag indicates that the channels code enqueued a packet on _this_ ppoll()
|
||||
iteration, not that data was enqueued in _any_ ppoll() iteration in the
|
||||
timeslice. ok markus@
|
||||
|
||||
OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
|
||||
---
|
||||
clientloop.c | 7 ++++---
|
||||
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/clientloop.c b/clientloop.c
|
||||
index 0b6f3c9be02..8ed8b1c3449 100644
|
||||
--- a/clientloop.c
|
||||
+++ b/clientloop.c
|
||||
#@@ -1,4 +1,4 @@
|
||||
#-/* $OpenBSD: clientloop.c,v 1.407 2024/05/17 06:42:04 jsg Exp $ */
|
||||
#+/* $OpenBSD: clientloop.c,v 1.408 2024/07/01 04:31:17 djm Exp $ */
|
||||
# /*
|
||||
# * Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
# * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -607,8 +607,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
|
||||
if (timespeccmp(&now, &chaff_until, >=)) {
|
||||
/* Stop if there have been no keystrokes for a while */
|
||||
stop_reason = "chaff time expired";
|
||||
- } else if (timespeccmp(&now, &next_interval, >=)) {
|
||||
- /* Otherwise if we were due to send, then send chaff */
|
||||
+ } else if (timespeccmp(&now, &next_interval, >=) &&
|
||||
+ !ssh_packet_have_data_to_write(ssh)) {
|
||||
+ /* If due to send but have no data, then send chaff */
|
||||
if (send_chaff(ssh))
|
||||
nchaff++;
|
||||
}
|
19
fix-CVE-2024-6387.patch
Normal file
19
fix-CVE-2024-6387.patch
Normal file
@ -0,0 +1,19 @@
|
||||
Index: openssh-9.6p1/log.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/log.c
|
||||
+++ openssh-9.6p1/log.c
|
||||
@@ -451,12 +451,14 @@ void
|
||||
sshsigdie(const char *file, const char *func, int line, int showfunc,
|
||||
LogLevel level, const char *suffix, const char *fmt, ...)
|
||||
{
|
||||
+#if 0
|
||||
va_list args;
|
||||
|
||||
va_start(args, fmt);
|
||||
sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
|
||||
suffix, fmt, args);
|
||||
va_end(args);
|
||||
+#endif
|
||||
_exit(1);
|
||||
}
|
||||
|
@ -1,39 +0,0 @@
|
||||
From fcc66557503124ab98491a598b706a24eb3cf0e1 Mon Sep 17 00:00:00 2001
|
||||
From: Antonio Larrosa <alarrosa@suse.com>
|
||||
Date: Mon, 12 Aug 2024 11:32:42 +0200
|
||||
Subject: [PATCH] Fix a small memory leak in process_server_config_line_depth
|
||||
|
||||
The return value of argv_assemble is owned by the caller and should be
|
||||
free'd. When processing the sSubsystem case there are two calls to
|
||||
argv_assemble but only one of them is freed. This patch fixes the small
|
||||
(29 bytes according to valgrind) memory leak.
|
||||
|
||||
The output from valgrind:
|
||||
==115369== 29 bytes in 1 blocks are definitely lost in loss record 573 of 913
|
||||
==115369== at 0x4845794: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
|
||||
==115369== by 0x124A22: argv_assemble (misc.c:2165)
|
||||
==115369== by 0x1385E5: process_server_config_line_depth.constprop.0 (servconf.c:2004)
|
||||
==115369== by 0x13984D: parse_server_config_depth.constprop.0 (servconf.c:3032)
|
||||
==115369== by 0x139986: parse_server_config.constprop.0 (servconf.c:3049)
|
||||
==115369== by 0x111C6E: main (sshd.c:1445)
|
||||
|
||||
Submitted to upstream at https://github.com/openssh/openssh-portable/pull/515
|
||||
---
|
||||
servconf.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index 5a20d6f8..0b989b95 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -2006,6 +2006,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||
xasprintf(&options->subsystem_args[options->num_subsystems],
|
||||
"%s%s%s", arg, *arg2 == '\0' ? "" : " ", arg2);
|
||||
free(arg2);
|
||||
+ free(arg);
|
||||
argv_consume(&ac);
|
||||
options->num_subsystems++;
|
||||
break;
|
||||
--
|
||||
2.45.2
|
||||
|
25
fix-missing-lz.patch
Normal file
25
fix-missing-lz.patch
Normal file
@ -0,0 +1,25 @@
|
||||
Index: openssh-9.3p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-9.3p1.orig/Makefile.in
|
||||
+++ openssh-9.3p1/Makefile.in
|
||||
@@ -250,17 +250,17 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
|
||||
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o $(SFTPSERVER_OBJS)
|
||||
- $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
+ $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
|
||||
|
||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
|
||||
$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
||||
|
||||
# FIPS tests
|
||||
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
|
||||
- $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
+ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
|
||||
|
||||
cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o
|
||||
- $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
+ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
|
||||
|
||||
# test driver for the loginrec code - not built by default
|
||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
@ -14,11 +14,11 @@ index f0ea07e7b..35dcf45f1 100644
|
||||
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB) $(LIBSYSTEMD)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB) $(LIBSYSTEMD)
|
||||
|
||||
sshd-session$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHD_SESSION_OBJS)
|
||||
$(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
|
||||
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index a12c6f7ad..860df3379 100644
|
||||
--- a/configure.ac
|
||||
@ -106,7 +106,7 @@ index 86caf83b2..8b413190b 100644
|
||||
#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
|
||||
if (li->type == LTYPE_LOGIN &&
|
||||
!sys_auth_record_login(li->username,li->hostname,li->line,
|
||||
@@ -1476,6 +1486,91 @@ wtmpdb_write_entry(struct logininfo *li)
|
||||
@@ -1476,6 +1486,88 @@ wtmpdb_write_entry(struct logininfo *li)
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -171,12 +171,9 @@ index 86caf83b2..8b413190b 100644
|
||||
+
|
||||
+ free(dbus_path);
|
||||
+
|
||||
+ if (sd_bus_flush(bus) < 0) {
|
||||
+ sd_bus_unref(bus);
|
||||
+ if (sd_bus_flush(bus) < 0)
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
+ sd_bus_unref(bus);
|
||||
+ return (1);
|
||||
+}
|
||||
+
|
||||
|
@ -104,10 +104,10 @@ Index: openssh-9.6p1/openbsd-compat/port-linux.h
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
Index: openssh-9.6p1/sshd-session.c
|
||||
Index: openssh-9.6p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/sshd-session.c
|
||||
+++ openssh-9.6p1/sshd-session.c
|
||||
--- openssh-9.6p1.orig/sshd.c
|
||||
+++ openssh-9.6p1/sshd.c
|
||||
@@ -511,7 +511,7 @@ privsep_preauth_child(struct ssh *ssh)
|
||||
demote_sensitive_data(ssh);
|
||||
|
||||
|
@ -37,14 +37,14 @@ Index: openssh-9.3p2/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/Makefile.in
|
||||
+++ openssh-9.3p2/Makefile.in
|
||||
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
@@ -24,6 +24,7 @@ SSH_PROGRAM=@bindir@/ssh
|
||||
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
+SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
||||
SSHD_SESSION=$(libexecdir)/sshd-session
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
||||
@@ -57,6 +58,7 @@ CHANNELLIBS=@CHANNELLIBS@
|
||||
K5LIBS=@K5LIBS@
|
||||
GSSLIBS=@GSSLIBS@
|
||||
@ -53,12 +53,12 @@ Index: openssh-9.3p2/Makefile.in
|
||||
LIBEDIT=@LIBEDIT@
|
||||
LIBFIDO2=@LIBFIDO2@
|
||||
LIBWTMPDB=@LIBWTMPDB@
|
||||
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
|
||||
@@ -75,7 +77,7 @@ MKDIR_P=@MKDIR_P@
|
||||
|
||||
.SUFFIXES: .lo
|
||||
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||
|
||||
TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
|
||||
|
||||
@ -99,9 +99,9 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
|
||||
extern Authctxt *the_authctxt;
|
||||
@@ -53,6 +53,20 @@ extern Authctxt *the_authctxt;
|
||||
extern int inetd_flag;
|
||||
extern int rexeced_flag;
|
||||
|
||||
+/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||
+int
|
||||
@ -129,14 +129,14 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
{
|
||||
const char *reqlvl;
|
||||
char *role;
|
||||
@@ -319,16 +333,16 @@ sshd_selinux_setup_pam_variables(void)
|
||||
@@ -329,16 +343,16 @@ sshd_selinux_setup_pam_variables(void)
|
||||
|
||||
ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
|
||||
- rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||
+ rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||
|
||||
if (inetd_flag) {
|
||||
if (inetd_flag && !rexeced_flag) {
|
||||
use_current = "1";
|
||||
} else {
|
||||
use_current = "";
|
||||
|
@ -52,7 +52,7 @@ Index: openssh-9.3p2/session.c
|
||||
platform_setusercontext(pw);
|
||||
|
||||
- if (platform_privileged_uidswap()) {
|
||||
+ if (platform_privileged_uidswap() && !is_child) {
|
||||
+ if (platform_privileged_uidswap() && (!is_child || !use_privsep)) {
|
||||
#ifdef HAVE_LOGIN_CAP
|
||||
if (setusercontext(lc, pw, pw->pw_uid,
|
||||
(LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
|
||||
@ -98,11 +98,11 @@ Index: openssh-9.3p2/session.c
|
||||
exit(sftp_server_main(i, argv, s->pw));
|
||||
}
|
||||
|
||||
Index: openssh-9.3p2/sshd-session.c
|
||||
Index: openssh-9.3p2/sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/sshd-session.c
|
||||
+++ openssh-9.3p2/sshd-session.c
|
||||
@@ -342,6 +342,10 @@ privsep_preauth_child(struct ssh *ssh)
|
||||
--- openssh-9.3p2.orig/sshd.c
|
||||
+++ openssh-9.3p2/sshd.c
|
||||
@@ -510,6 +510,10 @@ privsep_preauth_child(struct ssh *ssh)
|
||||
/* Demote the private keys to public keys. */
|
||||
demote_sensitive_data(ssh);
|
||||
|
||||
@ -113,12 +113,13 @@ Index: openssh-9.3p2/sshd-session.c
|
||||
/* Demote the child */
|
||||
if (privsep_chroot) {
|
||||
/* Change our root directory */
|
||||
@@ -444,7 +448,7 @@ privsep_postauth(struct ssh *ssh, Authct
|
||||
* fd passing, as AFAIK PTY allocation on this platform doesn't require
|
||||
* special privileges to begin with.
|
||||
*/
|
||||
-#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN)
|
||||
+#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN) && !defined(WITH_SELINUX)
|
||||
skip_privdrop = 1;
|
||||
#endif
|
||||
@@ -602,6 +606,9 @@ privsep_postauth(struct ssh *ssh, Authct
|
||||
|
||||
#ifdef DISABLE_FD_PASSING
|
||||
if (1) {
|
||||
+#elif defined(WITH_SELINUX)
|
||||
+ if (0) {
|
||||
+ /* even root user can be confined by SELinux */
|
||||
#else
|
||||
if (authctxt->pw->pw_uid == 0) {
|
||||
#endif
|
||||
|
@ -9,16 +9,16 @@ Index: openssh-9.3p2/auth2-pubkey.c
|
||||
+extern int inetd_flag;
|
||||
+extern int rexeced_flag;
|
||||
+extern Authctxt *the_authctxt;
|
||||
extern struct authmethod_cfg methodcfg_pubkey;
|
||||
|
||||
static char *
|
||||
format_key(const struct sshkey *key)
|
||||
@@ -459,7 +462,8 @@ match_principals_command(struct passwd *
|
||||
if ((pid = subprocess("AuthorizedPrincipalsCommand", command,
|
||||
ac, av, &f,
|
||||
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||
- runas_pw, temporarily_use_uid, restore_uid)) == 0)
|
||||
+ runas_pw, temporarily_use_uid, restore_uid,
|
||||
+ inetd_flag, the_authctxt)) == 0)
|
||||
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
||||
goto out;
|
||||
|
||||
uid_swapped = 1;
|
||||
@ -28,7 +28,7 @@ Index: openssh-9.3p2/auth2-pubkey.c
|
||||
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||
- runas_pw, temporarily_use_uid, restore_uid)) == 0)
|
||||
+ runas_pw, temporarily_use_uid, restore_uid,
|
||||
+ inetd_flag, the_authctxt)) == 0)
|
||||
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
||||
goto out;
|
||||
|
||||
uid_swapped = 1;
|
||||
@ -87,13 +87,14 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
|
||||
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
@@ -49,10 +49,6 @@
|
||||
@@ -49,11 +49,6 @@
|
||||
#include <unistd.h>
|
||||
#endif
|
||||
|
||||
-extern ServerOptions options;
|
||||
-extern Authctxt *the_authctxt;
|
||||
-extern int inetd_flag;
|
||||
-extern int rexeced_flag;
|
||||
-
|
||||
/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||
int
|
||||
@ -132,7 +133,7 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
|
||||
if (r == 0) {
|
||||
/* If launched from xinetd, we must use current level */
|
||||
- if (inetd_flag) {
|
||||
- if (inetd_flag && !rexeced_flag) {
|
||||
+ if (inetd) {
|
||||
security_context_t sshdsc=NULL;
|
||||
|
||||
@ -156,7 +157,7 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
||||
|
||||
rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||
|
||||
- if (inetd_flag) {
|
||||
- if (inetd_flag && !rexeced_flag) {
|
||||
+ if (inetd) {
|
||||
use_current = "1";
|
||||
} else {
|
||||
@ -221,46 +222,56 @@ Index: openssh-9.3p2/platform.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/platform.c
|
||||
+++ openssh-9.3p2/platform.c
|
||||
@@ -34,6 +34,8 @@
|
||||
#include "openbsd-compat/openbsd-compat.h"
|
||||
@@ -34,6 +34,9 @@
|
||||
|
||||
extern int use_privsep;
|
||||
extern ServerOptions options;
|
||||
+extern int inetd_flag;
|
||||
+extern int rexeced_flag;
|
||||
+extern Authctxt *the_authctxt;
|
||||
|
||||
/* return 1 if we are running with privilege to swap UIDs, 0 otherwise */
|
||||
int
|
||||
@@ -185,7 +187,9 @@ platform_setusercontext_post_groups(stru
|
||||
void
|
||||
platform_pre_listen(void)
|
||||
@@ -185,7 +188,9 @@ platform_setusercontext_post_groups(stru
|
||||
}
|
||||
#endif /* HAVE_SETPCRED */
|
||||
#ifdef WITH_SELINUX
|
||||
- sshd_selinux_setup_exec_context(pw->pw_name);
|
||||
+ sshd_selinux_setup_exec_context(pw->pw_name,
|
||||
+ inetd_flag, do_pam_putenv, the_authctxt,
|
||||
+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
|
||||
+ options.use_pam);
|
||||
#endif
|
||||
}
|
||||
|
||||
Index: openssh-9.3p2/sshd-session.c
|
||||
Index: openssh-9.3p2/sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/sshd-session.c
|
||||
+++ openssh-9.3p2/sshd-session.c
|
||||
--- openssh-9.3p2.orig/sshd.c
|
||||
+++ openssh-9.3p2/sshd.c
|
||||
@@ -166,7 +166,7 @@ int debug_flag = 0;
|
||||
int debug_flag = 0;
|
||||
static int test_flag = 0;
|
||||
|
||||
/* Flag indicating that the daemon is being started from inetd. */
|
||||
-static int inetd_flag = 0;
|
||||
+int inetd_flag = 0;
|
||||
|
||||
/* debug goes to stderr unless inetd_flag is set */
|
||||
static int log_stderr = 0;
|
||||
/* Flag indicating that sshd should not detach and become a daemon. */
|
||||
static int no_daemon_flag = 0;
|
||||
@@ -179,7 +179,7 @@ static char **saved_argv;
|
||||
static int saved_argc;
|
||||
|
||||
/* re-exec */
|
||||
-static int rexeced_flag = 0;
|
||||
+int rexeced_flag = 0;
|
||||
static int rexec_flag = 1;
|
||||
static int rexec_argc = 0;
|
||||
static char **rexec_argv;
|
||||
@@ -2396,7 +2396,9 @@ main(int ac, char **av)
|
||||
}
|
||||
#endif
|
||||
#ifdef WITH_SELINUX
|
||||
- sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
|
||||
+ sshd_selinux_setup_exec_context(authctxt->pw->pw_name,
|
||||
+ inetd_flag, do_pam_putenv, the_authctxt,
|
||||
+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
|
||||
+ options.use_pam);
|
||||
#endif
|
||||
#ifdef USE_PAM
|
||||
|
@ -7,7 +7,7 @@ Index: openssh-8.8p1/Makefile.in
|
||||
--- openssh-8.8p1.orig/Makefile.in
|
||||
+++ openssh-8.8p1/Makefile.in
|
||||
@@ -26,6 +26,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSHD_SESSION=$(libexecdir)/sshd-session
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||
+CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
||||
@ -16,7 +16,7 @@ Index: openssh-8.8p1/Makefile.in
|
||||
STRIP_OPT=@STRIP_OPT@
|
||||
@@ -69,6 +70,8 @@ MKDIR_P=@MKDIR_P@
|
||||
|
||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||
|
||||
+TARGETS += cavstest-ctr$(EXEEXT)
|
||||
+
|
||||
@ -29,7 +29,7 @@ Index: openssh-8.8p1/Makefile.in
|
||||
|
||||
+# FIPS tests
|
||||
+cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
|
||||
+ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
|
||||
+ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
+
|
||||
# test driver for the loginrec code - not built by default
|
||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
||||
|
@ -16,7 +16,7 @@ Index: openssh-8.8p1/Makefile.in
|
||||
STRIP_OPT=@STRIP_OPT@
|
||||
@@ -70,7 +71,7 @@ MKDIR_P=@MKDIR_P@
|
||||
|
||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||
|
||||
-TARGETS += cavstest-ctr$(EXEEXT)
|
||||
+TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
|
||||
@ -25,10 +25,10 @@ Index: openssh-8.8p1/Makefile.in
|
||||
ssh-xmss.o \
|
||||
@@ -252,6 +253,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S
|
||||
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
|
||||
$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
|
||||
$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
|
||||
+cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o
|
||||
+ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
|
||||
+ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
|
||||
+
|
||||
# test driver for the loginrec code - not built by default
|
||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
||||
|
@ -389,17 +389,17 @@ Index: openssh-9.6p1/hmac.c
|
||||
ssh_hmac_update(ctx, m, mlen) < 0 ||
|
||||
Index: openssh-9.6p1/kex.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/kex-names.c
|
||||
+++ openssh-9.6p1/kex-names.c
|
||||
--- openssh-9.6p1.orig/kex.c
|
||||
+++ openssh-9.6p1/kex.c
|
||||
@@ -64,6 +64,8 @@
|
||||
#include "ssherr.h"
|
||||
#include "digest.h"
|
||||
#include "xmalloc.h"
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
struct kexalg {
|
||||
char *name;
|
||||
u_int type;
|
||||
/* prototype */
|
||||
static int kex_choose_conf(struct ssh *, uint32_t seq);
|
||||
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
|
||||
@@ -87,7 +89,7 @@ struct kexalg {
|
||||
int ec_nid;
|
||||
int hash_alg;
|
||||
@ -647,8 +647,8 @@ Index: openssh-9.6p1/servconf.c
|
||||
#include "digest.h"
|
||||
+#include "fips.h"
|
||||
|
||||
#if !defined(SSHD_PAM_SERVICE)
|
||||
# define SSHD_PAM_SERVICE "sshd"
|
||||
static void add_listen_addr(ServerOptions *, const char *,
|
||||
const char *, int);
|
||||
@@ -207,6 +208,23 @@ option_clear_or_none(const char *o)
|
||||
return o == NULL || strcasecmp(o, "none") == 0;
|
||||
}
|
||||
@ -785,8 +785,8 @@ Index: openssh-9.6p1/sshd.c
|
||||
--- openssh-9.6p1.orig/sshd.c
|
||||
+++ openssh-9.6p1/sshd.c
|
||||
@@ -128,6 +128,8 @@
|
||||
#include "addr.h"
|
||||
#include "srclimit.h"
|
||||
#include "dh.h"
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
|
@ -459,13 +459,13 @@ Index: openssh-8.8p1/sshd.c
|
||||
--- openssh-8.8p1.orig/sshd.c
|
||||
+++ openssh-8.8p1/sshd.c
|
||||
@@ -1547,6 +1547,10 @@ main(int ac, char **av)
|
||||
struct connection_info connection_info;
|
||||
struct connection_info *connection_info = NULL;
|
||||
sigset_t sigmask;
|
||||
|
||||
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
|
||||
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
|
||||
+ fips_ssh_init();
|
||||
+
|
||||
memset(&connection_info, 0, sizeof(connection_info));
|
||||
#ifdef HAVE_SECUREWARE
|
||||
(void)set_auth_parameters(ac, av);
|
||||
#endif
|
||||
|
@ -128,7 +128,7 @@ Index: openssh-8.9p1/Makefile.in
|
||||
--- openssh-8.9p1.orig/Makefile.in
|
||||
+++ openssh-8.9p1/Makefile.in
|
||||
@@ -27,6 +27,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSHD_SESSION=$(libexecdir)/sshd-session
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
||||
@ -168,7 +168,7 @@ Index: openssh-8.9p1/Makefile.in
|
||||
$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@@ -421,6 +429,10 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sshd-session$(EXEEXT) $(DESTDIR)$(SSHD_SESSION)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
||||
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
|
||||
|
@ -32,17 +32,17 @@ Index: openssh-8.8p1/servconf.c
|
||||
--- openssh-8.8p1.orig/servconf.c
|
||||
+++ openssh-8.8p1/servconf.c
|
||||
@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions
|
||||
|
||||
/* Portable-specific options */
|
||||
options->use_pam = -1;
|
||||
options->pam_service_name = NULL;
|
||||
+ options->use_pam_check_locks = -1;
|
||||
|
||||
/* Standard Options */
|
||||
options->num_ports = 0;
|
||||
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
|
||||
/* Portable-specific options */
|
||||
if (options->use_pam == -1)
|
||||
options->use_pam = 0;
|
||||
if (options->pam_service_name == NULL)
|
||||
options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);
|
||||
+ if (options->use_pam_check_locks == -1)
|
||||
+ options->use_pam_check_locks = 0;
|
||||
|
||||
@ -52,27 +52,26 @@ Index: openssh-8.8p1/servconf.c
|
||||
typedef enum {
|
||||
sBadOption, /* == unknown option */
|
||||
/* Portable-specific options */
|
||||
- sUsePAM, sPAMServiceName,
|
||||
+ sUsePAM, sPAMServiceName, sUsePAMChecklocks,
|
||||
- sUsePAM,
|
||||
+ sUsePAM, sUsePAMChecklocks,
|
||||
/* Standard Options */
|
||||
sPort, sHostKeyFile, sLoginGraceTime,
|
||||
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
||||
@@ -535,9 +538,11 @@ static struct {
|
||||
@@ -535,8 +538,10 @@ static struct {
|
||||
/* Portable-specific options */
|
||||
#ifdef USE_PAM
|
||||
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
|
||||
{ "pamservicename", sPAMServiceName, SSHCFG_ALL },
|
||||
+ { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
|
||||
#else
|
||||
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "pamservicename", sUnsupported, SSHCFG_ALL },
|
||||
+ { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
|
||||
/* Standard Options */
|
||||
@@ -1331,6 +1336,9 @@ process_server_config_line_depth(ServerO
|
||||
if (*activep && *charptr == NULL)
|
||||
*charptr = xstrdup(arg);
|
||||
break;
|
||||
case sUsePAM:
|
||||
intptr = &options->use_pam;
|
||||
goto parse_flag;
|
||||
+ case sUsePAMChecklocks:
|
||||
+ intptr = &options->use_pam_check_locks;
|
||||
+ goto parse_flag;
|
||||
@ -84,9 +83,9 @@ Index: openssh-8.8p1/servconf.h
|
||||
--- openssh-8.8p1.orig/servconf.h
|
||||
+++ openssh-8.8p1/servconf.h
|
||||
@@ -200,6 +200,7 @@ typedef struct {
|
||||
char *adm_forced_command;
|
||||
|
||||
int use_pam; /* Enable auth via PAM */
|
||||
char *pam_service_name;
|
||||
+ int use_pam_check_locks; /* internally check for locked accounts even when using PAM */
|
||||
|
||||
int permit_tun;
|
||||
|
@ -61,7 +61,7 @@ Index: openssh-8.8p1/sshd.c
|
||||
+
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
#include "sshpty.h"
|
||||
#include "ssh2.h"
|
||||
@@ -308,6 +312,10 @@ sighup_handler(int sig)
|
||||
static void
|
||||
sighup_restart(void)
|
||||
@ -84,4 +84,4 @@ Index: openssh-8.8p1/sshd.c
|
||||
+
|
||||
/* Accept a connection and return in a forked child */
|
||||
server_accept_loop(&sock_in, &sock_out,
|
||||
&newsock, config_s, log_stderr);
|
||||
&newsock, config_s);
|
||||
|
@ -1,7 +1,8 @@
|
||||
diff -up openssh/auth2.c.role-mls openssh/auth2.c
|
||||
--- openssh/auth2.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth2.c 2018-08-22 11:14:56.815430916 +0200
|
||||
@@ -256,6 +256,9 @@ input_userauth_request(int type, u_int32
|
||||
Index: openssh-9.6p1/auth2.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/auth2.c
|
||||
+++ openssh-9.6p1/auth2.c
|
||||
@@ -273,6 +273,9 @@ input_userauth_request(int type, u_int32
|
||||
Authctxt *authctxt = ssh->authctxt;
|
||||
Authmethod *m = NULL;
|
||||
char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
|
||||
@ -11,7 +12,7 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c
|
||||
int r, authenticated = 0;
|
||||
double tstart = monotime_double();
|
||||
|
||||
@@ -268,6 +271,11 @@ input_userauth_request(int type, u_int32
|
||||
@@ -286,6 +289,11 @@ input_userauth_request(int type, u_int32
|
||||
debug("userauth-request for user %s service %s method %s", user, service, method);
|
||||
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
|
||||
|
||||
@ -23,32 +24,36 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c
|
||||
if ((style = strchr(user, ':')) != NULL)
|
||||
*style++ = 0;
|
||||
|
||||
@@ -314,7 +314,13 @@ input_userauth_request(int type, u_int32
|
||||
setproctitle("%s [net]", authctxt->valid ? user : "unknown");
|
||||
@@ -313,8 +321,15 @@ input_userauth_request(int type, u_int32
|
||||
use_privsep ? " [net]" : "");
|
||||
authctxt->service = xstrdup(service);
|
||||
authctxt->style = style ? xstrdup(style) : NULL;
|
||||
- if (use_privsep)
|
||||
+#ifdef WITH_SELINUX
|
||||
+ authctxt->role = role ? xstrdup(role) : NULL;
|
||||
+#endif
|
||||
+ if (use_privsep) {
|
||||
mm_inform_authserv(service, style);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ mm_inform_authrole(role);
|
||||
+#endif
|
||||
+ }
|
||||
userauth_banner(ssh);
|
||||
if ((r = kex_server_update_ext_info(ssh)) != 0)
|
||||
fatal_fr(r, "kex_server_update_ext_info failed");
|
||||
diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
||||
--- openssh/auth2-gss.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth2-gss.c 2018-08-22 11:15:42.459799171 +0200
|
||||
@@ -281,6 +281,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
Index: openssh-9.6p1/auth2-gss.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/auth2-gss.c
|
||||
+++ openssh-9.6p1/auth2-gss.c
|
||||
@@ -331,6 +331,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
Authctxt *authctxt = ssh->authctxt;
|
||||
Gssctxt *gssctxt;
|
||||
int r, authenticated = 0;
|
||||
+ char *micuser;
|
||||
struct sshbuf *b;
|
||||
gss_buffer_desc mic, gssbuf;
|
||||
u_char *p;
|
||||
@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
const char *displayname;
|
||||
@@ -348,7 +349,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
fatal_f("sshbuf_new failed");
|
||||
mic.value = p;
|
||||
mic.length = len;
|
||||
@ -63,7 +68,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
||||
"gssapi-with-mic", ssh->kex->session_id);
|
||||
|
||||
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
||||
@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
@@ -362,6 +369,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
logit("GSSAPI MIC check failed");
|
||||
|
||||
sshbuf_free(b);
|
||||
@ -71,11 +76,12 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
||||
+ free(micuser);
|
||||
free(mic.value);
|
||||
|
||||
authctxt->postponed = 0;
|
||||
diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
|
||||
--- openssh/auth2-hostbased.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
|
||||
@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
|
||||
if ((!use_privsep || mm_is_monitor()) &&
|
||||
Index: openssh-9.6p1/auth2-hostbased.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/auth2-hostbased.c
|
||||
+++ openssh-9.6p1/auth2-hostbased.c
|
||||
@@ -128,7 +128,16 @@ userauth_hostbased(struct ssh *ssh, cons
|
||||
/* reconstruct packet */
|
||||
if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 ||
|
||||
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||
@ -92,10 +98,11 @@ diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
|
||||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, method)) != 0 ||
|
||||
(r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
|
||||
diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
|
||||
--- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200
|
||||
+++ openssh/auth2-pubkey.c 2018-08-22 11:17:07.331483958 +0200
|
||||
@@ -169,9 +169,16 @@ userauth_pubkey(struct ssh *ssh)
|
||||
Index: openssh-9.6p1/auth2-pubkey.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/auth2-pubkey.c
|
||||
+++ openssh-9.6p1/auth2-pubkey.c
|
||||
@@ -200,9 +200,16 @@ userauth_pubkey(struct ssh *ssh, const c
|
||||
goto done;
|
||||
}
|
||||
/* reconstruct packet */
|
||||
@ -114,9 +121,10 @@ diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
|
||||
if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, userstyle)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
|
||||
diff -up openssh/auth.h.role-mls openssh/auth.h
|
||||
--- openssh/auth.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth.h 2018-08-22 11:14:56.816430924 +0200
|
||||
Index: openssh-9.6p1/auth.h
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/auth.h
|
||||
+++ openssh-9.6p1/auth.h
|
||||
@@ -65,6 +65,9 @@ struct Authctxt {
|
||||
char *service;
|
||||
struct passwd *pw; /* set if 'valid' */
|
||||
@ -127,10 +135,11 @@ diff -up openssh/auth.h.role-mls openssh/auth.h
|
||||
|
||||
/* Method lists for multiple authentication */
|
||||
char **auth_methods; /* modified from server config */
|
||||
diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c
|
||||
--- openssh/auth-pam.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth-pam.c 2018-08-22 11:14:56.816430924 +0200
|
||||
@@ -1172,7 +1172,7 @@ is_pam_session_open(void)
|
||||
Index: openssh-9.6p1/auth-pam.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/auth-pam.c
|
||||
+++ openssh-9.6p1/auth-pam.c
|
||||
@@ -1242,7 +1242,7 @@ is_pam_session_open(void)
|
||||
* during the ssh authentication process.
|
||||
*/
|
||||
int
|
||||
@ -139,22 +148,24 @@ diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c
|
||||
{
|
||||
int ret = 1;
|
||||
char *compound;
|
||||
diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
|
||||
--- openssh/auth-pam.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth-pam.h 2018-08-22 11:14:56.817430932 +0200
|
||||
Index: openssh-9.6p1/auth-pam.h
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/auth-pam.h
|
||||
+++ openssh-9.6p1/auth-pam.h
|
||||
@@ -33,7 +33,7 @@ u_int do_pam_account(void);
|
||||
void do_pam_session(struct ssh *);
|
||||
void do_pam_setcred(void);
|
||||
void do_pam_setcred(int );
|
||||
void do_pam_chauthtok(void);
|
||||
-int do_pam_putenv(char *, char *);
|
||||
+int do_pam_putenv(char *, const char *);
|
||||
char ** fetch_pam_environment(void);
|
||||
char ** fetch_pam_child_environment(void);
|
||||
void free_pam_environment(char **);
|
||||
diff -up openssh/misc.c.role-mls openssh/misc.c
|
||||
--- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200
|
||||
@@ -542,6 +542,7 @@ char *
|
||||
Index: openssh-9.6p1/misc.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/misc.c
|
||||
+++ openssh-9.6p1/misc.c
|
||||
@@ -771,6 +771,7 @@ char *
|
||||
colon(char *cp)
|
||||
{
|
||||
int flag = 0;
|
||||
@ -162,7 +173,7 @@ diff -up openssh/misc.c.role-mls openssh/misc.c
|
||||
|
||||
if (*cp == ':') /* Leading colon is part of file name. */
|
||||
return NULL;
|
||||
@@ -557,6 +558,13 @@ colon(char *cp)
|
||||
@@ -786,6 +787,13 @@ colon(char *cp)
|
||||
return (cp);
|
||||
if (*cp == '/')
|
||||
return NULL;
|
||||
@ -176,10 +187,11 @@ diff -up openssh/misc.c.role-mls openssh/misc.c
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
|
||||
--- openssh-8.6p1/monitor.c.role-mls 2021-04-16 05:55:25.000000000 +0200
|
||||
+++ openssh-8.6p1/monitor.c 2021-05-21 14:21:56.719414087 +0200
|
||||
@@ -117,6 +117,9 @@ int mm_answer_sign(struct ssh *, int, st
|
||||
Index: openssh-9.6p1/monitor.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/monitor.c
|
||||
+++ openssh-9.6p1/monitor.c
|
||||
@@ -120,6 +120,9 @@ int mm_answer_sign(struct ssh *, int, st
|
||||
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
|
||||
@ -189,7 +201,7 @@ diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
|
||||
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
|
||||
@@ -195,6 +198,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||
@@ -200,6 +203,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||
@ -199,7 +211,7 @@ diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
|
||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||
#ifdef USE_PAM
|
||||
@@ -803,6 +809,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
|
||||
@@ -834,6 +840,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
|
||||
|
||||
/* Allow service/style information on the auth context */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||
@ -209,7 +221,7 @@ diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||
|
||||
#ifdef USE_PAM
|
||||
@@ -877,6 +886,26 @@ key_base_type_match(const char *method,
|
||||
@@ -908,6 +917,26 @@ key_base_type_match(const char *method,
|
||||
return found;
|
||||
}
|
||||
|
||||
@ -236,7 +248,7 @@ diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
|
||||
int
|
||||
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
{
|
||||
@@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh,
|
||||
@@ -1280,7 +1309,7 @@ monitor_valid_userblob(struct ssh *ssh,
|
||||
struct sshbuf *b;
|
||||
struct sshkey *hostkey = NULL;
|
||||
const u_char *p;
|
||||
@ -245,7 +257,7 @@ diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
|
||||
size_t len;
|
||||
u_char type;
|
||||
int hostbound = 0, r, fail = 0;
|
||||
@@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh,
|
||||
@@ -1311,6 +1340,8 @@ monitor_valid_userblob(struct ssh *ssh,
|
||||
fail++;
|
||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||
fatal_fr(r, "parse userstyle");
|
||||
@ -254,7 +266,7 @@ diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
|
||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
authctxt->style ? authctxt->style : "");
|
||||
@@ -1317,7 +1348,7 @@ monitor_valid_hostbasedblob(const u_char
|
||||
@@ -1361,7 +1392,7 @@ monitor_valid_hostbasedblob(const u_char
|
||||
{
|
||||
struct sshbuf *b;
|
||||
const u_char *p;
|
||||
@ -263,7 +275,7 @@ diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
|
||||
size_t len;
|
||||
int r, fail = 0;
|
||||
u_char type;
|
||||
@@ -1338,6 +1370,8 @@ monitor_valid_hostbasedblob(const u_char
|
||||
@@ -1382,6 +1413,8 @@ monitor_valid_hostbasedblob(const u_char
|
||||
fail++;
|
||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||
fatal_fr(r, "parse userstyle");
|
||||
@ -272,9 +284,10 @@ diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
|
||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
authctxt->style ? authctxt->style : "");
|
||||
diff -up openssh/monitor.h.role-mls openssh/monitor.h
|
||||
--- openssh/monitor.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/monitor.h 2018-08-22 11:14:56.818430941 +0200
|
||||
Index: openssh-9.6p1/monitor.h
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/monitor.h
|
||||
+++ openssh-9.6p1/monitor.h
|
||||
@@ -55,6 +55,10 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
|
||||
MONITOR_REQ_TERM = 50,
|
||||
@ -286,10 +299,11 @@ diff -up openssh/monitor.h.role-mls openssh/monitor.h
|
||||
MONITOR_REQ_PAM_START = 100,
|
||||
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
|
||||
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
|
||||
diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
|
||||
--- openssh/monitor_wrap.c.role-mls 2018-08-22 11:14:56.818430941 +0200
|
||||
+++ openssh/monitor_wrap.c 2018-08-22 11:21:47.938747968 +0200
|
||||
@@ -390,6 +390,27 @@ mm_inform_authserv(char *service, char *
|
||||
Index: openssh-9.6p1/monitor_wrap.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/monitor_wrap.c
|
||||
+++ openssh-9.6p1/monitor_wrap.c
|
||||
@@ -396,6 +396,27 @@ mm_inform_authserv(char *service, char *
|
||||
sshbuf_free(m);
|
||||
}
|
||||
|
||||
@ -317,10 +331,11 @@ diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
|
||||
/* Do the password authentication */
|
||||
int
|
||||
mm_auth_password(struct ssh *ssh, char *password)
|
||||
diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
|
||||
--- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200
|
||||
+++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200
|
||||
@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
|
||||
Index: openssh-9.6p1/monitor_wrap.h
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/monitor_wrap.h
|
||||
+++ openssh-9.6p1/monitor_wrap.h
|
||||
@@ -49,6 +49,9 @@ int mm_sshkey_sign(struct ssh *, struct
|
||||
const u_char *, size_t, const char *, const char *,
|
||||
const char *, u_int compat);
|
||||
void mm_inform_authserv(char *, char *);
|
||||
@ -330,10 +345,11 @@ diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
|
||||
struct passwd *mm_getpwnamallow(struct ssh *, const char *);
|
||||
char *mm_auth2_read_banner(void);
|
||||
int mm_auth_password(struct ssh *, char *);
|
||||
diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Makefile.in
|
||||
--- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -92,7 +92,8 @@ PORTS= port-aix.o \
|
||||
Index: openssh-9.6p1/openbsd-compat/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/openbsd-compat/Makefile.in
|
||||
+++ openssh-9.6p1/openbsd-compat/Makefile.in
|
||||
@@ -100,7 +100,8 @@ PORTS= port-aix.o \
|
||||
port-prngd.o \
|
||||
port-solaris.o \
|
||||
port-net.o \
|
||||
@ -343,10 +359,11 @@ diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Make
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $<
|
||||
diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c
|
||||
--- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -100,37 +100,6 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
Index: openssh-9.6p1/openbsd-compat/port-linux.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/openbsd-compat/port-linux.c
|
||||
+++ openssh-9.6p1/openbsd-compat/port-linux.c
|
||||
@@ -101,37 +101,6 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
return sc;
|
||||
}
|
||||
|
||||
@ -384,7 +401,7 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por
|
||||
/* Set the TTY context for the specified user */
|
||||
void
|
||||
ssh_selinux_setup_pty(char *pwname, const char *tty)
|
||||
@@ -145,7 +114,11 @@ ssh_selinux_setup_pty(char *pwname, cons
|
||||
@@ -144,7 +113,11 @@ ssh_selinux_setup_pty(char *pwname, cons
|
||||
|
||||
debug3("%s: setting TTY context on %s", __func__, tty);
|
||||
|
||||
@ -397,9 +414,10 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por
|
||||
|
||||
/* XXX: should these calls fatal() upon failure in enforcing mode? */
|
||||
|
||||
diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/port-linux.h
|
||||
--- openssh/openbsd-compat/port-linux.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/openbsd-compat/port-linux.h 2018-08-22 11:14:56.819430949 +0200
|
||||
Index: openssh-9.6p1/openbsd-compat/port-linux.h
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/openbsd-compat/port-linux.h
|
||||
+++ openssh-9.6p1/openbsd-compat/port-linux.h
|
||||
@@ -20,9 +20,10 @@
|
||||
#ifdef WITH_SELINUX
|
||||
int ssh_selinux_enabled(void);
|
||||
@ -412,10 +430,11 @@ diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/por
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
|
||||
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
|
||||
+++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -0,0 +1,420 @@
|
||||
Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-9.6p1/openbsd-compat/port-linux-sshd.c
|
||||
@@ -0,0 +1,421 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
|
||||
@ -469,6 +488,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
||||
+extern ServerOptions options;
|
||||
+extern Authctxt *the_authctxt;
|
||||
+extern int inetd_flag;
|
||||
+extern int rexeced_flag;
|
||||
+
|
||||
+/* Send audit message */
|
||||
+static int
|
||||
@ -674,7 +694,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
||||
+
|
||||
+ if (r == 0) {
|
||||
+ /* If launched from xinetd, we must use current level */
|
||||
+ if (inetd_flag) {
|
||||
+ if (inetd_flag && !rexeced_flag) {
|
||||
+ security_context_t sshdsc=NULL;
|
||||
+
|
||||
+ if (getcon_raw(&sshdsc) < 0)
|
||||
@ -748,7 +768,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
||||
+
|
||||
+ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||
+
|
||||
+ if (inetd_flag) {
|
||||
+ if (inetd_flag && !rexeced_flag) {
|
||||
+ use_current = "1";
|
||||
+ } else {
|
||||
+ use_current = "";
|
||||
@ -836,10 +856,11 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
||||
+#endif
|
||||
+#endif
|
||||
+
|
||||
diff -up openssh/platform.c.role-mls openssh/platform.c
|
||||
--- openssh/platform.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/platform.c 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(stru
|
||||
Index: openssh-9.6p1/platform.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/platform.c
|
||||
+++ openssh-9.6p1/platform.c
|
||||
@@ -185,7 +185,7 @@ platform_setusercontext_post_groups(stru
|
||||
}
|
||||
#endif /* HAVE_SETPCRED */
|
||||
#ifdef WITH_SELINUX
|
||||
@ -848,10 +869,11 @@ diff -up openssh/platform.c.role-mls openssh/platform.c
|
||||
#endif
|
||||
}
|
||||
|
||||
diff -up openssh/sshd.c.role-mls openssh/sshd.c
|
||||
--- openssh/sshd-session.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/sshd-session.c 2018-08-22 11:14:56.820430957 +0200
|
||||
@@ -2186,6 +2186,9 @@ main(int ac, char **av)
|
||||
Index: openssh-9.6p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.6p1.orig/sshd.c
|
||||
+++ openssh-9.6p1/sshd.c
|
||||
@@ -2387,6 +2387,9 @@ main(int ac, char **av)
|
||||
restore_uid();
|
||||
}
|
||||
#endif
|
||||
@ -860,4 +882,4 @@ diff -up openssh/sshd.c.role-mls openssh/sshd.c
|
||||
+#endif
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam) {
|
||||
do_pam_setcred();
|
||||
do_pam_setcred(1);
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -236,7 +236,7 @@ Index: openssh-8.9p1/audit-linux.c
|
||||
/* Below is the sshd audit API code */
|
||||
|
||||
void
|
||||
@@ -76,49 +176,211 @@ audit_connection_from(const char *host,
|
||||
@@ -76,49 +176,210 @@ audit_connection_from(const char *host,
|
||||
/* not implemented */
|
||||
}
|
||||
|
||||
@ -315,7 +315,6 @@ Index: openssh-8.9p1/audit-linux.c
|
||||
case SSH_AUTH_FAIL_PASSWD:
|
||||
+ if (options.use_pam)
|
||||
+ break;
|
||||
+ /* Fallthrough */
|
||||
+ case SSH_LOGIN_EXCEED_MAXTRIES:
|
||||
case SSH_AUTH_FAIL_KBDINT:
|
||||
case SSH_AUTH_FAIL_PUBKEY:
|
||||
@ -452,7 +451,7 @@ Index: openssh-8.9p1/audit-linux.c
|
||||
+ }
|
||||
+ audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
|
||||
+ buf, NULL,
|
||||
+ ssh_remote_ipaddr(ssh), /*FIXME listening_for_clients() ? NULL : ssh_remote_ipaddr(ssh) */
|
||||
+ listening_for_clients() ? NULL : ssh_remote_ipaddr(ssh),
|
||||
+ NULL, 1);
|
||||
+ audit_close(audit_fd);
|
||||
+ /* do not abort if the error is EPERM and sshd is run as non root user */
|
||||
@ -519,19 +518,19 @@ Index: openssh-8.9p1/audit.c
|
||||
+void
|
||||
+audit_unsupported(struct ssh *ssh, int what)
|
||||
+{
|
||||
+ mm_audit_unsupported_body(ssh, what);
|
||||
+ PRIVSEP(audit_unsupported_body(ssh, what));
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+audit_kex(struct ssh *ssh, int ctos, char *enc, char *mac, char *comp, char *pfs)
|
||||
+{
|
||||
+ mm_audit_kex_body(ssh, ctos, enc, mac, comp, pfs, getpid(), getuid());
|
||||
+ PRIVSEP(audit_kex_body(ssh, ctos, enc, mac, comp, pfs, getpid(), getuid()));
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+audit_session_key_free(struct ssh *ssh, int ctos)
|
||||
+{
|
||||
+ mm_audit_session_key_free_body(ssh, ctos, getpid(), getuid());
|
||||
+ PRIVSEP(audit_session_key_free_body(ssh, ctos, getpid(), getuid()));
|
||||
+}
|
||||
+
|
||||
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
||||
@ -779,18 +778,18 @@ Index: openssh-8.9p1/auth.h
|
||||
+ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
|
||||
|
||||
/* Key / cert options linkage to auth layer */
|
||||
int auth_activate_options(struct ssh *, struct sshauthopt *);
|
||||
const struct sshauthopt *auth_options(struct ssh *);
|
||||
Index: openssh-8.9p1/auth2-hostbased.c
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/auth2-hostbased.c
|
||||
+++ openssh-8.9p1/auth2-hostbased.c
|
||||
@@ -149,7 +149,7 @@ userauth_hostbased(struct ssh *ssh, cons
|
||||
authenticated = 0;
|
||||
if (mm_hostbased_key_allowed(ssh, authctxt->pw, cuser,
|
||||
chost, key) &&
|
||||
- mm_sshkey_verify(key, sig, slen,
|
||||
+ mm_hostbased_key_verify(ssh, key, sig, slen,
|
||||
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL) == 0)
|
||||
if (PRIVSEP(hostbased_key_allowed(ssh, authctxt->pw, cuser,
|
||||
chost, key)) &&
|
||||
- PRIVSEP(sshkey_verify(key, sig, slen,
|
||||
+ PRIVSEP(hostbased_key_verify(ssh, key, sig, slen,
|
||||
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL)) == 0)
|
||||
authenticated = 1;
|
||||
|
||||
@@ -166,6 +166,19 @@ done:
|
||||
@ -820,12 +819,12 @@ Index: openssh-8.9p1/auth2-pubkey.c
|
||||
@@ -223,7 +223,7 @@ userauth_pubkey(struct ssh *ssh, const c
|
||||
/* test for correct signature */
|
||||
authenticated = 0;
|
||||
if (mm_user_key_allowed(ssh, pw, key, 1, &authopts) &&
|
||||
- mm_sshkey_verify(key, sig, slen,
|
||||
+ mm_user_key_verify(ssh, key, sig, slen,
|
||||
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
|
||||
- PRIVSEP(sshkey_verify(key, sig, slen,
|
||||
+ PRIVSEP(user_key_verify(ssh, key, sig, slen,
|
||||
sshbuf_ptr(b), sshbuf_len(b),
|
||||
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
|
||||
ssh->compat, &sig_details) == 0) {
|
||||
ssh->compat, &sig_details)) == 0) {
|
||||
@@ -316,6 +316,19 @@ done:
|
||||
return authenticated;
|
||||
}
|
||||
@ -855,7 +854,7 @@ Index: openssh-8.9p1/auth2.c
|
||||
/* Invalid user, fake password information */
|
||||
authctxt->pw = fakepw();
|
||||
-#ifdef SSH_AUDIT_EVENTS
|
||||
- mm_audit_event(ssh, SSH_INVALID_USER);
|
||||
- PRIVSEP(audit_event(ssh, SSH_INVALID_USER));
|
||||
-#endif
|
||||
}
|
||||
#ifdef USE_PAM
|
||||
@ -940,8 +939,8 @@ Index: openssh-8.9p1/kex.c
|
||||
#include "xmalloc.h"
|
||||
+#include "audit.h"
|
||||
|
||||
/* prototype */
|
||||
static int kex_choose_conf(struct ssh *, uint32_t seq);
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
@@ -879,12 +880,16 @@ kex_start_rekex(struct ssh *ssh)
|
||||
}
|
||||
|
||||
@ -1125,7 +1124,7 @@ Index: openssh-8.9p1/monitor.c
|
||||
extern struct sshbuf *loginmsg;
|
||||
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
|
||||
|
||||
+extern void destroy_sensitive_data(struct ssh *);
|
||||
+extern void destroy_sensitive_data(struct ssh *, int);
|
||||
+
|
||||
/* State exported from the child */
|
||||
static struct sshbuf *child_state;
|
||||
@ -1258,7 +1257,7 @@ Index: openssh-8.9p1/monitor.c
|
||||
sshpam_cleanup();
|
||||
#endif
|
||||
|
||||
+ destroy_sensitive_data(ssh);
|
||||
+ destroy_sensitive_data(ssh, 0);
|
||||
+
|
||||
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
|
||||
if (errno != EINTR)
|
||||
@ -1302,12 +1301,12 @@ Index: openssh-8.9p1/monitor.c
|
||||
+ debug3("%s entering", __func__);
|
||||
+ if ((r = sshbuf_get_u32(m, &handle)) != 0 ||
|
||||
+ (r = sshbuf_get_string(m, &cmd, &len)) != 0)
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+
|
||||
+ s = session_by_id(handle);
|
||||
+ if (s == NULL || s->ttyfd != -1 || s->command == NULL ||
|
||||
+ strcmp(s->command, cmd) != 0)
|
||||
+ fatal_f("invalid handle");
|
||||
+ fatal("%s: invalid handle", __func__);
|
||||
+ mm_session_close(ssh, s);
|
||||
free(cmd);
|
||||
return (0);
|
||||
@ -1350,7 +1349,7 @@ Index: openssh-8.9p1/monitor.c
|
||||
+ int what, r;
|
||||
+
|
||||
+ if ((r = sshbuf_get_u32(m, &what)) != 0)
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+
|
||||
+ audit_unsupported_body(ssh, what);
|
||||
+
|
||||
@ -1375,10 +1374,10 @@ Index: openssh-8.9p1/monitor.c
|
||||
+ (r = sshbuf_get_cstring(m, &compress, NULL)) != 0 ||
|
||||
+ (r = sshbuf_get_cstring(m, &pfs, NULL)) != 0 ||
|
||||
+ (r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ pid = (pid_t) tmp;
|
||||
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ uid = (pid_t) tmp;
|
||||
+
|
||||
+ audit_kex_body(ssh, ctos, cipher, mac, compress, pfs, pid, uid);
|
||||
@ -1403,10 +1402,10 @@ Index: openssh-8.9p1/monitor.c
|
||||
+
|
||||
+ if ((r = sshbuf_get_u32(m, &ctos)) != 0 ||
|
||||
+ (r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ pid = (pid_t) tmp;
|
||||
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ uid = (uid_t) tmp;
|
||||
+
|
||||
+ audit_session_key_free_body(ssh, ctos, pid, uid);
|
||||
@ -1428,10 +1427,10 @@ Index: openssh-8.9p1/monitor.c
|
||||
+
|
||||
+ if ((r = sshbuf_get_cstring(m, &fp, &len)) != 0 ||
|
||||
+ (r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ pid = (pid_t) tmp;
|
||||
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ uid = (uid_t) tmp;
|
||||
+
|
||||
+ audit_destroy_sensitive_data(ssh, fp, pid, uid);
|
||||
@ -1527,7 +1526,7 @@ Index: openssh-8.9p1/monitor_wrap.c
|
||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_COMMAND, m);
|
||||
+
|
||||
+ if ((r = sshbuf_get_u32(m, &handle)) != 0)
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ sshbuf_free(m);
|
||||
+
|
||||
+ return (handle);
|
||||
@ -1542,19 +1541,19 @@ Index: openssh-8.9p1/monitor_wrap.c
|
||||
+ debug3("%s entering command %s", __func__, command);
|
||||
+
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal_f("sshbuf_new failed");
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ if ((r = sshbuf_put_u32(m, handle)) != 0 ||
|
||||
+ (r = sshbuf_put_cstring(m, command)) != 0)
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_END_COMMAND, m);
|
||||
sshbuf_free(m);
|
||||
}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
@@ -1217,3 +1257,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
|
||||
return &ci;
|
||||
@@ -1074,3 +1114,130 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
|
||||
}
|
||||
|
||||
#endif /* GSSAPI */
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+void
|
||||
+mm_audit_unsupported_body(struct ssh *ssh, int what)
|
||||
@ -1563,9 +1562,9 @@ Index: openssh-8.9p1/monitor_wrap.c
|
||||
+ struct sshbuf *m;
|
||||
+
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal_f("sshbuf_new failed");
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ if ((r = sshbuf_put_u32(m, what)) != 0)
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_UNSUPPORTED, m);
|
||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
||||
@ -1582,7 +1581,7 @@ Index: openssh-8.9p1/monitor_wrap.c
|
||||
+ struct sshbuf *m;
|
||||
+
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal_f("sshbuf_new failed");
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ if ((r = sshbuf_put_u32(m, ctos)) != 0 ||
|
||||
+ (r = sshbuf_put_cstring(m, cipher)) != 0 ||
|
||||
+ (r = sshbuf_put_cstring(m, (mac ? mac : "<implicit>"))) != 0 ||
|
||||
@ -1590,7 +1589,7 @@ Index: openssh-8.9p1/monitor_wrap.c
|
||||
+ (r = sshbuf_put_cstring(m, fps)) != 0 ||
|
||||
+ (r = sshbuf_put_u64(m, pid)) != 0 ||
|
||||
+ (r = sshbuf_put_u64(m, uid)) != 0)
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, m);
|
||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_KEX,
|
||||
@ -1606,11 +1605,11 @@ Index: openssh-8.9p1/monitor_wrap.c
|
||||
+ struct sshbuf *m;
|
||||
+
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal_f("sshbuf_new failed");
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ if ((r = sshbuf_put_u32(m, ctos)) != 0 ||
|
||||
+ (r = sshbuf_put_u64(m, pid)) != 0 ||
|
||||
+ (r = sshbuf_put_u64(m, uid)) != 0)
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SESSION_KEY_FREE, m);
|
||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
|
||||
@ -1625,15 +1624,62 @@ Index: openssh-8.9p1/monitor_wrap.c
|
||||
+ struct sshbuf *m;
|
||||
+
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal_f("sshbuf_new failed");
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ if ((r = sshbuf_put_cstring(m, fp)) != 0 ||
|
||||
+ (r = sshbuf_put_u64(m, pid)) != 0 ||
|
||||
+ (r = sshbuf_put_u64(m, uid)) != 0)
|
||||
+ fatal_fr(r, "buffer error");
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, m);
|
||||
+ sshbuf_free(m);
|
||||
+}
|
||||
+
|
||||
+int mm_forward_audit_messages(int fdin)
|
||||
+{
|
||||
+ u_char buf[4];
|
||||
+ u_int blen, msg_len;
|
||||
+ struct sshbuf *m;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ debug3("%s: entering", __func__);
|
||||
+ m = sshbuf_new();
|
||||
+ do {
|
||||
+ int r;
|
||||
+
|
||||
+ blen = atomicio(read, fdin, buf, sizeof(buf));
|
||||
+ if (blen == 0) /* closed pipe */
|
||||
+ break;
|
||||
+ if (blen != sizeof(buf)) {
|
||||
+ error("%s: Failed to read the buffer from child", __func__);
|
||||
+ ret = -1;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ msg_len = get_u32(buf);
|
||||
+ if (msg_len > 256 * 1024)
|
||||
+ fatal("%s: read: bad msg_len %d", __func__, msg_len);
|
||||
+ sshbuf_reset(m);
|
||||
+ if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
||||
+ error("%s: Failed to read the the buffer conent from the child", __func__);
|
||||
+ ret = -1;
|
||||
+ break;
|
||||
+ }
|
||||
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
|
||||
+ atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
||||
+ error("%s: Failed to write the messag to the monitor", __func__);
|
||||
+ ret = -1;
|
||||
+ break;
|
||||
+ }
|
||||
+ } while (1);
|
||||
+ sshbuf_free(m);
|
||||
+ return ret;
|
||||
+}
|
||||
+void mm_set_monitor_pipe(int fd)
|
||||
+{
|
||||
+ pmonitor->m_recvfd = fd;
|
||||
+}
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
Index: openssh-8.9p1/monitor_wrap.h
|
||||
===================================================================
|
||||
@ -1649,8 +1695,8 @@ Index: openssh-8.9p1/monitor_wrap.h
|
||||
+int mm_user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
|
||||
const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
|
||||
|
||||
void mm_decode_activate_server_options(struct ssh *ssh, struct sshbuf *m);
|
||||
@@ -83,7 +85,12 @@ void mm_sshpam_free_ctx(void *);
|
||||
#ifdef GSSAPI
|
||||
@@ -83,7 +85,14 @@ void mm_sshpam_free_ctx(void *);
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
#include "audit.h"
|
||||
void mm_audit_event(struct ssh *, ssh_audit_event_t);
|
||||
@ -1661,6 +1707,8 @@ Index: openssh-8.9p1/monitor_wrap.h
|
||||
+void mm_audit_kex_body(struct ssh *, int, char *, char *, char *, char *, pid_t, uid_t);
|
||||
+void mm_audit_session_key_free_body(struct ssh *, int, pid_t, uid_t);
|
||||
+void mm_audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, uid_t);
|
||||
+int mm_forward_audit_messages(int);
|
||||
+void mm_set_monitor_pipe(int);
|
||||
#endif
|
||||
|
||||
struct Session;
|
||||
@ -1690,7 +1738,12 @@ Index: openssh-8.9p1/packet.c
|
||||
/*
|
||||
* Returns the IP-address of the remote host as a string. The returned
|
||||
* string must not be freed.
|
||||
@@ -579,22 +587,19 @@ ssh_packet_rdomain_in(struct ssh *ssh)
|
||||
@@ -579,26 +587,23 @@ ssh_packet_rdomain_in(struct ssh *ssh)
|
||||
/* Closes the connection and clears and frees internal data structures. */
|
||||
|
||||
static void
|
||||
-ssh_packet_close_internal(struct ssh *ssh, int do_close)
|
||||
+ssh_packet_close_internal(struct ssh *ssh, int do_close, int do_audit)
|
||||
{
|
||||
struct session_state *state = ssh->state;
|
||||
u_int mode;
|
||||
@ -1722,7 +1775,7 @@ Index: openssh-8.9p1/packet.c
|
||||
#endif /* WITH_ZLIB */
|
||||
cipher_free(state->send_context);
|
||||
cipher_free(state->receive_context);
|
||||
+ if (had_keys && state->server_side) {
|
||||
+ if (do_audit && had_keys && state->server_side) {
|
||||
+ /* Assuming this is called only from privsep child */
|
||||
+ audit_session_key_free(ssh, MODE_MAX);
|
||||
+ }
|
||||
@ -1737,6 +1790,28 @@ Index: openssh-8.9p1/packet.c
|
||||
free(ssh->local_ipaddr);
|
||||
ssh->local_ipaddr = NULL;
|
||||
free(ssh->remote_ipaddr);
|
||||
@@ -650,13 +665,19 @@ ssh_packet_close_internal(struct ssh *ss
|
||||
void
|
||||
ssh_packet_close(struct ssh *ssh)
|
||||
{
|
||||
- ssh_packet_close_internal(ssh, 1);
|
||||
+ ssh_packet_close_internal(ssh, 1, 1);
|
||||
}
|
||||
|
||||
void
|
||||
ssh_packet_clear_keys(struct ssh *ssh)
|
||||
{
|
||||
- ssh_packet_close_internal(ssh, 0);
|
||||
+ ssh_packet_close_internal(ssh, 0, 1);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+ssh_packet_clear_keys_noaudit(struct ssh *ssh)
|
||||
+{
|
||||
+ ssh_packet_close_internal(ssh, 0, 0);
|
||||
}
|
||||
|
||||
/* Sets remote side protocol flags. */
|
||||
@@ -892,6 +913,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod
|
||||
(unsigned long long)state->p_send.bytes,
|
||||
(unsigned long long)state->p_send.blocks);
|
||||
@ -1745,7 +1820,7 @@ Index: openssh-8.9p1/packet.c
|
||||
state->newkeys[mode] = NULL;
|
||||
}
|
||||
/* note that both bytes and the seqnr are not reset */
|
||||
@@ -2183,6 +2205,72 @@ ssh_packet_get_output(struct ssh *ssh)
|
||||
@@ -2183,6 +2205,73 @@ ssh_packet_get_output(struct ssh *ssh)
|
||||
return (void *)ssh->state->output;
|
||||
}
|
||||
|
||||
@ -1775,8 +1850,9 @@ Index: openssh-8.9p1/packet.c
|
||||
+ return;
|
||||
+
|
||||
+ cipher_free(state->receive_context);
|
||||
+ state->receive_context = NULL;
|
||||
+ cipher_free(state->send_context);
|
||||
+ state->send_context = state->receive_context = NULL;
|
||||
+ state->send_context = NULL;
|
||||
+
|
||||
+ sshbuf_free(state->input);
|
||||
+ state->input = NULL;
|
||||
@ -1822,6 +1898,14 @@ Index: openssh-8.9p1/packet.h
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/packet.h
|
||||
+++ openssh-8.9p1/packet.h
|
||||
@@ -102,6 +102,7 @@ int ssh_packet_get_connection_out(s
|
||||
void ssh_packet_close(struct ssh *);
|
||||
void ssh_packet_set_input_hook(struct ssh *, ssh_packet_hook_fn *, void *);
|
||||
void ssh_packet_clear_keys(struct ssh *);
|
||||
+void ssh_packet_clear_keys_noaudit(struct ssh *);
|
||||
void ssh_clear_newkeys(struct ssh *, int);
|
||||
|
||||
int ssh_packet_is_rekeying(struct ssh *);
|
||||
@@ -220,4 +221,5 @@ const u_char *sshpkt_ptr(struct ssh *, s
|
||||
# undef EC_POINT
|
||||
#endif
|
||||
@ -1837,11 +1921,22 @@ Index: openssh-8.9p1/session.c
|
||||
extern u_int utmp_len;
|
||||
extern int startup_pipe;
|
||||
-extern void destroy_sensitive_data(void);
|
||||
+extern void destroy_sensitive_data(struct ssh *);
|
||||
+extern void destroy_sensitive_data(struct ssh *, int);
|
||||
extern struct sshbuf *loginmsg;
|
||||
extern struct sshauthopt *auth_opts;
|
||||
extern char *tun_fwd_ifnames; /* serverloop.c */
|
||||
@@ -644,6 +644,14 @@ do_exec_pty(struct ssh *ssh, Session *s,
|
||||
@@ -157,6 +157,10 @@ static Session *sessions = NULL;
|
||||
login_cap_t *lc;
|
||||
#endif
|
||||
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+int paudit[2];
|
||||
+#endif
|
||||
+
|
||||
static int is_child = 0;
|
||||
static int in_chroot = 0;
|
||||
|
||||
@@ -642,6 +646,14 @@ do_exec_pty(struct ssh *ssh, Session *s,
|
||||
/* Parent. Close the slave side of the pseudo tty. */
|
||||
close(ttyfd);
|
||||
|
||||
@ -1856,42 +1951,85 @@ Index: openssh-8.9p1/session.c
|
||||
/* Enter interactive session. */
|
||||
s->ptymaster = ptymaster;
|
||||
ssh_packet_set_interactive(ssh, 1,
|
||||
@@ -736,15 +744,19 @@ do_exec(struct ssh *ssh, Session *s, con
|
||||
@@ -706,15 +718,21 @@ do_exec(struct ssh *ssh, Session *s, con
|
||||
s->self);
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
+ if (s->command != NULL || s->command_handle != -1)
|
||||
+ fatal("do_exec: command already set");
|
||||
if (command != NULL)
|
||||
- mm_audit_run_command(command);
|
||||
- PRIVSEP(audit_run_command(command));
|
||||
+ s->command = xstrdup(command);
|
||||
else if (s->ttyfd == -1) {
|
||||
char *shell = s->pw->pw_shell;
|
||||
|
||||
if (shell[0] == '\0') /* empty shell means /bin/sh */
|
||||
shell =_PATH_BSHELL;
|
||||
- mm_audit_run_command(shell);
|
||||
- PRIVSEP(audit_run_command(shell));
|
||||
+ s->command = xstrdup(shell);
|
||||
}
|
||||
+ if (s->command != NULL && s->ptyfd == -1)
|
||||
+ s->command_handle = mm_audit_run_command(ssh, s->command);
|
||||
+ s->command_handle = PRIVSEP(audit_run_command(ssh, s->command));
|
||||
+ if (pipe(paudit) < 0)
|
||||
+ fatal("pipe: %s", strerror(errno));
|
||||
#endif
|
||||
if (s->ttyfd != -1)
|
||||
ret = do_exec_pty(ssh, s, command);
|
||||
@@ -1550,8 +1562,11 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
@@ -730,6 +748,20 @@ do_exec(struct ssh *ssh, Session *s, con
|
||||
*/
|
||||
sshbuf_reset(loginmsg);
|
||||
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ close(paudit[1]);
|
||||
+ if (use_privsep && ret == 0) {
|
||||
+ /*
|
||||
+ * Read the audit messages from forked child and send them
|
||||
+ * back to monitor. We don't want to communicate directly,
|
||||
+ * because the messages might get mixed up.
|
||||
+ * Continue after the pipe gets closed (all messages sent).
|
||||
+ */
|
||||
+ ret = mm_forward_audit_messages(paudit[0]);
|
||||
+ }
|
||||
+ close(paudit[0]);
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
+
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -1530,11 +1562,30 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
int env_size;
|
||||
int r = 0;
|
||||
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ int pparent = paudit[1];
|
||||
+ close(paudit[0]);
|
||||
+ /* Hack the monitor pipe to avoid race condition with parent */
|
||||
+ if (use_privsep)
|
||||
+ mm_set_monitor_pipe(pparent);
|
||||
+#endif
|
||||
+
|
||||
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
|
||||
|
||||
/* remove hostkey from the child's memory */
|
||||
- destroy_sensitive_data();
|
||||
+ destroy_sensitive_data(ssh);
|
||||
ssh_packet_clear_keys(ssh);
|
||||
+ /* Don't audit this - both us and the parent would be talking to the
|
||||
+ monitor over a single socket, with no synchronization. */
|
||||
- ssh_packet_clear_keys(ssh);
|
||||
+ destroy_sensitive_data(ssh, use_privsep);
|
||||
+ ssh_packet_clear_keys_noaudit(ssh);
|
||||
+ /*
|
||||
+ * We can audit this, because we hacked the pipe to direct the
|
||||
+ * messages over postauth child. But this message requires an answer
|
||||
+ * which we can't do using a one-way pipe.
|
||||
+ */
|
||||
+ packet_destroy_all(ssh, 0, 1);
|
||||
+
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ /* Notify parent that we are done */
|
||||
+ close(pparent);
|
||||
+#endif
|
||||
|
||||
/* Force a password change */
|
||||
if (s->authctxt->force_pwchange) {
|
||||
@@ -1763,6 +1778,9 @@ session_unused(int id)
|
||||
@@ -1743,6 +1794,9 @@ session_unused(int id)
|
||||
sessions[id].ttyfd = -1;
|
||||
sessions[id].ptymaster = -1;
|
||||
sessions[id].x11_chanids = NULL;
|
||||
@ -1901,7 +2039,7 @@ Index: openssh-8.9p1/session.c
|
||||
sessions[id].next_unused = sessions_first_unused;
|
||||
sessions_first_unused = id;
|
||||
}
|
||||
@@ -1843,6 +1861,19 @@ session_open(Authctxt *authctxt, int cha
|
||||
@@ -1822,6 +1876,19 @@ session_open(Authctxt *authctxt, int cha
|
||||
}
|
||||
|
||||
Session *
|
||||
@ -1912,7 +2050,7 @@ Index: openssh-8.9p1/session.c
|
||||
+ if (s->used)
|
||||
+ return s;
|
||||
+ }
|
||||
+ debug_f("unknown id %d", id);
|
||||
+ debug("%s: unknown id %d", __func__, id);
|
||||
+ session_dump();
|
||||
+ return NULL;
|
||||
+}
|
||||
@ -1921,7 +2059,7 @@ Index: openssh-8.9p1/session.c
|
||||
session_by_tty(char *tty)
|
||||
{
|
||||
int i;
|
||||
@@ -2450,6 +2481,32 @@ session_exit_message(struct ssh *ssh, Se
|
||||
@@ -2429,6 +2496,32 @@ session_exit_message(struct ssh *ssh, Se
|
||||
chan_write_failed(ssh, c);
|
||||
}
|
||||
|
||||
@ -1943,7 +2081,7 @@ Index: openssh-8.9p1/session.c
|
||||
+{
|
||||
+ if (s->command != NULL) {
|
||||
+ if (s->command_handle != -1)
|
||||
+ mm_audit_end_command(ssh, s->command_handle, s->command);
|
||||
+ PRIVSEP(audit_end_command(ssh, s->command_handle, s->command));
|
||||
+ free(s->command);
|
||||
+ s->command = NULL;
|
||||
+ s->command_handle = -1;
|
||||
@ -1954,7 +2092,7 @@ Index: openssh-8.9p1/session.c
|
||||
void
|
||||
session_close(struct ssh *ssh, Session *s)
|
||||
{
|
||||
@@ -2463,6 +2520,10 @@ session_close(struct ssh *ssh, Session *
|
||||
@@ -2470,6 +2563,10 @@ session_close(struct ssh *ssh, Session *
|
||||
|
||||
if (s->ttyfd != -1)
|
||||
session_pty_cleanup(s);
|
||||
@ -1965,7 +2103,7 @@ Index: openssh-8.9p1/session.c
|
||||
free(s->term);
|
||||
free(s->display);
|
||||
free(s->x11_chanids);
|
||||
@@ -2537,14 +2598,14 @@ session_close_by_channel(struct ssh *ssh
|
||||
@@ -2544,14 +2641,14 @@ session_close_by_channel(struct ssh *ssh
|
||||
}
|
||||
|
||||
void
|
||||
@ -1982,7 +2120,7 @@ Index: openssh-8.9p1/session.c
|
||||
else
|
||||
session_close(ssh, s);
|
||||
}
|
||||
@@ -2671,6 +2732,15 @@ do_authenticated2(struct ssh *ssh, Authc
|
||||
@@ -2677,6 +2774,15 @@ do_authenticated2(struct ssh *ssh, Authc
|
||||
server_loop2(ssh, authctxt);
|
||||
}
|
||||
|
||||
@ -1998,10 +2136,10 @@ Index: openssh-8.9p1/session.c
|
||||
void
|
||||
do_cleanup(struct ssh *ssh, Authctxt *authctxt)
|
||||
{
|
||||
@@ -2734,7 +2804,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
|
||||
@@ -2740,7 +2846,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
|
||||
* or if running in monitor.
|
||||
*/
|
||||
if (mm_is_monitor())
|
||||
if (!use_privsep || mm_is_monitor())
|
||||
- session_destroy_all(ssh, session_pty_cleanup2);
|
||||
+ session_destroy_all(ssh, do_cleanup_one_session);
|
||||
}
|
||||
@ -2042,34 +2180,6 @@ Index: openssh-8.9p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/sshd.c
|
||||
+++ openssh-8.9p1/sshd.c
|
||||
@@ -219,6 +219,15 @@ close_listen_socks(void)
|
||||
num_listen_socks = 0;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Is this process listening for clients (i.e. not specific to any specific
|
||||
+ * client connection?)
|
||||
+ */
|
||||
+int listening_for_clients(void)
|
||||
+{
|
||||
+ return num_listen_socks > 0;
|
||||
+}
|
||||
+
|
||||
/* Allocate and initialise the children array */
|
||||
static void
|
||||
child_alloc(void)
|
||||
@@ -897,6 +906,7 @@ server_accept_loop(int *sock_in, int *so
|
||||
if (received_sigterm) {
|
||||
logit("Received signal %d; terminating.",
|
||||
(int) received_sigterm);
|
||||
+ /* destroy_sensitive_data(ssh, 0); FIXME */
|
||||
close_listen_socks();
|
||||
if (options.pid_file != NULL)
|
||||
unlink(options.pid_file);
|
||||
Index: openssh-8.9p1/sshd-session.c
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/sshd-session.c
|
||||
+++ openssh-8.9p1/sshd-session.c
|
||||
@@ -125,6 +125,7 @@
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
@ -2079,18 +2189,34 @@ Index: openssh-8.9p1/sshd-session.c
|
||||
#include "auth-options.h"
|
||||
#include "version.h"
|
||||
@@ -265,8 +266,8 @@ struct sshbuf *loginmsg;
|
||||
struct sshbuf *loginmsg;
|
||||
struct passwd *privsep_pw = NULL;
|
||||
|
||||
/* Prototypes for various functions defined later in this file. */
|
||||
-void destroy_sensitive_data(void);
|
||||
-void demote_sensitive_data(void);
|
||||
+void destroy_sensitive_data(struct ssh *);
|
||||
+void destroy_sensitive_data(struct ssh *, int);
|
||||
+void demote_sensitive_data(struct ssh *);
|
||||
static void do_ssh2_kex(struct ssh *);
|
||||
|
||||
/*
|
||||
@@ -382,18 +383,40 @@ grace_alarm_handler(int sig)
|
||||
_exit(EXIT_LOGIN_GRACE);
|
||||
static char *listener_proctitle;
|
||||
@@ -284,6 +285,15 @@ close_listen_socks(void)
|
||||
num_listen_socks = 0;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Is this process listening for clients (i.e. not specific to any specific
|
||||
+ * client connection?)
|
||||
+ */
|
||||
+int listening_for_clients(void)
|
||||
+{
|
||||
+ return num_listen_socks >= 0;
|
||||
+}
|
||||
+
|
||||
static void
|
||||
close_startup_pipes(void)
|
||||
{
|
||||
@@ -382,18 +392,45 @@ grace_alarm_handler(int sig)
|
||||
ssh_remote_port(the_active_state));
|
||||
}
|
||||
|
||||
-/* Destroy the host and server keys. They will no longer be needed. */
|
||||
@ -2100,7 +2226,7 @@ Index: openssh-8.9p1/sshd-session.c
|
||||
+ */
|
||||
void
|
||||
-destroy_sensitive_data(void)
|
||||
+destroy_sensitive_data(struct ssh *ssh)
|
||||
+destroy_sensitive_data(struct ssh *ssh, int privsep)
|
||||
{
|
||||
u_int i;
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
@ -2122,7 +2248,12 @@ Index: openssh-8.9p1/sshd-session.c
|
||||
sensitive_data.host_keys[i] = NULL;
|
||||
+ if (fp != NULL) {
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ audit_destroy_sensitive_data(ssh, fp, pid, uid);
|
||||
+ if (privsep)
|
||||
+ PRIVSEP(audit_destroy_sensitive_data(ssh, fp,
|
||||
+ pid, uid));
|
||||
+ else
|
||||
+ audit_destroy_sensitive_data(ssh, fp,
|
||||
+ pid, uid);
|
||||
+#endif
|
||||
+ free(fp);
|
||||
+ }
|
||||
@ -2133,7 +2264,7 @@ Index: openssh-8.9p1/sshd-session.c
|
||||
sshkey_free(sensitive_data.host_certificates[i]);
|
||||
sensitive_data.host_certificates[i] = NULL;
|
||||
}
|
||||
@@ -402,20 +430,38 @@ destroy_sensitive_data(void)
|
||||
@@ -402,20 +439,38 @@ destroy_sensitive_data(void)
|
||||
|
||||
/* Demote private to public keys for network child */
|
||||
void
|
||||
@ -2173,7 +2304,7 @@ Index: openssh-8.9p1/sshd-session.c
|
||||
}
|
||||
/* Certs do not need demotion */
|
||||
}
|
||||
@@ -443,7 +489,7 @@ reseed_prngs(void)
|
||||
@@ -443,7 +498,7 @@ reseed_prngs(void)
|
||||
}
|
||||
|
||||
static void
|
||||
@ -2182,7 +2313,7 @@ Index: openssh-8.9p1/sshd-session.c
|
||||
{
|
||||
gid_t gidset[1];
|
||||
|
||||
@@ -458,7 +504,7 @@ privsep_preauth_child(void)
|
||||
@@ -458,7 +513,7 @@ privsep_preauth_child(void)
|
||||
reseed_prngs();
|
||||
|
||||
/* Demote the private keys to public keys. */
|
||||
@ -2191,16 +2322,16 @@ Index: openssh-8.9p1/sshd-session.c
|
||||
|
||||
/* Demote the child */
|
||||
if (privsep_chroot) {
|
||||
@@ -493,7 +539,7 @@ privsep_preauth(struct ssh *ssh)
|
||||
pmonitor->m_pkex = &ssh->kex;
|
||||
@@ -493,7 +548,7 @@ privsep_preauth(struct ssh *ssh)
|
||||
|
||||
if (use_privsep == PRIVSEP_ON)
|
||||
box = ssh_sandbox_init(pmonitor);
|
||||
- pid = fork();
|
||||
+ pmonitor->m_pid = pid = fork();
|
||||
if (pid == -1) {
|
||||
fatal("fork of unprivileged child failed");
|
||||
} else if (pid != 0) {
|
||||
@@ -538,7 +584,7 @@ privsep_preauth(struct ssh *ssh)
|
||||
@@ -538,7 +593,7 @@ privsep_preauth(struct ssh *ssh)
|
||||
/* Arrange for logging to be sent to the monitor */
|
||||
set_log_handler(mm_log_handler, pmonitor);
|
||||
|
||||
@ -2209,7 +2340,7 @@ Index: openssh-8.9p1/sshd-session.c
|
||||
setproctitle("%s", "[net]");
|
||||
if (box != NULL)
|
||||
ssh_sandbox_child(box);
|
||||
@@ -582,7 +628,7 @@ privsep_postauth(struct ssh *ssh, Authct
|
||||
@@ -582,7 +637,7 @@ privsep_postauth(struct ssh *ssh, Authct
|
||||
pmonitor->m_sendfd = -1;
|
||||
|
||||
/* Demote the private keys to public keys. */
|
||||
@ -2218,17 +2349,43 @@ Index: openssh-8.9p1/sshd-session.c
|
||||
|
||||
reseed_prngs();
|
||||
|
||||
@@ -2311,6 +2358,9 @@ main(int ac, char **av)
|
||||
@@ -1136,7 +1191,7 @@ server_listen(void)
|
||||
* from this function are in a forked subprocess.
|
||||
*/
|
||||
static void
|
||||
-server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
|
||||
+server_accept_loop(struct ssh *ssh, int *sock_in, int *sock_out, int *newsock, int *config_s)
|
||||
{
|
||||
struct pollfd *pfd = NULL;
|
||||
int i, j, ret, npfd;
|
||||
@@ -1179,6 +1234,7 @@ server_accept_loop(int *sock_in, int *so
|
||||
if (received_sigterm) {
|
||||
logit("Received signal %d; terminating.",
|
||||
(int) received_sigterm);
|
||||
+ destroy_sensitive_data(ssh, 0);
|
||||
close_listen_socks();
|
||||
if (options.pid_file != NULL)
|
||||
unlink(options.pid_file);
|
||||
@@ -2088,7 +2144,7 @@ main(int ac, char **av)
|
||||
#endif
|
||||
|
||||
/* Accept a connection and return in a forked child */
|
||||
- server_accept_loop(&sock_in, &sock_out,
|
||||
+ server_accept_loop(ssh, &sock_in, &sock_out,
|
||||
&newsock, config_s);
|
||||
}
|
||||
|
||||
@@ -2311,6 +2367,9 @@ main(int ac, char **av)
|
||||
do_authenticated(ssh, authctxt);
|
||||
|
||||
/* The connection has been terminated. */
|
||||
+ packet_destroy_all(ssh, 1, 1);
|
||||
+ destroy_sensitive_data(ssh);
|
||||
+ destroy_sensitive_data(ssh, 1);
|
||||
+
|
||||
ssh_packet_get_bytes(ssh, &ibytes, &obytes);
|
||||
verbose("Transferred: sent %llu, received %llu bytes",
|
||||
(unsigned long long)obytes, (unsigned long long)ibytes);
|
||||
@@ -2491,6 +2541,15 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
@@ -2491,6 +2550,15 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
void
|
||||
cleanup_exit(int i)
|
||||
{
|
||||
@ -2241,17 +2398,24 @@ Index: openssh-8.9p1/sshd-session.c
|
||||
+ if (in_cleanup)
|
||||
+ _exit(i);
|
||||
+ in_cleanup = 1;
|
||||
extern int auth_attempted; /* monitor.c */
|
||||
|
||||
if (the_active_state != NULL && the_authctxt != NULL) {
|
||||
@@ -2525,7 +2593,9 @@ cleanup_exit(int i)
|
||||
_exit(EXIT_AUTH_ATTEMPTED);
|
||||
do_cleanup(the_active_state, the_authctxt);
|
||||
if (use_privsep && privsep_is_preauth &&
|
||||
@@ -2503,9 +2571,16 @@ cleanup_exit(int i)
|
||||
}
|
||||
}
|
||||
}
|
||||
+ is_privsep_child = use_privsep && pmonitor != NULL && pmonitor->m_pid == 0;
|
||||
+ if (sensitive_data.host_keys != NULL && the_active_state != NULL)
|
||||
+ destroy_sensitive_data(the_active_state, is_privsep_child);
|
||||
+ if (the_active_state != NULL)
|
||||
+ packet_destroy_all(the_active_state, 1, is_privsep_child);
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
/* done after do_cleanup so it can cancel the PAM auth 'thread' */
|
||||
- if (the_active_state != NULL && mm_is_monitor())
|
||||
- if (the_active_state != NULL && (!use_privsep || mm_is_monitor()))
|
||||
+ if (the_active_state != NULL &&
|
||||
+ (the_authctxt == NULL || !the_authctxt->authenticated) &&
|
||||
+ mm_is_monitor())
|
||||
+ (!use_privsep || mm_is_monitor()))
|
||||
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
|
||||
#endif
|
||||
_exit(i);
|
||||
|
@ -123,21 +123,28 @@ Index: openssh-8.9p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/sshd.c
|
||||
+++ openssh-8.9p1/sshd.c
|
||||
@@ -1201,7 +1201,8 @@ prepare_proctitle(int ac, char **av)
|
||||
@@ -148,7 +148,7 @@ extern char *__progname;
|
||||
ServerOptions options;
|
||||
|
||||
/* Name of the server configuration file. */
|
||||
-char *config_file_name = _PATH_SERVER_CONFIG_FILE;
|
||||
+char *config_file_name = NULL;
|
||||
|
||||
/*
|
||||
* Debug mode flag. This can be set on the command line. If debug
|
||||
@@ -1591,6 +1591,7 @@ prepare_proctitle(int ac, char **av)
|
||||
int
|
||||
main(int ac, char **av)
|
||||
{
|
||||
+ struct stat st;
|
||||
struct ssh *ssh = NULL;
|
||||
extern char *optarg;
|
||||
extern int optind;
|
||||
int log_stderr = 0, inetd_flag = 0, test_flag = 0, no_daemon_flag = 0;
|
||||
- char *config_file_name = _PATH_SERVER_CONFIG_FILE;
|
||||
+ char *config_file_name = NULL;
|
||||
+ struct stat st;
|
||||
int r, opt, do_dump_cfg = 0, keytype, already_daemon, have_agent = 0;
|
||||
int sock_in = -1, sock_out = -1, newsock = -1, rexec_argc = 0;
|
||||
int devnull, config_s[2] = { -1 , -1 }, have_connection_info = 0;
|
||||
@@ -1806,7 +1807,21 @@ main(int ac, char **av)
|
||||
/* Fetch our configuration */
|
||||
if ((cfg = sshbuf_new()) == NULL)
|
||||
fatal("sshbuf_new config failed");
|
||||
+ if (config_file_name == NULL) {
|
||||
*/
|
||||
(void)atomicio(vwrite, startup_pipe, "\0", 1);
|
||||
}
|
||||
+ } else if (config_file_name == NULL) {
|
||||
+ /* If only the vendor configuration file exists, use that.
|
||||
+ * Else use the standard configuration file.
|
||||
+ */
|
||||
@ -150,12 +157,11 @@ Index: openssh-8.9p1/sshd.c
|
||||
+ config_file_name = _PATH_SERVER_CONFIG_FILE;
|
||||
+ }
|
||||
+ load_server_config(config_file_name, cfg);
|
||||
- if (strcasecmp(config_file_name, "none") != 0)
|
||||
+ } else if (strcasecmp(config_file_name, "none") != 0)
|
||||
} else if (strcasecmp(config_file_name, "none") != 0)
|
||||
+ /* load config specified on commandline */
|
||||
load_server_config(config_file_name, cfg);
|
||||
|
||||
parse_server_config(&options, config_file_name, cfg,
|
||||
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
||||
Index: openssh-8.9p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/sshd_config.5
|
||||
|
@ -84,14 +84,13 @@ Index: openssh-9.6p1/ssh_config.5
|
||||
The list of key exchange algorithms that are offered for GSSAPI
|
||||
key exchange. Possible values are
|
||||
.Bd -literal -offset 3n
|
||||
@@ -991,10 +993,8 @@ gss-nistp256-sha256-,
|
||||
@@ -991,9 +993,8 @@ gss-nistp256-sha256-,
|
||||
gss-curve25519-sha256-
|
||||
.Ed
|
||||
.Pp
|
||||
-The default is
|
||||
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||
This option only applies to connections using GSSAPI.
|
||||
-.Dq gss-gex-sha1-,gss-group14-sha1- .
|
||||
This option only applies to protocol version 2 connections using GSSAPI.
|
||||
+.Pp
|
||||
.It Cm HashKnownHosts
|
||||
Indicates that
|
||||
@ -160,7 +159,7 @@ Index: openssh-9.6p1/ssh_config.5
|
||||
.It Cm HostKeyAlias
|
||||
Specifies an alias that should be used instead of the
|
||||
real host name when looking up or saving the host key
|
||||
@@ -1311,36 +1313,30 @@ it may be zero or more of:
|
||||
@@ -1311,31 +1313,26 @@ it may be zero or more of:
|
||||
and
|
||||
.Cm pam .
|
||||
.It Cm KexAlgorithms
|
||||
@ -170,12 +169,8 @@ Index: openssh-9.6p1/ssh_config.5
|
||||
+existing policies with sub-policies are present in manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the permitted KEX (Key Exchange) algorithms that will be used and
|
||||
their preference order.
|
||||
The selected algorithm will the the first algorithm in this list that
|
||||
the server also supports.
|
||||
Specifies the available KEX (Key Exchange) algorithms.
|
||||
Multiple algorithms must be comma-separated.
|
||||
.Pp
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified algorithms will be appended to the default set
|
||||
@ -191,7 +186,6 @@ Index: openssh-9.6p1/ssh_config.5
|
||||
.Sq ^
|
||||
character, then the specified algorithms will be placed at the head of the
|
||||
-default set.
|
||||
-.Pp
|
||||
-The default is:
|
||||
-.Bd -literal -offset indent
|
||||
-sntrup761x25519-sha512@openssh.com,
|
||||
@ -205,7 +199,7 @@ Index: openssh-9.6p1/ssh_config.5
|
||||
-.Ed
|
||||
+built-in openssh default set.
|
||||
.Pp
|
||||
The list of supported key exchange algorithms may also be obtained using
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q kex .
|
||||
@@ -1445,37 +1442,34 @@ function, and all code in the
|
||||
file.
|
||||
@ -392,7 +386,7 @@ Index: openssh-9.6p1/sshd_config.5
|
||||
The list of available ciphers may also be obtained using
|
||||
.Qq ssh -Q cipher .
|
||||
.It Cm ClientAliveCountMax
|
||||
@@ -764,53 +760,45 @@ For this to work
|
||||
@@ -764,52 +760,45 @@ For this to work
|
||||
.Cm GSSAPIKeyExchange
|
||||
needs to be enabled in the server and also used by the client.
|
||||
.It Cm GSSAPIKexAlgorithms
|
||||
@ -421,9 +415,8 @@ Index: openssh-9.6p1/sshd_config.5
|
||||
.Ed
|
||||
-.Pp
|
||||
-The default is
|
||||
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||
This option only applies to connections using GSSAPI.
|
||||
-.Dq gss-gex-sha1-,gss-group14-sha1- .
|
||||
This option only applies to protocol version 2 connections using GSSAPI.
|
||||
.It Cm HostbasedAcceptedAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
@ -499,7 +492,7 @@ Index: openssh-9.6p1/sshd_config.5
|
||||
The list of available signature algorithms may also be obtained using
|
||||
.Qq ssh -Q HostKeyAlgorithms .
|
||||
.It Cm IgnoreRhosts
|
||||
@@ -1027,24 +1006,30 @@ file on logout.
|
||||
@@ -1027,20 +1006,26 @@ file on logout.
|
||||
The default is
|
||||
.Cm yes .
|
||||
.It Cm KexAlgorithms
|
||||
@ -509,13 +502,9 @@ Index: openssh-9.6p1/sshd_config.5
|
||||
+existing policies with sub-policies are present in manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the permitted KEX (Key Exchange) algorithms that the server will
|
||||
offer to clients.
|
||||
The ordering of this list is not important, as the client specifies the
|
||||
preference order.
|
||||
Specifies the available KEX (Key Exchange) algorithms.
|
||||
Multiple algorithms must be comma-separated.
|
||||
.Pp
|
||||
If the specified list begins with a
|
||||
Alternately if the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified algorithms will be appended to the default set
|
||||
-instead of replacing them.
|
||||
@ -531,9 +520,9 @@ Index: openssh-9.6p1/sshd_config.5
|
||||
character, then the specified algorithms will be placed at the head of the
|
||||
-default set.
|
||||
+built-in openssh default set.
|
||||
.Pp
|
||||
The supported algorithms are:
|
||||
.Pp
|
||||
.Bl -item -compact -offset indent
|
||||
@@ -1072,16 +1057,6 @@ ecdh-sha2-nistp521
|
||||
sntrup761x25519-sha512@openssh.com
|
||||
.El
|
||||
@ -548,7 +537,7 @@ Index: openssh-9.6p1/sshd_config.5
|
||||
-diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
|
||||
-.Ed
|
||||
-.Pp
|
||||
The list of supported key exchange algorithms may also be obtained using
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q KexAlgorithms .
|
||||
.It Cm ListenAddress
|
||||
@@ -1167,21 +1142,27 @@ function, and all code in the
|
||||
|
BIN
openssh-9.6p1.tar.gz
(Stored with Git LFS)
Normal file
BIN
openssh-9.6p1.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
16
openssh-9.6p1.tar.gz.asc
Normal file
16
openssh-9.6p1.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmWAXvAACgkQKj9BTnNg
|
||||
YLrypA/6A1O8e80XnzVWIFhXkbv/biGL10Q5ZMvjQvND6mbkphNWZ4G4QOEh0nBG
|
||||
rseD3Fce7me9pfeLYVhaNXO9R3OYAXxjbWfQwI7FpBU4QUCnbH53PG32B6ESq7pl
|
||||
0vlDqdqI7aBAyMpp+8WFD+EvHWUVA77JtfU4MFw7myKJacrVrDUygDaZkJKOhqKf
|
||||
N1Nurz4YppdQ5zIK1ElL0jlRJXm08flLFRg8fD5/5rwabpUbZIY9b5qZzGKgnR7I
|
||||
sxUBlDkfLnvKIlKzUXbRvOHazvFAHYH1ltJZGlJUc/+H/ZaPigWf4IR+E1FB9c2O
|
||||
zxaZhlbwGKyD+p7l08F9n8T21taxpBCW1Uxkx7MLTz8k9huPNpdX5l8VM4Gotmn8
|
||||
I4V3Fevyx+M3XJYeKtkspa51h0GqF3gNFPLxW7ERGaIuqwoxuHxIEKwYE+JPmQag
|
||||
UDma5LDrSrasa8Rw8g5urGE48PeDQ5muPy8Bi9eIGZU5JLqX6TNgz7QDDs/dQsHB
|
||||
iny4wQOLmdIA78IGttiCo0rqikEvFtFDFR4mCUTC8K0nQKzWwGewO3gRTcHttzyU
|
||||
xMalxw+wt9cUJ8gb1E9p7OeMUuXdaHMmem8/PcFCar/vKx1mdV/On6evnp3P8yQA
|
||||
la8WnbcP0+zJg0GGwGszpFlOMjWCDB0kUTBCT+MR+IWbj/pVZVA=
|
||||
=G9YA
|
||||
-----END PGP SIGNATURE-----
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3
|
||||
size 1910393
|
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmaCMn0ACgkQKj9BTnNg
|
||||
YLrjcBAAgO7xhKUXp8YxdqSZigDbcHu7T37bm1pRTKg2ihPepz+q6pV+DY8AHSRu
|
||||
eyuOCOHYzjLyArFpiMX3z9iT2NqO+KNBvKQoh8loaxNrECmgRGk2jBEKiibFSP5M
|
||||
i6CYkF3sET9xnVDkt4P6KievWXY1/Tl93qve3K2a/bvvgT8s2AaBMM8u4BMGNm3D
|
||||
sc3A6euN0aiXRts2V6I885VyrQDMK++E7+eTHet0ex82KH4I+ceIOwB48hny4wpb
|
||||
Zaqy9pTFisTmFNOF6d3TB58yMWoLQIbLuVrbbbcr7hFYCWsgj0yN5iYQNOR9pU4E
|
||||
ooF+aC0kK9M4iUXthzjjgIjnMzsCmPeKisbwblsPSfSgccj/pCMzW8C3CMVL6AvG
|
||||
slSSLK42qm3f38kx3sg2S8LDW0v+hoyvBmKNFMiBwsF2tWCXIG+oP1PDYpJUpaOJ
|
||||
RFHG7JEPtY94UJGdo5C4YhqDWr3HOqEwuVIt1gWMMPs9IvDkDRo6emmDd64FFAKH
|
||||
ss3hHixu6OHqU5iw6JIVVtYiur6s9m6N/Xxt5Ho6wuqnzUZ+Dwj3L6lF9IOJbJxU
|
||||
Ufb70I1Uko9kXcoje9ONUsqr88wfQY+JZxxVTlzDUDadytCzmO3wXsz+cosMQ5Rw
|
||||
aOZwXYyvmcoZuUQG8GIqRO1wfOcD7o7pI6IyVJQjOeG/rA0eu/4=
|
||||
=Gj2n
|
||||
-----END PGP SIGNATURE-----
|
@ -1,10 +1,3 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Aug 1 09:17:11 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Update to openssh 9.8p1:
|
||||
* No changes for askpass, see main package changelog for
|
||||
details.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package openssh-askpass-gnome
|
||||
#
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
# Copyright (c) 2020 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -18,7 +18,7 @@
|
||||
|
||||
%define _name openssh
|
||||
Name: openssh-askpass-gnome
|
||||
Version: 9.8p1
|
||||
Version: 9.6p1
|
||||
Release: 0
|
||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||
License: BSD-2-Clause
|
||||
|
@ -207,9 +207,9 @@ Index: openssh-9.3p2/packet.h
|
||||
--- openssh-9.3p2.orig/packet.h
|
||||
+++ openssh-9.3p2/packet.h
|
||||
@@ -103,6 +103,7 @@ void ssh_packet_close(struct ssh *);
|
||||
void ssh_packet_close(struct ssh *);
|
||||
void ssh_packet_set_input_hook(struct ssh *, ssh_packet_hook_fn *, void *);
|
||||
void ssh_packet_clear_keys(struct ssh *);
|
||||
void ssh_packet_clear_keys_noaudit(struct ssh *);
|
||||
+void ssh_clear_curkeys(struct ssh *, int);
|
||||
void ssh_clear_newkeys(struct ssh *, int);
|
||||
|
||||
@ -264,12 +264,12 @@ Index: openssh-9.3p2/sshbuf.h
|
||||
/* Macros for decoding/encoding integers */
|
||||
#define PEEK_U64(p) \
|
||||
(((u_int64_t)(((const u_char *)(p))[0]) << 56) | \
|
||||
Index: openssh-9.3p2/sshd-session.c
|
||||
Index: openssh-9.3p2/sshd.c
|
||||
===================================================================
|
||||
--- openssh-9.3p2.orig/sshd-session.c
|
||||
+++ openssh-9.3p2/sshd-session.c
|
||||
@@ -197,6 +197,19 @@ static void do_ssh2_kex(struct ssh *);
|
||||
static void do_ssh2_kex(struct ssh *);
|
||||
--- openssh-9.3p2.orig/sshd.c
|
||||
+++ openssh-9.3p2/sshd.c
|
||||
@@ -272,6 +272,19 @@ static void do_ssh2_kex(struct ssh *);
|
||||
static char *listener_proctitle;
|
||||
|
||||
/*
|
||||
+ * Clear some stack space. This is a bit naive, but hopefully helps mitigate
|
||||
@ -285,10 +285,10 @@ Index: openssh-9.3p2/sshd-session.c
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
* Signal handler for the alarm after the login grace period has expired.
|
||||
* As usual, this may only take signal-safe actions, even though it is
|
||||
* terminal.
|
||||
@@ -260,6 +260,8 @@ destroy_sensitive_data(struct ssh *ssh,
|
||||
* Close all listening sockets
|
||||
*/
|
||||
static void
|
||||
@@ -430,6 +443,8 @@ destroy_sensitive_data(struct ssh *ssh,
|
||||
sensitive_data.host_certificates[i] = NULL;
|
||||
}
|
||||
}
|
||||
@ -297,32 +297,32 @@ Index: openssh-9.3p2/sshd-session.c
|
||||
}
|
||||
|
||||
/* Demote private to public keys for network child */
|
||||
@@ -431,6 +432,8 @@ privsep_preauth(struct ssh *ssh)
|
||||
@@ -600,6 +615,8 @@ privsep_preauth(struct ssh *ssh)
|
||||
static void
|
||||
privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
|
||||
{
|
||||
int skip_privdrop = 0;
|
||||
|
||||
+ clobber_stack();
|
||||
+
|
||||
/*
|
||||
* Hack for systems that don't support FD passing: retain privileges
|
||||
* in the post-auth privsep process so it can allocate PTYs directly.
|
||||
@@ -1354,6 +1356,7 @@ main(int ac, char **av)
|
||||
*/
|
||||
#ifdef DISABLE_FD_PASSING
|
||||
if (1) {
|
||||
#else
|
||||
@@ -2360,6 +2377,7 @@ main(int ac, char **av)
|
||||
if (use_privsep) {
|
||||
mm_send_keystate(ssh, pmonitor);
|
||||
ssh_packet_clear_keys(ssh);
|
||||
+ clobber_stack();
|
||||
exit(0);
|
||||
}
|
||||
|
||||
authenticated:
|
||||
@@ -1431,6 +1434,7 @@ main(int ac, char **av)
|
||||
|
||||
@@ -2436,6 +2454,7 @@ main(int ac, char **av)
|
||||
if (use_privsep)
|
||||
mm_terminate();
|
||||
|
||||
+ clobber_stack();
|
||||
exit(0);
|
||||
}
|
||||
|
||||
@@ -1577,8 +1581,10 @@ cleanup_exit(int i)
|
||||
@@ -2596,8 +2615,10 @@ cleanup_exit(int i)
|
||||
/* cleanup_exit can be called at the very least from the privsep
|
||||
wrappers used for auditing. Make sure we don't recurse
|
||||
indefinitely. */
|
||||
@ -332,10 +332,10 @@ Index: openssh-9.3p2/sshd-session.c
|
||||
_exit(i);
|
||||
+ }
|
||||
in_cleanup = 1;
|
||||
extern int auth_attempted; /* monitor.c */
|
||||
|
||||
@@ -1604,5 +1610,7 @@ cleanup_exit(int i)
|
||||
mm_is_monitor())
|
||||
if (the_active_state != NULL && the_authctxt != NULL) {
|
||||
do_cleanup(the_active_state, the_authctxt);
|
||||
@@ -2623,5 +2644,7 @@ cleanup_exit(int i)
|
||||
(!use_privsep || mm_is_monitor()))
|
||||
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
|
||||
#endif
|
||||
+
|
||||
|
@ -25,7 +25,7 @@ Index: openssh-8.9p1/ssh_config.5
|
||||
+diffie-hellman-group14-sha1
|
||||
.Ed
|
||||
.Pp
|
||||
The list of supported key exchange algorithms may also be obtained using
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
Index: openssh-8.9p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-8.9p1.orig/sshd_config.5
|
||||
@ -38,4 +38,4 @@ Index: openssh-8.9p1/sshd_config.5
|
||||
+diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
|
||||
.Ed
|
||||
.Pp
|
||||
The list of supported key exchange algorithms may also be obtained using
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
|
296
openssh.changes
296
openssh.changes
@ -1,299 +1,3 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Aug 12 08:55:38 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Fix a dbus connection leaked in the logind patch that was
|
||||
missing a sd_bus_unref call (found by Matthias Gerstner):
|
||||
* logind_set_tty.patch
|
||||
- Add a patch that fixes a small memory leak when parsing the
|
||||
subsystem configuration option:
|
||||
* fix-memleak-in-process_server_config_line_depth.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Aug 1 09:17:11 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Update to openssh 9.8p1:
|
||||
= Security
|
||||
* 1) Race condition in sshd(8) (bsc#1226642, CVE-2024-6387).
|
||||
A critical vulnerability in sshd(8) was present in Portable
|
||||
OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may
|
||||
allow arbitrary code execution with root privileges.
|
||||
Successful exploitation has been demonstrated on 32-bit
|
||||
Linux/glibc systems with ASLR. Under lab conditions, the attack
|
||||
requires on average 6-8 hours of continuous connections up to
|
||||
the maximum the server will accept. Exploitation on 64-bit
|
||||
systems is believed to be possible but has not been
|
||||
demonstrated at this time. It's likely that these attacks will
|
||||
be improved upon.
|
||||
Exploitation on non-glibc systems is conceivable but has not
|
||||
been examined. Systems that lack ASLR or users of downstream
|
||||
Linux distributions that have modified OpenSSH to disable
|
||||
per-connection ASLR re-randomisation (yes - this is a thing, no
|
||||
- we don't understand why) may potentially have an easier path
|
||||
to exploitation. OpenBSD is not vulnerable.
|
||||
We thank the Qualys Security Advisory Team for discovering,
|
||||
reporting and demonstrating exploitability of this problem, and
|
||||
for providing detailed feedback on additional mitigation
|
||||
measures.
|
||||
* 2) Logic error in ssh(1) ObscureKeystrokeTiming (bsc#1227318,
|
||||
CVE-2024-39894).
|
||||
In OpenSSH version 9.5 through 9.7 (inclusive), when connected
|
||||
to an OpenSSH server version 9.5 or later, a logic error in the
|
||||
ssh(1) ObscureKeystrokeTiming feature (on by default) rendered
|
||||
this feature ineffective - a passive observer could still
|
||||
detect which network packets contained real keystrokes when the
|
||||
countermeasure was active because both fake and real keystroke
|
||||
packets were being sent unconditionally.
|
||||
This bug was found by Philippos Giavridis and also
|
||||
independently by Jacky Wei En Kung, Daniel Hugenroth and
|
||||
Alastair Beresford of the University of Cambridge Computer Lab.
|
||||
Worse, the unconditional sending of both fake and real
|
||||
keystroke packets broke another long-standing timing attack
|
||||
mitigation. Since OpenSSH 2.9.9 sshd(8) has sent fake keystoke
|
||||
echo packets for traffic received on TTYs in echo-off mode,
|
||||
such as when entering a password into su(8) or sudo(8). This
|
||||
bug rendered these fake keystroke echoes ineffective and could
|
||||
allow a passive observer of a SSH session to once again detect
|
||||
when echo was off and obtain fairly limited timing information
|
||||
about keystrokes in this situation (20ms granularity by
|
||||
default).
|
||||
This additional implication of the bug was identified by
|
||||
Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford and
|
||||
we thank them for their detailed analysis.
|
||||
This bug does not affect connections when
|
||||
ObscureKeystrokeTiming was disabled or sessions where no TTY
|
||||
was requested.
|
||||
|
||||
= Future deprecation notice
|
||||
* OpenSSH plans to remove support for the DSA signature algorithm
|
||||
in early 2025. This release disables DSA by default at compile
|
||||
time.
|
||||
DSA, as specified in the SSHv2 protocol, is inherently weak -
|
||||
being limited to a 160 bit private key and use of the SHA1
|
||||
digest. Its estimated security level is only 80 bits symmetric
|
||||
equivalent.
|
||||
OpenSSH has disabled DSA keys by default since 2015 but has
|
||||
retained run-time optional support for them. DSA was the only
|
||||
mandatory-to-implement algorithm in the SSHv2 RFCs, mostly
|
||||
because alternative algorithms were encumbered by patents when
|
||||
the SSHv2 protocol was specified.
|
||||
This has not been the case for decades at this point and better
|
||||
algorithms are well supported by all actively-maintained SSH
|
||||
implementations. We do not consider the costs of maintaining
|
||||
DSA in OpenSSH to be justified and hope that removing it from
|
||||
OpenSSH can accelerate its wider deprecation in supporting
|
||||
cryptography libraries.
|
||||
This release, and its deactivation of DSA by default at
|
||||
compile-time, marks the second step in our timeline to finally
|
||||
deprecate DSA. The final step of removing DSA support entirely
|
||||
is planned for the first OpenSSH release of 2025.
|
||||
DSA support may be re-enabled in OpenBSD by setting
|
||||
"DSAKEY=yes" in Makefile.inc. To enable DSA support in
|
||||
portable OpenSSH, pass the "--enable-dsa-keys" option to
|
||||
configure.
|
||||
|
||||
= Potentially-incompatible changes
|
||||
* all: as mentioned above, the DSA signature algorithm is now
|
||||
disabled at compile time.
|
||||
* sshd(8): the server will now block client addresses that
|
||||
repeatedly fail authentication, repeatedly connect without ever
|
||||
completing authentication or that crash the server. See the
|
||||
discussion of PerSourcePenalties below for more information.
|
||||
Operators of servers that accept connections from many users,
|
||||
or servers that accept connections from addresses behind NAT or
|
||||
proxies may need to consider these settings.
|
||||
* sshd(8): the server has been split into a listener binary,
|
||||
sshd(8), and a per-session binary "sshd-session". This allows
|
||||
for a much smaller listener binary, as it no longer needs to
|
||||
support the SSH protocol. As part of this work, support for
|
||||
disabling privilege separation (which previously required code
|
||||
changes to disable) and disabling re-execution of sshd(8) has
|
||||
been removed. Further separation of sshd-session into
|
||||
additional, minimal binaries is planned for the future.
|
||||
* sshd(8): several log messages have changed. In particular, some
|
||||
log messages will be tagged with as originating from a process
|
||||
named "sshd-session" rather than "sshd".
|
||||
* ssh-keyscan(1): this tool previously emitted comment lines
|
||||
containing the hostname and SSH protocol banner to standard
|
||||
error. This release now emits them to standard output, but adds
|
||||
a new "-q" flag to silence them altogether.
|
||||
* sshd(8): (portable OpenSSH only) sshd will no longer use
|
||||
argv[0] as the PAM service name. A new "PAMServiceName"
|
||||
sshd_config(5) directive allows selecting the service name at
|
||||
runtime. This defaults to "sshd". bz2101
|
||||
* (portable OpenSSH only) Automatically-generated files, such as
|
||||
configure, config.h.in, etc will now be checked in to the
|
||||
portable OpenSSH git release branch (e.g. V_9_8). This should
|
||||
ensure that the contents of the signed release branch exactly
|
||||
match the contents of the signed release tarball.
|
||||
|
||||
= New features
|
||||
* sshd(8): as described above, sshd(8) will now penalise client
|
||||
addresses that, for various reasons, do not successfully
|
||||
complete authentication. This feature is controlled by a new
|
||||
sshd_config(5) PerSourcePenalties option and is on by default.
|
||||
sshd(8) will now identify situations where the session did not
|
||||
authenticate as expected. These conditions include when the
|
||||
client repeatedly attempted authentication unsucessfully
|
||||
(possibly indicating an attack against one or more accounts,
|
||||
e.g. password guessing), or when client behaviour caused sshd
|
||||
to crash (possibly indicating attempts to exploit bugs in
|
||||
sshd).
|
||||
When such a condition is observed, sshd will record a penalty
|
||||
of some duration (e.g. 30 seconds) against the client's
|
||||
address. If this time is above a minimum configurable
|
||||
threshold, then all connections from the client address will be
|
||||
refused (along with any others in the same
|
||||
PerSourceNetBlockSize CIDR range) until the penalty expire.
|
||||
Repeated offenses by the same client address will accrue
|
||||
greater penalties, up to a configurable maximum. Address ranges
|
||||
may be fully exempted from penalties, e.g. to guarantee access
|
||||
from a set of trusted management addresses, using the new
|
||||
sshd_config(5) PerSourcePenaltyExemptList option.
|
||||
We hope these options will make it significantly more difficult
|
||||
for attackers to find accounts with weak/guessable passwords or
|
||||
exploit bugs in sshd(8) itself. This option is enabled by
|
||||
default.
|
||||
* ssh(8): allow the HostkeyAlgorithms directive to disable the
|
||||
implicit fallback from certificate host key to plain host keys.
|
||||
|
||||
= Bugfixes
|
||||
* misc: fix a number of inaccuracies in the PROTOCOL.*
|
||||
documentation files. GHPR430 GHPR487
|
||||
* all: switch to strtonum(3) for more robust integer parsing in
|
||||
most places.
|
||||
* ssh(1), sshd(8): correctly restore sigprocmask around ppoll()
|
||||
* ssh-keysign(8): stricter validation of messaging socket fd
|
||||
GHPR492
|
||||
* sftp(1): flush stdout after writing "sftp>" prompt when not
|
||||
using editline. GHPR480
|
||||
* sftp-server(8): fix home-directory extension implementation,
|
||||
it previously always returned the current user's home directory
|
||||
contrary to the spec. GHPR477
|
||||
* ssh-keyscan(1): do not close stdin to prevent error messages
|
||||
when stdin is read multiple times. E.g.
|
||||
echo localhost | ssh-keyscan -f - -f -
|
||||
* regression tests: fix rekey test that was testing the same KEX
|
||||
algorithm repeatedly instead of testing all of them. bz3692
|
||||
* ssh_config(5), sshd_config(5): clarify the KEXAlgorithms
|
||||
directive documentation, especially around what is supported
|
||||
vs available. bz3701.
|
||||
|
||||
= Portability
|
||||
* sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
|
||||
unconditionally. The previous behaviour was to expose it only
|
||||
when particular authentication methods were in use.
|
||||
* build: fix OpenSSL ED25519 support detection. An incorrect
|
||||
function signature in configure.ac previously prevented
|
||||
enabling the recently added support for ED25519 private keys in
|
||||
PEM PKCS8 format.
|
||||
* ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
|
||||
environment variable to enable SSH_ASKPASS, similarly to the
|
||||
X11 DISPLAY environment variable. GHPR479
|
||||
* build: improve detection of the -fzero-call-used-regs compiler
|
||||
flag. bz3673.
|
||||
* build: relax OpenSSL version check to accept all OpenSSL 3.x
|
||||
versions.
|
||||
* sshd(8): add support for notifying systemd on server listen and
|
||||
reload, using a standalone implementation that doesn't depend
|
||||
on libsystemd. bz2641
|
||||
|
||||
- Update to openssh 9.7p1:
|
||||
|
||||
= New features
|
||||
* ssh(1), sshd(8): add a "global" ChannelTimeout type that
|
||||
watches all open channels and will close all open channels if
|
||||
there is no traffic on any of them for the specified interval.
|
||||
This is in addition to the existing per-channel timeouts added
|
||||
recently.
|
||||
This supports situations like having both session and x11
|
||||
forwarding channels open where one may be idle for an extended
|
||||
period but the other is actively used. The global timeout could
|
||||
close both channels when both have been idle for too long.
|
||||
* All: make DSA key support compile-time optional, defaulting to
|
||||
on.
|
||||
|
||||
= Bugfixes
|
||||
* sshd(8): don't append an unnecessary space to the end of
|
||||
subsystem arguments (bz3667)
|
||||
* ssh(1): fix the multiplexing "channel proxy" mode, broken when
|
||||
keystroke timing obfuscation was added. (GHPR#463)
|
||||
* ssh(1), sshd(8): fix spurious configuration parsing errors when
|
||||
options that accept array arguments are overridden (bz3657).
|
||||
* ssh-agent(1): fix potential spin in signal handler (bz3670)
|
||||
* Many fixes to manual pages and other documentation, including
|
||||
GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
|
||||
* Greatly improve interop testing against PuTTY.
|
||||
|
||||
= Portability
|
||||
* Improve the error message when the autoconf OpenSSL header
|
||||
check fails (bz#3668)
|
||||
* Improve detection of broken toolchain -fzero-call-used-regs
|
||||
support (bz3645).
|
||||
* Fix regress/misc/fuzz-harness fuzzers and make them compile
|
||||
without warnings when using clang16
|
||||
- Use gcc-11 in SLE to avoid a "parameter name omitted" error
|
||||
- Rebase patches:
|
||||
* logind_set_tty.patch
|
||||
* openssh-6.6.1p1-selinux-contexts.patch
|
||||
* openssh-6.6p1-keycat.patch
|
||||
* openssh-6.6p1-privsep-selinux.patch
|
||||
* openssh-7.6p1-cleanup-selinux.patch
|
||||
* openssh-7.7p1-cavstest-ctr.patch
|
||||
* openssh-7.7p1-cavstest-kdf.patch
|
||||
* openssh-7.7p1-fips.patch
|
||||
* openssh-7.7p1-fips_checks.patch
|
||||
* openssh-7.7p1-ldap.patch
|
||||
* openssh-7.7p1-pam_check_locks.patch
|
||||
* openssh-7.7p1-systemd-notify.patch
|
||||
* openssh-7.8p1-role-mls.patch
|
||||
* openssh-8.0p1-gssapi-keyex.patch
|
||||
* openssh-8.1p1-audit.patch
|
||||
* openssh-8.4p1-vendordir.patch
|
||||
* openssh-9.6p1-crypto-policies-man.patch
|
||||
* openssh-mitigate-lingering-secrets.patch
|
||||
* openssh-reenable-dh-group14-sha1-default.patch
|
||||
* wtmpdb.patch
|
||||
- Thanks to Fedora developers for an initial version of the
|
||||
rebase of the following patches:
|
||||
* openssh-8.0p1-gssapi-keyex.patch
|
||||
* openssh-7.8p1-role-mls.patch
|
||||
* openssh-8.1p1-audit.patch
|
||||
- Remove patches that are already included in 9.8p1:
|
||||
* fix-CVE-2024-6387.patch
|
||||
* 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
|
||||
* 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
|
||||
* 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
|
||||
- Remove patch that is now merged into
|
||||
openssh-7.7p1-cavstest-ctr.patch and
|
||||
openssh-7.7p1-cavstest-kdf.patch where it belongs:
|
||||
* fix-missing-lz.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 15 17:49:06 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
- Add sshd.socket and sshd@.service units as alternative to the
|
||||
sshd.service that makes systemd listen to the ssh port
|
||||
and run sshd per incoming connection. To enable this,
|
||||
disable sshd.service and enable sshd.socket . If you want to
|
||||
use a non standard sshd port with sshd.socket you can do
|
||||
"systemctl edit sshd.socket" and add something like:
|
||||
|
||||
[Socket]
|
||||
ListenStream=8022
|
||||
|
||||
which listens on port 8022 as well as on port 22. If you want
|
||||
to reset the list of listened ports and just use 8022, use:
|
||||
|
||||
[Socket]
|
||||
ListenStream=
|
||||
ListenStream=8022
|
||||
- To enable a vsock listener in sshd (which allows to connect to
|
||||
libvirt VMs), the systemd-experimental package needs to be
|
||||
installed in the guest system, the libvirt-ssh-proxy package
|
||||
needs to be installed in the host and the vm needs to have
|
||||
vsock support (in virt-manager, click in "Add hardware" and
|
||||
add "VSOCK VirtIO").
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jul 5 17:49:06 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||
|
||||
|
37
openssh.spec
37
openssh.spec
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package openssh
|
||||
#
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
# Copyright (c) 2020 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -39,7 +39,7 @@
|
||||
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||
%endif
|
||||
Name: openssh
|
||||
Version: 9.8p1
|
||||
Version: 9.6p1
|
||||
Release: 0
|
||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||
License: BSD-2-Clause AND MIT
|
||||
@ -61,8 +61,6 @@ Source12: cavs_driver-ssh.pl
|
||||
Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
|
||||
Source14: sysusers-sshd.conf
|
||||
Source15: sshd-sle.pamd
|
||||
Source16: sshd@.service
|
||||
Source17: sshd.socket
|
||||
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
|
||||
Patch3: openssh-7.7p1-enable_PAM_by_default.patch
|
||||
Patch4: openssh-7.7p1-eal3.patch
|
||||
@ -121,6 +119,7 @@ Patch50: openssh-openssl-3.patch
|
||||
Patch51: wtmpdb.patch
|
||||
Patch52: logind_set_tty.patch
|
||||
Patch54: openssh-mitigate-lingering-secrets.patch
|
||||
Patch100: fix-missing-lz.patch
|
||||
Patch102: openssh-7.8p1-role-mls.patch
|
||||
Patch103: openssh-6.6p1-privsep-selinux.patch
|
||||
Patch104: openssh-6.6p1-keycat.patch
|
||||
@ -129,15 +128,19 @@ Patch106: openssh-7.6p1-cleanup-selinux.patch
|
||||
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
|
||||
Patch107: openssh-9.6p1-crypto-policies.patch
|
||||
Patch108: openssh-9.6p1-crypto-policies-man.patch
|
||||
Patch109: fix-memleak-in-process_server_config_line_depth.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1226642 fix CVE-2024-6387
|
||||
Patch109: fix-CVE-2024-6387.patch
|
||||
# PATCH-FIX-UPSTREAM
|
||||
Patch110: 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
|
||||
# PATCH-FIX-UPSTREAM
|
||||
Patch111: 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1227318 CVE-2024-39894
|
||||
Patch112: 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
|
||||
%if 0%{with allow_root_password_login_by_default}
|
||||
Patch1000: openssh-7.7p1-allow_root_password_login.patch
|
||||
%endif
|
||||
BuildRequires: audit-devel
|
||||
BuildRequires: automake
|
||||
%if 0%{?sle_version} >= 150500
|
||||
BuildRequires: gcc11
|
||||
%endif
|
||||
BuildRequires: groff
|
||||
BuildRequires: libedit-devel
|
||||
BuildRequires: libselinux-devel
|
||||
@ -325,9 +328,6 @@ sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
||||
)
|
||||
|
||||
%build
|
||||
%if 0%{?sle_version} >= 150500
|
||||
export CC=gcc-11
|
||||
%endif
|
||||
autoreconf -fiv
|
||||
%ifarch s390 s390x %{sparc}
|
||||
PIEFLAGS="-fPIE"
|
||||
@ -392,8 +392,6 @@ install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
|
||||
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
|
||||
%endif
|
||||
install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
|
||||
install -D -m 0644 %{SOURCE16} %{buildroot}%{_unitdir}/sshd@.service
|
||||
install -D -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/sshd.socket
|
||||
ln -s service %{buildroot}%{_sbindir}/rcsshd
|
||||
install -d -m 755 %{buildroot}%{_fillupdir}
|
||||
install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}
|
||||
@ -473,11 +471,11 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd
|
||||
test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config.rpmsave.old ||:
|
||||
%endif
|
||||
|
||||
%service_add_pre sshd.service sshd.socket
|
||||
%service_add_pre sshd.service
|
||||
|
||||
%post server
|
||||
%{fillup_only -n ssh}
|
||||
%service_add_post sshd.service sshd.socket
|
||||
%service_add_post sshd.service
|
||||
|
||||
%if ! %{defined _distconfdir}
|
||||
test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
|
||||
@ -489,16 +487,16 @@ test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.c
|
||||
%endif
|
||||
|
||||
%preun server
|
||||
%service_del_preun sshd.service sshd.socket
|
||||
%service_del_preun sshd.service
|
||||
|
||||
%postun server
|
||||
# The openssh-fips trigger script for openssh will normally restart sshd once
|
||||
# it gets installed, so only restart the service here if openssh-fips is not
|
||||
# present.
|
||||
if rpm -q openssh-fips >/dev/null 2>/dev/null; then
|
||||
%service_del_postun_without_restart sshd.service sshd.socket
|
||||
%service_del_postun_without_restart sshd.service
|
||||
else
|
||||
%service_del_postun sshd.service sshd.socket
|
||||
%service_del_postun sshd.service
|
||||
fi
|
||||
|
||||
%if ! %{defined _distconfdir}
|
||||
@ -586,14 +584,11 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
|
||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
|
||||
%endif
|
||||
%attr(0644,root,root) %{_unitdir}/sshd.service
|
||||
%attr(0644,root,root) %{_unitdir}/sshd@.service
|
||||
%attr(0644,root,root) %{_unitdir}/sshd.socket
|
||||
%attr(0644,root,root) %{_sysusersdir}/sshd.conf
|
||||
%attr(0444,root,root) %{_mandir}/man5/sshd_config*
|
||||
%attr(0444,root,root) %{_mandir}/man8/sftp-server.8*
|
||||
%attr(0444,root,root) %{_mandir}/man8/sshd.8*
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/sftp-server
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/sshd-session
|
||||
%if 0%{?suse_version} < 1600
|
||||
%dir %{_sysconfdir}/slp.reg.d
|
||||
%config %{_sysconfdir}/slp.reg.d/ssh.reg
|
||||
|
11
sshd.socket
11
sshd.socket
@ -1,11 +0,0 @@
|
||||
[Unit]
|
||||
Description=OpenSSH Server Socket
|
||||
Conflicts=sshd.service
|
||||
|
||||
[Socket]
|
||||
ListenStream=22
|
||||
Accept=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=sockets.target
|
||||
|
@ -1,11 +0,0 @@
|
||||
[Unit]
|
||||
Description=OpenSSH Per-Connection Server Daemon
|
||||
Documentation=man:systemd-ssh-generator(8) man:sshd(8)
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
EnvironmentFile=-/etc/sysconfig/ssh
|
||||
ExecStartPre=/usr/sbin/sshd-gen-keys-start
|
||||
ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS
|
||||
ExecStart=-/usr/sbin/sshd -i $SSHD_OPTS
|
||||
StandardInput=socket
|
10
wtmpdb.patch
10
wtmpdb.patch
@ -174,16 +174,12 @@ diff -ur openssh-8.9p1.old/Makefile.in openssh-8.9p1/Makefile.in
|
||||
AR=@AR@
|
||||
AWK=@AWK@
|
||||
RANLIB=@RANLIB@
|
||||
@@ -212,10 +213,10 @@
|
||||
@@ -212,7 +213,7 @@
|
||||
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
|
||||
|
||||
sshd-session$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHD_SESSION_OBJS)
|
||||
- $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
|
||||
+ $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
|
||||
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
Loading…
Reference in New Issue
Block a user