diff --git a/0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch b/0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch new file mode 100644 index 0000000..70d5b4a --- /dev/null +++ b/0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch 
@@ -0,0 +1,414 @@ +From 7c116ef927a8ef14d09065757f75560fa0ab79d0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= +Date: Tue, 17 Oct 2023 04:04:13 +0200 +Subject: [PATCH 1/6] auth: Add KbdintResult definition to define result values + explicitly + +kbdint result vfunc may return various values, so use an enum to make it +clearer what each result means without having to dig into the struct +documentation. +--- + auth-bsdauth.c | 2 +- + auth-pam.c | 10 +++++----- + auth.h | 5 +++++ + auth2-chall.c | 4 ++-- + 4 files changed, 13 insertions(+), 8 deletions(-) + +diff --git a/auth-bsdauth.c b/auth-bsdauth.c +index d124e994e77..ca41735debb 100644 +--- a/auth-bsdauth.c ++++ b/auth-bsdauth.c +@@ -111,7 +111,7 @@ bsdauth_respond(void *ctx, u_int numresponses, char **responses) + authctxt->as = NULL; + debug3("bsdauth_respond: <%s> = <%d>", responses[0], authok); + +- return (authok == 0) ? -1 : 0; ++ return (authok == 0) ? KbdintResultFailure : KbdintResultSuccess; + } + + static void +diff --git a/auth-pam.c b/auth-pam.c +index b49d415e7c7..86137a1acdb 100644 +--- a/auth-pam.c ++++ b/auth-pam.c +@@ -990,15 +990,15 @@ sshpam_respond(void *ctx, u_int num, char **resp) + switch (ctxt->pam_done) { + case 1: + sshpam_authenticated = 1; +- return (0); ++ return KbdintResultSuccess; + case 0: + break; + default: +- return (-1); ++ return KbdintResultFailure; + } + if (num != 1) { + error("PAM: expected one response, got %u", num); +- return (-1); ++ return KbdintResultFailure; + } + if ((buffer = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); +@@ -1015,10 +1015,10 @@ sshpam_respond(void *ctx, u_int num, char **resp) + } + if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, buffer) == -1) { + sshbuf_free(buffer); +- return (-1); ++ return KbdintResultFailure; + } + sshbuf_free(buffer); +- return (1); ++ return KbdintResultAgain; + } + + static void +diff --git a/auth.h b/auth.h +index 6d2d3976234..aac1e92d9cd 100644 +--- a/auth.h 
++++ b/auth.h +@@ -51,6 +51,7 @@ struct sshauthopt; + typedef struct Authctxt Authctxt; + typedef struct Authmethod Authmethod; + typedef struct KbdintDevice KbdintDevice; ++typedef int KbdintResult; + + struct Authctxt { + sig_atomic_t success; +@@ -111,6 +112,10 @@ struct Authmethod { +# int *enabled; + int (*userauth)(struct ssh *, const char *); + }; + ++#define KbdintResultFailure -1 ++#define KbdintResultSuccess 0 ++#define KbdintResultAgain 1 ++ + /* + * Keyboard interactive device: + * init_ctx returns: non NULL upon success +diff --git a/auth2-chall.c b/auth2-chall.c +index 021df829173..047d4e83c33 100644 +--- a/auth2-chall.c ++++ b/auth2-chall.c +@@ -331,11 +331,11 @@ input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh) + free(response); + + switch (res) { +- case 0: ++ case KbdintResultSuccess: + /* Success! */ + authenticated = authctxt->valid ? 1 : 0; + break; +- case 1: ++ case KbdintResultAgain: + /* Authentication needs further interaction */ + if (send_userauth_info_request(ssh) == 1) + authctxt->postponed = 1; + +From 91ef15e8ed01a7e16d96ba6cb9ed51965dca9641 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= +Date: Mon, 16 Oct 2023 21:15:45 +0200 +Subject: [PATCH 2/6] auth-pam: Add an enum to define the PAM done status + +Makes things more readable and easier to extend +--- + auth-pam.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/auth-pam.c b/auth-pam.c +index 86137a1acdb..21291631011 100644 +--- a/auth-pam.c ++++ b/auth-pam.c +@@ -136,11 +136,16 @@ typedef pid_t sp_pthread_t; + #define pthread_join fake_pthread_join + #endif + ++typedef int SshPamDone; ++#define SshPamError -1 ++#define SshPamNone 0 ++#define SshPamAuthenticated 1 ++ + struct pam_ctxt { + sp_pthread_t pam_thread; + int pam_psock; + int pam_csock; +- int pam_done; ++ SshPamDone pam_done; + }; + + static void sshpam_free_ctx(void *); +@@ -904,7 +909,7 @@ sshpam_query(void *ctx, char 
**name, char **info, + **prompts = NULL; + *num = 0; + **echo_on = 0; +- ctxt->pam_done = -1; ++ ctxt->pam_done = SshPamError; + free(msg); + sshbuf_free(buffer); + return 0; +@@ -931,7 +936,7 @@ sshpam_query(void *ctx, char **name, char **info, + import_environments(buffer); + *num = 0; + **echo_on = 0; +- ctxt->pam_done = 1; ++ ctxt->pam_done = SshPamAuthenticated; + free(msg); + sshbuf_free(buffer); + return (0); +@@ -944,7 +949,7 @@ sshpam_query(void *ctx, char **name, char **info, + *num = 0; + **echo_on = 0; + free(msg); +- ctxt->pam_done = -1; ++ ctxt->pam_done = SshPamError; + sshbuf_free(buffer); + return (-1); + } +@@ -988,10 +993,10 @@ sshpam_respond(void *ctx, u_int num, char **resp) + + debug2("PAM: %s entering, %u responses", __func__, num); + switch (ctxt->pam_done) { +- case 1: ++ case SshPamAuthenticated: + sshpam_authenticated = 1; + return KbdintResultSuccess; +- case 0: ++ case SshPamNone: + break; + default: + return KbdintResultFailure; + +From 6fa8934d31cb9925c856f1b992fc5e04dd26da21 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= +Date: Tue, 17 Oct 2023 04:35:17 +0200 +Subject: [PATCH 3/6] auth-pam: Add debugging information when we receive PAM + messages + +--- + auth-pam.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/auth-pam.c b/auth-pam.c +index 21291631011..7a72e724adc 100644 +--- a/auth-pam.c ++++ b/auth-pam.c +@@ -450,6 +450,9 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg, + break; + case PAM_ERROR_MSG: + case PAM_TEXT_INFO: ++ debug3("PAM: Got message of type %d: %s", ++ PAM_MSG_MEMBER(msg, i, msg_style), ++ PAM_MSG_MEMBER(msg, i, msg)); + if ((r = sshbuf_put_cstring(buffer, + PAM_MSG_MEMBER(msg, i, msg))) != 0) + fatal("%s: buffer error: %s", + +From 598ee34312b541fa7b3988b4896641bf81996e27 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= +Date: Tue, 17 Oct 2023 04:27:32 +0200 +Subject: [PATCH 4/6] auth-pam: Immediately report 
interactive instructions to + clients + +SSH keyboard-interactive authentication method supports instructions but +sshd didn't show them until an user prompt was requested. + +This is quite inconvenient for various PAM modules that need to notify +an user without requiring for their explicit input. + +So, properly implement RFC4256 making instructions to be shown to users +when they are requested from PAM. + +Closes: https://bugzilla.mindrot.org/show_bug.cgi?id=2876 +--- + auth-pam.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/auth-pam.c b/auth-pam.c +index 7a72e724adc..b756f0e5221 100644 +--- a/auth-pam.c ++++ b/auth-pam.c +@@ -140,6 +140,7 @@ typedef int SshPamDone; + #define SshPamError -1 + #define SshPamNone 0 + #define SshPamAuthenticated 1 ++#define SshPamAgain 2 + + struct pam_ctxt { + sp_pthread_t pam_thread; +@@ -868,6 +869,8 @@ sshpam_query(void *ctx, char **name, char **info, + **prompts = NULL; + plen = 0; + *echo_on = xmalloc(sizeof(u_int)); ++ ctxt->pam_done = SshPamNone; ++ + while (ssh_msg_recv(ctxt->pam_psock, buffer) == 0) { + if (++nmesg > PAM_MAX_NUM_MSG) + fatal_f("too many query messages"); +@@ -888,15 +891,13 @@ sshpam_query(void *ctx, char **name, char **info, + return (0); + case PAM_ERROR_MSG: + case PAM_TEXT_INFO: +- /* accumulate messages */ +- len = plen + mlen + 2; +- **prompts = xreallocarray(**prompts, 1, len); +- strlcpy(**prompts + plen, msg, len - plen); +- plen += mlen; +- strlcat(**prompts + plen, "\n", len - plen); +- plen++; +- free(msg); +- break; ++ *num = 0; ++ free(*info); ++ *info = msg; /* Steal the message */ ++ msg = NULL; ++ ctxt->pam_done = SshPamAgain; ++ sshbuf_free(buffer); ++ return (0); + case PAM_ACCT_EXPIRED: + case PAM_MAXTRIES: + if (type == PAM_ACCT_EXPIRED) +@@ -1001,6 +1002,8 @@ sshpam_respond(void *ctx, u_int num, char **resp) + return KbdintResultSuccess; + case SshPamNone: + break; ++ case SshPamAgain: ++ return KbdintResultAgain; + default: + return 
KbdintResultFailure; + } + +From cc14301ce0542cdbb825eff8041ce98a1da9ef08 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= +Date: Tue, 17 Oct 2023 06:12:03 +0200 +Subject: [PATCH 5/6] sshconnect2: Write kbd-interactive service, info and + instructions as utf-8 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +As per the previous server change now the keyboard-interactive service +and instruction values could be reported as soon as they are available +and so they're not prompts anymore and not parsed like them. + +While this was already supported by the SSH client, these messages were +not properly written as the escaped sequences they contained were not +correctly reported. + +So for example a message containing "\" was represented as "\\" and +similarly for all the other C escape sequences. + +This was leading to more problems when it come to utf-8 chars, as they +were only represented by their octal representation. + +This was easily testable by adding a line like the one below to the +sshd PAM service: + auth requisite pam_echo.so Hello SSHD! Want some 🍕? + +Which was causing this to be written instead: + Hello SSHD! Want some \360\237\215\225? + +To handle this, instead of simply using fmprintf, we're using the notifier +in a way can be exposed to users in the proper format and UI. 
+--- + sshconnect2.c | 33 ++++++++++++++++++++++++--------- + 1 file changed, 24 insertions(+), 9 deletions(-) + +diff --git a/sshconnect2.c b/sshconnect2.c +index 5831a00c6d1..543431218c1 100644 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -1091,6 +1091,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh) + char *info = NULL, *lang = NULL, *password = NULL, *retype = NULL; + char prompt[256]; + const char *host; ++ size_t info_len; + int r; + + debug2("input_userauth_passwd_changereq"); +@@ -1100,11 +1101,15 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh) + "no authentication context"); + host = options.host_key_alias ? options.host_key_alias : authctxt->host; + +- if ((r = sshpkt_get_cstring(ssh, &info, NULL)) != 0 || ++ if ((r = sshpkt_get_cstring(ssh, &info, &info_len)) != 0 || + (r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0) + goto out; +- if (strlen(info) > 0) +- logit("%s", info); ++ if (info_len > 0) { ++ struct notifier_ctx *notifier = NULL; ++ debug_f("input_userauth_passwd_changereq info: %s", info); ++ notifier = notify_start(0, "%s", info); ++ notify_complete(notifier, NULL); ++ } + if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 || + (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 || + (r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 || +@@ -1938,8 +1943,10 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh) + Authctxt *authctxt = ssh->authctxt; + char *name = NULL, *inst = NULL, *lang = NULL, *prompt = NULL; + char *display_prompt = NULL, *response = NULL; ++ struct notifier_ctx *notifier = NULL; + u_char echo = 0; + u_int num_prompts, i; ++ size_t name_len, inst_len; + int r; + + debug2_f("entering"); +@@ -1949,14 +1956,22 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh) + + authctxt->info_req_seen = 1; + +- if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0 || +- (r = sshpkt_get_cstring(ssh, &inst, NULL)) != 0 || ++ if ((r 
= sshpkt_get_cstring(ssh, &name, &name_len)) != 0 || ++ (r = sshpkt_get_cstring(ssh, &inst, &inst_len)) != 0 || + (r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0) + goto out; +- if (strlen(name) > 0) +- logit("%s", name); +- if (strlen(inst) > 0) +- logit("%s", inst); ++ if (name_len > 0) { ++ debug_f("kbd int name: %s", name); ++ notifier = notify_start(0, "%s", name); ++ notify_complete(notifier, NULL); ++ notifier = NULL; ++ } ++ if (inst_len > 0) { ++ debug_f("kbd int inst: %s", inst); ++ notifier = notify_start(0, "%s", inst); ++ notify_complete(notifier, NULL); ++ notifier = NULL; ++ } + + if ((r = sshpkt_get_u32(ssh, &num_prompts)) != 0) + goto out; + +From 99656caabc5cff24122e5b9a140e5a38ab418a5d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= +Date: Tue, 17 Oct 2023 06:05:59 +0200 +Subject: [PATCH 6/6] auth2-chall: Fix selection of the keyboard-interactive + device + +We were only checking if the prefix of a device name was matching what +we had in the devices list, so if the device list contained "pam", then +also the device "pam-foo" was matching. +--- + auth2-chall.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/auth2-chall.c b/auth2-chall.c +index 047d4e83c33..db658c9b4a7 100644 +--- a/auth2-chall.c ++++ b/auth2-chall.c +@@ -170,7 +170,7 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt) + "keyboard-interactive", devices[i]->name)) + continue; + if (strncmp(kbdintctxt->devices, devices[i]->name, +- len) == 0) { ++ len) == 0 && strlen(devices[i]->name) == len) { + kbdintctxt->device = devices[i]; + kbdintctxt->devices_done |= 1 << i; + } diff --git a/openssh-6.6p1-keycat.patch b/openssh-6.6p1-keycat.patch index 1301374..54d5ac1 100644 --- a/openssh-6.6p1-keycat.patch +++ b/openssh-6.6p1-keycat.patch 
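Review bot: In PATCH 5 the client now hands the server-supplied `name`, `inst` and password-change `info` strings straight to `notify_start()`, which, as far as I recall, writes its message to the terminal with a raw `write(2)` when stderr is a tty and otherwise passes it verbatim as an argument to `SSH_ASKPASS`, so a hostile server (or any PAM module on the server) can embed terminal control sequences in a keyboard-interactive instruction; the escaping the commit message treats as the bug was the deliberate mitigation for exactly that, and RFC 4256 treats these strings as untrusted. The octal mangling of UTF-8 quoted in the message comes from the logger's `strnvis()` not being locale-aware, not from escaping as such; the same `input_userauth_info_req()` already solves this for prompts with `asmprintf()`, which keeps printable UTF-8 in a UTF-8 locale and only escapes control characters. Sanitise first and notify second at all three call sites, e.g. `if (asmprintf(&safe, INT_MAX, NULL, "%s", inst) == -1) fatal_f("asmprintf failed"); notifier = notify_start(0, "%s", safe);` and free `safe` afterwards. On the server side (PATCH 4), returning from `sshpam_query()` on every PAM_TEXT_INFO/PAM_ERROR_MSG means text that used to accumulate in `**prompts` and be drained into `loginmsg` on PAM_SUCCESS is now delivered before authentication as the instruction, so the drain code in the PAM_SUCCESS/PAM_AUTH_ERR cases (outside this hunk's visible lines) is presumably dead and should be removed or commented as such; `input_userauth_info_req()` also continues past the end of the hunk.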
@@ -16,70 +16,70 @@ Index: openssh-9.3p2/misc.c if (env != NULL) execve(av[0], av, env); else -Index: openssh-9.3p2/HOWTO.ssh-keycat -=================================================================== ---- /dev/null -+++ openssh-9.3p2/HOWTO.ssh-keycat -@@ -0,0 +1,12 @@ -+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys -+of an user in any environment. This includes environments with -+polyinstantiation of home directories and SELinux MLS policy enabled. -+ -+To use ssh-keycat, set these options in /etc/ssh/sshd_config file: -+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat -+ AuthorizedKeysCommandUser root -+ -+Do not forget to enable public key authentication: -+ PubkeyAuthentication yes -+ -+ -Index: openssh-9.3p2/Makefile.in -=================================================================== ---- openssh-9.3p2.orig/Makefile.in -+++ openssh-9.3p2/Makefile.in -@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server - ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass - SFTP_SERVER=$(libexecdir)/sftp-server - SSH_KEYSIGN=$(libexecdir)/ssh-keysign -+SSH_KEYCAT=$(libexecdir)/ssh-keycat - SSHD_SESSION=$(libexecdir)/sshd-session - SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper - SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper -@@ -57,6 +58,7 @@ CHANNELLIBS=@CHANNELLIBS@ - K5LIBS=@K5LIBS@ - GSSLIBS=@GSSLIBS@ - SSHDLIBS=@SSHDLIBS@ -+KEYCATLIBS=@KEYCATLIBS@ - LIBEDIT=@LIBEDIT@ - LIBFIDO2=@LIBFIDO2@ - LIBWTMPDB=@LIBWTMPDB@ -@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@ - - .SUFFIXES: .lo - --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) 
ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) - - TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT) - -@@ -245,6 +247,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) - ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS) - $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(CHANNELLIBS) - -+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o -+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS) -+ - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) - $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS) - -@@ -431,6 +436,7 @@ install-files: - $(INSTALL) -m 0755 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ - fi - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) -+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT) +#Index: openssh-9.3p2/HOWTO.ssh-keycat +#=================================================================== +#--- /dev/null +#+++ openssh-9.3p2/HOWTO.ssh-keycat +#@@ -0,0 +1,12 @@ +#+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys +#+of an user in any environment. This includes environments with +#+polyinstantiation of home directories and SELinux MLS policy enabled. 
+#+ +#+To use ssh-keycat, set these options in /etc/ssh/sshd_config file: +#+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat +#+ AuthorizedKeysCommandUser root +#+ +#+Do not forget to enable public key authentication: +#+ PubkeyAuthentication yes +#+ +#+ +#Index: openssh-9.3p2/Makefile.in +#=================================================================== +#--- openssh-9.3p2.orig/Makefile.in +#+++ openssh-9.3p2/Makefile.in +#@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server +# ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass +# SFTP_SERVER=$(libexecdir)/sftp-server +# SSH_KEYSIGN=$(libexecdir)/ssh-keysign +#+SSH_KEYCAT=$(libexecdir)/ssh-keycat +# SSHD_SESSION=$(libexecdir)/sshd-session +# SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper +# SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper +#@@ -57,6 +58,7 @@ CHANNELLIBS=@CHANNELLIBS@ +# K5LIBS=@K5LIBS@ +# GSSLIBS=@GSSLIBS@ +# SSHDLIBS=@SSHDLIBS@ +#+KEYCATLIBS=@KEYCATLIBS@ +# LIBEDIT=@LIBEDIT@ +# LIBFIDO2=@LIBFIDO2@ +# LIBWTMPDB=@LIBWTMPDB@ +#@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@ +# +# .SUFFIXES: .lo +# +#-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) +#+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) +# +# TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT) +# +#@@ -245,6 +247,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) +# ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS) +# $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(CHANNELLIBS) +# +#+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o 
+#+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS) +#+ +# ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) +# $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS) +# +#@@ -431,6 +436,7 @@ install-files: +# $(INSTALL) -m 0755 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ +# fi +# $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) +#+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT) +# $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) +# $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) +# $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT) Index: openssh-9.3p2/openbsd-compat/port-linux.h =================================================================== --- openssh-9.3p2.orig/openbsd-compat/port-linux.h 
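Review bot: Commenting the HOWTO and Makefile.in sections out with a leading `#` relies on patch(1) silently skipping lines it cannot parse and leaves some 70 lines of dead diff that every future rebase still has to carry; since the changelog states the keycat binary is neither installed nor supported, delete these sections outright (and the `ssh-keycat.c`/`configure.ac` sections in the next hunk) so the patch holds only the port-linux.h/platform.c pieces the SELinux patches depend on. If the intent is to keep the code retrievable, the package's git history already does that, and a reader of the patch should not have to work out which `#+` lines are commentary and which are disabled code.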
@@ -205,287 +205,287 @@ Index: openssh-9.3p2/platform.c #endif #ifdef USE_SOLARIS_PROJECTS -Index: openssh-9.3p2/ssh-keycat.c -=================================================================== ---- /dev/null -+++ openssh-9.3p2/ssh-keycat.c -@@ -0,0 +1,241 @@ -+/* -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+/* -+ * Copyright (c) 2011 Red Hat, Inc. -+ * Written by Tomas Mraz -+*/ -+ -+#define _GNU_SOURCE -+ -+#include "config.h" -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#ifdef HAVE_STDINT_H -+#include -+#endif -+ -+#include -+ -+#include "uidswap.h" -+#include "misc.h" -+ -+#define ERR_USAGE 1 -+#define ERR_PAM_START 2 -+#define ERR_OPEN_SESSION 3 -+#define ERR_CLOSE_SESSION 4 -+#define ERR_PAM_END 5 -+#define ERR_GETPWNAM 6 -+#define ERR_MEMORY 7 -+#define ERR_OPEN 8 -+#define ERR_FILE_MODE 9 -+#define ERR_FDOPEN 10 -+#define ERR_STAT 11 -+#define ERR_WRITE 12 -+#define ERR_PAM_PUTENV 13 -+#define BUFLEN 4096 -+ -+/* Just ignore the messages in the conversation function */ -+static int -+dummy_conv(int num_msg, const struct pam_message **msgm, -+ struct pam_response **response, void *appdata_ptr) -+{ -+ struct pam_response *rsp; -+ -+ (void)msgm; -+ (void)appdata_ptr; -+ -+ if (num_msg <= 0) -+ return PAM_CONV_ERR; -+ -+ /* Just allocate the array as empty responses */ -+ rsp = calloc (num_msg, sizeof (struct pam_response)); -+ if (rsp == NULL) -+ return PAM_CONV_ERR; -+ -+ *response = rsp; -+ return PAM_SUCCESS; -+} -+ -+static struct pam_conv conv = { -+ dummy_conv, -+ NULL -+}; -+ -+char * -+make_auth_keys_name(const struct passwd *pwd) -+{ -+ char *fname; -+ -+ if (asprintf(&fname, "%s/.ssh/authorized_keys", pwd->pw_dir) < 0) -+ return NULL; -+ -+ return fname; -+} -+ -+int -+dump_keys(const 
char *user) -+{ -+ struct passwd *pwd; -+ int fd = -1; -+ FILE *f = NULL; -+ char *fname = NULL; -+ int rv = 0; -+ char buf[BUFLEN]; -+ size_t len; -+ struct stat st; -+ -+ if ((pwd = getpwnam(user)) == NULL) { -+ return ERR_GETPWNAM; -+ } -+ -+ if ((fname = make_auth_keys_name(pwd)) == NULL) { -+ return ERR_MEMORY; -+ } -+ -+ temporarily_use_uid(pwd); -+ -+ if ((fd = open(fname, O_RDONLY|O_NONBLOCK|O_NOFOLLOW, 0)) < 0) { -+ rv = ERR_OPEN; -+ goto fail; -+ } -+ -+ if (fstat(fd, &st) < 0) { -+ rv = ERR_STAT; -+ goto fail; -+ } -+ -+ if (!S_ISREG(st.st_mode) || -+ (st.st_uid != pwd->pw_uid && st.st_uid != 0)) { -+ rv = ERR_FILE_MODE; -+ goto fail; -+ } -+ -+ unset_nonblock(fd); -+ -+ if ((f = fdopen(fd, "r")) == NULL) { -+ rv = ERR_FDOPEN; -+ goto fail; -+ } -+ -+ fd = -1; -+ -+ while ((len = fread(buf, 1, sizeof(buf), f)) > 0) { -+ rv = fwrite(buf, 1, len, stdout) != len ? ERR_WRITE : 0; -+ } -+ -+fail: -+ if (fd != -1) -+ close(fd); -+ if (f != NULL) -+ fclose(f); -+ free(fname); -+ restore_uid(); -+ return rv; -+} -+ -+static const char *env_names[] = { "SELINUX_ROLE_REQUESTED", -+ "SELINUX_LEVEL_REQUESTED", -+ "SELINUX_USE_CURRENT_RANGE" -+}; -+ -+extern char **environ; -+ -+int -+set_pam_environment(pam_handle_t *pamh) -+{ -+ int i; -+ size_t j; -+ -+ for (j = 0; j < sizeof(env_names)/sizeof(env_names[0]); ++j) { -+ int len = strlen(env_names[j]); -+ -+ for (i = 0; environ[i] != NULL; ++i) { -+ if (strncmp(env_names[j], environ[i], len) == 0 && -+ environ[i][len] == '=') { -+ if (pam_putenv(pamh, environ[i]) != PAM_SUCCESS) -+ return ERR_PAM_PUTENV; -+ } -+ } -+ } -+ -+ return 0; -+} -+ -+int -+main(int argc, char *argv[]) -+{ -+ pam_handle_t *pamh = NULL; -+ int retval; -+ int ev = 0; -+ -+ if (argc != 2) { -+ fprintf(stderr, "Usage: %s \n", argv[0]); -+ return ERR_USAGE; -+ } -+ -+ retval = pam_start("ssh-keycat", argv[1], &conv, &pamh); -+ if (retval != PAM_SUCCESS) { -+ return ERR_PAM_START; -+ } -+ -+ ev = set_pam_environment(pamh); -+ if (ev != 0) -+ goto 
finish; -+ -+ retval = pam_open_session(pamh, PAM_SILENT); -+ if (retval != PAM_SUCCESS) { -+ ev = ERR_OPEN_SESSION; -+ goto finish; -+ } -+ -+ ev = dump_keys(argv[1]); -+ -+ retval = pam_close_session(pamh, PAM_SILENT); -+ if (retval != PAM_SUCCESS) { -+ ev = ERR_CLOSE_SESSION; -+ } -+ -+finish: -+ retval = pam_end (pamh,retval); -+ if (retval != PAM_SUCCESS) { -+ ev = ERR_PAM_END; -+ } -+ return ev; -+} -Index: openssh-9.3p2/configure.ac -=================================================================== ---- openssh-9.3p2.orig/configure.ac -+++ openssh-9.3p2/configure.ac -@@ -3632,6 +3632,7 @@ AC_ARG_WITH([pam], - PAM_MSG="yes" - - SSHDLIBS="$SSHDLIBS -lpam" -+ KEYCATLIBS="$KEYCATLIBS -lpam" - AC_DEFINE([USE_PAM], [1], - [Define if you want to enable PAM support]) - -@@ -3642,6 +3643,7 @@ AC_ARG_WITH([pam], - ;; - *) - SSHDLIBS="$SSHDLIBS -ldl" -+ KEYCATLIBS="$KEYCATLIBS -ldl" - ;; - esac - fi -@@ -4875,6 +4877,7 @@ AC_ARG_WITH([selinux], - fi ] - ) - AC_SUBST([SSHDLIBS]) -+AC_SUBST([KEYCATLIBS]) - - # Check whether user wants Kerberos 5 support - KRB5_MSG="no" -@@ -5905,6 +5908,9 @@ fi - if test ! -z "${SSHDLIBS}"; then - echo " +for sshd: ${SSHDLIBS}" - fi -+if test ! -z "${KEYCATLIBS}"; then -+echo " +for ssh-keycat: ${KEYCATLIBS}" -+fi - - echo "" - +#Index: openssh-9.3p2/ssh-keycat.c +#=================================================================== +#--- /dev/null +#+++ openssh-9.3p2/ssh-keycat.c +#@@ -0,0 +1,241 @@ +#+/* +#+ * Redistribution and use in source and binary forms, with or without +#+ * modification, are permitted provided that the following conditions +#+ * are met: +#+ * 1. Redistributions of source code must retain the above copyright +#+ * notice, and the entire permission notice in its entirety, +#+ * including the disclaimer of warranties. +#+ * 2. 
Redistributions in binary form must reproduce the above copyright +#+ * notice, this list of conditions and the following disclaimer in the +#+ * documentation and/or other materials provided with the distribution. +#+ * 3. The name of the author may not be used to endorse or promote +#+ * products derived from this software without specific prior +#+ * written permission. +#+ * +#+ * ALTERNATIVELY, this product may be distributed under the terms of +#+ * the GNU Public License, in which case the provisions of the GPL are +#+ * required INSTEAD OF the above restrictions. (This clause is +#+ * necessary due to a potential bad interaction between the GPL and +#+ * the restrictions contained in a BSD-style copyright.) +#+ * +#+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED +#+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +#+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +#+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, +#+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +#+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +#+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +#+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +#+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +#+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +#+ * OF THE POSSIBILITY OF SUCH DAMAGE. +#+ */ +#+ +#+/* +#+ * Copyright (c) 2011 Red Hat, Inc. 
+#+ * Written by Tomas Mraz +#+*/ +#+ +#+#define _GNU_SOURCE +#+ +#+#include "config.h" +#+#include +#+#include +#+#include +#+#include +#+#include +#+#include +#+#include +#+#include +#+#ifdef HAVE_STDINT_H +#+#include +#+#endif +#+ +#+#include +#+ +#+#include "uidswap.h" +#+#include "misc.h" +#+ +#+#define ERR_USAGE 1 +#+#define ERR_PAM_START 2 +#+#define ERR_OPEN_SESSION 3 +#+#define ERR_CLOSE_SESSION 4 +#+#define ERR_PAM_END 5 +#+#define ERR_GETPWNAM 6 +#+#define ERR_MEMORY 7 +#+#define ERR_OPEN 8 +#+#define ERR_FILE_MODE 9 +#+#define ERR_FDOPEN 10 +#+#define ERR_STAT 11 +#+#define ERR_WRITE 12 +#+#define ERR_PAM_PUTENV 13 +#+#define BUFLEN 4096 +#+ +#+/* Just ignore the messages in the conversation function */ +#+static int +#+dummy_conv(int num_msg, const struct pam_message **msgm, +#+ struct pam_response **response, void *appdata_ptr) +#+{ +#+ struct pam_response *rsp; +#+ +#+ (void)msgm; +#+ (void)appdata_ptr; +#+ +#+ if (num_msg <= 0) +#+ return PAM_CONV_ERR; +#+ +#+ /* Just allocate the array as empty responses */ +#+ rsp = calloc (num_msg, sizeof (struct pam_response)); +#+ if (rsp == NULL) +#+ return PAM_CONV_ERR; +#+ +#+ *response = rsp; +#+ return PAM_SUCCESS; +#+} +#+ +#+static struct pam_conv conv = { +#+ dummy_conv, +#+ NULL +#+}; +#+ +#+char * +#+make_auth_keys_name(const struct passwd *pwd) +#+{ +#+ char *fname; +#+ +#+ if (asprintf(&fname, "%s/.ssh/authorized_keys", pwd->pw_dir) < 0) +#+ return NULL; +#+ +#+ return fname; +#+} +#+ +#+int +#+dump_keys(const char *user) +#+{ +#+ struct passwd *pwd; +#+ int fd = -1; +#+ FILE *f = NULL; +#+ char *fname = NULL; +#+ int rv = 0; +#+ char buf[BUFLEN]; +#+ size_t len; +#+ struct stat st; +#+ +#+ if ((pwd = getpwnam(user)) == NULL) { +#+ return ERR_GETPWNAM; +#+ } +#+ +#+ if ((fname = make_auth_keys_name(pwd)) == NULL) { +#+ return ERR_MEMORY; +#+ } +#+ +#+ temporarily_use_uid(pwd); +#+ +#+ if ((fd = open(fname, O_RDONLY|O_NONBLOCK|O_NOFOLLOW, 0)) < 0) { +#+ rv = ERR_OPEN; +#+ goto fail; +#+ } +#+ +#+ if 
(fstat(fd, &st) < 0) { +#+ rv = ERR_STAT; +#+ goto fail; +#+ } +#+ +#+ if (!S_ISREG(st.st_mode) || +#+ (st.st_uid != pwd->pw_uid && st.st_uid != 0)) { +#+ rv = ERR_FILE_MODE; +#+ goto fail; +#+ } +#+ +#+ unset_nonblock(fd); +#+ +#+ if ((f = fdopen(fd, "r")) == NULL) { +#+ rv = ERR_FDOPEN; +#+ goto fail; +#+ } +#+ +#+ fd = -1; +#+ +#+ while ((len = fread(buf, 1, sizeof(buf), f)) > 0) { +#+ rv = fwrite(buf, 1, len, stdout) != len ? ERR_WRITE : 0; +#+ } +#+ +#+fail: +#+ if (fd != -1) +#+ close(fd); +#+ if (f != NULL) +#+ fclose(f); +#+ free(fname); +#+ restore_uid(); +#+ return rv; +#+} +#+ +#+static const char *env_names[] = { "SELINUX_ROLE_REQUESTED", +#+ "SELINUX_LEVEL_REQUESTED", +#+ "SELINUX_USE_CURRENT_RANGE" +#+}; +#+ +#+extern char **environ; +#+ +#+int +#+set_pam_environment(pam_handle_t *pamh) +#+{ +#+ int i; +#+ size_t j; +#+ +#+ for (j = 0; j < sizeof(env_names)/sizeof(env_names[0]); ++j) { +#+ int len = strlen(env_names[j]); +#+ +#+ for (i = 0; environ[i] != NULL; ++i) { +#+ if (strncmp(env_names[j], environ[i], len) == 0 && +#+ environ[i][len] == '=') { +#+ if (pam_putenv(pamh, environ[i]) != PAM_SUCCESS) +#+ return ERR_PAM_PUTENV; +#+ } +#+ } +#+ } +#+ +#+ return 0; +#+} +#+ +#+int +#+main(int argc, char *argv[]) +#+{ +#+ pam_handle_t *pamh = NULL; +#+ int retval; +#+ int ev = 0; +#+ +#+ if (argc != 2) { +#+ fprintf(stderr, "Usage: %s \n", argv[0]); +#+ return ERR_USAGE; +#+ } +#+ +#+ retval = pam_start("ssh-keycat", argv[1], &conv, &pamh); +#+ if (retval != PAM_SUCCESS) { +#+ return ERR_PAM_START; +#+ } +#+ +#+ ev = set_pam_environment(pamh); +#+ if (ev != 0) +#+ goto finish; +#+ +#+ retval = pam_open_session(pamh, PAM_SILENT); +#+ if (retval != PAM_SUCCESS) { +#+ ev = ERR_OPEN_SESSION; +#+ goto finish; +#+ } +#+ +#+ ev = dump_keys(argv[1]); +#+ +#+ retval = pam_close_session(pamh, PAM_SILENT); +#+ if (retval != PAM_SUCCESS) { +#+ ev = ERR_CLOSE_SESSION; +#+ } +#+ +#+finish: +#+ retval = pam_end (pamh,retval); +#+ if (retval != PAM_SUCCESS) { +#+ ev = 
ERR_PAM_END;
+#+ }
+#+ return ev;
+#+}
+#Index: openssh-9.3p2/configure.ac
+#===================================================================
+#--- openssh-9.3p2.orig/configure.ac
+#+++ openssh-9.3p2/configure.ac
+#@@ -3632,6 +3632,7 @@ AC_ARG_WITH([pam],
+# PAM_MSG="yes"
+#
+# SSHDLIBS="$SSHDLIBS -lpam"
+#+ KEYCATLIBS="$KEYCATLIBS -lpam"
+# AC_DEFINE([USE_PAM], [1],
+# [Define if you want to enable PAM support])
+#
+#@@ -3642,6 +3643,7 @@ AC_ARG_WITH([pam],
+# ;;
+# *)
+# SSHDLIBS="$SSHDLIBS -ldl"
+#+ KEYCATLIBS="$KEYCATLIBS -ldl"
+# ;;
+# esac
+# fi
+#@@ -4875,6 +4877,7 @@ AC_ARG_WITH([selinux],
+# fi ]
+# )
+# AC_SUBST([SSHDLIBS])
+#+AC_SUBST([KEYCATLIBS])
+#
+# # Check whether user wants Kerberos 5 support
+# KRB5_MSG="no"
+#@@ -5905,6 +5908,9 @@ fi
+# if test ! -z "${SSHDLIBS}"; then
+# echo " +for sshd: ${SSHDLIBS}"
+# fi
+#+if test ! -z "${KEYCATLIBS}"; then
+#+echo " +for ssh-keycat: ${KEYCATLIBS}"
+#+fi
+#
+# echo ""
+#
diff --git a/openssh.changes b/openssh.changes
index a280f79..3afe817 100644
--- a/openssh.changes
+++ b/openssh.changes
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Thu Sep 12 07:43:18 UTC 2024 - Antonio Larrosa
+
+- Drop most of openssh-6.6p1-keycat.patch (actually, it was just
+ commented out). The keycat binary isn't really installed nor
+ supported, so we can drop it, except for the code that is used
+ by other SELinux patches, which is what I kept from that patch
+ (boo#1229072).
+- Add patch submitted to upstream to fix RFC4256 implementation
+ so that keyboard-interactive authentication method can send
+ instructions and sshd shows them to users even before a prompt
+ is requested. This fixes MFA push notifications (boo#1229010).
+ * 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
+
 -------------------------------------------------------------------
 Fri Aug 23 12:10:00 UTC 2024 - Antonio Larrosa
diff --git a/openssh.spec b/openssh.spec
index 4852318..381f22d 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -132,6 +132,8 @@ Patch108: openssh-9.6p1-crypto-policies-man.patch
 Patch109: fix-memleak-in-process_server_config_line_depth.patch
 # PATCH-FIX-UPSTREAM alarrosa@suse.com -- https://github.com/openssh/openssh-portable/pull/516
 Patch110: fix-audit-fail-attempt.patch
+# PATCH-FIX-UPSTREAM -- https://github.com/openssh/openssh-portable/pull/452 boo#1229010
+Patch111: 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
 %if 0%{with allow_root_password_login_by_default}
 Patch1000: openssh-7.7p1-allow_root_password_login.patch
 %endif
@@ -448,9 +450,6 @@ install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
 mkdir -p %{buildroot}%{_sysusersdir}
 install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf
-rm %{buildroot}%{_libexecdir}/ssh/ssh-keycat
-#rm -r %{buildroot}/usr/lib/debug/.build-id
-
 # the hmac hashes - taken from openssl
 #
 # re-define the __os_install_post macro: the macro strips
