forked from pool/openssh
Accepting request 432093 from home:pcerny:factory
next round of patches
- allow X forwarding over IPv4 when IPv6 sockets are not available
  [openssh-7.2p2-X_forward_with_disabled_ipv6.patch]
- do not write PID file when not daemonizing
  [openssh-7.2p2-no_fork-no_pid_file.patch]
- use correct options when invoking login
  [openssh-7.2p2-login_options.patch]
- helper application for retrieving users' public keys from an LDAP server
  [openssh-7.2p2-ldap.patch]
- allow forcing permissions over sftp
  [openssh-7.2p2-sftp_force_permissions.patch]
- do not perform run-time checks for OpenSSL API/ABI change
  [openssh-7.2p2-disable-openssl-abi-check.patch]
- suggest commands for cleaning known hosts file
  [openssh-7.2p2-host_ident.patch]
- sftp home chroot patch
  [openssh-7.2p2-sftp_homechroot.patch]
- ssh sessions auditing
  [openssh-7.2p2-audit.patch]
- enable seccomp sandbox on additional architectures
  [openssh-7.2p2-additional_seccomp_archs.patch]

OBS-URL: https://build.opensuse.org/request/show/432093
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=112
parent e0d7fb0744
commit fe873a1c10
64
README.FIPS
@ -0,0 +1,64 @@
|
||||
Notes on FIPS mode and OpenSSH
|
||||
|
||||
---
|
||||
|
||||
SUSE OpenSSH comes with FIPS 140-2 support, and certain versions have been
|
||||
certified as FIPS compliant by NIST. Apart from other things, this standard
|
||||
puts restrictions on cryptographic algorithms that may be used.
|
||||
|
||||
Important notice: FIPS is not only a matter of functionality. If you want to
|
||||
claim having a FIPS certified service, you *must* use the certified binaries.
|
||||
Even binaries built from the same sources in the same environment and running
|
||||
on a certified system, yet from a package lacking the certification, are
|
||||
formally not considered to be fulfilling the requirements.
|
||||
|
||||
The certified binaries (ssh, sshd, sftp-server) perform mandatory selfcheck at
|
||||
startup and proceed only when the checks succeed (non-certified binaries may
|
||||
skip the check). These checks require the cryptographic hashes contained in the
|
||||
openssh-fips subpackage.
|
||||
|
||||
The FIPS mode for OpenSSH is enabled in two ways - either:
|
||||
|
||||
1) /proc/sys/crypto/fips_enabled contains a single character '1' - this is a
|
||||
system-wide setting controlled bu the fips kernel parameter; or
|
||||
|
||||
2) the environment variable SSH_FORCE_FIPS - if set (to any value), the
|
||||
binaries behave as if they were running on a system in FIPS mode.
|
||||
|
||||
Since FIPS 140-2 only allows use of certain cryptographic algorithms, both the
|
||||
client and server will fail if they are requested to use non-approved
|
||||
algorithms while in FIPS mode. This means that working configurations for FIPS
|
||||
mode form a proper subset of all working (generic) configurations. Some
|
||||
configurations may even prevent the binaries from starting at all.
|
||||
|
||||
This however should be viewed in the context of FIPS being a security policy
|
||||
tool - it is not of much use to run the same system both in FIPS mode and
|
||||
outside of it, since that would defeat the main purpose of FIPS having
|
||||
guaranteeing standardised minimum restrictions on cryptographic algorithms
|
||||
(and thus on the overall security of the system).
|
||||
|
||||
Unless you specify what cryptographic algorithms you wish to use, both the
|
||||
client and server should work out of the box in FIPS mode.
|
||||
|
||||
For sshd, you can use the `-t` option to check whether the configuration file
|
||||
is working. Setting the above mentioned environment variable allows testing of
|
||||
behaviour in FIPS mode (checksum files for both OpenSSH and OpenSSL must be
|
||||
installed).
|
||||
|
||||
In addition to cryptographic algorithms restrictions, sshd performs periodic
|
||||
PRNG re-seeding. The seed is read from entropy source either /dev/urandom or
|
||||
/dev/random. By default, the former is used, unless the environment variable
|
||||
SSH_USE_STRONG_RNG is set to a non-zero value or the binary is running in FIPS
|
||||
mode. This has two important implications:
|
||||
|
||||
1) the selected entropy source must be available, i.e. when running in a
|
||||
changeroot the device files need to be present there.
|
||||
|
||||
2) /dev/random is a blocking interface - unless enough randomness is available,
|
||||
the process stops until the entropy pool is replenished. Thus on systems where
|
||||
a long running processes are expected, one should make sure there is always
|
||||
enough entropy for sshd. Sporadically this may also cause sshd to aborted,
|
||||
since some versions of OpenSSL (the underlying cryptographic engine) don't
|
||||
handle gracefully being interrupted while trying to read entropy from the
|
||||
system source.
|
||||
|
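Review bot: Several wording errors in the new README.FIPS should be fixed before it ships: "controlled bu the fips kernel parameter" (by), "the main purpose of FIPS having guaranteeing" (drop "having"), "a long running processes", and "cause sshd to aborted" (abort). The SSH_FORCE_FIPS item also says the variable takes effect when set "to any value", while SSH_USE_STRONG_RNG needs "a non-zero value"; state that difference explicitly so that nobody expects SSH_FORCE_FIPS=0 to switch FIPS mode off.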
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 48bbbfeff186061b7fd4795bff15f15f571e2c8f
|
||||
# Parent d11948586a6da11e968278f55b48318b2263802b
|
||||
# enable trusted X11 forwarding by default in both sshd and sshsystem-wide
|
||||
# configuration
|
||||
# bnc#50836 (was suse #35836)
|
||||
|
34
openssh-7.2p2-X_forward_with_disabled_ipv6.patch
Normal file
@ -0,0 +1,34 @@
|
||||
# HG changeset patch
|
||||
# Parent 3d4efb38a918055f977a08aa7d1486a04bee6e11
|
||||
Do not throw away already open sockets for X11 forwarding if another socket
|
||||
family is not available for bind()
|
||||
|
||||
diff --git a/openssh-7.2p2/channels.c b/openssh-7.2p2/channels.c
|
||||
--- a/openssh-7.2p2/channels.c
|
||||
+++ b/openssh-7.2p2/channels.c
|
||||
@@ -3937,22 +3937,24 @@ x11_create_display_inet(int x11_display_
|
||||
}
|
||||
if (ai->ai_family == AF_INET6)
|
||||
sock_set_v6only(sock);
|
||||
if (x11_use_localhost)
|
||||
channel_set_reuseaddr(sock);
|
||||
if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
|
||||
debug2("bind port %d: %.100s", port, strerror(errno));
|
||||
close(sock);
|
||||
-
|
||||
+ continue;
|
||||
+ /* do not remove successfully opened sockets
|
||||
for (n = 0; n < num_socks; n++) {
|
||||
close(socks[n]);
|
||||
}
|
||||
num_socks = 0;
|
||||
break;
|
||||
+ */
|
||||
}
|
||||
socks[num_socks++] = sock;
|
||||
if (num_socks == NUM_SOCKS)
|
||||
break;
|
||||
}
|
||||
freeaddrinfo(aitop);
|
||||
if (num_socks > 0)
|
||||
break;
|
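Review bot: The added "continue;" after close(sock) skips every bind() failure, not only the case the patch header names (another socket family not being available), so a display number is accepted as soon as one family binds ("if (num_socks > 0) break;") even when the other family's port failed with an error such as EADDRINUSE. Consider limiting the skip to errno values that mean the address family itself is unusable and keeping the close-all-and-try-the-next-display path for everything else. The old cleanup loop is also left behind as a commented-out block that can never run after "continue;"; delete those lines and put the explanation in an ordinary comment above the "continue;".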
56
openssh-7.2p2-additional_seccomp_archs.patch
Normal file
@ -0,0 +1,56 @@
|
||||
# HG changeset patch
|
||||
# Parent 27b9bd4a1a53a28b5e9eda0a9c013d98f821149b
|
||||
Enable the seccomp-bpf sandbox on more architectures
|
||||
|
||||
upstream commit: b9c50614eba9d90939b2b119b6e1b7e03b462278 (7.3p1)
|
||||
Author: Damien Miller <djm@mindrot.org>
|
||||
Date: Fri Jul 8 13:59:13 2016 +1000
|
||||
|
||||
whitelist more architectures for seccomp-bpf
|
||||
|
||||
bz#2590 - testing and patch from Jakub Jelen
|
||||
|
||||
diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
|
||||
--- a/openssh-7.2p2/configure.ac
|
||||
+++ b/openssh-7.2p2/configure.ac
|
||||
@@ -818,16 +818,40 @@ main() { if (NSVersionOfRunTimeLibrary("
|
||||
seccomp_audit_arch=AUDIT_ARCH_I386
|
||||
;;
|
||||
arm*-*)
|
||||
seccomp_audit_arch=AUDIT_ARCH_ARM
|
||||
;;
|
||||
aarch64*-*)
|
||||
seccomp_audit_arch=AUDIT_ARCH_AARCH64
|
||||
;;
|
||||
+ s390x-*)
|
||||
+ seccomp_audit_arch=AUDIT_ARCH_S390X
|
||||
+ ;;
|
||||
+ s390-*)
|
||||
+ seccomp_audit_arch=AUDIT_ARCH_S390
|
||||
+ ;;
|
||||
+ powerpc64-*)
|
||||
+ seccomp_audit_arch=AUDIT_ARCH_PPC64
|
||||
+ ;;
|
||||
+ powerpc64le-*)
|
||||
+ seccomp_audit_arch=AUDIT_ARCH_PPC64LE
|
||||
+ ;;
|
||||
+ mips-*)
|
||||
+ seccomp_audit_arch=AUDIT_ARCH_MIPS
|
||||
+ ;;
|
||||
+ mipsel-*)
|
||||
+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL
|
||||
+ ;;
|
||||
+ mips64-*)
|
||||
+ seccomp_audit_arch=AUDIT_ARCH_MIPS64
|
||||
+ ;;
|
||||
+ mips64el-*)
|
||||
+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
|
||||
+ ;;
|
||||
esac
|
||||
if test "x$seccomp_audit_arch" != "x" ; then
|
||||
AC_MSG_RESULT(["$seccomp_audit_arch"])
|
||||
AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
|
||||
[Specify the system call convention in use])
|
||||
else
|
||||
AC_MSG_RESULT([architecture not supported])
|
||||
fi
|
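Review bot: The new case arms choose seccomp_audit_arch from the host triplet alone and use exact prefixes (mips-*, mips64-*, powerpc64-*) where the existing arms use globs (arm*-*, aarch64*-*), so a triplet variant that does not match ends in the "architecture not supported" branch, which only prints a result, and every 64-bit MIPS triplet gets AUDIT_ARCH_MIPS64 whatever ABI the build targets. Please record in the patch header which of these targets were actually built and run with the sandbox enabled for this package, and consider making configure fail, or at least warn, when the seccomp sandbox was requested but no arm matched.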
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 2730f36bee0d6e141d8391b414a702e1add5a853
|
||||
# Parent ec31f6a59145c0db748855bd5bc178161591dae9
|
||||
Enable DSS authentication by default to maintain compatibility with older
|
||||
versions.
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 8cf6984812ab2211ce60c0a9156892b3a7ee3aaf
|
||||
# Parent aab6d99cb51e48a9046c3d7be8443b83b8ee5127
|
||||
Allow root login with password by default. While less secure than upstream
|
||||
default of forbidding access to the root account with a password, we are
|
||||
temporarily introducing this change to keep the default used in older OpenSSH
|
||||
|
3242
openssh-7.2p2-audit.patch
Normal file
File diff suppressed because it is too large
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 5469eb754184144e42c341ccc038309e2880cadc
|
||||
# Parent 0c50460ce313d041c2484d21ab810c8ee487cded
|
||||
block SIGALRM while logging through syslog to prevent deadlocks
|
||||
(through grace_alarm_handler())
|
||||
|
||||
|
64
openssh-7.2p2-disable-openssl-abi-check.patch
Normal file
@ -0,0 +1,64 @@
|
||||
# HG changeset patch
|
||||
# Parent 2d4a91c3c6c5b161f21511712889c2906fa158a4
|
||||
disable run-time check for OpenSSL ABI by version number as that is not a
|
||||
reliable indicator of ABI changes and doesn't make much sense in a
|
||||
distribution package
|
||||
|
||||
diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
|
||||
--- a/openssh-7.2p2/configure.ac
|
||||
+++ b/openssh-7.2p2/configure.ac
|
||||
@@ -4639,16 +4639,29 @@ AC_ARG_WITH([bsd-auth],
|
||||
if test "x$withval" != "xno" ; then
|
||||
AC_DEFINE([BSD_AUTH], [1],
|
||||
[Define if you have BSD auth support])
|
||||
BSD_AUTH_MSG=yes
|
||||
fi
|
||||
]
|
||||
)
|
||||
|
||||
+# Whether we are using distribution (Open)SSL, so no runtime checks are necessary
|
||||
+DISTRO_SSL=no
|
||||
+AC_ARG_WITH([distro-ssl],
|
||||
+ [ --with-distro-ssl Disable runtime OpenSSL version checks (good for distributions)],
|
||||
+ [
|
||||
+ if test "x$withval" != "xno" ; then
|
||||
+ AC_DEFINE([DISTRO_SSL], [1],
|
||||
+ [Define if you are using distribution SSL library and don;t expect its API/ABI to change])
|
||||
+ DISTRO_SSL=yes
|
||||
+ fi
|
||||
+ ]
|
||||
+)
|
||||
+
|
||||
# Where to place sshd.pid
|
||||
piddir=/var/run
|
||||
# make sure the directory exists
|
||||
if test ! -d $piddir ; then
|
||||
piddir=`eval echo ${sysconfdir}`
|
||||
case $piddir in
|
||||
NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
|
||||
esac
|
||||
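Review bot: The AC_DEFINE description in the new --with-distro-ssl block has a typo ("don;t" should be "don't"), and the shell variable DISTRO_SSL is set to yes or no but nothing in this hunk reports it, so the configure output gives no sign that the run-time OpenSSL check has been compiled out. Report the value with AC_MSG_RESULT or in the final configuration summary, and have the help string say that the option removes a start-up check instead of describing it only as "good for distributions".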
diff --git a/openssh-7.2p2/entropy.c b/openssh-7.2p2/entropy.c
|
||||
--- a/openssh-7.2p2/entropy.c
|
||||
+++ b/openssh-7.2p2/entropy.c
|
||||
@@ -209,19 +209,21 @@ rexec_recv_rng_seed(Buffer *m)
|
||||
#endif /* OPENSSL_PRNG_ONLY */
|
||||
|
||||
void
|
||||
seed_rng(void)
|
||||
{
|
||||
#ifndef OPENSSL_PRNG_ONLY
|
||||
unsigned char buf[RANDOM_SEED_SIZE];
|
||||
#endif
|
||||
+#ifndef DISTRO_SSL
|
||||
if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, SSLeay()))
|
||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
||||
+#endif
|
||||
|
||||
#ifndef OPENSSL_PRNG_ONLY
|
||||
if (RAND_status() == 1) {
|
||||
debug3("RNG is ready, skipping seeding");
|
||||
return;
|
||||
}
|
||||
|
||||
if (seed_from_prngd(buf, sizeof(buf)) == -1)
|
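Review bot: With DISTRO_SSL defined, seed_rng() no longer calls ssh_compatible_openssl() at all, so a mismatch between the headers used at build time and the library loaded at run time is neither refused nor recorded. Rather than removing the comparison, keep it and downgrade the fatal() to a debug or logit message under DISTRO_SSL, so that OPENSSL_VERSION_NUMBER and SSLeay() still reach the log when someone has to diagnose a failure after a library update.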
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent c40dce555117c740f3df867e9fc2b07b64b3ad96
|
||||
# Parent 69bdfde8282f9ab67c29e431a74916c045301ff5
|
||||
|
||||
Raise minimal size of DH group parameters to 2048 bits like upstream did in
|
||||
7.2. 1024b values are believed to be in breaking range for state adversaries
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 2aa634b7522f34ddbd380c96df4e750df0608604
|
||||
# Parent 93f67586b27e7f018c5b34e33f8156df772e980d
|
||||
# posix threads are generally not supported nor safe
|
||||
# (see upstream log from 2005-05-24)
|
||||
# --used to be called '-pam-fix3'
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent bbb49b3f344cf24e9bbd7eb7a7c40fea21be77eb
|
||||
# Parent 8e5876ee9478740b83887db9fc6e3b1605848534
|
||||
fix paths and references in sshd man pages
|
||||
|
||||
diff --git a/openssh-7.2p2/sshd.8 b/openssh-7.2p2/sshd.8
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 477d43e9a3889d36b58ff19cf3cb9583e1abf9ce
|
||||
# Parent a51f9cba48652fc5df45b9ac8bd238268c70673c
|
||||
# force PAM in defaullt install (this was removed from upstream in 3.8p1)
|
||||
# bnc#46749
|
||||
# --used to be called '-pam-fix2'
|
||||
|
@ -1,12 +1,12 @@
|
||||
# HG changeset patch
|
||||
# Parent 0dee2a3f80c2db73903388815fb4e311c8588a15
|
||||
# Parent 0c3e1f1c3b2ab533f9cb1c82fb75ff247a9c71b1
|
||||
FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
|
||||
algorithms.
|
||||
|
||||
diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
|
||||
--- a/openssh-7.2p2/Makefile.in
|
||||
+++ b/openssh-7.2p2/Makefile.in
|
||||
@@ -87,17 +87,17 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
@@ -87,17 +87,18 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
|
||||
ssh-pkcs11.o smult_curve25519_ref.o \
|
||||
poly1305.o chacha.o cipher-chachapoly.o \
|
||||
@ -16,7 +16,8 @@ diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
|
||||
kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
|
||||
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
|
||||
- platform-pledge.o
|
||||
+ platform-pledge.o fips.o
|
||||
+ platform-pledge.o \
|
||||
+ fips.o
|
||||
|
||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||
sshconnect.o sshconnect1.o sshconnect2.o mux.o
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent c2049622cf75dbab61a8f49b53a13dc1de6695fd
|
||||
# Parent 9240088fbf80624f62dc79bcf5f3113a1b6dddd8
|
||||
GSSAPI Key Exchange implementation
|
||||
|
||||
diff --git a/openssh-7.2p2/ChangeLog.gssapi b/openssh-7.2p2/ChangeLog.gssapi
|
||||
@ -136,14 +136,14 @@ diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
|
||||
- kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
|
||||
+ kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o kexgssc.o \
|
||||
+ kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o kexgsss.o \
|
||||
platform-pledge.o fips.o
|
||||
platform-pledge.o \
|
||||
fips.o
|
||||
|
||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||
sshconnect.o sshconnect1.o sshconnect2.o mux.o
|
||||
|
||||
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
|
||||
audit.o audit-bsm.o audit-linux.o platform.o \
|
||||
sshpty.o sshlogin.o servconf.o serverloop.o \
|
||||
diff --git a/openssh-7.2p2/auth-krb5.c b/openssh-7.2p2/auth-krb5.c
|
||||
--- a/openssh-7.2p2/auth-krb5.c
|
||||
+++ b/openssh-7.2p2/auth-krb5.c
|
||||
|
29
openssh-7.2p2-host_ident.patch
Normal file
@ -0,0 +1,29 @@
|
||||
# HG changeset patch
|
||||
# Parent fe2618b7337c0d97483dc98a6b53636c89f3d371
|
||||
Suggest command line for removal of offending keys from known_hosts file
|
||||
|
||||
diff --git a/openssh-7.2p2/sshconnect.c b/openssh-7.2p2/sshconnect.c
|
||||
--- a/openssh-7.2p2/sshconnect.c
|
||||
+++ b/openssh-7.2p2/sshconnect.c
|
||||
@@ -1086,16 +1086,21 @@ check_host_key(char *hostname, struct so
|
||||
ip_found->file, ip_found->line);
|
||||
}
|
||||
/* The host key has changed. */
|
||||
warn_changed_key(host_key);
|
||||
error("Add correct host key in %.100s to get rid of this message.",
|
||||
user_hostfiles[0]);
|
||||
error("Offending %s key in %s:%lu", key_type(host_found->key),
|
||||
host_found->file, host_found->line);
|
||||
+ error("You can use following command to remove all keys for this IP:");
|
||||
+ if (host_found->file)
|
||||
+ error("ssh-keygen -R %s -f %s", hostname, host_found->file);
|
||||
+ else
|
||||
+ error("ssh-keygen -R %s", hostname);
|
||||
|
||||
/*
|
||||
* If strict host key checking is in use, the user will have
|
||||
* to edit the key manually and we can only abort.
|
||||
*/
|
||||
if (options.strict_host_key_checking) {
|
||||
error("%s host key for %.200s has changed and you have "
|
||||
"requested strict checking.", type, host);
|
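Review bot: The new message says "remove all keys for this IP" but the suggested command is built from hostname, so the text and the argument disagree; say "for this host" or print the address instead. The "if (host_found->file)" test is also inconsistent with the unchanged error() just above it, which already passes host_found->file to a %s, so either the check is unnecessary or the earlier call needs one too. Users will paste the printed command into a shell, so quote both arguments in the format string, and fix the wording to "You can use the following command".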
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent b5245fb016a3b83611d4b4ae0c1fe3423cadd6fe
|
||||
# Parent 7e84e692f90c19e76a4180d54c7fdda2752c6c41
|
||||
# -- uset do be called '-xauthlocalhostname'
|
||||
handle hostname changes when forwarding X
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 2ee086fa64dd40d0d50b13fa3a784717bfdd7e4b
|
||||
# Parent 3007da75cc9c93ead70a4971b9057d230178511c
|
||||
# set uid for functions that use it to seek in lastlog and wtmp files
|
||||
# bnc#18024 (was suse #3024)
|
||||
|
||||
|
2838
openssh-7.2p2-ldap.patch
Normal file
File diff suppressed because it is too large
32
openssh-7.2p2-login_options.patch
Normal file
@ -0,0 +1,32 @@
|
||||
# HG changeset patch
|
||||
# Parent a2ec408c99eefdd4c23f01eafddb0ce786514f50
|
||||
# HG changeset patch
|
||||
# Parent b262fd34c8ecd55e93d457b3ca5593abce716856
|
||||
# login-pam cannot handle the option terminator "--" as login from util-linux
|
||||
# (this is correct behaviour considering its man-page), hence use option which
|
||||
# selects the compile-time branch in the code which doesn't use the terminator
|
||||
#
|
||||
# bnc#833605
|
||||
|
||||
diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
|
||||
--- a/openssh-7.2p2/configure.ac
|
||||
+++ b/openssh-7.2p2/configure.ac
|
||||
@@ -770,16 +770,18 @@ main() { if (NSVersionOfRunTimeLibrary("
|
||||
AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
|
||||
AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
|
||||
;;
|
||||
*-*-linux*)
|
||||
no_dev_ptmx=1
|
||||
use_pie=auto
|
||||
check_for_libcrypt_later=1
|
||||
check_for_openpty_ctty_bug=1
|
||||
+ AC_DEFINE([LOGIN_NO_ENDOPT], [1],
|
||||
+ [Define if your login program cannot handle end of options ("--")])
|
||||
AC_DEFINE([PAM_TTY_KLUDGE], [1],
|
||||
[Work around problematic Linux PAM modules handling of PAM_TTY])
|
||||
AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
|
||||
[String used in /etc/passwd to denote locked account])
|
||||
AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
|
||||
AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
|
||||
[Define to whatever link() returns for "not supported"
|
||||
if it doesn't return EOPNOTSUPP.])
|
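Review bot: LOGIN_NO_ENDOPT is defined unconditionally for every *-*-linux* target, although the header comment describes a limitation of one particular login implementation (login-pam, bnc#833605); make it a configure check or a --with/--enable switch so that builds against a login that accepts "--" keep the option terminator, which is what stops a following argument from being read as an option. The patch header also carries two "# HG changeset patch" / "# Parent" pairs, which looks like a rebase leftover and should be reduced to one.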
26
openssh-7.2p2-no_fork-no_pid_file.patch
Normal file
@ -0,0 +1,26 @@
|
||||
# HG changeset patch
|
||||
# Parent 09a93433f5bb8baff0dce629c75f96357e3b1055
|
||||
Do not write a PID file when not daemonizing (e.g. when running from systemd)
|
||||
|
||||
diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
|
||||
--- a/openssh-7.2p2/sshd.c
|
||||
+++ b/openssh-7.2p2/sshd.c
|
||||
@@ -2104,17 +2104,17 @@ main(int ac, char **av)
|
||||
signal(SIGCHLD, main_sigchld_handler);
|
||||
signal(SIGTERM, sigterm_handler);
|
||||
signal(SIGQUIT, sigterm_handler);
|
||||
|
||||
/*
|
||||
* Write out the pid file after the sigterm handler
|
||||
* is setup and the listen sockets are bound
|
||||
*/
|
||||
- if (options.pid_file != NULL && !debug_flag) {
|
||||
+ if (!no_daemon_flag && options.pid_file != NULL && !debug_flag) {
|
||||
FILE *f = fopen(options.pid_file, "w");
|
||||
|
||||
if (f == NULL) {
|
||||
error("Couldn't create pid file \"%s\": %s",
|
||||
options.pid_file, strerror(errno));
|
||||
} else {
|
||||
fprintf(f, "%ld\n", (long) getpid());
|
||||
fclose(f);
|
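Review bot: With "!no_daemon_flag" added to the condition, sshd -D ignores a configured PidFile without saying so, and the hunk updates neither the comment above the condition ("Write out the pid file after the sigterm handler is setup ...") nor any documentation. Add a debug message for the skipped case, mention the new condition in that comment, and update the PidFile description in the man pages, since a setup that runs sshd in the foreground under a supervisor other than systemd may still read that file.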
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 5b217a9abc32fa963a125ae29c766c015db53bde
|
||||
# Parent 2b2855c68e979299aee899a7cb6e4aa57a828668
|
||||
new option UsePAMCheckLocks to enforce checking for locked accounts while
|
||||
UsePAM is used
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 870f97b01b9ed00bac9ff0b8014a998434a6161b
|
||||
# Parent c08afc8b92580b589ea02d84cf3d29be257ec103
|
||||
# use same lines naming as utempter (prevents problems with using different
|
||||
# formats in ?tmp? files)
|
||||
# --used to be called '-pts'
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 07998e381c9867b8b6f7b9205261811934bef40f
|
||||
# Parent ff8f0a192e120430204441cdcd18ff130f85a61e
|
||||
# --used to be called '-xauth'
|
||||
try to remove xauth cookies on logout
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 3582dd949a01d8eca2816986ca4bc0c87c96bed3
|
||||
# Parent 80f5b9b81269880fbc12bcbc5830fe2044baf894
|
||||
add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread
|
||||
from being killed by the seccomp filter
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent d3afe6b01f8769713bde6c175e29a50412799e27
|
||||
# Parent f8357691112e6b15424f506f7ab6c417f5aa6f9e
|
||||
Allow the stat() syscall for OpenSSL re-seed patch
|
||||
(which causes OpenSSL use stat() on some file)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 36ab4b78afea8cea4e3bed1291a49ba05cbb9115
|
||||
# Parent ea1ef0bb63e77f14c91b2b417f1b8c3383b2835f
|
||||
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
|
||||
# bnc#703221, FATE#312172
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
# HG changeset patch
|
||||
# Parent 505927e61d1a7848f0003adb3619cc726b8e5d15
|
||||
# Parent 5bcf5f230ccaec7b9c9398cc6b4193574559861d
|
||||
send locales in default configuration
|
||||
bnc#65747
|
||||
|
||||
|
157
openssh-7.2p2-sftp_force_permissions.patch
Normal file
@ -0,0 +1,157 @@
|
||||
# HG changeset patch
|
||||
# Parent 7951ad8c720728b382cfaa32e3d7a549126a1496
|
||||
additional option for sftp-server to force file mode for new files
|
||||
FATE#312774
|
||||
http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.html
|
||||
http://marc.info/?l=openssh-unix-dev&m=128896838930893
|
||||
|
||||
diff --git a/openssh-7.2p2/sftp-server.8 b/openssh-7.2p2/sftp-server.8
|
||||
--- a/openssh-7.2p2/sftp-server.8
|
||||
+++ b/openssh-7.2p2/sftp-server.8
|
||||
@@ -33,16 +33,17 @@
|
||||
.Bk -words
|
||||
.Op Fl ehR
|
||||
.Op Fl d Ar start_directory
|
||||
.Op Fl f Ar log_facility
|
||||
.Op Fl l Ar log_level
|
||||
.Op Fl P Ar blacklisted_requests
|
||||
.Op Fl p Ar whitelisted_requests
|
||||
.Op Fl u Ar umask
|
||||
+.Op Fl m Ar force_file_permissions
|
||||
.Ek
|
||||
.Nm
|
||||
.Fl Q Ar protocol_feature
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
is a program that speaks the server side of SFTP protocol
|
||||
to stdout and expects client requests from stdin.
|
||||
.Nm
|
||||
@@ -133,16 +134,20 @@ Places this instance of
|
||||
into a read-only mode.
|
||||
Attempts to open files for writing, as well as other operations that change
|
||||
the state of the filesystem, will be denied.
|
||||
.It Fl u Ar umask
|
||||
Sets an explicit
|
||||
.Xr umask 2
|
||||
to be applied to newly-created files and directories, instead of the
|
||||
user's default mask.
|
||||
+.It Fl m Ar force_file_permissions
|
||||
+Sets explicit file permissions to be applied to newly-created files instead
|
||||
+of the default or client requested mode. Numeric values include:
|
||||
+777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set.
|
||||
.El
|
||||
.Pp
|
||||
On some systems,
|
||||
.Nm
|
||||
must be able to access
|
||||
.Pa /dev/log
|
||||
for logging to work, and use of
|
||||
.Nm
|
||||
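Review bot: The new -m description does not say that the value is parsed as octal, says nothing about newly created directories, and leaves "etc." undefined; replace the example list with the accepted range (octal 0 to 0777). "Option -u is ineffective if -m is set" also understates the effect, because the sftp-server.c change resets the process umask to 0 on open; document that if it is intended.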
diff --git a/openssh-7.2p2/sftp-server.c b/openssh-7.2p2/sftp-server.c
|
||||
--- a/openssh-7.2p2/sftp-server.c
|
||||
+++ b/openssh-7.2p2/sftp-server.c
|
||||
@@ -73,16 +73,20 @@ static u_int version;
|
||||
static int init_done;
|
||||
|
||||
/* Disable writes */
|
||||
static int readonly;
|
||||
|
||||
/* Requests that are allowed/denied */
|
||||
static char *request_whitelist, *request_blacklist;
|
||||
|
||||
+/* Force file permissions */
|
||||
+int permforce = 0;
|
||||
+long permforcemode;
|
||||
+
|
||||
/* portable attributes, etc. */
|
||||
typedef struct Stat Stat;
|
||||
|
||||
struct Stat {
|
||||
char *name;
|
||||
char *long_name;
|
||||
Attrib attrib;
|
||||
};
|
||||
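Review bot: permforce and permforcemode are declared as non-static globals directly below file-local static variables (readonly, request_whitelist, request_blacklist); make them static as well. permforcemode is also declared long although process_open assigns it straight to mode, so give it the type it is used as (int or mode_t) and convert once when the option is parsed.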
@@ -687,16 +691,20 @@ process_open(u_int32_t id)
|
||||
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
|
||||
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
|
||||
(r = decode_attrib(iqueue, &a)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
|
||||
debug3("request %u: open flags %d", id, pflags);
|
||||
flags = flags_from_portable(pflags);
|
||||
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
|
||||
+ if (permforce == 1) {
|
||||
+ mode = permforcemode;
|
||||
+ (void)umask(0); /* so umask does not interfere */
|
||||
+ }
|
||||
logit("open \"%s\" flags %s mode 0%o",
|
||||
name, string_from_portable(pflags), mode);
|
||||
if (readonly &&
|
||||
((flags & O_ACCMODE) == O_WRONLY ||
|
||||
(flags & O_ACCMODE) == O_RDWR)) {
|
||||
verbose("Refusing open request in read-only mode");
|
||||
status = SSH2_FX_PERMISSION_DENIED;
|
||||
} else {
|
||||
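Review bot: "(void)umask(0)" inside process_open changes the umask of the whole sftp-server process and is never restored, so after the first open request everything this process creates later is made with no umask applied, not only files opened with the forced mode. Apply the forced mode without touching the umask (for example fchmod() on the descriptor after a successful create), or save the previous value and restore it after the open. The override also runs for opens that create nothing, and these hunks change only process_open, so please check whether a client can simply change the mode afterwards through another request.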
@@ -1489,17 +1497,18 @@ sftp_server_cleanup_exit(int i)
|
||||
static void
|
||||
sftp_server_usage(void)
|
||||
{
|
||||
extern char *__progname;
|
||||
|
||||
fprintf(stderr,
|
||||
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
|
||||
"[-l log_level]\n\t[-P blacklisted_requests] "
|
||||
- "[-p whitelisted_requests] [-u umask]\n"
|
||||
+ "[-p whitelisted_requests] [-u umask]\n\t"
|
||||
+ "[-m force_file_permissions]\n"
|
||||
" %s -Q protocol_feature\n",
|
||||
__progname, __progname);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
int
|
||||
sftp_server_main(int argc, char **argv, struct passwd *user_pw)
|
||||
{
|
||||
@@ -1515,17 +1524,17 @@ sftp_server_main(int argc, char **argv,
|
||||
|
||||
ssh_malloc_init(); /* must be called before any mallocs */
|
||||
__progname = ssh_get_progname(argv[0]);
|
||||
log_init(__progname, log_level, log_facility, log_stderr);
|
||||
|
||||
pw = pwcopy(user_pw);
|
||||
|
||||
while (!skipargs && (ch = getopt(argc, argv,
|
||||
- "d:f:l:P:p:Q:u:cehR")) != -1) {
|
||||
+ "d:f:l:P:p:Q:u:m:cehR")) != -1) {
|
||||
switch (ch) {
|
||||
case 'Q':
|
||||
if (strcasecmp(optarg, "requests") != 0) {
|
||||
fprintf(stderr, "Invalid query type\n");
|
||||
exit(1);
|
||||
}
|
||||
for (i = 0; handlers[i].handler != NULL; i++)
|
||||
printf("%s\n", handlers[i].name);
|
||||
@@ -1575,16 +1584,23 @@ sftp_server_main(int argc, char **argv,
|
||||
case 'u':
|
||||
errno = 0;
|
||||
mask = strtol(optarg, &cp, 8);
|
||||
if (mask < 0 || mask > 0777 || *cp != '\0' ||
|
||||
cp == optarg || (mask == 0 && errno != 0))
|
||||
fatal("Invalid umask \"%s\"", optarg);
|
||||
(void)umask((mode_t)mask);
|
||||
break;
|
||||
+ case 'm':
|
||||
+ permforce = 1;
|
||||
+ permforcemode = strtol(optarg, &cp, 8);
|
||||
+ if (permforcemode < 0 || permforcemode > 0777 || *cp != '\0' ||
|
||||
+ cp == optarg || (permforcemode == 0 && errno != 0))
|
||||
+ fatal("Invalid umask \"%s\"", optarg);
|
||||
+ break;
|
||||
case 'h':
|
||||
default:
|
||||
sftp_server_usage();
|
||||
}
|
||||
}
|
||||
|
||||
log_init(__progname, log_level, log_facility, log_stderr);
|
||||
|
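Review bot: The new case 'm' copies the -u validation but drops the "errno = 0;" that precedes strtol() there, so the "(permforcemode == 0 && errno != 0)" test can see a stale errno, and the failure message still reads "Invalid umask"; reset errno first and change the text to name the -m option. Setting "permforce = 1" before the value has been validated is safe only because fatal() exits, so move the assignment after the check.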
366
openssh-7.2p2-sftp_homechroot.patch
Normal file
@ -0,0 +1,366 @@
|
||||
# HG changeset patch
|
||||
# Parent 2f269fe1cd176bc5ff833819e1b04f1d96f13144
|
||||
run sftp sessions inside a chroot
|
||||
|
||||
diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
|
||||
--- a/openssh-7.2p2/session.c
|
||||
+++ b/openssh-7.2p2/session.c
|
||||
@@ -123,16 +123,18 @@ int do_exec(Session *, const char *);
|
||||
void do_login(Session *, const char *);
|
||||
#ifdef LOGIN_NEEDS_UTMPX
|
||||
static void do_pre_login(Session *s);
|
||||
#endif
|
||||
void do_child(Session *, const char *);
|
||||
void do_motd(void);
|
||||
int check_quietlogin(Session *, const char *);
|
||||
|
||||
+int chroot_no_tree = 0;
|
||||
+
|
||||
static void do_authenticated1(Authctxt *);
|
||||
static void do_authenticated2(Authctxt *);
|
||||
|
||||
static int session_pty_req(Session *);
|
||||
|
||||
/* import */
|
||||
extern ServerOptions options;
|
||||
extern char *__progname;
|
||||
@@ -838,16 +840,21 @@ do_exec(Session *s, const char *command)
|
||||
"subsystem '%.900s'", s->subsys);
|
||||
} else if (command == NULL) {
|
||||
snprintf(session_type, sizeof(session_type), "shell");
|
||||
} else {
|
||||
/* NB. we don't log unforced commands to preserve privacy */
|
||||
snprintf(session_type, sizeof(session_type), "command");
|
||||
}
|
||||
|
||||
+ if ((s->is_subsystem != SUBSYSTEM_INT_SFTP) && chroot_no_tree) {
|
||||
+ logit("You aren't welcomed, go away!");
|
||||
+ exit (1);
|
||||
+ }
|
||||
+
|
||||
if (s->ttyfd != -1) {
|
||||
tty = s->tty;
|
||||
if (strncmp(tty, "/dev/", 5) == 0)
|
||||
tty += 5;
|
||||
}
|
||||
|
||||
verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
|
||||
session_type,
|
||||
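Review bot: The new rejection path in do_exec logs "You aren't welcomed, go away!" and calls "exit (1)", which tells an administrator reading the log nothing about who was refused or why. Log the user, the session type and the reason (a non-SFTP session requested while chroot_no_tree is set), and terminate with fatal(), as the rest of this patch does, instead of a bare exit().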
@@ -1492,58 +1499,123 @@ do_nologin(struct passwd *pw)
|
||||
while (fgets(buf, sizeof(buf), f))
|
||||
fputs(buf, stderr);
|
||||
fclose(f);
|
||||
}
|
||||
exit(254);
|
||||
}
|
||||
|
||||
/*
|
||||
+ * Test if filesystem is mounted nosuid and nodev
|
||||
+ */
|
||||
+
|
||||
+static void
|
||||
+test_nosuid (char * path, dev_t fs)
|
||||
+{
|
||||
+ FILE *f;
|
||||
+ struct stat st;
|
||||
+ char buf[4096], *s, *on, *mountpoint, *opt;
|
||||
+ int nodev, nosuid;
|
||||
+
|
||||
+ if (!(f = popen ("/bin/mount", "r")))
|
||||
+ fatal ("%s: popen(\"/bin/mount\", \"r\"): %s",
|
||||
+ __func__, strerror (errno));
|
||||
+ for (;;) {
|
||||
+ s = fgets (buf, sizeof (buf), f);
|
||||
+ if (ferror (f))
|
||||
+ fatal ("%s: read from popen: %s", __func__,
|
||||
+ strerror (errno));
|
||||
+ if (!s) {
|
||||
+ pclose (f);
|
||||
+ fatal ("cannot find filesystem with the chroot directory");
|
||||
+ }
|
||||
+ (void) strtok (buf, " ");
|
||||
+ on = strtok (NULL, " ");
|
||||
+ if (strcmp (on, "on")) {
|
||||
+ pclose (f);
|
||||
+ fatal ("bad format of mount output");
|
||||
+ }
|
||||
+ mountpoint = strtok (NULL, " ");
|
||||
+ if (memcmp (path, mountpoint, strlen (mountpoint)))
|
||||
+ continue;
|
||||
+ if (stat(mountpoint, &st) != 0) {
|
||||
+ pclose (f);
|
||||
+ fatal("%s: stat(\"%s\"): %s", __func__,
|
||||
+ mountpoint, strerror(errno));
|
||||
+ }
|
||||
+ if (fs != st.st_dev)
|
||||
+ continue;
|
||||
+ nodev = nosuid = 0;
|
||||
+ for (opt = strtok (NULL, "("); opt; opt = strtok (NULL, " ,)")) {
|
||||
+ if (!strcmp (opt, "nodev"))
|
||||
+ nodev = 1;
|
||||
+ else if (!strcmp (opt, "nosuid"))
|
||||
+ nosuid = 1;
|
||||
+ else if (!strcmp (opt, "noexec"))
|
||||
+ nosuid = 1;
|
||||
+ if (nodev && nosuid) {
|
||||
+ pclose (f);
|
||||
+ return;
|
||||
+ }
|
||||
+ }
|
||||
+ fatal ("chroot into directory without nodev and either noexec or nosuid");
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
* Chroot into a directory after checking it for safety: all path components
|
||||
* must be root-owned directories with strict permissions.
|
||||
*/
|
||||
static void
|
||||
safely_chroot(const char *path, uid_t uid)
|
||||
{
|
||||
const char *cp;
|
||||
char component[PATH_MAX];
|
||||
struct stat st;
|
||||
+ int last;
|
||||
|
||||
if (*path != '/')
|
||||
fatal("chroot path does not begin at root");
|
||||
if (strlen(path) >= sizeof(component))
|
||||
fatal("chroot path too long");
|
||||
|
||||
/*
|
||||
* Descend the path, checking that each component is a
|
||||
* root-owned directory with strict permissions.
|
||||
*/
|
||||
for (cp = path; cp != NULL;) {
|
||||
- if ((cp = strchr(cp, '/')) == NULL)
|
||||
+ if (last = ((cp = strchr(cp, '/')) == NULL))
|
||||
strlcpy(component, path, sizeof(component));
|
||||
else {
|
||||
cp++;
|
||||
memcpy(component, path, cp - path);
|
||||
component[cp - path] = '\0';
|
||||
}
|
||||
|
||||
debug3("%s: checking '%s'", __func__, component);
|
||||
|
||||
if (stat(component, &st) != 0)
|
||||
fatal("%s: stat(\"%s\"): %s", __func__,
|
||||
component, strerror(errno));
|
||||
- if (st.st_uid != 0 || (st.st_mode & 022) != 0)
|
||||
+ if ((st.st_uid != 0 || (st.st_mode & 022) != 0) && !(last && st.st_uid == uid))
|
||||
fatal("bad ownership or modes for chroot "
|
||||
"directory %s\"%s\"",
|
||||
cp == NULL ? "" : "component ", component);
|
||||
if (!S_ISDIR(st.st_mode))
|
||||
fatal("chroot path %s\"%s\" is not a directory",
|
||||
cp == NULL ? "" : "component ", component);
|
||||
|
||||
}
|
||||
+ setenv ("TZ", "/etc/localtime", 0);
|
||||
+ tzset();
|
||||
+
|
||||
+ if (st.st_uid) {
|
||||
+ test_nosuid(path, st.st_dev);
|
||||
+ ++chroot_no_tree;
|
||||
+ }
|
||||
|
||||
if (chdir(path) == -1)
|
||||
fatal("Unable to chdir to chroot path \"%s\": "
|
||||
"%s", path, strerror(errno));
|
||||
if (chroot(path) == -1)
|
||||
fatal("chroot(\"%s\"): %s", path, strerror(errno));
|
||||
if (chdir("/") == -1)
|
||||
fatal("%s: chdir(/) after chroot: %s",
|
||||
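Review bot: In test_nosuid() the strtok() results are used without a NULL check: `on = strtok (NULL, " ")` goes straight into strcmp() and `mountpoint` straight into strlen() and memcmp(), so a blank or short line from /bin/mount dereferences NULL instead of reaching the "bad format of mount output" fatal. Check both pointers before use, and replace `memcmp (path, mountpoint, strlen (mountpoint))` with strncmp(), because memcmp() may read past the end of path when the mount point is longer than the chroot path. Two further points in safely_chroot(): `if (last = (...))` is better written as a separate assignment so the intent is explicit, and the relaxed test `!(last && st.st_uid == uid)` bypasses the `(st.st_mode & 022)` check along with the ownership check, so a group- or world-writable user-owned chroot directory is accepted. If that is intended it deserves a comment, otherwise keep the mode test for the last component.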
diff --git a/openssh-7.2p2/sftp-chrootenv.h b/openssh-7.2p2/sftp-chrootenv.h
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/openssh-7.2p2/sftp-chrootenv.h
|
||||
@@ -0,0 +1,30 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2009 Jan F Chadima. All rights reserved.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+#ifndef CHROOTENV_H
|
||||
+#define CHROOTENV_H
|
||||
+
|
||||
+extern int chroot_no_tree;
|
||||
+
|
||||
+#endif
|
||||
+
|
||||
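Review bot: `extern int chroot_no_tree;` is the only declaration in this new header and it has no comment saying what the flag means or who sets it. A one-line description (incremented by safely_chroot() when the chroot directory is not root-owned, read by ls_file() to skip user and group name lookups) would make this global easier to follow, given that it is written in session.c and read in sftp-common.c.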
diff --git a/openssh-7.2p2/sftp-common.c b/openssh-7.2p2/sftp-common.c
|
||||
--- a/openssh-7.2p2/sftp-common.c
|
||||
+++ b/openssh-7.2p2/sftp-common.c
|
||||
@@ -43,16 +43,17 @@
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "ssherr.h"
|
||||
#include "sshbuf.h"
|
||||
#include "log.h"
|
||||
|
||||
#include "sftp.h"
|
||||
#include "sftp-common.h"
|
||||
+#include "sftp-chrootenv.h"
|
||||
|
||||
/* Clear contents of attributes structure */
|
||||
void
|
||||
attrib_clear(Attrib *a)
|
||||
{
|
||||
a->flags = 0;
|
||||
a->size = 0;
|
||||
a->uid = 0;
|
||||
@@ -216,23 +217,23 @@ ls_file(const char *name, const struct s
|
||||
int ulen, glen, sz = 0;
|
||||
struct tm *ltime = localtime(&st->st_mtime);
|
||||
char *user, *group;
|
||||
char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1];
|
||||
char sbuf[FMT_SCALED_STRSIZE];
|
||||
time_t now;
|
||||
|
||||
strmode(st->st_mode, mode);
|
||||
- if (!remote) {
|
||||
+ if (!remote && !chroot_no_tree) {
|
||||
user = user_from_uid(st->st_uid, 0);
|
||||
} else {
|
||||
snprintf(ubuf, sizeof ubuf, "%u", (u_int)st->st_uid);
|
||||
user = ubuf;
|
||||
}
|
||||
- if (!remote) {
|
||||
+ if (!remote && !chroot_no_tree) {
|
||||
group = group_from_gid(st->st_gid, 0);
|
||||
} else {
|
||||
snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid);
|
||||
group = gbuf;
|
||||
}
|
||||
if (ltime != NULL) {
|
||||
now = time(NULL);
|
||||
if (now - (365*24*60*60)/2 < st->st_mtime &&
|
||||
diff --git a/openssh-7.2p2/sftp-server-main.c b/openssh-7.2p2/sftp-server-main.c
|
||||
--- a/openssh-7.2p2/sftp-server-main.c
|
||||
+++ b/openssh-7.2p2/sftp-server-main.c
|
||||
@@ -17,22 +17,25 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <pwd.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
+//#include <time.h>
|
||||
|
||||
#include "log.h"
|
||||
#include "sftp.h"
|
||||
#include "misc.h"
|
||||
#include "xmalloc.h"
|
||||
|
||||
+int chroot_no_tree = 0;
|
||||
+
|
||||
void
|
||||
cleanup_exit(int i)
|
||||
{
|
||||
sftp_server_cleanup_exit(i);
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
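Review bot: The added `//#include <time.h>` is a commented-out include in C++ comment style and reads as debugging residue. Either include <time.h> because something in this file needs it, or drop the line from the patch.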
diff --git a/openssh-7.2p2/sftp.c b/openssh-7.2p2/sftp.c
|
||||
--- a/openssh-7.2p2/sftp.c
|
||||
+++ b/openssh-7.2p2/sftp.c
|
||||
@@ -112,16 +112,18 @@ struct complete_ctx {
|
||||
char **remote_pathp;
|
||||
};
|
||||
|
||||
int remote_glob(struct sftp_conn *, const char *, int,
|
||||
int (*)(const char *, int), glob_t *); /* proto for sftp-glob.c */
|
||||
|
||||
extern char *__progname;
|
||||
|
||||
+int chroot_no_tree = 0;
|
||||
+
|
||||
/* Separators for interactive commands */
|
||||
#define WHITESPACE " \t\r\n"
|
||||
|
||||
/* ls flags */
|
||||
#define LS_LONG_VIEW 0x0001 /* Full view ala ls -l */
|
||||
#define LS_SHORT_VIEW 0x0002 /* Single row view ala ls -1 */
|
||||
#define LS_NUMERIC_VIEW 0x0004 /* Long view with numeric uid/gid */
|
||||
#define LS_NAME_SORT 0x0008 /* Sort by name (default) */
|
||||
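Review bot: `int chroot_no_tree = 0;` is defined here a second time (the same definition is added to sftp-server-main.c), apparently only so that sftp-common.c links into the client, where nothing visible in this patch ever sets the flag. A single definition next to its reader in sftp-common.c would avoid the per-binary copies. Failing that, add a comment stating that the client copy always stays 0.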
diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0
|
||||
--- a/openssh-7.2p2/sshd_config.0
|
||||
+++ b/openssh-7.2p2/sshd_config.0
|
||||
@@ -251,16 +251,24 @@ DESCRIPTION
|
||||
directory on some operating systems (see sftp-server(8) for
|
||||
details).
|
||||
|
||||
For safety, it is very important that the directory hierarchy be
|
||||
prevented from modification by other processes on the system
|
||||
(especially those outside the jail). Misconfiguration can lead
|
||||
to unsafe environments which sshd(8) cannot detect.
|
||||
|
||||
+ In the special case when only sftp is used, not ssh nor scp, it
|
||||
+ is possible to use ChrootDirectory %h or ChrootDirectory
|
||||
+ /some/path/%u. The file system containing this directory must be
|
||||
+ mounted with options nodev and either nosuid or noexec. The owner
|
||||
+ of the directory should be the user. The ownership of the other
|
||||
+ components of the path must fulfill the usual conditions. No adi-
|
||||
+ tional files are required to be present in the directory.
|
||||
+
|
||||
The default is M-bM-^@M-^\noneM-bM-^@M-^], indicating not to chroot(2).
|
||||
|
||||
Ciphers
|
||||
Specifies the ciphers allowed. Multiple ciphers must be comma-
|
||||
separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character,
|
||||
then the specified ciphers will be appended to the default set
|
||||
instead of replacing them.
|
||||
|
||||
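Review bot: "The owner of the directory should be the user" in the added paragraph does not say what the code enforces: the check added to safely_chroot() accepts the last path component either under the usual root-owned rule or when `st.st_uid == uid`. State which is meant ("may be owned by the user" or "must be"), and say that the session is refused when the file system lacks nodev and either nosuid or noexec, since test_nosuid() calls fatal() in that case.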
diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
|
||||
--- a/openssh-7.2p2/sshd_config.5
|
||||
+++ b/openssh-7.2p2/sshd_config.5
|
||||
@@ -424,16 +424,27 @@ for details).
|
||||
.Pp
|
||||
For safety, it is very important that the directory hierarchy be
|
||||
prevented from modification by other processes on the system (especially
|
||||
those outside the jail).
|
||||
Misconfiguration can lead to unsafe environments which
|
||||
.Xr sshd 8
|
||||
cannot detect.
|
||||
.Pp
|
||||
+In the special case when only sftp is used, not ssh nor scp,
|
||||
+it is possible to use
|
||||
+.Cm ChrootDirectory
|
||||
+%h or
|
||||
+.Cm ChrootDirectory
|
||||
+/some/path/%u. The file system containing this directory must be
|
||||
+mounted with options nodev and either nosuid or noexec. The owner of the
|
||||
+directory should be the user. The ownership of the other components of the path
|
||||
+must fulfill the usual conditions. No aditional files are required to be present
|
||||
+in the directory.
|
||||
+.Pp
|
||||
The default is
|
||||
.Dq none ,
|
||||
indicating not to
|
||||
.Xr chroot 2 .
|
||||
.It Cm Ciphers
|
||||
Specifies the ciphers allowed.
|
||||
Multiple ciphers must be comma-separated.
|
||||
If the specified value begins with a
|
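Review bot: "aditional" in the added paragraph is a misspelling of "additional", and the formatted sshd_config.0 carries the same error as "adi-tional". Fix it here in the mdoc source and regenerate the .0 file rather than patching both by hand.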
@ -1,3 +1,28 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 29 23:27:49 UTC 2016 - pcerny@suse.com
|
||||
|
||||
- allow X forwarding over IPv4 when IPv6 sockets is not available
|
||||
[openssh-7.2p2-X_forward_with_disabled_ipv6.patch]
|
||||
- do not write PID file when not daemonizing
|
||||
[openssh-7.2p2-no_fork-no_pid_file.patch]
|
||||
- use correct options when invoking login
|
||||
[openssh-7.2p2-login_options.patch]
|
||||
- helper application for retrieving users' public keys from
|
||||
an LDAP server
|
||||
[openssh-7.2p2-ldap.patch]
|
||||
- allow forcing permissions over sftp
|
||||
[openssh-7.2p2-sftp_force_permissions.patch]
|
||||
- do not perform run-time checks for OpenSSL API/ABI change
|
||||
[openssh-7.2p2-disable-openssl-abi-check.patch]
|
||||
- suggest commands for cleaning known hosts file
|
||||
[openssh-7.2p2-host_ident.patch]
|
||||
- sftp home chroot patch
|
||||
[openssh-7.2p2-sftp_homechroot.patch]
|
||||
- ssh sessions auditing
|
||||
[openssh-7.2p2-audit.patch]
|
||||
- enable seccomp sandbox on additional architectures
|
||||
[openssh-7.2p2-additional_seccomp_archs.patch]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Sep 16 12:45:11 UTC 2016 - pcerny@suse.com
|
||||
|
||||
|
45
openssh.spec
@ -88,7 +88,10 @@ BuildRequires: pkgconfig(systemd)
|
||||
%{?systemd_requires}
|
||||
%endif
|
||||
BuildRequires: tcpd-devel
|
||||
PreReq: pwdutils %{insserv_prereq} %{fillup_prereq} coreutils
|
||||
PreReq: pwdutils %{fillup_prereq} coreutils
|
||||
%if ! %{uses_systemd}
|
||||
PreReq: %{insserv_prereq}
|
||||
%endif
|
||||
Version: 7.2p2
|
||||
Release: 0
|
||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||
@ -128,6 +131,16 @@ Patch15: openssh-7.2p2-seccomp_stat.patch
|
||||
Patch16: openssh-7.2p2-fips.patch
|
||||
Patch17: openssh-7.2p2-seed-prng.patch
|
||||
Patch18: openssh-7.2p2-gssapi_key_exchange.patch
|
||||
Patch19: openssh-7.2p2-audit.patch
|
||||
Patch20: openssh-7.2p2-login_options.patch
|
||||
Patch21: openssh-7.2p2-disable-openssl-abi-check.patch
|
||||
Patch22: openssh-7.2p2-no_fork-no_pid_file.patch
|
||||
Patch23: openssh-7.2p2-host_ident.patch
|
||||
Patch24: openssh-7.2p2-sftp_homechroot.patch
|
||||
Patch25: openssh-7.2p2-sftp_force_permissions.patch
|
||||
Patch26: openssh-7.2p2-X_forward_with_disabled_ipv6.patch
|
||||
Patch27: openssh-7.2p2-ldap.patch
|
||||
Patch28: openssh-7.2p2-additional_seccomp_archs.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
Conflicts: nonfreessh
|
||||
Recommends: audit
|
||||
@ -198,14 +211,24 @@ FIPS140 CAVS tests related parts of the OpenSSH package
|
||||
%patch16 -p2
|
||||
%patch17 -p2
|
||||
%patch18 -p2
|
||||
%patch19 -p2
|
||||
%patch20 -p2
|
||||
%patch21 -p2
|
||||
%patch22 -p2
|
||||
%patch23 -p2
|
||||
%patch24 -p2
|
||||
%patch25 -p2
|
||||
%patch26 -p2
|
||||
%patch27 -p2
|
||||
%patch28 -p2
|
||||
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
|
||||
|
||||
%build
|
||||
#### set libexec dir in the LDAP patch
|
||||
###sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
||||
### $( grep -Rl @LIBEXECDIR@ \
|
||||
### $( grep "^+++" %{PATCH40} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
||||
### )
|
||||
# set libexec dir in the LDAP patch
|
||||
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
||||
$( grep -Rl @LIBEXECDIR@ \
|
||||
$( grep "^+++" %{PATCH27} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
||||
)
|
||||
|
||||
autoreconf -fiv
|
||||
%ifarch s390 s390x %sparc
|
||||
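Review bot: The sed that substitutes @LIBEXECDIR@ locates the LDAP patch by number, `grep "^+++" %{PATCH27}`, so renumbering the Patch list silently points it at a different patch (the `###` copy of the same command in this hunk refers to %{PATCH40}). A comment next to `Patch27: openssh-7.2p2-ldap.patch` tying the two together, or a macro holding the LDAP patch number that both lines use, would keep them in sync.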
@ -271,7 +294,7 @@ install -d -m 755 %{buildroot}%{_initddir}
|
||||
%if %{uses_systemd}
|
||||
install -m 0755 %{SOURCE1} .
|
||||
install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
|
||||
ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcsshd
|
||||
ln -s /sbin/service %{buildroot}%{_sbindir}/rcsshd
|
||||
%else
|
||||
install -D -m 0755 %{SOURCE1} %{buildroot}%{_initddir}/sshd
|
||||
install -m 0644 %{SOURCE10} .
|
||||
@ -376,7 +399,7 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
|
||||
%attr(0755,root,root) %{_bindir}/*
|
||||
%attr(0755,root,root) %{_sbindir}/*
|
||||
%attr(0755,root,root) %dir %{_libexecdir}/ssh
|
||||
###%exclude %{_libexecdir}/ssh/ssh-ldap*
|
||||
%exclude %{_libexecdir}/ssh/ssh-ldap*
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/*
|
||||
%attr(0444,root,root) %doc %{_mandir}/man1/*
|
||||
%attr(0444,root,root) %doc %{_mandir}/man5/*
|
||||
@ -395,10 +418,10 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
|
||||
%files helpers
|
||||
%defattr(-,root,root)
|
||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||
###%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
|
||||
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
|
||||
%attr(0755,root,root) %dir %{_libexecdir}/ssh
|
||||
###%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
|
||||
###%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
|
||||
%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
|
||||
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
|
||||
|
||||
%files fips
|
||||
%defattr(-,root,root)
|
||||
|