forked from pool/openssh
efb05e6527
- Update of the underlying OpenSSH to 6.6p1
- update to 6.6p1
Security:
* sshd(8): when using environment passing with a sshd_config(5)
AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could
be tricked into accepting any enviornment variable that
contains the characters before the wildcard character.
Features since 6.5p1:
* ssh(1), sshd(8): removal of the J-PAKE authentication code,
which was experimental, never enabled and has been
unmaintained for some time.
* ssh(1): skip 'exec' clauses other clauses predicates failed
to match while processing Match blocks.
* ssh(1): if hostname canonicalisation is enabled and results
in the destination hostname being changed, then re-parse
ssh_config(5) files using the new destination hostname. This
gives 'Host' and 'Match' directives that use the expanded
hostname a chance to be applied.
Bugfixes:
* ssh(1): avoid spurious "getsockname failed: Bad file
descriptor" in ssh -W. bz#2200, debian#738692
* sshd(8): allow the shutdown(2) syscall in seccomp-bpf and
systrace sandbox modes, as it is reachable if the connection
is terminated during the pre-auth phase.
* ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1
bignum parsing. Minimum key length checks render this bug
unexploitable to compromise SSH 1 sessions.
* sshd_config(5): clarify behaviour of a keyword that appears
in multiple matching Match blocks. bz#2184
OBS-URL: https://build.opensuse.org/request/show/230097
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=76
227 lines
7.4 KiB
Diff
227 lines
7.4 KiB
Diff
# new option UsePAMCheckLocks to enforce checking for locked accounts while
|
|
# UsePAM is used
|
|
# bnc#708678, FATE#312033
|
|
|
|
diff --git a/openssh-6.6p1/auth.c b/openssh-6.6p1/auth.c
|
|
--- a/openssh-6.6p1/auth.c
|
|
+++ b/openssh-6.6p1/auth.c
|
|
@@ -103,17 +103,17 @@ allowed_user(struct passwd * pw)
|
|
struct spwd *spw = NULL;
|
|
#endif
|
|
|
|
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
|
|
if (!pw || !pw->pw_name)
|
|
return 0;
|
|
|
|
#ifdef USE_SHADOW
|
|
- if (!options.use_pam)
|
|
+ if (!options.use_pam || options.use_pam_check_locks)
|
|
spw = getspnam(pw->pw_name);
|
|
#ifdef HAS_SHADOW_EXPIRE
|
|
if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
|
|
return 0;
|
|
#endif /* HAS_SHADOW_EXPIRE */
|
|
#endif /* USE_SHADOW */
|
|
|
|
/* grab passwd field for locked account check */
|
|
@@ -123,17 +123,17 @@ allowed_user(struct passwd * pw)
|
|
#ifdef USE_LIBIAF
|
|
passwd = get_iaf_password(pw);
|
|
#else
|
|
passwd = spw->sp_pwdp;
|
|
#endif /* USE_LIBIAF */
|
|
#endif
|
|
|
|
/* check for locked account */
|
|
- if (!options.use_pam && passwd && *passwd) {
|
|
+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
|
|
int locked = 0;
|
|
|
|
#ifdef LOCKED_PASSWD_STRING
|
|
if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
|
|
locked = 1;
|
|
#endif
|
|
#ifdef LOCKED_PASSWD_PREFIX
|
|
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
|
|
diff --git a/openssh-6.6p1/servconf.c b/openssh-6.6p1/servconf.c
|
|
--- a/openssh-6.6p1/servconf.c
|
|
+++ b/openssh-6.6p1/servconf.c
|
|
@@ -66,16 +66,17 @@ extern Buffer cfg;
|
|
|
|
void
|
|
initialize_server_options(ServerOptions *options)
|
|
{
|
|
memset(options, 0, sizeof(*options));
|
|
|
|
/* Portable-specific options */
|
|
options->use_pam = -1;
|
|
+ options->use_pam_check_locks = -1;
|
|
|
|
/* Standard Options */
|
|
options->num_ports = 0;
|
|
options->ports_from_cmdline = 0;
|
|
options->listen_addrs = NULL;
|
|
options->address_family = -1;
|
|
options->num_host_key_files = 0;
|
|
options->num_host_cert_files = 0;
|
|
@@ -157,16 +158,18 @@ initialize_server_options(ServerOptions
|
|
}
|
|
|
|
void
|
|
fill_default_server_options(ServerOptions *options)
|
|
{
|
|
/* Portable-specific options */
|
|
if (options->use_pam == -1)
|
|
options->use_pam = 0;
|
|
+ if (options->use_pam_check_locks == -1)
|
|
+ options->use_pam_check_locks = 0;
|
|
|
|
/* Standard Options */
|
|
if (options->protocol == SSH_PROTO_UNKNOWN)
|
|
options->protocol = SSH_PROTO_2;
|
|
if (options->num_host_key_files == 0) {
|
|
/* fill default hostkeys for protocols */
|
|
if (options->protocol & SSH_PROTO_1)
|
|
options->host_key_files[options->num_host_key_files++] =
|
|
@@ -317,17 +320,17 @@ fill_default_server_options(ServerOption
|
|
#endif
|
|
|
|
}
|
|
|
|
/* Keyword tokens. */
|
|
typedef enum {
|
|
sBadOption, /* == unknown option */
|
|
/* Portable-specific options */
|
|
- sUsePAM,
|
|
+ sUsePAM, sUsePAMChecklocks,
|
|
/* Standard Options */
|
|
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
|
|
sPermitRootLogin, sLogFacility, sLogLevel,
|
|
sRhostsRSAAuthentication, sRSAAuthentication,
|
|
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
|
sKerberosGetAFSToken,
|
|
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
|
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
|
@@ -362,18 +365,20 @@ typedef enum {
|
|
static struct {
|
|
const char *name;
|
|
ServerOpCodes opcode;
|
|
u_int flags;
|
|
} keywords[] = {
|
|
/* Portable-specific options */
|
|
#ifdef USE_PAM
|
|
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
|
|
+ { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
|
|
#else
|
|
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
|
|
+ { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
|
|
#endif
|
|
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
|
|
/* Standard Options */
|
|
{ "port", sPort, SSHCFG_GLOBAL },
|
|
{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
|
|
{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
|
|
{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
|
|
{ "pidfile", sPidFile, SSHCFG_GLOBAL },
|
|
@@ -870,16 +875,19 @@ process_server_config_line(ServerOptions
|
|
}
|
|
}
|
|
|
|
switch (opcode) {
|
|
/* Portable-specific options */
|
|
case sUsePAM:
|
|
intptr = &options->use_pam;
|
|
goto parse_flag;
|
|
+ case sUsePAMChecklocks:
|
|
+ intptr = &options->use_pam_check_locks;
|
|
+ goto parse_flag;
|
|
|
|
/* Standard Options */
|
|
case sBadOption:
|
|
return -1;
|
|
case sPort:
|
|
/* ignore ports from configfile if cmdline specifies ports */
|
|
if (options->ports_from_cmdline)
|
|
return 0;
|
|
diff --git a/openssh-6.6p1/servconf.h b/openssh-6.6p1/servconf.h
|
|
--- a/openssh-6.6p1/servconf.h
|
|
+++ b/openssh-6.6p1/servconf.h
|
|
@@ -160,16 +160,17 @@ typedef struct {
|
|
*/
|
|
|
|
u_int num_authkeys_files; /* Files containing public keys */
|
|
char *authorized_keys_files[MAX_AUTHKEYS_FILES];
|
|
|
|
char *adm_forced_command;
|
|
|
|
int use_pam; /* Enable auth via PAM */
|
|
+ int use_pam_check_locks; /* internally check for locked accounts even when using PAM */
|
|
|
|
int permit_tun;
|
|
|
|
int num_permitted_opens;
|
|
|
|
char *chroot_directory;
|
|
char *revoked_keys_file;
|
|
char *trusted_user_ca_keys;
|
|
diff --git a/openssh-6.6p1/sshd_config.0 b/openssh-6.6p1/sshd_config.0
|
|
--- a/openssh-6.6p1/sshd_config.0
|
|
+++ b/openssh-6.6p1/sshd_config.0
|
|
@@ -728,16 +728,24 @@ DESCRIPTION
|
|
|
|
Because PAM challenge-response authentication usually serves an
|
|
equivalent role to password authentication, you should disable
|
|
either PasswordAuthentication or ChallengeResponseAuthentication.
|
|
|
|
If UsePAM is enabled, you will not be able to run sshd(8) as a
|
|
non-root user. The default is ``no''.
|
|
|
|
+ UsePAMCheckLocks
|
|
+ When set to ``yes'', the checks whether the account has been
|
|
+ locked with `passwd -l' are performed even when PAM authentication
|
|
+ is enabled via UsePAM. This is to ensure that it is not possible
|
|
+ to log in with e.g. a public key (in such a case PAM is used only
|
|
+ to set up the session and some PAM modules will not check whether
|
|
+ the account is locked in this scenario). The default is ``no''.
|
|
+
|
|
UsePrivilegeSeparation
|
|
Specifies whether sshd(8) separates privileges by creating an
|
|
unprivileged child process to deal with incoming network traffic.
|
|
After successful authentication, another process will be created
|
|
that has the privilege of the authenticated user. The goal of
|
|
privilege separation is to prevent privilege escalation by
|
|
containing any corruption within the unprivileged processes. The
|
|
default is ``yes''. If UsePrivilegeSeparation is set to
|
|
diff --git a/openssh-6.6p1/sshd_config.5 b/openssh-6.6p1/sshd_config.5
|
|
--- a/openssh-6.6p1/sshd_config.5
|
|
+++ b/openssh-6.6p1/sshd_config.5
|
|
@@ -1214,16 +1214,28 @@ or
|
|
.Pp
|
|
If
|
|
.Cm UsePAM
|
|
is enabled, you will not be able to run
|
|
.Xr sshd 8
|
|
as a non-root user.
|
|
The default is
|
|
.Dq no .
|
|
+.It Cm UsePAMCheckLocks
|
|
+When set to
|
|
+.Dq yes
|
|
+, the checks whether the account has been locked with
|
|
+.Pa passwd -l
|
|
+are performed even when PAM authentication is enabled via
|
|
+.Cm UsePAM .
|
|
+This is to ensure that it is not possible to log in with e.g. a
|
|
+public key (in such a case PAM is used only to set up the session and some PAM
|
|
+modules will not check whether the account is locked in this scenario). The
|
|
+default is
|
|
+.Dq no .
|
|
.It Cm UsePrivilegeSeparation
|
|
Specifies whether
|
|
.Xr sshd 8
|
|
separates privileges by creating an unprivileged child process
|
|
to deal with incoming network traffic.
|
|
After successful authentication, another process will be created that has
|
|
the privilege of the authenticated user.
|
|
The goal of privilege separation is to prevent privilege
|