forked from pool/openssh
08f9072513
- Update of the underlying OpenSSH to 6.5p1 - Update to 6.5p1 Features since 6.4p1: * ssh(1), sshd(8): support for key exchange using ECDH in Daniel Bernstein's Curve25519; default when both the client and server support it. * ssh(1), sshd(8): support for Ed25519 as a public key type fo rboth server and client. Ed25519 is an EC signature offering better security than ECDSA and DSA and good performance. * Add a new private key format that uses a bcrypt KDF to better protect keys at rest. Used unconditionally for Ed25519 keys, on demand for other key types via the -o ssh-keygen(1) option. Intended to become default in the near future. Details documented in PROTOCOL.key. * ssh(1), sshd(8): new transport cipher "chacha20-poly1305@openssh.com" combining Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Details documented PROTOCOL.chacha20poly1305. * ssh(1), sshd(8): refuse RSA keys from old proprietary clients and servers that use the obsolete RSA+MD5 signature scheme. It will still be possible to connect with these clients/servers but only DSA keys will be accepted, and OpenSSH will refuse connection entirely in a future release. * ssh(1), sshd(8): refuse old proprietary clients and servers that use a weaker key exchange hash calculation. * ssh(1): increase the size of the Diffie-Hellman groups requested for each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by OBS-URL: https://build.opensuse.org/request/show/222365 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=63
227 lines
7.4 KiB
Diff
227 lines
7.4 KiB
Diff
# new option UsePAMCheckLocks to enforce checking for locked accounts while
|
|
# UsePAM is used
|
|
# bnc#708678, FATE#312033
|
|
|
|
diff --git a/openssh-6.5p1/auth.c b/openssh-6.5p1/auth.c
|
|
--- a/openssh-6.5p1/auth.c
|
|
+++ b/openssh-6.5p1/auth.c
|
|
@@ -103,17 +103,17 @@ allowed_user(struct passwd * pw)
|
|
struct spwd *spw = NULL;
|
|
#endif
|
|
|
|
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
|
|
if (!pw || !pw->pw_name)
|
|
return 0;
|
|
|
|
#ifdef USE_SHADOW
|
|
- if (!options.use_pam)
|
|
+ if (!options.use_pam || options.use_pam_check_locks)
|
|
spw = getspnam(pw->pw_name);
|
|
#ifdef HAS_SHADOW_EXPIRE
|
|
if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
|
|
return 0;
|
|
#endif /* HAS_SHADOW_EXPIRE */
|
|
#endif /* USE_SHADOW */
|
|
|
|
/* grab passwd field for locked account check */
|
|
@@ -123,17 +123,17 @@ allowed_user(struct passwd * pw)
|
|
#ifdef USE_LIBIAF
|
|
passwd = get_iaf_password(pw);
|
|
#else
|
|
passwd = spw->sp_pwdp;
|
|
#endif /* USE_LIBIAF */
|
|
#endif
|
|
|
|
/* check for locked account */
|
|
- if (!options.use_pam && passwd && *passwd) {
|
|
+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
|
|
int locked = 0;
|
|
|
|
#ifdef LOCKED_PASSWD_STRING
|
|
if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
|
|
locked = 1;
|
|
#endif
|
|
#ifdef LOCKED_PASSWD_PREFIX
|
|
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
|
|
diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
|
|
--- a/openssh-6.5p1/servconf.c
|
|
+++ b/openssh-6.5p1/servconf.c
|
|
@@ -66,16 +66,17 @@ extern Buffer cfg;
|
|
|
|
void
|
|
initialize_server_options(ServerOptions *options)
|
|
{
|
|
memset(options, 0, sizeof(*options));
|
|
|
|
/* Portable-specific options */
|
|
options->use_pam = -1;
|
|
+ options->use_pam_check_locks = -1;
|
|
|
|
/* Standard Options */
|
|
options->num_ports = 0;
|
|
options->ports_from_cmdline = 0;
|
|
options->listen_addrs = NULL;
|
|
options->address_family = -1;
|
|
options->num_host_key_files = 0;
|
|
options->num_host_cert_files = 0;
|
|
@@ -158,16 +159,18 @@ initialize_server_options(ServerOptions
|
|
}
|
|
|
|
void
|
|
fill_default_server_options(ServerOptions *options)
|
|
{
|
|
/* Portable-specific options */
|
|
if (options->use_pam == -1)
|
|
options->use_pam = 0;
|
|
+ if (options->use_pam_check_locks == -1)
|
|
+ options->use_pam_check_locks = 0;
|
|
|
|
/* Standard Options */
|
|
if (options->protocol == SSH_PROTO_UNKNOWN)
|
|
options->protocol = SSH_PROTO_2;
|
|
if (options->num_host_key_files == 0) {
|
|
/* fill default hostkeys for protocols */
|
|
if (options->protocol & SSH_PROTO_1)
|
|
options->host_key_files[options->num_host_key_files++] =
|
|
@@ -320,17 +323,17 @@ fill_default_server_options(ServerOption
|
|
#endif
|
|
|
|
}
|
|
|
|
/* Keyword tokens. */
|
|
typedef enum {
|
|
sBadOption, /* == unknown option */
|
|
/* Portable-specific options */
|
|
- sUsePAM,
|
|
+ sUsePAM, sUsePAMChecklocks,
|
|
/* Standard Options */
|
|
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
|
|
sPermitRootLogin, sLogFacility, sLogLevel,
|
|
sRhostsRSAAuthentication, sRSAAuthentication,
|
|
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
|
sKerberosGetAFSToken,
|
|
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
|
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
|
@@ -365,18 +368,20 @@ typedef enum {
|
|
static struct {
|
|
const char *name;
|
|
ServerOpCodes opcode;
|
|
u_int flags;
|
|
} keywords[] = {
|
|
/* Portable-specific options */
|
|
#ifdef USE_PAM
|
|
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
|
|
+ { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
|
|
#else
|
|
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
|
|
+ { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
|
|
#endif
|
|
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
|
|
/* Standard Options */
|
|
{ "port", sPort, SSHCFG_GLOBAL },
|
|
{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
|
|
{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
|
|
{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
|
|
{ "pidfile", sPidFile, SSHCFG_GLOBAL },
|
|
@@ -878,16 +883,19 @@ process_server_config_line(ServerOptions
|
|
}
|
|
}
|
|
|
|
switch (opcode) {
|
|
/* Portable-specific options */
|
|
case sUsePAM:
|
|
intptr = &options->use_pam;
|
|
goto parse_flag;
|
|
+ case sUsePAMChecklocks:
|
|
+ intptr = &options->use_pam_check_locks;
|
|
+ goto parse_flag;
|
|
|
|
/* Standard Options */
|
|
case sBadOption:
|
|
return -1;
|
|
case sPort:
|
|
/* ignore ports from configfile if cmdline specifies ports */
|
|
if (options->ports_from_cmdline)
|
|
return 0;
|
|
diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
|
|
--- a/openssh-6.5p1/servconf.h
|
|
+++ b/openssh-6.5p1/servconf.h
|
|
@@ -162,16 +162,17 @@ typedef struct {
|
|
*/
|
|
|
|
u_int num_authkeys_files; /* Files containing public keys */
|
|
char *authorized_keys_files[MAX_AUTHKEYS_FILES];
|
|
|
|
char *adm_forced_command;
|
|
|
|
int use_pam; /* Enable auth via PAM */
|
|
+ int use_pam_check_locks; /* internally check for locked accounts even when using PAM */
|
|
|
|
int permit_tun;
|
|
|
|
int num_permitted_opens;
|
|
|
|
char *chroot_directory;
|
|
char *revoked_keys_file;
|
|
char *trusted_user_ca_keys;
|
|
diff --git a/openssh-6.5p1/sshd_config.0 b/openssh-6.5p1/sshd_config.0
|
|
--- a/openssh-6.5p1/sshd_config.0
|
|
+++ b/openssh-6.5p1/sshd_config.0
|
|
@@ -720,16 +720,24 @@ DESCRIPTION
|
|
|
|
Because PAM challenge-response authentication usually serves an
|
|
equivalent role to password authentication, you should disable
|
|
either PasswordAuthentication or ChallengeResponseAuthentication.
|
|
|
|
If UsePAM is enabled, you will not be able to run sshd(8) as a
|
|
non-root user. The default is ``no''.
|
|
|
|
+ UsePAMCheckLocks
|
|
+ When set to ``yes'', the checks whether the account has been
|
|
+ locked with `passwd -l' are performed even when PAM authentication
|
|
+ is enabled via UsePAM. This is to ensure that it is not possible
|
|
+ to log in with e.g. a public key (in such a case PAM is used only
|
|
+ to set up the session and some PAM modules will not check whether
|
|
+ the account is locked in this scenario). The default is ``no''.
|
|
+
|
|
UsePrivilegeSeparation
|
|
Specifies whether sshd(8) separates privileges by creating an
|
|
unprivileged child process to deal with incoming network traffic.
|
|
After successful authentication, another process will be created
|
|
that has the privilege of the authenticated user. The goal of
|
|
privilege separation is to prevent privilege escalation by
|
|
containing any corruption within the unprivileged processes. The
|
|
default is ``yes''. If UsePrivilegeSeparation is set to
|
|
diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
|
|
--- a/openssh-6.5p1/sshd_config.5
|
|
+++ b/openssh-6.5p1/sshd_config.5
|
|
@@ -1199,16 +1199,28 @@ or
|
|
.Pp
|
|
If
|
|
.Cm UsePAM
|
|
is enabled, you will not be able to run
|
|
.Xr sshd 8
|
|
as a non-root user.
|
|
The default is
|
|
.Dq no .
|
|
+.It Cm UsePAMCheckLocks
|
|
+When set to
|
|
+.Dq yes
|
|
+, the checks whether the account has been locked with
|
|
+.Pa passwd -l
|
|
+are performed even when PAM authentication is enabled via
|
|
+.Cm UsePAM .
|
|
+This is to ensure that it is not possible to log in with e.g. a
|
|
+public key (in such a case PAM is used only to set up the session and some PAM
|
|
+modules will not check whether the account is locked in this scenario). The
|
|
+default is
|
|
+.Dq no .
|
|
.It Cm UsePrivilegeSeparation
|
|
Specifies whether
|
|
.Xr sshd 8
|
|
separates privileges by creating an unprivileged child process
|
|
to deal with incoming network traffic.
|
|
After successful authentication, another process will be created that has
|
|
the privilege of the authenticated user.
|
|
The goal of privilege separation is to prevent privilege
|