Compare commits

...
Sign in to create a new pull request.

20 commits

Author SHA1 Message Date
Mattias Ellert
513f05f80f Based on openssh-7.4p1-23.el7_9 2023-08-11 22:57:54 +02:00
Mattias Ellert
91484c75c8 Based on openssh-7.4p1-22.el7_9 2021-11-24 17:40:33 +01:00
Frank Scheiner
ed68bed373 Add HPN patch 2020-10-23 20:10:23 +02:00
Mattias Ellert
9bb59e17ee Based on openssh-7.4p1-21.el7 2019-08-07 23:08:32 +02:00
Mattias Ellert
1d6d885889 Change GSSAPITrustDNS default to no 2019-05-28 16:42:24 +02:00
Mattias Ellert
5308f95f9c Remove usage statistics collection support 2019-02-27 13:05:37 +01:00
Mattias Ellert
57d77f9250 Based on openssh-7.4p1-16.el7 2018-04-10 17:14:06 +02:00
Mattias Ellert
16c223fac6 Based on openssh-7.4p1-13.el7_4 2017-11-13 12:40:23 +01:00
Mattias Ellert
e59e91f6ab Based on openssh-6.6.1p1-35.el7_3
Update GSI patch with more openssl 1.1.0 fixes from Globus
2017-07-31 11:37:50 +02:00
Mattias Ellert
53e3b2afc3 Based on openssh-6.6.1p1-33.el7_3 2017-02-24 14:10:14 +01:00
Mattias Ellert
2202381388 Adding mechanism OID negotiation with the introduction of micv2 OID 2016-12-15 16:41:25 +01:00
Mattias Ellert
6348beb8a1 Based on openssh 6.6.1p1-31.el7 2016-12-15 09:18:40 +01:00
Mattias Ellert
aa9e2ef9b3 Based on openssh-6.6.1p1-25.el7_2 2016-06-26 07:42:37 +02:00
Mattias Ellert
92bc715130 Based on openssh-6.6.1p1-23.el7_2 2016-01-19 22:49:53 +01:00
Mattias Ellert
95ab173057 Fix typos in gsisshd.service file 2015-08-05 11:53:02 +02:00
Mattias Ellert
72c0682d9d Based on openssh-6.6.1p1-12.el7_1 2015-07-05 15:16:49 +02:00
Mattias Ellert
50cfa4c143 Based on openssh-6.4p1-8.el7 2014-07-16 23:13:46 +02:00
Mattias Ellert
4ba46b6c82 Based on openssh-6.4p1-1.el7 2014-01-28 09:34:16 +01:00
Mattias Ellert
509f103f2d Based on openssh-6.2p2-7.fc19 2013-12-12 03:15:00 +01:00
Mattias Ellert
da751ef47d Based on openssh-6.2p2-6.fc19 2013-11-26 16:01:28 +01:00
94 changed files with 13373 additions and 7364 deletions

2
.gitignore vendored
View file

@ -1,2 +1,4 @@
/*.tar.bz2
/*.tar.gz
/*.tar.gz.asc
/DJM-GPG-KEY.gpg

View file

@ -28,10 +28,10 @@
# Do we want LDAP support
%global ldap 1
%global openssh_ver 6.4p1
%global openssh_rel 1
%global openssh_ver 7.4p1
%global openssh_rel 8
Summary: An implementation of the SSH protocol with GSI authentication
Summary: An implementation of the SSH protocol with GSI authentication and HPN features
Name: gsi-openssh
Version: %{openssh_ver}
Release: %{openssh_rel}%{?dist}
@ -49,96 +49,168 @@ Source13: gsisshd-keygen
Source99: README.sshd-and-gsisshd
#?
Patch100: openssh-6.3p1-coverity.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1872
Patch101: openssh-6.3p1-fingerprint.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1894
#https://bugzilla.redhat.com/show_bug.cgi?id=735889
Patch102: openssh-5.8p1-getaddrinfo.patch
Patch100: openssh-7.4p1-coverity.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1889
Patch103: openssh-5.8p1-packet.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch200: openssh-6.4p1-audit.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1171248
# record pfs= field in CRYPTO_SESSION audit event
Patch200: openssh-7.4p1-audit.patch
# Do not write to one socket from more processes (#1310684)
Patch202: openssh-6.6p1-audit-race-condition.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
Patch400: openssh-6.3p1-role-mls.patch
Patch400: openssh-7.4p1-role-mls.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=781634
Patch404: openssh-6.3p1-privsep-selinux.patch
Patch404: openssh-6.6p1-privsep-selinux.patch
#?-- unwanted child :(
Patch501: openssh-6.3p1-ldap.patch
Patch501: openssh-6.6p1-ldap.patch
#?
Patch502: openssh-6.3p1-keycat.patch
Patch502: openssh-6.6p1-keycat.patch
#http6://bugzilla.mindrot.org/show_bug.cgi?id=1644
Patch601: openssh-5.2p1-allow-ip-opts.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1701
Patch602: openssh-5.9p1-randclean.patch
#http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c.diff?r1=1.13&r2=1.13.12.1&f=h
Patch603: openssh-5.8p1-glob.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1644
Patch601: openssh-6.6p1-allow-ip-opts.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1893
Patch604: openssh-5.8p1-keyperm.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1329 (WONTFIX)
Patch605: openssh-5.8p2-remove-stale-control-socket.patch
Patch604: openssh-6.6p1-keyperm.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1925
Patch606: openssh-5.9p1-ipv6man.patch
#?
Patch607: openssh-5.8p2-sigpipe.patch
#?
Patch608: openssh-6.1p1-askpass-ld.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1789
Patch609: openssh-5.5p1-x11.patch
#?
Patch700: openssh-6.3p1-fips.patch
Patch700: openssh-7.4p1-fips.patch
#?
Patch701: openssh-5.6p1-exit-deadlock.patch
# drop? Patch701: openssh-5.6p1-exit-deadlock.patch
#?
Patch702: openssh-5.1p1-askpass-progress.patch
#?
Patch703: openssh-4.3p2-askpass-grab-info.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=205842
# drop? Patch704: openssh-5.9p1-edns.patch
#?
Patch704: openssh-5.9p1-edns.patch
#?
Patch705: openssh-5.1p1-scp-manpage.patch
#?
Patch706: openssh-5.8p1-localdomain.patch
Patch706: openssh-6.6.1p1-localdomain.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
Patch707: openssh-6.3p1-redhat.patch
Patch707: openssh-6.6p1-redhat.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
Patch708: openssh-6.2p1-entropy.patch
Patch708: openssh-6.6p1-entropy.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
Patch709: openssh-6.2p1-vendor.patch
# warn users for unsupported UsePAM=no (#757545)
Patch711: openssh-6.1p1-log-usepam-no.patch
Patch711: openssh-6.6p1-log-usepam-no.patch
# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
Patch712: openssh-6.3p1-ctr-evp-fast.patch
# add cavs test binary for the aes-ctr
Patch713: openssh-6.3p1-ctr-cavstest.patch
Patch713: openssh-7.4p1-ctr-cavstest.patch
# add SSH KDF CAVS test driver
Patch714: openssh-7.4p1-kdf-cavs.patch
#http://www.sxw.org.uk/computing/patches/openssh.html
#changed cache storage type - #848228
Patch800: openssh-6.3p1-gsskex.patch
Patch800: openssh-7.4p1-gsskex.patch
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
Patch801: openssh-6.3p1-force_krb.patch
Patch801: openssh-6.6p1-force_krb.patch
# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
# CVE-2014-9278
Patch802: openssh-6.6p1-GSSAPIEnablek5users.patch
# Respect k5login_directory option in krk5.conf (#1328243)
Patch803: openssh-6.6p1-k5login_directory.patch
Patch900: openssh-6.1p1-gssapi-canohost.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
Patch901: openssh-6.3p1-kuserok.patch
Patch901: openssh-7.4p1-kuserok.patch
# use default_ccache_name from /etc/krb5.conf (#991186)
Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch
# increase the size of the Diffie-Hellman groups (#1010607)
Patch903: openssh-6.3p1-increase-size-of-DF-groups.patch
# Change GSSAPIStrictAcceptor to yes as it ever was (#1488982)
Patch903: openssh-7.4p1-gss-strict-acceptor.patch
# Run ssh-copy-id in the legacy mode when SSH_COPY_ID_LEGACY variable is set (#969375
Patch905: openssh-7.4p1-legacy-ssh-copy-id.patch
# Use tty allocation for a remote scp (#985650)
Patch906: openssh-6.4p1-fromto-remote.patch
# log when a client requests an interactive session and only sftp is allowed (#1130198)
Patch914: openssh-6.6.1p1-log-sftp-only-connections.patch
# log via monitor in chroots without /dev/log (#1083482)
Patch918: openssh-7.4p1-log-in-chroot.patch
# MLS labeling according to chosen sensitivity (#1202843)
Patch919: openssh-6.6.1p1-mls-fix-labeling.patch
# sshd test mode show all config values (#1187597)
Patch920: openssh-6.6p1-test-mode-all-values.patch
# Add sftp option to force mode of created files (#1191055)
Patch921: openssh-6.6p1-sftp-force-permission.patch
# fix memory problem (#1223218)
Patch924: openssh-6.6p1-memory-problems.patch
# Enhance AllowGroups documentation in man page (#1150007)
Patch925: openssh-6.6p1-allowGroups-documentation.patch
# provide option GssKexAlgorithms to disable vulnerable groun1 kex
Patch928: openssh-7.4p1-gssKexAlgorithms.patch
# make s390 use /dev/ crypto devices -- ignore closefrom (#1318760)
Patch935: openssh-6.6p1-s390-closefrom.patch
# expose more information to PAM (#1312304)
Patch938: openssh-7.4p1-expose-pam.patch
# Move MAX_DISPLAYS to a configuration option (#1341302)
Patch939: openssh-6.6p1-x11-max-displays.patch
# Add systemd stuff so it can track running service (#1381997)
Patch942: openssh-6.6p1-systemd.patch
# Permit root login to preserve backward compatibility
Patch943: openssh-7.4p1-permit-root-login.patch
# Restore TCP wrappers support
Patch944: openssh-7.4p1-debian-restore-tcp-wrappers.patch
# Set sane whitelist for PKCS#11 modules in ssh-agent
Patch945: openssh-7.4p1-pkcs11-whitelist.patch
# Allow legacy algorithms and formats for key exchange after rebase
Patch946: openssh-7.4p1-legacy-algorithms.patch
# Show more fingerprints
Patch947: openssh-7.4p1-show-more-fingerprints.patch
# Fix newline in the end of server ident banner (upstream 5b9070)
Patch948: openssh-7.4p1-newline-banner.patch
# Do not utilize SHA1 by default for digital signatures (#1322911)
Patch949: openssh-7.4p1-sha2-signatures.patch
# Canonize pkcs11 provider path when removing smartcard (#2682)
Patch950: openssh-7.4p1-canonize-pkcs11-provider.patch
# Do not segfault sshd if it loads RSA1 keys (#2686)
Patch951: openssh-7.4p1-rsa1-segfault.patch
# OpenSSH 7.5 fixes CBC cipher weakness
Patch952: openssh-7.4p1-cbc-weakness.patch
# sandbox-seccomp filter is not denying socketcall() on ppc64le (#1443916)
Patch953: openssh-7.4p1-sandbox-ppc64le.patch
# ControlPath too long should not be fatal (#1447561)
Patch954: openssh-7.4p1-ControlPath_too_long.patch
# sandbox-seccomp for ibmca engine from upstream (#1451809)
Patch955: openssh-7.4p1-sandbox-ibmca.patch
# Back to UseDNS=yes by default (#1478175)
Patch956: openssh-7.4p1-usedns-yes.patch
# Clatch between ClientAlive timeouts and rekeying (#1480510)
Patch957: openssh-7.4p1-rekeying-timeouts.patch
# WinSCP 5.10+ compatibility (#1496808)
Patch958: openssh-7.4p1-winscp-compat.patch
# SSH AuthorizedKeysCommand hangs when output is too large (#1496467)
Patch959: openssh-7.4p1-authorized_keys_command.patch
# Fix for CVE-2017-15906 (#1517226)
Patch960: openssh-7.5p1-sftp-empty-files.patch
# Fix for CVE-2018-15473 (#1619079)
Patch961: openssh-7.4p1-CVE-2018-15473.patch
# invalidate supplemental group cache used by temporarily_use_uid() (#1619079)
Patch962: openssh-7.4p1-uidswap.patch
# CVE-2021-41617
Patch978: openssh-8.7p1-upstream-cve-2021-41617.patch
# upsream commit
# b23fe83f06ee7e721033769cfa03ae840476d280
Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
# This is the patch that adds GSI support
# Based on http://grid.ncsa.illinois.edu/ssh/dl/patch/openssh-6.4p1.patch
Patch98: openssh-6.4p1-gsissh.patch
# Based on http://grid.ncsa.illinois.edu/ssh/dl/patch/openssh-6.6p1.patch
Patch98: openssh-7.4p1-gsissh.patch
# This is the HPN patch
# Based on https://sourceforge.net/projects/hpnssh/files/Patches/HPN-SSH%2014v13%207.4p1/openssh-7_4_P1-hpn-14.13.diff/download
Patch99: openssh-7.4p1-hpn-14.13-modified.patch
License: BSD
Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: /sbin/nologin
Obsoletes: %{name}-clients-fips, %{name}-server-fips
%if %{ldap}
BuildRequires: openldap-devel
@ -150,6 +222,7 @@ BuildRequires: pam-devel
BuildRequires: tcp_wrappers-devel
BuildRequires: fipscheck-devel >= 1.3.0
BuildRequires: openssl-devel >= 0.9.8j
BuildRequires: systemd-devel
%if %{kerberos5}
BuildRequires: krb5-devel
@ -157,9 +230,8 @@ BuildRequires: krb5-devel
%if %{gsi}
BuildRequires: globus-gss-assist-devel >= 8
BuildRequires: globus-gssapi-gsi >= 10
BuildRequires: globus-common >= 14
BuildRequires: globus-usage-devel >= 3
BuildRequires: globus-gssapi-gsi-devel >= 12.12
BuildRequires: globus-common-devel >= 14
%endif
%if %{libedit}
@ -167,6 +239,7 @@ BuildRequires: libedit-devel ncurses-devel
%endif
%if %{WITH_SELINUX}
Conflicts: selinux-policy < 3.13.1-92
Requires: libselinux >= 1.27.7
BuildRequires: libselinux-devel >= 1.27.7
Requires: audit-libs >= 1.0.8
@ -230,13 +303,8 @@ This version of OpenSSH has been modified to support GSI authentication.
%prep
%setup -q -n openssh-%{version}
%patch100 -p1 -b .coverity
%patch101 -p1 -b .fingerprint
%patch102 -p1 -b .getaddrinfo
%patch103 -p1 -b .packet
%patch200 -p1 -b .audit
%if %{WITH_SELINUX}
%patch400 -p1 -b .role-mls
%patch404 -p1 -b .privsep-selinux
@ -248,21 +316,16 @@ This version of OpenSSH has been modified to support GSI authentication.
%patch502 -p1 -b .keycat
%patch601 -p1 -b .ip-opts
%patch602 -p1 -b .randclean
%patch603 -p1 -b .glob
%patch604 -p1 -b .keyperm
%patch605 -p1 -b .remove_stale
%patch606 -p1 -b .ipv6man
%patch607 -p1 -b .sigpipe
%patch608 -p1 -b .askpass-ld
%patch609 -p1 -b .x11
%patch700 -p1 -b .fips
%patch701 -p1 -b .exit-deadlock
# drop? %patch701 -p1 -b .exit-deadlock
%patch702 -p1 -b .progress
%patch703 -p1 -b .grab-info
%patch704 -p1 -b .edns
%patch705 -p1 -b .manpage
# investigate - https://bugzilla.redhat.com/show_bug.cgi?id=205842
# probably not needed anymore %patch704 -p1 -b .edns
%patch706 -p1 -b .localdomain
%patch707 -p1 -b .redhat
%patch708 -p1 -b .entropy
@ -270,6 +333,7 @@ This version of OpenSSH has been modified to support GSI authentication.
%patch711 -p1 -b .log-usepam-no
%patch712 -p1 -b .evp-ctr
%patch713 -p1 -b .ctr-cavs
%patch714 -p1 -b .kdf-cavs
%patch800 -p1 -b .gsskex
%patch801 -p1 -b .force_krb
@ -277,9 +341,55 @@ This version of OpenSSH has been modified to support GSI authentication.
%patch900 -p1 -b .canohost
%patch901 -p1 -b .kuserok
%patch902 -p1 -b .ccache_name
%patch903 -p1 -b .dh
%patch903 -p1 -b .gss-strict
%patch905 -p1 -b .legacy-ssh-copy-id
%patch906 -p1 -b .fromto-remote
%patch914 -p1 -b .log-sftp-only
%patch918 -p1 -b .log-in-chroot
%patch919 -p1 -b .mls-labels
%patch802 -p1 -b .GSSAPIEnablek5users
%patch803 -p1 -b .k5login
%patch920 -p1 -b .sshd-t
%patch921 -p1 -b .sftp-force-mode
%patch924 -p1 -b .memory-problems
%patch925 -p1 -b .allowGroups
%patch928 -p1 -b .gsskexalg
%patch935 -p1 -b .s390
%patch938 -p1 -b .expose-pam
%patch939 -p1 -b .x11max
%patch942 -p1 -b .patch
%patch943 -p1 -b .permit-root
%patch944 -p1 -b .tcp_wrappers
%patch945 -p1 -b .pkcs11-whitelist
%patch946 -p1 -b .legacy
%patch947 -p1 -b .fingerprint
%patch948 -p1 -b .newline-banner
%patch949 -p1 -b .sha2
%patch950 -p1 -b .smartcard
%patch951 -p1 -b .rsa1
%patch952 -p1 -b .cbc
%patch953 -p1 -b .seccomp
%patch954 -p1 -b .ControlPath
%patch955 -p1 -b .ibmca
%patch956 -p1 -b .usedns
%patch957 -p1 -b .rekey-timeout
%patch958 -p1 -b .winscp
%patch959 -p1 -b .large-command
%patch960 -p1 -b .sftp-empty
%patch961 -p1 -b .CVE-2018-15473
%patch962 -p1 -b .uidswap
%patch978 -p1 -b .cve-2021-41617
%patch200 -p1 -b .audit
%patch202 -p1 -b .audit-race
%patch700 -p1 -b .fips
%patch100 -p1 -b .coverity
%patch1015 -p1 -b .cve-2023-38408
%patch98 -p1 -b .gsi
%patch99 -p1 -b .hpn
sed 's/sshd.pid/gsisshd.pid/' -i pathnames.h
sed 's!$(piddir)/sshd.pid!$(piddir)/gsisshd.pid!' -i Makefile.in
@ -325,20 +435,21 @@ fi
--with-tcp-wrappers \
--with-default-path=/usr/local/bin:/usr/bin \
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
--with-privsep-path=%{_var}/empty/gsisshd \
--enable-vendor-patchlevel="FC-%{version}-%{release}" \
--with-privsep-path=%{_var}/empty/sshd \
--enable-vendor-patchlevel="RHEL7-%{openssh_ver}-%{openssh_rel}" \
--disable-strip \
--without-zlib-version-check \
--with-ssl-engine \
--with-ipaddr-display \
--with-systemd \
--with-ssh1 \
%if %{ldap}
--with-ldap \
%endif
--with-pam \
%if %{WITH_SELINUX}
--with-selinux --with-audit=linux \
%if 0
#seccomp_filter cannot be build right now
%ifnarch ppc
--with-sandbox=seccomp_filter \
%else
--with-sandbox=rlimit \
@ -364,10 +475,10 @@ make SSH_PROGRAM=%{_bindir}/gsissh \
ASKPASS_PROGRAM=%{_libexecdir}/openssh/ssh-askpass
# Add generation of HMAC checksums of the final stripped binaries
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
%global __spec_install_post \
%%{?__debug_package:%%{__debug_install_post}} \
%%{__arch_install_post} \
%%{__os_install_post} \
fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/gsissh $RPM_BUILD_ROOT%{_sbindir}/gsisshd \
%{nil}
@ -375,7 +486,7 @@ make SSH_PROGRAM=%{_bindir}/gsissh \
rm -rf $RPM_BUILD_ROOT
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/gsissh
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/gsissh
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/gsisshd
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
make install DESTDIR=$RPM_BUILD_ROOT
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/gsissh/ldap.conf
@ -395,6 +506,9 @@ install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/gsisshd-keygen.service
rm $RPM_BUILD_ROOT%{_bindir}/ssh-add
rm $RPM_BUILD_ROOT%{_bindir}/ssh-agent
rm $RPM_BUILD_ROOT%{_bindir}/ssh-keyscan
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ctr-cavstest
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ssh-cavs
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ssh-cavs_driver.pl
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ssh-ldap-helper
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ssh-ldap-wrapper
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ssh-keycat
@ -435,26 +549,19 @@ getent passwd sshd >/dev/null || \
%systemd_preun gsisshd.service gsisshd.socket
%postun server
%systemd_postun_with_restart gsisshd.service gsisshd.socket
%triggerun server -- gsi-openssh-server < 5.8p2-1
/usr/bin/systemd-sysv-convert --save gsisshd >/dev/null 2>&1 || :
/sbin/chkconfig --del gsisshd >/dev/null 2>&1 || :
/bin/systemctl try-restart gsisshd.service >/dev/null 2>&1 || :
%triggerun server -- gsi-openssh-server < 5.9p1-6
/bin/systemctl --no-reload disable gsisshd-keygen.service >/dev/null 2>&1 || :
%systemd_postun_with_restart gsisshd.service
%files
%defattr(-,root,root)
%doc CREDITS ChangeLog INSTALL LICENCE LICENSE.globus_usage OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns README.sshd-and-gsisshd TODO
%{!?_licensedir:%global license %%doc}
%license LICENCE
%doc CREDITS ChangeLog INSTALL OVERVIEW PROTOCOL* README HPN-README README.platform README.privsep README.tun README.dns README.sshd-and-gsisshd TODO
%attr(0755,root,root) %dir %{_sysconfdir}/gsissh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/gsissh/moduli
%attr(0755,root,root) %{_bindir}/gsissh-keygen
%attr(0644,root,root) %{_mandir}/man1/gsissh-keygen.1*
%attr(0755,root,root) %dir %{_libexecdir}/gsissh
%attr(2755,root,ssh_keys) %{_libexecdir}/gsissh/ssh-keysign
%attr(0755,root,root) %{_libexecdir}/gsissh/ctr-cavstest
%attr(0644,root,root) %{_mandir}/man8/gsissh-keysign.8*
%files clients
@ -473,7 +580,7 @@ getent passwd sshd >/dev/null || \
%files server
%defattr(-,root,root)
%dir %attr(0711,root,root) %{_var}/empty/gsisshd
%dir %attr(0711,root,root) %{_var}/empty/sshd
%attr(0755,root,root) %{_sbindir}/gsisshd
%attr(0755,root,root) %{_sbindir}/gsisshd-keygen
%attr(0644,root,root) %{_libdir}/fipscheck/gsisshd.hmac
@ -491,17 +598,66 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_unitdir}/gsisshd-keygen.service
%changelog
* Tue Nov 26 2013 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.4p1-1
- Based on openssh-6.4p1-2.fc20
* Wed Aug 09 2023 Mattias Ellert <mattias.ellert@physics.uu.se> - 7.4p1-8
- Based on openssh-7.4p1-23.el7_9
* Mon Oct 21 2013 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.3p1-2
- Add obsoletes for -fips packages
* Wed Nov 24 2021 Mattias Ellert <mattias.ellert@physics.uu.se> - 7.4p1-7
- Based on openssh-7.4p1-22.el7_9
* Tue Oct 15 2013 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.3p1-1
- Based on openssh-6.3p1-1.fc20
* Fri Oct 23 2020 Frank Scheiner <scheiner@hlrs.de> - 7.4p1-6
- Add HPN patch
* Wed Oct 02 2013 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.2p2-3
- Based on openssh-6.2p2-8.fc20
* Wed Aug 07 2019 Mattias Ellert <mattias.ellert@physics.uu.se> - 7.4p1-5
- Based on openssh-7.4p1-21.el7
* Tue May 28 2019 Mattias Ellert <mattias.ellert@physics.uu.se> - 7.4p1-4
- Change GSSAPITrustDNS default to no
* Wed Feb 27 2019 Mattias Ellert <mattias.ellert@physics.uu.se> - 7.4p1-3
- Remove usage statistics collection support
* Tue Apr 10 2018 Mattias Ellert <mattias.ellert@physics.uu.se> - 7.4p1-2
- Based on openssh-7.4p1-16.el7
* Sun Nov 12 2017 Mattias Ellert <mattias.ellert@physics.uu.se> - 7.4p1-1
- Based on openssh-7.4p1-13.el7_4
* Mon Jul 31 2017 Mattias Ellert <mattias.ellert@physics.uu.se> - 6.6.1p1-8
- Based on openssh-6.6.1p1-35.el7_3
- Update GSI patch with more openssl 1.1.0 fixes from Globus
* Fri Feb 24 2017 Mattias Ellert <mattias.ellert@physics.uu.se> - 6.6.1p1-7
- Based on openssh-6.6.1p1-33.el7_3
* Thu Dec 15 2016 Mattias Ellert <mattias.ellert@physics.uu.se> - 6.6.1p1-6
- Adding mechanism OID negotiation with the introduction of micv2 OID
* Wed Dec 14 2016 Mattias Ellert <mattias.ellert@physics.uu.se> - 6.6.1p1-5
- Based on openssh 6.6.1p1-31.el7
* Sun Jun 26 2016 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.6.1p1-4
- Based on openssh-6.6.1p1-25.el7_2
* Tue Jan 19 2016 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.6.1p1-3
- Based on openssh-6.6.1p1-23.el7_2
* Wed Aug 05 2015 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.6.1p1-2
- Fix typos in gsisshd.service file
* Sun Jul 05 2015 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.6.1p1-1
- Based on openssh-6.6.1p1-12.el7_1
* Wed Jul 16 2014 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.4p1-2
- Based on openssh-6.4p1-8.el7
* Tue Jan 28 2014 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.4p1-1
- Based on openssh-6.4p1-1.el7
* Thu Dec 12 2013 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.2p2-4
- Based on openssh-6.2p2-7.fc19
* Tue Nov 26 2013 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.2p2-3
- Based on openssh-6.2p2-6.fc19
* Fri Aug 23 2013 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.2p2-2
- Based on openssh-6.2p2-5.fc19

View file

@ -4,7 +4,7 @@
#
# The creation is controlled by the $AUTOCREATE_SERVER_KEYS environment
# variable.
AUTOCREATE_SERVER_KEYS=RSAONLY
AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
# source function library
. /etc/rc.d/init.d/functions
@ -15,6 +15,7 @@ RSA1_KEY=/etc/gsissh/ssh_host_key
RSA_KEY=/etc/gsissh/ssh_host_rsa_key
DSA_KEY=/etc/gsissh/ssh_host_dsa_key
ECDSA_KEY=/etc/gsissh/ssh_host_ecdsa_key
ED25519_KEY=/etc/gsissh/ssh_host_ed25519_key
# pull in sysconfig settings
[ -f /etc/sysconfig/gsisshd ] && . /etc/sysconfig/gsisshd
@ -36,7 +37,7 @@ do_rsa1_keygen() {
chmod 640 $RSA1_KEY
chmod 644 $RSA1_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $RSA1_KEY.pub
/sbin/restorecon $RSA1_KEY{,.pub}
fi
success $"RSA1 key generation"
echo
@ -57,7 +58,7 @@ do_rsa_keygen() {
chmod 640 $RSA_KEY
chmod 644 $RSA_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $RSA_KEY.pub
/sbin/restorecon $RSA_KEY{,.pub}
fi
success $"RSA key generation"
echo
@ -70,7 +71,7 @@ do_rsa_keygen() {
}
do_dsa_keygen() {
if [ ! -s $DSA_KEY ]; then
if [ ! -s $DSA_KEY -a `fips_enabled` -eq 0 ]; then
echo -n $"Generating SSH2 DSA host key: "
rm -f $DSA_KEY
if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
@ -78,7 +79,7 @@ do_dsa_keygen() {
chmod 640 $DSA_KEY
chmod 644 $DSA_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $DSA_KEY.pub
/sbin/restorecon $DSA_KEY{,.pub}
fi
success $"DSA key generation"
echo
@ -96,10 +97,10 @@ do_ecdsa_keygen() {
rm -f $ECDSA_KEY
if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
chgrp ssh_keys $ECDSA_KEY
chmod 600 $ECDSA_KEY
chmod 640 $ECDSA_KEY
chmod 644 $ECDSA_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $ECDSA_KEY.pub
/sbin/restorecon $ECDSA_KEY{,.pub}
fi
success $"ECDSA key generation"
echo
@ -111,12 +112,43 @@ do_ecdsa_keygen() {
fi
}
# Create keys if necessary
if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
do_rsa_keygen
if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
do_rsa1_keygen
do_dsa_keygen
do_ecdsa_keygen
do_ed25519_keygen() {
if [ ! -s $ED25519_KEY -a `fips_enabled` -eq 0 ]; then
echo -n $"Generating SSH2 ED25519 host key: "
rm -f $ED25519_KEY
if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then
chgrp ssh_keys $ED25519_KEY
chmod 640 $ED25519_KEY
chmod 644 $ED25519_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $ED25519_KEY{,.pub}
fi
success $"ED25519 key generation"
echo
else
failure $"ED25519 key generation"
echo
exit 1
fi
fi
}
if [ "x${AUTOCREATE_SERVER_KEYS}" == "xNO" ]; then
exit 0
fi
# legacy options
case $AUTOCREATE_SERVER_KEYS in
NODSA) AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519";;
RSAONLY) AUTOCREATE_SERVER_KEYS="RSA";;
YES) AUTOCREATE_SERVER_KEYS="DSA RSA ECDSA ED25519";;
esac
for KEY in $AUTOCREATE_SERVER_KEYS; do
case $KEY in
DSA) do_dsa_keygen;;
RSA) do_rsa_keygen;;
ECDSA) do_ecdsa_keygen;;
ED25519) do_ed25519_keygen;;
esac
done

View file

@ -1,8 +1,11 @@
[Unit]
Description=gsissh Server Key Generation
ConditionPathExists=|!/etc/gsissh/ssh_host_rsa_key
ConditionPathExists=|!/etc/gsissh/ssh_host_dsa_key
ConditionFileNotEmpty=|!/etc/gsissh/ssh_host_rsa_key
ConditionFileNotEmpty=|!/etc/gsissh/ssh_host_ecdsa_key
ConditionFileNotEmpty=|!/etc/gsissh/ssh_host_ed25519_key
PartOf=gsisshd.service gsisshd.socket
[Service]
ExecStart=/usr/sbin/gsisshd-keygen
Type=oneshot
RemainAfterExit=yes

View file

@ -2,6 +2,8 @@
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
@ -10,6 +12,9 @@ session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare

View file

@ -1,10 +1,12 @@
[Unit]
Description=gsissh server daemon
After=syslog.target network.target auditd.service
Documentation=man:gsisshd(8) man:gsisshd_config(5)
After=network.target gsisshd-keygen.service
Wants=gsisshd-keygen.service
[Service]
EnvironmentFile=/etc/sysconfig/gsisshd
ExecStartPre=/usr/sbin/gsisshd-keygen
Type=notify
EnvironmentFile=-/etc/sysconfig/gsisshd
ExecStart=/usr/sbin/gsisshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process

View file

@ -1,5 +1,6 @@
[Unit]
Description=gsissh Server Socket
Documentation=man:gsisshd(8) man:gsisshd_config(5)
Conflicts=gsisshd.service
[Socket]

View file

@ -1,12 +1,12 @@
# Configuration file for the sshd service.
# The server keys are automatically generated if they ommited
# to change the automatic creation uncomment the approprite
# line. The default is RSAONLY
# The server keys are automatically generated if they are missing.
# To change the automatic creation uncomment and change the appropriate
# line. Accepted key types are: DSA RSA ECDSA ED25519.
# The default is "RSA ECDSA ED25519"
# AUTOCREATE_SERVER_KEYS=RSAONLY
# AUTOCREATE_SERVER_KEYS=NO
# AUTOCREATE_SERVER_KEYS=YES
# AUTOCREATE_SERVER_KEYS=""
# AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
# Do not change this option unless you have hardware random
# generator and you REALLY know what you are doing

View file

@ -1,7 +1,8 @@
[Unit]
Description=gsissh per-connection server daemon
Documentation=man:gsisshd(8) man:gsisshd_config(5)
Wants=gsisshd-keygen.service
After=auditd.service gsisshd-keygen.service
After=gsisshd-keygen.service
[Service]
EnvironmentFile=-/etc/sysconfig/gsisshd

View file

@ -1,7 +1,8 @@
--- openssh-4.3p2/contrib/gnome-ssh-askpass2.c.grab-info 2006-07-17 15:10:11.000000000 +0200
+++ openssh-4.3p2/contrib/gnome-ssh-askpass2.c 2006-07-17 15:25:04.000000000 +0200
@@ -65,9 +65,12 @@
err = gtk_message_dialog_new(NULL, 0,
diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-7.4p1/contrib/gnome-ssh-askpass2.c
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info 2016-12-23 13:31:22.645213115 +0100
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:40.997216691 +0100
@@ -65,9 +65,12 @@ report_failed_grab (GtkWidget *parent_wi
err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
GTK_MESSAGE_ERROR,
GTK_BUTTONS_CLOSE,
- "Could not grab %s. "
@ -14,5 +15,5 @@
+ "Either close the application which grabs the %s or "
+ "log out and log in again to prevent this from happening.", what, what);
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label),
TRUE);
gtk_dialog_run(GTK_DIALOG(err));

View file

@ -1,6 +1,6 @@
diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contrib/gnome-ssh-askpass2.c
--- openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress 2008-07-23 19:05:26.000000000 +0200
+++ openssh-5.1p1/contrib/gnome-ssh-askpass2.c 2008-07-23 19:05:26.000000000 +0200
diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contrib/gnome-ssh-askpass2.c
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:16.545211926 +0100
@@ -53,6 +53,7 @@
#include <string.h>
#include <unistd.h>
@ -9,7 +9,7 @@ diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contr
#include <gtk/gtk.h>
#include <gdk/gdkx.h>
@@ -83,13 +84,24 @@ ok_dialog(GtkWidget *entry, gpointer dia
@@ -81,13 +82,24 @@ ok_dialog(GtkWidget *entry, gpointer dia
gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
}
@ -30,12 +30,12 @@ diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contr
const char *failed;
char *passphrase, *local;
int result, grab_tries, grab_server, grab_pointer;
- GtkWidget *dialog, *entry;
+ GtkWidget *dialog, *entry, *progress, *hbox;
- GtkWidget *parent_window, *dialog, *entry;
+ GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
GdkGrabStatus status;
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
@@ -102,13 +114,31 @@ passphrase_dialog(char *message)
@@ -104,14 +116,32 @@ passphrase_dialog(char *message)
"%s",
message);
@ -45,9 +45,11 @@ diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contr
+ gtk_widget_show(hbox);
+
entry = gtk_entry_new();
- gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE,
+ gtk_box_pack_start(GTK_BOX(hbox), entry, TRUE,
FALSE, 0);
gtk_box_pack_start(
- GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), entry,
- FALSE, FALSE, 0);
+ GTK_BOX(hbox), entry,
+ TRUE, FALSE, 0);
+ gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
gtk_widget_grab_focus(entry);
@ -68,7 +70,7 @@ diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contr
gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
@@ -119,6 +149,8 @@ passphrase_dialog(char *message)
@@ -120,6 +150,8 @@ passphrase_dialog(char *message)
gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
g_signal_connect(G_OBJECT(entry), "activate",
G_CALLBACK(ok_dialog), dialog);

View file

@ -1,18 +0,0 @@
diff -up openssh-5.1p1/scp.1.manpage openssh-5.1p1/scp.1
--- openssh-5.1p1/scp.1.manpage 2008-07-12 09:12:49.000000000 +0200
+++ openssh-5.1p1/scp.1 2008-07-23 19:18:15.000000000 +0200
@@ -66,6 +66,14 @@ treating file names containing
as host specifiers.
Copies between two remote hosts are also permitted.
.Pp
+When copying a source file to a target file which already exists,
+.Nm
+will replace the contents of the target file (keeping the inode).
+.Pp
+If the target file does not yet exist, an empty file with the target
+file name is created, then filled with the source file contents.
+No attempt is made at "near-atomic" transfer using temporary files.
+.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 1

View file

@ -1,37 +0,0 @@
diff -up openssh-5.2p1/canohost.c.ip-opts openssh-5.2p1/canohost.c
--- openssh-5.2p1/canohost.c.ip-opts 2009-02-14 06:28:21.000000000 +0100
+++ openssh-5.2p1/canohost.c 2009-09-01 15:31:29.000000000 +0200
@@ -169,12 +169,27 @@ check_ip_options(int sock, char *ipaddr)
option_size = sizeof(options);
if (getsockopt(sock, ipproto, IP_OPTIONS, options,
&option_size) >= 0 && option_size != 0) {
- text[0] = '\0';
- for (i = 0; i < option_size; i++)
- snprintf(text + i*3, sizeof(text) - i*3,
- " %2.2x", options[i]);
- fatal("Connection from %.100s with IP options:%.800s",
- ipaddr, text);
+ i = 0;
+ do {
+ switch (options[i]) {
+ case 0:
+ case 1:
+ ++i;
+ break;
+ case 131:
+ case 137:
+ /* Fail, fatally, if we detect either loose or strict
+ * source routing options. */
+ text[0] = '\0';
+ for (i = 0; i < option_size; i++)
+ snprintf(text + i*3, sizeof(text) - i*3,
+ " %2.2x", options[i]);
+ fatal("Connection from %.100s with IP options:%.800s",
+ ipaddr, text);
+ default:
+ i += options[i + 1];
+ }
+ } while (i < option_size);
}
#endif /* IP_OPTIONS */
}

View file

@ -1,7 +1,7 @@
diff -up openssh-5.3p1/channels.c.bz595935 openssh-5.3p1/channels.c
--- openssh-5.3p1/channels.c.bz595935 2010-08-12 14:19:28.000000000 +0200
+++ openssh-5.3p1/channels.c 2010-08-12 14:33:51.000000000 +0200
@@ -3185,7 +3185,7 @@ x11_create_display_inet(int x11_display_
@@ -3990,21 +3990,24 @@ x11_create_display_inet(int x11_display_
}
static int
@ -10,14 +10,16 @@ diff -up openssh-5.3p1/channels.c.bz595935 openssh-5.3p1/channels.c
{
int sock;
struct sockaddr_un addr;
@@ -3195,11 +3195,14 @@ connect_local_xsocket_path(const char *p
+ if (len <= 0)
+ return -1;
sock = socket(AF_UNIX, SOCK_STREAM, 0);
if (sock < 0)
error("socket: %.100s", strerror(errno));
memset(&addr, 0, sizeof(addr));
addr.sun_family = AF_UNIX;
- strlcpy(addr.sun_path, pathname, sizeof addr.sun_path);
- if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
+ if (len <= 0)
+ return -1;
+ if (len > sizeof addr.sun_path)
+ len = sizeof addr.sun_path;
+ memcpy(addr.sun_path, pathname, len);
@ -28,16 +30,13 @@ diff -up openssh-5.3p1/channels.c.bz595935 openssh-5.3p1/channels.c
return -1;
}
@@ -3207,8 +3210,21 @@ static int
@@ -3207,8 +3210,18 @@ static int
connect_local_xsocket(u_int dnr)
{
char buf[1024];
- snprintf(buf, sizeof buf, _PATH_UNIX_X, dnr);
- return connect_local_xsocket_path(buf);
+ int len;
+#ifdef linux
+ int ret;
+#endif
+ int len, ret;
+ len = snprintf(buf + 1, sizeof (buf) - 1, _PATH_UNIX_X, dnr);
+#ifdef linux
+ /* try abstract socket first */

View file

@ -1,14 +0,0 @@
diff -up openssh-5.6p1/channels.c.exit-deadlock openssh-5.6p1/channels.c
--- openssh-5.6p1/channels.c.exit-deadlock 2010-08-05 15:09:48.000000000 +0200
+++ openssh-5.6p1/channels.c 2010-08-23 12:41:43.000000000 +0200
@@ -1647,6 +1647,10 @@ channel_handle_wfd(Channel *c, fd_set *r
u_int dlen, olen = 0;
int len;
+ if(c->wfd != -1 && buffer_len(&c->output) > 0 && c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
+ debug("channel %d: forcing write", c->self);
+ FD_SET(c->wfd, writeset);
+ }
/* Send buffered output data to the socket. */
if (c->wfd != -1 &&
FD_ISSET(c->wfd, writeset) &&

View file

@ -1,24 +0,0 @@
diff -up openssh-5.6p1/channels.c.getaddrinfo openssh-5.6p1/channels.c
--- openssh-5.6p1/channels.c.getaddrinfo 2012-02-14 16:12:54.427852524 +0100
+++ openssh-5.6p1/channels.c 2012-02-14 16:13:22.818928690 +0100
@@ -3275,6 +3275,9 @@ x11_create_display_inet(int x11_display_
memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6;
hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
+#ifdef AI_ADDRCONFIG
+ hints.ai_flags |= AI_ADDRCONFIG;
+#endif
hints.ai_socktype = SOCK_STREAM;
snprintf(strport, sizeof strport, "%d", port);
if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
diff -up openssh-5.6p1/sshconnect.c.getaddrinfo openssh-5.6p1/sshconnect.c
--- openssh-5.6p1/sshconnect.c.getaddrinfo 2012-02-14 16:09:25.057964291 +0100
+++ openssh-5.6p1/sshconnect.c 2012-02-14 16:09:25.106047007 +0100
@@ -343,6 +343,7 @@ ssh_connect(const char *host, struct soc
memset(&hints, 0, sizeof(hints));
hints.ai_family = family;
hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_V4MAPPED | AI_ADDRCONFIG;
snprintf(strport, sizeof strport, "%u", port);
if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
fatal("%s: Could not resolve hostname %.100s: %s", __progname,

View file

@ -1,10 +0,0 @@
diff -up openssh-5.8p1/sftp-glob.c.glob openssh-5.8p1/sftp-glob.c
--- openssh-5.8p1/sftp-glob.c.glob 2011-03-07 20:17:34.000000000 +0100
+++ openssh-5.8p1/sftp-glob.c 2011-03-07 20:18:47.000000000 +0100
@@ -145,5 +145,5 @@ remote_glob(struct sftp_conn *conn, cons
memset(&cur, 0, sizeof(cur));
cur.conn = conn;
- return(glob(pattern, flags | GLOB_ALTDIRFUNC, errfunc, pglob));
+ return(glob(pattern, flags | GLOB_LIMIT | GLOB_ALTDIRFUNC, errfunc, pglob));
}

View file

@ -1,14 +0,0 @@
diff -up openssh-5.8p1/sshd_config.localdomain openssh-5.8p1/sshd_config
--- openssh-5.8p1/sshd_config.localdomain 2011-04-22 11:37:49.273648812 +0200
+++ openssh-5.8p1/sshd_config 2011-04-22 11:39:31.758648401 +0200
@@ -130,6 +130,10 @@ X11Forwarding yes
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
+# Uncomment this if you want to use .local domain
+#Host *.local
+# CheckHostIP no
+
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no

View file

@ -5,8 +5,8 @@ diff -up openssh-5.8p1/packet.c.packet openssh-5.8p1/packet.c
struct sockaddr_storage from, to;
socklen_t fromlen, tolen;
+ if (!active_state)
+ if (!state)
+ return 0;
/* filedescriptors in and out are the same, so it's a socket */
if (active_state->connection_in == active_state->connection_out)
return 1;
if (state->connection_in == -1 || state->connection_out == -1)
return 0;

View file

@ -1,13 +0,0 @@
diff -up openssh-5.8p2/mux.c.remove_stale openssh-5.8p2/mux.c
--- openssh-5.8p2/mux.c.remove_stale 2011-01-14 02:01:32.000000000 +0100
+++ openssh-5.8p2/mux.c 2011-06-09 15:27:42.556360291 +0200
@@ -1867,6 +1867,9 @@ muxclient(const char *path)
unlink(path);
} else if (errno == ENOENT) {
debug("Control socket \"%.100s\" does not exist", path);
+ } else if (errno == ECONNREFUSED) {
+ debug("Removing stale control socket \"%.100s\"", path);
+ unlink(path);
} else {
error("Control socket connect(%.100s): %s", path,
strerror(errno));

View file

@ -1,72 +0,0 @@
diff -up openssh-5.9p1/dns.c.edns openssh-5.9p1/dns.c
--- openssh-5.9p1/dns.c.edns 2010-08-31 14:41:14.000000000 +0200
+++ openssh-5.9p1/dns.c 2011-09-09 08:05:27.782440497 +0200
@@ -177,6 +177,7 @@ verify_host_key_dns(const char *hostname
{
u_int counter;
int result;
+ unsigned int rrset_flags = 0;
struct rrsetinfo *fingerprints = NULL;
u_int8_t hostkey_algorithm;
@@ -200,8 +201,19 @@ verify_host_key_dns(const char *hostname
return -1;
}
+ /*
+ * Original getrrsetbyname function, found on OpenBSD for example,
+ * doesn't accept any flag and prerequisite for obtaining AD bit in
+ * DNS response is set by "options edns0" in resolv.conf.
+ *
+ * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
+ */
+#ifndef HAVE_GETRRSETBYNAME
+ rrset_flags |= RRSET_FORCE_EDNS0;
+#endif
result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
- DNS_RDATATYPE_SSHFP, 0, &fingerprints);
+ DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
+
if (result) {
verbose("DNS lookup error: %s", dns_result_totext(result));
return -1;
diff -up openssh-5.9p1/openbsd-compat/getrrsetbyname.c.edns openssh-5.9p1/openbsd-compat/getrrsetbyname.c
--- openssh-5.9p1/openbsd-compat/getrrsetbyname.c.edns 2009-07-13 03:38:23.000000000 +0200
+++ openssh-5.9p1/openbsd-compat/getrrsetbyname.c 2011-09-09 15:03:39.930500801 +0200
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, uns
goto fail;
}
- /* don't allow flags yet, unimplemented */
- if (flags) {
+ /* Allow RRSET_FORCE_EDNS0 flag only. */
+ if ((flags & ~RRSET_FORCE_EDNS0) != 0) {
result = ERRSET_INVAL;
goto fail;
}
@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, uns
#endif /* DEBUG */
#ifdef RES_USE_DNSSEC
- /* turn on DNSSEC if EDNS0 is configured */
- if (_resp->options & RES_USE_EDNS0)
- _resp->options |= RES_USE_DNSSEC;
+ /* turn on DNSSEC if required */
+ if (flags & RRSET_FORCE_EDNS0)
+ _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
#endif /* RES_USE_DNSEC */
/* make query */
diff -up openssh-5.9p1/openbsd-compat/getrrsetbyname.h.edns openssh-5.9p1/openbsd-compat/getrrsetbyname.h
--- openssh-5.9p1/openbsd-compat/getrrsetbyname.h.edns 2007-10-26 08:26:50.000000000 +0200
+++ openssh-5.9p1/openbsd-compat/getrrsetbyname.h 2011-09-09 08:05:27.965438689 +0200
@@ -72,6 +72,9 @@
#ifndef RRSET_VALIDATED
# define RRSET_VALIDATED 1
#endif
+#ifndef RRSET_FORCE_EDNS0
+# define RRSET_FORCE_EDNS0 0x0001
+#endif
/*
* Return codes for getrrsetbyname()

View file

@ -1,13 +0,0 @@
diff -up openssh-5.9p0/entropy.c.randclean openssh-5.9p0/entropy.c
--- openssh-5.9p0/entropy.c.randclean 2011-08-30 13:52:45.000000000 +0200
+++ openssh-5.9p0/entropy.c 2011-08-30 13:57:44.630111338 +0200
@@ -217,6 +217,9 @@ seed_rng(void)
fatal("OpenSSL version mismatch. Built against %lx, you "
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
+ /* clean the PRNG status when exiting the program */
+ atexit(RAND_cleanup);
+
#ifndef OPENSSL_PRNG_ONLY
if (RAND_status() == 1) {
debug3("RNG is ready, skipping seeding");

View file

@ -1,18 +0,0 @@
diff -up openssh-6.1p1/contrib/Makefile.askpass-ld openssh-6.1p1/contrib/Makefile
--- openssh-6.1p1/contrib/Makefile.askpass-ld 2012-05-19 07:24:37.000000000 +0200
+++ openssh-6.1p1/contrib/Makefile 2012-09-14 20:35:47.565704718 +0200
@@ -4,12 +4,12 @@ all:
@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
gnome-ssh-askpass1: gnome-ssh-askpass1.c
- $(CC) `gnome-config --cflags gnome gnomeui` \
+ $(CC) ${CFLAGS} `gnome-config --cflags gnome gnomeui` \
gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
`gnome-config --libs gnome gnomeui`
gnome-ssh-askpass2: gnome-ssh-askpass2.c
- $(CC) `$(PKG_CONFIG) --cflags gtk+-2.0` \
+ $(CC) ${CFLAGS} `$(PKG_CONFIG) --cflags gtk+-2.0` \
gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
`$(PKG_CONFIG) --libs gtk+-2.0 x11`

View file

@ -12,7 +12,7 @@ diff -up openssh-6.1p1/sshconnect2.c.canohost openssh-6.1p1/sshconnect2.c
gss_host = options.gss_server_identity;
- else if (options.gss_trust_dns)
+ else if (options.gss_trust_dns) {
gss_host = get_canonical_hostname(1);
gss_host = get_canonical_hostname(active_state, 1);
+ if ( strcmp( gss_host, "UNKNOWN" ) == 0 )
+ gss_host = authctxt->host;
+ }

View file

@ -1,26 +0,0 @@
diff -up openssh-6.1p1/sshd.c.log-usepam-no openssh-6.1p1/sshd.c
--- openssh-6.1p1/sshd.c.log-usepam-no 2012-09-14 20:54:58.000000000 +0200
+++ openssh-6.1p1/sshd.c 2012-09-14 20:55:42.289477749 +0200
@@ -1617,6 +1617,10 @@ main(int ac, char **av)
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
&cfg, NULL);
+ /* 'UsePAM no' is not supported in Fedora */
+ if (! options.use_pam)
+ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
+
seed_rng();
/* Fill in default values for those options not explicitly set. */
diff -up openssh-6.1p1/sshd_config.log-usepam-no openssh-6.1p1/sshd_config
--- openssh-6.1p1/sshd_config.log-usepam-no 2012-09-14 20:54:58.514255748 +0200
+++ openssh-6.1p1/sshd_config 2012-09-14 20:54:58.551255954 +0200
@@ -95,6 +95,8 @@ GSSAPICleanupCredentials yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# problems.
#UsePAM no
UsePAM yes

View file

@ -1,7 +1,7 @@
diff -up openssh-6.2p1/configure.ac.vendor openssh-6.2p1/configure.ac
--- openssh-6.2p1/configure.ac.vendor 2013-03-25 19:34:01.277495179 +0100
+++ openssh-6.2p1/configure.ac 2013-03-25 19:34:01.377495818 +0100
@@ -4420,6 +4420,12 @@ AC_ARG_WITH([lastlog],
diff -up openssh-7.4p1/configure.ac.vendor openssh-7.4p1/configure.ac
--- openssh-7.4p1/configure.ac.vendor 2017-02-10 10:45:54.977836854 +0100
+++ openssh-7.4p1/configure.ac 2017-02-10 10:45:54.995836725 +0100
@@ -4930,6 +4930,12 @@ AC_ARG_WITH([lastlog],
fi
]
)
@ -14,7 +14,7 @@ diff -up openssh-6.2p1/configure.ac.vendor openssh-6.2p1/configure.ac
dnl lastlog, [uw]tmpx? detection
dnl NOTE: set the paths in the platform section to avoid the
@@ -4681,6 +4687,7 @@ echo " Translate v4 in v6 hack
@@ -5194,6 +5200,7 @@ echo " Translate v4 in v6 hack
echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG"
echo " Privsep sandbox style: $SANDBOX_STYLE"
@ -22,10 +22,10 @@ diff -up openssh-6.2p1/configure.ac.vendor openssh-6.2p1/configure.ac
echo ""
diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
--- openssh-6.2p1/servconf.c.vendor 2013-03-25 19:34:01.197494668 +0100
+++ openssh-6.2p1/servconf.c 2013-03-25 19:34:01.379495831 +0100
@@ -128,6 +128,7 @@ initialize_server_options(ServerOptions
diff -up openssh-7.4p1/servconf.c.vendor openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.vendor 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/servconf.c 2017-02-10 10:45:54.995836725 +0100
@@ -143,6 +143,7 @@ initialize_server_options(ServerOptions
options->max_authtries = -1;
options->max_sessions = -1;
options->banner = NULL;
@ -33,26 +33,25 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
options->use_dns = -1;
options->client_alive_interval = -1;
options->client_alive_count_max = -1;
@@ -287,6 +288,9 @@ fill_default_server_options(ServerOption
@@ -325,6 +326,8 @@ fill_default_server_options(ServerOption
options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->version_addendum == NULL)
options->version_addendum = xstrdup("");
+ if (options->show_patchlevel == -1)
+ options->show_patchlevel = 0;
+
/* Turn privilege separation on by default */
if (use_privsep == -1)
use_privsep = PRIVSEP_NOSANDBOX;
@@ -324,7 +328,7 @@ typedef enum {
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
sMaxStartups, sMaxAuthTries, sMaxSessions,
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
options->fwd_opts.streamlocal_bind_mask = 0177;
if (options->fwd_opts.streamlocal_bind_unlink == -1)
@@ -402,7 +405,7 @@ typedef enum {
sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
- sBanner, sUseDNS, sHostbasedAuthentication,
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
@@ -439,6 +443,7 @@ static struct {
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
@@ -528,6 +531,7 @@ static struct {
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
{ "banner", sBanner, SSHCFG_ALL },
@ -60,7 +59,7 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1163,6 +1168,10 @@ process_server_config_line(ServerOptions
@@ -1369,6 +1373,10 @@ process_server_config_line(ServerOptions
multistate_ptr = multistate_privsep;
goto parse_multistate;
@ -71,18 +70,18 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS)
@@ -1950,6 +1959,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseLogin, o->use_login);
@@ -2269,6 +2277,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
diff -up openssh-6.2p1/servconf.h.vendor openssh-6.2p1/servconf.h
--- openssh-6.2p1/servconf.h.vendor 2013-01-09 05:56:45.000000000 +0100
+++ openssh-6.2p1/servconf.h 2013-03-25 19:34:01.379495831 +0100
@@ -147,6 +147,7 @@ typedef struct {
dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
diff -up openssh-7.4p1/servconf.h.vendor openssh-7.4p1/servconf.h
--- openssh-7.4p1/servconf.h.vendor 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/servconf.h 2017-02-10 10:45:54.995836725 +0100
@@ -149,6 +149,7 @@ typedef struct {
int max_authtries;
int max_sessions;
char *banner; /* SSH-2 banner message */
@ -90,39 +89,13 @@ diff -up openssh-6.2p1/servconf.h.vendor openssh-6.2p1/servconf.h
int use_dns;
int client_alive_interval; /*
* poke the client this often to
diff -up openssh-6.2p1/sshd_config.vendor openssh-6.2p1/sshd_config
--- openssh-6.2p1/sshd_config.vendor 2013-03-25 19:34:01.380495837 +0100
+++ openssh-6.2p1/sshd_config 2013-03-25 19:44:43.471296362 +0100
@@ -118,6 +118,7 @@ UsePrivilegeSeparation sandbox # Defaul
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
+#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
diff -up openssh-6.2p1/sshd_config.0.vendor openssh-6.2p1/sshd_config.0
--- openssh-6.2p1/sshd_config.0.vendor 2013-03-25 19:34:01.361495716 +0100
+++ openssh-6.2p1/sshd_config.0 2013-03-25 19:34:01.381495844 +0100
@@ -595,6 +595,11 @@ DESCRIPTION
Defines the number of bits in the ephemeral protocol version 1
server key. The minimum value is 512, and the default is 1024.
+ ShowPatchLevel
+ Specifies whether sshd will display the specific patch level of
+ the binary in the server identification string. The patch level
+ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^].
+
StrictModes
Specifies whether sshd(8) should check file modes and ownership
of the user's files and home directory before accepting login.
diff -up openssh-6.2p1/sshd_config.5.vendor openssh-6.2p1/sshd_config.5
--- openssh-6.2p1/sshd_config.5.vendor 2013-03-25 19:34:01.362495722 +0100
+++ openssh-6.2p1/sshd_config.5 2013-03-25 19:34:01.382495850 +0100
@@ -1019,6 +1019,14 @@ This option applies to protocol version
.It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key.
The minimum value is 512, and the default is 1024.
diff -up openssh-7.4p1/sshd_config.5.vendor openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.vendor 2017-02-10 10:45:54.990836761 +0100
+++ openssh-7.4p1/sshd_config.5 2017-02-10 10:45:54.996836718 +0100
@@ -1334,6 +1334,14 @@ an OpenSSH Key Revocation List (KRL) as
.Xr ssh-keygen 1 .
For more information on KRLs, see the KEY REVOCATION LISTS section in
.Xr ssh-keygen 1 .
+.It Cm ShowPatchLevel
+Specifies whether
+.Nm sshd
@ -131,28 +104,40 @@ diff -up openssh-6.2p1/sshd_config.5.vendor openssh-6.2p1/sshd_config.5
+The default is
+.Dq no .
+This option applies to protocol version 1 only.
.It Cm StrictModes
Specifies whether
.Xr sshd 8
diff -up openssh-6.2p1/sshd.c.vendor openssh-6.2p1/sshd.c
--- openssh-6.2p1/sshd.c.vendor 2013-03-25 19:34:01.332495531 +0100
+++ openssh-6.2p1/sshd.c 2013-03-25 19:44:11.864112092 +0100
@@ -442,7 +442,7 @@ sshd_exchange_identification(int sock_in
}
.It Cm StreamLocalBindMask
Sets the octal file creation mode mask
.Pq umask
diff -up openssh-7.4p1/sshd_config.vendor openssh-7.4p1/sshd_config
--- openssh-7.4p1/sshd_config.vendor 2017-02-10 10:45:54.990836761 +0100
+++ openssh-7.4p1/sshd_config 2017-02-10 10:45:54.996836718 +0100
@@ -105,6 +105,7 @@ X11Forwarding yes
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
+#ShowPatchLevel no
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
diff -up openssh-7.4p1/sshd.c.vendor openssh-7.4p1/sshd.c
--- openssh-7.4p1/sshd.c.vendor 2017-02-10 10:45:54.996836718 +0100
+++ openssh-7.4p1/sshd.c 2017-02-10 10:48:41.633648667 +0100
@@ -367,7 +367,8 @@ sshd_exchange_identification(struct ssh
char remote_version[256]; /* Must be at least as big as buf. */
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
- major, minor, SSH_VERSION,
+ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);
@@ -1675,7 +1675,8 @@ main(int ac, char **av)
@@ -1654,7 +1655,8 @@ main(int ac, char **av)
exit(1);
}
- debug("sshd version %s, %s", SSH_VERSION,
+ debug("sshd version %s, %s",
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
SSLeay_version(SSLEAY_VERSION));
/* Store privilege separation user for later use if required. */
#ifdef WITH_OPENSSL
SSLeay_version(SSLEAY_VERSION)
#else

View file

@ -1,788 +0,0 @@
diff -up openssh-6.3p1/auth-pam.c.coverity openssh-6.3p1/auth-pam.c
--- openssh-6.3p1/auth-pam.c.coverity 2013-06-02 00:07:32.000000000 +0200
+++ openssh-6.3p1/auth-pam.c 2013-10-07 13:20:36.288298063 +0200
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
if (sshpam_thread_status != -1)
return (sshpam_thread_status);
signal(SIGCHLD, sshpam_oldsig);
- waitpid(thread, &status, 0);
+ while (waitpid(thread, &status, 0) < 0) {
+ if (errno == EINTR)
+ continue;
+ fatal("%s: waitpid: %s", __func__,
+ strerror(errno));
+ }
return (status);
}
#endif
diff -up openssh-6.3p1/channels.c.coverity openssh-6.3p1/channels.c
--- openssh-6.3p1/channels.c.coverity 2013-09-13 08:19:31.000000000 +0200
+++ openssh-6.3p1/channels.c 2013-10-07 13:20:36.289298058 +0200
@@ -233,11 +233,11 @@ channel_register_fds(Channel *c, int rfd
channel_max_fd = MAX(channel_max_fd, wfd);
channel_max_fd = MAX(channel_max_fd, efd);
- if (rfd != -1)
+ if (rfd >= 0)
fcntl(rfd, F_SETFD, FD_CLOEXEC);
- if (wfd != -1 && wfd != rfd)
+ if (wfd >= 0 && wfd != rfd)
fcntl(wfd, F_SETFD, FD_CLOEXEC);
- if (efd != -1 && efd != rfd && efd != wfd)
+ if (efd >= 0 && efd != rfd && efd != wfd)
fcntl(efd, F_SETFD, FD_CLOEXEC);
c->rfd = rfd;
@@ -255,11 +255,11 @@ channel_register_fds(Channel *c, int rfd
/* enable nonblocking mode */
if (nonblock) {
- if (rfd != -1)
+ if (rfd >= 0)
set_nonblock(rfd);
- if (wfd != -1)
+ if (wfd >= 0)
set_nonblock(wfd);
- if (efd != -1)
+ if (efd >= 0)
set_nonblock(efd);
}
}
diff -up openssh-6.3p1/clientloop.c.coverity openssh-6.3p1/clientloop.c
--- openssh-6.3p1/clientloop.c.coverity 2013-06-10 05:07:12.000000000 +0200
+++ openssh-6.3p1/clientloop.c 2013-10-07 13:20:36.289298058 +0200
@@ -2068,14 +2068,15 @@ client_input_global_request(int type, u_
char *rtype;
int want_reply;
int success = 0;
+/* success is still 0 the packet is allways SSH2_MSG_REQUEST_FAILURE, isn't it? */
rtype = packet_get_string(NULL);
want_reply = packet_get_char();
debug("client_input_global_request: rtype %s want_reply %d",
rtype, want_reply);
if (want_reply) {
- packet_start(success ?
- SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE);
+ packet_start(/*success ?
+ SSH2_MSG_REQUEST_SUCCESS :*/ SSH2_MSG_REQUEST_FAILURE);
packet_send();
packet_write_wait();
}
diff -up openssh-6.3p1/key.c.coverity openssh-6.3p1/key.c
--- openssh-6.3p1/key.c.coverity 2013-06-01 23:41:51.000000000 +0200
+++ openssh-6.3p1/key.c 2013-10-07 13:20:36.290298054 +0200
@@ -807,8 +807,10 @@ key_read(Key *ret, char **cpp)
success = 1;
/*XXXX*/
key_free(k);
+/*XXXX
if (success != 1)
break;
+XXXX*/
/* advance cp: skip whitespace and data */
while (*cp == ' ' || *cp == '\t')
cp++;
diff -up openssh-6.3p1/monitor.c.coverity openssh-6.3p1/monitor.c
--- openssh-6.3p1/monitor.c.coverity 2013-07-20 05:21:53.000000000 +0200
+++ openssh-6.3p1/monitor.c 2013-10-07 13:54:36.761314042 +0200
@@ -449,7 +449,7 @@ monitor_child_preauth(Authctxt *_authctx
mm_get_keystate(pmonitor);
/* Drain any buffered messages from the child */
- while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
+ while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
;
close(pmonitor->m_sendfd);
@@ -1202,6 +1202,10 @@ mm_answer_keyallowed(int sock, Buffer *m
break;
}
}
+
+ debug3("%s: key %p is %s",
+ __func__, key, allowed ? "allowed" : "not allowed");
+
if (key != NULL)
key_free(key);
@@ -1223,9 +1227,6 @@ mm_answer_keyallowed(int sock, Buffer *m
free(chost);
}
- debug3("%s: key %p is %s",
- __func__, key, allowed ? "allowed" : "not allowed");
-
buffer_clear(m);
buffer_put_int(m, allowed);
buffer_put_int(m, forced_command != NULL);
diff -up openssh-6.3p1/monitor_wrap.c.coverity openssh-6.3p1/monitor_wrap.c
--- openssh-6.3p1/monitor_wrap.c.coverity 2013-06-02 00:07:32.000000000 +0200
+++ openssh-6.3p1/monitor_wrap.c 2013-10-07 13:20:36.291298049 +0200
@@ -710,10 +710,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
error("%s: cannot allocate fds for pty", __func__);
- if (tmp1 > 0)
+ if (tmp1 >= 0)
close(tmp1);
- if (tmp2 > 0)
- close(tmp2);
+ /*DEAD CODE if (tmp2 >= 0)
+ close(tmp2);*/
return 0;
}
close(tmp1);
diff -up openssh-6.3p1/openbsd-compat/bindresvport.c.coverity openssh-6.3p1/openbsd-compat/bindresvport.c
--- openssh-6.3p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100
+++ openssh-6.3p1/openbsd-compat/bindresvport.c 2013-10-07 13:20:36.291298049 +0200
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
struct sockaddr_in6 *in6;
u_int16_t *portp;
u_int16_t port;
- socklen_t salen;
+ socklen_t salen = sizeof(struct sockaddr_storage);
int i;
if (sa == NULL) {
diff -up openssh-6.3p1/packet.c.coverity openssh-6.3p1/packet.c
--- openssh-6.3p1/packet.c.coverity 2013-07-18 08:12:45.000000000 +0200
+++ openssh-6.3p1/packet.c 2013-10-07 13:20:36.291298049 +0200
@@ -1199,6 +1199,7 @@ packet_read_poll1(void)
case DEATTACK_DETECTED:
packet_disconnect("crc32 compensation attack: "
"network attack detected");
+ break;
case DEATTACK_DOS_DETECTED:
packet_disconnect("deattack denial of "
"service detected");
diff -up openssh-6.3p1/progressmeter.c.coverity openssh-6.3p1/progressmeter.c
--- openssh-6.3p1/progressmeter.c.coverity 2013-06-02 15:46:24.000000000 +0200
+++ openssh-6.3p1/progressmeter.c 2013-10-07 13:42:32.377850691 +0200
@@ -65,7 +65,7 @@ static void update_progress_meter(int);
static time_t start; /* start progress */
static time_t last_update; /* last progress update */
-static char *file; /* name of the file being transferred */
+static const char *file; /* name of the file being transferred */
static off_t end_pos; /* ending position of transfer */
static off_t cur_pos; /* transfer position as of last refresh */
static volatile off_t *counter; /* progress counter */
@@ -247,7 +247,7 @@ update_progress_meter(int ignore)
}
void
-start_progress_meter(char *f, off_t filesize, off_t *ctr)
+start_progress_meter(const char *f, off_t filesize, off_t *ctr)
{
start = last_update = monotime();
file = f;
diff -up openssh-6.3p1/progressmeter.h.coverity openssh-6.3p1/progressmeter.h
--- openssh-6.3p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200
+++ openssh-6.3p1/progressmeter.h 2013-10-07 13:20:36.292298044 +0200
@@ -23,5 +23,5 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-void start_progress_meter(char *, off_t, off_t *);
+void start_progress_meter(const char *, off_t, off_t *);
void stop_progress_meter(void);
diff -up openssh-6.3p1/scp.c.coverity openssh-6.3p1/scp.c
--- openssh-6.3p1/scp.c.coverity 2013-07-18 08:11:25.000000000 +0200
+++ openssh-6.3p1/scp.c 2013-10-07 13:20:36.292298044 +0200
@@ -155,7 +155,7 @@ killchild(int signo)
{
if (do_cmd_pid > 1) {
kill(do_cmd_pid, signo ? signo : SIGTERM);
- waitpid(do_cmd_pid, NULL, 0);
+ (void) waitpid(do_cmd_pid, NULL, 0);
}
if (signo)
diff -up openssh-6.3p1/servconf.c.coverity openssh-6.3p1/servconf.c
--- openssh-6.3p1/servconf.c.coverity 2013-07-20 05:21:53.000000000 +0200
+++ openssh-6.3p1/servconf.c 2013-10-07 13:20:36.293298039 +0200
@@ -1323,7 +1323,7 @@ process_server_config_line(ServerOptions
fatal("%s line %d: Missing subsystem name.",
filename, linenum);
if (!*activep) {
- arg = strdelim(&cp);
+ /*arg =*/ (void) strdelim(&cp);
break;
}
for (i = 0; i < options->num_subsystems; i++)
@@ -1414,8 +1414,9 @@ process_server_config_line(ServerOptions
if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid());
/* increase optional counter */
- if (intptr != NULL)
- *intptr = *intptr + 1;
+ /* DEAD CODE intptr is still NULL ;)
+ if (intptr != NULL)
+ *intptr = *intptr + 1; */
}
break;
diff -up openssh-6.3p1/serverloop.c.coverity openssh-6.3p1/serverloop.c
--- openssh-6.3p1/serverloop.c.coverity 2013-07-18 08:12:45.000000000 +0200
+++ openssh-6.3p1/serverloop.c 2013-10-07 13:43:36.620537138 +0200
@@ -147,13 +147,13 @@ notify_setup(void)
static void
notify_parent(void)
{
- if (notify_pipe[1] != -1)
+ if (notify_pipe[1] >= 0)
(void)write(notify_pipe[1], "", 1);
}
static void
notify_prepare(fd_set *readset)
{
- if (notify_pipe[0] != -1)
+ if (notify_pipe[0] >= 0)
FD_SET(notify_pipe[0], readset);
}
static void
@@ -161,8 +161,8 @@ notify_done(fd_set *readset)
{
char c;
- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset))
- while (read(notify_pipe[0], &c, 1) != -1)
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
+ while (read(notify_pipe[0], &c, 1) >= 0)
debug2("notify_done: reading");
}
@@ -336,7 +336,7 @@ wait_until_can_do_something(fd_set **rea
* If we have buffered data, try to write some of that data
* to the program.
*/
- if (fdin != -1 && buffer_len(&stdin_buffer) > 0)
+ if (fdin >= 0 && buffer_len(&stdin_buffer) > 0)
FD_SET(fdin, *writesetp);
}
notify_prepare(*readsetp);
@@ -476,7 +476,7 @@ process_output(fd_set *writeset)
int len;
/* Write buffered data to program stdin. */
- if (!compat20 && fdin != -1 && FD_ISSET(fdin, writeset)) {
+ if (!compat20 && fdin >= 0 && FD_ISSET(fdin, writeset)) {
data = buffer_ptr(&stdin_buffer);
dlen = buffer_len(&stdin_buffer);
len = write(fdin, data, dlen);
@@ -589,7 +589,7 @@ server_loop(pid_t pid, int fdin_arg, int
set_nonblock(fdin);
set_nonblock(fdout);
/* we don't have stderr for interactive terminal sessions, see below */
- if (fderr != -1)
+ if (fderr >= 0)
set_nonblock(fderr);
if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin))
@@ -613,7 +613,7 @@ server_loop(pid_t pid, int fdin_arg, int
max_fd = MAX(connection_in, connection_out);
max_fd = MAX(max_fd, fdin);
max_fd = MAX(max_fd, fdout);
- if (fderr != -1)
+ if (fderr >= 0)
max_fd = MAX(max_fd, fderr);
#endif
@@ -643,7 +643,7 @@ server_loop(pid_t pid, int fdin_arg, int
* If we have received eof, and there is no more pending
* input data, cause a real eof by closing fdin.
*/
- if (stdin_eof && fdin != -1 && buffer_len(&stdin_buffer) == 0) {
+ if (stdin_eof && fdin >= 0 && buffer_len(&stdin_buffer) == 0) {
if (fdin != fdout)
close(fdin);
else
@@ -739,15 +739,15 @@ server_loop(pid_t pid, int fdin_arg, int
buffer_free(&stderr_buffer);
/* Close the file descriptors. */
- if (fdout != -1)
+ if (fdout >= 0)
close(fdout);
fdout = -1;
fdout_eof = 1;
- if (fderr != -1)
+ if (fderr >= 0)
close(fderr);
fderr = -1;
fderr_eof = 1;
- if (fdin != -1)
+ if (fdin >= 0)
close(fdin);
fdin = -1;
@@ -946,7 +946,7 @@ server_input_window_size(int type, u_int
debug("Window change received.");
packet_check_eom();
- if (fdin != -1)
+ if (fdin >= 0)
pty_change_window_size(fdin, row, col, xpixel, ypixel);
}
@@ -1006,7 +1006,7 @@ server_request_tun(void)
}
tun = packet_get_int();
- if (forced_tun_device != -1) {
+ if (forced_tun_device >= 0) {
if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
goto done;
tun = forced_tun_device;
diff -up openssh-6.3p1/sftp-client.c.coverity openssh-6.3p1/sftp-client.c
--- openssh-6.3p1/sftp-client.c.coverity 2013-07-26 00:40:00.000000000 +0200
+++ openssh-6.3p1/sftp-client.c 2013-10-07 13:48:45.885027420 +0200
@@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer *
}
static void
-send_string_request(struct sftp_conn *conn, u_int id, u_int code, char *s,
+send_string_request(struct sftp_conn *conn, u_int id, u_int code, const char *s,
u_int len)
{
Buffer msg;
@@ -165,7 +165,7 @@ send_string_request(struct sftp_conn *co
static void
send_string_attrs_request(struct sftp_conn *conn, u_int id, u_int code,
- char *s, u_int len, Attrib *a)
+ const char *s, u_int len, Attrib *a)
{
Buffer msg;
@@ -422,7 +422,7 @@ sftp_proto_version(struct sftp_conn *con
}
int
-do_close(struct sftp_conn *conn, char *handle, u_int handle_len)
+do_close(struct sftp_conn *conn, const char *handle, u_int handle_len)
{
u_int id, status;
Buffer msg;
@@ -447,7 +447,7 @@ do_close(struct sftp_conn *conn, char *h
static int
-do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
+do_lsreaddir(struct sftp_conn *conn, const char *path, int printflag,
SFTP_DIRENT ***dir)
{
Buffer msg;
@@ -572,7 +572,7 @@ do_lsreaddir(struct sftp_conn *conn, cha
}
int
-do_readdir(struct sftp_conn *conn, char *path, SFTP_DIRENT ***dir)
+do_readdir(struct sftp_conn *conn, const char *path, SFTP_DIRENT ***dir)
{
return(do_lsreaddir(conn, path, 0, dir));
}
@@ -590,7 +590,7 @@ void free_sftp_dirents(SFTP_DIRENT **s)
}
int
-do_rm(struct sftp_conn *conn, char *path)
+do_rm(struct sftp_conn *conn, const char *path)
{
u_int status, id;
@@ -605,7 +605,7 @@ do_rm(struct sftp_conn *conn, char *path
}
int
-do_mkdir(struct sftp_conn *conn, char *path, Attrib *a, int printflag)
+do_mkdir(struct sftp_conn *conn, const char *path, Attrib *a, int printflag)
{
u_int status, id;
@@ -621,7 +621,7 @@ do_mkdir(struct sftp_conn *conn, char *p
}
int
-do_rmdir(struct sftp_conn *conn, char *path)
+do_rmdir(struct sftp_conn *conn, const char *path)
{
u_int status, id;
@@ -637,7 +637,7 @@ do_rmdir(struct sftp_conn *conn, char *p
}
Attrib *
-do_stat(struct sftp_conn *conn, char *path, int quiet)
+do_stat(struct sftp_conn *conn, const char *path, int quiet)
{
u_int id;
@@ -651,7 +651,7 @@ do_stat(struct sftp_conn *conn, char *pa
}
Attrib *
-do_lstat(struct sftp_conn *conn, char *path, int quiet)
+do_lstat(struct sftp_conn *conn, const char *path, int quiet)
{
u_int id;
@@ -685,7 +685,7 @@ do_fstat(struct sftp_conn *conn, char *h
#endif
int
-do_setstat(struct sftp_conn *conn, char *path, Attrib *a)
+do_setstat(struct sftp_conn *conn, const char *path, Attrib *a)
{
u_int status, id;
@@ -702,7 +702,7 @@ do_setstat(struct sftp_conn *conn, char
}
int
-do_fsetstat(struct sftp_conn *conn, char *handle, u_int handle_len,
+do_fsetstat(struct sftp_conn *conn, const char *handle, u_int handle_len,
Attrib *a)
{
u_int status, id;
@@ -719,7 +719,7 @@ do_fsetstat(struct sftp_conn *conn, char
}
char *
-do_realpath(struct sftp_conn *conn, char *path)
+do_realpath(struct sftp_conn *conn, const char *path)
{
Buffer msg;
u_int type, expected_id, count, id;
@@ -768,7 +768,7 @@ do_realpath(struct sftp_conn *conn, char
}
int
-do_rename(struct sftp_conn *conn, char *oldpath, char *newpath)
+do_rename(struct sftp_conn *conn, const char *oldpath, const char *newpath)
{
Buffer msg;
u_int status, id;
@@ -802,7 +802,7 @@ do_rename(struct sftp_conn *conn, char *
}
int
-do_hardlink(struct sftp_conn *conn, char *oldpath, char *newpath)
+do_hardlink(struct sftp_conn *conn, const char *oldpath, const char *newpath)
{
Buffer msg;
u_int status, id;
@@ -835,7 +835,7 @@ do_hardlink(struct sftp_conn *conn, char
}
int
-do_symlink(struct sftp_conn *conn, char *oldpath, char *newpath)
+do_symlink(struct sftp_conn *conn, const char *oldpath, const char *newpath)
{
Buffer msg;
u_int status, id;
@@ -987,7 +987,7 @@ send_read_request(struct sftp_conn *conn
}
int
-do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
+do_download(struct sftp_conn *conn, const char *remote_path, const char *local_path,
Attrib *a, int pflag, int resume)
{
Attrib junk;
@@ -1255,7 +1255,7 @@ do_download(struct sftp_conn *conn, char
}
static int
-download_dir_internal(struct sftp_conn *conn, char *src, char *dst,
+download_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,
Attrib *dirattrib, int pflag, int printflag, int depth, int resume)
{
int i, ret = 0;
@@ -1345,7 +1345,7 @@ download_dir_internal(struct sftp_conn *
}
int
-download_dir(struct sftp_conn *conn, char *src, char *dst,
+download_dir(struct sftp_conn *conn, const char *src, const char *dst,
Attrib *dirattrib, int pflag, int printflag, int resume)
{
char *src_canon;
@@ -1363,7 +1363,7 @@ download_dir(struct sftp_conn *conn, cha
}
int
-do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
+do_upload(struct sftp_conn *conn, const char *local_path, const char *remote_path,
int pflag)
{
int local_fd;
@@ -1548,7 +1548,7 @@ do_upload(struct sftp_conn *conn, char *
}
static int
-upload_dir_internal(struct sftp_conn *conn, char *src, char *dst,
+upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,
int pflag, int printflag, int depth)
{
int ret = 0, status;
@@ -1639,7 +1639,7 @@ upload_dir_internal(struct sftp_conn *co
}
int
-upload_dir(struct sftp_conn *conn, char *src, char *dst, int printflag,
+upload_dir(struct sftp_conn *conn, const char *src, const char *dst, int printflag,
int pflag)
{
char *dst_canon;
@@ -1656,7 +1656,7 @@ upload_dir(struct sftp_conn *conn, char
}
char *
-path_append(char *p1, char *p2)
+path_append(const char *p1, const char *p2)
{
char *ret;
size_t len = strlen(p1) + strlen(p2) + 2;
diff -up openssh-6.3p1/sftp-client.h.coverity openssh-6.3p1/sftp-client.h
--- openssh-6.3p1/sftp-client.h.coverity 2013-07-25 03:56:52.000000000 +0200
+++ openssh-6.3p1/sftp-client.h 2013-10-07 13:45:10.108080813 +0200
@@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in
u_int sftp_proto_version(struct sftp_conn *);
/* Close file referred to by 'handle' */
-int do_close(struct sftp_conn *, char *, u_int);
+int do_close(struct sftp_conn *, const char *, u_int);
/* Read contents of 'path' to NULL-terminated array 'dir' */
-int do_readdir(struct sftp_conn *, char *, SFTP_DIRENT ***);
+int do_readdir(struct sftp_conn *, const char *, SFTP_DIRENT ***);
/* Frees a NULL-terminated array of SFTP_DIRENTs (eg. from do_readdir) */
void free_sftp_dirents(SFTP_DIRENT **);
/* Delete file 'path' */
-int do_rm(struct sftp_conn *, char *);
+int do_rm(struct sftp_conn *, const char *);
/* Create directory 'path' */
-int do_mkdir(struct sftp_conn *, char *, Attrib *, int);
+int do_mkdir(struct sftp_conn *, const char *, Attrib *, int);
/* Remove directory 'path' */
-int do_rmdir(struct sftp_conn *, char *);
+int do_rmdir(struct sftp_conn *, const char *);
/* Get file attributes of 'path' (follows symlinks) */
-Attrib *do_stat(struct sftp_conn *, char *, int);
+Attrib *do_stat(struct sftp_conn *, const char *, int);
/* Get file attributes of 'path' (does not follow symlinks) */
-Attrib *do_lstat(struct sftp_conn *, char *, int);
+Attrib *do_lstat(struct sftp_conn *, const char *, int);
/* Set file attributes of 'path' */
-int do_setstat(struct sftp_conn *, char *, Attrib *);
+int do_setstat(struct sftp_conn *, const char *, Attrib *);
/* Set file attributes of open file 'handle' */
-int do_fsetstat(struct sftp_conn *, char *, u_int, Attrib *);
+int do_fsetstat(struct sftp_conn *, const char *, u_int, Attrib *);
/* Canonicalise 'path' - caller must free result */
-char *do_realpath(struct sftp_conn *, char *);
+char *do_realpath(struct sftp_conn *, const char *);
/* Get statistics for filesystem hosting file at "path" */
int do_statvfs(struct sftp_conn *, const char *, struct sftp_statvfs *, int);
/* Rename 'oldpath' to 'newpath' */
-int do_rename(struct sftp_conn *, char *, char *);
+int do_rename(struct sftp_conn *, const char *, const char *);
/* Link 'oldpath' to 'newpath' */
-int do_hardlink(struct sftp_conn *, char *, char *);
+int do_hardlink(struct sftp_conn *, const char *, const char *);
-/* Rename 'oldpath' to 'newpath' */
-int do_symlink(struct sftp_conn *, char *, char *);
+/* Symlink 'oldpath' to 'newpath' */
+int do_symlink(struct sftp_conn *, const char *, const char *);
/* XXX: add callbacks to do_download/do_upload so we can do progress meter */
@@ -106,27 +106,27 @@ int do_symlink(struct sftp_conn *, char
* Download 'remote_path' to 'local_path'. Preserve permissions and times
* if 'pflag' is set
*/
-int do_download(struct sftp_conn *, char *, char *, Attrib *, int, int);
+int do_download(struct sftp_conn *, const char *, const char *, Attrib *, int, int);
/*
* Recursively download 'remote_directory' to 'local_directory'. Preserve
* times if 'pflag' is set
*/
-int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int, int);
+int download_dir(struct sftp_conn *, const char *, const char *, Attrib *, int, int, int);
/*
* Upload 'local_path' to 'remote_path'. Preserve permissions and times
* if 'pflag' is set
*/
-int do_upload(struct sftp_conn *, char *, char *, int);
+int do_upload(struct sftp_conn *, const char *, const char *, int);
/*
* Recursively upload 'local_directory' to 'remote_directory'. Preserve
* times if 'pflag' is set
*/
-int upload_dir(struct sftp_conn *, char *, char *, int, int);
+int upload_dir(struct sftp_conn *, const char *, const char *, int, int);
/* Concatenate paths, taking care of slashes. Caller must free result. */
-char *path_append(char *, char *);
+char *path_append(const char *, const char *);
#endif
diff -up openssh-6.3p1/sftp.c.coverity openssh-6.3p1/sftp.c
--- openssh-6.3p1/sftp.c.coverity 2013-07-25 03:56:52.000000000 +0200
+++ openssh-6.3p1/sftp.c 2013-10-07 13:49:47.322727449 +0200
@@ -213,7 +213,7 @@ killchild(int signo)
{
if (sshpid > 1) {
kill(sshpid, SIGTERM);
- waitpid(sshpid, NULL, 0);
+ (void) waitpid(sshpid, NULL, 0);
}
_exit(1);
@@ -324,7 +324,7 @@ local_do_ls(const char *args)
/* Strip one path (usually the pwd) from the start of another */
static char *
-path_strip(char *path, char *strip)
+path_strip(const char *path, const char *strip)
{
size_t len;
@@ -342,7 +342,7 @@ path_strip(char *path, char *strip)
}
static char *
-make_absolute(char *p, char *pwd)
+make_absolute(char *p, const char *pwd)
{
char *abs_str;
@@ -493,7 +493,7 @@ parse_df_flags(const char *cmd, char **a
}
static int
-is_dir(char *path)
+is_dir(const char *path)
{
struct stat sb;
@@ -505,7 +505,7 @@ is_dir(char *path)
}
static int
-remote_is_dir(struct sftp_conn *conn, char *path)
+remote_is_dir(struct sftp_conn *conn, const char *path)
{
Attrib *a;
@@ -519,7 +519,7 @@ remote_is_dir(struct sftp_conn *conn, ch
/* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
static int
-pathname_is_dir(char *pathname)
+pathname_is_dir(const char *pathname)
{
size_t l = strlen(pathname);
@@ -527,7 +527,7 @@ pathname_is_dir(char *pathname)
}
static int
-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
int pflag, int rflag, int resume)
{
char *abs_src = NULL;
@@ -605,7 +605,7 @@ out:
}
static int
-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
+process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
int pflag, int rflag)
{
char *tmp_dst = NULL;
@@ -709,7 +709,7 @@ sdirent_comp(const void *aa, const void
/* sftp ls.1 replacement for directories */
static int
-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
+do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
{
int n;
u_int c = 1, colspace = 0, columns = 1;
@@ -794,7 +794,7 @@ do_ls_dir(struct sftp_conn *conn, char *
/* sftp ls.1 replacement which handles path globs */
static int
-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
+do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
int lflag)
{
char *fname, *lname;
@@ -875,7 +875,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
}
static int
-do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
+do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
{
struct sftp_statvfs st;
char s_used[FMT_SCALED_STRSIZE];
diff -up openssh-6.3p1/ssh-agent.c.coverity openssh-6.3p1/ssh-agent.c
--- openssh-6.3p1/ssh-agent.c.coverity 2013-07-20 05:22:49.000000000 +0200
+++ openssh-6.3p1/ssh-agent.c 2013-10-07 13:20:36.296298024 +0200
@@ -1143,8 +1143,8 @@ main(int ac, char **av)
sanitise_stdfd();
/* drop */
- setegid(getgid());
- setgid(getgid());
+ (void) setegid(getgid());
+ (void) setgid(getgid());
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* Disable ptrace on Linux without sgid bit */
diff -up openssh-6.3p1/sshd.c.coverity openssh-6.3p1/sshd.c
--- openssh-6.3p1/sshd.c.coverity 2013-07-20 05:21:53.000000000 +0200
+++ openssh-6.3p1/sshd.c 2013-10-07 13:20:36.296298024 +0200
@@ -699,8 +699,10 @@ privsep_preauth(Authctxt *authctxt)
if (getuid() == 0 || geteuid() == 0)
privsep_preauth_child();
setproctitle("%s", "[net]");
- if (box != NULL)
+ if (box != NULL) {
ssh_sandbox_child(box);
+ free(box);
+ }
return 0;
}
@@ -1345,6 +1347,9 @@ server_accept_loop(int *sock_in, int *so
if (num_listen_socks < 0)
break;
}
+
+ if (fdset != NULL)
+ free(fdset);
}

View file

@ -1,406 +0,0 @@
diff -up openssh-6.3p1/auth-rsa.c.fingerprint openssh-6.3p1/auth-rsa.c
diff -up openssh-6.3p1/auth.c.fingerprint openssh-6.3p1/auth.c
--- openssh-6.3p1/auth.c.fingerprint 2013-10-07 14:02:36.998968153 +0200
+++ openssh-6.3p1/auth.c 2013-10-07 15:42:05.243812405 +0200
@@ -685,9 +685,10 @@ auth_key_is_revoked(Key *key)
case 1:
revoked:
/* Key revoked */
- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
error("WARNING: authentication attempt with a revoked "
- "%s key %s ", key_type(key), key_fp);
+ "%s key %s%s ", key_type(key),
+ key_fingerprint_prefix(), key_fp);
free(key_fp);
return 1;
}
diff -up openssh-6.3p1/auth2-hostbased.c.fingerprint openssh-6.3p1/auth2-hostbased.c
--- openssh-6.3p1/auth2-hostbased.c.fingerprint 2013-10-07 14:02:36.998968153 +0200
+++ openssh-6.3p1/auth2-hostbased.c 2013-10-07 15:43:49.747355927 +0200
@@ -200,16 +200,18 @@ hostbased_key_allowed(struct passwd *pw,
if (host_status == HOST_OK) {
if (key_is_cert(key)) {
- fp = key_fingerprint(key->cert->signature_key,
- SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_selected_fingerprint(key->cert->signature_key,
+ SSH_FP_HEX);
verbose("Accepted certificate ID \"%s\" signed by "
- "%s CA %s from %s@%s", key->cert->key_id,
- key_type(key->cert->signature_key), fp,
+ "%s CA %s%s from %s@%s", key->cert->key_id,
+ key_type(key->cert->signature_key),
+ key_fingerprint_prefix(), fp,
cuser, lookup);
} else {
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
- verbose("Accepted %s public key %s from %s@%s",
- key_type(key), fp, cuser, lookup);
+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
+ verbose("Accepted %s public key %s%s from %s@%s",
+ key_type(key), key_fingerprint_prefix(),
+ fp, cuser, lookup);
}
free(fp);
}
diff -up openssh-6.3p1/auth2-pubkey.c.fingerprint openssh-6.3p1/auth2-pubkey.c
--- openssh-6.3p1/auth2-pubkey.c.fingerprint 2013-07-18 08:10:10.000000000 +0200
+++ openssh-6.3p1/auth2-pubkey.c 2013-10-07 15:50:44.617495624 +0200
@@ -359,10 +359,10 @@ check_authkeys_file(FILE *f, char *file,
continue;
if (!key_is_cert_authority)
continue;
- fp = key_fingerprint(found, SSH_FP_MD5,
- SSH_FP_HEX);
- debug("matching CA found: file %s, line %lu, %s %s",
- file, linenum, key_type(found), fp);
+ fp = key_selected_fingerprint(found, SSH_FP_HEX);
+ debug("matching CA found: file %s, line %lu, %s %s%s",
+ file, linenum, key_type(found),
+ key_fingerprint_prefix(), fp);
/*
* If the user has specified a list of principals as
* a key option, then prefer that list to matching
@@ -400,9 +400,9 @@ check_authkeys_file(FILE *f, char *file,
if (key_is_cert_authority)
continue;
found_key = 1;
- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
- debug("matching key found: file %s, line %lu %s %s",
- file, linenum, key_type(found), fp);
+ fp = key_selected_fingerprint(found, SSH_FP_HEX);
+ verbose("Found matching %s key: %s%s",
+ key_type(found), key_fingerprint_prefix(), fp);
free(fp);
break;
}
@@ -425,13 +425,13 @@ user_cert_trusted_ca(struct passwd *pw,
if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
return 0;
- ca_fp = key_fingerprint(key->cert->signature_key,
- SSH_FP_MD5, SSH_FP_HEX);
+ ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
if (key_in_file(key->cert->signature_key,
options.trusted_user_ca_keys, 1) != 1) {
- debug2("%s: CA %s %s is not listed in %s", __func__,
- key_type(key->cert->signature_key), ca_fp,
+ debug2("%s: CA %s%s %s is not listed in %s", __func__,
+ key_type(key->cert->signature_key),
+ key_fingerprint_prefix(), ca_fp,
options.trusted_user_ca_keys);
goto out;
}
diff -up openssh-6.3p1/key.c.fingerprint openssh-6.3p1/key.c
--- openssh-6.3p1/key.c.fingerprint 2013-10-07 14:02:36.971968285 +0200
+++ openssh-6.3p1/key.c 2013-10-07 14:02:36.999968148 +0200
@@ -598,6 +598,34 @@ key_fingerprint(const Key *k, enum fp_ty
return retval;
}
+enum fp_type
+key_fingerprint_selection(void)
+{
+ static enum fp_type rv;
+ static char rv_defined = 0;
+ char *env;
+
+ if (!rv_defined) {
+ env = getenv("SSH_FINGERPRINT_TYPE");
+ rv = (env && !strcmp (env, "sha")) ?
+ SSH_FP_SHA1 : SSH_FP_MD5;
+ rv_defined = 1;
+ }
+ return rv;
+}
+
+char *
+key_selected_fingerprint(Key *k, enum fp_rep dgst_rep)
+{
+ return key_fingerprint(k, key_fingerprint_selection(), dgst_rep);
+}
+
+char *
+key_fingerprint_prefix(void)
+{
+ return key_fingerprint_selection() == SSH_FP_SHA1 ? "sha1:" : "";
+}
+
/*
* Reads a multiple-precision integer in decimal from the buffer, and advances
* the pointer. The integer must already be initialized. This function is
diff -up openssh-6.3p1/key.h.fingerprint openssh-6.3p1/key.h
--- openssh-6.3p1/key.h.fingerprint 2013-10-07 14:02:36.999968148 +0200
+++ openssh-6.3p1/key.h 2013-10-07 15:44:17.574233450 +0200
@@ -97,6 +97,9 @@ int key_equal_public(const Key *, cons
int key_equal(const Key *, const Key *);
char *key_fingerprint(const Key *, enum fp_type, enum fp_rep);
u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
+enum fp_type key_fingerprint_selection(void);
+char *key_selected_fingerprint(Key *, enum fp_rep);
+char *key_fingerprint_prefix(void);
const char *key_type(const Key *);
const char *key_cert_type(const Key *);
int key_write(const Key *, FILE *);
diff -up openssh-6.3p1/ssh-add.c.fingerprint openssh-6.3p1/ssh-add.c
--- openssh-6.3p1/ssh-add.c.fingerprint 2013-10-07 14:02:37.000968143 +0200
+++ openssh-6.3p1/ssh-add.c 2013-10-07 14:44:57.466515766 +0200
@@ -326,10 +326,10 @@ list_identities(AuthenticationConnection
key = ssh_get_next_identity(ac, &comment, version)) {
had_identities = 1;
if (do_fp) {
- fp = key_fingerprint(key, SSH_FP_MD5,
- SSH_FP_HEX);
- printf("%d %s %s (%s)\n",
- key_size(key), fp, comment, key_type(key));
+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
+ printf("%d %s%s %s (%s)\n",
+ key_size(key), key_fingerprint_prefix(),
+ fp, comment, key_type(key));
free(fp);
} else {
if (!key_write(key, stdout))
diff -up openssh-6.3p1/ssh-agent.c.fingerprint openssh-6.3p1/ssh-agent.c
--- openssh-6.3p1/ssh-agent.c.fingerprint 2013-10-07 14:02:37.000968143 +0200
+++ openssh-6.3p1/ssh-agent.c 2013-10-07 15:41:11.627044336 +0200
@@ -198,9 +198,9 @@ confirm_key(Identity *id)
char *p;
int ret = -1;
- p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
- if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
- id->comment, p))
+ p = key_selected_fingerprint(id->key, SSH_FP_HEX);
+ if (ask_permission("Allow use of key %s?\nKey fingerprint %s%s.",
+ id->comment, key_fingerprint_prefix(), p))
ret = 0;
free(p);
diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c
--- openssh-6.3p1/ssh-keygen.c.fingerprint 2013-07-20 05:22:32.000000000 +0200
+++ openssh-6.3p1/ssh-keygen.c 2013-10-07 14:25:52.864145038 +0200
@@ -767,13 +767,14 @@ do_fingerprint(struct passwd *pw)
{
FILE *f;
Key *public;
- char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;
+ char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra, *pfx;
int i, skip = 0, num = 0, invalid = 1;
enum fp_rep rep;
enum fp_type fptype;
struct stat st;
- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
+ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
+ pfx = print_bubblebabble ? "" : key_fingerprint_prefix();
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
if (!have_identity)
@@ -785,8 +786,8 @@ do_fingerprint(struct passwd *pw)
public = key_load_public(identity_file, &comment);
if (public != NULL) {
fp = key_fingerprint(public, fptype, rep);
- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
- printf("%u %s %s (%s)\n", key_size(public), fp, comment,
+ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
+ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, comment,
key_type(public));
if (log_level >= SYSLOG_LEVEL_VERBOSE)
printf("%s\n", ra);
@@ -851,8 +852,8 @@ do_fingerprint(struct passwd *pw)
}
comment = *cp ? cp : comment;
fp = key_fingerprint(public, fptype, rep);
- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
- printf("%u %s %s (%s)\n", key_size(public), fp,
+ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
+ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp,
comment ? comment : "no comment", key_type(public));
if (log_level >= SYSLOG_LEVEL_VERBOSE)
printf("%s\n", ra);
@@ -970,13 +971,15 @@ printhost(FILE *f, const char *name, Key
if (print_fingerprint) {
enum fp_rep rep;
enum fp_type fptype;
- char *fp, *ra;
+ char *fp, *ra, *pfx;
- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
+ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
+ pfx = print_bubblebabble ? "" : key_fingerprint_prefix();
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
+
fp = key_fingerprint(public, fptype, rep);
- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
- printf("%u %s %s (%s)\n", key_size(public), fp, name,
+ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
+ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, name,
key_type(public));
if (log_level >= SYSLOG_LEVEL_VERBOSE)
printf("%s\n", ra);
@@ -1855,16 +1858,17 @@ do_show_cert(struct passwd *pw)
fatal("%s is not a certificate", identity_file);
v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
- ca_fp = key_fingerprint(key->cert->signature_key,
- SSH_FP_MD5, SSH_FP_HEX);
+ key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
+ ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
printf("%s:\n", identity_file);
printf(" Type: %s %s certificate\n", key_ssh_name(key),
key_cert_type(key));
- printf(" Public key: %s %s\n", key_type(key), key_fp);
- printf(" Signing CA: %s %s\n",
- key_type(key->cert->signature_key), ca_fp);
+ printf(" Public key: %s %s%s\n", key_type(key),
+ key_fingerprint_prefix(), key_fp);
+ printf(" Signing CA: %s %s%s\n",
+ key_type(key->cert->signature_key),
+ key_fingerprint_prefix(), ca_fp);
printf(" Key ID: \"%s\"\n", key->cert->key_id);
if (!v00) {
printf(" Serial: %llu\n",
@@ -2655,13 +2659,12 @@ passphrase_again:
fclose(f);
if (!quiet) {
- char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
- char *ra = key_fingerprint(public, SSH_FP_MD5,
- SSH_FP_RANDOMART);
+ char *fp = key_selected_fingerprint(public, SSH_FP_HEX);
+ char *ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
printf("Your public key has been saved in %s.\n",
identity_file);
printf("The key fingerprint is:\n");
- printf("%s %s\n", fp, comment);
+ printf("%s%s %s\n", key_fingerprint_prefix(), fp, comment);
printf("The key's randomart image is:\n");
printf("%s\n", ra);
free(ra);
diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c
--- openssh-6.3p1/sshconnect.c.fingerprint 2013-06-01 23:31:19.000000000 +0200
+++ openssh-6.3p1/sshconnect.c 2013-10-07 14:43:54.859822036 +0200
@@ -830,10 +830,10 @@ check_host_key(char *hostname, struct so
"key for IP address '%.128s' to the list "
"of known hosts.", type, ip);
} else if (options.visual_host_key) {
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- ra = key_fingerprint(host_key, SSH_FP_MD5,
- SSH_FP_RANDOMART);
- logit("Host key fingerprint is %s\n%s\n", fp, ra);
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
+ logit("Host key fingerprint is %s%s\n%s\n",
+ key_fingerprint_prefix(), fp, ra);
free(ra);
free(fp);
}
@@ -871,9 +871,8 @@ check_host_key(char *hostname, struct so
else
snprintf(msg1, sizeof(msg1), ".");
/* The default */
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- ra = key_fingerprint(host_key, SSH_FP_MD5,
- SSH_FP_RANDOMART);
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
msg2[0] = '\0';
if (options.verify_host_key_dns) {
if (matching_host_key_dns)
@@ -888,10 +887,11 @@ check_host_key(char *hostname, struct so
snprintf(msg, sizeof(msg),
"The authenticity of host '%.200s (%s)' can't be "
"established%s\n"
- "%s key fingerprint is %s.%s%s\n%s"
+ "%s key fingerprint is %s%s.%s%s\n%s"
"Are you sure you want to continue connecting "
"(yes/no)? ",
- host, ip, msg1, type, fp,
+ host, ip, msg1, type,
+ key_fingerprint_prefix(), fp,
options.visual_host_key ? "\n" : "",
options.visual_host_key ? ra : "",
msg2);
@@ -1136,8 +1136,9 @@ verify_host_key(char *host, struct socka
int flags = 0;
char *fp;
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- debug("Server host key: %s %s", key_type(host_key), fp);
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+ debug("Server host key: %s %s%s", key_type(host_key),
+ key_fingerprint_prefix(), fp);
free(fp);
/* XXX certs are not yet supported for DNS */
@@ -1238,14 +1239,15 @@ show_other_keys(struct hostkeys *hostkey
continue;
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
continue;
- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
+ fp = key_selected_fingerprint(found->key, SSH_FP_HEX);
+ ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART);
logit("WARNING: %s key found for host %s\n"
"in %s:%lu\n"
- "%s key fingerprint %s.",
+ "%s key fingerprint %s%s.",
key_type(found->key),
found->host, found->file, found->line,
- key_type(found->key), fp);
+ key_type(found->key),
+ key_fingerprint_prefix(), fp);
if (options.visual_host_key)
logit("%s", ra);
free(ra);
@@ -1260,7 +1262,7 @@ warn_changed_key(Key *host_key)
{
char *fp;
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
@@ -1268,8 +1270,8 @@ warn_changed_key(Key *host_key)
error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
error("It is also possible that a host key has just been changed.");
- error("The fingerprint for the %s key sent by the remote host is\n%s.",
- key_type(host_key), fp);
+ error("The fingerprint for the %s key sent by the remote host is\n%s%s.",
+ key_type(host_key),key_fingerprint_prefix(), fp);
error("Please contact your system administrator.");
free(fp);
diff -up openssh-6.3p1/sshconnect2.c.fingerprint openssh-6.3p1/sshconnect2.c
--- openssh-6.3p1/sshconnect2.c.fingerprint 2013-10-07 14:02:37.001968139 +0200
+++ openssh-6.3p1/sshconnect2.c 2013-10-07 15:20:09.403234714 +0200
@@ -590,8 +590,9 @@ input_userauth_pk_ok(int type, u_int32_t
key->type, pktype);
goto done;
}
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
- debug2("input_userauth_pk_ok: fp %s", fp);
+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
+ debug2("input_userauth_pk_ok: fp %s%s",
+ key_fingerprint_prefix(), fp);
free(fp);
/*
@@ -1202,8 +1203,9 @@ sign_and_send_pubkey(Authctxt *authctxt,
int have_sig = 1;
char *fp;
- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
- debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
+ fp = key_selected_fingerprint(id->key, SSH_FP_HEX);
+ debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key),
+ key_fingerprint_prefix(), fp);
free(fp);
if (key_to_blob(id->key, &blob, &bloblen) == 0) {

View file

@ -1,607 +0,0 @@
diff -up openssh-6.3p1/Makefile.in.fips openssh-6.3p1/Makefile.in
--- openssh-6.3p1/Makefile.in.fips 2013-10-11 22:24:32.850031186 +0200
+++ openssh-6.3p1/Makefile.in 2013-10-11 22:24:32.870031092 +0200
@@ -147,25 +147,25 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -177,7 +177,7 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh
$(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-6.3p1/auth-rsa.c.fips openssh-6.3p1/auth-rsa.c
--- openssh-6.3p1/auth-rsa.c.fips 2013-10-24 15:43:46.019999906 +0200
+++ openssh-6.3p1/auth-rsa.c 2013-10-24 15:44:09.262890686 +0200
@@ -240,7 +240,7 @@ rsa_key_allowed_in_file(struct passwd *p
"actual %d vs. announced %d.",
file, linenum, BN_num_bits(key->rsa->n), bits);
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
debug("matching key found: file %s, line %lu %s %s",
file, linenum, key_type(key), fp);
free(fp);
diff -up openssh-6.3p1/auth2-pubkey.c.fips openssh-6.3p1/auth2-pubkey.c
--- openssh-6.3p1/auth2-pubkey.c.fips 2013-10-24 15:39:05.008319990 +0200
+++ openssh-6.3p1/auth2-pubkey.c 2013-10-24 15:39:05.029319892 +0200
@@ -209,7 +209,7 @@ pubkey_auth_info(Authctxt *authctxt, con
if (key_is_cert(key)) {
fp = key_fingerprint(key->cert->signature_key,
- SSH_FP_MD5, SSH_FP_HEX);
+ FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
key_type(key), key->cert->key_id,
(unsigned long long)key->cert->serial,
@@ -217,7 +217,7 @@ pubkey_auth_info(Authctxt *authctxt, con
extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
free(fp);
} else {
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
auth_info(authctxt, "%s %s%s%s", key_type(key), fp,
extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
free(fp);
diff -up openssh-6.3p1/authfile.c.fips openssh-6.3p1/authfile.c
--- openssh-6.3p1/authfile.c.fips 2013-10-11 22:24:32.857031153 +0200
+++ openssh-6.3p1/authfile.c 2013-10-11 22:24:32.870031092 +0200
@@ -148,8 +148,14 @@ key_private_rsa1_to_blob(Key *key, Buffe
/* Allocate space for the private part of the key in the buffer. */
cp = buffer_append_space(&encrypted, buffer_len(&buffer));
- cipher_set_key_string(&ciphercontext, cipher, passphrase,
- CIPHER_ENCRYPT);
+ if (cipher_set_key_string(&ciphercontext, cipher, passphrase,
+ CIPHER_ENCRYPT) < 0) {
+ error("cipher_set_key_string failed.");
+ buffer_free(&encrypted);
+ buffer_free(&buffer);
+ return 0;
+ }
+
cipher_crypt(&ciphercontext, cp,
buffer_ptr(&buffer), buffer_len(&buffer), 0, 0);
cipher_cleanup(&ciphercontext);
@@ -472,8 +478,13 @@ key_parse_private_rsa1(Buffer *blob, con
cp = buffer_append_space(&decrypted, buffer_len(&copy));
/* Rest of the buffer is encrypted. Decrypt it using the passphrase. */
- cipher_set_key_string(&ciphercontext, cipher, passphrase,
- CIPHER_DECRYPT);
+ if (cipher_set_key_string(&ciphercontext, cipher, passphrase,
+ CIPHER_DECRYPT) < 0) {
+ error("cipher_set_key_string failed.");
+ buffer_free(&decrypted);
+ goto fail;
+ }
+
cipher_crypt(&ciphercontext, cp,
buffer_ptr(&copy), buffer_len(&copy), 0, 0);
cipher_cleanup(&ciphercontext);
diff -up openssh-6.3p1/cipher-ctr.c.fips openssh-6.3p1/cipher-ctr.c
--- openssh-6.3p1/cipher-ctr.c.fips 2013-06-02 00:07:32.000000000 +0200
+++ openssh-6.3p1/cipher-ctr.c 2013-10-11 22:24:32.870031092 +0200
@@ -138,7 +138,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
+ EVP_CIPH_FLAG_FIPS;
#endif
return (&aes_ctr);
}
diff -up openssh-6.3p1/cipher.c.fips openssh-6.3p1/cipher.c
--- openssh-6.3p1/cipher.c.fips 2013-10-11 22:24:32.820031327 +0200
+++ openssh-6.3p1/cipher.c 2013-10-11 22:24:32.871031087 +0200
@@ -40,6 +40,7 @@
#include <sys/types.h>
#include <openssl/md5.h>
+#include <openssl/fips.h>
#include <string.h>
#include <stdarg.h>
@@ -86,6 +87,27 @@ static const struct Cipher ciphers[] = {
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
};
+static const struct Cipher fips_ciphers[] = {
+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
+ { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
+ { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
+ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
+ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+ { "rijndael-cbc@lysator.liu.se",
+ SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
+#ifdef OPENSSL_HAVE_EVPGCM
+ { "aes128-gcm@openssh.com",
+ SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
+ { "aes256-gcm@openssh.com",
+ SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
+#endif
+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
+};
/*--*/
/* Returns a comma-separated list of supported ciphers. */
@@ -96,7 +118,7 @@ cipher_alg_list(void)
size_t nlen, rlen = 0;
const Cipher *c;
- for (c = ciphers; c->name != NULL; c++) {
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) {
if (c->number != SSH_CIPHER_SSH2)
continue;
if (ret != NULL)
@@ -161,7 +183,7 @@ const Cipher *
cipher_by_name(const char *name)
{
const Cipher *c;
- for (c = ciphers; c->name != NULL; c++)
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
if (strcmp(c->name, name) == 0)
return c;
return NULL;
@@ -171,7 +193,7 @@ const Cipher *
cipher_by_number(int id)
{
const Cipher *c;
- for (c = ciphers; c->name != NULL; c++)
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
if (c->number == id)
return c;
return NULL;
@@ -215,7 +237,7 @@ cipher_number(const char *name)
const Cipher *c;
if (name == NULL)
return -1;
- for (c = ciphers; c->name != NULL; c++)
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
if (strcasecmp(c->name, name) == 0)
return c->number;
return -1;
@@ -374,14 +396,15 @@ cipher_cleanup(CipherContext *cc)
* passphrase and using the resulting 16 bytes as the key.
*/
-void
+int
cipher_set_key_string(CipherContext *cc, const Cipher *cipher,
const char *passphrase, int do_encrypt)
{
MD5_CTX md;
u_char digest[16];
- MD5_Init(&md);
+ if (MD5_Init(&md) <= 0)
+ return -1;
MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase));
MD5_Final(digest, &md);
@@ -389,6 +412,7 @@ cipher_set_key_string(CipherContext *cc,
memset(digest, 0, sizeof(digest));
memset(&md, 0, sizeof(md));
+ return 0;
}
/*
diff -up openssh-6.3p1/cipher.h.fips openssh-6.3p1/cipher.h
--- openssh-6.3p1/cipher.h.fips 2013-10-11 22:24:32.820031327 +0200
+++ openssh-6.3p1/cipher.h 2013-10-11 22:24:32.871031087 +0200
@@ -92,7 +92,7 @@ void cipher_init(CipherContext *, const
void cipher_crypt(CipherContext *, u_char *, const u_char *,
u_int, u_int, u_int);
void cipher_cleanup(CipherContext *);
-void cipher_set_key_string(CipherContext *, const Cipher *, const char *, int);
+int cipher_set_key_string(CipherContext *, const Cipher *, const char *, int);
u_int cipher_blocksize(const Cipher *);
u_int cipher_keylen(const Cipher *);
u_int cipher_authlen(const Cipher *);
diff -up openssh-6.3p1/key.c.fips openssh-6.3p1/key.c
--- openssh-6.3p1/key.c.fips 2013-10-11 22:24:32.821031322 +0200
+++ openssh-6.3p1/key.c 2013-10-11 22:24:32.871031087 +0200
@@ -40,6 +40,7 @@
#include <sys/types.h>
#include <openssl/evp.h>
+#include <openssl/fips.h>
#include <openbsd-compat/openssl-compat.h>
#include <stdarg.h>
@@ -606,9 +607,13 @@ key_fingerprint_selection(void)
char *env;
if (!rv_defined) {
- env = getenv("SSH_FINGERPRINT_TYPE");
- rv = (env && !strcmp (env, "sha")) ?
- SSH_FP_SHA1 : SSH_FP_MD5;
+ if (FIPS_mode())
+ rv = SSH_FP_SHA1;
+ else {
+ env = getenv("SSH_FINGERPRINT_TYPE");
+ rv = (env && !strcmp (env, "sha")) ?
+ SSH_FP_SHA1 : SSH_FP_MD5;
+ }
rv_defined = 1;
}
return rv;
diff -up openssh-6.3p1/mac.c.fips openssh-6.3p1/mac.c
--- openssh-6.3p1/mac.c.fips 2013-10-11 22:24:32.821031322 +0200
+++ openssh-6.3p1/mac.c 2013-10-11 22:25:35.394737186 +0200
@@ -28,6 +28,7 @@
#include <sys/types.h>
#include <openssl/hmac.h>
+#include <openssl/fips.h>
#include <stdarg.h>
#include <string.h>
@@ -60,7 +61,7 @@ struct macalg {
int etm; /* Encrypt-then-MAC */
};
-static const struct macalg macs[] = {
+static const struct macalg all_macs[] = {
/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
{ "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
{ "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 },
@@ -91,6 +92,18 @@ static const struct macalg macs[] = {
{ NULL, 0, NULL, 0, 0, 0, 0 }
};
+static const struct macalg fips_macs[] = {
+ { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
+ { "hmac-sha1-etm@openssh.com", SSH_EVP, EVP_sha1, 0, 0, 0, 1 },
+#ifdef HAVE_EVP_SHA256
+ { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, 0, 0, 0 },
+ { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, 0, 0, 0 },
+ { "hmac-sha2-256-etm@openssh.com", SSH_EVP, EVP_sha256, 0, 0, 0, 1 },
+ { "hmac-sha2-512-etm@openssh.com", SSH_EVP, EVP_sha512, 0, 0, 0, 1 },
+#endif
+ { NULL, 0, NULL, 0, 0, 0, 0 }
+};
+
/* Returns a comma-separated list of supported MACs. */
char *
mac_alg_list(void)
@@ -99,7 +112,7 @@ mac_alg_list(void)
size_t nlen, rlen = 0;
const struct macalg *m;
- for (m = macs; m->name != NULL; m++) {
+ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
if (ret != NULL)
ret[rlen++] = '\n';
nlen = strlen(m->name);
@@ -136,7 +149,7 @@ mac_setup(Mac *mac, char *name)
{
const struct macalg *m;
- for (m = macs; m->name != NULL; m++) {
+ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
if (strcmp(name, m->name) != 0)
continue;
if (mac != NULL)
diff -up openssh-6.3p1/myproposal.h.fips openssh-6.3p1/myproposal.h
--- openssh-6.3p1/myproposal.h.fips 2013-06-11 04:10:02.000000000 +0200
+++ openssh-6.3p1/myproposal.h 2013-10-11 22:24:32.872031082 +0200
@@ -114,6 +114,19 @@
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
#define KEX_DEFAULT_LANG ""
+#define KEX_FIPS_ENCRYPT \
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
+ "aes128-cbc,3des-cbc," \
+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se"
+#ifdef HAVE_EVP_SHA256
+#define KEX_FIPS_MAC \
+ "hmac-sha1," \
+ "hmac-sha2-256," \
+ "hmac-sha2-512"
+#else
+#define KEX_FIPS_MAC \
+ "hmac-sha1"
+#endif
static char *myproposal[PROPOSAL_MAX] = {
KEX_DEFAULT_KEX,
diff -up openssh-6.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-6.3p1/openbsd-compat/bsd-arc4random.c
--- openssh-6.3p1/openbsd-compat/bsd-arc4random.c.fips 2010-03-25 22:52:02.000000000 +0100
+++ openssh-6.3p1/openbsd-compat/bsd-arc4random.c 2013-10-11 22:24:32.872031082 +0200
@@ -37,25 +37,18 @@
#define REKEY_BYTES (1 << 24)
static int rc4_ready = 0;
-static RC4_KEY rc4;
unsigned int
arc4random(void)
{
unsigned int r = 0;
- static int first_time = 1;
+ void *rp = &r;
- if (rc4_ready <= 0) {
- if (first_time)
- seed_rng();
- first_time = 0;
+ if (!rc4_ready) {
arc4random_stir();
}
+ RAND_bytes(rp, sizeof(r));
- RC4(&rc4, sizeof(r), (unsigned char *)&r, (unsigned char *)&r);
-
- rc4_ready -= sizeof(r);
-
return(r);
}
@@ -63,24 +56,11 @@ void
arc4random_stir(void)
{
unsigned char rand_buf[SEED_SIZE];
- int i;
- memset(&rc4, 0, sizeof(rc4));
if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0)
fatal("Couldn't obtain random bytes (error %ld)",
ERR_get_error());
- RC4_set_key(&rc4, sizeof(rand_buf), rand_buf);
-
- /*
- * Discard early keystream, as per recommendations in:
- * http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
- */
- for(i = 0; i <= 256; i += sizeof(rand_buf))
- RC4(&rc4, sizeof(rand_buf), rand_buf, rand_buf);
-
- memset(rand_buf, 0, sizeof(rand_buf));
-
- rc4_ready = REKEY_BYTES;
+ rc4_ready = 1;
}
#endif /* !HAVE_ARC4RANDOM */
diff -up openssh-6.3p1/ssh-keygen.c.fips openssh-6.3p1/ssh-keygen.c
--- openssh-6.3p1/ssh-keygen.c.fips 2013-10-24 15:45:06.055623916 +0200
+++ openssh-6.3p1/ssh-keygen.c 2013-10-24 15:45:36.906478986 +0200
@@ -730,7 +730,7 @@ do_download(struct passwd *pw)
enum fp_type fptype;
char *fp, *ra;
- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
+ fptype = print_bubblebabble ? SSH_FP_SHA1 : (FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5);
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
pkcs11_init(0);
@@ -740,7 +740,7 @@ do_download(struct passwd *pw)
for (i = 0; i < nkeys; i++) {
if (print_fingerprint) {
fp = key_fingerprint(keys[i], fptype, rep);
- ra = key_fingerprint(keys[i], SSH_FP_MD5,
+ ra = key_fingerprint(keys[i], FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
SSH_FP_RANDOMART);
printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]),
fp, key_type(keys[i]));
diff -up openssh-6.3p1/ssh.c.fips openssh-6.3p1/ssh.c
--- openssh-6.3p1/ssh.c.fips 2013-07-25 03:55:53.000000000 +0200
+++ openssh-6.3p1/ssh.c 2013-10-11 22:24:32.872031082 +0200
@@ -73,6 +73,8 @@
#include <openssl/evp.h>
#include <openssl/err.h>
+#include <openssl/fips.h>
+#include <fipscheck.h>
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"
@@ -253,6 +255,13 @@ main(int ac, char **av)
sanitise_stdfd();
__progname = ssh_get_progname(av[0]);
+ SSLeay_add_all_algorithms();
+ if (access("/etc/system-fips", F_OK) == 0)
+ if (! FIPSCHECK_verify(NULL, NULL))
+ if (FIPS_mode())
+ fatal("FIPS integrity verification test failed.");
+ else
+ logit("FIPS integrity verification test failed.");
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
@@ -330,6 +339,9 @@ main(int ac, char **av)
"ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) {
case '1':
+ if (FIPS_mode()) {
+ fatal("Protocol 1 not allowed in the FIPS mode.");
+ }
options.protocol = SSH_PROTO_1;
break;
case '2':
@@ -647,7 +659,6 @@ main(int ac, char **av)
if (!host)
usage();
- OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
/* Initialize the command to execute on remote host. */
@@ -748,6 +759,10 @@ main(int ac, char **av)
seed_rng();
+ if (FIPS_mode()) {
+ logit("FIPS mode initialized");
+ }
+
if (options.user == NULL)
options.user = xstrdup(pw->pw_name);
@@ -816,6 +831,12 @@ main(int ac, char **av)
timeout_ms = options.connection_timeout * 1000;
+ if (FIPS_mode()) {
+ options.protocol &= SSH_PROTO_2;
+ if (options.protocol == 0)
+ fatal("Protocol 2 disabled by configuration but required in the FIPS mode.");
+ }
+
/* Open a connection to the remote host. */
if (ssh_connect(host, &hostaddr, options.port,
options.address_family, options.connection_attempts, &timeout_ms,
diff -up openssh-6.3p1/sshconnect2.c.fips openssh-6.3p1/sshconnect2.c
--- openssh-6.3p1/sshconnect2.c.fips 2013-10-11 22:24:32.810031374 +0200
+++ openssh-6.3p1/sshconnect2.c 2013-10-11 22:24:32.873031077 +0200
@@ -44,6 +44,8 @@
#include <vis.h>
#endif
+#include <openssl/fips.h>
+
#include "openbsd-compat/sys-queue.h"
#include "xmalloc.h"
@@ -170,6 +172,10 @@ ssh_kex2(char *host, struct sockaddr *ho
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
+ } else if (FIPS_mode()) {
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT;
+
}
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -185,7 +191,11 @@ ssh_kex2(char *host, struct sockaddr *ho
if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
+ } else if (FIPS_mode()) {
+ myproposal[PROPOSAL_MAC_ALGS_CTOS] =
+ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC;
}
+
if (options.hostkeyalgorithms != NULL)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
options.hostkeyalgorithms;
diff -up openssh-6.3p1/sshd.c.fips openssh-6.3p1/sshd.c
--- openssh-6.3p1/sshd.c.fips 2013-10-11 22:24:32.842031223 +0200
+++ openssh-6.3p1/sshd.c 2013-10-11 22:24:32.873031077 +0200
@@ -76,6 +76,8 @@
#include <openssl/bn.h>
#include <openssl/md5.h>
#include <openssl/rand.h>
+#include <openssl/fips.h>
+#include <fipscheck.h>
#include "openbsd-compat/openssl-compat.h"
#ifdef HAVE_SECUREWARE
@@ -1450,6 +1452,14 @@ main(int ac, char **av)
#endif
__progname = ssh_get_progname(av[0]);
+ SSLeay_add_all_algorithms();
+ if (access("/etc/system-fips", F_OK) == 0)
+ if (! FIPSCHECK_verify(NULL, NULL))
+ if (FIPS_mode())
+ fatal("FIPS integrity verification test failed.");
+ else
+ logit("FIPS integrity verification test failed.");
+
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac;
rexec_argc = ac;
@@ -1601,8 +1611,6 @@ main(int ac, char **av)
else
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
- OpenSSL_add_all_algorithms();
-
/* If requested, redirect the logs to the specified logfile. */
if (logfile != NULL) {
log_redirect_stderr_to(logfile);
@@ -1773,6 +1781,10 @@ main(int ac, char **av)
debug("private host key: #%d type %d %s", i, keytype,
key_type(key ? key : pubkey));
}
+ if ((options.protocol & SSH_PROTO_1) && FIPS_mode()) {
+ logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
+ options.protocol &= ~SSH_PROTO_1;
+ }
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
@@ -1936,6 +1948,10 @@ main(int ac, char **av)
/* Initialize the random number generator. */
arc4random_stir();
+ if (FIPS_mode()) {
+ logit("FIPS mode initialized");
+ }
+
/* Chdir to the root directory so that the current disk can be
unmounted if desired. */
if (chdir("/") == -1)
@@ -2498,6 +2514,9 @@ do_ssh2_kex(void)
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
+ } else if (FIPS_mode()) {
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT;
}
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -2507,6 +2526,9 @@ do_ssh2_kex(void)
if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
+ } else if (FIPS_mode()) {
+ myproposal[PROPOSAL_MAC_ALGS_CTOS] =
+ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC;
}
if (options.compression == COMP_NONE) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] =

View file

@ -1,65 +0,0 @@
diff -U0 openssh-6.3p1/ChangeLog.df openssh-6.3p1/ChangeLog
--- openssh-6.3p1/ChangeLog.df 2013-10-23 22:38:03.476272461 +0200
+++ openssh-6.3p1/ChangeLog 2013-10-23 22:39:46.051788366 +0200
@@ -0,0 +1,8 @@
+20131010
+ - dtucker@cvs.openbsd.org 2013/10/08 11:42:13
+ [dh.c dh.h]
+ Increase the size of the Diffie-Hellman groups requested for a each
+ symmetric key size. New values from NIST Special Publication 800-57 with
+ the upper limit specified by RFC4419. Pointed out by Peter Backes, ok
+ djm@.
+
diff -up openssh-6.3p1/dh.c.df openssh-6.3p1/dh.c
--- openssh-6.3p1/dh.c.df 2013-07-18 08:12:07.000000000 +0200
+++ openssh-6.3p1/dh.c 2013-10-23 22:38:03.476272461 +0200
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.c,v 1.51 2013/07/02 12:31:43 markus Exp $ */
+/* $OpenBSD: dh.c,v 1.52 2013/10/08 11:42:13 dtucker Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
*
@@ -352,17 +352,20 @@ dh_new_group14(void)
/*
* Estimates the group order for a Diffie-Hellman group that has an
- * attack complexity approximately the same as O(2**bits). Estimate
- * with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
+ * attack complexity approximately the same as O(2**bits).
+ * Values from NIST Special Publication 800-57: Recommendation for Key
+ * Management Part 1 (rev 3) limited by the recommended maximum value
+ * from RFC4419 section 3.
*/
int
dh_estimate(int bits)
{
-
+ if (bits <= 112)
+ return 2048;
if (bits <= 128)
- return (1024); /* O(2**86) */
+ return 3072;
if (bits <= 192)
- return (2048); /* O(2**116) */
- return (4096); /* O(2**156) */
+ return 7680;
+ return 8192;
}
diff -up openssh-6.3p1/dh.h.df openssh-6.3p1/dh.h
--- openssh-6.3p1/dh.h.df 2008-06-29 14:47:04.000000000 +0200
+++ openssh-6.3p1/dh.h 2013-10-23 22:38:03.476272461 +0200
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.h,v 1.10 2008/06/26 09:19:40 djm Exp $ */
+/* $OpenBSD: dh.h,v 1.11 2013/10/08 11:42:13 dtucker Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
@@ -43,6 +43,7 @@ int dh_pub_is_valid(DH *, BIGNUM *);
int dh_estimate(int);
+/* Min and max values from RFC4419. */
#define DH_GRP_MIN 1024
#define DH_GRP_MAX 8192

View file

@ -30,7 +30,7 @@ diff -up openssh-6.3p1/auth-krb5.c.ccache_name openssh-6.3p1/auth-krb5.c
+ if (authctxt->krb5_ticket_file[0] == ':')
+ authctxt->krb5_ticket_file++;
+
+ len = strlen(authctxt->krb5_ticket_file) + strlen(ccache_type);
+ len = strlen(authctxt->krb5_ticket_file) + strlen(ccache_type) + 2;
authctxt->krb5_ccname = xmalloc(len);
- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
+
@ -52,7 +52,7 @@ diff -up openssh-6.3p1/auth-krb5.c.ccache_name openssh-6.3p1/auth-krb5.c
#ifdef USE_PAM
if (options.use_pam)
@@ -235,10 +256,34 @@ auth_krb5_password(Authctxt *authctxt, c
@@ -235,10 +256,36 @@ auth_krb5_password(Authctxt *authctxt, c
void
krb5_cleanup_proc(Authctxt *authctxt)
{
@ -64,24 +64,26 @@ diff -up openssh-6.3p1/auth-krb5.c.ccache_name openssh-6.3p1/auth-krb5.c
krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
authctxt->krb5_fwd_ccache = NULL;
+
+ strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);
+ krb5_ccname_dir_start = strchr(krb5_ccname, ':') + 1;
+ *krb5_ccname_dir_start++ = '\0';
+ if (strcmp(krb5_ccname, "DIR") == 0) {
+ if (authctxt->krb5_ccname != NULL) {
+ strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);
+ krb5_ccname_dir_start = strchr(krb5_ccname, ':') + 1;
+ *krb5_ccname_dir_start++ = '\0';
+ if (strcmp(krb5_ccname, "DIR") == 0) {
+
+ strcat(krb5_ccname_dir_start, "/primary");
+ strcat(krb5_ccname_dir_start, "/primary");
+
+ if (stat(krb5_ccname_dir_start, &krb5_ccname_stat) == 0) {
+ if (unlink(krb5_ccname_dir_start) == 0) {
+ krb5_ccname_dir_end = strrchr(krb5_ccname_dir_start, '/');
+ *krb5_ccname_dir_end = '\0';
+ if (rmdir(krb5_ccname_dir_start) == -1)
+ debug("cache dir '%s' remove failed: %s", krb5_ccname_dir_start, strerror(errno));
+ if (stat(krb5_ccname_dir_start, &krb5_ccname_stat) == 0) {
+ if (unlink(krb5_ccname_dir_start) == 0) {
+ krb5_ccname_dir_end = strrchr(krb5_ccname_dir_start, '/');
+ *krb5_ccname_dir_end = '\0';
+ if (rmdir(krb5_ccname_dir_start) == -1)
+ debug("cache dir '%s' remove failed: %s", krb5_ccname_dir_start, strerror(errno));
+ }
+ else
+ debug("cache primary file '%s', remove failed: %s",
+ krb5_ccname_dir_start, strerror(errno)
+ );
+ }
+ else
+ debug("cache primary file '%s', remove failed: %s",
+ krb5_ccname_dir_start, strerror(errno)
+ );
+ }
+ }
}

View file

@ -1,167 +0,0 @@
diff -up openssh-6.3p1/auth-krb5.c.kuserok openssh-6.3p1/auth-krb5.c
--- openssh-6.3p1/auth-krb5.c.kuserok 2013-10-11 21:41:42.889087613 +0200
+++ openssh-6.3p1/auth-krb5.c 2013-10-11 21:41:42.905087537 +0200
@@ -55,6 +55,20 @@
extern ServerOptions options;
+int
+ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client)
+{
+ if (options.use_kuserok)
+ return krb5_kuserok(krb5_ctx, krb5_user, client);
+ else {
+ char kuser[65];
+
+ if (krb5_aname_to_localname(krb5_ctx, krb5_user, sizeof(kuser), kuser))
+ return 0;
+ return strcmp(kuser, client) == 0;
+ }
+}
+
static int
krb5_init(void *context)
{
@@ -159,7 +173,7 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem)
goto out;
- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
+ if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
problem = -1;
goto out;
}
diff -up openssh-6.3p1/gss-serv-krb5.c.kuserok openssh-6.3p1/gss-serv-krb5.c
--- openssh-6.3p1/gss-serv-krb5.c.kuserok 2013-10-11 21:41:42.901087556 +0200
+++ openssh-6.3p1/gss-serv-krb5.c 2013-10-11 21:46:42.898673597 +0200
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
int);
static krb5_context krb_context = NULL;
+extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *);
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
@@ -116,7 +117,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
/* NOTE: .k5login and .k5users must opened as root, not the user,
* because if they are on a krb5-protected filesystem, user credentials
* to access these files aren't available yet. */
- if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
+ if (ssh_krb5_kuserok(krb_context, princ, name) && k5login_exists) {
retval = 1;
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
name, (char *)client->displayname.value);
diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c
--- openssh-6.3p1/servconf.c.kuserok 2013-10-11 21:41:42.896087580 +0200
+++ openssh-6.3p1/servconf.c 2013-10-11 21:48:24.664194016 +0200
@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
+ options->use_kuserok = -1;
}
void
@@ -310,6 +311,8 @@ fill_default_server_options(ServerOption
options->version_addendum = xstrdup("");
if (options->show_patchlevel == -1)
options->show_patchlevel = 0;
+ if (options->use_kuserok == -1)
+ options->use_kuserok = 1;
/* Turn privilege separation on by default */
if (use_privsep == -1)
@@ -336,7 +339,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken,
+ sKerberosGetAFSToken, sKerberosUseKuserok,
sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
@@ -409,11 +412,13 @@ static struct {
#else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
+ { "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
#else
{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
+ { "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
#endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1515,6 +1520,10 @@ process_server_config_line(ServerOptions
*activep = value;
break;
+ case sKerberosUseKuserok:
+ intptr = &options->use_kuserok;
+ goto parse_flag;
+
case sPermitOpen:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
@@ -1815,6 +1824,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(max_authtries);
M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk);
+ M_CP_INTOPT(use_kuserok);
M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval);
@@ -2055,6 +2065,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
diff -up openssh-6.3p1/servconf.h.kuserok openssh-6.3p1/servconf.h
--- openssh-6.3p1/servconf.h.kuserok 2013-10-11 21:41:42.896087580 +0200
+++ openssh-6.3p1/servconf.h 2013-10-11 21:41:42.907087528 +0200
@@ -174,6 +174,7 @@ typedef struct {
int num_permitted_opens;
+ int use_kuserok;
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
diff -up openssh-6.3p1/sshd_config.5.kuserok openssh-6.3p1/sshd_config.5
--- openssh-6.3p1/sshd_config.5.kuserok 2013-10-11 21:41:42.898087571 +0200
+++ openssh-6.3p1/sshd_config.5 2013-10-11 21:41:42.907087528 +0200
@@ -675,6 +675,10 @@ Specifies whether to automatically destr
file on logout.
The default is
.Dq yes .
+.It Cm KerberosUseKuserok
+Specifies whether to look at .k5login file for user's aliases.
+The default is
+.Dq yes .
.It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
@@ -833,6 +837,7 @@ Available keywords are
.Cm HostbasedUsesNameFromPacketOnly ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
+.Cm KerberosUseKuserok ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
.Cm PasswordAuthentication ,
diff -up openssh-6.3p1/sshd_config.kuserok openssh-6.3p1/sshd_config
--- openssh-6.3p1/sshd_config.kuserok 2013-10-11 21:41:42.898087571 +0200
+++ openssh-6.3p1/sshd_config 2013-10-11 21:41:42.907087528 +0200
@@ -86,6 +86,7 @@ ChallengeResponseAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
+#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no

View file

@ -1,104 +0,0 @@
diff -up openssh-6.3p1/openbsd-compat/port-linux.c.privsep-selinux openssh-6.3p1/openbsd-compat/port-linux.c
--- openssh-6.3p1/openbsd-compat/port-linux.c.privsep-selinux 2013-10-10 14:58:20.634762245 +0200
+++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 15:13:57.864306950 +0200
@@ -503,6 +503,25 @@ ssh_selinux_change_context(const char *n
free(newctx);
}
+void
+ssh_selinux_copy_context(void)
+{
+ security_context_t *ctx;
+
+ if (!ssh_selinux_enabled())
+ return;
+
+ if (getexeccon((security_context_t *)&ctx) != 0) {
+ logit("%s: getcon failed with %s", __func__, strerror (errno));
+ return;
+ }
+ if (ctx != NULL) {
+ if (setcon(ctx) != 0)
+ logit("%s: setcon failed with %s", __func__, strerror (errno));
+ freecon(ctx);
+ }
+}
+
#endif /* WITH_SELINUX */
#ifdef LINUX_OOM_ADJUST
diff -up openssh-6.3p1/openbsd-compat/port-linux.h.privsep-selinux openssh-6.3p1/openbsd-compat/port-linux.h
--- openssh-6.3p1/openbsd-compat/port-linux.h.privsep-selinux 2011-01-25 02:16:18.000000000 +0100
+++ openssh-6.3p1/openbsd-compat/port-linux.h 2013-10-10 14:58:20.634762245 +0200
@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
void ssh_selinux_setup_pty(char *, const char *);
void ssh_selinux_setup_exec_context(char *);
void ssh_selinux_change_context(const char *);
+void ssh_selinux_copy_context(void);
void ssh_selinux_setfscreatecon(const char *);
#endif
diff -up openssh-6.3p1/session.c.privsep-selinux openssh-6.3p1/session.c
--- openssh-6.3p1/session.c.privsep-selinux 2013-10-10 14:58:20.617762326 +0200
+++ openssh-6.3p1/session.c 2013-10-10 15:13:16.520503590 +0200
@@ -1522,6 +1522,9 @@ do_setusercontext(struct passwd *pw)
pw->pw_uid);
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
"u", pw->pw_name, (char *)NULL);
+#ifdef WITH_SELINUX
+ ssh_selinux_copy_context();
+#endif
safely_chroot(chroot_path, pw->pw_uid);
free(tmp);
free(chroot_path);
@@ -1544,6 +1547,12 @@ do_setusercontext(struct passwd *pw)
/* Permanently switch to the desired uid. */
permanently_set_uid(pw);
#endif
+
+#ifdef WITH_SELINUX
+ if (options.chroot_directory == NULL ||
+ strcasecmp(options.chroot_directory, "none") == 0)
+ ssh_selinux_copy_context();
+#endif
} else if (options.chroot_directory != NULL &&
strcasecmp(options.chroot_directory, "none") != 0) {
fatal("server lacks privileges to chroot to ChrootDirectory");
@@ -1808,9 +1817,6 @@ do_child(Session *s, const char *command
argv[i] = NULL;
optind = optreset = 1;
__progname = argv[0];
-#ifdef WITH_SELINUX
- ssh_selinux_change_context("sftpd_t");
-#endif
exit(sftp_server_main(i, argv, s->pw));
}
diff -up openssh-6.3p1/sshd.c.privsep-selinux openssh-6.3p1/sshd.c
--- openssh-6.3p1/sshd.c.privsep-selinux 2013-10-10 14:58:20.632762255 +0200
+++ openssh-6.3p1/sshd.c 2013-10-10 14:58:20.635762241 +0200
@@ -668,6 +668,10 @@ privsep_preauth_child(void)
/* Demote the private keys to public keys. */
demote_sensitive_data();
+#ifdef WITH_SELINUX
+ ssh_selinux_change_context("sshd_net_t");
+#endif
+
/* Change our root directory */
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
@@ -811,6 +815,13 @@ privsep_postauth(Authctxt *authctxt)
do_setusercontext(authctxt->pw);
skip:
+#ifdef WITH_SELINUX
+ /* switch SELinux content for root too */
+ if (authctxt->pw->pw_uid == 0) {
+ ssh_selinux_copy_context();
+ }
+#endif
+
/* It is safe now to apply the key state */
monitor_apply_keystate(pmonitor);

View file

@ -0,0 +1,16 @@
diff --git a/scp.c b/scp.c
index d98fa67..25d347b 100644
--- a/scp.c
+++ b/scp.c
@@ -638,7 +638,10 @@ toremote(char *targ, int argc, char **argv)
addargs(&alist, "%s", ssh_program);
addargs(&alist, "-x");
addargs(&alist, "-oClearAllForwardings=yes");
- addargs(&alist, "-n");
+ if (isatty(fileno(stdin)))
+ addargs(&alist, "-t");
+ else
+ addargs(&alist, "-n");
for (j = 0; j < remote_remote_args.num; j++) {
addargs(&alist, "%s",
remote_remote_args.list[j]);

View file

@ -0,0 +1,12 @@
diff --git a/ssh_config b/ssh_config
index 03a228f..49a4f6c 100644
--- a/ssh_config
+++ b/ssh_config
@@ -46,3 +46,7 @@
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
+#
+# Uncomment this if you want to use .local domain
+# Host *.local
+# CheckHostIP no

View file

@ -0,0 +1,12 @@
diff --git a/session.c b/session.c
index 626a642..b186ca1 100644
--- a/session.c
+++ b/session.c
@@ -1859,6 +1859,7 @@ do_child(Session *s, const char *command)
if (s->is_subsystem == SUBSYSTEM_INT_SFTP_ERROR) {
printf("This service allows sftp connections only.\n");
+ logit("The session allows sftp connections only");
fflush(NULL);
exit(1);
} else if (s->is_subsystem == SUBSYSTEM_INT_SFTP) {

View file

@ -0,0 +1,17 @@
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 22ea8ef..2660085 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -116,7 +116,11 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
debug3("%s: setting TTY context on %s", __func__, tty);
- user_ctx = ssh_selinux_getctxbyname(pwname);
+ if (getexeccon(&user_ctx) != 0) {
+ error("%s: getexeccon: %s", __func__, strerror(errno));
+ goto out;
+ }
+
/* XXX: should these calls fatal() upon failure in enforcing mode? */

View file

@ -0,0 +1,131 @@
diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-serv-krb5.c
--- openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users 2017-02-09 10:10:47.403859893 +0100
+++ openssh-7.4p1/gss-serv-krb5.c 2017-02-09 10:10:47.414859882 +0100
@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
FILE *fp;
char file[MAXPATHLEN];
char line[BUFSIZ];
- char kuser[65]; /* match krb5_kuserok() */
struct stat st;
struct passwd *pw = the_authctxt->pw;
int found_principal = 0;
@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
/* If both .k5login and .k5users DNE, self-login is ok. */
- if (!k5login_exists && (access(file, F_OK) == -1)) {
+ if ( !options.enable_k5users || (!k5login_exists && (access(file, F_OK) == -1))) {
return ssh_krb5_kuserok(krb_context, principal, luser,
k5login_exists);
}
diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.GSSAPIEnablek5users 2017-02-09 10:10:47.404859892 +0100
+++ openssh-7.4p1/servconf.c 2017-02-09 10:18:45.800385543 +0100
@@ -166,6 +166,7 @@ initialize_server_options(ServerOptions
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
options->use_kuserok = -1;
+ options->enable_k5users = -1;
options->fingerprint_hash = -1;
options->disable_forwarding = -1;
}
@@ -337,6 +338,8 @@ fill_default_server_options(ServerOption
options->show_patchlevel = 0;
if (options->use_kuserok == -1)
options->use_kuserok = 1;
+ if (options->enable_k5users == -1)
+ options->enable_k5users = 0;
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
options->fwd_opts.streamlocal_bind_mask = 0177;
if (options->fwd_opts.streamlocal_bind_unlink == -1)
@@ -418,7 +421,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -497,12 +500,14 @@ static struct {
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
+ { "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapienablek5users", sUnsupported, SSHCFG_ALL },
#endif
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
@@ -1653,6 +1658,10 @@ process_server_config_line(ServerOptions
intptr = &options->use_kuserok;
goto parse_flag;
+ case sGssEnablek5users:
+ intptr = &options->enable_k5users;
+ goto parse_flag;
+
case sPermitOpen:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk);
M_CP_INTOPT(use_kuserok);
+ M_CP_INTOPT(enable_k5users);
M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval);
@@ -2319,6 +2329,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
+ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
/* string arguments */
diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h
--- openssh-7.4p1/servconf.h.GSSAPIEnablek5users 2017-02-09 10:10:47.404859892 +0100
+++ openssh-7.4p1/servconf.h 2017-02-09 10:10:47.415859881 +0100
@@ -174,7 +174,8 @@ typedef struct {
int num_permitted_opens;
- int use_kuserok;
+ int use_kuserok;
+ int enable_k5users;
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users 2017-02-09 10:10:47.415859881 +0100
+++ openssh-7.4p1/sshd_config.5 2017-02-09 10:19:29.420336796 +0100
@@ -633,6 +633,12 @@ Specifies whether key exchange based on
doesn't rely on ssh keys to verify host identity.
The default is
.Dq no .
+.It Cm GSSAPIEnablek5users
+Specifies whether to look at .k5users file for GSSAPI authentication
+access control. Further details are described in
+.Xr ksu 1 .
+The default is
+.Cm no .
.It Cm GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor
a client authenticates against.
diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config
--- openssh-7.4p1/sshd_config.GSSAPIEnablek5users 2017-02-09 10:10:47.404859892 +0100
+++ openssh-7.4p1/sshd_config 2017-02-09 10:10:47.415859881 +0100
@@ -80,6 +80,7 @@ GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will

View file

@ -0,0 +1,39 @@
diff -up openssh/sshd.c.ip-opts openssh/sshd.c
--- openssh/sshd.c.ip-opts 2016-07-25 13:58:48.998507834 +0200
+++ openssh/sshd.c 2016-07-25 14:01:28.346469878 +0200
@@ -1507,12 +1507,29 @@ check_ip_options(struct ssh *ssh)
if (getsockopt(sock_in, IPPROTO_IP, IP_OPTIONS, opts,
&option_size) >= 0 && option_size != 0) {
- text[0] = '\0';
- for (i = 0; i < option_size; i++)
- snprintf(text + i*3, sizeof(text) - i*3,
- " %2.2x", opts[i]);
- fatal("Connection from %.100s port %d with IP opts: %.800s",
- ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text);
+ i = 0;
+ do {
+ switch (opts[i]) {
+ case 0:
+ case 1:
+ ++i;
+ break;
+ case 130:
+ case 133:
+ case 134:
+ i += opts[i + 1];
+ break;
+ default:
+ /* Fail, fatally, if we detect either loose or strict
+ * source routing options. */
+ text[0] = '\0';
+ for (i = 0; i < option_size; i++)
+ snprintf(text + i*3, sizeof(text) - i*3,
+ " %2.2x", opts[i]);
+ fatal("Connection from %.100s port %d with IP options:%.800s",
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text);
+ }
+ } while (i < option_size);
}
return;
#endif /* IP_OPTIONS */

View file

@ -0,0 +1,40 @@
diff --git a/sshd_config.5 b/sshd_config.5
index 2320128..6244e68 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -120,6 +120,8 @@ The allow/deny directives are processed in the following order:
.Cm DenyGroups ,
and finally
.Cm AllowGroups .
+All of the specified user and group tests must succeed, before user
+is allowed to log in.
.Pp
See PATTERNS in
.Xr ssh_config 5
@@ -160,6 +162,8 @@ The allow/deny directives are processed in the following order:
.Cm DenyGroups ,
and finally
.Cm AllowGroups .
+All of the specified user and group tests must succeed, before user
+is allowed to log in.
.Pp
See PATTERNS in
.Xr ssh_config 5
@@ -430,6 +434,8 @@ The allow/deny directives are processed in the following order:
.Cm DenyGroups ,
and finally
.Cm AllowGroups .
+All of the specified user and group tests must succeed, before user
+is allowed to log in.
.Pp
See PATTERNS in
.Xr ssh_config 5
@@ -449,6 +455,8 @@ The allow/deny directives are processed in the following order:
.Cm DenyGroups ,
and finally
.Cm AllowGroups .
+All of the specified user and group tests must succeed, before user
+is allowed to log in.
.Pp
See PATTERNS in
.Xr ssh_config 5

View file

@ -0,0 +1,183 @@
diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
--- openssh-7.4p1/monitor_wrap.c.audit-race 2017-02-09 14:07:56.870994116 +0100
+++ openssh-7.4p1/monitor_wrap.c 2017-02-09 14:07:56.874994112 +0100
@@ -1107,4 +1107,48 @@ mm_audit_destroy_sensitive_data(const ch
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
buffer_free(&m);
}
+
+int mm_forward_audit_messages(int fdin)
+{
+ u_char buf[4];
+ u_int blen, msg_len;
+ Buffer m;
+ int ret = 0;
+
+ debug3("%s: entering", __func__);
+ buffer_init(&m);
+ do {
+ blen = atomicio(read, fdin, buf, sizeof(buf));
+ if (blen == 0) /* closed pipe */
+ break;
+ if (blen != sizeof(buf)) {
+ error("%s: Failed to read the buffer from child", __func__);
+ ret = -1;
+ break;
+ }
+
+ msg_len = get_u32(buf);
+ if (msg_len > 256 * 1024)
+ fatal("%s: read: bad msg_len %d", __func__, msg_len);
+ buffer_clear(&m);
+ buffer_append_space(&m, msg_len);
+ if (atomicio(read, fdin, buffer_ptr(&m), msg_len) != msg_len) {
+ error("%s: Failed to read the the buffer content from the child", __func__);
+ ret = -1;
+ break;
+ }
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
+ atomicio(vwrite, pmonitor->m_recvfd, buffer_ptr(&m), msg_len) != msg_len) {
+ error("%s: Failed to write the message to the monitor", __func__);
+ ret = -1;
+ break;
+ }
+ } while (1);
+ buffer_free(&m);
+ return ret;
+}
+void mm_set_monitor_pipe(int fd)
+{
+ pmonitor->m_recvfd = fd;
+}
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-7.4p1/monitor_wrap.h.audit-race openssh-7.4p1/monitor_wrap.h
--- openssh-7.4p1/monitor_wrap.h.audit-race 2017-02-09 14:07:56.870994116 +0100
+++ openssh-7.4p1/monitor_wrap.h 2017-02-09 14:07:56.874994112 +0100
@@ -80,6 +80,8 @@ void mm_audit_unsupported_body(int);
void mm_audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t);
void mm_audit_session_key_free_body(int, pid_t, uid_t);
void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t);
+int mm_forward_audit_messages(int);
+void mm_set_monitor_pipe(int);
#endif
struct Session;
diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
--- openssh-7.4p1/session.c.audit-race 2017-02-09 14:07:56.871994115 +0100
+++ openssh-7.4p1/session.c 2017-02-09 14:09:44.710893783 +0100
@@ -162,6 +162,10 @@ static Session *sessions = NULL;
login_cap_t *lc;
#endif
+#ifdef SSH_AUDIT_EVENTS
+int paudit[2];
+#endif
+
static int is_child = 0;
static int in_chroot = 0;
static int have_dev_log = 1;
@@ -289,6 +293,8 @@ xauth_valid_string(const char *s)
return 1;
}
+void child_destory_sensitive_data();
+
#define USE_PIPES 1
/*
* This is called to fork and execute a command when we have no tty. This
@@ -424,6 +430,8 @@ do_exec_no_pty(Session *s, const char *c
cray_init_job(s->pw); /* set up cray jid and tmpdir */
#endif
+ child_destory_sensitive_data();
+
/* Do processing for the child (exec command etc). */
do_child(s, command);
/* NOTREACHED */
@@ -547,6 +555,9 @@ do_exec_pty(Session *s, const char *comm
/* Close the extra descriptor for the pseudo tty. */
close(ttyfd);
+ /* Do this early, so we will not block large MOTDs */
+ child_destory_sensitive_data();
+
/* record login, etc. similar to login(1) */
#ifdef _UNICOS
cray_init_job(s->pw); /* set up cray jid and tmpdir */
@@ -717,6 +728,8 @@ do_exec(Session *s, const char *command)
}
if (s->command != NULL && s->ptyfd == -1)
s->command_handle = PRIVSEP(audit_run_command(s->command));
+ if (pipe(paudit) < 0)
+ fatal("pipe: %s", strerror(errno));
#endif
if (s->ttyfd != -1)
ret = do_exec_pty(s, command);
@@ -732,6 +745,20 @@ do_exec(Session *s, const char *command)
*/
buffer_clear(&loginmsg);
+#ifdef SSH_AUDIT_EVENTS
+ close(paudit[1]);
+ if (use_privsep && ret == 0) {
+ /*
+ * Read the audit messages from forked child and send them
+ * back to monitor. We don't want to communicate directly,
+ * because the messages might get mixed up.
+ * Continue after the pipe gets closed (all messages sent).
+ */
+ ret = mm_forward_audit_messages(paudit[0]);
+ }
+ close(paudit[0]);
+#endif /* SSH_AUDIT_EVENTS */
+
return ret;
}
@@ -1542,6 +1569,33 @@ child_close_fds(void)
endpwent();
}
+void
+child_destory_sensitive_data()
+{
+#ifdef SSH_AUDIT_EVENTS
+ int pparent = paudit[1];
+ close(paudit[0]);
+ /* Hack the monitor pipe to avoid race condition with parent */
+ if (use_privsep)
+ mm_set_monitor_pipe(pparent);
+#endif
+
+ /* remove hostkey from the child's memory */
+ destroy_sensitive_data(use_privsep);
+ /*
+ * We can audit this, because we hacked the pipe to direct the
+ * messages over postauth child. But this message requires answer
+ * which we can't do using one-way pipe.
+ */
+ packet_destroy_all(0, 1);
+
+#ifdef SSH_AUDIT_EVENTS
+ /* Notify parent that we are done */
+ close(pparent);
+#endif
+
+}
+
/*
* Performs common processing for the child, such as setting up the
* environment, closing extra file descriptors, setting the user and group
@@ -1558,12 +1612,6 @@ do_child(Session *s, const char *command
struct passwd *pw = s->pw;
int r = 0;
- /* remove hostkey from the child's memory */
- destroy_sensitive_data(1);
- /* Don't audit this - both us and the parent would be talking to the
- monitor over a single socket, with no synchronization. */
- packet_destroy_all(0, 1);
-
/* Force a password change */
if (s->authctxt->force_pwchange) {
do_setusercontext(pw);

View file

@ -1,7 +1,8 @@
diff -up openssh-6.2p1/entropy.c.entropy openssh-6.2p1/entropy.c
--- openssh-6.2p1/entropy.c.entropy 2013-03-25 19:31:42.737611051 +0100
+++ openssh-6.2p1/entropy.c 2013-03-25 19:31:42.797611433 +0100
@@ -237,6 +237,9 @@ seed_rng(void)
diff --git a/entropy.c b/entropy.c
index 2d483b3..b361a04 100644
--- a/entropy.c
+++ b/entropy.c
@@ -234,6 +234,9 @@ seed_rng(void)
memset(buf, '\0', sizeof(buf));
#endif /* OPENSSL_PRNG_ONLY */
@ -11,21 +12,34 @@ diff -up openssh-6.2p1/entropy.c.entropy openssh-6.2p1/entropy.c
if (RAND_status() != 1)
fatal("PRNG is not seeded");
}
diff -up openssh-6.2p1/openbsd-compat/Makefile.in.entropy openssh-6.2p1/openbsd-compat/Makefile.in
--- openssh-6.2p1/openbsd-compat/Makefile.in.entropy 2013-03-25 19:31:42.798611440 +0100
+++ openssh-6.2p1/openbsd-compat/Makefile.in 2013-03-25 19:33:02.042116876 +0100
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index b912dbe..9206337 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
-PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
-PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff -up openssh-6.2p1/openbsd-compat/port-linux-prng.c.entropy openssh-6.2p1/openbsd-compat/port-linux-prng.c
--- openssh-6.2p1/openbsd-compat/port-linux-prng.c.entropy 2013-03-25 19:31:42.798611440 +0100
+++ openssh-6.2p1/openbsd-compat/port-linux-prng.c 2013-03-25 19:31:42.798611440 +0100
diff -up openssh-7.4p1/openbsd-compat/port-linux.h.entropy openssh-7.4p1/openbsd-compat/port-linux.h
--- openssh-7.4p1/openbsd-compat/port-linux.h.entropy 2016-12-23 18:34:27.747753563 +0100
+++ openssh-7.4p1/openbsd-compat/port-linux.h 2016-12-23 18:34:27.769753570 +0100
@@ -34,4 +34,6 @@ void oom_adjust_restore(void);
void oom_adjust_setup(void);
#endif
+void linux_seed(void);
+
#endif /* ! _PORT_LINUX_H */
diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c
new file mode 100644
index 0000000..92a617c
--- /dev/null
+++ b/openbsd-compat/port-linux-prng.c
@@ -0,0 +1,59 @@
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
+
@ -59,6 +73,7 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux-prng.c.entropy openssh-6.2p1/op
+
+#include "log.h"
+#include "xmalloc.h"
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
+#include "servconf.h"
+#include "port-linux.h"
+#include "key.h"
@ -68,10 +83,9 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux-prng.c.entropy openssh-6.2p1/op
+void
+linux_seed(void)
+{
+ int len;
+ char *env = getenv("SSH_USE_STRONG_RNG");
+ char *random = "/dev/random";
+ size_t ienv, randlen = 14;
+ size_t len, ienv, randlen = 14;
+
+ if (!env || !strcmp(env, "0"))
+ random = "/dev/urandom";
@ -86,9 +100,10 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux-prng.c.entropy openssh-6.2p1/op
+ fatal ("EOF reading %s", random);
+ }
+}
diff -up openssh-6.2p1/ssh-add.0.entropy openssh-6.2p1/ssh-add.0
--- openssh-6.2p1/ssh-add.0.entropy 2013-03-22 00:38:29.000000000 +0100
+++ openssh-6.2p1/ssh-add.0 2013-03-25 19:31:42.799611446 +0100
diff --git a/ssh-add.0 b/ssh-add.0
index ba43fee..0b2629a 100644
--- a/ssh-add.0
+++ b/ssh-add.0
@@ -82,6 +82,16 @@ ENVIRONMENT
Identifies the path of a UNIX-domain socket used to communicate
with the agent.
@ -106,10 +121,11 @@ diff -up openssh-6.2p1/ssh-add.0.entropy openssh-6.2p1/ssh-add.0
FILES
~/.ssh/identity
Contains the protocol version 1 RSA authentication identity of
diff -up openssh-6.2p1/ssh-add.1.entropy openssh-6.2p1/ssh-add.1
--- openssh-6.2p1/ssh-add.1.entropy 2012-12-07 03:06:13.000000000 +0100
+++ openssh-6.2p1/ssh-add.1 2013-03-25 19:31:42.799611446 +0100
@@ -160,6 +160,20 @@ to make this work.)
diff --git a/ssh-add.1 b/ssh-add.1
index 4812448..16305bf 100644
--- a/ssh-add.1
+++ b/ssh-add.1
@@ -161,6 +161,20 @@ to make this work.)
Identifies the path of a
.Ux Ns -domain
socket used to communicate with the agent.
@ -130,10 +146,11 @@ diff -up openssh-6.2p1/ssh-add.1.entropy openssh-6.2p1/ssh-add.1
.El
.Sh FILES
.Bl -tag -width Ds
diff -up openssh-6.2p1/ssh-agent.1.entropy openssh-6.2p1/ssh-agent.1
--- openssh-6.2p1/ssh-agent.1.entropy 2010-12-01 01:50:35.000000000 +0100
+++ openssh-6.2p1/ssh-agent.1 2013-03-25 19:31:42.800611452 +0100
@@ -198,6 +198,24 @@ sockets used to contain the connection t
diff --git a/ssh-agent.1 b/ssh-agent.1
index 281ecbd..1a9a635 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -201,6 +201,24 @@ sockets used to contain the connection to the authentication agent.
These sockets should only be readable by the owner.
The sockets should get automatically removed when the agent exits.
.El
@ -158,38 +175,11 @@ diff -up openssh-6.2p1/ssh-agent.1.entropy openssh-6.2p1/ssh-agent.1
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
diff -up openssh-6.2p1/sshd.8.entropy openssh-6.2p1/sshd.8
--- openssh-6.2p1/sshd.8.entropy 2013-03-25 19:31:42.752611146 +0100
+++ openssh-6.2p1/sshd.8 2013-03-25 19:31:42.800611452 +0100
@@ -945,6 +945,24 @@ concurrently for different ports, this c
started last).
The content of this file is not sensitive; it can be world-readable.
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 14 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
.Sh IPV6
IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
.Sh SEE ALSO
diff -up openssh-6.2p1/ssh-keygen.1.entropy openssh-6.2p1/ssh-keygen.1
--- openssh-6.2p1/ssh-keygen.1.entropy 2013-01-20 12:35:06.000000000 +0100
+++ openssh-6.2p1/ssh-keygen.1 2013-03-25 19:31:42.801611459 +0100
@@ -806,6 +806,24 @@ Contains Diffie-Hellman groups used for
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 12e00d4..1b51a4a 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -832,6 +832,24 @@ Contains Diffie-Hellman groups used for DH-GEX.
The file format is described in
.Xr moduli 5 .
.El
@ -214,10 +204,11 @@ diff -up openssh-6.2p1/ssh-keygen.1.entropy openssh-6.2p1/ssh-keygen.1
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
diff -up openssh-6.2p1/ssh-keysign.8.entropy openssh-6.2p1/ssh-keysign.8
--- openssh-6.2p1/ssh-keysign.8.entropy 2010-08-31 14:41:14.000000000 +0200
+++ openssh-6.2p1/ssh-keysign.8 2013-03-25 19:31:42.801611459 +0100
@@ -78,6 +78,24 @@ must be set-uid root if host-based authe
diff --git a/ssh-keysign.8 b/ssh-keysign.8
index 69d0829..02d79f8 100644
--- a/ssh-keysign.8
+++ b/ssh-keysign.8
@@ -80,6 +80,24 @@ must be set-uid root if host-based authentication is used.
If these files exist they are assumed to contain public certificate
information corresponding with the private keys above.
.El
@ -242,10 +233,11 @@ diff -up openssh-6.2p1/ssh-keysign.8.entropy openssh-6.2p1/ssh-keysign.8
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-keygen 1 ,
diff -up openssh-6.2p1/ssh.1.entropy openssh-6.2p1/ssh.1
--- openssh-6.2p1/ssh.1.entropy 2013-03-25 19:31:42.752611146 +0100
+++ openssh-6.2p1/ssh.1 2013-03-25 19:31:42.799611446 +0100
@@ -1277,6 +1277,23 @@ For more information, see the
diff --git a/ssh.1 b/ssh.1
index 929904b..f65e42f 100644
--- a/ssh.1
+++ b/ssh.1
@@ -1309,6 +1309,23 @@ For more information, see the
.Cm PermitUserEnvironment
option in
.Xr sshd_config 5 .
@ -269,3 +261,32 @@ diff -up openssh-6.2p1/ssh.1.entropy openssh-6.2p1/ssh.1
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa ~/.rhosts
diff --git a/sshd.8 b/sshd.8
index c2c237f..058d37a 100644
--- a/sshd.8
+++ b/sshd.8
@@ -951,6 +951,24 @@ concurrently for different ports, this contains the process ID of the one
started last).
The content of this file is not sensitive; it can be world-readable.
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 14 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
.Sh IPV6
IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
.Sh SEE ALSO

View file

@ -1,6 +1,7 @@
diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
--- openssh-6.3p1/gss-serv-krb5.c.force_krb 2013-10-11 18:58:51.553948159 +0200
+++ openssh-6.3p1/gss-serv-krb5.c 2013-10-11 21:40:49.972337025 +0200
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index 42de994..60de320 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -32,7 +32,9 @@
#include <sys/types.h>
@ -11,12 +12,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
#include "xmalloc.h"
#include "key.h"
@@ -40,10 +42,12 @@
#include "auth.h"
#include "log.h"
#include "servconf.h"
+#include "misc.h"
@@ -40,6 +42,7 @@
#include "buffer.h"
#include "ssh-gss.h"
@ -38,7 +34,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
static krb5_context krb_context = NULL;
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
@@ -87,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
@@ -87,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
krb5_principal princ;
int retval;
const char *errmsg;
@ -46,7 +42,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
if (ssh_gssapi_krb5_init() == 0)
return 0;
@@ -98,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
@@ -98,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
krb5_free_error_message(krb_context, errmsg);
return 0;
}
@ -70,7 +66,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
} else
retval = 0;
@@ -109,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
@@ -109,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
return retval;
}
@ -167,7 +163,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
+ k5users_allowed_cmds[ncommands-1] =
+ xstrdup(pw->pw_shell);
+ k5users_allowed_cmds =
+ xrealloc(k5users_allowed_cmds, ++ncommands,
+ xreallocarray(k5users_allowed_cmds, ++ncommands,
+ sizeof(*k5users_allowed_cmds));
+ break;
+ }
@ -180,7 +176,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
+ k5users_allowed_cmds[ncommands-1] =
+ xstrdup(token);
+ k5users_allowed_cmds =
+ xrealloc(k5users_allowed_cmds, ++ncommands,
+ xreallocarray(k5users_allowed_cmds, ++ncommands,
+ sizeof(*k5users_allowed_cmds));
+ token = strtok(NULL, " \t\n");
+ }
@ -206,19 +202,20 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
/* This writes out any forwarded credentials from the structure populated
* during userauth. Called after we have setuid to the user */
diff -up openssh-6.3p1/session.c.force_krb openssh-6.3p1/session.c
--- openssh-6.3p1/session.c.force_krb 2013-10-11 18:58:51.487948468 +0200
+++ openssh-6.3p1/session.c 2013-10-11 18:58:51.563948112 +0200
@@ -823,6 +823,29 @@ do_exec(Session *s, const char *command)
debug("Forced command (key option) '%.900s'", command);
diff --git a/session.c b/session.c
index b5dc144..ba4589b 100644
--- a/session.c
+++ b/session.c
@@ -806,6 +806,29 @@ do_exec(Session *s, const char *command)
command = forced_command;
forced = "(key-option)";
}
+#ifdef GSSAPI
+#ifdef KRB5 /* k5users_allowed_cmds only available w/ GSSAPI+KRB5 */
+ else if (k5users_allowed_cmds) {
+ const char *match = command;
+ int allowed = 0, i = 0;
+
+
+ if (!match)
+ match = s->pw->pw_shell;
+ while (k5users_allowed_cmds[i]) {
@ -236,12 +233,13 @@ diff -up openssh-6.3p1/session.c.force_krb openssh-6.3p1/session.c
+#endif
+#endif
+
#ifdef SSH_AUDIT_EVENTS
if (s->command != NULL || s->command_handle != -1)
fatal("do_exec: command already set");
diff -up openssh-6.3p1/ssh-gss.h.force_krb openssh-6.3p1/ssh-gss.h
--- openssh-6.3p1/ssh-gss.h.force_krb 2013-10-11 18:58:51.558948136 +0200
+++ openssh-6.3p1/ssh-gss.h 2013-10-11 18:58:51.563948112 +0200
if (forced != NULL) {
if (IS_INTERNAL_SFTP(command)) {
s->is_subsystem = s->is_subsystem ?
diff --git a/ssh-gss.h b/ssh-gss.h
index 0374c88..509109a 100644
--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -49,6 +49,10 @@
# endif /* !HAVE_DECL_GSS_C_NT_... */
@ -253,10 +251,11 @@ diff -up openssh-6.3p1/ssh-gss.h.force_krb openssh-6.3p1/ssh-gss.h
#endif /* KRB5 */
/* draft-ietf-secsh-gsskeyex-06 */
diff -up openssh-6.3p1/sshd.8.force_krb openssh-6.3p1/sshd.8
--- openssh-6.3p1/sshd.8.force_krb 2013-10-11 18:58:51.537948234 +0200
+++ openssh-6.3p1/sshd.8 2013-10-11 18:58:51.563948112 +0200
@@ -326,6 +326,7 @@ Finally, the server and the client enter
diff --git a/sshd.8 b/sshd.8
index 058d37a..5c4f15b 100644
--- a/sshd.8
+++ b/sshd.8
@@ -327,6 +327,7 @@ Finally, the server and the client enter an authentication dialog.
The client tries to authenticate itself using
host-based authentication,
public key authentication,
@ -264,7 +263,7 @@ diff -up openssh-6.3p1/sshd.8.force_krb openssh-6.3p1/sshd.8
challenge-response authentication,
or password authentication.
.Pp
@@ -797,6 +798,12 @@ This file is used in exactly the same wa
@@ -800,6 +801,12 @@ This file is used in exactly the same way as
but allows host-based authentication without permitting login with
rlogin/rsh.
.Pp

View file

@ -0,0 +1,87 @@
diff --git a/auth-krb5.c b/auth-krb5.c
index 2b02a04..19b9364 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -375,6 +375,22 @@ cleanup:
return -1;
}
+/*
+ * Reads k5login_directory option from the krb5.conf
+ */
+krb5_error_code
+ssh_krb5_get_k5login_directory(krb5_context ctx, char **k5login_directory) {
+ profile_t p;
+ int ret = 0;
+
+ ret = krb5_get_profile(ctx, &p);
+ if (ret)
+ return ret;
+
+ return profile_get_string(p, "libdefaults", "k5login_directory", NULL, NULL,
+ k5login_directory);
+}
+
krb5_error_code
ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
profile_t p;
diff --git a/auth.h b/auth.h
index f9d191c..c432d2f 100644
--- a/auth.h
+++ b/auth.h
@@ -222,5 +222,7 @@ int sys_auth_passwd(Authctxt *, const char *);
#if defined(KRB5) && !defined(HEIMDAL)
#include <krb5.h>
krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
+krb5_error_code ssh_krb5_get_k5login_directory(krb5_context ctx,
+ char **k5login_directory);
#endif
#endif
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index a7c0c5f..df8cc9a 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -244,8 +244,27 @@ ssh_gssapi_k5login_exists()
{
char file[MAXPATHLEN];
struct passwd *pw = the_authctxt->pw;
+ char *k5login_directory = NULL;
+ int ret = 0;
+
+ ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory);
+ debug3("%s: k5login_directory = %s (rv=%d)", __func__, k5login_directory, ret);
+ if (k5login_directory == NULL || ret != 0) {
+ /* If not set, the library will look for k5login
+ * files in the user's home directory, with the filename .k5login.
+ */
+ snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
+ } else {
+ /* If set, the library will look for a local user's k5login file
+ * within the named directory, with a filename corresponding to the
+ * local username.
+ */
+ snprintf(file, sizeof(file), "%s%s%s", k5login_directory,
+ k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "",
+ pw->pw_name);
+ }
+ debug("%s: Checking existence of file %s", __func__, file);
- snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
return access(file, F_OK) == 0;
}
diff --git a/sshd.8 b/sshd.8
index 5c4f15b..135e290 100644
--- a/sshd.8
+++ b/sshd.8
@@ -806,6 +806,10 @@ rlogin/rsh.
These files enforce GSSAPI/Kerberos authentication access control.
Further details are described in
.Xr ksu 1 .
+The location of the k5login file depends on the configuration option
+.Cm k5login_directory
+in the
+.Xr krb5.conf 5 .
.Pp
.It Pa ~/.ssh/
This directory is the default location for all user-specific configuration

View file

@ -1,6 +1,61 @@
diff -up openssh-6.3p1/HOWTO.ssh-keycat.keycat openssh-6.3p1/HOWTO.ssh-keycat
--- openssh-6.3p1/HOWTO.ssh-keycat.keycat 2013-10-10 15:16:33.445566916 +0200
+++ openssh-6.3p1/HOWTO.ssh-keycat 2013-10-10 15:16:33.445566916 +0200
diff -up openssh-7.4p1/auth2-pubkey.c.keycat openssh-7.4p1/auth2-pubkey.c
--- openssh-7.4p1/auth2-pubkey.c.keycat 2017-02-08 14:32:33.015581448 +0100
+++ openssh-7.4p1/auth2-pubkey.c 2017-02-08 14:40:26.125216292 +0100
@@ -1043,6 +1043,14 @@ user_key_command_allowed2(struct passwd
xasprintf(&command, "%s %s", av[0], av[1]);
}
+#ifdef WITH_SELINUX
+ if (sshd_selinux_setup_env_variables() < 0) {
+ error ("failed to copy environment: %s",
+ strerror(errno));
+ _exit(127);
+ }
+#endif
+
if ((pid = subprocess("AuthorizedKeysCommand", pw, command,
ac, av, &f)) == 0)
goto out;
diff -up openssh-7.4p1/configure.ac.keycat openssh-7.4p1/configure.ac
--- openssh-7.4p1/configure.ac.keycat 2017-02-08 14:32:33.011581451 +0100
+++ openssh-7.4p1/configure.ac 2017-02-08 14:32:33.016581448 +0100
@@ -3129,6 +3129,7 @@ AC_ARG_WITH([pam],
PAM_MSG="yes"
SSHDLIBS="$SSHDLIBS -lpam"
+ KEYCATLIBS="$KEYCATLIBS -lpam"
AC_DEFINE([USE_PAM], [1],
[Define if you want to enable PAM support])
@@ -3139,6 +3140,7 @@ AC_ARG_WITH([pam],
;;
*)
SSHDLIBS="$SSHDLIBS -ldl"
+ KEYCATLIBS="$KEYCATLIBS -ldl"
;;
esac
fi
@@ -4255,6 +4257,7 @@ AC_ARG_WITH([selinux],
)
AC_SUBST([SSHLIBS])
AC_SUBST([SSHDLIBS])
+AC_SUBST([KEYCATLIBS])
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
@@ -5206,6 +5209,9 @@ fi
if test ! -z "${SSHLIBS}"; then
echo " +for ssh: ${SSHLIBS}"
fi
+if test ! -z "${KEYCATLIBS}"; then
+echo " +for ssh-keycat: ${KEYCATLIBS}"
+fi
echo ""
diff -up openssh-7.4p1/HOWTO.ssh-keycat.keycat openssh-7.4p1/HOWTO.ssh-keycat
--- openssh-7.4p1/HOWTO.ssh-keycat.keycat 2017-02-08 14:32:33.014581449 +0100
+++ openssh-7.4p1/HOWTO.ssh-keycat 2017-02-08 14:32:33.014581449 +0100
@@ -0,0 +1,12 @@
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
+of an user in any environment. This includes environments with
@ -14,9 +69,9 @@ diff -up openssh-6.3p1/HOWTO.ssh-keycat.keycat openssh-6.3p1/HOWTO.ssh-keycat
+ PubkeyAuthentication yes
+
+
diff -up openssh-6.3p1/Makefile.in.keycat openssh-6.3p1/Makefile.in
--- openssh-6.3p1/Makefile.in.keycat 2013-10-10 15:16:33.442566930 +0200
+++ openssh-6.3p1/Makefile.in 2013-10-10 15:16:33.445566916 +0200
diff -up openssh-7.4p1/Makefile.in.keycat openssh-7.4p1/Makefile.in
--- openssh-7.4p1/Makefile.in.keycat 2017-02-08 14:32:33.012581451 +0100
+++ openssh-7.4p1/Makefile.in 2017-02-08 14:38:28.839306815 +0100
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
@ -25,26 +80,34 @@ diff -up openssh-6.3p1/Makefile.in.keycat openssh-6.3p1/Makefile.in
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -64,7 +65,7 @@ EXEEXT=@EXEEXT@
@@ -51,6 +52,7 @@ K5LIBS=@K5LIBS@
GSSLIBS=@GSSLIBS@
SSHLIBS=@SSHLIBS@
SSHDLIBS=@SSHDLIBS@
+KEYCATLIBS=@KEYCATLIBS@
LIBEDIT=@LIBEDIT@
AR=@AR@
AWK=@AWK@
@@ -65,7 +67,7 @@ EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
canohost.o channels.o cipher.o cipher-aes.o \
@@ -172,6 +173,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
LIBOPENSSH_OBJS=\
ssh_api.o \
@@ -190,6 +192,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keycat.o
+ $(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
+ $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(SSHLIBS)
+
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -279,6 +283,7 @@ install-files:
@@ -332,6 +337,7 @@ install-files:
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
fi
@ -52,37 +115,54 @@ diff -up openssh-6.3p1/Makefile.in.keycat openssh-6.3p1/Makefile.in
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff -up openssh-6.3p1/auth2-pubkey.c.keycat openssh-6.3p1/auth2-pubkey.c
--- openssh-6.3p1/auth2-pubkey.c.keycat 2013-10-10 15:16:33.429566992 +0200
+++ openssh-6.3p1/auth2-pubkey.c 2013-10-10 15:16:33.445566916 +0200
@@ -606,6 +606,14 @@ user_key_command_allowed2(struct passwd
_exit(1);
}
diff -up openssh-7.4p1/openbsd-compat/port-linux.h.keycat openssh-7.4p1/openbsd-compat/port-linux.h
--- openssh-7.4p1/openbsd-compat/port-linux.h.keycat 2017-02-08 14:32:33.009581453 +0100
+++ openssh-7.4p1/openbsd-compat/port-linux.h 2017-02-08 14:32:33.015581448 +0100
@@ -23,8 +23,10 @@ void ssh_selinux_setup_pty(char *, const
void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
+#ifdef WITH_SELINUX
+ if (ssh_selinux_setup_env_variables() < 0) {
+ error ("failed to copy environment: %s",
+ strerror(errno));
+ _exit(127);
+ }
+#endif
+int sshd_selinux_enabled(void);
void sshd_selinux_copy_context(void);
void sshd_selinux_setup_exec_context(char *);
+int sshd_selinux_setup_env_variables(void);
#endif
#ifdef LINUX_OOM_ADJUST
diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.keycat openssh-7.4p1/openbsd-compat/port-linux-sshd.c
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.keycat 2017-02-08 14:32:33.008581454 +0100
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2017-02-08 14:32:33.015581448 +0100
@@ -53,6 +53,20 @@ extern Authctxt *the_authctxt;
extern int inetd_flag;
extern int rexeced_flag;
+/* Wrapper around is_selinux_enabled() to log its return value once only */
+int
+sshd_selinux_enabled(void)
+{
+ static int enabled = -1;
+
execl(options.authorized_keys_command,
options.authorized_keys_command, user_pw->pw_name, NULL);
diff -up openssh-6.3p1/openbsd-compat/port-linux.c.keycat openssh-6.3p1/openbsd-compat/port-linux.c
--- openssh-6.3p1/openbsd-compat/port-linux.c.keycat 2013-10-10 15:16:33.435566964 +0200
+++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 15:32:19.946065189 +0200
@@ -313,7 +313,7 @@ ssh_selinux_getctxbyname(char *pwname,
+ if (enabled == -1) {
+ enabled = (is_selinux_enabled() == 1);
+ debug("SELinux support %s", enabled ? "enabled" : "disabled");
+ }
+
+ return (enabled);
+}
+
/* Send audit message */
static int
sshd_selinux_send_audit_message(int success, security_context_t default_context,
@@ -307,7 +321,7 @@ sshd_selinux_getctxbyname(char *pwname,
/* Setup environment variables for pam_selinux */
static int
-ssh_selinux_setup_pam_variables(void)
+ssh_selinux_setup_variables(int(*set_it)(const char *, const char *))
-sshd_selinux_setup_pam_variables(void)
+sshd_selinux_setup_variables(int(*set_it)(char *, const char *))
{
const char *reqlvl;
char *role;
@@ -324,16 +324,16 @@ ssh_selinux_setup_pam_variables(void)
@@ -318,16 +332,16 @@ sshd_selinux_setup_pam_variables(void)
ssh_selinux_get_role_level(&role, &reqlvl);
@ -102,34 +182,64 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.keycat openssh-6.3p1/openbsd-
if (role != NULL)
free(role);
@@ -341,6 +341,24 @@ ssh_selinux_setup_pam_variables(void)
@@ -335,6 +349,24 @@ sshd_selinux_setup_pam_variables(void)
return rv;
}
+static int
+ssh_selinux_setup_pam_variables(void)
+sshd_selinux_setup_pam_variables(void)
+{
+ return ssh_selinux_setup_variables(do_pam_putenv);
+ return sshd_selinux_setup_variables(do_pam_putenv);
+}
+
+static int
+do_setenv(char *name, char *value)
+do_setenv(char *name, const char *value)
+{
+ return setenv(name, value, 1);
+}
+
+int
+ssh_selinux_setup_env_variables(void)
+sshd_selinux_setup_env_variables(void)
+{
+ return ssh_selinux_setup_variables(do_setenv);
+ return sshd_selinux_setup_variables(do_setenv);
+}
+
/* Set the execution context to the default for the specified user */
void
ssh_selinux_setup_exec_context(char *pwname)
diff -up openssh-6.3p1/ssh-keycat.c.keycat openssh-6.3p1/ssh-keycat.c
--- openssh-6.3p1/ssh-keycat.c.keycat 2013-10-10 15:16:33.446566911 +0200
+++ openssh-6.3p1/ssh-keycat.c 2013-10-10 15:16:33.446566911 +0200
sshd_selinux_setup_exec_context(char *pwname)
@@ -343,7 +375,7 @@ sshd_selinux_setup_exec_context(char *pw
int r = 0;
security_context_t default_ctx = NULL;
- if (!ssh_selinux_enabled())
+ if (!sshd_selinux_enabled())
return;
if (options.use_pam) {
@@ -414,7 +446,7 @@ sshd_selinux_copy_context(void)
{
security_context_t *ctx;
- if (!ssh_selinux_enabled())
+ if (!sshd_selinux_enabled())
return;
if (getexeccon((security_context_t *)&ctx) != 0) {
diff -up openssh-7.4p1/platform.c.keycat openssh-7.4p1/platform.c
--- openssh-7.4p1/platform.c.keycat 2017-02-08 14:32:33.007581455 +0100
+++ openssh-7.4p1/platform.c 2017-02-08 14:32:33.015581448 +0100
@@ -99,7 +99,7 @@ platform_setusercontext(struct passwd *p
{
#ifdef WITH_SELINUX
/* Cache selinux status for later use */
- (void)ssh_selinux_enabled();
+ (void)sshd_selinux_enabled();
#endif
#ifdef USE_SOLARIS_PROJECTS
diff -up openssh-7.4p1/ssh-keycat.c.keycat openssh-7.4p1/ssh-keycat.c
--- openssh-7.4p1/ssh-keycat.c.keycat 2017-02-08 14:32:33.015581448 +0100
+++ openssh-7.4p1/ssh-keycat.c 2017-02-08 14:32:33.015581448 +0100
@@ -0,0 +1,238 @@
+/*
+ * Redistribution and use in source and binary forms, with or without

View file

@ -1,15 +1,15 @@
diff -up openssh-5.8p1/authfile.c.keyperm openssh-5.8p1/authfile.c
--- openssh-5.8p1/authfile.c.keyperm 2010-12-01 02:03:39.000000000 +0100
+++ openssh-5.8p1/authfile.c 2011-04-21 16:43:36.859648916 +0200
@@ -57,6 +57,7 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <grp.h>
diff -up openssh-6.6p1/authfile.c.keyperm openssh-6.6p1/authfile.c
--- openssh-6.6p1/authfile.c.keyperm 2014-02-04 01:20:15.000000000 +0100
+++ openssh-6.6p1/authfile.c 2014-05-05 15:20:43.075246776 +0200
@@ -54,6 +54,7 @@
#include "xmalloc.h"
#include "cipher.h"
@@ -600,6 +612,13 @@ key_perm_ok(int fd, const char *filename
#include <errno.h>
#include <fcntl.h>
+#include <grp.h>
#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
@@ -979,6 +980,13 @@ key_perm_ok(int fd, const char *filename
#ifdef HAVE_CYGWIN
if (check_ntsec(filename))
#endif

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,28 @@
diff --git a/sshd.c b/sshd.c
index a7b8b6a..24ab272 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1620,6 +1620,10 @@ main(int ac, char **av)
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
&cfg, NULL);
+ /* 'UsePAM no' is not supported in Red Hat Enterprise Linux */
+ if (! options.use_pam)
+ logit("WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several problems.");
+
seed_rng();
/* Fill in default values for those options not explicitly set. */
diff --git a/sshd_config b/sshd_config
index 36cb27a..c1b7c03 100644
--- a/sshd_config
+++ b/sshd_config
@@ -101,6 +101,8 @@ GSSAPICleanupCredentials no
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
+# problems.
UsePAM yes
#AllowAgentForwarding yes

View file

@ -0,0 +1,25 @@
diff -up openssh-7.4p1/servconf.c.memory-problems openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.memory-problems 2017-02-09 10:41:42.483123417 +0100
+++ openssh-7.4p1/servconf.c 2017-02-09 10:42:16.392102462 +0100
@@ -2006,6 +2006,8 @@ copy_set_server_options(ServerOptions *d
dst->n = src->n; \
} while (0)
+ u_int i;
+
M_CP_INTOPT(password_authentication);
M_CP_INTOPT(gss_authentication);
M_CP_INTOPT(pubkey_authentication);
@@ -2058,8 +2060,10 @@ copy_set_server_options(ServerOptions *d
} while(0)
#define M_CP_STRARRAYOPT(n, num_n) do {\
if (src->num_n != 0) { \
+ for (i = 0; i < dst->num_n; i++) \
+ free(dst->n[i]); \
for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
- dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
+ dst->n[dst->num_n] = src->n[dst->num_n]; \
} \
} while(0)
diff -up openssh-7.4p1/sshd.c.memory-problems openssh-7.4p1/sshd.c

View file

@ -0,0 +1,108 @@
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
index c18524e..d04f4ed 100644
--- a/openbsd-compat/port-linux-sshd.c
+++ b/openbsd-compat/port-linux-sshd.c
@@ -409,6 +409,25 @@ sshd_selinux_setup_exec_context(char *pwname)
debug3("%s: done", __func__);
}
+void
+sshd_selinux_copy_context(void)
+{
+ security_context_t *ctx;
+
+ if (!ssh_selinux_enabled())
+ return;
+
+ if (getexeccon((security_context_t *)&ctx) != 0) {
+ logit("%s: getcon failed with %s", __func__, strerror (errno));
+ return;
+ }
+ if (ctx != NULL) {
+ if (setcon(ctx) != 0)
+ logit("%s: setcon failed with %s", __func__, strerror (errno));
+ freecon(ctx);
+ }
+}
+
#endif
#endif
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index 8ef6cc4..b18893c 100644
--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@@ -25,6 +25,7 @@ void ssh_selinux_setup_pty(char *, const char *);
void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
+void sshd_selinux_copy_context(void);
void sshd_selinux_setup_exec_context(char *);
#endif
diff --git a/session.c b/session.c
index 2bcf818..b5dc144 100644
--- a/session.c
+++ b/session.c
@@ -1538,6 +1538,9 @@ do_setusercontext(struct passwd *pw)
pw->pw_uid);
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
"u", pw->pw_name, (char *)NULL);
+#ifdef WITH_SELINUX
+ sshd_selinux_copy_context();
+#endif
safely_chroot(chroot_path, pw->pw_uid);
free(tmp);
free(chroot_path);
@@ -1565,6 +1568,12 @@ do_setusercontext(struct passwd *pw)
/* Permanently switch to the desired uid. */
permanently_set_uid(pw);
#endif
+
+#ifdef WITH_SELINUX
+ if (options.chroot_directory == NULL ||
+ strcasecmp(options.chroot_directory, "none") == 0)
+ sshd_selinux_copy_context();
+#endif
} else if (options.chroot_directory != NULL &&
strcasecmp(options.chroot_directory, "none") != 0) {
fatal("server lacks privileges to chroot to ChrootDirectory");
@@ -1826,9 +1835,6 @@ do_child(Session *s, const char *command)
argv[i] = NULL;
optind = optreset = 1;
__progname = argv[0];
-#ifdef WITH_SELINUX
- ssh_selinux_change_context("sftpd_t");
-#endif
exit(sftp_server_main(i, argv, s->pw));
}
diff --git a/sshd.c b/sshd.c
index 07f9926..a97f8b7 100644
--- a/sshd.c
+++ b/sshd.c
@@ -632,6 +632,10 @@ privsep_preauth_child(void)
/* Demote the private keys to public keys. */
demote_sensitive_data();
+#ifdef WITH_SELINUX
+ ssh_selinux_change_context("sshd_net_t");
+#endif
+
/* Demote the child */
if (getuid() == 0 || geteuid() == 0) {
/* Change our root directory */
@@ -768,6 +772,13 @@ privsep_postauth(Authctxt *authctxt)
do_setusercontext(authctxt->pw);
skip:
+#ifdef WITH_SELINUX
+ /* switch SELinux content for root too */
+ if (authctxt->pw->pw_uid == 0) {
+ sshd_selinux_copy_context();
+ }
+#endif
+
/* It is safe now to apply the key state */
monitor_apply_keystate(pmonitor);

View file

@ -1,10 +1,11 @@
diff -up openssh-6.3p1/ssh_config.redhat openssh-6.3p1/ssh_config
--- openssh-6.3p1/ssh_config.redhat 2013-10-11 14:51:18.345876648 +0200
+++ openssh-6.3p1/ssh_config 2013-10-11 15:13:05.429829266 +0200
@@ -46,3 +46,14 @@
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
diff -up openssh-7.4p1/ssh_config.redhat openssh-7.4p1/ssh_config
--- openssh-7.4p1/ssh_config.redhat 2017-02-08 15:22:30.811307915 +0100
+++ openssh-7.4p1/ssh_config 2017-02-08 15:22:30.812307915 +0100
@@ -52,3 +52,15 @@
# Uncomment this if you want to use .local domain
# Host *.local
# CheckHostIP no
+
+Host *
+ GSSAPIAuthentication yes
+# If this option is set to yes then remote X11 clients will have full access
@ -16,10 +17,10 @@ diff -up openssh-6.3p1/ssh_config.redhat openssh-6.3p1/ssh_config
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ SendEnv XMODIFIERS
diff -up openssh-6.3p1/sshd_config.0.redhat openssh-6.3p1/sshd_config.0
--- openssh-6.3p1/sshd_config.0.redhat 2013-09-13 08:20:43.000000000 +0200
+++ openssh-6.3p1/sshd_config.0 2013-10-11 14:51:18.345876648 +0200
@@ -653,9 +653,9 @@ DESCRIPTION
diff -up openssh-7.4p1/sshd_config.0.redhat openssh-7.4p1/sshd_config.0
--- openssh-7.4p1/sshd_config.0.redhat 2016-12-19 06:21:22.000000000 +0100
+++ openssh-7.4p1/sshd_config.0 2017-02-08 15:22:30.813307914 +0100
@@ -837,9 +837,9 @@ DESCRIPTION
SyslogFacility
Gives the facility code that is used when logging messages from
@ -32,10 +33,10 @@ diff -up openssh-6.3p1/sshd_config.0.redhat openssh-6.3p1/sshd_config.0
TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
diff -up openssh-6.3p1/sshd_config.5.redhat openssh-6.3p1/sshd_config.5
--- openssh-6.3p1/sshd_config.5.redhat 2013-07-20 05:21:53.000000000 +0200
+++ openssh-6.3p1/sshd_config.5 2013-10-11 14:51:18.346876643 +0200
@@ -1095,7 +1095,7 @@ Note that this option applies to protoco
diff -up openssh-7.4p1/sshd_config.5.redhat openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.redhat 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sshd_config.5 2017-02-08 15:22:30.813307914 +0100
@@ -1393,7 +1393,7 @@ By default no subsystems are defined.
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
.Xr sshd 8 .
@ -44,10 +45,10 @@ diff -up openssh-6.3p1/sshd_config.5.redhat openssh-6.3p1/sshd_config.5
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
.It Cm TCPKeepAlive
diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config
--- openssh-6.3p1/sshd_config.redhat 2013-10-11 14:51:18.343876657 +0200
+++ openssh-6.3p1/sshd_config 2013-10-11 14:51:18.346876643 +0200
@@ -10,6 +10,10 @@
diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config
--- openssh-7.4p1/sshd_config.redhat 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sshd_config 2017-02-08 15:33:24.705736576 +0100
@@ -10,21 +10,26 @@
# possible, but leave them commented. Uncommented options override the
# default value.
@ -58,15 +59,26 @@ diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
@@ -35,6 +39,7 @@
#ListenAddress ::
-#HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
@@ -70,9 +75,11 @@ AuthorizedKeysFile .ssh/authorized_keys
@@ -57,9 +62,11 @@ AuthorizedKeysFile .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
@ -78,31 +90,33 @@ diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config
# Kerberos options
#KerberosAuthentication no
@@ -82,7 +89,9 @@ AuthorizedKeysFile .ssh/authorized_keys
@@ -68,8 +75,8 @@ AuthorizedKeysFile .ssh/authorized_keys
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
+GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
+GSSAPICleanupCredentials yes
+GSSAPICleanupCredentials no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@@ -94,11 +103,13 @@ AuthorizedKeysFile .ssh/authorized_keys
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@@ -80,12 +87,12 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
-#UsePAM no
+UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
-#X11Forwarding no
+X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
@@ -120,6 +131,12 @@ UsePrivilegeSeparation sandbox # Defaul
#PermitTTY yes
@@ -108,6 +115,12 @@ AuthorizedKeysFile .ssh/authorized_keys
# no default banner path
#Banner none

View file

@ -0,0 +1,52 @@
Zseries only: Leave the hardware filedescriptors open.
All filedescriptors above 2 are getting closed when a new
sshd process to handle a new client connection is
spawned. As the process also chroot into an empty filesystem
without any device nodes, there is no chance to reopen the
files. This patch filters out the reqired fds in the
closefrom function so these are skipped in the close loop.
Author: Harald Freudenberger <freude@de.ibm.com>
---
openbsd-compat/bsd-closefrom.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
--- a/openbsd-compat/bsd-closefrom.c
+++ b/openbsd-compat/bsd-closefrom.c
@@ -82,7 +82,33 @@ closefrom(int lowfd)
fd = strtol(dent->d_name, &endp, 10);
if (dent->d_name != endp && *endp == '\0' &&
fd >= 0 && fd < INT_MAX && fd >= lowfd && fd != dirfd(dirp))
+#ifdef __s390__
+ {
+ /*
+ * the filedescriptors used to communicate with
+ * the device drivers to provide hardware support
+ * should survive. HF <freude@de.ibm.com>
+ */
+ char fpath[PATH_MAX], lpath[PATH_MAX];
+ len = snprintf(fpath, sizeof(fpath), "%s/%s",
+ fdpath, dent->d_name);
+ if (len > 0 && (size_t)len <= sizeof(fpath)) {
+ len = readlink(fpath, lpath, sizeof(lpath));
+ if (len > 0) {
+ lpath[len] = 0;
+ if (strstr(lpath, "dev/z90crypt")
+ || strstr(lpath, "dev/zcrypt")
+ || strstr(lpath, "dev/prandom")
+ || strstr(lpath, "dev/shm/icastats"))
+ fd = -1;
+ }
+ }
+ if (fd >= 0)
+ (void) close((int) fd);
+ }
+#else
(void) close((int) fd);
+#endif
}
(void) closedir(dirp);
} else

View file

@ -0,0 +1,98 @@
diff -up openssh-7.4p1/sftp-server.8.sftp-force-mode openssh-7.4p1/sftp-server.8
--- openssh-7.4p1/sftp-server.8.sftp-force-mode 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sftp-server.8 2017-02-09 10:35:41.926475399 +0100
@@ -38,6 +38,7 @@
.Op Fl P Ar blacklisted_requests
.Op Fl p Ar whitelisted_requests
.Op Fl u Ar umask
+.Op Fl m Ar force_file_perms
.Ek
.Nm
.Fl Q Ar protocol_feature
@@ -138,6 +139,10 @@ Sets an explicit
.Xr umask 2
to be applied to newly-created files and directories, instead of the
user's default mask.
+.It Fl m Ar force_file_perms
+Sets explicit file permissions to be applied to newly-created files instead
+of the default or client requested mode. Numeric values include:
+777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set.
.El
.Pp
On some systems,
diff -up openssh-7.4p1/sftp-server.c.sftp-force-mode openssh-7.4p1/sftp-server.c
--- openssh-7.4p1/sftp-server.c.sftp-force-mode 2017-02-09 10:22:36.498019921 +0100
+++ openssh-7.4p1/sftp-server.c 2017-02-09 10:35:07.190520959 +0100
@@ -65,6 +65,10 @@ struct sshbuf *oqueue;
/* Version of client */
static u_int version;
+/* Force file permissions */
+int permforce = 0;
+long permforcemode;
+
/* SSH2_FXP_INIT received */
static int init_done;
@@ -679,6 +683,7 @@ process_open(u_int32_t id)
Attrib a;
char *name;
int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE;
+ mode_t old_umask = 0;
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
@@ -688,6 +693,10 @@ process_open(u_int32_t id)
debug3("request %u: open flags %d", id, pflags);
flags = flags_from_portable(pflags);
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
+ if (permforce == 1) { /* Force perm if -m is set */
+ mode = permforcemode;
+ old_umask = umask(0); /* so umask does not interfere */
+ }
logit("open \"%s\" flags %s mode 0%o",
name, string_from_portable(pflags), mode);
if (readonly &&
@@ -709,6 +718,8 @@ process_open(u_int32_t id)
}
}
}
+ if (permforce == 1)
+ (void) umask(old_umask); /* restore umask to something sane */
if (status != SSH2_FX_OK)
send_status(id, status);
free(name);
@@ -1490,7 +1501,7 @@ sftp_server_usage(void)
fprintf(stderr,
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
"[-l log_level]\n\t[-P blacklisted_requests] "
- "[-p whitelisted_requests] [-u umask]\n"
+ "[-p whitelisted_requests] [-u umask] [-m force_file_perms]\n"
" %s -Q protocol_feature\n",
__progname, __progname);
exit(1);
@@ -1516,7 +1527,7 @@ sftp_server_main(int argc, char **argv,
pw = pwcopy(user_pw);
while (!skipargs && (ch = getopt(argc, argv,
- "d:f:l:P:p:Q:u:cehR")) != -1) {
+ "d:f:l:P:p:Q:u:m:cehR")) != -1) {
switch (ch) {
case 'Q':
if (strcasecmp(optarg, "requests") != 0) {
@@ -1576,6 +1587,15 @@ sftp_server_main(int argc, char **argv,
fatal("Invalid umask \"%s\"", optarg);
(void)umask((mode_t)mask);
break;
+ case 'm':
+ /* Force permissions on file received via sftp */
+ permforce = 1;
+ permforcemode = strtol(optarg, &cp, 8);
+ if (permforcemode < 0 || permforcemode > 0777 ||
+ *cp != '\0' || (permforcemode == 0 &&
+ errno != 0))
+ fatal("Invalid file mode \"%s\"", optarg);
+ break;
case 'h':
default:
sftp_server_usage();

View file

@ -0,0 +1,98 @@
commit 0e22b79bfde45a7cf7a2e51a68ec11c4285f3b31
Author: Jakub Jelen <jjelen@redhat.com>
Date: Mon Nov 21 15:04:06 2016 +0100
systemd stuff
diff --git a/configure.ac b/configure.ac
index 2ffc369..162ce92 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4265,6 +4265,30 @@ AC_ARG_WITH([kerberos5],
AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS])
+# Check whether user wants systemd support
+SYSTEMD_MSG="no"
+AC_ARG_WITH(systemd,
+ [ --with-systemd Enable systemd support],
+ [ if test "x$withval" != "xno" ; then
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
+ if test "$PKGCONFIG" != "no"; then
+ AC_MSG_CHECKING([for libsystemd])
+ if $PKGCONFIG --exists libsystemd; then
+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
+ AC_MSG_RESULT([yes])
+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
+ SYSTEMD_MSG="yes"
+ else
+ AC_MSG_RESULT([no])
+ fi
+ fi
+ fi ]
+)
+
+
# Looking for programs, paths and files
PRIVSEP_PATH=/var/empty
@@ -5097,6 +5121,7 @@ echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
echo " Solaris project support: $SP_MSG"
echo " Solaris privilege support: $SPP_MSG"
+echo " systemd support: $SYSTEMD_MSG"
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo " BSD Auth support: $BSD_AUTH_MSG"
diff --git a/contrib/sshd.service b/contrib/sshd.service
new file mode 100644
index 0000000..e0d4923
--- /dev/null
+++ b/contrib/sshd.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=OpenSSH server daemon
+Documentation=man:sshd(8) man:sshd_config(5)
+After=network.target
+
+[Service]
+Type=notify
+ExecStart=/usr/sbin/sshd -D $OPTIONS
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartPreventExitStatus=255
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/sshd.c b/sshd.c
index 816611c..b8b9d13 100644
--- a/sshd.c
+++ b/sshd.c
@@ -85,6 +85,10 @@
#include <prot.h>
#endif
+#ifdef HAVE_SYSTEMD
+#include <systemd/sd-daemon.h>
+#endif
+
#include "xmalloc.h"
#include "ssh.h"
#include "ssh2.h"
@@ -1833,6 +1837,11 @@ main(int ac, char **av)
}
}
+#ifdef HAVE_SYSTEMD
+ /* Signal systemd that we are ready to accept connections */
+ sd_notify(0, "READY=1");
+#endif
+
/* Accept a connection and return in a forked child */
server_accept_loop(&sock_in, &sock_out,
&newsock, config_s);

View file

@ -0,0 +1,27 @@
diff -up openssh-7.4p1/servconf.c.sshd-t openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.sshd-t 2017-02-09 10:19:56.859306131 +0100
+++ openssh-7.4p1/servconf.c 2017-02-09 10:22:07.895104402 +0100
@@ -2337,7 +2337,7 @@ dump_config(ServerOptions *o)
dump_cfg_string(sXAuthLocation, o->xauth_location);
dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
- dump_cfg_string(sBanner, o->banner);
+ dump_cfg_string(sBanner, o->banner == NULL ? "none" : o->banner);
dump_cfg_string(sForceCommand, o->adm_forced_command);
dump_cfg_string(sChrootDirectory, o->chroot_directory);
dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
diff -up openssh-7.4p1/ssh.1.sshd-t openssh-7.4p1/ssh.1
--- openssh-7.4p1/ssh.1.sshd-t 2017-02-09 10:19:56.823306172 +0100
+++ openssh-7.4p1/ssh.1 2017-02-09 10:19:56.859306131 +0100
@@ -512,7 +512,11 @@ For full details of the options listed b
.It GatewayPorts
.It GlobalKnownHostsFile
.It GSSAPIAuthentication
+.It GSSAPIKeyExchange
+.It GSSAPIClientIdentity
.It GSSAPIDelegateCredentials
+.It GSSAPIRenewalForcesRekey
+.It GSSAPITrustDns
.It HashKnownHosts
.It Host
.It HostbasedAuthentication

View file

@ -0,0 +1,214 @@
diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
--- openssh-7.4p1/channels.c.x11max 2017-02-09 12:49:04.690996627 +0100
+++ openssh-7.4p1/channels.c 2017-02-09 12:49:04.744996547 +0100
@@ -152,8 +152,8 @@ static int all_opens_permitted = 0;
/* -- X11 forwarding */
-/* Maximum number of fake X11 displays to try. */
-#define MAX_DISPLAYS 1000
+/* Minimum port number for X11 forwarding */
+#define X11_PORT_MIN 6000
/* Saved X11 local (client) display. */
static char *x11_saved_display = NULL;
@@ -4228,7 +4228,8 @@ channel_send_window_changes(void)
*/
int
x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
- int single_connection, u_int *display_numberp, int **chanids)
+ int x11_max_displays, int single_connection, u_int *display_numberp,
+ int **chanids)
{
Channel *nc = NULL;
int display_number, sock;
@@ -4240,10 +4241,15 @@ x11_create_display_inet(int x11_display_
if (chanids == NULL)
return -1;
+ /* Try to bind ports starting at 6000+X11DisplayOffset */
+ x11_max_displays = x11_max_displays + x11_display_offset;
+
for (display_number = x11_display_offset;
- display_number < MAX_DISPLAYS;
+ display_number < x11_max_displays;
display_number++) {
- port = 6000 + display_number;
+ port = X11_PORT_MIN + display_number;
+ if (port < X11_PORT_MIN) /* overflow */
+ break;
memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6;
hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
@@ -4295,7 +4301,7 @@ x11_create_display_inet(int x11_display_
if (num_socks > 0)
break;
}
- if (display_number >= MAX_DISPLAYS) {
+ if (display_number >= x11_max_displays || port < X11_PORT_MIN ) {
error("Failed to allocate internet-domain X11 display socket.");
return -1;
}
@@ -4441,7 +4447,7 @@ x11_connect_display(void)
memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6;
hints.ai_socktype = SOCK_STREAM;
- snprintf(strport, sizeof strport, "%u", 6000 + display_number);
+ snprintf(strport, sizeof strport, "%u", X11_PORT_MIN + display_number);
if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
error("%.100s: unknown host. (%s)", buf,
ssh_gai_strerror(gaierr));
@@ -4457,7 +4463,7 @@ x11_connect_display(void)
/* Connect it to the display. */
if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
debug2("connect %.100s port %u: %.100s", buf,
- 6000 + display_number, strerror(errno));
+ X11_PORT_MIN + display_number, strerror(errno));
close(sock);
continue;
}
@@ -4466,8 +4472,8 @@ x11_connect_display(void)
}
freeaddrinfo(aitop);
if (!ai) {
- error("connect %.100s port %u: %.100s", buf, 6000 + display_number,
- strerror(errno));
+ error("connect %.100s port %u: %.100s", buf,
+ X11_PORT_MIN + display_number, strerror(errno));
return -1;
}
set_nodelay(sock);
diff -up openssh-7.4p1/channels.h.x11max openssh-7.4p1/channels.h
--- openssh-7.4p1/channels.h.x11max 2017-02-09 12:49:04.744996547 +0100
+++ openssh-7.4p1/channels.h 2017-02-09 12:49:50.230929693 +0100
@@ -293,7 +293,7 @@ int permitopen_port(const char *);
void channel_set_x11_refuse_time(u_int);
int x11_connect_display(void);
-int x11_create_display_inet(int, int, int, u_int *, int **);
+int x11_create_display_inet(int, int, int, int, u_int *, int **);
int x11_input_open(int, u_int32_t, void *);
void x11_request_forwarding_with_spoofing(int, const char *, const char *,
const char *, int);
diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.x11max 2017-02-09 12:49:04.741996552 +0100
+++ openssh-7.4p1/servconf.c 2017-02-09 12:51:03.167822492 +0100
@@ -94,6 +94,7 @@ initialize_server_options(ServerOptions
options->print_lastlog = -1;
options->x11_forwarding = -1;
options->x11_display_offset = -1;
+ options->x11_max_displays = -1;
options->x11_use_localhost = -1;
options->permit_tty = -1;
options->permit_user_rc = -1;
@@ -242,6 +243,8 @@ fill_default_server_options(ServerOption
options->x11_forwarding = 0;
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
+ if (options->x11_max_displays == -1)
+ options->x11_max_displays = DEFAULT_MAX_DISPLAYS;
if (options->x11_use_localhost == -1)
options->x11_use_localhost = 1;
if (options->xauth_location == NULL)
@@ -416,7 +419,7 @@ typedef enum {
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
- sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
+ sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost,
sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
@@ -537,6 +540,7 @@ static struct {
{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
+ { "x11maxdisplays", sX11MaxDisplays, SSHCFG_ALL },
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -1313,6 +1317,10 @@ process_server_config_line(ServerOptions
*intptr = value;
break;
+ case sX11MaxDisplays:
+ intptr = &options->x11_max_displays;
+ goto parse_int;
+
case sX11UseLocalhost:
intptr = &options->x11_use_localhost;
goto parse_flag;
@@ -2060,6 +2068,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
M_CP_INTOPT(x11_display_offset);
M_CP_INTOPT(x11_forwarding);
+ M_CP_INTOPT(x11_max_displays);
M_CP_INTOPT(x11_use_localhost);
M_CP_INTOPT(permit_tty);
M_CP_INTOPT(permit_user_rc);
@@ -2312,6 +2321,7 @@ dump_config(ServerOptions *o)
#endif
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
+ dump_cfg_int(sX11MaxDisplays, o->x11_max_displays);
dump_cfg_int(sMaxAuthTries, o->max_authtries);
dump_cfg_int(sMaxSessions, o->max_sessions);
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
diff -up openssh-7.4p1/servconf.h.x11max openssh-7.4p1/servconf.h
--- openssh-7.4p1/servconf.h.x11max 2017-02-09 12:49:04.741996552 +0100
+++ openssh-7.4p1/servconf.h 2017-02-09 12:49:04.744996547 +0100
@@ -55,6 +55,7 @@
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
+#define DEFAULT_MAX_DISPLAYS 1000 /* Maximum number of fake X11 displays to try. */
/* Magic name for internal sftp-server */
#define INTERNAL_SFTP_NAME "internal-sftp"
@@ -85,6 +86,7 @@ typedef struct {
int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */
int x11_display_offset; /* What DISPLAY number to start
* searching at */
+ int x11_max_displays; /* Number of displays to search */
int x11_use_localhost; /* If true, use localhost for fake X11 server. */
char *xauth_location; /* Location of xauth program */
int permit_tty; /* If false, deny pty allocation */
diff -up openssh-7.4p1/session.c.x11max openssh-7.4p1/session.c
--- openssh-7.4p1/session.c.x11max 2017-02-09 12:49:04.742996550 +0100
+++ openssh-7.4p1/session.c 2017-02-09 12:49:04.745996546 +0100
@@ -2502,8 +2502,9 @@ session_setup_x11fwd(Session *s)
return 0;
}
if (x11_create_display_inet(options.x11_display_offset,
- options.x11_use_localhost, s->single_connection,
- &s->display_number, &s->x11_chanids) == -1) {
+ options.x11_use_localhost, options.x11_max_displays,
+ s->single_connection, &s->display_number,
+ &s->x11_chanids) == -1) {
debug("x11_create_display_inet failed.");
return 0;
}
diff -up openssh-7.4p1/sshd_config.5.x11max openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.x11max 2017-02-09 12:49:04.742996550 +0100
+++ openssh-7.4p1/sshd_config.5 2017-02-09 12:51:24.656790909 +0100
@@ -1137,6 +1137,7 @@ Available keywords are
.Cm StreamLocalBindUnlink ,
.Cm TrustedUserCAKeys ,
.Cm X11DisplayOffset ,
+.Cm X11MaxDisplays ,
.Cm X11Forwarding
and
.Cm X11UseLocalHost .
@@ -1563,6 +1564,12 @@ Specifies the first display number avail
X11 forwarding.
This prevents sshd from interfering with real X11 servers.
The default is 10.
+.It Cm X11MaxDisplays
+Specifies the maximum number of displays available for
+.Xr sshd 8 Ns 's
+X11 forwarding.
+This prevents sshd from exhausting local ports.
+The default is 1000.
.It Cm X11Forwarding
Specifies whether X11 forwarding is permitted.
The argument must be

View file

@ -0,0 +1,145 @@
From 74287f5df9966a0648b4a68417451dd18f079ab8 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Tue, 31 Jul 2018 03:10:27 +0000
Subject: [PATCH] upstream: delay bailout for invalid authentic
=?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?=
=?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?=
=?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d
---
auth2-gss.c | 11 +++++++----
auth2-hostbased.c | 11 ++++++-----
auth2-pubkey.c | 25 +++++++++++++++----------
3 files changed, 28 insertions(+), 19 deletions(-)
diff --git a/auth2-gss.c b/auth2-gss.c
index 47308c5ce..9351e0428 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -70,9 +70,6 @@ userauth_gssapi(struct ssh *ssh)
u_int len;
u_char *doid = NULL;
- if (!authctxt->valid || authctxt->user == NULL)
- return (0);
-
mechs = packet_get_int();
if (mechs == 0) {
debug("Mechanism negotiation is not supported");
@@ -106,6 +103,12 @@ userauth_gssapi(struct ssh *ssh)
return (0);
}
+ if (!authctxt->valid || authctxt->user == NULL) {
+ debug2("%s: disabled because of invalid user", __func__);
+ free(doid);
+ return (0);
+ }
+
if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
if (ctxt != NULL)
ssh_gssapi_delete_ctx(&ctxt);
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index 60159a56c..359393291 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -67,10 +67,6 @@ userauth_hostbased(struct ssh *ssh)
int pktype;
int authenticated = 0;
- if (!authctxt->valid) {
- debug2("userauth_hostbased: disabled because of invalid user");
- return 0;
- }
pkalg = packet_get_string(&alen);
pkblob = packet_get_string(&blen);
chost = packet_get_string(NULL);
@@ -117,6 +113,11 @@ userauth_hostbased(struct ssh *ssh)
goto done;
}
+ if (!authctxt->valid || authctxt->user == NULL) {
+ debug2("%s: disabled because of invalid user", __func__);
+ goto done;
+ }
+
service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
authctxt->service;
buffer_init(&b);
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index c4d0f7908..e1c150401 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -89,16 +89,12 @@ userauth_pubkey(struct ssh *ssh)
{
Buffer b;
Key *key = NULL;
- char *pkalg, *userstyle, *pubkey, *fp = NULL;
- u_char *pkblob, *sig;
+ char *pkalg = NULL, *userstyle = NULL, *pubkey = NULL, *fp = NULL;
+ u_char *pkblob = NULL, *sig = NULL;
u_int alen, blen, slen;
int have_sig, pktype;
int authenticated = 0;
- if (!authctxt->valid) {
- debug2("%s: disabled because of invalid user", __func__);
- return 0;
- }
have_sig = packet_get_char();
if (datafellows & SSH_BUG_PKAUTH) {
debug2("%s: SSH_BUG_PKAUTH", __func__);
@@ -167,6 +163,12 @@ userauth_pubkey(struct ssh *ssh)
} else {
buffer_put_string(&b, session_id2, session_id2_len);
}
+ if (!authctxt->valid || authctxt->user == NULL) {
+ buffer_free(&b);
+ debug2("%s: disabled because of invalid user",
+ __func__);
+ goto done;
+ }
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
@@ -183,7 +184,6 @@ userauth_pubkey(struct ssh *ssh)
#endif
pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
auth_info(authctxt, "%s", pubkey);
-
/* test for correct signature */
authenticated = 0;
if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
@@ -194,7 +194,6 @@ userauth_pubkey(struct ssh *ssh)
free(pubkey);
}
buffer_free(&b);
- free(sig);
} else {
debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
__func__, sshkey_type(key), fp);
@@ -205,6 +204,11 @@ userauth_pubkey(struct ssh *ssh)
__func__, sshkey_type(key), fp);
packet_check_eom();
+ if (!authctxt->valid || authctxt->user == NULL) {
+ debug2("%s: disabled because of invalid user",
+ __func__);
+ goto done;
+ }
/* XXX fake reply and always send PK_OK ? */
/*
* XXX this allows testing whether a user is allowed
@@ -238,6 +242,7 @@ userauth_pubkey(struct ssh *ssh)
free(pkalg);
free(pkblob);
free(fp);
+ free(sig);
return authenticated;
}

View file

@ -0,0 +1,16 @@
diff -up openssh-7.4p1/mux.c.controlPath openssh-7.4p1/mux.c
--- openssh-7.4p1/mux.c.controlPath 2017-05-04 14:49:44.629247946 +0200
+++ openssh-7.4p1/mux.c 2017-05-04 14:52:54.955109022 +0200
@@ -1290,6 +1290,12 @@ muxserver_listen(void)
oerrno = errno;
umask(old_umask);
if (muxserver_sock < 0) {
+ if (oerrno == ENAMETOOLONG) {
+ /* the error is already logged from unix_listener() */
+ error("ControlPath %s too long, "
+ "disabling multiplexing", options.control_path);
+ goto disable_mux_master;
+ }
if (oerrno == EINVAL || oerrno == EADDRINUSE) {
error("ControlSocket %s already exists, "
"disabling multiplexing", options.control_path);

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,38 @@
From ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 30 Dec 2016 22:08:02 +0000
Subject: [PATCH] upstream commit
fix deadlock when keys/principals command produces a lot of
output and a key is matched early; bz#2655, patch from jboning AT gmail.com
Upstream-ID: e19456429bf99087ea994432c16d00a642060afe
---
auth2-pubkey.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 20f3309e1..70c021589 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -727,6 +727,9 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key)
ok = process_principals(f, NULL, pw, cert);
+ fclose(f);
+ f = NULL;
+
if (exited_cleanly(pid, "AuthorizedPrincipalsCommand", command) != 0)
goto out;
@@ -1050,6 +1053,9 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
+ fclose(f);
+ f = NULL;
+
if (exited_cleanly(pid, "AuthorizedKeysCommand", command) != 0)
goto out;

View file

@ -0,0 +1,50 @@
diff --git a/ssh-agent.c b/ssh-agent.c
index 1320cda..2441329 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -821,7 +821,7 @@ send:
static void
process_remove_smartcard_key(SocketEntry *e)
{
- char *provider = NULL, *pin = NULL;
+ char *provider = NULL, *pin = NULL, canonical_provider[PATH_MAX];
int r, version, success = 0;
Identity *id, *nxt;
Idtab *tab;
@@ -831,6 +831,13 @@ process_remove_smartcard_key(SocketEntry *e)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
free(pin);
+ if (realpath(provider, canonical_provider) == NULL) {
+ verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+ provider, strerror(errno));
+ goto send;
+ }
+
+ debug("%s: remove %.100s", __func__, canonical_provider);
for (version = 1; version < 3; version++) {
tab = idtab_lookup(version);
for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) {
@@ -838,18 +845,19 @@ process_remove_smartcard_key(SocketEntry *e)
/* Skip file--based keys */
if (id->provider == NULL)
continue;
- if (!strcmp(provider, id->provider)) {
+ if (!strcmp(canonical_provider, id->provider)) {
TAILQ_REMOVE(&tab->idlist, id, next);
free_identity(id);
tab->nentries--;
}
}
}
- if (pkcs11_del_provider(provider) == 0)
+ if (pkcs11_del_provider(canonical_provider) == 0)
success = 1;
else
error("process_remove_smartcard_key:"
" pkcs11_del_provider failed");
+send:
free(provider);
send_status(e, success);
}

View file

@ -0,0 +1,30 @@
commit 0fb1a617a07b8df5de188dd5a0c8bf293d4bfc0e
Author: markus@openbsd.org <markus@openbsd.org>
Date: Sat Mar 11 13:07:35 2017 +0000
upstream commit
Don't count the initial block twice when computing how
many bytes to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
Upstream-ID: f445f509a4e0a7ba3b9c0dae7311cb42458dc1e2
diff --git a/packet.c b/packet.c
index 01e2d45..2f3a2ec 100644
--- a/packet.c
+++ b/packet.c
@@ -1850,11 +1850,11 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
if (r != SSH_ERR_MAC_INVALID)
goto out;
logit("Corrupted MAC on input.");
- if (need > PACKET_MAX_SIZE)
+ if (need + block_size > PACKET_MAX_SIZE)
return SSH_ERR_INTERNAL_ERROR;
return ssh_packet_start_discard(ssh, enc, mac,
sshbuf_len(state->incoming_packet),
- PACKET_MAX_SIZE - need);
+ PACKET_MAX_SIZE - need - block_size);
}
/* Remove MAC from input buffer */
DBG(debug("MAC #%d ok", state->p_read.seqnr));

View file

@ -0,0 +1,574 @@
diff -up openssh-7.4p1/auth-pam.c.coverity openssh-7.4p1/auth-pam.c
diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
--- openssh-7.4p1/channels.c.coverity 2017-02-09 14:58:32.786064600 +0100
+++ openssh-7.4p1/channels.c 2017-02-09 15:01:28.869890219 +0100
@@ -266,11 +266,11 @@ channel_register_fds(Channel *c, int rfd
channel_max_fd = MAXIMUM(channel_max_fd, wfd);
channel_max_fd = MAXIMUM(channel_max_fd, efd);
- if (rfd != -1)
+ if (rfd >= 0)
fcntl(rfd, F_SETFD, FD_CLOEXEC);
- if (wfd != -1 && wfd != rfd)
+ if (wfd >= 0 && wfd != rfd)
fcntl(wfd, F_SETFD, FD_CLOEXEC);
- if (efd != -1 && efd != rfd && efd != wfd)
+ if (efd >= 0 && efd != rfd && efd != wfd)
fcntl(efd, F_SETFD, FD_CLOEXEC);
c->rfd = rfd;
@@ -288,11 +288,11 @@ channel_register_fds(Channel *c, int rfd
/* enable nonblocking mode */
if (nonblock) {
- if (rfd != -1)
+ if (rfd >= 0)
set_nonblock(rfd);
- if (wfd != -1)
+ if (wfd >= 0)
set_nonblock(wfd);
- if (efd != -1)
+ if (efd >= 0)
set_nonblock(efd);
}
}
diff -up openssh-7.4p1/clientloop.c.coverity openssh-7.4p1/clientloop.c
diff -up openssh-7.4p1/key.c.coverity openssh-7.4p1/key.c
diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
--- openssh-7.4p1/monitor.c.coverity 2017-02-09 14:58:32.793064593 +0100
+++ openssh-7.4p1/monitor.c 2017-02-09 14:58:32.805064581 +0100
@@ -411,7 +411,7 @@ monitor_child_preauth(Authctxt *_authctx
mm_get_keystate(pmonitor);
/* Drain any buffered messages from the child */
- while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
+ while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
;
close(pmonitor->m_sendfd);
diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
--- openssh-7.4p1/monitor_wrap.c.coverity 2017-02-09 14:58:32.797064589 +0100
+++ openssh-7.4p1/monitor_wrap.c 2017-02-09 14:58:32.805064581 +0100
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
error("%s: cannot allocate fds for pty", __func__);
- if (tmp1 > 0)
+ if (tmp1 >= 0)
close(tmp1);
- if (tmp2 > 0)
- close(tmp2);
+ /*DEAD CODE if (tmp2 >= 0)
+ close(tmp2);*/
return 0;
}
close(tmp1);
diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c
--- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/openbsd-compat/bindresvport.c 2017-02-09 14:58:32.805064581 +0100
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
struct sockaddr_in6 *in6;
u_int16_t *portp;
u_int16_t port;
- socklen_t salen;
+ socklen_t salen = sizeof(struct sockaddr_storage);
int i;
if (sa == NULL) {
diff -up openssh-7.4p1/packet.c.coverity openssh-7.4p1/packet.c
diff -up openssh-7.4p1/progressmeter.c.coverity openssh-7.4p1/progressmeter.c
diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c
--- openssh-7.4p1/scp.c.coverity 2017-02-09 14:58:32.761064625 +0100
+++ openssh-7.4p1/scp.c 2017-02-09 14:58:38.590058852 +0100
@@ -157,7 +157,7 @@ killchild(int signo)
{
if (do_cmd_pid > 1) {
kill(do_cmd_pid, signo ? signo : SIGTERM);
- waitpid(do_cmd_pid, NULL, 0);
+ (void) waitpid(do_cmd_pid, NULL, 0);
}
if (signo)
diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.coverity 2017-02-09 14:58:32.801064585 +0100
+++ openssh-7.4p1/servconf.c 2017-02-09 14:58:38.591058851 +0100
@@ -1544,7 +1544,7 @@ process_server_config_line(ServerOptions
fatal("%s line %d: Missing subsystem name.",
filename, linenum);
if (!*activep) {
- arg = strdelim(&cp);
+ /*arg =*/ (void) strdelim(&cp);
break;
}
for (i = 0; i < options->num_subsystems; i++)
@@ -1635,8 +1635,9 @@ process_server_config_line(ServerOptions
if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid());
/* increase optional counter */
- if (intptr != NULL)
- *intptr = *intptr + 1;
+ /* DEAD CODE intptr is still NULL ;)
+ if (intptr != NULL)
+ *intptr = *intptr + 1; */
}
break;
diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
--- openssh-7.4p1/serverloop.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/serverloop.c 2017-02-09 14:58:38.592058850 +0100
@@ -125,13 +125,13 @@ notify_setup(void)
static void
notify_parent(void)
{
- if (notify_pipe[1] != -1)
+ if (notify_pipe[1] >= 0)
(void)write(notify_pipe[1], "", 1);
}
static void
notify_prepare(fd_set *readset)
{
- if (notify_pipe[0] != -1)
+ if (notify_pipe[0] >= 0)
FD_SET(notify_pipe[0], readset);
}
static void
@@ -139,8 +139,8 @@ notify_done(fd_set *readset)
{
char c;
- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset))
- while (read(notify_pipe[0], &c, 1) != -1)
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
+ while (read(notify_pipe[0], &c, 1) >= 0)
debug2("notify_done: reading");
}
@@ -518,7 +518,7 @@ server_request_tun(void)
}
tun = packet_get_int();
- if (forced_tun_device != -1) {
+ if (forced_tun_device >= 0) {
if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
goto done;
tun = forced_tun_device;
diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sftp.c 2017-02-09 14:58:38.598058844 +0100
@@ -224,7 +224,7 @@ killchild(int signo)
{
if (sshpid > 1) {
kill(sshpid, SIGTERM);
- waitpid(sshpid, NULL, 0);
+ (void) waitpid(sshpid, NULL, 0);
}
_exit(1);
diff -up openssh-7.4p1/sftp-client.c.coverity openssh-7.4p1/sftp-client.c
--- openssh-7.4p1/sftp-client.c.coverity 2017-02-09 14:58:38.596058846 +0100
+++ openssh-7.4p1/sftp-client.c 2017-02-09 15:20:18.893624636 +0100
@@ -973,7 +973,7 @@ do_symlink(struct sftp_conn *conn, const
}
int
-do_fsync(struct sftp_conn *conn, u_char *handle, u_int handle_len)
+do_fsync(struct sftp_conn *conn, const u_char *handle, u_int handle_len)
{
struct sshbuf *msg;
u_int status, id;
--- openssh-7.4p1/sftp-client.h.coverity 2017-02-10 09:28:10.951155129 +0100
+++ openssh-7.4p1/sftp-client.h 2017-02-10 09:27:28.685069870 +0100
@@ -107,7 +107,7 @@ int do_hardlink(struct sftp_conn *, cons
int do_symlink(struct sftp_conn *, const char *, const char *);
/* Call fsync() on open file 'handle' */
-int do_fsync(struct sftp_conn *conn, u_char *, u_int);
+int do_fsync(struct sftp_conn *conn, const u_char *, u_int);
/*
* Download 'remote_path' to 'local_path'. Preserve permissions and times
diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
--- openssh-7.4p1/ssh-agent.c.coverity 2017-02-09 14:58:38.599058843 +0100
+++ openssh-7.4p1/ssh-agent.c 2017-02-09 15:29:21.938917065 +0100
@@ -1220,8 +1220,8 @@ main(int ac, char **av)
sanitise_stdfd();
/* drop */
- setegid(getgid());
- setgid(getgid());
+ (void) setegid(getgid());
+ (void) setgid(getgid());
platform_disable_tracing(0); /* strict=no */
diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
--- openssh-7.4p1/sshd.c.coverity 2017-02-09 14:58:38.600058842 +0100
+++ openssh-7.4p1/sshd.c 2017-02-09 15:30:33.403800831 +0100
@@ -679,8 +679,10 @@ privsep_preauth(Authctxt *authctxt)
privsep_preauth_child();
setproctitle("%s", "[net]");
- if (box != NULL)
+ if (box != NULL) {
ssh_sandbox_child(box);
+ free(box);
+ }
return 0;
}
@@ -1382,6 +1384,9 @@ server_accept_loop(int *sock_in, int *so
if (num_listen_socks < 0)
break;
}
+
+ if (fdset != NULL)
+ free(fdset);
}
/*
diff --git a/auth-pam.c b/auth-pam.c
index e554ec4..bd16d80 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -834,6 +834,8 @@ fake_password(const char *wire_password)
fatal("%s: password length too long: %zu", __func__, l);
ret = malloc(l + 1);
+ if (ret == NULL)
+ return NULL;
for (i = 0; i < l; i++)
ret[i] = junk[i % (sizeof(junk) - 1)];
ret[i] = '\0';
diff --git a/clientloop.c b/clientloop.c
index c6a4138..9b00e12 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -2290,7 +2290,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
free(response);
response = read_passphrase("Accept updated hostkeys? "
"(yes/no): ", RP_ECHO);
- if (strcasecmp(response, "yes") == 0)
+ if (response != NULL && strcasecmp(response, "yes") == 0)
break;
else if (quit_pending || response == NULL ||
strcasecmp(response, "no") == 0) {
diff --git a/digest-openssl.c b/digest-openssl.c
index 13b63c2..dfa9b8d 100644
--- a/digest-openssl.c
+++ b/digest-openssl.c
@@ -158,7 +158,7 @@ ssh_digest_final(struct ssh_digest_ctx *ctx, u_char *d, size_t dlen)
const struct ssh_digest *digest = ssh_digest_by_alg(ctx->alg);
u_int l = dlen;
- if (dlen > UINT_MAX)
+ if (digest == NULL || dlen > UINT_MAX)
return SSH_ERR_INVALID_ARGUMENT;
if (dlen < digest->digest_len) /* No truncation allowed */
return SSH_ERR_INVALID_ARGUMENT;
diff --git a/kex.c b/kex.c
index a30dabe..a8ac91f 100644
--- a/kex.c
+++ b/kex.c
@@ -178,7 +178,7 @@ kex_names_valid(const char *names)
char *
kex_names_cat(const char *a, const char *b)
{
- char *ret = NULL, *tmp = NULL, *cp, *p;
+ char *ret = NULL, *tmp = NULL, *cp, *p, *m;
size_t len;
if (a == NULL || *a == '\0')
@@ -195,8 +195,10 @@ kex_names_cat(const char *a, const char *b)
}
strlcpy(ret, a, len);
for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
- if (match_list(ret, p, NULL) != NULL)
+ if ((m = match_list(ret, p, NULL)) != NULL) {
+ free(m);
continue; /* Algorithm already present */
+ }
if (strlcat(ret, ",", len) >= len ||
strlcat(ret, p, len) >= len) {
free(tmp);
@@ -651,8 +653,10 @@ choose_enc(struct sshenc *enc, char *client, char *server)
#endif
return SSH_ERR_NO_CIPHER_ALG_MATCH;
}
- if ((enc->cipher = cipher_by_name(name)) == NULL)
+ if ((enc->cipher = cipher_by_name(name)) == NULL) {
+ free(name);
return SSH_ERR_INTERNAL_ERROR;
+ }
enc->name = name;
enc->enabled = 0;
enc->iv = NULL;
@@ -670,8 +674,10 @@ choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
#endif
return SSH_ERR_NO_MAC_ALG_MATCH;
}
- if (mac_setup(mac, name) < 0)
+ if (mac_setup(mac, name) < 0) {
+ free(name);
return SSH_ERR_INTERNAL_ERROR;
+ }
/* truncate the key */
if (ssh->compat & SSH_BUG_HMAC)
mac->key_len = 16;
@@ -695,6 +701,7 @@ choose_comp(struct sshcomp *comp, char *client, char *server)
} else if (strcmp(name, "none") == 0) {
comp->type = COMP_NONE;
} else {
+ free(name);
return SSH_ERR_INTERNAL_ERROR;
}
comp->name = name;
diff --git a/readconf.c b/readconf.c
index 3e7a5d8..acc1391 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1500,6 +1500,7 @@ parse_keytypes:
if (r == GLOB_NOMATCH) {
debug("%.200s line %d: include %s matched no "
"files",filename, linenum, arg2);
+ free(arg2);
continue;
} else if (r != 0 || gl.gl_pathc < 0)
fatal("%.200s line %d: glob failed for %s.",
diff --git a/servconf.c b/servconf.c
index 6ab1cb4..5f2464a 100644
--- a/servconf.c
+++ b/servconf.c
@@ -2284,8 +2284,6 @@ dump_cfg_fmtint(ServerOpCodes code, int val)
static void
dump_cfg_string(ServerOpCodes code, const char *val)
{
- if (val == NULL)
- return;
printf("%s %s\n", lookup_opcode_name(code),
val == NULL ? "none" : val);
}
diff --git a/sshconnect.c b/sshconnect.c
index 07f80cd..5d4b41b 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1533,6 +1533,7 @@ maybe_add_key_to_agent(char *authfile, Key *private, char *comment,
if (options.add_keys_to_agent == 2 &&
!ask_permission("Add key %s (%s) to agent?", authfile, comment)) {
debug3("user denied adding this key");
+ close(auth_sock);
return;
}
@@ -1541,4 +1542,5 @@ maybe_add_key_to_agent(char *authfile, Key *private, char *comment,
debug("identity added to agent: %s", authfile);
else
debug("could not add identity to agent: %s (%d)", authfile, r);
+ close(auth_sock);
}
diff --git a/sshconnect2.c b/sshconnect2.c
index f31c24c..aecf765 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1061,6 +1061,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
if (key_to_blob(id->key, &blob, &bloblen) == 0) {
/* we cannot handle this key */
+ free(blob);
debug3("sign_and_send_pubkey: cannot handle key");
return 0;
}
@@ -1170,6 +1171,7 @@ send_pubkey_test(Authctxt *authctxt, Identity *id)
if (key_to_blob(id->key, &blob, &bloblen) == 0) {
/* we cannot handle this key */
+ free(blob);
debug3("send_pubkey_test: cannot handle key");
return 0;
}
diff --git a/sshkey.c b/sshkey.c
index 85fd1bd..58c1051 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1375,8 +1375,6 @@ sshkey_read(struct sshkey *ret, char **cpp)
retval = 0;
/*XXXX*/
sshkey_free(k);
- if (retval != 0)
- break;
break;
default:
return SSH_ERR_INVALID_ARGUMENT;
diff --git a/krl.c b/krl.c
index e271a19..69bec99 100644
--- a/krl.c
+++ b/krl.c
@@ -1089,7 +1089,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
break;
case KRL_SECTION_SIGNATURE:
/* Handled above, but still need to stay in synch */
- sshbuf_reset(sect);
+ sshbuf_free(sect);
sect = NULL;
if ((r = sshbuf_skip_string(copy)) != 0)
goto out;
@@ -1288,7 +1288,8 @@ ssh_krl_file_contains_key(const char *path, const struct sshkey *key)
debug2("%s: checking KRL %s", __func__, path);
r = ssh_krl_check_key(krl, key);
out:
- close(fd);
+ if (fd != -1)
+ close(fd);
sshbuf_free(krlbuf);
ssh_krl_free(krl);
if (r != 0)
diff --git a/readconf.c b/readconf.c
index acc1391..c4dff15 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1185,7 +1185,7 @@ parse_int:
value = cipher_number(arg);
if (value == -1)
fatal("%.200s line %d: Bad cipher '%s'.",
- filename, linenum, arg ? arg : "<NONE>");
+ filename, linenum, arg);
if (*activep && *intptr == -1)
*intptr = value;
break;
@@ -1196,7 +1196,7 @@ parse_int:
fatal("%.200s line %d: Missing argument.", filename, linenum);
if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
- filename, linenum, arg ? arg : "<NONE>");
+ filename, linenum, arg);
if (*activep && options->ciphers == NULL)
options->ciphers = xstrdup(arg);
break;
@@ -1207,7 +1207,7 @@ parse_int:
fatal("%.200s line %d: Missing argument.", filename, linenum);
if (!mac_valid(*arg == '+' ? arg + 1 : arg))
fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
- filename, linenum, arg ? arg : "<NONE>");
+ filename, linenum, arg);
if (*activep && options->macs == NULL)
options->macs = xstrdup(arg);
break;
@@ -1220,7 +1220,7 @@ parse_int:
filename, linenum);
if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
- filename, linenum, arg ? arg : "<NONE>");
+ filename, linenum, arg);
if (*activep && options->kex_algorithms == NULL)
options->kex_algorithms = xstrdup(arg);
break;
@@ -1235,7 +1235,7 @@ parse_keytypes:
filename, linenum);
if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
fatal("%s line %d: Bad key types '%s'.",
- filename, linenum, arg ? arg : "<NONE>");
+ filename, linenum, arg);
if (*activep && *charptr == NULL)
*charptr = xstrdup(arg);
break;
@@ -1248,7 +1248,7 @@ parse_keytypes:
value = proto_spec(arg);
if (value == SSH_PROTO_UNKNOWN)
fatal("%.200s line %d: Bad protocol spec '%s'.",
- filename, linenum, arg ? arg : "<NONE>");
+ filename, linenum, arg);
if (*activep && *intptr == SSH_PROTO_UNKNOWN)
*intptr = value;
break;
diff --git a/servconf.c b/servconf.c
index 5f2464a..4564494 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1217,7 +1217,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
filename, linenum);
if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
fatal("%s line %d: Bad key types '%s'.",
- filename, linenum, arg ? arg : "<NONE>");
+ filename, linenum, arg);
if (*activep && *charptr == NULL)
*charptr = xstrdup(arg);
break;
@@ -1476,7 +1476,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
fatal("%s line %d: Missing argument.", filename, linenum);
if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
- filename, linenum, arg ? arg : "<NONE>");
+ filename, linenum, arg);
if (options->ciphers == NULL)
options->ciphers = xstrdup(arg);
break;
@@ -1487,7 +1487,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
fatal("%s line %d: Missing argument.", filename, linenum);
if (!mac_valid(*arg == '+' ? arg + 1 : arg))
fatal("%s line %d: Bad SSH2 mac spec '%s'.",
- filename, linenum, arg ? arg : "<NONE>");
+ filename, linenum, arg);
if (options->macs == NULL)
options->macs = xstrdup(arg);
break;
@@ -1500,7 +1500,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
filename, linenum);
if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
- filename, linenum, arg ? arg : "<NONE>");
+ filename, linenum, arg);
if (options->kex_algorithms == NULL)
options->kex_algorithms = xstrdup(arg);
break;
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index aaf712d..62a76b3 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -536,8 +536,8 @@ pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,
X509_free(x509);
}
if (rsa && rsa->n && rsa->e &&
- pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) {
- key = sshkey_new(KEY_UNSPEC);
+ pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0 &&
+ (key = sshkey_new(KEY_UNSPEC)) != NULL) {
key->rsa = rsa;
key->type = KEY_RSA;
key->flags |= SSHKEY_FLAG_EXT;
diff --git a/sshconnect1.c b/sshconnect1.c
index a045361..0e1a506 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -520,7 +520,8 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
cookie[i] = packet_get_char();
/* Get the public key. */
- server_key = key_new(KEY_RSA1);
+ if ((server_key = key_new(KEY_RSA1)) == NULL)
+ fatal("%s: key_new(KEY_RSA1) failed", __func__);
bits = packet_get_int();
packet_get_bignum(server_key->rsa->e);
packet_get_bignum(server_key->rsa->n);
@@ -532,7 +533,8 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
logit("Warning: This may be due to an old implementation of ssh.");
}
/* Get the host key. */
- host_key = key_new(KEY_RSA1);
+ if ((host_key = key_new(KEY_RSA1)) == NULL)
+ fatal("%s: key_new(KEY_RSA1) failed", __func__);
bits = packet_get_int();
packet_get_bignum(host_key->rsa->e);
packet_get_bignum(host_key->rsa->n);
diff --git a/sshkey.c b/sshkey.c
index 58c1051..6afacb5 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1239,6 +1239,9 @@ sshkey_read(struct sshkey *ret, char **cpp)
u_long bits;
#endif /* WITH_SSH1 */
+ if (ret == NULL)
+ return SSH_ERR_INVALID_ARGUMENT;
+
cp = *cpp;
switch (ret->type) {

View file

@ -1,6 +1,44 @@
diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
--- openssh-6.2p1/ctr-cavstest.c.ctr-cavs 2013-03-25 21:35:52.512586671 +0100
+++ openssh-6.2p1/ctr-cavstest.c 2013-03-25 21:35:52.512586671 +0100
diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.ctr-cavs 2015-03-18 11:22:05.493289018 +0100
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:22:44.504196316 +0100
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
SSH_KEYCAT=$(libexecdir)/ssh-keycat
+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
LIBOPENSSH_OBJS=\
ssh_api.o \
@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
$(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(SSHLIBS)
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -326,6 +330,7 @@ install-files:
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
fi
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
--- openssh-6.8p1/ctr-cavstest.c.ctr-cavs 2015-03-18 11:22:05.521288952 +0100
+++ openssh-6.8p1/ctr-cavstest.c 2015-03-18 11:22:05.521288952 +0100
@@ -0,0 +1,208 @@
+/*
+ *
@ -95,7 +133,7 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
+ break;
+
+ total += n;
+ buf = xrealloc(buf, total + READ_CHUNK, 1);
+ buf = xreallocarray(buf, total + READ_CHUNK, 1);
+ } while(total < MAX_READ_SIZE);
+ return buf;
+}
@ -103,8 +141,8 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
+int main (int argc, char *argv[])
+{
+
+ Cipher *c;
+ CipherContext cc;
+ const struct sshcipher *c;
+ struct sshcipher_ctx *cc;
+ char *algo = "aes128-ctr";
+ char *hexkey = NULL;
+ char *hexiv = "00000000000000000000000000000000";
@ -194,11 +232,11 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
+ return 2;
+ }
+
+ cipher_crypt(&cc, outdata, data, datalen, 0, 0);
+ cipher_crypt(cc, 0, outdata, data, datalen, 0, 0);
+
+ free(data);
+
+ cipher_cleanup(&cc);
+ cipher_free(cc);
+
+ for (p = outdata; datalen > 0; ++p, --datalen) {
+ printf("%02X", (unsigned char)*p);
@ -210,41 +248,3 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
+ return 0;
+}
+
diff -up openssh-6.2p1/Makefile.in.ctr-cavs openssh-6.2p1/Makefile.in
--- openssh-6.2p1/Makefile.in.ctr-cavs 2013-03-25 21:35:52.451586280 +0100
+++ openssh-6.2p1/Makefile.in 2013-03-25 21:37:14.956114584 +0100
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
SSH_KEYCAT=$(libexecdir)/ssh-keycat
+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
canohost.o channels.o cipher.o cipher-aes.o \
@@ -174,6 +175,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keycat.o
$(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
@@ -281,6 +285,7 @@ install-files:
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
fi
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1

View file

@ -0,0 +1,140 @@
diff -up openssh-7.4p1/configure.ac.tcp_wrappers openssh-7.4p1/configure.ac
--- openssh-7.4p1/configure.ac.tcp_wrappers 2016-12-23 15:36:38.745411192 +0100
+++ openssh-7.4p1/configure.ac 2016-12-23 15:36:38.777411197 +0100
@@ -1491,6 +1491,62 @@ AC_ARG_WITH([skey],
]
)
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+ [
+ if test "x$withval" != "xno" ; then
+ saved_LIBS="$LIBS"
+ saved_LDFLAGS="$LDFLAGS"
+ saved_CPPFLAGS="$CPPFLAGS"
+ if test -n "${withval}" && \
+ test "x${withval}" != "xyes"; then
+ if test -d "${withval}/lib"; then
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ else
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval} ${LDFLAGS}"
+ fi
+ fi
+ if test -d "${withval}/include"; then
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+ else
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
+ fi
+ fi
+ LIBS="-lwrap $LIBS"
+ AC_MSG_CHECKING([for libwrap])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+ ]], [[
+ hosts_access(0);
+ ]])], [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([LIBWRAP], [1],
+ [Define if you want
+ TCP Wrappers support])
+ SSHDLIBS="$SSHDLIBS -lwrap"
+ TCPW_MSG="yes"
+ ], [
+ AC_MSG_ERROR([*** libwrap missing])
+
+ ])
+ LIBS="$saved_LIBS"
+ fi
+ ]
+)
+
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
@@ -5214,6 +5270,7 @@ echo " KerberosV support
echo " SELinux support: $SELINUX_MSG"
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
diff -up openssh-7.4p1/sshd.8.tcp_wrappers openssh-7.4p1/sshd.8
--- openssh-7.4p1/sshd.8.tcp_wrappers 2016-12-23 15:36:38.759411194 +0100
+++ openssh-7.4p1/sshd.8 2016-12-23 15:36:38.778411197 +0100
@@ -836,6 +836,12 @@ the user's home directory becomes access
This file should be writable only by the user, and need not be
readable by anyone else.
.Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
.It Pa /etc/hosts.equiv
This file is for host-based authentication (see
.Xr ssh 1 ) .
@@ -960,6 +966,7 @@ IPv6 address can be used everywhere wher
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
+.Xr hosts_access 5 ,
.Xr login.conf 5 ,
.Xr moduli 5 ,
.Xr sshd_config 5 ,
diff -up openssh-7.4p1/sshd.c.tcp_wrappers openssh-7.4p1/sshd.c
--- openssh-7.4p1/sshd.c.tcp_wrappers 2016-12-23 15:36:38.772411196 +0100
+++ openssh-7.4p1/sshd.c 2016-12-23 15:37:15.032417028 +0100
@@ -123,6 +123,13 @@
#include "version.h"
#include "ssherr.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2012,6 +2019,24 @@ main(int ac, char **av)
#ifdef SSH_AUDIT_EVENTS
audit_connection_from(remote_ip, remote_port);
#endif
+#ifdef LIBWRAP
+ allow_severity = options.log_facility|LOG_INFO;
+ deny_severity = options.log_facility|LOG_WARNING;
+ /* Check whether logins are denied from this host. */
+ if (packet_connection_is_on_socket()) {
+ struct request_info req;
+
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+ fromhost(&req);
+
+ if (!hosts_access(&req)) {
+ debug("Connection refused by tcp wrapper");
+ refuse(&req);
+ /* NOTREACHED */
+ fatal("libwrap refuse returns");
+ }
+ }
+#endif /* LIBWRAP */
/* Log the connection. */
laddr = get_local_ipaddr(sock_in);

View file

@ -0,0 +1,517 @@
diff -up openssh-7.4p1/auth2.c.expose-pam openssh-7.4p1/auth2.c
--- openssh-7.4p1/auth2.c.expose-pam 2016-12-23 15:40:26.768447868 +0100
+++ openssh-7.4p1/auth2.c 2016-12-23 15:40:26.818447876 +0100
@@ -310,6 +310,7 @@ userauth_finish(Authctxt *authctxt, int
const char *submethod)
{
char *methods;
+ char *prev_auth_details;
int partial = 0;
if (!authctxt->valid && authenticated)
@@ -340,6 +341,18 @@ userauth_finish(Authctxt *authctxt, int
if (authctxt->postponed)
return;
+ if (authenticated || partial) {
+ prev_auth_details = authctxt->auth_details;
+ xasprintf(&authctxt->auth_details, "%s%s%s%s%s",
+ prev_auth_details ? prev_auth_details : "",
+ prev_auth_details ? ", " : "", method,
+ authctxt->last_details ? ": " : "",
+ authctxt->last_details ? authctxt->last_details : "");
+ free(prev_auth_details);
+ }
+ free(authctxt->last_details);
+ authctxt->last_details = NULL;
+
#ifdef USE_PAM
if (options.use_pam && authenticated) {
if (!PRIVSEP(do_pam_account())) {
diff -up openssh-7.4p1/auth2-gss.c.expose-pam openssh-7.4p1/auth2-gss.c
--- openssh-7.4p1/auth2-gss.c.expose-pam 2016-12-23 15:40:26.769447868 +0100
+++ openssh-7.4p1/auth2-gss.c 2016-12-23 15:40:26.818447876 +0100
@@ -276,6 +276,9 @@ input_gssapi_exchange_complete(int type,
authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
authctxt->pw));
+ if (authenticated)
+ authctxt->last_details = ssh_gssapi_get_displayname();
+
authctxt->postponed = 0;
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
@@ -322,6 +325,9 @@ input_gssapi_mic(int type, u_int32_t ple
else
logit("GSSAPI MIC check failed");
+ if (authenticated)
+ authctxt->last_details = ssh_gssapi_get_displayname();
+
buffer_free(&b);
if (micuser != authctxt->user)
free(micuser);
diff -up openssh-7.4p1/auth2-hostbased.c.expose-pam openssh-7.4p1/auth2-hostbased.c
--- openssh-7.4p1/auth2-hostbased.c.expose-pam 2016-12-23 15:40:26.731447862 +0100
+++ openssh-7.4p1/auth2-hostbased.c 2016-12-23 15:40:26.818447876 +0100
@@ -60,7 +60,7 @@ userauth_hostbased(Authctxt *authctxt)
{
Buffer b;
Key *key = NULL;
- char *pkalg, *cuser, *chost, *service;
+ char *pkalg, *cuser, *chost, *service, *pubkey;
u_char *pkblob, *sig;
u_int alen, blen, slen;
int pktype;
@@ -140,15 +140,21 @@ userauth_hostbased(Authctxt *authctxt)
buffer_dump(&b);
#endif
- pubkey_auth_info(authctxt, key,
- "client user \"%.100s\", client host \"%.100s\"", cuser, chost);
+ pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
+ auth_info(authctxt,
+ "%s, client user \"%.100s\", client host \"%.100s\"",
+ pubkey, cuser, chost);
/* test for allowed key and correct signature */
authenticated = 0;
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
- buffer_len(&b))) == 1)
+ buffer_len(&b))) == 1) {
authenticated = 1;
+ authctxt->last_details = pubkey;
+ } else {
+ free(pubkey);
+ }
buffer_free(&b);
done:
diff -up openssh-7.4p1/auth2-pubkey.c.expose-pam openssh-7.4p1/auth2-pubkey.c
--- openssh-7.4p1/auth2-pubkey.c.expose-pam 2016-12-23 15:40:26.746447864 +0100
+++ openssh-7.4p1/auth2-pubkey.c 2016-12-23 15:40:26.819447876 +0100
@@ -79,7 +79,7 @@ userauth_pubkey(Authctxt *authctxt)
{
Buffer b;
Key *key = NULL;
- char *pkalg, *userstyle, *fp = NULL;
+ char *pkalg, *userstyle, *pubkey, *fp = NULL;
u_char *pkblob, *sig;
u_int alen, blen, slen;
int have_sig, pktype;
@@ -177,7 +177,8 @@ userauth_pubkey(Authctxt *authctxt)
#ifdef DEBUG_PK
buffer_dump(&b);
#endif
- pubkey_auth_info(authctxt, key, NULL);
+ pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
+ auth_info(authctxt, "%s", pubkey);
/* test for correct signature */
authenticated = 0;
@@ -185,9 +186,12 @@ userauth_pubkey(Authctxt *authctxt)
PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
buffer_len(&b))) == 1) {
authenticated = 1;
+ authctxt->last_details = pubkey;
/* Record the successful key to prevent reuse */
auth2_record_userkey(authctxt, key);
key = NULL; /* Don't free below */
+ } else {
+ free(pubkey);
}
buffer_free(&b);
free(sig);
@@ -228,7 +232,7 @@ done:
void
pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
{
- char *fp, *extra;
+ char *extra, *pubkey;
va_list ap;
int i;
@@ -238,27 +242,13 @@ pubkey_auth_info(Authctxt *authctxt, con
i = vasprintf(&extra, fmt, ap);
va_end(ap);
if (i < 0 || extra == NULL)
- fatal("%s: vasprintf failed", __func__);
+ fatal("%s: vasprintf failed", __func__);
}
- if (key_is_cert(key)) {
- fp = sshkey_fingerprint(key->cert->signature_key,
- options.fingerprint_hash, SSH_FP_DEFAULT);
- auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
- key_type(key), key->cert->key_id,
- (unsigned long long)key->cert->serial,
- key_type(key->cert->signature_key),
- fp == NULL ? "(null)" : fp,
- extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
- free(fp);
- } else {
- fp = sshkey_fingerprint(key, options.fingerprint_hash,
- SSH_FP_DEFAULT);
- auth_info(authctxt, "%s %s%s%s", key_type(key),
- fp == NULL ? "(null)" : fp,
- extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
- free(fp);
- }
+ pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
+ auth_info(authctxt, "%s%s%s", pubkey, extra == NULL ? "" : ", ",
+ extra == NULL ? "" : extra);
+ free(pubkey);
free(extra);
}
diff -up openssh-7.4p1/auth.h.expose-pam openssh-7.4p1/auth.h
--- openssh-7.4p1/auth.h.expose-pam 2016-12-23 15:40:26.782447870 +0100
+++ openssh-7.4p1/auth.h 2016-12-23 15:40:26.819447876 +0100
@@ -84,6 +84,9 @@ struct Authctxt {
struct sshkey **prev_userkeys;
u_int nprev_userkeys;
+
+ char *last_details;
+ char *auth_details;
};
/*
* Every authentication method has to handle authentication requests for
diff -up openssh-7.4p1/auth-pam.c.expose-pam openssh-7.4p1/auth-pam.c
--- openssh-7.4p1/auth-pam.c.expose-pam 2016-12-23 15:40:26.731447862 +0100
+++ openssh-7.4p1/auth-pam.c 2016-12-23 15:40:26.819447876 +0100
@@ -688,6 +688,11 @@ sshpam_init_ctx(Authctxt *authctxt)
return (NULL);
}
+ /* Notify PAM about any already successful auth methods */
+ if (options.expose_auth_methods >= EXPOSE_AUTHMETH_PAMONLY &&
+ authctxt->auth_details)
+ do_pam_putenv("SSH_USER_AUTH", authctxt->auth_details);
+
ctxt = xcalloc(1, sizeof *ctxt);
/* Start the authentication thread */
diff -up openssh-7.4p1/gss-serv.c.expose-pam openssh-7.4p1/gss-serv.c
--- openssh-7.4p1/gss-serv.c.expose-pam 2016-12-23 15:40:26.808447874 +0100
+++ openssh-7.4p1/gss-serv.c 2016-12-23 15:40:26.819447876 +0100
@@ -441,6 +441,16 @@ ssh_gssapi_do_child(char ***envp, u_int
}
/* Privileged */
+char*
+ssh_gssapi_get_displayname(void)
+{
+ if (gssapi_client.displayname.length != 0 &&
+ gssapi_client.displayname.value != NULL)
+ return strdup((char *)gssapi_client.displayname.value);
+ return NULL;
+}
+
+/* Privileged */
int
ssh_gssapi_userok(char *user, struct passwd *pw)
{
diff -up openssh-7.4p1/monitor.c.expose-pam openssh-7.4p1/monitor.c
--- openssh-7.4p1/monitor.c.expose-pam 2016-12-23 15:40:26.794447872 +0100
+++ openssh-7.4p1/monitor.c 2016-12-23 15:41:16.473455863 +0100
@@ -300,6 +300,7 @@ monitor_child_preauth(Authctxt *_authctx
{
struct mon_table *ent;
int authenticated = 0, partial = 0;
+ char *prev_auth_details;
debug3("preauth child monitor started");
@@ -330,6 +331,18 @@ monitor_child_preauth(Authctxt *_authctx
auth_submethod = NULL;
authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
+ if (authenticated) {
+ prev_auth_details = authctxt->auth_details;
+ xasprintf(&authctxt->auth_details, "%s%s%s%s%s",
+ prev_auth_details ? prev_auth_details : "",
+ prev_auth_details ? ", " : "", auth_method,
+ authctxt->last_details ? ": " : "",
+ authctxt->last_details ? authctxt->last_details : "");
+ free(prev_auth_details);
+ }
+ free(authctxt->last_details);
+ authctxt->last_details = NULL;
+
/* Special handling for multiple required authentications */
if (options.num_auth_methods != 0) {
if (authenticated &&
@@ -1417,6 +1430,10 @@ mm_answer_keyverify(int sock, Buffer *m)
debug3("%s: key %p signature %s",
__func__, key, (verified == 1) ? "verified" : "unverified");
+ if (verified == 1)
+ authctxt->last_details = sshkey_format_oneline(key,
+ options.fingerprint_hash);
+
/* If auth was successful then record key to ensure it isn't reused */
if (verified == 1 && key_blobtype == MM_USERKEY)
auth2_record_userkey(authctxt, key);
@@ -1860,6 +1877,9 @@ mm_answer_gss_userok(int sock, Buffer *m
auth_method = "gssapi-with-mic";
+ if (authenticated)
+ authctxt->last_details = ssh_gssapi_get_displayname();
+
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
diff -up openssh-7.4p1/servconf.c.expose-pam openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.expose-pam 2016-12-23 15:40:26.810447875 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 15:44:04.691482920 +0100
@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions
options->version_addendum = NULL;
options->use_kuserok = -1;
options->enable_k5users = -1;
+ options->expose_auth_methods = -1;
options->fingerprint_hash = -1;
options->disable_forwarding = -1;
}
@@ -354,6 +355,8 @@ fill_default_server_options(ServerOption
options->use_kuserok = 1;
if (options->enable_k5users == -1)
options->enable_k5users = 0;
+ if (options->expose_auth_methods == -1)
+ options->expose_auth_methods = EXPOSE_AUTHMETH_NEVER;
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
options->fwd_opts.streamlocal_bind_mask = 0177;
if (options->fwd_opts.streamlocal_bind_unlink == -1)
@@ -439,6 +442,7 @@ typedef enum {
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
sStreamLocalBindMask, sStreamLocalBindUnlink,
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
+ sExposeAuthenticationMethods,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
@@ -595,6 +599,7 @@ static struct {
{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
+ { "exposeauthenticationmethods", sExposeAuthenticationMethods, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};
@@ -984,6 +989,12 @@ static const struct multistate multistat
{ "local", FORWARD_LOCAL },
{ NULL, -1 }
};
+static const struct multistate multistate_exposeauthmeth[] = {
+ { "never", EXPOSE_AUTHMETH_NEVER },
+ { "pam-only", EXPOSE_AUTHMETH_PAMONLY },
+ { "pam-and-env", EXPOSE_AUTHMETH_PAMENV },
+ { NULL, -1}
+};
int
process_server_config_line(ServerOptions *options, char *line,
@@ -1902,6 +1913,11 @@ process_server_config_line(ServerOptions
options->fingerprint_hash = value;
break;
+ case sExposeAuthenticationMethods:
+ intptr = &options->expose_auth_methods;
+ multistate_ptr = multistate_exposeauthmeth;
+ goto parse_multistate;
+
case sDeprecated:
case sIgnore:
case sUnsupported:
@@ -2060,6 +2076,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(enable_k5users);
M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval);
+ M_CP_INTOPT(expose_auth_methods);
/*
* The bind_mask is a mode_t that may be unsigned, so we can't use
@@ -2176,6 +2193,8 @@ fmt_intarg(ServerOpCodes code, int val)
return fmt_multistate_int(val, multistate_tcpfwd);
case sFingerprintHash:
return ssh_digest_alg_name(val);
+ case sExposeAuthenticationMethods:
+ return fmt_multistate_int(val, multistate_exposeauthmeth);
default:
switch (val) {
case 0:
@@ -2356,6 +2375,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
+ dump_cfg_fmtint(sExposeAuthenticationMethods, o->expose_auth_methods);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
/* string arguments */
diff -up openssh-7.4p1/servconf.h.expose-pam openssh-7.4p1/servconf.h
--- openssh-7.4p1/servconf.h.expose-pam 2016-12-23 15:40:26.810447875 +0100
+++ openssh-7.4p1/servconf.h 2016-12-23 15:40:26.821447876 +0100
@@ -48,6 +48,11 @@
#define FORWARD_LOCAL (1<<1)
#define FORWARD_ALLOW (FORWARD_REMOTE|FORWARD_LOCAL)
+/* Expose AuthenticationMethods */
+#define EXPOSE_AUTHMETH_NEVER 0
+#define EXPOSE_AUTHMETH_PAMONLY 1
+#define EXPOSE_AUTHMETH_PAMENV 2
+
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
@@ -195,6 +200,8 @@ typedef struct {
char *auth_methods[MAX_AUTH_METHODS];
int fingerprint_hash;
+
+ int expose_auth_methods; /* EXPOSE_AUTHMETH_* above */
} ServerOptions;
/* Information about the incoming connection as used by Match */
diff -up openssh-7.4p1/session.c.expose-pam openssh-7.4p1/session.c
--- openssh-7.4p1/session.c.expose-pam 2016-12-23 15:40:26.794447872 +0100
+++ openssh-7.4p1/session.c 2016-12-23 15:40:26.821447876 +0100
@@ -997,6 +997,12 @@ copy_environment(char **source, char ***
}
*var_val++ = '\0';
+ if (options.expose_auth_methods < EXPOSE_AUTHMETH_PAMENV &&
+ strcmp(var_name, "SSH_USER_AUTH") == 0) {
+ free(var_name);
+ continue;
+ }
+
debug3("Copy environment: %s=%s", var_name, var_val);
child_set_env(env, envsize, var_name, var_val);
@@ -1173,6 +1179,11 @@ do_setup_env(Session *s, const char *she
}
#endif /* USE_PAM */
+ if (options.expose_auth_methods >= EXPOSE_AUTHMETH_PAMENV &&
+ s->authctxt->auth_details)
+ child_set_env(&env, &envsize, "SSH_USER_AUTH",
+ s->authctxt->auth_details);
+
if (auth_sock_name != NULL)
child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
auth_sock_name);
@@ -2561,6 +2572,9 @@ do_cleanup(Authctxt *authctxt)
if (authctxt == NULL)
return;
+ free(authctxt->auth_details);
+ authctxt->auth_details = NULL;
+
#ifdef USE_PAM
if (options.use_pam) {
sshpam_cleanup();
diff -up openssh-7.4p1/ssh.1.expose-pam openssh-7.4p1/ssh.1
--- openssh-7.4p1/ssh.1.expose-pam 2016-12-23 15:40:26.810447875 +0100
+++ openssh-7.4p1/ssh.1 2016-12-23 15:40:26.822447877 +0100
@@ -1421,6 +1421,10 @@ server IP address, and server port numbe
This variable contains the original command line if a forced command
is executed.
It can be used to extract the original arguments.
+.It Ev SSH_USER_AUTH
+This variable contains, for SSH2 only, a comma-separated list of authentication
+methods that were successfuly used to authenticate. When possible, these
+methods are extended with detailed information on the credential used.
.It Ev SSH_TTY
This is set to the name of the tty (path to the device) associated
with the current shell or command.
diff -up openssh-7.4p1/sshd_config.5.expose-pam openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.expose-pam 2016-12-23 15:40:26.822447877 +0100
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:45:22.411495421 +0100
@@ -570,6 +570,21 @@ Disables all forwarding features, includ
TCP and StreamLocal.
This option overrides all other forwarding-related options and may
simplify restricted configurations.
+.It Cm ExposeAuthenticationMethods
+When using SSH2, this option controls the exposure of the list of
+successful authentication methods to PAM during the authentication
+and to the shell environment via the
+.Cm SSH_USER_AUTH
+variable. See the description of this variable for more details.
+Valid options are:
+.Cm never
+(Do not expose successful authentication methods),
+.Cm pam-only
+(Only expose them to PAM during authentication, not afterwards),
+.Cm pam-and-env
+(Expose them to PAM and keep them in the shell environment).
+The default is
+.Cm never .
.It Cm FingerprintHash
Specifies the hash algorithm used when logging key fingerprints.
Valid options are:
diff -up openssh-7.4p1/ssh-gss.h.expose-pam openssh-7.4p1/ssh-gss.h
--- openssh-7.4p1/ssh-gss.h.expose-pam 2016-12-23 15:40:26.811447875 +0100
+++ openssh-7.4p1/ssh-gss.h 2016-12-23 15:40:26.823447877 +0100
@@ -159,6 +159,7 @@ int ssh_gssapi_server_check_mech(Gssctxt
const char *);
OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
int ssh_gssapi_userok(char *name, struct passwd *);
+char* ssh_gssapi_get_displayname(void);
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *);
void ssh_gssapi_cleanup_creds(void);
diff -up openssh-7.4p1/sshkey.c.expose-pam openssh-7.4p1/sshkey.c
--- openssh-7.4p1/sshkey.c.expose-pam 2016-12-23 15:40:26.777447869 +0100
+++ openssh-7.4p1/sshkey.c 2016-12-23 15:40:26.823447877 +0100
@@ -57,6 +57,7 @@
#define SSHKEY_INTERNAL
#include "sshkey.h"
#include "match.h"
+#include "xmalloc.h"
/* openssh private key file format */
#define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
@@ -1191,6 +1192,30 @@ sshkey_fingerprint(const struct sshkey *
return retval;
}
+char *
+sshkey_format_oneline(const struct sshkey *key, int dgst_alg)
+{
+ char *fp, *result;
+
+ if (sshkey_is_cert(key)) {
+ fp = sshkey_fingerprint(key->cert->signature_key, dgst_alg,
+ SSH_FP_DEFAULT);
+ xasprintf(&result, "%s ID %s (serial %llu) CA %s %s",
+ sshkey_type(key), key->cert->key_id,
+ (unsigned long long)key->cert->serial,
+ sshkey_type(key->cert->signature_key),
+ fp == NULL ? "(null)" : fp);
+ free(fp);
+ } else {
+ fp = sshkey_fingerprint(key, dgst_alg, SSH_FP_DEFAULT);
+ xasprintf(&result, "%s %s", sshkey_type(key),
+ fp == NULL ? "(null)" : fp);
+ free(fp);
+ }
+
+ return result;
+}
+
#ifdef WITH_SSH1
/*
* Reads a multiple-precision integer in decimal from the buffer, and advances
diff -up openssh-7.4p1/sshkey.h.expose-pam openssh-7.4p1/sshkey.h
--- openssh-7.4p1/sshkey.h.expose-pam 2016-12-23 15:40:26.777447869 +0100
+++ openssh-7.4p1/sshkey.h 2016-12-23 15:40:26.823447877 +0100
@@ -124,6 +124,7 @@ char *sshkey_fingerprint(const struct s
int, enum sshkey_fp_rep);
int sshkey_fingerprint_raw(const struct sshkey *k,
int, u_char **retp, size_t *lenp);
+char *sshkey_format_oneline(const struct sshkey *k, int dgst_alg);
const char *sshkey_type(const struct sshkey *);
const char *sshkey_cert_type(const struct sshkey *);
int sshkey_write(const struct sshkey *, FILE *);

798
openssh-7.4p1-fips.patch Normal file
View file

@ -0,0 +1,798 @@
diff -up openssh-7.4p1/cipher.c.fips openssh-7.4p1/cipher.c
--- openssh-7.4p1/cipher.c.fips 2017-02-09 14:53:47.174347449 +0100
+++ openssh-7.4p1/cipher.c 2017-02-09 14:53:47.182347441 +0100
@@ -39,6 +39,8 @@
#include <sys/types.h>
+#include <openssl/fips.h>
+
#include <string.h>
#include <stdarg.h>
#include <stdio.h>
@@ -116,6 +118,24 @@ static const struct sshcipher ciphers[]
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
};
+static const struct sshcipher fips_ciphers[] = {
+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
+ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
+ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+ { "rijndael-cbc@lysator.liu.se",
+ SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
+ { "aes128-gcm@openssh.com",
+ SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
+ { "aes256-gcm@openssh.com",
+ SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
+};
+
/*--*/
/* Returns a comma-separated list of supported ciphers. */
@@ -126,7 +142,7 @@ cipher_alg_list(char sep, int auth_only)
size_t nlen, rlen = 0;
const struct sshcipher *c;
- for (c = ciphers; c->name != NULL; c++) {
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) {
if (c->number != SSH_CIPHER_SSH2)
continue;
if (auth_only && c->auth_len == 0)
@@ -222,7 +238,7 @@ const struct sshcipher *
cipher_by_name(const char *name)
{
const struct sshcipher *c;
- for (c = ciphers; c->name != NULL; c++)
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
if (strcmp(c->name, name) == 0)
return c;
return NULL;
@@ -232,7 +248,7 @@ const struct sshcipher *
cipher_by_number(int id)
{
const struct sshcipher *c;
- for (c = ciphers; c->name != NULL; c++)
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
if (c->number == id)
return c;
return NULL;
@@ -273,7 +289,7 @@ cipher_number(const char *name)
const struct sshcipher *c;
if (name == NULL)
return -1;
- for (c = ciphers; c->name != NULL; c++)
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
if (strcasecmp(c->name, name) == 0)
return c->number;
return -1;
diff -up openssh-7.4p1/cipher-ctr.c.fips openssh-7.4p1/cipher-ctr.c
--- openssh-7.4p1/cipher-ctr.c.fips 2017-02-09 14:53:47.125347498 +0100
+++ openssh-7.4p1/cipher-ctr.c 2017-02-09 14:53:47.182347441 +0100
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
+ EVP_CIPH_FLAG_FIPS;
#endif
return (&aes_ctr);
}
diff -up openssh-7.4p1/clientloop.c.fips openssh-7.4p1/clientloop.c
--- openssh-7.4p1/clientloop.c.fips 2017-05-30 19:10:26.537505598 +0200
+++ openssh-7.4p1/clientloop.c 2017-05-30 19:10:26.571505583 +0200
@@ -2452,7 +2452,7 @@ client_input_hostkeys(void)
/* Check that the key is accepted in HostkeyAlgorithms */
if (match_pattern_list(sshkey_ssh_name(key),
options.hostkeyalgorithms ? options.hostkeyalgorithms :
- KEX_DEFAULT_PK_ALG, 0) != 1) {
+ (FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), 0) != 1) {
debug3("%s: %s key not permitted by HostkeyAlgorithms",
__func__, sshkey_ssh_name(key));
continue;
diff -up openssh-7.4p1/dh.h.fips openssh-7.4p1/dh.h
--- openssh-7.4p1/dh.h.fips 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/dh.h 2017-02-09 14:53:47.182347441 +0100
@@ -51,6 +51,7 @@ u_int dh_estimate(int);
* Miniumum increased in light of DH precomputation attacks.
*/
#define DH_GRP_MIN 1024
+#define DH_GRP_MIN_FIPS 2048
#define DH_GRP_MAX 8192
/*
diff -up openssh-7.4p1/entropy.c.fips openssh-7.4p1/entropy.c
--- openssh-7.4p1/entropy.c.fips 2017-02-09 14:53:47.116347507 +0100
+++ openssh-7.4p1/entropy.c 2017-02-09 14:53:47.182347441 +0100
@@ -217,6 +217,9 @@ seed_rng(void)
fatal("OpenSSL version mismatch. Built against %lx, you "
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
+ /* clean the PRNG status when exiting the program */
+ atexit(RAND_cleanup);
+
#ifndef OPENSSL_PRNG_ONLY
if (RAND_status() == 1) {
debug3("RNG is ready, skipping seeding");
diff -up openssh-7.4p1/kex.c.fips openssh-7.4p1/kex.c
--- openssh-7.4p1/kex.c.fips 2017-02-09 14:53:47.174347449 +0100
+++ openssh-7.4p1/kex.c 2017-02-09 14:53:47.183347440 +0100
@@ -35,6 +35,7 @@
#ifdef WITH_OPENSSL
#include <openssl/crypto.h>
#include <openssl/dh.h>
+#include <openssl/fips.h>
#endif
#include "ssh2.h"
@@ -124,6 +125,28 @@ static const struct kexalg kexalgs[] = {
{ NULL, -1, -1, -1},
};
+static const struct kexalg kexalgs_fips[] = {
+ { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
+ { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
+ { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
+ { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
+ { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
+#ifdef HAVE_EVP_SHA256
+ { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
+#endif
+#ifdef OPENSSL_HAS_ECC
+ { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
+ NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
+ { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
+ SSH_DIGEST_SHA384 },
+# ifdef OPENSSL_HAS_NISTP521
+ { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
+ SSH_DIGEST_SHA512 },
+# endif
+#endif
+ { NULL, -1, -1, -1},
+};
+
char *
kex_alg_list(char sep)
{
@@ -151,7 +169,7 @@ kex_alg_by_name(const char *name)
{
const struct kexalg *k;
- for (k = kexalgs; k->name != NULL; k++) {
+ for (k = (FIPS_mode() ? kexalgs_fips : kexalgs); k->name != NULL; k++) {
if (strcmp(k->name, name) == 0)
return k;
#ifdef GSSAPI
@@ -177,7 +195,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) {
- error("Unsupported KEX algorithm \"%.100s\"", p);
+ if (FIPS_mode())
+ error("\"%.100s\" is not allowed in FIPS mode", p);
+ else
+ error("Unsupported KEX algorithm \"%.100s\"", p);
free(s);
return 0;
}
diff -up openssh-7.4p1/kexgexc.c.fips openssh-7.4p1/kexgexc.c
--- openssh-7.4p1/kexgexc.c.fips 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/kexgexc.c 2017-02-09 14:53:47.183347440 +0100
@@ -28,6 +28,7 @@
#ifdef WITH_OPENSSL
+#include <openssl/fips.h>
#include <sys/types.h>
#include <openssl/dh.h>
@@ -63,7 +64,7 @@ kexgex_client(struct ssh *ssh)
nbits = dh_estimate(kex->dh_need * 8);
- kex->min = DH_GRP_MIN;
+ kex->min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
kex->max = DH_GRP_MAX;
kex->nbits = nbits;
if (datafellows & SSH_BUG_DHGEX_LARGE)
diff -up openssh-7.4p1/kexgexs.c.fips openssh-7.4p1/kexgexs.c
--- openssh-7.4p1/kexgexs.c.fips 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/kexgexs.c 2017-02-09 14:53:47.183347440 +0100
@@ -83,9 +83,9 @@ input_kex_dh_gex_request(int type, u_int
kex->nbits = nbits;
kex->min = min;
kex->max = max;
- min = MAXIMUM(DH_GRP_MIN, min);
+ min = MAXIMUM(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);
max = MINIMUM(DH_GRP_MAX, max);
- nbits = MAXIMUM(DH_GRP_MIN, nbits);
+ nbits = MAXIMUM(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, nbits);
nbits = MINIMUM(DH_GRP_MAX, nbits);
if (kex->max < kex->min || kex->nbits < kex->min ||
diff -up openssh-7.4p1/mac.c.fips openssh-7.4p1/mac.c
--- openssh-7.4p1/mac.c.fips 2017-02-09 14:53:47.175347448 +0100
+++ openssh-7.4p1/mac.c 2017-02-09 14:53:47.183347440 +0100
@@ -27,6 +27,8 @@
#include <sys/types.h>
+#include <openssl/fips.h>
+
#include <string.h>
#include <stdio.h>
@@ -54,7 +56,7 @@ struct macalg {
int etm; /* Encrypt-then-MAC */
};
-static const struct macalg macs[] = {
+static const struct macalg all_macs[] = {
/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
{ "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
{ "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
@@ -89,6 +91,24 @@ static const struct macalg macs[] = {
{ NULL, 0, 0, 0, 0, 0, 0 }
};
+static const struct macalg fips_macs[] = {
+ /* Encrypt-and-MAC (encrypt-and-authenticate) variants */
+ { "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
+#ifdef HAVE_EVP_SHA256
+ { "hmac-sha2-256", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 0 },
+ { "hmac-sha2-512", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 0 },
+#endif
+
+ /* Encrypt-then-MAC variants */
+ { "hmac-sha1-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 1 },
+#ifdef HAVE_EVP_SHA256
+ { "hmac-sha2-256-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 1 },
+ { "hmac-sha2-512-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 1 },
+#endif
+
+ { NULL, 0, 0, 0, 0, 0, 0 }
+};
+
/* Returns a list of supported MACs separated by the specified char. */
char *
mac_alg_list(char sep)
@@ -97,7 +117,7 @@ mac_alg_list(char sep)
size_t nlen, rlen = 0;
const struct macalg *m;
- for (m = macs; m->name != NULL; m++) {
+ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(m->name);
@@ -136,7 +156,7 @@ mac_setup(struct sshmac *mac, char *name
{
const struct macalg *m;
- for (m = macs; m->name != NULL; m++) {
+ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
if (strcmp(name, m->name) != 0)
continue;
if (mac != NULL)
diff -up openssh-7.4p1/Makefile.in.fips openssh-7.4p1/Makefile.in
--- openssh-7.4p1/Makefile.in.fips 2017-02-09 14:53:47.175347448 +0100
+++ openssh-7.4p1/Makefile.in 2017-02-09 14:53:47.184347440 +0100
@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o
- $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -205,7 +205,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
$(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-7.4p1/myproposal.h.fips openssh-7.4p1/myproposal.h
--- openssh-7.4p1/myproposal.h.fips 2017-05-30 19:10:26.535505599 +0200
+++ openssh-7.4p1/myproposal.h 2017-05-30 19:10:26.574505582 +0200
@@ -119,6 +119,14 @@
"ssh-rsa," \
"ssh-dss"
+#define KEX_FIPS_PK_ALG \
+ HOSTKEY_ECDSA_CERT_METHODS \
+ "ssh-rsa-cert-v01@openssh.com," \
+ HOSTKEY_ECDSA_METHODS \
+ "rsa-sha2-512," \
+ "rsa-sha2-256," \
+ "ssh-rsa"
+
/* the actual algorithms */
#define KEX_CLIENT_ENCRYPT \
@@ -144,6 +152,38 @@
#define KEX_CLIENT_MAC KEX_SERVER_MAC
+#define KEX_FIPS_ENCRYPT \
+ "aes128-ctr,aes192-ctr,aes256-ctr" \
+ AESGCM_CIPHER_MODES "," \
+ "aes128-cbc,3des-cbc," \
+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se"
+#ifdef HAVE_EVP_SHA256
+# define KEX_DEFAULT_KEX_FIPS \
+ KEX_ECDH_METHODS \
+ KEX_SHA2_METHODS \
+ "diffie-hellman-group14-sha256"
+# define KEX_FIPS_MAC \
+ "hmac-sha1," \
+ "hmac-sha2-256," \
+ "hmac-sha2-512," \
+ "hmac-sha1-etm@openssh.com," \
+ "hmac-sha2-256-etm@openssh.com," \
+ "hmac-sha2-512-etm@openssh.com"
+#else
+# ifdef OPENSSL_HAS_NISTP521
+# define KEX_DEFAULT_KEX_FIPS \
+ "ecdh-sha2-nistp256," \
+ "ecdh-sha2-nistp384," \
+ "ecdh-sha2-nistp521"
+# else
+# define KEX_DEFAULT_KEX_FIPS \
+ "ecdh-sha2-nistp256," \
+ "ecdh-sha2-nistp384"
+# endif
+#define KEX_FIPS_MAC \
+ "hmac-sha1"
+#endif
+
#else /* WITH_OPENSSL */
#define KEX_SERVER_KEX \
diff -up openssh-7.4p1/readconf.c.fips openssh-7.4p1/readconf.c
--- openssh-7.4p1/readconf.c.fips 2017-02-09 14:53:47.185347438 +0100
+++ openssh-7.4p1/readconf.c 2017-02-09 14:56:24.840191308 +0100
@@ -2104,12 +2104,17 @@ fill_default_options(Options * options)
}
if (options->update_hostkeys == -1)
options->update_hostkeys = 0;
- if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
- kex_assemble_names(KEX_CLIENT_MAC, &options->macs) != 0 ||
- kex_assemble_names(KEX_CLIENT_KEX, &options->kex_algorithms) != 0 ||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT
+ : KEX_CLIENT_ENCRYPT), &options->ciphers) != 0 ||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC
+ : KEX_CLIENT_MAC), &options->macs) != 0 ||
+ kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS
+ : KEX_CLIENT_KEX), &options->kex_algorithms) != 0 ||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
+ : KEX_DEFAULT_PK_ALG),
&options->hostbased_key_types) != 0 ||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
+ : KEX_DEFAULT_PK_ALG),
&options->pubkey_key_types) != 0)
fatal("%s: kex_assemble_names failed", __func__);
@@ -2559,7 +2564,8 @@ dump_client_config(Options *o, const cha
char buf[8];
/* This is normally prepared in ssh_kex2 */
- if (kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->hostkeyalgorithms) != 0)
+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
+ : KEX_DEFAULT_PK_ALG), &o->hostkeyalgorithms) != 0)
fatal("%s: kex_assemble_names failed", __func__);
/* Most interesting options first: user, host, port */
diff -up openssh-7.4p1/sandbox-seccomp-filter.c.fips openssh-7.4p1/sandbox-seccomp-filter.c
--- openssh-7.4p1/sandbox-seccomp-filter.c.fips 2017-02-09 14:53:47.177347446 +0100
+++ openssh-7.4p1/sandbox-seccomp-filter.c 2017-02-09 14:53:47.185347438 +0100
@@ -118,6 +118,9 @@ static const struct sock_filter preauth_
#ifdef __NR_open
SC_DENY(open, EACCES),
#endif
+#ifdef __NR_socket
+ SC_DENY(socket, EACCES),
+#endif
#ifdef __NR_openat
SC_DENY(openat, EACCES),
#endif
diff -up openssh-7.4p1/servconf.c.fips openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.fips 2017-06-07 13:07:28.403983349 +0200
+++ openssh-7.4p1/servconf.c 2017-06-07 13:09:46.710997099 +0200
@@ -185,14 +185,20 @@ option_clear_or_none(const char *o)
static void
assemble_algorithms(ServerOptions *o)
{
- if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 ||
- kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 ||
- kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 ||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT
+ : KEX_SERVER_ENCRYPT), &o->ciphers) != 0 ||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC
+ : KEX_SERVER_MAC), &o->macs) != 0 ||
+ kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS
+ : KEX_SERVER_KEX), &o->kex_algorithms) != 0 ||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
+ : KEX_DEFAULT_PK_ALG),
&o->hostkeyalgorithms) != 0 ||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
+ : KEX_DEFAULT_PK_ALG),
&o->hostbased_key_types) != 0 ||
- kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0)
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
+ : KEX_DEFAULT_PK_ALG), &o->pubkey_key_types) != 0)
fatal("kex_assemble_names failed");
}
@@ -2390,8 +2396,10 @@ dump_config(ServerOptions *o)
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
dump_cfg_string(sXAuthLocation, o->xauth_location);
- dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
- dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
+ dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : FIPS_mode()
+ ? KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT);
+ dump_cfg_string(sMacs, o->macs ? o->macs : FIPS_mode()
+ ? KEX_FIPS_MAC : KEX_SERVER_MAC);
dump_cfg_string(sBanner, o->banner == NULL ? "none" : o->banner);
dump_cfg_string(sForceCommand, o->adm_forced_command);
dump_cfg_string(sChrootDirectory, o->chroot_directory);
@@ -2406,14 +2414,17 @@ dump_config(ServerOptions *o)
dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
- dump_cfg_string(sKexAlgorithms,
- o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
+ dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
+ FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX);
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
- o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
+ o->hostbased_key_types : (FIPS_mode() ? KEX_FIPS_PK_ALG
+ : KEX_DEFAULT_PK_ALG));
dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
- o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
+ o->hostkeyalgorithms : (FIPS_mode() ? KEX_FIPS_PK_ALG
+ : KEX_DEFAULT_PK_ALG));
dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
- o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
+ o->pubkey_key_types : (FIPS_mode() ? KEX_FIPS_PK_ALG
+ : KEX_DEFAULT_PK_ALG));
/* string arguments requiring a lookup */
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
diff -up openssh-7.4p1/ssh.c.fips openssh-7.4p1/ssh.c
--- openssh-7.4p1/ssh.c.fips 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/ssh.c 2017-02-09 14:53:47.185347438 +0100
@@ -76,6 +76,8 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#endif
+#include <openssl/fips.h>
+#include <fipscheck.h>
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"
@@ -530,6 +532,14 @@ main(int ac, char **av)
sanitise_stdfd();
__progname = ssh_get_progname(av[0]);
+ SSLeay_add_all_algorithms();
+ if (access("/etc/system-fips", F_OK) == 0)
+ if (! FIPSCHECK_verify(NULL, NULL)){
+ if (FIPS_mode())
+ fatal("FIPS integrity verification test failed.");
+ else
+ logit("FIPS integrity verification test failed.");
+ }
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
@@ -609,6 +619,9 @@ main(int ac, char **av)
"ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) {
case '1':
+ if (FIPS_mode()) {
+ fatal("Protocol 1 not allowed in the FIPS mode.");
+ }
options.protocol = SSH_PROTO_1;
break;
case '2':
@@ -964,7 +977,6 @@ main(int ac, char **av)
host_arg = xstrdup(host);
#ifdef WITH_OPENSSL
- OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
#endif
@@ -1175,6 +1187,10 @@ main(int ac, char **av)
seed_rng();
+ if (FIPS_mode()) {
+ logit("FIPS mode initialized");
+ }
+
if (options.user == NULL)
options.user = xstrdup(pw->pw_name);
@@ -1263,6 +1279,12 @@ main(int ac, char **av)
timeout_ms = options.connection_timeout * 1000;
+ if (FIPS_mode()) {
+ options.protocol &= SSH_PROTO_2;
+ if (options.protocol == 0)
+ fatal("Protocol 2 disabled by configuration but required in the FIPS mode.");
+ }
+
/* Open a connection to the remote host. */
if (ssh_connect(host, addrs, &hostaddr, options.port,
options.address_family, options.connection_attempts,
diff -up openssh-7.4p1/sshconnect2.c.fips openssh-7.4p1/sshconnect2.c
--- openssh-7.4p1/sshconnect2.c.fips 2017-02-09 14:53:47.162347461 +0100
+++ openssh-7.4p1/sshconnect2.c 2017-02-09 14:53:47.186347437 +0100
@@ -44,6 +44,8 @@
#include <vis.h>
#endif
+#include <openssl/fips.h>
+
#include "openbsd-compat/sys-queue.h"
#include "xmalloc.h"
@@ -117,7 +119,8 @@ order_hostkeyalgs(char *host, struct soc
for (i = 0; i < options.num_system_hostfiles; i++)
load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
+ oavail = avail = xstrdup((FIPS_mode()
+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
maxlen = strlen(avail) + 1;
first = xmalloc(maxlen);
last = xmalloc(maxlen);
@@ -172,21 +175,26 @@ ssh_kex2(char *host, struct sockaddr *ho
#ifdef GSSAPI
if (options.gss_keyex) {
- /* Add the GSSAPI mechanisms currently supported on this
- * client to the key exchange algorithm proposal */
- orig = options.kex_algorithms;
-
- if (options.gss_trust_dns)
- gss_host = (char *)get_canonical_hostname(active_state, 1);
- else
- gss_host = host;
-
- gss = ssh_gssapi_client_mechanisms(gss_host,
- options.gss_client_identity, options.gss_kex_algorithms);
- if (gss) {
- debug("Offering GSSAPI proposal: %s", gss);
- xasprintf(&options.kex_algorithms,
- "%s,%s", gss, orig);
+ if (FIPS_mode()) {
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
+ options.gss_keyex = 0;
+ } else {
+ /* Add the GSSAPI mechanisms currently supported on this
+ * client to the key exchange algorithm proposal */
+ orig = options.kex_algorithms;
+
+ if (options.gss_trust_dns)
+ gss_host = (char *)get_canonical_hostname(active_state, 1);
+ else
+ gss_host = host;
+
+ gss = ssh_gssapi_client_mechanisms(gss_host,
+ options.gss_client_identity, options.gss_kex_algorithms);
+ if (gss) {
+ debug("Offering GSSAPI proposal: %s", gss);
+ xasprintf(&options.kex_algorithms,
+ "%s,%s", gss, orig);
+ }
}
}
#endif
@@ -204,14 +212,16 @@ ssh_kex2(char *host, struct sockaddr *ho
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
if (options.hostkeyalgorithms != NULL) {
- if (kex_assemble_names(KEX_DEFAULT_PK_ALG,
+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
+ : KEX_DEFAULT_PK_ALG),
&options.hostkeyalgorithms) != 0)
fatal("%s: kex_assemble_namelist", __func__);
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
compat_pkalg_proposal(options.hostkeyalgorithms);
} else {
/* Enforce default */
- options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
+ options.hostkeyalgorithms = xstrdup((FIPS_mode()
+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
/* Prefer algorithms that we already have keys for */
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
compat_pkalg_proposal(
diff -up openssh-7.4p1/sshd.c.fips openssh-7.4p1/sshd.c
--- openssh-7.4p1/sshd.c.fips 2017-02-09 14:53:47.178347445 +0100
+++ openssh-7.4p1/sshd.c 2017-02-09 14:53:47.186347437 +0100
@@ -66,6 +66,7 @@
#include <grp.h>
#include <pwd.h>
#include <signal.h>
+#include <syslog.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
@@ -77,6 +78,8 @@
#include <openssl/dh.h>
#include <openssl/bn.h>
#include <openssl/rand.h>
+#include <openssl/fips.h>
+#include <fipscheck.h>
#include "openbsd-compat/openssl-compat.h"
#endif
@@ -1471,6 +1474,18 @@ main(int ac, char **av)
#endif
__progname = ssh_get_progname(av[0]);
+ SSLeay_add_all_algorithms();
+ if (access("/etc/system-fips", F_OK) == 0)
+ if (! FIPSCHECK_verify(NULL, NULL)) {
+ openlog(__progname, LOG_PID, LOG_AUTHPRIV);
+ if (FIPS_mode()) {
+ syslog(LOG_CRIT, "FIPS integrity verification test failed.");
+ cleanup_exit(255);
+ }
+ else
+ syslog(LOG_INFO, "FIPS integrity verification test failed.");
+ closelog();
+ }
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac;
rexec_argc = ac;
@@ -1619,7 +1634,7 @@ main(int ac, char **av)
else
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
-#ifdef WITH_OPENSSL
+#if 0 /* FIPS */
OpenSSL_add_all_algorithms();
#endif
@@ -1928,6 +1943,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
+ if (FIPS_mode()) {
+ logit("FIPS mode initialized");
+ }
+
/* Chdir to the root directory so that the current disk can be
unmounted if desired. */
if (chdir("/") == -1)
@@ -2282,10 +2301,14 @@ do_ssh2_kex(void)
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
orig = NULL;
- if (options.gss_keyex)
- gss = ssh_gssapi_server_mechanisms();
- else
- gss = NULL;
+ if (options.gss_keyex) {
+ if (FIPS_mode()) {
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
+ options.gss_keyex = 0;
+ } else {
+ gss = ssh_gssapi_server_mechanisms();
+ }
+ }
if (gss && orig)
xasprintf(&newstr, "%s,%s", gss, orig);
diff -up openssh-7.4p1/sshkey.c.fips openssh-7.4p1/sshkey.c
--- openssh-7.4p1/sshkey.c.fips 2017-02-09 14:53:47.179347444 +0100
+++ openssh-7.4p1/sshkey.c 2017-02-09 14:58:02.117094971 +0100
@@ -34,6 +34,7 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/pem.h>
+#include <openssl/fips.h>
#endif
#include "crypto_api.h"
@@ -57,6 +58,7 @@
#include "sshkey.h"
#include "match.h"
#include "xmalloc.h"
+#include "log.h"
/* openssh private key file format */
#define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
@@ -1555,6 +1557,8 @@ rsa_generate_private_key(u_int bits, RSA
}
if (!BN_set_word(f4, RSA_F4) ||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
+ if (FIPS_mode())
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
@@ -3921,8 +3925,11 @@ sshkey_parse_private_fileblob_type(struc
switch (type) {
#ifdef WITH_SSH1
case KEY_RSA1:
- return sshkey_parse_private_rsa1(blob, passphrase,
- keyp, commentp);
+ if (! FIPS_mode())
+ return sshkey_parse_private_rsa1(blob, passphrase,
+ keyp, commentp);
+ error("%s: cannot parse rsa1 key in FIPS mode", __func__);
+ return SSH_ERR_KEY_TYPE_UNKNOWN;
#endif /* WITH_SSH1 */
#ifdef WITH_OPENSSL
case KEY_DSA:
@@ -3961,8 +3968,9 @@ sshkey_parse_private_fileblob(struct ssh
#ifdef WITH_SSH1
/* it's a SSH v1 key if the public key part is readable */
if (sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL) == 0) {
- return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1,
- passphrase, keyp, commentp);
+ if (!FIPS_mode())
+ return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1,
+ passphrase, keyp, commentp);
}
#endif /* WITH_SSH1 */
return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
diff -up openssh-7.4p1/ssh-keygen.c.fips openssh-7.4p1/ssh-keygen.c
--- openssh-7.4p1/ssh-keygen.c.fips 2017-05-22 13:50:06.731776762 +0200
+++ openssh-7.4p1/ssh-keygen.c 2017-05-22 13:50:11.843773909 +0200
@@ -215,6 +215,12 @@ type_bits_valid(int type, const char *na
OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
if (*bitsp > maxbits)
fatal("key bits exceeds maximum %d", maxbits);
+ if (FIPS_mode()) {
+ if (type == KEY_DSA)
+ fatal("DSA keys are not allowed in FIPS mode");
+ if (type == KEY_ED25519)
+ fatal("ED25519 keys are not allowed in FIPS mode");
+ }
if (type == KEY_DSA && *bitsp != 1024)
fatal("DSA keys must be 1024 bits");
else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 1024)

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,28 @@
From 13bd2e2d622d01dc85d22b94520a5b243d006049 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 6 Jan 2017 03:45:41 +0000
Subject: [PATCH] upstream commit
sshd_config is documented to set
GSSAPIStrictAcceptorCheck=yes by default, so actually make it do this.
bz#2637 ok dtucker
Upstream-ID: 99ef8ac51f17f0f7aec166cb2e34228d4d72a665
---
servconf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/servconf.c b/servconf.c
index 795ddbab7..c9105a592 100644
--- a/servconf.c
+++ b/servconf.c
@@ -270,7 +270,7 @@ fill_default_server_options(ServerOptions *options)
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
if (options->gss_strict_acceptor == -1)
- options->gss_strict_acceptor = 0;
+ options->gss_strict_acceptor = 1;
if (options->gss_store_rekey == -1)
options->gss_store_rekey = 0;
if (options->password_authentication == -1)

View file

@ -0,0 +1,410 @@
diff -up openssh-7.4p1/gss-genr.c.gsskexalg openssh-7.4p1/gss-genr.c
--- openssh-7.4p1/gss-genr.c.gsskexalg 2017-02-09 10:46:50.417893132 +0100
+++ openssh-7.4p1/gss-genr.c 2017-02-09 10:46:50.448893107 +0100
@@ -77,7 +77,8 @@ ssh_gssapi_oid_table_ok() {
*/
char *
-ssh_gssapi_client_mechanisms(const char *host, const char *client) {
+ssh_gssapi_client_mechanisms(const char *host, const char *client,
+ const char *kex) {
gss_OID_set gss_supported;
OM_uint32 min_status;
@@ -85,12 +86,12 @@ ssh_gssapi_client_mechanisms(const char
return NULL;
return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
- host, client));
+ host, client, kex));
}
char *
ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
- const char *host, const char *client) {
+ const char *host, const char *client, const char *kex) {
Buffer buf;
size_t i;
int oidpos, enclen;
@@ -99,6 +100,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
char deroid[2];
const EVP_MD *evp_md = EVP_md5();
EVP_MD_CTX md;
+ char *s, *cp, *p;
if (gss_enc2oid != NULL) {
for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
@@ -112,6 +114,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
buffer_init(&buf);
oidpos = 0;
+ s = cp = strdup(kex);
for (i = 0; i < gss_supported->count; i++) {
if (gss_supported->elements[i].length < 128 &&
(*check)(NULL, &(gss_supported->elements[i]), host, client)) {
@@ -130,26 +133,22 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
encoded, EVP_MD_size(evp_md) * 2);
- if (oidpos != 0)
- buffer_put_char(&buf, ',');
-
- buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
- sizeof(KEX_GSS_GEX_SHA1_ID) - 1);
- buffer_append(&buf, encoded, enclen);
- buffer_put_char(&buf, ',');
- buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID,
- sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);
- buffer_append(&buf, encoded, enclen);
- buffer_put_char(&buf, ',');
- buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,
- sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);
- buffer_append(&buf, encoded, enclen);
+ cp = strncpy(s, kex, strlen(kex));
+ for ((p = strsep(&cp, ",")); p && *p != '\0';
+ (p = strsep(&cp, ","))) {
+ if (buffer_len(&buf) != 0)
+ buffer_put_char(&buf, ',');
+ buffer_append(&buf, p,
+ strlen(p));
+ buffer_append(&buf, encoded, enclen);
+ }
gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
gss_enc2oid[oidpos].encoded = encoded;
oidpos++;
}
}
+ free(s);
gss_enc2oid[oidpos].oid = NULL;
gss_enc2oid[oidpos].encoded = NULL;
diff -up openssh-7.4p1/gss-serv.c.gsskexalg openssh-7.4p1/gss-serv.c
--- openssh-7.4p1/gss-serv.c.gsskexalg 2017-02-09 10:46:50.449893106 +0100
+++ openssh-7.4p1/gss-serv.c 2017-02-09 10:55:12.189422901 +0100
@@ -149,7 +149,7 @@ ssh_gssapi_server_mechanisms() {
if (supported_oids == NULL)
ssh_gssapi_prepare_supported_oids();
return (ssh_gssapi_kex_mechs(supported_oids,
- &ssh_gssapi_server_check_mech, NULL, NULL));
+ &ssh_gssapi_server_check_mech, NULL, NULL, options.gss_kex_algorithms));
}
/* Unprivileged */
diff -up openssh-7.4p1/kex.c.gsskexalg openssh-7.4p1/kex.c
--- openssh-7.4p1/kex.c.gsskexalg 2017-02-09 10:46:50.449893106 +0100
+++ openssh-7.4p1/kex.c 2017-02-09 10:55:44.008393539 +0100
@@ -248,6 +248,29 @@ kex_assemble_names(const char *def, char
return 0;
}
+/* Validate GSS KEX method name list */
+int
+gss_kex_names_valid(const char *names)
+{
+ char *s, *cp, *p;
+
+ if (names == NULL || *names == '\0')
+ return 0;
+ s = cp = strdup(names);
+ for ((p = strsep(&cp, ",")); p && *p != '\0';
+ (p = strsep(&cp, ","))) {
+ if (strncmp(p, "gss-", 4) != 0
+ || kex_alg_by_name(p) == NULL) {
+ error("Unsupported KEX algorithm \"%.100s\"", p);
+ free(s);
+ return 0;
+ }
+ }
+ debug3("gss kex names ok: [%s]", names);
+ free(s);
+ return 1;
+}
+
/* put algorithm proposal into buffer */
int
kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
diff -up openssh-7.4p1/kex.h.gsskexalg openssh-7.4p1/kex.h
--- openssh-7.4p1/kex.h.gsskexalg 2017-02-09 10:46:50.452893104 +0100
+++ openssh-7.4p1/kex.h 2017-02-09 11:02:35.313012903 +0100
@@ -179,6 +179,7 @@ struct kex {
char *kex_alg_list(char);
char *kex_names_cat(const char *, const char *);
int kex_assemble_names(const char *, char **);
+int gss_kex_names_valid(const char *);
int kex_new(struct ssh *, char *[PROPOSAL_MAX], struct kex **);
int kex_setup(struct ssh *, char *[PROPOSAL_MAX]);
diff -up openssh-7.4p1/readconf.c.gsskexalg openssh-7.4p1/readconf.c
--- openssh-7.4p1/readconf.c.gsskexalg 2017-02-09 10:46:50.420893129 +0100
+++ openssh-7.4p1/readconf.c 2017-02-09 10:56:06.759372540 +0100
@@ -64,6 +64,7 @@
#include "uidswap.h"
#include "myproposal.h"
#include "digest.h"
+#include "ssh-gss.h"
/* Format of the configuration file:
@@ -161,7 +162,7 @@ typedef enum {
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
- oGssServerIdentity,
+ oGssServerIdentity, oGssKexAlgorithms,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -213,6 +214,7 @@ static struct {
{ "gssapiclientidentity", oGssClientIdentity },
{ "gssapiserveridentity", oGssServerIdentity },
{ "gssapirenewalforcesrekey", oGssRenewalRekey },
+ { "gssapikexalgorithms", oGssKexAlgorithms },
#else
{ "gssapiauthentication", oUnsupported },
{ "gssapikeyexchange", oUnsupported },
@@ -220,6 +222,7 @@ static struct {
{ "gssapitrustdns", oUnsupported },
{ "gssapiclientidentity", oUnsupported },
{ "gssapirenewalforcesrekey", oUnsupported },
+ { "gssapikexalgorithms", oUnsupported },
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
@@ -996,6 +999,18 @@ parse_time:
intptr = &options->gss_renewal_rekey;
goto parse_flag;
+ case oGssKexAlgorithms:
+ arg = strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.",
+ filename, linenum);
+ if (!gss_kex_names_valid(arg))
+ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
+ filename, linenum, arg ? arg : "<NONE>");
+ if (*activep && options->gss_kex_algorithms == NULL)
+ options->gss_kex_algorithms = strdup(arg);
+ break;
+
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1813,6 +1828,7 @@ initialize_options(Options * options)
options->gss_renewal_rekey = -1;
options->gss_client_identity = NULL;
options->gss_server_identity = NULL;
+ options->gss_kex_algorithms = NULL;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1964,6 +1980,10 @@ fill_default_options(Options * options)
options->gss_trust_dns = 0;
if (options->gss_renewal_rekey == -1)
options->gss_renewal_rekey = 0;
+#ifdef GSSAPI
+ if (options->gss_kex_algorithms == NULL)
+ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
+#endif
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff -up openssh-7.4p1/readconf.h.gsskexalg openssh-7.4p1/readconf.h
--- openssh-7.4p1/readconf.h.gsskexalg 2017-02-09 10:46:50.420893129 +0100
+++ openssh-7.4p1/readconf.h 2017-02-09 10:46:50.450893106 +0100
@@ -51,6 +51,7 @@ typedef struct {
int gss_renewal_rekey; /* Credential renewal forces rekey */
char *gss_client_identity; /* Principal to initiate GSSAPI with */
char *gss_server_identity; /* GSSAPI target principal */
+ char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff -up openssh-7.4p1/servconf.c.gsskexalg openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.gsskexalg 2017-02-09 10:46:50.446893109 +0100
+++ openssh-7.4p1/servconf.c 2017-02-09 10:57:15.784309297 +0100
@@ -57,6 +57,7 @@
#include "auth.h"
#include "myproposal.h"
#include "digest.h"
+#include "ssh-gss.h"
static void add_listen_addr(ServerOptions *, char *, int);
static void add_one_listen_addr(ServerOptions *, char *, int);
@@ -117,6 +117,7 @@ initialize_server_options(ServerOptions
options->gss_cleanup_creds = -1;
options->gss_strict_acceptor = -1;
options->gss_store_rekey = -1;
+ options->gss_kex_algorithms = NULL;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
@@ -280,6 +281,10 @@ fill_default_server_options(ServerOption
options->gss_strict_acceptor = 1;
if (options->gss_store_rekey == -1)
options->gss_store_rekey = 0;
+#ifdef GSSAPI
+ if (options->gss_kex_algorithms == NULL)
+ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
+#endif
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -422,7 +425,7 @@ typedef enum {
sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
- sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
+ sGssKeyEx, sGssStoreRekey, sGssKexAlgorithms, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sHostCertificate,
@@ -501,6 +504,7 @@ static struct {
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
+ { "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
@@ -508,6 +512,7 @@ static struct {
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },
+ { "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL },
#endif
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
@@ -1249,6 +1254,18 @@ process_server_config_line(ServerOptions
intptr = &options->gss_store_rekey;
goto parse_flag;
+ case sGssKexAlgorithms:
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.",
+ filename, linenum);
+ if (!gss_kex_names_valid(arg))
+ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
+ filename, linenum, arg ? arg : "<NONE>");
+ if (*activep && options->gss_kex_algorithms == NULL)
+ options->gss_kex_algorithms = strdup(arg);
+ break;
+
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
@@ -2304,6 +2321,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
+ dump_cfg_string(sGssKexAlgorithms, o->gss_kex_algorithms);
#endif
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
dump_cfg_fmtint(sKbdInteractiveAuthentication,
diff -up openssh-7.4p1/servconf.h.gsskexalg openssh-7.4p1/servconf.h
--- openssh-7.4p1/servconf.h.gsskexalg 2017-02-09 10:46:50.450893106 +0100
+++ openssh-7.4p1/servconf.h 2017-02-09 10:57:33.717292870 +0100
@@ -116,6 +116,7 @@ typedef struct {
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
int gss_store_rekey;
+ char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
diff -up openssh-7.4p1/ssh.1.gsskexalg openssh-7.4p1/ssh.1
--- openssh-7.4p1/ssh.1.gsskexalg 2017-02-09 10:46:50.443893111 +0100
+++ openssh-7.4p1/ssh.1 2017-02-09 10:46:50.451893105 +0100
@@ -517,6 +517,7 @@ For full details of the options listed b
.It GSSAPIDelegateCredentials
.It GSSAPIRenewalForcesRekey
.It GSSAPITrustDns
+.It GSSAPIKexAlgorithms
.It HashKnownHosts
.It Host
.It HostbasedAuthentication
diff -up openssh-7.4p1/ssh_config.5.gsskexalg openssh-7.4p1/ssh_config.5
--- openssh-7.4p1/ssh_config.5.gsskexalg 2017-02-09 10:46:50.452893104 +0100
+++ openssh-7.4p1/ssh_config.5 2017-02-09 11:00:39.053122745 +0100
@@ -782,6 +782,18 @@ the name of the host being connected to.
command line will be passed untouched to the GSSAPI library.
The default is
.Dq no .
+.It Cm GSSAPIKexAlgorithms
+The list of key exchange algorithms that are offered for GSSAPI
+key exchange. Possible values are
+.Bd -literal -offset 3n
+gss-gex-sha1-,
+gss-group1-sha1-,
+gss-group14-sha1-
+.Ed
+.Pp
+The default is
+.Dq gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1- .
+This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
diff -up openssh-7.4p1/sshconnect2.c.gsskexalg openssh-7.4p1/sshconnect2.c
--- openssh-7.4p1/sshconnect2.c.gsskexalg 2017-02-09 10:46:50.451893105 +0100
+++ openssh-7.4p1/sshconnect2.c 2017-02-09 10:58:08.533260973 +0100
@@ -181,7 +181,8 @@ ssh_kex2(char *host, struct sockaddr *ho
else
gss_host = host;
- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
+ gss = ssh_gssapi_client_mechanisms(gss_host,
+ options.gss_client_identity, options.gss_kex_algorithms);
if (gss) {
debug("Offering GSSAPI proposal: %s", gss);
xasprintf(&options.kex_algorithms,
diff -up openssh-7.4p1/sshd_config.5.gsskexalg openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.gsskexalg 2017-02-09 10:46:50.452893104 +0100
+++ openssh-7.4p1/sshd_config.5 2017-02-09 11:01:55.141050861 +0100
@@ -666,6 +666,18 @@ Controls whether the user's GSSAPI crede
successful connection rekeying. This option can be used to accepted renewed
or updated credentials from a compatible client. The default is
.Dq no .
+.It Cm GSSAPIKexAlgorithms
+The list of key exchange algorithms that are accepted by GSSAPI
+key exchange. Possible values are
+.Bd -literal -offset 3n
+gss-gex-sha1-,
+gss-group1-sha1-,
+gss-group14-sha1-
+.Ed
+.Pp
+The default is
+.Dq gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1- .
+This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HostbasedAcceptedKeyTypes
Specifies the key types that will be accepted for hostbased authentication
as a comma-separated pattern list.
diff -up openssh-7.4p1/ssh-gss.h.gsskexalg openssh-7.4p1/ssh-gss.h
--- openssh-7.4p1/ssh-gss.h.gsskexalg 2017-02-09 10:46:50.425893125 +0100
+++ openssh-7.4p1/ssh-gss.h 2017-02-09 10:46:50.451893105 +0100
@@ -76,6 +76,11 @@ extern char **k5users_allowed_cmds;
#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-"
#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-"
+#define GSS_KEX_DEFAULT_KEX \
+ KEX_GSS_GEX_SHA1_ID "," \
+ KEX_GSS_GRP1_SHA1_ID "," \
+ KEX_GSS_GRP14_SHA1_ID
+
typedef struct {
char *filename;
char *envvar;
@@ -147,9 +152,9 @@ int ssh_gssapi_credentials_updated(Gssct
/* In the server */
typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *,
const char *);
-char *ssh_gssapi_client_mechanisms(const char *, const char *);
+char *ssh_gssapi_client_mechanisms(const char *, const char *, const char *);
char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *,
- const char *);
+ const char *, const char *);
gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *,
const char *);

File diff suppressed because it is too large Load diff

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,611 @@
diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.kdf-cavs 2015-03-18 11:23:46.346049359 +0100
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:24:20.395968445 +0100
@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-h
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
SSH_KEYCAT=$(libexecdir)/ssh-keycat
CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
+SSH_CAVS=$(libexecdir)/ssh-cavs
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
LIBOPENSSH_OBJS=\
ssh_api.o \
@@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o
+ $(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -331,6 +335,8 @@ install-files:
fi
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs_driver.pl $(DESTDIR)$(libexecdir)/ssh-cavs_driver.pl
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
--- openssh-6.8p1/ssh-cavs.c.kdf-cavs 2015-03-18 11:23:46.348049354 +0100
+++ openssh-6.8p1/ssh-cavs.c 2015-03-18 11:23:46.348049354 +0100
@@ -0,0 +1,380 @@
+/*
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU General Public License, in which case the provisions of the GPL2
+ * are required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
+ * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ */
+
+#include "includes.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "key.h"
+#include "cipher.h"
+#include "kex.h"
+#include "packet.h"
+
+static int bin_char(unsigned char hex)
+{
+ if (48 <= hex && 57 >= hex)
+ return (hex - 48);
+ if (65 <= hex && 70 >= hex)
+ return (hex - 55);
+ if (97 <= hex && 102 >= hex)
+ return (hex - 87);
+ return 0;
+}
+
+/*
+ * Convert hex representation into binary string
+ * @hex input buffer with hex representation
+ * @hexlen length of hex
+ * @bin output buffer with binary data
+ * @binlen length of already allocated bin buffer (should be at least
+ * half of hexlen -- if not, only a fraction of hexlen is converted)
+ */
+static void hex2bin(const char *hex, size_t hexlen,
+ unsigned char *bin, size_t binlen)
+{
+ size_t i = 0;
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
+
+ for (i = 0; i < chars; i++) {
+ bin[i] = bin_char(hex[(i*2)]) << 4;
+ bin[i] |= bin_char(hex[((i*2)+1)]);
+ }
+}
+
+/*
+ * Allocate sufficient space for binary representation of hex
+ * and convert hex into bin
+ *
+ * Caller must free bin
+ * @hex input buffer with hex representation
+ * @hexlen length of hex
+ * @bin return value holding the pointer to the newly allocated buffer
+ * @binlen return value holding the allocated size of bin
+ *
+ * return: 0 on success, !0 otherwise
+ */
+static int hex2bin_alloc(const char *hex, size_t hexlen,
+ unsigned char **bin, size_t *binlen)
+{
+ unsigned char *out = NULL;
+ size_t outlen = 0;
+
+ if (!hexlen)
+ return -EINVAL;
+
+ outlen = (hexlen + 1) / 2;
+
+ out = calloc(1, outlen);
+ if (!out)
+ return -errno;
+
+ hex2bin(hex, hexlen, out, outlen);
+ *bin = out;
+ *binlen = outlen;
+ return 0;
+}
+
+static char hex_char_map_l[] = { '0', '1', '2', '3', '4', '5', '6', '7',
+ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
+static char hex_char_map_u[] = { '0', '1', '2', '3', '4', '5', '6', '7',
+ '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
+static char hex_char(unsigned int bin, int u)
+{
+ if (bin < sizeof(hex_char_map_l))
+ return (u) ? hex_char_map_u[bin] : hex_char_map_l[bin];
+ return 'X';
+}
+
+/*
+ * Convert binary string into hex representation
+ * @bin input buffer with binary data
+ * @binlen length of bin
+ * @hex output buffer to store hex data
+ * @hexlen length of already allocated hex buffer (should be at least
+ * twice binlen -- if not, only a fraction of binlen is converted)
+ * @u case of hex characters (0=>lower case, 1=>upper case)
+ */
+static void bin2hex(const unsigned char *bin, size_t binlen,
+ char *hex, size_t hexlen, int u)
+{
+ size_t i = 0;
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
+
+ for (i = 0; i < chars; i++) {
+ hex[(i*2)] = hex_char((bin[i] >> 4), u);
+ hex[((i*2)+1)] = hex_char((bin[i] & 0x0f), u);
+ }
+}
+
+struct kdf_cavs {
+ unsigned char *K;
+ size_t Klen;
+ unsigned char *H;
+ size_t Hlen;
+ unsigned char *session_id;
+ size_t session_id_len;
+
+ unsigned int iv_len;
+ unsigned int ek_len;
+ unsigned int ik_len;
+};
+
+static int sshkdf_cavs(struct kdf_cavs *test)
+{
+ int ret = 0;
+ struct kex kex;
+ BIGNUM *Kbn = NULL;
+ int mode = 0;
+ struct newkeys *ctoskeys;
+ struct newkeys *stockeys;
+ struct ssh *ssh = NULL;
+
+#define HEXOUTLEN 500
+ char hex[HEXOUTLEN];
+
+ memset(&kex, 0, sizeof(struct kex));
+
+ Kbn = BN_new();
+ BN_bin2bn(test->K, test->Klen, Kbn);
+ if (!Kbn) {
+ printf("cannot convert K into BIGNUM\n");
+ ret = 1;
+ goto out;
+ }
+
+ kex.session_id = test->session_id;
+ kex.session_id_len = test->session_id_len;
+
+ /* setup kex */
+
+ /* select the right hash based on struct ssh_digest digests */
+ switch (test->ik_len) {
+ case 20:
+ kex.hash_alg = 2;
+ break;
+ case 32:
+ kex.hash_alg = 3;
+ break;
+ case 48:
+ kex.hash_alg = 4;
+ break;
+ case 64:
+ kex.hash_alg = 5;
+ break;
+ default:
+ printf("Wrong hash type %u\n", test->ik_len);
+ ret = 1;
+ goto out;
+ }
+
+ /* implement choose_enc */
+ for (mode = 0; mode < 2; mode++) {
+ kex.newkeys[mode] = calloc(1, sizeof(struct newkeys));
+ if (!kex.newkeys[mode]) {
+ printf("allocation of newkeys failed\n");
+ ret = 1;
+ goto out;
+ }
+ kex.newkeys[mode]->enc.iv_len = test->iv_len;
+ kex.newkeys[mode]->enc.key_len = test->ek_len;
+ kex.newkeys[mode]->enc.block_size = (test->iv_len == 64) ? 8 : 16;
+ kex.newkeys[mode]->mac.key_len = test->ik_len;
+ }
+
+ /* implement kex_choose_conf */
+ kex.we_need = kex.newkeys[0]->enc.key_len;
+ if (kex.we_need < kex.newkeys[0]->enc.block_size)
+ kex.we_need = kex.newkeys[0]->enc.block_size;
+ if (kex.we_need < kex.newkeys[0]->enc.iv_len)
+ kex.we_need = kex.newkeys[0]->enc.iv_len;
+ if (kex.we_need < kex.newkeys[0]->mac.key_len)
+ kex.we_need = kex.newkeys[0]->mac.key_len;
+
+ /* MODE_OUT (1) -> server to client
+ * MODE_IN (0) -> client to server */
+ kex.server = 1;
+
+ /* do it */
+ if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL){
+ printf("Allocation error\n");
+ goto out;
+ }
+ ssh->kex = &kex;
+ kex_derive_keys_bn(ssh, test->H, test->Hlen, Kbn);
+
+ ctoskeys = kex.newkeys[0];
+ stockeys = kex.newkeys[1];
+
+ /* get data */
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(ctoskeys->enc.iv, (size_t)ctoskeys->enc.iv_len,
+ hex, HEXOUTLEN, 0);
+ printf("Initial IV (client to server) = %s\n", hex);
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(stockeys->enc.iv, (size_t)stockeys->enc.iv_len,
+ hex, HEXOUTLEN, 0);
+ printf("Initial IV (server to client) = %s\n", hex);
+
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(ctoskeys->enc.key, (size_t)ctoskeys->enc.key_len,
+ hex, HEXOUTLEN, 0);
+ printf("Encryption key (client to server) = %s\n", hex);
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(stockeys->enc.key, (size_t)stockeys->enc.key_len,
+ hex, HEXOUTLEN, 0);
+ printf("Encryption key (server to client) = %s\n", hex);
+
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(ctoskeys->mac.key, (size_t)ctoskeys->mac.key_len,
+ hex, HEXOUTLEN, 0);
+ printf("Integrity key (client to server) = %s\n", hex);
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(stockeys->mac.key, (size_t)stockeys->mac.key_len,
+ hex, HEXOUTLEN, 0);
+ printf("Integrity key (server to client) = %s\n", hex);
+
+out:
+ if (Kbn)
+ BN_free(Kbn);
+ if (kex.newkeys[0])
+ free(kex.newkeys[0]);
+ if (kex.newkeys[1])
+ free(kex.newkeys[1]);
+ if (ssh)
+ ssh_packet_close(ssh);
+ return ret;
+}
+
+static void usage(void)
+{
+ fprintf(stderr, "\nOpenSSH KDF CAVS Test\n\n");
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, "\t-K\tShared secret string\n");
+ fprintf(stderr, "\t-H\tHash string\n");
+ fprintf(stderr, "\t-s\tSession ID string\n");
+ fprintf(stderr, "\t-i\tIV length to be generated\n");
+ fprintf(stderr, "\t-e\tEncryption key length to be generated\n");
+ fprintf(stderr, "\t-m\tMAC key length to be generated\n");
+}
+
+/*
+ * Test command example:
+ * ./ssh-cavs -K 0055d50f2d163cc07cd8a93cc7c3430c30ce786b572c01ad29fec7597000cf8618d664e2ec3dcbc8bb7a1a7eb7ef67f61cdaf291625da879186ac0a5cb27af571b59612d6a6e0627344d846271959fda61c78354aa498773d59762f8ca2d0215ec590d8633de921f920d41e47b3de6ab9a3d0869e1c826d0e4adebf8e3fb646a15dea20a410b44e969f4b791ed6a67f13f1b74234004d5fa5e87eff7abc32d49bbdf44d7b0107e8f10609233b7e2b7eff74a4daf25641de7553975dac6ac1e5117df6f6dbaa1c263d23a6c3e5a3d7d49ae8a828c1e333ac3f85fbbf57b5c1a45be45e43a7be1a4707eac779b8285522d1f531fe23f890fd38a004339932b93eda4 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
+ *
+ * Initial IV (client to server) = 4bb320d1679dfd3a
+ * Initial IV (server to client) = 43dea6fdf263a308
+ * Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
+ * Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
+ * Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
+ * Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
+ */
+int main(int argc, char *argv[])
+{
+ struct kdf_cavs test;
+ int ret = 1;
+ int opt = 0;
+
+ memset(&test, 0, sizeof(struct kdf_cavs));
+ while((opt = getopt(argc, argv, "K:H:s:i:e:m:")) != -1)
+ {
+ size_t len = 0;
+ switch(opt)
+ {
+ /*
+ * CAVS K is MPINT
+ * we want a hex (i.e. the caller must ensure the
+ * following transformations already happened):
+ * 1. cut off first four bytes
+ * 2. if most significant bit of value is
+ * 1, prepend 0 byte
+ */
+ case 'K':
+ len = strlen(optarg);
+ ret = hex2bin_alloc(optarg, len,
+ &test.K, &test.Klen);
+ if (ret)
+ goto out;
+ break;
+ case 'H':
+ len = strlen(optarg);
+ ret = hex2bin_alloc(optarg, len,
+ &test.H, &test.Hlen);
+ if (ret)
+ goto out;
+ break;
+ case 's':
+ len = strlen(optarg);
+ ret = hex2bin_alloc(optarg, len,
+ &test.session_id,
+ &test.session_id_len);
+ if (ret)
+ goto out;
+ break;
+ case 'i':
+ test.iv_len = strtoul(optarg, NULL, 10);
+ break;
+ case 'e':
+ test.ek_len = strtoul(optarg, NULL, 10);
+ break;
+ case 'm':
+ test.ik_len = strtoul(optarg, NULL, 10);
+ break;
+ default:
+ usage();
+ goto out;
+ }
+ }
+
+ ret = sshkdf_cavs(&test);
+
+out:
+ if (test.session_id)
+ free(test.session_id);
+ if (test.K)
+ free(test.K);
+ if (test.H)
+ free(test.H);
+ return ret;
+
+}
diff -up openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs openssh-6.8p1/ssh-cavs_driver.pl
--- openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs 2015-03-18 11:23:46.348049354 +0100
+++ openssh-6.8p1/ssh-cavs_driver.pl 2015-03-18 11:23:46.348049354 +0100
@@ -0,0 +1,184 @@
+#!/usr/bin/env perl
+#
+# CAVS test driver for OpenSSH
+#
+# Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# NO WARRANTY
+#
+# BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+# FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+# OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+# PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+# OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+# TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+# PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+# REPAIR OR CORRECTION.
+#
+# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+# REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+# INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+# OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+# TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+# YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+# PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGES.
+#
+use strict;
+use warnings;
+use IPC::Open2;
+
+# Executing a program by feeding STDIN and retrieving
+# STDOUT
+# $1: data string to be piped to the app on STDIN
+# rest: program and args
+# returns: STDOUT of program as string
+sub pipe_through_program($@) {
+ my $in = shift;
+ my @args = @_;
+
+ my ($CO, $CI);
+ my $pid = open2($CO, $CI, @args);
+
+ my $out = "";
+ my $len = length($in);
+ my $first = 1;
+ while (1) {
+ my $rin = "";
+ my $win = "";
+ # Output of prog is FD that we read
+ vec($rin,fileno($CO),1) = 1;
+ # Input of prog is FD that we write
+ # check for $first is needed because we can have NULL input
+ # that is to be written to the app
+ if ( $len > 0 || $first) {
+ (vec($win,fileno($CI),1) = 1);
+ $first=0;
+ }
+ # Let us wait for 100ms
+ my $nfound = select(my $rout=$rin, my $wout=$win, undef, 0.1);
+ if ( $wout ) {
+ my $written = syswrite($CI, $in, $len);
+ die "broken pipe" if !defined $written;
+ $len -= $written;
+ substr($in, 0, $written) = "";
+ if ($len <= 0) {
+ close $CI or die "broken pipe: $!";
+ }
+ }
+ if ( $rout ) {
+ my $tmp_out = "";
+ my $bytes_read = sysread($CO, $tmp_out, 4096);
+ $out .= $tmp_out;
+ last if ($bytes_read == 0);
+ }
+ }
+ close $CO or die "broken pipe: $!";
+ waitpid $pid, 0;
+
+ return $out;
+}
+
+# Parser of CAVS test vector file
+# $1: Test vector file
+# $2: Output file for test results
+# return: nothing
+sub parse($$) {
+ my $infile = shift;
+ my $outfile = shift;
+
+ my $out = "";
+
+ my $K = "";
+ my $H = "";
+ my $session_id = "";
+ my $ivlen = 0;
+ my $eklen = "";
+ my $iklen = "";
+
+ open(IN, "<$infile");
+ while(<IN>) {
+
+ my $line = $_;
+ chomp($line);
+ $line =~ s/\r//;
+
+ if ($line =~ /\[SHA-1\]/) {
+ $iklen = 20;
+ } elsif ($line =~ /\[SHA-256\]/) {
+ $iklen = 32;
+ } elsif ($line =~ /\[SHA-384\]/) {
+ $iklen = 48;
+ } elsif ($line =~ /\[SHA-512\]/) {
+ $iklen = 64;
+ } elsif ($line =~ /^\[IV length\s*=\s*(.*)\]/) {
+ $ivlen = $1;
+ $ivlen = $ivlen / 8;
+ } elsif ($line =~ /^\[encryption key length\s*=\s*(.*)\]/) {
+ $eklen = $1;
+ $eklen = $eklen / 8;
+ } elsif ($line =~ /^K\s*=\s*(.*)/) {
+ $K = $1;
+ $K = substr($K, 8);
+ $K = "00" . $K;
+ } elsif ($line =~ /^H\s*=\s*(.*)/) {
+ $H = $1;
+ } elsif ($line =~ /^session_id\s*=\s*(.*)/) {
+ $session_id = $1;
+ }
+ $out .= $line . "\n";
+
+ if ($K ne "" && $H ne "" && $session_id ne "" &&
+ $ivlen ne "" && $eklen ne "" && $iklen > 0) {
+ $out .= pipe_through_program("", "./ssh-cavs -H $H -K $K -s $session_id -i $ivlen -e $eklen -m $iklen");
+
+ $K = "";
+ $H = "";
+ $session_id = "";
+ }
+ }
+ close IN;
+ $out =~ s/\n/\r\n/g; # make it a dos file
+ open(OUT, ">$outfile") or die "Cannot create output file $outfile: $?";
+ print OUT $out;
+ close OUT;
+}
+
+############################################################
+#
+# let us pretend to be C :-)
+sub main() {
+
+ my $infile=$ARGV[0];
+ die "Error: Test vector file $infile not found" if (! -f $infile);
+
+ my $outfile = $infile;
+ # let us add .rsp regardless whether we could strip .req
+ $outfile =~ s/\.req$//;
+ $outfile .= ".rsp";
+ if (-f $outfile) {
+ die "Output file $outfile could not be removed: $?"
+ unless unlink($outfile);
+ }
+ print STDERR "Performing tests from source file $infile with results stored in destination file $outfile\n";
+
+ # Do the job
+ parse($infile, $outfile);
+}
+
+###########################################
+# Call it
+main();
+1;

288
openssh-7.4p1-kuserok.patch Normal file
View file

@ -0,0 +1,288 @@
diff -up openssh-7.4p1/auth-krb5.c.kuserok openssh-7.4p1/auth-krb5.c
--- openssh-7.4p1/auth-krb5.c.kuserok 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/auth-krb5.c 2017-02-09 09:20:00.958084311 +0100
@@ -54,6 +54,21 @@
extern ServerOptions options;
+int
+ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client,
+ int k5login_exists)
+{
+ if (options.use_kuserok || !k5login_exists)
+ return krb5_kuserok(krb5_ctx, krb5_user, client);
+ else {
+ char kuser[65];
+
+ if (krb5_aname_to_localname(krb5_ctx, krb5_user, sizeof(kuser), kuser))
+ return 0;
+ return strcmp(kuser, client) == 0;
+ }
+}
+
static int
krb5_init(void *context)
{
@@ -157,8 +172,9 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem)
goto out;
- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
- authctxt->pw->pw_name)) {
+ /* Use !options.use_kuserok here to make ssh_krb5_kuserok() not
+ * depend on the existance of .k5login */
+ if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, authctxt->pw->pw_name, !options.use_kuserok)) {
problem = -1;
goto out;
}
diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c
--- openssh-7.4p1/gss-serv-krb5.c.kuserok 2017-02-09 09:20:00.955084317 +0100
+++ openssh-7.4p1/gss-serv-krb5.c 2017-02-09 09:20:00.958084311 +0100
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
int);
static krb5_context krb_context = NULL;
+extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *, int);
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
@@ -92,6 +93,103 @@ ssh_gssapi_krb5_init(void)
* Returns true if the user is OK to log in, otherwise returns 0
*/
+/* The purpose of the function is to find out if a Kerberos principal is
+ * allowed to log in as the given local user. This is a general problem with
+ * Kerberized services because by design the Kerberos principals are
+ * completely independent from the local user names. This is one of the
+ * reasons why Kerberos is working well on different operating systems like
+ * Windows and UNIX/Linux. Nevertheless a relationship between a Kerberos
+ * principal and a local user name must be established because otherwise every
+ * access would be granted for every principal with a valid ticket.
+ *
+ * Since it is a general issue libkrb5 provides some functions for
+ * applications to find out about the relationship between the Kerberos
+ * principal and a local user name. They are krb5_kuserok() and
+ * krb5_aname_to_localname().
+ *
+ * krb5_kuserok() can be used to "Determine if a principal is authorized to
+ * log in as a local user" (from the MIT Kerberos documentation of this
+ * function). Which is exactly what we are looking for and should be the
+ * preferred choice. It accepts the Kerberos principal and a local user name
+ * and let libkrb5 or its plugins determine if they relate to each other or
+ * not.
+ *
+ * krb5_aname_to_localname() can use used to "Convert a principal name to a
+ * local name" (from the MIT Kerberos documentation of this function). It
+ * accepts a Kerberos principle and returns a local name and it is up to the
+ * application to do any additional checks. There are two issues using
+ * krb5_aname_to_localname(). First, since POSIX user names are case
+ * sensitive, the calling application in general has no other choice than
+ * doing a case-sensitive string comparison between the name returned by
+ * krb5_aname_to_localname() and the name used at the login prompt. When the
+ * users are provided by a case in-sensitive server, e.g. Active Directory,
+ * this might lead to login failures because the user typing the name at the
+ * login prompt might not be aware of the right case. Another issue might be
+ * caused if there are multiple alias names available for a single user. E.g.
+ * the canonical name of a user is user@group.department.example.com but there
+ * exists a shorter login name, e.g. user@example.com, to safe typing at the
+ * login prompt. Here krb5_aname_to_localname() can only return the canonical
+ * name, but if the short alias is used at the login prompt authentication
+ * will fail as well. All this can be avoided by using krb5_kuserok() and
+ * configuring krb5.conf or using a suitable plugin to meet the needs of the
+ * given environment.
+ *
+ * The Fedora and RHEL version of openssh contain two patches which modify the
+ * access control behavior:
+ * - openssh-6.6p1-kuserok.patch
+ * - openssh-6.6p1-force_krb.patch
+ *
+ * openssh-6.6p1-kuserok.patch adds a new option KerberosUseKuserok for
+ * sshd_config which controls if krb5_kuserok() is used to check if the
+ * principle is authorized or if krb5_aname_to_localname() should be used.
+ * The reason to add this patch was that krb5_kuserok() by default checks if
+ * a .k5login file exits in the users home-directory. With this the user can
+ * give access to his account for any given principal which might be
+ * in violation with company policies and it would be useful if this can be
+ * rejected. Nevertheless the patch ignores the fact that krb5_kuserok() does
+ * no only check .k5login but other sources as well and checking .k5login can
+ * be disabled for all applications in krb5.conf as well. With this new
+ * option KerberosUseKuserok set to 'no' (and this is the default for RHEL7
+ * and Fedora 21) openssh can only use krb5_aname_to_localname() with the
+ * restrictions mentioned above.
+ *
+ * openssh-6.6p1-force_krb.patch adds a ksu like behaviour to ssh, i.e. when
+ * using GSSAPI authentication only commands configured in the .k5user can be
+ * executed. Here the wrong assumption that krb5_kuserok() only checks
+ * .k5login is made as well. In contrast ksu checks .k5login directly and
+ * does not use krb5_kuserok() which might be more useful for the given
+ * purpose. Additionally this patch is not synced with
+ * openssh-6.6p1-kuserok.patch.
+ *
+ * The current patch tries to restore the usage of krb5_kuserok() so that e.g.
+ * localauth plugins can be used. It does so by adding a forth parameter to
+ * ssh_krb5_kuserok() which indicates whether .k5login exists or not. If it
+ * does not exists krb5_kuserok() is called even if KerberosUseKuserok is set
+ * to 'no' because the intent of the option is to not check .k5login and if it
+ * does not exists krb5_kuserok() returns a result without checking .k5login.
+ * If .k5login does exists and KerberosUseKuserok is 'no' we fall back to
+ * krb5_aname_to_localname(). This is in my point of view an acceptable
+ * limitation and does not break the current behaviour.
+ *
+ * Additionally with this patch ssh_krb5_kuserok() is called in
+ * ssh_gssapi_krb5_cmdok() instead of only krb5_aname_to_localname() is
+ * neither .k5login nor .k5users exists to allow plugin evaluation via
+ * krb5_kuserok() as well.
+ *
+ * I tried to keep the patch as minimal as possible, nevertheless I see some
+ * areas for improvement which, if they make sense, have to be evaluated
+ * carefully because they might change existing behaviour and cause breaks
+ * during upgrade:
+ * - I wonder if disabling .k5login usage make sense in sshd or if it should
+ * be better disabled globally in krb5.conf
+ * - if really needed openssh-6.6p1-kuserok.patch should be fixed to really
+ * only disable checking .k5login and maybe .k5users
+ * - the ksu behaviour should be configurable and maybe check the .k5login and
+ * .k5users files directly like ksu itself does
+ * - to make krb5_aname_to_localname() more useful an option for sshd to use
+ * the canonical name (the one returned by getpwnam()) instead of the name
+ * given at the login prompt might be useful */
+
static int
ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
{
@@ -116,7 +214,8 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
/* NOTE: .k5login and .k5users must opened as root, not the user,
* because if they are on a krb5-protected filesystem, user credentials
* to access these files aren't available yet. */
- if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
+ if (ssh_krb5_kuserok(krb_context, princ, name, k5login_exists)
+ && k5login_exists) {
retval = 1;
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
name, (char *)client->displayname.value);
@@ -171,9 +270,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
/* If both .k5login and .k5users DNE, self-login is ok. */
if (!k5login_exists && (access(file, F_OK) == -1)) {
- return (krb5_aname_to_localname(krb_context, principal,
- sizeof(kuser), kuser) == 0) &&
- (strcmp(kuser, luser) == 0);
+ return ssh_krb5_kuserok(krb_context, principal, luser,
+ k5login_exists);
}
if ((fp = fopen(file, "r")) == NULL) {
int saved_errno = errno;
diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.kuserok 2017-02-09 09:20:00.951084326 +0100
+++ openssh-7.4p1/servconf.c 2017-02-09 09:21:29.802896034 +0100
@@ -165,6 +165,7 @@ initialize_server_options(ServerOptions
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
+ options->use_kuserok = -1;
options->fingerprint_hash = -1;
options->disable_forwarding = -1;
}
@@ -334,6 +335,8 @@ fill_default_server_options(ServerOption
options->version_addendum = xstrdup("");
if (options->show_patchlevel == -1)
options->show_patchlevel = 0;
+ if (options->use_kuserok == -1)
+ options->use_kuserok = 1;
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
options->fwd_opts.streamlocal_bind_mask = 0177;
if (options->fwd_opts.streamlocal_bind_unlink == -1)
@@ -399,7 +402,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken,
+ sKerberosGetAFSToken, sKerberosUseKuserok,
sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
@@ -478,11 +481,13 @@ static struct {
#else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
+ { "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
#else
{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
+ { "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
#endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
*activep = value;
break;
+ case sKerberosUseKuserok:
+ intptr = &options->use_kuserok;
+ goto parse_flag;
+
case sPermitOpen:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
@@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(client_alive_interval);
M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk);
+ M_CP_INTOPT(use_kuserok);
M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval);
@@ -2308,6 +2318,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
/* string arguments */
diff -up openssh-7.4p1/servconf.h.kuserok openssh-7.4p1/servconf.h
--- openssh-7.4p1/servconf.h.kuserok 2017-02-09 09:20:00.951084326 +0100
+++ openssh-7.4p1/servconf.h 2017-02-09 09:20:00.959084309 +0100
@@ -174,6 +174,7 @@ typedef struct {
int num_permitted_opens;
+ int use_kuserok;
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.kuserok 2017-02-09 09:20:00.959084309 +0100
+++ openssh-7.4p1/sshd_config.5 2017-02-09 09:22:33.517761012 +0100
@@ -846,6 +846,10 @@ Specifies whether to automatically destr
file on logout.
The default is
.Cm yes .
+.It Cm KerberosUseKuserok
+Specifies whether to look at .k5login file for user's aliases.
+The default is
+.Cm yes .
.It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
@@ -1074,6 +1078,7 @@ Available keywords are
.Cm IPQoS ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
+.Cm KerberosUseKuserok ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
.Cm PasswordAuthentication ,
diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config
--- openssh-7.4p1/sshd_config.kuserok 2017-02-09 09:20:00.953084322 +0100
+++ openssh-7.4p1/sshd_config 2017-02-09 09:20:00.959084309 +0100
@@ -73,6 +73,7 @@ ChallengeResponseAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
+#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes

View file

@ -0,0 +1,263 @@
diff -up openssh-7.4p1/dh.h.legacy openssh-7.4p1/dh.h
--- openssh-7.4p1/dh.h.legacy 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/dh.h 2017-03-02 17:00:37.640695985 +0100
@@ -50,7 +50,7 @@ u_int dh_estimate(int);
* Max value from RFC4419.
* Miniumum increased in light of DH precomputation attacks.
*/
-#define DH_GRP_MIN 2048
+#define DH_GRP_MIN 1024
#define DH_GRP_MAX 8192
/*
diff -up openssh-7.4p1/moduli.legacy openssh-7.4p1/moduli
--- openssh-7.4p1/moduli.legacy 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/moduli 2017-03-02 17:00:37.642695983 +0100
@@ -1,5 +1,83 @@
# $OpenBSD: moduli,v 1.18 2016/08/11 01:42:11 dtucker Exp $
# Time Type Tests Tries Size Generator Modulus
+20150520233853 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA2AC62AF
+20150520233854 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA2BCC50F
+20150520233854 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA2C241F3
+20150520233855 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA2DDF347
+20150520233856 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA2E3FDBB
+20150520233857 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3006603
+20150520233858 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA31D9C37
+20150520233859 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA333355B
+20150520233900 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3428B23
+20150520233902 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA37C9A43
+20150520233903 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA384B367
+20150520233903 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3903453
+20150520233904 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3946C77
+20150520233904 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA39F6A9B
+20150520233904 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3A0E88B
+20150520233905 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3A37763
+20150520233906 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3BBDD57
+20150520233906 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3BDCDD7
+20150520233906 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3BF5D73
+20150520233907 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3C9BB83
+20150520233908 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3E5ADCF
+20150520233909 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3F82077
+20150520233910 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA406944F
+20150520233910 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA40F7457
+20150520233912 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA438733B
+20150520233913 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA44707FB
+20150520233914 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA4588A2B
+20150520233916 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA48CC01B
+20150520233917 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA4960077
+20150522025931 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAD18DA1F
+20150522025936 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAD3763B3
+20150522025942 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAD702B8B
+20150522025943 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAD77C283
+20150522025947 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAD96C25B
+20150522025953 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DADD9B3DB
+20150522025956 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DADE84F07
+20150522025957 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DADEC1DB3
+20150522030001 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE0E297F
+20150522030004 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE2A1E23
+20150522030005 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE2ADE53
+20150522030008 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE47B9F7
+20150522030009 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE4E1343
+20150522030014 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE715CBB
+20150522030016 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE7BC9EF
+20150522030018 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE84579B
+20150522030019 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE8A564B
+20150522030023 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAEAF7AD7
+20150522030025 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAEB9DC53
+20150522030027 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAECD976F
+20150522030034 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF07F063
+20150522030034 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF08ACBB
+20150522030037 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF192C07
+20150522030039 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF241333
+20150522030040 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF255B3B
+20150522030044 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF3DEC37
+20150522030048 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF60F05B
+20150522030049 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF6255DF
+20150522030055 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF8EE01F
+20150522030059 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAFAD237B
+20150522030104 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAFD13587
+20150522030105 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAFD2BE6F
+20150522030108 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAFECF32F
+20150522030112 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAFFDEED7
+20150522030115 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB01CAA63
+20150522030116 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB01F3647
+20150522030119 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB034B30F
+20150522030122 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB04822EF
+20150522030124 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB0528867
+20150522030131 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB08D3CAB
+20150522030136 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB0B10C6F
+20150522030138 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB0C688A7
+20150522030140 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB0CCDF9B
+20150522030141 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB0CFD81B
+20150522030145 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB0F59763
+20150522030148 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB10339FB
+20150522030149 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB10E3ACB
+20150522030150 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB11127F3
+20150522030159 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB15B8BDB
20160301052556 2 6 100 2047 5 DA57B18976E9C55CEAC3BFFF70419A1550258EA7359400BD4FAC8F4203B73E0BC54D62C0A2D9AA9B543FACA0290514EA426DE6FEF897CB858243511DCE5170420C799D888DCFDC4502FF49B66F34E75C00E98A55408A791FF5CFEA7C288F8E6664226A6A90BE237D2E40C207B5AD0CAEDFDA4946E63AEA351A09EF462515FED4098694241CD07E2CB7727B39B8B1B9467D72DFB908D8169F5DB3CD5A6BEBE1344C585A882508B760402E86EB9B5548A7B98635ECFCDC02FF62B29C53847142FC598ADC66F622F6E9F73BDF02B3D795C0DF23D00E5A3A7748F3E1D5B06F46D4568CE3F4CC57E67D4C36DF5C12800620698C727CC5F5BCACF3B7E17E37D19F4647
20160301052601 2 6 100 2047 2 DA57B18976E9C55CEAC3BFFF70419A1550258EA7359400BD4FAC8F4203B73E0BC54D62C0A2D9AA9B543FACA0290514EA426DE6FEF897CB858243511DCE5170420C799D888DCFDC4502FF49B66F34E75C00E98A55408A791FF5CFEA7C288F8E6664226A6A90BE237D2E40C207B5AD0CAEDFDA4946E63AEA351A09EF462515FED4098694241CD07E2CB7727B39B8B1B9467D72DFB908D8169F5DB3CD5A6BEBE1344C585A882508B760402E86EB9B5548A7B98635ECFCDC02FF62B29C53847142FC598ADC66F622F6E9F73BDF02B3D795C0DF23D00E5A3A7748F3E1D5B06F46D4568CE3F4CC57E67D4C36DF5C12800620698C727CC5F5BCACF3B7E17E37D1A5C13B
20160301052612 2 6 100 2047 5 DA57B18976E9C55CEAC3BFFF70419A1550258EA7359400BD4FAC8F4203B73E0BC54D62C0A2D9AA9B543FACA0290514EA426DE6FEF897CB858243511DCE5170420C799D888DCFDC4502FF49B66F34E75C00E98A55408A791FF5CFEA7C288F8E6664226A6A90BE237D2E40C207B5AD0CAEDFDA4946E63AEA351A09EF462515FED4098694241CD07E2CB7727B39B8B1B9467D72DFB908D8169F5DB3CD5A6BEBE1344C585A882508B760402E86EB9B5548A7B98635ECFCDC02FF62B29C53847142FC598ADC66F622F6E9F73BDF02B3D795C0DF23D00E5A3A7748F3E1D5B06F46D4568CE3F4CC57E67D4C36DF5C12800620698C727CC5F5BCACF3B7E17E37D1B7A3EF
diff -up openssh-7.4p1/myproposal.h.legacy openssh-7.4p1/myproposal.h
--- openssh-7.4p1/myproposal.h.legacy 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/myproposal.h 2017-03-02 17:05:12.353352522 +0100
@@ -96,34 +96,40 @@
KEX_SHA2_METHODS
#define KEX_SERVER_KEX KEX_COMMON_KEX \
+ "diffie-hellman-group-exchange-sha1," \
KEX_SHA2_GROUP14 \
- "diffie-hellman-group14-sha1" \
+ "diffie-hellman-group14-sha1," \
+ "diffie-hellman-group1-sha1"
#define KEX_CLIENT_KEX KEX_COMMON_KEX \
"diffie-hellman-group-exchange-sha1," \
KEX_SHA2_GROUP14 \
- "diffie-hellman-group14-sha1"
+ "diffie-hellman-group14-sha1," \
+ "diffie-hellman-group1-sha1"
#define KEX_DEFAULT_PK_ALG \
HOSTKEY_ECDSA_CERT_METHODS \
"ssh-ed25519-cert-v01@openssh.com," \
"ssh-rsa-cert-v01@openssh.com," \
+ "ssh-dss-cert-v01@openssh.com," \
HOSTKEY_ECDSA_METHODS \
"ssh-ed25519," \
"rsa-sha2-512," \
"rsa-sha2-256," \
- "ssh-rsa"
+ "ssh-rsa," \
+ "ssh-dss"
/* the actual algorithms */
-#define KEX_SERVER_ENCRYPT \
+#define KEX_CLIENT_ENCRYPT \
"chacha20-poly1305@openssh.com," \
"aes128-ctr,aes192-ctr,aes256-ctr" \
- AESGCM_CIPHER_MODES
-
-#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
+ AESGCM_CIPHER_MODES "," \
"aes128-cbc,aes192-cbc,aes256-cbc"
+#define KEX_SERVER_ENCRYPT KEX_CLIENT_ENCRYPT "," \
+ "blowfish-cbc,cast128-cbc,3des-cbc"
+
#define KEX_SERVER_MAC \
"umac-64-etm@openssh.com," \
"umac-128-etm@openssh.com," \
diff -up openssh-7.4p1/ssh_config.5.legacy openssh-7.4p1/ssh_config.5
--- openssh-7.4p1/ssh_config.5.legacy 2017-03-02 17:00:37.620696010 +0100
+++ openssh-7.4p1/ssh_config.5 2017-03-02 17:00:37.642695983 +0100
@@ -833,8 +833,9 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
+ssh-dss-cert-v01@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa
+ssh-ed25519,ssh-rsa,ssh-dss
.Ed
.Pp
The
@@ -856,8 +857,9 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
+ssh-dss-cert-v01@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa
+ssh-ed25519,ssh-rsa,ssh-dss
.Ed
.Pp
If hostkeys are known for the destination host then this default is modified
@@ -1075,7 +1077,8 @@ curve25519-sha256,curve25519-sha256@libs
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group-exchange-sha1,
-diffie-hellman-group14-sha1
+diffie-hellman-group14-sha1,
+diffie-hellman-group1-sha1
.Ed
.Pp
The list of available key exchange algorithms may also be obtained using
@@ -1313,8 +1316,9 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
+ssh-dss-cert-v01@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa
+ssh-ed25519,ssh-rsa,ssh-dsa
.Ed
.Pp
The list of available key types may also be obtained using
diff -up openssh-7.4p1/sshd_config.5.legacy openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.legacy 2017-03-02 17:00:37.636695990 +0100
+++ openssh-7.4p1/sshd_config.5 2017-03-02 17:04:17.528421067 +0100
@@ -481,7 +481,9 @@ The default is:
.Bd -literal -offset indent
chacha20-poly1305@openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr,
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
+aes128-gcm@openssh.com,aes256-gcm@openssh.com,
+aes128-cbc,aes192-cbc,aes256-cbc,
+blowfish-cbc,cast128-cbc,3des-cbc
.Ed
.Pp
The list of available ciphers may also be obtained using
@@ -707,8 +709,9 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
+ssh-dss-cert-v01@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa
+ssh-ed25519,ssh-rsa,ssh-dss
.Ed
.Pp
The list of available key types may also be obtained using
@@ -785,8 +788,9 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
+ssh-dss-cert-v01@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa
+ssh-ed25519,ssh-rsa,ssh-dss
.Ed
.Pp
The list of available key types may also be obtained using
@@ -926,7 +930,8 @@ The default is:
curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
-diffie-hellman-group14-sha1
+diffie-hellman-group14-sha1,
+diffie-hellman-group1-sha1
.Ed
.Pp
The list of available key exchange algorithms may also be obtained using
@@ -1040,7 +1045,8 @@ umac-64-etm@openssh.com,umac-128-etm@ope
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
hmac-sha1-etm@openssh.com,
umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
+hmac-sha2-256,hmac-sha2-512,hmac-sha1,
+hmac-sha1-etm@openssh.com
.Ed
.Pp
The list of available MAC algorithms may also be obtained using
@@ -1344,8 +1350,9 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
+ssh-dss-cert-v01@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa
+ssh-ed25519,ssh-rsa,ssh-dss
.Ed
.Pp
The list of available key types may also be obtained using

View file

@ -0,0 +1,36 @@
diff -up openssh-7.4p1/contrib/ssh-copy-id.1.legacy-ssh-copy-id openssh-7.4p1/contrib/ssh-copy-id.1
--- openssh-7.4p1/contrib/ssh-copy-id.1.legacy-ssh-copy-id 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/contrib/ssh-copy-id.1 2017-02-09 09:23:25.366651136 +0100
@@ -185,6 +185,19 @@ should prove enlightening (N.B. the mode
.Fl W
option, rather than
.Xr nc 1 ) .
+.Sh ENVIRONMENT
+.Bl -tag -width Ds
+.Pp
+.It Pa SSH_COPY_ID_LEGACY
+If the
+.Cm SSH_COPY_ID_LEGACY
+environment variable is set, the
+.Nm
+is run in a legacy mode. In this mode, the
+.Nm
+doesn't check an existence of a private key and doesn't do remote checks
+of the remote server versions or if public keys are already installed.
+.El
.Sh "SEE ALSO"
.Xr ssh 1 ,
.Xr ssh-agent 1 ,
diff -up openssh-7.4p1/contrib/ssh-copy-id.legacy-ssh-copy-id openssh-7.4p1/contrib/ssh-copy-id
--- openssh-7.4p1/contrib/ssh-copy-id.legacy-ssh-copy-id 2017-02-09 09:23:25.366651136 +0100
+++ openssh-7.4p1/contrib/ssh-copy-id 2017-02-09 09:33:07.896518169 +0100
@@ -99,6 +99,9 @@ if [ -n "$SSH_AUTH_SOCK" ] && ssh-add -L
GET_ID="ssh-add -L"
fi
+# legacy environment variable implies forced copy
+[ "x$SSH_COPY_ID_LEGACY" != "x" ] && FORCED=1
+
while test "$#" -gt 0
do
[ "${SEEN_OPT_I}" ] && expr "$1" : "[-]i" >/dev/null && {

View file

@ -0,0 +1,285 @@
diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
--- openssh-7.4p1/log.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/log.c 2017-02-09 09:51:07.571909000 +0100
@@ -250,6 +250,11 @@ debug3(const char *fmt,...)
void
log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
{
+ log_init_handler(av0, level, facility, on_stderr, 1);
+}
+
+void
+log_init_handler(char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) {
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
struct syslog_data sdata = SYSLOG_DATA_INIT;
#endif
@@ -273,8 +278,10 @@ log_init(char *av0, LogLevel level, Sysl
exit(1);
}
- log_handler = NULL;
- log_handler_ctx = NULL;
+ if (reset_handler) {
+ log_handler = NULL;
+ log_handler_ctx = NULL;
+ }
log_on_stderr = on_stderr;
if (on_stderr)
diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h
--- openssh-7.4p1/log.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/log.h 2017-02-09 09:51:07.571909000 +0100
@@ -49,6 +49,7 @@ typedef enum {
typedef void (log_handler_fn)(LogLevel, const char *, void *);
void log_init(char *, LogLevel, SyslogFacility, int);
+void log_init_handler(char *, LogLevel, SyslogFacility, int, int);
void log_change_level(LogLevel);
int log_is_on_stderr(void);
void log_redirect_stderr_to(const char *);
diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
--- openssh-7.4p1/monitor.c.log-in-chroot 2017-02-09 09:51:07.554909017 +0100
+++ openssh-7.4p1/monitor.c 2017-02-09 10:05:21.067174230 +0100
@@ -307,6 +307,8 @@ monitor_child_preauth(Authctxt *_authctx
close(pmonitor->m_log_sendfd);
pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
+ pmonitor->m_state = "preauth";
+
authctxt = _authctxt;
memset(authctxt, 0, sizeof(*authctxt));
@@ -405,6 +407,8 @@ monitor_child_postauth(struct monitor *p
close(pmonitor->m_recvfd);
pmonitor->m_recvfd = -1;
+ pmonitor->m_state = "postauth";
+
monitor_set_child_handler(pmonitor->m_pid);
signal(SIGHUP, &monitor_child_handler);
signal(SIGTERM, &monitor_child_handler);
@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
if (log_level_name(level) == NULL)
fatal("%s: invalid log level %u (corrupted message?)",
__func__, level);
- do_log2(level, "%s [preauth]", msg);
+ do_log2(level, "%s [%s]", msg, pmonitor->m_state);
buffer_free(&logmsg);
free(msg);
@@ -1719,13 +1723,28 @@ monitor_init(void)
mon = xcalloc(1, sizeof(*mon));
monitor_openfds(mon, 1);
+ mon->m_state = "";
+
return mon;
}
void
-monitor_reinit(struct monitor *mon)
+monitor_reinit(struct monitor *mon, const char *chroot_dir)
{
- monitor_openfds(mon, 0);
+ struct stat dev_log_stat;
+ char *dev_log_path;
+ int do_logfds = 0;
+
+ if (chroot_dir != NULL) {
+ xasprintf(&dev_log_path, "%s/dev/log", chroot_dir);
+
+ if (stat(dev_log_path, &dev_log_stat) != 0) {
+ debug("%s: /dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", __func__, chroot_dir);
+ do_logfds = 1;
+ }
+ free(dev_log_path);
+ }
+ monitor_openfds(mon, do_logfds);
}
#ifdef GSSAPI
diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
--- openssh-7.4p1/monitor.h.log-in-chroot 2017-02-09 09:51:07.571909000 +0100
+++ openssh-7.4p1/monitor.h 2017-02-09 10:05:49.792146561 +0100
@@ -83,10 +83,11 @@ struct monitor {
int m_log_sendfd;
struct kex **m_pkex;
pid_t m_pid;
+ char *m_state;
};
struct monitor *monitor_init(void);
-void monitor_reinit(struct monitor *);
+void monitor_reinit(struct monitor *, const char *);
struct Authctxt;
void monitor_child_preauth(struct Authctxt *, struct monitor *);
diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
--- openssh-7.4p1/session.c.log-in-chroot 2017-02-09 09:51:07.570909002 +0100
+++ openssh-7.4p1/session.c 2017-02-09 10:08:16.241005497 +0100
@@ -160,6 +160,7 @@ login_cap_t *lc;
static int is_child = 0;
static int in_chroot = 0;
+static int have_dev_log = 1;
/* Name and directory of socket for authentication agent forwarding. */
static char *auth_sock_name = NULL;
@@ -365,8 +366,8 @@ do_exec_no_pty(Session *s, const char *c
is_child = 1;
/* Child. Reinitialize the log since the pid has changed. */
- log_init(__progname, options.log_level,
- options.log_facility, log_stderr);
+ log_init_handler(__progname, options.log_level,
+ options.log_facility, log_stderr, have_dev_log);
/*
* Create a new session and process group since the 4.4BSD
@@ -523,8 +524,8 @@ do_exec_pty(Session *s, const char *comm
close(ptymaster);
/* Child. Reinitialize the log because the pid has changed. */
- log_init(__progname, options.log_level,
- options.log_facility, log_stderr);
+ log_init_handler(__progname, options.log_level,
+ options.log_facility, log_stderr, have_dev_log);
/* Close the master side of the pseudo tty. */
close(ptyfd);
@@ -619,6 +620,7 @@ do_exec(Session *s, const char *command)
int ret;
const char *forced = NULL, *tty = NULL;
char session_type[1024];
+ struct stat dev_log_stat;
if (options.adm_forced_command) {
original_command = command;
@@ -676,6 +678,10 @@ do_exec(Session *s, const char *command)
tty += 5;
}
+ if (lstat("/dev/log", &dev_log_stat) != 0) {
+ have_dev_log = 0;
+ }
+
verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
session_type,
tty == NULL ? "" : " on ",
@@ -1490,14 +1496,6 @@ child_close_fds(void)
* descriptors left by system functions. They will be closed later.
*/
endpwent();
-
- /*
- * Close any extra open file descriptors so that we don't have them
- * hanging around in clients. Note that we want to do this after
- * initgroups, because at least on Solaris 2.3 it leaves file
- * descriptors open.
- */
- closefrom(STDERR_FILENO + 1);
}
/*
@@ -1633,8 +1631,6 @@ do_child(Session *s, const char *command
exit(1);
}
- closefrom(STDERR_FILENO + 1);
-
do_rc_files(s, shell);
/* restore SIGPIPE for child */
@@ -1658,9 +1654,17 @@ do_child(Session *s, const char *command
argv[i] = NULL;
optind = optreset = 1;
__progname = argv[0];
- exit(sftp_server_main(i, argv, s->pw));
+ exit(sftp_server_main(i, argv, s->pw, have_dev_log));
}
+ /*
+ * Close any extra open file descriptors so that we don't have them
+ * hanging around in clients. Note that we want to do this after
+ * initgroups, because at least on Solaris 2.3 it leaves file
+ * descriptors open.
+ */
+ closefrom(STDERR_FILENO + 1);
+
fflush(NULL);
/* Get the last component of the shell name. */
diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
--- openssh-7.4p1/sftp.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sftp.h 2017-02-09 09:51:07.572908999 +0100
@@ -97,5 +97,5 @@
struct passwd;
-int sftp_server_main(int, char **, struct passwd *);
+int sftp_server_main(int, char **, struct passwd *, int);
void sftp_server_cleanup_exit(int) __attribute__((noreturn));
diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
--- openssh-7.4p1/sftp-server.c.log-in-chroot 2017-02-09 09:51:07.572908999 +0100
+++ openssh-7.4p1/sftp-server.c 2017-02-09 10:09:39.662925141 +0100
@@ -1497,7 +1497,7 @@ sftp_server_usage(void)
}
int
-sftp_server_main(int argc, char **argv, struct passwd *user_pw)
+sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handler)
{
fd_set *rset, *wset;
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
@@ -1511,7 +1511,7 @@ sftp_server_main(int argc, char **argv,
ssh_malloc_init(); /* must be called before any mallocs */
__progname = ssh_get_progname(argv[0]);
- log_init(__progname, log_level, log_facility, log_stderr);
+ log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
pw = pwcopy(user_pw);
@@ -1582,7 +1582,7 @@ sftp_server_main(int argc, char **argv,
}
}
- log_init(__progname, log_level, log_facility, log_stderr);
+ log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
/*
* On platforms where we can, avoid making /proc/self/{mem,maps}
diff -up openssh-7.4p1/sftp-server-main.c.log-in-chroot openssh-7.4p1/sftp-server-main.c
--- openssh-7.4p1/sftp-server-main.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sftp-server-main.c 2017-02-09 09:51:07.572908999 +0100
@@ -49,5 +49,5 @@ main(int argc, char **argv)
return 1;
}
- return (sftp_server_main(argc, argv, user_pw));
+ return (sftp_server_main(argc, argv, user_pw, 0));
}
diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
--- openssh-7.4p1/sshd.c.log-in-chroot 2017-02-09 09:51:07.557909015 +0100
+++ openssh-7.4p1/sshd.c 2017-02-09 09:51:07.573908998 +0100
@@ -642,7 +642,7 @@ privsep_postauth(Authctxt *authctxt)
}
/* New socket pair */
- monitor_reinit(pmonitor);
+ monitor_reinit(pmonitor, options.chroot_directory);
pmonitor->m_pid = fork();
if (pmonitor->m_pid == -1)
@@ -660,6 +660,11 @@ privsep_postauth(Authctxt *authctxt)
close(pmonitor->m_sendfd);
pmonitor->m_sendfd = -1;
+ close(pmonitor->m_log_recvfd);
+ pmonitor->m_log_recvfd = -1;
+
+ if (pmonitor->m_log_sendfd != -1)
+ set_log_handler(mm_log_handler, pmonitor);
/* Demote the private keys to public keys. */
demote_sensitive_data();

View file

@ -0,0 +1,22 @@
diff -up openssh-7.4p1/sshd.c.newline-banner openssh-7.4p1/sshd.c
--- openssh-7.4p1/sshd.c.newline-banner 2017-02-17 14:00:47.237168594 +0100
+++ openssh-7.4p1/sshd.c 2017-02-17 14:02:10.933096707 +0100
@@ -369,15 +369,15 @@ sshd_exchange_identification(struct ssh
{
u_int i;
int remote_major, remote_minor;
- char *s, *newline = "\n";
+ char *s;
char buf[256]; /* Must not be larger than remote_version. */
char remote_version[256]; /* Must be at least as big as buf. */
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
(options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
*options.version_addendum == '\0' ? "" : " ",
- options.version_addendum, newline);
+ options.version_addendum);
/* Send our protocol version identification. */
if (atomicio(vwrite, sock_out, server_version_string,

View file

@ -0,0 +1,36 @@
diff -up openssh-7.4p1/servconf.c.permit-root openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.permit-root 2017-02-10 10:27:18.109487568 +0100
+++ openssh-7.4p1/servconf.c 2017-02-10 10:28:12.385776132 +0100
@@ -231,7 +231,7 @@ fill_default_server_options(ServerOption
if (options->login_grace_time == -1)
options->login_grace_time = 120;
if (options->permit_root_login == PERMIT_NOT_SET)
- options->permit_root_login = PERMIT_NO_PASSWD;
+ options->permit_root_login = PERMIT_YES;
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
diff -up openssh-7.4p1/sshd_config.5.permit-root openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.permit-root 2017-02-10 10:28:24.174605582 +0100
+++ openssh-7.4p1/sshd_config.5 2017-02-10 10:28:42.254344023 +0100
@@ -1227,7 +1227,7 @@ The argument must be
or
.Cm no .
The default is
-.Cm prohibit-password .
+.Cm yes .
.Pp
If this option is set to
.Cm prohibit-password
diff -up openssh-7.4p1/sshd_config.permit-root openssh-7.4p1/sshd_config
--- openssh-7.4p1/sshd_config.permit-root 2017-02-10 10:26:52.256797645 +0100
+++ openssh-7.4p1/sshd_config 2017-02-10 10:26:52.276797405 +0100
@@ -35,7 +35,7 @@ SyslogFacility AUTHPRIV
# Authentication:
#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
+#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

View file

@ -0,0 +1,24 @@
diff -up openssh-7.4p1/ssh-agent.1.pkcs11-whitelist openssh-7.4p1/ssh-agent.1
--- openssh-7.4p1/ssh-agent.1.pkcs11-whitelist 2017-01-03 10:41:01.916331710 +0100
+++ openssh-7.4p1/ssh-agent.1 2017-01-03 10:40:06.549366029 +0100
@@ -129,7 +129,7 @@ that may be added using the
option to
.Xr ssh-add 1 .
The default is to allow loading PKCS#11 libraries from
-.Dq /usr/lib/*,/usr/local/lib/* .
+.Dq /usr/lib*/*,/usr/local/lib*/* .
PKCS#11 libraries that do not match the whitelist will be refused.
See PATTERNS in
.Xr ssh_config 5
diff -up openssh-7.4p1/ssh-agent.c.pkcs11-whitelist openssh-7.4p1/ssh-agent.c
--- openssh-7.4p1/ssh-agent.c.pkcs11-whitelist 2017-01-03 10:41:09.324327118 +0100
+++ openssh-7.4p1/ssh-agent.c 2017-01-03 10:40:21.212356939 +0100
@@ -89,7 +89,7 @@
#endif
#ifndef DEFAULT_PKCS11_WHITELIST
-# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
+# define DEFAULT_PKCS11_WHITELIST "/usr/lib*/*,/usr/local/lib*/*"
#endif
typedef enum {

View file

@ -0,0 +1,18 @@
diff --git a/serverloop.c b/serverloop.c
index b5eb3440..1535eeb2 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -225,9 +225,10 @@ wait_until_can_do_something(int connection_in, int connection_out,
uint64_t keepalive_ms =
(uint64_t)options.client_alive_interval * 1000;
- client_alive_scheduled = 1;
- if (max_time_ms == 0 || max_time_ms > keepalive_ms)
+ if (max_time_ms == 0 || max_time_ms > keepalive_ms) {
max_time_ms = keepalive_ms;
+ client_alive_scheduled = 1;
+ }
}
#if 0

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,19 @@
diff --git a/sshd.c b/sshd.c
--- a/sshd.c
+++ b/sshd.c
@@ -1551,6 +1551,15 @@ main(int ac, char **av)
continue;
key = key_load_private(options.host_key_files[i], "", NULL);
pubkey = key_load_public(options.host_key_files[i], NULL);
+
+ if ((pubkey != NULL && pubkey->type == KEY_RSA1) ||
+ (key != NULL && key->type == KEY_RSA1)) {
+ verbose("Ignoring RSA1 key %s",
+ options.host_key_files[i]);
+ key_free(key);
+ key_free(pubkey);
+ continue;
+ }
if (pubkey == NULL && key != NULL)
pubkey = key_demote(key);
sensitive_data.host_keys[i] = key;

View file

@ -0,0 +1,211 @@
From 5f1596e11d55539678c41f68aed358628d33d86f Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Tue, 14 Mar 2017 13:15:18 +1100
Subject: [PATCH] support ioctls for ICA crypto card on Linux/s390
Based on patch from Eduardo Barretto; ok dtucker@
---
sandbox-seccomp-filter.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index af5525a..6ceee33 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -223,6 +223,12 @@ static const struct sock_filter preauth_insns[] = {
SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
SC_DENY(socketcall, EACCES),
#endif
+#if defined(__NR_ioctl) && defined(__s390__)
+ /* Allow ioctls for ICA crypto card on s390 */
+ SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
+ SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
+ SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
+#endif /* defined(__NR_ioctl) && defined(__s390__) */
/* Default deny */
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
From 9e96b41682aed793fadbea5ccd472f862179fb02 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Tue, 14 Mar 2017 12:24:47 +1100
Subject: [PATCH] Fix weakness in seccomp-bpf sandbox arg inspection
Syscall arguments are passed via an array of 64-bit values in struct
seccomp_data, but we were only inspecting the bottom 32 bits and not
even those correctly for BE systems.
Fortunately, the only case argument inspection was used was in the
socketcall filtering so using this for sandbox escape seems
impossible.
ok dtucker
---
sandbox-seccomp-filter.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 2e1ed2c..af5525a 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -73,6 +73,16 @@
# define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP
#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+# define ARG_LO_OFFSET 0
+# define ARG_HI_OFFSET sizeof(uint32_t)
+#elif __BYTE_ORDER == __BIG_ENDIAN
+# define ARG_LO_OFFSET sizeof(uint32_t)
+# define ARG_HI_OFFSET 0
+#else
+#error "Unknown endianness"
+#endif
+
/* Simple helpers to avoid manual errors (but larger BPF programs). */
#define SC_DENY(_nr, _errno) \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
@@ -81,11 +91,17 @@
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \
- /* load first syscall argument */ \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 6), \
+ /* load and test first syscall argument, low word */ \
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+ offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_LO_OFFSET), \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \
+ ((_arg_val) & 0xFFFFFFFF), 0, 3), \
+ /* load and test first syscall argument, high word */ \
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
- offsetof(struct seccomp_data, args[(_arg_nr)])), \
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
+ offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_HI_OFFSET), \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \
+ (((uint32_t)((uint64_t)(_arg_val) >> 32)) & 0xFFFFFFFF), 0, 1), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
/* reload syscall number; all rules expect it in accumulator */ \
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
From 58b8cfa2a062b72139d7229ae8de567f55776f24 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Wed, 22 Mar 2017 12:43:02 +1100
Subject: [PATCH] Missing header on Linux/s390
Patch from Jakub Jelen
---
sandbox-seccomp-filter.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index a8d472a..2831e9d 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -50,6 +50,9 @@
#include <elf.h>
#include <asm/unistd.h>
+#ifdef __s390__
+#include <asm/zcrypt.h>
+#endif
#include <errno.h>
#include <signal.h>
getuid and geteuid are needed when using an openssl engine that calls a
crypto card, e.g. ICA (libica).
Those syscalls are also needed by the distros for audit code.
Signed-off-by: Eduardo Barretto <ebarretto at linux.vnet.ibm.com>
---
sandbox-seccomp-filter.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 6e7de31..e86aa2c 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_getpid
SC_ALLOW(getpid),
#endif
+#ifdef __NR_getuid
+ SC_ALLOW(getuid),
+#endif
+#ifdef __NR_getuid32
+ SC_ALLOW(getuid32),
+#endif
+#ifdef __NR_geteuid
+ SC_ALLOW(geteuid),
+#endif
+#ifdef __NR_geteuid32
+ SC_ALLOW(geteuid32),
+#endif
#ifdef __NR_getrandom
SC_ALLOW(getrandom),
#endif
--
1.9.1
The EP11 crypto card needs to make an ioctl call, which receives an
specific argument. This crypto card is for s390 only.
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
---
sandbox-seccomp-filter.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index e86aa2c..98062f1 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = {
SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
+ /* Allow ioctls for EP11 crypto card on s390 */
+ SC_ALLOW_ARG(ioctl, 1, ZSENDEP11CPRB),
#endif /* defined(__NR_ioctl) && defined(__s390__) */
/* Default deny */
--
1.9.1
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
implementation) which calls the libraries that will communicate with the
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
this is only need on s390 architecture.
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
---
sandbox-seccomp-filter.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index ca75cc7..6e7de31 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_exit_group
SC_ALLOW(exit_group),
#endif
+#if defined(__NR_flock) && defined(__s390__)
+ SC_ALLOW(flock),
+#endif
#ifdef __NR_getpgid
SC_ALLOW(getpgid),
#endif
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_gettimeofday
SC_ALLOW(gettimeofday),
#endif
+#if defined(__NR_ipc) && defined(__s390__)
+ SC_ALLOW(ipc),
+#endif
#ifdef __NR_madvise
SC_ALLOW(madvise),
#endif
--
1.9.1

View file

@ -0,0 +1,11 @@
diff -up openssh-7.4p1/sandbox-seccomp-filter.c.sandbox openssh-7.4p1/sandbox-seccomp-filter.c
--- openssh-7.4p1/sandbox-seccomp-filter.c.sandbox 2017-04-21 13:30:49.692650798 +0200
+++ openssh-7.4p1/sandbox-seccomp-filter.c 2017-04-21 13:30:52.259647579 +0200
@@ -215,6 +215,7 @@ static const struct sock_filter preauth_
#endif
#ifdef __NR_socketcall
SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
+ SC_DENY(socketcall, EACCES),
#endif
/* Default deny */

View file

@ -0,0 +1,28 @@
diff -up openssh-7.4p1/kex.c.sha2 openssh-7.4p1/kex.c
--- openssh-7.4p1/kex.c.sha2 2017-02-17 18:15:53.589835864 +0100
+++ openssh-7.4p1/kex.c 2017-02-17 18:17:20.404781663 +0100
@@ -379,21 +379,14 @@ static int
kex_send_ext_info(struct ssh *ssh)
{
int r;
- char *algs;
- if ((algs = sshkey_alg_list(0, 1, ',')) == NULL)
- return SSH_ERR_ALLOC_FAIL;
if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
(r = sshpkt_put_u32(ssh, 1)) != 0 ||
(r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
- (r = sshpkt_put_cstring(ssh, algs)) != 0 ||
+ (r = sshpkt_put_cstring(ssh, "rsa-sha2-256,rsa-sha2-512")) != 0 ||
(r = sshpkt_send(ssh)) != 0)
- goto out;
- /* success */
- r = 0;
- out:
- free(algs);
- return r;
+ return r;
+ return 0;
}
int

View file

@ -0,0 +1,315 @@
diff -up openssh-7.4p1/clientloop.c.fingerprint openssh-7.4p1/clientloop.c
--- openssh-7.4p1/clientloop.c.fingerprint 2016-12-23 15:38:50.520432387 +0100
+++ openssh-7.4p1/clientloop.c 2016-12-23 15:38:50.564432394 +0100
@@ -2279,7 +2279,7 @@ update_known_hosts(struct hostkeys_updat
if (ctx->keys_seen[i] != 2)
continue;
if ((fp = sshkey_fingerprint(ctx->keys[i],
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL)
fatal("%s: sshkey_fingerprint failed", __func__);
do_log2(loglevel, "Learned new hostkey: %s %s",
sshkey_type(ctx->keys[i]), fp);
@@ -2287,7 +2287,7 @@ update_known_hosts(struct hostkeys_updat
}
for (i = 0; i < ctx->nold; i++) {
if ((fp = sshkey_fingerprint(ctx->old_keys[i],
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL)
fatal("%s: sshkey_fingerprint failed", __func__);
do_log2(loglevel, "Deprecating obsolete hostkey: %s %s",
sshkey_type(ctx->old_keys[i]), fp);
@@ -2330,7 +2330,7 @@ update_known_hosts(struct hostkeys_updat
(r = hostfile_replace_entries(options.user_hostfiles[0],
ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys,
options.hash_known_hosts, 0,
- options.fingerprint_hash)) != 0)
+ options.fingerprint_hash[0])) != 0)
error("%s: hostfile_replace_entries failed: %s",
__func__, ssh_err(r));
}
@@ -2443,7 +2443,7 @@ client_input_hostkeys(void)
error("%s: parse key: %s", __func__, ssh_err(r));
goto out;
}
- fp = sshkey_fingerprint(key, options.fingerprint_hash,
+ fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
SSH_FP_DEFAULT);
debug3("%s: received %s key %s", __func__,
sshkey_type(key), fp);
diff -up openssh-7.4p1/readconf.c.fingerprint openssh-7.4p1/readconf.c
--- openssh-7.4p1/readconf.c.fingerprint 2016-12-23 15:38:50.559432393 +0100
+++ openssh-7.4p1/readconf.c 2016-12-23 15:38:50.565432394 +0100
@@ -1668,16 +1668,18 @@ parse_keytypes:
goto parse_string;
case oFingerprintHash:
- intptr = &options->fingerprint_hash;
- arg = strdelim(&s);
- if (!arg || *arg == '\0')
- fatal("%.200s line %d: Missing argument.",
- filename, linenum);
- if ((value = ssh_digest_alg_by_name(arg)) == -1)
- fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
- filename, linenum, arg);
- if (*activep && *intptr == -1)
- *intptr = value;
+ if (*activep && options->num_fingerprint_hash == 0)
+ while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
+ value = ssh_digest_alg_by_name(arg);
+ if (value == -1)
+ fatal("%s line %d: unknown fingerprints algorithm specs: %s.",
+ filename, linenum, arg);
+ if (options->num_fingerprint_hash >= SSH_DIGEST_MAX)
+ fatal("%s line %d: too many fingerprints algorithm specs.",
+ filename, linenum);
+ options->fingerprint_hash[
+ options->num_fingerprint_hash++] = value;
+ }
break;
case oUpdateHostkeys:
@@ -1905,7 +1907,7 @@ initialize_options(Options * options)
options->canonicalize_fallback_local = -1;
options->canonicalize_hostname = -1;
options->revoked_host_keys = NULL;
- options->fingerprint_hash = -1;
+ options->num_fingerprint_hash = 0;
options->update_hostkeys = -1;
options->hostbased_key_types = NULL;
options->pubkey_key_types = NULL;
@@ -2102,8 +2104,10 @@ fill_default_options(Options * options)
options->canonicalize_fallback_local = 1;
if (options->canonicalize_hostname == -1)
options->canonicalize_hostname = SSH_CANONICALISE_NO;
- if (options->fingerprint_hash == -1)
- options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+ if (options->num_fingerprint_hash == 0) {
+ options->fingerprint_hash[options->num_fingerprint_hash++] = SSH_DIGEST_SHA256;
+ options->fingerprint_hash[options->num_fingerprint_hash++] = (FIPS_mode() ? SSH_DIGEST_SHA1 : SSH_DIGEST_MD5);
+ }
if (options->update_hostkeys == -1)
options->update_hostkeys = 0;
if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
@@ -2489,6 +2493,17 @@ dump_cfg_strarray(OpCodes code, u_int co
}
static void
+dump_cfg_fmtarray(OpCodes code, u_int count, int *vals)
+{
+ u_int i;
+
+ printf("%s", lookup_opcode_name(code));
+ for (i = 0; i < count; i++)
+ printf(" %s", fmt_intarg(code, vals[i]));
+ printf("\n");
+}
+
+static void
dump_cfg_strarray_oneline(OpCodes code, u_int count, char **vals)
{
u_int i;
@@ -2564,7 +2579,6 @@ dump_client_config(Options *o, const cha
dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign);
dump_cfg_fmtint(oClearAllForwardings, o->clear_forwardings);
dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
- dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(oForwardAgent, o->forward_agent);
dump_cfg_fmtint(oForwardX11, o->forward_x11);
dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted);
@@ -2634,6 +2648,7 @@ dump_client_config(Options *o, const cha
dump_cfg_strarray_oneline(oGlobalKnownHostsFile, o->num_system_hostfiles, o->system_hostfiles);
dump_cfg_strarray_oneline(oUserKnownHostsFile, o->num_user_hostfiles, o->user_hostfiles);
dump_cfg_strarray(oSendEnv, o->num_send_env, o->send_env);
+ dump_cfg_fmtarray(oFingerprintHash, o->num_fingerprint_hash, o->fingerprint_hash);
/* Special cases */
diff -up openssh-7.4p1/readconf.h.fingerprint openssh-7.4p1/readconf.h
--- openssh-7.4p1/readconf.h.fingerprint 2016-12-23 15:38:50.559432393 +0100
+++ openssh-7.4p1/readconf.h 2016-12-23 15:38:50.565432394 +0100
@@ -21,6 +21,7 @@
#define MAX_SEND_ENV 256
#define SSH_MAX_HOSTS_FILES 32
#define MAX_CANON_DOMAINS 32
+#define MAX_SSH_DIGESTS 8
#define PATH_MAX_SUN (sizeof((struct sockaddr_un *)0)->sun_path)
struct allowed_cname {
@@ -162,7 +163,8 @@ typedef struct {
char *revoked_host_keys;
- int fingerprint_hash;
+ int num_fingerprint_hash;
+ int fingerprint_hash[MAX_SSH_DIGESTS];
int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
diff -up openssh-7.4p1/ssh_config.5.fingerprint openssh-7.4p1/ssh_config.5
--- openssh-7.4p1/ssh_config.5.fingerprint 2016-12-23 15:38:50.565432394 +0100
+++ openssh-7.4p1/ssh_config.5 2016-12-23 15:40:03.754444166 +0100
@@ -652,12 +652,13 @@ or
.Cm no
(the default).
.It Cm FingerprintHash
-Specifies the hash algorithm used when displaying key fingerprints.
+Specifies the hash algorithms used when displaying key fingerprints.
Valid options are:
.Cm md5
and
-.Cm sha256
-(the default).
+.Cm sha256 .
+The default is
+.Cm "sha256 md5".
.It Cm ForwardAgent
Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote machine.
diff -up openssh-7.4p1/sshconnect2.c.fingerprint openssh-7.4p1/sshconnect2.c
--- openssh-7.4p1/sshconnect2.c.fingerprint 2016-12-23 15:38:50.561432394 +0100
+++ openssh-7.4p1/sshconnect2.c 2016-12-23 15:38:50.566432394 +0100
@@ -677,7 +677,7 @@ input_userauth_pk_ok(int type, u_int32_t
key->type, pktype);
goto done;
}
- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
SSH_FP_DEFAULT)) == NULL)
goto done;
debug2("input_userauth_pk_ok: fp %s", fp);
@@ -1172,7 +1172,7 @@ sign_and_send_pubkey(Authctxt *authctxt,
int matched, ret = -1, have_sig = 1;
char *fp;
- if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
+ if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash[0],
SSH_FP_DEFAULT)) == NULL)
return 0;
debug3("%s: %s %s", __func__, key_type(id->key), fp);
@@ -1864,7 +1864,7 @@ userauth_hostbased(Authctxt *authctxt)
goto out;
}
- if ((fp = sshkey_fingerprint(private, options.fingerprint_hash,
+ if ((fp = sshkey_fingerprint(private, options.fingerprint_hash[0],
SSH_FP_DEFAULT)) == NULL) {
error("%s: sshkey_fingerprint failed", __func__);
goto out;
diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c
--- openssh-7.4p1/sshconnect.c.fingerprint 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sshconnect.c 2016-12-23 15:38:50.566432394 +0100
@@ -922,9 +922,9 @@ check_host_key(char *hostname, struct so
"of known hosts.", type, ip);
} else if (options.visual_host_key) {
fp = sshkey_fingerprint(host_key,
- options.fingerprint_hash, SSH_FP_DEFAULT);
+ options.fingerprint_hash[0], SSH_FP_DEFAULT);
ra = sshkey_fingerprint(host_key,
- options.fingerprint_hash, SSH_FP_RANDOMART);
+ options.fingerprint_hash[0], SSH_FP_RANDOMART);
if (fp == NULL || ra == NULL)
fatal("%s: sshkey_fingerprint fail", __func__);
logit("Host key fingerprint is %s\n%s", fp, ra);
@@ -966,12 +966,6 @@ check_host_key(char *hostname, struct so
else
snprintf(msg1, sizeof(msg1), ".");
/* The default */
- fp = sshkey_fingerprint(host_key,
- options.fingerprint_hash, SSH_FP_DEFAULT);
- ra = sshkey_fingerprint(host_key,
- options.fingerprint_hash, SSH_FP_RANDOMART);
- if (fp == NULL || ra == NULL)
- fatal("%s: sshkey_fingerprint fail", __func__);
msg2[0] = '\0';
if (options.verify_host_key_dns) {
if (matching_host_key_dns)
@@ -985,16 +979,28 @@ check_host_key(char *hostname, struct so
}
snprintf(msg, sizeof(msg),
"The authenticity of host '%.200s (%s)' can't be "
- "established%s\n"
- "%s key fingerprint is %s.%s%s\n%s"
+ "established%s\n", host, ip, msg1);
+ for (i = 0; i < (u_int) options.num_fingerprint_hash; i++) {
+ fp = sshkey_fingerprint(host_key,
+ options.fingerprint_hash[i], SSH_FP_DEFAULT);
+ ra = sshkey_fingerprint(host_key,
+ options.fingerprint_hash[i], SSH_FP_RANDOMART);
+ if (fp == NULL || ra == NULL)
+ fatal("%s: sshkey_fingerprint fail", __func__);
+ len = strlen(msg);
+ snprintf(msg+len, sizeof(msg)-len,
+ "%s key fingerprint is %s.%s%s\n%s",
+ type, fp,
+ options.visual_host_key ? "\n" : "",
+ options.visual_host_key ? ra : "",
+ msg2);
+ free(ra);
+ free(fp);
+ }
+ len = strlen(msg);
+ snprintf(msg+len, sizeof(msg)-len,
"Are you sure you want to continue connecting "
- "(yes/no)? ",
- host, ip, msg1, type, fp,
- options.visual_host_key ? "\n" : "",
- options.visual_host_key ? ra : "",
- msg2);
- free(ra);
- free(fp);
+ "(yes/no)? ");
if (!confirm(msg))
goto fail;
hostkey_trusted = 1; /* user explicitly confirmed */
@@ -1244,7 +1250,7 @@ verify_host_key(char *host, struct socka
struct sshkey *plain = NULL;
if ((fp = sshkey_fingerprint(host_key,
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
error("%s: fingerprint host key: %s", __func__, ssh_err(r));
r = -1;
goto out;
@@ -1252,7 +1258,7 @@ verify_host_key(char *host, struct socka
if (sshkey_is_cert(host_key)) {
if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
error("%s: fingerprint CA key: %s",
__func__, ssh_err(r));
r = -1;
@@ -1432,9 +1438,9 @@ show_other_keys(struct hostkeys *hostkey
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
continue;
fp = sshkey_fingerprint(found->key,
- options.fingerprint_hash, SSH_FP_DEFAULT);
+ options.fingerprint_hash[0], SSH_FP_DEFAULT);
ra = sshkey_fingerprint(found->key,
- options.fingerprint_hash, SSH_FP_RANDOMART);
+ options.fingerprint_hash[0], SSH_FP_RANDOMART);
if (fp == NULL || ra == NULL)
fatal("%s: sshkey_fingerprint fail", __func__);
logit("WARNING: %s key found for host %s\n"
@@ -1457,7 +1463,7 @@ warn_changed_key(Key *host_key)
{
char *fp;
- fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
+ fp = sshkey_fingerprint(host_key, options.fingerprint_hash[0],
SSH_FP_DEFAULT);
if (fp == NULL)
fatal("%s: sshkey_fingerprint fail", __func__);
diff -up openssh-7.4p1/ssh-keysign.c.fingerprint openssh-7.4p1/ssh-keysign.c
--- openssh-7.4p1/ssh-keysign.c.fingerprint 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/ssh-keysign.c 2016-12-23 15:38:50.566432394 +0100
@@ -285,7 +285,7 @@ main(int argc, char **argv)
}
}
if (!found) {
- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
SSH_FP_DEFAULT)) == NULL)
fatal("%s: sshkey_fingerprint failed", __progname);
fatal("no matching hostkey found for key %s %s",

View file

@ -0,0 +1,50 @@
From 26f96ca10ad0ec5da9b05b99de1e1ccea15a11be Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 15 Jun 2018 07:01:11 +0000
Subject: [PATCH] upstream: invalidate supplemental group cache used by
temporarily_use_uid() when the target uid differs; could cause failure to
read authorized_keys under some configurations. patch by Jakub Jelen via
bz2873; ok dtucker, markus
OpenBSD-Commit-ID: 48a345f0ee90f6c465a078eb5e89566b23abd8a1
---
uidswap.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/uidswap.c b/uidswap.c
index 8bf6b244e..1430b822a 100644
--- a/uidswap.c
+++ b/uidswap.c
@@ -49,6 +49,7 @@ static gid_t saved_egid = 0;
/* Saved effective uid. */
static int privileged = 0;
static int temporarily_use_uid_effective = 0;
+static uid_t user_groups_uid;
static gid_t *saved_egroups = NULL, *user_groups = NULL;
static int saved_egroupslen = -1, user_groupslen = -1;
@@ -92,10 +93,11 @@ temporarily_use_uid(struct passwd *pw)
fatal("getgroups: %.100s", strerror(errno));
} else { /* saved_egroupslen == 0 */
free(saved_egroups);
+ saved_egroups = NULL;
}
/* set and save the user's groups */
- if (user_groupslen == -1) {
+ if (user_groupslen == -1 || user_groups_uid != pw->pw_uid) {
if (initgroups(pw->pw_name, pw->pw_gid) < 0)
fatal("initgroups: %s: %.100s", pw->pw_name,
strerror(errno));
@@ -110,7 +112,9 @@ temporarily_use_uid(struct passwd *pw)
fatal("getgroups: %.100s", strerror(errno));
} else { /* user_groupslen == 0 */
free(user_groups);
+ user_groups = NULL;
}
+ user_groups_uid = pw->pw_uid;
}
/* Set the effective uid to the given (unprivileged) uid. */
if (setgroups(user_groupslen, user_groups) < 0)

View file

@ -0,0 +1,46 @@
Revert 3cd5103c1e1aaa59bd66f7f52f6ebbcd5deb12f9
diff --git a/servconf.c b/servconf.c
index 475076bf2..318546290 100644
--- a/servconf.c
+++ b/servconf.c
@@ -308,7 +308,7 @@ fill_default_server_options(ServerOptions *options)
if (options->max_sessions == -1)
options->max_sessions = DEFAULT_SESSIONS_MAX;
if (options->use_dns == -1)
- options->use_dns = 0;
+ options->use_dns = 1;
if (options->client_alive_interval == -1)
options->client_alive_interval = 0;
if (options->client_alive_count_max == -1)
diff --git a/sshd_config b/sshd_config
index e9045bc4d..c9042ac3c 100644
--- a/sshd_config
+++ b/sshd_config
@@ -112,7 +112,7 @@ UsePrivilegeSeparation sandbox # Default for new installations.
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
-#UseDNS no
+#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
diff --git a/sshd_config.5 b/sshd_config.5
index 4fd93d68e..cf57c609f 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1379,10 +1379,12 @@ should look up the remote host name and check that
should look up the remote host name, and to check that
the resolved host name for the remote IP address maps back to the
very same IP address.
+The default is
+.Dq yes .
.Pp
If this option is set to
.Cm no
-(the default) then only addresses and not host names may be used in
+then only addresses and not host names may be used in
.Pa ~/.ssh/authorized_keys
.Cm from
and

View file

@ -0,0 +1,31 @@
commit 2985d4062ebf4204bbd373456a810d558698f9f5
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date: Tue Jul 25 09:22:25 2017 +0000
upstream commit
Make WinSCP patterns for SSH_OLD_DHGEX more specific to
exclude WinSCP 5.10.x and up. bz#2748, from martin at winscp.net, ok djm@
Upstream-ID: 6fd7c32e99af3952db007aa180e73142ddbc741a
diff --git a/compat.c b/compat.c
index 156a5ea8..d82135e2 100644
--- a/compat.c
+++ b/compat.c
@@ -177,9 +177,12 @@ compat_datafellows(const char *version)
"TTSSH/2.72*", SSH_BUG_HOSTKEYS },
{ "WinSCP_release_4*,"
"WinSCP_release_5.0*,"
- "WinSCP_release_5.1*,"
- "WinSCP_release_5.5*,"
- "WinSCP_release_5.6*,"
+ "WinSCP_release_5.1,"
+ "WinSCP_release_5.1.*,"
+ "WinSCP_release_5.5,"
+ "WinSCP_release_5.5.*,"
+ "WinSCP_release_5.6,"
+ "WinSCP_release_5.6.*,"
"WinSCP_release_5.7,"
"WinSCP_release_5.7.1,"
"WinSCP_release_5.7.2,"

View file

@ -0,0 +1,35 @@
From 4d827f0d75a53d3952288ab882efbddea7ffadfe Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Tue, 4 Apr 2017 00:24:56 +0000
Subject: [PATCH] upstream commit
disallow creation (of empty files) in read-only mode;
reported by Michal Zalewski, feedback & ok deraadt@
Upstream-ID: 5d9c8f2fa8511d4ecf95322994ffe73e9283899b
---
sftp-server.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sftp-server.c b/sftp-server.c
index 3619cdfc0..df0fb5068 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
+/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
/*
* Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
*
@@ -691,8 +691,8 @@ process_open(u_int32_t id)
logit("open \"%s\" flags %s mode 0%o",
name, string_from_portable(pflags), mode);
if (readonly &&
- ((flags & O_ACCMODE) == O_WRONLY ||
- (flags & O_ACCMODE) == O_RDWR)) {
+ ((flags & O_ACCMODE) != O_RDONLY ||
+ (flags & (O_CREAT|O_TRUNC)) != 0)) {
verbose("Refusing open request in read-only mode");
status = SSH2_FX_PERMISSION_DENIED;
} else {

View file

@ -0,0 +1,25 @@
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index b8d1040d..0134d694 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -56,6 +56,7 @@
# include <paths.h>
#endif
#include <pwd.h>
+#include <grp.h>
#include <signal.h>
#include <stdio.h>
#include <stdarg.h>
@@ -2695,6 +2696,12 @@ subprocess(const char *tag, const char *command,
}
closefrom(STDERR_FILENO + 1);
+ if (geteuid() == 0 &&
+ initgroups(pw->pw_name, pw->pw_gid) == -1) {
+ error("%s: initgroups(%s, %u): %s", tag,
+ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
+ _exit(1);
+ }
/* Don't use permanently_set_uid() here to avoid fatal() */
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,

View file

@ -0,0 +1,17 @@
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index 6be647ec..ebddf6c3 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -1537,10 +1537,8 @@ pkcs11_register_provider(char *provider_id, char *pin,
error("dlopen %s failed: %s", provider_id, dlerror());
goto fail;
}
- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
- error("dlsym(C_GetFunctionList) failed: %s", dlerror());
- goto fail;
- }
+ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
+ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
p = xcalloc(1, sizeof(*p));
p->name = xstrdup(provider_id);
p->handle = handle;

View file

@ -1 +1 @@
a62b88b884df0b09b8a8c5789ac9e51b openssh-6.4p1.tar.gz
SHA512 (openssh-7.4p1.tar.gz) = 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292