Compare commits
20 commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
513f05f80f | ||
|
|
91484c75c8 | ||
|
|
ed68bed373 | ||
|
|
9bb59e17ee | ||
|
|
1d6d885889 | ||
|
|
5308f95f9c | ||
|
|
57d77f9250 | ||
|
|
16c223fac6 | ||
|
|
e59e91f6ab | ||
|
|
53e3b2afc3 | ||
|
|
2202381388 | ||
|
|
6348beb8a1 | ||
|
|
aa9e2ef9b3 | ||
|
|
92bc715130 | ||
|
|
95ab173057 | ||
|
|
72c0682d9d | ||
|
|
50cfa4c143 | ||
|
|
4ba46b6c82 | ||
|
|
509f103f2d | ||
|
|
da751ef47d |
94 changed files with 13373 additions and 7364 deletions
2
.gitignore
vendored
2
.gitignore
vendored
|
|
@ -1,2 +1,4 @@
|
|||
/*.tar.bz2
|
||||
/*.tar.gz
|
||||
/*.tar.gz.asc
|
||||
/DJM-GPG-KEY.gpg
|
||||
|
|
|
|||
336
gsi-openssh.spec
336
gsi-openssh.spec
|
|
@ -28,10 +28,10 @@
|
|||
# Do we want LDAP support
|
||||
%global ldap 1
|
||||
|
||||
%global openssh_ver 6.4p1
|
||||
%global openssh_rel 1
|
||||
%global openssh_ver 7.4p1
|
||||
%global openssh_rel 8
|
||||
|
||||
Summary: An implementation of the SSH protocol with GSI authentication
|
||||
Summary: An implementation of the SSH protocol with GSI authentication and HPN features
|
||||
Name: gsi-openssh
|
||||
Version: %{openssh_ver}
|
||||
Release: %{openssh_rel}%{?dist}
|
||||
|
|
@ -49,96 +49,168 @@ Source13: gsisshd-keygen
|
|||
Source99: README.sshd-and-gsisshd
|
||||
|
||||
#?
|
||||
Patch100: openssh-6.3p1-coverity.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1872
|
||||
Patch101: openssh-6.3p1-fingerprint.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1894
|
||||
#https://bugzilla.redhat.com/show_bug.cgi?id=735889
|
||||
Patch102: openssh-5.8p1-getaddrinfo.patch
|
||||
Patch100: openssh-7.4p1-coverity.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1889
|
||||
Patch103: openssh-5.8p1-packet.patch
|
||||
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
||||
Patch200: openssh-6.4p1-audit.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1171248
|
||||
# record pfs= field in CRYPTO_SESSION audit event
|
||||
Patch200: openssh-7.4p1-audit.patch
|
||||
# Do not write to one socket from more processes (#1310684)
|
||||
Patch202: openssh-6.6p1-audit-race-condition.patch
|
||||
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
|
||||
Patch400: openssh-6.3p1-role-mls.patch
|
||||
Patch400: openssh-7.4p1-role-mls.patch
|
||||
#https://bugzilla.redhat.com/show_bug.cgi?id=781634
|
||||
Patch404: openssh-6.3p1-privsep-selinux.patch
|
||||
Patch404: openssh-6.6p1-privsep-selinux.patch
|
||||
|
||||
#?-- unwanted child :(
|
||||
Patch501: openssh-6.3p1-ldap.patch
|
||||
Patch501: openssh-6.6p1-ldap.patch
|
||||
#?
|
||||
Patch502: openssh-6.3p1-keycat.patch
|
||||
Patch502: openssh-6.6p1-keycat.patch
|
||||
|
||||
#http6://bugzilla.mindrot.org/show_bug.cgi?id=1644
|
||||
Patch601: openssh-5.2p1-allow-ip-opts.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1701
|
||||
Patch602: openssh-5.9p1-randclean.patch
|
||||
#http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c.diff?r1=1.13&r2=1.13.12.1&f=h
|
||||
Patch603: openssh-5.8p1-glob.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1644
|
||||
Patch601: openssh-6.6p1-allow-ip-opts.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1893
|
||||
Patch604: openssh-5.8p1-keyperm.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1329 (WONTFIX)
|
||||
Patch605: openssh-5.8p2-remove-stale-control-socket.patch
|
||||
Patch604: openssh-6.6p1-keyperm.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1925
|
||||
Patch606: openssh-5.9p1-ipv6man.patch
|
||||
#?
|
||||
Patch607: openssh-5.8p2-sigpipe.patch
|
||||
#?
|
||||
Patch608: openssh-6.1p1-askpass-ld.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1789
|
||||
Patch609: openssh-5.5p1-x11.patch
|
||||
|
||||
#?
|
||||
Patch700: openssh-6.3p1-fips.patch
|
||||
Patch700: openssh-7.4p1-fips.patch
|
||||
#?
|
||||
Patch701: openssh-5.6p1-exit-deadlock.patch
|
||||
# drop? Patch701: openssh-5.6p1-exit-deadlock.patch
|
||||
#?
|
||||
Patch702: openssh-5.1p1-askpass-progress.patch
|
||||
#?
|
||||
Patch703: openssh-4.3p2-askpass-grab-info.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=205842
|
||||
# drop? Patch704: openssh-5.9p1-edns.patch
|
||||
#?
|
||||
Patch704: openssh-5.9p1-edns.patch
|
||||
#?
|
||||
Patch705: openssh-5.1p1-scp-manpage.patch
|
||||
#?
|
||||
Patch706: openssh-5.8p1-localdomain.patch
|
||||
Patch706: openssh-6.6.1p1-localdomain.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
|
||||
Patch707: openssh-6.3p1-redhat.patch
|
||||
Patch707: openssh-6.6p1-redhat.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
|
||||
Patch708: openssh-6.2p1-entropy.patch
|
||||
Patch708: openssh-6.6p1-entropy.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
|
||||
Patch709: openssh-6.2p1-vendor.patch
|
||||
# warn users for unsupported UsePAM=no (#757545)
|
||||
Patch711: openssh-6.1p1-log-usepam-no.patch
|
||||
Patch711: openssh-6.6p1-log-usepam-no.patch
|
||||
# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
|
||||
Patch712: openssh-6.3p1-ctr-evp-fast.patch
|
||||
# add cavs test binary for the aes-ctr
|
||||
Patch713: openssh-6.3p1-ctr-cavstest.patch
|
||||
Patch713: openssh-7.4p1-ctr-cavstest.patch
|
||||
# add SSH KDF CAVS test driver
|
||||
Patch714: openssh-7.4p1-kdf-cavs.patch
|
||||
|
||||
#http://www.sxw.org.uk/computing/patches/openssh.html
|
||||
#changed cache storage type - #848228
|
||||
Patch800: openssh-6.3p1-gsskex.patch
|
||||
Patch800: openssh-7.4p1-gsskex.patch
|
||||
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
|
||||
Patch801: openssh-6.3p1-force_krb.patch
|
||||
Patch801: openssh-6.6p1-force_krb.patch
|
||||
# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
|
||||
# CVE-2014-9278
|
||||
Patch802: openssh-6.6p1-GSSAPIEnablek5users.patch
|
||||
# Respect k5login_directory option in krk5.conf (#1328243)
|
||||
Patch803: openssh-6.6p1-k5login_directory.patch
|
||||
Patch900: openssh-6.1p1-gssapi-canohost.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
|
||||
Patch901: openssh-6.3p1-kuserok.patch
|
||||
Patch901: openssh-7.4p1-kuserok.patch
|
||||
# use default_ccache_name from /etc/krb5.conf (#991186)
|
||||
Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch
|
||||
# increase the size of the Diffie-Hellman groups (#1010607)
|
||||
Patch903: openssh-6.3p1-increase-size-of-DF-groups.patch
|
||||
# Change GSSAPIStrictAcceptor to yes as it ever was (#1488982)
|
||||
Patch903: openssh-7.4p1-gss-strict-acceptor.patch
|
||||
# Run ssh-copy-id in the legacy mode when SSH_COPY_ID_LEGACY variable is set (#969375
|
||||
Patch905: openssh-7.4p1-legacy-ssh-copy-id.patch
|
||||
# Use tty allocation for a remote scp (#985650)
|
||||
Patch906: openssh-6.4p1-fromto-remote.patch
|
||||
# log when a client requests an interactive session and only sftp is allowed (#1130198)
|
||||
Patch914: openssh-6.6.1p1-log-sftp-only-connections.patch
|
||||
# log via monitor in chroots without /dev/log (#1083482)
|
||||
Patch918: openssh-7.4p1-log-in-chroot.patch
|
||||
# MLS labeling according to chosen sensitivity (#1202843)
|
||||
Patch919: openssh-6.6.1p1-mls-fix-labeling.patch
|
||||
# sshd test mode show all config values (#1187597)
|
||||
Patch920: openssh-6.6p1-test-mode-all-values.patch
|
||||
# Add sftp option to force mode of created files (#1191055)
|
||||
Patch921: openssh-6.6p1-sftp-force-permission.patch
|
||||
# fix memory problem (#1223218)
|
||||
Patch924: openssh-6.6p1-memory-problems.patch
|
||||
# Enhance AllowGroups documentation in man page (#1150007)
|
||||
Patch925: openssh-6.6p1-allowGroups-documentation.patch
|
||||
# provide option GssKexAlgorithms to disable vulnerable groun1 kex
|
||||
Patch928: openssh-7.4p1-gssKexAlgorithms.patch
|
||||
# make s390 use /dev/ crypto devices -- ignore closefrom (#1318760)
|
||||
Patch935: openssh-6.6p1-s390-closefrom.patch
|
||||
# expose more information to PAM (#1312304)
|
||||
Patch938: openssh-7.4p1-expose-pam.patch
|
||||
# Move MAX_DISPLAYS to a configuration option (#1341302)
|
||||
Patch939: openssh-6.6p1-x11-max-displays.patch
|
||||
# Add systemd stuff so it can track running service (#1381997)
|
||||
Patch942: openssh-6.6p1-systemd.patch
|
||||
# Permit root login to preserve backward compatibility
|
||||
Patch943: openssh-7.4p1-permit-root-login.patch
|
||||
# Restore TCP wrappers support
|
||||
Patch944: openssh-7.4p1-debian-restore-tcp-wrappers.patch
|
||||
# Set sane whitelist for PKCS#11 modules in ssh-agent
|
||||
Patch945: openssh-7.4p1-pkcs11-whitelist.patch
|
||||
# Allow legacy algorithms and formats for key exchange after rebase
|
||||
Patch946: openssh-7.4p1-legacy-algorithms.patch
|
||||
# Show more fingerprints
|
||||
Patch947: openssh-7.4p1-show-more-fingerprints.patch
|
||||
# Fix newline in the end of server ident banner (upstream 5b9070)
|
||||
Patch948: openssh-7.4p1-newline-banner.patch
|
||||
# Do not utilize SHA1 by default for digital signatures (#1322911)
|
||||
Patch949: openssh-7.4p1-sha2-signatures.patch
|
||||
# Canonize pkcs11 provider path when removing smartcard (#2682)
|
||||
Patch950: openssh-7.4p1-canonize-pkcs11-provider.patch
|
||||
# Do not segfault sshd if it loads RSA1 keys (#2686)
|
||||
Patch951: openssh-7.4p1-rsa1-segfault.patch
|
||||
# OpenSSH 7.5 fixes CBC cipher weakness
|
||||
Patch952: openssh-7.4p1-cbc-weakness.patch
|
||||
# sandbox-seccomp filter is not denying socketcall() on ppc64le (#1443916)
|
||||
Patch953: openssh-7.4p1-sandbox-ppc64le.patch
|
||||
# ControlPath too long should not be fatal (#1447561)
|
||||
Patch954: openssh-7.4p1-ControlPath_too_long.patch
|
||||
# sandbox-seccomp for ibmca engine from upstream (#1451809)
|
||||
Patch955: openssh-7.4p1-sandbox-ibmca.patch
|
||||
# Back to UseDNS=yes by default (#1478175)
|
||||
Patch956: openssh-7.4p1-usedns-yes.patch
|
||||
# Clatch between ClientAlive timeouts and rekeying (#1480510)
|
||||
Patch957: openssh-7.4p1-rekeying-timeouts.patch
|
||||
# WinSCP 5.10+ compatibility (#1496808)
|
||||
Patch958: openssh-7.4p1-winscp-compat.patch
|
||||
# SSH AuthorizedKeysCommand hangs when output is too large (#1496467)
|
||||
Patch959: openssh-7.4p1-authorized_keys_command.patch
|
||||
# Fix for CVE-2017-15906 (#1517226)
|
||||
Patch960: openssh-7.5p1-sftp-empty-files.patch
|
||||
# Fix for CVE-2018-15473 (#1619079)
|
||||
Patch961: openssh-7.4p1-CVE-2018-15473.patch
|
||||
# invalidate supplemental group cache used by temporarily_use_uid() (#1619079)
|
||||
Patch962: openssh-7.4p1-uidswap.patch
|
||||
# CVE-2021-41617
|
||||
Patch978: openssh-8.7p1-upstream-cve-2021-41617.patch
|
||||
# upsream commit
|
||||
# b23fe83f06ee7e721033769cfa03ae840476d280
|
||||
Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
|
||||
|
||||
# This is the patch that adds GSI support
|
||||
# Based on http://grid.ncsa.illinois.edu/ssh/dl/patch/openssh-6.4p1.patch
|
||||
Patch98: openssh-6.4p1-gsissh.patch
|
||||
# Based on http://grid.ncsa.illinois.edu/ssh/dl/patch/openssh-6.6p1.patch
|
||||
Patch98: openssh-7.4p1-gsissh.patch
|
||||
|
||||
# This is the HPN patch
|
||||
# Based on https://sourceforge.net/projects/hpnssh/files/Patches/HPN-SSH%2014v13%207.4p1/openssh-7_4_P1-hpn-14.13.diff/download
|
||||
Patch99: openssh-7.4p1-hpn-14.13-modified.patch
|
||||
|
||||
License: BSD
|
||||
Group: Applications/Internet
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
Requires: /sbin/nologin
|
||||
Obsoletes: %{name}-clients-fips, %{name}-server-fips
|
||||
|
||||
%if %{ldap}
|
||||
BuildRequires: openldap-devel
|
||||
|
|
@ -150,6 +222,7 @@ BuildRequires: pam-devel
|
|||
BuildRequires: tcp_wrappers-devel
|
||||
BuildRequires: fipscheck-devel >= 1.3.0
|
||||
BuildRequires: openssl-devel >= 0.9.8j
|
||||
BuildRequires: systemd-devel
|
||||
|
||||
%if %{kerberos5}
|
||||
BuildRequires: krb5-devel
|
||||
|
|
@ -157,9 +230,8 @@ BuildRequires: krb5-devel
|
|||
|
||||
%if %{gsi}
|
||||
BuildRequires: globus-gss-assist-devel >= 8
|
||||
BuildRequires: globus-gssapi-gsi >= 10
|
||||
BuildRequires: globus-common >= 14
|
||||
BuildRequires: globus-usage-devel >= 3
|
||||
BuildRequires: globus-gssapi-gsi-devel >= 12.12
|
||||
BuildRequires: globus-common-devel >= 14
|
||||
%endif
|
||||
|
||||
%if %{libedit}
|
||||
|
|
@ -167,6 +239,7 @@ BuildRequires: libedit-devel ncurses-devel
|
|||
%endif
|
||||
|
||||
%if %{WITH_SELINUX}
|
||||
Conflicts: selinux-policy < 3.13.1-92
|
||||
Requires: libselinux >= 1.27.7
|
||||
BuildRequires: libselinux-devel >= 1.27.7
|
||||
Requires: audit-libs >= 1.0.8
|
||||
|
|
@ -230,13 +303,8 @@ This version of OpenSSH has been modified to support GSI authentication.
|
|||
%prep
|
||||
%setup -q -n openssh-%{version}
|
||||
|
||||
%patch100 -p1 -b .coverity
|
||||
%patch101 -p1 -b .fingerprint
|
||||
%patch102 -p1 -b .getaddrinfo
|
||||
%patch103 -p1 -b .packet
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
|
||||
%if %{WITH_SELINUX}
|
||||
%patch400 -p1 -b .role-mls
|
||||
%patch404 -p1 -b .privsep-selinux
|
||||
|
|
@ -248,21 +316,16 @@ This version of OpenSSH has been modified to support GSI authentication.
|
|||
%patch502 -p1 -b .keycat
|
||||
|
||||
%patch601 -p1 -b .ip-opts
|
||||
%patch602 -p1 -b .randclean
|
||||
%patch603 -p1 -b .glob
|
||||
%patch604 -p1 -b .keyperm
|
||||
%patch605 -p1 -b .remove_stale
|
||||
%patch606 -p1 -b .ipv6man
|
||||
%patch607 -p1 -b .sigpipe
|
||||
%patch608 -p1 -b .askpass-ld
|
||||
%patch609 -p1 -b .x11
|
||||
|
||||
%patch700 -p1 -b .fips
|
||||
%patch701 -p1 -b .exit-deadlock
|
||||
# drop? %patch701 -p1 -b .exit-deadlock
|
||||
%patch702 -p1 -b .progress
|
||||
%patch703 -p1 -b .grab-info
|
||||
%patch704 -p1 -b .edns
|
||||
%patch705 -p1 -b .manpage
|
||||
# investigate - https://bugzilla.redhat.com/show_bug.cgi?id=205842
|
||||
# probably not needed anymore %patch704 -p1 -b .edns
|
||||
%patch706 -p1 -b .localdomain
|
||||
%patch707 -p1 -b .redhat
|
||||
%patch708 -p1 -b .entropy
|
||||
|
|
@ -270,6 +333,7 @@ This version of OpenSSH has been modified to support GSI authentication.
|
|||
%patch711 -p1 -b .log-usepam-no
|
||||
%patch712 -p1 -b .evp-ctr
|
||||
%patch713 -p1 -b .ctr-cavs
|
||||
%patch714 -p1 -b .kdf-cavs
|
||||
|
||||
%patch800 -p1 -b .gsskex
|
||||
%patch801 -p1 -b .force_krb
|
||||
|
|
@ -277,9 +341,55 @@ This version of OpenSSH has been modified to support GSI authentication.
|
|||
%patch900 -p1 -b .canohost
|
||||
%patch901 -p1 -b .kuserok
|
||||
%patch902 -p1 -b .ccache_name
|
||||
%patch903 -p1 -b .dh
|
||||
%patch903 -p1 -b .gss-strict
|
||||
%patch905 -p1 -b .legacy-ssh-copy-id
|
||||
%patch906 -p1 -b .fromto-remote
|
||||
%patch914 -p1 -b .log-sftp-only
|
||||
%patch918 -p1 -b .log-in-chroot
|
||||
%patch919 -p1 -b .mls-labels
|
||||
%patch802 -p1 -b .GSSAPIEnablek5users
|
||||
%patch803 -p1 -b .k5login
|
||||
%patch920 -p1 -b .sshd-t
|
||||
%patch921 -p1 -b .sftp-force-mode
|
||||
%patch924 -p1 -b .memory-problems
|
||||
%patch925 -p1 -b .allowGroups
|
||||
%patch928 -p1 -b .gsskexalg
|
||||
%patch935 -p1 -b .s390
|
||||
%patch938 -p1 -b .expose-pam
|
||||
%patch939 -p1 -b .x11max
|
||||
%patch942 -p1 -b .patch
|
||||
%patch943 -p1 -b .permit-root
|
||||
%patch944 -p1 -b .tcp_wrappers
|
||||
%patch945 -p1 -b .pkcs11-whitelist
|
||||
%patch946 -p1 -b .legacy
|
||||
%patch947 -p1 -b .fingerprint
|
||||
%patch948 -p1 -b .newline-banner
|
||||
%patch949 -p1 -b .sha2
|
||||
%patch950 -p1 -b .smartcard
|
||||
%patch951 -p1 -b .rsa1
|
||||
%patch952 -p1 -b .cbc
|
||||
%patch953 -p1 -b .seccomp
|
||||
%patch954 -p1 -b .ControlPath
|
||||
%patch955 -p1 -b .ibmca
|
||||
%patch956 -p1 -b .usedns
|
||||
%patch957 -p1 -b .rekey-timeout
|
||||
%patch958 -p1 -b .winscp
|
||||
%patch959 -p1 -b .large-command
|
||||
%patch960 -p1 -b .sftp-empty
|
||||
%patch961 -p1 -b .CVE-2018-15473
|
||||
%patch962 -p1 -b .uidswap
|
||||
%patch978 -p1 -b .cve-2021-41617
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
%patch202 -p1 -b .audit-race
|
||||
%patch700 -p1 -b .fips
|
||||
|
||||
%patch100 -p1 -b .coverity
|
||||
|
||||
%patch1015 -p1 -b .cve-2023-38408
|
||||
|
||||
%patch98 -p1 -b .gsi
|
||||
%patch99 -p1 -b .hpn
|
||||
|
||||
sed 's/sshd.pid/gsisshd.pid/' -i pathnames.h
|
||||
sed 's!$(piddir)/sshd.pid!$(piddir)/gsisshd.pid!' -i Makefile.in
|
||||
|
|
@ -325,20 +435,21 @@ fi
|
|||
--with-tcp-wrappers \
|
||||
--with-default-path=/usr/local/bin:/usr/bin \
|
||||
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
|
||||
--with-privsep-path=%{_var}/empty/gsisshd \
|
||||
--enable-vendor-patchlevel="FC-%{version}-%{release}" \
|
||||
--with-privsep-path=%{_var}/empty/sshd \
|
||||
--enable-vendor-patchlevel="RHEL7-%{openssh_ver}-%{openssh_rel}" \
|
||||
--disable-strip \
|
||||
--without-zlib-version-check \
|
||||
--with-ssl-engine \
|
||||
--with-ipaddr-display \
|
||||
--with-systemd \
|
||||
--with-ssh1 \
|
||||
%if %{ldap}
|
||||
--with-ldap \
|
||||
%endif
|
||||
--with-pam \
|
||||
%if %{WITH_SELINUX}
|
||||
--with-selinux --with-audit=linux \
|
||||
%if 0
|
||||
#seccomp_filter cannot be build right now
|
||||
%ifnarch ppc
|
||||
--with-sandbox=seccomp_filter \
|
||||
%else
|
||||
--with-sandbox=rlimit \
|
||||
|
|
@ -364,10 +475,10 @@ make SSH_PROGRAM=%{_bindir}/gsissh \
|
|||
ASKPASS_PROGRAM=%{_libexecdir}/openssh/ssh-askpass
|
||||
|
||||
# Add generation of HMAC checksums of the final stripped binaries
|
||||
%define __spec_install_post \
|
||||
%{?__debug_package:%{__debug_install_post}} \
|
||||
%{__arch_install_post} \
|
||||
%{__os_install_post} \
|
||||
%global __spec_install_post \
|
||||
%%{?__debug_package:%%{__debug_install_post}} \
|
||||
%%{__arch_install_post} \
|
||||
%%{__os_install_post} \
|
||||
fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/gsissh $RPM_BUILD_ROOT%{_sbindir}/gsisshd \
|
||||
%{nil}
|
||||
|
||||
|
|
@ -375,7 +486,7 @@ make SSH_PROGRAM=%{_bindir}/gsissh \
|
|||
rm -rf $RPM_BUILD_ROOT
|
||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/gsissh
|
||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/gsissh
|
||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/gsisshd
|
||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
|
||||
make install DESTDIR=$RPM_BUILD_ROOT
|
||||
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/gsissh/ldap.conf
|
||||
|
||||
|
|
@ -395,6 +506,9 @@ install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/gsisshd-keygen.service
|
|||
rm $RPM_BUILD_ROOT%{_bindir}/ssh-add
|
||||
rm $RPM_BUILD_ROOT%{_bindir}/ssh-agent
|
||||
rm $RPM_BUILD_ROOT%{_bindir}/ssh-keyscan
|
||||
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ctr-cavstest
|
||||
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ssh-cavs
|
||||
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ssh-cavs_driver.pl
|
||||
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ssh-ldap-helper
|
||||
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ssh-ldap-wrapper
|
||||
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ssh-keycat
|
||||
|
|
@ -435,26 +549,19 @@ getent passwd sshd >/dev/null || \
|
|||
%systemd_preun gsisshd.service gsisshd.socket
|
||||
|
||||
%postun server
|
||||
%systemd_postun_with_restart gsisshd.service gsisshd.socket
|
||||
|
||||
%triggerun server -- gsi-openssh-server < 5.8p2-1
|
||||
/usr/bin/systemd-sysv-convert --save gsisshd >/dev/null 2>&1 || :
|
||||
/sbin/chkconfig --del gsisshd >/dev/null 2>&1 || :
|
||||
/bin/systemctl try-restart gsisshd.service >/dev/null 2>&1 || :
|
||||
|
||||
%triggerun server -- gsi-openssh-server < 5.9p1-6
|
||||
/bin/systemctl --no-reload disable gsisshd-keygen.service >/dev/null 2>&1 || :
|
||||
%systemd_postun_with_restart gsisshd.service
|
||||
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
%doc CREDITS ChangeLog INSTALL LICENCE LICENSE.globus_usage OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns README.sshd-and-gsisshd TODO
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license LICENCE
|
||||
%doc CREDITS ChangeLog INSTALL OVERVIEW PROTOCOL* README HPN-README README.platform README.privsep README.tun README.dns README.sshd-and-gsisshd TODO
|
||||
%attr(0755,root,root) %dir %{_sysconfdir}/gsissh
|
||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/gsissh/moduli
|
||||
%attr(0755,root,root) %{_bindir}/gsissh-keygen
|
||||
%attr(0644,root,root) %{_mandir}/man1/gsissh-keygen.1*
|
||||
%attr(0755,root,root) %dir %{_libexecdir}/gsissh
|
||||
%attr(2755,root,ssh_keys) %{_libexecdir}/gsissh/ssh-keysign
|
||||
%attr(0755,root,root) %{_libexecdir}/gsissh/ctr-cavstest
|
||||
%attr(0644,root,root) %{_mandir}/man8/gsissh-keysign.8*
|
||||
|
||||
%files clients
|
||||
|
|
@ -473,7 +580,7 @@ getent passwd sshd >/dev/null || \
|
|||
|
||||
%files server
|
||||
%defattr(-,root,root)
|
||||
%dir %attr(0711,root,root) %{_var}/empty/gsisshd
|
||||
%dir %attr(0711,root,root) %{_var}/empty/sshd
|
||||
%attr(0755,root,root) %{_sbindir}/gsisshd
|
||||
%attr(0755,root,root) %{_sbindir}/gsisshd-keygen
|
||||
%attr(0644,root,root) %{_libdir}/fipscheck/gsisshd.hmac
|
||||
|
|
@ -491,17 +598,66 @@ getent passwd sshd >/dev/null || \
|
|||
%attr(0644,root,root) %{_unitdir}/gsisshd-keygen.service
|
||||
|
||||
%changelog
|
||||
* Tue Nov 26 2013 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.4p1-1
|
||||
- Based on openssh-6.4p1-2.fc20
|
||||
* Wed Aug 09 2023 Mattias Ellert <mattias.ellert@physics.uu.se> - 7.4p1-8
|
||||
- Based on openssh-7.4p1-23.el7_9
|
||||
|
||||
* Mon Oct 21 2013 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.3p1-2
|
||||
- Add obsoletes for -fips packages
|
||||
* Wed Nov 24 2021 Mattias Ellert <mattias.ellert@physics.uu.se> - 7.4p1-7
|
||||
- Based on openssh-7.4p1-22.el7_9
|
||||
|
||||
* Tue Oct 15 2013 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.3p1-1
|
||||
- Based on openssh-6.3p1-1.fc20
|
||||
* Fri Oct 23 2020 Frank Scheiner <scheiner@hlrs.de> - 7.4p1-6
|
||||
- Add HPN patch
|
||||
|
||||
* Wed Oct 02 2013 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.2p2-3
|
||||
- Based on openssh-6.2p2-8.fc20
|
||||
* Wed Aug 07 2019 Mattias Ellert <mattias.ellert@physics.uu.se> - 7.4p1-5
|
||||
- Based on openssh-7.4p1-21.el7
|
||||
|
||||
* Tue May 28 2019 Mattias Ellert <mattias.ellert@physics.uu.se> - 7.4p1-4
|
||||
- Change GSSAPITrustDNS default to no
|
||||
|
||||
* Wed Feb 27 2019 Mattias Ellert <mattias.ellert@physics.uu.se> - 7.4p1-3
|
||||
- Remove usage statistics collection support
|
||||
|
||||
* Tue Apr 10 2018 Mattias Ellert <mattias.ellert@physics.uu.se> - 7.4p1-2
|
||||
- Based on openssh-7.4p1-16.el7
|
||||
|
||||
* Sun Nov 12 2017 Mattias Ellert <mattias.ellert@physics.uu.se> - 7.4p1-1
|
||||
- Based on openssh-7.4p1-13.el7_4
|
||||
|
||||
* Mon Jul 31 2017 Mattias Ellert <mattias.ellert@physics.uu.se> - 6.6.1p1-8
|
||||
- Based on openssh-6.6.1p1-35.el7_3
|
||||
- Update GSI patch with more openssl 1.1.0 fixes from Globus
|
||||
|
||||
* Fri Feb 24 2017 Mattias Ellert <mattias.ellert@physics.uu.se> - 6.6.1p1-7
|
||||
- Based on openssh-6.6.1p1-33.el7_3
|
||||
|
||||
* Thu Dec 15 2016 Mattias Ellert <mattias.ellert@physics.uu.se> - 6.6.1p1-6
|
||||
- Adding mechanism OID negotiation with the introduction of micv2 OID
|
||||
|
||||
* Wed Dec 14 2016 Mattias Ellert <mattias.ellert@physics.uu.se> - 6.6.1p1-5
|
||||
- Based on openssh 6.6.1p1-31.el7
|
||||
|
||||
* Sun Jun 26 2016 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.6.1p1-4
|
||||
- Based on openssh-6.6.1p1-25.el7_2
|
||||
|
||||
* Tue Jan 19 2016 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.6.1p1-3
|
||||
- Based on openssh-6.6.1p1-23.el7_2
|
||||
|
||||
* Wed Aug 05 2015 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.6.1p1-2
|
||||
- Fix typos in gsisshd.service file
|
||||
|
||||
* Sun Jul 05 2015 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.6.1p1-1
|
||||
- Based on openssh-6.6.1p1-12.el7_1
|
||||
|
||||
* Wed Jul 16 2014 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.4p1-2
|
||||
- Based on openssh-6.4p1-8.el7
|
||||
|
||||
* Tue Jan 28 2014 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.4p1-1
|
||||
- Based on openssh-6.4p1-1.el7
|
||||
|
||||
* Thu Dec 12 2013 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.2p2-4
|
||||
- Based on openssh-6.2p2-7.fc19
|
||||
|
||||
* Tue Nov 26 2013 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.2p2-3
|
||||
- Based on openssh-6.2p2-6.fc19
|
||||
|
||||
* Fri Aug 23 2013 Mattias Ellert <mattias.ellert@fysast.uu.se> - 6.2p2-2
|
||||
- Based on openssh-6.2p2-5.fc19
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@
|
|||
#
|
||||
# The creation is controlled by the $AUTOCREATE_SERVER_KEYS environment
|
||||
# variable.
|
||||
AUTOCREATE_SERVER_KEYS=RSAONLY
|
||||
AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
|
||||
|
||||
# source function library
|
||||
. /etc/rc.d/init.d/functions
|
||||
|
|
@ -15,6 +15,7 @@ RSA1_KEY=/etc/gsissh/ssh_host_key
|
|||
RSA_KEY=/etc/gsissh/ssh_host_rsa_key
|
||||
DSA_KEY=/etc/gsissh/ssh_host_dsa_key
|
||||
ECDSA_KEY=/etc/gsissh/ssh_host_ecdsa_key
|
||||
ED25519_KEY=/etc/gsissh/ssh_host_ed25519_key
|
||||
|
||||
# pull in sysconfig settings
|
||||
[ -f /etc/sysconfig/gsisshd ] && . /etc/sysconfig/gsisshd
|
||||
|
|
@ -36,7 +37,7 @@ do_rsa1_keygen() {
|
|||
chmod 640 $RSA1_KEY
|
||||
chmod 644 $RSA1_KEY.pub
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
/sbin/restorecon $RSA1_KEY.pub
|
||||
/sbin/restorecon $RSA1_KEY{,.pub}
|
||||
fi
|
||||
success $"RSA1 key generation"
|
||||
echo
|
||||
|
|
@ -57,7 +58,7 @@ do_rsa_keygen() {
|
|||
chmod 640 $RSA_KEY
|
||||
chmod 644 $RSA_KEY.pub
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
/sbin/restorecon $RSA_KEY.pub
|
||||
/sbin/restorecon $RSA_KEY{,.pub}
|
||||
fi
|
||||
success $"RSA key generation"
|
||||
echo
|
||||
|
|
@ -70,7 +71,7 @@ do_rsa_keygen() {
|
|||
}
|
||||
|
||||
do_dsa_keygen() {
|
||||
if [ ! -s $DSA_KEY ]; then
|
||||
if [ ! -s $DSA_KEY -a `fips_enabled` -eq 0 ]; then
|
||||
echo -n $"Generating SSH2 DSA host key: "
|
||||
rm -f $DSA_KEY
|
||||
if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
|
||||
|
|
@ -78,7 +79,7 @@ do_dsa_keygen() {
|
|||
chmod 640 $DSA_KEY
|
||||
chmod 644 $DSA_KEY.pub
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
/sbin/restorecon $DSA_KEY.pub
|
||||
/sbin/restorecon $DSA_KEY{,.pub}
|
||||
fi
|
||||
success $"DSA key generation"
|
||||
echo
|
||||
|
|
@ -96,10 +97,10 @@ do_ecdsa_keygen() {
|
|||
rm -f $ECDSA_KEY
|
||||
if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
|
||||
chgrp ssh_keys $ECDSA_KEY
|
||||
chmod 600 $ECDSA_KEY
|
||||
chmod 640 $ECDSA_KEY
|
||||
chmod 644 $ECDSA_KEY.pub
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
/sbin/restorecon $ECDSA_KEY.pub
|
||||
/sbin/restorecon $ECDSA_KEY{,.pub}
|
||||
fi
|
||||
success $"ECDSA key generation"
|
||||
echo
|
||||
|
|
@ -111,12 +112,43 @@ do_ecdsa_keygen() {
|
|||
fi
|
||||
}
|
||||
|
||||
# Create keys if necessary
|
||||
if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
|
||||
do_rsa_keygen
|
||||
if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
|
||||
do_rsa1_keygen
|
||||
do_dsa_keygen
|
||||
do_ecdsa_keygen
|
||||
do_ed25519_keygen() {
|
||||
if [ ! -s $ED25519_KEY -a `fips_enabled` -eq 0 ]; then
|
||||
echo -n $"Generating SSH2 ED25519 host key: "
|
||||
rm -f $ED25519_KEY
|
||||
if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then
|
||||
chgrp ssh_keys $ED25519_KEY
|
||||
chmod 640 $ED25519_KEY
|
||||
chmod 644 $ED25519_KEY.pub
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
/sbin/restorecon $ED25519_KEY{,.pub}
|
||||
fi
|
||||
success $"ED25519 key generation"
|
||||
echo
|
||||
else
|
||||
failure $"ED25519 key generation"
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
if [ "x${AUTOCREATE_SERVER_KEYS}" == "xNO" ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# legacy options
|
||||
case $AUTOCREATE_SERVER_KEYS in
|
||||
NODSA) AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519";;
|
||||
RSAONLY) AUTOCREATE_SERVER_KEYS="RSA";;
|
||||
YES) AUTOCREATE_SERVER_KEYS="DSA RSA ECDSA ED25519";;
|
||||
esac
|
||||
|
||||
for KEY in $AUTOCREATE_SERVER_KEYS; do
|
||||
case $KEY in
|
||||
DSA) do_dsa_keygen;;
|
||||
RSA) do_rsa_keygen;;
|
||||
ECDSA) do_ecdsa_keygen;;
|
||||
ED25519) do_ed25519_keygen;;
|
||||
esac
|
||||
done
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
[Unit]
|
||||
Description=gsissh Server Key Generation
|
||||
ConditionPathExists=|!/etc/gsissh/ssh_host_rsa_key
|
||||
ConditionPathExists=|!/etc/gsissh/ssh_host_dsa_key
|
||||
ConditionFileNotEmpty=|!/etc/gsissh/ssh_host_rsa_key
|
||||
ConditionFileNotEmpty=|!/etc/gsissh/ssh_host_ecdsa_key
|
||||
ConditionFileNotEmpty=|!/etc/gsissh/ssh_host_ed25519_key
|
||||
PartOf=gsisshd.service gsisshd.socket
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/sbin/gsisshd-keygen
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
|
|
|
|||
|
|
@ -2,6 +2,8 @@
|
|||
auth required pam_sepermit.so
|
||||
auth substack password-auth
|
||||
auth include postlogin
|
||||
# Used with polkit to reauthorize users in remote sessions
|
||||
-auth optional pam_reauthorize.so prepare
|
||||
account required pam_nologin.so
|
||||
account include password-auth
|
||||
password include password-auth
|
||||
|
|
@ -10,6 +12,9 @@ session required pam_selinux.so close
|
|||
session required pam_loginuid.so
|
||||
# pam_selinux.so open should only be followed by sessions to be executed in the user context
|
||||
session required pam_selinux.so open env_params
|
||||
session required pam_namespace.so
|
||||
session optional pam_keyinit.so force revoke
|
||||
session include password-auth
|
||||
session include postlogin
|
||||
# Used with polkit to reauthorize users in remote sessions
|
||||
-session optional pam_reauthorize.so prepare
|
||||
|
|
|
|||
|
|
@ -1,10 +1,12 @@
|
|||
[Unit]
|
||||
Description=gsissh server daemon
|
||||
After=syslog.target network.target auditd.service
|
||||
Documentation=man:gsisshd(8) man:gsisshd_config(5)
|
||||
After=network.target gsisshd-keygen.service
|
||||
Wants=gsisshd-keygen.service
|
||||
|
||||
[Service]
|
||||
EnvironmentFile=/etc/sysconfig/gsisshd
|
||||
ExecStartPre=/usr/sbin/gsisshd-keygen
|
||||
Type=notify
|
||||
EnvironmentFile=-/etc/sysconfig/gsisshd
|
||||
ExecStart=/usr/sbin/gsisshd -D $OPTIONS
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
KillMode=process
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
[Unit]
|
||||
Description=gsissh Server Socket
|
||||
Documentation=man:gsisshd(8) man:gsisshd_config(5)
|
||||
Conflicts=gsisshd.service
|
||||
|
||||
[Socket]
|
||||
|
|
|
|||
|
|
@ -1,12 +1,12 @@
|
|||
# Configuration file for the sshd service.
|
||||
|
||||
# The server keys are automatically generated if they ommited
|
||||
# to change the automatic creation uncomment the approprite
|
||||
# line. The default is RSAONLY
|
||||
# The server keys are automatically generated if they are missing.
|
||||
# To change the automatic creation uncomment and change the appropriate
|
||||
# line. Accepted key types are: DSA RSA ECDSA ED25519.
|
||||
# The default is "RSA ECDSA ED25519"
|
||||
|
||||
# AUTOCREATE_SERVER_KEYS=RSAONLY
|
||||
# AUTOCREATE_SERVER_KEYS=NO
|
||||
# AUTOCREATE_SERVER_KEYS=YES
|
||||
# AUTOCREATE_SERVER_KEYS=""
|
||||
# AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
|
||||
|
||||
# Do not change this option unless you have hardware random
|
||||
# generator and you REALLY know what you are doing
|
||||
|
|
|
|||
|
|
@ -1,7 +1,8 @@
|
|||
[Unit]
|
||||
Description=gsissh per-connection server daemon
|
||||
Documentation=man:gsisshd(8) man:gsisshd_config(5)
|
||||
Wants=gsisshd-keygen.service
|
||||
After=auditd.service gsisshd-keygen.service
|
||||
After=gsisshd-keygen.service
|
||||
|
||||
[Service]
|
||||
EnvironmentFile=-/etc/sysconfig/gsisshd
|
||||
|
|
|
|||
|
|
@ -1,7 +1,8 @@
|
|||
--- openssh-4.3p2/contrib/gnome-ssh-askpass2.c.grab-info 2006-07-17 15:10:11.000000000 +0200
|
||||
+++ openssh-4.3p2/contrib/gnome-ssh-askpass2.c 2006-07-17 15:25:04.000000000 +0200
|
||||
@@ -65,9 +65,12 @@
|
||||
err = gtk_message_dialog_new(NULL, 0,
|
||||
diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-7.4p1/contrib/gnome-ssh-askpass2.c
|
||||
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info 2016-12-23 13:31:22.645213115 +0100
|
||||
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:40.997216691 +0100
|
||||
@@ -65,9 +65,12 @@ report_failed_grab (GtkWidget *parent_wi
|
||||
err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
|
||||
GTK_MESSAGE_ERROR,
|
||||
GTK_BUTTONS_CLOSE,
|
||||
- "Could not grab %s. "
|
||||
|
|
@ -14,5 +15,5 @@
|
|||
+ "Either close the application which grabs the %s or "
|
||||
+ "log out and log in again to prevent this from happening.", what, what);
|
||||
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
|
||||
gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label),
|
||||
TRUE);
|
||||
|
||||
gtk_dialog_run(GTK_DIALOG(err));
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contrib/gnome-ssh-askpass2.c
|
||||
--- openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress 2008-07-23 19:05:26.000000000 +0200
|
||||
+++ openssh-5.1p1/contrib/gnome-ssh-askpass2.c 2008-07-23 19:05:26.000000000 +0200
|
||||
diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contrib/gnome-ssh-askpass2.c
|
||||
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:16.545211926 +0100
|
||||
@@ -53,6 +53,7 @@
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
|
@ -9,7 +9,7 @@ diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contr
|
|||
#include <gtk/gtk.h>
|
||||
#include <gdk/gdkx.h>
|
||||
|
||||
@@ -83,13 +84,24 @@ ok_dialog(GtkWidget *entry, gpointer dia
|
||||
@@ -81,13 +82,24 @@ ok_dialog(GtkWidget *entry, gpointer dia
|
||||
gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
|
||||
}
|
||||
|
||||
|
|
@ -30,12 +30,12 @@ diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contr
|
|||
const char *failed;
|
||||
char *passphrase, *local;
|
||||
int result, grab_tries, grab_server, grab_pointer;
|
||||
- GtkWidget *dialog, *entry;
|
||||
+ GtkWidget *dialog, *entry, *progress, *hbox;
|
||||
- GtkWidget *parent_window, *dialog, *entry;
|
||||
+ GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
|
||||
GdkGrabStatus status;
|
||||
|
||||
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
|
||||
@@ -102,13 +114,31 @@ passphrase_dialog(char *message)
|
||||
@@ -104,14 +116,32 @@ passphrase_dialog(char *message)
|
||||
"%s",
|
||||
message);
|
||||
|
||||
|
|
@ -45,9 +45,11 @@ diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contr
|
|||
+ gtk_widget_show(hbox);
|
||||
+
|
||||
entry = gtk_entry_new();
|
||||
- gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE,
|
||||
+ gtk_box_pack_start(GTK_BOX(hbox), entry, TRUE,
|
||||
FALSE, 0);
|
||||
gtk_box_pack_start(
|
||||
- GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), entry,
|
||||
- FALSE, FALSE, 0);
|
||||
+ GTK_BOX(hbox), entry,
|
||||
+ TRUE, FALSE, 0);
|
||||
+ gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
|
||||
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
|
||||
gtk_widget_grab_focus(entry);
|
||||
|
|
@ -68,7 +70,7 @@ diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contr
|
|||
gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
|
||||
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
|
||||
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
|
||||
@@ -119,6 +149,8 @@ passphrase_dialog(char *message)
|
||||
@@ -120,6 +150,8 @@ passphrase_dialog(char *message)
|
||||
gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
|
||||
g_signal_connect(G_OBJECT(entry), "activate",
|
||||
G_CALLBACK(ok_dialog), dialog);
|
||||
|
|
|
|||
|
|
@ -1,18 +0,0 @@
|
|||
diff -up openssh-5.1p1/scp.1.manpage openssh-5.1p1/scp.1
|
||||
--- openssh-5.1p1/scp.1.manpage 2008-07-12 09:12:49.000000000 +0200
|
||||
+++ openssh-5.1p1/scp.1 2008-07-23 19:18:15.000000000 +0200
|
||||
@@ -66,6 +66,14 @@ treating file names containing
|
||||
as host specifiers.
|
||||
Copies between two remote hosts are also permitted.
|
||||
.Pp
|
||||
+When copying a source file to a target file which already exists,
|
||||
+.Nm
|
||||
+will replace the contents of the target file (keeping the inode).
|
||||
+.Pp
|
||||
+If the target file does not yet exist, an empty file with the target
|
||||
+file name is created, then filled with the source file contents.
|
||||
+No attempt is made at "near-atomic" transfer using temporary files.
|
||||
+.Pp
|
||||
The options are as follows:
|
||||
.Bl -tag -width Ds
|
||||
.It Fl 1
|
||||
|
|
@ -1,37 +0,0 @@
|
|||
diff -up openssh-5.2p1/canohost.c.ip-opts openssh-5.2p1/canohost.c
|
||||
--- openssh-5.2p1/canohost.c.ip-opts 2009-02-14 06:28:21.000000000 +0100
|
||||
+++ openssh-5.2p1/canohost.c 2009-09-01 15:31:29.000000000 +0200
|
||||
@@ -169,12 +169,27 @@ check_ip_options(int sock, char *ipaddr)
|
||||
option_size = sizeof(options);
|
||||
if (getsockopt(sock, ipproto, IP_OPTIONS, options,
|
||||
&option_size) >= 0 && option_size != 0) {
|
||||
- text[0] = '\0';
|
||||
- for (i = 0; i < option_size; i++)
|
||||
- snprintf(text + i*3, sizeof(text) - i*3,
|
||||
- " %2.2x", options[i]);
|
||||
- fatal("Connection from %.100s with IP options:%.800s",
|
||||
- ipaddr, text);
|
||||
+ i = 0;
|
||||
+ do {
|
||||
+ switch (options[i]) {
|
||||
+ case 0:
|
||||
+ case 1:
|
||||
+ ++i;
|
||||
+ break;
|
||||
+ case 131:
|
||||
+ case 137:
|
||||
+ /* Fail, fatally, if we detect either loose or strict
|
||||
+ * source routing options. */
|
||||
+ text[0] = '\0';
|
||||
+ for (i = 0; i < option_size; i++)
|
||||
+ snprintf(text + i*3, sizeof(text) - i*3,
|
||||
+ " %2.2x", options[i]);
|
||||
+ fatal("Connection from %.100s with IP options:%.800s",
|
||||
+ ipaddr, text);
|
||||
+ default:
|
||||
+ i += options[i + 1];
|
||||
+ }
|
||||
+ } while (i < option_size);
|
||||
}
|
||||
#endif /* IP_OPTIONS */
|
||||
}
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
diff -up openssh-5.3p1/channels.c.bz595935 openssh-5.3p1/channels.c
|
||||
--- openssh-5.3p1/channels.c.bz595935 2010-08-12 14:19:28.000000000 +0200
|
||||
+++ openssh-5.3p1/channels.c 2010-08-12 14:33:51.000000000 +0200
|
||||
@@ -3185,7 +3185,7 @@ x11_create_display_inet(int x11_display_
|
||||
@@ -3990,21 +3990,24 @@ x11_create_display_inet(int x11_display_
|
||||
}
|
||||
|
||||
static int
|
||||
|
|
@ -10,14 +10,16 @@ diff -up openssh-5.3p1/channels.c.bz595935 openssh-5.3p1/channels.c
|
|||
{
|
||||
int sock;
|
||||
struct sockaddr_un addr;
|
||||
@@ -3195,11 +3195,14 @@ connect_local_xsocket_path(const char *p
|
||||
|
||||
+ if (len <= 0)
|
||||
+ return -1;
|
||||
sock = socket(AF_UNIX, SOCK_STREAM, 0);
|
||||
if (sock < 0)
|
||||
error("socket: %.100s", strerror(errno));
|
||||
memset(&addr, 0, sizeof(addr));
|
||||
addr.sun_family = AF_UNIX;
|
||||
- strlcpy(addr.sun_path, pathname, sizeof addr.sun_path);
|
||||
- if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
|
||||
+ if (len <= 0)
|
||||
+ return -1;
|
||||
+ if (len > sizeof addr.sun_path)
|
||||
+ len = sizeof addr.sun_path;
|
||||
+ memcpy(addr.sun_path, pathname, len);
|
||||
|
|
@ -28,16 +30,13 @@ diff -up openssh-5.3p1/channels.c.bz595935 openssh-5.3p1/channels.c
|
|||
return -1;
|
||||
}
|
||||
|
||||
@@ -3207,8 +3210,21 @@ static int
|
||||
@@ -3207,8 +3210,18 @@ static int
|
||||
connect_local_xsocket(u_int dnr)
|
||||
{
|
||||
char buf[1024];
|
||||
- snprintf(buf, sizeof buf, _PATH_UNIX_X, dnr);
|
||||
- return connect_local_xsocket_path(buf);
|
||||
+ int len;
|
||||
+#ifdef linux
|
||||
+ int ret;
|
||||
+#endif
|
||||
+ int len, ret;
|
||||
+ len = snprintf(buf + 1, sizeof (buf) - 1, _PATH_UNIX_X, dnr);
|
||||
+#ifdef linux
|
||||
+ /* try abstract socket first */
|
||||
|
|
|
|||
|
|
@ -1,14 +0,0 @@
|
|||
diff -up openssh-5.6p1/channels.c.exit-deadlock openssh-5.6p1/channels.c
|
||||
--- openssh-5.6p1/channels.c.exit-deadlock 2010-08-05 15:09:48.000000000 +0200
|
||||
+++ openssh-5.6p1/channels.c 2010-08-23 12:41:43.000000000 +0200
|
||||
@@ -1647,6 +1647,10 @@ channel_handle_wfd(Channel *c, fd_set *r
|
||||
u_int dlen, olen = 0;
|
||||
int len;
|
||||
|
||||
+ if(c->wfd != -1 && buffer_len(&c->output) > 0 && c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
|
||||
+ debug("channel %d: forcing write", c->self);
|
||||
+ FD_SET(c->wfd, writeset);
|
||||
+ }
|
||||
/* Send buffered output data to the socket. */
|
||||
if (c->wfd != -1 &&
|
||||
FD_ISSET(c->wfd, writeset) &&
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
diff -up openssh-5.6p1/channels.c.getaddrinfo openssh-5.6p1/channels.c
|
||||
--- openssh-5.6p1/channels.c.getaddrinfo 2012-02-14 16:12:54.427852524 +0100
|
||||
+++ openssh-5.6p1/channels.c 2012-02-14 16:13:22.818928690 +0100
|
||||
@@ -3275,6 +3275,9 @@ x11_create_display_inet(int x11_display_
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = IPv4or6;
|
||||
hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
|
||||
+#ifdef AI_ADDRCONFIG
|
||||
+ hints.ai_flags |= AI_ADDRCONFIG;
|
||||
+#endif
|
||||
hints.ai_socktype = SOCK_STREAM;
|
||||
snprintf(strport, sizeof strport, "%d", port);
|
||||
if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
|
||||
diff -up openssh-5.6p1/sshconnect.c.getaddrinfo openssh-5.6p1/sshconnect.c
|
||||
--- openssh-5.6p1/sshconnect.c.getaddrinfo 2012-02-14 16:09:25.057964291 +0100
|
||||
+++ openssh-5.6p1/sshconnect.c 2012-02-14 16:09:25.106047007 +0100
|
||||
@@ -343,6 +343,7 @@ ssh_connect(const char *host, struct soc
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = family;
|
||||
hints.ai_socktype = SOCK_STREAM;
|
||||
+ hints.ai_flags = AI_V4MAPPED | AI_ADDRCONFIG;
|
||||
snprintf(strport, sizeof strport, "%u", port);
|
||||
if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
|
||||
fatal("%s: Could not resolve hostname %.100s: %s", __progname,
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
diff -up openssh-5.8p1/sftp-glob.c.glob openssh-5.8p1/sftp-glob.c
|
||||
--- openssh-5.8p1/sftp-glob.c.glob 2011-03-07 20:17:34.000000000 +0100
|
||||
+++ openssh-5.8p1/sftp-glob.c 2011-03-07 20:18:47.000000000 +0100
|
||||
@@ -145,5 +145,5 @@ remote_glob(struct sftp_conn *conn, cons
|
||||
memset(&cur, 0, sizeof(cur));
|
||||
cur.conn = conn;
|
||||
|
||||
- return(glob(pattern, flags | GLOB_ALTDIRFUNC, errfunc, pglob));
|
||||
+ return(glob(pattern, flags | GLOB_LIMIT | GLOB_ALTDIRFUNC, errfunc, pglob));
|
||||
}
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
diff -up openssh-5.8p1/sshd_config.localdomain openssh-5.8p1/sshd_config
|
||||
--- openssh-5.8p1/sshd_config.localdomain 2011-04-22 11:37:49.273648812 +0200
|
||||
+++ openssh-5.8p1/sshd_config 2011-04-22 11:39:31.758648401 +0200
|
||||
@@ -130,6 +130,10 @@ X11Forwarding yes
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/libexec/sftp-server
|
||||
|
||||
+# Uncomment this if you want to use .local domain
|
||||
+#Host *.local
|
||||
+# CheckHostIP no
|
||||
+
|
||||
# Example of overriding settings on a per-user basis
|
||||
#Match User anoncvs
|
||||
# X11Forwarding no
|
||||
|
|
@ -5,8 +5,8 @@ diff -up openssh-5.8p1/packet.c.packet openssh-5.8p1/packet.c
|
|||
struct sockaddr_storage from, to;
|
||||
socklen_t fromlen, tolen;
|
||||
|
||||
+ if (!active_state)
|
||||
+ if (!state)
|
||||
+ return 0;
|
||||
/* filedescriptors in and out are the same, so it's a socket */
|
||||
if (active_state->connection_in == active_state->connection_out)
|
||||
return 1;
|
||||
if (state->connection_in == -1 || state->connection_out == -1)
|
||||
return 0;
|
||||
|
||||
|
|
|
|||
|
|
@ -1,13 +0,0 @@
|
|||
diff -up openssh-5.8p2/mux.c.remove_stale openssh-5.8p2/mux.c
|
||||
--- openssh-5.8p2/mux.c.remove_stale 2011-01-14 02:01:32.000000000 +0100
|
||||
+++ openssh-5.8p2/mux.c 2011-06-09 15:27:42.556360291 +0200
|
||||
@@ -1867,6 +1867,9 @@ muxclient(const char *path)
|
||||
unlink(path);
|
||||
} else if (errno == ENOENT) {
|
||||
debug("Control socket \"%.100s\" does not exist", path);
|
||||
+ } else if (errno == ECONNREFUSED) {
|
||||
+ debug("Removing stale control socket \"%.100s\"", path);
|
||||
+ unlink(path);
|
||||
} else {
|
||||
error("Control socket connect(%.100s): %s", path,
|
||||
strerror(errno));
|
||||
|
|
@ -1,72 +0,0 @@
|
|||
diff -up openssh-5.9p1/dns.c.edns openssh-5.9p1/dns.c
|
||||
--- openssh-5.9p1/dns.c.edns 2010-08-31 14:41:14.000000000 +0200
|
||||
+++ openssh-5.9p1/dns.c 2011-09-09 08:05:27.782440497 +0200
|
||||
@@ -177,6 +177,7 @@ verify_host_key_dns(const char *hostname
|
||||
{
|
||||
u_int counter;
|
||||
int result;
|
||||
+ unsigned int rrset_flags = 0;
|
||||
struct rrsetinfo *fingerprints = NULL;
|
||||
|
||||
u_int8_t hostkey_algorithm;
|
||||
@@ -200,8 +201,19 @@ verify_host_key_dns(const char *hostname
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * Original getrrsetbyname function, found on OpenBSD for example,
|
||||
+ * doesn't accept any flag and prerequisite for obtaining AD bit in
|
||||
+ * DNS response is set by "options edns0" in resolv.conf.
|
||||
+ *
|
||||
+ * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
|
||||
+ */
|
||||
+#ifndef HAVE_GETRRSETBYNAME
|
||||
+ rrset_flags |= RRSET_FORCE_EDNS0;
|
||||
+#endif
|
||||
result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
|
||||
- DNS_RDATATYPE_SSHFP, 0, &fingerprints);
|
||||
+ DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
|
||||
+
|
||||
if (result) {
|
||||
verbose("DNS lookup error: %s", dns_result_totext(result));
|
||||
return -1;
|
||||
diff -up openssh-5.9p1/openbsd-compat/getrrsetbyname.c.edns openssh-5.9p1/openbsd-compat/getrrsetbyname.c
|
||||
--- openssh-5.9p1/openbsd-compat/getrrsetbyname.c.edns 2009-07-13 03:38:23.000000000 +0200
|
||||
+++ openssh-5.9p1/openbsd-compat/getrrsetbyname.c 2011-09-09 15:03:39.930500801 +0200
|
||||
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, uns
|
||||
goto fail;
|
||||
}
|
||||
|
||||
- /* don't allow flags yet, unimplemented */
|
||||
- if (flags) {
|
||||
+ /* Allow RRSET_FORCE_EDNS0 flag only. */
|
||||
+ if ((flags & ~RRSET_FORCE_EDNS0) != 0) {
|
||||
result = ERRSET_INVAL;
|
||||
goto fail;
|
||||
}
|
||||
@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, uns
|
||||
#endif /* DEBUG */
|
||||
|
||||
#ifdef RES_USE_DNSSEC
|
||||
- /* turn on DNSSEC if EDNS0 is configured */
|
||||
- if (_resp->options & RES_USE_EDNS0)
|
||||
- _resp->options |= RES_USE_DNSSEC;
|
||||
+ /* turn on DNSSEC if required */
|
||||
+ if (flags & RRSET_FORCE_EDNS0)
|
||||
+ _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
|
||||
#endif /* RES_USE_DNSEC */
|
||||
|
||||
/* make query */
|
||||
diff -up openssh-5.9p1/openbsd-compat/getrrsetbyname.h.edns openssh-5.9p1/openbsd-compat/getrrsetbyname.h
|
||||
--- openssh-5.9p1/openbsd-compat/getrrsetbyname.h.edns 2007-10-26 08:26:50.000000000 +0200
|
||||
+++ openssh-5.9p1/openbsd-compat/getrrsetbyname.h 2011-09-09 08:05:27.965438689 +0200
|
||||
@@ -72,6 +72,9 @@
|
||||
#ifndef RRSET_VALIDATED
|
||||
# define RRSET_VALIDATED 1
|
||||
#endif
|
||||
+#ifndef RRSET_FORCE_EDNS0
|
||||
+# define RRSET_FORCE_EDNS0 0x0001
|
||||
+#endif
|
||||
|
||||
/*
|
||||
* Return codes for getrrsetbyname()
|
||||
|
|
@ -1,13 +0,0 @@
|
|||
diff -up openssh-5.9p0/entropy.c.randclean openssh-5.9p0/entropy.c
|
||||
--- openssh-5.9p0/entropy.c.randclean 2011-08-30 13:52:45.000000000 +0200
|
||||
+++ openssh-5.9p0/entropy.c 2011-08-30 13:57:44.630111338 +0200
|
||||
@@ -217,6 +217,9 @@ seed_rng(void)
|
||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
||||
|
||||
+ /* clean the PRNG status when exiting the program */
|
||||
+ atexit(RAND_cleanup);
|
||||
+
|
||||
#ifndef OPENSSL_PRNG_ONLY
|
||||
if (RAND_status() == 1) {
|
||||
debug3("RNG is ready, skipping seeding");
|
||||
|
|
@ -1,18 +0,0 @@
|
|||
diff -up openssh-6.1p1/contrib/Makefile.askpass-ld openssh-6.1p1/contrib/Makefile
|
||||
--- openssh-6.1p1/contrib/Makefile.askpass-ld 2012-05-19 07:24:37.000000000 +0200
|
||||
+++ openssh-6.1p1/contrib/Makefile 2012-09-14 20:35:47.565704718 +0200
|
||||
@@ -4,12 +4,12 @@ all:
|
||||
@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
|
||||
|
||||
gnome-ssh-askpass1: gnome-ssh-askpass1.c
|
||||
- $(CC) `gnome-config --cflags gnome gnomeui` \
|
||||
+ $(CC) ${CFLAGS} `gnome-config --cflags gnome gnomeui` \
|
||||
gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
|
||||
`gnome-config --libs gnome gnomeui`
|
||||
|
||||
gnome-ssh-askpass2: gnome-ssh-askpass2.c
|
||||
- $(CC) `$(PKG_CONFIG) --cflags gtk+-2.0` \
|
||||
+ $(CC) ${CFLAGS} `$(PKG_CONFIG) --cflags gtk+-2.0` \
|
||||
gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
|
||||
`$(PKG_CONFIG) --libs gtk+-2.0 x11`
|
||||
|
||||
|
|
@ -12,7 +12,7 @@ diff -up openssh-6.1p1/sshconnect2.c.canohost openssh-6.1p1/sshconnect2.c
|
|||
gss_host = options.gss_server_identity;
|
||||
- else if (options.gss_trust_dns)
|
||||
+ else if (options.gss_trust_dns) {
|
||||
gss_host = get_canonical_hostname(1);
|
||||
gss_host = get_canonical_hostname(active_state, 1);
|
||||
+ if ( strcmp( gss_host, "UNKNOWN" ) == 0 )
|
||||
+ gss_host = authctxt->host;
|
||||
+ }
|
||||
|
|
|
|||
|
|
@ -1,26 +0,0 @@
|
|||
diff -up openssh-6.1p1/sshd.c.log-usepam-no openssh-6.1p1/sshd.c
|
||||
--- openssh-6.1p1/sshd.c.log-usepam-no 2012-09-14 20:54:58.000000000 +0200
|
||||
+++ openssh-6.1p1/sshd.c 2012-09-14 20:55:42.289477749 +0200
|
||||
@@ -1617,6 +1617,10 @@ main(int ac, char **av)
|
||||
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
||||
&cfg, NULL);
|
||||
|
||||
+ /* 'UsePAM no' is not supported in Fedora */
|
||||
+ if (! options.use_pam)
|
||||
+ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
|
||||
+
|
||||
seed_rng();
|
||||
|
||||
/* Fill in default values for those options not explicitly set. */
|
||||
diff -up openssh-6.1p1/sshd_config.log-usepam-no openssh-6.1p1/sshd_config
|
||||
--- openssh-6.1p1/sshd_config.log-usepam-no 2012-09-14 20:54:58.514255748 +0200
|
||||
+++ openssh-6.1p1/sshd_config 2012-09-14 20:54:58.551255954 +0200
|
||||
@@ -95,6 +95,8 @@ GSSAPICleanupCredentials yes
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
|
||||
+# problems.
|
||||
#UsePAM no
|
||||
UsePAM yes
|
||||
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
diff -up openssh-6.2p1/configure.ac.vendor openssh-6.2p1/configure.ac
|
||||
--- openssh-6.2p1/configure.ac.vendor 2013-03-25 19:34:01.277495179 +0100
|
||||
+++ openssh-6.2p1/configure.ac 2013-03-25 19:34:01.377495818 +0100
|
||||
@@ -4420,6 +4420,12 @@ AC_ARG_WITH([lastlog],
|
||||
diff -up openssh-7.4p1/configure.ac.vendor openssh-7.4p1/configure.ac
|
||||
--- openssh-7.4p1/configure.ac.vendor 2017-02-10 10:45:54.977836854 +0100
|
||||
+++ openssh-7.4p1/configure.ac 2017-02-10 10:45:54.995836725 +0100
|
||||
@@ -4930,6 +4930,12 @@ AC_ARG_WITH([lastlog],
|
||||
fi
|
||||
]
|
||||
)
|
||||
|
|
@ -14,7 +14,7 @@ diff -up openssh-6.2p1/configure.ac.vendor openssh-6.2p1/configure.ac
|
|||
|
||||
dnl lastlog, [uw]tmpx? detection
|
||||
dnl NOTE: set the paths in the platform section to avoid the
|
||||
@@ -4681,6 +4687,7 @@ echo " Translate v4 in v6 hack
|
||||
@@ -5194,6 +5200,7 @@ echo " Translate v4 in v6 hack
|
||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||
echo " Random number source: $RAND_MSG"
|
||||
echo " Privsep sandbox style: $SANDBOX_STYLE"
|
||||
|
|
@ -22,10 +22,10 @@ diff -up openssh-6.2p1/configure.ac.vendor openssh-6.2p1/configure.ac
|
|||
|
||||
echo ""
|
||||
|
||||
diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
|
||||
--- openssh-6.2p1/servconf.c.vendor 2013-03-25 19:34:01.197494668 +0100
|
||||
+++ openssh-6.2p1/servconf.c 2013-03-25 19:34:01.379495831 +0100
|
||||
@@ -128,6 +128,7 @@ initialize_server_options(ServerOptions
|
||||
diff -up openssh-7.4p1/servconf.c.vendor openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.vendor 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2017-02-10 10:45:54.995836725 +0100
|
||||
@@ -143,6 +143,7 @@ initialize_server_options(ServerOptions
|
||||
options->max_authtries = -1;
|
||||
options->max_sessions = -1;
|
||||
options->banner = NULL;
|
||||
|
|
@ -33,26 +33,25 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
|
|||
options->use_dns = -1;
|
||||
options->client_alive_interval = -1;
|
||||
options->client_alive_count_max = -1;
|
||||
@@ -287,6 +288,9 @@ fill_default_server_options(ServerOption
|
||||
@@ -325,6 +326,8 @@ fill_default_server_options(ServerOption
|
||||
options->ip_qos_bulk = IPTOS_THROUGHPUT;
|
||||
if (options->version_addendum == NULL)
|
||||
options->version_addendum = xstrdup("");
|
||||
+ if (options->show_patchlevel == -1)
|
||||
+ options->show_patchlevel = 0;
|
||||
+
|
||||
/* Turn privilege separation on by default */
|
||||
if (use_privsep == -1)
|
||||
use_privsep = PRIVSEP_NOSANDBOX;
|
||||
@@ -324,7 +328,7 @@ typedef enum {
|
||||
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
|
||||
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
|
||||
sMaxStartups, sMaxAuthTries, sMaxSessions,
|
||||
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
|
||||
options->fwd_opts.streamlocal_bind_mask = 0177;
|
||||
if (options->fwd_opts.streamlocal_bind_unlink == -1)
|
||||
@@ -402,7 +405,7 @@ typedef enum {
|
||||
sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
|
||||
sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
|
||||
sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
|
||||
- sBanner, sUseDNS, sHostbasedAuthentication,
|
||||
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||
sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
||||
@@ -439,6 +443,7 @@ static struct {
|
||||
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
|
||||
sHostKeyAlgorithms,
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
@@ -528,6 +531,7 @@ static struct {
|
||||
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
|
||||
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
|
||||
{ "banner", sBanner, SSHCFG_ALL },
|
||||
|
|
@ -60,7 +59,7 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
|
|||
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
|
||||
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
|
||||
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
|
||||
@@ -1163,6 +1168,10 @@ process_server_config_line(ServerOptions
|
||||
@@ -1369,6 +1373,10 @@ process_server_config_line(ServerOptions
|
||||
multistate_ptr = multistate_privsep;
|
||||
goto parse_multistate;
|
||||
|
||||
|
|
@ -71,18 +70,18 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
|
|||
case sAllowUsers:
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
||||
@@ -1950,6 +1959,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sUseLogin, o->use_login);
|
||||
@@ -2269,6 +2277,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
|
||||
dump_cfg_fmtint(sCompression, o->compression);
|
||||
dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
|
||||
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
|
||||
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
|
||||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
diff -up openssh-6.2p1/servconf.h.vendor openssh-6.2p1/servconf.h
|
||||
--- openssh-6.2p1/servconf.h.vendor 2013-01-09 05:56:45.000000000 +0100
|
||||
+++ openssh-6.2p1/servconf.h 2013-03-25 19:34:01.379495831 +0100
|
||||
@@ -147,6 +147,7 @@ typedef struct {
|
||||
dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
|
||||
diff -up openssh-7.4p1/servconf.h.vendor openssh-7.4p1/servconf.h
|
||||
--- openssh-7.4p1/servconf.h.vendor 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/servconf.h 2017-02-10 10:45:54.995836725 +0100
|
||||
@@ -149,6 +149,7 @@ typedef struct {
|
||||
int max_authtries;
|
||||
int max_sessions;
|
||||
char *banner; /* SSH-2 banner message */
|
||||
|
|
@ -90,39 +89,13 @@ diff -up openssh-6.2p1/servconf.h.vendor openssh-6.2p1/servconf.h
|
|||
int use_dns;
|
||||
int client_alive_interval; /*
|
||||
* poke the client this often to
|
||||
diff -up openssh-6.2p1/sshd_config.vendor openssh-6.2p1/sshd_config
|
||||
--- openssh-6.2p1/sshd_config.vendor 2013-03-25 19:34:01.380495837 +0100
|
||||
+++ openssh-6.2p1/sshd_config 2013-03-25 19:44:43.471296362 +0100
|
||||
@@ -118,6 +118,7 @@ UsePrivilegeSeparation sandbox # Defaul
|
||||
#Compression delayed
|
||||
#ClientAliveInterval 0
|
||||
#ClientAliveCountMax 3
|
||||
+#ShowPatchLevel no
|
||||
#UseDNS yes
|
||||
#PidFile /var/run/sshd.pid
|
||||
#MaxStartups 10:30:100
|
||||
diff -up openssh-6.2p1/sshd_config.0.vendor openssh-6.2p1/sshd_config.0
|
||||
--- openssh-6.2p1/sshd_config.0.vendor 2013-03-25 19:34:01.361495716 +0100
|
||||
+++ openssh-6.2p1/sshd_config.0 2013-03-25 19:34:01.381495844 +0100
|
||||
@@ -595,6 +595,11 @@ DESCRIPTION
|
||||
Defines the number of bits in the ephemeral protocol version 1
|
||||
server key. The minimum value is 512, and the default is 1024.
|
||||
|
||||
+ ShowPatchLevel
|
||||
+ Specifies whether sshd will display the specific patch level of
|
||||
+ the binary in the server identification string. The patch level
|
||||
+ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^].
|
||||
+
|
||||
StrictModes
|
||||
Specifies whether sshd(8) should check file modes and ownership
|
||||
of the user's files and home directory before accepting login.
|
||||
diff -up openssh-6.2p1/sshd_config.5.vendor openssh-6.2p1/sshd_config.5
|
||||
--- openssh-6.2p1/sshd_config.5.vendor 2013-03-25 19:34:01.362495722 +0100
|
||||
+++ openssh-6.2p1/sshd_config.5 2013-03-25 19:34:01.382495850 +0100
|
||||
@@ -1019,6 +1019,14 @@ This option applies to protocol version
|
||||
.It Cm ServerKeyBits
|
||||
Defines the number of bits in the ephemeral protocol version 1 server key.
|
||||
The minimum value is 512, and the default is 1024.
|
||||
diff -up openssh-7.4p1/sshd_config.5.vendor openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.vendor 2017-02-10 10:45:54.990836761 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2017-02-10 10:45:54.996836718 +0100
|
||||
@@ -1334,6 +1334,14 @@ an OpenSSH Key Revocation List (KRL) as
|
||||
.Xr ssh-keygen 1 .
|
||||
For more information on KRLs, see the KEY REVOCATION LISTS section in
|
||||
.Xr ssh-keygen 1 .
|
||||
+.It Cm ShowPatchLevel
|
||||
+Specifies whether
|
||||
+.Nm sshd
|
||||
|
|
@ -131,28 +104,40 @@ diff -up openssh-6.2p1/sshd_config.5.vendor openssh-6.2p1/sshd_config.5
|
|||
+The default is
|
||||
+.Dq no .
|
||||
+This option applies to protocol version 1 only.
|
||||
.It Cm StrictModes
|
||||
Specifies whether
|
||||
.Xr sshd 8
|
||||
diff -up openssh-6.2p1/sshd.c.vendor openssh-6.2p1/sshd.c
|
||||
--- openssh-6.2p1/sshd.c.vendor 2013-03-25 19:34:01.332495531 +0100
|
||||
+++ openssh-6.2p1/sshd.c 2013-03-25 19:44:11.864112092 +0100
|
||||
@@ -442,7 +442,7 @@ sshd_exchange_identification(int sock_in
|
||||
}
|
||||
.It Cm StreamLocalBindMask
|
||||
Sets the octal file creation mode mask
|
||||
.Pq umask
|
||||
diff -up openssh-7.4p1/sshd_config.vendor openssh-7.4p1/sshd_config
|
||||
--- openssh-7.4p1/sshd_config.vendor 2017-02-10 10:45:54.990836761 +0100
|
||||
+++ openssh-7.4p1/sshd_config 2017-02-10 10:45:54.996836718 +0100
|
||||
@@ -105,6 +105,7 @@ X11Forwarding yes
|
||||
#Compression delayed
|
||||
#ClientAliveInterval 0
|
||||
#ClientAliveCountMax 3
|
||||
+#ShowPatchLevel no
|
||||
#UseDNS no
|
||||
#PidFile /var/run/sshd.pid
|
||||
#MaxStartups 10:30:100
|
||||
diff -up openssh-7.4p1/sshd.c.vendor openssh-7.4p1/sshd.c
|
||||
--- openssh-7.4p1/sshd.c.vendor 2017-02-10 10:45:54.996836718 +0100
|
||||
+++ openssh-7.4p1/sshd.c 2017-02-10 10:48:41.633648667 +0100
|
||||
@@ -367,7 +367,8 @@ sshd_exchange_identification(struct ssh
|
||||
char remote_version[256]; /* Must be at least as big as buf. */
|
||||
|
||||
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
|
||||
- major, minor, SSH_VERSION,
|
||||
+ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
|
||||
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
|
||||
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
|
||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
|
||||
*options.version_addendum == '\0' ? "" : " ",
|
||||
options.version_addendum, newline);
|
||||
|
||||
@@ -1675,7 +1675,8 @@ main(int ac, char **av)
|
||||
@@ -1654,7 +1655,8 @@ main(int ac, char **av)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- debug("sshd version %s, %s", SSH_VERSION,
|
||||
+ debug("sshd version %s, %s",
|
||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
|
||||
SSLeay_version(SSLEAY_VERSION));
|
||||
|
||||
/* Store privilege separation user for later use if required. */
|
||||
#ifdef WITH_OPENSSL
|
||||
SSLeay_version(SSLEAY_VERSION)
|
||||
#else
|
||||
|
|
|
|||
|
|
@ -1,788 +0,0 @@
|
|||
diff -up openssh-6.3p1/auth-pam.c.coverity openssh-6.3p1/auth-pam.c
|
||||
--- openssh-6.3p1/auth-pam.c.coverity 2013-06-02 00:07:32.000000000 +0200
|
||||
+++ openssh-6.3p1/auth-pam.c 2013-10-07 13:20:36.288298063 +0200
|
||||
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
|
||||
if (sshpam_thread_status != -1)
|
||||
return (sshpam_thread_status);
|
||||
signal(SIGCHLD, sshpam_oldsig);
|
||||
- waitpid(thread, &status, 0);
|
||||
+ while (waitpid(thread, &status, 0) < 0) {
|
||||
+ if (errno == EINTR)
|
||||
+ continue;
|
||||
+ fatal("%s: waitpid: %s", __func__,
|
||||
+ strerror(errno));
|
||||
+ }
|
||||
return (status);
|
||||
}
|
||||
#endif
|
||||
diff -up openssh-6.3p1/channels.c.coverity openssh-6.3p1/channels.c
|
||||
--- openssh-6.3p1/channels.c.coverity 2013-09-13 08:19:31.000000000 +0200
|
||||
+++ openssh-6.3p1/channels.c 2013-10-07 13:20:36.289298058 +0200
|
||||
@@ -233,11 +233,11 @@ channel_register_fds(Channel *c, int rfd
|
||||
channel_max_fd = MAX(channel_max_fd, wfd);
|
||||
channel_max_fd = MAX(channel_max_fd, efd);
|
||||
|
||||
- if (rfd != -1)
|
||||
+ if (rfd >= 0)
|
||||
fcntl(rfd, F_SETFD, FD_CLOEXEC);
|
||||
- if (wfd != -1 && wfd != rfd)
|
||||
+ if (wfd >= 0 && wfd != rfd)
|
||||
fcntl(wfd, F_SETFD, FD_CLOEXEC);
|
||||
- if (efd != -1 && efd != rfd && efd != wfd)
|
||||
+ if (efd >= 0 && efd != rfd && efd != wfd)
|
||||
fcntl(efd, F_SETFD, FD_CLOEXEC);
|
||||
|
||||
c->rfd = rfd;
|
||||
@@ -255,11 +255,11 @@ channel_register_fds(Channel *c, int rfd
|
||||
|
||||
/* enable nonblocking mode */
|
||||
if (nonblock) {
|
||||
- if (rfd != -1)
|
||||
+ if (rfd >= 0)
|
||||
set_nonblock(rfd);
|
||||
- if (wfd != -1)
|
||||
+ if (wfd >= 0)
|
||||
set_nonblock(wfd);
|
||||
- if (efd != -1)
|
||||
+ if (efd >= 0)
|
||||
set_nonblock(efd);
|
||||
}
|
||||
}
|
||||
diff -up openssh-6.3p1/clientloop.c.coverity openssh-6.3p1/clientloop.c
|
||||
--- openssh-6.3p1/clientloop.c.coverity 2013-06-10 05:07:12.000000000 +0200
|
||||
+++ openssh-6.3p1/clientloop.c 2013-10-07 13:20:36.289298058 +0200
|
||||
@@ -2068,14 +2068,15 @@ client_input_global_request(int type, u_
|
||||
char *rtype;
|
||||
int want_reply;
|
||||
int success = 0;
|
||||
+/* success is still 0 the packet is allways SSH2_MSG_REQUEST_FAILURE, isn't it? */
|
||||
|
||||
rtype = packet_get_string(NULL);
|
||||
want_reply = packet_get_char();
|
||||
debug("client_input_global_request: rtype %s want_reply %d",
|
||||
rtype, want_reply);
|
||||
if (want_reply) {
|
||||
- packet_start(success ?
|
||||
- SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE);
|
||||
+ packet_start(/*success ?
|
||||
+ SSH2_MSG_REQUEST_SUCCESS :*/ SSH2_MSG_REQUEST_FAILURE);
|
||||
packet_send();
|
||||
packet_write_wait();
|
||||
}
|
||||
diff -up openssh-6.3p1/key.c.coverity openssh-6.3p1/key.c
|
||||
--- openssh-6.3p1/key.c.coverity 2013-06-01 23:41:51.000000000 +0200
|
||||
+++ openssh-6.3p1/key.c 2013-10-07 13:20:36.290298054 +0200
|
||||
@@ -807,8 +807,10 @@ key_read(Key *ret, char **cpp)
|
||||
success = 1;
|
||||
/*XXXX*/
|
||||
key_free(k);
|
||||
+/*XXXX
|
||||
if (success != 1)
|
||||
break;
|
||||
+XXXX*/
|
||||
/* advance cp: skip whitespace and data */
|
||||
while (*cp == ' ' || *cp == '\t')
|
||||
cp++;
|
||||
diff -up openssh-6.3p1/monitor.c.coverity openssh-6.3p1/monitor.c
|
||||
--- openssh-6.3p1/monitor.c.coverity 2013-07-20 05:21:53.000000000 +0200
|
||||
+++ openssh-6.3p1/monitor.c 2013-10-07 13:54:36.761314042 +0200
|
||||
@@ -449,7 +449,7 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
mm_get_keystate(pmonitor);
|
||||
|
||||
/* Drain any buffered messages from the child */
|
||||
- while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
|
||||
+ while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
|
||||
;
|
||||
|
||||
close(pmonitor->m_sendfd);
|
||||
@@ -1202,6 +1202,10 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
break;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ debug3("%s: key %p is %s",
|
||||
+ __func__, key, allowed ? "allowed" : "not allowed");
|
||||
+
|
||||
if (key != NULL)
|
||||
key_free(key);
|
||||
|
||||
@@ -1223,9 +1227,6 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
free(chost);
|
||||
}
|
||||
|
||||
- debug3("%s: key %p is %s",
|
||||
- __func__, key, allowed ? "allowed" : "not allowed");
|
||||
-
|
||||
buffer_clear(m);
|
||||
buffer_put_int(m, allowed);
|
||||
buffer_put_int(m, forced_command != NULL);
|
||||
diff -up openssh-6.3p1/monitor_wrap.c.coverity openssh-6.3p1/monitor_wrap.c
|
||||
--- openssh-6.3p1/monitor_wrap.c.coverity 2013-06-02 00:07:32.000000000 +0200
|
||||
+++ openssh-6.3p1/monitor_wrap.c 2013-10-07 13:20:36.291298049 +0200
|
||||
@@ -710,10 +710,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
|
||||
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
|
||||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
|
||||
error("%s: cannot allocate fds for pty", __func__);
|
||||
- if (tmp1 > 0)
|
||||
+ if (tmp1 >= 0)
|
||||
close(tmp1);
|
||||
- if (tmp2 > 0)
|
||||
- close(tmp2);
|
||||
+ /*DEAD CODE if (tmp2 >= 0)
|
||||
+ close(tmp2);*/
|
||||
return 0;
|
||||
}
|
||||
close(tmp1);
|
||||
diff -up openssh-6.3p1/openbsd-compat/bindresvport.c.coverity openssh-6.3p1/openbsd-compat/bindresvport.c
|
||||
--- openssh-6.3p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100
|
||||
+++ openssh-6.3p1/openbsd-compat/bindresvport.c 2013-10-07 13:20:36.291298049 +0200
|
||||
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
|
||||
struct sockaddr_in6 *in6;
|
||||
u_int16_t *portp;
|
||||
u_int16_t port;
|
||||
- socklen_t salen;
|
||||
+ socklen_t salen = sizeof(struct sockaddr_storage);
|
||||
int i;
|
||||
|
||||
if (sa == NULL) {
|
||||
diff -up openssh-6.3p1/packet.c.coverity openssh-6.3p1/packet.c
|
||||
--- openssh-6.3p1/packet.c.coverity 2013-07-18 08:12:45.000000000 +0200
|
||||
+++ openssh-6.3p1/packet.c 2013-10-07 13:20:36.291298049 +0200
|
||||
@@ -1199,6 +1199,7 @@ packet_read_poll1(void)
|
||||
case DEATTACK_DETECTED:
|
||||
packet_disconnect("crc32 compensation attack: "
|
||||
"network attack detected");
|
||||
+ break;
|
||||
case DEATTACK_DOS_DETECTED:
|
||||
packet_disconnect("deattack denial of "
|
||||
"service detected");
|
||||
diff -up openssh-6.3p1/progressmeter.c.coverity openssh-6.3p1/progressmeter.c
|
||||
--- openssh-6.3p1/progressmeter.c.coverity 2013-06-02 15:46:24.000000000 +0200
|
||||
+++ openssh-6.3p1/progressmeter.c 2013-10-07 13:42:32.377850691 +0200
|
||||
@@ -65,7 +65,7 @@ static void update_progress_meter(int);
|
||||
|
||||
static time_t start; /* start progress */
|
||||
static time_t last_update; /* last progress update */
|
||||
-static char *file; /* name of the file being transferred */
|
||||
+static const char *file; /* name of the file being transferred */
|
||||
static off_t end_pos; /* ending position of transfer */
|
||||
static off_t cur_pos; /* transfer position as of last refresh */
|
||||
static volatile off_t *counter; /* progress counter */
|
||||
@@ -247,7 +247,7 @@ update_progress_meter(int ignore)
|
||||
}
|
||||
|
||||
void
|
||||
-start_progress_meter(char *f, off_t filesize, off_t *ctr)
|
||||
+start_progress_meter(const char *f, off_t filesize, off_t *ctr)
|
||||
{
|
||||
start = last_update = monotime();
|
||||
file = f;
|
||||
diff -up openssh-6.3p1/progressmeter.h.coverity openssh-6.3p1/progressmeter.h
|
||||
--- openssh-6.3p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200
|
||||
+++ openssh-6.3p1/progressmeter.h 2013-10-07 13:20:36.292298044 +0200
|
||||
@@ -23,5 +23,5 @@
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
-void start_progress_meter(char *, off_t, off_t *);
|
||||
+void start_progress_meter(const char *, off_t, off_t *);
|
||||
void stop_progress_meter(void);
|
||||
diff -up openssh-6.3p1/scp.c.coverity openssh-6.3p1/scp.c
|
||||
--- openssh-6.3p1/scp.c.coverity 2013-07-18 08:11:25.000000000 +0200
|
||||
+++ openssh-6.3p1/scp.c 2013-10-07 13:20:36.292298044 +0200
|
||||
@@ -155,7 +155,7 @@ killchild(int signo)
|
||||
{
|
||||
if (do_cmd_pid > 1) {
|
||||
kill(do_cmd_pid, signo ? signo : SIGTERM);
|
||||
- waitpid(do_cmd_pid, NULL, 0);
|
||||
+ (void) waitpid(do_cmd_pid, NULL, 0);
|
||||
}
|
||||
|
||||
if (signo)
|
||||
diff -up openssh-6.3p1/servconf.c.coverity openssh-6.3p1/servconf.c
|
||||
--- openssh-6.3p1/servconf.c.coverity 2013-07-20 05:21:53.000000000 +0200
|
||||
+++ openssh-6.3p1/servconf.c 2013-10-07 13:20:36.293298039 +0200
|
||||
@@ -1323,7 +1323,7 @@ process_server_config_line(ServerOptions
|
||||
fatal("%s line %d: Missing subsystem name.",
|
||||
filename, linenum);
|
||||
if (!*activep) {
|
||||
- arg = strdelim(&cp);
|
||||
+ /*arg =*/ (void) strdelim(&cp);
|
||||
break;
|
||||
}
|
||||
for (i = 0; i < options->num_subsystems; i++)
|
||||
@@ -1414,8 +1414,9 @@ process_server_config_line(ServerOptions
|
||||
if (*activep && *charptr == NULL) {
|
||||
*charptr = tilde_expand_filename(arg, getuid());
|
||||
/* increase optional counter */
|
||||
- if (intptr != NULL)
|
||||
- *intptr = *intptr + 1;
|
||||
+ /* DEAD CODE intptr is still NULL ;)
|
||||
+ if (intptr != NULL)
|
||||
+ *intptr = *intptr + 1; */
|
||||
}
|
||||
break;
|
||||
|
||||
diff -up openssh-6.3p1/serverloop.c.coverity openssh-6.3p1/serverloop.c
|
||||
--- openssh-6.3p1/serverloop.c.coverity 2013-07-18 08:12:45.000000000 +0200
|
||||
+++ openssh-6.3p1/serverloop.c 2013-10-07 13:43:36.620537138 +0200
|
||||
@@ -147,13 +147,13 @@ notify_setup(void)
|
||||
static void
|
||||
notify_parent(void)
|
||||
{
|
||||
- if (notify_pipe[1] != -1)
|
||||
+ if (notify_pipe[1] >= 0)
|
||||
(void)write(notify_pipe[1], "", 1);
|
||||
}
|
||||
static void
|
||||
notify_prepare(fd_set *readset)
|
||||
{
|
||||
- if (notify_pipe[0] != -1)
|
||||
+ if (notify_pipe[0] >= 0)
|
||||
FD_SET(notify_pipe[0], readset);
|
||||
}
|
||||
static void
|
||||
@@ -161,8 +161,8 @@ notify_done(fd_set *readset)
|
||||
{
|
||||
char c;
|
||||
|
||||
- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset))
|
||||
- while (read(notify_pipe[0], &c, 1) != -1)
|
||||
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
|
||||
+ while (read(notify_pipe[0], &c, 1) >= 0)
|
||||
debug2("notify_done: reading");
|
||||
}
|
||||
|
||||
@@ -336,7 +336,7 @@ wait_until_can_do_something(fd_set **rea
|
||||
* If we have buffered data, try to write some of that data
|
||||
* to the program.
|
||||
*/
|
||||
- if (fdin != -1 && buffer_len(&stdin_buffer) > 0)
|
||||
+ if (fdin >= 0 && buffer_len(&stdin_buffer) > 0)
|
||||
FD_SET(fdin, *writesetp);
|
||||
}
|
||||
notify_prepare(*readsetp);
|
||||
@@ -476,7 +476,7 @@ process_output(fd_set *writeset)
|
||||
int len;
|
||||
|
||||
/* Write buffered data to program stdin. */
|
||||
- if (!compat20 && fdin != -1 && FD_ISSET(fdin, writeset)) {
|
||||
+ if (!compat20 && fdin >= 0 && FD_ISSET(fdin, writeset)) {
|
||||
data = buffer_ptr(&stdin_buffer);
|
||||
dlen = buffer_len(&stdin_buffer);
|
||||
len = write(fdin, data, dlen);
|
||||
@@ -589,7 +589,7 @@ server_loop(pid_t pid, int fdin_arg, int
|
||||
set_nonblock(fdin);
|
||||
set_nonblock(fdout);
|
||||
/* we don't have stderr for interactive terminal sessions, see below */
|
||||
- if (fderr != -1)
|
||||
+ if (fderr >= 0)
|
||||
set_nonblock(fderr);
|
||||
|
||||
if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin))
|
||||
@@ -613,7 +613,7 @@ server_loop(pid_t pid, int fdin_arg, int
|
||||
max_fd = MAX(connection_in, connection_out);
|
||||
max_fd = MAX(max_fd, fdin);
|
||||
max_fd = MAX(max_fd, fdout);
|
||||
- if (fderr != -1)
|
||||
+ if (fderr >= 0)
|
||||
max_fd = MAX(max_fd, fderr);
|
||||
#endif
|
||||
|
||||
@@ -643,7 +643,7 @@ server_loop(pid_t pid, int fdin_arg, int
|
||||
* If we have received eof, and there is no more pending
|
||||
* input data, cause a real eof by closing fdin.
|
||||
*/
|
||||
- if (stdin_eof && fdin != -1 && buffer_len(&stdin_buffer) == 0) {
|
||||
+ if (stdin_eof && fdin >= 0 && buffer_len(&stdin_buffer) == 0) {
|
||||
if (fdin != fdout)
|
||||
close(fdin);
|
||||
else
|
||||
@@ -739,15 +739,15 @@ server_loop(pid_t pid, int fdin_arg, int
|
||||
buffer_free(&stderr_buffer);
|
||||
|
||||
/* Close the file descriptors. */
|
||||
- if (fdout != -1)
|
||||
+ if (fdout >= 0)
|
||||
close(fdout);
|
||||
fdout = -1;
|
||||
fdout_eof = 1;
|
||||
- if (fderr != -1)
|
||||
+ if (fderr >= 0)
|
||||
close(fderr);
|
||||
fderr = -1;
|
||||
fderr_eof = 1;
|
||||
- if (fdin != -1)
|
||||
+ if (fdin >= 0)
|
||||
close(fdin);
|
||||
fdin = -1;
|
||||
|
||||
@@ -946,7 +946,7 @@ server_input_window_size(int type, u_int
|
||||
|
||||
debug("Window change received.");
|
||||
packet_check_eom();
|
||||
- if (fdin != -1)
|
||||
+ if (fdin >= 0)
|
||||
pty_change_window_size(fdin, row, col, xpixel, ypixel);
|
||||
}
|
||||
|
||||
@@ -1006,7 +1006,7 @@ server_request_tun(void)
|
||||
}
|
||||
|
||||
tun = packet_get_int();
|
||||
- if (forced_tun_device != -1) {
|
||||
+ if (forced_tun_device >= 0) {
|
||||
if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
|
||||
goto done;
|
||||
tun = forced_tun_device;
|
||||
diff -up openssh-6.3p1/sftp-client.c.coverity openssh-6.3p1/sftp-client.c
|
||||
--- openssh-6.3p1/sftp-client.c.coverity 2013-07-26 00:40:00.000000000 +0200
|
||||
+++ openssh-6.3p1/sftp-client.c 2013-10-07 13:48:45.885027420 +0200
|
||||
@@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer *
|
||||
}
|
||||
|
||||
static void
|
||||
-send_string_request(struct sftp_conn *conn, u_int id, u_int code, char *s,
|
||||
+send_string_request(struct sftp_conn *conn, u_int id, u_int code, const char *s,
|
||||
u_int len)
|
||||
{
|
||||
Buffer msg;
|
||||
@@ -165,7 +165,7 @@ send_string_request(struct sftp_conn *co
|
||||
|
||||
static void
|
||||
send_string_attrs_request(struct sftp_conn *conn, u_int id, u_int code,
|
||||
- char *s, u_int len, Attrib *a)
|
||||
+ const char *s, u_int len, Attrib *a)
|
||||
{
|
||||
Buffer msg;
|
||||
|
||||
@@ -422,7 +422,7 @@ sftp_proto_version(struct sftp_conn *con
|
||||
}
|
||||
|
||||
int
|
||||
-do_close(struct sftp_conn *conn, char *handle, u_int handle_len)
|
||||
+do_close(struct sftp_conn *conn, const char *handle, u_int handle_len)
|
||||
{
|
||||
u_int id, status;
|
||||
Buffer msg;
|
||||
@@ -447,7 +447,7 @@ do_close(struct sftp_conn *conn, char *h
|
||||
|
||||
|
||||
static int
|
||||
-do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
|
||||
+do_lsreaddir(struct sftp_conn *conn, const char *path, int printflag,
|
||||
SFTP_DIRENT ***dir)
|
||||
{
|
||||
Buffer msg;
|
||||
@@ -572,7 +572,7 @@ do_lsreaddir(struct sftp_conn *conn, cha
|
||||
}
|
||||
|
||||
int
|
||||
-do_readdir(struct sftp_conn *conn, char *path, SFTP_DIRENT ***dir)
|
||||
+do_readdir(struct sftp_conn *conn, const char *path, SFTP_DIRENT ***dir)
|
||||
{
|
||||
return(do_lsreaddir(conn, path, 0, dir));
|
||||
}
|
||||
@@ -590,7 +590,7 @@ void free_sftp_dirents(SFTP_DIRENT **s)
|
||||
}
|
||||
|
||||
int
|
||||
-do_rm(struct sftp_conn *conn, char *path)
|
||||
+do_rm(struct sftp_conn *conn, const char *path)
|
||||
{
|
||||
u_int status, id;
|
||||
|
||||
@@ -605,7 +605,7 @@ do_rm(struct sftp_conn *conn, char *path
|
||||
}
|
||||
|
||||
int
|
||||
-do_mkdir(struct sftp_conn *conn, char *path, Attrib *a, int printflag)
|
||||
+do_mkdir(struct sftp_conn *conn, const char *path, Attrib *a, int printflag)
|
||||
{
|
||||
u_int status, id;
|
||||
|
||||
@@ -621,7 +621,7 @@ do_mkdir(struct sftp_conn *conn, char *p
|
||||
}
|
||||
|
||||
int
|
||||
-do_rmdir(struct sftp_conn *conn, char *path)
|
||||
+do_rmdir(struct sftp_conn *conn, const char *path)
|
||||
{
|
||||
u_int status, id;
|
||||
|
||||
@@ -637,7 +637,7 @@ do_rmdir(struct sftp_conn *conn, char *p
|
||||
}
|
||||
|
||||
Attrib *
|
||||
-do_stat(struct sftp_conn *conn, char *path, int quiet)
|
||||
+do_stat(struct sftp_conn *conn, const char *path, int quiet)
|
||||
{
|
||||
u_int id;
|
||||
|
||||
@@ -651,7 +651,7 @@ do_stat(struct sftp_conn *conn, char *pa
|
||||
}
|
||||
|
||||
Attrib *
|
||||
-do_lstat(struct sftp_conn *conn, char *path, int quiet)
|
||||
+do_lstat(struct sftp_conn *conn, const char *path, int quiet)
|
||||
{
|
||||
u_int id;
|
||||
|
||||
@@ -685,7 +685,7 @@ do_fstat(struct sftp_conn *conn, char *h
|
||||
#endif
|
||||
|
||||
int
|
||||
-do_setstat(struct sftp_conn *conn, char *path, Attrib *a)
|
||||
+do_setstat(struct sftp_conn *conn, const char *path, Attrib *a)
|
||||
{
|
||||
u_int status, id;
|
||||
|
||||
@@ -702,7 +702,7 @@ do_setstat(struct sftp_conn *conn, char
|
||||
}
|
||||
|
||||
int
|
||||
-do_fsetstat(struct sftp_conn *conn, char *handle, u_int handle_len,
|
||||
+do_fsetstat(struct sftp_conn *conn, const char *handle, u_int handle_len,
|
||||
Attrib *a)
|
||||
{
|
||||
u_int status, id;
|
||||
@@ -719,7 +719,7 @@ do_fsetstat(struct sftp_conn *conn, char
|
||||
}
|
||||
|
||||
char *
|
||||
-do_realpath(struct sftp_conn *conn, char *path)
|
||||
+do_realpath(struct sftp_conn *conn, const char *path)
|
||||
{
|
||||
Buffer msg;
|
||||
u_int type, expected_id, count, id;
|
||||
@@ -768,7 +768,7 @@ do_realpath(struct sftp_conn *conn, char
|
||||
}
|
||||
|
||||
int
|
||||
-do_rename(struct sftp_conn *conn, char *oldpath, char *newpath)
|
||||
+do_rename(struct sftp_conn *conn, const char *oldpath, const char *newpath)
|
||||
{
|
||||
Buffer msg;
|
||||
u_int status, id;
|
||||
@@ -802,7 +802,7 @@ do_rename(struct sftp_conn *conn, char *
|
||||
}
|
||||
|
||||
int
|
||||
-do_hardlink(struct sftp_conn *conn, char *oldpath, char *newpath)
|
||||
+do_hardlink(struct sftp_conn *conn, const char *oldpath, const char *newpath)
|
||||
{
|
||||
Buffer msg;
|
||||
u_int status, id;
|
||||
@@ -835,7 +835,7 @@ do_hardlink(struct sftp_conn *conn, char
|
||||
}
|
||||
|
||||
int
|
||||
-do_symlink(struct sftp_conn *conn, char *oldpath, char *newpath)
|
||||
+do_symlink(struct sftp_conn *conn, const char *oldpath, const char *newpath)
|
||||
{
|
||||
Buffer msg;
|
||||
u_int status, id;
|
||||
@@ -987,7 +987,7 @@ send_read_request(struct sftp_conn *conn
|
||||
}
|
||||
|
||||
int
|
||||
-do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
|
||||
+do_download(struct sftp_conn *conn, const char *remote_path, const char *local_path,
|
||||
Attrib *a, int pflag, int resume)
|
||||
{
|
||||
Attrib junk;
|
||||
@@ -1255,7 +1255,7 @@ do_download(struct sftp_conn *conn, char
|
||||
}
|
||||
|
||||
static int
|
||||
-download_dir_internal(struct sftp_conn *conn, char *src, char *dst,
|
||||
+download_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,
|
||||
Attrib *dirattrib, int pflag, int printflag, int depth, int resume)
|
||||
{
|
||||
int i, ret = 0;
|
||||
@@ -1345,7 +1345,7 @@ download_dir_internal(struct sftp_conn *
|
||||
}
|
||||
|
||||
int
|
||||
-download_dir(struct sftp_conn *conn, char *src, char *dst,
|
||||
+download_dir(struct sftp_conn *conn, const char *src, const char *dst,
|
||||
Attrib *dirattrib, int pflag, int printflag, int resume)
|
||||
{
|
||||
char *src_canon;
|
||||
@@ -1363,7 +1363,7 @@ download_dir(struct sftp_conn *conn, cha
|
||||
}
|
||||
|
||||
int
|
||||
-do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
|
||||
+do_upload(struct sftp_conn *conn, const char *local_path, const char *remote_path,
|
||||
int pflag)
|
||||
{
|
||||
int local_fd;
|
||||
@@ -1548,7 +1548,7 @@ do_upload(struct sftp_conn *conn, char *
|
||||
}
|
||||
|
||||
static int
|
||||
-upload_dir_internal(struct sftp_conn *conn, char *src, char *dst,
|
||||
+upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,
|
||||
int pflag, int printflag, int depth)
|
||||
{
|
||||
int ret = 0, status;
|
||||
@@ -1639,7 +1639,7 @@ upload_dir_internal(struct sftp_conn *co
|
||||
}
|
||||
|
||||
int
|
||||
-upload_dir(struct sftp_conn *conn, char *src, char *dst, int printflag,
|
||||
+upload_dir(struct sftp_conn *conn, const char *src, const char *dst, int printflag,
|
||||
int pflag)
|
||||
{
|
||||
char *dst_canon;
|
||||
@@ -1656,7 +1656,7 @@ upload_dir(struct sftp_conn *conn, char
|
||||
}
|
||||
|
||||
char *
|
||||
-path_append(char *p1, char *p2)
|
||||
+path_append(const char *p1, const char *p2)
|
||||
{
|
||||
char *ret;
|
||||
size_t len = strlen(p1) + strlen(p2) + 2;
|
||||
diff -up openssh-6.3p1/sftp-client.h.coverity openssh-6.3p1/sftp-client.h
|
||||
--- openssh-6.3p1/sftp-client.h.coverity 2013-07-25 03:56:52.000000000 +0200
|
||||
+++ openssh-6.3p1/sftp-client.h 2013-10-07 13:45:10.108080813 +0200
|
||||
@@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in
|
||||
u_int sftp_proto_version(struct sftp_conn *);
|
||||
|
||||
/* Close file referred to by 'handle' */
|
||||
-int do_close(struct sftp_conn *, char *, u_int);
|
||||
+int do_close(struct sftp_conn *, const char *, u_int);
|
||||
|
||||
/* Read contents of 'path' to NULL-terminated array 'dir' */
|
||||
-int do_readdir(struct sftp_conn *, char *, SFTP_DIRENT ***);
|
||||
+int do_readdir(struct sftp_conn *, const char *, SFTP_DIRENT ***);
|
||||
|
||||
/* Frees a NULL-terminated array of SFTP_DIRENTs (eg. from do_readdir) */
|
||||
void free_sftp_dirents(SFTP_DIRENT **);
|
||||
|
||||
/* Delete file 'path' */
|
||||
-int do_rm(struct sftp_conn *, char *);
|
||||
+int do_rm(struct sftp_conn *, const char *);
|
||||
|
||||
/* Create directory 'path' */
|
||||
-int do_mkdir(struct sftp_conn *, char *, Attrib *, int);
|
||||
+int do_mkdir(struct sftp_conn *, const char *, Attrib *, int);
|
||||
|
||||
/* Remove directory 'path' */
|
||||
-int do_rmdir(struct sftp_conn *, char *);
|
||||
+int do_rmdir(struct sftp_conn *, const char *);
|
||||
|
||||
/* Get file attributes of 'path' (follows symlinks) */
|
||||
-Attrib *do_stat(struct sftp_conn *, char *, int);
|
||||
+Attrib *do_stat(struct sftp_conn *, const char *, int);
|
||||
|
||||
/* Get file attributes of 'path' (does not follow symlinks) */
|
||||
-Attrib *do_lstat(struct sftp_conn *, char *, int);
|
||||
+Attrib *do_lstat(struct sftp_conn *, const char *, int);
|
||||
|
||||
/* Set file attributes of 'path' */
|
||||
-int do_setstat(struct sftp_conn *, char *, Attrib *);
|
||||
+int do_setstat(struct sftp_conn *, const char *, Attrib *);
|
||||
|
||||
/* Set file attributes of open file 'handle' */
|
||||
-int do_fsetstat(struct sftp_conn *, char *, u_int, Attrib *);
|
||||
+int do_fsetstat(struct sftp_conn *, const char *, u_int, Attrib *);
|
||||
|
||||
/* Canonicalise 'path' - caller must free result */
|
||||
-char *do_realpath(struct sftp_conn *, char *);
|
||||
+char *do_realpath(struct sftp_conn *, const char *);
|
||||
|
||||
/* Get statistics for filesystem hosting file at "path" */
|
||||
int do_statvfs(struct sftp_conn *, const char *, struct sftp_statvfs *, int);
|
||||
|
||||
/* Rename 'oldpath' to 'newpath' */
|
||||
-int do_rename(struct sftp_conn *, char *, char *);
|
||||
+int do_rename(struct sftp_conn *, const char *, const char *);
|
||||
|
||||
/* Link 'oldpath' to 'newpath' */
|
||||
-int do_hardlink(struct sftp_conn *, char *, char *);
|
||||
+int do_hardlink(struct sftp_conn *, const char *, const char *);
|
||||
|
||||
-/* Rename 'oldpath' to 'newpath' */
|
||||
-int do_symlink(struct sftp_conn *, char *, char *);
|
||||
+/* Symlink 'oldpath' to 'newpath' */
|
||||
+int do_symlink(struct sftp_conn *, const char *, const char *);
|
||||
|
||||
/* XXX: add callbacks to do_download/do_upload so we can do progress meter */
|
||||
|
||||
@@ -106,27 +106,27 @@ int do_symlink(struct sftp_conn *, char
|
||||
* Download 'remote_path' to 'local_path'. Preserve permissions and times
|
||||
* if 'pflag' is set
|
||||
*/
|
||||
-int do_download(struct sftp_conn *, char *, char *, Attrib *, int, int);
|
||||
+int do_download(struct sftp_conn *, const char *, const char *, Attrib *, int, int);
|
||||
|
||||
/*
|
||||
* Recursively download 'remote_directory' to 'local_directory'. Preserve
|
||||
* times if 'pflag' is set
|
||||
*/
|
||||
-int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int, int);
|
||||
+int download_dir(struct sftp_conn *, const char *, const char *, Attrib *, int, int, int);
|
||||
|
||||
/*
|
||||
* Upload 'local_path' to 'remote_path'. Preserve permissions and times
|
||||
* if 'pflag' is set
|
||||
*/
|
||||
-int do_upload(struct sftp_conn *, char *, char *, int);
|
||||
+int do_upload(struct sftp_conn *, const char *, const char *, int);
|
||||
|
||||
/*
|
||||
* Recursively upload 'local_directory' to 'remote_directory'. Preserve
|
||||
* times if 'pflag' is set
|
||||
*/
|
||||
-int upload_dir(struct sftp_conn *, char *, char *, int, int);
|
||||
+int upload_dir(struct sftp_conn *, const char *, const char *, int, int);
|
||||
|
||||
/* Concatenate paths, taking care of slashes. Caller must free result. */
|
||||
-char *path_append(char *, char *);
|
||||
+char *path_append(const char *, const char *);
|
||||
|
||||
#endif
|
||||
diff -up openssh-6.3p1/sftp.c.coverity openssh-6.3p1/sftp.c
|
||||
--- openssh-6.3p1/sftp.c.coverity 2013-07-25 03:56:52.000000000 +0200
|
||||
+++ openssh-6.3p1/sftp.c 2013-10-07 13:49:47.322727449 +0200
|
||||
@@ -213,7 +213,7 @@ killchild(int signo)
|
||||
{
|
||||
if (sshpid > 1) {
|
||||
kill(sshpid, SIGTERM);
|
||||
- waitpid(sshpid, NULL, 0);
|
||||
+ (void) waitpid(sshpid, NULL, 0);
|
||||
}
|
||||
|
||||
_exit(1);
|
||||
@@ -324,7 +324,7 @@ local_do_ls(const char *args)
|
||||
|
||||
/* Strip one path (usually the pwd) from the start of another */
|
||||
static char *
|
||||
-path_strip(char *path, char *strip)
|
||||
+path_strip(const char *path, const char *strip)
|
||||
{
|
||||
size_t len;
|
||||
|
||||
@@ -342,7 +342,7 @@ path_strip(char *path, char *strip)
|
||||
}
|
||||
|
||||
static char *
|
||||
-make_absolute(char *p, char *pwd)
|
||||
+make_absolute(char *p, const char *pwd)
|
||||
{
|
||||
char *abs_str;
|
||||
|
||||
@@ -493,7 +493,7 @@ parse_df_flags(const char *cmd, char **a
|
||||
}
|
||||
|
||||
static int
|
||||
-is_dir(char *path)
|
||||
+is_dir(const char *path)
|
||||
{
|
||||
struct stat sb;
|
||||
|
||||
@@ -505,7 +505,7 @@ is_dir(char *path)
|
||||
}
|
||||
|
||||
static int
|
||||
-remote_is_dir(struct sftp_conn *conn, char *path)
|
||||
+remote_is_dir(struct sftp_conn *conn, const char *path)
|
||||
{
|
||||
Attrib *a;
|
||||
|
||||
@@ -519,7 +519,7 @@ remote_is_dir(struct sftp_conn *conn, ch
|
||||
|
||||
/* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
|
||||
static int
|
||||
-pathname_is_dir(char *pathname)
|
||||
+pathname_is_dir(const char *pathname)
|
||||
{
|
||||
size_t l = strlen(pathname);
|
||||
|
||||
@@ -527,7 +527,7 @@ pathname_is_dir(char *pathname)
|
||||
}
|
||||
|
||||
static int
|
||||
-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
|
||||
+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
|
||||
int pflag, int rflag, int resume)
|
||||
{
|
||||
char *abs_src = NULL;
|
||||
@@ -605,7 +605,7 @@ out:
|
||||
}
|
||||
|
||||
static int
|
||||
-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
|
||||
+process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
|
||||
int pflag, int rflag)
|
||||
{
|
||||
char *tmp_dst = NULL;
|
||||
@@ -709,7 +709,7 @@ sdirent_comp(const void *aa, const void
|
||||
|
||||
/* sftp ls.1 replacement for directories */
|
||||
static int
|
||||
-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
|
||||
+do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
|
||||
{
|
||||
int n;
|
||||
u_int c = 1, colspace = 0, columns = 1;
|
||||
@@ -794,7 +794,7 @@ do_ls_dir(struct sftp_conn *conn, char *
|
||||
|
||||
/* sftp ls.1 replacement which handles path globs */
|
||||
static int
|
||||
-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
|
||||
+do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
|
||||
int lflag)
|
||||
{
|
||||
char *fname, *lname;
|
||||
@@ -875,7 +875,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
|
||||
}
|
||||
|
||||
static int
|
||||
-do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
|
||||
+do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
|
||||
{
|
||||
struct sftp_statvfs st;
|
||||
char s_used[FMT_SCALED_STRSIZE];
|
||||
diff -up openssh-6.3p1/ssh-agent.c.coverity openssh-6.3p1/ssh-agent.c
|
||||
--- openssh-6.3p1/ssh-agent.c.coverity 2013-07-20 05:22:49.000000000 +0200
|
||||
+++ openssh-6.3p1/ssh-agent.c 2013-10-07 13:20:36.296298024 +0200
|
||||
@@ -1143,8 +1143,8 @@ main(int ac, char **av)
|
||||
sanitise_stdfd();
|
||||
|
||||
/* drop */
|
||||
- setegid(getgid());
|
||||
- setgid(getgid());
|
||||
+ (void) setegid(getgid());
|
||||
+ (void) setgid(getgid());
|
||||
|
||||
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
|
||||
/* Disable ptrace on Linux without sgid bit */
|
||||
diff -up openssh-6.3p1/sshd.c.coverity openssh-6.3p1/sshd.c
|
||||
--- openssh-6.3p1/sshd.c.coverity 2013-07-20 05:21:53.000000000 +0200
|
||||
+++ openssh-6.3p1/sshd.c 2013-10-07 13:20:36.296298024 +0200
|
||||
@@ -699,8 +699,10 @@ privsep_preauth(Authctxt *authctxt)
|
||||
if (getuid() == 0 || geteuid() == 0)
|
||||
privsep_preauth_child();
|
||||
setproctitle("%s", "[net]");
|
||||
- if (box != NULL)
|
||||
+ if (box != NULL) {
|
||||
ssh_sandbox_child(box);
|
||||
+ free(box);
|
||||
+ }
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -1345,6 +1347,9 @@ server_accept_loop(int *sock_in, int *so
|
||||
if (num_listen_socks < 0)
|
||||
break;
|
||||
}
|
||||
+
|
||||
+ if (fdset != NULL)
|
||||
+ free(fdset);
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -1,406 +0,0 @@
|
|||
diff -up openssh-6.3p1/auth-rsa.c.fingerprint openssh-6.3p1/auth-rsa.c
|
||||
diff -up openssh-6.3p1/auth.c.fingerprint openssh-6.3p1/auth.c
|
||||
--- openssh-6.3p1/auth.c.fingerprint 2013-10-07 14:02:36.998968153 +0200
|
||||
+++ openssh-6.3p1/auth.c 2013-10-07 15:42:05.243812405 +0200
|
||||
@@ -685,9 +685,10 @@ auth_key_is_revoked(Key *key)
|
||||
case 1:
|
||||
revoked:
|
||||
/* Key revoked */
|
||||
- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
|
||||
error("WARNING: authentication attempt with a revoked "
|
||||
- "%s key %s ", key_type(key), key_fp);
|
||||
+ "%s key %s%s ", key_type(key),
|
||||
+ key_fingerprint_prefix(), key_fp);
|
||||
free(key_fp);
|
||||
return 1;
|
||||
}
|
||||
diff -up openssh-6.3p1/auth2-hostbased.c.fingerprint openssh-6.3p1/auth2-hostbased.c
|
||||
--- openssh-6.3p1/auth2-hostbased.c.fingerprint 2013-10-07 14:02:36.998968153 +0200
|
||||
+++ openssh-6.3p1/auth2-hostbased.c 2013-10-07 15:43:49.747355927 +0200
|
||||
@@ -200,16 +200,18 @@ hostbased_key_allowed(struct passwd *pw,
|
||||
|
||||
if (host_status == HOST_OK) {
|
||||
if (key_is_cert(key)) {
|
||||
- fp = key_fingerprint(key->cert->signature_key,
|
||||
- SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ fp = key_selected_fingerprint(key->cert->signature_key,
|
||||
+ SSH_FP_HEX);
|
||||
verbose("Accepted certificate ID \"%s\" signed by "
|
||||
- "%s CA %s from %s@%s", key->cert->key_id,
|
||||
- key_type(key->cert->signature_key), fp,
|
||||
+ "%s CA %s%s from %s@%s", key->cert->key_id,
|
||||
+ key_type(key->cert->signature_key),
|
||||
+ key_fingerprint_prefix(), fp,
|
||||
cuser, lookup);
|
||||
} else {
|
||||
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- verbose("Accepted %s public key %s from %s@%s",
|
||||
- key_type(key), fp, cuser, lookup);
|
||||
+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
|
||||
+ verbose("Accepted %s public key %s%s from %s@%s",
|
||||
+ key_type(key), key_fingerprint_prefix(),
|
||||
+ fp, cuser, lookup);
|
||||
}
|
||||
free(fp);
|
||||
}
|
||||
diff -up openssh-6.3p1/auth2-pubkey.c.fingerprint openssh-6.3p1/auth2-pubkey.c
|
||||
--- openssh-6.3p1/auth2-pubkey.c.fingerprint 2013-07-18 08:10:10.000000000 +0200
|
||||
+++ openssh-6.3p1/auth2-pubkey.c 2013-10-07 15:50:44.617495624 +0200
|
||||
@@ -359,10 +359,10 @@ check_authkeys_file(FILE *f, char *file,
|
||||
continue;
|
||||
if (!key_is_cert_authority)
|
||||
continue;
|
||||
- fp = key_fingerprint(found, SSH_FP_MD5,
|
||||
- SSH_FP_HEX);
|
||||
- debug("matching CA found: file %s, line %lu, %s %s",
|
||||
- file, linenum, key_type(found), fp);
|
||||
+ fp = key_selected_fingerprint(found, SSH_FP_HEX);
|
||||
+ debug("matching CA found: file %s, line %lu, %s %s%s",
|
||||
+ file, linenum, key_type(found),
|
||||
+ key_fingerprint_prefix(), fp);
|
||||
/*
|
||||
* If the user has specified a list of principals as
|
||||
* a key option, then prefer that list to matching
|
||||
@@ -400,9 +400,9 @@ check_authkeys_file(FILE *f, char *file,
|
||||
if (key_is_cert_authority)
|
||||
continue;
|
||||
found_key = 1;
|
||||
- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- debug("matching key found: file %s, line %lu %s %s",
|
||||
- file, linenum, key_type(found), fp);
|
||||
+ fp = key_selected_fingerprint(found, SSH_FP_HEX);
|
||||
+ verbose("Found matching %s key: %s%s",
|
||||
+ key_type(found), key_fingerprint_prefix(), fp);
|
||||
free(fp);
|
||||
break;
|
||||
}
|
||||
@@ -425,13 +425,13 @@ user_cert_trusted_ca(struct passwd *pw,
|
||||
if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
|
||||
return 0;
|
||||
|
||||
- ca_fp = key_fingerprint(key->cert->signature_key,
|
||||
- SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
|
||||
|
||||
if (key_in_file(key->cert->signature_key,
|
||||
options.trusted_user_ca_keys, 1) != 1) {
|
||||
- debug2("%s: CA %s %s is not listed in %s", __func__,
|
||||
- key_type(key->cert->signature_key), ca_fp,
|
||||
+ debug2("%s: CA %s%s %s is not listed in %s", __func__,
|
||||
+ key_type(key->cert->signature_key),
|
||||
+ key_fingerprint_prefix(), ca_fp,
|
||||
options.trusted_user_ca_keys);
|
||||
goto out;
|
||||
}
|
||||
diff -up openssh-6.3p1/key.c.fingerprint openssh-6.3p1/key.c
|
||||
--- openssh-6.3p1/key.c.fingerprint 2013-10-07 14:02:36.971968285 +0200
|
||||
+++ openssh-6.3p1/key.c 2013-10-07 14:02:36.999968148 +0200
|
||||
@@ -598,6 +598,34 @@ key_fingerprint(const Key *k, enum fp_ty
|
||||
return retval;
|
||||
}
|
||||
|
||||
+enum fp_type
|
||||
+key_fingerprint_selection(void)
|
||||
+{
|
||||
+ static enum fp_type rv;
|
||||
+ static char rv_defined = 0;
|
||||
+ char *env;
|
||||
+
|
||||
+ if (!rv_defined) {
|
||||
+ env = getenv("SSH_FINGERPRINT_TYPE");
|
||||
+ rv = (env && !strcmp (env, "sha")) ?
|
||||
+ SSH_FP_SHA1 : SSH_FP_MD5;
|
||||
+ rv_defined = 1;
|
||||
+ }
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+char *
|
||||
+key_selected_fingerprint(Key *k, enum fp_rep dgst_rep)
|
||||
+{
|
||||
+ return key_fingerprint(k, key_fingerprint_selection(), dgst_rep);
|
||||
+}
|
||||
+
|
||||
+char *
|
||||
+key_fingerprint_prefix(void)
|
||||
+{
|
||||
+ return key_fingerprint_selection() == SSH_FP_SHA1 ? "sha1:" : "";
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Reads a multiple-precision integer in decimal from the buffer, and advances
|
||||
* the pointer. The integer must already be initialized. This function is
|
||||
diff -up openssh-6.3p1/key.h.fingerprint openssh-6.3p1/key.h
|
||||
--- openssh-6.3p1/key.h.fingerprint 2013-10-07 14:02:36.999968148 +0200
|
||||
+++ openssh-6.3p1/key.h 2013-10-07 15:44:17.574233450 +0200
|
||||
@@ -97,6 +97,9 @@ int key_equal_public(const Key *, cons
|
||||
int key_equal(const Key *, const Key *);
|
||||
char *key_fingerprint(const Key *, enum fp_type, enum fp_rep);
|
||||
u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
|
||||
+enum fp_type key_fingerprint_selection(void);
|
||||
+char *key_selected_fingerprint(Key *, enum fp_rep);
|
||||
+char *key_fingerprint_prefix(void);
|
||||
const char *key_type(const Key *);
|
||||
const char *key_cert_type(const Key *);
|
||||
int key_write(const Key *, FILE *);
|
||||
diff -up openssh-6.3p1/ssh-add.c.fingerprint openssh-6.3p1/ssh-add.c
|
||||
--- openssh-6.3p1/ssh-add.c.fingerprint 2013-10-07 14:02:37.000968143 +0200
|
||||
+++ openssh-6.3p1/ssh-add.c 2013-10-07 14:44:57.466515766 +0200
|
||||
@@ -326,10 +326,10 @@ list_identities(AuthenticationConnection
|
||||
key = ssh_get_next_identity(ac, &comment, version)) {
|
||||
had_identities = 1;
|
||||
if (do_fp) {
|
||||
- fp = key_fingerprint(key, SSH_FP_MD5,
|
||||
- SSH_FP_HEX);
|
||||
- printf("%d %s %s (%s)\n",
|
||||
- key_size(key), fp, comment, key_type(key));
|
||||
+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
|
||||
+ printf("%d %s%s %s (%s)\n",
|
||||
+ key_size(key), key_fingerprint_prefix(),
|
||||
+ fp, comment, key_type(key));
|
||||
free(fp);
|
||||
} else {
|
||||
if (!key_write(key, stdout))
|
||||
diff -up openssh-6.3p1/ssh-agent.c.fingerprint openssh-6.3p1/ssh-agent.c
|
||||
--- openssh-6.3p1/ssh-agent.c.fingerprint 2013-10-07 14:02:37.000968143 +0200
|
||||
+++ openssh-6.3p1/ssh-agent.c 2013-10-07 15:41:11.627044336 +0200
|
||||
@@ -198,9 +198,9 @@ confirm_key(Identity *id)
|
||||
char *p;
|
||||
int ret = -1;
|
||||
|
||||
- p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
|
||||
- id->comment, p))
|
||||
+ p = key_selected_fingerprint(id->key, SSH_FP_HEX);
|
||||
+ if (ask_permission("Allow use of key %s?\nKey fingerprint %s%s.",
|
||||
+ id->comment, key_fingerprint_prefix(), p))
|
||||
ret = 0;
|
||||
free(p);
|
||||
|
||||
diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c
|
||||
--- openssh-6.3p1/ssh-keygen.c.fingerprint 2013-07-20 05:22:32.000000000 +0200
|
||||
+++ openssh-6.3p1/ssh-keygen.c 2013-10-07 14:25:52.864145038 +0200
|
||||
@@ -767,13 +767,14 @@ do_fingerprint(struct passwd *pw)
|
||||
{
|
||||
FILE *f;
|
||||
Key *public;
|
||||
- char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;
|
||||
+ char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra, *pfx;
|
||||
int i, skip = 0, num = 0, invalid = 1;
|
||||
enum fp_rep rep;
|
||||
enum fp_type fptype;
|
||||
struct stat st;
|
||||
|
||||
- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
|
||||
+ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
|
||||
+ pfx = print_bubblebabble ? "" : key_fingerprint_prefix();
|
||||
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
|
||||
|
||||
if (!have_identity)
|
||||
@@ -785,8 +786,8 @@ do_fingerprint(struct passwd *pw)
|
||||
public = key_load_public(identity_file, &comment);
|
||||
if (public != NULL) {
|
||||
fp = key_fingerprint(public, fptype, rep);
|
||||
- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
|
||||
- printf("%u %s %s (%s)\n", key_size(public), fp, comment,
|
||||
+ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
|
||||
+ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, comment,
|
||||
key_type(public));
|
||||
if (log_level >= SYSLOG_LEVEL_VERBOSE)
|
||||
printf("%s\n", ra);
|
||||
@@ -851,8 +852,8 @@ do_fingerprint(struct passwd *pw)
|
||||
}
|
||||
comment = *cp ? cp : comment;
|
||||
fp = key_fingerprint(public, fptype, rep);
|
||||
- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
|
||||
- printf("%u %s %s (%s)\n", key_size(public), fp,
|
||||
+ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
|
||||
+ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp,
|
||||
comment ? comment : "no comment", key_type(public));
|
||||
if (log_level >= SYSLOG_LEVEL_VERBOSE)
|
||||
printf("%s\n", ra);
|
||||
@@ -970,13 +971,15 @@ printhost(FILE *f, const char *name, Key
|
||||
if (print_fingerprint) {
|
||||
enum fp_rep rep;
|
||||
enum fp_type fptype;
|
||||
- char *fp, *ra;
|
||||
+ char *fp, *ra, *pfx;
|
||||
|
||||
- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
|
||||
+ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
|
||||
+ pfx = print_bubblebabble ? "" : key_fingerprint_prefix();
|
||||
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
|
||||
+
|
||||
fp = key_fingerprint(public, fptype, rep);
|
||||
- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
|
||||
- printf("%u %s %s (%s)\n", key_size(public), fp, name,
|
||||
+ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
|
||||
+ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, name,
|
||||
key_type(public));
|
||||
if (log_level >= SYSLOG_LEVEL_VERBOSE)
|
||||
printf("%s\n", ra);
|
||||
@@ -1855,16 +1858,17 @@ do_show_cert(struct passwd *pw)
|
||||
fatal("%s is not a certificate", identity_file);
|
||||
v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
|
||||
|
||||
- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- ca_fp = key_fingerprint(key->cert->signature_key,
|
||||
- SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
|
||||
+ ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
|
||||
|
||||
printf("%s:\n", identity_file);
|
||||
printf(" Type: %s %s certificate\n", key_ssh_name(key),
|
||||
key_cert_type(key));
|
||||
- printf(" Public key: %s %s\n", key_type(key), key_fp);
|
||||
- printf(" Signing CA: %s %s\n",
|
||||
- key_type(key->cert->signature_key), ca_fp);
|
||||
+ printf(" Public key: %s %s%s\n", key_type(key),
|
||||
+ key_fingerprint_prefix(), key_fp);
|
||||
+ printf(" Signing CA: %s %s%s\n",
|
||||
+ key_type(key->cert->signature_key),
|
||||
+ key_fingerprint_prefix(), ca_fp);
|
||||
printf(" Key ID: \"%s\"\n", key->cert->key_id);
|
||||
if (!v00) {
|
||||
printf(" Serial: %llu\n",
|
||||
@@ -2655,13 +2659,12 @@ passphrase_again:
|
||||
fclose(f);
|
||||
|
||||
if (!quiet) {
|
||||
- char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- char *ra = key_fingerprint(public, SSH_FP_MD5,
|
||||
- SSH_FP_RANDOMART);
|
||||
+ char *fp = key_selected_fingerprint(public, SSH_FP_HEX);
|
||||
+ char *ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
|
||||
printf("Your public key has been saved in %s.\n",
|
||||
identity_file);
|
||||
printf("The key fingerprint is:\n");
|
||||
- printf("%s %s\n", fp, comment);
|
||||
+ printf("%s%s %s\n", key_fingerprint_prefix(), fp, comment);
|
||||
printf("The key's randomart image is:\n");
|
||||
printf("%s\n", ra);
|
||||
free(ra);
|
||||
diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c
|
||||
--- openssh-6.3p1/sshconnect.c.fingerprint 2013-06-01 23:31:19.000000000 +0200
|
||||
+++ openssh-6.3p1/sshconnect.c 2013-10-07 14:43:54.859822036 +0200
|
||||
@@ -830,10 +830,10 @@ check_host_key(char *hostname, struct so
|
||||
"key for IP address '%.128s' to the list "
|
||||
"of known hosts.", type, ip);
|
||||
} else if (options.visual_host_key) {
|
||||
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- ra = key_fingerprint(host_key, SSH_FP_MD5,
|
||||
- SSH_FP_RANDOMART);
|
||||
- logit("Host key fingerprint is %s\n%s\n", fp, ra);
|
||||
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
|
||||
+ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
|
||||
+ logit("Host key fingerprint is %s%s\n%s\n",
|
||||
+ key_fingerprint_prefix(), fp, ra);
|
||||
free(ra);
|
||||
free(fp);
|
||||
}
|
||||
@@ -871,9 +871,8 @@ check_host_key(char *hostname, struct so
|
||||
else
|
||||
snprintf(msg1, sizeof(msg1), ".");
|
||||
/* The default */
|
||||
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- ra = key_fingerprint(host_key, SSH_FP_MD5,
|
||||
- SSH_FP_RANDOMART);
|
||||
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
|
||||
+ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
|
||||
msg2[0] = '\0';
|
||||
if (options.verify_host_key_dns) {
|
||||
if (matching_host_key_dns)
|
||||
@@ -888,10 +887,11 @@ check_host_key(char *hostname, struct so
|
||||
snprintf(msg, sizeof(msg),
|
||||
"The authenticity of host '%.200s (%s)' can't be "
|
||||
"established%s\n"
|
||||
- "%s key fingerprint is %s.%s%s\n%s"
|
||||
+ "%s key fingerprint is %s%s.%s%s\n%s"
|
||||
"Are you sure you want to continue connecting "
|
||||
"(yes/no)? ",
|
||||
- host, ip, msg1, type, fp,
|
||||
+ host, ip, msg1, type,
|
||||
+ key_fingerprint_prefix(), fp,
|
||||
options.visual_host_key ? "\n" : "",
|
||||
options.visual_host_key ? ra : "",
|
||||
msg2);
|
||||
@@ -1136,8 +1136,9 @@ verify_host_key(char *host, struct socka
|
||||
int flags = 0;
|
||||
char *fp;
|
||||
|
||||
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- debug("Server host key: %s %s", key_type(host_key), fp);
|
||||
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
|
||||
+ debug("Server host key: %s %s%s", key_type(host_key),
|
||||
+ key_fingerprint_prefix(), fp);
|
||||
free(fp);
|
||||
|
||||
/* XXX certs are not yet supported for DNS */
|
||||
@@ -1238,14 +1239,15 @@ show_other_keys(struct hostkeys *hostkey
|
||||
continue;
|
||||
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
|
||||
continue;
|
||||
- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
|
||||
+ fp = key_selected_fingerprint(found->key, SSH_FP_HEX);
|
||||
+ ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART);
|
||||
logit("WARNING: %s key found for host %s\n"
|
||||
"in %s:%lu\n"
|
||||
- "%s key fingerprint %s.",
|
||||
+ "%s key fingerprint %s%s.",
|
||||
key_type(found->key),
|
||||
found->host, found->file, found->line,
|
||||
- key_type(found->key), fp);
|
||||
+ key_type(found->key),
|
||||
+ key_fingerprint_prefix(), fp);
|
||||
if (options.visual_host_key)
|
||||
logit("%s", ra);
|
||||
free(ra);
|
||||
@@ -1260,7 +1262,7 @@ warn_changed_key(Key *host_key)
|
||||
{
|
||||
char *fp;
|
||||
|
||||
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
|
||||
|
||||
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
|
||||
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
|
||||
@@ -1268,8 +1270,8 @@ warn_changed_key(Key *host_key)
|
||||
error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
|
||||
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
|
||||
error("It is also possible that a host key has just been changed.");
|
||||
- error("The fingerprint for the %s key sent by the remote host is\n%s.",
|
||||
- key_type(host_key), fp);
|
||||
+ error("The fingerprint for the %s key sent by the remote host is\n%s%s.",
|
||||
+ key_type(host_key),key_fingerprint_prefix(), fp);
|
||||
error("Please contact your system administrator.");
|
||||
|
||||
free(fp);
|
||||
diff -up openssh-6.3p1/sshconnect2.c.fingerprint openssh-6.3p1/sshconnect2.c
|
||||
--- openssh-6.3p1/sshconnect2.c.fingerprint 2013-10-07 14:02:37.001968139 +0200
|
||||
+++ openssh-6.3p1/sshconnect2.c 2013-10-07 15:20:09.403234714 +0200
|
||||
@@ -590,8 +590,9 @@ input_userauth_pk_ok(int type, u_int32_t
|
||||
key->type, pktype);
|
||||
goto done;
|
||||
}
|
||||
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- debug2("input_userauth_pk_ok: fp %s", fp);
|
||||
+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
|
||||
+ debug2("input_userauth_pk_ok: fp %s%s",
|
||||
+ key_fingerprint_prefix(), fp);
|
||||
free(fp);
|
||||
|
||||
/*
|
||||
@@ -1202,8 +1203,9 @@ sign_and_send_pubkey(Authctxt *authctxt,
|
||||
int have_sig = 1;
|
||||
char *fp;
|
||||
|
||||
- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
|
||||
+ fp = key_selected_fingerprint(id->key, SSH_FP_HEX);
|
||||
+ debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key),
|
||||
+ key_fingerprint_prefix(), fp);
|
||||
free(fp);
|
||||
|
||||
if (key_to_blob(id->key, &blob, &bloblen) == 0) {
|
||||
|
|
@ -1,607 +0,0 @@
|
|||
diff -up openssh-6.3p1/Makefile.in.fips openssh-6.3p1/Makefile.in
|
||||
--- openssh-6.3p1/Makefile.in.fips 2013-10-11 22:24:32.850031186 +0200
|
||||
+++ openssh-6.3p1/Makefile.in 2013-10-11 22:24:32.870031092 +0200
|
||||
@@ -147,25 +147,25 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
$(RANLIB) $@
|
||||
|
||||
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
||||
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
||||
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
||||
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
|
||||
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
|
||||
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
|
||||
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
|
||||
- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
||||
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
@@ -177,7 +177,7 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh
|
||||
$(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
|
||||
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
diff -up openssh-6.3p1/auth-rsa.c.fips openssh-6.3p1/auth-rsa.c
|
||||
--- openssh-6.3p1/auth-rsa.c.fips 2013-10-24 15:43:46.019999906 +0200
|
||||
+++ openssh-6.3p1/auth-rsa.c 2013-10-24 15:44:09.262890686 +0200
|
||||
@@ -240,7 +240,7 @@ rsa_key_allowed_in_file(struct passwd *p
|
||||
"actual %d vs. announced %d.",
|
||||
file, linenum, BN_num_bits(key->rsa->n), bits);
|
||||
|
||||
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
|
||||
debug("matching key found: file %s, line %lu %s %s",
|
||||
file, linenum, key_type(key), fp);
|
||||
free(fp);
|
||||
diff -up openssh-6.3p1/auth2-pubkey.c.fips openssh-6.3p1/auth2-pubkey.c
|
||||
--- openssh-6.3p1/auth2-pubkey.c.fips 2013-10-24 15:39:05.008319990 +0200
|
||||
+++ openssh-6.3p1/auth2-pubkey.c 2013-10-24 15:39:05.029319892 +0200
|
||||
@@ -209,7 +209,7 @@ pubkey_auth_info(Authctxt *authctxt, con
|
||||
|
||||
if (key_is_cert(key)) {
|
||||
fp = key_fingerprint(key->cert->signature_key,
|
||||
- SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
|
||||
auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
|
||||
key_type(key), key->cert->key_id,
|
||||
(unsigned long long)key->cert->serial,
|
||||
@@ -217,7 +217,7 @@ pubkey_auth_info(Authctxt *authctxt, con
|
||||
extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
|
||||
free(fp);
|
||||
} else {
|
||||
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
|
||||
auth_info(authctxt, "%s %s%s%s", key_type(key), fp,
|
||||
extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
|
||||
free(fp);
|
||||
diff -up openssh-6.3p1/authfile.c.fips openssh-6.3p1/authfile.c
|
||||
--- openssh-6.3p1/authfile.c.fips 2013-10-11 22:24:32.857031153 +0200
|
||||
+++ openssh-6.3p1/authfile.c 2013-10-11 22:24:32.870031092 +0200
|
||||
@@ -148,8 +148,14 @@ key_private_rsa1_to_blob(Key *key, Buffe
|
||||
/* Allocate space for the private part of the key in the buffer. */
|
||||
cp = buffer_append_space(&encrypted, buffer_len(&buffer));
|
||||
|
||||
- cipher_set_key_string(&ciphercontext, cipher, passphrase,
|
||||
- CIPHER_ENCRYPT);
|
||||
+ if (cipher_set_key_string(&ciphercontext, cipher, passphrase,
|
||||
+ CIPHER_ENCRYPT) < 0) {
|
||||
+ error("cipher_set_key_string failed.");
|
||||
+ buffer_free(&encrypted);
|
||||
+ buffer_free(&buffer);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
cipher_crypt(&ciphercontext, cp,
|
||||
buffer_ptr(&buffer), buffer_len(&buffer), 0, 0);
|
||||
cipher_cleanup(&ciphercontext);
|
||||
@@ -472,8 +478,13 @@ key_parse_private_rsa1(Buffer *blob, con
|
||||
cp = buffer_append_space(&decrypted, buffer_len(©));
|
||||
|
||||
/* Rest of the buffer is encrypted. Decrypt it using the passphrase. */
|
||||
- cipher_set_key_string(&ciphercontext, cipher, passphrase,
|
||||
- CIPHER_DECRYPT);
|
||||
+ if (cipher_set_key_string(&ciphercontext, cipher, passphrase,
|
||||
+ CIPHER_DECRYPT) < 0) {
|
||||
+ error("cipher_set_key_string failed.");
|
||||
+ buffer_free(&decrypted);
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
cipher_crypt(&ciphercontext, cp,
|
||||
buffer_ptr(©), buffer_len(©), 0, 0);
|
||||
cipher_cleanup(&ciphercontext);
|
||||
diff -up openssh-6.3p1/cipher-ctr.c.fips openssh-6.3p1/cipher-ctr.c
|
||||
--- openssh-6.3p1/cipher-ctr.c.fips 2013-06-02 00:07:32.000000000 +0200
|
||||
+++ openssh-6.3p1/cipher-ctr.c 2013-10-11 22:24:32.870031092 +0200
|
||||
@@ -138,7 +138,8 @@ evp_aes_128_ctr(void)
|
||||
aes_ctr.do_cipher = ssh_aes_ctr;
|
||||
#ifndef SSH_OLD_EVP
|
||||
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
|
||||
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
|
||||
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
|
||||
+ EVP_CIPH_FLAG_FIPS;
|
||||
#endif
|
||||
return (&aes_ctr);
|
||||
}
|
||||
diff -up openssh-6.3p1/cipher.c.fips openssh-6.3p1/cipher.c
|
||||
--- openssh-6.3p1/cipher.c.fips 2013-10-11 22:24:32.820031327 +0200
|
||||
+++ openssh-6.3p1/cipher.c 2013-10-11 22:24:32.871031087 +0200
|
||||
@@ -40,6 +40,7 @@
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/md5.h>
|
||||
+#include <openssl/fips.h>
|
||||
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
@@ -86,6 +87,27 @@ static const struct Cipher ciphers[] = {
|
||||
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
|
||||
};
|
||||
|
||||
+static const struct Cipher fips_ciphers[] = {
|
||||
+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
|
||||
+ { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
|
||||
+ { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
|
||||
+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
|
||||
+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
|
||||
+ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
|
||||
+ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
|
||||
+ { "rijndael-cbc@lysator.liu.se",
|
||||
+ SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
|
||||
+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
|
||||
+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
|
||||
+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
|
||||
+#ifdef OPENSSL_HAVE_EVPGCM
|
||||
+ { "aes128-gcm@openssh.com",
|
||||
+ SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
|
||||
+ { "aes256-gcm@openssh.com",
|
||||
+ SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
|
||||
+#endif
|
||||
+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
|
||||
+};
|
||||
/*--*/
|
||||
|
||||
/* Returns a comma-separated list of supported ciphers. */
|
||||
@@ -96,7 +118,7 @@ cipher_alg_list(void)
|
||||
size_t nlen, rlen = 0;
|
||||
const Cipher *c;
|
||||
|
||||
- for (c = ciphers; c->name != NULL; c++) {
|
||||
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) {
|
||||
if (c->number != SSH_CIPHER_SSH2)
|
||||
continue;
|
||||
if (ret != NULL)
|
||||
@@ -161,7 +183,7 @@ const Cipher *
|
||||
cipher_by_name(const char *name)
|
||||
{
|
||||
const Cipher *c;
|
||||
- for (c = ciphers; c->name != NULL; c++)
|
||||
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
|
||||
if (strcmp(c->name, name) == 0)
|
||||
return c;
|
||||
return NULL;
|
||||
@@ -171,7 +193,7 @@ const Cipher *
|
||||
cipher_by_number(int id)
|
||||
{
|
||||
const Cipher *c;
|
||||
- for (c = ciphers; c->name != NULL; c++)
|
||||
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
|
||||
if (c->number == id)
|
||||
return c;
|
||||
return NULL;
|
||||
@@ -215,7 +237,7 @@ cipher_number(const char *name)
|
||||
const Cipher *c;
|
||||
if (name == NULL)
|
||||
return -1;
|
||||
- for (c = ciphers; c->name != NULL; c++)
|
||||
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
|
||||
if (strcasecmp(c->name, name) == 0)
|
||||
return c->number;
|
||||
return -1;
|
||||
@@ -374,14 +396,15 @@ cipher_cleanup(CipherContext *cc)
|
||||
* passphrase and using the resulting 16 bytes as the key.
|
||||
*/
|
||||
|
||||
-void
|
||||
+int
|
||||
cipher_set_key_string(CipherContext *cc, const Cipher *cipher,
|
||||
const char *passphrase, int do_encrypt)
|
||||
{
|
||||
MD5_CTX md;
|
||||
u_char digest[16];
|
||||
|
||||
- MD5_Init(&md);
|
||||
+ if (MD5_Init(&md) <= 0)
|
||||
+ return -1;
|
||||
MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase));
|
||||
MD5_Final(digest, &md);
|
||||
|
||||
@@ -389,6 +412,7 @@ cipher_set_key_string(CipherContext *cc,
|
||||
|
||||
memset(digest, 0, sizeof(digest));
|
||||
memset(&md, 0, sizeof(md));
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
diff -up openssh-6.3p1/cipher.h.fips openssh-6.3p1/cipher.h
|
||||
--- openssh-6.3p1/cipher.h.fips 2013-10-11 22:24:32.820031327 +0200
|
||||
+++ openssh-6.3p1/cipher.h 2013-10-11 22:24:32.871031087 +0200
|
||||
@@ -92,7 +92,7 @@ void cipher_init(CipherContext *, const
|
||||
void cipher_crypt(CipherContext *, u_char *, const u_char *,
|
||||
u_int, u_int, u_int);
|
||||
void cipher_cleanup(CipherContext *);
|
||||
-void cipher_set_key_string(CipherContext *, const Cipher *, const char *, int);
|
||||
+int cipher_set_key_string(CipherContext *, const Cipher *, const char *, int);
|
||||
u_int cipher_blocksize(const Cipher *);
|
||||
u_int cipher_keylen(const Cipher *);
|
||||
u_int cipher_authlen(const Cipher *);
|
||||
diff -up openssh-6.3p1/key.c.fips openssh-6.3p1/key.c
|
||||
--- openssh-6.3p1/key.c.fips 2013-10-11 22:24:32.821031322 +0200
|
||||
+++ openssh-6.3p1/key.c 2013-10-11 22:24:32.871031087 +0200
|
||||
@@ -40,6 +40,7 @@
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/evp.h>
|
||||
+#include <openssl/fips.h>
|
||||
#include <openbsd-compat/openssl-compat.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
@@ -606,9 +607,13 @@ key_fingerprint_selection(void)
|
||||
char *env;
|
||||
|
||||
if (!rv_defined) {
|
||||
- env = getenv("SSH_FINGERPRINT_TYPE");
|
||||
- rv = (env && !strcmp (env, "sha")) ?
|
||||
- SSH_FP_SHA1 : SSH_FP_MD5;
|
||||
+ if (FIPS_mode())
|
||||
+ rv = SSH_FP_SHA1;
|
||||
+ else {
|
||||
+ env = getenv("SSH_FINGERPRINT_TYPE");
|
||||
+ rv = (env && !strcmp (env, "sha")) ?
|
||||
+ SSH_FP_SHA1 : SSH_FP_MD5;
|
||||
+ }
|
||||
rv_defined = 1;
|
||||
}
|
||||
return rv;
|
||||
diff -up openssh-6.3p1/mac.c.fips openssh-6.3p1/mac.c
|
||||
--- openssh-6.3p1/mac.c.fips 2013-10-11 22:24:32.821031322 +0200
|
||||
+++ openssh-6.3p1/mac.c 2013-10-11 22:25:35.394737186 +0200
|
||||
@@ -28,6 +28,7 @@
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/hmac.h>
|
||||
+#include <openssl/fips.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
@@ -60,7 +61,7 @@ struct macalg {
|
||||
int etm; /* Encrypt-then-MAC */
|
||||
};
|
||||
|
||||
-static const struct macalg macs[] = {
|
||||
+static const struct macalg all_macs[] = {
|
||||
/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
|
||||
{ "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
|
||||
{ "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 },
|
||||
@@ -91,6 +92,18 @@ static const struct macalg macs[] = {
|
||||
{ NULL, 0, NULL, 0, 0, 0, 0 }
|
||||
};
|
||||
|
||||
+static const struct macalg fips_macs[] = {
|
||||
+ { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
|
||||
+ { "hmac-sha1-etm@openssh.com", SSH_EVP, EVP_sha1, 0, 0, 0, 1 },
|
||||
+#ifdef HAVE_EVP_SHA256
|
||||
+ { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, 0, 0, 0 },
|
||||
+ { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, 0, 0, 0 },
|
||||
+ { "hmac-sha2-256-etm@openssh.com", SSH_EVP, EVP_sha256, 0, 0, 0, 1 },
|
||||
+ { "hmac-sha2-512-etm@openssh.com", SSH_EVP, EVP_sha512, 0, 0, 0, 1 },
|
||||
+#endif
|
||||
+ { NULL, 0, NULL, 0, 0, 0, 0 }
|
||||
+};
|
||||
+
|
||||
/* Returns a comma-separated list of supported MACs. */
|
||||
char *
|
||||
mac_alg_list(void)
|
||||
@@ -99,7 +112,7 @@ mac_alg_list(void)
|
||||
size_t nlen, rlen = 0;
|
||||
const struct macalg *m;
|
||||
|
||||
- for (m = macs; m->name != NULL; m++) {
|
||||
+ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
|
||||
if (ret != NULL)
|
||||
ret[rlen++] = '\n';
|
||||
nlen = strlen(m->name);
|
||||
@@ -136,7 +149,7 @@ mac_setup(Mac *mac, char *name)
|
||||
{
|
||||
const struct macalg *m;
|
||||
|
||||
- for (m = macs; m->name != NULL; m++) {
|
||||
+ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
|
||||
if (strcmp(name, m->name) != 0)
|
||||
continue;
|
||||
if (mac != NULL)
|
||||
diff -up openssh-6.3p1/myproposal.h.fips openssh-6.3p1/myproposal.h
|
||||
--- openssh-6.3p1/myproposal.h.fips 2013-06-11 04:10:02.000000000 +0200
|
||||
+++ openssh-6.3p1/myproposal.h 2013-10-11 22:24:32.872031082 +0200
|
||||
@@ -114,6 +114,19 @@
|
||||
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
|
||||
#define KEX_DEFAULT_LANG ""
|
||||
|
||||
+#define KEX_FIPS_ENCRYPT \
|
||||
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
|
||||
+ "aes128-cbc,3des-cbc," \
|
||||
+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se"
|
||||
+#ifdef HAVE_EVP_SHA256
|
||||
+#define KEX_FIPS_MAC \
|
||||
+ "hmac-sha1," \
|
||||
+ "hmac-sha2-256," \
|
||||
+ "hmac-sha2-512"
|
||||
+#else
|
||||
+#define KEX_FIPS_MAC \
|
||||
+ "hmac-sha1"
|
||||
+#endif
|
||||
|
||||
static char *myproposal[PROPOSAL_MAX] = {
|
||||
KEX_DEFAULT_KEX,
|
||||
diff -up openssh-6.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-6.3p1/openbsd-compat/bsd-arc4random.c
|
||||
--- openssh-6.3p1/openbsd-compat/bsd-arc4random.c.fips 2010-03-25 22:52:02.000000000 +0100
|
||||
+++ openssh-6.3p1/openbsd-compat/bsd-arc4random.c 2013-10-11 22:24:32.872031082 +0200
|
||||
@@ -37,25 +37,18 @@
|
||||
#define REKEY_BYTES (1 << 24)
|
||||
|
||||
static int rc4_ready = 0;
|
||||
-static RC4_KEY rc4;
|
||||
|
||||
unsigned int
|
||||
arc4random(void)
|
||||
{
|
||||
unsigned int r = 0;
|
||||
- static int first_time = 1;
|
||||
+ void *rp = &r;
|
||||
|
||||
- if (rc4_ready <= 0) {
|
||||
- if (first_time)
|
||||
- seed_rng();
|
||||
- first_time = 0;
|
||||
+ if (!rc4_ready) {
|
||||
arc4random_stir();
|
||||
}
|
||||
+ RAND_bytes(rp, sizeof(r));
|
||||
|
||||
- RC4(&rc4, sizeof(r), (unsigned char *)&r, (unsigned char *)&r);
|
||||
-
|
||||
- rc4_ready -= sizeof(r);
|
||||
-
|
||||
return(r);
|
||||
}
|
||||
|
||||
@@ -63,24 +56,11 @@ void
|
||||
arc4random_stir(void)
|
||||
{
|
||||
unsigned char rand_buf[SEED_SIZE];
|
||||
- int i;
|
||||
|
||||
- memset(&rc4, 0, sizeof(rc4));
|
||||
if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0)
|
||||
fatal("Couldn't obtain random bytes (error %ld)",
|
||||
ERR_get_error());
|
||||
- RC4_set_key(&rc4, sizeof(rand_buf), rand_buf);
|
||||
-
|
||||
- /*
|
||||
- * Discard early keystream, as per recommendations in:
|
||||
- * http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
|
||||
- */
|
||||
- for(i = 0; i <= 256; i += sizeof(rand_buf))
|
||||
- RC4(&rc4, sizeof(rand_buf), rand_buf, rand_buf);
|
||||
-
|
||||
- memset(rand_buf, 0, sizeof(rand_buf));
|
||||
-
|
||||
- rc4_ready = REKEY_BYTES;
|
||||
+ rc4_ready = 1;
|
||||
}
|
||||
#endif /* !HAVE_ARC4RANDOM */
|
||||
|
||||
diff -up openssh-6.3p1/ssh-keygen.c.fips openssh-6.3p1/ssh-keygen.c
|
||||
--- openssh-6.3p1/ssh-keygen.c.fips 2013-10-24 15:45:06.055623916 +0200
|
||||
+++ openssh-6.3p1/ssh-keygen.c 2013-10-24 15:45:36.906478986 +0200
|
||||
@@ -730,7 +730,7 @@ do_download(struct passwd *pw)
|
||||
enum fp_type fptype;
|
||||
char *fp, *ra;
|
||||
|
||||
- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
|
||||
+ fptype = print_bubblebabble ? SSH_FP_SHA1 : (FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5);
|
||||
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
|
||||
|
||||
pkcs11_init(0);
|
||||
@@ -740,7 +740,7 @@ do_download(struct passwd *pw)
|
||||
for (i = 0; i < nkeys; i++) {
|
||||
if (print_fingerprint) {
|
||||
fp = key_fingerprint(keys[i], fptype, rep);
|
||||
- ra = key_fingerprint(keys[i], SSH_FP_MD5,
|
||||
+ ra = key_fingerprint(keys[i], FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
|
||||
SSH_FP_RANDOMART);
|
||||
printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]),
|
||||
fp, key_type(keys[i]));
|
||||
diff -up openssh-6.3p1/ssh.c.fips openssh-6.3p1/ssh.c
|
||||
--- openssh-6.3p1/ssh.c.fips 2013-07-25 03:55:53.000000000 +0200
|
||||
+++ openssh-6.3p1/ssh.c 2013-10-11 22:24:32.872031082 +0200
|
||||
@@ -73,6 +73,8 @@
|
||||
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
+#include <openssl/fips.h>
|
||||
+#include <fipscheck.h>
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
@@ -253,6 +255,13 @@ main(int ac, char **av)
|
||||
sanitise_stdfd();
|
||||
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
+ SSLeay_add_all_algorithms();
|
||||
+ if (access("/etc/system-fips", F_OK) == 0)
|
||||
+ if (! FIPSCHECK_verify(NULL, NULL))
|
||||
+ if (FIPS_mode())
|
||||
+ fatal("FIPS integrity verification test failed.");
|
||||
+ else
|
||||
+ logit("FIPS integrity verification test failed.");
|
||||
|
||||
#ifndef HAVE_SETPROCTITLE
|
||||
/* Prepare for later setproctitle emulation */
|
||||
@@ -330,6 +339,9 @@ main(int ac, char **av)
|
||||
"ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
|
||||
switch (opt) {
|
||||
case '1':
|
||||
+ if (FIPS_mode()) {
|
||||
+ fatal("Protocol 1 not allowed in the FIPS mode.");
|
||||
+ }
|
||||
options.protocol = SSH_PROTO_1;
|
||||
break;
|
||||
case '2':
|
||||
@@ -647,7 +659,6 @@ main(int ac, char **av)
|
||||
if (!host)
|
||||
usage();
|
||||
|
||||
- OpenSSL_add_all_algorithms();
|
||||
ERR_load_crypto_strings();
|
||||
|
||||
/* Initialize the command to execute on remote host. */
|
||||
@@ -748,6 +759,10 @@ main(int ac, char **av)
|
||||
|
||||
seed_rng();
|
||||
|
||||
+ if (FIPS_mode()) {
|
||||
+ logit("FIPS mode initialized");
|
||||
+ }
|
||||
+
|
||||
if (options.user == NULL)
|
||||
options.user = xstrdup(pw->pw_name);
|
||||
|
||||
@@ -816,6 +831,12 @@ main(int ac, char **av)
|
||||
|
||||
timeout_ms = options.connection_timeout * 1000;
|
||||
|
||||
+ if (FIPS_mode()) {
|
||||
+ options.protocol &= SSH_PROTO_2;
|
||||
+ if (options.protocol == 0)
|
||||
+ fatal("Protocol 2 disabled by configuration but required in the FIPS mode.");
|
||||
+ }
|
||||
+
|
||||
/* Open a connection to the remote host. */
|
||||
if (ssh_connect(host, &hostaddr, options.port,
|
||||
options.address_family, options.connection_attempts, &timeout_ms,
|
||||
diff -up openssh-6.3p1/sshconnect2.c.fips openssh-6.3p1/sshconnect2.c
|
||||
--- openssh-6.3p1/sshconnect2.c.fips 2013-10-11 22:24:32.810031374 +0200
|
||||
+++ openssh-6.3p1/sshconnect2.c 2013-10-11 22:24:32.873031077 +0200
|
||||
@@ -44,6 +44,8 @@
|
||||
#include <vis.h>
|
||||
#endif
|
||||
|
||||
+#include <openssl/fips.h>
|
||||
+
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
#include "xmalloc.h"
|
||||
@@ -170,6 +172,10 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
if (options.ciphers != NULL) {
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
|
||||
+ } else if (FIPS_mode()) {
|
||||
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT;
|
||||
+
|
||||
}
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
|
||||
@@ -185,7 +191,11 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
if (options.macs != NULL) {
|
||||
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
||||
+ } else if (FIPS_mode()) {
|
||||
+ myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||||
+ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC;
|
||||
}
|
||||
+
|
||||
if (options.hostkeyalgorithms != NULL)
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
||||
options.hostkeyalgorithms;
|
||||
diff -up openssh-6.3p1/sshd.c.fips openssh-6.3p1/sshd.c
|
||||
--- openssh-6.3p1/sshd.c.fips 2013-10-11 22:24:32.842031223 +0200
|
||||
+++ openssh-6.3p1/sshd.c 2013-10-11 22:24:32.873031077 +0200
|
||||
@@ -76,6 +76,8 @@
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/md5.h>
|
||||
#include <openssl/rand.h>
|
||||
+#include <openssl/fips.h>
|
||||
+#include <fipscheck.h>
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
#ifdef HAVE_SECUREWARE
|
||||
@@ -1450,6 +1452,14 @@ main(int ac, char **av)
|
||||
#endif
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
|
||||
+ SSLeay_add_all_algorithms();
|
||||
+ if (access("/etc/system-fips", F_OK) == 0)
|
||||
+ if (! FIPSCHECK_verify(NULL, NULL))
|
||||
+ if (FIPS_mode())
|
||||
+ fatal("FIPS integrity verification test failed.");
|
||||
+ else
|
||||
+ logit("FIPS integrity verification test failed.");
|
||||
+
|
||||
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
||||
saved_argc = ac;
|
||||
rexec_argc = ac;
|
||||
@@ -1601,8 +1611,6 @@ main(int ac, char **av)
|
||||
else
|
||||
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
|
||||
|
||||
- OpenSSL_add_all_algorithms();
|
||||
-
|
||||
/* If requested, redirect the logs to the specified logfile. */
|
||||
if (logfile != NULL) {
|
||||
log_redirect_stderr_to(logfile);
|
||||
@@ -1773,6 +1781,10 @@ main(int ac, char **av)
|
||||
debug("private host key: #%d type %d %s", i, keytype,
|
||||
key_type(key ? key : pubkey));
|
||||
}
|
||||
+ if ((options.protocol & SSH_PROTO_1) && FIPS_mode()) {
|
||||
+ logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
|
||||
+ options.protocol &= ~SSH_PROTO_1;
|
||||
+ }
|
||||
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
|
||||
logit("Disabling protocol version 1. Could not load host key");
|
||||
options.protocol &= ~SSH_PROTO_1;
|
||||
@@ -1936,6 +1948,10 @@ main(int ac, char **av)
|
||||
/* Initialize the random number generator. */
|
||||
arc4random_stir();
|
||||
|
||||
+ if (FIPS_mode()) {
|
||||
+ logit("FIPS mode initialized");
|
||||
+ }
|
||||
+
|
||||
/* Chdir to the root directory so that the current disk can be
|
||||
unmounted if desired. */
|
||||
if (chdir("/") == -1)
|
||||
@@ -2498,6 +2514,9 @@ do_ssh2_kex(void)
|
||||
if (options.ciphers != NULL) {
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
|
||||
+ } else if (FIPS_mode()) {
|
||||
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT;
|
||||
}
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
|
||||
@@ -2507,6 +2526,9 @@ do_ssh2_kex(void)
|
||||
if (options.macs != NULL) {
|
||||
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
||||
+ } else if (FIPS_mode()) {
|
||||
+ myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||||
+ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC;
|
||||
}
|
||||
if (options.compression == COMP_NONE) {
|
||||
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
|
||||
|
|
@ -1,65 +0,0 @@
|
|||
diff -U0 openssh-6.3p1/ChangeLog.df openssh-6.3p1/ChangeLog
|
||||
--- openssh-6.3p1/ChangeLog.df 2013-10-23 22:38:03.476272461 +0200
|
||||
+++ openssh-6.3p1/ChangeLog 2013-10-23 22:39:46.051788366 +0200
|
||||
@@ -0,0 +1,8 @@
|
||||
+20131010
|
||||
+ - dtucker@cvs.openbsd.org 2013/10/08 11:42:13
|
||||
+ [dh.c dh.h]
|
||||
+ Increase the size of the Diffie-Hellman groups requested for a each
|
||||
+ symmetric key size. New values from NIST Special Publication 800-57 with
|
||||
+ the upper limit specified by RFC4419. Pointed out by Peter Backes, ok
|
||||
+ djm@.
|
||||
+
|
||||
diff -up openssh-6.3p1/dh.c.df openssh-6.3p1/dh.c
|
||||
--- openssh-6.3p1/dh.c.df 2013-07-18 08:12:07.000000000 +0200
|
||||
+++ openssh-6.3p1/dh.c 2013-10-23 22:38:03.476272461 +0200
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: dh.c,v 1.51 2013/07/02 12:31:43 markus Exp $ */
|
||||
+/* $OpenBSD: dh.c,v 1.52 2013/10/08 11:42:13 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
||||
*
|
||||
@@ -352,17 +352,20 @@ dh_new_group14(void)
|
||||
|
||||
/*
|
||||
* Estimates the group order for a Diffie-Hellman group that has an
|
||||
- * attack complexity approximately the same as O(2**bits). Estimate
|
||||
- * with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
|
||||
+ * attack complexity approximately the same as O(2**bits).
|
||||
+ * Values from NIST Special Publication 800-57: Recommendation for Key
|
||||
+ * Management Part 1 (rev 3) limited by the recommended maximum value
|
||||
+ * from RFC4419 section 3.
|
||||
*/
|
||||
|
||||
int
|
||||
dh_estimate(int bits)
|
||||
{
|
||||
-
|
||||
+ if (bits <= 112)
|
||||
+ return 2048;
|
||||
if (bits <= 128)
|
||||
- return (1024); /* O(2**86) */
|
||||
+ return 3072;
|
||||
if (bits <= 192)
|
||||
- return (2048); /* O(2**116) */
|
||||
- return (4096); /* O(2**156) */
|
||||
+ return 7680;
|
||||
+ return 8192;
|
||||
}
|
||||
diff -up openssh-6.3p1/dh.h.df openssh-6.3p1/dh.h
|
||||
--- openssh-6.3p1/dh.h.df 2008-06-29 14:47:04.000000000 +0200
|
||||
+++ openssh-6.3p1/dh.h 2013-10-23 22:38:03.476272461 +0200
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: dh.h,v 1.10 2008/06/26 09:19:40 djm Exp $ */
|
||||
+/* $OpenBSD: dh.h,v 1.11 2013/10/08 11:42:13 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
||||
@@ -43,6 +43,7 @@ int dh_pub_is_valid(DH *, BIGNUM *);
|
||||
|
||||
int dh_estimate(int);
|
||||
|
||||
+/* Min and max values from RFC4419. */
|
||||
#define DH_GRP_MIN 1024
|
||||
#define DH_GRP_MAX 8192
|
||||
|
||||
|
|
@ -30,7 +30,7 @@ diff -up openssh-6.3p1/auth-krb5.c.ccache_name openssh-6.3p1/auth-krb5.c
|
|||
+ if (authctxt->krb5_ticket_file[0] == ':')
|
||||
+ authctxt->krb5_ticket_file++;
|
||||
+
|
||||
+ len = strlen(authctxt->krb5_ticket_file) + strlen(ccache_type);
|
||||
+ len = strlen(authctxt->krb5_ticket_file) + strlen(ccache_type) + 2;
|
||||
authctxt->krb5_ccname = xmalloc(len);
|
||||
- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
|
||||
+
|
||||
|
|
@ -52,7 +52,7 @@ diff -up openssh-6.3p1/auth-krb5.c.ccache_name openssh-6.3p1/auth-krb5.c
|
|||
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam)
|
||||
@@ -235,10 +256,34 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
@@ -235,10 +256,36 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
void
|
||||
krb5_cleanup_proc(Authctxt *authctxt)
|
||||
{
|
||||
|
|
@ -64,24 +64,26 @@ diff -up openssh-6.3p1/auth-krb5.c.ccache_name openssh-6.3p1/auth-krb5.c
|
|||
krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
|
||||
authctxt->krb5_fwd_ccache = NULL;
|
||||
+
|
||||
+ strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);
|
||||
+ krb5_ccname_dir_start = strchr(krb5_ccname, ':') + 1;
|
||||
+ *krb5_ccname_dir_start++ = '\0';
|
||||
+ if (strcmp(krb5_ccname, "DIR") == 0) {
|
||||
+ if (authctxt->krb5_ccname != NULL) {
|
||||
+ strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);
|
||||
+ krb5_ccname_dir_start = strchr(krb5_ccname, ':') + 1;
|
||||
+ *krb5_ccname_dir_start++ = '\0';
|
||||
+ if (strcmp(krb5_ccname, "DIR") == 0) {
|
||||
+
|
||||
+ strcat(krb5_ccname_dir_start, "/primary");
|
||||
+ strcat(krb5_ccname_dir_start, "/primary");
|
||||
+
|
||||
+ if (stat(krb5_ccname_dir_start, &krb5_ccname_stat) == 0) {
|
||||
+ if (unlink(krb5_ccname_dir_start) == 0) {
|
||||
+ krb5_ccname_dir_end = strrchr(krb5_ccname_dir_start, '/');
|
||||
+ *krb5_ccname_dir_end = '\0';
|
||||
+ if (rmdir(krb5_ccname_dir_start) == -1)
|
||||
+ debug("cache dir '%s' remove failed: %s", krb5_ccname_dir_start, strerror(errno));
|
||||
+ if (stat(krb5_ccname_dir_start, &krb5_ccname_stat) == 0) {
|
||||
+ if (unlink(krb5_ccname_dir_start) == 0) {
|
||||
+ krb5_ccname_dir_end = strrchr(krb5_ccname_dir_start, '/');
|
||||
+ *krb5_ccname_dir_end = '\0';
|
||||
+ if (rmdir(krb5_ccname_dir_start) == -1)
|
||||
+ debug("cache dir '%s' remove failed: %s", krb5_ccname_dir_start, strerror(errno));
|
||||
+ }
|
||||
+ else
|
||||
+ debug("cache primary file '%s', remove failed: %s",
|
||||
+ krb5_ccname_dir_start, strerror(errno)
|
||||
+ );
|
||||
+ }
|
||||
+ else
|
||||
+ debug("cache primary file '%s', remove failed: %s",
|
||||
+ krb5_ccname_dir_start, strerror(errno)
|
||||
+ );
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,167 +0,0 @@
|
|||
diff -up openssh-6.3p1/auth-krb5.c.kuserok openssh-6.3p1/auth-krb5.c
|
||||
--- openssh-6.3p1/auth-krb5.c.kuserok 2013-10-11 21:41:42.889087613 +0200
|
||||
+++ openssh-6.3p1/auth-krb5.c 2013-10-11 21:41:42.905087537 +0200
|
||||
@@ -55,6 +55,20 @@
|
||||
|
||||
extern ServerOptions options;
|
||||
|
||||
+int
|
||||
+ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client)
|
||||
+{
|
||||
+ if (options.use_kuserok)
|
||||
+ return krb5_kuserok(krb5_ctx, krb5_user, client);
|
||||
+ else {
|
||||
+ char kuser[65];
|
||||
+
|
||||
+ if (krb5_aname_to_localname(krb5_ctx, krb5_user, sizeof(kuser), kuser))
|
||||
+ return 0;
|
||||
+ return strcmp(kuser, client) == 0;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static int
|
||||
krb5_init(void *context)
|
||||
{
|
||||
@@ -159,7 +173,7 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
if (problem)
|
||||
goto out;
|
||||
|
||||
- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
|
||||
+ if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
|
||||
problem = -1;
|
||||
goto out;
|
||||
}
|
||||
diff -up openssh-6.3p1/gss-serv-krb5.c.kuserok openssh-6.3p1/gss-serv-krb5.c
|
||||
--- openssh-6.3p1/gss-serv-krb5.c.kuserok 2013-10-11 21:41:42.901087556 +0200
|
||||
+++ openssh-6.3p1/gss-serv-krb5.c 2013-10-11 21:46:42.898673597 +0200
|
||||
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
|
||||
int);
|
||||
|
||||
static krb5_context krb_context = NULL;
|
||||
+extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *);
|
||||
|
||||
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
|
||||
|
||||
@@ -116,7 +117,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
|
||||
/* NOTE: .k5login and .k5users must opened as root, not the user,
|
||||
* because if they are on a krb5-protected filesystem, user credentials
|
||||
* to access these files aren't available yet. */
|
||||
- if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
|
||||
+ if (ssh_krb5_kuserok(krb_context, princ, name) && k5login_exists) {
|
||||
retval = 1;
|
||||
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
|
||||
name, (char *)client->displayname.value);
|
||||
diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c
|
||||
--- openssh-6.3p1/servconf.c.kuserok 2013-10-11 21:41:42.896087580 +0200
|
||||
+++ openssh-6.3p1/servconf.c 2013-10-11 21:48:24.664194016 +0200
|
||||
@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions
|
||||
options->ip_qos_interactive = -1;
|
||||
options->ip_qos_bulk = -1;
|
||||
options->version_addendum = NULL;
|
||||
+ options->use_kuserok = -1;
|
||||
}
|
||||
|
||||
void
|
||||
@@ -310,6 +311,8 @@ fill_default_server_options(ServerOption
|
||||
options->version_addendum = xstrdup("");
|
||||
if (options->show_patchlevel == -1)
|
||||
options->show_patchlevel = 0;
|
||||
+ if (options->use_kuserok == -1)
|
||||
+ options->use_kuserok = 1;
|
||||
|
||||
/* Turn privilege separation on by default */
|
||||
if (use_privsep == -1)
|
||||
@@ -336,7 +339,7 @@ typedef enum {
|
||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||
- sKerberosGetAFSToken,
|
||||
+ sKerberosGetAFSToken, sKerberosUseKuserok,
|
||||
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||
sListenAddress, sAddressFamily,
|
||||
@@ -409,11 +412,13 @@ static struct {
|
||||
#else
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
+ { "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
|
||||
#else
|
||||
{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
|
||||
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
+ { "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
|
||||
#endif
|
||||
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -1515,6 +1520,10 @@ process_server_config_line(ServerOptions
|
||||
*activep = value;
|
||||
break;
|
||||
|
||||
+ case sKerberosUseKuserok:
|
||||
+ intptr = &options->use_kuserok;
|
||||
+ goto parse_flag;
|
||||
+
|
||||
case sPermitOpen:
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
@@ -1815,6 +1824,7 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(max_authtries);
|
||||
M_CP_INTOPT(ip_qos_interactive);
|
||||
M_CP_INTOPT(ip_qos_bulk);
|
||||
+ M_CP_INTOPT(use_kuserok);
|
||||
M_CP_INTOPT(rekey_limit);
|
||||
M_CP_INTOPT(rekey_interval);
|
||||
|
||||
@@ -2055,6 +2065,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
||||
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
diff -up openssh-6.3p1/servconf.h.kuserok openssh-6.3p1/servconf.h
|
||||
--- openssh-6.3p1/servconf.h.kuserok 2013-10-11 21:41:42.896087580 +0200
|
||||
+++ openssh-6.3p1/servconf.h 2013-10-11 21:41:42.907087528 +0200
|
||||
@@ -174,6 +174,7 @@ typedef struct {
|
||||
|
||||
int num_permitted_opens;
|
||||
|
||||
+ int use_kuserok;
|
||||
char *chroot_directory;
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
diff -up openssh-6.3p1/sshd_config.5.kuserok openssh-6.3p1/sshd_config.5
|
||||
--- openssh-6.3p1/sshd_config.5.kuserok 2013-10-11 21:41:42.898087571 +0200
|
||||
+++ openssh-6.3p1/sshd_config.5 2013-10-11 21:41:42.907087528 +0200
|
||||
@@ -675,6 +675,10 @@ Specifies whether to automatically destr
|
||||
file on logout.
|
||||
The default is
|
||||
.Dq yes .
|
||||
+.It Cm KerberosUseKuserok
|
||||
+Specifies whether to look at .k5login file for user's aliases.
|
||||
+The default is
|
||||
+.Dq yes .
|
||||
.It Cm KexAlgorithms
|
||||
Specifies the available KEX (Key Exchange) algorithms.
|
||||
Multiple algorithms must be comma-separated.
|
||||
@@ -833,6 +837,7 @@ Available keywords are
|
||||
.Cm HostbasedUsesNameFromPacketOnly ,
|
||||
.Cm KbdInteractiveAuthentication ,
|
||||
.Cm KerberosAuthentication ,
|
||||
+.Cm KerberosUseKuserok ,
|
||||
.Cm MaxAuthTries ,
|
||||
.Cm MaxSessions ,
|
||||
.Cm PasswordAuthentication ,
|
||||
diff -up openssh-6.3p1/sshd_config.kuserok openssh-6.3p1/sshd_config
|
||||
--- openssh-6.3p1/sshd_config.kuserok 2013-10-11 21:41:42.898087571 +0200
|
||||
+++ openssh-6.3p1/sshd_config 2013-10-11 21:41:42.907087528 +0200
|
||||
@@ -86,6 +86,7 @@ ChallengeResponseAuthentication no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
#KerberosGetAFSToken no
|
||||
+#KerberosUseKuserok yes
|
||||
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
||||
|
|
@ -1,104 +0,0 @@
|
|||
diff -up openssh-6.3p1/openbsd-compat/port-linux.c.privsep-selinux openssh-6.3p1/openbsd-compat/port-linux.c
|
||||
--- openssh-6.3p1/openbsd-compat/port-linux.c.privsep-selinux 2013-10-10 14:58:20.634762245 +0200
|
||||
+++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 15:13:57.864306950 +0200
|
||||
@@ -503,6 +503,25 @@ ssh_selinux_change_context(const char *n
|
||||
free(newctx);
|
||||
}
|
||||
|
||||
+void
|
||||
+ssh_selinux_copy_context(void)
|
||||
+{
|
||||
+ security_context_t *ctx;
|
||||
+
|
||||
+ if (!ssh_selinux_enabled())
|
||||
+ return;
|
||||
+
|
||||
+ if (getexeccon((security_context_t *)&ctx) != 0) {
|
||||
+ logit("%s: getcon failed with %s", __func__, strerror (errno));
|
||||
+ return;
|
||||
+ }
|
||||
+ if (ctx != NULL) {
|
||||
+ if (setcon(ctx) != 0)
|
||||
+ logit("%s: setcon failed with %s", __func__, strerror (errno));
|
||||
+ freecon(ctx);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
#endif /* WITH_SELINUX */
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
diff -up openssh-6.3p1/openbsd-compat/port-linux.h.privsep-selinux openssh-6.3p1/openbsd-compat/port-linux.h
|
||||
--- openssh-6.3p1/openbsd-compat/port-linux.h.privsep-selinux 2011-01-25 02:16:18.000000000 +0100
|
||||
+++ openssh-6.3p1/openbsd-compat/port-linux.h 2013-10-10 14:58:20.634762245 +0200
|
||||
@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
|
||||
void ssh_selinux_setup_pty(char *, const char *);
|
||||
void ssh_selinux_setup_exec_context(char *);
|
||||
void ssh_selinux_change_context(const char *);
|
||||
+void ssh_selinux_copy_context(void);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
#endif
|
||||
|
||||
diff -up openssh-6.3p1/session.c.privsep-selinux openssh-6.3p1/session.c
|
||||
--- openssh-6.3p1/session.c.privsep-selinux 2013-10-10 14:58:20.617762326 +0200
|
||||
+++ openssh-6.3p1/session.c 2013-10-10 15:13:16.520503590 +0200
|
||||
@@ -1522,6 +1522,9 @@ do_setusercontext(struct passwd *pw)
|
||||
pw->pw_uid);
|
||||
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
|
||||
"u", pw->pw_name, (char *)NULL);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ ssh_selinux_copy_context();
|
||||
+#endif
|
||||
safely_chroot(chroot_path, pw->pw_uid);
|
||||
free(tmp);
|
||||
free(chroot_path);
|
||||
@@ -1544,6 +1547,12 @@ do_setusercontext(struct passwd *pw)
|
||||
/* Permanently switch to the desired uid. */
|
||||
permanently_set_uid(pw);
|
||||
#endif
|
||||
+
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (options.chroot_directory == NULL ||
|
||||
+ strcasecmp(options.chroot_directory, "none") == 0)
|
||||
+ ssh_selinux_copy_context();
|
||||
+#endif
|
||||
} else if (options.chroot_directory != NULL &&
|
||||
strcasecmp(options.chroot_directory, "none") != 0) {
|
||||
fatal("server lacks privileges to chroot to ChrootDirectory");
|
||||
@@ -1808,9 +1817,6 @@ do_child(Session *s, const char *command
|
||||
argv[i] = NULL;
|
||||
optind = optreset = 1;
|
||||
__progname = argv[0];
|
||||
-#ifdef WITH_SELINUX
|
||||
- ssh_selinux_change_context("sftpd_t");
|
||||
-#endif
|
||||
exit(sftp_server_main(i, argv, s->pw));
|
||||
}
|
||||
|
||||
diff -up openssh-6.3p1/sshd.c.privsep-selinux openssh-6.3p1/sshd.c
|
||||
--- openssh-6.3p1/sshd.c.privsep-selinux 2013-10-10 14:58:20.632762255 +0200
|
||||
+++ openssh-6.3p1/sshd.c 2013-10-10 14:58:20.635762241 +0200
|
||||
@@ -668,6 +668,10 @@ privsep_preauth_child(void)
|
||||
/* Demote the private keys to public keys. */
|
||||
demote_sensitive_data();
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ ssh_selinux_change_context("sshd_net_t");
|
||||
+#endif
|
||||
+
|
||||
/* Change our root directory */
|
||||
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
|
||||
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
|
||||
@@ -811,6 +815,13 @@ privsep_postauth(Authctxt *authctxt)
|
||||
do_setusercontext(authctxt->pw);
|
||||
|
||||
skip:
|
||||
+#ifdef WITH_SELINUX
|
||||
+ /* switch SELinux content for root too */
|
||||
+ if (authctxt->pw->pw_uid == 0) {
|
||||
+ ssh_selinux_copy_context();
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
/* It is safe now to apply the key state */
|
||||
monitor_apply_keystate(pmonitor);
|
||||
|
||||
16
openssh-6.4p1-fromto-remote.patch
Normal file
16
openssh-6.4p1-fromto-remote.patch
Normal file
|
|
@ -0,0 +1,16 @@
|
|||
diff --git a/scp.c b/scp.c
|
||||
index d98fa67..25d347b 100644
|
||||
--- a/scp.c
|
||||
+++ b/scp.c
|
||||
@@ -638,7 +638,10 @@ toremote(char *targ, int argc, char **argv)
|
||||
addargs(&alist, "%s", ssh_program);
|
||||
addargs(&alist, "-x");
|
||||
addargs(&alist, "-oClearAllForwardings=yes");
|
||||
- addargs(&alist, "-n");
|
||||
+ if (isatty(fileno(stdin)))
|
||||
+ addargs(&alist, "-t");
|
||||
+ else
|
||||
+ addargs(&alist, "-n");
|
||||
for (j = 0; j < remote_remote_args.num; j++) {
|
||||
addargs(&alist, "%s",
|
||||
remote_remote_args.list[j]);
|
||||
12
openssh-6.6.1p1-localdomain.patch
Normal file
12
openssh-6.6.1p1-localdomain.patch
Normal file
|
|
@ -0,0 +1,12 @@
|
|||
diff --git a/ssh_config b/ssh_config
|
||||
index 03a228f..49a4f6c 100644
|
||||
--- a/ssh_config
|
||||
+++ b/ssh_config
|
||||
@@ -46,3 +46,7 @@
|
||||
# VisualHostKey no
|
||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||
# RekeyLimit 1G 1h
|
||||
+#
|
||||
+# Uncomment this if you want to use .local domain
|
||||
+# Host *.local
|
||||
+# CheckHostIP no
|
||||
12
openssh-6.6.1p1-log-sftp-only-connections.patch
Normal file
12
openssh-6.6.1p1-log-sftp-only-connections.patch
Normal file
|
|
@ -0,0 +1,12 @@
|
|||
diff --git a/session.c b/session.c
|
||||
index 626a642..b186ca1 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -1859,6 +1859,7 @@ do_child(Session *s, const char *command)
|
||||
|
||||
if (s->is_subsystem == SUBSYSTEM_INT_SFTP_ERROR) {
|
||||
printf("This service allows sftp connections only.\n");
|
||||
+ logit("The session allows sftp connections only");
|
||||
fflush(NULL);
|
||||
exit(1);
|
||||
} else if (s->is_subsystem == SUBSYSTEM_INT_SFTP) {
|
||||
17
openssh-6.6.1p1-mls-fix-labeling.patch
Normal file
17
openssh-6.6.1p1-mls-fix-labeling.patch
Normal file
|
|
@ -0,0 +1,17 @@
|
|||
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
|
||||
index 22ea8ef..2660085 100644
|
||||
--- a/openbsd-compat/port-linux.c
|
||||
+++ b/openbsd-compat/port-linux.c
|
||||
@@ -116,7 +116,11 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
|
||||
|
||||
debug3("%s: setting TTY context on %s", __func__, tty);
|
||||
|
||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||
+ if (getexeccon(&user_ctx) != 0) {
|
||||
+ error("%s: getexeccon: %s", __func__, strerror(errno));
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
|
||||
/* XXX: should these calls fatal() upon failure in enforcing mode? */
|
||||
|
||||
131
openssh-6.6p1-GSSAPIEnablek5users.patch
Normal file
131
openssh-6.6p1-GSSAPIEnablek5users.patch
Normal file
|
|
@ -0,0 +1,131 @@
|
|||
diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-serv-krb5.c
|
||||
--- openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users 2017-02-09 10:10:47.403859893 +0100
|
||||
+++ openssh-7.4p1/gss-serv-krb5.c 2017-02-09 10:10:47.414859882 +0100
|
||||
@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||
FILE *fp;
|
||||
char file[MAXPATHLEN];
|
||||
char line[BUFSIZ];
|
||||
- char kuser[65]; /* match krb5_kuserok() */
|
||||
struct stat st;
|
||||
struct passwd *pw = the_authctxt->pw;
|
||||
int found_principal = 0;
|
||||
@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||
|
||||
snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
|
||||
/* If both .k5login and .k5users DNE, self-login is ok. */
|
||||
- if (!k5login_exists && (access(file, F_OK) == -1)) {
|
||||
+ if ( !options.enable_k5users || (!k5login_exists && (access(file, F_OK) == -1))) {
|
||||
return ssh_krb5_kuserok(krb_context, principal, luser,
|
||||
k5login_exists);
|
||||
}
|
||||
diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.GSSAPIEnablek5users 2017-02-09 10:10:47.404859892 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2017-02-09 10:18:45.800385543 +0100
|
||||
@@ -166,6 +166,7 @@ initialize_server_options(ServerOptions
|
||||
options->ip_qos_bulk = -1;
|
||||
options->version_addendum = NULL;
|
||||
options->use_kuserok = -1;
|
||||
+ options->enable_k5users = -1;
|
||||
options->fingerprint_hash = -1;
|
||||
options->disable_forwarding = -1;
|
||||
}
|
||||
@@ -337,6 +338,8 @@ fill_default_server_options(ServerOption
|
||||
options->show_patchlevel = 0;
|
||||
if (options->use_kuserok == -1)
|
||||
options->use_kuserok = 1;
|
||||
+ if (options->enable_k5users == -1)
|
||||
+ options->enable_k5users = 0;
|
||||
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
|
||||
options->fwd_opts.streamlocal_bind_mask = 0177;
|
||||
if (options->fwd_opts.streamlocal_bind_unlink == -1)
|
||||
@@ -418,7 +421,7 @@ typedef enum {
|
||||
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
|
||||
sHostKeyAlgorithms,
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
||||
sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
@@ -497,12 +500,14 @@ static struct {
|
||||
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
|
||||
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
|
||||
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
|
||||
+ { "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
|
||||
#else
|
||||
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
|
||||
+ { "gssapienablek5users", sUnsupported, SSHCFG_ALL },
|
||||
#endif
|
||||
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -1653,6 +1658,10 @@ process_server_config_line(ServerOptions
|
||||
intptr = &options->use_kuserok;
|
||||
goto parse_flag;
|
||||
|
||||
+ case sGssEnablek5users:
|
||||
+ intptr = &options->enable_k5users;
|
||||
+ goto parse_flag;
|
||||
+
|
||||
case sPermitOpen:
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(ip_qos_interactive);
|
||||
M_CP_INTOPT(ip_qos_bulk);
|
||||
M_CP_INTOPT(use_kuserok);
|
||||
+ M_CP_INTOPT(enable_k5users);
|
||||
M_CP_INTOPT(rekey_limit);
|
||||
M_CP_INTOPT(rekey_interval);
|
||||
|
||||
@@ -2319,6 +2329,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
||||
+ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
|
||||
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
|
||||
|
||||
/* string arguments */
|
||||
diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h
|
||||
--- openssh-7.4p1/servconf.h.GSSAPIEnablek5users 2017-02-09 10:10:47.404859892 +0100
|
||||
+++ openssh-7.4p1/servconf.h 2017-02-09 10:10:47.415859881 +0100
|
||||
@@ -174,7 +174,8 @@ typedef struct {
|
||||
|
||||
int num_permitted_opens;
|
||||
|
||||
- int use_kuserok;
|
||||
+ int use_kuserok;
|
||||
+ int enable_k5users;
|
||||
char *chroot_directory;
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users 2017-02-09 10:10:47.415859881 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2017-02-09 10:19:29.420336796 +0100
|
||||
@@ -633,6 +633,12 @@ Specifies whether key exchange based on
|
||||
doesn't rely on ssh keys to verify host identity.
|
||||
The default is
|
||||
.Dq no .
|
||||
+.It Cm GSSAPIEnablek5users
|
||||
+Specifies whether to look at .k5users file for GSSAPI authentication
|
||||
+access control. Further details are described in
|
||||
+.Xr ksu 1 .
|
||||
+The default is
|
||||
+.Cm no .
|
||||
.It Cm GSSAPIStrictAcceptorCheck
|
||||
Determines whether to be strict about the identity of the GSSAPI acceptor
|
||||
a client authenticates against.
|
||||
diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config
|
||||
--- openssh-7.4p1/sshd_config.GSSAPIEnablek5users 2017-02-09 10:10:47.404859892 +0100
|
||||
+++ openssh-7.4p1/sshd_config 2017-02-09 10:10:47.415859881 +0100
|
||||
@@ -80,6 +80,7 @@ GSSAPIAuthentication yes
|
||||
GSSAPICleanupCredentials no
|
||||
#GSSAPIStrictAcceptorCheck yes
|
||||
#GSSAPIKeyExchange no
|
||||
+#GSSAPIEnablek5users no
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
39
openssh-6.6p1-allow-ip-opts.patch
Normal file
39
openssh-6.6p1-allow-ip-opts.patch
Normal file
|
|
@ -0,0 +1,39 @@
|
|||
diff -up openssh/sshd.c.ip-opts openssh/sshd.c
|
||||
--- openssh/sshd.c.ip-opts 2016-07-25 13:58:48.998507834 +0200
|
||||
+++ openssh/sshd.c 2016-07-25 14:01:28.346469878 +0200
|
||||
@@ -1507,12 +1507,29 @@ check_ip_options(struct ssh *ssh)
|
||||
|
||||
if (getsockopt(sock_in, IPPROTO_IP, IP_OPTIONS, opts,
|
||||
&option_size) >= 0 && option_size != 0) {
|
||||
- text[0] = '\0';
|
||||
- for (i = 0; i < option_size; i++)
|
||||
- snprintf(text + i*3, sizeof(text) - i*3,
|
||||
- " %2.2x", opts[i]);
|
||||
- fatal("Connection from %.100s port %d with IP opts: %.800s",
|
||||
- ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text);
|
||||
+ i = 0;
|
||||
+ do {
|
||||
+ switch (opts[i]) {
|
||||
+ case 0:
|
||||
+ case 1:
|
||||
+ ++i;
|
||||
+ break;
|
||||
+ case 130:
|
||||
+ case 133:
|
||||
+ case 134:
|
||||
+ i += opts[i + 1];
|
||||
+ break;
|
||||
+ default:
|
||||
+ /* Fail, fatally, if we detect either loose or strict
|
||||
+ * source routing options. */
|
||||
+ text[0] = '\0';
|
||||
+ for (i = 0; i < option_size; i++)
|
||||
+ snprintf(text + i*3, sizeof(text) - i*3,
|
||||
+ " %2.2x", opts[i]);
|
||||
+ fatal("Connection from %.100s port %d with IP options:%.800s",
|
||||
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text);
|
||||
+ }
|
||||
+ } while (i < option_size);
|
||||
}
|
||||
return;
|
||||
#endif /* IP_OPTIONS */
|
||||
40
openssh-6.6p1-allowGroups-documentation.patch
Normal file
40
openssh-6.6p1-allowGroups-documentation.patch
Normal file
|
|
@ -0,0 +1,40 @@
|
|||
diff --git a/sshd_config.5 b/sshd_config.5
|
||||
index 2320128..6244e68 100644
|
||||
--- a/sshd_config.5
|
||||
+++ b/sshd_config.5
|
||||
@@ -120,6 +120,8 @@ The allow/deny directives are processed in the following order:
|
||||
.Cm DenyGroups ,
|
||||
and finally
|
||||
.Cm AllowGroups .
|
||||
+All of the specified user and group tests must succeed, before user
|
||||
+is allowed to log in.
|
||||
.Pp
|
||||
See PATTERNS in
|
||||
.Xr ssh_config 5
|
||||
@@ -160,6 +162,8 @@ The allow/deny directives are processed in the following order:
|
||||
.Cm DenyGroups ,
|
||||
and finally
|
||||
.Cm AllowGroups .
|
||||
+All of the specified user and group tests must succeed, before user
|
||||
+is allowed to log in.
|
||||
.Pp
|
||||
See PATTERNS in
|
||||
.Xr ssh_config 5
|
||||
@@ -430,6 +434,8 @@ The allow/deny directives are processed in the following order:
|
||||
.Cm DenyGroups ,
|
||||
and finally
|
||||
.Cm AllowGroups .
|
||||
+All of the specified user and group tests must succeed, before user
|
||||
+is allowed to log in.
|
||||
.Pp
|
||||
See PATTERNS in
|
||||
.Xr ssh_config 5
|
||||
@@ -449,6 +455,8 @@ The allow/deny directives are processed in the following order:
|
||||
.Cm DenyGroups ,
|
||||
and finally
|
||||
.Cm AllowGroups .
|
||||
+All of the specified user and group tests must succeed, before user
|
||||
+is allowed to log in.
|
||||
.Pp
|
||||
See PATTERNS in
|
||||
.Xr ssh_config 5
|
||||
183
openssh-6.6p1-audit-race-condition.patch
Normal file
183
openssh-6.6p1-audit-race-condition.patch
Normal file
|
|
@ -0,0 +1,183 @@
|
|||
diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
|
||||
--- openssh-7.4p1/monitor_wrap.c.audit-race 2017-02-09 14:07:56.870994116 +0100
|
||||
+++ openssh-7.4p1/monitor_wrap.c 2017-02-09 14:07:56.874994112 +0100
|
||||
@@ -1107,4 +1107,48 @@ mm_audit_destroy_sensitive_data(const ch
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
|
||||
buffer_free(&m);
|
||||
}
|
||||
+
|
||||
+int mm_forward_audit_messages(int fdin)
|
||||
+{
|
||||
+ u_char buf[4];
|
||||
+ u_int blen, msg_len;
|
||||
+ Buffer m;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ debug3("%s: entering", __func__);
|
||||
+ buffer_init(&m);
|
||||
+ do {
|
||||
+ blen = atomicio(read, fdin, buf, sizeof(buf));
|
||||
+ if (blen == 0) /* closed pipe */
|
||||
+ break;
|
||||
+ if (blen != sizeof(buf)) {
|
||||
+ error("%s: Failed to read the buffer from child", __func__);
|
||||
+ ret = -1;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ msg_len = get_u32(buf);
|
||||
+ if (msg_len > 256 * 1024)
|
||||
+ fatal("%s: read: bad msg_len %d", __func__, msg_len);
|
||||
+ buffer_clear(&m);
|
||||
+ buffer_append_space(&m, msg_len);
|
||||
+ if (atomicio(read, fdin, buffer_ptr(&m), msg_len) != msg_len) {
|
||||
+ error("%s: Failed to read the the buffer content from the child", __func__);
|
||||
+ ret = -1;
|
||||
+ break;
|
||||
+ }
|
||||
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
|
||||
+ atomicio(vwrite, pmonitor->m_recvfd, buffer_ptr(&m), msg_len) != msg_len) {
|
||||
+ error("%s: Failed to write the message to the monitor", __func__);
|
||||
+ ret = -1;
|
||||
+ break;
|
||||
+ }
|
||||
+ } while (1);
|
||||
+ buffer_free(&m);
|
||||
+ return ret;
|
||||
+}
|
||||
+void mm_set_monitor_pipe(int fd)
|
||||
+{
|
||||
+ pmonitor->m_recvfd = fd;
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-7.4p1/monitor_wrap.h.audit-race openssh-7.4p1/monitor_wrap.h
|
||||
--- openssh-7.4p1/monitor_wrap.h.audit-race 2017-02-09 14:07:56.870994116 +0100
|
||||
+++ openssh-7.4p1/monitor_wrap.h 2017-02-09 14:07:56.874994112 +0100
|
||||
@@ -80,6 +80,8 @@ void mm_audit_unsupported_body(int);
|
||||
void mm_audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t);
|
||||
void mm_audit_session_key_free_body(int, pid_t, uid_t);
|
||||
void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t);
|
||||
+int mm_forward_audit_messages(int);
|
||||
+void mm_set_monitor_pipe(int);
|
||||
#endif
|
||||
|
||||
struct Session;
|
||||
diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
|
||||
--- openssh-7.4p1/session.c.audit-race 2017-02-09 14:07:56.871994115 +0100
|
||||
+++ openssh-7.4p1/session.c 2017-02-09 14:09:44.710893783 +0100
|
||||
@@ -162,6 +162,10 @@ static Session *sessions = NULL;
|
||||
login_cap_t *lc;
|
||||
#endif
|
||||
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+int paudit[2];
|
||||
+#endif
|
||||
+
|
||||
static int is_child = 0;
|
||||
static int in_chroot = 0;
|
||||
static int have_dev_log = 1;
|
||||
@@ -289,6 +293,8 @@ xauth_valid_string(const char *s)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+void child_destory_sensitive_data();
|
||||
+
|
||||
#define USE_PIPES 1
|
||||
/*
|
||||
* This is called to fork and execute a command when we have no tty. This
|
||||
@@ -424,6 +430,8 @@ do_exec_no_pty(Session *s, const char *c
|
||||
cray_init_job(s->pw); /* set up cray jid and tmpdir */
|
||||
#endif
|
||||
|
||||
+ child_destory_sensitive_data();
|
||||
+
|
||||
/* Do processing for the child (exec command etc). */
|
||||
do_child(s, command);
|
||||
/* NOTREACHED */
|
||||
@@ -547,6 +555,9 @@ do_exec_pty(Session *s, const char *comm
|
||||
/* Close the extra descriptor for the pseudo tty. */
|
||||
close(ttyfd);
|
||||
|
||||
+ /* Do this early, so we will not block large MOTDs */
|
||||
+ child_destory_sensitive_data();
|
||||
+
|
||||
/* record login, etc. similar to login(1) */
|
||||
#ifdef _UNICOS
|
||||
cray_init_job(s->pw); /* set up cray jid and tmpdir */
|
||||
@@ -717,6 +728,8 @@ do_exec(Session *s, const char *command)
|
||||
}
|
||||
if (s->command != NULL && s->ptyfd == -1)
|
||||
s->command_handle = PRIVSEP(audit_run_command(s->command));
|
||||
+ if (pipe(paudit) < 0)
|
||||
+ fatal("pipe: %s", strerror(errno));
|
||||
#endif
|
||||
if (s->ttyfd != -1)
|
||||
ret = do_exec_pty(s, command);
|
||||
@@ -732,6 +745,20 @@ do_exec(Session *s, const char *command)
|
||||
*/
|
||||
buffer_clear(&loginmsg);
|
||||
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ close(paudit[1]);
|
||||
+ if (use_privsep && ret == 0) {
|
||||
+ /*
|
||||
+ * Read the audit messages from forked child and send them
|
||||
+ * back to monitor. We don't want to communicate directly,
|
||||
+ * because the messages might get mixed up.
|
||||
+ * Continue after the pipe gets closed (all messages sent).
|
||||
+ */
|
||||
+ ret = mm_forward_audit_messages(paudit[0]);
|
||||
+ }
|
||||
+ close(paudit[0]);
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
+
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -1542,6 +1569,33 @@ child_close_fds(void)
|
||||
endpwent();
|
||||
}
|
||||
|
||||
+void
|
||||
+child_destory_sensitive_data()
|
||||
+{
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ int pparent = paudit[1];
|
||||
+ close(paudit[0]);
|
||||
+ /* Hack the monitor pipe to avoid race condition with parent */
|
||||
+ if (use_privsep)
|
||||
+ mm_set_monitor_pipe(pparent);
|
||||
+#endif
|
||||
+
|
||||
+ /* remove hostkey from the child's memory */
|
||||
+ destroy_sensitive_data(use_privsep);
|
||||
+ /*
|
||||
+ * We can audit this, because we hacked the pipe to direct the
|
||||
+ * messages over postauth child. But this message requires answer
|
||||
+ * which we can't do using one-way pipe.
|
||||
+ */
|
||||
+ packet_destroy_all(0, 1);
|
||||
+
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ /* Notify parent that we are done */
|
||||
+ close(pparent);
|
||||
+#endif
|
||||
+
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Performs common processing for the child, such as setting up the
|
||||
* environment, closing extra file descriptors, setting the user and group
|
||||
@@ -1558,12 +1612,6 @@ do_child(Session *s, const char *command
|
||||
struct passwd *pw = s->pw;
|
||||
int r = 0;
|
||||
|
||||
- /* remove hostkey from the child's memory */
|
||||
- destroy_sensitive_data(1);
|
||||
- /* Don't audit this - both us and the parent would be talking to the
|
||||
- monitor over a single socket, with no synchronization. */
|
||||
- packet_destroy_all(0, 1);
|
||||
-
|
||||
/* Force a password change */
|
||||
if (s->authctxt->force_pwchange) {
|
||||
do_setusercontext(pw);
|
||||
|
|
@ -1,7 +1,8 @@
|
|||
diff -up openssh-6.2p1/entropy.c.entropy openssh-6.2p1/entropy.c
|
||||
--- openssh-6.2p1/entropy.c.entropy 2013-03-25 19:31:42.737611051 +0100
|
||||
+++ openssh-6.2p1/entropy.c 2013-03-25 19:31:42.797611433 +0100
|
||||
@@ -237,6 +237,9 @@ seed_rng(void)
|
||||
diff --git a/entropy.c b/entropy.c
|
||||
index 2d483b3..b361a04 100644
|
||||
--- a/entropy.c
|
||||
+++ b/entropy.c
|
||||
@@ -234,6 +234,9 @@ seed_rng(void)
|
||||
memset(buf, '\0', sizeof(buf));
|
||||
|
||||
#endif /* OPENSSL_PRNG_ONLY */
|
||||
|
|
@ -11,21 +12,34 @@ diff -up openssh-6.2p1/entropy.c.entropy openssh-6.2p1/entropy.c
|
|||
if (RAND_status() != 1)
|
||||
fatal("PRNG is not seeded");
|
||||
}
|
||||
diff -up openssh-6.2p1/openbsd-compat/Makefile.in.entropy openssh-6.2p1/openbsd-compat/Makefile.in
|
||||
--- openssh-6.2p1/openbsd-compat/Makefile.in.entropy 2013-03-25 19:31:42.798611440 +0100
|
||||
+++ openssh-6.2p1/openbsd-compat/Makefile.in 2013-03-25 19:33:02.042116876 +0100
|
||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
|
||||
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
|
||||
index b912dbe..9206337 100644
|
||||
--- a/openbsd-compat/Makefile.in
|
||||
+++ b/openbsd-compat/Makefile.in
|
||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
|
||||
|
||||
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
|
||||
|
||||
-PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o
|
||||
+PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
|
||||
-PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
|
||||
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||
diff -up openssh-6.2p1/openbsd-compat/port-linux-prng.c.entropy openssh-6.2p1/openbsd-compat/port-linux-prng.c
|
||||
--- openssh-6.2p1/openbsd-compat/port-linux-prng.c.entropy 2013-03-25 19:31:42.798611440 +0100
|
||||
+++ openssh-6.2p1/openbsd-compat/port-linux-prng.c 2013-03-25 19:31:42.798611440 +0100
|
||||
diff -up openssh-7.4p1/openbsd-compat/port-linux.h.entropy openssh-7.4p1/openbsd-compat/port-linux.h
|
||||
--- openssh-7.4p1/openbsd-compat/port-linux.h.entropy 2016-12-23 18:34:27.747753563 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/port-linux.h 2016-12-23 18:34:27.769753570 +0100
|
||||
@@ -34,4 +34,6 @@ void oom_adjust_restore(void);
|
||||
void oom_adjust_setup(void);
|
||||
#endif
|
||||
|
||||
+void linux_seed(void);
|
||||
+
|
||||
#endif /* ! _PORT_LINUX_H */
|
||||
diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c
|
||||
new file mode 100644
|
||||
index 0000000..92a617c
|
||||
--- /dev/null
|
||||
+++ b/openbsd-compat/port-linux-prng.c
|
||||
@@ -0,0 +1,59 @@
|
||||
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
|
||||
+
|
||||
|
|
@ -59,6 +73,7 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux-prng.c.entropy openssh-6.2p1/op
|
|||
+
|
||||
+#include "log.h"
|
||||
+#include "xmalloc.h"
|
||||
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
|
||||
+#include "servconf.h"
|
||||
+#include "port-linux.h"
|
||||
+#include "key.h"
|
||||
|
|
@ -68,10 +83,9 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux-prng.c.entropy openssh-6.2p1/op
|
|||
+void
|
||||
+linux_seed(void)
|
||||
+{
|
||||
+ int len;
|
||||
+ char *env = getenv("SSH_USE_STRONG_RNG");
|
||||
+ char *random = "/dev/random";
|
||||
+ size_t ienv, randlen = 14;
|
||||
+ size_t len, ienv, randlen = 14;
|
||||
+
|
||||
+ if (!env || !strcmp(env, "0"))
|
||||
+ random = "/dev/urandom";
|
||||
|
|
@ -86,9 +100,10 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux-prng.c.entropy openssh-6.2p1/op
|
|||
+ fatal ("EOF reading %s", random);
|
||||
+ }
|
||||
+}
|
||||
diff -up openssh-6.2p1/ssh-add.0.entropy openssh-6.2p1/ssh-add.0
|
||||
--- openssh-6.2p1/ssh-add.0.entropy 2013-03-22 00:38:29.000000000 +0100
|
||||
+++ openssh-6.2p1/ssh-add.0 2013-03-25 19:31:42.799611446 +0100
|
||||
diff --git a/ssh-add.0 b/ssh-add.0
|
||||
index ba43fee..0b2629a 100644
|
||||
--- a/ssh-add.0
|
||||
+++ b/ssh-add.0
|
||||
@@ -82,6 +82,16 @@ ENVIRONMENT
|
||||
Identifies the path of a UNIX-domain socket used to communicate
|
||||
with the agent.
|
||||
|
|
@ -106,10 +121,11 @@ diff -up openssh-6.2p1/ssh-add.0.entropy openssh-6.2p1/ssh-add.0
|
|||
FILES
|
||||
~/.ssh/identity
|
||||
Contains the protocol version 1 RSA authentication identity of
|
||||
diff -up openssh-6.2p1/ssh-add.1.entropy openssh-6.2p1/ssh-add.1
|
||||
--- openssh-6.2p1/ssh-add.1.entropy 2012-12-07 03:06:13.000000000 +0100
|
||||
+++ openssh-6.2p1/ssh-add.1 2013-03-25 19:31:42.799611446 +0100
|
||||
@@ -160,6 +160,20 @@ to make this work.)
|
||||
diff --git a/ssh-add.1 b/ssh-add.1
|
||||
index 4812448..16305bf 100644
|
||||
--- a/ssh-add.1
|
||||
+++ b/ssh-add.1
|
||||
@@ -161,6 +161,20 @@ to make this work.)
|
||||
Identifies the path of a
|
||||
.Ux Ns -domain
|
||||
socket used to communicate with the agent.
|
||||
|
|
@ -130,10 +146,11 @@ diff -up openssh-6.2p1/ssh-add.1.entropy openssh-6.2p1/ssh-add.1
|
|||
.El
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds
|
||||
diff -up openssh-6.2p1/ssh-agent.1.entropy openssh-6.2p1/ssh-agent.1
|
||||
--- openssh-6.2p1/ssh-agent.1.entropy 2010-12-01 01:50:35.000000000 +0100
|
||||
+++ openssh-6.2p1/ssh-agent.1 2013-03-25 19:31:42.800611452 +0100
|
||||
@@ -198,6 +198,24 @@ sockets used to contain the connection t
|
||||
diff --git a/ssh-agent.1 b/ssh-agent.1
|
||||
index 281ecbd..1a9a635 100644
|
||||
--- a/ssh-agent.1
|
||||
+++ b/ssh-agent.1
|
||||
@@ -201,6 +201,24 @@ sockets used to contain the connection to the authentication agent.
|
||||
These sockets should only be readable by the owner.
|
||||
The sockets should get automatically removed when the agent exits.
|
||||
.El
|
||||
|
|
@ -158,38 +175,11 @@ diff -up openssh-6.2p1/ssh-agent.1.entropy openssh-6.2p1/ssh-agent.1
|
|||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
diff -up openssh-6.2p1/sshd.8.entropy openssh-6.2p1/sshd.8
|
||||
--- openssh-6.2p1/sshd.8.entropy 2013-03-25 19:31:42.752611146 +0100
|
||||
+++ openssh-6.2p1/sshd.8 2013-03-25 19:31:42.800611452 +0100
|
||||
@@ -945,6 +945,24 @@ concurrently for different ports, this c
|
||||
started last).
|
||||
The content of this file is not sensitive; it can be world-readable.
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh IPV6
|
||||
IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
|
||||
.Sh SEE ALSO
|
||||
diff -up openssh-6.2p1/ssh-keygen.1.entropy openssh-6.2p1/ssh-keygen.1
|
||||
--- openssh-6.2p1/ssh-keygen.1.entropy 2013-01-20 12:35:06.000000000 +0100
|
||||
+++ openssh-6.2p1/ssh-keygen.1 2013-03-25 19:31:42.801611459 +0100
|
||||
@@ -806,6 +806,24 @@ Contains Diffie-Hellman groups used for
|
||||
diff --git a/ssh-keygen.1 b/ssh-keygen.1
|
||||
index 12e00d4..1b51a4a 100644
|
||||
--- a/ssh-keygen.1
|
||||
+++ b/ssh-keygen.1
|
||||
@@ -832,6 +832,24 @@ Contains Diffie-Hellman groups used for DH-GEX.
|
||||
The file format is described in
|
||||
.Xr moduli 5 .
|
||||
.El
|
||||
|
|
@ -214,10 +204,11 @@ diff -up openssh-6.2p1/ssh-keygen.1.entropy openssh-6.2p1/ssh-keygen.1
|
|||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
diff -up openssh-6.2p1/ssh-keysign.8.entropy openssh-6.2p1/ssh-keysign.8
|
||||
--- openssh-6.2p1/ssh-keysign.8.entropy 2010-08-31 14:41:14.000000000 +0200
|
||||
+++ openssh-6.2p1/ssh-keysign.8 2013-03-25 19:31:42.801611459 +0100
|
||||
@@ -78,6 +78,24 @@ must be set-uid root if host-based authe
|
||||
diff --git a/ssh-keysign.8 b/ssh-keysign.8
|
||||
index 69d0829..02d79f8 100644
|
||||
--- a/ssh-keysign.8
|
||||
+++ b/ssh-keysign.8
|
||||
@@ -80,6 +80,24 @@ must be set-uid root if host-based authentication is used.
|
||||
If these files exist they are assumed to contain public certificate
|
||||
information corresponding with the private keys above.
|
||||
.El
|
||||
|
|
@ -242,10 +233,11 @@ diff -up openssh-6.2p1/ssh-keysign.8.entropy openssh-6.2p1/ssh-keysign.8
|
|||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
diff -up openssh-6.2p1/ssh.1.entropy openssh-6.2p1/ssh.1
|
||||
--- openssh-6.2p1/ssh.1.entropy 2013-03-25 19:31:42.752611146 +0100
|
||||
+++ openssh-6.2p1/ssh.1 2013-03-25 19:31:42.799611446 +0100
|
||||
@@ -1277,6 +1277,23 @@ For more information, see the
|
||||
diff --git a/ssh.1 b/ssh.1
|
||||
index 929904b..f65e42f 100644
|
||||
--- a/ssh.1
|
||||
+++ b/ssh.1
|
||||
@@ -1309,6 +1309,23 @@ For more information, see the
|
||||
.Cm PermitUserEnvironment
|
||||
option in
|
||||
.Xr sshd_config 5 .
|
||||
|
|
@ -269,3 +261,32 @@ diff -up openssh-6.2p1/ssh.1.entropy openssh-6.2p1/ssh.1
|
|||
.Sh FILES
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Pa ~/.rhosts
|
||||
diff --git a/sshd.8 b/sshd.8
|
||||
index c2c237f..058d37a 100644
|
||||
--- a/sshd.8
|
||||
+++ b/sshd.8
|
||||
@@ -951,6 +951,24 @@ concurrently for different ports, this contains the process ID of the one
|
||||
started last).
|
||||
The content of this file is not sensitive; it can be world-readable.
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh IPV6
|
||||
IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
|
||||
.Sh SEE ALSO
|
||||
|
|
@ -1,6 +1,7 @@
|
|||
diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
|
||||
--- openssh-6.3p1/gss-serv-krb5.c.force_krb 2013-10-11 18:58:51.553948159 +0200
|
||||
+++ openssh-6.3p1/gss-serv-krb5.c 2013-10-11 21:40:49.972337025 +0200
|
||||
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
|
||||
index 42de994..60de320 100644
|
||||
--- a/gss-serv-krb5.c
|
||||
+++ b/gss-serv-krb5.c
|
||||
@@ -32,7 +32,9 @@
|
||||
#include <sys/types.h>
|
||||
|
||||
|
|
@ -11,12 +12,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
|
|||
|
||||
#include "xmalloc.h"
|
||||
#include "key.h"
|
||||
@@ -40,10 +42,12 @@
|
||||
#include "auth.h"
|
||||
#include "log.h"
|
||||
#include "servconf.h"
|
||||
+#include "misc.h"
|
||||
|
||||
@@ -40,6 +42,7 @@
|
||||
#include "buffer.h"
|
||||
#include "ssh-gss.h"
|
||||
|
||||
|
|
@ -38,7 +34,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
|
|||
static krb5_context krb_context = NULL;
|
||||
|
||||
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
|
||||
@@ -87,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
|
||||
@@ -87,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
|
||||
krb5_principal princ;
|
||||
int retval;
|
||||
const char *errmsg;
|
||||
|
|
@ -46,7 +42,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
|
|||
|
||||
if (ssh_gssapi_krb5_init() == 0)
|
||||
return 0;
|
||||
@@ -98,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
|
||||
@@ -98,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
|
||||
krb5_free_error_message(krb_context, errmsg);
|
||||
return 0;
|
||||
}
|
||||
|
|
@ -70,7 +66,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
|
|||
} else
|
||||
retval = 0;
|
||||
|
||||
@@ -109,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
|
||||
@@ -109,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
|
||||
return retval;
|
||||
}
|
||||
|
||||
|
|
@ -167,7 +163,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
|
|||
+ k5users_allowed_cmds[ncommands-1] =
|
||||
+ xstrdup(pw->pw_shell);
|
||||
+ k5users_allowed_cmds =
|
||||
+ xrealloc(k5users_allowed_cmds, ++ncommands,
|
||||
+ xreallocarray(k5users_allowed_cmds, ++ncommands,
|
||||
+ sizeof(*k5users_allowed_cmds));
|
||||
+ break;
|
||||
+ }
|
||||
|
|
@ -180,7 +176,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
|
|||
+ k5users_allowed_cmds[ncommands-1] =
|
||||
+ xstrdup(token);
|
||||
+ k5users_allowed_cmds =
|
||||
+ xrealloc(k5users_allowed_cmds, ++ncommands,
|
||||
+ xreallocarray(k5users_allowed_cmds, ++ncommands,
|
||||
+ sizeof(*k5users_allowed_cmds));
|
||||
+ token = strtok(NULL, " \t\n");
|
||||
+ }
|
||||
|
|
@ -206,19 +202,20 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
|
|||
|
||||
/* This writes out any forwarded credentials from the structure populated
|
||||
* during userauth. Called after we have setuid to the user */
|
||||
diff -up openssh-6.3p1/session.c.force_krb openssh-6.3p1/session.c
|
||||
--- openssh-6.3p1/session.c.force_krb 2013-10-11 18:58:51.487948468 +0200
|
||||
+++ openssh-6.3p1/session.c 2013-10-11 18:58:51.563948112 +0200
|
||||
@@ -823,6 +823,29 @@ do_exec(Session *s, const char *command)
|
||||
debug("Forced command (key option) '%.900s'", command);
|
||||
diff --git a/session.c b/session.c
|
||||
index b5dc144..ba4589b 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -806,6 +806,29 @@ do_exec(Session *s, const char *command)
|
||||
command = forced_command;
|
||||
forced = "(key-option)";
|
||||
}
|
||||
|
||||
+#ifdef GSSAPI
|
||||
+#ifdef KRB5 /* k5users_allowed_cmds only available w/ GSSAPI+KRB5 */
|
||||
+ else if (k5users_allowed_cmds) {
|
||||
+ const char *match = command;
|
||||
+ int allowed = 0, i = 0;
|
||||
+
|
||||
+
|
||||
+ if (!match)
|
||||
+ match = s->pw->pw_shell;
|
||||
+ while (k5users_allowed_cmds[i]) {
|
||||
|
|
@ -236,12 +233,13 @@ diff -up openssh-6.3p1/session.c.force_krb openssh-6.3p1/session.c
|
|||
+#endif
|
||||
+#endif
|
||||
+
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
if (s->command != NULL || s->command_handle != -1)
|
||||
fatal("do_exec: command already set");
|
||||
diff -up openssh-6.3p1/ssh-gss.h.force_krb openssh-6.3p1/ssh-gss.h
|
||||
--- openssh-6.3p1/ssh-gss.h.force_krb 2013-10-11 18:58:51.558948136 +0200
|
||||
+++ openssh-6.3p1/ssh-gss.h 2013-10-11 18:58:51.563948112 +0200
|
||||
if (forced != NULL) {
|
||||
if (IS_INTERNAL_SFTP(command)) {
|
||||
s->is_subsystem = s->is_subsystem ?
|
||||
diff --git a/ssh-gss.h b/ssh-gss.h
|
||||
index 0374c88..509109a 100644
|
||||
--- a/ssh-gss.h
|
||||
+++ b/ssh-gss.h
|
||||
@@ -49,6 +49,10 @@
|
||||
# endif /* !HAVE_DECL_GSS_C_NT_... */
|
||||
|
||||
|
|
@ -253,10 +251,11 @@ diff -up openssh-6.3p1/ssh-gss.h.force_krb openssh-6.3p1/ssh-gss.h
|
|||
#endif /* KRB5 */
|
||||
|
||||
/* draft-ietf-secsh-gsskeyex-06 */
|
||||
diff -up openssh-6.3p1/sshd.8.force_krb openssh-6.3p1/sshd.8
|
||||
--- openssh-6.3p1/sshd.8.force_krb 2013-10-11 18:58:51.537948234 +0200
|
||||
+++ openssh-6.3p1/sshd.8 2013-10-11 18:58:51.563948112 +0200
|
||||
@@ -326,6 +326,7 @@ Finally, the server and the client enter
|
||||
diff --git a/sshd.8 b/sshd.8
|
||||
index 058d37a..5c4f15b 100644
|
||||
--- a/sshd.8
|
||||
+++ b/sshd.8
|
||||
@@ -327,6 +327,7 @@ Finally, the server and the client enter an authentication dialog.
|
||||
The client tries to authenticate itself using
|
||||
host-based authentication,
|
||||
public key authentication,
|
||||
|
|
@ -264,7 +263,7 @@ diff -up openssh-6.3p1/sshd.8.force_krb openssh-6.3p1/sshd.8
|
|||
challenge-response authentication,
|
||||
or password authentication.
|
||||
.Pp
|
||||
@@ -797,6 +798,12 @@ This file is used in exactly the same wa
|
||||
@@ -800,6 +801,12 @@ This file is used in exactly the same way as
|
||||
but allows host-based authentication without permitting login with
|
||||
rlogin/rsh.
|
||||
.Pp
|
||||
87
openssh-6.6p1-k5login_directory.patch
Normal file
87
openssh-6.6p1-k5login_directory.patch
Normal file
|
|
@ -0,0 +1,87 @@
|
|||
diff --git a/auth-krb5.c b/auth-krb5.c
|
||||
index 2b02a04..19b9364 100644
|
||||
--- a/auth-krb5.c
|
||||
+++ b/auth-krb5.c
|
||||
@@ -375,6 +375,22 @@ cleanup:
|
||||
return -1;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Reads k5login_directory option from the krb5.conf
|
||||
+ */
|
||||
+krb5_error_code
|
||||
+ssh_krb5_get_k5login_directory(krb5_context ctx, char **k5login_directory) {
|
||||
+ profile_t p;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ ret = krb5_get_profile(ctx, &p);
|
||||
+ if (ret)
|
||||
+ return ret;
|
||||
+
|
||||
+ return profile_get_string(p, "libdefaults", "k5login_directory", NULL, NULL,
|
||||
+ k5login_directory);
|
||||
+}
|
||||
+
|
||||
krb5_error_code
|
||||
ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
|
||||
profile_t p;
|
||||
diff --git a/auth.h b/auth.h
|
||||
index f9d191c..c432d2f 100644
|
||||
--- a/auth.h
|
||||
+++ b/auth.h
|
||||
@@ -222,5 +222,7 @@ int sys_auth_passwd(Authctxt *, const char *);
|
||||
#if defined(KRB5) && !defined(HEIMDAL)
|
||||
#include <krb5.h>
|
||||
krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
|
||||
+krb5_error_code ssh_krb5_get_k5login_directory(krb5_context ctx,
|
||||
+ char **k5login_directory);
|
||||
#endif
|
||||
#endif
|
||||
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
|
||||
index a7c0c5f..df8cc9a 100644
|
||||
--- a/gss-serv-krb5.c
|
||||
+++ b/gss-serv-krb5.c
|
||||
@@ -244,8 +244,27 @@ ssh_gssapi_k5login_exists()
|
||||
{
|
||||
char file[MAXPATHLEN];
|
||||
struct passwd *pw = the_authctxt->pw;
|
||||
+ char *k5login_directory = NULL;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory);
|
||||
+ debug3("%s: k5login_directory = %s (rv=%d)", __func__, k5login_directory, ret);
|
||||
+ if (k5login_directory == NULL || ret != 0) {
|
||||
+ /* If not set, the library will look for k5login
|
||||
+ * files in the user's home directory, with the filename .k5login.
|
||||
+ */
|
||||
+ snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
|
||||
+ } else {
|
||||
+ /* If set, the library will look for a local user's k5login file
|
||||
+ * within the named directory, with a filename corresponding to the
|
||||
+ * local username.
|
||||
+ */
|
||||
+ snprintf(file, sizeof(file), "%s%s%s", k5login_directory,
|
||||
+ k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "",
|
||||
+ pw->pw_name);
|
||||
+ }
|
||||
+ debug("%s: Checking existence of file %s", __func__, file);
|
||||
|
||||
- snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
|
||||
return access(file, F_OK) == 0;
|
||||
}
|
||||
|
||||
diff --git a/sshd.8 b/sshd.8
|
||||
index 5c4f15b..135e290 100644
|
||||
--- a/sshd.8
|
||||
+++ b/sshd.8
|
||||
@@ -806,6 +806,10 @@ rlogin/rsh.
|
||||
These files enforce GSSAPI/Kerberos authentication access control.
|
||||
Further details are described in
|
||||
.Xr ksu 1 .
|
||||
+The location of the k5login file depends on the configuration option
|
||||
+.Cm k5login_directory
|
||||
+in the
|
||||
+.Xr krb5.conf 5 .
|
||||
.Pp
|
||||
.It Pa ~/.ssh/
|
||||
This directory is the default location for all user-specific configuration
|
||||
|
|
@ -1,6 +1,61 @@
|
|||
diff -up openssh-6.3p1/HOWTO.ssh-keycat.keycat openssh-6.3p1/HOWTO.ssh-keycat
|
||||
--- openssh-6.3p1/HOWTO.ssh-keycat.keycat 2013-10-10 15:16:33.445566916 +0200
|
||||
+++ openssh-6.3p1/HOWTO.ssh-keycat 2013-10-10 15:16:33.445566916 +0200
|
||||
diff -up openssh-7.4p1/auth2-pubkey.c.keycat openssh-7.4p1/auth2-pubkey.c
|
||||
--- openssh-7.4p1/auth2-pubkey.c.keycat 2017-02-08 14:32:33.015581448 +0100
|
||||
+++ openssh-7.4p1/auth2-pubkey.c 2017-02-08 14:40:26.125216292 +0100
|
||||
@@ -1043,6 +1043,14 @@ user_key_command_allowed2(struct passwd
|
||||
xasprintf(&command, "%s %s", av[0], av[1]);
|
||||
}
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (sshd_selinux_setup_env_variables() < 0) {
|
||||
+ error ("failed to copy environment: %s",
|
||||
+ strerror(errno));
|
||||
+ _exit(127);
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
if ((pid = subprocess("AuthorizedKeysCommand", pw, command,
|
||||
ac, av, &f)) == 0)
|
||||
goto out;
|
||||
diff -up openssh-7.4p1/configure.ac.keycat openssh-7.4p1/configure.ac
|
||||
--- openssh-7.4p1/configure.ac.keycat 2017-02-08 14:32:33.011581451 +0100
|
||||
+++ openssh-7.4p1/configure.ac 2017-02-08 14:32:33.016581448 +0100
|
||||
@@ -3129,6 +3129,7 @@ AC_ARG_WITH([pam],
|
||||
PAM_MSG="yes"
|
||||
|
||||
SSHDLIBS="$SSHDLIBS -lpam"
|
||||
+ KEYCATLIBS="$KEYCATLIBS -lpam"
|
||||
AC_DEFINE([USE_PAM], [1],
|
||||
[Define if you want to enable PAM support])
|
||||
|
||||
@@ -3139,6 +3140,7 @@ AC_ARG_WITH([pam],
|
||||
;;
|
||||
*)
|
||||
SSHDLIBS="$SSHDLIBS -ldl"
|
||||
+ KEYCATLIBS="$KEYCATLIBS -ldl"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
@@ -4255,6 +4257,7 @@ AC_ARG_WITH([selinux],
|
||||
)
|
||||
AC_SUBST([SSHLIBS])
|
||||
AC_SUBST([SSHDLIBS])
|
||||
+AC_SUBST([KEYCATLIBS])
|
||||
|
||||
# Check whether user wants Kerberos 5 support
|
||||
KRB5_MSG="no"
|
||||
@@ -5206,6 +5209,9 @@ fi
|
||||
if test ! -z "${SSHLIBS}"; then
|
||||
echo " +for ssh: ${SSHLIBS}"
|
||||
fi
|
||||
+if test ! -z "${KEYCATLIBS}"; then
|
||||
+echo " +for ssh-keycat: ${KEYCATLIBS}"
|
||||
+fi
|
||||
|
||||
echo ""
|
||||
|
||||
diff -up openssh-7.4p1/HOWTO.ssh-keycat.keycat openssh-7.4p1/HOWTO.ssh-keycat
|
||||
--- openssh-7.4p1/HOWTO.ssh-keycat.keycat 2017-02-08 14:32:33.014581449 +0100
|
||||
+++ openssh-7.4p1/HOWTO.ssh-keycat 2017-02-08 14:32:33.014581449 +0100
|
||||
@@ -0,0 +1,12 @@
|
||||
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
|
||||
+of an user in any environment. This includes environments with
|
||||
|
|
@ -14,9 +69,9 @@ diff -up openssh-6.3p1/HOWTO.ssh-keycat.keycat openssh-6.3p1/HOWTO.ssh-keycat
|
|||
+ PubkeyAuthentication yes
|
||||
+
|
||||
+
|
||||
diff -up openssh-6.3p1/Makefile.in.keycat openssh-6.3p1/Makefile.in
|
||||
--- openssh-6.3p1/Makefile.in.keycat 2013-10-10 15:16:33.442566930 +0200
|
||||
+++ openssh-6.3p1/Makefile.in 2013-10-10 15:16:33.445566916 +0200
|
||||
diff -up openssh-7.4p1/Makefile.in.keycat openssh-7.4p1/Makefile.in
|
||||
--- openssh-7.4p1/Makefile.in.keycat 2017-02-08 14:32:33.012581451 +0100
|
||||
+++ openssh-7.4p1/Makefile.in 2017-02-08 14:38:28.839306815 +0100
|
||||
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
||||
|
|
@ -25,26 +80,34 @@ diff -up openssh-6.3p1/Makefile.in.keycat openssh-6.3p1/Makefile.in
|
|||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
@@ -64,7 +65,7 @@ EXEEXT=@EXEEXT@
|
||||
@@ -51,6 +52,7 @@ K5LIBS=@K5LIBS@
|
||||
GSSLIBS=@GSSLIBS@
|
||||
SSHLIBS=@SSHLIBS@
|
||||
SSHDLIBS=@SSHDLIBS@
|
||||
+KEYCATLIBS=@KEYCATLIBS@
|
||||
LIBEDIT=@LIBEDIT@
|
||||
AR=@AR@
|
||||
AWK=@AWK@
|
||||
@@ -65,7 +67,7 @@ EXEEXT=@EXEEXT@
|
||||
MANFMT=@MANFMT@
|
||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
||||
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||
|
||||
LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
|
||||
canohost.o channels.o cipher.o cipher-aes.o \
|
||||
@@ -172,6 +173,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
||||
LIBOPENSSH_OBJS=\
|
||||
ssh_api.o \
|
||||
@@ -190,6 +192,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
||||
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
||||
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keycat.o
|
||||
+ $(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
|
||||
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
|
||||
+ $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(SSHLIBS)
|
||||
+
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@@ -279,6 +283,7 @@ install-files:
|
||||
@@ -332,6 +337,7 @@ install-files:
|
||||
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
|
||||
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
||||
fi
|
||||
|
|
@ -52,37 +115,54 @@ diff -up openssh-6.3p1/Makefile.in.keycat openssh-6.3p1/Makefile.in
|
|||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
diff -up openssh-6.3p1/auth2-pubkey.c.keycat openssh-6.3p1/auth2-pubkey.c
|
||||
--- openssh-6.3p1/auth2-pubkey.c.keycat 2013-10-10 15:16:33.429566992 +0200
|
||||
+++ openssh-6.3p1/auth2-pubkey.c 2013-10-10 15:16:33.445566916 +0200
|
||||
@@ -606,6 +606,14 @@ user_key_command_allowed2(struct passwd
|
||||
_exit(1);
|
||||
}
|
||||
diff -up openssh-7.4p1/openbsd-compat/port-linux.h.keycat openssh-7.4p1/openbsd-compat/port-linux.h
|
||||
--- openssh-7.4p1/openbsd-compat/port-linux.h.keycat 2017-02-08 14:32:33.009581453 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/port-linux.h 2017-02-08 14:32:33.015581448 +0100
|
||||
@@ -23,8 +23,10 @@ void ssh_selinux_setup_pty(char *, const
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (ssh_selinux_setup_env_variables() < 0) {
|
||||
+ error ("failed to copy environment: %s",
|
||||
+ strerror(errno));
|
||||
+ _exit(127);
|
||||
+ }
|
||||
+#endif
|
||||
+int sshd_selinux_enabled(void);
|
||||
void sshd_selinux_copy_context(void);
|
||||
void sshd_selinux_setup_exec_context(char *);
|
||||
+int sshd_selinux_setup_env_variables(void);
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.keycat openssh-7.4p1/openbsd-compat/port-linux-sshd.c
|
||||
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.keycat 2017-02-08 14:32:33.008581454 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2017-02-08 14:32:33.015581448 +0100
|
||||
@@ -53,6 +53,20 @@ extern Authctxt *the_authctxt;
|
||||
extern int inetd_flag;
|
||||
extern int rexeced_flag;
|
||||
|
||||
+/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||
+int
|
||||
+sshd_selinux_enabled(void)
|
||||
+{
|
||||
+ static int enabled = -1;
|
||||
+
|
||||
execl(options.authorized_keys_command,
|
||||
options.authorized_keys_command, user_pw->pw_name, NULL);
|
||||
|
||||
diff -up openssh-6.3p1/openbsd-compat/port-linux.c.keycat openssh-6.3p1/openbsd-compat/port-linux.c
|
||||
--- openssh-6.3p1/openbsd-compat/port-linux.c.keycat 2013-10-10 15:16:33.435566964 +0200
|
||||
+++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 15:32:19.946065189 +0200
|
||||
@@ -313,7 +313,7 @@ ssh_selinux_getctxbyname(char *pwname,
|
||||
+ if (enabled == -1) {
|
||||
+ enabled = (is_selinux_enabled() == 1);
|
||||
+ debug("SELinux support %s", enabled ? "enabled" : "disabled");
|
||||
+ }
|
||||
+
|
||||
+ return (enabled);
|
||||
+}
|
||||
+
|
||||
/* Send audit message */
|
||||
static int
|
||||
sshd_selinux_send_audit_message(int success, security_context_t default_context,
|
||||
@@ -307,7 +321,7 @@ sshd_selinux_getctxbyname(char *pwname,
|
||||
|
||||
/* Setup environment variables for pam_selinux */
|
||||
static int
|
||||
-ssh_selinux_setup_pam_variables(void)
|
||||
+ssh_selinux_setup_variables(int(*set_it)(const char *, const char *))
|
||||
-sshd_selinux_setup_pam_variables(void)
|
||||
+sshd_selinux_setup_variables(int(*set_it)(char *, const char *))
|
||||
{
|
||||
const char *reqlvl;
|
||||
char *role;
|
||||
@@ -324,16 +324,16 @@ ssh_selinux_setup_pam_variables(void)
|
||||
@@ -318,16 +332,16 @@ sshd_selinux_setup_pam_variables(void)
|
||||
|
||||
ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
|
||||
|
|
@ -102,34 +182,64 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.keycat openssh-6.3p1/openbsd-
|
|||
|
||||
if (role != NULL)
|
||||
free(role);
|
||||
@@ -341,6 +341,24 @@ ssh_selinux_setup_pam_variables(void)
|
||||
@@ -335,6 +349,24 @@ sshd_selinux_setup_pam_variables(void)
|
||||
return rv;
|
||||
}
|
||||
|
||||
+static int
|
||||
+ssh_selinux_setup_pam_variables(void)
|
||||
+sshd_selinux_setup_pam_variables(void)
|
||||
+{
|
||||
+ return ssh_selinux_setup_variables(do_pam_putenv);
|
||||
+ return sshd_selinux_setup_variables(do_pam_putenv);
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+do_setenv(char *name, char *value)
|
||||
+do_setenv(char *name, const char *value)
|
||||
+{
|
||||
+ return setenv(name, value, 1);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+ssh_selinux_setup_env_variables(void)
|
||||
+sshd_selinux_setup_env_variables(void)
|
||||
+{
|
||||
+ return ssh_selinux_setup_variables(do_setenv);
|
||||
+ return sshd_selinux_setup_variables(do_setenv);
|
||||
+}
|
||||
+
|
||||
/* Set the execution context to the default for the specified user */
|
||||
void
|
||||
ssh_selinux_setup_exec_context(char *pwname)
|
||||
diff -up openssh-6.3p1/ssh-keycat.c.keycat openssh-6.3p1/ssh-keycat.c
|
||||
--- openssh-6.3p1/ssh-keycat.c.keycat 2013-10-10 15:16:33.446566911 +0200
|
||||
+++ openssh-6.3p1/ssh-keycat.c 2013-10-10 15:16:33.446566911 +0200
|
||||
sshd_selinux_setup_exec_context(char *pwname)
|
||||
@@ -343,7 +375,7 @@ sshd_selinux_setup_exec_context(char *pw
|
||||
int r = 0;
|
||||
security_context_t default_ctx = NULL;
|
||||
|
||||
- if (!ssh_selinux_enabled())
|
||||
+ if (!sshd_selinux_enabled())
|
||||
return;
|
||||
|
||||
if (options.use_pam) {
|
||||
@@ -414,7 +446,7 @@ sshd_selinux_copy_context(void)
|
||||
{
|
||||
security_context_t *ctx;
|
||||
|
||||
- if (!ssh_selinux_enabled())
|
||||
+ if (!sshd_selinux_enabled())
|
||||
return;
|
||||
|
||||
if (getexeccon((security_context_t *)&ctx) != 0) {
|
||||
diff -up openssh-7.4p1/platform.c.keycat openssh-7.4p1/platform.c
|
||||
--- openssh-7.4p1/platform.c.keycat 2017-02-08 14:32:33.007581455 +0100
|
||||
+++ openssh-7.4p1/platform.c 2017-02-08 14:32:33.015581448 +0100
|
||||
@@ -99,7 +99,7 @@ platform_setusercontext(struct passwd *p
|
||||
{
|
||||
#ifdef WITH_SELINUX
|
||||
/* Cache selinux status for later use */
|
||||
- (void)ssh_selinux_enabled();
|
||||
+ (void)sshd_selinux_enabled();
|
||||
#endif
|
||||
|
||||
#ifdef USE_SOLARIS_PROJECTS
|
||||
diff -up openssh-7.4p1/ssh-keycat.c.keycat openssh-7.4p1/ssh-keycat.c
|
||||
--- openssh-7.4p1/ssh-keycat.c.keycat 2017-02-08 14:32:33.015581448 +0100
|
||||
+++ openssh-7.4p1/ssh-keycat.c 2017-02-08 14:32:33.015581448 +0100
|
||||
@@ -0,0 +1,238 @@
|
||||
+/*
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
|
|
@ -1,15 +1,15 @@
|
|||
diff -up openssh-5.8p1/authfile.c.keyperm openssh-5.8p1/authfile.c
|
||||
--- openssh-5.8p1/authfile.c.keyperm 2010-12-01 02:03:39.000000000 +0100
|
||||
+++ openssh-5.8p1/authfile.c 2011-04-21 16:43:36.859648916 +0200
|
||||
@@ -57,6 +57,7 @@
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
+#include <grp.h>
|
||||
diff -up openssh-6.6p1/authfile.c.keyperm openssh-6.6p1/authfile.c
|
||||
--- openssh-6.6p1/authfile.c.keyperm 2014-02-04 01:20:15.000000000 +0100
|
||||
+++ openssh-6.6p1/authfile.c 2014-05-05 15:20:43.075246776 +0200
|
||||
@@ -54,6 +54,7 @@
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "cipher.h"
|
||||
@@ -600,6 +612,13 @@ key_perm_ok(int fd, const char *filename
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
+#include <grp.h>
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdlib.h>
|
||||
@@ -979,6 +980,13 @@ key_perm_ok(int fd, const char *filename
|
||||
#ifdef HAVE_CYGWIN
|
||||
if (check_ntsec(filename))
|
||||
#endif
|
||||
File diff suppressed because it is too large
Load diff
28
openssh-6.6p1-log-usepam-no.patch
Normal file
28
openssh-6.6p1-log-usepam-no.patch
Normal file
|
|
@ -0,0 +1,28 @@
|
|||
diff --git a/sshd.c b/sshd.c
|
||||
index a7b8b6a..24ab272 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -1620,6 +1620,10 @@ main(int ac, char **av)
|
||||
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
||||
&cfg, NULL);
|
||||
|
||||
+ /* 'UsePAM no' is not supported in Red Hat Enterprise Linux */
|
||||
+ if (! options.use_pam)
|
||||
+ logit("WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several problems.");
|
||||
+
|
||||
seed_rng();
|
||||
|
||||
/* Fill in default values for those options not explicitly set. */
|
||||
diff --git a/sshd_config b/sshd_config
|
||||
index 36cb27a..c1b7c03 100644
|
||||
--- a/sshd_config
|
||||
+++ b/sshd_config
|
||||
@@ -101,6 +101,8 @@ GSSAPICleanupCredentials no
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
+# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
|
||||
+# problems.
|
||||
UsePAM yes
|
||||
|
||||
#AllowAgentForwarding yes
|
||||
25
openssh-6.6p1-memory-problems.patch
Normal file
25
openssh-6.6p1-memory-problems.patch
Normal file
|
|
@ -0,0 +1,25 @@
|
|||
diff -up openssh-7.4p1/servconf.c.memory-problems openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.memory-problems 2017-02-09 10:41:42.483123417 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2017-02-09 10:42:16.392102462 +0100
|
||||
@@ -2006,6 +2006,8 @@ copy_set_server_options(ServerOptions *d
|
||||
dst->n = src->n; \
|
||||
} while (0)
|
||||
|
||||
+ u_int i;
|
||||
+
|
||||
M_CP_INTOPT(password_authentication);
|
||||
M_CP_INTOPT(gss_authentication);
|
||||
M_CP_INTOPT(pubkey_authentication);
|
||||
@@ -2058,8 +2060,10 @@ copy_set_server_options(ServerOptions *d
|
||||
} while(0)
|
||||
#define M_CP_STRARRAYOPT(n, num_n) do {\
|
||||
if (src->num_n != 0) { \
|
||||
+ for (i = 0; i < dst->num_n; i++) \
|
||||
+ free(dst->n[i]); \
|
||||
for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
|
||||
- dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
|
||||
+ dst->n[dst->num_n] = src->n[dst->num_n]; \
|
||||
} \
|
||||
} while(0)
|
||||
|
||||
diff -up openssh-7.4p1/sshd.c.memory-problems openssh-7.4p1/sshd.c
|
||||
108
openssh-6.6p1-privsep-selinux.patch
Normal file
108
openssh-6.6p1-privsep-selinux.patch
Normal file
|
|
@ -0,0 +1,108 @@
|
|||
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
|
||||
index c18524e..d04f4ed 100644
|
||||
--- a/openbsd-compat/port-linux-sshd.c
|
||||
+++ b/openbsd-compat/port-linux-sshd.c
|
||||
@@ -409,6 +409,25 @@ sshd_selinux_setup_exec_context(char *pwname)
|
||||
debug3("%s: done", __func__);
|
||||
}
|
||||
|
||||
+void
|
||||
+sshd_selinux_copy_context(void)
|
||||
+{
|
||||
+ security_context_t *ctx;
|
||||
+
|
||||
+ if (!ssh_selinux_enabled())
|
||||
+ return;
|
||||
+
|
||||
+ if (getexeccon((security_context_t *)&ctx) != 0) {
|
||||
+ logit("%s: getcon failed with %s", __func__, strerror (errno));
|
||||
+ return;
|
||||
+ }
|
||||
+ if (ctx != NULL) {
|
||||
+ if (setcon(ctx) != 0)
|
||||
+ logit("%s: setcon failed with %s", __func__, strerror (errno));
|
||||
+ freecon(ctx);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
#endif
|
||||
#endif
|
||||
|
||||
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
|
||||
index 8ef6cc4..b18893c 100644
|
||||
--- a/openbsd-compat/port-linux.h
|
||||
+++ b/openbsd-compat/port-linux.h
|
||||
@@ -25,6 +25,7 @@ void ssh_selinux_setup_pty(char *, const char *);
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
|
||||
+void sshd_selinux_copy_context(void);
|
||||
void sshd_selinux_setup_exec_context(char *);
|
||||
#endif
|
||||
|
||||
diff --git a/session.c b/session.c
|
||||
index 2bcf818..b5dc144 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -1538,6 +1538,9 @@ do_setusercontext(struct passwd *pw)
|
||||
pw->pw_uid);
|
||||
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
|
||||
"u", pw->pw_name, (char *)NULL);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ sshd_selinux_copy_context();
|
||||
+#endif
|
||||
safely_chroot(chroot_path, pw->pw_uid);
|
||||
free(tmp);
|
||||
free(chroot_path);
|
||||
@@ -1565,6 +1568,12 @@ do_setusercontext(struct passwd *pw)
|
||||
/* Permanently switch to the desired uid. */
|
||||
permanently_set_uid(pw);
|
||||
#endif
|
||||
+
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (options.chroot_directory == NULL ||
|
||||
+ strcasecmp(options.chroot_directory, "none") == 0)
|
||||
+ sshd_selinux_copy_context();
|
||||
+#endif
|
||||
} else if (options.chroot_directory != NULL &&
|
||||
strcasecmp(options.chroot_directory, "none") != 0) {
|
||||
fatal("server lacks privileges to chroot to ChrootDirectory");
|
||||
@@ -1826,9 +1835,6 @@ do_child(Session *s, const char *command)
|
||||
argv[i] = NULL;
|
||||
optind = optreset = 1;
|
||||
__progname = argv[0];
|
||||
-#ifdef WITH_SELINUX
|
||||
- ssh_selinux_change_context("sftpd_t");
|
||||
-#endif
|
||||
exit(sftp_server_main(i, argv, s->pw));
|
||||
}
|
||||
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 07f9926..a97f8b7 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -632,6 +632,10 @@ privsep_preauth_child(void)
|
||||
/* Demote the private keys to public keys. */
|
||||
demote_sensitive_data();
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ ssh_selinux_change_context("sshd_net_t");
|
||||
+#endif
|
||||
+
|
||||
/* Demote the child */
|
||||
if (getuid() == 0 || geteuid() == 0) {
|
||||
/* Change our root directory */
|
||||
@@ -768,6 +772,13 @@ privsep_postauth(Authctxt *authctxt)
|
||||
do_setusercontext(authctxt->pw);
|
||||
|
||||
skip:
|
||||
+#ifdef WITH_SELINUX
|
||||
+ /* switch SELinux content for root too */
|
||||
+ if (authctxt->pw->pw_uid == 0) {
|
||||
+ sshd_selinux_copy_context();
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
/* It is safe now to apply the key state */
|
||||
monitor_apply_keystate(pmonitor);
|
||||
|
||||
|
|
@ -1,10 +1,11 @@
|
|||
diff -up openssh-6.3p1/ssh_config.redhat openssh-6.3p1/ssh_config
|
||||
--- openssh-6.3p1/ssh_config.redhat 2013-10-11 14:51:18.345876648 +0200
|
||||
+++ openssh-6.3p1/ssh_config 2013-10-11 15:13:05.429829266 +0200
|
||||
@@ -46,3 +46,14 @@
|
||||
# VisualHostKey no
|
||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||
# RekeyLimit 1G 1h
|
||||
diff -up openssh-7.4p1/ssh_config.redhat openssh-7.4p1/ssh_config
|
||||
--- openssh-7.4p1/ssh_config.redhat 2017-02-08 15:22:30.811307915 +0100
|
||||
+++ openssh-7.4p1/ssh_config 2017-02-08 15:22:30.812307915 +0100
|
||||
@@ -52,3 +52,15 @@
|
||||
# Uncomment this if you want to use .local domain
|
||||
# Host *.local
|
||||
# CheckHostIP no
|
||||
+
|
||||
+Host *
|
||||
+ GSSAPIAuthentication yes
|
||||
+# If this option is set to yes then remote X11 clients will have full access
|
||||
|
|
@ -16,10 +17,10 @@ diff -up openssh-6.3p1/ssh_config.redhat openssh-6.3p1/ssh_config
|
|||
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
+ SendEnv XMODIFIERS
|
||||
diff -up openssh-6.3p1/sshd_config.0.redhat openssh-6.3p1/sshd_config.0
|
||||
--- openssh-6.3p1/sshd_config.0.redhat 2013-09-13 08:20:43.000000000 +0200
|
||||
+++ openssh-6.3p1/sshd_config.0 2013-10-11 14:51:18.345876648 +0200
|
||||
@@ -653,9 +653,9 @@ DESCRIPTION
|
||||
diff -up openssh-7.4p1/sshd_config.0.redhat openssh-7.4p1/sshd_config.0
|
||||
--- openssh-7.4p1/sshd_config.0.redhat 2016-12-19 06:21:22.000000000 +0100
|
||||
+++ openssh-7.4p1/sshd_config.0 2017-02-08 15:22:30.813307914 +0100
|
||||
@@ -837,9 +837,9 @@ DESCRIPTION
|
||||
|
||||
SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
|
|
@ -32,10 +33,10 @@ diff -up openssh-6.3p1/sshd_config.0.redhat openssh-6.3p1/sshd_config.0
|
|||
|
||||
TCPKeepAlive
|
||||
Specifies whether the system should send TCP keepalive messages
|
||||
diff -up openssh-6.3p1/sshd_config.5.redhat openssh-6.3p1/sshd_config.5
|
||||
--- openssh-6.3p1/sshd_config.5.redhat 2013-07-20 05:21:53.000000000 +0200
|
||||
+++ openssh-6.3p1/sshd_config.5 2013-10-11 14:51:18.346876643 +0200
|
||||
@@ -1095,7 +1095,7 @@ Note that this option applies to protoco
|
||||
diff -up openssh-7.4p1/sshd_config.5.redhat openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.redhat 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2017-02-08 15:22:30.813307914 +0100
|
||||
@@ -1393,7 +1393,7 @@ By default no subsystems are defined.
|
||||
.It Cm SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
.Xr sshd 8 .
|
||||
|
|
@ -44,10 +45,10 @@ diff -up openssh-6.3p1/sshd_config.5.redhat openssh-6.3p1/sshd_config.5
|
|||
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
The default is AUTH.
|
||||
.It Cm TCPKeepAlive
|
||||
diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config
|
||||
--- openssh-6.3p1/sshd_config.redhat 2013-10-11 14:51:18.343876657 +0200
|
||||
+++ openssh-6.3p1/sshd_config 2013-10-11 14:51:18.346876643 +0200
|
||||
@@ -10,6 +10,10 @@
|
||||
diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config
|
||||
--- openssh-7.4p1/sshd_config.redhat 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sshd_config 2017-02-08 15:33:24.705736576 +0100
|
||||
@@ -10,21 +10,26 @@
|
||||
# possible, but leave them commented. Uncommented options override the
|
||||
# default value.
|
||||
|
||||
|
|
@ -58,15 +59,26 @@ diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config
|
|||
#Port 22
|
||||
#AddressFamily any
|
||||
#ListenAddress 0.0.0.0
|
||||
@@ -35,6 +39,7 @@
|
||||
#ListenAddress ::
|
||||
|
||||
-#HostKey /etc/ssh/ssh_host_rsa_key
|
||||
+HostKey /etc/ssh/ssh_host_rsa_key
|
||||
#HostKey /etc/ssh/ssh_host_dsa_key
|
||||
-#HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
-#HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
+HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
+HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
# Ciphers and keying
|
||||
#RekeyLimit default none
|
||||
|
||||
# Logging
|
||||
# obsoletes QuietMode and FascistLogging
|
||||
#SyslogFacility AUTH
|
||||
+SyslogFacility AUTHPRIV
|
||||
#LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
@@ -70,9 +75,11 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
@@ -57,9 +62,11 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
#PasswordAuthentication yes
|
||||
#PermitEmptyPasswords no
|
||||
|
|
@ -78,31 +90,33 @@ diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config
|
|||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
@@ -82,7 +89,9 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
@@ -68,8 +75,8 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
#KerberosGetAFSToken no
|
||||
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
||||
-#GSSAPIAuthentication no
|
||||
-#GSSAPICleanupCredentials yes
|
||||
+GSSAPIAuthentication yes
|
||||
#GSSAPICleanupCredentials yes
|
||||
+GSSAPICleanupCredentials yes
|
||||
+GSSAPICleanupCredentials no
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
@@ -94,11 +103,13 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
@@ -80,12 +87,12 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
#UsePAM no
|
||||
-#UsePAM no
|
||||
+UsePAM yes
|
||||
|
||||
#AllowAgentForwarding yes
|
||||
#AllowTcpForwarding yes
|
||||
#GatewayPorts no
|
||||
#X11Forwarding no
|
||||
-#X11Forwarding no
|
||||
+X11Forwarding yes
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PrintMotd yes
|
||||
@@ -120,6 +131,12 @@ UsePrivilegeSeparation sandbox # Defaul
|
||||
#PermitTTY yes
|
||||
@@ -108,6 +115,12 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# no default banner path
|
||||
#Banner none
|
||||
|
||||
52
openssh-6.6p1-s390-closefrom.patch
Normal file
52
openssh-6.6p1-s390-closefrom.patch
Normal file
|
|
@ -0,0 +1,52 @@
|
|||
Zseries only: Leave the hardware filedescriptors open.
|
||||
|
||||
All filedescriptors above 2 are getting closed when a new
|
||||
sshd process to handle a new client connection is
|
||||
spawned. As the process also chroot into an empty filesystem
|
||||
without any device nodes, there is no chance to reopen the
|
||||
files. This patch filters out the reqired fds in the
|
||||
closefrom function so these are skipped in the close loop.
|
||||
|
||||
Author: Harald Freudenberger <freude@de.ibm.com>
|
||||
|
||||
---
|
||||
openbsd-compat/bsd-closefrom.c | 26 ++++++++++++++++++++++++++
|
||||
1 file changed, 26 insertions(+)
|
||||
|
||||
--- a/openbsd-compat/bsd-closefrom.c
|
||||
+++ b/openbsd-compat/bsd-closefrom.c
|
||||
@@ -82,7 +82,33 @@ closefrom(int lowfd)
|
||||
fd = strtol(dent->d_name, &endp, 10);
|
||||
if (dent->d_name != endp && *endp == '\0' &&
|
||||
fd >= 0 && fd < INT_MAX && fd >= lowfd && fd != dirfd(dirp))
|
||||
+#ifdef __s390__
|
||||
+ {
|
||||
+ /*
|
||||
+ * the filedescriptors used to communicate with
|
||||
+ * the device drivers to provide hardware support
|
||||
+ * should survive. HF <freude@de.ibm.com>
|
||||
+ */
|
||||
+ char fpath[PATH_MAX], lpath[PATH_MAX];
|
||||
+ len = snprintf(fpath, sizeof(fpath), "%s/%s",
|
||||
+ fdpath, dent->d_name);
|
||||
+ if (len > 0 && (size_t)len <= sizeof(fpath)) {
|
||||
+ len = readlink(fpath, lpath, sizeof(lpath));
|
||||
+ if (len > 0) {
|
||||
+ lpath[len] = 0;
|
||||
+ if (strstr(lpath, "dev/z90crypt")
|
||||
+ || strstr(lpath, "dev/zcrypt")
|
||||
+ || strstr(lpath, "dev/prandom")
|
||||
+ || strstr(lpath, "dev/shm/icastats"))
|
||||
+ fd = -1;
|
||||
+ }
|
||||
+ }
|
||||
+ if (fd >= 0)
|
||||
+ (void) close((int) fd);
|
||||
+ }
|
||||
+#else
|
||||
(void) close((int) fd);
|
||||
+#endif
|
||||
}
|
||||
(void) closedir(dirp);
|
||||
} else
|
||||
|
||||
98
openssh-6.6p1-sftp-force-permission.patch
Normal file
98
openssh-6.6p1-sftp-force-permission.patch
Normal file
|
|
@ -0,0 +1,98 @@
|
|||
diff -up openssh-7.4p1/sftp-server.8.sftp-force-mode openssh-7.4p1/sftp-server.8
|
||||
--- openssh-7.4p1/sftp-server.8.sftp-force-mode 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sftp-server.8 2017-02-09 10:35:41.926475399 +0100
|
||||
@@ -38,6 +38,7 @@
|
||||
.Op Fl P Ar blacklisted_requests
|
||||
.Op Fl p Ar whitelisted_requests
|
||||
.Op Fl u Ar umask
|
||||
+.Op Fl m Ar force_file_perms
|
||||
.Ek
|
||||
.Nm
|
||||
.Fl Q Ar protocol_feature
|
||||
@@ -138,6 +139,10 @@ Sets an explicit
|
||||
.Xr umask 2
|
||||
to be applied to newly-created files and directories, instead of the
|
||||
user's default mask.
|
||||
+.It Fl m Ar force_file_perms
|
||||
+Sets explicit file permissions to be applied to newly-created files instead
|
||||
+of the default or client requested mode. Numeric values include:
|
||||
+777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set.
|
||||
.El
|
||||
.Pp
|
||||
On some systems,
|
||||
diff -up openssh-7.4p1/sftp-server.c.sftp-force-mode openssh-7.4p1/sftp-server.c
|
||||
--- openssh-7.4p1/sftp-server.c.sftp-force-mode 2017-02-09 10:22:36.498019921 +0100
|
||||
+++ openssh-7.4p1/sftp-server.c 2017-02-09 10:35:07.190520959 +0100
|
||||
@@ -65,6 +65,10 @@ struct sshbuf *oqueue;
|
||||
/* Version of client */
|
||||
static u_int version;
|
||||
|
||||
+/* Force file permissions */
|
||||
+int permforce = 0;
|
||||
+long permforcemode;
|
||||
+
|
||||
/* SSH2_FXP_INIT received */
|
||||
static int init_done;
|
||||
|
||||
@@ -679,6 +683,7 @@ process_open(u_int32_t id)
|
||||
Attrib a;
|
||||
char *name;
|
||||
int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE;
|
||||
+ mode_t old_umask = 0;
|
||||
|
||||
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
|
||||
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
|
||||
@@ -688,6 +693,10 @@ process_open(u_int32_t id)
|
||||
debug3("request %u: open flags %d", id, pflags);
|
||||
flags = flags_from_portable(pflags);
|
||||
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
|
||||
+ if (permforce == 1) { /* Force perm if -m is set */
|
||||
+ mode = permforcemode;
|
||||
+ old_umask = umask(0); /* so umask does not interfere */
|
||||
+ }
|
||||
logit("open \"%s\" flags %s mode 0%o",
|
||||
name, string_from_portable(pflags), mode);
|
||||
if (readonly &&
|
||||
@@ -709,6 +718,8 @@ process_open(u_int32_t id)
|
||||
}
|
||||
}
|
||||
}
|
||||
+ if (permforce == 1)
|
||||
+ (void) umask(old_umask); /* restore umask to something sane */
|
||||
if (status != SSH2_FX_OK)
|
||||
send_status(id, status);
|
||||
free(name);
|
||||
@@ -1490,7 +1501,7 @@ sftp_server_usage(void)
|
||||
fprintf(stderr,
|
||||
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
|
||||
"[-l log_level]\n\t[-P blacklisted_requests] "
|
||||
- "[-p whitelisted_requests] [-u umask]\n"
|
||||
+ "[-p whitelisted_requests] [-u umask] [-m force_file_perms]\n"
|
||||
" %s -Q protocol_feature\n",
|
||||
__progname, __progname);
|
||||
exit(1);
|
||||
@@ -1516,7 +1527,7 @@ sftp_server_main(int argc, char **argv,
|
||||
pw = pwcopy(user_pw);
|
||||
|
||||
while (!skipargs && (ch = getopt(argc, argv,
|
||||
- "d:f:l:P:p:Q:u:cehR")) != -1) {
|
||||
+ "d:f:l:P:p:Q:u:m:cehR")) != -1) {
|
||||
switch (ch) {
|
||||
case 'Q':
|
||||
if (strcasecmp(optarg, "requests") != 0) {
|
||||
@@ -1576,6 +1587,15 @@ sftp_server_main(int argc, char **argv,
|
||||
fatal("Invalid umask \"%s\"", optarg);
|
||||
(void)umask((mode_t)mask);
|
||||
break;
|
||||
+ case 'm':
|
||||
+ /* Force permissions on file received via sftp */
|
||||
+ permforce = 1;
|
||||
+ permforcemode = strtol(optarg, &cp, 8);
|
||||
+ if (permforcemode < 0 || permforcemode > 0777 ||
|
||||
+ *cp != '\0' || (permforcemode == 0 &&
|
||||
+ errno != 0))
|
||||
+ fatal("Invalid file mode \"%s\"", optarg);
|
||||
+ break;
|
||||
case 'h':
|
||||
default:
|
||||
sftp_server_usage();
|
||||
98
openssh-6.6p1-systemd.patch
Normal file
98
openssh-6.6p1-systemd.patch
Normal file
|
|
@ -0,0 +1,98 @@
|
|||
commit 0e22b79bfde45a7cf7a2e51a68ec11c4285f3b31
|
||||
Author: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Mon Nov 21 15:04:06 2016 +0100
|
||||
|
||||
systemd stuff
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 2ffc369..162ce92 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -4265,6 +4265,30 @@ AC_ARG_WITH([kerberos5],
|
||||
AC_SUBST([GSSLIBS])
|
||||
AC_SUBST([K5LIBS])
|
||||
|
||||
+# Check whether user wants systemd support
|
||||
+SYSTEMD_MSG="no"
|
||||
+AC_ARG_WITH(systemd,
|
||||
+ [ --with-systemd Enable systemd support],
|
||||
+ [ if test "x$withval" != "xno" ; then
|
||||
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
|
||||
+ if test "$PKGCONFIG" != "no"; then
|
||||
+ AC_MSG_CHECKING([for libsystemd])
|
||||
+ if $PKGCONFIG --exists libsystemd; then
|
||||
+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
|
||||
+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
|
||||
+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
|
||||
+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
|
||||
+ AC_MSG_RESULT([yes])
|
||||
+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
|
||||
+ SYSTEMD_MSG="yes"
|
||||
+ else
|
||||
+ AC_MSG_RESULT([no])
|
||||
+ fi
|
||||
+ fi
|
||||
+ fi ]
|
||||
+)
|
||||
+
|
||||
+
|
||||
# Looking for programs, paths and files
|
||||
|
||||
PRIVSEP_PATH=/var/empty
|
||||
@@ -5097,6 +5121,7 @@ echo " libedit support: $LIBEDIT_MSG"
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
echo " Solaris project support: $SP_MSG"
|
||||
echo " Solaris privilege support: $SPP_MSG"
|
||||
+echo " systemd support: $SYSTEMD_MSG"
|
||||
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
|
||||
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||
diff --git a/contrib/sshd.service b/contrib/sshd.service
|
||||
new file mode 100644
|
||||
index 0000000..e0d4923
|
||||
--- /dev/null
|
||||
+++ b/contrib/sshd.service
|
||||
@@ -0,0 +1,16 @@
|
||||
+[Unit]
|
||||
+Description=OpenSSH server daemon
|
||||
+Documentation=man:sshd(8) man:sshd_config(5)
|
||||
+After=network.target
|
||||
+
|
||||
+[Service]
|
||||
+Type=notify
|
||||
+ExecStart=/usr/sbin/sshd -D $OPTIONS
|
||||
+ExecReload=/bin/kill -HUP $MAINPID
|
||||
+KillMode=process
|
||||
+Restart=on-failure
|
||||
+RestartPreventExitStatus=255
|
||||
+
|
||||
+[Install]
|
||||
+WantedBy=multi-user.target
|
||||
+
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 816611c..b8b9d13 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -85,6 +85,10 @@
|
||||
#include <prot.h>
|
||||
#endif
|
||||
|
||||
+#ifdef HAVE_SYSTEMD
|
||||
+#include <systemd/sd-daemon.h>
|
||||
+#endif
|
||||
+
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
#include "ssh2.h"
|
||||
@@ -1833,6 +1837,11 @@ main(int ac, char **av)
|
||||
}
|
||||
}
|
||||
|
||||
+#ifdef HAVE_SYSTEMD
|
||||
+ /* Signal systemd that we are ready to accept connections */
|
||||
+ sd_notify(0, "READY=1");
|
||||
+#endif
|
||||
+
|
||||
/* Accept a connection and return in a forked child */
|
||||
server_accept_loop(&sock_in, &sock_out,
|
||||
&newsock, config_s);
|
||||
27
openssh-6.6p1-test-mode-all-values.patch
Normal file
27
openssh-6.6p1-test-mode-all-values.patch
Normal file
|
|
@ -0,0 +1,27 @@
|
|||
diff -up openssh-7.4p1/servconf.c.sshd-t openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.sshd-t 2017-02-09 10:19:56.859306131 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2017-02-09 10:22:07.895104402 +0100
|
||||
@@ -2337,7 +2337,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_string(sXAuthLocation, o->xauth_location);
|
||||
dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
|
||||
dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
|
||||
- dump_cfg_string(sBanner, o->banner);
|
||||
+ dump_cfg_string(sBanner, o->banner == NULL ? "none" : o->banner);
|
||||
dump_cfg_string(sForceCommand, o->adm_forced_command);
|
||||
dump_cfg_string(sChrootDirectory, o->chroot_directory);
|
||||
dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
|
||||
diff -up openssh-7.4p1/ssh.1.sshd-t openssh-7.4p1/ssh.1
|
||||
--- openssh-7.4p1/ssh.1.sshd-t 2017-02-09 10:19:56.823306172 +0100
|
||||
+++ openssh-7.4p1/ssh.1 2017-02-09 10:19:56.859306131 +0100
|
||||
@@ -512,7 +512,11 @@ For full details of the options listed b
|
||||
.It GatewayPorts
|
||||
.It GlobalKnownHostsFile
|
||||
.It GSSAPIAuthentication
|
||||
+.It GSSAPIKeyExchange
|
||||
+.It GSSAPIClientIdentity
|
||||
.It GSSAPIDelegateCredentials
|
||||
+.It GSSAPIRenewalForcesRekey
|
||||
+.It GSSAPITrustDns
|
||||
.It HashKnownHosts
|
||||
.It Host
|
||||
.It HostbasedAuthentication
|
||||
214
openssh-6.6p1-x11-max-displays.patch
Normal file
214
openssh-6.6p1-x11-max-displays.patch
Normal file
|
|
@ -0,0 +1,214 @@
|
|||
diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
|
||||
--- openssh-7.4p1/channels.c.x11max 2017-02-09 12:49:04.690996627 +0100
|
||||
+++ openssh-7.4p1/channels.c 2017-02-09 12:49:04.744996547 +0100
|
||||
@@ -152,8 +152,8 @@ static int all_opens_permitted = 0;
|
||||
|
||||
/* -- X11 forwarding */
|
||||
|
||||
-/* Maximum number of fake X11 displays to try. */
|
||||
-#define MAX_DISPLAYS 1000
|
||||
+/* Minimum port number for X11 forwarding */
|
||||
+#define X11_PORT_MIN 6000
|
||||
|
||||
/* Saved X11 local (client) display. */
|
||||
static char *x11_saved_display = NULL;
|
||||
@@ -4228,7 +4228,8 @@ channel_send_window_changes(void)
|
||||
*/
|
||||
int
|
||||
x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
|
||||
- int single_connection, u_int *display_numberp, int **chanids)
|
||||
+ int x11_max_displays, int single_connection, u_int *display_numberp,
|
||||
+ int **chanids)
|
||||
{
|
||||
Channel *nc = NULL;
|
||||
int display_number, sock;
|
||||
@@ -4240,10 +4241,15 @@ x11_create_display_inet(int x11_display_
|
||||
if (chanids == NULL)
|
||||
return -1;
|
||||
|
||||
+ /* Try to bind ports starting at 6000+X11DisplayOffset */
|
||||
+ x11_max_displays = x11_max_displays + x11_display_offset;
|
||||
+
|
||||
for (display_number = x11_display_offset;
|
||||
- display_number < MAX_DISPLAYS;
|
||||
+ display_number < x11_max_displays;
|
||||
display_number++) {
|
||||
- port = 6000 + display_number;
|
||||
+ port = X11_PORT_MIN + display_number;
|
||||
+ if (port < X11_PORT_MIN) /* overflow */
|
||||
+ break;
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = IPv4or6;
|
||||
hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
|
||||
@@ -4295,7 +4301,7 @@ x11_create_display_inet(int x11_display_
|
||||
if (num_socks > 0)
|
||||
break;
|
||||
}
|
||||
- if (display_number >= MAX_DISPLAYS) {
|
||||
+ if (display_number >= x11_max_displays || port < X11_PORT_MIN ) {
|
||||
error("Failed to allocate internet-domain X11 display socket.");
|
||||
return -1;
|
||||
}
|
||||
@@ -4441,7 +4447,7 @@ x11_connect_display(void)
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = IPv4or6;
|
||||
hints.ai_socktype = SOCK_STREAM;
|
||||
- snprintf(strport, sizeof strport, "%u", 6000 + display_number);
|
||||
+ snprintf(strport, sizeof strport, "%u", X11_PORT_MIN + display_number);
|
||||
if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
|
||||
error("%.100s: unknown host. (%s)", buf,
|
||||
ssh_gai_strerror(gaierr));
|
||||
@@ -4457,7 +4463,7 @@ x11_connect_display(void)
|
||||
/* Connect it to the display. */
|
||||
if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
|
||||
debug2("connect %.100s port %u: %.100s", buf,
|
||||
- 6000 + display_number, strerror(errno));
|
||||
+ X11_PORT_MIN + display_number, strerror(errno));
|
||||
close(sock);
|
||||
continue;
|
||||
}
|
||||
@@ -4466,8 +4472,8 @@ x11_connect_display(void)
|
||||
}
|
||||
freeaddrinfo(aitop);
|
||||
if (!ai) {
|
||||
- error("connect %.100s port %u: %.100s", buf, 6000 + display_number,
|
||||
- strerror(errno));
|
||||
+ error("connect %.100s port %u: %.100s", buf,
|
||||
+ X11_PORT_MIN + display_number, strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
set_nodelay(sock);
|
||||
diff -up openssh-7.4p1/channels.h.x11max openssh-7.4p1/channels.h
|
||||
--- openssh-7.4p1/channels.h.x11max 2017-02-09 12:49:04.744996547 +0100
|
||||
+++ openssh-7.4p1/channels.h 2017-02-09 12:49:50.230929693 +0100
|
||||
@@ -293,7 +293,7 @@ int permitopen_port(const char *);
|
||||
|
||||
void channel_set_x11_refuse_time(u_int);
|
||||
int x11_connect_display(void);
|
||||
-int x11_create_display_inet(int, int, int, u_int *, int **);
|
||||
+int x11_create_display_inet(int, int, int, int, u_int *, int **);
|
||||
int x11_input_open(int, u_int32_t, void *);
|
||||
void x11_request_forwarding_with_spoofing(int, const char *, const char *,
|
||||
const char *, int);
|
||||
diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.x11max 2017-02-09 12:49:04.741996552 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2017-02-09 12:51:03.167822492 +0100
|
||||
@@ -94,6 +94,7 @@ initialize_server_options(ServerOptions
|
||||
options->print_lastlog = -1;
|
||||
options->x11_forwarding = -1;
|
||||
options->x11_display_offset = -1;
|
||||
+ options->x11_max_displays = -1;
|
||||
options->x11_use_localhost = -1;
|
||||
options->permit_tty = -1;
|
||||
options->permit_user_rc = -1;
|
||||
@@ -242,6 +243,8 @@ fill_default_server_options(ServerOption
|
||||
options->x11_forwarding = 0;
|
||||
if (options->x11_display_offset == -1)
|
||||
options->x11_display_offset = 10;
|
||||
+ if (options->x11_max_displays == -1)
|
||||
+ options->x11_max_displays = DEFAULT_MAX_DISPLAYS;
|
||||
if (options->x11_use_localhost == -1)
|
||||
options->x11_use_localhost = 1;
|
||||
if (options->xauth_location == NULL)
|
||||
@@ -416,7 +419,7 @@ typedef enum {
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||
sListenAddress, sAddressFamily,
|
||||
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
||||
- sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
|
||||
+ sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost,
|
||||
sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
|
||||
sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
|
||||
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
|
||||
@@ -537,6 +540,7 @@ static struct {
|
||||
{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
|
||||
{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
|
||||
{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
|
||||
+ { "x11maxdisplays", sX11MaxDisplays, SSHCFG_ALL },
|
||||
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
|
||||
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
|
||||
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
|
||||
@@ -1313,6 +1317,10 @@ process_server_config_line(ServerOptions
|
||||
*intptr = value;
|
||||
break;
|
||||
|
||||
+ case sX11MaxDisplays:
|
||||
+ intptr = &options->x11_max_displays;
|
||||
+ goto parse_int;
|
||||
+
|
||||
case sX11UseLocalhost:
|
||||
intptr = &options->x11_use_localhost;
|
||||
goto parse_flag;
|
||||
@@ -2060,6 +2068,7 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
|
||||
M_CP_INTOPT(x11_display_offset);
|
||||
M_CP_INTOPT(x11_forwarding);
|
||||
+ M_CP_INTOPT(x11_max_displays);
|
||||
M_CP_INTOPT(x11_use_localhost);
|
||||
M_CP_INTOPT(permit_tty);
|
||||
M_CP_INTOPT(permit_user_rc);
|
||||
@@ -2312,6 +2321,7 @@ dump_config(ServerOptions *o)
|
||||
#endif
|
||||
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
|
||||
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
|
||||
+ dump_cfg_int(sX11MaxDisplays, o->x11_max_displays);
|
||||
dump_cfg_int(sMaxAuthTries, o->max_authtries);
|
||||
dump_cfg_int(sMaxSessions, o->max_sessions);
|
||||
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
|
||||
diff -up openssh-7.4p1/servconf.h.x11max openssh-7.4p1/servconf.h
|
||||
--- openssh-7.4p1/servconf.h.x11max 2017-02-09 12:49:04.741996552 +0100
|
||||
+++ openssh-7.4p1/servconf.h 2017-02-09 12:49:04.744996547 +0100
|
||||
@@ -55,6 +55,7 @@
|
||||
|
||||
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
|
||||
#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
|
||||
+#define DEFAULT_MAX_DISPLAYS 1000 /* Maximum number of fake X11 displays to try. */
|
||||
|
||||
/* Magic name for internal sftp-server */
|
||||
#define INTERNAL_SFTP_NAME "internal-sftp"
|
||||
@@ -85,6 +86,7 @@ typedef struct {
|
||||
int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */
|
||||
int x11_display_offset; /* What DISPLAY number to start
|
||||
* searching at */
|
||||
+ int x11_max_displays; /* Number of displays to search */
|
||||
int x11_use_localhost; /* If true, use localhost for fake X11 server. */
|
||||
char *xauth_location; /* Location of xauth program */
|
||||
int permit_tty; /* If false, deny pty allocation */
|
||||
diff -up openssh-7.4p1/session.c.x11max openssh-7.4p1/session.c
|
||||
--- openssh-7.4p1/session.c.x11max 2017-02-09 12:49:04.742996550 +0100
|
||||
+++ openssh-7.4p1/session.c 2017-02-09 12:49:04.745996546 +0100
|
||||
@@ -2502,8 +2502,9 @@ session_setup_x11fwd(Session *s)
|
||||
return 0;
|
||||
}
|
||||
if (x11_create_display_inet(options.x11_display_offset,
|
||||
- options.x11_use_localhost, s->single_connection,
|
||||
- &s->display_number, &s->x11_chanids) == -1) {
|
||||
+ options.x11_use_localhost, options.x11_max_displays,
|
||||
+ s->single_connection, &s->display_number,
|
||||
+ &s->x11_chanids) == -1) {
|
||||
debug("x11_create_display_inet failed.");
|
||||
return 0;
|
||||
}
|
||||
diff -up openssh-7.4p1/sshd_config.5.x11max openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.x11max 2017-02-09 12:49:04.742996550 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2017-02-09 12:51:24.656790909 +0100
|
||||
@@ -1137,6 +1137,7 @@ Available keywords are
|
||||
.Cm StreamLocalBindUnlink ,
|
||||
.Cm TrustedUserCAKeys ,
|
||||
.Cm X11DisplayOffset ,
|
||||
+.Cm X11MaxDisplays ,
|
||||
.Cm X11Forwarding
|
||||
and
|
||||
.Cm X11UseLocalHost .
|
||||
@@ -1563,6 +1564,12 @@ Specifies the first display number avail
|
||||
X11 forwarding.
|
||||
This prevents sshd from interfering with real X11 servers.
|
||||
The default is 10.
|
||||
+.It Cm X11MaxDisplays
|
||||
+Specifies the maximum number of displays available for
|
||||
+.Xr sshd 8 Ns 's
|
||||
+X11 forwarding.
|
||||
+This prevents sshd from exhausting local ports.
|
||||
+The default is 1000.
|
||||
.It Cm X11Forwarding
|
||||
Specifies whether X11 forwarding is permitted.
|
||||
The argument must be
|
||||
145
openssh-7.4p1-CVE-2018-15473.patch
Normal file
145
openssh-7.4p1-CVE-2018-15473.patch
Normal file
|
|
@ -0,0 +1,145 @@
|
|||
From 74287f5df9966a0648b4a68417451dd18f079ab8 Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Tue, 31 Jul 2018 03:10:27 +0000
|
||||
Subject: [PATCH] upstream: delay bailout for invalid authentic
|
||||
|
||||
=?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?=
|
||||
=?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?=
|
||||
=?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d
|
||||
---
|
||||
auth2-gss.c | 11 +++++++----
|
||||
auth2-hostbased.c | 11 ++++++-----
|
||||
auth2-pubkey.c | 25 +++++++++++++++----------
|
||||
3 files changed, 28 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/auth2-gss.c b/auth2-gss.c
|
||||
index 47308c5ce..9351e0428 100644
|
||||
--- a/auth2-gss.c
|
||||
+++ b/auth2-gss.c
|
||||
@@ -70,9 +70,6 @@ userauth_gssapi(struct ssh *ssh)
|
||||
u_int len;
|
||||
u_char *doid = NULL;
|
||||
|
||||
- if (!authctxt->valid || authctxt->user == NULL)
|
||||
- return (0);
|
||||
-
|
||||
mechs = packet_get_int();
|
||||
if (mechs == 0) {
|
||||
debug("Mechanism negotiation is not supported");
|
||||
@@ -106,6 +103,12 @@ userauth_gssapi(struct ssh *ssh)
|
||||
return (0);
|
||||
}
|
||||
|
||||
+ if (!authctxt->valid || authctxt->user == NULL) {
|
||||
+ debug2("%s: disabled because of invalid user", __func__);
|
||||
+ free(doid);
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
|
||||
if (ctxt != NULL)
|
||||
ssh_gssapi_delete_ctx(&ctxt);
|
||||
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
|
||||
index 60159a56c..359393291 100644
|
||||
--- a/auth2-hostbased.c
|
||||
+++ b/auth2-hostbased.c
|
||||
@@ -67,10 +67,6 @@ userauth_hostbased(struct ssh *ssh)
|
||||
int pktype;
|
||||
int authenticated = 0;
|
||||
|
||||
- if (!authctxt->valid) {
|
||||
- debug2("userauth_hostbased: disabled because of invalid user");
|
||||
- return 0;
|
||||
- }
|
||||
pkalg = packet_get_string(&alen);
|
||||
pkblob = packet_get_string(&blen);
|
||||
chost = packet_get_string(NULL);
|
||||
@@ -117,6 +113,11 @@ userauth_hostbased(struct ssh *ssh)
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ if (!authctxt->valid || authctxt->user == NULL) {
|
||||
+ debug2("%s: disabled because of invalid user", __func__);
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
|
||||
authctxt->service;
|
||||
buffer_init(&b);
|
||||
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
|
||||
index c4d0f7908..e1c150401 100644
|
||||
--- a/auth2-pubkey.c
|
||||
+++ b/auth2-pubkey.c
|
||||
@@ -89,16 +89,12 @@ userauth_pubkey(struct ssh *ssh)
|
||||
{
|
||||
Buffer b;
|
||||
Key *key = NULL;
|
||||
- char *pkalg, *userstyle, *pubkey, *fp = NULL;
|
||||
- u_char *pkblob, *sig;
|
||||
+ char *pkalg = NULL, *userstyle = NULL, *pubkey = NULL, *fp = NULL;
|
||||
+ u_char *pkblob = NULL, *sig = NULL;
|
||||
u_int alen, blen, slen;
|
||||
int have_sig, pktype;
|
||||
int authenticated = 0;
|
||||
|
||||
- if (!authctxt->valid) {
|
||||
- debug2("%s: disabled because of invalid user", __func__);
|
||||
- return 0;
|
||||
- }
|
||||
have_sig = packet_get_char();
|
||||
if (datafellows & SSH_BUG_PKAUTH) {
|
||||
debug2("%s: SSH_BUG_PKAUTH", __func__);
|
||||
@@ -167,6 +163,12 @@ userauth_pubkey(struct ssh *ssh)
|
||||
} else {
|
||||
buffer_put_string(&b, session_id2, session_id2_len);
|
||||
}
|
||||
+ if (!authctxt->valid || authctxt->user == NULL) {
|
||||
+ buffer_free(&b);
|
||||
+ debug2("%s: disabled because of invalid user",
|
||||
+ __func__);
|
||||
+ goto done;
|
||||
+ }
|
||||
/* reconstruct packet */
|
||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||
xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
|
||||
@@ -183,7 +184,6 @@ userauth_pubkey(struct ssh *ssh)
|
||||
#endif
|
||||
pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
|
||||
auth_info(authctxt, "%s", pubkey);
|
||||
-
|
||||
/* test for correct signature */
|
||||
authenticated = 0;
|
||||
if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
|
||||
@@ -194,7 +194,6 @@ userauth_pubkey(struct ssh *ssh)
|
||||
free(pubkey);
|
||||
}
|
||||
buffer_free(&b);
|
||||
- free(sig);
|
||||
} else {
|
||||
debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
|
||||
__func__, sshkey_type(key), fp);
|
||||
@@ -205,6 +204,11 @@ userauth_pubkey(struct ssh *ssh)
|
||||
__func__, sshkey_type(key), fp);
|
||||
packet_check_eom();
|
||||
|
||||
+ if (!authctxt->valid || authctxt->user == NULL) {
|
||||
+ debug2("%s: disabled because of invalid user",
|
||||
+ __func__);
|
||||
+ goto done;
|
||||
+ }
|
||||
/* XXX fake reply and always send PK_OK ? */
|
||||
/*
|
||||
* XXX this allows testing whether a user is allowed
|
||||
@@ -238,6 +242,7 @@ userauth_pubkey(struct ssh *ssh)
|
||||
free(pkalg);
|
||||
free(pkblob);
|
||||
free(fp);
|
||||
+ free(sig);
|
||||
return authenticated;
|
||||
}
|
||||
|
||||
16
openssh-7.4p1-ControlPath_too_long.patch
Normal file
16
openssh-7.4p1-ControlPath_too_long.patch
Normal file
|
|
@ -0,0 +1,16 @@
|
|||
diff -up openssh-7.4p1/mux.c.controlPath openssh-7.4p1/mux.c
|
||||
--- openssh-7.4p1/mux.c.controlPath 2017-05-04 14:49:44.629247946 +0200
|
||||
+++ openssh-7.4p1/mux.c 2017-05-04 14:52:54.955109022 +0200
|
||||
@@ -1290,6 +1290,12 @@ muxserver_listen(void)
|
||||
oerrno = errno;
|
||||
umask(old_umask);
|
||||
if (muxserver_sock < 0) {
|
||||
+ if (oerrno == ENAMETOOLONG) {
|
||||
+ /* the error is already logged from unix_listener() */
|
||||
+ error("ControlPath %s too long, "
|
||||
+ "disabling multiplexing", options.control_path);
|
||||
+ goto disable_mux_master;
|
||||
+ }
|
||||
if (oerrno == EINVAL || oerrno == EADDRINUSE) {
|
||||
error("ControlSocket %s already exists, "
|
||||
"disabling multiplexing", options.control_path);
|
||||
File diff suppressed because it is too large
Load diff
38
openssh-7.4p1-authorized_keys_command.patch
Normal file
38
openssh-7.4p1-authorized_keys_command.patch
Normal file
|
|
@ -0,0 +1,38 @@
|
|||
From ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2 Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Fri, 30 Dec 2016 22:08:02 +0000
|
||||
Subject: [PATCH] upstream commit
|
||||
|
||||
fix deadlock when keys/principals command produces a lot of
|
||||
output and a key is matched early; bz#2655, patch from jboning AT gmail.com
|
||||
|
||||
Upstream-ID: e19456429bf99087ea994432c16d00a642060afe
|
||||
---
|
||||
auth2-pubkey.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
|
||||
index 20f3309e1..70c021589 100644
|
||||
--- a/auth2-pubkey.c
|
||||
+++ b/auth2-pubkey.c
|
||||
@@ -727,6 +727,9 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key)
|
||||
|
||||
ok = process_principals(f, NULL, pw, cert);
|
||||
|
||||
+ fclose(f);
|
||||
+ f = NULL;
|
||||
+
|
||||
if (exited_cleanly(pid, "AuthorizedPrincipalsCommand", command) != 0)
|
||||
goto out;
|
||||
|
||||
@@ -1050,6 +1053,9 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
|
||||
|
||||
ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
|
||||
|
||||
+ fclose(f);
|
||||
+ f = NULL;
|
||||
+
|
||||
if (exited_cleanly(pid, "AuthorizedKeysCommand", command) != 0)
|
||||
goto out;
|
||||
|
||||
|
||||
50
openssh-7.4p1-canonize-pkcs11-provider.patch
Normal file
50
openssh-7.4p1-canonize-pkcs11-provider.patch
Normal file
|
|
@ -0,0 +1,50 @@
|
|||
diff --git a/ssh-agent.c b/ssh-agent.c
|
||||
index 1320cda..2441329 100644
|
||||
--- a/ssh-agent.c
|
||||
+++ b/ssh-agent.c
|
||||
@@ -821,7 +821,7 @@ send:
|
||||
static void
|
||||
process_remove_smartcard_key(SocketEntry *e)
|
||||
{
|
||||
- char *provider = NULL, *pin = NULL;
|
||||
+ char *provider = NULL, *pin = NULL, canonical_provider[PATH_MAX];
|
||||
int r, version, success = 0;
|
||||
Identity *id, *nxt;
|
||||
Idtab *tab;
|
||||
@@ -831,6 +831,13 @@ process_remove_smartcard_key(SocketEntry *e)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
free(pin);
|
||||
|
||||
+ if (realpath(provider, canonical_provider) == NULL) {
|
||||
+ verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
|
||||
+ provider, strerror(errno));
|
||||
+ goto send;
|
||||
+ }
|
||||
+
|
||||
+ debug("%s: remove %.100s", __func__, canonical_provider);
|
||||
for (version = 1; version < 3; version++) {
|
||||
tab = idtab_lookup(version);
|
||||
for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) {
|
||||
@@ -838,18 +845,19 @@ process_remove_smartcard_key(SocketEntry *e)
|
||||
/* Skip file--based keys */
|
||||
if (id->provider == NULL)
|
||||
continue;
|
||||
- if (!strcmp(provider, id->provider)) {
|
||||
+ if (!strcmp(canonical_provider, id->provider)) {
|
||||
TAILQ_REMOVE(&tab->idlist, id, next);
|
||||
free_identity(id);
|
||||
tab->nentries--;
|
||||
}
|
||||
}
|
||||
}
|
||||
- if (pkcs11_del_provider(provider) == 0)
|
||||
+ if (pkcs11_del_provider(canonical_provider) == 0)
|
||||
success = 1;
|
||||
else
|
||||
error("process_remove_smartcard_key:"
|
||||
" pkcs11_del_provider failed");
|
||||
+send:
|
||||
free(provider);
|
||||
send_status(e, success);
|
||||
}
|
||||
|
||||
30
openssh-7.4p1-cbc-weakness.patch
Normal file
30
openssh-7.4p1-cbc-weakness.patch
Normal file
|
|
@ -0,0 +1,30 @@
|
|||
commit 0fb1a617a07b8df5de188dd5a0c8bf293d4bfc0e
|
||||
Author: markus@openbsd.org <markus@openbsd.org>
|
||||
Date: Sat Mar 11 13:07:35 2017 +0000
|
||||
|
||||
upstream commit
|
||||
|
||||
Don't count the initial block twice when computing how
|
||||
many bytes to discard for the work around for the attacks against CBC-mode.
|
||||
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
||||
|
||||
Upstream-ID: f445f509a4e0a7ba3b9c0dae7311cb42458dc1e2
|
||||
|
||||
diff --git a/packet.c b/packet.c
|
||||
index 01e2d45..2f3a2ec 100644
|
||||
--- a/packet.c
|
||||
+++ b/packet.c
|
||||
@@ -1850,11 +1850,11 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
||||
if (r != SSH_ERR_MAC_INVALID)
|
||||
goto out;
|
||||
logit("Corrupted MAC on input.");
|
||||
- if (need > PACKET_MAX_SIZE)
|
||||
+ if (need + block_size > PACKET_MAX_SIZE)
|
||||
return SSH_ERR_INTERNAL_ERROR;
|
||||
return ssh_packet_start_discard(ssh, enc, mac,
|
||||
sshbuf_len(state->incoming_packet),
|
||||
- PACKET_MAX_SIZE - need);
|
||||
+ PACKET_MAX_SIZE - need - block_size);
|
||||
}
|
||||
/* Remove MAC from input buffer */
|
||||
DBG(debug("MAC #%d ok", state->p_read.seqnr));
|
||||
574
openssh-7.4p1-coverity.patch
Normal file
574
openssh-7.4p1-coverity.patch
Normal file
|
|
@ -0,0 +1,574 @@
|
|||
diff -up openssh-7.4p1/auth-pam.c.coverity openssh-7.4p1/auth-pam.c
|
||||
diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
|
||||
--- openssh-7.4p1/channels.c.coverity 2017-02-09 14:58:32.786064600 +0100
|
||||
+++ openssh-7.4p1/channels.c 2017-02-09 15:01:28.869890219 +0100
|
||||
@@ -266,11 +266,11 @@ channel_register_fds(Channel *c, int rfd
|
||||
channel_max_fd = MAXIMUM(channel_max_fd, wfd);
|
||||
channel_max_fd = MAXIMUM(channel_max_fd, efd);
|
||||
|
||||
- if (rfd != -1)
|
||||
+ if (rfd >= 0)
|
||||
fcntl(rfd, F_SETFD, FD_CLOEXEC);
|
||||
- if (wfd != -1 && wfd != rfd)
|
||||
+ if (wfd >= 0 && wfd != rfd)
|
||||
fcntl(wfd, F_SETFD, FD_CLOEXEC);
|
||||
- if (efd != -1 && efd != rfd && efd != wfd)
|
||||
+ if (efd >= 0 && efd != rfd && efd != wfd)
|
||||
fcntl(efd, F_SETFD, FD_CLOEXEC);
|
||||
|
||||
c->rfd = rfd;
|
||||
@@ -288,11 +288,11 @@ channel_register_fds(Channel *c, int rfd
|
||||
|
||||
/* enable nonblocking mode */
|
||||
if (nonblock) {
|
||||
- if (rfd != -1)
|
||||
+ if (rfd >= 0)
|
||||
set_nonblock(rfd);
|
||||
- if (wfd != -1)
|
||||
+ if (wfd >= 0)
|
||||
set_nonblock(wfd);
|
||||
- if (efd != -1)
|
||||
+ if (efd >= 0)
|
||||
set_nonblock(efd);
|
||||
}
|
||||
}
|
||||
diff -up openssh-7.4p1/clientloop.c.coverity openssh-7.4p1/clientloop.c
|
||||
diff -up openssh-7.4p1/key.c.coverity openssh-7.4p1/key.c
|
||||
diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
|
||||
--- openssh-7.4p1/monitor.c.coverity 2017-02-09 14:58:32.793064593 +0100
|
||||
+++ openssh-7.4p1/monitor.c 2017-02-09 14:58:32.805064581 +0100
|
||||
@@ -411,7 +411,7 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
mm_get_keystate(pmonitor);
|
||||
|
||||
/* Drain any buffered messages from the child */
|
||||
- while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
|
||||
+ while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
|
||||
;
|
||||
|
||||
close(pmonitor->m_sendfd);
|
||||
diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
|
||||
--- openssh-7.4p1/monitor_wrap.c.coverity 2017-02-09 14:58:32.797064589 +0100
|
||||
+++ openssh-7.4p1/monitor_wrap.c 2017-02-09 14:58:32.805064581 +0100
|
||||
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
|
||||
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
|
||||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
|
||||
error("%s: cannot allocate fds for pty", __func__);
|
||||
- if (tmp1 > 0)
|
||||
+ if (tmp1 >= 0)
|
||||
close(tmp1);
|
||||
- if (tmp2 > 0)
|
||||
- close(tmp2);
|
||||
+ /*DEAD CODE if (tmp2 >= 0)
|
||||
+ close(tmp2);*/
|
||||
return 0;
|
||||
}
|
||||
close(tmp1);
|
||||
diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c
|
||||
--- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/bindresvport.c 2017-02-09 14:58:32.805064581 +0100
|
||||
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
|
||||
struct sockaddr_in6 *in6;
|
||||
u_int16_t *portp;
|
||||
u_int16_t port;
|
||||
- socklen_t salen;
|
||||
+ socklen_t salen = sizeof(struct sockaddr_storage);
|
||||
int i;
|
||||
|
||||
if (sa == NULL) {
|
||||
diff -up openssh-7.4p1/packet.c.coverity openssh-7.4p1/packet.c
|
||||
diff -up openssh-7.4p1/progressmeter.c.coverity openssh-7.4p1/progressmeter.c
|
||||
diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c
|
||||
--- openssh-7.4p1/scp.c.coverity 2017-02-09 14:58:32.761064625 +0100
|
||||
+++ openssh-7.4p1/scp.c 2017-02-09 14:58:38.590058852 +0100
|
||||
@@ -157,7 +157,7 @@ killchild(int signo)
|
||||
{
|
||||
if (do_cmd_pid > 1) {
|
||||
kill(do_cmd_pid, signo ? signo : SIGTERM);
|
||||
- waitpid(do_cmd_pid, NULL, 0);
|
||||
+ (void) waitpid(do_cmd_pid, NULL, 0);
|
||||
}
|
||||
|
||||
if (signo)
|
||||
diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.coverity 2017-02-09 14:58:32.801064585 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2017-02-09 14:58:38.591058851 +0100
|
||||
@@ -1544,7 +1544,7 @@ process_server_config_line(ServerOptions
|
||||
fatal("%s line %d: Missing subsystem name.",
|
||||
filename, linenum);
|
||||
if (!*activep) {
|
||||
- arg = strdelim(&cp);
|
||||
+ /*arg =*/ (void) strdelim(&cp);
|
||||
break;
|
||||
}
|
||||
for (i = 0; i < options->num_subsystems; i++)
|
||||
@@ -1635,8 +1635,9 @@ process_server_config_line(ServerOptions
|
||||
if (*activep && *charptr == NULL) {
|
||||
*charptr = tilde_expand_filename(arg, getuid());
|
||||
/* increase optional counter */
|
||||
- if (intptr != NULL)
|
||||
- *intptr = *intptr + 1;
|
||||
+ /* DEAD CODE intptr is still NULL ;)
|
||||
+ if (intptr != NULL)
|
||||
+ *intptr = *intptr + 1; */
|
||||
}
|
||||
break;
|
||||
|
||||
diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
|
||||
--- openssh-7.4p1/serverloop.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/serverloop.c 2017-02-09 14:58:38.592058850 +0100
|
||||
@@ -125,13 +125,13 @@ notify_setup(void)
|
||||
static void
|
||||
notify_parent(void)
|
||||
{
|
||||
- if (notify_pipe[1] != -1)
|
||||
+ if (notify_pipe[1] >= 0)
|
||||
(void)write(notify_pipe[1], "", 1);
|
||||
}
|
||||
static void
|
||||
notify_prepare(fd_set *readset)
|
||||
{
|
||||
- if (notify_pipe[0] != -1)
|
||||
+ if (notify_pipe[0] >= 0)
|
||||
FD_SET(notify_pipe[0], readset);
|
||||
}
|
||||
static void
|
||||
@@ -139,8 +139,8 @@ notify_done(fd_set *readset)
|
||||
{
|
||||
char c;
|
||||
|
||||
- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset))
|
||||
- while (read(notify_pipe[0], &c, 1) != -1)
|
||||
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
|
||||
+ while (read(notify_pipe[0], &c, 1) >= 0)
|
||||
debug2("notify_done: reading");
|
||||
}
|
||||
|
||||
@@ -518,7 +518,7 @@ server_request_tun(void)
|
||||
}
|
||||
|
||||
tun = packet_get_int();
|
||||
- if (forced_tun_device != -1) {
|
||||
+ if (forced_tun_device >= 0) {
|
||||
if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
|
||||
goto done;
|
||||
tun = forced_tun_device;
|
||||
diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
|
||||
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sftp.c 2017-02-09 14:58:38.598058844 +0100
|
||||
@@ -224,7 +224,7 @@ killchild(int signo)
|
||||
{
|
||||
if (sshpid > 1) {
|
||||
kill(sshpid, SIGTERM);
|
||||
- waitpid(sshpid, NULL, 0);
|
||||
+ (void) waitpid(sshpid, NULL, 0);
|
||||
}
|
||||
|
||||
_exit(1);
|
||||
diff -up openssh-7.4p1/sftp-client.c.coverity openssh-7.4p1/sftp-client.c
|
||||
--- openssh-7.4p1/sftp-client.c.coverity 2017-02-09 14:58:38.596058846 +0100
|
||||
+++ openssh-7.4p1/sftp-client.c 2017-02-09 15:20:18.893624636 +0100
|
||||
@@ -973,7 +973,7 @@ do_symlink(struct sftp_conn *conn, const
|
||||
}
|
||||
|
||||
int
|
||||
-do_fsync(struct sftp_conn *conn, u_char *handle, u_int handle_len)
|
||||
+do_fsync(struct sftp_conn *conn, const u_char *handle, u_int handle_len)
|
||||
{
|
||||
struct sshbuf *msg;
|
||||
u_int status, id;
|
||||
--- openssh-7.4p1/sftp-client.h.coverity 2017-02-10 09:28:10.951155129 +0100
|
||||
+++ openssh-7.4p1/sftp-client.h 2017-02-10 09:27:28.685069870 +0100
|
||||
@@ -107,7 +107,7 @@ int do_hardlink(struct sftp_conn *, cons
|
||||
int do_symlink(struct sftp_conn *, const char *, const char *);
|
||||
|
||||
/* Call fsync() on open file 'handle' */
|
||||
-int do_fsync(struct sftp_conn *conn, u_char *, u_int);
|
||||
+int do_fsync(struct sftp_conn *conn, const u_char *, u_int);
|
||||
|
||||
/*
|
||||
* Download 'remote_path' to 'local_path'. Preserve permissions and times
|
||||
diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
|
||||
--- openssh-7.4p1/ssh-agent.c.coverity 2017-02-09 14:58:38.599058843 +0100
|
||||
+++ openssh-7.4p1/ssh-agent.c 2017-02-09 15:29:21.938917065 +0100
|
||||
@@ -1220,8 +1220,8 @@ main(int ac, char **av)
|
||||
sanitise_stdfd();
|
||||
|
||||
/* drop */
|
||||
- setegid(getgid());
|
||||
- setgid(getgid());
|
||||
+ (void) setegid(getgid());
|
||||
+ (void) setgid(getgid());
|
||||
|
||||
platform_disable_tracing(0); /* strict=no */
|
||||
|
||||
diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
|
||||
--- openssh-7.4p1/sshd.c.coverity 2017-02-09 14:58:38.600058842 +0100
|
||||
+++ openssh-7.4p1/sshd.c 2017-02-09 15:30:33.403800831 +0100
|
||||
@@ -679,8 +679,10 @@ privsep_preauth(Authctxt *authctxt)
|
||||
|
||||
privsep_preauth_child();
|
||||
setproctitle("%s", "[net]");
|
||||
- if (box != NULL)
|
||||
+ if (box != NULL) {
|
||||
ssh_sandbox_child(box);
|
||||
+ free(box);
|
||||
+ }
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -1382,6 +1384,9 @@ server_accept_loop(int *sock_in, int *so
|
||||
if (num_listen_socks < 0)
|
||||
break;
|
||||
}
|
||||
+
|
||||
+ if (fdset != NULL)
|
||||
+ free(fdset);
|
||||
}
|
||||
|
||||
/*
|
||||
diff --git a/auth-pam.c b/auth-pam.c
|
||||
index e554ec4..bd16d80 100644
|
||||
--- a/auth-pam.c
|
||||
+++ b/auth-pam.c
|
||||
@@ -834,6 +834,8 @@ fake_password(const char *wire_password)
|
||||
fatal("%s: password length too long: %zu", __func__, l);
|
||||
|
||||
ret = malloc(l + 1);
|
||||
+ if (ret == NULL)
|
||||
+ return NULL;
|
||||
for (i = 0; i < l; i++)
|
||||
ret[i] = junk[i % (sizeof(junk) - 1)];
|
||||
ret[i] = '\0';
|
||||
diff --git a/clientloop.c b/clientloop.c
|
||||
index c6a4138..9b00e12 100644
|
||||
--- a/clientloop.c
|
||||
+++ b/clientloop.c
|
||||
@@ -2290,7 +2290,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
|
||||
free(response);
|
||||
response = read_passphrase("Accept updated hostkeys? "
|
||||
"(yes/no): ", RP_ECHO);
|
||||
- if (strcasecmp(response, "yes") == 0)
|
||||
+ if (response != NULL && strcasecmp(response, "yes") == 0)
|
||||
break;
|
||||
else if (quit_pending || response == NULL ||
|
||||
strcasecmp(response, "no") == 0) {
|
||||
diff --git a/digest-openssl.c b/digest-openssl.c
|
||||
index 13b63c2..dfa9b8d 100644
|
||||
--- a/digest-openssl.c
|
||||
+++ b/digest-openssl.c
|
||||
@@ -158,7 +158,7 @@ ssh_digest_final(struct ssh_digest_ctx *ctx, u_char *d, size_t dlen)
|
||||
const struct ssh_digest *digest = ssh_digest_by_alg(ctx->alg);
|
||||
u_int l = dlen;
|
||||
|
||||
- if (dlen > UINT_MAX)
|
||||
+ if (digest == NULL || dlen > UINT_MAX)
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
if (dlen < digest->digest_len) /* No truncation allowed */
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
diff --git a/kex.c b/kex.c
|
||||
index a30dabe..a8ac91f 100644
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
@@ -178,7 +178,7 @@ kex_names_valid(const char *names)
|
||||
char *
|
||||
kex_names_cat(const char *a, const char *b)
|
||||
{
|
||||
- char *ret = NULL, *tmp = NULL, *cp, *p;
|
||||
+ char *ret = NULL, *tmp = NULL, *cp, *p, *m;
|
||||
size_t len;
|
||||
|
||||
if (a == NULL || *a == '\0')
|
||||
@@ -195,8 +195,10 @@ kex_names_cat(const char *a, const char *b)
|
||||
}
|
||||
strlcpy(ret, a, len);
|
||||
for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
|
||||
- if (match_list(ret, p, NULL) != NULL)
|
||||
+ if ((m = match_list(ret, p, NULL)) != NULL) {
|
||||
+ free(m);
|
||||
continue; /* Algorithm already present */
|
||||
+ }
|
||||
if (strlcat(ret, ",", len) >= len ||
|
||||
strlcat(ret, p, len) >= len) {
|
||||
free(tmp);
|
||||
@@ -651,8 +653,10 @@ choose_enc(struct sshenc *enc, char *client, char *server)
|
||||
#endif
|
||||
return SSH_ERR_NO_CIPHER_ALG_MATCH;
|
||||
}
|
||||
- if ((enc->cipher = cipher_by_name(name)) == NULL)
|
||||
+ if ((enc->cipher = cipher_by_name(name)) == NULL) {
|
||||
+ free(name);
|
||||
return SSH_ERR_INTERNAL_ERROR;
|
||||
+ }
|
||||
enc->name = name;
|
||||
enc->enabled = 0;
|
||||
enc->iv = NULL;
|
||||
@@ -670,8 +674,10 @@ choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
|
||||
#endif
|
||||
return SSH_ERR_NO_MAC_ALG_MATCH;
|
||||
}
|
||||
- if (mac_setup(mac, name) < 0)
|
||||
+ if (mac_setup(mac, name) < 0) {
|
||||
+ free(name);
|
||||
return SSH_ERR_INTERNAL_ERROR;
|
||||
+ }
|
||||
/* truncate the key */
|
||||
if (ssh->compat & SSH_BUG_HMAC)
|
||||
mac->key_len = 16;
|
||||
@@ -695,6 +701,7 @@ choose_comp(struct sshcomp *comp, char *client, char *server)
|
||||
} else if (strcmp(name, "none") == 0) {
|
||||
comp->type = COMP_NONE;
|
||||
} else {
|
||||
+ free(name);
|
||||
return SSH_ERR_INTERNAL_ERROR;
|
||||
}
|
||||
comp->name = name;
|
||||
diff --git a/readconf.c b/readconf.c
|
||||
index 3e7a5d8..acc1391 100644
|
||||
--- a/readconf.c
|
||||
+++ b/readconf.c
|
||||
@@ -1500,6 +1500,7 @@ parse_keytypes:
|
||||
if (r == GLOB_NOMATCH) {
|
||||
debug("%.200s line %d: include %s matched no "
|
||||
"files",filename, linenum, arg2);
|
||||
+ free(arg2);
|
||||
continue;
|
||||
} else if (r != 0 || gl.gl_pathc < 0)
|
||||
fatal("%.200s line %d: glob failed for %s.",
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index 6ab1cb4..5f2464a 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -2284,8 +2284,6 @@ dump_cfg_fmtint(ServerOpCodes code, int val)
|
||||
static void
|
||||
dump_cfg_string(ServerOpCodes code, const char *val)
|
||||
{
|
||||
- if (val == NULL)
|
||||
- return;
|
||||
printf("%s %s\n", lookup_opcode_name(code),
|
||||
val == NULL ? "none" : val);
|
||||
}
|
||||
diff --git a/sshconnect.c b/sshconnect.c
|
||||
index 07f80cd..5d4b41b 100644
|
||||
--- a/sshconnect.c
|
||||
+++ b/sshconnect.c
|
||||
@@ -1533,6 +1533,7 @@ maybe_add_key_to_agent(char *authfile, Key *private, char *comment,
|
||||
if (options.add_keys_to_agent == 2 &&
|
||||
!ask_permission("Add key %s (%s) to agent?", authfile, comment)) {
|
||||
debug3("user denied adding this key");
|
||||
+ close(auth_sock);
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -1541,4 +1542,5 @@ maybe_add_key_to_agent(char *authfile, Key *private, char *comment,
|
||||
debug("identity added to agent: %s", authfile);
|
||||
else
|
||||
debug("could not add identity to agent: %s (%d)", authfile, r);
|
||||
+ close(auth_sock);
|
||||
}
|
||||
diff --git a/sshconnect2.c b/sshconnect2.c
|
||||
index f31c24c..aecf765 100644
|
||||
--- a/sshconnect2.c
|
||||
+++ b/sshconnect2.c
|
||||
@@ -1061,6 +1061,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
|
||||
|
||||
if (key_to_blob(id->key, &blob, &bloblen) == 0) {
|
||||
/* we cannot handle this key */
|
||||
+ free(blob);
|
||||
debug3("sign_and_send_pubkey: cannot handle key");
|
||||
return 0;
|
||||
}
|
||||
@@ -1170,6 +1171,7 @@ send_pubkey_test(Authctxt *authctxt, Identity *id)
|
||||
|
||||
if (key_to_blob(id->key, &blob, &bloblen) == 0) {
|
||||
/* we cannot handle this key */
|
||||
+ free(blob);
|
||||
debug3("send_pubkey_test: cannot handle key");
|
||||
return 0;
|
||||
}
|
||||
diff --git a/sshkey.c b/sshkey.c
|
||||
index 85fd1bd..58c1051 100644
|
||||
--- a/sshkey.c
|
||||
+++ b/sshkey.c
|
||||
@@ -1375,8 +1375,6 @@ sshkey_read(struct sshkey *ret, char **cpp)
|
||||
retval = 0;
|
||||
/*XXXX*/
|
||||
sshkey_free(k);
|
||||
- if (retval != 0)
|
||||
- break;
|
||||
break;
|
||||
default:
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
diff --git a/krl.c b/krl.c
|
||||
index e271a19..69bec99 100644
|
||||
--- a/krl.c
|
||||
+++ b/krl.c
|
||||
@@ -1089,7 +1089,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
|
||||
break;
|
||||
case KRL_SECTION_SIGNATURE:
|
||||
/* Handled above, but still need to stay in synch */
|
||||
- sshbuf_reset(sect);
|
||||
+ sshbuf_free(sect);
|
||||
sect = NULL;
|
||||
if ((r = sshbuf_skip_string(copy)) != 0)
|
||||
goto out;
|
||||
@@ -1288,7 +1288,8 @@ ssh_krl_file_contains_key(const char *path, const struct sshkey *key)
|
||||
debug2("%s: checking KRL %s", __func__, path);
|
||||
r = ssh_krl_check_key(krl, key);
|
||||
out:
|
||||
- close(fd);
|
||||
+ if (fd != -1)
|
||||
+ close(fd);
|
||||
sshbuf_free(krlbuf);
|
||||
ssh_krl_free(krl);
|
||||
if (r != 0)
|
||||
diff --git a/readconf.c b/readconf.c
|
||||
index acc1391..c4dff15 100644
|
||||
--- a/readconf.c
|
||||
+++ b/readconf.c
|
||||
@@ -1185,7 +1185,7 @@ parse_int:
|
||||
value = cipher_number(arg);
|
||||
if (value == -1)
|
||||
fatal("%.200s line %d: Bad cipher '%s'.",
|
||||
- filename, linenum, arg ? arg : "<NONE>");
|
||||
+ filename, linenum, arg);
|
||||
if (*activep && *intptr == -1)
|
||||
*intptr = value;
|
||||
break;
|
||||
@@ -1196,7 +1196,7 @@ parse_int:
|
||||
fatal("%.200s line %d: Missing argument.", filename, linenum);
|
||||
if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
|
||||
fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
|
||||
- filename, linenum, arg ? arg : "<NONE>");
|
||||
+ filename, linenum, arg);
|
||||
if (*activep && options->ciphers == NULL)
|
||||
options->ciphers = xstrdup(arg);
|
||||
break;
|
||||
@@ -1207,7 +1207,7 @@ parse_int:
|
||||
fatal("%.200s line %d: Missing argument.", filename, linenum);
|
||||
if (!mac_valid(*arg == '+' ? arg + 1 : arg))
|
||||
fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
|
||||
- filename, linenum, arg ? arg : "<NONE>");
|
||||
+ filename, linenum, arg);
|
||||
if (*activep && options->macs == NULL)
|
||||
options->macs = xstrdup(arg);
|
||||
break;
|
||||
@@ -1220,7 +1220,7 @@ parse_int:
|
||||
filename, linenum);
|
||||
if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
|
||||
fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
|
||||
- filename, linenum, arg ? arg : "<NONE>");
|
||||
+ filename, linenum, arg);
|
||||
if (*activep && options->kex_algorithms == NULL)
|
||||
options->kex_algorithms = xstrdup(arg);
|
||||
break;
|
||||
@@ -1235,7 +1235,7 @@ parse_keytypes:
|
||||
filename, linenum);
|
||||
if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
|
||||
fatal("%s line %d: Bad key types '%s'.",
|
||||
- filename, linenum, arg ? arg : "<NONE>");
|
||||
+ filename, linenum, arg);
|
||||
if (*activep && *charptr == NULL)
|
||||
*charptr = xstrdup(arg);
|
||||
break;
|
||||
@@ -1248,7 +1248,7 @@ parse_keytypes:
|
||||
value = proto_spec(arg);
|
||||
if (value == SSH_PROTO_UNKNOWN)
|
||||
fatal("%.200s line %d: Bad protocol spec '%s'.",
|
||||
- filename, linenum, arg ? arg : "<NONE>");
|
||||
+ filename, linenum, arg);
|
||||
if (*activep && *intptr == SSH_PROTO_UNKNOWN)
|
||||
*intptr = value;
|
||||
break;
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index 5f2464a..4564494 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -1217,7 +1217,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||
filename, linenum);
|
||||
if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
|
||||
fatal("%s line %d: Bad key types '%s'.",
|
||||
- filename, linenum, arg ? arg : "<NONE>");
|
||||
+ filename, linenum, arg);
|
||||
if (*activep && *charptr == NULL)
|
||||
*charptr = xstrdup(arg);
|
||||
break;
|
||||
@@ -1476,7 +1476,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||
fatal("%s line %d: Missing argument.", filename, linenum);
|
||||
if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
|
||||
fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
|
||||
- filename, linenum, arg ? arg : "<NONE>");
|
||||
+ filename, linenum, arg);
|
||||
if (options->ciphers == NULL)
|
||||
options->ciphers = xstrdup(arg);
|
||||
break;
|
||||
@@ -1487,7 +1487,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||
fatal("%s line %d: Missing argument.", filename, linenum);
|
||||
if (!mac_valid(*arg == '+' ? arg + 1 : arg))
|
||||
fatal("%s line %d: Bad SSH2 mac spec '%s'.",
|
||||
- filename, linenum, arg ? arg : "<NONE>");
|
||||
+ filename, linenum, arg);
|
||||
if (options->macs == NULL)
|
||||
options->macs = xstrdup(arg);
|
||||
break;
|
||||
@@ -1500,7 +1500,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||
filename, linenum);
|
||||
if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
|
||||
fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
|
||||
- filename, linenum, arg ? arg : "<NONE>");
|
||||
+ filename, linenum, arg);
|
||||
if (options->kex_algorithms == NULL)
|
||||
options->kex_algorithms = xstrdup(arg);
|
||||
break;
|
||||
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
|
||||
index aaf712d..62a76b3 100644
|
||||
--- a/ssh-pkcs11.c
|
||||
+++ b/ssh-pkcs11.c
|
||||
@@ -536,8 +536,8 @@ pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,
|
||||
X509_free(x509);
|
||||
}
|
||||
if (rsa && rsa->n && rsa->e &&
|
||||
- pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) {
|
||||
- key = sshkey_new(KEY_UNSPEC);
|
||||
+ pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0 &&
|
||||
+ (key = sshkey_new(KEY_UNSPEC)) != NULL) {
|
||||
key->rsa = rsa;
|
||||
key->type = KEY_RSA;
|
||||
key->flags |= SSHKEY_FLAG_EXT;
|
||||
diff --git a/sshconnect1.c b/sshconnect1.c
|
||||
index a045361..0e1a506 100644
|
||||
--- a/sshconnect1.c
|
||||
+++ b/sshconnect1.c
|
||||
@@ -520,7 +520,8 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
|
||||
cookie[i] = packet_get_char();
|
||||
|
||||
/* Get the public key. */
|
||||
- server_key = key_new(KEY_RSA1);
|
||||
+ if ((server_key = key_new(KEY_RSA1)) == NULL)
|
||||
+ fatal("%s: key_new(KEY_RSA1) failed", __func__);
|
||||
bits = packet_get_int();
|
||||
packet_get_bignum(server_key->rsa->e);
|
||||
packet_get_bignum(server_key->rsa->n);
|
||||
@@ -532,7 +533,8 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
|
||||
logit("Warning: This may be due to an old implementation of ssh.");
|
||||
}
|
||||
/* Get the host key. */
|
||||
- host_key = key_new(KEY_RSA1);
|
||||
+ if ((host_key = key_new(KEY_RSA1)) == NULL)
|
||||
+ fatal("%s: key_new(KEY_RSA1) failed", __func__);
|
||||
bits = packet_get_int();
|
||||
packet_get_bignum(host_key->rsa->e);
|
||||
packet_get_bignum(host_key->rsa->n);
|
||||
diff --git a/sshkey.c b/sshkey.c
|
||||
index 58c1051..6afacb5 100644
|
||||
--- a/sshkey.c
|
||||
+++ b/sshkey.c
|
||||
@@ -1239,6 +1239,9 @@ sshkey_read(struct sshkey *ret, char **cpp)
|
||||
u_long bits;
|
||||
#endif /* WITH_SSH1 */
|
||||
|
||||
+ if (ret == NULL)
|
||||
+ return SSH_ERR_INVALID_ARGUMENT;
|
||||
+
|
||||
cp = *cpp;
|
||||
|
||||
switch (ret->type) {
|
||||
|
|
@ -1,6 +1,44 @@
|
|||
diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
|
||||
--- openssh-6.2p1/ctr-cavstest.c.ctr-cavs 2013-03-25 21:35:52.512586671 +0100
|
||||
+++ openssh-6.2p1/ctr-cavstest.c 2013-03-25 21:35:52.512586671 +0100
|
||||
diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
|
||||
--- openssh-6.8p1/Makefile.in.ctr-cavs 2015-03-18 11:22:05.493289018 +0100
|
||||
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:22:44.504196316 +0100
|
||||
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
||||
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
||||
SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
||||
+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
|
||||
MANFMT=@MANFMT@
|
||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
||||
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
||||
|
||||
LIBOPENSSH_OBJS=\
|
||||
ssh_api.o \
|
||||
@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
|
||||
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
|
||||
$(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(SSHLIBS)
|
||||
|
||||
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
||||
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
+
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@@ -326,6 +330,7 @@ install-files:
|
||||
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
||||
fi
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
|
||||
--- openssh-6.8p1/ctr-cavstest.c.ctr-cavs 2015-03-18 11:22:05.521288952 +0100
|
||||
+++ openssh-6.8p1/ctr-cavstest.c 2015-03-18 11:22:05.521288952 +0100
|
||||
@@ -0,0 +1,208 @@
|
||||
+/*
|
||||
+ *
|
||||
|
|
@ -95,7 +133,7 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
|
|||
+ break;
|
||||
+
|
||||
+ total += n;
|
||||
+ buf = xrealloc(buf, total + READ_CHUNK, 1);
|
||||
+ buf = xreallocarray(buf, total + READ_CHUNK, 1);
|
||||
+ } while(total < MAX_READ_SIZE);
|
||||
+ return buf;
|
||||
+}
|
||||
|
|
@ -103,8 +141,8 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
|
|||
+int main (int argc, char *argv[])
|
||||
+{
|
||||
+
|
||||
+ Cipher *c;
|
||||
+ CipherContext cc;
|
||||
+ const struct sshcipher *c;
|
||||
+ struct sshcipher_ctx *cc;
|
||||
+ char *algo = "aes128-ctr";
|
||||
+ char *hexkey = NULL;
|
||||
+ char *hexiv = "00000000000000000000000000000000";
|
||||
|
|
@ -194,11 +232,11 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
|
|||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
+ cipher_crypt(&cc, outdata, data, datalen, 0, 0);
|
||||
+ cipher_crypt(cc, 0, outdata, data, datalen, 0, 0);
|
||||
+
|
||||
+ free(data);
|
||||
+
|
||||
+ cipher_cleanup(&cc);
|
||||
+ cipher_free(cc);
|
||||
+
|
||||
+ for (p = outdata; datalen > 0; ++p, --datalen) {
|
||||
+ printf("%02X", (unsigned char)*p);
|
||||
|
|
@ -210,41 +248,3 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
|
|||
+ return 0;
|
||||
+}
|
||||
+
|
||||
diff -up openssh-6.2p1/Makefile.in.ctr-cavs openssh-6.2p1/Makefile.in
|
||||
--- openssh-6.2p1/Makefile.in.ctr-cavs 2013-03-25 21:35:52.451586280 +0100
|
||||
+++ openssh-6.2p1/Makefile.in 2013-03-25 21:37:14.956114584 +0100
|
||||
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
||||
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
||||
SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
||||
+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
|
||||
MANFMT=@MANFMT@
|
||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
||||
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
||||
|
||||
LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
|
||||
canohost.o channels.o cipher.o cipher-aes.o \
|
||||
@@ -174,6 +175,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
|
||||
ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keycat.o
|
||||
$(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
|
||||
|
||||
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
||||
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
+
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
|
||||
@@ -281,6 +285,7 @@ install-files:
|
||||
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
||||
fi
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
140
openssh-7.4p1-debian-restore-tcp-wrappers.patch
Normal file
140
openssh-7.4p1-debian-restore-tcp-wrappers.patch
Normal file
|
|
@ -0,0 +1,140 @@
|
|||
diff -up openssh-7.4p1/configure.ac.tcp_wrappers openssh-7.4p1/configure.ac
|
||||
--- openssh-7.4p1/configure.ac.tcp_wrappers 2016-12-23 15:36:38.745411192 +0100
|
||||
+++ openssh-7.4p1/configure.ac 2016-12-23 15:36:38.777411197 +0100
|
||||
@@ -1491,6 +1491,62 @@ AC_ARG_WITH([skey],
|
||||
]
|
||||
)
|
||||
|
||||
+# Check whether user wants TCP wrappers support
|
||||
+TCPW_MSG="no"
|
||||
+AC_ARG_WITH([tcp-wrappers],
|
||||
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
|
||||
+ [
|
||||
+ if test "x$withval" != "xno" ; then
|
||||
+ saved_LIBS="$LIBS"
|
||||
+ saved_LDFLAGS="$LDFLAGS"
|
||||
+ saved_CPPFLAGS="$CPPFLAGS"
|
||||
+ if test -n "${withval}" && \
|
||||
+ test "x${withval}" != "xyes"; then
|
||||
+ if test -d "${withval}/lib"; then
|
||||
+ if test -n "${need_dash_r}"; then
|
||||
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
|
||||
+ else
|
||||
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
|
||||
+ fi
|
||||
+ else
|
||||
+ if test -n "${need_dash_r}"; then
|
||||
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
|
||||
+ else
|
||||
+ LDFLAGS="-L${withval} ${LDFLAGS}"
|
||||
+ fi
|
||||
+ fi
|
||||
+ if test -d "${withval}/include"; then
|
||||
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
|
||||
+ else
|
||||
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
|
||||
+ fi
|
||||
+ fi
|
||||
+ LIBS="-lwrap $LIBS"
|
||||
+ AC_MSG_CHECKING([for libwrap])
|
||||
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/socket.h>
|
||||
+#include <netinet/in.h>
|
||||
+#include <tcpd.h>
|
||||
+int deny_severity = 0, allow_severity = 0;
|
||||
+ ]], [[
|
||||
+ hosts_access(0);
|
||||
+ ]])], [
|
||||
+ AC_MSG_RESULT([yes])
|
||||
+ AC_DEFINE([LIBWRAP], [1],
|
||||
+ [Define if you want
|
||||
+ TCP Wrappers support])
|
||||
+ SSHDLIBS="$SSHDLIBS -lwrap"
|
||||
+ TCPW_MSG="yes"
|
||||
+ ], [
|
||||
+ AC_MSG_ERROR([*** libwrap missing])
|
||||
+
|
||||
+ ])
|
||||
+ LIBS="$saved_LIBS"
|
||||
+ fi
|
||||
+ ]
|
||||
+)
|
||||
+
|
||||
# Check whether user wants to use ldns
|
||||
LDNS_MSG="no"
|
||||
AC_ARG_WITH(ldns,
|
||||
@@ -5214,6 +5270,7 @@ echo " KerberosV support
|
||||
echo " SELinux support: $SELINUX_MSG"
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
+echo " TCP Wrappers support: $TCPW_MSG"
|
||||
echo " MD5 password support: $MD5_MSG"
|
||||
echo " libedit support: $LIBEDIT_MSG"
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
diff -up openssh-7.4p1/sshd.8.tcp_wrappers openssh-7.4p1/sshd.8
|
||||
--- openssh-7.4p1/sshd.8.tcp_wrappers 2016-12-23 15:36:38.759411194 +0100
|
||||
+++ openssh-7.4p1/sshd.8 2016-12-23 15:36:38.778411197 +0100
|
||||
@@ -836,6 +836,12 @@ the user's home directory becomes access
|
||||
This file should be writable only by the user, and need not be
|
||||
readable by anyone else.
|
||||
.Pp
|
||||
+.It Pa /etc/hosts.allow
|
||||
+.It Pa /etc/hosts.deny
|
||||
+Access controls that should be enforced by tcp-wrappers are defined here.
|
||||
+Further details are described in
|
||||
+.Xr hosts_access 5 .
|
||||
+.Pp
|
||||
.It Pa /etc/hosts.equiv
|
||||
This file is for host-based authentication (see
|
||||
.Xr ssh 1 ) .
|
||||
@@ -960,6 +966,7 @@ IPv6 address can be used everywhere wher
|
||||
.Xr ssh-keygen 1 ,
|
||||
.Xr ssh-keyscan 1 ,
|
||||
.Xr chroot 2 ,
|
||||
+.Xr hosts_access 5 ,
|
||||
.Xr login.conf 5 ,
|
||||
.Xr moduli 5 ,
|
||||
.Xr sshd_config 5 ,
|
||||
diff -up openssh-7.4p1/sshd.c.tcp_wrappers openssh-7.4p1/sshd.c
|
||||
--- openssh-7.4p1/sshd.c.tcp_wrappers 2016-12-23 15:36:38.772411196 +0100
|
||||
+++ openssh-7.4p1/sshd.c 2016-12-23 15:37:15.032417028 +0100
|
||||
@@ -123,6 +123,13 @@
|
||||
#include "version.h"
|
||||
#include "ssherr.h"
|
||||
|
||||
+#ifdef LIBWRAP
|
||||
+#include <tcpd.h>
|
||||
+#include <syslog.h>
|
||||
+int allow_severity;
|
||||
+int deny_severity;
|
||||
+#endif /* LIBWRAP */
|
||||
+
|
||||
/* Re-exec fds */
|
||||
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
||||
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
||||
@@ -2012,6 +2019,24 @@ main(int ac, char **av)
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
audit_connection_from(remote_ip, remote_port);
|
||||
#endif
|
||||
+#ifdef LIBWRAP
|
||||
+ allow_severity = options.log_facility|LOG_INFO;
|
||||
+ deny_severity = options.log_facility|LOG_WARNING;
|
||||
+ /* Check whether logins are denied from this host. */
|
||||
+ if (packet_connection_is_on_socket()) {
|
||||
+ struct request_info req;
|
||||
+
|
||||
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
|
||||
+ fromhost(&req);
|
||||
+
|
||||
+ if (!hosts_access(&req)) {
|
||||
+ debug("Connection refused by tcp wrapper");
|
||||
+ refuse(&req);
|
||||
+ /* NOTREACHED */
|
||||
+ fatal("libwrap refuse returns");
|
||||
+ }
|
||||
+ }
|
||||
+#endif /* LIBWRAP */
|
||||
|
||||
/* Log the connection. */
|
||||
laddr = get_local_ipaddr(sock_in);
|
||||
517
openssh-7.4p1-expose-pam.patch
Normal file
517
openssh-7.4p1-expose-pam.patch
Normal file
|
|
@ -0,0 +1,517 @@
|
|||
diff -up openssh-7.4p1/auth2.c.expose-pam openssh-7.4p1/auth2.c
|
||||
--- openssh-7.4p1/auth2.c.expose-pam 2016-12-23 15:40:26.768447868 +0100
|
||||
+++ openssh-7.4p1/auth2.c 2016-12-23 15:40:26.818447876 +0100
|
||||
@@ -310,6 +310,7 @@ userauth_finish(Authctxt *authctxt, int
|
||||
const char *submethod)
|
||||
{
|
||||
char *methods;
|
||||
+ char *prev_auth_details;
|
||||
int partial = 0;
|
||||
|
||||
if (!authctxt->valid && authenticated)
|
||||
@@ -340,6 +341,18 @@ userauth_finish(Authctxt *authctxt, int
|
||||
if (authctxt->postponed)
|
||||
return;
|
||||
|
||||
+ if (authenticated || partial) {
|
||||
+ prev_auth_details = authctxt->auth_details;
|
||||
+ xasprintf(&authctxt->auth_details, "%s%s%s%s%s",
|
||||
+ prev_auth_details ? prev_auth_details : "",
|
||||
+ prev_auth_details ? ", " : "", method,
|
||||
+ authctxt->last_details ? ": " : "",
|
||||
+ authctxt->last_details ? authctxt->last_details : "");
|
||||
+ free(prev_auth_details);
|
||||
+ }
|
||||
+ free(authctxt->last_details);
|
||||
+ authctxt->last_details = NULL;
|
||||
+
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam && authenticated) {
|
||||
if (!PRIVSEP(do_pam_account())) {
|
||||
diff -up openssh-7.4p1/auth2-gss.c.expose-pam openssh-7.4p1/auth2-gss.c
|
||||
--- openssh-7.4p1/auth2-gss.c.expose-pam 2016-12-23 15:40:26.769447868 +0100
|
||||
+++ openssh-7.4p1/auth2-gss.c 2016-12-23 15:40:26.818447876 +0100
|
||||
@@ -276,6 +276,9 @@ input_gssapi_exchange_complete(int type,
|
||||
authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
|
||||
authctxt->pw));
|
||||
|
||||
+ if (authenticated)
|
||||
+ authctxt->last_details = ssh_gssapi_get_displayname();
|
||||
+
|
||||
authctxt->postponed = 0;
|
||||
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
|
||||
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
|
||||
@@ -322,6 +325,9 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
else
|
||||
logit("GSSAPI MIC check failed");
|
||||
|
||||
+ if (authenticated)
|
||||
+ authctxt->last_details = ssh_gssapi_get_displayname();
|
||||
+
|
||||
buffer_free(&b);
|
||||
if (micuser != authctxt->user)
|
||||
free(micuser);
|
||||
diff -up openssh-7.4p1/auth2-hostbased.c.expose-pam openssh-7.4p1/auth2-hostbased.c
|
||||
--- openssh-7.4p1/auth2-hostbased.c.expose-pam 2016-12-23 15:40:26.731447862 +0100
|
||||
+++ openssh-7.4p1/auth2-hostbased.c 2016-12-23 15:40:26.818447876 +0100
|
||||
@@ -60,7 +60,7 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
{
|
||||
Buffer b;
|
||||
Key *key = NULL;
|
||||
- char *pkalg, *cuser, *chost, *service;
|
||||
+ char *pkalg, *cuser, *chost, *service, *pubkey;
|
||||
u_char *pkblob, *sig;
|
||||
u_int alen, blen, slen;
|
||||
int pktype;
|
||||
@@ -140,15 +140,21 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
buffer_dump(&b);
|
||||
#endif
|
||||
|
||||
- pubkey_auth_info(authctxt, key,
|
||||
- "client user \"%.100s\", client host \"%.100s\"", cuser, chost);
|
||||
+ pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
|
||||
+ auth_info(authctxt,
|
||||
+ "%s, client user \"%.100s\", client host \"%.100s\"",
|
||||
+ pubkey, cuser, chost);
|
||||
|
||||
/* test for allowed key and correct signature */
|
||||
authenticated = 0;
|
||||
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
|
||||
PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
|
||||
- buffer_len(&b))) == 1)
|
||||
+ buffer_len(&b))) == 1) {
|
||||
authenticated = 1;
|
||||
+ authctxt->last_details = pubkey;
|
||||
+ } else {
|
||||
+ free(pubkey);
|
||||
+ }
|
||||
|
||||
buffer_free(&b);
|
||||
done:
|
||||
diff -up openssh-7.4p1/auth2-pubkey.c.expose-pam openssh-7.4p1/auth2-pubkey.c
|
||||
--- openssh-7.4p1/auth2-pubkey.c.expose-pam 2016-12-23 15:40:26.746447864 +0100
|
||||
+++ openssh-7.4p1/auth2-pubkey.c 2016-12-23 15:40:26.819447876 +0100
|
||||
@@ -79,7 +79,7 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
{
|
||||
Buffer b;
|
||||
Key *key = NULL;
|
||||
- char *pkalg, *userstyle, *fp = NULL;
|
||||
+ char *pkalg, *userstyle, *pubkey, *fp = NULL;
|
||||
u_char *pkblob, *sig;
|
||||
u_int alen, blen, slen;
|
||||
int have_sig, pktype;
|
||||
@@ -177,7 +177,8 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
#ifdef DEBUG_PK
|
||||
buffer_dump(&b);
|
||||
#endif
|
||||
- pubkey_auth_info(authctxt, key, NULL);
|
||||
+ pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
|
||||
+ auth_info(authctxt, "%s", pubkey);
|
||||
|
||||
/* test for correct signature */
|
||||
authenticated = 0;
|
||||
@@ -185,9 +186,12 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
|
||||
buffer_len(&b))) == 1) {
|
||||
authenticated = 1;
|
||||
+ authctxt->last_details = pubkey;
|
||||
/* Record the successful key to prevent reuse */
|
||||
auth2_record_userkey(authctxt, key);
|
||||
key = NULL; /* Don't free below */
|
||||
+ } else {
|
||||
+ free(pubkey);
|
||||
}
|
||||
buffer_free(&b);
|
||||
free(sig);
|
||||
@@ -228,7 +232,7 @@ done:
|
||||
void
|
||||
pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
|
||||
{
|
||||
- char *fp, *extra;
|
||||
+ char *extra, *pubkey;
|
||||
va_list ap;
|
||||
int i;
|
||||
|
||||
@@ -238,27 +242,13 @@ pubkey_auth_info(Authctxt *authctxt, con
|
||||
i = vasprintf(&extra, fmt, ap);
|
||||
va_end(ap);
|
||||
if (i < 0 || extra == NULL)
|
||||
- fatal("%s: vasprintf failed", __func__);
|
||||
+ fatal("%s: vasprintf failed", __func__);
|
||||
}
|
||||
|
||||
- if (key_is_cert(key)) {
|
||||
- fp = sshkey_fingerprint(key->cert->signature_key,
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT);
|
||||
- auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
|
||||
- key_type(key), key->cert->key_id,
|
||||
- (unsigned long long)key->cert->serial,
|
||||
- key_type(key->cert->signature_key),
|
||||
- fp == NULL ? "(null)" : fp,
|
||||
- extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
|
||||
- free(fp);
|
||||
- } else {
|
||||
- fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
||||
- SSH_FP_DEFAULT);
|
||||
- auth_info(authctxt, "%s %s%s%s", key_type(key),
|
||||
- fp == NULL ? "(null)" : fp,
|
||||
- extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
|
||||
- free(fp);
|
||||
- }
|
||||
+ pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
|
||||
+ auth_info(authctxt, "%s%s%s", pubkey, extra == NULL ? "" : ", ",
|
||||
+ extra == NULL ? "" : extra);
|
||||
+ free(pubkey);
|
||||
free(extra);
|
||||
}
|
||||
|
||||
diff -up openssh-7.4p1/auth.h.expose-pam openssh-7.4p1/auth.h
|
||||
--- openssh-7.4p1/auth.h.expose-pam 2016-12-23 15:40:26.782447870 +0100
|
||||
+++ openssh-7.4p1/auth.h 2016-12-23 15:40:26.819447876 +0100
|
||||
@@ -84,6 +84,9 @@ struct Authctxt {
|
||||
|
||||
struct sshkey **prev_userkeys;
|
||||
u_int nprev_userkeys;
|
||||
+
|
||||
+ char *last_details;
|
||||
+ char *auth_details;
|
||||
};
|
||||
/*
|
||||
* Every authentication method has to handle authentication requests for
|
||||
diff -up openssh-7.4p1/auth-pam.c.expose-pam openssh-7.4p1/auth-pam.c
|
||||
--- openssh-7.4p1/auth-pam.c.expose-pam 2016-12-23 15:40:26.731447862 +0100
|
||||
+++ openssh-7.4p1/auth-pam.c 2016-12-23 15:40:26.819447876 +0100
|
||||
@@ -688,6 +688,11 @@ sshpam_init_ctx(Authctxt *authctxt)
|
||||
return (NULL);
|
||||
}
|
||||
|
||||
+ /* Notify PAM about any already successful auth methods */
|
||||
+ if (options.expose_auth_methods >= EXPOSE_AUTHMETH_PAMONLY &&
|
||||
+ authctxt->auth_details)
|
||||
+ do_pam_putenv("SSH_USER_AUTH", authctxt->auth_details);
|
||||
+
|
||||
ctxt = xcalloc(1, sizeof *ctxt);
|
||||
|
||||
/* Start the authentication thread */
|
||||
diff -up openssh-7.4p1/gss-serv.c.expose-pam openssh-7.4p1/gss-serv.c
|
||||
--- openssh-7.4p1/gss-serv.c.expose-pam 2016-12-23 15:40:26.808447874 +0100
|
||||
+++ openssh-7.4p1/gss-serv.c 2016-12-23 15:40:26.819447876 +0100
|
||||
@@ -441,6 +441,16 @@ ssh_gssapi_do_child(char ***envp, u_int
|
||||
}
|
||||
|
||||
/* Privileged */
|
||||
+char*
|
||||
+ssh_gssapi_get_displayname(void)
|
||||
+{
|
||||
+ if (gssapi_client.displayname.length != 0 &&
|
||||
+ gssapi_client.displayname.value != NULL)
|
||||
+ return strdup((char *)gssapi_client.displayname.value);
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
+/* Privileged */
|
||||
int
|
||||
ssh_gssapi_userok(char *user, struct passwd *pw)
|
||||
{
|
||||
diff -up openssh-7.4p1/monitor.c.expose-pam openssh-7.4p1/monitor.c
|
||||
--- openssh-7.4p1/monitor.c.expose-pam 2016-12-23 15:40:26.794447872 +0100
|
||||
+++ openssh-7.4p1/monitor.c 2016-12-23 15:41:16.473455863 +0100
|
||||
@@ -300,6 +300,7 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
{
|
||||
struct mon_table *ent;
|
||||
int authenticated = 0, partial = 0;
|
||||
+ char *prev_auth_details;
|
||||
|
||||
debug3("preauth child monitor started");
|
||||
|
||||
@@ -330,6 +331,18 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
auth_submethod = NULL;
|
||||
authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
|
||||
|
||||
+ if (authenticated) {
|
||||
+ prev_auth_details = authctxt->auth_details;
|
||||
+ xasprintf(&authctxt->auth_details, "%s%s%s%s%s",
|
||||
+ prev_auth_details ? prev_auth_details : "",
|
||||
+ prev_auth_details ? ", " : "", auth_method,
|
||||
+ authctxt->last_details ? ": " : "",
|
||||
+ authctxt->last_details ? authctxt->last_details : "");
|
||||
+ free(prev_auth_details);
|
||||
+ }
|
||||
+ free(authctxt->last_details);
|
||||
+ authctxt->last_details = NULL;
|
||||
+
|
||||
/* Special handling for multiple required authentications */
|
||||
if (options.num_auth_methods != 0) {
|
||||
if (authenticated &&
|
||||
@@ -1417,6 +1430,10 @@ mm_answer_keyverify(int sock, Buffer *m)
|
||||
debug3("%s: key %p signature %s",
|
||||
__func__, key, (verified == 1) ? "verified" : "unverified");
|
||||
|
||||
+ if (verified == 1)
|
||||
+ authctxt->last_details = sshkey_format_oneline(key,
|
||||
+ options.fingerprint_hash);
|
||||
+
|
||||
/* If auth was successful then record key to ensure it isn't reused */
|
||||
if (verified == 1 && key_blobtype == MM_USERKEY)
|
||||
auth2_record_userkey(authctxt, key);
|
||||
@@ -1860,6 +1877,9 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
|
||||
auth_method = "gssapi-with-mic";
|
||||
|
||||
+ if (authenticated)
|
||||
+ authctxt->last_details = ssh_gssapi_get_displayname();
|
||||
+
|
||||
/* Monitor loop will terminate if authenticated */
|
||||
return (authenticated);
|
||||
}
|
||||
diff -up openssh-7.4p1/servconf.c.expose-pam openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.expose-pam 2016-12-23 15:40:26.810447875 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2016-12-23 15:44:04.691482920 +0100
|
||||
@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions
|
||||
options->version_addendum = NULL;
|
||||
options->use_kuserok = -1;
|
||||
options->enable_k5users = -1;
|
||||
+ options->expose_auth_methods = -1;
|
||||
options->fingerprint_hash = -1;
|
||||
options->disable_forwarding = -1;
|
||||
}
|
||||
@@ -354,6 +355,8 @@ fill_default_server_options(ServerOption
|
||||
options->use_kuserok = 1;
|
||||
if (options->enable_k5users == -1)
|
||||
options->enable_k5users = 0;
|
||||
+ if (options->expose_auth_methods == -1)
|
||||
+ options->expose_auth_methods = EXPOSE_AUTHMETH_NEVER;
|
||||
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
|
||||
options->fwd_opts.streamlocal_bind_mask = 0177;
|
||||
if (options->fwd_opts.streamlocal_bind_unlink == -1)
|
||||
@@ -439,6 +442,7 @@ typedef enum {
|
||||
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
|
||||
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
||||
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
|
||||
+ sExposeAuthenticationMethods,
|
||||
sDeprecated, sIgnore, sUnsupported
|
||||
} ServerOpCodes;
|
||||
|
||||
@@ -595,6 +599,7 @@ static struct {
|
||||
{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
|
||||
{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
|
||||
{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
|
||||
+ { "exposeauthenticationmethods", sExposeAuthenticationMethods, SSHCFG_ALL },
|
||||
{ NULL, sBadOption, 0 }
|
||||
};
|
||||
|
||||
@@ -984,6 +989,12 @@ static const struct multistate multistat
|
||||
{ "local", FORWARD_LOCAL },
|
||||
{ NULL, -1 }
|
||||
};
|
||||
+static const struct multistate multistate_exposeauthmeth[] = {
|
||||
+ { "never", EXPOSE_AUTHMETH_NEVER },
|
||||
+ { "pam-only", EXPOSE_AUTHMETH_PAMONLY },
|
||||
+ { "pam-and-env", EXPOSE_AUTHMETH_PAMENV },
|
||||
+ { NULL, -1}
|
||||
+};
|
||||
|
||||
int
|
||||
process_server_config_line(ServerOptions *options, char *line,
|
||||
@@ -1902,6 +1913,11 @@ process_server_config_line(ServerOptions
|
||||
options->fingerprint_hash = value;
|
||||
break;
|
||||
|
||||
+ case sExposeAuthenticationMethods:
|
||||
+ intptr = &options->expose_auth_methods;
|
||||
+ multistate_ptr = multistate_exposeauthmeth;
|
||||
+ goto parse_multistate;
|
||||
+
|
||||
case sDeprecated:
|
||||
case sIgnore:
|
||||
case sUnsupported:
|
||||
@@ -2060,6 +2076,7 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(enable_k5users);
|
||||
M_CP_INTOPT(rekey_limit);
|
||||
M_CP_INTOPT(rekey_interval);
|
||||
+ M_CP_INTOPT(expose_auth_methods);
|
||||
|
||||
/*
|
||||
* The bind_mask is a mode_t that may be unsigned, so we can't use
|
||||
@@ -2176,6 +2193,8 @@ fmt_intarg(ServerOpCodes code, int val)
|
||||
return fmt_multistate_int(val, multistate_tcpfwd);
|
||||
case sFingerprintHash:
|
||||
return ssh_digest_alg_name(val);
|
||||
+ case sExposeAuthenticationMethods:
|
||||
+ return fmt_multistate_int(val, multistate_exposeauthmeth);
|
||||
default:
|
||||
switch (val) {
|
||||
case 0:
|
||||
@@ -2356,6 +2375,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
||||
dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
|
||||
+ dump_cfg_fmtint(sExposeAuthenticationMethods, o->expose_auth_methods);
|
||||
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
|
||||
|
||||
/* string arguments */
|
||||
diff -up openssh-7.4p1/servconf.h.expose-pam openssh-7.4p1/servconf.h
|
||||
--- openssh-7.4p1/servconf.h.expose-pam 2016-12-23 15:40:26.810447875 +0100
|
||||
+++ openssh-7.4p1/servconf.h 2016-12-23 15:40:26.821447876 +0100
|
||||
@@ -48,6 +48,11 @@
|
||||
#define FORWARD_LOCAL (1<<1)
|
||||
#define FORWARD_ALLOW (FORWARD_REMOTE|FORWARD_LOCAL)
|
||||
|
||||
+/* Expose AuthenticationMethods */
|
||||
+#define EXPOSE_AUTHMETH_NEVER 0
|
||||
+#define EXPOSE_AUTHMETH_PAMONLY 1
|
||||
+#define EXPOSE_AUTHMETH_PAMENV 2
|
||||
+
|
||||
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
|
||||
#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
|
||||
|
||||
@@ -195,6 +200,8 @@ typedef struct {
|
||||
char *auth_methods[MAX_AUTH_METHODS];
|
||||
|
||||
int fingerprint_hash;
|
||||
+
|
||||
+ int expose_auth_methods; /* EXPOSE_AUTHMETH_* above */
|
||||
} ServerOptions;
|
||||
|
||||
/* Information about the incoming connection as used by Match */
|
||||
diff -up openssh-7.4p1/session.c.expose-pam openssh-7.4p1/session.c
|
||||
--- openssh-7.4p1/session.c.expose-pam 2016-12-23 15:40:26.794447872 +0100
|
||||
+++ openssh-7.4p1/session.c 2016-12-23 15:40:26.821447876 +0100
|
||||
@@ -997,6 +997,12 @@ copy_environment(char **source, char ***
|
||||
}
|
||||
*var_val++ = '\0';
|
||||
|
||||
+ if (options.expose_auth_methods < EXPOSE_AUTHMETH_PAMENV &&
|
||||
+ strcmp(var_name, "SSH_USER_AUTH") == 0) {
|
||||
+ free(var_name);
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
debug3("Copy environment: %s=%s", var_name, var_val);
|
||||
child_set_env(env, envsize, var_name, var_val);
|
||||
|
||||
@@ -1173,6 +1179,11 @@ do_setup_env(Session *s, const char *she
|
||||
}
|
||||
#endif /* USE_PAM */
|
||||
|
||||
+ if (options.expose_auth_methods >= EXPOSE_AUTHMETH_PAMENV &&
|
||||
+ s->authctxt->auth_details)
|
||||
+ child_set_env(&env, &envsize, "SSH_USER_AUTH",
|
||||
+ s->authctxt->auth_details);
|
||||
+
|
||||
if (auth_sock_name != NULL)
|
||||
child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
|
||||
auth_sock_name);
|
||||
@@ -2561,6 +2572,9 @@ do_cleanup(Authctxt *authctxt)
|
||||
if (authctxt == NULL)
|
||||
return;
|
||||
|
||||
+ free(authctxt->auth_details);
|
||||
+ authctxt->auth_details = NULL;
|
||||
+
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam) {
|
||||
sshpam_cleanup();
|
||||
diff -up openssh-7.4p1/ssh.1.expose-pam openssh-7.4p1/ssh.1
|
||||
--- openssh-7.4p1/ssh.1.expose-pam 2016-12-23 15:40:26.810447875 +0100
|
||||
+++ openssh-7.4p1/ssh.1 2016-12-23 15:40:26.822447877 +0100
|
||||
@@ -1421,6 +1421,10 @@ server IP address, and server port numbe
|
||||
This variable contains the original command line if a forced command
|
||||
is executed.
|
||||
It can be used to extract the original arguments.
|
||||
+.It Ev SSH_USER_AUTH
|
||||
+This variable contains, for SSH2 only, a comma-separated list of authentication
|
||||
+methods that were successfuly used to authenticate. When possible, these
|
||||
+methods are extended with detailed information on the credential used.
|
||||
.It Ev SSH_TTY
|
||||
This is set to the name of the tty (path to the device) associated
|
||||
with the current shell or command.
|
||||
diff -up openssh-7.4p1/sshd_config.5.expose-pam openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.expose-pam 2016-12-23 15:40:26.822447877 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:45:22.411495421 +0100
|
||||
@@ -570,6 +570,21 @@ Disables all forwarding features, includ
|
||||
TCP and StreamLocal.
|
||||
This option overrides all other forwarding-related options and may
|
||||
simplify restricted configurations.
|
||||
+.It Cm ExposeAuthenticationMethods
|
||||
+When using SSH2, this option controls the exposure of the list of
|
||||
+successful authentication methods to PAM during the authentication
|
||||
+and to the shell environment via the
|
||||
+.Cm SSH_USER_AUTH
|
||||
+variable. See the description of this variable for more details.
|
||||
+Valid options are:
|
||||
+.Cm never
|
||||
+(Do not expose successful authentication methods),
|
||||
+.Cm pam-only
|
||||
+(Only expose them to PAM during authentication, not afterwards),
|
||||
+.Cm pam-and-env
|
||||
+(Expose them to PAM and keep them in the shell environment).
|
||||
+The default is
|
||||
+.Cm never .
|
||||
.It Cm FingerprintHash
|
||||
Specifies the hash algorithm used when logging key fingerprints.
|
||||
Valid options are:
|
||||
diff -up openssh-7.4p1/ssh-gss.h.expose-pam openssh-7.4p1/ssh-gss.h
|
||||
--- openssh-7.4p1/ssh-gss.h.expose-pam 2016-12-23 15:40:26.811447875 +0100
|
||||
+++ openssh-7.4p1/ssh-gss.h 2016-12-23 15:40:26.823447877 +0100
|
||||
@@ -159,6 +159,7 @@ int ssh_gssapi_server_check_mech(Gssctxt
|
||||
const char *);
|
||||
OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
|
||||
int ssh_gssapi_userok(char *name, struct passwd *);
|
||||
+char* ssh_gssapi_get_displayname(void);
|
||||
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
|
||||
void ssh_gssapi_do_child(char ***, u_int *);
|
||||
void ssh_gssapi_cleanup_creds(void);
|
||||
diff -up openssh-7.4p1/sshkey.c.expose-pam openssh-7.4p1/sshkey.c
|
||||
--- openssh-7.4p1/sshkey.c.expose-pam 2016-12-23 15:40:26.777447869 +0100
|
||||
+++ openssh-7.4p1/sshkey.c 2016-12-23 15:40:26.823447877 +0100
|
||||
@@ -57,6 +57,7 @@
|
||||
#define SSHKEY_INTERNAL
|
||||
#include "sshkey.h"
|
||||
#include "match.h"
|
||||
+#include "xmalloc.h"
|
||||
|
||||
/* openssh private key file format */
|
||||
#define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
|
||||
@@ -1191,6 +1192,30 @@ sshkey_fingerprint(const struct sshkey *
|
||||
return retval;
|
||||
}
|
||||
|
||||
+char *
|
||||
+sshkey_format_oneline(const struct sshkey *key, int dgst_alg)
|
||||
+{
|
||||
+ char *fp, *result;
|
||||
+
|
||||
+ if (sshkey_is_cert(key)) {
|
||||
+ fp = sshkey_fingerprint(key->cert->signature_key, dgst_alg,
|
||||
+ SSH_FP_DEFAULT);
|
||||
+ xasprintf(&result, "%s ID %s (serial %llu) CA %s %s",
|
||||
+ sshkey_type(key), key->cert->key_id,
|
||||
+ (unsigned long long)key->cert->serial,
|
||||
+ sshkey_type(key->cert->signature_key),
|
||||
+ fp == NULL ? "(null)" : fp);
|
||||
+ free(fp);
|
||||
+ } else {
|
||||
+ fp = sshkey_fingerprint(key, dgst_alg, SSH_FP_DEFAULT);
|
||||
+ xasprintf(&result, "%s %s", sshkey_type(key),
|
||||
+ fp == NULL ? "(null)" : fp);
|
||||
+ free(fp);
|
||||
+ }
|
||||
+
|
||||
+ return result;
|
||||
+}
|
||||
+
|
||||
#ifdef WITH_SSH1
|
||||
/*
|
||||
* Reads a multiple-precision integer in decimal from the buffer, and advances
|
||||
diff -up openssh-7.4p1/sshkey.h.expose-pam openssh-7.4p1/sshkey.h
|
||||
--- openssh-7.4p1/sshkey.h.expose-pam 2016-12-23 15:40:26.777447869 +0100
|
||||
+++ openssh-7.4p1/sshkey.h 2016-12-23 15:40:26.823447877 +0100
|
||||
@@ -124,6 +124,7 @@ char *sshkey_fingerprint(const struct s
|
||||
int, enum sshkey_fp_rep);
|
||||
int sshkey_fingerprint_raw(const struct sshkey *k,
|
||||
int, u_char **retp, size_t *lenp);
|
||||
+char *sshkey_format_oneline(const struct sshkey *k, int dgst_alg);
|
||||
const char *sshkey_type(const struct sshkey *);
|
||||
const char *sshkey_cert_type(const struct sshkey *);
|
||||
int sshkey_write(const struct sshkey *, FILE *);
|
||||
798
openssh-7.4p1-fips.patch
Normal file
798
openssh-7.4p1-fips.patch
Normal file
|
|
@ -0,0 +1,798 @@
|
|||
diff -up openssh-7.4p1/cipher.c.fips openssh-7.4p1/cipher.c
|
||||
--- openssh-7.4p1/cipher.c.fips 2017-02-09 14:53:47.174347449 +0100
|
||||
+++ openssh-7.4p1/cipher.c 2017-02-09 14:53:47.182347441 +0100
|
||||
@@ -39,6 +39,8 @@
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
+#include <openssl/fips.h>
|
||||
+
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
@@ -116,6 +118,24 @@ static const struct sshcipher ciphers[]
|
||||
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
|
||||
};
|
||||
|
||||
+static const struct sshcipher fips_ciphers[] = {
|
||||
+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
|
||||
+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
|
||||
+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
|
||||
+ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
|
||||
+ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
|
||||
+ { "rijndael-cbc@lysator.liu.se",
|
||||
+ SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
|
||||
+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
|
||||
+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
|
||||
+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
|
||||
+ { "aes128-gcm@openssh.com",
|
||||
+ SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
|
||||
+ { "aes256-gcm@openssh.com",
|
||||
+ SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
|
||||
+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
|
||||
+};
|
||||
+
|
||||
/*--*/
|
||||
|
||||
/* Returns a comma-separated list of supported ciphers. */
|
||||
@@ -126,7 +142,7 @@ cipher_alg_list(char sep, int auth_only)
|
||||
size_t nlen, rlen = 0;
|
||||
const struct sshcipher *c;
|
||||
|
||||
- for (c = ciphers; c->name != NULL; c++) {
|
||||
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) {
|
||||
if (c->number != SSH_CIPHER_SSH2)
|
||||
continue;
|
||||
if (auth_only && c->auth_len == 0)
|
||||
@@ -222,7 +238,7 @@ const struct sshcipher *
|
||||
cipher_by_name(const char *name)
|
||||
{
|
||||
const struct sshcipher *c;
|
||||
- for (c = ciphers; c->name != NULL; c++)
|
||||
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
|
||||
if (strcmp(c->name, name) == 0)
|
||||
return c;
|
||||
return NULL;
|
||||
@@ -232,7 +248,7 @@ const struct sshcipher *
|
||||
cipher_by_number(int id)
|
||||
{
|
||||
const struct sshcipher *c;
|
||||
- for (c = ciphers; c->name != NULL; c++)
|
||||
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
|
||||
if (c->number == id)
|
||||
return c;
|
||||
return NULL;
|
||||
@@ -273,7 +289,7 @@ cipher_number(const char *name)
|
||||
const struct sshcipher *c;
|
||||
if (name == NULL)
|
||||
return -1;
|
||||
- for (c = ciphers; c->name != NULL; c++)
|
||||
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
|
||||
if (strcasecmp(c->name, name) == 0)
|
||||
return c->number;
|
||||
return -1;
|
||||
diff -up openssh-7.4p1/cipher-ctr.c.fips openssh-7.4p1/cipher-ctr.c
|
||||
--- openssh-7.4p1/cipher-ctr.c.fips 2017-02-09 14:53:47.125347498 +0100
|
||||
+++ openssh-7.4p1/cipher-ctr.c 2017-02-09 14:53:47.182347441 +0100
|
||||
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
|
||||
aes_ctr.do_cipher = ssh_aes_ctr;
|
||||
#ifndef SSH_OLD_EVP
|
||||
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
|
||||
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
|
||||
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
|
||||
+ EVP_CIPH_FLAG_FIPS;
|
||||
#endif
|
||||
return (&aes_ctr);
|
||||
}
|
||||
diff -up openssh-7.4p1/clientloop.c.fips openssh-7.4p1/clientloop.c
|
||||
--- openssh-7.4p1/clientloop.c.fips 2017-05-30 19:10:26.537505598 +0200
|
||||
+++ openssh-7.4p1/clientloop.c 2017-05-30 19:10:26.571505583 +0200
|
||||
@@ -2452,7 +2452,7 @@ client_input_hostkeys(void)
|
||||
/* Check that the key is accepted in HostkeyAlgorithms */
|
||||
if (match_pattern_list(sshkey_ssh_name(key),
|
||||
options.hostkeyalgorithms ? options.hostkeyalgorithms :
|
||||
- KEX_DEFAULT_PK_ALG, 0) != 1) {
|
||||
+ (FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), 0) != 1) {
|
||||
debug3("%s: %s key not permitted by HostkeyAlgorithms",
|
||||
__func__, sshkey_ssh_name(key));
|
||||
continue;
|
||||
diff -up openssh-7.4p1/dh.h.fips openssh-7.4p1/dh.h
|
||||
--- openssh-7.4p1/dh.h.fips 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/dh.h 2017-02-09 14:53:47.182347441 +0100
|
||||
@@ -51,6 +51,7 @@ u_int dh_estimate(int);
|
||||
* Miniumum increased in light of DH precomputation attacks.
|
||||
*/
|
||||
#define DH_GRP_MIN 1024
|
||||
+#define DH_GRP_MIN_FIPS 2048
|
||||
#define DH_GRP_MAX 8192
|
||||
|
||||
/*
|
||||
diff -up openssh-7.4p1/entropy.c.fips openssh-7.4p1/entropy.c
|
||||
--- openssh-7.4p1/entropy.c.fips 2017-02-09 14:53:47.116347507 +0100
|
||||
+++ openssh-7.4p1/entropy.c 2017-02-09 14:53:47.182347441 +0100
|
||||
@@ -217,6 +217,9 @@ seed_rng(void)
|
||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
||||
|
||||
+ /* clean the PRNG status when exiting the program */
|
||||
+ atexit(RAND_cleanup);
|
||||
+
|
||||
#ifndef OPENSSL_PRNG_ONLY
|
||||
if (RAND_status() == 1) {
|
||||
debug3("RNG is ready, skipping seeding");
|
||||
diff -up openssh-7.4p1/kex.c.fips openssh-7.4p1/kex.c
|
||||
--- openssh-7.4p1/kex.c.fips 2017-02-09 14:53:47.174347449 +0100
|
||||
+++ openssh-7.4p1/kex.c 2017-02-09 14:53:47.183347440 +0100
|
||||
@@ -35,6 +35,7 @@
|
||||
#ifdef WITH_OPENSSL
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/dh.h>
|
||||
+#include <openssl/fips.h>
|
||||
#endif
|
||||
|
||||
#include "ssh2.h"
|
||||
@@ -124,6 +125,28 @@ static const struct kexalg kexalgs[] = {
|
||||
{ NULL, -1, -1, -1},
|
||||
};
|
||||
|
||||
+static const struct kexalg kexalgs_fips[] = {
|
||||
+ { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
+ { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
|
||||
+ { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
|
||||
+ { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
|
||||
+ { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
+#ifdef HAVE_EVP_SHA256
|
||||
+ { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
|
||||
+#endif
|
||||
+#ifdef OPENSSL_HAS_ECC
|
||||
+ { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
|
||||
+ NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
|
||||
+ { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
|
||||
+ SSH_DIGEST_SHA384 },
|
||||
+# ifdef OPENSSL_HAS_NISTP521
|
||||
+ { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
|
||||
+ SSH_DIGEST_SHA512 },
|
||||
+# endif
|
||||
+#endif
|
||||
+ { NULL, -1, -1, -1},
|
||||
+};
|
||||
+
|
||||
char *
|
||||
kex_alg_list(char sep)
|
||||
{
|
||||
@@ -151,7 +169,7 @@ kex_alg_by_name(const char *name)
|
||||
{
|
||||
const struct kexalg *k;
|
||||
|
||||
- for (k = kexalgs; k->name != NULL; k++) {
|
||||
+ for (k = (FIPS_mode() ? kexalgs_fips : kexalgs); k->name != NULL; k++) {
|
||||
if (strcmp(k->name, name) == 0)
|
||||
return k;
|
||||
#ifdef GSSAPI
|
||||
@@ -177,7 +195,10 @@ kex_names_valid(const char *names)
|
||||
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||
(p = strsep(&cp, ","))) {
|
||||
if (kex_alg_by_name(p) == NULL) {
|
||||
- error("Unsupported KEX algorithm \"%.100s\"", p);
|
||||
+ if (FIPS_mode())
|
||||
+ error("\"%.100s\" is not allowed in FIPS mode", p);
|
||||
+ else
|
||||
+ error("Unsupported KEX algorithm \"%.100s\"", p);
|
||||
free(s);
|
||||
return 0;
|
||||
}
|
||||
diff -up openssh-7.4p1/kexgexc.c.fips openssh-7.4p1/kexgexc.c
|
||||
--- openssh-7.4p1/kexgexc.c.fips 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/kexgexc.c 2017-02-09 14:53:47.183347440 +0100
|
||||
@@ -28,6 +28,7 @@
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
|
||||
+#include <openssl/fips.h>
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/dh.h>
|
||||
@@ -63,7 +64,7 @@ kexgex_client(struct ssh *ssh)
|
||||
|
||||
nbits = dh_estimate(kex->dh_need * 8);
|
||||
|
||||
- kex->min = DH_GRP_MIN;
|
||||
+ kex->min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
|
||||
kex->max = DH_GRP_MAX;
|
||||
kex->nbits = nbits;
|
||||
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
||||
diff -up openssh-7.4p1/kexgexs.c.fips openssh-7.4p1/kexgexs.c
|
||||
--- openssh-7.4p1/kexgexs.c.fips 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/kexgexs.c 2017-02-09 14:53:47.183347440 +0100
|
||||
@@ -83,9 +83,9 @@ input_kex_dh_gex_request(int type, u_int
|
||||
kex->nbits = nbits;
|
||||
kex->min = min;
|
||||
kex->max = max;
|
||||
- min = MAXIMUM(DH_GRP_MIN, min);
|
||||
+ min = MAXIMUM(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);
|
||||
max = MINIMUM(DH_GRP_MAX, max);
|
||||
- nbits = MAXIMUM(DH_GRP_MIN, nbits);
|
||||
+ nbits = MAXIMUM(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, nbits);
|
||||
nbits = MINIMUM(DH_GRP_MAX, nbits);
|
||||
|
||||
if (kex->max < kex->min || kex->nbits < kex->min ||
|
||||
diff -up openssh-7.4p1/mac.c.fips openssh-7.4p1/mac.c
|
||||
--- openssh-7.4p1/mac.c.fips 2017-02-09 14:53:47.175347448 +0100
|
||||
+++ openssh-7.4p1/mac.c 2017-02-09 14:53:47.183347440 +0100
|
||||
@@ -27,6 +27,8 @@
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
+#include <openssl/fips.h>
|
||||
+
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
|
||||
@@ -54,7 +56,7 @@ struct macalg {
|
||||
int etm; /* Encrypt-then-MAC */
|
||||
};
|
||||
|
||||
-static const struct macalg macs[] = {
|
||||
+static const struct macalg all_macs[] = {
|
||||
/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
|
||||
{ "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
|
||||
{ "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
|
||||
@@ -89,6 +91,24 @@ static const struct macalg macs[] = {
|
||||
{ NULL, 0, 0, 0, 0, 0, 0 }
|
||||
};
|
||||
|
||||
+static const struct macalg fips_macs[] = {
|
||||
+ /* Encrypt-and-MAC (encrypt-and-authenticate) variants */
|
||||
+ { "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
|
||||
+#ifdef HAVE_EVP_SHA256
|
||||
+ { "hmac-sha2-256", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 0 },
|
||||
+ { "hmac-sha2-512", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 0 },
|
||||
+#endif
|
||||
+
|
||||
+ /* Encrypt-then-MAC variants */
|
||||
+ { "hmac-sha1-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 1 },
|
||||
+#ifdef HAVE_EVP_SHA256
|
||||
+ { "hmac-sha2-256-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 1 },
|
||||
+ { "hmac-sha2-512-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 1 },
|
||||
+#endif
|
||||
+
|
||||
+ { NULL, 0, 0, 0, 0, 0, 0 }
|
||||
+};
|
||||
+
|
||||
/* Returns a list of supported MACs separated by the specified char. */
|
||||
char *
|
||||
mac_alg_list(char sep)
|
||||
@@ -97,7 +117,7 @@ mac_alg_list(char sep)
|
||||
size_t nlen, rlen = 0;
|
||||
const struct macalg *m;
|
||||
|
||||
- for (m = macs; m->name != NULL; m++) {
|
||||
+ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
|
||||
if (ret != NULL)
|
||||
ret[rlen++] = sep;
|
||||
nlen = strlen(m->name);
|
||||
@@ -136,7 +156,7 @@ mac_setup(struct sshmac *mac, char *name
|
||||
{
|
||||
const struct macalg *m;
|
||||
|
||||
- for (m = macs; m->name != NULL; m++) {
|
||||
+ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
|
||||
if (strcmp(name, m->name) != 0)
|
||||
continue;
|
||||
if (mac != NULL)
|
||||
diff -up openssh-7.4p1/Makefile.in.fips openssh-7.4p1/Makefile.in
|
||||
--- openssh-7.4p1/Makefile.in.fips 2017-02-09 14:53:47.175347448 +0100
|
||||
+++ openssh-7.4p1/Makefile.in 2017-02-09 14:53:47.184347440 +0100
|
||||
@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
$(RANLIB) $@
|
||||
|
||||
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
||||
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
||||
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
||||
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
|
||||
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
|
||||
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
|
||||
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o
|
||||
- $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
||||
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
@@ -205,7 +205,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
|
||||
$(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
||||
- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
diff -up openssh-7.4p1/myproposal.h.fips openssh-7.4p1/myproposal.h
|
||||
--- openssh-7.4p1/myproposal.h.fips 2017-05-30 19:10:26.535505599 +0200
|
||||
+++ openssh-7.4p1/myproposal.h 2017-05-30 19:10:26.574505582 +0200
|
||||
@@ -119,6 +119,14 @@
|
||||
"ssh-rsa," \
|
||||
"ssh-dss"
|
||||
|
||||
+#define KEX_FIPS_PK_ALG \
|
||||
+ HOSTKEY_ECDSA_CERT_METHODS \
|
||||
+ "ssh-rsa-cert-v01@openssh.com," \
|
||||
+ HOSTKEY_ECDSA_METHODS \
|
||||
+ "rsa-sha2-512," \
|
||||
+ "rsa-sha2-256," \
|
||||
+ "ssh-rsa"
|
||||
+
|
||||
/* the actual algorithms */
|
||||
|
||||
#define KEX_CLIENT_ENCRYPT \
|
||||
@@ -144,6 +152,38 @@
|
||||
|
||||
#define KEX_CLIENT_MAC KEX_SERVER_MAC
|
||||
|
||||
+#define KEX_FIPS_ENCRYPT \
|
||||
+ "aes128-ctr,aes192-ctr,aes256-ctr" \
|
||||
+ AESGCM_CIPHER_MODES "," \
|
||||
+ "aes128-cbc,3des-cbc," \
|
||||
+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se"
|
||||
+#ifdef HAVE_EVP_SHA256
|
||||
+# define KEX_DEFAULT_KEX_FIPS \
|
||||
+ KEX_ECDH_METHODS \
|
||||
+ KEX_SHA2_METHODS \
|
||||
+ "diffie-hellman-group14-sha256"
|
||||
+# define KEX_FIPS_MAC \
|
||||
+ "hmac-sha1," \
|
||||
+ "hmac-sha2-256," \
|
||||
+ "hmac-sha2-512," \
|
||||
+ "hmac-sha1-etm@openssh.com," \
|
||||
+ "hmac-sha2-256-etm@openssh.com," \
|
||||
+ "hmac-sha2-512-etm@openssh.com"
|
||||
+#else
|
||||
+# ifdef OPENSSL_HAS_NISTP521
|
||||
+# define KEX_DEFAULT_KEX_FIPS \
|
||||
+ "ecdh-sha2-nistp256," \
|
||||
+ "ecdh-sha2-nistp384," \
|
||||
+ "ecdh-sha2-nistp521"
|
||||
+# else
|
||||
+# define KEX_DEFAULT_KEX_FIPS \
|
||||
+ "ecdh-sha2-nistp256," \
|
||||
+ "ecdh-sha2-nistp384"
|
||||
+# endif
|
||||
+#define KEX_FIPS_MAC \
|
||||
+ "hmac-sha1"
|
||||
+#endif
|
||||
+
|
||||
#else /* WITH_OPENSSL */
|
||||
|
||||
#define KEX_SERVER_KEX \
|
||||
diff -up openssh-7.4p1/readconf.c.fips openssh-7.4p1/readconf.c
|
||||
--- openssh-7.4p1/readconf.c.fips 2017-02-09 14:53:47.185347438 +0100
|
||||
+++ openssh-7.4p1/readconf.c 2017-02-09 14:56:24.840191308 +0100
|
||||
@@ -2104,12 +2104,17 @@ fill_default_options(Options * options)
|
||||
}
|
||||
if (options->update_hostkeys == -1)
|
||||
options->update_hostkeys = 0;
|
||||
- if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
|
||||
- kex_assemble_names(KEX_CLIENT_MAC, &options->macs) != 0 ||
|
||||
- kex_assemble_names(KEX_CLIENT_KEX, &options->kex_algorithms) != 0 ||
|
||||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
||||
+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT
|
||||
+ : KEX_CLIENT_ENCRYPT), &options->ciphers) != 0 ||
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC
|
||||
+ : KEX_CLIENT_MAC), &options->macs) != 0 ||
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS
|
||||
+ : KEX_CLIENT_KEX), &options->kex_algorithms) != 0 ||
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
|
||||
+ : KEX_DEFAULT_PK_ALG),
|
||||
&options->hostbased_key_types) != 0 ||
|
||||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
|
||||
+ : KEX_DEFAULT_PK_ALG),
|
||||
&options->pubkey_key_types) != 0)
|
||||
fatal("%s: kex_assemble_names failed", __func__);
|
||||
|
||||
@@ -2559,7 +2564,8 @@ dump_client_config(Options *o, const cha
|
||||
char buf[8];
|
||||
|
||||
/* This is normally prepared in ssh_kex2 */
|
||||
- if (kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->hostkeyalgorithms) != 0)
|
||||
+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
|
||||
+ : KEX_DEFAULT_PK_ALG), &o->hostkeyalgorithms) != 0)
|
||||
fatal("%s: kex_assemble_names failed", __func__);
|
||||
|
||||
/* Most interesting options first: user, host, port */
|
||||
diff -up openssh-7.4p1/sandbox-seccomp-filter.c.fips openssh-7.4p1/sandbox-seccomp-filter.c
|
||||
--- openssh-7.4p1/sandbox-seccomp-filter.c.fips 2017-02-09 14:53:47.177347446 +0100
|
||||
+++ openssh-7.4p1/sandbox-seccomp-filter.c 2017-02-09 14:53:47.185347438 +0100
|
||||
@@ -118,6 +118,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_open
|
||||
SC_DENY(open, EACCES),
|
||||
#endif
|
||||
+#ifdef __NR_socket
|
||||
+ SC_DENY(socket, EACCES),
|
||||
+#endif
|
||||
#ifdef __NR_openat
|
||||
SC_DENY(openat, EACCES),
|
||||
#endif
|
||||
diff -up openssh-7.4p1/servconf.c.fips openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.fips 2017-06-07 13:07:28.403983349 +0200
|
||||
+++ openssh-7.4p1/servconf.c 2017-06-07 13:09:46.710997099 +0200
|
||||
@@ -185,14 +185,20 @@ option_clear_or_none(const char *o)
|
||||
static void
|
||||
assemble_algorithms(ServerOptions *o)
|
||||
{
|
||||
- if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 ||
|
||||
- kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 ||
|
||||
- kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 ||
|
||||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
||||
+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT
|
||||
+ : KEX_SERVER_ENCRYPT), &o->ciphers) != 0 ||
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC
|
||||
+ : KEX_SERVER_MAC), &o->macs) != 0 ||
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS
|
||||
+ : KEX_SERVER_KEX), &o->kex_algorithms) != 0 ||
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
|
||||
+ : KEX_DEFAULT_PK_ALG),
|
||||
&o->hostkeyalgorithms) != 0 ||
|
||||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
|
||||
+ : KEX_DEFAULT_PK_ALG),
|
||||
&o->hostbased_key_types) != 0 ||
|
||||
- kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0)
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
|
||||
+ : KEX_DEFAULT_PK_ALG), &o->pubkey_key_types) != 0)
|
||||
fatal("kex_assemble_names failed");
|
||||
}
|
||||
|
||||
@@ -2390,8 +2396,10 @@ dump_config(ServerOptions *o)
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
dump_cfg_string(sXAuthLocation, o->xauth_location);
|
||||
- dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
|
||||
- dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
|
||||
+ dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : FIPS_mode()
|
||||
+ ? KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT);
|
||||
+ dump_cfg_string(sMacs, o->macs ? o->macs : FIPS_mode()
|
||||
+ ? KEX_FIPS_MAC : KEX_SERVER_MAC);
|
||||
dump_cfg_string(sBanner, o->banner == NULL ? "none" : o->banner);
|
||||
dump_cfg_string(sForceCommand, o->adm_forced_command);
|
||||
dump_cfg_string(sChrootDirectory, o->chroot_directory);
|
||||
@@ -2406,14 +2414,17 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
|
||||
dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
|
||||
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
|
||||
- dump_cfg_string(sKexAlgorithms,
|
||||
- o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
|
||||
+ dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
|
||||
+ FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX);
|
||||
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
|
||||
- o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
|
||||
+ o->hostbased_key_types : (FIPS_mode() ? KEX_FIPS_PK_ALG
|
||||
+ : KEX_DEFAULT_PK_ALG));
|
||||
dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
|
||||
- o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
|
||||
+ o->hostkeyalgorithms : (FIPS_mode() ? KEX_FIPS_PK_ALG
|
||||
+ : KEX_DEFAULT_PK_ALG));
|
||||
dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
|
||||
- o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
|
||||
+ o->pubkey_key_types : (FIPS_mode() ? KEX_FIPS_PK_ALG
|
||||
+ : KEX_DEFAULT_PK_ALG));
|
||||
|
||||
/* string arguments requiring a lookup */
|
||||
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
|
||||
diff -up openssh-7.4p1/ssh.c.fips openssh-7.4p1/ssh.c
|
||||
--- openssh-7.4p1/ssh.c.fips 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/ssh.c 2017-02-09 14:53:47.185347438 +0100
|
||||
@@ -76,6 +76,8 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
#endif
|
||||
+#include <openssl/fips.h>
|
||||
+#include <fipscheck.h>
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
@@ -530,6 +532,14 @@ main(int ac, char **av)
|
||||
sanitise_stdfd();
|
||||
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
+ SSLeay_add_all_algorithms();
|
||||
+ if (access("/etc/system-fips", F_OK) == 0)
|
||||
+ if (! FIPSCHECK_verify(NULL, NULL)){
|
||||
+ if (FIPS_mode())
|
||||
+ fatal("FIPS integrity verification test failed.");
|
||||
+ else
|
||||
+ logit("FIPS integrity verification test failed.");
|
||||
+ }
|
||||
|
||||
#ifndef HAVE_SETPROCTITLE
|
||||
/* Prepare for later setproctitle emulation */
|
||||
@@ -609,6 +619,9 @@ main(int ac, char **av)
|
||||
"ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
|
||||
switch (opt) {
|
||||
case '1':
|
||||
+ if (FIPS_mode()) {
|
||||
+ fatal("Protocol 1 not allowed in the FIPS mode.");
|
||||
+ }
|
||||
options.protocol = SSH_PROTO_1;
|
||||
break;
|
||||
case '2':
|
||||
@@ -964,7 +977,6 @@ main(int ac, char **av)
|
||||
host_arg = xstrdup(host);
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
- OpenSSL_add_all_algorithms();
|
||||
ERR_load_crypto_strings();
|
||||
#endif
|
||||
|
||||
@@ -1175,6 +1187,10 @@ main(int ac, char **av)
|
||||
|
||||
seed_rng();
|
||||
|
||||
+ if (FIPS_mode()) {
|
||||
+ logit("FIPS mode initialized");
|
||||
+ }
|
||||
+
|
||||
if (options.user == NULL)
|
||||
options.user = xstrdup(pw->pw_name);
|
||||
|
||||
@@ -1263,6 +1279,12 @@ main(int ac, char **av)
|
||||
|
||||
timeout_ms = options.connection_timeout * 1000;
|
||||
|
||||
+ if (FIPS_mode()) {
|
||||
+ options.protocol &= SSH_PROTO_2;
|
||||
+ if (options.protocol == 0)
|
||||
+ fatal("Protocol 2 disabled by configuration but required in the FIPS mode.");
|
||||
+ }
|
||||
+
|
||||
/* Open a connection to the remote host. */
|
||||
if (ssh_connect(host, addrs, &hostaddr, options.port,
|
||||
options.address_family, options.connection_attempts,
|
||||
diff -up openssh-7.4p1/sshconnect2.c.fips openssh-7.4p1/sshconnect2.c
|
||||
--- openssh-7.4p1/sshconnect2.c.fips 2017-02-09 14:53:47.162347461 +0100
|
||||
+++ openssh-7.4p1/sshconnect2.c 2017-02-09 14:53:47.186347437 +0100
|
||||
@@ -44,6 +44,8 @@
|
||||
#include <vis.h>
|
||||
#endif
|
||||
|
||||
+#include <openssl/fips.h>
|
||||
+
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
#include "xmalloc.h"
|
||||
@@ -117,7 +119,8 @@ order_hostkeyalgs(char *host, struct soc
|
||||
for (i = 0; i < options.num_system_hostfiles; i++)
|
||||
load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
|
||||
|
||||
- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
|
||||
+ oavail = avail = xstrdup((FIPS_mode()
|
||||
+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
|
||||
maxlen = strlen(avail) + 1;
|
||||
first = xmalloc(maxlen);
|
||||
last = xmalloc(maxlen);
|
||||
@@ -172,21 +175,26 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
|
||||
#ifdef GSSAPI
|
||||
if (options.gss_keyex) {
|
||||
- /* Add the GSSAPI mechanisms currently supported on this
|
||||
- * client to the key exchange algorithm proposal */
|
||||
- orig = options.kex_algorithms;
|
||||
-
|
||||
- if (options.gss_trust_dns)
|
||||
- gss_host = (char *)get_canonical_hostname(active_state, 1);
|
||||
- else
|
||||
- gss_host = host;
|
||||
-
|
||||
- gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||
- options.gss_client_identity, options.gss_kex_algorithms);
|
||||
- if (gss) {
|
||||
- debug("Offering GSSAPI proposal: %s", gss);
|
||||
- xasprintf(&options.kex_algorithms,
|
||||
- "%s,%s", gss, orig);
|
||||
+ if (FIPS_mode()) {
|
||||
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
|
||||
+ options.gss_keyex = 0;
|
||||
+ } else {
|
||||
+ /* Add the GSSAPI mechanisms currently supported on this
|
||||
+ * client to the key exchange algorithm proposal */
|
||||
+ orig = options.kex_algorithms;
|
||||
+
|
||||
+ if (options.gss_trust_dns)
|
||||
+ gss_host = (char *)get_canonical_hostname(active_state, 1);
|
||||
+ else
|
||||
+ gss_host = host;
|
||||
+
|
||||
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||
+ options.gss_client_identity, options.gss_kex_algorithms);
|
||||
+ if (gss) {
|
||||
+ debug("Offering GSSAPI proposal: %s", gss);
|
||||
+ xasprintf(&options.kex_algorithms,
|
||||
+ "%s,%s", gss, orig);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
#endif
|
||||
@@ -204,14 +212,16 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
||||
if (options.hostkeyalgorithms != NULL) {
|
||||
- if (kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
||||
+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
|
||||
+ : KEX_DEFAULT_PK_ALG),
|
||||
&options.hostkeyalgorithms) != 0)
|
||||
fatal("%s: kex_assemble_namelist", __func__);
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
||||
compat_pkalg_proposal(options.hostkeyalgorithms);
|
||||
} else {
|
||||
/* Enforce default */
|
||||
- options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
|
||||
+ options.hostkeyalgorithms = xstrdup((FIPS_mode()
|
||||
+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
|
||||
/* Prefer algorithms that we already have keys for */
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
||||
compat_pkalg_proposal(
|
||||
diff -up openssh-7.4p1/sshd.c.fips openssh-7.4p1/sshd.c
|
||||
--- openssh-7.4p1/sshd.c.fips 2017-02-09 14:53:47.178347445 +0100
|
||||
+++ openssh-7.4p1/sshd.c 2017-02-09 14:53:47.186347437 +0100
|
||||
@@ -66,6 +66,7 @@
|
||||
#include <grp.h>
|
||||
#include <pwd.h>
|
||||
#include <signal.h>
|
||||
+#include <syslog.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
@@ -77,6 +78,8 @@
|
||||
#include <openssl/dh.h>
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/rand.h>
|
||||
+#include <openssl/fips.h>
|
||||
+#include <fipscheck.h>
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#endif
|
||||
|
||||
@@ -1471,6 +1474,18 @@ main(int ac, char **av)
|
||||
#endif
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
|
||||
+ SSLeay_add_all_algorithms();
|
||||
+ if (access("/etc/system-fips", F_OK) == 0)
|
||||
+ if (! FIPSCHECK_verify(NULL, NULL)) {
|
||||
+ openlog(__progname, LOG_PID, LOG_AUTHPRIV);
|
||||
+ if (FIPS_mode()) {
|
||||
+ syslog(LOG_CRIT, "FIPS integrity verification test failed.");
|
||||
+ cleanup_exit(255);
|
||||
+ }
|
||||
+ else
|
||||
+ syslog(LOG_INFO, "FIPS integrity verification test failed.");
|
||||
+ closelog();
|
||||
+ }
|
||||
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
||||
saved_argc = ac;
|
||||
rexec_argc = ac;
|
||||
@@ -1619,7 +1634,7 @@ main(int ac, char **av)
|
||||
else
|
||||
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
|
||||
|
||||
-#ifdef WITH_OPENSSL
|
||||
+#if 0 /* FIPS */
|
||||
OpenSSL_add_all_algorithms();
|
||||
#endif
|
||||
|
||||
@@ -1928,6 +1943,10 @@ main(int ac, char **av)
|
||||
/* Reinitialize the log (because of the fork above). */
|
||||
log_init(__progname, options.log_level, options.log_facility, log_stderr);
|
||||
|
||||
+ if (FIPS_mode()) {
|
||||
+ logit("FIPS mode initialized");
|
||||
+ }
|
||||
+
|
||||
/* Chdir to the root directory so that the current disk can be
|
||||
unmounted if desired. */
|
||||
if (chdir("/") == -1)
|
||||
@@ -2282,10 +2301,14 @@ do_ssh2_kex(void)
|
||||
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
|
||||
orig = NULL;
|
||||
|
||||
- if (options.gss_keyex)
|
||||
- gss = ssh_gssapi_server_mechanisms();
|
||||
- else
|
||||
- gss = NULL;
|
||||
+ if (options.gss_keyex) {
|
||||
+ if (FIPS_mode()) {
|
||||
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
|
||||
+ options.gss_keyex = 0;
|
||||
+ } else {
|
||||
+ gss = ssh_gssapi_server_mechanisms();
|
||||
+ }
|
||||
+ }
|
||||
|
||||
if (gss && orig)
|
||||
xasprintf(&newstr, "%s,%s", gss, orig);
|
||||
diff -up openssh-7.4p1/sshkey.c.fips openssh-7.4p1/sshkey.c
|
||||
--- openssh-7.4p1/sshkey.c.fips 2017-02-09 14:53:47.179347444 +0100
|
||||
+++ openssh-7.4p1/sshkey.c 2017-02-09 14:58:02.117094971 +0100
|
||||
@@ -34,6 +34,7 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/pem.h>
|
||||
+#include <openssl/fips.h>
|
||||
#endif
|
||||
|
||||
#include "crypto_api.h"
|
||||
@@ -57,6 +58,7 @@
|
||||
#include "sshkey.h"
|
||||
#include "match.h"
|
||||
#include "xmalloc.h"
|
||||
+#include "log.h"
|
||||
|
||||
/* openssh private key file format */
|
||||
#define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
|
||||
@@ -1555,6 +1557,8 @@ rsa_generate_private_key(u_int bits, RSA
|
||||
}
|
||||
if (!BN_set_word(f4, RSA_F4) ||
|
||||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
|
||||
+ if (FIPS_mode())
|
||||
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
|
||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
goto out;
|
||||
}
|
||||
@@ -3921,8 +3925,11 @@ sshkey_parse_private_fileblob_type(struc
|
||||
switch (type) {
|
||||
#ifdef WITH_SSH1
|
||||
case KEY_RSA1:
|
||||
- return sshkey_parse_private_rsa1(blob, passphrase,
|
||||
- keyp, commentp);
|
||||
+ if (! FIPS_mode())
|
||||
+ return sshkey_parse_private_rsa1(blob, passphrase,
|
||||
+ keyp, commentp);
|
||||
+ error("%s: cannot parse rsa1 key in FIPS mode", __func__);
|
||||
+ return SSH_ERR_KEY_TYPE_UNKNOWN;
|
||||
#endif /* WITH_SSH1 */
|
||||
#ifdef WITH_OPENSSL
|
||||
case KEY_DSA:
|
||||
@@ -3961,8 +3968,9 @@ sshkey_parse_private_fileblob(struct ssh
|
||||
#ifdef WITH_SSH1
|
||||
/* it's a SSH v1 key if the public key part is readable */
|
||||
if (sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL) == 0) {
|
||||
- return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1,
|
||||
- passphrase, keyp, commentp);
|
||||
+ if (!FIPS_mode())
|
||||
+ return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1,
|
||||
+ passphrase, keyp, commentp);
|
||||
}
|
||||
#endif /* WITH_SSH1 */
|
||||
return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
|
||||
diff -up openssh-7.4p1/ssh-keygen.c.fips openssh-7.4p1/ssh-keygen.c
|
||||
--- openssh-7.4p1/ssh-keygen.c.fips 2017-05-22 13:50:06.731776762 +0200
|
||||
+++ openssh-7.4p1/ssh-keygen.c 2017-05-22 13:50:11.843773909 +0200
|
||||
@@ -215,6 +215,12 @@ type_bits_valid(int type, const char *na
|
||||
OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
|
||||
if (*bitsp > maxbits)
|
||||
fatal("key bits exceeds maximum %d", maxbits);
|
||||
+ if (FIPS_mode()) {
|
||||
+ if (type == KEY_DSA)
|
||||
+ fatal("DSA keys are not allowed in FIPS mode");
|
||||
+ if (type == KEY_ED25519)
|
||||
+ fatal("ED25519 keys are not allowed in FIPS mode");
|
||||
+ }
|
||||
if (type == KEY_DSA && *bitsp != 1024)
|
||||
fatal("DSA keys must be 1024 bits");
|
||||
else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 1024)
|
||||
File diff suppressed because it is too large
Load diff
28
openssh-7.4p1-gss-strict-acceptor.patch
Normal file
28
openssh-7.4p1-gss-strict-acceptor.patch
Normal file
|
|
@ -0,0 +1,28 @@
|
|||
From 13bd2e2d622d01dc85d22b94520a5b243d006049 Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Fri, 6 Jan 2017 03:45:41 +0000
|
||||
Subject: [PATCH] upstream commit
|
||||
|
||||
sshd_config is documented to set
|
||||
GSSAPIStrictAcceptorCheck=yes by default, so actually make it do this.
|
||||
bz#2637 ok dtucker
|
||||
|
||||
Upstream-ID: 99ef8ac51f17f0f7aec166cb2e34228d4d72a665
|
||||
---
|
||||
servconf.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index 795ddbab7..c9105a592 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -270,7 +270,7 @@ fill_default_server_options(ServerOptions *options)
|
||||
if (options->gss_cleanup_creds == -1)
|
||||
options->gss_cleanup_creds = 1;
|
||||
if (options->gss_strict_acceptor == -1)
|
||||
- options->gss_strict_acceptor = 0;
|
||||
+ options->gss_strict_acceptor = 1;
|
||||
if (options->gss_store_rekey == -1)
|
||||
options->gss_store_rekey = 0;
|
||||
if (options->password_authentication == -1)
|
||||
|
||||
410
openssh-7.4p1-gssKexAlgorithms.patch
Normal file
410
openssh-7.4p1-gssKexAlgorithms.patch
Normal file
|
|
@ -0,0 +1,410 @@
|
|||
diff -up openssh-7.4p1/gss-genr.c.gsskexalg openssh-7.4p1/gss-genr.c
|
||||
--- openssh-7.4p1/gss-genr.c.gsskexalg 2017-02-09 10:46:50.417893132 +0100
|
||||
+++ openssh-7.4p1/gss-genr.c 2017-02-09 10:46:50.448893107 +0100
|
||||
@@ -77,7 +77,8 @@ ssh_gssapi_oid_table_ok() {
|
||||
*/
|
||||
|
||||
char *
|
||||
-ssh_gssapi_client_mechanisms(const char *host, const char *client) {
|
||||
+ssh_gssapi_client_mechanisms(const char *host, const char *client,
|
||||
+ const char *kex) {
|
||||
gss_OID_set gss_supported;
|
||||
OM_uint32 min_status;
|
||||
|
||||
@@ -85,12 +86,12 @@ ssh_gssapi_client_mechanisms(const char
|
||||
return NULL;
|
||||
|
||||
return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
|
||||
- host, client));
|
||||
+ host, client, kex));
|
||||
}
|
||||
|
||||
char *
|
||||
ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
|
||||
- const char *host, const char *client) {
|
||||
+ const char *host, const char *client, const char *kex) {
|
||||
Buffer buf;
|
||||
size_t i;
|
||||
int oidpos, enclen;
|
||||
@@ -99,6 +100,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||
char deroid[2];
|
||||
const EVP_MD *evp_md = EVP_md5();
|
||||
EVP_MD_CTX md;
|
||||
+ char *s, *cp, *p;
|
||||
|
||||
if (gss_enc2oid != NULL) {
|
||||
for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
|
||||
@@ -112,6 +114,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||
buffer_init(&buf);
|
||||
|
||||
oidpos = 0;
|
||||
+ s = cp = strdup(kex);
|
||||
for (i = 0; i < gss_supported->count; i++) {
|
||||
if (gss_supported->elements[i].length < 128 &&
|
||||
(*check)(NULL, &(gss_supported->elements[i]), host, client)) {
|
||||
@@ -130,26 +133,22 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||
enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
|
||||
encoded, EVP_MD_size(evp_md) * 2);
|
||||
|
||||
- if (oidpos != 0)
|
||||
- buffer_put_char(&buf, ',');
|
||||
-
|
||||
- buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
|
||||
- sizeof(KEX_GSS_GEX_SHA1_ID) - 1);
|
||||
- buffer_append(&buf, encoded, enclen);
|
||||
- buffer_put_char(&buf, ',');
|
||||
- buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID,
|
||||
- sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);
|
||||
- buffer_append(&buf, encoded, enclen);
|
||||
- buffer_put_char(&buf, ',');
|
||||
- buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,
|
||||
- sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);
|
||||
- buffer_append(&buf, encoded, enclen);
|
||||
+ cp = strncpy(s, kex, strlen(kex));
|
||||
+ for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||
+ (p = strsep(&cp, ","))) {
|
||||
+ if (buffer_len(&buf) != 0)
|
||||
+ buffer_put_char(&buf, ',');
|
||||
+ buffer_append(&buf, p,
|
||||
+ strlen(p));
|
||||
+ buffer_append(&buf, encoded, enclen);
|
||||
+ }
|
||||
|
||||
gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
|
||||
gss_enc2oid[oidpos].encoded = encoded;
|
||||
oidpos++;
|
||||
}
|
||||
}
|
||||
+ free(s);
|
||||
gss_enc2oid[oidpos].oid = NULL;
|
||||
gss_enc2oid[oidpos].encoded = NULL;
|
||||
|
||||
diff -up openssh-7.4p1/gss-serv.c.gsskexalg openssh-7.4p1/gss-serv.c
|
||||
--- openssh-7.4p1/gss-serv.c.gsskexalg 2017-02-09 10:46:50.449893106 +0100
|
||||
+++ openssh-7.4p1/gss-serv.c 2017-02-09 10:55:12.189422901 +0100
|
||||
@@ -149,7 +149,7 @@ ssh_gssapi_server_mechanisms() {
|
||||
if (supported_oids == NULL)
|
||||
ssh_gssapi_prepare_supported_oids();
|
||||
return (ssh_gssapi_kex_mechs(supported_oids,
|
||||
- &ssh_gssapi_server_check_mech, NULL, NULL));
|
||||
+ &ssh_gssapi_server_check_mech, NULL, NULL, options.gss_kex_algorithms));
|
||||
}
|
||||
|
||||
/* Unprivileged */
|
||||
diff -up openssh-7.4p1/kex.c.gsskexalg openssh-7.4p1/kex.c
|
||||
--- openssh-7.4p1/kex.c.gsskexalg 2017-02-09 10:46:50.449893106 +0100
|
||||
+++ openssh-7.4p1/kex.c 2017-02-09 10:55:44.008393539 +0100
|
||||
@@ -248,6 +248,29 @@ kex_assemble_names(const char *def, char
|
||||
return 0;
|
||||
}
|
||||
|
||||
+/* Validate GSS KEX method name list */
|
||||
+int
|
||||
+gss_kex_names_valid(const char *names)
|
||||
+{
|
||||
+ char *s, *cp, *p;
|
||||
+
|
||||
+ if (names == NULL || *names == '\0')
|
||||
+ return 0;
|
||||
+ s = cp = strdup(names);
|
||||
+ for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||
+ (p = strsep(&cp, ","))) {
|
||||
+ if (strncmp(p, "gss-", 4) != 0
|
||||
+ || kex_alg_by_name(p) == NULL) {
|
||||
+ error("Unsupported KEX algorithm \"%.100s\"", p);
|
||||
+ free(s);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+ debug3("gss kex names ok: [%s]", names);
|
||||
+ free(s);
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
/* put algorithm proposal into buffer */
|
||||
int
|
||||
kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
|
||||
diff -up openssh-7.4p1/kex.h.gsskexalg openssh-7.4p1/kex.h
|
||||
--- openssh-7.4p1/kex.h.gsskexalg 2017-02-09 10:46:50.452893104 +0100
|
||||
+++ openssh-7.4p1/kex.h 2017-02-09 11:02:35.313012903 +0100
|
||||
@@ -179,6 +179,7 @@ struct kex {
|
||||
char *kex_alg_list(char);
|
||||
char *kex_names_cat(const char *, const char *);
|
||||
int kex_assemble_names(const char *, char **);
|
||||
+int gss_kex_names_valid(const char *);
|
||||
|
||||
int kex_new(struct ssh *, char *[PROPOSAL_MAX], struct kex **);
|
||||
int kex_setup(struct ssh *, char *[PROPOSAL_MAX]);
|
||||
diff -up openssh-7.4p1/readconf.c.gsskexalg openssh-7.4p1/readconf.c
|
||||
--- openssh-7.4p1/readconf.c.gsskexalg 2017-02-09 10:46:50.420893129 +0100
|
||||
+++ openssh-7.4p1/readconf.c 2017-02-09 10:56:06.759372540 +0100
|
||||
@@ -64,6 +64,7 @@
|
||||
#include "uidswap.h"
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
+#include "ssh-gss.h"
|
||||
|
||||
/* Format of the configuration file:
|
||||
|
||||
@@ -161,7 +162,7 @@ typedef enum {
|
||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
||||
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
||||
oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
|
||||
- oGssServerIdentity,
|
||||
+ oGssServerIdentity, oGssKexAlgorithms,
|
||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||
oSendEnv, oControlPath, oControlMaster, oControlPersist,
|
||||
oHashKnownHosts,
|
||||
@@ -213,6 +214,7 @@ static struct {
|
||||
{ "gssapiclientidentity", oGssClientIdentity },
|
||||
{ "gssapiserveridentity", oGssServerIdentity },
|
||||
{ "gssapirenewalforcesrekey", oGssRenewalRekey },
|
||||
+ { "gssapikexalgorithms", oGssKexAlgorithms },
|
||||
#else
|
||||
{ "gssapiauthentication", oUnsupported },
|
||||
{ "gssapikeyexchange", oUnsupported },
|
||||
@@ -220,6 +222,7 @@ static struct {
|
||||
{ "gssapitrustdns", oUnsupported },
|
||||
{ "gssapiclientidentity", oUnsupported },
|
||||
{ "gssapirenewalforcesrekey", oUnsupported },
|
||||
+ { "gssapikexalgorithms", oUnsupported },
|
||||
#endif
|
||||
{ "fallbacktorsh", oDeprecated },
|
||||
{ "usersh", oDeprecated },
|
||||
@@ -996,6 +999,18 @@ parse_time:
|
||||
intptr = &options->gss_renewal_rekey;
|
||||
goto parse_flag;
|
||||
|
||||
+ case oGssKexAlgorithms:
|
||||
+ arg = strdelim(&s);
|
||||
+ if (!arg || *arg == '\0')
|
||||
+ fatal("%.200s line %d: Missing argument.",
|
||||
+ filename, linenum);
|
||||
+ if (!gss_kex_names_valid(arg))
|
||||
+ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
|
||||
+ filename, linenum, arg ? arg : "<NONE>");
|
||||
+ if (*activep && options->gss_kex_algorithms == NULL)
|
||||
+ options->gss_kex_algorithms = strdup(arg);
|
||||
+ break;
|
||||
+
|
||||
case oBatchMode:
|
||||
intptr = &options->batch_mode;
|
||||
goto parse_flag;
|
||||
@@ -1813,6 +1828,7 @@ initialize_options(Options * options)
|
||||
options->gss_renewal_rekey = -1;
|
||||
options->gss_client_identity = NULL;
|
||||
options->gss_server_identity = NULL;
|
||||
+ options->gss_kex_algorithms = NULL;
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->kbd_interactive_devices = NULL;
|
||||
@@ -1964,6 +1980,10 @@ fill_default_options(Options * options)
|
||||
options->gss_trust_dns = 0;
|
||||
if (options->gss_renewal_rekey == -1)
|
||||
options->gss_renewal_rekey = 0;
|
||||
+#ifdef GSSAPI
|
||||
+ if (options->gss_kex_algorithms == NULL)
|
||||
+ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
|
||||
+#endif
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
diff -up openssh-7.4p1/readconf.h.gsskexalg openssh-7.4p1/readconf.h
|
||||
--- openssh-7.4p1/readconf.h.gsskexalg 2017-02-09 10:46:50.420893129 +0100
|
||||
+++ openssh-7.4p1/readconf.h 2017-02-09 10:46:50.450893106 +0100
|
||||
@@ -51,6 +51,7 @@ typedef struct {
|
||||
int gss_renewal_rekey; /* Credential renewal forces rekey */
|
||||
char *gss_client_identity; /* Principal to initiate GSSAPI with */
|
||||
char *gss_server_identity; /* GSSAPI target principal */
|
||||
+ char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */
|
||||
int password_authentication; /* Try password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
||||
diff -up openssh-7.4p1/servconf.c.gsskexalg openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.gsskexalg 2017-02-09 10:46:50.446893109 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2017-02-09 10:57:15.784309297 +0100
|
||||
@@ -57,6 +57,7 @@
|
||||
#include "auth.h"
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
+#include "ssh-gss.h"
|
||||
|
||||
static void add_listen_addr(ServerOptions *, char *, int);
|
||||
static void add_one_listen_addr(ServerOptions *, char *, int);
|
||||
@@ -117,6 +117,7 @@ initialize_server_options(ServerOptions
|
||||
options->gss_cleanup_creds = -1;
|
||||
options->gss_strict_acceptor = -1;
|
||||
options->gss_store_rekey = -1;
|
||||
+ options->gss_kex_algorithms = NULL;
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
@@ -280,6 +281,10 @@ fill_default_server_options(ServerOption
|
||||
options->gss_strict_acceptor = 1;
|
||||
if (options->gss_store_rekey == -1)
|
||||
options->gss_store_rekey = 0;
|
||||
+#ifdef GSSAPI
|
||||
+ if (options->gss_kex_algorithms == NULL)
|
||||
+ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
|
||||
+#endif
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
@@ -422,7 +425,7 @@ typedef enum {
|
||||
sHostKeyAlgorithms,
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
||||
- sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
|
||||
+ sGssKeyEx, sGssStoreRekey, sGssKexAlgorithms, sAcceptEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
sHostCertificate,
|
||||
@@ -501,6 +504,7 @@ static struct {
|
||||
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
|
||||
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
|
||||
{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
|
||||
+ { "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
|
||||
#else
|
||||
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -508,6 +512,7 @@ static struct {
|
||||
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },
|
||||
+ { "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -1249,6 +1254,18 @@ process_server_config_line(ServerOptions
|
||||
intptr = &options->gss_store_rekey;
|
||||
goto parse_flag;
|
||||
|
||||
+ case sGssKexAlgorithms:
|
||||
+ arg = strdelim(&cp);
|
||||
+ if (!arg || *arg == '\0')
|
||||
+ fatal("%.200s line %d: Missing argument.",
|
||||
+ filename, linenum);
|
||||
+ if (!gss_kex_names_valid(arg))
|
||||
+ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
|
||||
+ filename, linenum, arg ? arg : "<NONE>");
|
||||
+ if (*activep && options->gss_kex_algorithms == NULL)
|
||||
+ options->gss_kex_algorithms = strdup(arg);
|
||||
+ break;
|
||||
+
|
||||
case sPasswordAuthentication:
|
||||
intptr = &options->password_authentication;
|
||||
goto parse_flag;
|
||||
@@ -2304,6 +2321,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
|
||||
dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
|
||||
dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
|
||||
+ dump_cfg_string(sGssKexAlgorithms, o->gss_kex_algorithms);
|
||||
#endif
|
||||
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
|
||||
dump_cfg_fmtint(sKbdInteractiveAuthentication,
|
||||
diff -up openssh-7.4p1/servconf.h.gsskexalg openssh-7.4p1/servconf.h
|
||||
--- openssh-7.4p1/servconf.h.gsskexalg 2017-02-09 10:46:50.450893106 +0100
|
||||
+++ openssh-7.4p1/servconf.h 2017-02-09 10:57:33.717292870 +0100
|
||||
@@ -116,6 +116,7 @@ typedef struct {
|
||||
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
||||
int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
|
||||
int gss_store_rekey;
|
||||
+ char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */
|
||||
int password_authentication; /* If true, permit password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* If true, permit */
|
||||
diff -up openssh-7.4p1/ssh.1.gsskexalg openssh-7.4p1/ssh.1
|
||||
--- openssh-7.4p1/ssh.1.gsskexalg 2017-02-09 10:46:50.443893111 +0100
|
||||
+++ openssh-7.4p1/ssh.1 2017-02-09 10:46:50.451893105 +0100
|
||||
@@ -517,6 +517,7 @@ For full details of the options listed b
|
||||
.It GSSAPIDelegateCredentials
|
||||
.It GSSAPIRenewalForcesRekey
|
||||
.It GSSAPITrustDns
|
||||
+.It GSSAPIKexAlgorithms
|
||||
.It HashKnownHosts
|
||||
.It Host
|
||||
.It HostbasedAuthentication
|
||||
diff -up openssh-7.4p1/ssh_config.5.gsskexalg openssh-7.4p1/ssh_config.5
|
||||
--- openssh-7.4p1/ssh_config.5.gsskexalg 2017-02-09 10:46:50.452893104 +0100
|
||||
+++ openssh-7.4p1/ssh_config.5 2017-02-09 11:00:39.053122745 +0100
|
||||
@@ -782,6 +782,18 @@ the name of the host being connected to.
|
||||
command line will be passed untouched to the GSSAPI library.
|
||||
The default is
|
||||
.Dq no .
|
||||
+.It Cm GSSAPIKexAlgorithms
|
||||
+The list of key exchange algorithms that are offered for GSSAPI
|
||||
+key exchange. Possible values are
|
||||
+.Bd -literal -offset 3n
|
||||
+gss-gex-sha1-,
|
||||
+gss-group1-sha1-,
|
||||
+gss-group14-sha1-
|
||||
+.Ed
|
||||
+.Pp
|
||||
+The default is
|
||||
+.Dq gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1- .
|
||||
+This option only applies to protocol version 2 connections using GSSAPI.
|
||||
.It Cm HashKnownHosts
|
||||
Indicates that
|
||||
.Xr ssh 1
|
||||
diff -up openssh-7.4p1/sshconnect2.c.gsskexalg openssh-7.4p1/sshconnect2.c
|
||||
--- openssh-7.4p1/sshconnect2.c.gsskexalg 2017-02-09 10:46:50.451893105 +0100
|
||||
+++ openssh-7.4p1/sshconnect2.c 2017-02-09 10:58:08.533260973 +0100
|
||||
@@ -181,7 +181,8 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
else
|
||||
gss_host = host;
|
||||
|
||||
- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
|
||||
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||
+ options.gss_client_identity, options.gss_kex_algorithms);
|
||||
if (gss) {
|
||||
debug("Offering GSSAPI proposal: %s", gss);
|
||||
xasprintf(&options.kex_algorithms,
|
||||
diff -up openssh-7.4p1/sshd_config.5.gsskexalg openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.gsskexalg 2017-02-09 10:46:50.452893104 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2017-02-09 11:01:55.141050861 +0100
|
||||
@@ -666,6 +666,18 @@ Controls whether the user's GSSAPI crede
|
||||
successful connection rekeying. This option can be used to accepted renewed
|
||||
or updated credentials from a compatible client. The default is
|
||||
.Dq no .
|
||||
+.It Cm GSSAPIKexAlgorithms
|
||||
+The list of key exchange algorithms that are accepted by GSSAPI
|
||||
+key exchange. Possible values are
|
||||
+.Bd -literal -offset 3n
|
||||
+gss-gex-sha1-,
|
||||
+gss-group1-sha1-,
|
||||
+gss-group14-sha1-
|
||||
+.Ed
|
||||
+.Pp
|
||||
+The default is
|
||||
+.Dq gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1- .
|
||||
+This option only applies to protocol version 2 connections using GSSAPI.
|
||||
.It Cm HostbasedAcceptedKeyTypes
|
||||
Specifies the key types that will be accepted for hostbased authentication
|
||||
as a comma-separated pattern list.
|
||||
diff -up openssh-7.4p1/ssh-gss.h.gsskexalg openssh-7.4p1/ssh-gss.h
|
||||
--- openssh-7.4p1/ssh-gss.h.gsskexalg 2017-02-09 10:46:50.425893125 +0100
|
||||
+++ openssh-7.4p1/ssh-gss.h 2017-02-09 10:46:50.451893105 +0100
|
||||
@@ -76,6 +76,11 @@ extern char **k5users_allowed_cmds;
|
||||
#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-"
|
||||
#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-"
|
||||
|
||||
+#define GSS_KEX_DEFAULT_KEX \
|
||||
+ KEX_GSS_GEX_SHA1_ID "," \
|
||||
+ KEX_GSS_GRP1_SHA1_ID "," \
|
||||
+ KEX_GSS_GRP14_SHA1_ID
|
||||
+
|
||||
typedef struct {
|
||||
char *filename;
|
||||
char *envvar;
|
||||
@@ -147,9 +152,9 @@ int ssh_gssapi_credentials_updated(Gssct
|
||||
/* In the server */
|
||||
typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *,
|
||||
const char *);
|
||||
-char *ssh_gssapi_client_mechanisms(const char *, const char *);
|
||||
+char *ssh_gssapi_client_mechanisms(const char *, const char *, const char *);
|
||||
char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *,
|
||||
- const char *);
|
||||
+ const char *, const char *);
|
||||
gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
|
||||
int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *,
|
||||
const char *);
|
||||
File diff suppressed because it is too large
Load diff
2314
openssh-7.4p1-hpn-14.13-modified.patch
Normal file
2314
openssh-7.4p1-hpn-14.13-modified.patch
Normal file
File diff suppressed because it is too large
Load diff
611
openssh-7.4p1-kdf-cavs.patch
Normal file
611
openssh-7.4p1-kdf-cavs.patch
Normal file
|
|
@ -0,0 +1,611 @@
|
|||
diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
|
||||
--- openssh-6.8p1/Makefile.in.kdf-cavs 2015-03-18 11:23:46.346049359 +0100
|
||||
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:24:20.395968445 +0100
|
||||
@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-h
|
||||
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
||||
SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
||||
CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
|
||||
+SSH_CAVS=$(libexecdir)/ssh-cavs
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
@@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@
|
||||
MANFMT=@MANFMT@
|
||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
||||
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
|
||||
|
||||
LIBOPENSSH_OBJS=\
|
||||
ssh_api.o \
|
||||
@@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD
|
||||
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
||||
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
|
||||
+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o
|
||||
+ $(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@@ -331,6 +335,8 @@ install-files:
|
||||
fi
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
|
||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT)
|
||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs_driver.pl $(DESTDIR)$(libexecdir)/ssh-cavs_driver.pl
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
|
||||
--- openssh-6.8p1/ssh-cavs.c.kdf-cavs 2015-03-18 11:23:46.348049354 +0100
|
||||
+++ openssh-6.8p1/ssh-cavs.c 2015-03-18 11:23:46.348049354 +0100
|
||||
@@ -0,0 +1,380 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, and the entire permission notice in its entirety,
|
||||
+ * including the disclaimer of warranties.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ * 3. The name of the author may not be used to endorse or promote
|
||||
+ * products derived from this software without specific prior
|
||||
+ * written permission.
|
||||
+ *
|
||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
||||
+ * the GNU General Public License, in which case the provisions of the GPL2
|
||||
+ * are required INSTEAD OF the above restrictions. (This clause is
|
||||
+ * necessary due to a potential bad interaction between the GPL and
|
||||
+ * the restrictions contained in a BSD-style copyright.)
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
|
||||
+ * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
|
||||
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
|
||||
+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
|
||||
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
||||
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
|
||||
+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
|
||||
+ * DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+#include "includes.h"
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <errno.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <string.h>
|
||||
+
|
||||
+#include <openssl/bn.h>
|
||||
+
|
||||
+#include "xmalloc.h"
|
||||
+#include "buffer.h"
|
||||
+#include "key.h"
|
||||
+#include "cipher.h"
|
||||
+#include "kex.h"
|
||||
+#include "packet.h"
|
||||
+
|
||||
+static int bin_char(unsigned char hex)
|
||||
+{
|
||||
+ if (48 <= hex && 57 >= hex)
|
||||
+ return (hex - 48);
|
||||
+ if (65 <= hex && 70 >= hex)
|
||||
+ return (hex - 55);
|
||||
+ if (97 <= hex && 102 >= hex)
|
||||
+ return (hex - 87);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Convert hex representation into binary string
|
||||
+ * @hex input buffer with hex representation
|
||||
+ * @hexlen length of hex
|
||||
+ * @bin output buffer with binary data
|
||||
+ * @binlen length of already allocated bin buffer (should be at least
|
||||
+ * half of hexlen -- if not, only a fraction of hexlen is converted)
|
||||
+ */
|
||||
+static void hex2bin(const char *hex, size_t hexlen,
|
||||
+ unsigned char *bin, size_t binlen)
|
||||
+{
|
||||
+ size_t i = 0;
|
||||
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
|
||||
+
|
||||
+ for (i = 0; i < chars; i++) {
|
||||
+ bin[i] = bin_char(hex[(i*2)]) << 4;
|
||||
+ bin[i] |= bin_char(hex[((i*2)+1)]);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Allocate sufficient space for binary representation of hex
|
||||
+ * and convert hex into bin
|
||||
+ *
|
||||
+ * Caller must free bin
|
||||
+ * @hex input buffer with hex representation
|
||||
+ * @hexlen length of hex
|
||||
+ * @bin return value holding the pointer to the newly allocated buffer
|
||||
+ * @binlen return value holding the allocated size of bin
|
||||
+ *
|
||||
+ * return: 0 on success, !0 otherwise
|
||||
+ */
|
||||
+static int hex2bin_alloc(const char *hex, size_t hexlen,
|
||||
+ unsigned char **bin, size_t *binlen)
|
||||
+{
|
||||
+ unsigned char *out = NULL;
|
||||
+ size_t outlen = 0;
|
||||
+
|
||||
+ if (!hexlen)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ outlen = (hexlen + 1) / 2;
|
||||
+
|
||||
+ out = calloc(1, outlen);
|
||||
+ if (!out)
|
||||
+ return -errno;
|
||||
+
|
||||
+ hex2bin(hex, hexlen, out, outlen);
|
||||
+ *bin = out;
|
||||
+ *binlen = outlen;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static char hex_char_map_l[] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
||||
+ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
|
||||
+static char hex_char_map_u[] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
||||
+ '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
|
||||
+static char hex_char(unsigned int bin, int u)
|
||||
+{
|
||||
+ if (bin < sizeof(hex_char_map_l))
|
||||
+ return (u) ? hex_char_map_u[bin] : hex_char_map_l[bin];
|
||||
+ return 'X';
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Convert binary string into hex representation
|
||||
+ * @bin input buffer with binary data
|
||||
+ * @binlen length of bin
|
||||
+ * @hex output buffer to store hex data
|
||||
+ * @hexlen length of already allocated hex buffer (should be at least
|
||||
+ * twice binlen -- if not, only a fraction of binlen is converted)
|
||||
+ * @u case of hex characters (0=>lower case, 1=>upper case)
|
||||
+ */
|
||||
+static void bin2hex(const unsigned char *bin, size_t binlen,
|
||||
+ char *hex, size_t hexlen, int u)
|
||||
+{
|
||||
+ size_t i = 0;
|
||||
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
|
||||
+
|
||||
+ for (i = 0; i < chars; i++) {
|
||||
+ hex[(i*2)] = hex_char((bin[i] >> 4), u);
|
||||
+ hex[((i*2)+1)] = hex_char((bin[i] & 0x0f), u);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+struct kdf_cavs {
|
||||
+ unsigned char *K;
|
||||
+ size_t Klen;
|
||||
+ unsigned char *H;
|
||||
+ size_t Hlen;
|
||||
+ unsigned char *session_id;
|
||||
+ size_t session_id_len;
|
||||
+
|
||||
+ unsigned int iv_len;
|
||||
+ unsigned int ek_len;
|
||||
+ unsigned int ik_len;
|
||||
+};
|
||||
+
|
||||
+static int sshkdf_cavs(struct kdf_cavs *test)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ struct kex kex;
|
||||
+ BIGNUM *Kbn = NULL;
|
||||
+ int mode = 0;
|
||||
+ struct newkeys *ctoskeys;
|
||||
+ struct newkeys *stockeys;
|
||||
+ struct ssh *ssh = NULL;
|
||||
+
|
||||
+#define HEXOUTLEN 500
|
||||
+ char hex[HEXOUTLEN];
|
||||
+
|
||||
+ memset(&kex, 0, sizeof(struct kex));
|
||||
+
|
||||
+ Kbn = BN_new();
|
||||
+ BN_bin2bn(test->K, test->Klen, Kbn);
|
||||
+ if (!Kbn) {
|
||||
+ printf("cannot convert K into BIGNUM\n");
|
||||
+ ret = 1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ kex.session_id = test->session_id;
|
||||
+ kex.session_id_len = test->session_id_len;
|
||||
+
|
||||
+ /* setup kex */
|
||||
+
|
||||
+ /* select the right hash based on struct ssh_digest digests */
|
||||
+ switch (test->ik_len) {
|
||||
+ case 20:
|
||||
+ kex.hash_alg = 2;
|
||||
+ break;
|
||||
+ case 32:
|
||||
+ kex.hash_alg = 3;
|
||||
+ break;
|
||||
+ case 48:
|
||||
+ kex.hash_alg = 4;
|
||||
+ break;
|
||||
+ case 64:
|
||||
+ kex.hash_alg = 5;
|
||||
+ break;
|
||||
+ default:
|
||||
+ printf("Wrong hash type %u\n", test->ik_len);
|
||||
+ ret = 1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ /* implement choose_enc */
|
||||
+ for (mode = 0; mode < 2; mode++) {
|
||||
+ kex.newkeys[mode] = calloc(1, sizeof(struct newkeys));
|
||||
+ if (!kex.newkeys[mode]) {
|
||||
+ printf("allocation of newkeys failed\n");
|
||||
+ ret = 1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ kex.newkeys[mode]->enc.iv_len = test->iv_len;
|
||||
+ kex.newkeys[mode]->enc.key_len = test->ek_len;
|
||||
+ kex.newkeys[mode]->enc.block_size = (test->iv_len == 64) ? 8 : 16;
|
||||
+ kex.newkeys[mode]->mac.key_len = test->ik_len;
|
||||
+ }
|
||||
+
|
||||
+ /* implement kex_choose_conf */
|
||||
+ kex.we_need = kex.newkeys[0]->enc.key_len;
|
||||
+ if (kex.we_need < kex.newkeys[0]->enc.block_size)
|
||||
+ kex.we_need = kex.newkeys[0]->enc.block_size;
|
||||
+ if (kex.we_need < kex.newkeys[0]->enc.iv_len)
|
||||
+ kex.we_need = kex.newkeys[0]->enc.iv_len;
|
||||
+ if (kex.we_need < kex.newkeys[0]->mac.key_len)
|
||||
+ kex.we_need = kex.newkeys[0]->mac.key_len;
|
||||
+
|
||||
+ /* MODE_OUT (1) -> server to client
|
||||
+ * MODE_IN (0) -> client to server */
|
||||
+ kex.server = 1;
|
||||
+
|
||||
+ /* do it */
|
||||
+ if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL){
|
||||
+ printf("Allocation error\n");
|
||||
+ goto out;
|
||||
+ }
|
||||
+ ssh->kex = &kex;
|
||||
+ kex_derive_keys_bn(ssh, test->H, test->Hlen, Kbn);
|
||||
+
|
||||
+ ctoskeys = kex.newkeys[0];
|
||||
+ stockeys = kex.newkeys[1];
|
||||
+
|
||||
+ /* get data */
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(ctoskeys->enc.iv, (size_t)ctoskeys->enc.iv_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Initial IV (client to server) = %s\n", hex);
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(stockeys->enc.iv, (size_t)stockeys->enc.iv_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Initial IV (server to client) = %s\n", hex);
|
||||
+
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(ctoskeys->enc.key, (size_t)ctoskeys->enc.key_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Encryption key (client to server) = %s\n", hex);
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(stockeys->enc.key, (size_t)stockeys->enc.key_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Encryption key (server to client) = %s\n", hex);
|
||||
+
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(ctoskeys->mac.key, (size_t)ctoskeys->mac.key_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Integrity key (client to server) = %s\n", hex);
|
||||
+ memset(hex, 0, HEXOUTLEN);
|
||||
+ bin2hex(stockeys->mac.key, (size_t)stockeys->mac.key_len,
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Integrity key (server to client) = %s\n", hex);
|
||||
+
|
||||
+out:
|
||||
+ if (Kbn)
|
||||
+ BN_free(Kbn);
|
||||
+ if (kex.newkeys[0])
|
||||
+ free(kex.newkeys[0]);
|
||||
+ if (kex.newkeys[1])
|
||||
+ free(kex.newkeys[1]);
|
||||
+ if (ssh)
|
||||
+ ssh_packet_close(ssh);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static void usage(void)
|
||||
+{
|
||||
+ fprintf(stderr, "\nOpenSSH KDF CAVS Test\n\n");
|
||||
+ fprintf(stderr, "Usage:\n");
|
||||
+ fprintf(stderr, "\t-K\tShared secret string\n");
|
||||
+ fprintf(stderr, "\t-H\tHash string\n");
|
||||
+ fprintf(stderr, "\t-s\tSession ID string\n");
|
||||
+ fprintf(stderr, "\t-i\tIV length to be generated\n");
|
||||
+ fprintf(stderr, "\t-e\tEncryption key length to be generated\n");
|
||||
+ fprintf(stderr, "\t-m\tMAC key length to be generated\n");
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Test command example:
|
||||
+ * ./ssh-cavs -K 0055d50f2d163cc07cd8a93cc7c3430c30ce786b572c01ad29fec7597000cf8618d664e2ec3dcbc8bb7a1a7eb7ef67f61cdaf291625da879186ac0a5cb27af571b59612d6a6e0627344d846271959fda61c78354aa498773d59762f8ca2d0215ec590d8633de921f920d41e47b3de6ab9a3d0869e1c826d0e4adebf8e3fb646a15dea20a410b44e969f4b791ed6a67f13f1b74234004d5fa5e87eff7abc32d49bbdf44d7b0107e8f10609233b7e2b7eff74a4daf25641de7553975dac6ac1e5117df6f6dbaa1c263d23a6c3e5a3d7d49ae8a828c1e333ac3f85fbbf57b5c1a45be45e43a7be1a4707eac779b8285522d1f531fe23f890fd38a004339932b93eda4 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
|
||||
+ *
|
||||
+ * Initial IV (client to server) = 4bb320d1679dfd3a
|
||||
+ * Initial IV (server to client) = 43dea6fdf263a308
|
||||
+ * Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
|
||||
+ * Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
|
||||
+ * Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
|
||||
+ * Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
|
||||
+ */
|
||||
+int main(int argc, char *argv[])
|
||||
+{
|
||||
+ struct kdf_cavs test;
|
||||
+ int ret = 1;
|
||||
+ int opt = 0;
|
||||
+
|
||||
+ memset(&test, 0, sizeof(struct kdf_cavs));
|
||||
+ while((opt = getopt(argc, argv, "K:H:s:i:e:m:")) != -1)
|
||||
+ {
|
||||
+ size_t len = 0;
|
||||
+ switch(opt)
|
||||
+ {
|
||||
+ /*
|
||||
+ * CAVS K is MPINT
|
||||
+ * we want a hex (i.e. the caller must ensure the
|
||||
+ * following transformations already happened):
|
||||
+ * 1. cut off first four bytes
|
||||
+ * 2. if most significant bit of value is
|
||||
+ * 1, prepend 0 byte
|
||||
+ */
|
||||
+ case 'K':
|
||||
+ len = strlen(optarg);
|
||||
+ ret = hex2bin_alloc(optarg, len,
|
||||
+ &test.K, &test.Klen);
|
||||
+ if (ret)
|
||||
+ goto out;
|
||||
+ break;
|
||||
+ case 'H':
|
||||
+ len = strlen(optarg);
|
||||
+ ret = hex2bin_alloc(optarg, len,
|
||||
+ &test.H, &test.Hlen);
|
||||
+ if (ret)
|
||||
+ goto out;
|
||||
+ break;
|
||||
+ case 's':
|
||||
+ len = strlen(optarg);
|
||||
+ ret = hex2bin_alloc(optarg, len,
|
||||
+ &test.session_id,
|
||||
+ &test.session_id_len);
|
||||
+ if (ret)
|
||||
+ goto out;
|
||||
+ break;
|
||||
+ case 'i':
|
||||
+ test.iv_len = strtoul(optarg, NULL, 10);
|
||||
+ break;
|
||||
+ case 'e':
|
||||
+ test.ek_len = strtoul(optarg, NULL, 10);
|
||||
+ break;
|
||||
+ case 'm':
|
||||
+ test.ik_len = strtoul(optarg, NULL, 10);
|
||||
+ break;
|
||||
+ default:
|
||||
+ usage();
|
||||
+ goto out;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ ret = sshkdf_cavs(&test);
|
||||
+
|
||||
+out:
|
||||
+ if (test.session_id)
|
||||
+ free(test.session_id);
|
||||
+ if (test.K)
|
||||
+ free(test.K);
|
||||
+ if (test.H)
|
||||
+ free(test.H);
|
||||
+ return ret;
|
||||
+
|
||||
+}
|
||||
diff -up openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs openssh-6.8p1/ssh-cavs_driver.pl
|
||||
--- openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs 2015-03-18 11:23:46.348049354 +0100
|
||||
+++ openssh-6.8p1/ssh-cavs_driver.pl 2015-03-18 11:23:46.348049354 +0100
|
||||
@@ -0,0 +1,184 @@
|
||||
+#!/usr/bin/env perl
|
||||
+#
|
||||
+# CAVS test driver for OpenSSH
|
||||
+#
|
||||
+# Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
|
||||
+#
|
||||
+# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
+# of this software and associated documentation files (the "Software"), to deal
|
||||
+# in the Software without restriction, including without limitation the rights
|
||||
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
+# copies of the Software, and to permit persons to whom the Software is
|
||||
+# furnished to do so, subject to the following conditions:
|
||||
+#
|
||||
+# The above copyright notice and this permission notice shall be included in
|
||||
+# all copies or substantial portions of the Software.
|
||||
+#
|
||||
+# NO WARRANTY
|
||||
+#
|
||||
+# BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
||||
+# FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
||||
+# OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
||||
+# PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
||||
+# OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
||||
+# TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
||||
+# PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
||||
+# REPAIR OR CORRECTION.
|
||||
+#
|
||||
+# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||
+# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
||||
+# REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
||||
+# INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
||||
+# OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
||||
+# TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
||||
+# YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
||||
+# PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
||||
+# POSSIBILITY OF SUCH DAMAGES.
|
||||
+#
|
||||
+use strict;
|
||||
+use warnings;
|
||||
+use IPC::Open2;
|
||||
+
|
||||
+# Executing a program by feeding STDIN and retrieving
|
||||
+# STDOUT
|
||||
+# $1: data string to be piped to the app on STDIN
|
||||
+# rest: program and args
|
||||
+# returns: STDOUT of program as string
|
||||
+sub pipe_through_program($@) {
|
||||
+ my $in = shift;
|
||||
+ my @args = @_;
|
||||
+
|
||||
+ my ($CO, $CI);
|
||||
+ my $pid = open2($CO, $CI, @args);
|
||||
+
|
||||
+ my $out = "";
|
||||
+ my $len = length($in);
|
||||
+ my $first = 1;
|
||||
+ while (1) {
|
||||
+ my $rin = "";
|
||||
+ my $win = "";
|
||||
+ # Output of prog is FD that we read
|
||||
+ vec($rin,fileno($CO),1) = 1;
|
||||
+ # Input of prog is FD that we write
|
||||
+ # check for $first is needed because we can have NULL input
|
||||
+ # that is to be written to the app
|
||||
+ if ( $len > 0 || $first) {
|
||||
+ (vec($win,fileno($CI),1) = 1);
|
||||
+ $first=0;
|
||||
+ }
|
||||
+ # Let us wait for 100ms
|
||||
+ my $nfound = select(my $rout=$rin, my $wout=$win, undef, 0.1);
|
||||
+ if ( $wout ) {
|
||||
+ my $written = syswrite($CI, $in, $len);
|
||||
+ die "broken pipe" if !defined $written;
|
||||
+ $len -= $written;
|
||||
+ substr($in, 0, $written) = "";
|
||||
+ if ($len <= 0) {
|
||||
+ close $CI or die "broken pipe: $!";
|
||||
+ }
|
||||
+ }
|
||||
+ if ( $rout ) {
|
||||
+ my $tmp_out = "";
|
||||
+ my $bytes_read = sysread($CO, $tmp_out, 4096);
|
||||
+ $out .= $tmp_out;
|
||||
+ last if ($bytes_read == 0);
|
||||
+ }
|
||||
+ }
|
||||
+ close $CO or die "broken pipe: $!";
|
||||
+ waitpid $pid, 0;
|
||||
+
|
||||
+ return $out;
|
||||
+}
|
||||
+
|
||||
+# Parser of CAVS test vector file
|
||||
+# $1: Test vector file
|
||||
+# $2: Output file for test results
|
||||
+# return: nothing
|
||||
+sub parse($$) {
|
||||
+ my $infile = shift;
|
||||
+ my $outfile = shift;
|
||||
+
|
||||
+ my $out = "";
|
||||
+
|
||||
+ my $K = "";
|
||||
+ my $H = "";
|
||||
+ my $session_id = "";
|
||||
+ my $ivlen = 0;
|
||||
+ my $eklen = "";
|
||||
+ my $iklen = "";
|
||||
+
|
||||
+ open(IN, "<$infile");
|
||||
+ while(<IN>) {
|
||||
+
|
||||
+ my $line = $_;
|
||||
+ chomp($line);
|
||||
+ $line =~ s/\r//;
|
||||
+
|
||||
+ if ($line =~ /\[SHA-1\]/) {
|
||||
+ $iklen = 20;
|
||||
+ } elsif ($line =~ /\[SHA-256\]/) {
|
||||
+ $iklen = 32;
|
||||
+ } elsif ($line =~ /\[SHA-384\]/) {
|
||||
+ $iklen = 48;
|
||||
+ } elsif ($line =~ /\[SHA-512\]/) {
|
||||
+ $iklen = 64;
|
||||
+ } elsif ($line =~ /^\[IV length\s*=\s*(.*)\]/) {
|
||||
+ $ivlen = $1;
|
||||
+ $ivlen = $ivlen / 8;
|
||||
+ } elsif ($line =~ /^\[encryption key length\s*=\s*(.*)\]/) {
|
||||
+ $eklen = $1;
|
||||
+ $eklen = $eklen / 8;
|
||||
+ } elsif ($line =~ /^K\s*=\s*(.*)/) {
|
||||
+ $K = $1;
|
||||
+ $K = substr($K, 8);
|
||||
+ $K = "00" . $K;
|
||||
+ } elsif ($line =~ /^H\s*=\s*(.*)/) {
|
||||
+ $H = $1;
|
||||
+ } elsif ($line =~ /^session_id\s*=\s*(.*)/) {
|
||||
+ $session_id = $1;
|
||||
+ }
|
||||
+ $out .= $line . "\n";
|
||||
+
|
||||
+ if ($K ne "" && $H ne "" && $session_id ne "" &&
|
||||
+ $ivlen ne "" && $eklen ne "" && $iklen > 0) {
|
||||
+ $out .= pipe_through_program("", "./ssh-cavs -H $H -K $K -s $session_id -i $ivlen -e $eklen -m $iklen");
|
||||
+
|
||||
+ $K = "";
|
||||
+ $H = "";
|
||||
+ $session_id = "";
|
||||
+ }
|
||||
+ }
|
||||
+ close IN;
|
||||
+ $out =~ s/\n/\r\n/g; # make it a dos file
|
||||
+ open(OUT, ">$outfile") or die "Cannot create output file $outfile: $?";
|
||||
+ print OUT $out;
|
||||
+ close OUT;
|
||||
+}
|
||||
+
|
||||
+############################################################
|
||||
+#
|
||||
+# let us pretend to be C :-)
|
||||
+sub main() {
|
||||
+
|
||||
+ my $infile=$ARGV[0];
|
||||
+ die "Error: Test vector file $infile not found" if (! -f $infile);
|
||||
+
|
||||
+ my $outfile = $infile;
|
||||
+ # let us add .rsp regardless whether we could strip .req
|
||||
+ $outfile =~ s/\.req$//;
|
||||
+ $outfile .= ".rsp";
|
||||
+ if (-f $outfile) {
|
||||
+ die "Output file $outfile could not be removed: $?"
|
||||
+ unless unlink($outfile);
|
||||
+ }
|
||||
+ print STDERR "Performing tests from source file $infile with results stored in destination file $outfile\n";
|
||||
+
|
||||
+ # Do the job
|
||||
+ parse($infile, $outfile);
|
||||
+}
|
||||
+
|
||||
+###########################################
|
||||
+# Call it
|
||||
+main();
|
||||
+1;
|
||||
288
openssh-7.4p1-kuserok.patch
Normal file
288
openssh-7.4p1-kuserok.patch
Normal file
|
|
@ -0,0 +1,288 @@
|
|||
diff -up openssh-7.4p1/auth-krb5.c.kuserok openssh-7.4p1/auth-krb5.c
|
||||
--- openssh-7.4p1/auth-krb5.c.kuserok 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/auth-krb5.c 2017-02-09 09:20:00.958084311 +0100
|
||||
@@ -54,6 +54,21 @@
|
||||
|
||||
extern ServerOptions options;
|
||||
|
||||
+int
|
||||
+ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client,
|
||||
+ int k5login_exists)
|
||||
+{
|
||||
+ if (options.use_kuserok || !k5login_exists)
|
||||
+ return krb5_kuserok(krb5_ctx, krb5_user, client);
|
||||
+ else {
|
||||
+ char kuser[65];
|
||||
+
|
||||
+ if (krb5_aname_to_localname(krb5_ctx, krb5_user, sizeof(kuser), kuser))
|
||||
+ return 0;
|
||||
+ return strcmp(kuser, client) == 0;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static int
|
||||
krb5_init(void *context)
|
||||
{
|
||||
@@ -157,8 +172,9 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
if (problem)
|
||||
goto out;
|
||||
|
||||
- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
|
||||
- authctxt->pw->pw_name)) {
|
||||
+ /* Use !options.use_kuserok here to make ssh_krb5_kuserok() not
|
||||
+ * depend on the existance of .k5login */
|
||||
+ if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, authctxt->pw->pw_name, !options.use_kuserok)) {
|
||||
problem = -1;
|
||||
goto out;
|
||||
}
|
||||
diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c
|
||||
--- openssh-7.4p1/gss-serv-krb5.c.kuserok 2017-02-09 09:20:00.955084317 +0100
|
||||
+++ openssh-7.4p1/gss-serv-krb5.c 2017-02-09 09:20:00.958084311 +0100
|
||||
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
|
||||
int);
|
||||
|
||||
static krb5_context krb_context = NULL;
|
||||
+extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *, int);
|
||||
|
||||
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
|
||||
|
||||
@@ -92,6 +93,103 @@ ssh_gssapi_krb5_init(void)
|
||||
* Returns true if the user is OK to log in, otherwise returns 0
|
||||
*/
|
||||
|
||||
+/* The purpose of the function is to find out if a Kerberos principal is
|
||||
+ * allowed to log in as the given local user. This is a general problem with
|
||||
+ * Kerberized services because by design the Kerberos principals are
|
||||
+ * completely independent from the local user names. This is one of the
|
||||
+ * reasons why Kerberos is working well on different operating systems like
|
||||
+ * Windows and UNIX/Linux. Nevertheless a relationship between a Kerberos
|
||||
+ * principal and a local user name must be established because otherwise every
|
||||
+ * access would be granted for every principal with a valid ticket.
|
||||
+ *
|
||||
+ * Since it is a general issue libkrb5 provides some functions for
|
||||
+ * applications to find out about the relationship between the Kerberos
|
||||
+ * principal and a local user name. They are krb5_kuserok() and
|
||||
+ * krb5_aname_to_localname().
|
||||
+ *
|
||||
+ * krb5_kuserok() can be used to "Determine if a principal is authorized to
|
||||
+ * log in as a local user" (from the MIT Kerberos documentation of this
|
||||
+ * function). Which is exactly what we are looking for and should be the
|
||||
+ * preferred choice. It accepts the Kerberos principal and a local user name
|
||||
+ * and let libkrb5 or its plugins determine if they relate to each other or
|
||||
+ * not.
|
||||
+ *
|
||||
+ * krb5_aname_to_localname() can use used to "Convert a principal name to a
|
||||
+ * local name" (from the MIT Kerberos documentation of this function). It
|
||||
+ * accepts a Kerberos principle and returns a local name and it is up to the
|
||||
+ * application to do any additional checks. There are two issues using
|
||||
+ * krb5_aname_to_localname(). First, since POSIX user names are case
|
||||
+ * sensitive, the calling application in general has no other choice than
|
||||
+ * doing a case-sensitive string comparison between the name returned by
|
||||
+ * krb5_aname_to_localname() and the name used at the login prompt. When the
|
||||
+ * users are provided by a case in-sensitive server, e.g. Active Directory,
|
||||
+ * this might lead to login failures because the user typing the name at the
|
||||
+ * login prompt might not be aware of the right case. Another issue might be
|
||||
+ * caused if there are multiple alias names available for a single user. E.g.
|
||||
+ * the canonical name of a user is user@group.department.example.com but there
|
||||
+ * exists a shorter login name, e.g. user@example.com, to safe typing at the
|
||||
+ * login prompt. Here krb5_aname_to_localname() can only return the canonical
|
||||
+ * name, but if the short alias is used at the login prompt authentication
|
||||
+ * will fail as well. All this can be avoided by using krb5_kuserok() and
|
||||
+ * configuring krb5.conf or using a suitable plugin to meet the needs of the
|
||||
+ * given environment.
|
||||
+ *
|
||||
+ * The Fedora and RHEL version of openssh contain two patches which modify the
|
||||
+ * access control behavior:
|
||||
+ * - openssh-6.6p1-kuserok.patch
|
||||
+ * - openssh-6.6p1-force_krb.patch
|
||||
+ *
|
||||
+ * openssh-6.6p1-kuserok.patch adds a new option KerberosUseKuserok for
|
||||
+ * sshd_config which controls if krb5_kuserok() is used to check if the
|
||||
+ * principle is authorized or if krb5_aname_to_localname() should be used.
|
||||
+ * The reason to add this patch was that krb5_kuserok() by default checks if
|
||||
+ * a .k5login file exits in the users home-directory. With this the user can
|
||||
+ * give access to his account for any given principal which might be
|
||||
+ * in violation with company policies and it would be useful if this can be
|
||||
+ * rejected. Nevertheless the patch ignores the fact that krb5_kuserok() does
|
||||
+ * no only check .k5login but other sources as well and checking .k5login can
|
||||
+ * be disabled for all applications in krb5.conf as well. With this new
|
||||
+ * option KerberosUseKuserok set to 'no' (and this is the default for RHEL7
|
||||
+ * and Fedora 21) openssh can only use krb5_aname_to_localname() with the
|
||||
+ * restrictions mentioned above.
|
||||
+ *
|
||||
+ * openssh-6.6p1-force_krb.patch adds a ksu like behaviour to ssh, i.e. when
|
||||
+ * using GSSAPI authentication only commands configured in the .k5user can be
|
||||
+ * executed. Here the wrong assumption that krb5_kuserok() only checks
|
||||
+ * .k5login is made as well. In contrast ksu checks .k5login directly and
|
||||
+ * does not use krb5_kuserok() which might be more useful for the given
|
||||
+ * purpose. Additionally this patch is not synced with
|
||||
+ * openssh-6.6p1-kuserok.patch.
|
||||
+ *
|
||||
+ * The current patch tries to restore the usage of krb5_kuserok() so that e.g.
|
||||
+ * localauth plugins can be used. It does so by adding a forth parameter to
|
||||
+ * ssh_krb5_kuserok() which indicates whether .k5login exists or not. If it
|
||||
+ * does not exists krb5_kuserok() is called even if KerberosUseKuserok is set
|
||||
+ * to 'no' because the intent of the option is to not check .k5login and if it
|
||||
+ * does not exists krb5_kuserok() returns a result without checking .k5login.
|
||||
+ * If .k5login does exists and KerberosUseKuserok is 'no' we fall back to
|
||||
+ * krb5_aname_to_localname(). This is in my point of view an acceptable
|
||||
+ * limitation and does not break the current behaviour.
|
||||
+ *
|
||||
+ * Additionally with this patch ssh_krb5_kuserok() is called in
|
||||
+ * ssh_gssapi_krb5_cmdok() instead of only krb5_aname_to_localname() is
|
||||
+ * neither .k5login nor .k5users exists to allow plugin evaluation via
|
||||
+ * krb5_kuserok() as well.
|
||||
+ *
|
||||
+ * I tried to keep the patch as minimal as possible, nevertheless I see some
|
||||
+ * areas for improvement which, if they make sense, have to be evaluated
|
||||
+ * carefully because they might change existing behaviour and cause breaks
|
||||
+ * during upgrade:
|
||||
+ * - I wonder if disabling .k5login usage make sense in sshd or if it should
|
||||
+ * be better disabled globally in krb5.conf
|
||||
+ * - if really needed openssh-6.6p1-kuserok.patch should be fixed to really
|
||||
+ * only disable checking .k5login and maybe .k5users
|
||||
+ * - the ksu behaviour should be configurable and maybe check the .k5login and
|
||||
+ * .k5users files directly like ksu itself does
|
||||
+ * - to make krb5_aname_to_localname() more useful an option for sshd to use
|
||||
+ * the canonical name (the one returned by getpwnam()) instead of the name
|
||||
+ * given at the login prompt might be useful */
|
||||
+
|
||||
static int
|
||||
ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
|
||||
{
|
||||
@@ -116,7 +214,8 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
|
||||
/* NOTE: .k5login and .k5users must opened as root, not the user,
|
||||
* because if they are on a krb5-protected filesystem, user credentials
|
||||
* to access these files aren't available yet. */
|
||||
- if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
|
||||
+ if (ssh_krb5_kuserok(krb_context, princ, name, k5login_exists)
|
||||
+ && k5login_exists) {
|
||||
retval = 1;
|
||||
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
|
||||
name, (char *)client->displayname.value);
|
||||
@@ -171,9 +270,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||
snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
|
||||
/* If both .k5login and .k5users DNE, self-login is ok. */
|
||||
if (!k5login_exists && (access(file, F_OK) == -1)) {
|
||||
- return (krb5_aname_to_localname(krb_context, principal,
|
||||
- sizeof(kuser), kuser) == 0) &&
|
||||
- (strcmp(kuser, luser) == 0);
|
||||
+ return ssh_krb5_kuserok(krb_context, principal, luser,
|
||||
+ k5login_exists);
|
||||
}
|
||||
if ((fp = fopen(file, "r")) == NULL) {
|
||||
int saved_errno = errno;
|
||||
diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.kuserok 2017-02-09 09:20:00.951084326 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2017-02-09 09:21:29.802896034 +0100
|
||||
@@ -165,6 +165,7 @@ initialize_server_options(ServerOptions
|
||||
options->ip_qos_interactive = -1;
|
||||
options->ip_qos_bulk = -1;
|
||||
options->version_addendum = NULL;
|
||||
+ options->use_kuserok = -1;
|
||||
options->fingerprint_hash = -1;
|
||||
options->disable_forwarding = -1;
|
||||
}
|
||||
@@ -334,6 +335,8 @@ fill_default_server_options(ServerOption
|
||||
options->version_addendum = xstrdup("");
|
||||
if (options->show_patchlevel == -1)
|
||||
options->show_patchlevel = 0;
|
||||
+ if (options->use_kuserok == -1)
|
||||
+ options->use_kuserok = 1;
|
||||
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
|
||||
options->fwd_opts.streamlocal_bind_mask = 0177;
|
||||
if (options->fwd_opts.streamlocal_bind_unlink == -1)
|
||||
@@ -399,7 +402,7 @@ typedef enum {
|
||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||
- sKerberosGetAFSToken,
|
||||
+ sKerberosGetAFSToken, sKerberosUseKuserok,
|
||||
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||
sListenAddress, sAddressFamily,
|
||||
@@ -478,11 +481,13 @@ static struct {
|
||||
#else
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
+ { "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
|
||||
#else
|
||||
{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
|
||||
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
+ { "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
|
||||
#endif
|
||||
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
|
||||
*activep = value;
|
||||
break;
|
||||
|
||||
+ case sKerberosUseKuserok:
|
||||
+ intptr = &options->use_kuserok;
|
||||
+ goto parse_flag;
|
||||
+
|
||||
case sPermitOpen:
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
@@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(client_alive_interval);
|
||||
M_CP_INTOPT(ip_qos_interactive);
|
||||
M_CP_INTOPT(ip_qos_bulk);
|
||||
+ M_CP_INTOPT(use_kuserok);
|
||||
M_CP_INTOPT(rekey_limit);
|
||||
M_CP_INTOPT(rekey_interval);
|
||||
|
||||
@@ -2308,6 +2318,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
|
||||
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
||||
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
|
||||
|
||||
/* string arguments */
|
||||
diff -up openssh-7.4p1/servconf.h.kuserok openssh-7.4p1/servconf.h
|
||||
--- openssh-7.4p1/servconf.h.kuserok 2017-02-09 09:20:00.951084326 +0100
|
||||
+++ openssh-7.4p1/servconf.h 2017-02-09 09:20:00.959084309 +0100
|
||||
@@ -174,6 +174,7 @@ typedef struct {
|
||||
|
||||
int num_permitted_opens;
|
||||
|
||||
+ int use_kuserok;
|
||||
char *chroot_directory;
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.kuserok 2017-02-09 09:20:00.959084309 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2017-02-09 09:22:33.517761012 +0100
|
||||
@@ -846,6 +846,10 @@ Specifies whether to automatically destr
|
||||
file on logout.
|
||||
The default is
|
||||
.Cm yes .
|
||||
+.It Cm KerberosUseKuserok
|
||||
+Specifies whether to look at .k5login file for user's aliases.
|
||||
+The default is
|
||||
+.Cm yes .
|
||||
.It Cm KexAlgorithms
|
||||
Specifies the available KEX (Key Exchange) algorithms.
|
||||
Multiple algorithms must be comma-separated.
|
||||
@@ -1074,6 +1078,7 @@ Available keywords are
|
||||
.Cm IPQoS ,
|
||||
.Cm KbdInteractiveAuthentication ,
|
||||
.Cm KerberosAuthentication ,
|
||||
+.Cm KerberosUseKuserok ,
|
||||
.Cm MaxAuthTries ,
|
||||
.Cm MaxSessions ,
|
||||
.Cm PasswordAuthentication ,
|
||||
diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config
|
||||
--- openssh-7.4p1/sshd_config.kuserok 2017-02-09 09:20:00.953084322 +0100
|
||||
+++ openssh-7.4p1/sshd_config 2017-02-09 09:20:00.959084309 +0100
|
||||
@@ -73,6 +73,7 @@ ChallengeResponseAuthentication no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
#KerberosGetAFSToken no
|
||||
+#KerberosUseKuserok yes
|
||||
|
||||
# GSSAPI options
|
||||
GSSAPIAuthentication yes
|
||||
263
openssh-7.4p1-legacy-algorithms.patch
Normal file
263
openssh-7.4p1-legacy-algorithms.patch
Normal file
|
|
@ -0,0 +1,263 @@
|
|||
diff -up openssh-7.4p1/dh.h.legacy openssh-7.4p1/dh.h
|
||||
--- openssh-7.4p1/dh.h.legacy 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/dh.h 2017-03-02 17:00:37.640695985 +0100
|
||||
@@ -50,7 +50,7 @@ u_int dh_estimate(int);
|
||||
* Max value from RFC4419.
|
||||
* Miniumum increased in light of DH precomputation attacks.
|
||||
*/
|
||||
-#define DH_GRP_MIN 2048
|
||||
+#define DH_GRP_MIN 1024
|
||||
#define DH_GRP_MAX 8192
|
||||
|
||||
/*
|
||||
diff -up openssh-7.4p1/moduli.legacy openssh-7.4p1/moduli
|
||||
--- openssh-7.4p1/moduli.legacy 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/moduli 2017-03-02 17:00:37.642695983 +0100
|
||||
@@ -1,5 +1,83 @@
|
||||
# $OpenBSD: moduli,v 1.18 2016/08/11 01:42:11 dtucker Exp $
|
||||
# Time Type Tests Tries Size Generator Modulus
|
||||
+20150520233853 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA2AC62AF
|
||||
+20150520233854 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA2BCC50F
|
||||
+20150520233854 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA2C241F3
|
||||
+20150520233855 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA2DDF347
|
||||
+20150520233856 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA2E3FDBB
|
||||
+20150520233857 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3006603
|
||||
+20150520233858 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA31D9C37
|
||||
+20150520233859 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA333355B
|
||||
+20150520233900 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3428B23
|
||||
+20150520233902 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA37C9A43
|
||||
+20150520233903 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA384B367
|
||||
+20150520233903 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3903453
|
||||
+20150520233904 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3946C77
|
||||
+20150520233904 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA39F6A9B
|
||||
+20150520233904 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3A0E88B
|
||||
+20150520233905 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3A37763
|
||||
+20150520233906 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3BBDD57
|
||||
+20150520233906 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3BDCDD7
|
||||
+20150520233906 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3BF5D73
|
||||
+20150520233907 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3C9BB83
|
||||
+20150520233908 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3E5ADCF
|
||||
+20150520233909 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA3F82077
|
||||
+20150520233910 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA406944F
|
||||
+20150520233910 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA40F7457
|
||||
+20150520233912 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA438733B
|
||||
+20150520233913 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA44707FB
|
||||
+20150520233914 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA4588A2B
|
||||
+20150520233916 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA48CC01B
|
||||
+20150520233917 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92DE6B9AEAFECF7B0A96D7ACB024B7C29DB18E70CB945FA54C7773519BC7161648AFE4939058AC40ECDBBD3636F5BF45863117E955007C9D0F9333BB4EF62F7C9F6298AB79A309C734F3CF201C61EBC3926ADD4E80968A65D9F60535164ACE7A7BFEDC1022002BB2BBA4960077
|
||||
+20150522025931 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAD18DA1F
|
||||
+20150522025936 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAD3763B3
|
||||
+20150522025942 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAD702B8B
|
||||
+20150522025943 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAD77C283
|
||||
+20150522025947 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAD96C25B
|
||||
+20150522025953 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DADD9B3DB
|
||||
+20150522025956 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DADE84F07
|
||||
+20150522025957 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DADEC1DB3
|
||||
+20150522030001 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE0E297F
|
||||
+20150522030004 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE2A1E23
|
||||
+20150522030005 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE2ADE53
|
||||
+20150522030008 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE47B9F7
|
||||
+20150522030009 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE4E1343
|
||||
+20150522030014 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE715CBB
|
||||
+20150522030016 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE7BC9EF
|
||||
+20150522030018 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE84579B
|
||||
+20150522030019 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE8A564B
|
||||
+20150522030023 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAEAF7AD7
|
||||
+20150522030025 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAEB9DC53
|
||||
+20150522030027 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAECD976F
|
||||
+20150522030034 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF07F063
|
||||
+20150522030034 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF08ACBB
|
||||
+20150522030037 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF192C07
|
||||
+20150522030039 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF241333
|
||||
+20150522030040 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF255B3B
|
||||
+20150522030044 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF3DEC37
|
||||
+20150522030048 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF60F05B
|
||||
+20150522030049 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF6255DF
|
||||
+20150522030055 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF8EE01F
|
||||
+20150522030059 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAFAD237B
|
||||
+20150522030104 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAFD13587
|
||||
+20150522030105 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAFD2BE6F
|
||||
+20150522030108 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAFECF32F
|
||||
+20150522030112 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAFFDEED7
|
||||
+20150522030115 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB01CAA63
|
||||
+20150522030116 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB01F3647
|
||||
+20150522030119 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB034B30F
|
||||
+20150522030122 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB04822EF
|
||||
+20150522030124 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB0528867
|
||||
+20150522030131 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB08D3CAB
|
||||
+20150522030136 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB0B10C6F
|
||||
+20150522030138 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB0C688A7
|
||||
+20150522030140 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB0CCDF9B
|
||||
+20150522030141 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB0CFD81B
|
||||
+20150522030145 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB0F59763
|
||||
+20150522030148 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB10339FB
|
||||
+20150522030149 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB10E3ACB
|
||||
+20150522030150 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB11127F3
|
||||
+20150522030159 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB15B8BDB
|
||||
20160301052556 2 6 100 2047 5 DA57B18976E9C55CEAC3BFFF70419A1550258EA7359400BD4FAC8F4203B73E0BC54D62C0A2D9AA9B543FACA0290514EA426DE6FEF897CB858243511DCE5170420C799D888DCFDC4502FF49B66F34E75C00E98A55408A791FF5CFEA7C288F8E6664226A6A90BE237D2E40C207B5AD0CAEDFDA4946E63AEA351A09EF462515FED4098694241CD07E2CB7727B39B8B1B9467D72DFB908D8169F5DB3CD5A6BEBE1344C585A882508B760402E86EB9B5548A7B98635ECFCDC02FF62B29C53847142FC598ADC66F622F6E9F73BDF02B3D795C0DF23D00E5A3A7748F3E1D5B06F46D4568CE3F4CC57E67D4C36DF5C12800620698C727CC5F5BCACF3B7E17E37D19F4647
|
||||
20160301052601 2 6 100 2047 2 DA57B18976E9C55CEAC3BFFF70419A1550258EA7359400BD4FAC8F4203B73E0BC54D62C0A2D9AA9B543FACA0290514EA426DE6FEF897CB858243511DCE5170420C799D888DCFDC4502FF49B66F34E75C00E98A55408A791FF5CFEA7C288F8E6664226A6A90BE237D2E40C207B5AD0CAEDFDA4946E63AEA351A09EF462515FED4098694241CD07E2CB7727B39B8B1B9467D72DFB908D8169F5DB3CD5A6BEBE1344C585A882508B760402E86EB9B5548A7B98635ECFCDC02FF62B29C53847142FC598ADC66F622F6E9F73BDF02B3D795C0DF23D00E5A3A7748F3E1D5B06F46D4568CE3F4CC57E67D4C36DF5C12800620698C727CC5F5BCACF3B7E17E37D1A5C13B
|
||||
20160301052612 2 6 100 2047 5 DA57B18976E9C55CEAC3BFFF70419A1550258EA7359400BD4FAC8F4203B73E0BC54D62C0A2D9AA9B543FACA0290514EA426DE6FEF897CB858243511DCE5170420C799D888DCFDC4502FF49B66F34E75C00E98A55408A791FF5CFEA7C288F8E6664226A6A90BE237D2E40C207B5AD0CAEDFDA4946E63AEA351A09EF462515FED4098694241CD07E2CB7727B39B8B1B9467D72DFB908D8169F5DB3CD5A6BEBE1344C585A882508B760402E86EB9B5548A7B98635ECFCDC02FF62B29C53847142FC598ADC66F622F6E9F73BDF02B3D795C0DF23D00E5A3A7748F3E1D5B06F46D4568CE3F4CC57E67D4C36DF5C12800620698C727CC5F5BCACF3B7E17E37D1B7A3EF
|
||||
diff -up openssh-7.4p1/myproposal.h.legacy openssh-7.4p1/myproposal.h
|
||||
--- openssh-7.4p1/myproposal.h.legacy 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/myproposal.h 2017-03-02 17:05:12.353352522 +0100
|
||||
@@ -96,34 +96,40 @@
|
||||
KEX_SHA2_METHODS
|
||||
|
||||
#define KEX_SERVER_KEX KEX_COMMON_KEX \
|
||||
+ "diffie-hellman-group-exchange-sha1," \
|
||||
KEX_SHA2_GROUP14 \
|
||||
- "diffie-hellman-group14-sha1" \
|
||||
+ "diffie-hellman-group14-sha1," \
|
||||
+ "diffie-hellman-group1-sha1"
|
||||
|
||||
#define KEX_CLIENT_KEX KEX_COMMON_KEX \
|
||||
"diffie-hellman-group-exchange-sha1," \
|
||||
KEX_SHA2_GROUP14 \
|
||||
- "diffie-hellman-group14-sha1"
|
||||
+ "diffie-hellman-group14-sha1," \
|
||||
+ "diffie-hellman-group1-sha1"
|
||||
|
||||
#define KEX_DEFAULT_PK_ALG \
|
||||
HOSTKEY_ECDSA_CERT_METHODS \
|
||||
"ssh-ed25519-cert-v01@openssh.com," \
|
||||
"ssh-rsa-cert-v01@openssh.com," \
|
||||
+ "ssh-dss-cert-v01@openssh.com," \
|
||||
HOSTKEY_ECDSA_METHODS \
|
||||
"ssh-ed25519," \
|
||||
"rsa-sha2-512," \
|
||||
"rsa-sha2-256," \
|
||||
- "ssh-rsa"
|
||||
+ "ssh-rsa," \
|
||||
+ "ssh-dss"
|
||||
|
||||
/* the actual algorithms */
|
||||
|
||||
-#define KEX_SERVER_ENCRYPT \
|
||||
+#define KEX_CLIENT_ENCRYPT \
|
||||
"chacha20-poly1305@openssh.com," \
|
||||
"aes128-ctr,aes192-ctr,aes256-ctr" \
|
||||
- AESGCM_CIPHER_MODES
|
||||
-
|
||||
-#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
|
||||
+ AESGCM_CIPHER_MODES "," \
|
||||
"aes128-cbc,aes192-cbc,aes256-cbc"
|
||||
|
||||
+#define KEX_SERVER_ENCRYPT KEX_CLIENT_ENCRYPT "," \
|
||||
+ "blowfish-cbc,cast128-cbc,3des-cbc"
|
||||
+
|
||||
#define KEX_SERVER_MAC \
|
||||
"umac-64-etm@openssh.com," \
|
||||
"umac-128-etm@openssh.com," \
|
||||
diff -up openssh-7.4p1/ssh_config.5.legacy openssh-7.4p1/ssh_config.5
|
||||
--- openssh-7.4p1/ssh_config.5.legacy 2017-03-02 17:00:37.620696010 +0100
|
||||
+++ openssh-7.4p1/ssh_config.5 2017-03-02 17:00:37.642695983 +0100
|
||||
@@ -833,8 +833,9 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
+ssh-dss-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-ssh-ed25519,ssh-rsa
|
||||
+ssh-ed25519,ssh-rsa,ssh-dss
|
||||
.Ed
|
||||
.Pp
|
||||
The
|
||||
@@ -856,8 +857,9 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
+ssh-dss-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-ssh-ed25519,ssh-rsa
|
||||
+ssh-ed25519,ssh-rsa,ssh-dss
|
||||
.Ed
|
||||
.Pp
|
||||
If hostkeys are known for the destination host then this default is modified
|
||||
@@ -1075,7 +1077,8 @@ curve25519-sha256,curve25519-sha256@libs
|
||||
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
diffie-hellman-group-exchange-sha256,
|
||||
diffie-hellman-group-exchange-sha1,
|
||||
-diffie-hellman-group14-sha1
|
||||
+diffie-hellman-group14-sha1,
|
||||
+diffie-hellman-group1-sha1
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
@@ -1313,8 +1316,9 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
+ssh-dss-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-ssh-ed25519,ssh-rsa
|
||||
+ssh-ed25519,ssh-rsa,ssh-dsa
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available key types may also be obtained using
|
||||
diff -up openssh-7.4p1/sshd_config.5.legacy openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.legacy 2017-03-02 17:00:37.636695990 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2017-03-02 17:04:17.528421067 +0100
|
||||
@@ -481,7 +481,9 @@ The default is:
|
||||
.Bd -literal -offset indent
|
||||
chacha20-poly1305@openssh.com,
|
||||
aes128-ctr,aes192-ctr,aes256-ctr,
|
||||
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
||||
+aes128-gcm@openssh.com,aes256-gcm@openssh.com,
|
||||
+aes128-cbc,aes192-cbc,aes256-cbc,
|
||||
+blowfish-cbc,cast128-cbc,3des-cbc
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available ciphers may also be obtained using
|
||||
@@ -707,8 +709,9 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
+ssh-dss-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-ssh-ed25519,ssh-rsa
|
||||
+ssh-ed25519,ssh-rsa,ssh-dss
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available key types may also be obtained using
|
||||
@@ -785,8 +788,9 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
+ssh-dss-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-ssh-ed25519,ssh-rsa
|
||||
+ssh-ed25519,ssh-rsa,ssh-dss
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available key types may also be obtained using
|
||||
@@ -926,7 +930,8 @@ The default is:
|
||||
curve25519-sha256,curve25519-sha256@libssh.org,
|
||||
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
diffie-hellman-group-exchange-sha256,
|
||||
-diffie-hellman-group14-sha1
|
||||
+diffie-hellman-group14-sha1,
|
||||
+diffie-hellman-group1-sha1
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
@@ -1040,7 +1045,8 @@ umac-64-etm@openssh.com,umac-128-etm@ope
|
||||
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
|
||||
hmac-sha1-etm@openssh.com,
|
||||
umac-64@openssh.com,umac-128@openssh.com,
|
||||
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
||||
+hmac-sha2-256,hmac-sha2-512,hmac-sha1,
|
||||
+hmac-sha1-etm@openssh.com
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available MAC algorithms may also be obtained using
|
||||
@@ -1344,8 +1350,9 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
+ssh-dss-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-ssh-ed25519,ssh-rsa
|
||||
+ssh-ed25519,ssh-rsa,ssh-dss
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available key types may also be obtained using
|
||||
36
openssh-7.4p1-legacy-ssh-copy-id.patch
Normal file
36
openssh-7.4p1-legacy-ssh-copy-id.patch
Normal file
|
|
@ -0,0 +1,36 @@
|
|||
diff -up openssh-7.4p1/contrib/ssh-copy-id.1.legacy-ssh-copy-id openssh-7.4p1/contrib/ssh-copy-id.1
|
||||
--- openssh-7.4p1/contrib/ssh-copy-id.1.legacy-ssh-copy-id 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/contrib/ssh-copy-id.1 2017-02-09 09:23:25.366651136 +0100
|
||||
@@ -185,6 +185,19 @@ should prove enlightening (N.B. the mode
|
||||
.Fl W
|
||||
option, rather than
|
||||
.Xr nc 1 ) .
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds
|
||||
+.Pp
|
||||
+.It Pa SSH_COPY_ID_LEGACY
|
||||
+If the
|
||||
+.Cm SSH_COPY_ID_LEGACY
|
||||
+environment variable is set, the
|
||||
+.Nm
|
||||
+is run in a legacy mode. In this mode, the
|
||||
+.Nm
|
||||
+doesn't check an existence of a private key and doesn't do remote checks
|
||||
+of the remote server versions or if public keys are already installed.
|
||||
+.El
|
||||
.Sh "SEE ALSO"
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-agent 1 ,
|
||||
diff -up openssh-7.4p1/contrib/ssh-copy-id.legacy-ssh-copy-id openssh-7.4p1/contrib/ssh-copy-id
|
||||
--- openssh-7.4p1/contrib/ssh-copy-id.legacy-ssh-copy-id 2017-02-09 09:23:25.366651136 +0100
|
||||
+++ openssh-7.4p1/contrib/ssh-copy-id 2017-02-09 09:33:07.896518169 +0100
|
||||
@@ -99,6 +99,9 @@ if [ -n "$SSH_AUTH_SOCK" ] && ssh-add -L
|
||||
GET_ID="ssh-add -L"
|
||||
fi
|
||||
|
||||
+# legacy environment variable implies forced copy
|
||||
+[ "x$SSH_COPY_ID_LEGACY" != "x" ] && FORCED=1
|
||||
+
|
||||
while test "$#" -gt 0
|
||||
do
|
||||
[ "${SEEN_OPT_I}" ] && expr "$1" : "[-]i" >/dev/null && {
|
||||
285
openssh-7.4p1-log-in-chroot.patch
Normal file
285
openssh-7.4p1-log-in-chroot.patch
Normal file
|
|
@ -0,0 +1,285 @@
|
|||
diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
|
||||
--- openssh-7.4p1/log.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/log.c 2017-02-09 09:51:07.571909000 +0100
|
||||
@@ -250,6 +250,11 @@ debug3(const char *fmt,...)
|
||||
void
|
||||
log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
|
||||
{
|
||||
+ log_init_handler(av0, level, facility, on_stderr, 1);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+log_init_handler(char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) {
|
||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
||||
struct syslog_data sdata = SYSLOG_DATA_INIT;
|
||||
#endif
|
||||
@@ -273,8 +278,10 @@ log_init(char *av0, LogLevel level, Sysl
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- log_handler = NULL;
|
||||
- log_handler_ctx = NULL;
|
||||
+ if (reset_handler) {
|
||||
+ log_handler = NULL;
|
||||
+ log_handler_ctx = NULL;
|
||||
+ }
|
||||
|
||||
log_on_stderr = on_stderr;
|
||||
if (on_stderr)
|
||||
diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h
|
||||
--- openssh-7.4p1/log.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/log.h 2017-02-09 09:51:07.571909000 +0100
|
||||
@@ -49,6 +49,7 @@ typedef enum {
|
||||
typedef void (log_handler_fn)(LogLevel, const char *, void *);
|
||||
|
||||
void log_init(char *, LogLevel, SyslogFacility, int);
|
||||
+void log_init_handler(char *, LogLevel, SyslogFacility, int, int);
|
||||
void log_change_level(LogLevel);
|
||||
int log_is_on_stderr(void);
|
||||
void log_redirect_stderr_to(const char *);
|
||||
diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
||||
--- openssh-7.4p1/monitor.c.log-in-chroot 2017-02-09 09:51:07.554909017 +0100
|
||||
+++ openssh-7.4p1/monitor.c 2017-02-09 10:05:21.067174230 +0100
|
||||
@@ -307,6 +307,8 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
close(pmonitor->m_log_sendfd);
|
||||
pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
|
||||
|
||||
+ pmonitor->m_state = "preauth";
|
||||
+
|
||||
authctxt = _authctxt;
|
||||
memset(authctxt, 0, sizeof(*authctxt));
|
||||
|
||||
@@ -405,6 +407,8 @@ monitor_child_postauth(struct monitor *p
|
||||
close(pmonitor->m_recvfd);
|
||||
pmonitor->m_recvfd = -1;
|
||||
|
||||
+ pmonitor->m_state = "postauth";
|
||||
+
|
||||
monitor_set_child_handler(pmonitor->m_pid);
|
||||
signal(SIGHUP, &monitor_child_handler);
|
||||
signal(SIGTERM, &monitor_child_handler);
|
||||
@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
|
||||
if (log_level_name(level) == NULL)
|
||||
fatal("%s: invalid log level %u (corrupted message?)",
|
||||
__func__, level);
|
||||
- do_log2(level, "%s [preauth]", msg);
|
||||
+ do_log2(level, "%s [%s]", msg, pmonitor->m_state);
|
||||
|
||||
buffer_free(&logmsg);
|
||||
free(msg);
|
||||
@@ -1719,13 +1723,28 @@ monitor_init(void)
|
||||
mon = xcalloc(1, sizeof(*mon));
|
||||
monitor_openfds(mon, 1);
|
||||
|
||||
+ mon->m_state = "";
|
||||
+
|
||||
return mon;
|
||||
}
|
||||
|
||||
void
|
||||
-monitor_reinit(struct monitor *mon)
|
||||
+monitor_reinit(struct monitor *mon, const char *chroot_dir)
|
||||
{
|
||||
- monitor_openfds(mon, 0);
|
||||
+ struct stat dev_log_stat;
|
||||
+ char *dev_log_path;
|
||||
+ int do_logfds = 0;
|
||||
+
|
||||
+ if (chroot_dir != NULL) {
|
||||
+ xasprintf(&dev_log_path, "%s/dev/log", chroot_dir);
|
||||
+
|
||||
+ if (stat(dev_log_path, &dev_log_stat) != 0) {
|
||||
+ debug("%s: /dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", __func__, chroot_dir);
|
||||
+ do_logfds = 1;
|
||||
+ }
|
||||
+ free(dev_log_path);
|
||||
+ }
|
||||
+ monitor_openfds(mon, do_logfds);
|
||||
}
|
||||
|
||||
#ifdef GSSAPI
|
||||
diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
|
||||
--- openssh-7.4p1/monitor.h.log-in-chroot 2017-02-09 09:51:07.571909000 +0100
|
||||
+++ openssh-7.4p1/monitor.h 2017-02-09 10:05:49.792146561 +0100
|
||||
@@ -83,10 +83,11 @@ struct monitor {
|
||||
int m_log_sendfd;
|
||||
struct kex **m_pkex;
|
||||
pid_t m_pid;
|
||||
+ char *m_state;
|
||||
};
|
||||
|
||||
struct monitor *monitor_init(void);
|
||||
-void monitor_reinit(struct monitor *);
|
||||
+void monitor_reinit(struct monitor *, const char *);
|
||||
|
||||
struct Authctxt;
|
||||
void monitor_child_preauth(struct Authctxt *, struct monitor *);
|
||||
diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
||||
--- openssh-7.4p1/session.c.log-in-chroot 2017-02-09 09:51:07.570909002 +0100
|
||||
+++ openssh-7.4p1/session.c 2017-02-09 10:08:16.241005497 +0100
|
||||
@@ -160,6 +160,7 @@ login_cap_t *lc;
|
||||
|
||||
static int is_child = 0;
|
||||
static int in_chroot = 0;
|
||||
+static int have_dev_log = 1;
|
||||
|
||||
/* Name and directory of socket for authentication agent forwarding. */
|
||||
static char *auth_sock_name = NULL;
|
||||
@@ -365,8 +366,8 @@ do_exec_no_pty(Session *s, const char *c
|
||||
is_child = 1;
|
||||
|
||||
/* Child. Reinitialize the log since the pid has changed. */
|
||||
- log_init(__progname, options.log_level,
|
||||
- options.log_facility, log_stderr);
|
||||
+ log_init_handler(__progname, options.log_level,
|
||||
+ options.log_facility, log_stderr, have_dev_log);
|
||||
|
||||
/*
|
||||
* Create a new session and process group since the 4.4BSD
|
||||
@@ -523,8 +524,8 @@ do_exec_pty(Session *s, const char *comm
|
||||
close(ptymaster);
|
||||
|
||||
/* Child. Reinitialize the log because the pid has changed. */
|
||||
- log_init(__progname, options.log_level,
|
||||
- options.log_facility, log_stderr);
|
||||
+ log_init_handler(__progname, options.log_level,
|
||||
+ options.log_facility, log_stderr, have_dev_log);
|
||||
/* Close the master side of the pseudo tty. */
|
||||
close(ptyfd);
|
||||
|
||||
@@ -619,6 +620,7 @@ do_exec(Session *s, const char *command)
|
||||
int ret;
|
||||
const char *forced = NULL, *tty = NULL;
|
||||
char session_type[1024];
|
||||
+ struct stat dev_log_stat;
|
||||
|
||||
if (options.adm_forced_command) {
|
||||
original_command = command;
|
||||
@@ -676,6 +678,10 @@ do_exec(Session *s, const char *command)
|
||||
tty += 5;
|
||||
}
|
||||
|
||||
+ if (lstat("/dev/log", &dev_log_stat) != 0) {
|
||||
+ have_dev_log = 0;
|
||||
+ }
|
||||
+
|
||||
verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
|
||||
session_type,
|
||||
tty == NULL ? "" : " on ",
|
||||
@@ -1490,14 +1496,6 @@ child_close_fds(void)
|
||||
* descriptors left by system functions. They will be closed later.
|
||||
*/
|
||||
endpwent();
|
||||
-
|
||||
- /*
|
||||
- * Close any extra open file descriptors so that we don't have them
|
||||
- * hanging around in clients. Note that we want to do this after
|
||||
- * initgroups, because at least on Solaris 2.3 it leaves file
|
||||
- * descriptors open.
|
||||
- */
|
||||
- closefrom(STDERR_FILENO + 1);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1633,8 +1631,6 @@ do_child(Session *s, const char *command
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- closefrom(STDERR_FILENO + 1);
|
||||
-
|
||||
do_rc_files(s, shell);
|
||||
|
||||
/* restore SIGPIPE for child */
|
||||
@@ -1658,9 +1654,17 @@ do_child(Session *s, const char *command
|
||||
argv[i] = NULL;
|
||||
optind = optreset = 1;
|
||||
__progname = argv[0];
|
||||
- exit(sftp_server_main(i, argv, s->pw));
|
||||
+ exit(sftp_server_main(i, argv, s->pw, have_dev_log));
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * Close any extra open file descriptors so that we don't have them
|
||||
+ * hanging around in clients. Note that we want to do this after
|
||||
+ * initgroups, because at least on Solaris 2.3 it leaves file
|
||||
+ * descriptors open.
|
||||
+ */
|
||||
+ closefrom(STDERR_FILENO + 1);
|
||||
+
|
||||
fflush(NULL);
|
||||
|
||||
/* Get the last component of the shell name. */
|
||||
diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
|
||||
--- openssh-7.4p1/sftp.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sftp.h 2017-02-09 09:51:07.572908999 +0100
|
||||
@@ -97,5 +97,5 @@
|
||||
|
||||
struct passwd;
|
||||
|
||||
-int sftp_server_main(int, char **, struct passwd *);
|
||||
+int sftp_server_main(int, char **, struct passwd *, int);
|
||||
void sftp_server_cleanup_exit(int) __attribute__((noreturn));
|
||||
diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
|
||||
--- openssh-7.4p1/sftp-server.c.log-in-chroot 2017-02-09 09:51:07.572908999 +0100
|
||||
+++ openssh-7.4p1/sftp-server.c 2017-02-09 10:09:39.662925141 +0100
|
||||
@@ -1497,7 +1497,7 @@ sftp_server_usage(void)
|
||||
}
|
||||
|
||||
int
|
||||
-sftp_server_main(int argc, char **argv, struct passwd *user_pw)
|
||||
+sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handler)
|
||||
{
|
||||
fd_set *rset, *wset;
|
||||
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
|
||||
@@ -1511,7 +1511,7 @@ sftp_server_main(int argc, char **argv,
|
||||
|
||||
ssh_malloc_init(); /* must be called before any mallocs */
|
||||
__progname = ssh_get_progname(argv[0]);
|
||||
- log_init(__progname, log_level, log_facility, log_stderr);
|
||||
+ log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
|
||||
|
||||
pw = pwcopy(user_pw);
|
||||
|
||||
@@ -1582,7 +1582,7 @@ sftp_server_main(int argc, char **argv,
|
||||
}
|
||||
}
|
||||
|
||||
- log_init(__progname, log_level, log_facility, log_stderr);
|
||||
+ log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
|
||||
|
||||
/*
|
||||
* On platforms where we can, avoid making /proc/self/{mem,maps}
|
||||
diff -up openssh-7.4p1/sftp-server-main.c.log-in-chroot openssh-7.4p1/sftp-server-main.c
|
||||
--- openssh-7.4p1/sftp-server-main.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sftp-server-main.c 2017-02-09 09:51:07.572908999 +0100
|
||||
@@ -49,5 +49,5 @@ main(int argc, char **argv)
|
||||
return 1;
|
||||
}
|
||||
|
||||
- return (sftp_server_main(argc, argv, user_pw));
|
||||
+ return (sftp_server_main(argc, argv, user_pw, 0));
|
||||
}
|
||||
diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
|
||||
--- openssh-7.4p1/sshd.c.log-in-chroot 2017-02-09 09:51:07.557909015 +0100
|
||||
+++ openssh-7.4p1/sshd.c 2017-02-09 09:51:07.573908998 +0100
|
||||
@@ -642,7 +642,7 @@ privsep_postauth(Authctxt *authctxt)
|
||||
}
|
||||
|
||||
/* New socket pair */
|
||||
- monitor_reinit(pmonitor);
|
||||
+ monitor_reinit(pmonitor, options.chroot_directory);
|
||||
|
||||
pmonitor->m_pid = fork();
|
||||
if (pmonitor->m_pid == -1)
|
||||
@@ -660,6 +660,11 @@ privsep_postauth(Authctxt *authctxt)
|
||||
|
||||
close(pmonitor->m_sendfd);
|
||||
pmonitor->m_sendfd = -1;
|
||||
+ close(pmonitor->m_log_recvfd);
|
||||
+ pmonitor->m_log_recvfd = -1;
|
||||
+
|
||||
+ if (pmonitor->m_log_sendfd != -1)
|
||||
+ set_log_handler(mm_log_handler, pmonitor);
|
||||
|
||||
/* Demote the private keys to public keys. */
|
||||
demote_sensitive_data();
|
||||
22
openssh-7.4p1-newline-banner.patch
Normal file
22
openssh-7.4p1-newline-banner.patch
Normal file
|
|
@ -0,0 +1,22 @@
|
|||
diff -up openssh-7.4p1/sshd.c.newline-banner openssh-7.4p1/sshd.c
|
||||
--- openssh-7.4p1/sshd.c.newline-banner 2017-02-17 14:00:47.237168594 +0100
|
||||
+++ openssh-7.4p1/sshd.c 2017-02-17 14:02:10.933096707 +0100
|
||||
@@ -369,15 +369,15 @@ sshd_exchange_identification(struct ssh
|
||||
{
|
||||
u_int i;
|
||||
int remote_major, remote_minor;
|
||||
- char *s, *newline = "\n";
|
||||
+ char *s;
|
||||
char buf[256]; /* Must not be larger than remote_version. */
|
||||
char remote_version[256]; /* Must be at least as big as buf. */
|
||||
|
||||
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
|
||||
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
|
||||
PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
|
||||
(options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
|
||||
*options.version_addendum == '\0' ? "" : " ",
|
||||
- options.version_addendum, newline);
|
||||
+ options.version_addendum);
|
||||
|
||||
/* Send our protocol version identification. */
|
||||
if (atomicio(vwrite, sock_out, server_version_string,
|
||||
36
openssh-7.4p1-permit-root-login.patch
Normal file
36
openssh-7.4p1-permit-root-login.patch
Normal file
|
|
@ -0,0 +1,36 @@
|
|||
diff -up openssh-7.4p1/servconf.c.permit-root openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.permit-root 2017-02-10 10:27:18.109487568 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2017-02-10 10:28:12.385776132 +0100
|
||||
@@ -231,7 +231,7 @@ fill_default_server_options(ServerOption
|
||||
if (options->login_grace_time == -1)
|
||||
options->login_grace_time = 120;
|
||||
if (options->permit_root_login == PERMIT_NOT_SET)
|
||||
- options->permit_root_login = PERMIT_NO_PASSWD;
|
||||
+ options->permit_root_login = PERMIT_YES;
|
||||
if (options->ignore_rhosts == -1)
|
||||
options->ignore_rhosts = 1;
|
||||
if (options->ignore_user_known_hosts == -1)
|
||||
diff -up openssh-7.4p1/sshd_config.5.permit-root openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.permit-root 2017-02-10 10:28:24.174605582 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2017-02-10 10:28:42.254344023 +0100
|
||||
@@ -1227,7 +1227,7 @@ The argument must be
|
||||
or
|
||||
.Cm no .
|
||||
The default is
|
||||
-.Cm prohibit-password .
|
||||
+.Cm yes .
|
||||
.Pp
|
||||
If this option is set to
|
||||
.Cm prohibit-password
|
||||
diff -up openssh-7.4p1/sshd_config.permit-root openssh-7.4p1/sshd_config
|
||||
--- openssh-7.4p1/sshd_config.permit-root 2017-02-10 10:26:52.256797645 +0100
|
||||
+++ openssh-7.4p1/sshd_config 2017-02-10 10:26:52.276797405 +0100
|
||||
@@ -35,7 +35,7 @@ SyslogFacility AUTHPRIV
|
||||
# Authentication:
|
||||
|
||||
#LoginGraceTime 2m
|
||||
-#PermitRootLogin prohibit-password
|
||||
+#PermitRootLogin yes
|
||||
#StrictModes yes
|
||||
#MaxAuthTries 6
|
||||
#MaxSessions 10
|
||||
24
openssh-7.4p1-pkcs11-whitelist.patch
Normal file
24
openssh-7.4p1-pkcs11-whitelist.patch
Normal file
|
|
@ -0,0 +1,24 @@
|
|||
diff -up openssh-7.4p1/ssh-agent.1.pkcs11-whitelist openssh-7.4p1/ssh-agent.1
|
||||
--- openssh-7.4p1/ssh-agent.1.pkcs11-whitelist 2017-01-03 10:41:01.916331710 +0100
|
||||
+++ openssh-7.4p1/ssh-agent.1 2017-01-03 10:40:06.549366029 +0100
|
||||
@@ -129,7 +129,7 @@ that may be added using the
|
||||
option to
|
||||
.Xr ssh-add 1 .
|
||||
The default is to allow loading PKCS#11 libraries from
|
||||
-.Dq /usr/lib/*,/usr/local/lib/* .
|
||||
+.Dq /usr/lib*/*,/usr/local/lib*/* .
|
||||
PKCS#11 libraries that do not match the whitelist will be refused.
|
||||
See PATTERNS in
|
||||
.Xr ssh_config 5
|
||||
diff -up openssh-7.4p1/ssh-agent.c.pkcs11-whitelist openssh-7.4p1/ssh-agent.c
|
||||
--- openssh-7.4p1/ssh-agent.c.pkcs11-whitelist 2017-01-03 10:41:09.324327118 +0100
|
||||
+++ openssh-7.4p1/ssh-agent.c 2017-01-03 10:40:21.212356939 +0100
|
||||
@@ -89,7 +89,7 @@
|
||||
#endif
|
||||
|
||||
#ifndef DEFAULT_PKCS11_WHITELIST
|
||||
-# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
|
||||
+# define DEFAULT_PKCS11_WHITELIST "/usr/lib*/*,/usr/local/lib*/*"
|
||||
#endif
|
||||
|
||||
typedef enum {
|
||||
18
openssh-7.4p1-rekeying-timeouts.patch
Normal file
18
openssh-7.4p1-rekeying-timeouts.patch
Normal file
|
|
@ -0,0 +1,18 @@
|
|||
diff --git a/serverloop.c b/serverloop.c
|
||||
index b5eb3440..1535eeb2 100644
|
||||
--- a/serverloop.c
|
||||
+++ b/serverloop.c
|
||||
@@ -225,9 +225,10 @@ wait_until_can_do_something(int connection_in, int connection_out,
|
||||
uint64_t keepalive_ms =
|
||||
(uint64_t)options.client_alive_interval * 1000;
|
||||
|
||||
- client_alive_scheduled = 1;
|
||||
- if (max_time_ms == 0 || max_time_ms > keepalive_ms)
|
||||
+ if (max_time_ms == 0 || max_time_ms > keepalive_ms) {
|
||||
max_time_ms = keepalive_ms;
|
||||
+ client_alive_scheduled = 1;
|
||||
+ }
|
||||
}
|
||||
|
||||
#if 0
|
||||
|
||||
File diff suppressed because it is too large
Load diff
19
openssh-7.4p1-rsa1-segfault.patch
Normal file
19
openssh-7.4p1-rsa1-segfault.patch
Normal file
|
|
@ -0,0 +1,19 @@
|
|||
diff --git a/sshd.c b/sshd.c
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -1551,6 +1551,15 @@ main(int ac, char **av)
|
||||
continue;
|
||||
key = key_load_private(options.host_key_files[i], "", NULL);
|
||||
pubkey = key_load_public(options.host_key_files[i], NULL);
|
||||
+
|
||||
+ if ((pubkey != NULL && pubkey->type == KEY_RSA1) ||
|
||||
+ (key != NULL && key->type == KEY_RSA1)) {
|
||||
+ verbose("Ignoring RSA1 key %s",
|
||||
+ options.host_key_files[i]);
|
||||
+ key_free(key);
|
||||
+ key_free(pubkey);
|
||||
+ continue;
|
||||
+ }
|
||||
if (pubkey == NULL && key != NULL)
|
||||
pubkey = key_demote(key);
|
||||
sensitive_data.host_keys[i] = key;
|
||||
211
openssh-7.4p1-sandbox-ibmca.patch
Normal file
211
openssh-7.4p1-sandbox-ibmca.patch
Normal file
|
|
@ -0,0 +1,211 @@
|
|||
From 5f1596e11d55539678c41f68aed358628d33d86f Mon Sep 17 00:00:00 2001
|
||||
From: Damien Miller <djm@mindrot.org>
|
||||
Date: Tue, 14 Mar 2017 13:15:18 +1100
|
||||
Subject: [PATCH] support ioctls for ICA crypto card on Linux/s390
|
||||
|
||||
Based on patch from Eduardo Barretto; ok dtucker@
|
||||
---
|
||||
sandbox-seccomp-filter.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||||
index af5525a..6ceee33 100644
|
||||
--- a/sandbox-seccomp-filter.c
|
||||
+++ b/sandbox-seccomp-filter.c
|
||||
@@ -223,6 +223,12 @@ static const struct sock_filter preauth_insns[] = {
|
||||
SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
|
||||
SC_DENY(socketcall, EACCES),
|
||||
#endif
|
||||
+#if defined(__NR_ioctl) && defined(__s390__)
|
||||
+ /* Allow ioctls for ICA crypto card on s390 */
|
||||
+ SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
|
||||
+ SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
|
||||
+ SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
|
||||
+#endif /* defined(__NR_ioctl) && defined(__s390__) */
|
||||
|
||||
/* Default deny */
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
|
||||
|
||||
From 9e96b41682aed793fadbea5ccd472f862179fb02 Mon Sep 17 00:00:00 2001
|
||||
From: Damien Miller <djm@mindrot.org>
|
||||
Date: Tue, 14 Mar 2017 12:24:47 +1100
|
||||
Subject: [PATCH] Fix weakness in seccomp-bpf sandbox arg inspection
|
||||
|
||||
Syscall arguments are passed via an array of 64-bit values in struct
|
||||
seccomp_data, but we were only inspecting the bottom 32 bits and not
|
||||
even those correctly for BE systems.
|
||||
|
||||
Fortunately, the only case argument inspection was used was in the
|
||||
socketcall filtering so using this for sandbox escape seems
|
||||
impossible.
|
||||
|
||||
ok dtucker
|
||||
---
|
||||
sandbox-seccomp-filter.c | 24 ++++++++++++++++++++----
|
||||
1 file changed, 20 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||||
index 2e1ed2c..af5525a 100644
|
||||
--- a/sandbox-seccomp-filter.c
|
||||
+++ b/sandbox-seccomp-filter.c
|
||||
@@ -73,6 +73,16 @@
|
||||
# define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP
|
||||
#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
|
||||
|
||||
+#if __BYTE_ORDER == __LITTLE_ENDIAN
|
||||
+# define ARG_LO_OFFSET 0
|
||||
+# define ARG_HI_OFFSET sizeof(uint32_t)
|
||||
+#elif __BYTE_ORDER == __BIG_ENDIAN
|
||||
+# define ARG_LO_OFFSET sizeof(uint32_t)
|
||||
+# define ARG_HI_OFFSET 0
|
||||
+#else
|
||||
+#error "Unknown endianness"
|
||||
+#endif
|
||||
+
|
||||
/* Simple helpers to avoid manual errors (but larger BPF programs). */
|
||||
#define SC_DENY(_nr, _errno) \
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
|
||||
@@ -81,11 +91,17 @@
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
|
||||
#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
|
||||
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \
|
||||
- /* load first syscall argument */ \
|
||||
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 6), \
|
||||
+ /* load and test first syscall argument, low word */ \
|
||||
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
|
||||
+ offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_LO_OFFSET), \
|
||||
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \
|
||||
+ ((_arg_val) & 0xFFFFFFFF), 0, 3), \
|
||||
+ /* load and test first syscall argument, high word */ \
|
||||
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
|
||||
- offsetof(struct seccomp_data, args[(_arg_nr)])), \
|
||||
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
|
||||
+ offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_HI_OFFSET), \
|
||||
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \
|
||||
+ (((uint32_t)((uint64_t)(_arg_val) >> 32)) & 0xFFFFFFFF), 0, 1), \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
|
||||
/* reload syscall number; all rules expect it in accumulator */ \
|
||||
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
|
||||
|
||||
From 58b8cfa2a062b72139d7229ae8de567f55776f24 Mon Sep 17 00:00:00 2001
|
||||
From: Damien Miller <djm@mindrot.org>
|
||||
Date: Wed, 22 Mar 2017 12:43:02 +1100
|
||||
Subject: [PATCH] Missing header on Linux/s390
|
||||
|
||||
Patch from Jakub Jelen
|
||||
---
|
||||
sandbox-seccomp-filter.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||||
index a8d472a..2831e9d 100644
|
||||
--- a/sandbox-seccomp-filter.c
|
||||
+++ b/sandbox-seccomp-filter.c
|
||||
@@ -50,6 +50,9 @@
|
||||
#include <elf.h>
|
||||
|
||||
#include <asm/unistd.h>
|
||||
+#ifdef __s390__
|
||||
+#include <asm/zcrypt.h>
|
||||
+#endif
|
||||
|
||||
#include <errno.h>
|
||||
#include <signal.h>
|
||||
|
||||
getuid and geteuid are needed when using an openssl engine that calls a
|
||||
crypto card, e.g. ICA (libica).
|
||||
Those syscalls are also needed by the distros for audit code.
|
||||
|
||||
Signed-off-by: Eduardo Barretto <ebarretto at linux.vnet.ibm.com>
|
||||
---
|
||||
sandbox-seccomp-filter.c | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||||
index 6e7de31..e86aa2c 100644
|
||||
--- a/sandbox-seccomp-filter.c
|
||||
+++ b/sandbox-seccomp-filter.c
|
||||
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
|
||||
#ifdef __NR_getpid
|
||||
SC_ALLOW(getpid),
|
||||
#endif
|
||||
+#ifdef __NR_getuid
|
||||
+ SC_ALLOW(getuid),
|
||||
+#endif
|
||||
+#ifdef __NR_getuid32
|
||||
+ SC_ALLOW(getuid32),
|
||||
+#endif
|
||||
+#ifdef __NR_geteuid
|
||||
+ SC_ALLOW(geteuid),
|
||||
+#endif
|
||||
+#ifdef __NR_geteuid32
|
||||
+ SC_ALLOW(geteuid32),
|
||||
+#endif
|
||||
#ifdef __NR_getrandom
|
||||
SC_ALLOW(getrandom),
|
||||
#endif
|
||||
--
|
||||
1.9.1
|
||||
|
||||
The EP11 crypto card needs to make an ioctl call, which receives an
|
||||
specific argument. This crypto card is for s390 only.
|
||||
|
||||
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
|
||||
---
|
||||
sandbox-seccomp-filter.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||||
index e86aa2c..98062f1 100644
|
||||
--- a/sandbox-seccomp-filter.c
|
||||
+++ b/sandbox-seccomp-filter.c
|
||||
@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = {
|
||||
SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
|
||||
SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
|
||||
SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
|
||||
+ /* Allow ioctls for EP11 crypto card on s390 */
|
||||
+ SC_ALLOW_ARG(ioctl, 1, ZSENDEP11CPRB),
|
||||
#endif /* defined(__NR_ioctl) && defined(__s390__) */
|
||||
|
||||
/* Default deny */
|
||||
--
|
||||
1.9.1
|
||||
|
||||
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
|
||||
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
|
||||
implementation) which calls the libraries that will communicate with the
|
||||
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
|
||||
this is only need on s390 architecture.
|
||||
|
||||
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
|
||||
---
|
||||
sandbox-seccomp-filter.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||||
index ca75cc7..6e7de31 100644
|
||||
--- a/sandbox-seccomp-filter.c
|
||||
+++ b/sandbox-seccomp-filter.c
|
||||
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
|
||||
#ifdef __NR_exit_group
|
||||
SC_ALLOW(exit_group),
|
||||
#endif
|
||||
+#if defined(__NR_flock) && defined(__s390__)
|
||||
+ SC_ALLOW(flock),
|
||||
+#endif
|
||||
#ifdef __NR_getpgid
|
||||
SC_ALLOW(getpgid),
|
||||
#endif
|
||||
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
|
||||
#ifdef __NR_gettimeofday
|
||||
SC_ALLOW(gettimeofday),
|
||||
#endif
|
||||
+#if defined(__NR_ipc) && defined(__s390__)
|
||||
+ SC_ALLOW(ipc),
|
||||
+#endif
|
||||
#ifdef __NR_madvise
|
||||
SC_ALLOW(madvise),
|
||||
#endif
|
||||
--
|
||||
1.9.1
|
||||
11
openssh-7.4p1-sandbox-ppc64le.patch
Normal file
11
openssh-7.4p1-sandbox-ppc64le.patch
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
diff -up openssh-7.4p1/sandbox-seccomp-filter.c.sandbox openssh-7.4p1/sandbox-seccomp-filter.c
|
||||
--- openssh-7.4p1/sandbox-seccomp-filter.c.sandbox 2017-04-21 13:30:49.692650798 +0200
|
||||
+++ openssh-7.4p1/sandbox-seccomp-filter.c 2017-04-21 13:30:52.259647579 +0200
|
||||
@@ -215,6 +215,7 @@ static const struct sock_filter preauth_
|
||||
#endif
|
||||
#ifdef __NR_socketcall
|
||||
SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
|
||||
+ SC_DENY(socketcall, EACCES),
|
||||
#endif
|
||||
|
||||
/* Default deny */
|
||||
28
openssh-7.4p1-sha2-signatures.patch
Normal file
28
openssh-7.4p1-sha2-signatures.patch
Normal file
|
|
@ -0,0 +1,28 @@
|
|||
diff -up openssh-7.4p1/kex.c.sha2 openssh-7.4p1/kex.c
|
||||
--- openssh-7.4p1/kex.c.sha2 2017-02-17 18:15:53.589835864 +0100
|
||||
+++ openssh-7.4p1/kex.c 2017-02-17 18:17:20.404781663 +0100
|
||||
@@ -379,21 +379,14 @@ static int
|
||||
kex_send_ext_info(struct ssh *ssh)
|
||||
{
|
||||
int r;
|
||||
- char *algs;
|
||||
|
||||
- if ((algs = sshkey_alg_list(0, 1, ',')) == NULL)
|
||||
- return SSH_ERR_ALLOC_FAIL;
|
||||
if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
|
||||
(r = sshpkt_put_u32(ssh, 1)) != 0 ||
|
||||
(r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
|
||||
- (r = sshpkt_put_cstring(ssh, algs)) != 0 ||
|
||||
+ (r = sshpkt_put_cstring(ssh, "rsa-sha2-256,rsa-sha2-512")) != 0 ||
|
||||
(r = sshpkt_send(ssh)) != 0)
|
||||
- goto out;
|
||||
- /* success */
|
||||
- r = 0;
|
||||
- out:
|
||||
- free(algs);
|
||||
- return r;
|
||||
+ return r;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
int
|
||||
315
openssh-7.4p1-show-more-fingerprints.patch
Normal file
315
openssh-7.4p1-show-more-fingerprints.patch
Normal file
|
|
@ -0,0 +1,315 @@
|
|||
diff -up openssh-7.4p1/clientloop.c.fingerprint openssh-7.4p1/clientloop.c
|
||||
--- openssh-7.4p1/clientloop.c.fingerprint 2016-12-23 15:38:50.520432387 +0100
|
||||
+++ openssh-7.4p1/clientloop.c 2016-12-23 15:38:50.564432394 +0100
|
||||
@@ -2279,7 +2279,7 @@ update_known_hosts(struct hostkeys_updat
|
||||
if (ctx->keys_seen[i] != 2)
|
||||
continue;
|
||||
if ((fp = sshkey_fingerprint(ctx->keys[i],
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
|
||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL)
|
||||
fatal("%s: sshkey_fingerprint failed", __func__);
|
||||
do_log2(loglevel, "Learned new hostkey: %s %s",
|
||||
sshkey_type(ctx->keys[i]), fp);
|
||||
@@ -2287,7 +2287,7 @@ update_known_hosts(struct hostkeys_updat
|
||||
}
|
||||
for (i = 0; i < ctx->nold; i++) {
|
||||
if ((fp = sshkey_fingerprint(ctx->old_keys[i],
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
|
||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL)
|
||||
fatal("%s: sshkey_fingerprint failed", __func__);
|
||||
do_log2(loglevel, "Deprecating obsolete hostkey: %s %s",
|
||||
sshkey_type(ctx->old_keys[i]), fp);
|
||||
@@ -2330,7 +2330,7 @@ update_known_hosts(struct hostkeys_updat
|
||||
(r = hostfile_replace_entries(options.user_hostfiles[0],
|
||||
ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys,
|
||||
options.hash_known_hosts, 0,
|
||||
- options.fingerprint_hash)) != 0)
|
||||
+ options.fingerprint_hash[0])) != 0)
|
||||
error("%s: hostfile_replace_entries failed: %s",
|
||||
__func__, ssh_err(r));
|
||||
}
|
||||
@@ -2443,7 +2443,7 @@ client_input_hostkeys(void)
|
||||
error("%s: parse key: %s", __func__, ssh_err(r));
|
||||
goto out;
|
||||
}
|
||||
- fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
||||
+ fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT);
|
||||
debug3("%s: received %s key %s", __func__,
|
||||
sshkey_type(key), fp);
|
||||
diff -up openssh-7.4p1/readconf.c.fingerprint openssh-7.4p1/readconf.c
|
||||
--- openssh-7.4p1/readconf.c.fingerprint 2016-12-23 15:38:50.559432393 +0100
|
||||
+++ openssh-7.4p1/readconf.c 2016-12-23 15:38:50.565432394 +0100
|
||||
@@ -1668,16 +1668,18 @@ parse_keytypes:
|
||||
goto parse_string;
|
||||
|
||||
case oFingerprintHash:
|
||||
- intptr = &options->fingerprint_hash;
|
||||
- arg = strdelim(&s);
|
||||
- if (!arg || *arg == '\0')
|
||||
- fatal("%.200s line %d: Missing argument.",
|
||||
- filename, linenum);
|
||||
- if ((value = ssh_digest_alg_by_name(arg)) == -1)
|
||||
- fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
|
||||
- filename, linenum, arg);
|
||||
- if (*activep && *intptr == -1)
|
||||
- *intptr = value;
|
||||
+ if (*activep && options->num_fingerprint_hash == 0)
|
||||
+ while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
|
||||
+ value = ssh_digest_alg_by_name(arg);
|
||||
+ if (value == -1)
|
||||
+ fatal("%s line %d: unknown fingerprints algorithm specs: %s.",
|
||||
+ filename, linenum, arg);
|
||||
+ if (options->num_fingerprint_hash >= SSH_DIGEST_MAX)
|
||||
+ fatal("%s line %d: too many fingerprints algorithm specs.",
|
||||
+ filename, linenum);
|
||||
+ options->fingerprint_hash[
|
||||
+ options->num_fingerprint_hash++] = value;
|
||||
+ }
|
||||
break;
|
||||
|
||||
case oUpdateHostkeys:
|
||||
@@ -1905,7 +1907,7 @@ initialize_options(Options * options)
|
||||
options->canonicalize_fallback_local = -1;
|
||||
options->canonicalize_hostname = -1;
|
||||
options->revoked_host_keys = NULL;
|
||||
- options->fingerprint_hash = -1;
|
||||
+ options->num_fingerprint_hash = 0;
|
||||
options->update_hostkeys = -1;
|
||||
options->hostbased_key_types = NULL;
|
||||
options->pubkey_key_types = NULL;
|
||||
@@ -2102,8 +2104,10 @@ fill_default_options(Options * options)
|
||||
options->canonicalize_fallback_local = 1;
|
||||
if (options->canonicalize_hostname == -1)
|
||||
options->canonicalize_hostname = SSH_CANONICALISE_NO;
|
||||
- if (options->fingerprint_hash == -1)
|
||||
- options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
+ if (options->num_fingerprint_hash == 0) {
|
||||
+ options->fingerprint_hash[options->num_fingerprint_hash++] = SSH_DIGEST_SHA256;
|
||||
+ options->fingerprint_hash[options->num_fingerprint_hash++] = (FIPS_mode() ? SSH_DIGEST_SHA1 : SSH_DIGEST_MD5);
|
||||
+ }
|
||||
if (options->update_hostkeys == -1)
|
||||
options->update_hostkeys = 0;
|
||||
if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
|
||||
@@ -2489,6 +2493,17 @@ dump_cfg_strarray(OpCodes code, u_int co
|
||||
}
|
||||
|
||||
static void
|
||||
+dump_cfg_fmtarray(OpCodes code, u_int count, int *vals)
|
||||
+{
|
||||
+ u_int i;
|
||||
+
|
||||
+ printf("%s", lookup_opcode_name(code));
|
||||
+ for (i = 0; i < count; i++)
|
||||
+ printf(" %s", fmt_intarg(code, vals[i]));
|
||||
+ printf("\n");
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
dump_cfg_strarray_oneline(OpCodes code, u_int count, char **vals)
|
||||
{
|
||||
u_int i;
|
||||
@@ -2564,7 +2579,6 @@ dump_client_config(Options *o, const cha
|
||||
dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign);
|
||||
dump_cfg_fmtint(oClearAllForwardings, o->clear_forwardings);
|
||||
dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
|
||||
- dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash);
|
||||
dump_cfg_fmtint(oForwardAgent, o->forward_agent);
|
||||
dump_cfg_fmtint(oForwardX11, o->forward_x11);
|
||||
dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted);
|
||||
@@ -2634,6 +2648,7 @@ dump_client_config(Options *o, const cha
|
||||
dump_cfg_strarray_oneline(oGlobalKnownHostsFile, o->num_system_hostfiles, o->system_hostfiles);
|
||||
dump_cfg_strarray_oneline(oUserKnownHostsFile, o->num_user_hostfiles, o->user_hostfiles);
|
||||
dump_cfg_strarray(oSendEnv, o->num_send_env, o->send_env);
|
||||
+ dump_cfg_fmtarray(oFingerprintHash, o->num_fingerprint_hash, o->fingerprint_hash);
|
||||
|
||||
/* Special cases */
|
||||
|
||||
diff -up openssh-7.4p1/readconf.h.fingerprint openssh-7.4p1/readconf.h
|
||||
--- openssh-7.4p1/readconf.h.fingerprint 2016-12-23 15:38:50.559432393 +0100
|
||||
+++ openssh-7.4p1/readconf.h 2016-12-23 15:38:50.565432394 +0100
|
||||
@@ -21,6 +21,7 @@
|
||||
#define MAX_SEND_ENV 256
|
||||
#define SSH_MAX_HOSTS_FILES 32
|
||||
#define MAX_CANON_DOMAINS 32
|
||||
+#define MAX_SSH_DIGESTS 8
|
||||
#define PATH_MAX_SUN (sizeof((struct sockaddr_un *)0)->sun_path)
|
||||
|
||||
struct allowed_cname {
|
||||
@@ -162,7 +163,8 @@ typedef struct {
|
||||
|
||||
char *revoked_host_keys;
|
||||
|
||||
- int fingerprint_hash;
|
||||
+ int num_fingerprint_hash;
|
||||
+ int fingerprint_hash[MAX_SSH_DIGESTS];
|
||||
|
||||
int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
|
||||
|
||||
diff -up openssh-7.4p1/ssh_config.5.fingerprint openssh-7.4p1/ssh_config.5
|
||||
--- openssh-7.4p1/ssh_config.5.fingerprint 2016-12-23 15:38:50.565432394 +0100
|
||||
+++ openssh-7.4p1/ssh_config.5 2016-12-23 15:40:03.754444166 +0100
|
||||
@@ -652,12 +652,13 @@ or
|
||||
.Cm no
|
||||
(the default).
|
||||
.It Cm FingerprintHash
|
||||
-Specifies the hash algorithm used when displaying key fingerprints.
|
||||
+Specifies the hash algorithms used when displaying key fingerprints.
|
||||
Valid options are:
|
||||
.Cm md5
|
||||
and
|
||||
-.Cm sha256
|
||||
-(the default).
|
||||
+.Cm sha256 .
|
||||
+The default is
|
||||
+.Cm "sha256 md5".
|
||||
.It Cm ForwardAgent
|
||||
Specifies whether the connection to the authentication agent (if any)
|
||||
will be forwarded to the remote machine.
|
||||
diff -up openssh-7.4p1/sshconnect2.c.fingerprint openssh-7.4p1/sshconnect2.c
|
||||
--- openssh-7.4p1/sshconnect2.c.fingerprint 2016-12-23 15:38:50.561432394 +0100
|
||||
+++ openssh-7.4p1/sshconnect2.c 2016-12-23 15:38:50.566432394 +0100
|
||||
@@ -677,7 +677,7 @@ input_userauth_pk_ok(int type, u_int32_t
|
||||
key->type, pktype);
|
||||
goto done;
|
||||
}
|
||||
- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
||||
+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT)) == NULL)
|
||||
goto done;
|
||||
debug2("input_userauth_pk_ok: fp %s", fp);
|
||||
@@ -1172,7 +1172,7 @@ sign_and_send_pubkey(Authctxt *authctxt,
|
||||
int matched, ret = -1, have_sig = 1;
|
||||
char *fp;
|
||||
|
||||
- if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
|
||||
+ if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT)) == NULL)
|
||||
return 0;
|
||||
debug3("%s: %s %s", __func__, key_type(id->key), fp);
|
||||
@@ -1864,7 +1864,7 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
goto out;
|
||||
}
|
||||
|
||||
- if ((fp = sshkey_fingerprint(private, options.fingerprint_hash,
|
||||
+ if ((fp = sshkey_fingerprint(private, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT)) == NULL) {
|
||||
error("%s: sshkey_fingerprint failed", __func__);
|
||||
goto out;
|
||||
diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c
|
||||
--- openssh-7.4p1/sshconnect.c.fingerprint 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sshconnect.c 2016-12-23 15:38:50.566432394 +0100
|
||||
@@ -922,9 +922,9 @@ check_host_key(char *hostname, struct so
|
||||
"of known hosts.", type, ip);
|
||||
} else if (options.visual_host_key) {
|
||||
fp = sshkey_fingerprint(host_key,
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT);
|
||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT);
|
||||
ra = sshkey_fingerprint(host_key,
|
||||
- options.fingerprint_hash, SSH_FP_RANDOMART);
|
||||
+ options.fingerprint_hash[0], SSH_FP_RANDOMART);
|
||||
if (fp == NULL || ra == NULL)
|
||||
fatal("%s: sshkey_fingerprint fail", __func__);
|
||||
logit("Host key fingerprint is %s\n%s", fp, ra);
|
||||
@@ -966,12 +966,6 @@ check_host_key(char *hostname, struct so
|
||||
else
|
||||
snprintf(msg1, sizeof(msg1), ".");
|
||||
/* The default */
|
||||
- fp = sshkey_fingerprint(host_key,
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT);
|
||||
- ra = sshkey_fingerprint(host_key,
|
||||
- options.fingerprint_hash, SSH_FP_RANDOMART);
|
||||
- if (fp == NULL || ra == NULL)
|
||||
- fatal("%s: sshkey_fingerprint fail", __func__);
|
||||
msg2[0] = '\0';
|
||||
if (options.verify_host_key_dns) {
|
||||
if (matching_host_key_dns)
|
||||
@@ -985,16 +979,28 @@ check_host_key(char *hostname, struct so
|
||||
}
|
||||
snprintf(msg, sizeof(msg),
|
||||
"The authenticity of host '%.200s (%s)' can't be "
|
||||
- "established%s\n"
|
||||
- "%s key fingerprint is %s.%s%s\n%s"
|
||||
+ "established%s\n", host, ip, msg1);
|
||||
+ for (i = 0; i < (u_int) options.num_fingerprint_hash; i++) {
|
||||
+ fp = sshkey_fingerprint(host_key,
|
||||
+ options.fingerprint_hash[i], SSH_FP_DEFAULT);
|
||||
+ ra = sshkey_fingerprint(host_key,
|
||||
+ options.fingerprint_hash[i], SSH_FP_RANDOMART);
|
||||
+ if (fp == NULL || ra == NULL)
|
||||
+ fatal("%s: sshkey_fingerprint fail", __func__);
|
||||
+ len = strlen(msg);
|
||||
+ snprintf(msg+len, sizeof(msg)-len,
|
||||
+ "%s key fingerprint is %s.%s%s\n%s",
|
||||
+ type, fp,
|
||||
+ options.visual_host_key ? "\n" : "",
|
||||
+ options.visual_host_key ? ra : "",
|
||||
+ msg2);
|
||||
+ free(ra);
|
||||
+ free(fp);
|
||||
+ }
|
||||
+ len = strlen(msg);
|
||||
+ snprintf(msg+len, sizeof(msg)-len,
|
||||
"Are you sure you want to continue connecting "
|
||||
- "(yes/no)? ",
|
||||
- host, ip, msg1, type, fp,
|
||||
- options.visual_host_key ? "\n" : "",
|
||||
- options.visual_host_key ? ra : "",
|
||||
- msg2);
|
||||
- free(ra);
|
||||
- free(fp);
|
||||
+ "(yes/no)? ");
|
||||
if (!confirm(msg))
|
||||
goto fail;
|
||||
hostkey_trusted = 1; /* user explicitly confirmed */
|
||||
@@ -1244,7 +1250,7 @@ verify_host_key(char *host, struct socka
|
||||
struct sshkey *plain = NULL;
|
||||
|
||||
if ((fp = sshkey_fingerprint(host_key,
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
|
||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
|
||||
error("%s: fingerprint host key: %s", __func__, ssh_err(r));
|
||||
r = -1;
|
||||
goto out;
|
||||
@@ -1252,7 +1258,7 @@ verify_host_key(char *host, struct socka
|
||||
|
||||
if (sshkey_is_cert(host_key)) {
|
||||
if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
|
||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
|
||||
error("%s: fingerprint CA key: %s",
|
||||
__func__, ssh_err(r));
|
||||
r = -1;
|
||||
@@ -1432,9 +1438,9 @@ show_other_keys(struct hostkeys *hostkey
|
||||
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
|
||||
continue;
|
||||
fp = sshkey_fingerprint(found->key,
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT);
|
||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT);
|
||||
ra = sshkey_fingerprint(found->key,
|
||||
- options.fingerprint_hash, SSH_FP_RANDOMART);
|
||||
+ options.fingerprint_hash[0], SSH_FP_RANDOMART);
|
||||
if (fp == NULL || ra == NULL)
|
||||
fatal("%s: sshkey_fingerprint fail", __func__);
|
||||
logit("WARNING: %s key found for host %s\n"
|
||||
@@ -1457,7 +1463,7 @@ warn_changed_key(Key *host_key)
|
||||
{
|
||||
char *fp;
|
||||
|
||||
- fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
|
||||
+ fp = sshkey_fingerprint(host_key, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT);
|
||||
if (fp == NULL)
|
||||
fatal("%s: sshkey_fingerprint fail", __func__);
|
||||
diff -up openssh-7.4p1/ssh-keysign.c.fingerprint openssh-7.4p1/ssh-keysign.c
|
||||
--- openssh-7.4p1/ssh-keysign.c.fingerprint 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/ssh-keysign.c 2016-12-23 15:38:50.566432394 +0100
|
||||
@@ -285,7 +285,7 @@ main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
if (!found) {
|
||||
- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
||||
+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT)) == NULL)
|
||||
fatal("%s: sshkey_fingerprint failed", __progname);
|
||||
fatal("no matching hostkey found for key %s %s",
|
||||
50
openssh-7.4p1-uidswap.patch
Normal file
50
openssh-7.4p1-uidswap.patch
Normal file
|
|
@ -0,0 +1,50 @@
|
|||
From 26f96ca10ad0ec5da9b05b99de1e1ccea15a11be Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Fri, 15 Jun 2018 07:01:11 +0000
|
||||
Subject: [PATCH] upstream: invalidate supplemental group cache used by
|
||||
|
||||
temporarily_use_uid() when the target uid differs; could cause failure to
|
||||
read authorized_keys under some configurations. patch by Jakub Jelen via
|
||||
bz2873; ok dtucker, markus
|
||||
|
||||
OpenBSD-Commit-ID: 48a345f0ee90f6c465a078eb5e89566b23abd8a1
|
||||
---
|
||||
uidswap.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/uidswap.c b/uidswap.c
|
||||
index 8bf6b244e..1430b822a 100644
|
||||
--- a/uidswap.c
|
||||
+++ b/uidswap.c
|
||||
@@ -49,6 +49,7 @@ static gid_t saved_egid = 0;
|
||||
/* Saved effective uid. */
|
||||
static int privileged = 0;
|
||||
static int temporarily_use_uid_effective = 0;
|
||||
+static uid_t user_groups_uid;
|
||||
static gid_t *saved_egroups = NULL, *user_groups = NULL;
|
||||
static int saved_egroupslen = -1, user_groupslen = -1;
|
||||
|
||||
@@ -92,10 +93,11 @@ temporarily_use_uid(struct passwd *pw)
|
||||
fatal("getgroups: %.100s", strerror(errno));
|
||||
} else { /* saved_egroupslen == 0 */
|
||||
free(saved_egroups);
|
||||
+ saved_egroups = NULL;
|
||||
}
|
||||
|
||||
/* set and save the user's groups */
|
||||
- if (user_groupslen == -1) {
|
||||
+ if (user_groupslen == -1 || user_groups_uid != pw->pw_uid) {
|
||||
if (initgroups(pw->pw_name, pw->pw_gid) < 0)
|
||||
fatal("initgroups: %s: %.100s", pw->pw_name,
|
||||
strerror(errno));
|
||||
@@ -110,7 +112,9 @@ temporarily_use_uid(struct passwd *pw)
|
||||
fatal("getgroups: %.100s", strerror(errno));
|
||||
} else { /* user_groupslen == 0 */
|
||||
free(user_groups);
|
||||
+ user_groups = NULL;
|
||||
}
|
||||
+ user_groups_uid = pw->pw_uid;
|
||||
}
|
||||
/* Set the effective uid to the given (unprivileged) uid. */
|
||||
if (setgroups(user_groupslen, user_groups) < 0)
|
||||
|
||||
46
openssh-7.4p1-usedns-yes.patch
Normal file
46
openssh-7.4p1-usedns-yes.patch
Normal file
|
|
@ -0,0 +1,46 @@
|
|||
Revert 3cd5103c1e1aaa59bd66f7f52f6ebbcd5deb12f9
|
||||
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index 475076bf2..318546290 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -308,7 +308,7 @@ fill_default_server_options(ServerOptions *options)
|
||||
if (options->max_sessions == -1)
|
||||
options->max_sessions = DEFAULT_SESSIONS_MAX;
|
||||
if (options->use_dns == -1)
|
||||
- options->use_dns = 0;
|
||||
+ options->use_dns = 1;
|
||||
if (options->client_alive_interval == -1)
|
||||
options->client_alive_interval = 0;
|
||||
if (options->client_alive_count_max == -1)
|
||||
diff --git a/sshd_config b/sshd_config
|
||||
index e9045bc4d..c9042ac3c 100644
|
||||
--- a/sshd_config
|
||||
+++ b/sshd_config
|
||||
@@ -112,7 +112,7 @@ UsePrivilegeSeparation sandbox # Default for new installations.
|
||||
#ClientAliveInterval 0
|
||||
#ClientAliveCountMax 3
|
||||
#ShowPatchLevel no
|
||||
-#UseDNS no
|
||||
+#UseDNS yes
|
||||
#PidFile /var/run/sshd.pid
|
||||
#MaxStartups 10:30:100
|
||||
#PermitTunnel no
|
||||
diff --git a/sshd_config.5 b/sshd_config.5
|
||||
index 4fd93d68e..cf57c609f 100644
|
||||
--- a/sshd_config.5
|
||||
+++ b/sshd_config.5
|
||||
@@ -1379,10 +1379,12 @@ should look up the remote host name and check that
|
||||
should look up the remote host name, and to check that
|
||||
the resolved host name for the remote IP address maps back to the
|
||||
very same IP address.
|
||||
+The default is
|
||||
+.Dq yes .
|
||||
.Pp
|
||||
If this option is set to
|
||||
.Cm no
|
||||
-(the default) then only addresses and not host names may be used in
|
||||
+then only addresses and not host names may be used in
|
||||
.Pa ~/.ssh/authorized_keys
|
||||
.Cm from
|
||||
and
|
||||
31
openssh-7.4p1-winscp-compat.patch
Normal file
31
openssh-7.4p1-winscp-compat.patch
Normal file
|
|
@ -0,0 +1,31 @@
|
|||
commit 2985d4062ebf4204bbd373456a810d558698f9f5
|
||||
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
||||
Date: Tue Jul 25 09:22:25 2017 +0000
|
||||
|
||||
upstream commit
|
||||
|
||||
Make WinSCP patterns for SSH_OLD_DHGEX more specific to
|
||||
exclude WinSCP 5.10.x and up. bz#2748, from martin at winscp.net, ok djm@
|
||||
|
||||
Upstream-ID: 6fd7c32e99af3952db007aa180e73142ddbc741a
|
||||
|
||||
diff --git a/compat.c b/compat.c
|
||||
index 156a5ea8..d82135e2 100644
|
||||
--- a/compat.c
|
||||
+++ b/compat.c
|
||||
@@ -177,9 +177,12 @@ compat_datafellows(const char *version)
|
||||
"TTSSH/2.72*", SSH_BUG_HOSTKEYS },
|
||||
{ "WinSCP_release_4*,"
|
||||
"WinSCP_release_5.0*,"
|
||||
- "WinSCP_release_5.1*,"
|
||||
- "WinSCP_release_5.5*,"
|
||||
- "WinSCP_release_5.6*,"
|
||||
+ "WinSCP_release_5.1,"
|
||||
+ "WinSCP_release_5.1.*,"
|
||||
+ "WinSCP_release_5.5,"
|
||||
+ "WinSCP_release_5.5.*,"
|
||||
+ "WinSCP_release_5.6,"
|
||||
+ "WinSCP_release_5.6.*,"
|
||||
"WinSCP_release_5.7,"
|
||||
"WinSCP_release_5.7.1,"
|
||||
"WinSCP_release_5.7.2,"
|
||||
35
openssh-7.5p1-sftp-empty-files.patch
Normal file
35
openssh-7.5p1-sftp-empty-files.patch
Normal file
|
|
@ -0,0 +1,35 @@
|
|||
From 4d827f0d75a53d3952288ab882efbddea7ffadfe Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Tue, 4 Apr 2017 00:24:56 +0000
|
||||
Subject: [PATCH] upstream commit
|
||||
|
||||
disallow creation (of empty files) in read-only mode;
|
||||
reported by Michal Zalewski, feedback & ok deraadt@
|
||||
|
||||
Upstream-ID: 5d9c8f2fa8511d4ecf95322994ffe73e9283899b
|
||||
---
|
||||
sftp-server.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/sftp-server.c b/sftp-server.c
|
||||
index 3619cdfc0..df0fb5068 100644
|
||||
--- a/sftp-server.c
|
||||
+++ b/sftp-server.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
|
||||
+/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@@ -691,8 +691,8 @@ process_open(u_int32_t id)
|
||||
logit("open \"%s\" flags %s mode 0%o",
|
||||
name, string_from_portable(pflags), mode);
|
||||
if (readonly &&
|
||||
- ((flags & O_ACCMODE) == O_WRONLY ||
|
||||
- (flags & O_ACCMODE) == O_RDWR)) {
|
||||
+ ((flags & O_ACCMODE) != O_RDONLY ||
|
||||
+ (flags & (O_CREAT|O_TRUNC)) != 0)) {
|
||||
verbose("Refusing open request in read-only mode");
|
||||
status = SSH2_FX_PERMISSION_DENIED;
|
||||
} else {
|
||||
|
||||
25
openssh-8.7p1-upstream-cve-2021-41617.patch
Normal file
25
openssh-8.7p1-upstream-cve-2021-41617.patch
Normal file
|
|
@ -0,0 +1,25 @@
|
|||
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
|
||||
index b8d1040d..0134d694 100644
|
||||
--- a/auth2-pubkey.c
|
||||
+++ b/auth2-pubkey.c
|
||||
@@ -56,6 +56,7 @@
|
||||
# include <paths.h>
|
||||
#endif
|
||||
#include <pwd.h>
|
||||
+#include <grp.h>
|
||||
#include <signal.h>
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
@@ -2695,6 +2696,12 @@ subprocess(const char *tag, const char *command,
|
||||
}
|
||||
closefrom(STDERR_FILENO + 1);
|
||||
|
||||
+ if (geteuid() == 0 &&
|
||||
+ initgroups(pw->pw_name, pw->pw_gid) == -1) {
|
||||
+ error("%s: initgroups(%s, %u): %s", tag,
|
||||
+ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
|
||||
+ _exit(1);
|
||||
+ }
|
||||
/* Don't use permanently_set_uid() here to avoid fatal() */
|
||||
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
|
||||
error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
|
||||
17
openssh-9.3p1-upstream-cve-2023-38408.patch
Normal file
17
openssh-9.3p1-upstream-cve-2023-38408.patch
Normal file
|
|
@ -0,0 +1,17 @@
|
|||
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
|
||||
index 6be647ec..ebddf6c3 100644
|
||||
--- a/ssh-pkcs11.c
|
||||
+++ b/ssh-pkcs11.c
|
||||
@@ -1537,10 +1537,8 @@ pkcs11_register_provider(char *provider_id, char *pin,
|
||||
error("dlopen %s failed: %s", provider_id, dlerror());
|
||||
goto fail;
|
||||
}
|
||||
- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
|
||||
- error("dlsym(C_GetFunctionList) failed: %s", dlerror());
|
||||
- goto fail;
|
||||
- }
|
||||
+ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
|
||||
+ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
|
||||
p = xcalloc(1, sizeof(*p));
|
||||
p->name = xstrdup(provider_id);
|
||||
p->handle = handle;
|
||||
2
sources
2
sources
|
|
@ -1 +1 @@
|
|||
a62b88b884df0b09b8a8c5789ac9e51b openssh-6.4p1.tar.gz
|
||||
SHA512 (openssh-7.4p1.tar.gz) = 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue