update to openssh-8.8p1

kircher 2021-10-28 16:38:19 +08:00
parent 11347d6ff5
commit f9d1ddf07d
67 changed files with 3842 additions and 7868 deletions


@ -1,60 +0,0 @@
From 4286e434ab29c077a42d52c97e7a2e92f93fc1c3 Mon Sep 17 00:00:00 2001
From: zhuqingfu <zhuqingfu1@huawei.com>
Date: Tue, 15 Sep 2020 15:09:52 +0800
Subject: [PATCH] CVE-2018-15919
---
auth.h | 1 +
auth2-gss.c | 1 +
auth2.c | 4 ++++
3 files changed, 6 insertions(+)
diff --git a/auth.h b/auth.h
index c3a92df..1127fdf 100644
--- a/auth.h
+++ b/auth.h
@@ -58,6 +58,7 @@ struct Authctxt {
int attempt;
int failures;
int server_caused_failure;
+ int server_caused_gssapi_failure;
int force_pwchange;
char *user; /* username sent by the client */
char *service;
diff --git a/auth2-gss.c b/auth2-gss.c
index 4708375..6008319 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -156,6 +156,7 @@ userauth_gssapi(struct ssh *ssh)
ssh_gssapi_delete_ctx(&ctxt);
free(doid);
authctxt->server_caused_failure = 1;
+ authctxt->server_caused_gssapi_failure = 1;
return (0);
}
diff --git a/auth2.c b/auth2.c
index 956b9cf..2c4fc97 100644
--- a/auth2.c
+++ b/auth2.c
@@ -345,6 +345,7 @@ if (options.check_user_splash)
auth2_authctxt_reset_info(authctxt);
authctxt->postponed = 0;
authctxt->server_caused_failure = 0;
+ authctxt->server_caused_gssapi_failure = 0;
/* try to authenticate user */
m = authmethod_lookup(authctxt, method);
@@ -442,6 +443,9 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *method,
if (!partial && !authctxt->server_caused_failure &&
(authctxt->attempt > 1 || strcmp(method, "none") != 0))
authctxt->failures++;
+ if (!partial && authctxt->server_caused_gssapi_failure &&
+ (authctxt->attempt > 1 || strcmp(method, "none") != 0))
+ authctxt->failures++;
if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES));
--
1.8.3.1


@ -1,202 +0,0 @@
From aad87b88fc2536b1ea023213729aaf4eaabe1894 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 1 May 2020 06:31:42 +0000
Subject: [PATCH] upstream: when receving a file in sink(), be careful to send
at
most a single error response after the file has been opened. Otherwise the
source() and sink() can become desyncronised. Reported by Daniel Goujot,
Georges-Axel Jaloyan, Ryan Lahfa, and David Naccache.
ok deraadt@ markus@
OpenBSD-Commit-ID: 6c14d233c97349cb811a8f7921ded3ae7d9e0035
---
scp.c | 96 ++++++++++++++++++++++++++++++++++++-----------------------
1 file changed, 59 insertions(+), 37 deletions(-)
diff --git a/scp.c b/scp.c
index 812ab5301..439025980 100644
--- a/scp.c
+++ b/scp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.207 2020/01/23 07:10:22 dtucker Exp $ */
+/* $OpenBSD: scp.c,v 1.209 2020/05/01 06:31:42 djm Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
@@ -374,6 +374,7 @@ BUF *allocbuf(BUF *, int, int);
void lostconn(int);
int okname(char *);
void run_err(const char *,...);
+int note_err(const char *,...);
void verifydir(char *);
struct passwd *pwd;
@@ -1231,9 +1232,6 @@ sink(int argc, char **argv, const char *src)
{
static BUF buffer;
struct stat stb;
- enum {
- YES, NO, DISPLAYED
- } wrerr;
BUF *bp;
off_t i;
size_t j, count;
@@ -1241,7 +1239,7 @@ sink(int argc, char **argv, const char *src)
mode_t mode, omode, mask;
off_t size, statbytes;
unsigned long long ull;
- int setimes, targisdir, wrerrno = 0;
+ int setimes, targisdir, wrerr;
char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
char **patterns = NULL;
size_t n, npatterns = 0;
@@ -1450,8 +1448,13 @@ bad: run_err("%s: %s", np, strerror(errno));
continue;
}
cp = bp->buf;
- wrerr = NO;
+ wrerr = 0;
+ /*
+ * NB. do not use run_err() unless immediately followed by
+ * exit() below as it may send a spurious reply that might
+ * desyncronise us from the peer. Use note_err() instead.
+ */
statbytes = 0;
if (showprogress)
start_progress_meter(curfile, size, &statbytes);
@@ -1476,11 +1479,12 @@ bad: run_err("%s: %s", np, strerror(errno));
if (count == bp->cnt) {
/* Keep reading so we stay sync'd up. */
- if (wrerr == NO) {
+ if (!wrerr) {
if (atomicio(vwrite, ofd, bp->buf,
count) != count) {
- wrerr = YES;
- wrerrno = errno;
+ note_err("%s: %s", np,
+ strerror(errno));
+ wrerr = 1;
}
}
count = 0;
@@ -1488,16 +1492,14 @@ bad: run_err("%s: %s", np, strerror(errno));
}
}
unset_nonblock(remin);
- if (count != 0 && wrerr == NO &&
+ if (count != 0 && !wrerr &&
atomicio(vwrite, ofd, bp->buf, count) != count) {
- wrerr = YES;
- wrerrno = errno;
- }
- if (wrerr == NO && (!exists || S_ISREG(stb.st_mode)) &&
- ftruncate(ofd, size) != 0) {
- run_err("%s: truncate: %s", np, strerror(errno));
- wrerr = DISPLAYED;
+ note_err("%s: %s", np, strerror(errno));
+ wrerr = 1;
}
+ if (!wrerr && (!exists || S_ISREG(stb.st_mode)) &&
+ ftruncate(ofd, size) != 0)
+ note_err("%s: truncate: %s", np, strerror(errno));
if (pflag) {
if (exists || omode != mode)
#ifdef HAVE_FCHMOD
@@ -1505,9 +1507,8 @@ bad: run_err("%s: %s", np, strerror(errno));
#else /* HAVE_FCHMOD */
if (chmod(np, omode)) {
#endif /* HAVE_FCHMOD */
- run_err("%s: set mode: %s",
+ note_err("%s: set mode: %s",
np, strerror(errno));
- wrerr = DISPLAYED;
}
} else {
if (!exists && omode != mode)
@@ -1516,36 +1517,25 @@ bad: run_err("%s: %s", np, strerror(errno));
#else /* HAVE_FCHMOD */
if (chmod(np, omode & ~mask)) {
#endif /* HAVE_FCHMOD */
- run_err("%s: set mode: %s",
+ note_err("%s: set mode: %s",
np, strerror(errno));
- wrerr = DISPLAYED;
}
}
- if (close(ofd) == -1) {
- wrerr = YES;
- wrerrno = errno;
- }
+ if (close(ofd) == -1)
+ note_err(np, "%s: close: %s", np, strerror(errno));
(void) response();
if (showprogress)
stop_progress_meter();
- if (setimes && wrerr == NO) {
+ if (setimes && !wrerr) {
setimes = 0;
if (utimes(np, tv) == -1) {
- run_err("%s: set times: %s",
+ note_err("%s: set times: %s",
np, strerror(errno));
- wrerr = DISPLAYED;
}
}
- switch (wrerr) {
- case YES:
- run_err("%s: %s", np, strerror(wrerrno));
- break;
- case NO:
+ /* If no error was noted then signal success for this file */
+ if (note_err(NULL) == 0)
(void) atomicio(vwrite, remout, "", 1);
- break;
- case DISPLAYED:
- break;
- }
}
done:
for (n = 0; n < npatterns; n++)
@@ -1633,6 +1623,38 @@ run_err(const char *fmt,...)
}
}
+/*
+ * Notes a sink error for sending at the end of a file transfer. Returns 0 if
+ * no error has been noted or -1 otherwise. Use note_err(NULL) to flush
+ * any active error at the end of the transfer.
+ */
+int
+note_err(const char *fmt, ...)
+{
+ static char *emsg;
+ va_list ap;
+
+ /* Replay any previously-noted error */
+ if (fmt == NULL) {
+ if (emsg == NULL)
+ return 0;
+ run_err("%s", emsg);
+ free(emsg);
+ emsg = NULL;
+ return -1;
+ }
+
+ errs++;
+ /* Prefer first-noted error */
+ if (emsg != NULL)
+ return -1;
+
+ va_start(ap, fmt);
+ vasnmprintf(&emsg, INT_MAX, NULL, fmt, ap);
+ va_end(ap);
+ return -1;
+}
+
void
verifydir(char *cp)
{


@ -1,34 +0,0 @@
From 955854cafca88e0cdcd3d09ca1ad4ada465364a1 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 6 May 2020 20:57:38 +0000
Subject: [PATCH] upstream: another case where a utimes() failure could make
scp send
a desynchronising error; reminded by Aymeric Vincent ok deraadt markus
OpenBSD-Commit-ID: 2ea611d34d8ff6d703a7a8bf858aa5dbfbfa7381
---
scp.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/scp.c b/scp.c
index 439025980..b4492a062 100644
--- a/scp.c
+++ b/scp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.209 2020/05/01 06:31:42 djm Exp $ */
+/* $OpenBSD: scp.c,v 1.210 2020/05/06 20:57:38 djm Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
@@ -1427,9 +1427,7 @@ sink(int argc, char **argv, const char *src)
sink(1, vect, src);
if (setimes) {
setimes = 0;
- if (utimes(vect[0], tv) == -1)
- run_err("%s: set times: %s",
- vect[0], strerror(errno));
+ (void) utimes(vect[0], tv);
}
if (mod_flag)
(void) chmod(vect[0], mode);


@ -1,92 +0,0 @@
From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 18 Sep 2020 05:23:03 +0000
Subject: upstream: tweak the client hostkey preference ordering algorithm to
prefer the default ordering if the user has a key that matches the
best-preference default algorithm.
feedback and ok markus@
OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
---
sshconnect2.c | 41 ++++++++++++++++++++++++++++++++++++++---
1 file changed, 38 insertions(+), 3 deletions(-)
diff --git a/sshconnect2.c b/sshconnect2.c
index 347e348c..f64aae66 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
return 0;
}
+/* Returns the first item from a comma-separated algorithm list */
+static char *
+first_alg(const char *algs)
+{
+ char *ret, *cp;
+
+ ret = xstrdup(algs);
+ if ((cp = strchr(ret, ',')) != NULL)
+ *cp = '\0';
+ return ret;
+}
+
static char *
order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
{
- char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
+ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
+ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
size_t maxlen;
- struct hostkeys *hostkeys;
+ struct hostkeys *hostkeys = NULL;
int ktype;
u_int i;
@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
for (i = 0; i < options.num_system_hostfiles; i++)
load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
+ /*
+ * If a plain public key exists that matches the type of the best
+ * preference HostkeyAlgorithms, then use the whole list as is.
+ * Note that we ignore whether the best preference algorithm is a
+ * certificate type, as sshconnect.c will downgrade certs to
+ * plain keys if necessary.
+ */
+ best = first_alg(options.hostkeyalgorithms);
+ if (lookup_key_in_hostkeys_by_type(hostkeys,
+ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
+ debug3("%s: have matching best-preference key type %s, "
+ "using HostkeyAlgorithms verbatim", __func__, best);
+ ret = xstrdup(options.hostkeyalgorithms);
+ goto out;
+ }
+
+ /*
+ * Otherwise, prefer the host key algorithms that match known keys
+ * while keeping the ordering of HostkeyAlgorithms as much as possible.
+ */
oavail = avail = xstrdup(options.hostkeyalgorithms);
maxlen = strlen(avail) + 1;
first = xmalloc(maxlen);
@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
if (*first != '\0')
debug3("%s: prefer hostkeyalgs: %s", __func__, first);
+ out:
+ free(best);
free(first);
free(last);
free(hostname);
--
cgit v1.2.3


@ -1,159 +0,0 @@
From 2e0b74242220a97926d006719d1ac6e113918e2b Mon Sep 17 00:00:00 2001
From: seuzw <930zhaowei@163.com>
Date: Thu, 20 May 2021 20:23:30 +0800
Subject: [PATCH] add strict-scp-check for CVE-2020-15778
---
servconf.c | 12 ++++++++++++
servconf.h | 1 +
session.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 63 insertions(+)
diff --git a/servconf.c b/servconf.c
index 76147f9..4e0401f 100644
--- a/servconf.c
+++ b/servconf.c
@@ -90,6 +90,7 @@ initialize_server_options(ServerOptions *options)
{
memset(options, 0, sizeof(*options));
+ options->strict_scp_check = -1;
/* Portable-specific options */
options->use_pam = -1;
@@ -330,6 +331,8 @@ fill_default_server_options(ServerOptions *options)
_PATH_HOST_XMSS_KEY_FILE, 0);
#endif /* WITH_XMSS */
}
+ if (options->strict_scp_check == -1)
+ options->strict_scp_check = 0;
/* No certificates by default */
if (options->num_ports == 0)
options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
@@ -540,6 +543,7 @@ fill_default_server_options(ServerOptions *options)
/* Keyword tokens. */
typedef enum {
sBadOption, /* == unknown option */
+ sStrictScpCheck,
/* Portable-specific options */
sUsePAM,
/* Standard Options */
@@ -598,6 +602,7 @@ static struct {
#else
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
#endif
+ { "strictscpcheck", sStrictScpCheck, SSHCFG_GLOBAL },
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
/* Standard Options */
{ "port", sPort, SSHCFG_GLOBAL },
@@ -1372,6 +1377,11 @@ process_server_config_line_depth(ServerOptions *options, char *line,
/* Standard Options */
case sBadOption:
return -1;
+
+ case sStrictScpCheck:
+ intptr = &options->strict_scp_check;
+ goto parse_flag;
+
case sPort:
/* ignore ports from configfile if cmdline specifies ports */
if (options->ports_from_cmdline)
@@ -2556,6 +2566,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
dst->n = src->n; \
} while (0)
+ M_CP_INTOPT(strict_scp_check);
M_CP_INTOPT(password_authentication);
M_CP_INTOPT(gss_authentication);
M_CP_INTOPT(pubkey_authentication);
@@ -2846,6 +2857,7 @@ dump_config(ServerOptions *o)
#ifdef USE_PAM
dump_cfg_fmtint(sUsePAM, o->use_pam);
#endif
+ dump_cfg_fmtint(sStrictScpCheck, o->strict_scp_check);
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
dump_cfg_int(sX11MaxDisplays, o->x11_max_displays);
diff --git a/servconf.h b/servconf.h
index 2c16b5a..e37dc25 100644
--- a/servconf.h
+++ b/servconf.h
@@ -192,6 +192,7 @@ typedef struct {
* disconnect the session
*/
+ int strict_scp_check;
u_int num_authkeys_files; /* Files containing public keys */
char **authorized_keys_files;
diff --git a/session.c b/session.c
index 607f17a..383c8ee 100644
--- a/session.c
+++ b/session.c
@@ -175,6 +175,50 @@ static char *auth_sock_dir = NULL;
/* removes the agent forwarding socket */
+int scp_check(const char *command)
+{
+ debug("Entering scp check");
+ int check = 0;
+ if (command == NULL) {
+ debug("scp check succeeded for shell mode");
+ return check;
+ }
+ int lc = strlen(command);
+ char special_characters[] = "|;&$><`\\!\n";
+ int ls = strlen(special_characters);
+ int count_char[128] = {0};
+
+ for (int i = 0; i < ls; i++) {
+ count_char[special_characters[i]] = 1;
+ }
+
+ char scp_prefix[6] = "scp -";
+ int lp = 5;
+
+ if (lc <= lp) {
+ debug("scp check succeeded for length");
+ return check;
+ }
+
+ for (int i = 0; i < lp; i++) {
+ if (command[i] - scp_prefix[i]) {
+ debug("scp check succeeded for prefix");
+ return check;
+ }
+ }
+
+ for (int i = lp; i < lc; i++) {
+ if (command[i] > 0 && command[i] < 128) {
+ if (count_char[command[i]]) {
+ check = 1;
+ debug("scp check failed at %d: %c", i, command[i]);
+ break;
+ }
+ }
+ }
+ return check;
+}
+
static void
auth_sock_cleanup_proc(struct passwd *pw)
{
@@ -696,6 +740,12 @@ do_exec(struct ssh *ssh, Session *s, const char *command)
command = auth_opts->force_command;
forced = "(key-option)";
}
+
+ if (options.strict_scp_check && scp_check(command)) {
+ verbose("Special characters not allowed in scp");
+ return 1;
+ }
+
#ifdef GSSAPI
#ifdef KRB5 /* k5users_allowed_cmds only available w/ GSSAPI+KRB5 */
else if (k5users_allowed_cmds) {
--
2.23.0


@ -1,34 +0,0 @@
From f3cbe43e28fe71427d41cfe3a17125b972710455 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sun, 26 Sep 2021 14:01:03 +0000
Subject: upstream: need initgroups() before setresgid(); reported by anton@,
ok deraadt@
OpenBSD-Commit-ID: 6aa003ee658b316960d94078f2a16edbc25087ce
---
auth.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/auth.c b/auth.c
index c73444a..e510a05 100644
--- a/auth.c
+++ b/auth.c
@@ -852,6 +852,13 @@ subprocess(const char *tag, struct passwd *pw, const char *command,
}
closefrom(STDERR_FILENO + 1);
+ if (geteuid() == 0 &&
+ initgroups(pw->pw_name, pw->pw_gid) == -1) {
+ error("%s: initgroups(%s, %u): %s", tag,
+ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
+ _exit(1);
+ }
+
/* Don't use permanently_set_uid() here to avoid fatal() */
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
--
1.8.3.1


@ -1,28 +0,0 @@
From f3cbe43e28fe71427d41cfe3a17125b972710455 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sun, 26 Sep 2021 14:01:03 +0000
Subject: upstream: need initgroups() before setresgid(); reported by anton@,
ok deraadt@
OpenBSD-Commit-ID: 6aa003ee658b316960d94078f2a16edbc25087ce
---
auth.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/auth.c b/auth.c
index e510a05..46b56cf 100644
--- a/auth.c
+++ b/auth.c
@@ -39,6 +39,7 @@
# include <paths.h>
#endif
#include <pwd.h>
+#include <grp.h>
#ifdef HAVE_LOGIN_H
#include <login.h>
#endif
--
1.8.3.1


@ -1,46 +0,0 @@
From c9f7bba2e6f70b7ac1f5ea190d890cb5162ce127 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@dtucker.net>
Date: Fri, 25 Jun 2021 15:08:18 +1000
Subject: Move closefrom() to before first malloc.
When built against tcmalloc, tcmalloc allocates a descriptor for its
internal use, so calling closefrom() afterward causes the descriptor
number to be reused resulting in a corrupted connection. Moving the
closefrom a little earlier should resolve this. From kircherlike at
outlook.com via bz#3321, ok djm@
---
ssh.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/ssh.c b/ssh.c
index cf8c018e..0343cba3 100644
--- a/ssh.c
+++ b/ssh.c
@@ -609,6 +609,12 @@ main(int ac, char **av)
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
+ /*
+ * Discard other fds that are hanging around. These can cause problem
+ * with backgrounded ssh processes started by ControlPersist.
+ */
+ closefrom(STDERR_FILENO + 1);
+
__progname = ssh_get_progname(av[0]);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
SSLeay_add_all_algorithms();
@@ -638,12 +644,6 @@ main(int ac, char **av)
debug("FIPS mode initialized");
}
- /*
- * Discard other fds that are hanging around. These can cause problem
- * with backgrounded ssh processes started by ControlPersist.
- */
- closefrom(STDERR_FILENO + 1);
-
/* Get user data. */
pw = getpwuid(getuid());
if (!pw) {
--
cgit v1.2.3


@ -1,322 +0,0 @@
From 3779b50ee952078018a5d9e1df20977f4355df17 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sat, 11 Apr 2020 10:16:11 +0000
Subject: [PATCH] upstream: Refactor private key parsing. Eliminates a fair bit
of
duplicated code and fixes oss-fuzz#20074 (NULL deref) caused by a missing key
type check in the ECDSA_CERT parsing path.
feedback and ok markus@
OpenBSD-Commit-ID: 4711981d88afb7196d228f7baad9be1d3b20f9c9
Conflict:NA
Reference: https://github.com/openssh/openssh-portable/commit/3779b50ee952078018a5d9e1df20977f4355df17
---
sshkey.c | 187 ++++++++++++++-------------------------------------------------
1 file changed, 40 insertions(+), 147 deletions(-)
diff --git a/sshkey.c b/sshkey.c
index 3a9e0f3..96be57e 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.99 2020/01/21 05:56:56 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.108 2020/04/11 10:16:11 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -3512,38 +3512,52 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0)
goto out;
type = sshkey_type_from_name(tname);
- switch (type) {
-#ifdef WITH_OPENSSL
- case KEY_DSA:
+ if (sshkey_type_is_cert(type)) {
+ /*
+ * Certificate key private keys begin with the certificate
+ * itself. Make sure this matches the type of the enclosing
+ * private key.
+ */
+ if ((r = sshkey_froms(buf, &k)) != 0)
+ goto out;
+ if (k->type != type) {
+ r = SSH_ERR_KEY_CERT_MISMATCH;
+ goto out;
+ }
+ /* For ECDSA keys, the group must match too */
+ if (k->type == KEY_ECDSA &&
+ k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) {
+ r = SSH_ERR_KEY_CERT_MISMATCH;
+ goto out;
+ }
+ } else {
if ((k = sshkey_new(type)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
+ }
+ switch (type) {
+#ifdef WITH_OPENSSL
+ case KEY_DSA:
if ((r = sshbuf_get_bignum2(buf, &dsa_p)) != 0 ||
(r = sshbuf_get_bignum2(buf, &dsa_q)) != 0 ||
(r = sshbuf_get_bignum2(buf, &dsa_g)) != 0 ||
- (r = sshbuf_get_bignum2(buf, &dsa_pub_key)) != 0 ||
- (r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0)
+ (r = sshbuf_get_bignum2(buf, &dsa_pub_key)) != 0)
goto out;
if (!DSA_set0_pqg(k->dsa, dsa_p, dsa_q, dsa_g)) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
dsa_p = dsa_q = dsa_g = NULL; /* transferred */
- if (!DSA_set0_key(k->dsa, dsa_pub_key, dsa_priv_key)) {
+ if (!DSA_set0_key(k->dsa, dsa_pub_key, NULL)) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
- dsa_pub_key = dsa_priv_key = NULL; /* transferred */
- break;
+ dsa_pub_key = NULL; /* transferred */
+ /* FALLTHROUGH */
case KEY_DSA_CERT:
- if ((r = sshkey_froms(buf, &k)) != 0 ||
- (r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0)
+ if ((r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0)
goto out;
- if (k->type != type) {
- r = SSH_ERR_INVALID_FORMAT;
- goto out;
- }
if (!DSA_set0_key(k->dsa, NULL, dsa_priv_key)) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
@@ -3552,10 +3566,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
break;
# ifdef OPENSSL_HAS_ECC
case KEY_ECDSA:
- if ((k = sshkey_new(type)) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
@@ -3571,27 +3581,12 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
- if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 ||
- (r = sshbuf_get_bignum2(buf, &exponent)))
- goto out;
- if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
- r = SSH_ERR_LIBCRYPTO_ERROR;
- goto out;
- }
- if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
- EC_KEY_get0_public_key(k->ecdsa))) != 0 ||
- (r = sshkey_ec_validate_private(k->ecdsa)) != 0)
+ if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0)
goto out;
- break;
+ /* FALLTHROUGH */
case KEY_ECDSA_CERT:
- if ((r = sshkey_froms(buf, &k)) != 0 ||
- (r = sshbuf_get_bignum2(buf, &exponent)) != 0)
- goto out;
- if (k->type != type ||
- k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) {
- r = SSH_ERR_INVALID_FORMAT;
+ if ((r = sshbuf_get_bignum2(buf, &exponent)) != 0)
goto out;
- }
if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
@@ -3602,10 +3597,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
goto out;
break;
case KEY_ECDSA_SK:
- if ((k = sshkey_new(type)) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
@@ -3638,8 +3629,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
goto out;
break;
case KEY_ECDSA_SK_CERT:
- if ((r = sshkey_froms(buf, &k)) != 0)
- goto out;
if ((k->sk_key_handle = sshbuf_new()) == NULL ||
(k->sk_reserved = sshbuf_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
@@ -3657,43 +3646,21 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
break;
# endif /* OPENSSL_HAS_ECC */
case KEY_RSA:
- if ((k = sshkey_new(type)) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
if ((r = sshbuf_get_bignum2(buf, &rsa_n)) != 0 ||
- (r = sshbuf_get_bignum2(buf, &rsa_e)) != 0 ||
- (r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 ||
- (r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 ||
- (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 ||
- (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0)
- goto out;
- if (!RSA_set0_key(k->rsa, rsa_n, rsa_e, rsa_d)) {
- r = SSH_ERR_LIBCRYPTO_ERROR;
+ (r = sshbuf_get_bignum2(buf, &rsa_e)) != 0)
goto out;
- }
- rsa_n = rsa_e = rsa_d = NULL; /* transferred */
- if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) {
+ if (!RSA_set0_key(k->rsa, rsa_n, rsa_e, NULL)) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
- rsa_p = rsa_q = NULL; /* transferred */
- if ((r = check_rsa_length(k->rsa)) != 0)
- goto out;
- if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0)
- goto out;
- break;
+ rsa_n = rsa_e = NULL; /* transferred */
+ /* FALLTHROUGH */
case KEY_RSA_CERT:
- if ((r = sshkey_froms(buf, &k)) != 0 ||
- (r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 ||
+ if ((r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 ||
(r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 ||
(r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 ||
(r = sshbuf_get_bignum2(buf, &rsa_q)) != 0)
goto out;
- if (k->type != type) {
- r = SSH_ERR_INVALID_FORMAT;
- goto out;
- }
if (!RSA_set0_key(k->rsa, NULL, NULL, rsa_d)) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
@@ -3711,30 +3678,10 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
break;
#endif /* WITH_OPENSSL */
case KEY_ED25519:
- if ((k = sshkey_new(type)) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 ||
- (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
- goto out;
- if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) {
- r = SSH_ERR_INVALID_FORMAT;
- goto out;
- }
- k->ed25519_pk = ed25519_pk;
- k->ed25519_sk = ed25519_sk;
- ed25519_pk = ed25519_sk = NULL;
- break;
case KEY_ED25519_CERT:
- if ((r = sshkey_froms(buf, &k)) != 0 ||
- (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 ||
+ if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 ||
(r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
goto out;
- if (k->type != type) {
- r = SSH_ERR_INVALID_FORMAT;
- goto out;
- }
if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
@@ -3744,38 +3691,9 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
ed25519_pk = ed25519_sk = NULL; /* transferred */
break;
case KEY_ED25519_SK:
- if ((k = sshkey_new(type)) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0)
- goto out;
- if (pklen != ED25519_PK_SZ) {
- r = SSH_ERR_INVALID_FORMAT;
- goto out;
- }
- if ((k->sk_key_handle = sshbuf_new()) == NULL ||
- (k->sk_reserved = sshbuf_new()) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- if ((r = sshbuf_get_cstring(buf, &k->sk_application,
- NULL)) != 0 ||
- (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 ||
- (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 ||
- (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0)
- goto out;
- k->ed25519_pk = ed25519_pk;
- ed25519_pk = NULL;
- break;
case KEY_ED25519_SK_CERT:
- if ((r = sshkey_froms(buf, &k)) != 0 ||
- (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0)
- goto out;
- if (k->type != type) {
- r = SSH_ERR_INVALID_FORMAT;
+ if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0)
goto out;
- }
if (pklen != ED25519_PK_SZ) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
@@ -3796,10 +3714,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
break;
#ifdef WITH_XMSS
case KEY_XMSS:
- if ((k = sshkey_new(type)) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
+ case KEY_XMSS_CERT:
if ((r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 ||
(r = sshkey_xmss_init(k, xmss_name)) != 0 ||
(r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 ||
@@ -3817,28 +3732,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0)
goto out;
break;
- case KEY_XMSS_CERT:
- if ((r = sshkey_froms(buf, &k)) != 0 ||
- (r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 ||
- (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 ||
- (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0)
- goto out;
- if (k->type != type || strcmp(xmss_name, k->xmss_name) != 0) {
- r = SSH_ERR_INVALID_FORMAT;
- goto out;
- }
- if (pklen != sshkey_xmss_pklen(k) ||
- sklen != sshkey_xmss_sklen(k)) {
- r = SSH_ERR_INVALID_FORMAT;
- goto out;
- }
- k->xmss_pk = xmss_pk;
- k->xmss_sk = xmss_sk;
- xmss_pk = xmss_sk = NULL;
- /* optional internal state */
- if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0)
- goto out;
- break;
#endif /* WITH_XMSS */
default:
r = SSH_ERR_KEY_TYPE_UNKNOWN;
--
1.8.3.1


@ -1,32 +0,0 @@
From a35d3e911e193a652bd09eed40907e3e165b0a7b Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Fri, 5 Feb 2021 02:20:23 +0000
Subject: upstream: Remove debug message from sigchld handler. While this
works on OpenBSD it can cause problems on other platforms. From kircherlike
at outlook.com via bz#3259, ok djm@
OpenBSD-Commit_ID: 3e241d7ac1ee77e3de3651780b5dc47b283a7668
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit/?id=a35d3e911e193a652bd09eed40907e3e165b0a7b
---
sshd.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/sshd.c b/sshd.c
index c291a5e..23fb202 100644
--- a/sshd.c
+++ b/sshd.c
@@ -364,8 +364,6 @@ main_sigchld_handler(int sig)
pid_t pid;
int status;
- debug("main_sigchld_handler: %s", strsignal(sig));
-
while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
(pid == -1 && errno == EINTR))
;
--
1.8.3.1


@ -1,25 +0,0 @@
From ed070c21ae68170e1cead6f5be16482d4f73ae2b Mon Sep 17 00:00:00 2001
From: kircher <majun65@huawei.com>
Date: Thu, 5 Mar 2020 21:02:06 +0800
Subject: [PATCH] d2v
---
monitor_wrap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 7f5a8fa..6ebcda1 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -928,7 +928,7 @@ mm_audit_run_command(const char *command)
int r;
int handle;
- debug3("%s entering command %s", __func__, command);
+ verbose("%s entering command %s", __func__, command);
if ((m = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
--
2.19.1


@ -22,8 +22,8 @@ index c6c03ae..c291a5e 100644
- logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems."); - logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
+ logit("WARNING: 'UsePAM no' is not supported in openEuler and may cause several problems."); + logit("WARNING: 'UsePAM no' is not supported in openEuler and may cause several problems.");
/* Fill in default values for those options not explicitly set. */ #ifdef WITH_OPENSSL
fill_default_server_options(&options); if (options.moduli_file != NULL)
diff --git a/sshd_config b/sshd_config diff --git a/sshd_config b/sshd_config
index e125992..ebc28b3 100644 index e125992..ebc28b3 100644
--- a/sshd_config --- a/sshd_config
@ -31,7 +31,7 @@ index e125992..ebc28b3 100644
@@ -87,7 +87,7 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -87,7 +87,7 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'. # and KbdInteractiveAuthentication to 'no'.
-# WARNING: 'UsePAM no' is not supported in Fedora and may cause several -# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# WARNING: 'UsePAM no' is not supported in openEuler and may cause several +# WARNING: 'UsePAM no' is not supported in openEuler and may cause several
# problems. # problems.


@ -97,14 +97,14 @@ index ebc28b3..b121450 100644
--- a/sshd_config --- a/sshd_config
+++ b/sshd_config +++ b/sshd_config
@@ -125,6 +125,8 @@ Subsystem sftp /usr/libexec/sftp-server @@ -125,6 +125,8 @@ Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no # PermitTTY no
# ForceCommand cvs server # ForceCommand cvs server
+#CheckUserSplash yes +#CheckUserSplash yes
+ +
# To modify the system-wide ssh configuration, create a *.conf file under
# /etc/ssh/sshd_config.d/ which will be automatically included below
Include /etc/ssh/sshd_config.d/*.conf
-- --
2.23.0 2.23.0
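Review bot: The new `#CheckUserSplash yes` example is placed directly after `# ForceCommand cvs server`, i.e. inside the `#Match User anoncvs` example block, so a reader who uncomments both ends up with the directive scoped under that Match rather than set globally; unless CheckUserSplash is one of the keywords sshd permits inside a Match block, the resulting config would be rejected, and even if it is permitted the example suggests a per-user scope the option may not have. Move the line above `# Example of overriding settings on a per-user basis` with a blank line after it so it reads as a global setting. I cannot tell from this rendering whether CheckUserSplash is Match-capable, so please confirm that against the servconf.c part of the patch.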


@ -6,8 +6,8 @@ Subject: [PATCH] sync patch, add new judgement and
Signed-off-by: s00467541 <shenyining@huawei.com> Signed-off-by: s00467541 <shenyining@huawei.com>
--- ---
sftp-server.c | 702 +++++++++++++++++++++++++++++++++++++++++++++++++- sftp-server.c | 703 +++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 691 insertions(+), 11 deletions(-) 1 file changed, 691 insertions(+), 12 deletions(-)
diff --git a/sftp-server.c b/sftp-server.c diff --git a/sftp-server.c b/sftp-server.c
index 01d6f8f..682c19a 100644 index 01d6f8f..682c19a 100644
@ -43,7 +43,7 @@ index 01d6f8f..682c19a 100644
+ +
char *sftp_realpath(const char *, char *); /* sftp-realpath.c */ char *sftp_realpath(const char *, char *); /* sftp-realpath.c */
/* Our verbosity */ /* Maximum data read that we are willing to accept */
@@ -89,6 +106,452 @@ struct Stat { @@ -89,6 +106,452 @@ struct Stat {
Attrib attrib; Attrib attrib;
}; };
@ -500,7 +500,7 @@ index 01d6f8f..682c19a 100644
@@ -695,6 +1158,15 @@ process_open(u_int32_t id) @@ -695,6 +1158,15 @@ process_open(u_int32_t id)
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */ (r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
(r = decode_attrib(iqueue, &a)) != 0) (r = decode_attrib(iqueue, &a)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ /* add begin 2013/10/12 SR-0000287268 */ + /* add begin 2013/10/12 SR-0000287268 */
+ if (RETURN_OK != path_permition_check(name,FLAG_PERMITOP)) + if (RETURN_OK != path_permition_check(name,FLAG_PERMITOP))
+ { + {
@ -524,7 +524,7 @@ index 01d6f8f..682c19a 100644
@@ -759,6 +1233,17 @@ process_read(u_int32_t id) @@ -759,6 +1233,17 @@ process_read(u_int32_t id)
(r = sshbuf_get_u32(iqueue, &len)) != 0) (r = sshbuf_get_u32(iqueue, &len)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ /* add begin 2013/10/12 SR-0000287268*/ + /* add begin 2013/10/12 SR-0000287268*/
+ char *path = NULL; + char *path = NULL;
@ -537,12 +537,12 @@ index 01d6f8f..682c19a 100644
+ } + }
+ /* add end 2013/10/12 SR-0000287268*/ + /* add end 2013/10/12 SR-0000287268*/
+ +
debug("request %u: read \"%s\" (handle %d) off %llu len %d", debug("request %u: read \"%s\" (handle %d) off %llu len %u",
id, handle_to_name(handle), handle, (unsigned long long)off, len); id, handle_to_name(handle), handle, (unsigned long long)off, len);
if (len > sizeof buf) { if ((fd = handle_to_fd(handle)) == -1)
@@ -800,6 +1285,18 @@ process_write(u_int32_t id) @@ -800,6 +1285,18 @@ process_write(u_int32_t id)
(r = sshbuf_get_string(iqueue, &data, &len)) != 0) (r = sshbuf_get_string(iqueue, &data, &len)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ /* add begin 2013/10/12 SR-0000287268*/ + /* add begin 2013/10/12 SR-0000287268*/
+ char *path = NULL; + char *path = NULL;
@ -559,19 +559,20 @@ index 01d6f8f..682c19a 100644
debug("request %u: write \"%s\" (handle %d) off %llu len %zu", debug("request %u: write \"%s\" (handle %d) off %llu len %zu",
id, handle_to_name(handle), handle, (unsigned long long)off, len); id, handle_to_name(handle), handle, (unsigned long long)off, len);
fd = handle_to_fd(handle); fd = handle_to_fd(handle);
@@ -813,16 +1310,30 @@ process_write(u_int32_t id) @@ -813,17 +1310,30 @@ process_write(u_int32_t id)
error("process_write: seek failed"); strerror(errno));
} else { } else {
/* XXX ATOMICIO ? */ /* XXX ATOMICIO ? */
- ret = write(fd, data, len); - ret = write(fd, data, len);
- if (ret == -1) { - if (ret == -1) {
- error("process_write: write failed");
- status = errno_to_portable(errno); - status = errno_to_portable(errno);
- error_f("write \"%.100s\": %s",
- handle_to_name(handle), strerror(errno));
- } else if ((size_t)ret == len) { - } else if ((size_t)ret == len) {
- status = SSH2_FX_OK; - status = SSH2_FX_OK;
- handle_update_write(handle, ret); - handle_update_write(handle, ret);
- } else { - } else {
- debug2("nothing at all written"); - debug2_f("nothing at all written");
+ /* add begin sftp oom fix */ + /* add begin sftp oom fix */
+ if (storage_flag == 1) + if (storage_flag == 1)
+ debug("cflag is %d",cflag); + debug("cflag is %d",cflag);
@ -601,7 +602,7 @@ index 01d6f8f..682c19a 100644
} }
@@ -841,6 +1352,16 @@ process_do_stat(u_int32_t id, int do_lstat) @@ -841,6 +1352,16 @@ process_do_stat(u_int32_t id, int do_lstat)
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0) if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ /* add begin 2013/10/12 SR-0000287268 */ + /* add begin 2013/10/12 SR-0000287268 */
+ if (RETURN_OK != path_permition_check(name,FLAG_PERMITOP)) + if (RETURN_OK != path_permition_check(name,FLAG_PERMITOP))
@ -619,7 +620,7 @@ index 01d6f8f..682c19a 100644
@@ -877,6 +1398,16 @@ process_fstat(u_int32_t id) @@ -877,6 +1398,16 @@ process_fstat(u_int32_t id)
if ((r = get_handle(iqueue, &handle)) != 0) if ((r = get_handle(iqueue, &handle)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ +
+ char *path = NULL; + char *path = NULL;
+ path = handle_to_name(handle); + path = handle_to_name(handle);
@ -635,7 +636,7 @@ index 01d6f8f..682c19a 100644
fd = handle_to_fd(handle); fd = handle_to_fd(handle);
@@ -929,6 +1460,14 @@ process_setstat(u_int32_t id) @@ -929,6 +1460,14 @@ process_setstat(u_int32_t id)
(r = decode_attrib(iqueue, &a)) != 0) (r = decode_attrib(iqueue, &a)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ if (RETURN_OK != path_permition_check(name,FLAG_PROTECTDIR)) + if (RETURN_OK != path_permition_check(name,FLAG_PROTECTDIR))
+ { + {
@ -664,7 +665,7 @@ index 01d6f8f..682c19a 100644
name, (unsigned long long)a.size); name, (unsigned long long)a.size);
@@ -1040,6 +1586,14 @@ process_opendir(u_int32_t id) @@ -1040,6 +1586,14 @@ process_opendir(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0) if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ if (RETURN_OK != path_permition_check(path,FLAG_PERMITOP)) + if (RETURN_OK != path_permition_check(path,FLAG_PERMITOP))
+ { + {
@ -690,7 +691,7 @@ index 01d6f8f..682c19a 100644
stats[count].long_name = ls_file(dp->d_name, &st, 0, 0); stats[count].long_name = ls_file(dp->d_name, &st, 0, 0);
@@ -1125,6 +1683,14 @@ process_remove(u_int32_t id) @@ -1125,6 +1683,14 @@ process_remove(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0) if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ if (RETURN_OK != path_permition_check(name,FLAG_PROTECTDIR)) + if (RETURN_OK != path_permition_check(name,FLAG_PROTECTDIR))
+ { + {
@ -705,7 +706,7 @@ index 01d6f8f..682c19a 100644
r = unlink(name); r = unlink(name);
@@ -1144,6 +1710,14 @@ process_mkdir(u_int32_t id) @@ -1144,6 +1710,14 @@ process_mkdir(u_int32_t id)
(r = decode_attrib(iqueue, &a)) != 0) (r = decode_attrib(iqueue, &a)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ if (RETURN_OK != path_permition_check(name,FLAG_PERMITOP)) + if (RETURN_OK != path_permition_check(name,FLAG_PERMITOP))
+ { + {
@ -720,7 +721,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: mkdir", id); debug3("request %u: mkdir", id);
@@ -1163,6 +1737,14 @@ process_rmdir(u_int32_t id) @@ -1163,6 +1737,14 @@ process_rmdir(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0) if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ if (RETURN_OK != path_permition_check(name,FLAG_PROTECTDIR)) + if (RETURN_OK != path_permition_check(name,FLAG_PROTECTDIR))
+ { + {
@ -750,7 +751,7 @@ index 01d6f8f..682c19a 100644
attrib_clear(&s.attrib); attrib_clear(&s.attrib);
@@ -1209,6 +1795,16 @@ process_rename(u_int32_t id) @@ -1209,6 +1795,16 @@ process_rename(u_int32_t id)
(r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0) (r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ if ((RETURN_OK != path_permition_check(oldpath,FLAG_PROTECTDIR)) + if ((RETURN_OK != path_permition_check(oldpath,FLAG_PROTECTDIR))
+ || (RETURN_OK != path_permition_check(newpath,FLAG_PROTECTDIR))) + || (RETURN_OK != path_permition_check(newpath,FLAG_PROTECTDIR)))
@ -767,7 +768,7 @@ index 01d6f8f..682c19a 100644
status = SSH2_FX_FAILURE; status = SSH2_FX_FAILURE;
@@ -1268,6 +1864,14 @@ process_readlink(u_int32_t id) @@ -1268,6 +1864,14 @@ process_readlink(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0) if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ if (RETURN_OK != path_permition_check(path,FLAG_PERMITOP)) + if (RETURN_OK != path_permition_check(path,FLAG_PERMITOP))
+ { + {
@ -782,7 +783,7 @@ index 01d6f8f..682c19a 100644
if ((len = readlink(path, buf, sizeof(buf) - 1)) == -1) if ((len = readlink(path, buf, sizeof(buf) - 1)) == -1)
@@ -1293,6 +1897,16 @@ process_symlink(u_int32_t id) @@ -1293,6 +1897,16 @@ process_symlink(u_int32_t id)
(r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0) (r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ if ((RETURN_OK != path_permition_check(oldpath,FLAG_PROTECTDIR)) + if ((RETURN_OK != path_permition_check(oldpath,FLAG_PROTECTDIR))
+ || (RETURN_OK != path_permition_check(newpath,FLAG_PROTECTDIR))) + || (RETURN_OK != path_permition_check(newpath,FLAG_PROTECTDIR)))
@ -799,7 +800,7 @@ index 01d6f8f..682c19a 100644
/* this will fail if 'newpath' exists */ /* this will fail if 'newpath' exists */
@@ -1313,6 +1927,16 @@ process_extended_posix_rename(u_int32_t id) @@ -1313,6 +1927,16 @@ process_extended_posix_rename(u_int32_t id)
(r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0) (r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ if ((RETURN_OK != path_permition_check(oldpath,FLAG_PROTECTDIR)) + if ((RETURN_OK != path_permition_check(oldpath,FLAG_PROTECTDIR))
+ || (RETURN_OK != path_permition_check(newpath,FLAG_PROTECTDIR))) + || (RETURN_OK != path_permition_check(newpath,FLAG_PROTECTDIR)))
@ -817,7 +818,7 @@ index 01d6f8f..682c19a 100644
@@ -1331,6 +1955,15 @@ process_extended_statvfs(u_int32_t id) @@ -1331,6 +1955,15 @@ process_extended_statvfs(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0) if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ +
+ if (RETURN_OK != path_permition_check(path,FLAG_PERMITOP)) + if (RETURN_OK != path_permition_check(path,FLAG_PERMITOP))
+ { + {
@ -833,7 +834,7 @@ index 01d6f8f..682c19a 100644
@@ -1349,6 +1982,17 @@ process_extended_fstatvfs(u_int32_t id) @@ -1349,6 +1982,17 @@ process_extended_fstatvfs(u_int32_t id)
if ((r = get_handle(iqueue, &handle)) != 0) if ((r = get_handle(iqueue, &handle)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ +
+ char *path = NULL; + char *path = NULL;
+ path = handle_to_name(handle); + path = handle_to_name(handle);
@ -850,7 +851,7 @@ index 01d6f8f..682c19a 100644
if ((fd = handle_to_fd(handle)) < 0) { if ((fd = handle_to_fd(handle)) < 0) {
@@ -1371,6 +2015,15 @@ process_extended_hardlink(u_int32_t id) @@ -1371,6 +2015,15 @@ process_extended_hardlink(u_int32_t id)
(r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0) (r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ if ((RETURN_OK != path_permition_check(oldpath,FLAG_PROTECTDIR)) + if ((RETURN_OK != path_permition_check(oldpath,FLAG_PROTECTDIR))
+ || (RETURN_OK != path_permition_check(newpath,FLAG_PROTECTDIR))) + || (RETURN_OK != path_permition_check(newpath,FLAG_PROTECTDIR)))
@ -867,7 +868,7 @@ index 01d6f8f..682c19a 100644
@@ -1387,6 +2040,17 @@ process_extended_fsync(u_int32_t id) @@ -1387,6 +2040,17 @@ process_extended_fsync(u_int32_t id)
if ((r = get_handle(iqueue, &handle)) != 0) if ((r = get_handle(iqueue, &handle)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ +
+ char *path = NULL; + char *path = NULL;
+ path = handle_to_name(handle); + path = handle_to_name(handle);
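Review bot: In the rebased process_write hunk (`@@ -813,17 +1310,30 @@`) the new side deletes upstream 8.8's failure path — `status = errno_to_portable(errno);` and `error_f("write \"%.100s\": %s", handle_to_name(handle), strerror(errno));` — and the visible start of the replacement, `if (storage_flag == 1) debug("cflag is %d",cflag);`, re-establishes neither. The rest of the replacement is cut from this rendering, so if it does not map a failed write() back through `errno_to_portable(errno)` and log the path, a failed or short write is reported to the client with a generic status and leaves no per-file trace in the server log, which is exactly what 8.8 added. Whatever the OOM logic decides, keep the 8.8 `ret == -1` branch verbatim ahead of it. process_write's body starts and ends outside this hunk.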


@ -1,19 +1,18 @@
diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-7.4p1/contrib/gnome-ssh-askpass2.c diff -up openssh-8.6p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-8.6p1/contrib/gnome-ssh-askpass2.c
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info 2016-12-23 13:31:22.645213115 +0100 --- openssh-8.6p1/contrib/gnome-ssh-askpass2.c.grab-info 2021-04-19 13:57:11.720113536 +0200
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:40.997216691 +0100 +++ openssh-8.6p1/contrib/gnome-ssh-askpass2.c 2021-04-19 13:59:29.842163204 +0200
@@ -65,9 +65,12 @@ report_failed_grab (GtkWidget *parent_wi @@ -70,8 +70,12 @@ report_failed_grab (GtkWidget *parent_wi
err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0, err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
GTK_MESSAGE_ERROR, GTK_MESSAGE_ERROR, GTK_BUTTONS_CLOSE,
GTK_BUTTONS_CLOSE, - "Could not grab %s. A malicious client may be eavesdropping "
- "Could not grab %s. " - "on your session.", what);
- "A malicious client may be eavesdropping " + "SSH password dialog could not grab the %s input.\n"
- "on your session.", what); + "This might be caused by application such as screensaver, "
+ "SSH password dialog could not grab the %s input.\n" + "however it could also mean that someone may be eavesdropping "
+ "This might be caused by application such as screensaver, " + "on your session.\n"
+ "however it could also mean that someone may be eavesdropping " + "Either close the application which grabs the %s or "
+ "on your session.\n" + "log out and log in again to prevent this from happening.", what, what);
+ "Either close the application which grabs the %s or "
+ "log out and log in again to prevent this from happening.", what, what);
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER); gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
gtk_dialog_run(GTK_DIALOG(err)); gtk_dialog_run(GTK_DIALOG(err));


@ -2,15 +2,15 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress 2016-12-19 05:59:41.000000000 +0100 --- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:16.545211926 +0100 +++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:16.545211926 +0100
@@ -53,6 +53,7 @@ @@ -53,6 +53,7 @@
#include <string.h>
#include <unistd.h> #include <unistd.h>
#include <X11/Xlib.h> #include <X11/Xlib.h>
+#include <glib.h> +#include <glib.h>
#include <gtk/gtk.h> #include <gtk/gtk.h>
#include <gdk/gdkx.h> #include <gdk/gdkx.h>
#include <gdk/gdkkeysyms.h>
@@ -81,14 +82,25 @@ ok_dialog(GtkWidget *entry, gpointer dia @@ -81,14 +82,25 @@ ok_dialog(GtkWidget *entry, gpointer dia
gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); return 1;
} }
+static void +static void
@ -34,39 +34,44 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
- GtkWidget *parent_window, *dialog, *entry; - GtkWidget *parent_window, *dialog, *entry;
+ GtkWidget *parent_window, *dialog, *entry, *progress, *hbox; + GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
GdkGrabStatus status; GdkGrabStatus status;
GdkColor fg, bg;
int fg_set = 0, bg_set = 0;
@@ -104,14 +116,19 @@ passphrase_dialog(char *message)
gtk_widget_modify_bg(dialog, GTK_STATE_NORMAL, &bg);
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL); if (prompt_type == PROMPT_ENTRY || prompt_type == PROMPT_NONE) {
@@ -104,16 +116,37 @@ passphrase_dialog(char *message)
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
if (prompt_type == PROMPT_ENTRY) {
+ hbox = gtk_hbox_new(FALSE, 0); + hbox = gtk_hbox_new(FALSE, 0);
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE, + gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
+ FALSE, 0); + FALSE, 0);
+ gtk_widget_show(hbox); + gtk_widget_show(hbox);
+ +
entry = gtk_entry_new(); entry = gtk_entry_new();
if (fg_set)
gtk_widget_modify_fg(entry, GTK_STATE_NORMAL, &fg);
if (bg_set)
gtk_widget_modify_bg(entry, GTK_STATE_NORMAL, &bg);
gtk_box_pack_start( gtk_box_pack_start(
- GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), - GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))),
- entry, FALSE, FALSE, 0); - entry, FALSE, FALSE, 0);
+ GTK_BOX(hbox), entry, + GTK_BOX(hbox), entry, TRUE, FALSE, 0);
+ TRUE, FALSE, 0);
+ gtk_entry_set_width_chars(GTK_ENTRY(entry), 2); + gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
gtk_widget_grab_focus(entry); gtk_widget_grab_focus(entry);
gtk_widget_show(entry); if (prompt_type == PROMPT_ENTRY) {
/* Make <enter> close dialog */ @@ -130,6 +145,22 @@ passphrase_dialog(char *message)
g_signal_connect(G_OBJECT(entry), "activate", g_signal_connect(G_OBJECT(entry), "key_press_event",
G_CALLBACK(ok_dialog), dialog); G_CALLBACK(check_none), dialog);
}
+ +
+ hbox = gtk_hbox_new(FALSE, 0); + hbox = gtk_hbox_new(FALSE, 0);
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE, + gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox),
+ FALSE, 8); + hbox, FALSE, FALSE, 8);
+ gtk_widget_show(hbox); + gtk_widget_show(hbox);
+ +
+ progress = gtk_progress_bar_new(); + progress = gtk_progress_bar_new();
+ +
+ gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), "Passphrase length hidden intentionally"); + gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress),
+ "Passphrase length hidden intentionally");
+ gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE, + gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
+ TRUE, 5); + TRUE, 5);
+ gtk_widget_show(progress); + gtk_widget_show(progress);
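Review bot: The rebased passphrase_dialog hunk packs the new `hbox` into `GTK_DIALOG(dialog)->vbox` (for both the entry row and the progress row) while the line it replaces used the accessor `gtk_dialog_get_content_area(GTK_DIALOG(dialog))`; as far as I recall direct access to the `vbox` member is sealed from GTK 2.22 on and absent in GTK 3, so this rebase reintroduces the one construct that would stop the file building under GSEAL, whereas the accessor works on every GTK the surrounding code already targets. `gtk_hbox_new(FALSE, 0)` is likewise the GTK2-only constructor. Keep the accessor in both places: `gtk_box_pack_start(GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), hbox, FALSE, FALSE, 0);`. passphrase_dialog starts before this hunk and continues past it.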


@ -1,19 +1,19 @@
diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c diff -up openssh-8.6p1/log.c.log-in-chroot openssh-8.6p1/log.c
--- openssh-7.4p1/log.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.6p1/log.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-7.4p1/log.c 2016-12-23 15:14:33.330168088 +0100 +++ openssh-8.6p1/log.c 2021-04-19 14:43:08.544843434 +0200
@@ -250,6 +250,11 @@ debug3(const char *fmt,...) @@ -194,6 +194,11 @@ void
void log_init(const char *av0, LogLevel level, SyslogFacility facility,
log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr) int on_stderr)
{ {
+ log_init_handler(av0, level, facility, on_stderr, 1); + log_init_handler(av0, level, facility, on_stderr, 1);
+} +}
+ +
+void +void
+log_init_handler(char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) { +log_init_handler(const char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) {
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
struct syslog_data sdata = SYSLOG_DATA_INIT; struct syslog_data sdata = SYSLOG_DATA_INIT;
#endif #endif
@@ -273,8 +278,10 @@ log_init(char *av0, LogLevel level, Sysl @@ -206,8 +211,10 @@ log_init(const char *av0, LogLevel level
exit(1); exit(1);
} }
@ -26,21 +26,21 @@ diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
log_on_stderr = on_stderr; log_on_stderr = on_stderr;
if (on_stderr) if (on_stderr)
diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h diff -up openssh-8.6p1/log.h.log-in-chroot openssh-8.6p1/log.h
--- openssh-7.4p1/log.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.6p1/log.h.log-in-chroot 2021-04-19 14:43:08.544843434 +0200
+++ openssh-7.4p1/log.h 2016-12-23 15:14:33.330168088 +0100 +++ openssh-8.6p1/log.h 2021-04-19 14:56:46.931042176 +0200
@@ -49,6 +49,7 @@ typedef enum { @@ -52,6 +52,7 @@ typedef enum {
typedef void (log_handler_fn)(LogLevel, const char *, void *); typedef void (log_handler_fn)(LogLevel, int, const char *, void *);
void log_init(char *, LogLevel, SyslogFacility, int); void log_init(const char *, LogLevel, SyslogFacility, int);
+void log_init_handler(char *, LogLevel, SyslogFacility, int, int); +void log_init_handler(const char *, LogLevel, SyslogFacility, int, int);
LogLevel log_level_get(void); LogLevel log_level_get(void);
int log_change_level(LogLevel); int log_change_level(LogLevel);
int log_is_on_stderr(void); int log_is_on_stderr(void);
diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c diff -up openssh-8.6p1/monitor.c.log-in-chroot openssh-8.6p1/monitor.c
--- openssh-7.4p1/monitor.c.log-in-chroot 2016-12-23 15:14:33.311168085 +0100 --- openssh-8.6p1/monitor.c.log-in-chroot 2021-04-19 14:43:08.526843298 +0200
+++ openssh-7.4p1/monitor.c 2016-12-23 15:16:42.154193100 +0100 +++ openssh-8.6p1/monitor.c 2021-04-19 14:55:25.286424043 +0200
@@ -307,6 +307,8 @@ monitor_child_preauth(Authctxt *_authctx @@ -297,6 +297,8 @@ monitor_child_preauth(struct ssh *ssh, s
close(pmonitor->m_log_sendfd); close(pmonitor->m_log_sendfd);
pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1; pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
@ -49,7 +49,7 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
authctxt = (Authctxt *)ssh->authctxt; authctxt = (Authctxt *)ssh->authctxt;
memset(authctxt, 0, sizeof(*authctxt)); memset(authctxt, 0, sizeof(*authctxt));
ssh->authctxt = authctxt; ssh->authctxt = authctxt;
@@ -405,6 +407,8 @@ monitor_child_postauth(struct monitor *p @@ -408,6 +410,8 @@ monitor_child_postauth(struct ssh *ssh,
close(pmonitor->m_recvfd); close(pmonitor->m_recvfd);
pmonitor->m_recvfd = -1; pmonitor->m_recvfd = -1;
@ -58,16 +58,16 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
monitor_set_child_handler(pmonitor->m_pid); monitor_set_child_handler(pmonitor->m_pid);
ssh_signal(SIGHUP, &monitor_child_handler); ssh_signal(SIGHUP, &monitor_child_handler);
ssh_signal(SIGTERM, &monitor_child_handler); ssh_signal(SIGTERM, &monitor_child_handler);
@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito @@ -480,7 +484,7 @@ monitor_read_log(struct monitor *pmonito
/* Log it */
if (log_level_name(level) == NULL) if (log_level_name(level) == NULL)
fatal("%s: invalid log level %u (corrupted message?)", fatal_f("invalid log level %u (corrupted message?)", level);
__func__, level); - sshlogdirect(level, forced, "%s [preauth]", msg);
- do_log2(level, "%s [preauth]", msg); + sshlogdirect(level, forced, "%s [%s]", msg, pmonitor->m_state);
+ do_log2(level, "%s [%s]", msg, pmonitor->m_state);
sshbuf_free(logmsg); sshbuf_free(logmsg);
free(msg); free(msg);
@@ -1719,13 +1723,28 @@ monitor_init(void) @@ -1868,13 +1872,28 @@ monitor_init(void)
mon = xcalloc(1, sizeof(*mon)); mon = xcalloc(1, sizeof(*mon));
monitor_openfds(mon, 1); monitor_openfds(mon, 1);
@ -89,7 +89,7 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
+ xasprintf(&dev_log_path, "%s/dev/log", chroot_dir); + xasprintf(&dev_log_path, "%s/dev/log", chroot_dir);
+ +
+ if (stat(dev_log_path, &dev_log_stat) != 0) { + if (stat(dev_log_path, &dev_log_stat) != 0) {
+ debug("%s: /dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", __func__, chroot_dir); + debug_f("/dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", chroot_dir);
+ do_logfds = 1; + do_logfds = 1;
+ } + }
+ free(dev_log_path); + free(dev_log_path);
@ -98,10 +98,10 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
} }
#ifdef GSSAPI #ifdef GSSAPI
diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h diff -up openssh-8.6p1/monitor.h.log-in-chroot openssh-8.6p1/monitor.h
--- openssh-7.4p1/monitor.h.log-in-chroot 2016-12-23 15:14:33.330168088 +0100 --- openssh-8.6p1/monitor.h.log-in-chroot 2021-04-19 14:43:08.527843305 +0200
+++ openssh-7.4p1/monitor.h 2016-12-23 15:16:28.372190424 +0100 +++ openssh-8.6p1/monitor.h 2021-04-19 14:43:08.545843441 +0200
@@ -83,10 +83,11 @@ struct monitor { @@ -80,10 +80,11 @@ struct monitor {
int m_log_sendfd; int m_log_sendfd;
struct kex **m_pkex; struct kex **m_pkex;
pid_t m_pid; pid_t m_pid;
@ -114,9 +114,9 @@ diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
struct Authctxt; struct Authctxt;
void monitor_child_preauth(struct ssh *, struct monitor *); void monitor_child_preauth(struct ssh *, struct monitor *);
diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c diff -up openssh-8.6p1/session.c.log-in-chroot openssh-8.6p1/session.c
--- openssh-7.4p1/session.c.log-in-chroot 2016-12-23 15:14:33.319168086 +0100 --- openssh-8.6p1/session.c.log-in-chroot 2021-04-19 14:43:08.534843358 +0200
+++ openssh-7.4p1/session.c 2016-12-23 15:18:18.742211853 +0100 +++ openssh-8.6p1/session.c 2021-04-19 14:43:08.545843441 +0200
@@ -160,6 +160,7 @@ login_cap_t *lc; @@ -160,6 +160,7 @@ login_cap_t *lc;
static int is_child = 0; static int is_child = 0;
@ -125,7 +125,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
/* File containing userauth info, if ExposeAuthInfo set */ /* File containing userauth info, if ExposeAuthInfo set */
static char *auth_info_file = NULL; static char *auth_info_file = NULL;
@@ -619,6 +620,7 @@ do_exec(Session *s, const char *command) @@ -661,6 +662,7 @@ do_exec(struct ssh *ssh, Session *s, con
int ret; int ret;
const char *forced = NULL, *tty = NULL; const char *forced = NULL, *tty = NULL;
char session_type[1024]; char session_type[1024];
@ -133,7 +133,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
if (options.adm_forced_command) { if (options.adm_forced_command) {
original_command = command; original_command = command;
@@ -676,6 +678,10 @@ do_exec(Session *s, const char *command) @@ -720,6 +722,10 @@ do_exec(struct ssh *ssh, Session *s, con
tty += 5; tty += 5;
} }
@ -144,10 +144,10 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
verbose("Starting session: %s%s%s for %s from %.200s port %d id %d", verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
session_type, session_type,
tty == NULL ? "" : " on ", tty == NULL ? "" : " on ",
@@ -1486,14 +1492,6 @@ child_close_fds(void) @@ -1524,14 +1530,6 @@ child_close_fds(struct ssh *ssh)
* descriptors left by system functions. They will be closed later.
*/ /* Stop directing logs to a high-numbered fd before we close it */
endpwent(); log_redirect_stderr_to(NULL);
- -
- /* - /*
- * Close any extra open file descriptors so that we don't have them - * Close any extra open file descriptors so that we don't have them
@ -159,7 +159,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
} }
/* /*
@@ -1629,8 +1627,6 @@ do_child(Session *s, const char *command @@ -1665,8 +1663,6 @@ do_child(struct ssh *ssh, Session *s, co
exit(1); exit(1);
} }
@ -168,7 +168,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
do_rc_files(ssh, s, shell); do_rc_files(ssh, s, shell);
/* restore SIGPIPE for child */ /* restore SIGPIPE for child */
@@ -1653,9 +1649,17 @@ do_child(Session *s, const char *command @@ -1691,9 +1687,17 @@ do_child(struct ssh *ssh, Session *s, co
argv[i] = NULL; argv[i] = NULL;
optind = optreset = 1; optind = optreset = 1;
__progname = argv[0]; __progname = argv[0];
@ -187,9 +187,9 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
fflush(NULL); fflush(NULL);
/* Get the last component of the shell name. */ /* Get the last component of the shell name. */
diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h diff -up openssh-8.6p1/sftp.h.log-in-chroot openssh-8.6p1/sftp.h
--- openssh-7.4p1/sftp.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.6p1/sftp.h.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-7.4p1/sftp.h 2016-12-23 15:14:33.331168088 +0100 +++ openssh-8.6p1/sftp.h 2021-04-19 14:43:08.545843441 +0200
@@ -97,5 +97,5 @@ @@ -97,5 +97,5 @@
struct passwd; struct passwd;
@ -197,10 +197,10 @@ diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
-int sftp_server_main(int, char **, struct passwd *); -int sftp_server_main(int, char **, struct passwd *);
+int sftp_server_main(int, char **, struct passwd *, int); +int sftp_server_main(int, char **, struct passwd *, int);
void sftp_server_cleanup_exit(int) __attribute__((noreturn)); void sftp_server_cleanup_exit(int) __attribute__((noreturn));
diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c diff -up openssh-8.6p1/sftp-server.c.log-in-chroot openssh-8.6p1/sftp-server.c
--- openssh-7.4p1/sftp-server.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.6p1/sftp-server.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-7.4p1/sftp-server.c 2016-12-23 15:14:33.331168088 +0100 +++ openssh-8.6p1/sftp-server.c 2021-04-19 14:43:08.545843441 +0200
@@ -1497,7 +1497,7 @@ sftp_server_usage(void) @@ -1644,7 +1644,7 @@ sftp_server_usage(void)
} }
int int
@ -209,7 +209,7 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
{ {
fd_set *rset, *wset; fd_set *rset, *wset;
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0; int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
@@ -1511,7 +1511,7 @@ sftp_server_main(int argc, char **argv, @@ -1657,7 +1657,7 @@ sftp_server_main(int argc, char **argv,
extern char *__progname; extern char *__progname;
__progname = ssh_get_progname(argv[0]); __progname = ssh_get_progname(argv[0]);
@ -218,7 +218,7 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
pw = pwcopy(user_pw); pw = pwcopy(user_pw);
@@ -1582,7 +1582,7 @@ sftp_server_main(int argc, char **argv, @@ -1730,7 +1730,7 @@ sftp_server_main(int argc, char **argv,
} }
} }
@ -227,20 +227,20 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
/* /*
* On platforms where we can, avoid making /proc/self/{mem,maps} * On platforms where we can, avoid making /proc/self/{mem,maps}
diff -up openssh-7.4p1/sftp-server-main.c.log-in-chroot openssh-7.4p1/sftp-server-main.c diff -up openssh-8.6p1/sftp-server-main.c.log-in-chroot openssh-8.6p1/sftp-server-main.c
--- openssh-7.4p1/sftp-server-main.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.6p1/sftp-server-main.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-7.4p1/sftp-server-main.c 2016-12-23 15:14:33.331168088 +0100 +++ openssh-8.6p1/sftp-server-main.c 2021-04-19 14:43:08.545843441 +0200
@@ -49,5 +49,5 @@ main(int argc, char **argv) @@ -50,5 +50,5 @@ main(int argc, char **argv)
return 1; return 1;
} }
- return (sftp_server_main(argc, argv, user_pw)); - return (sftp_server_main(argc, argv, user_pw));
+ return (sftp_server_main(argc, argv, user_pw, 0)); + return (sftp_server_main(argc, argv, user_pw, 0));
} }
diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c diff -up openssh-8.6p1/sshd.c.log-in-chroot openssh-8.6p1/sshd.c
--- openssh-7.4p1/sshd.c.log-in-chroot 2016-12-23 15:14:33.328168088 +0100 --- openssh-8.6p1/sshd.c.log-in-chroot 2021-04-19 14:43:08.543843426 +0200
+++ openssh-7.4p1/sshd.c 2016-12-23 15:14:33.332168088 +0100 +++ openssh-8.6p1/sshd.c 2021-04-19 14:43:08.545843441 +0200
@@ -650,7 +650,7 @@ privsep_postauth(Authctxt *authctxt) @@ -559,7 +559,7 @@ privsep_postauth(struct ssh *ssh, Authct
} }
/* New socket pair */ /* New socket pair */
@ -249,7 +249,7 @@ diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
pmonitor->m_pid = fork(); pmonitor->m_pid = fork();
if (pmonitor->m_pid == -1) if (pmonitor->m_pid == -1)
@@ -668,6 +668,11 @@ privsep_postauth(Authctxt *authctxt) @@ -578,6 +578,11 @@ privsep_postauth(struct ssh *ssh, Authct
close(pmonitor->m_sendfd); close(pmonitor->m_sendfd);
pmonitor->m_sendfd = -1; pmonitor->m_sendfd = -1;


@ -34,19 +34,19 @@ index 8f32464..18a2ca4 100644
+ +
+ contexts_path = selinux_openssh_contexts_path(); + contexts_path = selinux_openssh_contexts_path();
+ if (contexts_path == NULL) { + if (contexts_path == NULL) {
+ debug3("%s: Failed to get the path to SELinux context", __func__); + debug3_f("Failed to get the path to SELinux context");
+ return; + return;
+ } + }
+ +
+ if ((contexts_file = fopen(contexts_path, "r")) == NULL) { + if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
+ debug("%s: Failed to open SELinux context file", __func__); + debug_f("Failed to open SELinux context file");
+ return; + return;
+ } + }
+ +
+ if (fstat(fileno(contexts_file), &sb) != 0 || + if (fstat(fileno(contexts_file), &sb) != 0 ||
+ sb.st_uid != 0 || (sb.st_mode & 022) != 0) { + sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
+ logit("%s: SELinux context file needs to be owned by root" + logit_f("SELinux context file needs to be owned by root"
+ " and not writable by anyone else", __func__); + " and not writable by anyone else");
+ fclose(contexts_file); + fclose(contexts_file);
+ return; + return;
+ } + }
@ -70,7 +70,7 @@ index 8f32464..18a2ca4 100644
+ if (arg && strcmp(arg, "privsep_preauth") == 0) { + if (arg && strcmp(arg, "privsep_preauth") == 0) {
+ arg = strdelim(&cp); + arg = strdelim(&cp);
+ if (!arg || *arg == '\0') { + if (!arg || *arg == '\0') {
+ debug("%s: privsep_preauth is empty", __func__); + debug_f("privsep_preauth is empty");
+ fclose(contexts_file); + fclose(contexts_file);
+ return; + return;
+ } + }
@ -80,8 +80,8 @@ index 8f32464..18a2ca4 100644
+ fclose(contexts_file); + fclose(contexts_file);
+ +
+ if (preauth_context == NULL) { + if (preauth_context == NULL) {
+ debug("%s: Unable to find 'privsep_preauth' option in" + debug_f("Unable to find 'privsep_preauth' option in"
+ " SELinux context file", __func__); + " SELinux context file");
+ return; + return;
+ } + }
+ +
@ -101,10 +101,11 @@ index 22ea8ef..1fc963d 100644
if ((cx = index(cx + 1, ':'))) if ((cx = index(cx + 1, ':')))
strlcat(newctx, cx, newlen); strlcat(newctx, cx, newlen);
- debug3("%s: setting context from '%s' to '%s'", __func__, - debug3("%s: setting context from '%s' to '%s'", __func__,
+ debug("%s: setting context from '%s' to '%s'", __func__, + debug_f("setting context from '%s' to '%s'",
oldctx, newctx); oldctx, newctx);
if (setcon(newctx) < 0) if (setcon(newctx) < 0)
switchlog("%s: setcon %s from %s failed with %s", __func__, do_log2(log_level, "%s: setcon %s from %s failed with %s",
__func__, newctx, oldctx, strerror(errno));
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index cb51f99..8b7cda2 100644 index cb51f99..8b7cda2 100644
--- a/openbsd-compat/port-linux.h --- a/openbsd-compat/port-linux.h
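Review bot: The new side of the last hunk still builds the function-name prefix by hand, `do_log2(log_level, "%s: setcon %s from %s failed with %s", __func__, newctx, oldctx, strerror(errno))`, while every other message in this file section was moved to the `debug_f`/`logit_f` helpers that prepend the function name themselves. If this tree's log.h provides an `_f` form of `do_log2`, using it here keeps the prefix format uniform across the file; otherwise the manual prefix is acceptable but worth a one-line comment saying why it differs. `log_level` is presumably declared earlier in the function, outside this hunk, and the enclosing function starts before the hunk begins, so I cannot confirm its type or origin from here.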


@ -28,7 +28,7 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
+ options->enable_k5users = -1; + options->enable_k5users = -1;
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1; options->permit_empty_passwd = -1;
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption @@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
#endif #endif
if (options->use_kuserok == -1) if (options->use_kuserok == -1)
@ -39,8 +39,8 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -418,7 +421,7 @@ typedef enum { @@ -418,7 +421,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
sHostKeyAlgorithms, sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, - sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor, + sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
@ -72,9 +72,9 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
+ intptr = &options->enable_k5users; + intptr = &options->enable_k5users;
+ goto parse_flag; + goto parse_flag;
+ +
case sPermitListen: case sMatch:
case sPermitOpen: if (cmdline)
if (opcode == sPermitListen) { fatal("Match directive not supported as a command-line "
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d @@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk); M_CP_INTOPT(ip_qos_bulk);


@ -1,257 +0,0 @@
diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.ctr-cavs 2015-03-18 11:22:05.493289018 +0100
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:22:44.504196316 +0100
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
SSH_KEYCAT=$(libexecdir)/ssh-keycat
+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
.SUFFIXES: .lo
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
XMSS_OBJS=\
ssh-xmss.o \
@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -326,6 +330,7 @@ install-files:
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
fi
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
--- openssh-6.8p1/ctr-cavstest.c.ctr-cavs 2015-03-18 11:22:05.521288952 +0100
+++ openssh-6.8p1/ctr-cavstest.c 2015-03-18 11:22:05.521288952 +0100
@@ -0,0 +1,215 @@
+/*
+ *
+ * invocation (all of the following are equal):
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 00000000000000000000000000000000
+ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+
+#include "xmalloc.h"
+#include "log.h"
+#include "ssherr.h"
+#include "cipher.h"
+
+/* compatibility with old or broken OpenSSL versions */
+#include "openbsd-compat/openssl-compat.h"
+
+void usage(void) {
+ fprintf(stderr, "Usage: ctr-cavstest --algo <ssh-crypto-algorithm>\n"
+ " --key <hexadecimal-key> --mode <encrypt|decrypt>\n"
+ " [--iv <hexadecimal-iv>] --data <hexadecimal-data>\n\n"
+ "Hexadecimal output is printed to stdout.\n"
+ "Hexadecimal input data can be alternatively read from stdin.\n");
+ exit(1);
+}
+
+void *fromhex(char *hex, size_t *len)
+{
+ unsigned char *bin;
+ char *p;
+ size_t n = 0;
+ int shift = 4;
+ unsigned char out = 0;
+ unsigned char *optr;
+
+ bin = xmalloc(strlen(hex)/2);
+ optr = bin;
+
+ for (p = hex; *p != '\0'; ++p) {
+ unsigned char c;
+
+ c = *p;
+ if (isspace(c))
+ continue;
+
+ if (c >= '0' && c <= '9') {
+ c = c - '0';
+ } else if (c >= 'A' && c <= 'F') {
+ c = c - 'A' + 10;
+ } else if (c >= 'a' && c <= 'f') {
+ c = c - 'a' + 10;
+ } else {
+ /* truncate on nonhex cipher */
+ break;
+ }
+
+ out |= c << shift;
+ shift = (shift + 4) % 8;
+
+ if (shift) {
+ *(optr++) = out;
+ out = 0;
+ ++n;
+ }
+ }
+
+ *len = n;
+ return bin;
+}
+
+#define READ_CHUNK 4096
+#define MAX_READ_SIZE 1024*1024*100
+char *read_stdin(void)
+{
+ char *buf;
+ size_t n, total = 0;
+
+ buf = xmalloc(READ_CHUNK);
+
+ do {
+ n = fread(buf + total, 1, READ_CHUNK, stdin);
+ if (n < READ_CHUNK) /* terminate on short read */
+ break;
+
+ total += n;
+ buf = xreallocarray(buf, total + READ_CHUNK, 1);
+ } while(total < MAX_READ_SIZE);
+ return buf;
+}
+
+int main (int argc, char *argv[])
+{
+
+ const struct sshcipher *c;
+ struct sshcipher_ctx *cc;
+ char *algo = "aes128-ctr";
+ char *hexkey = NULL;
+ char *hexiv = "00000000000000000000000000000000";
+ char *hexdata = NULL;
+ char *p;
+ int i, r;
+ int encrypt = 1;
+ void *key;
+ size_t keylen;
+ void *iv;
+ size_t ivlen;
+ void *data;
+ size_t datalen;
+ void *outdata;
+
+ for (i = 1; i < argc; ++i) {
+ if (strcmp(argv[i], "--algo") == 0) {
+ algo = argv[++i];
+ } else if (strcmp(argv[i], "--key") == 0) {
+ hexkey = argv[++i];
+ } else if (strcmp(argv[i], "--mode") == 0) {
+ ++i;
+ if (argv[i] == NULL) {
+ usage();
+ }
+ if (strncmp(argv[i], "enc", 3) == 0) {
+ encrypt = 1;
+ } else if (strncmp(argv[i], "dec", 3) == 0) {
+ encrypt = 0;
+ } else {
+ usage();
+ }
+ } else if (strcmp(argv[i], "--iv") == 0) {
+ hexiv = argv[++i];
+ } else if (strcmp(argv[i], "--data") == 0) {
+ hexdata = argv[++i];
+ }
+ }
+
+ if (hexkey == NULL || algo == NULL) {
+ usage();
+ }
+
+ OpenSSL_add_all_algorithms();
+
+ c = cipher_by_name(algo);
+ if (c == NULL) {
+ fprintf(stderr, "Error: unknown algorithm\n");
+ return 2;
+ }
+
+ if (hexdata == NULL) {
+ hexdata = read_stdin();
+ } else {
+ hexdata = xstrdup(hexdata);
+ }
+
+ key = fromhex(hexkey, &keylen);
+
+ if (keylen != 16 && keylen != 24 && keylen == 32) {
+ fprintf(stderr, "Error: unsupported key length\n");
+ return 2;
+ }
+
+ iv = fromhex(hexiv, &ivlen);
+
+ if (ivlen != 16) {
+ fprintf(stderr, "Error: unsupported iv length\n");
+ return 2;
+ }
+
+ data = fromhex(hexdata, &datalen);
+
+ if (data == NULL || datalen == 0) {
+ fprintf(stderr, "Error: no data to encrypt/decrypt\n");
+ return 2;
+ }
+
+ if ((r = cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt)) != 0) {
+ fprintf(stderr, "Error: cipher_init failed: %s\n", ssh_err(r));
+ return 2;
+ }
+
+ free(key);
+ free(iv);
+
+ outdata = malloc(datalen);
+ if(outdata == NULL) {
+ fprintf(stderr, "Error: memory allocation failure\n");
+ return 2;
+ }
+
+ if ((r = cipher_crypt(cc, 0, outdata, data, datalen, 0, 0)) != 0) {
+ fprintf(stderr, "Error: cipher_crypt failed: %s\n", ssh_err(r));
+ return 2;
+ }
+
+ free(data);
+
+ cipher_free(cc);
+
+ for (p = outdata; datalen > 0; ++p, --datalen) {
+ printf("%02X", (unsigned char)*p);
+ }
+
+ free(outdata);
+
+ printf("\n");
+ return 0;
+}
+


@ -1,10 +1,10 @@
diff -up openssh/auth.c.keycat openssh/misc.c diff -up openssh/misc.c.keycat openssh/misc.c
--- openssh/auth.c.keycat 2015-06-24 10:57:50.158849606 +0200 --- openssh/misc.c.keycat 2015-06-24 10:57:50.158849606 +0200
+++ openssh/auth.c 2015-06-24 11:04:23.989868638 +0200 +++ openssh/misc.c 2015-06-24 11:04:23.989868638 +0200
@@ -966,6 +966,14 @@ subprocess(const char *tag, struct passw @@ -966,6 +966,13 @@ subprocess(const char *tag, struct passw
error("%s: dup2: %s", tag, strerror(errno));
_exit(1); _exit(1);
} }
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+ if (sshd_selinux_setup_env_variables() < 0) { + if (sshd_selinux_setup_env_variables() < 0) {
+ error ("failed to copy environment: %s", + error ("failed to copy environment: %s",
@ -12,10 +12,9 @@ diff -up openssh/auth.c.keycat openssh/misc.c
+ _exit(127); + _exit(127);
+ } + }
+#endif +#endif
+ if (env != NULL)
execve(av[0], av, child_env); execve(av[0], av, env);
error("%s exec \"%s\": %s", tag, command, strerror(errno)); else
_exit(127);
diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat
--- openssh/HOWTO.ssh-keycat.keycat 2015-06-24 10:57:50.157849608 +0200 --- openssh/HOWTO.ssh-keycat.keycat 2015-06-24 10:57:50.157849608 +0200
+++ openssh/HOWTO.ssh-keycat 2015-06-24 10:57:50.157849608 +0200 +++ openssh/HOWTO.ssh-keycat 2015-06-24 10:57:50.157849608 +0200
@ -36,16 +35,16 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
--- openssh/Makefile.in.keycat 2015-06-24 10:57:50.152849621 +0200 --- openssh/Makefile.in.keycat 2015-06-24 10:57:50.152849621 +0200
+++ openssh/Makefile.in 2015-06-24 10:57:50.157849608 +0200 +++ openssh/Makefile.in 2015-06-24 10:57:50.157849608 +0200
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server @@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
+SSH_KEYCAT=$(libexecdir)/ssh-keycat +SSH_KEYCAT=$(libexecdir)/ssh-keycat
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@ PRIVSEP_PATH=@PRIVSEP_PATH@
@@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@ @@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@
K5LIBS=@K5LIBS@
GSSLIBS=@GSSLIBS@ GSSLIBS=@GSSLIBS@
SSHLIBS=@SSHLIBS@
SSHDLIBS=@SSHDLIBS@ SSHDLIBS=@SSHDLIBS@
+KEYCATLIBS=@KEYCATLIBS@ +KEYCATLIBS=@KEYCATLIBS@
LIBEDIT=@LIBEDIT@ LIBEDIT=@LIBEDIT@
@ -55,25 +54,25 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
.SUFFIXES: .lo .SUFFIXES: .lo
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
XMSS_OBJS=\ XMSS_OBJS=\
ssh-xmss.o \ ssh-xmss.o \
@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) @@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS) $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o +ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS) + $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
+ +
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -321,6 +325,7 @@ install-files: @@ -321,6 +325,7 @@ install-files:
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
fi $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@ -466,16 +465,16 @@ index 3bbccfd..6481f1f 100644
esac esac
fi fi
@@ -4042,6 +4044,7 @@ AC_ARG_WITH([selinux], @@ -4042,6 +4044,7 @@ AC_ARG_WITH([selinux],
fi ]
) )
AC_SUBST([SSHLIBS])
AC_SUBST([SSHDLIBS]) AC_SUBST([SSHDLIBS])
+AC_SUBST([KEYCATLIBS]) +AC_SUBST([KEYCATLIBS])
# Check whether user wants Kerberos 5 support # Check whether user wants Kerberos 5 support
KRB5_MSG="no" KRB5_MSG="no"
@@ -5031,6 +5034,9 @@ fi @@ -5031,6 +5034,9 @@ fi
if test ! -z "${SSHLIBS}"; then if test ! -z "${SSHDLIBS}"; then
echo " +for ssh: ${SSHLIBS}" echo " +for sshd: ${SSHDLIBS}"
fi fi
+if test ! -z "${KEYCATLIBS}"; then +if test ! -z "${KEYCATLIBS}"; then
+echo " +for ssh-keycat: ${KEYCATLIBS}" +echo " +for ssh-keycat: ${KEYCATLIBS}"
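Review bot: The `#ifdef WITH_SELINUX` block that calls `sshd_selinux_setup_env_variables()` now lands in `subprocess()` in misc.c rather than auth.c (first hunk), and misc.c is, as far as I can tell, shared by the client binaries as well, so the reference to an sshd-side helper should be confirmed to resolve (or be compiled out) for every binary that links misc.o, not only sshd; the hunk does not show where that function is defined. On the new side, `error ("failed to copy environment: %s",` has a space before the parenthesis that the neighbouring `error(...)` calls do not have; `error("failed to copy environment: %s",` matches them. subprocess() begins and ends outside the hunk.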


@ -182,7 +182,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
+ options->use_kuserok = -1; + options->use_kuserok = -1;
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1; options->permit_empty_passwd = -1;
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption @@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
if (options->gss_kex_algorithms == NULL) if (options->gss_kex_algorithms == NULL)
options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX); options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
@ -193,14 +193,14 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -399,7 +402,7 @@ typedef enum { @@ -399,7 +402,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel, sPort, sHostKeyFile, sLoginGraceTime,
sRhostsRSAAuthentication, sRSAAuthentication, sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken, sKerberosUniqueCCache, - sKerberosGetAFSToken, sKerberosUniqueCCache,
+ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, + sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok,
sChallengeResponseAuthentication, sPasswordAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
sListenAddress, sAddressFamily, sPrintMotd, sPrintLastLog, sIgnoreRhosts,
@@ -478,12 +481,14 @@ static struct { @@ -478,12 +481,14 @@ static struct {
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif #endif
@ -217,16 +217,16 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions @@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
*activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value; }
break; break;
+ case sKerberosUseKuserok: + case sKerberosUseKuserok:
+ intptr = &options->use_kuserok; + intptr = &options->use_kuserok;
+ goto parse_flag; + goto parse_flag;
+ +
case sPermitListen: case sMatch:
case sPermitOpen: if (cmdline)
if (opcode == sPermitListen) { fatal("Match directive not supported as a command-line "
@@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d @@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(client_alive_interval); M_CP_INTOPT(client_alive_interval);
M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_interactive);


@ -13,7 +13,7 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100 --- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 18:58:52.974122201 +0100 +++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 18:58:52.974122201 +0100
@@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw @@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw
debug3("%s: done", __func__); debug3_f("done");
} }
+void +void
@ -25,15 +25,15 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-
+ return; + return;
+ +
+ if (getexeccon((security_context_t *)&ctx) != 0) { + if (getexeccon((security_context_t *)&ctx) != 0) {
+ logit("%s: getexeccon failed with %s", __func__, strerror(errno)); + logit_f("getexeccon failed with %s", strerror(errno));
+ return; + return;
+ } + }
+ if (ctx != NULL) { + if (ctx != NULL) {
+ /* unset exec context before we will lose this capabililty */ + /* unset exec context before we will lose this capabililty */
+ if (setexeccon(NULL) != 0) + if (setexeccon(NULL) != 0)
+ fatal("%s: setexeccon failed with %s", __func__, strerror(errno)); + fatal_f("setexeccon failed with %s", strerror(errno));
+ if (setcon(ctx) != 0) + if (setcon(ctx) != 0)
+ fatal("%s: setcon failed with %s", __func__, strerror(errno)); + fatal_f("setcon failed with %s", strerror(errno));
+ freecon(ctx); + freecon(ctx);
+ } + }
+} +}
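Review bot: The comment in the new block, `/* unset exec context before we will lose this capabililty */`, has a typo and does not say which capability is meant; if the intent is that the exec context must be cleared while the process is still permitted to do so, `/* clear the exec context now, while we still have the capability to do so */` says that. `getexeccon((security_context_t *)&ctx)` presumably casts because `ctx` is declared `char *`; the cast only matters where the `security_context_t` typedef is still in use, so passing `&ctx` uncast would be cleaner if the libselinux headers this tree builds against accept a `char **` there. The function's signature lies outside the hunk (only `+void` is visible before the hunk cut), so I cannot see how ctx is declared.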


@ -1,21 +1,259 @@
diff -up openssh-8.5p1/addr.c.coverity openssh-8.5p1/addr.c
--- openssh-8.5p1/addr.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/addr.c 2021-03-24 12:03:33.782968159 +0100
@@ -312,8 +312,10 @@ addr_pton(const char *p, struct xaddr *n
if (p == NULL || getaddrinfo(p, NULL, &hints, &ai) != 0)
return -1;
- if (ai == NULL || ai->ai_addr == NULL)
+ if (ai == NULL || ai->ai_addr == NULL) {
+ freeaddrinfo(ai);
return -1;
+ }
if (n != NULL && addr_sa_to_xaddr(ai->ai_addr, ai->ai_addrlen,
n) == -1) {
@@ -336,12 +338,16 @@ addr_sa_pton(const char *h, const char *
if (h == NULL || getaddrinfo(h, s, &hints, &ai) != 0)
return -1;
- if (ai == NULL || ai->ai_addr == NULL)
+ if (ai == NULL || ai->ai_addr == NULL) {
+ freeaddrinfo(ai);
return -1;
+ }
if (sa != NULL) {
- if (slen < ai->ai_addrlen)
+ if (slen < ai->ai_addrlen) {
+ freeaddrinfo(ai);
return -1;
+ }
memcpy(sa, &ai->ai_addr, ai->ai_addrlen);
}
diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
--- openssh-8.5p1/auth-krb5.c.coverity 2021-03-24 12:03:33.724967756 +0100
+++ openssh-8.5p1/auth-krb5.c 2021-03-24 12:03:33.782968159 +0100
@@ -426,6 +426,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx,
umask(old_umask);
if (tmpfd == -1) {
logit("mkstemp(): %.100s", strerror(oerrno));
+ free(ccname);
return oerrno;
}
@@ -433,6 +434,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx,
oerrno = errno;
logit("fchmod(): %.100s", strerror(oerrno));
close(tmpfd);
+ free(ccname);
return oerrno;
}
/* make sure the KRB5CCNAME is set for non-standard location */
diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
--- openssh-8.5p1/auth-options.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/auth-options.c 2021-03-24 12:03:33.782968159 +0100
@@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char *
return r;
}
/* success */
+ sshbuf_free(b);
return 0;
}
diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
--- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100 --- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100
+++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100 +++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100
@@ -288,11 +288,11 @@ channel_register_fds(Channel *c, int rfd @@ -1875,7 +1875,7 @@ channel_post_connecting(struct ssh *ssh,
debug("channel %d: connection failed: %s",
c->self, strerror(err));
/* Try next address, if any */
- if ((sock = connect_next(&c->connect_ctx)) > 0) {
+ if ((sock = connect_next(&c->connect_ctx)) >= 0) {
close(c->sock);
c->sock = c->rfd = c->wfd = sock;
channel_find_maxfd(ssh->chanctxt);
@@ -3804,7 +3804,7 @@ int
channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
{
int r, success = 0, idx = -1;
- char *host_to_connect, *listen_host, *listen_path;
+ char *host_to_connect = NULL, *listen_host = NULL, *listen_path = NULL;
int port_to_connect, listen_port;
/* enable nonblocking mode */ /* Send the forward request to the remote side. */
if (nonblock) { @@ -3832,7 +3832,6 @@ channel_request_remote_forwarding(struct
- if (rfd != -1) success = 1;
+ if (rfd >= 0) if (success) {
set_nonblock(rfd); /* Record that connection to this host/port is permitted. */
- if (wfd != -1) - host_to_connect = listen_host = listen_path = NULL;
+ if (wfd >= 0) port_to_connect = listen_port = 0;
set_nonblock(wfd); if (fwd->connect_path != NULL) {
- if (efd != -1) host_to_connect = xstrdup(fwd->connect_path);
+ if (efd >= 0) @@ -3853,6 +3852,9 @@ channel_request_remote_forwarding(struct
set_nonblock(efd); host_to_connect, port_to_connect,
listen_host, listen_path, listen_port, NULL);
} }
+ free(host_to_connect);
+ free(listen_host);
+ free(listen_path);
return idx;
} }
diff -up openssh-8.5p1/compat.c.coverity openssh-8.5p1/compat.c
--- openssh-8.5p1/compat.c.coverity 2021-03-24 12:03:33.768968062 +0100
+++ openssh-8.5p1/compat.c 2021-03-24 12:03:33.783968166 +0100
@@ -191,10 +191,12 @@ compat_kex_proposal(struct ssh *ssh, cha
return p;
debug2_f("original KEX proposal: %s", p);
if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)
+ /* coverity[overwrite_var : FALSE] */
if ((p = match_filter_denylist(p,
"curve25519-sha256@libssh.org")) == NULL)
fatal("match_filter_denylist failed");
if ((ssh->compat & SSH_OLD_DHGEX) != 0) {
+ /* coverity[overwrite_var : FALSE] */
if ((p = match_filter_denylist(p,
"diffie-hellman-group-exchange-sha256,"
"diffie-hellman-group-exchange-sha1")) == NULL)
diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c
--- openssh-8.5p1/dns.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/dns.c 2021-03-24 12:03:33.783968166 +0100
@@ -282,6 +282,7 @@ verify_host_key_dns(const char *hostname
&hostkey_digest, &hostkey_digest_len, hostkey)) {
error("Error calculating key fingerprint.");
freerrset(fingerprints);
+ free(dnskey_digest);
return -1;
}
diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
--- openssh-8.5p1/gss-genr.c.coverity 2021-03-26 11:52:46.613942552 +0100
+++ openssh-8.5p1/gss-genr.c 2021-03-26 11:54:37.881726318 +0100
@@ -167,8 +167,9 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
enclen = __b64_ntop(digest,
ssh_digest_bytes(SSH_DIGEST_MD5), encoded,
ssh_digest_bytes(SSH_DIGEST_MD5) * 2);
-
+#pragma GCC diagnostic ignored "-Wstringop-overflow"
cp = strncpy(s, kex, strlen(kex));
+#pragma pop
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (sshbuf_len(buf) != 0 &&
diff -up openssh-8.5p1/kexgssc.c.coverity openssh-8.5p1/kexgssc.c
--- openssh-8.5p1/kexgssc.c.coverity 2021-03-24 12:03:33.711967665 +0100
+++ openssh-8.5p1/kexgssc.c 2021-03-24 12:03:33.783968166 +0100
@@ -98,8 +98,10 @@ kexgss_client(struct ssh *ssh)
default:
fatal_f("Unexpected KEX type %d", kex->kex_type);
}
- if (r != 0)
+ if (r != 0) {
+ ssh_gssapi_delete_ctx(&ctxt);
return r;
+ }
token_ptr = GSS_C_NO_BUFFER;
diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
--- openssh-8.5p1/krl.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/krl.c 2021-03-24 12:03:33.783968166 +0100
@@ -1209,6 +1209,7 @@ ssh_krl_from_blob(struct sshbuf *buf, st
sshkey_free(key);
sshbuf_free(copy);
sshbuf_free(sect);
+ /* coverity[leaked_storage : FALSE] */
return r;
}
@@ -1261,6 +1262,7 @@ is_key_revoked(struct ssh_krl *krl, cons
return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
free(rb.blob);
+ rb.blob = NULL; /* make coverity happy */
if (erb != NULL) {
KRL_DBG(("revoked by key SHA1"));
return SSH_ERR_KEY_REVOKED;
@@ -1271,6 +1273,7 @@ is_key_revoked(struct ssh_krl *krl, cons
return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha256s, &rb);
free(rb.blob);
+ rb.blob = NULL; /* make coverity happy */
if (erb != NULL) {
KRL_DBG(("revoked by key SHA256"));
return SSH_ERR_KEY_REVOKED;
@@ -1282,6 +1285,7 @@ is_key_revoked(struct ssh_krl *krl, cons
return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb);
free(rb.blob);
+ rb.blob = NULL; /* make coverity happy */
if (erb != NULL) {
KRL_DBG(("revoked by explicit key"));
return SSH_ERR_KEY_REVOKED;
diff -up openssh-8.5p1/loginrec.c.coverity openssh-8.5p1/loginrec.c
--- openssh-8.5p1/loginrec.c.coverity 2021-03-24 13:18:53.793225885 +0100
+++ openssh-8.5p1/loginrec.c 2021-03-24 13:21:27.948404751 +0100
@@ -690,9 +690,11 @@ construct_utmp(struct logininfo *li,
*/
/* Use strncpy because we don't necessarily want null termination */
+ /* coverity[buffer_size_warning : FALSE] */
strncpy(ut->ut_name, li->username,
MIN_SIZEOF(ut->ut_name, li->username));
# ifdef HAVE_HOST_IN_UTMP
+ /* coverity[buffer_size_warning : FALSE] */
strncpy(ut->ut_host, li->hostname,
MIN_SIZEOF(ut->ut_host, li->hostname));
# endif
@@ -1690,6 +1692,7 @@ record_failed_login(struct ssh *ssh, con
memset(&ut, 0, sizeof(ut));
/* strncpy because we don't necessarily want nul termination */
+ /* coverity[buffer_size_warning : FALSE] */
strncpy(ut.ut_user, username, sizeof(ut.ut_user));
strlcpy(ut.ut_line, "ssh:notty", sizeof(ut.ut_line));
@@ -1699,6 +1702,7 @@ record_failed_login(struct ssh *ssh, con
ut.ut_pid = getpid();
/* strncpy because we don't necessarily want nul termination */
+ /* coverity[buffer_size_warning : FALSE] */
strncpy(ut.ut_host, hostname, sizeof(ut.ut_host));
if (ssh_packet_connection_is_on_socket(ssh) &&
diff -up openssh-8.5p1/misc.c.coverity openssh-8.5p1/misc.c
--- openssh-8.5p1/misc.c.coverity 2021-03-24 12:03:33.745967902 +0100
+++ openssh-8.5p1/misc.c 2021-03-24 13:31:47.037079617 +0100
@@ -1425,6 +1425,8 @@ sanitise_stdfd(void)
}
if (nullfd > STDERR_FILENO)
close(nullfd);
+ /* coverity[leaked_handle : FALSE]*/
+ /* coverity[leaked_handle : FALSE]*/
}
char *
@@ -2511,6 +2513,7 @@ stdfd_devnull(int do_stdin, int do_stdou
}
if (devnull > STDERR_FILENO)
close(devnull);
+ /* coverity[leaked_handle : FALSE]*/
return ret;
}
diff -up openssh-8.5p1/moduli.c.coverity openssh-8.5p1/moduli.c
--- openssh-8.5p1/moduli.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/moduli.c 2021-03-24 12:03:33.784968173 +0100
@@ -476,6 +476,7 @@ write_checkpoint(char *cpfile, u_int32_t
else
logit("failed to write to checkpoint file '%s': %s", cpfile,
strerror(errno));
+ /* coverity[leaked_storage : FALSE] */
}
static unsigned long
diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
--- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100 --- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100
+++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100 +++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100
@ -28,13 +266,22 @@ diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
; ;
if (pmonitor->m_recvfd >= 0) if (pmonitor->m_recvfd >= 0)
@@ -1678,7 +1678,7 @@ mm_answer_pty(struct ssh *ssh, int sock,
s->ptymaster = s->ptyfd;
debug3_f("tty %s ptyfd %d", s->tty, s->ttyfd);
-
+ /* coverity[leaked_handle : FALSE] */
return (0);
error:
diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
--- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100 --- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100 +++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, @@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 || if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) { (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
error("%s: cannot allocate fds for pty", __func__); error_f("cannot allocate fds for pty");
- if (tmp1 > 0) - if (tmp1 > 0)
+ if (tmp1 >= 0) + if (tmp1 >= 0)
close(tmp1); close(tmp1);
@ -57,30 +304,67 @@ diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/open
int i; int i;
if (sa == NULL) { if (sa == NULL) {
diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c diff -up openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity openssh-8.7p1/openbsd-compat/bsd-pselect.c
--- openssh-7.4p1/scp.c.coverity 2016-12-23 16:40:26.856788681 +0100 --- openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity 2021-08-30 16:36:11.357288009 +0200
+++ openssh-7.4p1/scp.c 2016-12-23 16:40:26.901788691 +0100 +++ openssh-8.7p1/openbsd-compat/bsd-pselect.c 2021-08-30 16:37:21.791897976 +0200
@@ -157,7 +157,7 @@ killchild(int signo) @@ -113,13 +113,13 @@ pselect_notify_setup(void)
static void
pselect_notify_parent(void)
{
- if (notify_pipe[1] != -1)
+ if (notify_pipe[1] >= 0)
(void)write(notify_pipe[1], "", 1);
}
static void
pselect_notify_prepare(fd_set *readset)
{
- if (notify_pipe[0] != -1)
+ if (notify_pipe[0] >= 0)
FD_SET(notify_pipe[0], readset);
}
static void
@@ -127,8 +127,8 @@ pselect_notify_done(fd_set *readset)
{
char c;
- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset)) {
- while (read(notify_pipe[0], &c, 1) != -1)
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset)) {
+ while (read(notify_pipe[0], &c, 1) >= 0)
debug2_f("reading");
FD_CLR(notify_pipe[0], readset);
}
diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
--- openssh-8.5p1/readconf.c.coverity 2021-03-24 12:03:33.778968131 +0100
+++ openssh-8.5p1/readconf.c 2021-03-24 12:03:33.785968180 +0100
@@ -1847,6 +1847,7 @@ parse_pubkey_algos:
} else if (r != 0) {
error("%.200s line %d: glob failed for %s.",
filename, linenum, arg2);
+ free(arg2);
goto out;
}
free(arg2);
diff -up openssh-8.7p1/scp.c.coverity openssh-8.7p1/scp.c
--- openssh-8.7p1/scp.c.coverity 2021-08-30 16:23:35.389741329 +0200
+++ openssh-8.7p1/scp.c 2021-08-30 16:27:04.854555296 +0200
@@ -186,11 +186,11 @@ killchild(int signo)
{ {
if (do_cmd_pid > 1) { if (do_cmd_pid > 1) {
kill(do_cmd_pid, signo ? signo : SIGTERM); kill(do_cmd_pid, signo ? signo : SIGTERM);
- waitpid(do_cmd_pid, NULL, 0); - waitpid(do_cmd_pid, NULL, 0);
+ (void) waitpid(do_cmd_pid, NULL, 0); + (void) waitpid(do_cmd_pid, NULL, 0);
} }
if (do_cmd_pid2 > 1) {
kill(do_cmd_pid2, signo ? signo : SIGTERM);
- waitpid(do_cmd_pid2, NULL, 0);
+ (void) waitpid(do_cmd_pid2, NULL, 0);
}
if (signo) if (signo)
diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100 --- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100 +++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100
@@ -1547,7 +1547,7 @@ process_server_config_line(ServerOptions
fatal("%s line %d: Missing subsystem name.",
filename, linenum);
if (!*activep) {
- arg = strdelim(&cp);
+ /*arg =*/ (void) strdelim(&cp);
break;
}
for (i = 0; i < options->num_subsystems; i++)
@@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions @@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions
if (*activep && *charptr == NULL) { if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid()); *charptr = tilde_expand_filename(arg, getuid());
@ -93,38 +377,11 @@ diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
} }
break; break;
diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c
--- openssh-7.4p1/serverloop.c.coverity 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.7p1/serverloop.c.coverity 2021-08-20 06:03:49.000000000 +0200
+++ openssh-7.4p1/serverloop.c 2016-12-23 16:40:26.902788691 +0100 +++ openssh-8.7p1/serverloop.c 2021-08-30 16:28:22.416226981 +0200
@@ -125,13 +125,13 @@ notify_setup(void) @@ -547,7 +547,7 @@ server_request_tun(struct ssh *ssh)
static void debug_f("invalid tun");
notify_parent(void)
{
- if (notify_pipe[1] != -1)
+ if (notify_pipe[1] >= 0)
(void)write(notify_pipe[1], "", 1);
}
static void
notify_prepare(fd_set *readset)
{
- if (notify_pipe[0] != -1)
+ if (notify_pipe[0] >= 0)
FD_SET(notify_pipe[0], readset);
}
static void
@@ -139,8 +139,8 @@ notify_done(fd_set *readset)
{
char c;
- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset))
- while (read(notify_pipe[0], &c, 1) != -1)
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
+ while (read(notify_pipe[0], &c, 1) >= 0)
debug2("%s: reading", __func__);
}
@@ -518,7 +518,7 @@ server_request_tun(void)
debug("%s: invalid tun", __func__);
goto done; goto done;
} }
- if (auth_opts->force_tun_device != -1) { - if (auth_opts->force_tun_device != -1) {
@ -132,6 +389,24 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
if (tun != SSH_TUNID_ANY && if (tun != SSH_TUNID_ANY &&
auth_opts->force_tun_device != (int)tun) auth_opts->force_tun_device != (int)tun)
goto done; goto done;
diff -up openssh-8.5p1/session.c.coverity openssh-8.5p1/session.c
--- openssh-8.5p1/session.c.coverity 2021-03-24 12:03:33.777968124 +0100
+++ openssh-8.5p1/session.c 2021-03-24 12:03:33.786968187 +0100
@@ -1223,12 +1223,14 @@ do_setup_env(struct ssh *ssh, Session *s
/* Environment specified by admin */
for (i = 0; i < options.num_setenv; i++) {
cp = xstrdup(options.setenv[i]);
+ /* coverity[overwrite_var : FALSE] */
if ((value = strchr(cp, '=')) == NULL) {
/* shouldn't happen; vars are checked in servconf.c */
fatal("Invalid config SetEnv: %s", options.setenv[i]);
}
*value++ = '\0';
child_set_env(&env, &envsize, cp, value);
+ free(cp);
}
/* SSH_CLIENT deprecated */
diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100 --- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100 +++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
@ -144,9 +419,45 @@ diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
} }
_exit(1); _exit(1);
@@ -762,6 +762,8 @@ process_put(struct sftp_conn *conn, cons
fflag || global_fflag) == -1)
err = -1;
}
+ free(abs_dst);
+ abs_dst = NULL;
}
out:
@@ -985,6 +987,7 @@ do_globbed_ls(struct sftp_conn *conn, co
if (lflag & LS_LONG_VIEW) {
if (g.gl_statv[i] == NULL) {
error("no stat information for %s", fname);
+ free(fname);
continue;
}
lname = ls_file(fname, g.gl_statv[i], 1,
diff -up openssh-8.5p1/sk-usbhid.c.coverity openssh-8.5p1/sk-usbhid.c
--- openssh-8.5p1/sk-usbhid.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/sk-usbhid.c 2021-03-24 12:03:33.786968187 +0100
@@ -1256,6 +1256,7 @@ sk_load_resident_keys(const char *pin, s
freezero(rks[i], sizeof(*rks[i]));
}
free(rks);
+ free(device);
return ret;
}
diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
--- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100 --- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100 +++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100
@@ -869,6 +869,7 @@ sanitize_pkcs11_provider(const char *pro
if (pkcs11_uri_parse(provider, uri) != 0) {
error("Failed to parse PKCS#11 URI");
+ pkcs11_uri_cleanup(uri);
return NULL;
}
/* validate also provider from URI */
@@ -1220,8 +1220,8 @@ main(int ac, char **av) @@ -1220,8 +1220,8 @@ main(int ac, char **av)
sanitise_stdfd(); sanitise_stdfd();
@ -158,6 +469,17 @@ diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
platform_disable_tracing(0); /* strict=no */ platform_disable_tracing(0); /* strict=no */
diff -up openssh-8.5p1/ssh.c.coverity openssh-8.5p1/ssh.c
--- openssh-8.5p1/ssh.c.coverity 2021-03-24 12:03:33.779968138 +0100
+++ openssh-8.5p1/ssh.c 2021-03-24 12:03:33.786968187 +0100
@@ -1746,6 +1746,7 @@ control_persist_detach(void)
close(muxserver_sock);
muxserver_sock = -1;
options.control_master = SSHCTL_MASTER_NO;
+ /* coverity[leaked_handle: FALSE]*/
muxclient(options.control_path);
/* muxclient() doesn't return on success. */
fatal("Failed to connect to new control master");
diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
--- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100 --- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100
+++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100 +++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100
@ -183,3 +505,67 @@ diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
} }
/* /*
@@ -2474,7 +2479,7 @@ do_ssh2_kex(struct ssh *ssh)
if (options.rekey_limit || options.rekey_interval)
ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
options.rekey_interval);
-
+ /* coverity[leaked_storage : FALSE]*/
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
ssh, list_hostkey_types());
@@ -2519,8 +2524,11 @@ do_ssh2_kex(struct ssh *ssh)
if (newstr)
myproposal[PROPOSAL_KEX_ALGS] = newstr;
- else
+ else {
fatal("No supported key exchange algorithms");
+ free(gss);
+ }
+ /* coverity[leaked_storage: FALSE]*/
}
#endif
diff -up openssh-8.5p1/ssh-keygen.c.coverity openssh-8.5p1/ssh-keygen.c
--- openssh-8.5p1/ssh-keygen.c.coverity 2021-03-24 12:03:33.780968145 +0100
+++ openssh-8.5p1/ssh-keygen.c 2021-03-24 12:03:33.787968194 +0100
@@ -2332,6 +2332,9 @@ update_krl_from_file(struct passwd *pw,
r = ssh_krl_revoke_key_sha256(krl, blob, blen);
if (r != 0)
fatal_fr(r, "revoke key failed");
+ freezero(blob, blen);
+ blob = NULL;
+ blen = 0;
} else {
if (strncasecmp(cp, "key:", 4) == 0) {
cp += 4;
@@ -2879,6 +2882,7 @@ do_moduli_screen(const char *out_file, c
} else if (strncmp(opts[i], "start-line=", 11) == 0) {
start_lineno = strtoul(opts[i]+11, NULL, 10);
} else if (strncmp(opts[i], "checkpoint=", 11) == 0) {
+ free(checkpoint);
checkpoint = xstrdup(opts[i]+11);
} else if (strncmp(opts[i], "generator=", 10) == 0) {
generator_wanted = (u_int32_t)strtonum(
@@ -2920,6 +2924,9 @@ do_moduli_screen(const char *out_file, c
#else /* WITH_OPENSSL */
fatal("Moduli screening is not supported");
#endif /* WITH_OPENSSL */
+ free(checkpoint);
+ if (in != stdin)
+ fclose(in);
}
static char *
diff -up openssh-8.5p1/sshsig.c.coverity openssh-8.5p1/sshsig.c
--- openssh-8.5p1/sshsig.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/sshsig.c 2021-03-24 12:03:33.787968194 +0100
@@ -515,6 +515,7 @@ hash_file(int fd, const char *hashalg, s
oerrno = errno;
error_f("read: %s", strerror(errno));
ssh_digest_free(ctx);
+ ctx = NULL;
errno = oerrno;
r = SSH_ERR_SYSTEM_ERROR;
goto out;


@ -1,618 +0,0 @@
diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.kdf-cavs 2015-03-18 11:23:46.346049359 +0100
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:24:20.395968445 +0100
@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-h
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
SSH_KEYCAT=$(libexecdir)/ssh-keycat
CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
+SSH_CAVS=$(libexecdir)/ssh-cavs
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
@@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@
.SUFFIXES: .lo
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
XMSS_OBJS=\
ssh-xmss.o \
@@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS)
+ $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -331,6 +335,8 @@ install-files:
fi
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs_driver.pl $(DESTDIR)$(libexecdir)/ssh-cavs_driver.pl
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
--- openssh-6.8p1/ssh-cavs.c.kdf-cavs 2015-03-18 11:23:46.348049354 +0100
+++ openssh-6.8p1/ssh-cavs.c 2015-03-18 11:23:46.348049354 +0100
@@ -0,0 +1,387 @@
+/*
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU General Public License, in which case the provisions of the GPL2
+ * are required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
+ * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ */
+
+#include "includes.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+
+#include "xmalloc.h"
+#include "sshbuf.h"
+#include "sshkey.h"
+#include "cipher.h"
+#include "kex.h"
+#include "packet.h"
+#include "digest.h"
+
+static int bin_char(unsigned char hex)
+{
+ if (48 <= hex && 57 >= hex)
+ return (hex - 48);
+ if (65 <= hex && 70 >= hex)
+ return (hex - 55);
+ if (97 <= hex && 102 >= hex)
+ return (hex - 87);
+ return 0;
+}
+
+/*
+ * Convert hex representation into binary string
+ * @hex input buffer with hex representation
+ * @hexlen length of hex
+ * @bin output buffer with binary data
+ * @binlen length of already allocated bin buffer (should be at least
+ * half of hexlen -- if not, only a fraction of hexlen is converted)
+ */
+static void hex2bin(const char *hex, size_t hexlen,
+ unsigned char *bin, size_t binlen)
+{
+ size_t i = 0;
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
+
+ for (i = 0; i < chars; i++) {
+ bin[i] = bin_char(hex[(i*2)]) << 4;
+ bin[i] |= bin_char(hex[((i*2)+1)]);
+ }
+}
+
+/*
+ * Allocate sufficient space for binary representation of hex
+ * and convert hex into bin
+ *
+ * Caller must free bin
+ * @hex input buffer with hex representation
+ * @hexlen length of hex
+ * @bin return value holding the pointer to the newly allocated buffer
+ * @binlen return value holding the allocated size of bin
+ *
+ * return: 0 on success, !0 otherwise
+ */
+static int hex2bin_alloc(const char *hex, size_t hexlen,
+ unsigned char **bin, size_t *binlen)
+{
+ unsigned char *out = NULL;
+ size_t outlen = 0;
+
+ if (!hexlen)
+ return -EINVAL;
+
+ outlen = (hexlen + 1) / 2;
+
+ out = calloc(1, outlen);
+ if (!out)
+ return -errno;
+
+ hex2bin(hex, hexlen, out, outlen);
+ *bin = out;
+ *binlen = outlen;
+ return 0;
+}
+
+static char hex_char_map_l[] = { '0', '1', '2', '3', '4', '5', '6', '7',
+ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
+static char hex_char_map_u[] = { '0', '1', '2', '3', '4', '5', '6', '7',
+ '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
+static char hex_char(unsigned int bin, int u)
+{
+ if (bin < sizeof(hex_char_map_l))
+ return (u) ? hex_char_map_u[bin] : hex_char_map_l[bin];
+ return 'X';
+}
+
+/*
+ * Convert binary string into hex representation
+ * @bin input buffer with binary data
+ * @binlen length of bin
+ * @hex output buffer to store hex data
+ * @hexlen length of already allocated hex buffer (should be at least
+ * twice binlen -- if not, only a fraction of binlen is converted)
+ * @u case of hex characters (0=>lower case, 1=>upper case)
+ */
+static void bin2hex(const unsigned char *bin, size_t binlen,
+ char *hex, size_t hexlen, int u)
+{
+ size_t i = 0;
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
+
+ for (i = 0; i < chars; i++) {
+ hex[(i*2)] = hex_char((bin[i] >> 4), u);
+ hex[((i*2)+1)] = hex_char((bin[i] & 0x0f), u);
+ }
+}
+
+struct kdf_cavs {
+ unsigned char *K;
+ size_t Klen;
+ unsigned char *H;
+ size_t Hlen;
+ unsigned char *session_id;
+ size_t session_id_len;
+
+ unsigned int iv_len;
+ unsigned int ek_len;
+ unsigned int ik_len;
+};
+
+static int sshkdf_cavs(struct kdf_cavs *test)
+{
+ int ret = 0;
+ struct kex kex;
+ struct sshbuf *Kb = NULL;
+ BIGNUM *Kbn = NULL;
+ int mode = 0;
+ struct newkeys *ctoskeys;
+ struct newkeys *stockeys;
+ struct ssh *ssh = NULL;
+
+#define HEXOUTLEN 500
+ char hex[HEXOUTLEN];
+
+ memset(&kex, 0, sizeof(struct kex));
+
+ Kbn = BN_new();
+ BN_bin2bn(test->K, test->Klen, Kbn);
+ if (!Kbn) {
+ printf("cannot convert K into bignum\n");
+ ret = 1;
+ goto out;
+ }
+ Kb = sshbuf_new();
+ if (!Kb) {
+ printf("cannot convert K into sshbuf\n");
+ ret = 1;
+ goto out;
+ }
+ sshbuf_put_bignum2(Kb, Kbn);
+
+ kex.session_id = test->session_id;
+ kex.session_id_len = test->session_id_len;
+
+ /* setup kex */
+
+ /* select the right hash based on struct ssh_digest digests */
+ switch (test->ik_len) {
+ case 20:
+ kex.hash_alg = SSH_DIGEST_SHA1;
+ break;
+ case 32:
+ kex.hash_alg = SSH_DIGEST_SHA256;
+ break;
+ case 48:
+ kex.hash_alg = SSH_DIGEST_SHA384;
+ break;
+ case 64:
+ kex.hash_alg = SSH_DIGEST_SHA512;
+ break;
+ default:
+ printf("Wrong hash type %u\n", test->ik_len);
+ ret = 1;
+ goto out;
+ }
+
+ /* implement choose_enc */
+ for (mode = 0; mode < 2; mode++) {
+ kex.newkeys[mode] = calloc(1, sizeof(struct newkeys));
+ if (!kex.newkeys[mode]) {
+ printf("allocation of newkeys failed\n");
+ ret = 1;
+ goto out;
+ }
+ kex.newkeys[mode]->enc.iv_len = test->iv_len;
+ kex.newkeys[mode]->enc.key_len = test->ek_len;
+ kex.newkeys[mode]->enc.block_size = (test->iv_len == 64) ? 8 : 16;
+ kex.newkeys[mode]->mac.key_len = test->ik_len;
+ }
+
+ /* implement kex_choose_conf */
+ kex.we_need = kex.newkeys[0]->enc.key_len;
+ if (kex.we_need < kex.newkeys[0]->enc.block_size)
+ kex.we_need = kex.newkeys[0]->enc.block_size;
+ if (kex.we_need < kex.newkeys[0]->enc.iv_len)
+ kex.we_need = kex.newkeys[0]->enc.iv_len;
+ if (kex.we_need < kex.newkeys[0]->mac.key_len)
+ kex.we_need = kex.newkeys[0]->mac.key_len;
+
+ /* MODE_OUT (1) -> server to client
+ * MODE_IN (0) -> client to server */
+ kex.server = 1;
+
+ /* do it */
+ if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL){
+ printf("Allocation error\n");
+ goto out;
+ }
+ ssh->kex = &kex;
+ kex_derive_keys(ssh, test->H, test->Hlen, Kb);
+
+ ctoskeys = kex.newkeys[0];
+ stockeys = kex.newkeys[1];
+
+ /* get data */
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(ctoskeys->enc.iv, (size_t)ctoskeys->enc.iv_len,
+ hex, HEXOUTLEN, 0);
+ printf("Initial IV (client to server) = %s\n", hex);
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(stockeys->enc.iv, (size_t)stockeys->enc.iv_len,
+ hex, HEXOUTLEN, 0);
+ printf("Initial IV (server to client) = %s\n", hex);
+
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(ctoskeys->enc.key, (size_t)ctoskeys->enc.key_len,
+ hex, HEXOUTLEN, 0);
+ printf("Encryption key (client to server) = %s\n", hex);
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(stockeys->enc.key, (size_t)stockeys->enc.key_len,
+ hex, HEXOUTLEN, 0);
+ printf("Encryption key (server to client) = %s\n", hex);
+
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(ctoskeys->mac.key, (size_t)ctoskeys->mac.key_len,
+ hex, HEXOUTLEN, 0);
+ printf("Integrity key (client to server) = %s\n", hex);
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(stockeys->mac.key, (size_t)stockeys->mac.key_len,
+ hex, HEXOUTLEN, 0);
+ printf("Integrity key (server to client) = %s\n", hex);
+
+out:
+ if (Kbn)
+ BN_free(Kbn);
+ if (Kb)
+ sshbuf_free(Kb);
+ if (ssh)
+ ssh_packet_close(ssh);
+ return ret;
+}
+
+static void usage(void)
+{
+ fprintf(stderr, "\nOpenSSH KDF CAVS Test\n\n");
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, "\t-K\tShared secret string\n");
+ fprintf(stderr, "\t-H\tHash string\n");
+ fprintf(stderr, "\t-s\tSession ID string\n");
+ fprintf(stderr, "\t-i\tIV length to be generated\n");
+ fprintf(stderr, "\t-e\tEncryption key length to be generated\n");
+ fprintf(stderr, "\t-m\tMAC key length to be generated\n");
+}
+
+/*
+ * Test command example:
+ * ./ssh-cavs -K 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 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
+ *
+ * Initial IV (client to server) = 4bb320d1679dfd3a
+ * Initial IV (server to client) = 43dea6fdf263a308
+ * Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
+ * Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
+ * Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
+ * Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
+ */
+int main(int argc, char *argv[])
+{
+ struct kdf_cavs test;
+ int ret = 1;
+ int opt = 0;
+
+ memset(&test, 0, sizeof(struct kdf_cavs));
+ while((opt = getopt(argc, argv, "K:H:s:i:e:m:")) != -1)
+ {
+ size_t len = 0;
+ switch(opt)
+ {
+ /*
+ * CAVS K is MPINT
+ * we want a hex (i.e. the caller must ensure the
+ * following transformations already happened):
+ * 1. cut off first four bytes
+ * 2. if most significant bit of value is
+ * 1, prepend 0 byte
+ */
+ case 'K':
+ len = strlen(optarg);
+ ret = hex2bin_alloc(optarg, len,
+ &test.K, &test.Klen);
+ if (ret)
+ goto out;
+ break;
+ case 'H':
+ len = strlen(optarg);
+ ret = hex2bin_alloc(optarg, len,
+ &test.H, &test.Hlen);
+ if (ret)
+ goto out;
+ break;
+ case 's':
+ len = strlen(optarg);
+ ret = hex2bin_alloc(optarg, len,
+ &test.session_id,
+ &test.session_id_len);
+ if (ret)
+ goto out;
+ break;
+ case 'i':
+ test.iv_len = strtoul(optarg, NULL, 10);
+ break;
+ case 'e':
+ test.ek_len = strtoul(optarg, NULL, 10);
+ break;
+ case 'm':
+ test.ik_len = strtoul(optarg, NULL, 10);
+ break;
+ default:
+ usage();
+ goto out;
+ }
+ }
+
+ ret = sshkdf_cavs(&test);
+
+out:
+ if (test.session_id)
+ free(test.session_id);
+ if (test.K)
+ free(test.K);
+ if (test.H)
+ free(test.H);
+ return ret;
+
+}
diff -up openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs openssh-6.8p1/ssh-cavs_driver.pl
--- openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs 2015-03-18 11:23:46.348049354 +0100
+++ openssh-6.8p1/ssh-cavs_driver.pl 2015-03-18 11:23:46.348049354 +0100
@@ -0,0 +1,184 @@
+#!/usr/bin/env perl
+#
+# CAVS test driver for OpenSSH
+#
+# Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# NO WARRANTY
+#
+# BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+# FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+# OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+# PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+# OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+# TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+# PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+# REPAIR OR CORRECTION.
+#
+# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+# REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+# INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+# OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+# TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+# YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+# PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGES.
+#
+use strict;
+use warnings;
+use IPC::Open2;
+
+# Executing a program by feeding STDIN and retrieving
+# STDOUT
+# $1: data string to be piped to the app on STDIN
+# rest: program and args
+# returns: STDOUT of program as string
+sub pipe_through_program($@) {
+ my $in = shift;
+ my @args = @_;
+
+ my ($CO, $CI);
+ my $pid = open2($CO, $CI, @args);
+
+ my $out = "";
+ my $len = length($in);
+ my $first = 1;
+ while (1) {
+ my $rin = "";
+ my $win = "";
+ # Output of prog is FD that we read
+ vec($rin,fileno($CO),1) = 1;
+ # Input of prog is FD that we write
+ # check for $first is needed because we can have NULL input
+ # that is to be written to the app
+ if ( $len > 0 || $first) {
+ (vec($win,fileno($CI),1) = 1);
+ $first=0;
+ }
+ # Let us wait for 100ms
+ my $nfound = select(my $rout=$rin, my $wout=$win, undef, 0.1);
+ if ( $wout ) {
+ my $written = syswrite($CI, $in, $len);
+ die "broken pipe" if !defined $written;
+ $len -= $written;
+ substr($in, 0, $written) = "";
+ if ($len <= 0) {
+ close $CI or die "broken pipe: $!";
+ }
+ }
+ if ( $rout ) {
+ my $tmp_out = "";
+ my $bytes_read = sysread($CO, $tmp_out, 4096);
+ $out .= $tmp_out;
+ last if ($bytes_read == 0);
+ }
+ }
+ close $CO or die "broken pipe: $!";
+ waitpid $pid, 0;
+
+ return $out;
+}
+
+# Parser of CAVS test vector file
+# $1: Test vector file
+# $2: Output file for test results
+# return: nothing
+sub parse($$) {
+ my $infile = shift;
+ my $outfile = shift;
+
+ my $out = "";
+
+ my $K = "";
+ my $H = "";
+ my $session_id = "";
+ my $ivlen = 0;
+ my $eklen = "";
+ my $iklen = "";
+
+ open(IN, "<$infile");
+ while(<IN>) {
+
+ my $line = $_;
+ chomp($line);
+ $line =~ s/\r//;
+
+ if ($line =~ /\[SHA-1\]/) {
+ $iklen = 20;
+ } elsif ($line =~ /\[SHA-256\]/) {
+ $iklen = 32;
+ } elsif ($line =~ /\[SHA-384\]/) {
+ $iklen = 48;
+ } elsif ($line =~ /\[SHA-512\]/) {
+ $iklen = 64;
+ } elsif ($line =~ /^\[IV length\s*=\s*(.*)\]/) {
+ $ivlen = $1;
+ $ivlen = $ivlen / 8;
+ } elsif ($line =~ /^\[encryption key length\s*=\s*(.*)\]/) {
+ $eklen = $1;
+ $eklen = $eklen / 8;
+ } elsif ($line =~ /^K\s*=\s*(.*)/) {
+ $K = $1;
+ $K = substr($K, 8);
+ $K = "00" . $K;
+ } elsif ($line =~ /^H\s*=\s*(.*)/) {
+ $H = $1;
+ } elsif ($line =~ /^session_id\s*=\s*(.*)/) {
+ $session_id = $1;
+ }
+ $out .= $line . "\n";
+
+ if ($K ne "" && $H ne "" && $session_id ne "" &&
+ $ivlen ne "" && $eklen ne "" && $iklen > 0) {
+ $out .= pipe_through_program("", "./ssh-cavs -H $H -K $K -s $session_id -i $ivlen -e $eklen -m $iklen");
+
+ $K = "";
+ $H = "";
+ $session_id = "";
+ }
+ }
+ close IN;
+ $out =~ s/\n/\r\n/g; # make it a dos file
+ open(OUT, ">$outfile") or die "Cannot create output file $outfile: $?";
+ print OUT $out;
+ close OUT;
+}
+
+############################################################
+#
+# let us pretend to be C :-)
+sub main() {
+
+ my $infile=$ARGV[0];
+ die "Error: Test vector file $infile not found" if (! -f $infile);
+
+ my $outfile = $infile;
+ # let us add .rsp regardless whether we could strip .req
+ $outfile =~ s/\.req$//;
+ $outfile .= ".rsp";
+ if (-f $outfile) {
+ die "Output file $outfile could not be removed: $?"
+ unless unlink($outfile);
+ }
+ print STDERR "Performing tests from source file $infile with results stored in destination file $outfile\n";
+
+ # Do the job
+ parse($infile, $outfile);
+}
+
+###########################################
+# Call it
+main();
+1;


@ -2,21 +2,23 @@ diff -up openssh-7.2p2/sftp-server.8.sftp-force-mode openssh-7.2p2/sftp-server.8
--- openssh-7.2p2/sftp-server.8.sftp-force-mode 2016-03-09 19:04:48.000000000 +0100 --- openssh-7.2p2/sftp-server.8.sftp-force-mode 2016-03-09 19:04:48.000000000 +0100
+++ openssh-7.2p2/sftp-server.8 2016-06-23 16:18:20.463854117 +0200 +++ openssh-7.2p2/sftp-server.8 2016-06-23 16:18:20.463854117 +0200
@@ -38,6 +38,7 @@ @@ -38,6 +38,7 @@
.Op Fl P Ar blacklisted_requests .Op Fl P Ar denied_requests
.Op Fl p Ar whitelisted_requests .Op Fl p Ar allowed_requests
.Op Fl u Ar umask .Op Fl u Ar umask
+.Op Fl m Ar force_file_perms +.Op Fl m Ar force_file_perms
.Ek .Ek
.Nm .Nm
.Fl Q Ar protocol_feature .Fl Q Ar protocol_feature
@@ -138,6 +139,10 @@ Sets an explicit @@ -138,6 +139,12 @@ Sets an explicit
.Xr umask 2 .Xr umask 2
to be applied to newly-created files and directories, instead of the to be applied to newly-created files and directories, instead of the
user's default mask. user's default mask.
+.It Fl m Ar force_file_perms +.It Fl m Ar force_file_perms
+Sets explicit file permissions to be applied to newly-created files instead +Sets explicit file permissions to be applied to newly-created files instead
+of the default or client requested mode. Numeric values include: +of the default or client requested mode. Numeric values include:
+777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set. +777, 755, 750, 666, 644, 640, etc. Using both -m and -u switches makes the
+umask (-u) effective only for newly created directories and explicit mode (-m)
+for newly created files.
.El .El
.Pp .Pp
On some systems, On some systems,
@ -65,9 +67,9 @@ diff -up openssh-7.2p2/sftp-server.c.sftp-force-mode openssh-7.2p2/sftp-server.c
@@ -1494,7 +1505,7 @@ sftp_server_usage(void) @@ -1494,7 +1505,7 @@ sftp_server_usage(void)
fprintf(stderr, fprintf(stderr,
"usage: %s [-ehR] [-d start_directory] [-f log_facility] " "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
"[-l log_level]\n\t[-P blacklisted_requests] " "[-l log_level]\n\t[-P denied_requests] "
- "[-p whitelisted_requests] [-u umask]\n" - "[-p allowed_requests] [-u umask]\n"
+ "[-p whitelisted_requests] [-u umask] [-m force_file_perms]\n" + "[-p allowed_requests] [-u umask] [-m force_file_perms]\n"
" %s -Q protocol_feature\n", " %s -Q protocol_feature\n",
__progname, __progname); __progname, __progname);
exit(1); exit(1);


@ -13,33 +13,33 @@ diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
+ struct sshbuf *m; + struct sshbuf *m;
+ int r, ret = 0; + int r, ret = 0;
+ +
+ debug3("%s: entering", __func__); + debug3_f("entering");
+ if ((m = sshbuf_new()) == NULL) + if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed");
+ do { + do {
+ blen = atomicio(read, fdin, buf, sizeof(buf)); + blen = atomicio(read, fdin, buf, sizeof(buf));
+ if (blen == 0) /* closed pipe */ + if (blen == 0) /* closed pipe */
+ break; + break;
+ if (blen != sizeof(buf)) { + if (blen != sizeof(buf)) {
+ error("%s: Failed to read the buffer from child", __func__); + error_f("Failed to read the buffer from child");
+ ret = -1; + ret = -1;
+ break; + break;
+ } + }
+ +
+ msg_len = get_u32(buf); + msg_len = get_u32(buf);
+ if (msg_len > 256 * 1024) + if (msg_len > 256 * 1024)
+ fatal("%s: read: bad msg_len %d", __func__, msg_len); + fatal_f("read: bad msg_len %d", msg_len);
+ sshbuf_reset(m); + sshbuf_reset(m);
+ if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0) + if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) { + if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
+ error("%s: Failed to read the the buffer content from the child", __func__); + error_f("Failed to read the the buffer content from the child");
+ ret = -1; + ret = -1;
+ break; + break;
+ } + }
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen || + if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
+ atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) { + atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
+ error("%s: Failed to write the message to the monitor", __func__); + error_f("Failed to write the message to the monitor");
+ ret = -1; + ret = -1;
+ break; + break;
+ } + }
@ -137,7 +137,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
} }
@@ -1538,6 +1565,34 @@ child_close_fds(void) @@ -1538,6 +1565,34 @@ child_close_fds(void)
endpwent(); log_redirect_stderr_to(NULL);
} }
+void +void
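Review bot: `fatal_f("read: bad msg_len %d", msg_len);` formats msg_len with `%d` although the value comes from `get_u32(buf)`, so if msg_len is declared unsigned (its declaration is above the hunk) the specifier should be `%u`; this line is the only diagnostic an operator gets when the child's length prefix is rejected, and a length above INT_MAX would be logged as a negative number. While the messages are being converted to the `_f` helpers, `error_f("Failed to read the the buffer content from the child");` carries a duplicated "the". The enclosing function starts and ends outside the hunk.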


@ -49,7 +49,7 @@ index a7c0c5f..df8cc9a 100644
+ int ret = 0; + int ret = 0;
+ +
+ ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory); + ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory);
+ debug3("%s: k5login_directory = %s (rv=%d)", __func__, k5login_directory, ret); + debug3_f("k5login_directory = %s (rv=%d)", k5login_directory, ret);
+ if (k5login_directory == NULL || ret != 0) { + if (k5login_directory == NULL || ret != 0) {
+ /* If not set, the library will look for k5login + /* If not set, the library will look for k5login
+ * files in the user's home directory, with the filename .k5login. + * files in the user's home directory, with the filename .k5login.
@ -64,7 +64,7 @@ index a7c0c5f..df8cc9a 100644
+ k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "", + k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "",
+ pw->pw_name); + pw->pw_name);
+ } + }
+ debug("%s: Checking existence of file %s", __func__, file); + debug_f("Checking existence of file %s", file);
- snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir); - snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
return access(file, F_OK) == 0; return access(file, F_OK) == 0;
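Review bot: `debug3_f("k5login_directory = %s (rv=%d)", k5login_directory, ret);` passes k5login_directory to `%s` one line before the `k5login_directory == NULL || ret != 0` check, so on the failure path a NULL pointer reaches the format call (glibc prints "(null)", but it is undefined behaviour in C); either move the debug below the check or guard the argument: `debug3_f("k5login_directory = %s (rv=%d)", k5login_directory != NULL ? k5login_directory : "(null)", ret);`. In the second hunk, `k5login_directory[strlen(k5login_directory)-1]` reads the byte before the string if the configured directory is an empty string; whether the krb5 profile lookup can return "" is not visible here, so a `*k5login_directory != '\0'` guard is worth confirming. The enclosing function starts and ends outside both hunks.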


@ -110,8 +110,8 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
options->x11_use_localhost = 1; options->x11_use_localhost = 1;
if (options->xauth_location == NULL) if (options->xauth_location == NULL)
@@ -419,7 +422,7 @@ typedef enum { @@ -419,7 +422,7 @@ typedef enum {
sPasswordAuthentication, sKbdInteractiveAuthentication, sPasswordAuthentication,
sListenAddress, sAddressFamily, sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts, sPrintMotd, sPrintLastLog, sIgnoreRhosts,
- sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, - sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
+ sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost, + sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost,



@ -2,9 +2,9 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
--- openssh/auth2-pubkey.c.refactor 2019-04-04 13:19:12.188821236 +0200 --- openssh/auth2-pubkey.c.refactor 2019-04-04 13:19:12.188821236 +0200
+++ openssh/auth2-pubkey.c 2019-04-04 13:19:12.276822078 +0200 +++ openssh/auth2-pubkey.c 2019-04-04 13:19:12.276822078 +0200
@@ -72,6 +72,9 @@ @@ -72,6 +72,9 @@
/* import */
extern ServerOptions options; extern ServerOptions options;
extern u_char *session_id2;
extern u_int session_id2_len;
+extern int inetd_flag; +extern int inetd_flag;
+extern int rexeced_flag; +extern int rexeced_flag;
+extern Authctxt *the_authctxt; +extern Authctxt *the_authctxt;
@ -12,59 +12,59 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
static char * static char *
format_key(const struct sshkey *key) format_key(const struct sshkey *key)
@@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh @@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh
if ((pid = subprocess("AuthorizedPrincipalsCommand", command,
if ((pid = subprocess("AuthorizedPrincipalsCommand", runas_pw, command,
ac, av, &f, ac, av, &f,
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0) SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD, - runas_pw, temporarily_use_uid, restore_uid)) == 0)
+ runas_pw, temporarily_use_uid, restore_uid,
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0) + (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
goto out; goto out;
uid_swapped = 1; uid_swapped = 1;
@@ -981,7 +985,8 @@ user_key_command_allowed2(struct ssh *ss @@ -981,7 +985,8 @@ user_key_command_allowed2(struct ssh *ss
if ((pid = subprocess("AuthorizedKeysCommand", command,
if ((pid = subprocess("AuthorizedKeysCommand", runas_pw, command,
ac, av, &f, ac, av, &f,
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0) SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD, - runas_pw, temporarily_use_uid, restore_uid)) == 0)
+ runas_pw, temporarily_use_uid, restore_uid,
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0) + (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
goto out; goto out;
uid_swapped = 1; uid_swapped = 1;
diff -up openssh/auth.c.refactor openssh/auth.c diff -up openssh/misc.c.refactor openssh/misc.c
--- openssh/auth.c.refactor 2019-04-04 13:19:12.235821686 +0200 --- openssh/misc.c.refactor 2019-04-04 13:19:12.235821686 +0200
+++ openssh/auth.c 2019-04-04 13:19:12.276822078 +0200 +++ openssh/misc.c 2019-04-04 13:19:12.276822078 +0200
@@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh * @@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh *
*/
pid_t pid_t
subprocess(const char *tag, struct passwd *pw, const char *command, subprocess(const char *tag, const char *command,
- int ac, char **av, FILE **child, u_int flags) int ac, char **av, FILE **child, u_int flags,
+ int ac, char **av, FILE **child, u_int flags, int inetd, - struct passwd *pw, privdrop_fn *drop_privs, privrestore_fn *restore_privs)
+ void *the_authctxt) + struct passwd *pw, privdrop_fn *drop_privs,
+ privrestore_fn *restore_privs, int inetd, void *the_authctxt)
{ {
FILE *f = NULL; FILE *f = NULL;
struct stat st; struct stat st;
@@ -872,7 +873,7 @@ subprocess(const char *tag, struct passw @@ -872,7 +873,7 @@ subprocess(const char *tag, struct passw
_exit(1);
} }
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
- if (sshd_selinux_setup_env_variables() < 0) { - if (sshd_selinux_setup_env_variables() < 0) {
+ if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) { + if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
error ("failed to copy environment: %s", error ("failed to copy environment: %s",
strerror(errno)); strerror(errno));
_exit(127); _exit(127);
diff -up openssh/auth.h.refactor openssh/auth.h diff -up openssh/misc.h.refactor openssh/misc.h
--- openssh/auth.h.refactor 2019-04-04 13:19:12.251821839 +0200 --- openssh/misc.h.refactor 2019-04-04 13:19:12.251821839 +0200
+++ openssh/auth.h 2019-04-04 13:19:12.276822078 +0200 +++ openssh/misc.h 2019-04-04 13:19:12.276822078 +0200
@@ -235,7 +235,7 @@ struct passwd *fakepw(void); @@ -235,7 +235,7 @@ struct passwd *fakepw(void);
#define SSH_SUBPROCESS_STDOUT_CAPTURE (1<<1) /* Redirect stdout */ #define SSH_SUBPROCESS_UNSAFE_PATH (1<<3) /* Don't check for safe cmd */
#define SSH_SUBPROCESS_STDERR_DISCARD (1<<2) /* Discard stderr */ #define SSH_SUBPROCESS_PRESERVE_ENV (1<<4) /* Keep parent environment */
pid_t subprocess(const char *, struct passwd *, pid_t subprocess(const char *, const char *, int, char **, FILE **, u_int,
- const char *, int, char **, FILE **, u_int flags); - struct passwd *, privdrop_fn *, privrestore_fn *);
+ const char *, int, char **, FILE **, u_int flags, int, void *); + struct passwd *, privdrop_fn *, privrestore_fn *, int, void *);
int sys_auth_passwd(struct ssh *, const char *);
typedef struct arglist arglist;
struct arglist {
diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
--- openssh/openbsd-compat/port-linux.h.refactor 2019-04-04 13:19:12.256821887 +0200 --- openssh/openbsd-compat/port-linux.h.refactor 2019-04-04 13:19:12.256821887 +0200
+++ openssh/openbsd-compat/port-linux.h 2019-04-04 13:19:12.276822078 +0200 +++ openssh/openbsd-compat/port-linux.h 2019-04-04 13:19:12.276822078 +0200
@ -145,7 +145,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
char *role; char *role;
@@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it @@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it
debug3("%s: setting execution context", __func__); debug3_f("setting execution context");
- ssh_selinux_get_role_level(&role, &reqlvl); - ssh_selinux_get_role_level(&role, &reqlvl);
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt); + ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
@ -203,10 +203,10 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
+ if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) { + if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
switch (security_getenforce()) { switch (security_getenforce()) {
case -1: case -1:
fatal("%s: security_getenforce() failed", __func__); fatal_f("security_getenforce() failed");
@@ -410,7 +411,7 @@ sshd_selinux_setup_exec_context(char *pw @@ -410,7 +411,7 @@ sshd_selinux_setup_exec_context(char *pw
debug3("%s: setting execution context", __func__); debug3_f("setting execution context");
- r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx); - r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt); + r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
@ -269,3 +269,15 @@ diff -up openssh/sshd.c.refactor openssh/sshd.c
#endif #endif
#ifdef USE_PAM #ifdef USE_PAM
if (options.use_pam) { if (options.use_pam) {
diff -up openssh/sshconnect.c.refactor openssh/sshconnect.c
--- openssh/sshconnect.c.refactor 2021-02-24 00:12:03.065325046 +0100
+++ openssh/sshconnect.c 2021-02-24 00:12:12.126449544 +0100
@@ -892,7 +892,7 @@ load_hostkeys_command(struct hostkeys *h
if ((pid = subprocess(tag, command, ac, av, &f,
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_UNSAFE_PATH|
- SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL)) == 0)
+ SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL, 0, NULL)) == 0)
goto out;
load_hostkeys_file(hostkeys, hostfile_hostname, tag, f, 1);
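Review bot: With `subprocess()` moved to misc.c, the `#ifdef WITH_SELINUX` block now calls `sshd_selinux_setup_env_variables(inetd, the_authctxt)` for every caller, and the client call in sshconnect.c passes `0, NULL`, so the sshd_selinux_* helpers (whose bodies are outside this view, though `sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)` shows authctxt being threaded through) must tolerate a NULL authctxt or the block should be guarded, e.g. `if (pw != NULL && sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {`, since the client path has no authentication context to apply. Passing `void *the_authctxt` rather than `Authctxt *` also forgoes type checking at every call site; a forward declaration of `struct Authctxt` in misc.h would keep the header dependency light while restoring it. The `subprocess()` body is only partially visible in these hunks.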


@ -1,6 +1,6 @@
diff -up openssh-8.0p1/cipher-ctr.c.fips openssh-8.0p1/cipher-ctr.c diff -up openssh-8.6p1/cipher-ctr.c.fips openssh-8.6p1/cipher-ctr.c
--- openssh-8.0p1/cipher-ctr.c.fips 2019-07-23 14:55:45.326525641 +0200 --- openssh-8.6p1/cipher-ctr.c.fips 2021-04-19 16:53:02.994577324 +0200
+++ openssh-8.0p1/cipher-ctr.c 2019-07-23 14:55:45.401526401 +0200 +++ openssh-8.6p1/cipher-ctr.c 2021-04-19 16:53:03.064577862 +0200
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void) @@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr; aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP #ifndef SSH_OLD_EVP
@ -11,10 +11,10 @@ diff -up openssh-8.0p1/cipher-ctr.c.fips openssh-8.0p1/cipher-ctr.c
#endif #endif
return (&aes_ctr); return (&aes_ctr);
} }
diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c
--- openssh-8.0p1/dh.c.fips 2019-04-18 00:52:57.000000000 +0200 --- openssh-8.6p1/dh.c.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.0p1/dh.c 2019-07-23 14:55:45.401526401 +0200 +++ openssh-8.6p1/dh.c 2021-04-19 16:58:47.750263410 +0200
@@ -152,6 +152,12 @@ choose_dh(int min, int wantbits, int max @@ -164,6 +164,12 @@ choose_dh(int min, int wantbits, int max
int best, bestcount, which, linenum; int best, bestcount, which, linenum;
struct dhgroup dhg; struct dhgroup dhg;
@ -24,10 +24,10 @@ diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
+ return (dh_new_group_fallback(max)); + return (dh_new_group_fallback(max));
+ } + }
+ +
if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) { if ((f = fopen(get_moduli_filename(), "r")) == NULL) {
logit("WARNING: could not open %s (%s), using fixed modulus", logit("WARNING: could not open %s (%s), using fixed modulus",
_PATH_DH_MODULI, strerror(errno)); get_moduli_filename(), strerror(errno));
@@ -489,4 +495,38 @@ dh_estimate(int bits) @@ -502,4 +508,38 @@ dh_estimate(int bits)
return 8192; return 8192;
} }
@ -66,21 +66,21 @@ diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
+} +}
+ +
#endif /* WITH_OPENSSL */ #endif /* WITH_OPENSSL */
diff -up openssh-8.0p1/dh.h.fips openssh-8.0p1/dh.h diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h
--- openssh-8.0p1/dh.h.fips 2019-04-18 00:52:57.000000000 +0200 --- openssh-8.6p1/dh.h.fips 2021-04-19 16:53:03.064577862 +0200
+++ openssh-8.0p1/dh.h 2019-07-23 14:55:45.401526401 +0200 +++ openssh-8.6p1/dh.h 2021-04-19 16:59:31.951616078 +0200
@@ -43,6 +43,7 @@ DH *dh_new_group_fallback(int); @@ -45,6 +45,7 @@ DH *dh_new_group_fallback(int);
int dh_gen_key(DH *, int); int dh_gen_key(DH *, int);
int dh_pub_is_valid(const DH *, const BIGNUM *); int dh_pub_is_valid(const DH *, const BIGNUM *);
+int dh_is_known_group(const DH *); +int dh_is_known_group(const DH *);
u_int dh_estimate(int); u_int dh_estimate(int);
void dh_set_moduli_file(const char *);
diff -up openssh-8.0p1/kex.c.fips openssh-8.0p1/kex.c diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c
--- openssh-8.0p1/kex.c.fips 2019-07-23 14:55:45.395526340 +0200 --- openssh-8.6p1/kex.c.fips 2021-04-19 16:53:03.058577815 +0200
+++ openssh-8.0p1/kex.c 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.6p1/kex.c 2021-04-19 16:53:03.065577869 +0200
@@ -199,7 +199,10 @@ kex_names_valid(const char *names) @@ -203,7 +203,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0'; for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) { (p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) { if (kex_alg_by_name(p) == NULL) {
@ -92,9 +92,9 @@ diff -up openssh-8.0p1/kex.c.fips openssh-8.0p1/kex.c
free(s); free(s);
return 0; return 0;
} }
diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c
--- openssh-8.0p1/kexgexc.c.fips 2019-04-18 00:52:57.000000000 +0200 --- openssh-8.6p1/kexgexc.c.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.0p1/kexgexc.c 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.6p1/kexgexc.c 2021-04-19 16:53:03.065577869 +0200
@@ -28,6 +28,7 @@ @@ -28,6 +28,7 @@
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
@ -103,7 +103,7 @@ diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
#include <sys/types.h> #include <sys/types.h>
#include <openssl/dh.h> #include <openssl/dh.h>
@@ -113,6 +114,10 @@ input_kex_dh_gex_group(int type, u_int32 @@ -115,6 +116,10 @@ input_kex_dh_gex_group(int type, u_int32
r = SSH_ERR_ALLOC_FAIL; r = SSH_ERR_ALLOC_FAIL;
goto out; goto out;
} }
@ -114,56 +114,12 @@ diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
p = g = NULL; /* belong to kex->dh now */ p = g = NULL; /* belong to kex->dh now */
/* generate and send 'e', client DH public key */ /* generate and send 'e', client DH public key */
diff -up openssh-8.0p1/Makefile.in.fips openssh-8.0p1/Makefile.in diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
--- openssh-8.0p1/Makefile.in.fips 2019-07-23 14:55:45.396526350 +0200 --- openssh-8.6p1/myproposal.h.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.0p1/Makefile.in 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.6p1/myproposal.h 2021-04-19 16:53:03.065577869 +0200
@@ -180,25 +180,25 @@ libssh.a: $(LIBSSH_OBJS) @@ -57,6 +57,18 @@
$(RANLIB) $@ "rsa-sha2-512," \
"rsa-sha2-256"
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS)
- $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS)
- $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS)
- $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSIGN_OBJS)
- $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
$(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -216,7 +216,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
$(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
- $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
--- openssh-8.0p1/myproposal.h.fips 2019-04-18 00:52:57.000000000 +0200
+++ openssh-8.0p1/myproposal.h 2019-07-23 14:55:45.402526411 +0200
@@ -111,6 +111,20 @@
"rsa-sha2-256," \
"ssh-rsa"
+#define KEX_FIPS_PK_ALG \ +#define KEX_FIPS_PK_ALG \
+ "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ + "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
@ -171,18 +127,16 @@ diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
+ "ecdsa-sha2-nistp521-cert-v01@openssh.com," \ + "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
+ "rsa-sha2-512-cert-v01@openssh.com," \ + "rsa-sha2-512-cert-v01@openssh.com," \
+ "rsa-sha2-256-cert-v01@openssh.com," \ + "rsa-sha2-256-cert-v01@openssh.com," \
+ "ssh-rsa-cert-v01@openssh.com," \
+ "ecdsa-sha2-nistp256," \ + "ecdsa-sha2-nistp256," \
+ "ecdsa-sha2-nistp384," \ + "ecdsa-sha2-nistp384," \
+ "ecdsa-sha2-nistp521," \ + "ecdsa-sha2-nistp521," \
+ "rsa-sha2-512," \ + "rsa-sha2-512," \
+ "rsa-sha2-256," \ + "rsa-sha2-256," \
+ "ssh-rsa"
+ +
#define KEX_SERVER_ENCRYPT \ #define KEX_SERVER_ENCRYPT \
"chacha20-poly1305@openssh.com," \ "chacha20-poly1305@openssh.com," \
"aes128-ctr,aes192-ctr,aes256-ctr," \ "aes128-ctr,aes192-ctr,aes256-ctr," \
@@ -134,6 +142,27 @@ @@ -78,6 +92,27 @@
#define KEX_CLIENT_MAC KEX_SERVER_MAC #define KEX_CLIENT_MAC KEX_SERVER_MAC
@ -209,36 +163,36 @@ diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
+ +
/* Not a KEX value, but here so all the algorithm defaults are together */ /* Not a KEX value, but here so all the algorithm defaults are together */
#define SSH_ALLOWED_CA_SIGALGS \ #define SSH_ALLOWED_CA_SIGALGS \
"ecdsa-sha2-nistp256," \ "ssh-ed25519," \
diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c
--- openssh-8.0p1/readconf.c.fips 2019-07-23 14:55:45.334525723 +0200 --- openssh-8.6p1/readconf.c.fips 2021-04-19 16:53:02.999577362 +0200
+++ openssh-8.0p1/readconf.c 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.6p1/readconf.c 2021-04-19 16:53:03.065577869 +0200
@@ -2179,11 +2179,16 @@ fill_default_options(Options * options) @@ -2538,11 +2538,16 @@ fill_default_options(Options * options)
all_key = sshkey_alg_list(0, 0, 1, ','); all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ',');
/* remove unsupported algos from default lists */ /* remove unsupported algos from default lists */
- def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher); - def_cipher = match_filter_allowlist(KEX_CLIENT_ENCRYPT, all_cipher);
- def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac); - def_mac = match_filter_allowlist(KEX_CLIENT_MAC, all_mac);
- def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex); - def_kex = match_filter_allowlist(KEX_CLIENT_KEX, all_kex);
- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key); - def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig); - def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
+ def_cipher = match_filter_whitelist((FIPS_mode() ? + def_cipher = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher); + KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher);
+ def_mac = match_filter_whitelist((FIPS_mode() ? + def_mac = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac); + KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac);
+ def_kex = match_filter_whitelist((FIPS_mode() ? + def_kex = match_filter_allowlist((FIPS_mode() ?
+ KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex); + KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex);
+ def_key = match_filter_whitelist((FIPS_mode() ? + def_key = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key); + KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
+ def_sig = match_filter_whitelist((FIPS_mode() ? + def_sig = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig); + KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
#define ASSEMBLE(what, defaults, all) \ #define ASSEMBLE(what, defaults, all) \
do { \ do { \
if ((r = kex_assemble_names(&options->what, \ if ((r = kex_assemble_names(&options->what, \
diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-seccomp-filter.c diff -up openssh-8.6p1/sandbox-seccomp-filter.c.fips openssh-8.6p1/sandbox-seccomp-filter.c
--- openssh-8.0p1/sandbox-seccomp-filter.c.fips 2019-07-23 14:55:45.373526117 +0200 --- openssh-8.6p1/sandbox-seccomp-filter.c.fips 2021-04-19 16:53:03.034577631 +0200
+++ openssh-8.0p1/sandbox-seccomp-filter.c 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.6p1/sandbox-seccomp-filter.c 2021-04-19 16:53:03.065577869 +0200
@@ -137,6 +137,9 @@ static const struct sock_filter preauth_ @@ -160,6 +160,9 @@ static const struct sock_filter preauth_
#ifdef __NR_open #ifdef __NR_open
SC_DENY(__NR_open, EACCES), SC_DENY(__NR_open, EACCES),
#endif #endif
@ -248,75 +202,57 @@ diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-secco
#ifdef __NR_openat #ifdef __NR_openat
SC_DENY(__NR_openat, EACCES), SC_DENY(__NR_openat, EACCES),
#endif #endif
diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c diff -up openssh-8.6p1/servconf.c.fips openssh-8.6p1/servconf.c
--- openssh-8.0p1/servconf.c.fips 2019-07-23 14:55:45.361525996 +0200 --- openssh-8.6p1/servconf.c.fips 2021-04-19 16:53:03.027577577 +0200
+++ openssh-8.0p1/servconf.c 2019-07-23 14:55:45.403526421 +0200 +++ openssh-8.6p1/servconf.c 2021-04-19 16:53:03.066577877 +0200
@@ -208,11 +208,16 @@ assemble_algorithms(ServerOptions *o) @@ -226,11 +226,16 @@ assemble_algorithms(ServerOptions *o)
all_key = sshkey_alg_list(0, 0, 1, ','); all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ',');
/* remove unsupported algos from default lists */ /* remove unsupported algos from default lists */
- def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher); - def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher);
- def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac); - def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac);
- def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex); - def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex);
- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key); - def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig); - def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
+ def_cipher = match_filter_whitelist((FIPS_mode() ? + def_cipher = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher); + KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher);
+ def_mac = match_filter_whitelist((FIPS_mode() ? + def_mac = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac); + KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac);
+ def_kex = match_filter_whitelist((FIPS_mode() ? + def_kex = match_filter_allowlist((FIPS_mode() ?
+ KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex); + KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex);
+ def_key = match_filter_whitelist((FIPS_mode() ? + def_key = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key); + KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
+ def_sig = match_filter_whitelist((FIPS_mode() ? + def_sig = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig); + KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
#define ASSEMBLE(what, defaults, all) \ #define ASSEMBLE(what, defaults, all) \
do { \ do { \
if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \ if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c diff -up openssh-8.6p1/ssh.c.fips openssh-8.6p1/ssh.c
--- openssh-8.0p1/ssh.c.fips 2019-07-23 14:55:45.378526168 +0200 --- openssh-8.6p1/ssh.c.fips 2021-04-19 16:53:03.038577662 +0200
+++ openssh-8.0p1/ssh.c 2019-07-23 14:55:45.403526421 +0200 +++ openssh-8.6p1/ssh.c 2021-04-19 16:53:03.066577877 +0200
@@ -76,6 +76,8 @@ @@ -77,6 +77,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
#endif #endif
+#include <openssl/crypto.h> +#include <openssl/crypto.h>
+#include <fipscheck.h>
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
@@ -600,6 +602,16 @@ main(int ac, char **av) @@ -1516,6 +1517,10 @@ main(int ac, char **av)
sanitise_stdfd(); exit(0);
}
__progname = ssh_get_progname(av[0]);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ SSLeay_add_all_algorithms();
+#endif
+ if (access("/etc/system-fips", F_OK) == 0)
+ if (! FIPSCHECK_verify(NULL, NULL)){
+ if (FIPS_mode())
+ fatal("FIPS integrity verification test failed.");
+ else
+ logit("FIPS integrity verification test failed.");
+ }
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
@@ -614,6 +626,10 @@ main(int ac, char **av)
seed_rng();
+ if (FIPS_mode()) { + if (FIPS_mode()) {
+ debug("FIPS mode initialized"); + debug("FIPS mode initialized");
+ } + }
+ +
/* /* Expand SecurityKeyProvider if it refers to an environment variable */
* Discard other fds that are hanging around. These can cause problem if (options.sk_provider != NULL && *options.sk_provider == '$' &&
* with backgrounded ssh processes started by ControlPersist. strlen(options.sk_provider) > 1) {
diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c diff -up openssh-8.6p1/sshconnect2.c.fips openssh-8.6p1/sshconnect2.c
--- openssh-8.0p1/sshconnect2.c.fips 2019-07-23 14:55:45.336525743 +0200 --- openssh-8.6p1/sshconnect2.c.fips 2021-04-19 16:53:03.055577792 +0200
+++ openssh-8.0p1/sshconnect2.c 2019-07-23 14:55:45.403526421 +0200 +++ openssh-8.6p1/sshconnect2.c 2021-04-19 16:53:03.066577877 +0200
@@ -44,6 +44,8 @@ @@ -45,6 +45,8 @@
#include <vis.h> #include <vis.h>
#endif #endif
@ -325,7 +261,7 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
#include "xmalloc.h" #include "xmalloc.h"
@@ -198,29 +203,34 @@ ssh_kex2(struct ssh *ssh, char *host, st @@ -269,36 +271,41 @@ ssh_kex2(struct ssh *ssh, char *host, st
#if defined(GSSAPI) && defined(WITH_OPENSSL) #if defined(GSSAPI) && defined(WITH_OPENSSL)
if (options.gss_keyex) { if (options.gss_keyex) {
@ -333,13 +269,39 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
- * client to the key exchange algorithm proposal */ - * client to the key exchange algorithm proposal */
- orig = myproposal[PROPOSAL_KEX_ALGS]; - orig = myproposal[PROPOSAL_KEX_ALGS];
- -
- if (options.gss_server_identity) - if (options.gss_server_identity) {
- gss_host = xstrdup(options.gss_server_identity); - gss_host = xstrdup(options.gss_server_identity);
- else if (options.gss_trust_dns) - } else if (options.gss_trust_dns) {
- gss_host = remote_hostname(ssh); - gss_host = remote_hostname(ssh);
- else - /* Fall back to specified host if we are using proxy command
- * and can not use DNS on that socket */
- if (strcmp(gss_host, "UNKNOWN") == 0) {
- free(gss_host);
+ if (FIPS_mode()) {
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
+ options.gss_keyex = 0;
+ } else {
+ /* Add the GSSAPI mechanisms currently supported on this
+ * client to the key exchange algorithm proposal */
+ orig = myproposal[PROPOSAL_KEX_ALGS];
+
+ if (options.gss_server_identity) {
+ gss_host = xstrdup(options.gss_server_identity);
+ } else if (options.gss_trust_dns) {
+ gss_host = remote_hostname(ssh);
+ /* Fall back to specified host if we are using proxy command
+ * and can not use DNS on that socket */
+ if (strcmp(gss_host, "UNKNOWN") == 0) {
+ free(gss_host);
+ gss_host = xstrdup(host);
+ }
+ } else {
gss_host = xstrdup(host);
}
- } else {
- gss_host = xstrdup(host); - gss_host = xstrdup(host);
- - }
- gss = ssh_gssapi_client_mechanisms(gss_host, - gss = ssh_gssapi_client_mechanisms(gss_host,
- options.gss_client_identity, options.gss_kex_algorithms); - options.gss_client_identity, options.gss_kex_algorithms);
- if (gss) { - if (gss) {
@ -352,21 +314,6 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
- orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; - orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
- xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], - xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
- "%s,null", orig); - "%s,null", orig);
+ if (FIPS_mode()) {
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
+ options.gss_keyex = 0;
+ } else {
+ /* Add the GSSAPI mechanisms currently supported on this
+ * client to the key exchange algorithm proposal */
+ orig = myproposal[PROPOSAL_KEX_ALGS];
+
+ if (options.gss_server_identity)
+ gss_host = xstrdup(options.gss_server_identity);
+ else if (options.gss_trust_dns)
+ gss_host = remote_hostname(ssh);
+ else
+ gss_host = xstrdup(host);
+
+ gss = ssh_gssapi_client_mechanisms(gss_host, + gss = ssh_gssapi_client_mechanisms(gss_host,
+ options.gss_client_identity, options.gss_kex_algorithms); + options.gss_client_identity, options.gss_kex_algorithms);
+ if (gss) { + if (gss) {
@ -383,9 +330,9 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
} }
} }
#endif #endif
diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
--- openssh-8.0p1/sshd.c.fips 2019-07-23 14:55:45.398526371 +0200 --- openssh-8.6p1/sshd.c.fips 2021-04-19 16:53:03.060577831 +0200
+++ openssh-8.0p1/sshd.c 2019-07-23 14:55:45.403526421 +0200 +++ openssh-8.6p1/sshd.c 2021-04-19 16:57:45.827769340 +0200
@@ -66,6 +66,7 @@ @@ -66,6 +66,7 @@
#include <grp.h> #include <grp.h>
#include <pwd.h> #include <pwd.h>
@ -394,35 +341,23 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
#include <stdarg.h> #include <stdarg.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
@@ -77,6 +78,8 @@ @@ -77,6 +78,7 @@
#include <openssl/dh.h> #include <openssl/dh.h>
#include <openssl/bn.h> #include <openssl/bn.h>
#include <openssl/rand.h> #include <openssl/rand.h>
+#include <openssl/crypto.h> +#include <openssl/crypto.h>
+#include <fipscheck.h>
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#endif #endif
@@ -1529,6 +1532,18 @@ main(int ac, char **av) @@ -1619,6 +1621,7 @@ main(int ac, char **av)
#endif #endif
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
+ OpenSSL_add_all_algorithms(); + OpenSSL_add_all_algorithms();
+ if (access("/etc/system-fips", F_OK) == 0)
+ if (! FIPSCHECK_verify(NULL, NULL)) {
+ openlog(__progname, LOG_PID, LOG_AUTHPRIV);
+ if (FIPS_mode()) {
+ syslog(LOG_CRIT, "FIPS integrity verification test failed.");
+ cleanup_exit(255);
+ }
+ else
+ syslog(LOG_INFO, "FIPS integrity verification test failed.");
+ closelog();
+ }
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac; saved_argc = ac;
rexec_argc = ac; rexec_argc = ac;
@@ -1992,6 +2007,10 @@ main(int ac, char **av) @@ -2110,6 +2113,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */ /* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr); log_init(__progname, options.log_level, options.log_facility, log_stderr);
@ -430,10 +365,10 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
+ debug("FIPS mode initialized"); + debug("FIPS mode initialized");
+ } + }
+ +
/* Chdir to the root directory so that the current disk can be /*
unmounted if desired. */ * Chdir to the root directory so that the current disk can be
if (chdir("/") == -1) * unmounted if desired.
@@ -2382,10 +2401,14 @@ do_ssh2_kex(struct ssh *ssh) @@ -2494,10 +2501,14 @@ do_ssh2_kex(struct ssh *ssh)
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
orig = NULL; orig = NULL;
@ -452,9 +387,9 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
if (gss && orig) if (gss && orig)
xasprintf(&newstr, "%s,%s", gss, orig); xasprintf(&newstr, "%s,%s", gss, orig);
diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
--- openssh-8.0p1/sshkey.c.fips 2019-07-23 14:55:45.398526371 +0200 --- openssh-8.6p1/sshkey.c.fips 2021-04-19 16:53:03.061577838 +0200
+++ openssh-8.0p1/sshkey.c 2019-07-23 14:55:45.404526431 +0200 +++ openssh-8.6p1/sshkey.c 2021-04-19 16:53:03.067577885 +0200
@@ -34,6 +34,7 @@ @@ -34,6 +34,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
@ -471,19 +406,19 @@ diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
#include "ssh-sk.h" #include "ssh-sk.h"
#ifdef WITH_XMSS #ifdef WITH_XMSS
@@ -1591,6 +1593,8 @@ rsa_generate_private_key(u_int bits, RSA @@ -1705,6 +1707,8 @@ rsa_generate_private_key(u_int bits, RSA
} }
if (!BN_set_word(f4, RSA_F4) || if (!BN_set_word(f4, RSA_F4) ||
!RSA_generate_key_ex(private, bits, f4, NULL)) { !RSA_generate_key_ex(private, bits, f4, NULL)) {
+ if (FIPS_mode()) + if (FIPS_mode())
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__); + logit_f("the key length might be unsupported by FIPS mode approved key generation method");
ret = SSH_ERR_LIBCRYPTO_ERROR; ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out; goto out;
} }
diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
--- openssh-8.0p1/ssh-keygen.c.fips 2019-07-23 14:55:45.391526300 +0200 --- openssh-8.6p1/ssh-keygen.c.fips 2021-04-19 16:53:03.038577662 +0200
+++ openssh-8.0p1/ssh-keygen.c 2019-07-23 14:57:54.118830056 +0200 +++ openssh-8.6p1/ssh-keygen.c 2021-04-19 16:53:03.068577892 +0200
@@ -199,6 +199,12 @@ type_bits_valid(int type, const char *na @@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na
#endif #endif
} }
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
@ -496,7 +431,7 @@ diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c
switch (type) { switch (type) {
case KEY_DSA: case KEY_DSA:
if (*bitsp != 1024) if (*bitsp != 1024)
@@ -1029,9 +1035,17 @@ do_gen_all_hostkeys(struct passwd *pw) @@ -1098,9 +1104,17 @@ do_gen_all_hostkeys(struct passwd *pw)
first = 1; first = 1;
printf("%s: generating new host keys: ", __progname); printf("%s: generating new host keys: ", __progname);
} }
@ -513,5 +448,5 @@ diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c
fflush(stdout); fflush(stdout);
- type = sshkey_type_from_name(key_types[i].key_type); - type = sshkey_type_from_name(key_types[i].key_type);
if ((fd = mkstemp(prv_tmp)) == -1) { if ((fd = mkstemp(prv_tmp)) == -1) {
error("Could not save your public key in %s: %s", error("Could not save your private key in %s: %s",
prv_tmp, strerror(errno)); prv_tmp, strerror(errno));


@ -1,7 +1,26 @@
diff --git a/auth-krb5.c b/auth-krb5.c diff -up openssh-8.6p1/auth.h.ccache_name openssh-8.6p1/auth.h
index a5a81ed2..63f877f2 100644 --- openssh-8.6p1/auth.h.ccache_name 2021-04-19 14:05:10.820744325 +0200
--- a/auth-krb5.c +++ openssh-8.6p1/auth.h 2021-04-19 14:05:10.853744569 +0200
+++ b/auth-krb5.c @@ -83,6 +83,7 @@ struct Authctxt {
krb5_principal krb5_user;
char *krb5_ticket_file;
char *krb5_ccname;
+ int krb5_set_env;
#endif
struct sshbuf *loginmsg;
@@ -231,7 +232,7 @@ struct passwd *fakepw(void);
int sys_auth_passwd(struct ssh *, const char *);
#if defined(KRB5) && !defined(HEIMDAL)
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
+krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
#endif
#endif /* AUTH_H */
diff -up openssh-8.6p1/auth-krb5.c.ccache_name openssh-8.6p1/auth-krb5.c
--- openssh-8.6p1/auth-krb5.c.ccache_name 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/auth-krb5.c 2021-04-19 14:40:55.142832954 +0200
@@ -51,6 +51,7 @@ @@ -51,6 +51,7 @@
#include <unistd.h> #include <unistd.h>
#include <string.h> #include <string.h>
@ -10,7 +29,7 @@ index a5a81ed2..63f877f2 100644
extern ServerOptions options; extern ServerOptions options;
@@ -77,7 +78,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) @@ -77,7 +78,7 @@ auth_krb5_password(Authctxt *authctxt, c
#endif #endif
krb5_error_code problem; krb5_error_code problem;
krb5_ccache ccache = NULL; krb5_ccache ccache = NULL;
@ -19,24 +38,18 @@ index a5a81ed2..63f877f2 100644
char *client, *platform_client; char *client, *platform_client;
const char *errmsg; const char *errmsg;
@@ -163,7 +164,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password) @@ -163,8 +164,8 @@ auth_krb5_password(Authctxt *authctxt, c
goto out; goto out;
} }
- problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache); - problem = ssh_krb5_cc_gen(authctxt->krb5_ctx,
- &authctxt->krb5_fwd_ccache);
+ problem = ssh_krb5_cc_new_unique(authctxt->krb5_ctx, + problem = ssh_krb5_cc_new_unique(authctxt->krb5_ctx,
+ &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env); + &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env);
if (problem) if (problem)
goto out; goto out;
@@ -172,21 +174,20 @@ auth_krb5_password(Authctxt *authctxt, const char *password) @@ -179,15 +180,14 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem)
goto out;
- problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
+ problem = krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
&creds);
if (problem)
goto out; goto out;
#endif #endif
@ -57,7 +70,7 @@ index a5a81ed2..63f877f2 100644
do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname); do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
#endif #endif
@@ -222,11 +223,54 @@ auth_krb5_password(Authctxt *authctxt, const char *password) @@ -223,11 +223,54 @@ auth_krb5_password(Authctxt *authctxt, c
void void
krb5_cleanup_proc(Authctxt *authctxt) krb5_cleanup_proc(Authctxt *authctxt)
{ {
@ -113,7 +126,7 @@ index a5a81ed2..63f877f2 100644
if (authctxt->krb5_user) { if (authctxt->krb5_user) {
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user); krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
authctxt->krb5_user = NULL; authctxt->krb5_user = NULL;
@@ -237,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt) @@ -238,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt)
} }
} }
@ -151,7 +164,7 @@ index a5a81ed2..63f877f2 100644
+ssh_krb5_expand_template(char **result, const char *template) { +ssh_krb5_expand_template(char **result, const char *template) {
+ char *p_n, *p_o, *r, *tmp_template; + char *p_n, *p_o, *r, *tmp_template;
+ +
+ debug3("%s: called, template = %s", __func__, template); + debug3_f("called, template = %s", template);
+ if (template == NULL) + if (template == NULL)
+ return -1; + return -1;
+ +
@ -179,7 +192,7 @@ index a5a81ed2..63f877f2 100644
+ } else { + } else {
+ p_o = strchr(p_n, '}') + 1; + p_o = strchr(p_n, '}') + 1;
+ *p_o = '\0'; + *p_o = '\0';
+ debug("%s: unsupported token %s in %s", __func__, p_n, template); + debug_f("unsupported token %s in %s", p_n, template);
+ /* unknown token, fallback to the default */ + /* unknown token, fallback to the default */
+ goto cleanup; + goto cleanup;
+ } + }
@ -198,16 +211,13 @@ index a5a81ed2..63f877f2 100644
+ return -1; + return -1;
+} +}
+ +
krb5_error_code +krb5_error_code
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
- int tmpfd, ret, oerrno;
- char ccname[40];
+ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) { +ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
+ profile_t p; + profile_t p;
+ int ret = 0; + int ret = 0;
+ char *value = NULL; + char *value = NULL;
+ +
+ debug3("%s: called", __func__); + debug3_f("called");
+ ret = krb5_get_profile(ctx, &p); + ret = krb5_get_profile(ctx, &p);
+ if (ret) + if (ret)
+ return ret; + return ret;
@ -218,11 +228,14 @@ index a5a81ed2..63f877f2 100644
+ +
+ ret = ssh_krb5_expand_template(ccname, value); + ret = ssh_krb5_expand_template(ccname, value);
+ +
+ debug3("%s: returning with ccname = %s", __func__, *ccname); + debug3_f("returning with ccname = %s", *ccname);
+ return ret; + return ret;
+} +}
+ +
+krb5_error_code krb5_error_code
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
- int tmpfd, ret, oerrno;
- char ccname[40];
+ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environment) { +ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environment) {
+ int tmpfd, ret, oerrno, type_len; + int tmpfd, ret, oerrno, type_len;
+ char *ccname = NULL; + char *ccname = NULL;
@ -242,7 +255,7 @@ index a5a81ed2..63f877f2 100644
- logit("mkstemp(): %.100s", strerror(oerrno)); - logit("mkstemp(): %.100s", strerror(oerrno));
- return oerrno; - return oerrno;
- } - }
+ debug3("%s: called", __func__); + debug3_f("called");
+ if (need_environment) + if (need_environment)
+ *need_environment = 0; + *need_environment = 0;
+ ret = ssh_krb5_get_cctemplate(ctx, &ccname); + ret = ssh_krb5_get_cctemplate(ctx, &ccname);
@ -283,7 +296,7 @@ index a5a81ed2..63f877f2 100644
- close(tmpfd); - close(tmpfd);
- return (krb5_cc_resolve(ctx, ccname, ccache)); - return (krb5_cc_resolve(ctx, ccname, ccache));
+ debug3("%s: setting default ccname to %s", __func__, ccname); + debug3_f("setting default ccname to %s", ccname);
+ /* set the default with already expanded user IDs */ + /* set the default with already expanded user IDs */
+ ret = krb5_cc_set_default_name(ctx, ccname); + ret = krb5_cc_set_default_name(ctx, ccname);
+ if (ret) + if (ret)
@ -304,13 +317,13 @@ index a5a81ed2..63f877f2 100644
+ * a primary cache for this collection, if it supports that (non-FILE) + * a primary cache for this collection, if it supports that (non-FILE)
+ */ + */
+ if (krb5_cc_support_switch(ctx, type)) { + if (krb5_cc_support_switch(ctx, type)) {
+ debug3("%s: calling cc_new_unique(%s)", __func__, ccname); + debug3_f("calling cc_new_unique(%s)", ccname);
+ ret = krb5_cc_new_unique(ctx, type, NULL, ccache); + ret = krb5_cc_new_unique(ctx, type, NULL, ccache);
+ free(type); + free(type);
+ if (ret) + if (ret)
+ return ret; + return ret;
+ +
+ debug3("%s: calling cc_switch()", __func__); + debug3_f("calling cc_switch()");
+ return krb5_cc_switch(ctx, *ccache); + return krb5_cc_switch(ctx, *ccache);
+ } else { + } else {
+ /* Otherwise, we can not create a unique ccname here (either + /* Otherwise, we can not create a unique ccname here (either
@ -318,36 +331,47 @@ index a5a81ed2..63f877f2 100644
+ * collections + * collections
+ */ + */
+ free(type); + free(type);
+ debug3("%s: calling cc_resolve(%s)", __func__, ccname); + debug3_f("calling cc_resolve(%s)", ccname);
+ return (krb5_cc_resolve(ctx, ccname, ccache)); + return (krb5_cc_resolve(ctx, ccname, ccache));
+ } + }
} }
#endif /* !HEIMDAL */ #endif /* !HEIMDAL */
#endif /* KRB5 */ #endif /* KRB5 */
diff --git a/auth.h b/auth.h diff -up openssh-8.6p1/gss-serv.c.ccache_name openssh-8.6p1/gss-serv.c
index 29491df9..fdab5040 100644 --- openssh-8.6p1/gss-serv.c.ccache_name 2021-04-19 14:05:10.844744503 +0200
--- a/auth.h +++ openssh-8.6p1/gss-serv.c 2021-04-19 14:05:10.854744577 +0200
+++ b/auth.h @@ -413,13 +413,15 @@ ssh_gssapi_cleanup_creds(void)
@@ -82,6 +82,7 @@ struct Authctxt { }
krb5_principal krb5_user;
char *krb5_ticket_file;
char *krb5_ccname;
+ int krb5_set_env;
#endif
struct sshbuf *loginmsg;
@@ -238,7 +239,7 @@ int sys_auth_passwd(struct ssh *, const char *); /* As user */
int sys_auth_passwd(struct ssh *, const char *); -void
+int
ssh_gssapi_storecreds(void)
{
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
- (*gssapi_client.mech->storecreds)(&gssapi_client);
+ return (*gssapi_client.mech->storecreds)(&gssapi_client);
} else
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
+
+ return 0;
}
#if defined(KRB5) && !defined(HEIMDAL) /* This allows GSSAPI methods to do things to the child's environment based
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *); @@ -499,9 +501,7 @@ ssh_gssapi_rekey_creds(void) {
+krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *); char *envstr;
#endif #endif
#endif /* AUTH_H */ - if (gssapi_client.store.filename == NULL &&
diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c - gssapi_client.store.envval == NULL &&
--- openssh-7.9p1/gss-serv-krb5.c.ccache_name 2019-03-01 15:17:42.708611802 +0100 - gssapi_client.store.envvar == NULL)
+++ openssh-7.9p1/gss-serv-krb5.c 2019-03-01 15:17:42.713611844 +0100 + if (gssapi_client.store.envval == NULL)
return;
ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
diff -up openssh-8.6p1/gss-serv-krb5.c.ccache_name openssh-8.6p1/gss-serv-krb5.c
--- openssh-8.6p1/gss-serv-krb5.c.ccache_name 2021-04-19 14:05:10.852744562 +0200
+++ openssh-8.6p1/gss-serv-krb5.c 2021-04-19 14:05:10.854744577 +0200
@@ -267,7 +267,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri @@ -267,7 +267,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
/* This writes out any forwarded credentials from the structure populated /* This writes out any forwarded credentials from the structure populated
* during userauth. Called after we have setuid to the user */ * during userauth. Called after we have setuid to the user */
@ -450,7 +474,7 @@ diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
do_pam_putenv(client->store.envvar, client->store.envval); do_pam_putenv(client->store.envvar, client->store.envval);
#endif #endif
@@ -361,7 +355,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl @@ -364,7 +354,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
client->store.data = krb_context; client->store.data = krb_context;
@ -459,43 +483,10 @@ diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
} }
int int
diff --git a/gss-serv.c b/gss-serv.c diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c
index 6cae720e..16e55cbc 100644 --- openssh-8.6p1/servconf.c.ccache_name 2021-04-19 14:05:10.848744532 +0200
--- a/gss-serv.c +++ openssh-8.6p1/servconf.c 2021-04-19 14:05:10.854744577 +0200
+++ b/gss-serv.c @@ -136,6 +136,7 @@ initialize_server_options(ServerOptions
@@ -320,13 +320,15 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
}
/* As user */
-void
+int
ssh_gssapi_storecreds(void)
{
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
- (*gssapi_client.mech->storecreds)(&gssapi_client);
+ return (*gssapi_client.mech->storecreds)(&gssapi_client);
} else
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
+
+ return 0;
}
/* This allows GSSAPI methods to do things to the childs environment based
@@ -498,9 +500,7 @@ ssh_gssapi_rekey_creds() {
char *envstr;
#endif
- if (gssapi_client.store.filename == NULL &&
- gssapi_client.store.envval == NULL &&
- gssapi_client.store.envvar == NULL)
+ if (gssapi_client.store.envval == NULL)
return;
ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
--- openssh-7.9p1/servconf.c.ccache_name 2019-03-01 15:17:42.704611768 +0100
+++ openssh-7.9p1/servconf.c 2019-03-01 15:17:42.713611844 +0100
@@ -123,6 +123,7 @@ initialize_server_options(ServerOptions
options->kerberos_or_local_passwd = -1; options->kerberos_or_local_passwd = -1;
options->kerberos_ticket_cleanup = -1; options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1; options->kerberos_get_afs_token = -1;
@ -503,7 +494,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
options->gss_authentication=-1; options->gss_authentication=-1;
options->gss_keyex = -1; options->gss_keyex = -1;
options->gss_cleanup_creds = -1; options->gss_cleanup_creds = -1;
@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options) @@ -359,6 +360,8 @@ fill_default_server_options(ServerOption
options->kerberos_ticket_cleanup = 1; options->kerberos_ticket_cleanup = 1;
if (options->kerberos_get_afs_token == -1) if (options->kerberos_get_afs_token == -1)
options->kerberos_get_afs_token = 0; options->kerberos_get_afs_token = 0;
@ -512,17 +503,17 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
if (options->gss_authentication == -1) if (options->gss_authentication == -1)
options->gss_authentication = 0; options->gss_authentication = 0;
if (options->gss_keyex == -1) if (options->gss_keyex == -1)
@@ -447,7 +450,8 @@ typedef enum { @@ -506,7 +509,8 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel, sPort, sHostKeyFile, sLoginGraceTime,
sRhostsRSAAuthentication, sRSAAuthentication, sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken, sChallengeResponseAuthentication, - sKerberosGetAFSToken, sPasswordAuthentication,
+ sKerberosGetAFSToken, sKerberosUniqueCCache, + sKerberosGetAFSToken, sKerberosUniqueCCache,
+ sChallengeResponseAuthentication, + sPasswordAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
sListenAddress, sAddressFamily, sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -526,11 +530,13 @@ static struct { @@ -593,11 +597,13 @@ static struct {
#else #else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif #endif
@ -536,7 +527,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
#endif #endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1437,6 +1443,10 @@ process_server_config_line(ServerOptions *options, char *line, @@ -1573,6 +1579,10 @@ process_server_config_line_depth(ServerO
intptr = &options->kerberos_get_afs_token; intptr = &options->kerberos_get_afs_token;
goto parse_flag; goto parse_flag;
@ -547,7 +538,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
case sGssAuthentication: case sGssAuthentication:
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@@ -2507,6 +2517,7 @@ dump_config(ServerOptions *o) @@ -2891,6 +2901,7 @@ dump_config(ServerOptions *o)
# ifdef USE_AFS # ifdef USE_AFS
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token); dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
# endif # endif
@ -555,11 +546,10 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
#endif #endif
#ifdef GSSAPI #ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
diff --git a/servconf.h b/servconf.h diff -up openssh-8.6p1/servconf.h.ccache_name openssh-8.6p1/servconf.h
index db8362c6..4fa42d64 100644 --- openssh-8.6p1/servconf.h.ccache_name 2021-04-19 14:05:10.848744532 +0200
--- a/servconf.h +++ openssh-8.6p1/servconf.h 2021-04-19 14:05:10.855744584 +0200
+++ b/servconf.h @@ -140,6 +140,8 @@ typedef struct {
@@ -123,6 +123,8 @@ typedef struct {
* file on logout. */ * file on logout. */
int kerberos_get_afs_token; /* If true, try to get AFS token if int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */ * authenticated with Kerberos. */
@ -568,13 +558,12 @@ index db8362c6..4fa42d64 100644
int gss_authentication; /* If true, permit GSSAPI authentication */ int gss_authentication; /* If true, permit GSSAPI authentication */
int gss_keyex; /* If true, permit GSSAPI key exchange */ int gss_keyex; /* If true, permit GSSAPI key exchange */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */ int gss_cleanup_creds; /* If true, destroy cred cache on logout */
diff --git a/session.c b/session.c diff -up openssh-8.6p1/session.c.ccache_name openssh-8.6p1/session.c
index 85df6a27..480a5ead 100644 --- openssh-8.6p1/session.c.ccache_name 2021-04-19 14:05:10.852744562 +0200
--- a/session.c +++ openssh-8.6p1/session.c 2021-04-19 14:05:10.855744584 +0200
+++ b/session.c @@ -1038,7 +1038,8 @@ do_setup_env(struct ssh *ssh, Session *s
@@ -1033,7 +1033,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
/* Allow any GSSAPI methods that we've used to alter /* Allow any GSSAPI methods that we've used to alter
* the childs environment as they see fit * the child's environment as they see fit
*/ */
- ssh_gssapi_do_child(&env, &envsize); - ssh_gssapi_do_child(&env, &envsize);
+ if (s->authctxt->krb5_set_env) + if (s->authctxt->krb5_set_env)
@ -582,7 +571,7 @@ index 85df6a27..480a5ead 100644
#endif #endif
/* Set basic environment. */ /* Set basic environment. */
@@ -1105,7 +1106,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) @@ -1114,7 +1115,7 @@ do_setup_env(struct ssh *ssh, Session *s
} }
#endif #endif
#ifdef KRB5 #ifdef KRB5
@ -591,33 +580,10 @@ index 85df6a27..480a5ead 100644
child_set_env(&env, &envsize, "KRB5CCNAME", child_set_env(&env, &envsize, "KRB5CCNAME",
s->authctxt->krb5_ccname); s->authctxt->krb5_ccname);
#endif #endif
diff --git a/ssh-gss.h b/ssh-gss.h diff -up openssh-8.6p1/sshd.c.ccache_name openssh-8.6p1/sshd.c
index 6593e422..245178af 100644 --- openssh-8.6p1/sshd.c.ccache_name 2021-04-19 14:05:10.849744540 +0200
--- a/ssh-gss.h +++ openssh-8.6p1/sshd.c 2021-04-19 14:05:10.855744584 +0200
+++ b/ssh-gss.h @@ -2284,7 +2284,7 @@ main(int ac, char **av)
@@ -83,7 +82,7 @@ typedef struct ssh_gssapi_mech_struct {
int (*dochild) (ssh_gssapi_client *);
int (*userok) (ssh_gssapi_client *, char *);
int (*localname) (ssh_gssapi_client *, char **);
- void (*storecreds) (ssh_gssapi_client *);
+ int (*storecreds) (ssh_gssapi_client *);
int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
} ssh_gssapi_mech;
@@ -127,7 +126,7 @@ int ssh_gssapi_userok(char *name);
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *);
void ssh_gssapi_cleanup_creds(void);
-void ssh_gssapi_storecreds(void);
+int ssh_gssapi_storecreds(void);
const char *ssh_gssapi_displayname(void);
char *ssh_gssapi_server_mechanisms(void);
diff --git a/sshd.c b/sshd.c
index edbe815c..89514e8a 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2162,7 +2162,7 @@ main(int ac, char **av)
#ifdef GSSAPI #ifdef GSSAPI
if (options.gss_authentication) { if (options.gss_authentication) {
temporarily_use_uid(authctxt->pw); temporarily_use_uid(authctxt->pw);
@ -626,11 +592,10 @@ index edbe815c..89514e8a 100644
restore_uid(); restore_uid();
} }
#endif #endif
diff --git a/sshd_config.5 b/sshd_config.5 diff -up openssh-8.6p1/sshd_config.5.ccache_name openssh-8.6p1/sshd_config.5
index c0683d4a..2349f477 100644 --- openssh-8.6p1/sshd_config.5.ccache_name 2021-04-19 14:05:10.849744540 +0200
--- a/sshd_config.5 +++ openssh-8.6p1/sshd_config.5 2021-04-19 14:05:10.856744592 +0200
+++ b/sshd_config.5 @@ -939,6 +939,14 @@ Specifies whether to automatically destr
@@ -860,6 +860,14 @@ Specifies whether to automatically destroy the user's ticket cache
file on logout. file on logout.
The default is The default is
.Cm yes . .Cm yes .
@ -645,3 +610,24 @@ index c0683d4a..2349f477 100644
.It Cm KexAlgorithms .It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated. Multiple algorithms must be comma-separated.
diff -up openssh-8.6p1/ssh-gss.h.ccache_name openssh-8.6p1/ssh-gss.h
--- openssh-8.6p1/ssh-gss.h.ccache_name 2021-04-19 14:05:10.852744562 +0200
+++ openssh-8.6p1/ssh-gss.h 2021-04-19 14:05:10.855744584 +0200
@@ -114,7 +114,7 @@ typedef struct ssh_gssapi_mech_struct {
int (*dochild) (ssh_gssapi_client *);
int (*userok) (ssh_gssapi_client *, char *);
int (*localname) (ssh_gssapi_client *, char **);
- void (*storecreds) (ssh_gssapi_client *);
+ int (*storecreds) (ssh_gssapi_client *);
int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
} ssh_gssapi_mech;
@@ -175,7 +175,7 @@ int ssh_gssapi_userok(char *name, struct
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *);
void ssh_gssapi_cleanup_creds(void);
-void ssh_gssapi_storecreds(void);
+int ssh_gssapi_storecreds(void);
const char *ssh_gssapi_displayname(void);
char *ssh_gssapi_server_mechanisms(void);
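Review bot: In the rebased `ssh_krb5_expand_template`, the unsupported-token fallback does `p_o = strchr(p_n, '}') + 1;` followed by `*p_o = '\0';`, and the new side keeps this unchanged; if the template holds a `%{` with no closing brace, `strchr` returns NULL and both the arithmetic and the store are undefined behaviour, so the logging fallback can crash sshd rather than fall back to the default name. Unless a check in the part of the function that falls between the visible hunks already guarantees a `}`, guard it: `p_o = strchr(p_n, '}');` / `if (p_o == NULL) goto cleanup;` / `p_o[1] = '\0';`. The template appears to come from the krb5 profile via `ssh_krb5_get_cctemplate`, so the input is admin-controlled and the risk is a misconfiguration turning into a daemon crash rather than a remote issue. The same lines are present on the old side, so this is a pre-existing defect the rebase carries forward; the function starts at its signature inside this section but its middle is not shown here.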


@ -1,13 +1,16 @@
diff -up openssh/ssh_config.redhat openssh/ssh_config diff -up openssh/ssh_config.redhat openssh/ssh_config
--- openssh/ssh_config.redhat 2020-02-11 23:28:35.000000000 +0100 --- openssh/ssh_config.redhat 2020-02-11 23:28:35.000000000 +0100
+++ openssh/ssh_config 2020-02-13 18:13:39.180641839 +0100 +++ openssh/ssh_config 2020-02-13 18:13:39.180641839 +0100
@@ -43,3 +43,7 @@ @@ -43,3 +43,10 @@
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com # ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h # RekeyLimit 1G 1h
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
+# +#
+# To modify the system-wide ssh configuration, create a *.conf file under +# This system is following system-wide crypto policy.
+# /etc/ssh/ssh_config.d/ which will be automatically included below +# To modify the crypto properties (Ciphers, MACs, ...), create a *.conf
+# file under /etc/ssh/ssh_config.d/ which will be automatically
+# included below. For more information, see manual page for
+# update-crypto-policies(8) and ssh_config(5).
+Include /etc/ssh/ssh_config.d/*.conf +Include /etc/ssh/ssh_config.d/*.conf
diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat
--- openssh/ssh_config_redhat.redhat 2020-02-13 18:13:39.180641839 +0100 --- openssh/ssh_config_redhat.redhat 2020-02-13 18:13:39.180641839 +0100
@ -65,10 +68,14 @@ diff -up openssh/sshd_config.5.redhat openssh/sshd_config.5
diff -up openssh/sshd_config.redhat openssh/sshd_config diff -up openssh/sshd_config.redhat openssh/sshd_config
--- openssh/sshd_config.redhat 2020-02-11 23:28:35.000000000 +0100 --- openssh/sshd_config.redhat 2020-02-11 23:28:35.000000000 +0100
+++ openssh/sshd_config 2020-02-13 18:20:16.349913681 +0100 +++ openssh/sshd_config 2020-02-13 18:20:16.349913681 +0100
@@ -10,6 +10,10 @@ @@ -10,6 +10,14 @@
# possible, but leave them commented. Uncommented options override the # possible, but leave them commented. Uncommented options override the
# default value. # default value.
+# To modify the system-wide sshd configuration, create a *.conf file under
+# /etc/ssh/sshd_config.d/ which will be automatically included below
+Include /etc/ssh/sshd_config.d/*.conf
+
+# If you want to change the port on a SELinux system, you have to tell +# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change. +# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER +# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
@ -76,30 +83,19 @@ diff -up openssh/sshd_config.redhat openssh/sshd_config
#Port 22 #Port 22
#AddressFamily any #AddressFamily any
#ListenAddress 0.0.0.0 #ListenAddress 0.0.0.0
@@ -114,3 +118,7 @@ Subsystem sftp /usr/libexec/sftp-server
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
+
+# To modify the system-wide ssh configuration, create a *.conf file under
+# /etc/ssh/sshd_config.d/ which will be automatically included below
+Include /etc/ssh/sshd_config.d/*.conf
diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
--- openssh/sshd_config_redhat.redhat 2020-02-13 18:14:02.268006439 +0100 --- openssh/sshd_config_redhat.redhat 2020-02-13 18:14:02.268006439 +0100
+++ openssh/sshd_config_redhat 2020-02-13 18:19:20.765035947 +0100 +++ openssh/sshd_config_redhat 2020-02-13 18:19:20.765035947 +0100
@@ -0,0 +1,31 @@ @@ -0,0 +1,28 @@
+# System-wide Crypto policy:
+# This system is following system-wide crypto policy. The changes to +# This system is following system-wide crypto policy. The changes to
+# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any +# crypto properties (Ciphers, MACs, ...) will not have any effect in
+# effect here. They will be overridden by command-line options passed on +# this or following included files. To override some configuration option,
+# the server start up. +# write it before this block or include it before this file.
+# To opt out, uncomment a line with redefinition of CRYPTO_POLICY= +# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
+# variable in /etc/sysconfig/sshd to overwrite the policy. +Include /etc/crypto-policies/back-ends/opensshserver.config
+# For more information, see manual page for update-crypto-policies(8).
+ +
+SyslogFacility AUTHPRIV +SyslogFacility AUTHPRIV
+ +
+PasswordAuthentication yes
+ChallengeResponseAuthentication no +ChallengeResponseAuthentication no
+ +
+GSSAPIAuthentication yes +GSSAPIAuthentication yes
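Review bot: The new header comment in sshd_config_redhat ("To override some configuration option, write it before this block or include it before this file") relies on sshd's first-obtained-value rule without naming it, and in the same patch the `Include /etc/ssh/sshd_config.d/*.conf` line is moved from the end of sshd_config to its top, so everything in the drop-in directory is now read before the main file's own directives; an admin who adds, say, a Ciphers line to sshd_config below the include will be overridden by /etc/crypto-policies/back-ends/opensshserver.config. Suggested addition after the Include line: `# sshd uses the first value it reads for each keyword, so settings in this file and in later includes cannot be changed from the main sshd_config below the Include.` The explicit `PasswordAuthentication yes` line is gone from the new side; if that is meant to be pinned rather than left to the upstream default, keep it. ssh_config keeps its Include at the end of the file, so the two client and server layouts now differ in precedence and that asymmetry may be worth a sentence in the ssh_config comment as well.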


@ -1,7 +1,7 @@
diff --git a/sshd.c b/sshd.c diff -up openssh-8.6p1/sshd.c.log-usepam-no openssh-8.6p1/sshd.c
--- a/sshd.c --- openssh-8.6p1/sshd.c.log-usepam-no 2021-04-19 14:00:45.099735129 +0200
+++ b/sshd.c +++ openssh-8.6p1/sshd.c 2021-04-19 14:03:21.140920974 +0200
@@ -1701,6 +1701,10 @@ main(int ac, char **av) @@ -1749,6 +1749,10 @@ main(int ac, char **av)
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
cfg, &includes, NULL); cfg, &includes, NULL);
@ -9,16 +9,16 @@ diff --git a/sshd.c b/sshd.c
+ if (! options.use_pam) + if (! options.use_pam)
+ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems."); + logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
+ +
/* Fill in default values for those options not explicitly set. */ #ifdef WITH_OPENSSL
fill_default_server_options(&options); if (options.moduli_file != NULL)
dh_set_moduli_file(options.moduli_file);
diff --git a/sshd_config b/sshd_config diff -up openssh-8.6p1/sshd_config.log-usepam-no openssh-8.6p1/sshd_config
--- a/sshd_config --- openssh-8.6p1/sshd_config.log-usepam-no 2021-04-19 14:00:45.098735121 +0200
+++ b/sshd_config +++ openssh-8.6p1/sshd_config 2021-04-19 14:00:45.099735129 +0200
@@ -101,6 +101,8 @@ GSSAPICleanupCredentials no @@ -87,6 +87,8 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'. # and KbdInteractiveAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several +# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# problems. +# problems.
#UsePAM no #UsePAM no
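Review bot: The warning emitted by the `logit(...)` line, and the matching sshd_config comment, hardcode "Fedora", although this patch stack is being rebased for an openssh-8.8p1 update of what looks like a different distribution; if that is the case the text should be reworded so the message is not misleading to admins. Style: OpenSSH writes the negation without the space, `if (!options.use_pam)`. The check now sits between `parse_server_config(...)` and `#ifdef WITH_OPENSSL` / `dh_set_moduli_file(...)`, i.e. still ahead of where defaults are filled in, so — assuming use_pam keeps its -1 sentinel until fill_default_server_options runs — only an explicit `UsePAM no` reaches the warning; a comment such as `/* before defaults are filled: only an explicit "UsePAM no" triggers this */` would make that dependency visible to the next rebase. main() starts and ends outside the hunk.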


@ -52,7 +52,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
gss_buffer_desc mic, gssbuf; gss_buffer_desc mic, gssbuf;
const char *displayname; const char *displayname;
@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple @@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
fatal("%s: sshbuf_new failed", __func__); fatal_f("sshbuf_new failed");
mic.value = p; mic.value = p;
mic.length = len; mic.length = len;
- ssh_gssapi_buildmic(b, authctxt->user, authctxt->service, - ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
@ -63,7 +63,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
+#endif +#endif
+ micuser = authctxt->user; + micuser = authctxt->user;
+ ssh_gssapi_buildmic(b, micuser, authctxt->service, + ssh_gssapi_buildmic(b, micuser, authctxt->service,
"gssapi-with-mic"); "gssapi-with-mic", ssh->kex->session_id);
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL) if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple @@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
@ -80,7 +80,7 @@ diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
+++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200 +++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh) @@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
/* reconstruct packet */ /* reconstruct packet */
if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 || if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 ||
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 || (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+ (authctxt->role + (authctxt->role
@ -154,20 +154,6 @@ diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
char ** fetch_pam_environment(void); char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void); char ** fetch_pam_child_environment(void);
void free_pam_environment(char **); void free_pam_environment(char **);
diff -up openssh/configure.ac.role-mls openssh/configure.ac
--- openssh/configure.ac.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/configure.ac 2018-08-22 11:14:56.820430957 +0200
@@ -4241,10 +4241,7 @@ AC_ARG_WITH([selinux],
LIBS="$LIBS -lselinux"
],
AC_MSG_ERROR([SELinux support requires libselinux library]))
- SSHLIBS="$SSHLIBS $LIBSELINUX"
- SSHDLIBS="$SSHDLIBS $LIBSELINUX"
AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
- LIBS="$save_LIBS"
fi ]
)
AC_SUBST([SSHLIBS])
diff -up openssh/misc.c.role-mls openssh/misc.c diff -up openssh/misc.c.role-mls openssh/misc.c
--- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200 --- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200 +++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200
@ -193,10 +179,10 @@ diff -up openssh/misc.c.role-mls openssh/misc.c
} }
return NULL; return NULL;
} }
diff -up openssh/monitor.c.role-mls openssh/monitor.c diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
--- openssh/monitor.c.role-mls 2018-08-20 07:57:29.000000000 +0200 --- openssh-8.6p1/monitor.c.role-mls 2021-04-16 05:55:25.000000000 +0200
+++ openssh/monitor.c 2018-08-22 11:19:56.006844867 +0200 +++ openssh-8.6p1/monitor.c 2021-05-21 14:21:56.719414087 +0200
@@ -115,6 +115,9 @@ int mm_answer_sign(int, struct sshbuf *) @@ -117,6 +117,9 @@ int mm_answer_sign(struct ssh *, int, st
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *); int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *); int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
int mm_answer_authserv(struct ssh *, int, struct sshbuf *); int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
@ -206,7 +192,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *); int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *); int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *); int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
@@ -189,6 +192,9 @@ struct mon_table mon_dispatch_proto20[] @@ -195,6 +198,9 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -216,7 +202,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM #ifdef USE_PAM
@@ -796,6 +802,9 @@ mm_answer_pwnamallow(int sock, struct ss @@ -803,6 +809,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
/* Allow service/style information on the auth context */ /* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@ -226,7 +212,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
#ifdef USE_PAM #ifdef USE_PAM
@@ -842,6 +851,26 @@ mm_answer_authserv(int sock, struct sshb @@ -877,6 +886,26 @@ key_base_type_match(const char *method,
return found; return found;
} }
@ -238,8 +224,8 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
+ monitor_permit_authentications(1); + monitor_permit_authentications(1);
+ +
+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0) + if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_f("buffer error: %s", ssh_err(r));
+ debug3("%s: role=%s", __func__, authctxt->role); + debug3_f("role=%s", authctxt->role);
+ +
+ if (strlen(authctxt->role) == 0) { + if (strlen(authctxt->role) == 0) {
+ free(authctxt->role); + free(authctxt->role);
@ -253,7 +239,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
int int
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m) mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
{ {
@@ -1218,7 +1247,7 @@ monitor_valid_userblob(u_char *data, u_i @@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh,
{ {
struct sshbuf *b; struct sshbuf *b;
const u_char *p; const u_char *p;
@ -262,16 +248,16 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
size_t len; size_t len;
u_char type; u_char type;
int r, fail = 0; int r, fail = 0;
@@ -1251,6 +1280,8 @@ monitor_valid_userblob(u_char *data, u_i @@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh,
fail++; fail++;
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse userstyle");
+ if ((s = strchr(cp, '/')) != NULL) + if ((s = strchr(cp, '/')) != NULL)
+ *s = '\0'; + *s = '\0';
xasprintf(&userstyle, "%s%s%s", authctxt->user, xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "", authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : ""); authctxt->style ? authctxt->style : "");
@@ -1286,7 +1317,7 @@ monitor_valid_hostbasedblob(u_char *data @@ -1317,7 +1348,7 @@ monitor_valid_hostbasedblob(const u_char
{ {
struct sshbuf *b; struct sshbuf *b;
const u_char *p; const u_char *p;
@ -280,11 +266,11 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
size_t len; size_t len;
int r, fail = 0; int r, fail = 0;
u_char type; u_char type;
@@ -1308,6 +1339,8 @@ monitor_valid_hostbasedblob(u_char *data @@ -1338,6 +1370,8 @@ monitor_valid_hostbasedblob(const u_char
fail++; fail++;
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse userstyle");
+ if ((s = strchr(p, '/')) != NULL) + if ((s = strchr(cp, '/')) != NULL)
+ *s = '\0'; + *s = '\0';
xasprintf(&userstyle, "%s%s%s", authctxt->user, xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "", authctxt->style ? ":" : "",
@ -319,12 +305,12 @@ diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
+ int r; + int r;
+ struct sshbuf *m; + struct sshbuf *m;
+ +
+ debug3("%s entering", __func__); + debug3_f("entering");
+ +
+ if ((m = sshbuf_new()) == NULL) + if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed");
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0) + if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_f("buffer error: %s", ssh_err(r));
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
+ +
+ sshbuf_free(m); + sshbuf_free(m);
@ -338,8 +324,8 @@ diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
--- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200 --- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200
+++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200 +++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200
@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int); @@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *, const u_char *, size_t, const char *, const char *,
const u_char *, size_t, const char *, const char *, u_int compat); const char *, u_int compat);
void mm_inform_authserv(char *, char *); void mm_inform_authserv(char *, char *);
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+void mm_inform_authrole(char *); +void mm_inform_authrole(char *);
@ -351,7 +337,7 @@ diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Make
--- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200 --- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200 +++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200
@@ -92,7 +92,8 @@ PORTS= port-aix.o \ @@ -92,7 +92,8 @@ PORTS= port-aix.o \
port-linux.o \ port-prngd.o \
port-solaris.o \ port-solaris.o \
port-net.o \ port-net.o \
- port-uw.o - port-uw.o
@ -371,7 +357,7 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por
-void -void
-ssh_selinux_setup_exec_context(char *pwname) -ssh_selinux_setup_exec_context(char *pwname)
-{ -{
- security_context_t user_ctx = NULL; - char *user_ctx = NULL;
- -
- if (!ssh_selinux_enabled()) - if (!ssh_selinux_enabled())
- return; - return;
@ -407,7 +393,7 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por
- user_ctx = ssh_selinux_getctxbyname(pwname); - user_ctx = ssh_selinux_getctxbyname(pwname);
+ if (getexeccon(&user_ctx) != 0) { + if (getexeccon(&user_ctx) != 0) {
+ error("%s: getexeccon: %s", __func__, strerror(errno)); + error_f("getexeccon: %s", strerror(errno));
+ goto out; + goto out;
+ } + }
+ +
@ -432,7 +418,7 @@ diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/por
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200 --- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
+++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200 +++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
@@ -0,0 +1,425 @@ @@ -0,0 +1,421 @@
+/* +/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> + * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com> + * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
@ -544,7 +530,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ access_vector_t bit; + access_vector_t bit;
+ security_class_t class; + security_class_t class;
+ +
+ debug("%s: src:%s dst:%s", __func__, src, dst); + debug_f("src:%s dst:%s", src, dst);
+ class = string_to_security_class("context"); + class = string_to_security_class("context");
+ if (!class) { + if (!class) {
+ error("string_to_security_class failed to translate security class context"); + error("string_to_security_class failed to translate security class context");
@ -706,7 +692,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ /* we actually don't change level */ + /* we actually don't change level */
+ reqlvl = ""; + reqlvl = "";
+ +
+ debug("%s: current connection level '%s'", __func__, reqlvl); + debug_f("current connection level '%s'", reqlvl);
+ +
+ } + }
+ +
@ -734,8 +720,8 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ } + }
+ } + }
+ if (r != 0) { + if (r != 0) {
+ error("%s: Failed to get default SELinux security " + error_f("Failed to get default SELinux security "
+ "context for %s", __func__, pwname); + "context for %s", pwname);
+ } + }
+ +
+#ifdef HAVE_GETSEUSERBYNAME +#ifdef HAVE_GETSEUSERBYNAME
@ -760,7 +746,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ char *use_current; + char *use_current;
+ int rv; + int rv;
+ +
+ debug3("%s: setting execution context", __func__); + debug3_f("setting execution context");
+ +
+ ssh_selinux_get_role_level(&role, &reqlvl); + ssh_selinux_get_role_level(&role, &reqlvl);
+ +
@ -797,32 +783,30 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ if (sshd_selinux_setup_pam_variables()) { + if (sshd_selinux_setup_pam_variables()) {
+ switch (security_getenforce()) { + switch (security_getenforce()) {
+ case -1: + case -1:
+ fatal("%s: security_getenforce() failed", __func__); + fatal_f("security_getenforce() failed");
+ case 0: + case 0:
+ error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.", + error_f("SELinux PAM variable setup failure. Continuing in permissive mode.");
+ __func__);
+ break; + break;
+ default: + default:
+ fatal("%s: SELinux PAM variable setup failure. Aborting connection.", + fatal_f("SELinux PAM variable setup failure. Aborting connection.");
+ __func__);
+ } + }
+ } + }
+ return; + return;
+ } + }
+ +
+ debug3("%s: setting execution context", __func__); + debug3_f("setting execution context");
+ +
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx); + r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
+ if (r >= 0) { + if (r >= 0) {
+ r = setexeccon(user_ctx); + r = setexeccon(user_ctx);
+ if (r < 0) { + if (r < 0) {
+ error("%s: Failed to set SELinux execution context %s for %s", + error_f("Failed to set SELinux execution context %s for %s",
+ __func__, user_ctx, pwname); + user_ctx, pwname);
+ } + }
+#ifdef HAVE_SETKEYCREATECON +#ifdef HAVE_SETKEYCREATECON
+ else if (setkeycreatecon(user_ctx) < 0) { + else if (setkeycreatecon(user_ctx) < 0) {
+ error("%s: Failed to set SELinux keyring creation context %s for %s", + error_f("Failed to set SELinux keyring creation context %s for %s",
+ __func__, user_ctx, pwname); + user_ctx, pwname);
+ } + }
+#endif +#endif
+ } + }
@ -837,14 +821,12 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ if (r < 0) { + if (r < 0) {
+ switch (security_getenforce()) { + switch (security_getenforce()) {
+ case -1: + case -1:
+ fatal("%s: security_getenforce() failed", __func__); + fatal_f("security_getenforce() failed");
+ case 0: + case 0:
+ error("%s: SELinux failure. Continuing in permissive mode.", + error_f("ELinux failure. Continuing in permissive mode.");
+ __func__);
+ break; + break;
+ default: + default:
+ fatal("%s: SELinux failure. Aborting connection.", + fatal_f("SELinux failure. Aborting connection.");
+ __func__);
+ } + }
+ } + }
+ if (user_ctx != NULL && user_ctx != default_ctx) + if (user_ctx != NULL && user_ctx != default_ctx)
@ -852,7 +834,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ if (default_ctx != NULL) + if (default_ctx != NULL)
+ freecon(default_ctx); + freecon(default_ctx);
+ +
+ debug3("%s: done", __func__); + debug3_f("done");
+} +}
+ +
+#endif +#endif
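Review bot: The rewritten permissive-mode message in port-linux-sshd.c, `error_f("ELinux failure. Continuing in permissive mode.");`, lost the leading "S" while being converted from the `error("%s: SELinux failure...", __func__)` form; it should read `error_f("SELinux failure. Continuing in permissive mode.");`, consistent with the `fatal_f("SELinux failure. Aborting connection.");` two lines below and every other SELinux message in the patch. Separately, in monitor_valid_userblob and monitor_valid_hostbasedblob the new `if ((s = strchr(cp, '/')) != NULL) *s = '\0';` truncates the username parsed from the client-signed blob at the first '/' before it is (presumably, the comparison is outside the hunk) matched against userstyle, so nothing after the slash is checked at that point; since the role appears to be conveyed separately over MONITOR_REQ_AUTHROLE, a comment at the strip would make the intent auditable, e.g. `/* strip optional "/role" suffix; the role is conveyed separately via MONITOR_REQ_AUTHROLE */`. The enclosing functions start and end outside these hunks.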


@ -1,31 +0,0 @@
diff -up openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id openssh-7.9p1/contrib/ssh-copy-id
--- openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/contrib/ssh-copy-id 2019-01-23 20:49:30.513393667 +0100
@@ -112,7 +112,8 @@ do
usage
}
- OPT= OPTARG=
+ OPT=
+ OPTARG=
# implement something like getopt to avoid Solaris pain
case "$1" in
-i?*|-o?*|-p?*)
@@ -261,7 +262,7 @@ populate_new_ids() {
fi
if [ -z "$NEW_IDS" ] ; then
printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n' "$0" >&2
- printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' "$0" >&2
+ printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' >&2
exit 0
fi
printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
@@ -296,7 +297,7 @@ case "$REMOTE_VERSION" in
# in ssh below - to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
# 'cd' to be at $HOME; add a newline if it's missing; and all on one line, because tcsh.
[ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \
- ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && { [ -z "'`tail -1c .ssh/authorized_keys 2>/dev/null`'" ] || echo >> .ssh/authorized_keys ; } && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
+ ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && { [ -z "'`tail -1c .ssh/authorized_keys 2>/dev/null`'" ] || echo >> .ssh/authorized_keys || exit 1; } && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
|| exit 1
ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
;;


@ -1,29 +1,60 @@
diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5 diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
--- openssh/ssh_config.5.crypto-policies 2020-02-07 15:05:55.665451715 +0100 --- openssh-8.7p1/ssh_config.5.crypto-policies 2021-08-30 13:29:00.174292872 +0200
+++ openssh/ssh_config.5 2020-02-07 15:07:11.632641922 +0100 +++ openssh-8.7p1/ssh_config.5 2021-08-30 13:31:32.009548808 +0200
@@ -361,15 +361,15 @@ domains. @@ -373,17 +373,13 @@ or
causes no CNAMEs to be considered for canonicalization.
This is the default behaviour.
.It Cm CASignatureAlgorithms .It Cm CASignatureAlgorithms
Specifies which algorithms are allowed for signing of certificates
by certificate authorities (CAs).
-The default is:
-.Bd -literal -offset indent
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed
-.Pp
.Xr ssh 1
will not accept host certificates signed using algorithms other than those
specified.
+.Pp
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
.It Cm CertificateFile Specifies which algorithms are allowed for signing of certificates
Specifies a file from which the user's certificate is read. by certificate authorities (CAs).
A corresponding private key must be provided separately in order -The default is:
@@ -453,12 +453,10 @@ aes256-gcm@openssh.com -.Bd -literal -offset indent
-ssh-ed25519,ecdsa-sha2-nistp256,
-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed
-.Pp
If the specified list begins with a
.Sq +
character, then the specified algorithms will be appended to the default set
@@ -445,20 +441,25 @@ If the option is set to
(the default),
the check will not be executed.
.It Cm Ciphers
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the ciphers allowed and their order of preference.
Multiple ciphers must be comma-separated.
If the specified list begins with a
.Sq +
-character, then the specified ciphers will be appended to the default set
-instead of replacing them.
+character, then the specified ciphers will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified ciphers (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified ciphers will be placed at the head of the
-default set.
+built-in openssh default set.
.Pp
The supported ciphers are:
.Bd -literal -offset indent
@@ -474,13 +475,6 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com chacha20-poly1305@openssh.com
.Ed .Ed
.Pp .Pp
@ -33,30 +64,60 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
-aes128-ctr,aes192-ctr,aes256-ctr, -aes128-ctr,aes192-ctr,aes256-ctr,
-aes128-gcm@openssh.com,aes256-gcm@openssh.com -aes128-gcm@openssh.com,aes256-gcm@openssh.com
-.Ed -.Ed
-.Pp
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
.It Cm ClearAllForwardings
@@ -874,6 +868,11 @@ command line will be passed untouched to
The default is
.Dq no .
.It Cm GSSAPIKexAlgorithms
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
.Pp +.Pp
The list of available ciphers may also be obtained using The list of key exchange algorithms that are offered for GSSAPI
.Qq ssh -Q cipher . key exchange. Possible values are
@@ -824,8 +822,10 @@ gss-nistp256-sha256-, .Bd -literal -offset 3n
@@ -886,10 +885,8 @@ gss-nistp256-sha256-,
gss-curve25519-sha256- gss-curve25519-sha256-
.Ed .Ed
.Pp .Pp
-The default is -The default is
-.Dq gss-gex-sha1-,gss-group14-sha1- . -.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
This option only applies to connections using GSSAPI.
+.Pp
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
@@ -1219,29 +1216,25 @@ it may be zero or more of:
and
.Cm pam .
.It Cm KexAlgorithms
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
This option only applies to protocol version 2 connections using GSSAPI. +.Pp
.It Cm HashKnownHosts Specifies the available KEX (Key Exchange) algorithms.
Indicates that Multiple algorithms must be comma-separated.
@@ -1162,15 +1162,10 @@ If the specified list begins with a If the specified list begins with a
.Sq +
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^ .Sq ^
character, then the specified methods will be placed at the head of the character, then the specified algorithms will be placed at the head of the
default set. -default set.
-The default is: -The default is:
-.Bd -literal -offset indent -.Bd -literal -offset indent
-curve25519-sha256,curve25519-sha256@libssh.org, -curve25519-sha256,curve25519-sha256@libssh.org,
@ -66,14 +127,42 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
-diffie-hellman-group18-sha512, -diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256 -diffie-hellman-group14-sha256
-.Ed -.Ed
+built-in openssh default set.
.Pp
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex .
@@ -1351,37 +1344,33 @@ function, and all code in the
file.
This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp
Specifies the MAC (message authentication code) algorithms
in order of preference.
The MAC algorithm is used for data integrity protection.
Multiple algorithms must be comma-separated.
If the specified list begins with a
.Sq +
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified algorithms will be placed at the head of the
-default set.
+built-in openssh default set.
.Pp .Pp
The list of available key exchange algorithms may also be obtained using The algorithms that contain
.Qq ssh -Q kex . .Qq -etm
@@ -1252,14 +1247,10 @@ The algorithms that contain
calculate the MAC after encryption (encrypt-then-mac). calculate the MAC after encryption (encrypt-then-mac).
These are considered safer and their use recommended. These are considered safer and their use recommended.
.Pp .Pp
@ -85,65 +174,113 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
-umac-64@openssh.com,umac-128@openssh.com, -umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512,hmac-sha1 -hmac-sha2-256,hmac-sha2-512,hmac-sha1
-.Ed -.Ed
-.Pp
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
.It Cm NoHostAuthenticationForLocalhost
@@ -1553,36 +1542,25 @@ instead of continuing to execute and pas
The default is
.Cm no .
.It Cm PubkeyAcceptedAlgorithms
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
.Pp +.Pp
The list of available MAC algorithms may also be obtained using Specifies the signature algorithms that will be used for public key
.Qq ssh -Q mac . authentication as a comma-separated list of patterns.
@@ -1407,22 +1398,10 @@ If the specified list begins with a If the specified list begins with a
.Sq +
-character, then the algorithms after it will be appended to the default
-instead of replacing it.
+character, then the algorithms after it will be appended to the built-in
+openssh default instead of replacing it.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^ .Sq ^
character, then the specified key types will be placed at the head of the character, then the specified algorithms will be placed at the head of the
default set. -default set.
-The default for this option is: -The default for this option is:
-.Bd -literal -offset 3n -.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com,
-ecdsa-sha2-nistp256-cert-v01@openssh.com, -ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com, -ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com, -ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ssh-ed25519-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com, -sk-ssh-ed25519-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com, -rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com, -ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com, -sk-ecdsa-sha2-nistp256@openssh.com,
-ssh-ed25519,sk-ssh-ed25519@openssh.com, -rsa-sha2-512,rsa-sha2-256
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed -.Ed
+built-in openssh default set.
.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q PubkeyAcceptedAlgorithms .
diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
--- openssh-8.7p1/sshd_config.5.crypto-policies 2021-08-30 13:29:00.157292731 +0200
+++ openssh-8.7p1/sshd_config.5 2021-08-30 13:32:16.263918533 +0200
@@ -373,17 +373,13 @@ If the argument is
then no banner is displayed.
By default, no banner is displayed.
.It Cm CASignatureAlgorithms
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
.Pp +.Pp
The list of available key types may also be obtained using
.Qq ssh -Q PubkeyAcceptedKeyTypes .
diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
--- openssh/sshd_config.5.crypto-policies 2020-02-07 15:05:55.639451308 +0100
+++ openssh/sshd_config.5 2020-02-07 15:05:55.672451825 +0100
@@ -377,14 +377,14 @@ By default, no banner is displayed.
.It Cm CASignatureAlgorithms
Specifies which algorithms are allowed for signing of certificates Specifies which algorithms are allowed for signing of certificates
by certificate authorities (CAs). by certificate authorities (CAs).
-The default is: -The default is:
-.Bd -literal -offset indent -.Bd -literal -offset indent
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ssh-ed25519,ecdsa-sha2-nistp256,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa -ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed -.Ed
-.Pp -.Pp
Certificates signed using other algorithms will not be accepted for If the specified list begins with a
public key or host-based authentication. .Sq +
+.Pp character, then the specified algorithms will be appended to the default set
@@ -450,20 +446,25 @@ The default is
indicating not to
.Xr chroot 2 .
.It Cm Ciphers
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
.It Cm ChallengeResponseAuthentication Specifies the ciphers allowed.
Specifies whether challenge-response authentication is allowed (e.g. via Multiple ciphers must be comma-separated.
PAM or through authentication styles supported in If the specified list begins with a
@@ -486,12 +486,10 @@ aes256-gcm@openssh.com .Sq +
-character, then the specified ciphers will be appended to the default set
-instead of replacing them.
+character, then the specified ciphers will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified ciphers (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified ciphers will be placed at the head of the
-default set.
+built-in openssh default set.
.Pp
The supported ciphers are:
.Pp
@@ -490,13 +491,6 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com chacha20-poly1305@openssh.com
.El .El
.Pp .Pp
@ -153,55 +290,107 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
-aes128-ctr,aes192-ctr,aes256-ctr, -aes128-ctr,aes192-ctr,aes256-ctr,
-aes128-gcm@openssh.com,aes256-gcm@openssh.com -aes128-gcm@openssh.com,aes256-gcm@openssh.com
-.Ed -.Ed
+The default is handled system-wide by -.Pp
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
.Pp
The list of available ciphers may also be obtained using The list of available ciphers may also be obtained using
.Qq ssh -Q cipher . .Qq ssh -Q cipher .
@@ -693,8 +691,10 @@ gss-nistp256-sha256-, .It Cm ClientAliveCountMax
gss-curve25519-sha256- @@ -685,21 +679,22 @@ For this to work
.Ed .Cm GSSAPIKeyExchange
.Pp needs to be enabled in the server and also used by the client.
-The default is .It Cm GSSAPIKexAlgorithms
-.Dq gss-gex-sha1-,gss-group14-sha1- .
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
This option only applies to protocol version 2 connections using GSSAPI. +.Pp
.It Cm HostbasedAcceptedKeyTypes The list of key exchange algorithms that are accepted by GSSAPI
Specifies the key types that will be accepted for hostbased authentication key exchange. Possible values are
@@ -794,22 +794,10 @@ environment variable. .Bd -literal -offset 3n
-gss-gex-sha1-,
-gss-group1-sha1-,
-gss-group14-sha1-,
-gss-group14-sha256-,
-gss-group16-sha512-,
-gss-nistp256-sha256-,
+gss-gex-sha1-
+gss-group1-sha1-
+gss-group14-sha1-
+gss-group14-sha256-
+gss-group16-sha512-
+gss-nistp256-sha256-
gss-curve25519-sha256-
.Ed
-.Pp
-The default is
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
This option only applies to connections using GSSAPI.
.It Cm HostbasedAcceptedAlgorithms
Specifies the signature algorithms that will be accepted for hostbased
@@ -799,26 +794,13 @@ is specified, the location of the socket
.Ev SSH_AUTH_SOCK
environment variable.
.It Cm HostKeyAlgorithms .It Cm HostKeyAlgorithms
Specifies the host key algorithms +The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the host key signature algorithms
that the server offers. that the server offers.
-The default for this option is: -The default for this option is:
-.Bd -literal -offset 3n -.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com,
-ecdsa-sha2-nistp256-cert-v01@openssh.com, -ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com, -ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com, -ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ssh-ed25519-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com, -sk-ssh-ed25519-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com, -rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com, -ssh-rsa-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com, -sk-ecdsa-sha2-nistp256@openssh.com,
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa -rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed -.Ed
-.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostKeyAlgorithms .
.It Cm IgnoreRhosts
@@ -965,20 +947,25 @@ Specifies whether to look at .k5login fi
The default is
.Cm yes .
.It Cm KexAlgorithms
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
Alternately if the specified list begins with a
.Sq +
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified algorithms will be placed at the head of the
-default set.
+built-in openssh default set.
The supported algorithms are:
.Pp .Pp
The list of available key types may also be obtained using .Bl -item -compact -offset indent
.Qq ssh -Q HostKeyAlgorithms . @@ -1010,15 +997,6 @@ ecdh-sha2-nistp521
@@ -987,14 +975,10 @@ ecdh-sha2-nistp521 sntrup761x25519-sha512@openssh.com
sntrup4591761x25519-sha512@tinyssh.org
.El .El
.Pp .Pp
-The default is: -The default is:
@ -212,14 +401,42 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, -diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256 -diffie-hellman-group14-sha256
-.Ed -.Ed
-.Pp
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q KexAlgorithms .
.It Cm ListenAddress
@@ -1104,21 +1082,26 @@ function, and all code in the
file.
This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp
Specifies the available MAC (message authentication code) algorithms.
The MAC algorithm is used for data integrity protection.
Multiple algorithms must be comma-separated.
If the specified list begins with a
.Sq +
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified algorithms will be placed at the head of the
-default set.
+built-in openssh default set.
.Pp .Pp
The list of available key exchange algorithms may also be obtained using The algorithms that contain
.Qq ssh -Q KexAlgorithms . .Qq -etm
@@ -1121,14 +1105,10 @@ umac-64-etm@openssh.com @@ -1161,15 +1144,6 @@ umac-64-etm@openssh.com
umac-128-etm@openssh.com umac-128-etm@openssh.com
.El .El
.Pp .Pp
@ -231,37 +448,54 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
-umac-64@openssh.com,umac-128@openssh.com, -umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512,hmac-sha1 -hmac-sha2-256,hmac-sha2-512,hmac-sha1
-.Ed -.Ed
-.Pp
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
.It Cm Match
@@ -1548,37 +1522,25 @@ or equivalent.)
The default is
.Cm yes .
.It Cm PubkeyAcceptedAlgorithms
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
.Pp +.Pp
The list of available MAC algorithms may also be obtained using Specifies the signature algorithms that will be accepted for public key
.Qq ssh -Q mac . authentication as a list of comma-separated patterns.
@@ -1492,22 +1472,10 @@ If the specified list begins with a Alternately if the specified list begins with a
.Sq +
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^ .Sq ^
character, then the specified key types will be placed at the head of the character, then the specified algorithms will be placed at the head of the
default set. -default set.
-The default for this option is: -The default for this option is:
-.Bd -literal -offset 3n -.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com,
-ecdsa-sha2-nistp256-cert-v01@openssh.com, -ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com, -ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com, -ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ssh-ed25519-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com, -sk-ssh-ed25519-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com, -rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com, -ssh-rsa-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com, -sk-ecdsa-sha2-nistp256@openssh.com,
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa -rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed -.Ed
+The default is handled system-wide by +built-in openssh default set.
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
.Pp .Pp
The list of available key types may also be obtained using The list of available signature algorithms may also be obtained using
.Qq ssh -Q PubkeyAcceptedKeyTypes . .Qq ssh -Q PubkeyAcceptedAlgorithms .


@ -5,7 +5,7 @@ index e7549470..b68c1710 100644
@@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ @@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexgexc.o kexgexs.o \ kexgexc.o kexgexs.o \
sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \ kexsntrup761x25519.o sntrup761.o kexgen.o \
+ kexgssc.o \ + kexgssc.o \
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \ sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
sshbuf-io.o sshbuf-io.o
@ -17,13 +17,12 @@ index e7549470..b68c1710 100644
- auth2-gss.o gss-serv.o gss-serv-krb5.o \ - auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \ srclimit.o sftp-server.o sftp-common.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
diff --git a/auth.c b/auth.c diff -up a/auth.c.gsskex b/auth.c
index 086b8ebb..687c57b4 100644 --- a/auth.c.gsskex 2021-08-20 06:03:49.000000000 +0200
--- a/auth.c +++ b/auth.c 2021-08-27 12:41:51.262788953 +0200
+++ b/auth.c @@ -402,7 +402,8 @@ auth_root_allowed(struct ssh *ssh, const
@@ -400,7 +400,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
case PERMIT_NO_PASSWD: case PERMIT_NO_PASSWD:
if (strcmp(method, "publickey") == 0 || if (strcmp(method, "publickey") == 0 ||
strcmp(method, "hostbased") == 0 || strcmp(method, "hostbased") == 0 ||
@ -33,18 +32,15 @@ index 086b8ebb..687c57b4 100644
return 1; return 1;
break; break;
case PERMIT_FORCED_ONLY: case PERMIT_FORCED_ONLY:
@@ -724,99 +725,6 @@ fakepw(void) @@ -730,97 +731,6 @@ fakepw(void)
return (&fake);
} }
-/* /*
- * Returns the remote DNS hostname as a string. The returned string must not - * Returns the remote DNS hostname as a string. The returned string must not
- * be freed. NB. this will usually trigger a DNS query the first time it is - * be freed. NB. this will usually trigger a DNS query the first time it is
- * called. - * called.
- * This function does additional checks on the hostname to mitigate some - * This function does additional checks on the hostname to mitigate some
- * attacks on legacy rhosts-style authentication. - * attacks on based on conflation of hostnames and IP addresses.
- * XXX is RhostsRSAAuthentication vulnerable to these?
- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
- */ - */
- -
-static char * -static char *
@ -130,15 +126,16 @@ index 086b8ebb..687c57b4 100644
- return xstrdup(name); - return xstrdup(name);
-} -}
- -
/* -/*
* Return the canonical name of the host in the other side of the current * Return the canonical name of the host in the other side of the current
* connection. The host name is cached, so it is efficient to call this * connection. The host name is cached, so it is efficient to call this
* several times.
diff --git a/auth2-gss.c b/auth2-gss.c diff --git a/auth2-gss.c b/auth2-gss.c
index 9351e042..d6446c0c 100644 index 9351e042..d6446c0c 100644
--- a/auth2-gss.c --- a/auth2-gss.c
+++ b/auth2-gss.c +++ b/auth2-gss.c
@@ -1,7 +1,7 @@ @@ -1,7 +1,7 @@
/* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */ /* $OpenBSD: auth2-gss.c,v 1.32 2021/01/27 10:15:08 djm Exp $ */
/* /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -165,19 +162,19 @@ index 9351e042..d6446c0c 100644
+ +
+ if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 || + if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 ||
+ (r = sshpkt_get_end(ssh)) != 0) + (r = sshpkt_get_end(ssh)) != 0)
+ fatal("%s: %s", __func__, ssh_err(r)); + fatal_fr(r, "parsing");
+ +
+ if ((b = sshbuf_new()) == NULL) + if ((b = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed");
+ +
+ mic.value = p; + mic.value = p;
+ mic.length = len; + mic.length = len;
+ +
+ ssh_gssapi_buildmic(b, authctxt->user, authctxt->service, + ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
+ "gssapi-keyex"); + "gssapi-keyex", ssh->kex->session_id);
+ +
+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL) + if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
+ fatal("%s: sshbuf_mutable_ptr failed", __func__); + fatal_f("sshbuf_mutable_ptr failed");
+ gssbuf.length = sshbuf_len(b); + gssbuf.length = sshbuf_len(b);
+ +
+ /* gss_kex_context is NULL with privsep, so we can't check it here */ + /* gss_kex_context is NULL with privsep, so we can't check it here */
@ -197,7 +194,7 @@ index 9351e042..d6446c0c 100644
* how to check local user kuserok and the like) * how to check local user kuserok and the like)
@@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh) @@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
if ((r = sshpkt_get_end(ssh)) != 0) if ((r = sshpkt_get_end(ssh)) != 0)
fatal("%s: %s", __func__, ssh_err(r)); fatal_fr(r, "parse packet");
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); - authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, + authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
@ -441,7 +438,7 @@ index d56257b4..763a63ff 100644
--- a/gss-genr.c --- a/gss-genr.c
+++ b/gss-genr.c +++ b/gss-genr.c
@@ -1,7 +1,7 @@ @@ -1,7 +1,7 @@
/* $OpenBSD: gss-genr.c,v 1.26 2018/07/10 09:13:30 djm Exp $ */ /* $OpenBSD: gss-genr.c,v 1.28 2021/01/27 10:05:28 djm Exp $ */
/* /*
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@ -449,7 +446,7 @@ index d56257b4..763a63ff 100644
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@@ -41,12 +41,36 @@ @@ -41,9 +41,33 @@
#include "sshbuf.h" #include "sshbuf.h"
#include "log.h" #include "log.h"
#include "ssh2.h" #include "ssh2.h"
@ -461,9 +458,6 @@ index d56257b4..763a63ff 100644
#include "ssh-gss.h" #include "ssh-gss.h"
extern u_char *session_id2;
extern u_int session_id2_len;
+typedef struct { +typedef struct {
+ char *encoded; + char *encoded;
+ gss_OID oid; + gss_OID oid;
@ -486,7 +480,7 @@ index d56257b4..763a63ff 100644
/* sshbuf_get for gss_buffer_desc */ /* sshbuf_get for gss_buffer_desc */
int int
ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
@@ -62,6 +86,162 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) @@ -62,6 +86,159 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
return 0; return 0;
} }
@ -548,7 +542,7 @@ index d56257b4..763a63ff 100644
+ (gss_supported->count + 1)); + (gss_supported->count + 1));
+ +
+ if ((buf = sshbuf_new()) == NULL) + if ((buf = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed");
+ +
+ oidpos = 0; + oidpos = 0;
+ s = cp = xstrdup(kex); + s = cp = xstrdup(kex);
@ -565,8 +559,7 @@ index d56257b4..763a63ff 100644
+ gss_supported->elements[i].elements, + gss_supported->elements[i].elements,
+ gss_supported->elements[i].length)) != 0 || + gss_supported->elements[i].length)) != 0 ||
+ (r = ssh_digest_final(md, digest, sizeof(digest))) != 0) + (r = ssh_digest_final(md, digest, sizeof(digest))) != 0)
+ fatal("%s: digest failed: %s", __func__, + fatal_fr(r, "digest failed");
+ ssh_err(r));
+ ssh_digest_free(md); + ssh_digest_free(md);
+ md = NULL; + md = NULL;
+ +
@ -581,12 +574,10 @@ index d56257b4..763a63ff 100644
+ (p = strsep(&cp, ","))) { + (p = strsep(&cp, ","))) {
+ if (sshbuf_len(buf) != 0 && + if (sshbuf_len(buf) != 0 &&
+ (r = sshbuf_put_u8(buf, ',')) != 0) + (r = sshbuf_put_u8(buf, ',')) != 0)
+ fatal("%s: sshbuf_put_u8 error: %s", + fatal_fr(r, "sshbuf_put_u8 error");
+ __func__, ssh_err(r));
+ if ((r = sshbuf_put(buf, p, strlen(p))) != 0 || + if ((r = sshbuf_put(buf, p, strlen(p))) != 0 ||
+ (r = sshbuf_put(buf, encoded, enclen)) != 0) + (r = sshbuf_put(buf, encoded, enclen)) != 0)
+ fatal("%s: sshbuf_put error: %s", + fatal_fr(r, "sshbuf_put error");
+ __func__, ssh_err(r));
+ } + }
+ +
+ gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]); + gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
@ -599,7 +590,7 @@ index d56257b4..763a63ff 100644
+ gss_enc2oid[oidpos].encoded = NULL; + gss_enc2oid[oidpos].encoded = NULL;
+ +
+ if ((mechs = sshbuf_dup_string(buf)) == NULL) + if ((mechs = sshbuf_dup_string(buf)) == NULL)
+ fatal("%s: sshbuf_dup_string failed", __func__); + fatal_f("sshbuf_dup_string failed");
+ +
+ sshbuf_free(buf); + sshbuf_free(buf);
+ +
@ -721,7 +712,7 @@ index d56257b4..763a63ff 100644
+ +
void void
ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service, ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
const char *context) const char *context, const struct sshbuf *session_id)
@@ -273,11 +500,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service, @@ -273,11 +500,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
} }
@ -964,7 +955,7 @@ index ab3a15f0..6ce56e92 100644
--- a/gss-serv.c --- a/gss-serv.c
+++ b/gss-serv.c +++ b/gss-serv.c
@@ -1,7 +1,7 @@ @@ -1,7 +1,7 @@
/* $OpenBSD: gss-serv.c,v 1.31 2018/07/09 21:37:55 markus Exp $ */ /* $OpenBSD: gss-serv.c,v 1.32 2020/03/13 03:17:07 djm Exp $ */
/* /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -1123,10 +1114,10 @@ index ab3a15f0..6ce56e92 100644
+ +
+ if (gssapi_client.store.data != NULL) { + if (gssapi_client.store.data != NULL) {
+ if ((problem = krb5_cc_resolve(gssapi_client.store.data, gssapi_client.store.envval, &ccache))) { + if ((problem = krb5_cc_resolve(gssapi_client.store.data, gssapi_client.store.envval, &ccache))) {
+ debug("%s: krb5_cc_resolve(): %.100s", __func__, + debug_f("krb5_cc_resolve(): %.100s",
+ krb5_get_err_text(gssapi_client.store.data, problem)); + krb5_get_err_text(gssapi_client.store.data, problem));
+ } else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) { + } else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) {
+ debug("%s: krb5_cc_destroy(): %.100s", __func__, + debug_f("krb5_cc_destroy(): %.100s",
+ krb5_get_err_text(gssapi_client.store.data, problem)); + krb5_get_err_text(gssapi_client.store.data, problem));
+ } else { + } else {
+ krb5_free_context(gssapi_client.store.data); + krb5_free_context(gssapi_client.store.data);
@ -1375,7 +1366,7 @@ index ce85f043..574c7609 100644
@@ -698,6 +755,9 @@ kex_free(struct kex *kex) @@ -698,6 +755,9 @@ kex_free(struct kex *kex)
sshbuf_free(kex->server_version); sshbuf_free(kex->server_version);
sshbuf_free(kex->client_pub); sshbuf_free(kex->client_pub);
free(kex->session_id); sshbuf_free(kex->session_id);
+#ifdef GSSAPI +#ifdef GSSAPI
+ free(kex->gss_host); + free(kex->gss_host);
+#endif /* GSSAPI */ +#endif /* GSSAPI */
@ -1389,7 +1380,7 @@ index a5ae6ac0..fe714141 100644
@@ -102,6 +102,15 @@ enum kex_exchange { @@ -102,6 +102,15 @@ enum kex_exchange {
KEX_ECDH_SHA2, KEX_ECDH_SHA2,
KEX_C25519_SHA256, KEX_C25519_SHA256,
KEX_KEM_SNTRUP4591761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512,
+#ifdef GSSAPI +#ifdef GSSAPI
+ KEX_GSS_GRP1_SHA1, + KEX_GSS_GRP1_SHA1,
+ KEX_GSS_GRP14_SHA1, + KEX_GSS_GRP14_SHA1,
@ -1498,7 +1489,7 @@ new file mode 100644
index 00000000..f6e1405e index 00000000..f6e1405e
--- /dev/null --- /dev/null
+++ b/kexgssc.c +++ b/kexgssc.c
@@ -0,0 +1,606 @@ @@ -0,0 +1,599 @@
+/* +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ * + *
@ -1597,7 +1588,7 @@ index 00000000..f6e1405e
+ r = kex_c25519_keypair(kex); + r = kex_c25519_keypair(kex);
+ break; + break;
+ default: + default:
+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); + fatal_f("Unexpected KEX type %d", kex->kex_type);
+ } + }
+ if (r != 0) + if (r != 0)
+ return r; + return r;
@ -1785,7 +1776,7 @@ index 00000000..f6e1405e
+ server_blob, + server_blob,
+ shared_secret, + shared_secret,
+ hash, &hashlen)) != 0) + hash, &hashlen)) != 0)
+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); + fatal_f("Unexpected KEX type %d", kex->kex_type);
+ +
+ gssbuf.value = hash; + gssbuf.value = hash;
+ gssbuf.length = hashlen; + gssbuf.length = hashlen;
@ -2074,13 +2065,6 @@ index 00000000..f6e1405e
+ +
+ gss_release_buffer(&min_status, &msg_tok); + gss_release_buffer(&min_status, &msg_tok);
+ +
+ /* save session id */
+ if (kex->session_id == NULL) {
+ kex->session_id_len = hashlen;
+ kex->session_id = xmalloc(kex->session_id_len);
+ memcpy(kex->session_id, hash, kex->session_id_len);
+ }
+
+ if (kex->gss_deleg_creds) + if (kex->gss_deleg_creds)
+ ssh_gssapi_credentials_updated(ctxt); + ssh_gssapi_credentials_updated(ctxt);
+ +
@ -2202,12 +2186,12 @@ index 00000000..60bc02de
+ free(mechs); + free(mechs);
+ } + }
+ +
+ debug2("%s: Identifying %s", __func__, kex->name); + debug2_f("Identifying %s", kex->name);
+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type); + oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
+ if (oid == GSS_C_NO_OID) + if (oid == GSS_C_NO_OID)
+ fatal("Unknown gssapi mechanism"); + fatal("Unknown gssapi mechanism");
+ +
+ debug2("%s: Acquiring credentials", __func__); + debug2_f("Acquiring credentials");
+ +
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid)))) + if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
+ fatal("Unable to acquire credentials for the server"); + fatal("Unable to acquire credentials for the server");
@ -2242,7 +2226,7 @@ index 00000000..60bc02de
+ &shared_secret); + &shared_secret);
+ break; + break;
+ default: + default:
+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); + fatal_f("Unexpected KEX type %d", kex->kex_type);
+ } + }
+ if (r != 0) + if (r != 0)
+ goto out; + goto out;
@ -2398,12 +2382,12 @@ index 00000000..60bc02de
+ if ((mechs = ssh_gssapi_server_mechanisms())) + if ((mechs = ssh_gssapi_server_mechanisms()))
+ free(mechs); + free(mechs);
+ +
+ debug2("%s: Identifying %s", __func__, kex->name); + debug2_f("Identifying %s", kex->name);
+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type); + oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
+ if (oid == GSS_C_NO_OID) + if (oid == GSS_C_NO_OID)
+ fatal("Unknown gssapi mechanism"); + fatal("Unknown gssapi mechanism");
+ +
+ debug2("%s: Acquiring credentials", __func__); + debug2_f("Acquiring credentials");
+ +
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid)))) + if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
+ fatal("Unable to acquire credentials for the server"); + fatal("Unable to acquire credentials for the server");
@ -2641,44 +2625,44 @@ index 2ce89fe9..ebf76c7f 100644
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
@@ -1713,6 +1730,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor) @@ -1713,6 +1730,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
# ifdef OPENSSL_HAS_ECC # ifdef OPENSSL_HAS_ECC
kex->kex[KEX_ECDH_SHA2] = kex_gen_server; kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
# endif # endif
+# ifdef GSSAPI +# ifdef GSSAPI
+ if (options.gss_keyex) { + if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server; + kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+ kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server; + kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
+ kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server; + kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
+ kex->kex[KEX_GSS_GEX_SHA1] = kexgssgex_server; + kex->kex[KEX_GSS_GEX_SHA1] = kexgssgex_server;
+ kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server; + kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server;
+ kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server; + kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server;
+ } + }
+# endif +# endif
#endif /* WITH_OPENSSL */ #endif /* WITH_OPENSSL */
kex->kex[KEX_C25519_SHA256] = kex_gen_server; kex->kex[KEX_C25519_SHA256] = kex_gen_server;
kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
@@ -1806,8 +1834,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m) @@ -1806,8 +1834,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
u_char *p; u_char *p;
int r; int r;
- if (!options.gss_authentication) - if (!options.gss_authentication)
- fatal("%s: GSSAPI authentication not enabled", __func__); - fatal_f("GSSAPI authentication not enabled");
+ if (!options.gss_authentication && !options.gss_keyex) + if (!options.gss_authentication && !options.gss_keyex)
+ fatal("%s: GSSAPI not enabled", __func__); + fatal_f("GSSAPI not enabled");
if ((r = sshbuf_get_string(m, &p, &len)) != 0) if ((r = sshbuf_get_string(m, &p, &len)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
@@ -1839,8 +1867,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) @@ -1839,8 +1867,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
OM_uint32 flags = 0; /* GSI needs this */ OM_uint32 flags = 0; /* GSI needs this */
int r; int r;
- if (!options.gss_authentication) - if (!options.gss_authentication)
- fatal("%s: GSSAPI authentication not enabled", __func__); - fatal_f("GSSAPI authentication not enabled");
+ if (!options.gss_authentication && !options.gss_keyex) + if (!options.gss_authentication && !options.gss_keyex)
+ fatal("%s: GSSAPI not enabled", __func__); + fatal_f("GSSAPI not enabled");
if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0) if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "ssh_gssapi_get_buffer_desc");
@@ -1860,6 +1888,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) @@ -1860,6 +1888,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
@ -2692,9 +2676,9 @@ index 2ce89fe9..ebf76c7f 100644
int r; int r;
- if (!options.gss_authentication) - if (!options.gss_authentication)
- fatal("%s: GSSAPI authentication not enabled", __func__); - fatal_f("GSSAPI authentication not enabled");
+ if (!options.gss_authentication && !options.gss_keyex) + if (!options.gss_authentication && !options.gss_keyex)
+ fatal("%s: GSSAPI not enabled", __func__); + fatal_f("GSSAPI not enabled");
if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 || if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
(r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0) (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
@ -2707,13 +2691,13 @@ index 2ce89fe9..ebf76c7f 100644
const char *displayname; const char *displayname;
- if (!options.gss_authentication) - if (!options.gss_authentication)
- fatal("%s: GSSAPI authentication not enabled", __func__); - fatal_f("GSSAPI authentication not enabled");
+ if (!options.gss_authentication && !options.gss_keyex) + if (!options.gss_authentication && !options.gss_keyex)
+ fatal("%s: GSSAPI not enabled", __func__); + fatal_f("GSSAPI not enabled");
- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); - authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+ if ((r = sshbuf_get_u32(m, &kex)) != 0) + if ((r = sshbuf_get_u32(m, &kex)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ authenticated = authctxt->valid && + authenticated = authctxt->valid &&
+ ssh_gssapi_userok(authctxt->user, authctxt->pw, kex); + ssh_gssapi_userok(authctxt->user, authctxt->pw, kex);
@ -2721,7 +2705,7 @@ index 2ce89fe9..ebf76c7f 100644
sshbuf_reset(m); sshbuf_reset(m);
if ((r = sshbuf_put_u32(m, authenticated)) != 0) if ((r = sshbuf_put_u32(m, authenticated)) != 0)
@@ -1913,7 +1946,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) @@ -1913,7 +1946,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
debug3("%s: sending result %d", __func__, authenticated); debug3_f("sending result %d", authenticated);
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
- auth_method = "gssapi-with-mic"; - auth_method = "gssapi-with-mic";
@ -2733,7 +2717,7 @@ index 2ce89fe9..ebf76c7f 100644
if ((displayname = ssh_gssapi_displayname()) != NULL) if ((displayname = ssh_gssapi_displayname()) != NULL)
auth2_record_info(authctxt, "%s", displayname); auth2_record_info(authctxt, "%s", displayname);
@@ -1921,5 +1958,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) @@ -1921,5 +1958,84 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
/* Monitor loop will terminate if authenticated */ /* Monitor loop will terminate if authenticated */
return (authenticated); return (authenticated);
} }
@ -2749,16 +2733,15 @@ index 2ce89fe9..ebf76c7f 100644
+ int r; + int r;
+ +
+ if (!options.gss_authentication && !options.gss_keyex) + if (!options.gss_authentication && !options.gss_keyex)
+ fatal("%s: GSSAPI not enabled", __func__); + fatal_f("GSSAPI not enabled");
+ +
+ if ((r = sshbuf_get_string(m, &p, &len)) != 0) + if ((r = sshbuf_get_string(m, &p, &len)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ data.value = p; + data.value = p;
+ data.length = len; + data.length = len;
+ /* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */ + /* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */
+ if (data.length != 20 && data.length != 32 && data.length != 64) + if (data.length != 20 && data.length != 32 && data.length != 64)
+ fatal("%s: data length incorrect: %d", __func__, + fatal_f("data length incorrect: %d", (int) data.length);
+ (int) data.length);
+ +
+ /* Save the session ID on the first time around */ + /* Save the session ID on the first time around */
+ if (session_id2_len == 0) { + if (session_id2_len == 0) {
@ -2774,7 +2757,7 @@ index 2ce89fe9..ebf76c7f 100644
+ +
+ if ((r = sshbuf_put_u32(m, major)) != 0 || + if ((r = sshbuf_put_u32(m, major)) != 0 ||
+ (r = sshbuf_put_string(m, hash.value, hash.length)) != 0) + (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ mm_request_send(socket, MONITOR_ANS_GSSSIGN, m); + mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+ +
@ -2795,12 +2778,12 @@ index 2ce89fe9..ebf76c7f 100644
+ int r, ok; + int r, ok;
+ +
+ if (!options.gss_authentication && !options.gss_keyex) + if (!options.gss_authentication && !options.gss_keyex)
+ fatal("%s: GSSAPI not enabled", __func__); + fatal_f("GSSAPI not enabled");
+ +
+ if ((r = sshbuf_get_string(m, (u_char **)&store.filename, NULL)) != 0 || + if ((r = sshbuf_get_string(m, (u_char **)&store.filename, NULL)) != 0 ||
+ (r = sshbuf_get_string(m, (u_char **)&store.envvar, NULL)) != 0 || + (r = sshbuf_get_string(m, (u_char **)&store.envvar, NULL)) != 0 ||
+ (r = sshbuf_get_string(m, (u_char **)&store.envval, NULL)) != 0) + (r = sshbuf_get_string(m, (u_char **)&store.envval, NULL)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ ok = ssh_gssapi_update_creds(&store); + ok = ssh_gssapi_update_creds(&store);
+ +
@ -2810,7 +2793,7 @@ index 2ce89fe9..ebf76c7f 100644
+ +
+ sshbuf_reset(m); + sshbuf_reset(m);
+ if ((r = sshbuf_put_u32(m, ok)) != 0) + if ((r = sshbuf_put_u32(m, ok)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m); + mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
+ +
@ -2847,14 +2830,14 @@ index 001a8fa1..6edb509a 100644
int r, authenticated = 0; int r, authenticated = 0;
if ((m = sshbuf_new()) == NULL) if ((m = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__); fatal_f("sshbuf_new failed");
+ if ((r = sshbuf_put_u32(m, kex)) != 0) + if ((r = sshbuf_put_u32(m, kex)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
mm_request_receive_expect(pmonitor->m_recvfd, mm_request_receive_expect(pmonitor->m_recvfd,
@@ -1012,4 +1014,57 @@ mm_ssh_gssapi_userok(char *user) @@ -1012,4 +1014,57 @@ mm_ssh_gssapi_userok(char *user)
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); debug3_f("user %sauthenticated", authenticated ? "" : "not ");
return (authenticated); return (authenticated);
} }
+ +
@ -2866,16 +2849,16 @@ index 001a8fa1..6edb509a 100644
+ int r; + int r;
+ +
+ if ((m = sshbuf_new()) == NULL) + if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed");
+ if ((r = sshbuf_put_string(m, data->value, data->length)) != 0) + if ((r = sshbuf_put_string(m, data->value, data->length)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, m);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, m);
+ +
+ if ((r = sshbuf_get_u32(m, &major)) != 0 || + if ((r = sshbuf_get_u32(m, &major)) != 0 ||
+ (r = ssh_gssapi_get_buffer_desc(m, hash)) != 0) + (r = ssh_gssapi_get_buffer_desc(m, hash)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ sshbuf_free(m); + sshbuf_free(m);
+ +
@ -2889,7 +2872,7 @@ index 001a8fa1..6edb509a 100644
+ int r, ok; + int r, ok;
+ +
+ if ((m = sshbuf_new()) == NULL) + if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed");
+ +
+ if ((r = sshbuf_put_cstring(m, + if ((r = sshbuf_put_cstring(m,
+ store->filename ? store->filename : "")) != 0 || + store->filename ? store->filename : "")) != 0 ||
@ -2897,13 +2880,13 @@ index 001a8fa1..6edb509a 100644
+ store->envvar ? store->envvar : "")) != 0 || + store->envvar ? store->envvar : "")) != 0 ||
+ (r = sshbuf_put_cstring(m, + (r = sshbuf_put_cstring(m,
+ store->envval ? store->envval : "")) != 0) + store->envval ? store->envval : "")) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, m);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, m);
+ +
+ if ((r = sshbuf_get_u32(m, &ok)) != 0) + if ((r = sshbuf_get_u32(m, &ok)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ sshbuf_free(m); + sshbuf_free(m);
+ +
@ -2927,10 +2910,9 @@ index 23ab096a..485590c1 100644
#endif #endif
#ifdef USE_PAM #ifdef USE_PAM
diff --git a/readconf.c b/readconf.c diff -up a/readconf.c.gsskex b/readconf.c
index f3cac6b3..da8022dd 100644 --- a/readconf.c.gsskex 2021-08-20 06:03:49.000000000 +0200
--- a/readconf.c +++ b/readconf.c 2021-08-27 12:25:42.556421509 +0200
+++ b/readconf.c
@@ -67,6 +67,7 @@ @@ -67,6 +67,7 @@
#include "uidswap.h" #include "uidswap.h"
#include "myproposal.h" #include "myproposal.h"
@ -2939,7 +2921,7 @@ index f3cac6b3..da8022dd 100644
/* Format of the configuration file: /* Format of the configuration file:
@@ -160,6 +161,8 @@ typedef enum { @@ -161,6 +162,8 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost, oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds, oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@ -2948,7 +2930,7 @@ index f3cac6b3..da8022dd 100644
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts, oHashKnownHosts,
@@ -204,10 +207,22 @@ static struct { @@ -206,10 +209,22 @@ static struct {
/* Sometimes-unsupported options */ /* Sometimes-unsupported options */
#if defined(GSSAPI) #if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication }, { "gssapiauthentication", oGssAuthentication },
@ -2971,7 +2953,7 @@ index f3cac6b3..da8022dd 100644
#endif #endif
#ifdef ENABLE_PKCS11 #ifdef ENABLE_PKCS11
{ "pkcs11provider", oPKCS11Provider }, { "pkcs11provider", oPKCS11Provider },
@@ -1029,10 +1044,42 @@ parse_time: @@ -1113,10 +1128,42 @@ parse_time:
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@ -3000,7 +2982,7 @@ index f3cac6b3..da8022dd 100644
+ goto parse_flag; + goto parse_flag;
+ +
+ case oGssKexAlgorithms: + case oGssKexAlgorithms:
+ arg = strdelim(&s); + arg = argv_next(&ac, &av);
+ if (!arg || *arg == '\0') + if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.", + fatal("%.200s line %d: Missing argument.",
+ filename, linenum); + filename, linenum);
@ -3014,9 +2996,9 @@ index f3cac6b3..da8022dd 100644
case oBatchMode: case oBatchMode:
intptr = &options->batch_mode; intptr = &options->batch_mode;
goto parse_flag; goto parse_flag;
@@ -1911,7 +1958,13 @@ initialize_options(Options * options) @@ -2306,7 +2353,13 @@ initialize_options(Options * options)
options->fwd_opts.streamlocal_bind_unlink = -1;
options->pubkey_authentication = -1; options->pubkey_authentication = -1;
options->challenge_response_authentication = -1;
options->gss_authentication = -1; options->gss_authentication = -1;
+ options->gss_keyex = -1; + options->gss_keyex = -1;
options->gss_deleg_creds = -1; options->gss_deleg_creds = -1;
@ -3028,8 +3010,8 @@ index f3cac6b3..da8022dd 100644
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL; options->kbd_interactive_devices = NULL;
@@ -2059,8 +2112,18 @@ fill_default_options(Options * options) @@ -2463,8 +2516,18 @@ fill_default_options(Options * options)
options->challenge_response_authentication = 1; options->pubkey_authentication = 1;
if (options->gss_authentication == -1) if (options->gss_authentication == -1)
options->gss_authentication = 0; options->gss_authentication = 0;
+ if (options->gss_keyex == -1) + if (options->gss_keyex == -1)
@ -3047,7 +3029,7 @@ index f3cac6b3..da8022dd 100644
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -2702,7 +2765,14 @@ dump_client_config(Options *o, const char *host) @@ -3246,7 +3309,14 @@ dump_client_config(Options *o, const cha
dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
#ifdef GSSAPI #ifdef GSSAPI
dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
@ -3062,13 +3044,12 @@ index f3cac6b3..da8022dd 100644
#endif /* GSSAPI */ #endif /* GSSAPI */
dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts); dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication); dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
diff --git a/readconf.h b/readconf.h diff -up a/readconf.h.gsskex b/readconf.h
index feedb3d2..a8a8870d 100644 --- a/readconf.h.gsskex 2021-08-27 12:05:29.248142431 +0200
--- a/readconf.h +++ b/readconf.h 2021-08-27 12:22:19.270679852 +0200
+++ b/readconf.h @@ -39,7 +39,13 @@ typedef struct {
@@ -41,7 +41,13 @@ typedef struct { int pubkey_authentication; /* Try ssh2 pubkey authentication. */
int challenge_response_authentication; int hostbased_authentication; /* ssh2's rhosts_rsa */
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */ int gss_authentication; /* Try GSS authentication */
+ int gss_keyex; /* Try GSS key exchange */ + int gss_keyex; /* Try GSS key exchange */
int gss_deleg_creds; /* Delegate GSS credentials */ int gss_deleg_creds; /* Delegate GSS credentials */
@ -3080,11 +3061,10 @@ index feedb3d2..a8a8870d 100644
int password_authentication; /* Try password int password_authentication; /* Try password
* authentication. */ * authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/servconf.c b/servconf.c diff -up a/servconf.c.gsskex b/servconf.c
index 70f5f73f..191575a1 100644 --- a/servconf.c.gsskex 2021-08-20 06:03:49.000000000 +0200
--- a/servconf.c +++ b/servconf.c 2021-08-27 12:28:15.887735189 +0200
+++ b/servconf.c @@ -70,6 +70,7 @@
@@ -69,6 +69,7 @@
#include "auth.h" #include "auth.h"
#include "myproposal.h" #include "myproposal.h"
#include "digest.h" #include "digest.h"
@ -3092,7 +3072,7 @@ index 70f5f73f..191575a1 100644
static void add_listen_addr(ServerOptions *, const char *, static void add_listen_addr(ServerOptions *, const char *,
const char *, int); const char *, int);
@@ -133,8 +134,11 @@ initialize_server_options(ServerOptions *options) @@ -136,8 +137,11 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1; options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1; options->kerberos_get_afs_token = -1;
options->gss_authentication=-1; options->gss_authentication=-1;
@ -3103,8 +3083,8 @@ index 70f5f73f..191575a1 100644
+ options->gss_kex_algorithms = NULL; + options->gss_kex_algorithms = NULL;
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1; options->permit_empty_passwd = -1;
@@ -375,10 +379,18 @@ fill_default_server_options(ServerOptions *options) @@ -356,10 +360,18 @@ fill_default_server_options(ServerOption
options->kerberos_get_afs_token = 0; options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1) if (options->gss_authentication == -1)
options->gss_authentication = 0; options->gss_authentication = 0;
@ -3123,15 +3103,15 @@ index 70f5f73f..191575a1 100644
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -531,6 +543,7 @@ typedef enum { @@ -506,6 +518,7 @@ typedef enum {
sHostKeyAlgorithms, sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey, + sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
sAcceptEnv, sSetEnv, sPermitTunnel, sAcceptEnv, sSetEnv, sPermitTunnel,
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding, sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -607,12 +620,22 @@ static struct { @@ -587,12 +600,22 @@ static struct {
#ifdef GSSAPI #ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@ -3153,8 +3133,8 @@ index 70f5f73f..191575a1 100644
+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, + { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, { "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
@@ -1548,6 +1571,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, @@ -1576,6 +1599,10 @@ process_server_config_line_depth(ServerO
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@ -3165,7 +3145,7 @@ index 70f5f73f..191575a1 100644
case sGssCleanupCreds: case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds; intptr = &options->gss_cleanup_creds;
goto parse_flag; goto parse_flag;
@@ -1556,6 +1583,22 @@ process_server_config_line_depth(ServerOptions *options, char *line, @@ -1584,6 +1611,22 @@ process_server_config_line_depth(ServerO
intptr = &options->gss_strict_acceptor; intptr = &options->gss_strict_acceptor;
goto parse_flag; goto parse_flag;
@ -3174,7 +3154,7 @@ index 70f5f73f..191575a1 100644
+ goto parse_flag; + goto parse_flag;
+ +
+ case sGssKexAlgorithms: + case sGssKexAlgorithms:
+ arg = strdelim(&cp); + arg = argv_next(&ac, &av);
+ if (!arg || *arg == '\0') + if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.", + fatal("%.200s line %d: Missing argument.",
+ filename, linenum); + filename, linenum);
@ -3188,7 +3168,7 @@ index 70f5f73f..191575a1 100644
case sPasswordAuthentication: case sPasswordAuthentication:
intptr = &options->password_authentication; intptr = &options->password_authentication;
goto parse_flag; goto parse_flag;
@@ -2777,6 +2820,10 @@ dump_config(ServerOptions *o) @@ -2892,6 +2935,10 @@ dump_config(ServerOptions *o)
#ifdef GSSAPI #ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@ -3246,14 +3226,14 @@ index 36180d07..70dd3665 100644
--- a/ssh-gss.h --- a/ssh-gss.h
+++ b/ssh-gss.h +++ b/ssh-gss.h
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
/* $OpenBSD: ssh-gss.h,v 1.14 2018/07/10 09:13:30 djm Exp $ */ /* $OpenBSD: ssh-gss.h,v 1.15 2021/01/27 10:05:28 djm Exp $ */
/* /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@@ -61,10 +61,30 @@ @@ -61,10 +61,34 @@
#define SSH_GSS_OIDTYPE 0x06 #define SSH_GSS_OIDTYPE 0x06
@ -3273,8 +3253,12 @@ index 36180d07..70dd3665 100644
+#define KEX_GSS_C25519_SHA256_ID "gss-curve25519-sha256-" +#define KEX_GSS_C25519_SHA256_ID "gss-curve25519-sha256-"
+ +
+#define GSS_KEX_DEFAULT_KEX \ +#define GSS_KEX_DEFAULT_KEX \
+ KEX_GSS_GEX_SHA1_ID "," \ + KEX_GSS_GRP14_SHA256_ID "," \
+ KEX_GSS_GRP14_SHA1_ID + KEX_GSS_GRP16_SHA512_ID "," \
+ KEX_GSS_NISTP256_SHA256_ID "," \
+ KEX_GSS_C25519_SHA256_ID "," \
+ KEX_GSS_GRP14_SHA1_ID "," \
+ KEX_GSS_GEX_SHA1_ID
+ +
typedef struct { typedef struct {
char *filename; char *filename;
@ -3328,7 +3312,7 @@ index 36180d07..70dd3665 100644
@@ -123,17 +149,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **); @@ -123,17 +149,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_buildmic(struct sshbuf *, const char *, void ssh_gssapi_buildmic(struct sshbuf *, const char *,
const char *, const char *); const char *, const char *, const struct sshbuf *);
-int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *); -int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *); +int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *);
+OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *); +OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *);
@ -3378,7 +3362,7 @@ index 60de6087..db5c65bc 100644
+.It GSSAPITrustDns +.It GSSAPITrustDns
.It HashKnownHosts .It HashKnownHosts
.It Host .It Host
.It HostbasedAuthentication .It HostbasedAcceptedAlgorithms
@@ -579,6 +585,8 @@ flag), @@ -579,6 +585,8 @@ flag),
(supported message integrity codes), (supported message integrity codes),
.Ar kex .Ar kex
@ -3429,7 +3413,7 @@ diff --git a/ssh_config.5 b/ssh_config.5
index 06a32d31..3f490697 100644 index 06a32d31..3f490697 100644
--- a/ssh_config.5 --- a/ssh_config.5
+++ b/ssh_config.5 +++ b/ssh_config.5
@@ -766,10 +766,67 @@ The default is @@ -766,10 +766,68 @@ The default is
Specifies whether user authentication based on GSSAPI is allowed. Specifies whether user authentication based on GSSAPI is allowed.
The default is The default is
.Cm no . .Cm no .
@ -3492,8 +3476,9 @@ index 06a32d31..3f490697 100644
+.Ed +.Ed
+.Pp +.Pp
+The default is +The default is
+.Dq gss-gex-sha1-,gss-group14-sha1- . +.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
+This option only applies to protocol version 2 connections using GSSAPI. +gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
+This option only applies to connections using GSSAPI.
.It Cm HashKnownHosts .It Cm HashKnownHosts
Indicates that Indicates that
.Xr ssh 1 .Xr ssh 1
@ -3521,9 +3506,9 @@ index af00fb30..03bc87eb 100644
+ +
xxx_host = host; xxx_host = host;
xxx_hostaddr = hostaddr; xxx_hostaddr = hostaddr;
xxx_conn_info = cinfo;
@@ -206,6 +209,35 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) @@ -206,6 +209,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
compat_pkalg_proposal(options.hostkeyalgorithms); compat_pkalg_proposal(ssh, options.hostkeyalgorithms);
} }
+#if defined(GSSAPI) && defined(WITH_OPENSSL) +#if defined(GSSAPI) && defined(WITH_OPENSSL)
@ -3532,12 +3517,19 @@ index af00fb30..03bc87eb 100644
+ * client to the key exchange algorithm proposal */ + * client to the key exchange algorithm proposal */
+ orig = myproposal[PROPOSAL_KEX_ALGS]; + orig = myproposal[PROPOSAL_KEX_ALGS];
+ +
+ if (options.gss_server_identity) + if (options.gss_server_identity) {
+ gss_host = xstrdup(options.gss_server_identity); + gss_host = xstrdup(options.gss_server_identity);
+ else if (options.gss_trust_dns) + } else if (options.gss_trust_dns) {
+ gss_host = remote_hostname(ssh); + gss_host = remote_hostname(ssh);
+ else + /* Fall back to specified host if we are using proxy command
+ * and can not use DNS on that socket */
+ if (strcmp(gss_host, "UNKNOWN") == 0) {
+ free(gss_host);
+ gss_host = xstrdup(host);
+ }
+ } else {
+ gss_host = xstrdup(host); + gss_host = xstrdup(host);
+ }
+ +
+ gss = ssh_gssapi_client_mechanisms(gss_host, + gss = ssh_gssapi_client_mechanisms(gss_host,
+ options.gss_client_identity, options.gss_kex_algorithms); + options.gss_client_identity, options.gss_kex_algorithms);
@ -3576,7 +3568,7 @@ index af00fb30..03bc87eb 100644
+# endif +# endif
+#endif /* WITH_OPENSSL */ +#endif /* WITH_OPENSSL */
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client; ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
ssh->kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_client; ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
ssh->kex->verify_host_key=&verify_host_key_callback; ssh->kex->verify_host_key=&verify_host_key_callback;
+#if defined(GSSAPI) && defined(WITH_OPENSSL) +#if defined(GSSAPI) && defined(WITH_OPENSSL)
@ -3592,7 +3584,7 @@ index af00fb30..03bc87eb 100644
/* remove ext-info from the KEX proposals for rekeying */ /* remove ext-info from the KEX proposals for rekeying */
myproposal[PROPOSAL_KEX_ALGS] = myproposal[PROPOSAL_KEX_ALGS] =
compat_kex_proposal(options.kex_algorithms); compat_kex_proposal(ssh, options.kex_algorithms);
+#if defined(GSSAPI) && defined(WITH_OPENSSL) +#if defined(GSSAPI) && defined(WITH_OPENSSL)
+ /* repair myproposal after it was crumpled by the */ + /* repair myproposal after it was crumpled by the */
+ /* ext-info removal above */ + /* ext-info removal above */
@ -3604,7 +3596,7 @@ index af00fb30..03bc87eb 100644
+ } + }
+#endif +#endif
if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0) if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
fatal("kex_prop2buf: %s", ssh_err(r)); fatal_r(r, "kex_prop2buf");
@@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *); @@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
static int input_gssapi_token(int type, u_int32_t, struct ssh *); static int input_gssapi_token(int type, u_int32_t, struct ssh *);
@ -3626,18 +3618,25 @@ index af00fb30..03bc87eb 100644
{"gssapi-with-mic", {"gssapi-with-mic",
userauth_gssapi, userauth_gssapi,
userauth_gssapi_cleanup, userauth_gssapi_cleanup,
@@ -716,12 +784,25 @@ userauth_gssapi(struct ssh *ssh) @@ -716,12 +784,32 @@ userauth_gssapi(struct ssh *ssh)
OM_uint32 min; OM_uint32 min;
int r, ok = 0; int r, ok = 0;
gss_OID mech = NULL; gss_OID mech = NULL;
+ char *gss_host; + char *gss_host = NULL;
+ +
+ if (options.gss_server_identity) + if (options.gss_server_identity) {
+ gss_host = xstrdup(options.gss_server_identity); + gss_host = xstrdup(options.gss_server_identity);
+ else if (options.gss_trust_dns) + } else if (options.gss_trust_dns) {
+ gss_host = remote_hostname(ssh); + gss_host = remote_hostname(ssh);
+ else + /* Fall back to specified host if we are using proxy command
+ * and can not use DNS on that socket */
+ if (strcmp(gss_host, "UNKNOWN") == 0) {
+ free(gss_host);
+ gss_host = xstrdup(authctxt->host);
+ }
+ } else {
+ gss_host = xstrdup(authctxt->host); + gss_host = xstrdup(authctxt->host);
+ }
/* Try one GSSAPI method at a time, rather than sending them all at /* Try one GSSAPI method at a time, rather than sending them all at
* once. */ * once. */
@ -3695,13 +3694,13 @@ index af00fb30..03bc87eb 100644
+ } + }
+ +
+ if ((b = sshbuf_new()) == NULL) + if ((b = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed");
+ +
+ ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service, + ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service,
+ "gssapi-keyex"); + "gssapi-keyex", ssh->kex->session_id);
+ +
+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL) + if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
+ fatal("%s: sshbuf_mutable_ptr failed", __func__); + fatal_f("sshbuf_mutable_ptr failed");
+ gssbuf.length = sshbuf_len(b); + gssbuf.length = sshbuf_len(b);
+ +
+ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) { + if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
@ -3715,7 +3714,7 @@ index af00fb30..03bc87eb 100644
+ (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 || + (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
+ (r = sshpkt_put_string(ssh, mic.value, mic.length)) != 0 || + (r = sshpkt_put_string(ssh, mic.value, mic.length)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0) + (r = sshpkt_send(ssh)) != 0)
+ fatal("%s: %s", __func__, ssh_err(r)); + fatal_fr(r, "parsing");
+ +
+ sshbuf_free(b); + sshbuf_free(b);
+ gss_release_buffer(&ms, &mic); + gss_release_buffer(&ms, &mic);
@ -3732,11 +3731,11 @@ index 60b2aaf7..d92f03aa 100644
+++ b/sshd.c +++ b/sshd.c
@@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh) @@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh)
} }
debug3("%s: sent %u hostkeys", __func__, nkeys); debug3_f("sent %u hostkeys", nkeys);
if (nkeys == 0) if (nkeys == 0)
- fatal("%s: no hostkeys", __func__); - fatal_f("no hostkeys");
- if ((r = sshpkt_send(ssh)) != 0) - if ((r = sshpkt_send(ssh)) != 0)
+ debug3("%s: no hostkeys", __func__); + debug3_f("no hostkeys");
+ else if ((r = sshpkt_send(ssh)) != 0) + else if ((r = sshpkt_send(ssh)) != 0)
sshpkt_fatal(ssh, r, "%s: send", __func__); sshpkt_fatal(ssh, r, "%s: send", __func__);
sshbuf_free(buf); sshbuf_free(buf);
@ -3753,7 +3752,7 @@ index 60b2aaf7..d92f03aa 100644
} }
@@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh) @@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
list_hostkey_types()); ssh, list_hostkey_types());
+#if defined(GSSAPI) && defined(WITH_OPENSSL) +#if defined(GSSAPI) && defined(WITH_OPENSSL)
+ { + {
@ -3799,7 +3798,7 @@ index 60b2aaf7..d92f03aa 100644
+ +
/* start key exchange */ /* start key exchange */
if ((r = kex_setup(ssh, myproposal)) != 0) if ((r = kex_setup(ssh, myproposal)) != 0)
fatal("kex_setup: %s", ssh_err(r)); fatal_r(r, "kex_setup");
@@ -2362,7 +2405,18 @@ do_ssh2_kex(struct ssh *ssh) @@ -2362,7 +2405,18 @@ do_ssh2_kex(struct ssh *ssh)
# ifdef OPENSSL_HAS_ECC # ifdef OPENSSL_HAS_ECC
kex->kex[KEX_ECDH_SHA2] = kex_gen_server; kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
@ -3818,7 +3817,7 @@ index 60b2aaf7..d92f03aa 100644
+# endif +# endif
+#endif /* WITH_OPENSSL */ +#endif /* WITH_OPENSSL */
kex->kex[KEX_C25519_SHA256] = kex_gen_server; kex->kex[KEX_C25519_SHA256] = kex_gen_server;
kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
kex->load_host_public_key=&get_hostkey_public_by_type; kex->load_host_public_key=&get_hostkey_public_by_type;
diff --git a/sshd_config b/sshd_config diff --git a/sshd_config b/sshd_config
index 19b7c91a..2c48105f 100644 index 19b7c91a..2c48105f 100644
@ -3849,7 +3848,7 @@ index 70ccea44..f6b41a2f 100644
.It Cm GSSAPIStrictAcceptorCheck .It Cm GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor Determines whether to be strict about the identity of the GSSAPI acceptor
a client authenticates against. a client authenticates against.
@@ -660,6 +665,31 @@ machine's default store. @@ -660,6 +665,32 @@ machine's default store.
This facility is provided to assist with operation on multi homed machines. This facility is provided to assist with operation on multi homed machines.
The default is The default is
.Cm yes . .Cm yes .
@ -3876,11 +3875,12 @@ index 70ccea44..f6b41a2f 100644
+.Ed +.Ed
+.Pp +.Pp
+The default is +The default is
+.Dq gss-gex-sha1-,gss-group14-sha1- . +.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
+This option only applies to protocol version 2 connections using GSSAPI. +gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
.It Cm HostbasedAcceptedKeyTypes +This option only applies to connections using GSSAPI.
Specifies the key types that will be accepted for hostbased authentication .It Cm HostbasedAcceptedAlgorithms
as a list of comma-separated patterns. Specifies the signature algorithms that will be accepted for hostbased
authentication as a list of comma-separated patterns.
diff --git a/sshkey.c b/sshkey.c diff --git a/sshkey.c b/sshkey.c
index 57995ee6..fd5b7724 100644 index 57995ee6..fd5b7724 100644
--- a/sshkey.c --- a/sshkey.c


@ -0,0 +1,12 @@
diff -up openssh-8.0p1/ssh-keygen.c.strip-doseol openssh-8.0p1/ssh-keygen.c
--- openssh-8.0p1/ssh-keygen.c.strip-doseol 2021-03-18 17:41:34.472404994 +0100
+++ openssh-8.0p1/ssh-keygen.c 2021-03-18 17:41:55.255538761 +0100
@@ -901,7 +901,7 @@ do_fingerprint(struct passwd *pw)
while (getline(&line, &linesize, f) != -1) {
lnum++;
cp = line;
- cp[strcspn(cp, "\n")] = '\0';
+ cp[strcspn(cp, "\r\n")] = '\0';
/* Trim leading space and comments */
cp = line + strspn(line, " \t");
if (*cp == '#' || *cp == '\0')
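Review bot: The new `cp[strcspn(cp, "\r\n")] = '\0';` truncates the line at the first CR anywhere in it, not only at a trailing CRLF, and nothing in the hunk records why the change is wanted, so a later cleanup could revert it; a one-line comment keeps the intent visible: `/* strip a DOS CR as well as the LF: key files are often copied from Windows hosts */`. A bare CR inside a key line is presumably never legitimate in the formats do_fingerprint reads, so the wider truncation looks harmless, but that is inferred rather than visible here. do_fingerprint begins and ends outside the hunk.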


@ -96,7 +96,7 @@ index b6f041f4..1fbce2bb 100644
+ goto out; + goto out;
+ } + }
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, + r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
+ kex->session_id, kex->session_id_len); + sshbuf_ptr(kex->session_id), sshbuf_len(kex->session_id));
+ if (r != 1) { + if (r != 1) {
+ r = SSH_ERR_LIBCRYPTO_ERROR; + r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out; + goto out;



@ -0,0 +1,44 @@
diff -up openssh-8.0p1/auth-pam.c.preserve-pam-errors openssh-8.0p1/auth-pam.c
--- openssh-8.0p1/auth-pam.c.preserve-pam-errors 2021-03-31 17:03:15.618592347 +0200
+++ openssh-8.0p1/auth-pam.c 2021-03-31 17:06:58.115220014 +0200
@@ -511,7 +511,11 @@ sshpam_thread(void *ctxtp)
goto auth_fail;
if (!do_pam_account()) {
- sshpam_err = PAM_ACCT_EXPIRED;
+ /* Preserve PAM_PERM_DENIED and PAM_USER_UNKNOWN.
+ * Backward compatibility for other errors. */
+ if (sshpam_err != PAM_PERM_DENIED
+ && sshpam_err != PAM_USER_UNKNOWN)
+ sshpam_err = PAM_ACCT_EXPIRED;
goto auth_fail;
}
if (sshpam_authctxt->force_pwchange) {
@@ -568,8 +572,10 @@ sshpam_thread(void *ctxtp)
pam_strerror(sshpam_handle, sshpam_err))) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
/* XXX - can't do much about an error here */
- if (sshpam_err == PAM_ACCT_EXPIRED)
- ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, buffer);
+ if (sshpam_err == PAM_PERM_DENIED
+ || sshpam_err == PAM_USER_UNKNOWN
+ || sshpam_err == PAM_ACCT_EXPIRED)
+ ssh_msg_send(ctxt->pam_csock, sshpam_err, buffer);
else if (sshpam_maxtries_reached)
ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, buffer);
else
@@ -856,10 +862,12 @@ sshpam_query(void *ctx, char **name, cha
plen++;
free(msg);
break;
+ case PAM_USER_UNKNOWN:
+ case PAM_PERM_DENIED:
case PAM_ACCT_EXPIRED:
+ sshpam_account_status = 0;
+ /* FALLTHROUGH */
case PAM_MAXTRIES:
- if (type == PAM_ACCT_EXPIRED)
- sshpam_account_status = 0;
if (type == PAM_MAXTRIES)
sshpam_set_maxtries_reached(1);
/* FALLTHROUGH */
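Review bot: In the `sshpam_query` hunk the new `case PAM_USER_UNKNOWN:` and `case PAM_PERM_DENIED:` labels route those codes through the same path as PAM_ACCT_EXPIRED, so what changes is the `sshpam_account_status = 0` assignment and the PAM error string that reaches the log; the remainder of the switch (the PAM_AUTH_ERR handling and whatever prompt text is sent back) is outside the hunk, so it should be confirmed that neither the distinct code nor its strerror text can reach the client, since a client-visible difference between PAM_USER_UNKNOWN and PAM_PERM_DENIED would let valid usernames be distinguished from invalid ones. A comment on the new labels would make the intent explicit: `/* keep the real PAM code so the monitor can log it; all three still fail like PAM_ACCT_EXPIRED */`. The `ssh_msg_send(ctxt->pam_csock, sshpam_err, buffer)` change in the `sshpam_thread` hunk is what delivers the preserved code to these new cases.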


@ -26,7 +26,7 @@ index dca158de..afdcb1d2 100644
-int -int
+int __attribute__((visibility("default"))) +int __attribute__((visibility("default")))
sk_sign(uint32_t alg, const uint8_t *message, size_t message_len, sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,
const char *application, const uint8_t *key_handle, size_t key_handle_len, const char *application, const uint8_t *key_handle, size_t key_handle_len,
uint8_t flags, const char *pin, struct sk_option **options, uint8_t flags, const char *pin, struct sk_option **options,
@@ -518,7 +518,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len, @@ -518,7 +518,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,


@ -0,0 +1,30 @@
diff --git a/channels.c b/channels.c
--- a/channels.c
+++ b/channels.c
@@ -3933,16 +3933,26 @@ x11_create_display_inet(int x11_display_
if (ai->ai_family == AF_INET6)
sock_set_v6only(sock);
if (x11_use_localhost)
set_reuseaddr(sock);
if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
debug2_f("bind port %d: %.100s", port,
strerror(errno));
close(sock);
+
+ /* do not remove successfully opened
+ * sockets if the request failed because
+ * the protocol IPv4/6 is not available
+ * (e.g. IPv6 may be disabled while being
+ * supported)
+ */
+ if (EADDRNOTAVAIL == errno)
+ continue;
+
for (n = 0; n < num_socks; n++)
close(socks[n]);
num_socks = 0;
break;
}
socks[num_socks++] = sock;
if (num_socks == NUM_SOCKS)
break;
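Review bot: The new `if (EADDRNOTAVAIL == errno)` test reads errno after `debug2_f(...)` and `close(sock)` have already run, and either can overwrite it (the logging path performs I/O, and close() sets errno on failure), so an IPv6-not-available failure can be misclassified and every socket bound so far torn down, or, less likely, an unrelated bind failure skipped. Capture the value immediately after bind() fails: `int oerrno = errno;` as the first statement of the `if (bind(...) == -1)` block, pass `strerror(oerrno)` to the existing debug2_f call, and test `if (oerrno == EADDRNOTAVAIL)`. The added comment would also read more precisely as `/* EADDRNOTAVAIL: this address family is unusable on this host (e.g. IPv6 disabled); keep the sockets already bound and try the next address */`. x11_create_display_inet starts and ends outside the hunk.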



@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=t8DJ
-----END PGP SIGNATURE-----


@ -0,0 +1,46 @@
diff -up openssh-8.7p1/pathnames.h.kill-scp openssh-8.7p1/pathnames.h
--- openssh-8.7p1/pathnames.h.kill-scp 2021-09-16 11:37:57.240171687 +0200
+++ openssh-8.7p1/pathnames.h 2021-09-16 11:42:29.183427917 +0200
@@ -42,6 +42,7 @@
#define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key"
#define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
#define _PATH_DH_MODULI SSHDIR "/moduli"
+#define _PATH_SCP_KILL_SWITCH SSHDIR "/disable_scp"
#ifndef _PATH_SSH_PROGRAM
#define _PATH_SSH_PROGRAM "/usr/bin/ssh"
diff -up openssh-8.7p1/scp.1.kill-scp openssh-8.7p1/scp.1
--- openssh-8.7p1/scp.1.kill-scp 2021-09-16 12:09:02.646714578 +0200
+++ openssh-8.7p1/scp.1 2021-09-16 12:26:49.978628226 +0200
@@ -278,6 +278,13 @@ to print debugging messages about their
This is helpful in
debugging connection, authentication, and configuration problems.
.El
+.Pp
+Usage of SCP protocol can be blocked by creating a world-readable
+.Ar /etc/ssh/disable_scp
+file. If this file exists, when SCP protocol is in use (either remotely or
+via the
+.Fl O
+option), the program will exit.
.Sh EXIT STATUS
.Ex -std scp
.Sh SEE ALSO
diff -up openssh-8.7p1/scp.c.kill-scp openssh-8.7p1/scp.c
--- openssh-8.7p1/scp.c.kill-scp 2021-09-16 11:42:56.013650519 +0200
+++ openssh-8.7p1/scp.c 2021-09-16 11:53:03.249713836 +0200
@@ -596,6 +596,14 @@ main(int argc, char **argv)
if (iamremote)
mode = MODE_SCP;
+ if (mode == MODE_SCP) {
+ FILE *f = fopen(_PATH_SCP_KILL_SWITCH, "r");
+ if (f != NULL) {
+ fclose(f);
+ fatal("SCP protocol is forbidden via %s", _PATH_SCP_KILL_SWITCH);
+ }
+ }
+
if ((pwd = getpwuid(userid = getuid())) == NULL)
fatal("unknown user %u", (u_int) userid);
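Review bot: The kill switch added to `main()` probes the file with `fopen(_PATH_SCP_KILL_SWITCH, "r")`, so it fails open: if the file exists but cannot be opened for reading (wrong mode or owner, a mandatory-access-control denial, a transient EMFILE) scp silently continues with the legacy protocol, which is why the scp.1 text has to insist on "world-readable". An existence test does not depend on read permission and preserves the administrator's intent when permissions are wrong: `struct stat st;` and `if (stat(_PATH_SCP_KILL_SWITCH, &st) == 0)` in place of the fopen/fclose pair. The man page also hard-codes `/etc/ssh/disable_scp` while the code uses `SSHDIR "/disable_scp"`, so the documented path is only right for the default configuration directory; wording it as "the disable_scp file in the sshd configuration directory (/etc/ssh by default)" keeps the two in step. main() continues outside the hunk.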


@ -0,0 +1,129 @@
diff --git a/scp.1 b/scp.1
index 68aac04b..a96e95ad 100644
--- a/scp.1
+++ b/scp.1
@@ -8,9 +8,9 @@
.\"
.\" Created: Sun May 7 00:14:37 1995 ylo
.\"
-.\" $OpenBSD: scp.1,v 1.100 2021/08/11 14:07:54 naddy Exp $
+.\" $OpenBSD: scp.1,v 1.101 2021/09/08 23:31:39 djm Exp $
.\"
-.Dd $Mdocdate: August 11 2021 $
+.Dd $Mdocdate: September 8 2021 $
.Dt SCP 1
.Os
.Sh NAME
@@ -18,7 +18,7 @@
.Nd OpenSSH secure file copy
.Sh SYNOPSIS
.Nm scp
-.Op Fl 346ABCOpqRrsTv
+.Op Fl 346ABCOpqRrTv
.Op Fl c Ar cipher
.Op Fl D Ar sftp_server_path
.Op Fl F Ar ssh_config
@@ -37,9 +37,6 @@ It uses
.Xr ssh 1
for data transfer, and uses the same authentication and provides the
same security as a login session.
-The scp protocol requires execution of the remote user's shell to perform
-.Xr glob 3
-pattern matching.
.Pp
.Nm
will ask for passwords or passphrases if they are needed for
@@ -79,7 +76,9 @@ The options are as follows:
Copies between two remote hosts are transferred through the local host.
Without this option the data is copied directly between the two remote
hosts.
-Note that, when using the legacy SCP protocol (the default), this option
+Note that, when using the legacy SCP protocol (via the
+.Fl O
+flag), this option
selects batch mode for the second host as
.Nm
cannot ask for passwords or passphrases for both hosts.
@@ -146,9 +145,10 @@ Limits the used bandwidth, specified in Kbit/s.
.It Fl O
Use the legacy SCP protocol for file transfers instead of the SFTP protocol.
Forcing the use of the SCP protocol may be necessary for servers that do
-not implement SFTP or for backwards-compatibility for particular filename
-wildcard patterns.
-This mode is the default.
+not implement SFTP, for backwards-compatibility for particular filename
+wildcard patterns and for expanding paths with a
+.Sq ~
+prefix for older SFTP servers.
.It Fl o Ar ssh_option
Can be used to pass options to
.Nm ssh
@@ -258,16 +258,6 @@ to use for the encrypted connection.
The program must understand
.Xr ssh 1
options.
-.It Fl s
-Use the SFTP protocol for file transfers instead of the legacy SCP protocol.
-Using SFTP avoids invoking a shell on the remote side and provides
-more predictable filename handling, as the SCP protocol
-relied on the remote shell for expanding
-.Xr glob 3
-wildcards.
-.Pp
-A near-future release of OpenSSH will make the SFTP protocol the default.
-This option will be deleted before the end of 2022.
.It Fl T
Disable strict filename checking.
By default when copying files from a remote host to a local directory
@@ -299,11 +289,23 @@ debugging connection, authentication, and configuration problems.
.Xr ssh_config 5 ,
.Xr sftp-server 8 ,
.Xr sshd 8
+.Sh CAVEATS
+The original scp protocol (selected by the
+.Fl O
+flag) requires execution of the remote user's shell to perform
+.Xr glob 3
+pattern matching.
+This requires careful quoting of any characters that have special meaning to
+the remote shell, such as quote characters.
.Sh HISTORY
.Nm
is based on the rcp program in
.Bx
source code from the Regents of the University of California.
+.Pp
+Since OpenSSH 8.8 (8.7 in Red Hat/Fedora builds),
+.Nm
+has use the SFTP protocol for transfers by default.
.Sh AUTHORS
.An Timo Rinne Aq Mt tri@iki.fi
.An Tatu Ylonen Aq Mt ylo@cs.hut.fi
diff --git a/scp.c b/scp.c
index e039350c..c7cf7529 100644
--- a/scp.c
+++ b/scp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.239 2021/09/20 06:53:56 djm Exp $ */
+/* $OpenBSD: scp.c,v 1.233 2021/09/08 23:31:39 djm Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
@@ -448,7 +448,7 @@ main(int argc, char **argv)
const char *errstr;
extern char *optarg;
extern int optind;
- enum scp_mode_e mode = MODE_SCP;
+ enum scp_mode_e mode = MODE_SFTP;
char *sftp_direct = NULL;
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
@@ -1983,7 +1983,7 @@ void
usage(void)
{
(void) fprintf(stderr,
- "usage: scp [-346ABCOpqRrsTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n"
+ "usage: scp [-346ABCOpqRrTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n"
" [-i identity_file] [-J destination] [-l limit]\n"
" [-o ssh_option] [-P port] [-S program] source ... target\n");
exit(1);
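Review bot: The scp.c header hunk replaces `$OpenBSD: scp.c,v 1.239 2021/09/20` with the older `v 1.233 2021/09/08`, so after the patch the file claims to be an earlier revision than the one it was generated from; since this backport targets a newer scp.c than the upstream commit it mirrors, the RCS id line is best left out of the patch. In the scp.1 hunk, `has use the SFTP protocol` should read `has used the SFTP protocol`, and the "(8.7 in Red Hat/Fedora builds)" parenthetical is carried over from the Fedora patch and should either describe this build or be dropped. The SYNOPSIS and usage() drop `-s`, but the getopt string and its `case 's'` are outside the hunk, so whether the flag is still accepted for compatibility or is now an error cannot be seen here and deserves a sentence in the commit message. The same commit removes `add-strict-scp-check-for-CVE-2020-15778.patch` from the spec; defaulting to SFTP presumably stands in for that check, but `-O` still selects the legacy protocol, so the remote-shell quoting caveat added under CAVEATS is the only remaining mitigation on that path.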

BIN
openssh-8.8p1.tar.gz Normal file


16
openssh-8.8p1.tar.gz.asc Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmFQfp8ACgkQKj9BTnNg
YLq2SQ/8C3iOHTkyqX82FYt0SKkybebe9b2iBPr91HQOUmx+U3I+vgrSWArXabWJ
uSu0b685RQKlcr7UjEtPk6g0cm45NoJFjju9ljvnOFfZw73V3a5qX15Lx4xRnkRx
v1LJn6Yh12PKLWL4/A1qPQnfAObVwq/BF0BR01FfXLAOt5+lFwYvg79HpE+69b0r
KtcIEpsyTEn2lSKSWD7q4lpe6Z/iR+XzBKfnB6JJXhKyHiDV63hlAJk9Pt3mIvS6
tnE9/7GDawvi+Tsl018kw3wsf6aHVSQ+O+vzcDgfy0vDJVGjD6Ec9it9FvikXJh6
3pSTBYuUJdt+CAQYvmEui73v4nrkfouHXsxqgzEDZaTwIZC4wPrvNYxUaIyirWlc
l4/YSnxSxSiYbvPa5eYRBvXvoWbnQXjPOkuhjETxz/KTcHirQpWE9eldi0jHcKUa
FVu9YqMPAjIUd1Jj4vC5bgH7v5cLeEMm/AetMvKsJs+rhY9NZaKpiqOqU2m6Geb+
sQSXHNTeA8uOlrHim4SmYHtmfglVbH5lIroiUqtRzjbOhMhqUb+yN9+aAxe0bwmN
VcFMSThlbmYokb9bkQryY2I/FfXb997vxgF6v15Z8d9e8HH2zc2Irj1HYXG4Bf3o
WCiSvd8+Tr/FxS2Gn8qj/vgSPWXT0d0Hy4zHW9JeT/jn3RtIYhU=
=EnoG
-----END PGP SIGNATURE-----


@ -6,10 +6,10 @@
%{?no_gtk2:%global gtk2 0} %{?no_gtk2:%global gtk2 0}
%global sshd_uid 74 %global sshd_uid 74
%global openssh_release 15 %global openssh_release 1
Name: openssh Name: openssh
Version: 8.2p1 Version: 8.8p1
Release: %{openssh_release} Release: %{openssh_release}
URL: http://www.openssh.com/portable.html URL: http://www.openssh.com/portable.html
License: BSD License: BSD
@ -18,7 +18,7 @@ Summary: An open source implementation of SSH protocol version 2
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
Source2: sshd.pam Source2: sshd.pam
Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.3.tar.bz2 Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.4.tar.gz
Source5: pam_ssh_agent-rmheaders Source5: pam_ssh_agent-rmheaders
Source6: ssh-keycat.pam Source6: ssh-keycat.pam
Source7: sshd.sysconfig Source7: sshd.sysconfig
@ -27,8 +27,8 @@ Source10: sshd.socket
Source11: sshd.service Source11: sshd.service
Source12: sshd-keygen@.service Source12: sshd-keygen@.service
Source13: sshd-keygen Source13: sshd-keygen
Source14: sshd.tmpfiles
Source15: sshd-keygen.target Source15: sshd-keygen.target
Source16: ssh-agent.service
Patch0: openssh-6.7p1-coverity.patch Patch0: openssh-6.7p1-coverity.patch
Patch1: openssh-7.6p1-audit.patch Patch1: openssh-7.6p1-audit.patch
Patch2: openssh-7.1p2-audit-race-condition.patch Patch2: openssh-7.1p2-audit-race-condition.patch
@ -40,7 +40,6 @@ Patch7: pam_ssh_agent_auth-0.10.2-compat.patch
Patch8: pam_ssh_agent_auth-0.10.2-dereference.patch Patch8: pam_ssh_agent_auth-0.10.2-dereference.patch
Patch9: openssh-7.8p1-role-mls.patch Patch9: openssh-7.8p1-role-mls.patch
Patch10: openssh-6.6p1-privsep-selinux.patch Patch10: openssh-6.6p1-privsep-selinux.patch
Patch11: openssh-6.7p1-ldap.patch
Patch12: openssh-6.6p1-keycat.patch Patch12: openssh-6.6p1-keycat.patch
Patch13: openssh-6.6p1-allow-ip-opts.patch Patch13: openssh-6.6p1-allow-ip-opts.patch
Patch14: openssh-6.6p1-keyperm.patch Patch14: openssh-6.6p1-keyperm.patch
@ -53,8 +52,6 @@ Patch20: openssh-4.3p2-askpass-grab-info.patch
Patch21: openssh-7.7p1.patch Patch21: openssh-7.7p1.patch
Patch22: openssh-7.8p1-UsePAM-warning.patch Patch22: openssh-7.8p1-UsePAM-warning.patch
Patch23: openssh-6.3p1-ctr-evp-fast.patch Patch23: openssh-6.3p1-ctr-evp-fast.patch
Patch24: openssh-6.6p1-ctr-cavstest.patch
Patch25: openssh-6.7p1-kdf-cavs.patch
Patch26: openssh-8.0p1-gssapi-keyex.patch Patch26: openssh-8.0p1-gssapi-keyex.patch
Patch27: openssh-6.6p1-force_krb.patch Patch27: openssh-6.6p1-force_krb.patch
Patch28: openssh-6.6p1-GSSAPIEnablek5users.patch Patch28: openssh-6.6p1-GSSAPIEnablek5users.patch
@ -74,36 +71,28 @@ Patch41: openssh-7.6p1-cleanup-selinux.patch
Patch42: openssh-7.5p1-sandbox.patch Patch42: openssh-7.5p1-sandbox.patch
Patch43: openssh-8.0p1-pkcs11-uri.patch Patch43: openssh-8.0p1-pkcs11-uri.patch
Patch44: openssh-7.8p1-scp-ipv6.patch Patch44: openssh-7.8p1-scp-ipv6.patch
Patch45: openssh-7.9p1-ssh-copy-id.patch
Patch46: openssh-8.0p1-crypto-policies.patch Patch46: openssh-8.0p1-crypto-policies.patch
Patch47: openssh-8.0p1-openssl-evp.patch Patch47: openssh-8.0p1-openssl-evp.patch
Patch48: openssh-8.0p1-openssl-kdf.patch Patch48: openssh-8.0p1-openssl-kdf.patch
Patch49: openssh-8.2p1-visibility.patch Patch49: openssh-8.2p1-visibility.patch
Patch50: bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch Patch50: openssh-8.2p1-x11-without-ipv6.patch
Patch51: bugfix-openssh-6.6p1-log-usepam-no.patch Patch51: openssh-8.0p1-keygen-strip-doseol.patch
Patch52: bugfix-openssh-add-option-check-username-splash.patch Patch52: openssh-8.0p1-preserve-pam-errors.patch
Patch53: feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch Patch53: openssh-8.7p1-scp-kill-switch.patch
Patch54: bugfix-openssh-fix-sftpserver.patch
Patch55: bugfix-debug3-to-verbose-in-command.patch Patch54: bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch
Patch56: set-sshd-config.patch Patch55: bugfix-openssh-6.6p1-log-usepam-no.patch
Patch57: CVE-2020-12062-1.patch Patch56: bugfix-openssh-add-option-check-username-splash.patch
Patch58: CVE-2020-12062-2.patch Patch57: feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch
Patch59: upstream-expose-vasnmprintf.patch Patch58: bugfix-openssh-fix-sftpserver.patch
Patch60: CVE-2018-15919.patch Patch59: set-sshd-config.patch
Patch61: CVE-2020-14145.patch
Patch62: add-strict-scp-check-for-CVE-2020-15778.patch
Patch63: backport-move-closefrom-to-before-first-malloc.patch
Patch64: backport-upstream-Remove-debug-message-from-sigchld-handler.patch
Patch65: backport-upstream-Refactor-private-key-parsing.-Eliminates-a-.patch
Patch66: backport-CVE-2021-41617-1.patch
Patch67: backport-CVE-2021-41617-2.patch
Requires: /sbin/nologin Requires: /sbin/nologin
Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
Requires: openssh-server = %{version}-%{release} Requires: openssh-server = %{version}-%{release}
BuildRequires: gtk2-devel libX11-devel openldap-devel autoconf automake perl-interpreter perl-generators BuildRequires: gtk2-devel libX11-devel openldap-devel autoconf automake perl-interpreter perl-generators
BuildRequires: zlib-devel audit-libs-devel >= 2.0.5 util-linux groff pam-devel fipscheck-devel >= 1.3.0 BuildRequires: zlib-devel audit-libs-devel >= 2.0.5 util-linux groff pam-devel
BuildRequires: openssl-devel >= 0.9.8j perl-podlators systemd-devel gcc p11-kit-devel krb5-devel BuildRequires: openssl-devel >= 0.9.8j perl-podlators systemd-devel gcc p11-kit-devel krb5-devel
BuildRequires: libedit-devel ncurses-devel libselinux-devel >= 2.3-5 audit-libs >= 1.0.8 xauth gnupg2 BuildRequires: libedit-devel ncurses-devel libselinux-devel >= 2.3-5 audit-libs >= 1.0.8 xauth gnupg2
@ -112,7 +101,6 @@ Recommends: p11-kit
%package clients %package clients
Summary: An open source SSH client applications Summary: An open source SSH client applications
Requires: openssh = %{version}-%{release} Requires: openssh = %{version}-%{release}
Requires: fipscheck-lib%{_isa} >= 1.3.0
Requires: crypto-policies >= 20180306-1 Requires: crypto-policies >= 20180306-1
%package server %package server
@ -120,14 +108,9 @@ Summary: An open source SSH server daemon
Requires: openssh = %{version}-%{release} Requires: openssh = %{version}-%{release}
Requires(pre): shadow Requires(pre): shadow
Requires: pam >= 1.0.1-3 Requires: pam >= 1.0.1-3
Requires: fipscheck-lib%{_isa} >= 1.3.0
Requires: crypto-policies >= 20180306-1 Requires: crypto-policies >= 20180306-1
%{?systemd_requires} %{?systemd_requires}
%package ldap
Summary: A LDAP support for open source SSH server daemon
Requires: openssh = %{version}-%{release}
%package keycat %package keycat
Summary: A mls keycat backend for openssh Summary: A mls keycat backend for openssh
Requires: openssh = %{version}-%{release} Requires: openssh = %{version}-%{release}
@ -135,17 +118,11 @@ Requires: openssh = %{version}-%{release}
%package askpass %package askpass
Summary: A passphrase dialog for OpenSSH and X Summary: A passphrase dialog for OpenSSH and X
Requires: openssh = %{version}-%{release} Requires: openssh = %{version}-%{release}
Obsoletes: openssh-askpass-gnome
Provides: openssh-askpass-gnome
%package cavs
Summary: CAVS tests for FIPS validation
Requires: openssh = %{version}-%{release}
%package -n pam_ssh_agent_auth %package -n pam_ssh_agent_auth
Summary: PAM module for authentication with ssh-agent Summary: PAM module for authentication with ssh-agent
Version: 0.10.3 Version: 0.10.4
Release: 9.%{openssh_release} Release: 4.%{openssh_release}
License: BSD License: BSD
%description %description
@ -165,10 +142,6 @@ into and executing commands on a remote machine. This package contains
the secure shell daemon (sshd). The sshd daemon allows SSH clients to the secure shell daemon (sshd). The sshd daemon allows SSH clients to
securely connect to your SSH server. securely connect to your SSH server.
%description ldap
OpenSSH LDAP backend is a way how to distribute the authorized tokens
among the servers in the network.
%description keycat %description keycat
OpenSSH mls keycat is backend for using the authorized keys in the OpenSSH mls keycat is backend for using the authorized keys in the
openssh in the mls mode. openssh in the mls mode.
@ -178,10 +151,6 @@ OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains into and executing commands on a remote machine. This package contains
an X11 passphrase dialog for OpenSSH. an X11 passphrase dialog for OpenSSH.
%description cavs
This package contains test binaries and scripts to make FIPS validation
easier. Now contains CTR and KDF CAVS test driver.
%description -n pam_ssh_agent_auth %description -n pam_ssh_agent_auth
Provides PAM module for the use of authentication with ssh-agent. Through the use of the\ Provides PAM module for the use of authentication with ssh-agent. Through the use of the\
forwarding of ssh-agent connection it also allows to authenticate with remote ssh-agent \ forwarding of ssh-agent connection it also allows to authenticate with remote ssh-agent \
@ -192,7 +161,7 @@ instance. The module is most useful for su and sudo service stacks.
%prep %prep
%setup -q -a 4 %setup -q -a 4
pushd pam_ssh_agent_auth-0.10.3 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
%patch3 -p2 -b .psaa-build %patch3 -p2 -b .psaa-build
%patch4 -p2 -b .psaa-seteuid %patch4 -p2 -b .psaa-seteuid
%patch5 -p2 -b .psaa-visibility %patch5 -p2 -b .psaa-visibility
@ -205,7 +174,6 @@ popd
%patch9 -p1 -b .role-mls %patch9 -p1 -b .role-mls
%patch10 -p1 -b .privsep-selinux %patch10 -p1 -b .privsep-selinux
%patch11 -p1 -b .ldap
%patch12 -p1 -b .keycat %patch12 -p1 -b .keycat
%patch13 -p1 -b .ip-opts %patch13 -p1 -b .ip-opts
%patch14 -p1 -b .keyperm %patch14 -p1 -b .keyperm
@ -217,8 +185,6 @@ popd
%patch21 -p1 %patch21 -p1
%patch22 -p1 -b .log-usepam-no %patch22 -p1 -b .log-usepam-no
%patch23 -p1 -b .evp-ctr %patch23 -p1 -b .evp-ctr
%patch24 -p1 -b .ctr-cavs
%patch25 -p1 -b .kdf-cavs
%patch26 -p1 -b .gsskex %patch26 -p1 -b .gsskex
%patch27 -p1 -b .force_krb %patch27 -p1 -b .force_krb
%patch29 -p1 -b .ccache_name %patch29 -p1 -b .ccache_name
@ -238,37 +204,28 @@ popd
%patch42 -p1 -b .sandbox %patch42 -p1 -b .sandbox
%patch43 -p1 -b .pkcs11-uri %patch43 -p1 -b .pkcs11-uri
%patch44 -p1 -b .scp-ipv6 %patch44 -p1 -b .scp-ipv6
%patch45 -p1 -b .ssh-copy-id
%patch46 -p1 -b .crypto-policies %patch46 -p1 -b .crypto-policies
%patch47 -p1 -b .openssl-evp %patch47 -p1 -b .openssl-evp
%patch48 -p1 -b .openssl-kdf %patch48 -p1 -b .openssl-kdf
%patch49 -p1 -b .visibility %patch49 -p1 -b .visibility
%patch50 -p1 -b .x11-ipv6
%patch51 -p1 -b .keygen-strip-doseol
%patch52 -p1 -b .preserve-pam-errors
%patch53 -p1 -b .kill-scp
%patch1 -p1 -b .audit %patch1 -p1 -b .audit
%patch2 -p1 -b .audit-race %patch2 -p1 -b .audit-race
%patch18 -p1 -b .fips %patch18 -p1 -b .fips
%patch0 -p1 -b .coverity %patch0 -p1 -b .coverity
%patch50 -p1
%patch51 -p1
%patch52 -p1
%patch53 -p1
%patch54 -p1 %patch54 -p1
%patch55 -p1 %patch55 -p1
%patch56 -p1 %patch56 -p1
%patch57 -p1 %patch57 -p1
%patch58 -p1 %patch58 -p1
%patch59 -p1 %patch59 -p1
%patch60 -p1
%patch61 -p1
%patch62 -p1
%patch63 -p1
%patch64 -p1
%patch65 -p1
%patch66 -p1
%patch67 -p1
autoreconf autoreconf
pushd pam_ssh_agent_auth-0.10.3 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
autoreconf autoreconf
popd popd
@ -308,7 +265,7 @@ fi
--with-privsep-path=%{_var}/empty/sshd --disable-strip \ --with-privsep-path=%{_var}/empty/sshd --disable-strip \
--without-zlib-version-check --with-ssl-engine --with-ipaddr-display \ --without-zlib-version-check --with-ssl-engine --with-ipaddr-display \
--with-pie=no --without-hardening --with-systemd --with-default-pkcs11-provider=yes \ --with-pie=no --without-hardening --with-systemd --with-default-pkcs11-provider=yes \
--with-ldap --with-pam --with-selinux --with-audit=linux \ --with-pam --with-selinux --with-audit=linux --with-security-key-buildin=yes \
%ifnarch riscv64 %ifnarch riscv64
--with-sandbox=seccomp_filter \ --with-sandbox=seccomp_filter \
%endif %endif
@ -329,18 +286,13 @@ else
fi fi
popd popd
pushd pam_ssh_agent_auth-0.10.3 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
LDFLAGS="$SAVE_LDFLAGS" LDFLAGS="$SAVE_LDFLAGS"
%configure --with-selinux --libexecdir=/%{_libdir}/security --with-mantype=man \ %configure --with-selinux --libexecdir=/%{_libdir}/security --with-mantype=man \
--without-openssl-header-check --without-openssl-header-check
make make
popd popd
%global __spec_install_post \
%%{?__debug_package:%%{__debug_install_post}} %%{__arch_install_post} %%{__os_install_post} \
fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/ssh $RPM_BUILD_ROOT%{_sbindir}/sshd \
%{nil}
%check %check
#to run tests use "--with check" #to run tests use "--with check"
%if %{?_with_check:1}%{!?_with_check:0} %if %{?_with_check:1}%{!?_with_check:0}
@ -355,12 +307,9 @@ mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
%make_install %make_install
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ldap.conf
install -d $RPM_BUILD_ROOT/etc/pam.d/ install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/sysconfig/ install -d $RPM_BUILD_ROOT/etc/sysconfig/
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
install -d $RPM_BUILD_ROOT%{_libdir}/fipscheck
install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
@ -371,10 +320,11 @@ install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service
install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
install -d -m755 $RPM_BUILD_ROOT/%{_userunitdir}
install -m644 %{SOURCE16} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service
install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
@ -384,7 +334,7 @@ install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/* perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
pushd pam_ssh_agent_auth-0.10.3 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
make install DESTDIR=$RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT
popd popd
@ -417,7 +367,6 @@ getent passwd sshd >/dev/null || \
%files clients %files clients
%attr(0755,root,root) %{_bindir}/ssh %attr(0755,root,root) %{_bindir}/ssh
%attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac
%attr(0755,root,root) %{_bindir}/scp %attr(0755,root,root) %{_bindir}/scp
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/05-redhat.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/05-redhat.conf
@ -428,11 +377,11 @@ getent passwd sshd >/dev/null || \
%attr(0755,root,root) %{_bindir}/ssh-copy-id %attr(0755,root,root) %{_bindir}/ssh-copy-id
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper %attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-sk-helper %attr(0755,root,root) %{_libexecdir}/openssh/ssh-sk-helper
%attr(0755,root,root) %{_userunitdir}/ssh-agent.service
%files server %files server
%dir %attr(0711,root,root) %{_var}/empty/sshd %dir %attr(0711,root,root) %{_var}/empty/sshd
%attr(0755,root,root) %{_sbindir}/sshd %attr(0755,root,root) %{_sbindir}/sshd
%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen %attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
@ -443,11 +392,6 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_unitdir}/sshd.socket %attr(0644,root,root) %{_unitdir}/sshd.socket
%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service %attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
%attr(0644,root,root) %{_unitdir}/sshd-keygen.target %attr(0644,root,root) %{_unitdir}/sshd-keygen.target
%attr(0644,root,root) %{_tmpfilesdir}/openssh.conf
%files ldap
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-helper
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-wrapper
%files keycat %files keycat
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat %attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat
@ -458,18 +402,13 @@ getent passwd sshd >/dev/null || \
%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass %attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass %attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
%files cavs
%attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs_driver.pl
%files -n pam_ssh_agent_auth %files -n pam_ssh_agent_auth
%license pam_ssh_agent_auth-0.10.3/OPENSSH_LICENSE %license pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/OPENSSH_LICENSE
%attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so %attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so
%files help %files help
%doc ChangeLog OVERVIEW PROTOCOL* README README.privsep README.tun README.dns TODO openssh-lpk-openldap.schema %doc ChangeLog OVERVIEW PROTOCOL* README README.privsep README.tun README.dns TODO
%doc openssh-lpk-sun.schema ldap.conf openssh-lpk-openldap.ldif openssh-lpk-sun.ldif HOWTO.ssh-keycat HOWTO.ldap-keys %doc HOWTO.ssh-keycat
%attr(0644,root,root) %{_mandir}/man1/scp.1* %attr(0644,root,root) %{_mandir}/man1/scp.1*
%attr(0644,root,root) %{_mandir}/man1/ssh*.1* %attr(0644,root,root) %{_mandir}/man1/ssh*.1*
%attr(0644,root,root) %{_mandir}/man1/sftp.1* %attr(0644,root,root) %{_mandir}/man1/sftp.1*
@ -480,6 +419,12 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%changelog %changelog
* Thu Oct 28 2021 kircher<kircherlike@outlook.com> - 8.8P1-1
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:update to openssh-8.8p1
* Fri Oct 8 2021 renmingshuai<renmingshuai@hauwei.com> - 8.2P1-15 * Fri Oct 8 2021 renmingshuai<renmingshuai@hauwei.com> - 8.2P1-15
- Type:cves - Type:cves
- CVE:CVE-2021-41617 - CVE:CVE-2021-41617


@ -1,4 +0,0 @@
version_control: git
src_repo: https://anongit.mindrot.org/openssh.git
tag_prefix: V.
seperator: _


@ -9,7 +9,6 @@ buffer.c
cleanup.c cleanup.c
cipher.h cipher.h
compat.h compat.h
defines.h
entropy.c entropy.c
entropy.h entropy.h
fatal.c fatal.c


@ -1,6 +1,6 @@
diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c
--- openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c 2020-02-07 10:43:05.011757956 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c 2020-09-23 10:52:16.424001475 +0200
@@ -27,6 +27,7 @@ @@ -27,6 +27,7 @@
* or implied, of Jamie Beverly. * or implied, of Jamie Beverly.
*/ */
@ -9,7 +9,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openss
#include <stdio.h> #include <stdio.h>
#include <errno.h> #include <errno.h>
#include <string.h> #include <string.h>
@@ -65,8 +66,8 @@ proc_pid_cmdline(char *** inargv) @@ -66,8 +67,8 @@ proc_pid_cmdline(char *** inargv)
case EOF: case EOF:
case '\0': case '\0':
if (len > 0) { if (len > 0) {
@ -20,7 +20,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openss
strncpy(argv[count++], argbuf, len); strncpy(argv[count++], argbuf, len);
memset(argbuf, '\0', MAX_LEN_PER_CMDLINE_ARG + 1); memset(argbuf, '\0', MAX_LEN_PER_CMDLINE_ARG + 1);
len = 0; len = 0;
@@ -105,9 +106,9 @@ pamsshagentauth_free_command_line(char * @@ -106,9 +107,9 @@ pamsshagentauth_free_command_line(char *
{ {
size_t i; size_t i;
for (i = 0; i < n_args; i++) for (i = 0; i < n_args; i++)
@ -32,9 +32,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openss
return; return;
} }
diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/identity.h diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h
--- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h.psaa-compat 2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/identity.h 2020-02-07 10:43:05.011757956 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h 2020-09-23 10:52:16.424001475 +0200
@@ -30,8 +30,8 @@ @@ -30,8 +30,8 @@
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
#include "xmalloc.h" #include "xmalloc.h"
@ -55,9 +55,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat openssh/pam_ss
char *filename; /* comment for agent-only keys */ char *filename; /* comment for agent-only keys */
int tried; int tried;
int isprivate; /* key points to the private key */ int isprivate; /* key points to the private key */
diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c
--- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat 2020-02-07 10:43:05.009757925 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c.psaa-compat 2020-09-23 10:52:16.421001434 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2020-02-07 10:43:05.012757972 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c 2020-09-23 10:52:16.424001475 +0200
@@ -36,8 +36,8 @@ @@ -36,8 +36,8 @@
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
#include "xmalloc.h" #include "xmalloc.h"
@ -285,10 +285,10 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat
EVP_cleanup(); EVP_cleanup();
return retval; return retval;
} }
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c
--- openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat 2020-02-07 10:43:05.010757940 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c.psaa-compat 2020-09-23 10:52:16.423001461 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c 2020-02-07 10:43:05.012757972 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c 2020-09-23 10:53:10.631727657 +0200
@@ -104,7 +104,7 @@ pam_sm_authenticate(pam_handle_t * pamh, @@ -106,7 +106,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
* a patch 8-) * a patch 8-)
*/ */
#if ! HAVE___PROGNAME || HAVE_BUNDLE #if ! HAVE___PROGNAME || HAVE_BUNDLE
@ -297,7 +297,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
#endif #endif
for(i = argc, argv_ptr = (char **) argv; i > 0; ++argv_ptr, i--) { for(i = argc, argv_ptr = (char **) argv; i > 0; ++argv_ptr, i--) {
@@ -130,11 +130,11 @@ pam_sm_authenticate(pam_handle_t * pamh, @@ -132,11 +132,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
#endif #endif
} }
@ -311,7 +311,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
if(ruser_ptr) { if(ruser_ptr) {
strncpy(ruser, ruser_ptr, sizeof(ruser) - 1); strncpy(ruser, ruser_ptr, sizeof(ruser) - 1);
@@ -149,12 +149,12 @@ pam_sm_authenticate(pam_handle_t * pamh, @@ -151,12 +151,12 @@ pam_sm_authenticate(pam_handle_t * pamh,
#ifdef ENABLE_SUDO_HACK #ifdef ENABLE_SUDO_HACK
if( (strlen(sudo_service_name) > 0) && strncasecmp(servicename, sudo_service_name, sizeof(sudo_service_name) - 1) == 0 && getenv("SUDO_USER") ) { if( (strlen(sudo_service_name) > 0) && strncasecmp(servicename, sudo_service_name, sizeof(sudo_service_name) - 1) == 0 && getenv("SUDO_USER") ) {
strncpy(ruser, getenv("SUDO_USER"), sizeof(ruser) - 1 ); strncpy(ruser, getenv("SUDO_USER"), sizeof(ruser) - 1 );
@ -326,7 +326,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
goto cleanexit; goto cleanexit;
} }
strncpy(ruser, getpwuid(getuid())->pw_name, sizeof(ruser) - 1); strncpy(ruser, getpwuid(getuid())->pw_name, sizeof(ruser) - 1);
@@ -163,11 +163,11 @@ pam_sm_authenticate(pam_handle_t * pamh, @@ -165,11 +165,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
/* Might as well explicitely confirm the user exists here */ /* Might as well explicitely confirm the user exists here */
if(! getpwnam(ruser) ) { if(! getpwnam(ruser) ) {
@ -340,7 +340,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
goto cleanexit; goto cleanexit;
} }
@@ -177,8 +177,8 @@ pam_sm_authenticate(pam_handle_t * pamh, @@ -179,8 +179,8 @@ pam_sm_authenticate(pam_handle_t * pamh,
*/ */
parse_authorized_key_file(user, authorized_keys_file_input); parse_authorized_key_file(user, authorized_keys_file_input);
} else { } else {
@ -351,7 +351,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
} }
/* /*
@@ -187,19 +187,19 @@ pam_sm_authenticate(pam_handle_t * pamh, @@ -189,7 +189,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
*/ */
if(user && strlen(ruser) > 0) { if(user && strlen(ruser) > 0) {
@ -359,11 +359,26 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
+ verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file); + verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
/* /*
* Attempt to read data from the sshd if we're being called as an auth agent.
@@ -197,10 +197,10 @@ pam_sm_authenticate(pam_handle_t * pamh,
const char* ssh_user_auth = pam_getenv(pamh, "SSH_AUTH_INFO_0");
int sshd_service = strncasecmp(servicename, sshd_service_name, sizeof(sshd_service_name) - 1);
if (sshd_service == 0 && ssh_user_auth != NULL) {
- pamsshagentauth_verbose("Got SSH_AUTH_INFO_0: `%.20s...'", ssh_user_auth);
+ verbose("Got SSH_AUTH_INFO_0: `%.20s...'", ssh_user_auth);
if (userauth_pubkey_from_pam(ruser, ssh_user_auth) > 0) {
retval = PAM_SUCCESS;
- pamsshagentauth_logit("Authenticated (sshd): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
+ logit("Authenticated (sshd): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
goto cleanexit;
}
}
@@ -208,13 +208,13 @@ pam_sm_authenticate(pam_handle_t * pamh,
* this pw_uid is used to validate the SSH_AUTH_SOCK, and so must be the uid of the ruser invoking the program, not the target-user * this pw_uid is used to validate the SSH_AUTH_SOCK, and so must be the uid of the ruser invoking the program, not the target-user
*/ */
if(pamsshagentauth_find_authorized_keys(user, ruser, servicename)) { /* getpwnam(ruser)->pw_uid)) { */ if(pamsshagentauth_find_authorized_keys(user, ruser, servicename)) { /* getpwnam(ruser)->pw_uid)) { */
- pamsshagentauth_logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file); - pamsshagentauth_logit("Authenticated (agent): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
+ logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file); + logit("Authenticated (agent): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
retval = PAM_SUCCESS; retval = PAM_SUCCESS;
} else { } else {
- pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file); - pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
@ -375,9 +390,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
} }
cleanexit: cleanexit:
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c 2020-02-07 10:43:05.012757972 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c 2020-09-23 10:52:16.424001475 +0200
@@ -66,8 +66,8 @@ @@ -66,8 +66,8 @@
#include "xmalloc.h" #include "xmalloc.h"
#include "match.h" #include "match.h"
@ -442,9 +457,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compa
{ {
return return
pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid), pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid),
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h.psaa-compat 2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h 2020-02-07 10:43:05.012757972 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h 2020-09-23 10:52:16.424001475 +0200
@@ -32,7 +32,7 @@ @@ -32,7 +32,7 @@
#define _PAM_USER_KEY_ALLOWED_H #define _PAM_USER_KEY_ALLOWED_H
@ -454,9 +469,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compa
void parse_authorized_key_file(const char *, const char *); void parse_authorized_key_file(const char *, const char *);
#endif #endif
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c 2020-02-07 10:43:05.012757972 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c 2020-09-23 10:52:16.424001475 +0200
@@ -45,44 +45,46 @@ @@ -45,44 +45,46 @@
#include "xmalloc.h" #include "xmalloc.h"
#include "ssh.h" #include "ssh.h"
@ -731,9 +746,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat o
+ restore_uid(); + restore_uid();
return found_key; return found_key;
} }
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h.psaa-compat 2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h 2020-02-07 10:43:05.012757972 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h 2020-09-23 10:52:16.424001475 +0200
@@ -32,7 +32,7 @@ @@ -32,7 +32,7 @@
#define _PAM_USER_KEY_ALLOWED_H #define _PAM_USER_KEY_ALLOWED_H
@ -744,9 +759,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat o
+int pamsshagentauth_user_key_command_allowed2(char *, char *, struct passwd *, struct sshkey *); +int pamsshagentauth_user_key_command_allowed2(char *, char *, struct passwd *, struct sshkey *);
#endif #endif
diff -up openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c
--- openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c 2020-02-07 10:43:05.012757972 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c 2020-09-23 10:52:16.424001475 +0200
@@ -53,8 +53,8 @@ @@ -53,8 +53,8 @@
#include "xmalloc.h" #include "xmalloc.h"
#include "match.h" #include "match.h"
@ -788,9 +803,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh
buf); buf);
break; break;
} }
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2020-02-07 10:43:23.520048960 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c 2020-09-23 10:52:16.424001475 +0200
@@ -37,10 +37,11 @@ @@ -37,10 +37,11 @@
#include "xmalloc.h" #include "xmalloc.h"
#include "ssh.h" #include "ssh.h"
@ -887,9 +902,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat
CRYPTO_cleanup_all_ex_data(); CRYPTO_cleanup_all_ex_data();
return authenticated; return authenticated;
} }
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h.psaa-compat 2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h 2020-02-07 10:43:05.013757988 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h 2020-09-23 10:52:16.424001475 +0200
@@ -31,7 +31,7 @@ @@ -31,7 +31,7 @@
#ifndef _USERAUTH_PUBKEY_FROM_ID_H #ifndef _USERAUTH_PUBKEY_FROM_ID_H
#define _USERAUTH_PUBKEY_FROM_ID_H #define _USERAUTH_PUBKEY_FROM_ID_H
@ -900,9 +915,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat
+int userauth_pubkey_from_id(const char *, Identity *, struct sshbuf *); +int userauth_pubkey_from_id(const char *, Identity *, struct sshbuf *);
#endif #endif
diff -up openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/uuencode.c diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c
--- openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/uuencode.c 2020-02-07 10:43:05.013757988 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c 2020-09-23 10:52:16.424001475 +0200
@@ -56,7 +56,7 @@ pamsshagentauth_uudecode(const char *src @@ -56,7 +56,7 @@ pamsshagentauth_uudecode(const char *src
/* and remove trailing whitespace because __b64_pton needs this */ /* and remove trailing whitespace because __b64_pton needs this */
*p = '\0'; *p = '\0';
@ -928,3 +943,50 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat openssh/pam_ss
- pamsshagentauth_xfree(buf); - pamsshagentauth_xfree(buf);
+ free(buf); + free(buf);
} }
--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_pam.c.compat 2020-09-23 11:32:30.783695267 +0200
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_pam.c 2020-09-23 11:33:21.383389036 +0200
@@ -33,7 +33,8 @@
#include <string.h>
#include "defines.h"
-#include "key.h"
+#include <includes.h>
+#include "sshkey.h"
#include "log.h"
#include "pam_user_authorized_keys.h"
@@ -42,28 +42,28 @@
int authenticated = 0;
const char method[] = "publickey ";
- char* ai = pamsshagentauth_xstrdup(ssh_auth_info);
+ char* ai = xstrdup(ssh_auth_info);
char* saveptr;
char* auth_line = strtok_r(ai, "\n", &saveptr);
while (auth_line != NULL) {
if (strncmp(auth_line, method, sizeof(method) - 1) == 0) {
char* key_str = auth_line + sizeof(method) - 1;
- Key* key = pamsshagentauth_key_new(KEY_UNSPEC);
+ struct sshkey* key = sshkey_new(KEY_UNSPEC);
if (key == NULL) {
continue;
}
- int r = pamsshagentauth_key_read(key, &key_str);
+ int r = sshkey_read(key, &key_str);
if (r == 1) {
if (pam_user_key_allowed(ruser, key)) {
authenticated = 1;
- pamsshagentauth_key_free(key);
+ sshkey_free(key);
break;
}
} else {
- pamsshagentauth_verbose("Failed to create key for %s: %d", auth_line, r);
+ verbose("Failed to create key for %s: %d", auth_line, r);
}
- pamsshagentauth_key_free(key);
+ sshkey_free(key);
}
auth_line = strtok_r(NULL, "\n", &saveptr);
}
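Review bot: The success test after the renamed read call looks wrong: the added line `+ int r = sshkey_read(key, &key_str);` is still followed by the untouched context line `if (r == 1) {`, but sshkey_read() in OpenSSH 8.x returns 0 on success and a negative SSH_ERR_* code on failure, whereas the old pamsshagentauth_key_read() it replaces returned 1 on success. If that convention holds here, the SSH_AUTH_INFO_0 path can never set `authenticated`, so every key sshd passes in is rejected and the module silently falls through to the agent path — fail-closed, but the feature this hunk wires in is dead; the line should read `if (r == 0) {`. Separately, the `if (key == NULL) { continue; }` branch re-enters the loop with the same `auth_line` without calling strtok_r again, so an allocation failure becomes a busy loop; `break` is the safer choice. Both lines are upstream context inside the newly added hunk, so they may belong in a follow-up patch rather than in this compat patch.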




@ -174,8 +174,8 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh-
ED25519OBJS=ed25519-donna/ed25519.o ED25519OBJS=ed25519-donna/ed25519.o
-PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o -PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o userauth_pubkey_from_pam.o
+PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o secure_filename.o +PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o userauth_pubkey_from_pam.o secure_filename.o
MANPAGES_IN = pam_ssh_agent_auth.pod MANPAGES_IN = pam_ssh_agent_auth.pod


@ -1,17 +1,26 @@
From 8f2d1c4f30dd88e36ed4c9b5771c92c878378125 Mon Sep 17 00:00:00 2001 From ca0b2bcd17a2c0e1682b8125960ac81e08d0f6dd Mon Sep 17 00:00:00 2001
From: kircher <majun65@huawei.com> From: kircher <kircherlike@outlook.com>
Date: Thu, 16 Apr 2020 19:25:27 +0800 Date: Wed, 27 Oct 2021 16:51:41 +0800
Subject: [PATCH] sshd_config Subject: [PATCH] set
--- ---
sshd_config | 28 ++++++++++++++++++---------- sshd_config | 32 +++++++++++++++++++-------------
1 file changed, 18 insertions(+), 10 deletions(-) 1 file changed, 19 insertions(+), 13 deletions(-)
diff --git a/sshd_config b/sshd_config diff --git a/sshd_config b/sshd_config
index b121450..e8e6299 100644 index 42ecf9b..67739b2 100644
--- a/sshd_config --- a/sshd_config
+++ b/sshd_config +++ b/sshd_config
@@ -19,21 +19,22 @@ @@ -12,7 +12,7 @@
# To modify the system-wide sshd configuration, create a *.conf file under
# /etc/ssh/sshd_config.d/ which will be automatically included below
-Include /etc/ssh/sshd_config.d/*.conf
+#Include /etc/ssh/sshd_config.d/*.conf
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
@@ -23,21 +23,22 @@ Include /etc/ssh/sshd_config.d/*.conf
#ListenAddress 0.0.0.0 #ListenAddress 0.0.0.0
#ListenAddress :: #ListenAddress ::
@ -38,19 +47,21 @@ index b121450..e8e6299 100644
#StrictModes yes #StrictModes yes
#MaxAuthTries 6 #MaxAuthTries 6
#MaxSessions 10 #MaxSessions 10
@@ -60,9 +61,11 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -62,11 +63,11 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes -#PasswordAuthentication yes
#PermitEmptyPasswords no
+PasswordAuthentication yes +PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords # Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes -#KbdInteractiveAuthentication yes
+ChallengeResponseAuthentication no +KbdInteractiveAuthentication no
# Kerberos options # Kerberos options
#KerberosAuthentication no #KerberosAuthentication no
@@ -72,8 +75,8 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -76,8 +77,8 @@ AuthorizedKeysFile .ssh/authorized_keys
#KerberosUseKuserok yes #KerberosUseKuserok yes
# GSSAPI options # GSSAPI options
@ -61,8 +72,8 @@ index b121450..e8e6299 100644
#GSSAPIStrictAcceptorCheck yes #GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no #GSSAPIKeyExchange no
#GSSAPIEnablek5users no #GSSAPIEnablek5users no
@@ -89,16 +92,16 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -93,16 +94,16 @@ AuthorizedKeysFile .ssh/authorized_keys
# and ChallengeResponseAuthentication to 'no'. # and KbdInteractiveAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in openEuler and may cause several # WARNING: 'UsePAM no' is not supported in openEuler and may cause several
# problems. # problems.
-#UsePAM no -#UsePAM no
@ -81,7 +92,7 @@ index b121450..e8e6299 100644
#PrintLastLog yes #PrintLastLog yes
#TCPKeepAlive yes #TCPKeepAlive yes
#PermitUserEnvironment no #PermitUserEnvironment no
@@ -115,6 +118,11 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -119,8 +120,13 @@ AuthorizedKeysFile .ssh/authorized_keys
# no default banner path # no default banner path
#Banner none #Banner none
@ -91,14 +102,11 @@ index b121450..e8e6299 100644
+AcceptEnv XMODIFIERS +AcceptEnv XMODIFIERS
+ +
# override default of no subsystems # override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server -Subsystem sftp /usr/libexec/sftp-server
+Subsystem sftp /usr/libexec/openssh/sftp-server
@@ -129,4 +137,4 @@ Subsystem sftp /usr/libexec/sftp-server # Example of overriding settings on a per-user basis
#Match User anoncvs
# To modify the system-wide ssh configuration, create a *.conf file under
# /etc/ssh/sshd_config.d/ which will be automatically included below
-Include /etc/ssh/sshd_config.d/*.conf
+#Include /etc/ssh/sshd_config.d/*.conf
-- --
2.19.1 1.8.3.1
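Review bot: Commenting out both `Include /etc/ssh/sshd_config.d/*.conf` lines leaves the comment right above the first one ("create a *.conf file under /etc/ssh/sshd_config.d/ which will be automatically included below") promising something the shipped config no longer does, so an administrator who drops `PasswordAuthentication no` into that directory to harden a host is silently ignored while the explicit `PasswordAuthentication yes` added here stays in effect. Either keep the Include (at the top, so drop-ins win under sshd's first-value-wins rule) or change the comment to match, e.g. `# Drop-in files under /etc/ssh/sshd_config.d/ are NOT read unless the Include line below is uncommented`. The `Subsystem sftp /usr/libexec/openssh/sftp-server` change matches the %{_libexecdir}/openssh location the spec installs, so that part looks consistent.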

ssh-agent.service Normal file

@ -0,0 +1,14 @@
# Requires SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"
# set in environment, handled for example in plasma via
# /etc/xdg/plasma-workspace/env/ssh-agent.sh
[Unit]
ConditionEnvironment=!SSH_AGENT_PID
Description=OpenSSH key agent
Documentation=man:ssh-agent(1) man:ssh-add(1) man:ssh(1)
[Service]
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK
PassEnvironment=SSH_AGENT_PID
SuccessExitStatus=2
Type=forking
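Review bot: The agent is started with no identity lifetime on the `ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK` line, so every key added with ssh-add stays usable until the user session ends; for a distribution default consider `ExecStart=/usr/bin/ssh-agent -t 8h -a $SSH_AUTH_SOCK`, or at least a comment recording that the unbounded lifetime is intentional. ssh-agent presumably fails to bind when `%t/ssh-agent.socket` is left over from an unclean logout, so an `ExecStartPre=-/bin/rm -f %t/ssh-agent.socket` line (or `RuntimeDirectory=`) would avoid a unit that cannot restart. No `[Install]` section is visible here, so unless it was trimmed from this rendering the unit cannot be enabled with `systemctl --user enable ssh-agent.service`.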


@ -31,8 +31,8 @@ fi
# sanitize permissions # sanitize permissions
/usr/bin/chgrp ssh_keys $KEY /usr/bin/chgrp ssh_keys $KEY
/usr/bin/chmod 400 $KEY /usr/bin/chmod 640 $KEY
/usr/bin/chmod 400 $KEY.pub /usr/bin/chmod 644 $KEY.pub
if [[ -x /usr/sbin/restorecon ]]; then if [[ -x /usr/sbin/restorecon ]]; then
/usr/sbin/restorecon $KEY{,.pub} /usr/sbin/restorecon $KEY{,.pub}
fi fi
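Review bot: Reading the left column as the old text, the host private key mode is relaxed from 0400 to 0640 with group ssh_keys on the `/usr/bin/chmod 640 $KEY` line, which lets any member of ssh_keys read the server's host private key. That is only acceptable if ssh_keys has no ordinary members and exists solely for the setgid ssh-keysign helper used by host-based authentication, and the script should say so: `# 0640/ssh_keys: needed only by setgid ssh-keysign; no user account may be a member of ssh_keys`. The chgrp result is unchecked, so when the group is missing the key ends up root:root 0640 without any error; `/usr/bin/chgrp ssh_keys "$KEY" || exit 1` before the chmod, and quoting `"$KEY"` throughout, would make the intent explicit. The enclosing script starts before this hunk.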


@ -6,10 +6,8 @@ Wants=sshd-keygen.target
[Service] [Service]
Type=notify Type=notify
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
EnvironmentFile=-/etc/sysconfig/sshd-permitrootlogin
EnvironmentFile=-/etc/sysconfig/sshd EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY $PERMITROOTLOGIN ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID ExecReload=/bin/kill -HUP $MAINPID
KillMode=process KillMode=process
Restart=on-failure Restart=on-failure
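Review bot: Dropping `$CRYPTO_POLICY` from `ExecStart=/usr/sbin/sshd -D $OPTIONS` together with the `/etc/crypto-policies/back-ends/opensshserver.config` EnvironmentFile means sshd no longer receives the system-wide crypto policy on its command line; unless the shipped sshd_config (or a file it Includes) now pulls that back-end file in, the daemon silently falls back to the compiled-in algorithm defaults, which are broader than most policies, and the sshd_config patch earlier on this page appears to comment out the `Include /etc/ssh/sshd_config.d/*.conf` drop-in route as well. Likewise `/etc/sysconfig/sshd-permitrootlogin` is no longer read, so an administrator's `PERMITROOTLOGIN` override stops applying after the upgrade without any warning. Both behaviour changes deserve a release-note entry, and the unit could carry a comment such as `# crypto policy is applied through sshd_config, not $CRYPTO_POLICY` once that path is confirmed. The hunk shows one line fewer than its `-6,10 +6,8` header announces, so this rendering may be incomplete.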


@ -5,7 +5,3 @@
# example using systemctl enable sshd-keygen@dsa.service to allow creation # example using systemctl enable sshd-keygen@dsa.service to allow creation
# of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key # of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key
# creation. # creation.
# System-wide crypto policy:
# To opt-out, uncomment the following line
# CRYPTO_POLICY=


@ -1 +0,0 @@
d /var/empty/sshd 711 root root -


@ -5,8 +5,6 @@ Wants=sshd-keygen.target
After=sshd-keygen.target After=sshd-keygen.target
[Service] [Service]
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
EnvironmentFile=-/etc/sysconfig/sshd-permitrootlogin
EnvironmentFile=-/etc/sysconfig/sshd EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=-/usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY $PERMITROOTLOGIN ExecStart=-/usr/sbin/sshd -i $OPTIONS
StandardInput=socket StandardInput=socket


@ -1,59 +0,0 @@
From 31909696c4620c431dd55f6cd15db65c4e9b98da Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 1 May 2020 06:28:52 +0000
Subject: [PATCH] upstream: expose vasnmprintf(); ok (as part of other commit)
markus
deraadt
OpenBSD-Commit-ID: 2e80cea441c599631a870fd40307d2ade5a7f9b5
---
utf8.c | 5 ++---
utf8.h | 3 ++-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/utf8.c b/utf8.c
index f83401996..7f63b25ae 100644
--- a/utf8.c
+++ b/utf8.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: utf8.c,v 1.8 2018/08/21 13:56:27 schwarze Exp $ */
+/* $OpenBSD: utf8.c,v 1.11 2020/05/01 06:28:52 djm Exp $ */
/*
* Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
*
@@ -43,7 +43,6 @@
static int dangerous_locale(void);
static int grow_dst(char **, size_t *, size_t, char **, size_t);
-static int vasnmprintf(char **, size_t, int *, const char *, va_list);
/*
@@ -101,7 +100,7 @@ grow_dst(char **dst, size_t *sz, size_t maxsz, char **dp, size_t need)
* written is returned in *wp.
*/
-static int
+int
vasnmprintf(char **str, size_t maxsz, int *wp, const char *fmt, va_list ap)
{
char *src; /* Source string returned from vasprintf. */
diff --git a/utf8.h b/utf8.h
index 20a11dc59..9d6d9a32c 100644
--- a/utf8.h
+++ b/utf8.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: utf8.h,v 1.1 2016/05/25 23:48:45 schwarze Exp $ */
+/* $OpenBSD: utf8.h,v 1.3 2020/05/01 06:28:52 djm Exp $ */
/*
* Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
*
@@ -15,6 +15,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+int vasnmprintf(char **, size_t, int *, const char *, va_list);
int mprintf(const char *, ...)
__attribute__((format(printf, 1, 2)));
int fmprintf(FILE *, const char *, ...)