From 13073f8d9ccec27646453f729aaa2952ae86ad01 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Fri, 19 Feb 2016 14:42:33 +0100 Subject: [PATCH] openssh-7.2p1-1 (#1312870) --- .gitignore | 1 + openssh-6.6.1p1-log-in-chroot.patch | 15 +- openssh-6.6.1p1-selinux-contexts.patch | 2 +- openssh-6.6p1-GSSAPIEnablek5users.patch | 2 +- openssh-6.6p1-ctr-cavstest.patch | 4 +- openssh-6.6p1-keycat.patch | 4 +- openssh-6.6p1-kuserok.patch | 4 +- openssh-6.6p1-privsep-selinux.patch | 26 +- openssh-6.6p1-role-mls.patch | 2 +- openssh-6.6p1-set_remote_ipaddr.patch | 2 +- openssh-6.7p1-coverity.patch | 4 +- openssh-6.7p1-fips.patch | 16 +- openssh-6.7p1-kdf-cavs.patch | 8 +- openssh-6.7p1-ldap.patch | 16 +- openssh-7.0p1-gssKexAlgorithms.patch | 4 +- openssh-7.0p1-show-more-fingerprints.patch | 21 +- openssh-7.1p1-hostkeyalgorithms.patch | 46 -- openssh-7.1p1-ssh-copy-id.patch | 532 ------------------ openssh-7.1p2-audit-race-condition.patch | 2 +- openssh-7.1p2-fallback-x11-untrusted.patch | 387 ------------- ...1-audit.patch => openssh-7.2p1-audit.patch | 380 ++++++------- ...gsskex.patch => openssh-7.2p1-gsskex.patch | 353 ++++++------ openssh.spec | 28 +- ...ssh_agent_auth-0.9.3-agent_structure.patch | 13 + sources | 2 +- 25 files changed, 430 insertions(+), 1444 deletions(-) delete mode 100644 openssh-7.1p1-hostkeyalgorithms.patch delete mode 100644 openssh-7.1p1-ssh-copy-id.patch delete mode 100644 openssh-7.1p2-fallback-x11-untrusted.patch rename openssh-6.7p1-audit.patch => openssh-7.2p1-audit.patch (84%) rename openssh-6.6p1-gsskex.patch => openssh-7.2p1-gsskex.patch (88%) diff --git a/.gitignore b/.gitignore index 9ad2894..6dd51a0 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2 /openssh-7.1p1.tar.gz /openssh-7.1p2.tar.gz /pam_ssh_agent_auth-0.10.2.tar.bz2 +/openssh-7.2p1.tar.gz diff --git a/openssh-6.6.1p1-log-in-chroot.patch b/openssh-6.6.1p1-log-in-chroot.patch index 7590812..5889005 100644 
--- a/openssh-6.6.1p1-log-in-chroot.patch +++ b/openssh-6.6.1p1-log-in-chroot.patch @@ -117,15 +117,14 @@ diff -up openssh-6.8p1/monitor.h.log-in-chroot openssh-6.8p1/monitor.h diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c --- openssh-6.8p1/session.c.log-in-chroot 2015-03-18 12:59:29.675022359 +0100 +++ openssh-6.8p1/session.c 2015-03-18 12:59:29.696022308 +0100 -@@ -161,6 +161,8 @@ login_cap_t *lc; +@@ -161,6 +161,7 @@ login_cap_t *lc; static int is_child = 0; - + static int in_chroot = 0; +static int have_dev_log = 1; -+ + /* Name and directory of socket for authentication agent forwarding. */ static char *auth_sock_name = NULL; - static char *auth_sock_dir = NULL; @@ -506,8 +508,8 @@ do_exec_no_pty(Session *s, const char *c is_child = 1; @@ -150,8 +149,8 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c @@ -780,6 +782,7 @@ do_exec(Session *s, const char *command) int ret; - const char *forced = NULL; - char session_type[1024], *tty = NULL; + const char *forced = NULL, *tty = NULL; + char session_type[1024]; + struct stat dev_log_stat; if (options.adm_forced_command) { @@ -164,7 +163,7 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c + have_dev_log = 0; + } + - verbose("Starting session: %s%s%s for %s from %.200s port %d", + verbose("Starting session: %s%s%s for %s from %.200s port %d id %d", session_type, tty == NULL ? "" : " on ", @@ -1678,14 +1685,6 @@ child_close_fds(void) @@ -233,8 +232,8 @@ diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c fd_set *rset, *wset; int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0; @@ -1515,7 +1515,7 @@ sftp_server_main(int argc, char **argv, - extern char *__progname; + ssh_malloc_init(); /* must be called before any mallocs */ __progname = ssh_get_progname(argv[0]); - log_init(__progname, log_level, log_facility, log_stderr); + log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler); 
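Review bot: The rebased session.c hunk still introduces `static int have_dev_log = 1;` as file-scope mutable state that is cleared only inside do_exec() next to the new `struct stat dev_log_stat`, yet neither the declaration nor the assignment says what the flag means or which code reads it (the child_close_fds hunk around line 1678 that presumably consumes it is not shown here). Because the whole point of this patch is deciding where a chrooted session may log, the default of 1 ("assume /dev/log is usable") deserves a sentence at the declaration: `/* non-zero while /dev/log is believed usable from the session's root; cleared by do_exec() */`, with the exact condition (presumably a failed stat() into the chroot) confirmed against the lines this hunk omits. Note also that `in_chroot` is now upstream context rather than something this patch adds, so the patch's logic could key off it instead of a second flag if that is what the omitted lines do. The do_exec() body starts and ends outside the hunk.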
diff --git a/openssh-6.6.1p1-selinux-contexts.patch b/openssh-6.6.1p1-selinux-contexts.patch index 052843f..5a9233b 100644 --- a/openssh-6.6.1p1-selinux-contexts.patch +++ b/openssh-6.6.1p1-selinux-contexts.patch @@ -115,7 +115,7 @@ index 2871fe9..39b9c08 100644 + sshd_selinux_change_privsep_preauth_context(); #endif - /* Change our root directory */ + /* Demote the child */ diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c index 12c014e..c5ef2ff 100644 --- a/openbsd-compat/port-linux.c diff --git a/openssh-6.6p1-GSSAPIEnablek5users.patch b/openssh-6.6p1-GSSAPIEnablek5users.patch index ae0e5b2..16333c3 100644 --- a/openssh-6.6p1-GSSAPIEnablek5users.patch +++ b/openssh-6.6p1-GSSAPIEnablek5users.patch @@ -106,9 +106,9 @@ diff -up openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users openssh-7.0p1/sshd_conf --- openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users 2015-08-12 11:27:44.023407950 +0200 +++ openssh-7.0p1/sshd_config.5 2015-08-12 11:27:44.048407911 +0200 @@ -633,6 +633,12 @@ on logout. + on logout. The default is .Dq yes . - Note that this option applies to protocol version 2 only. +.It Cm GSSAPIEnablek5users +Specifies whether to look at .k5users file for GSSAPI authentication +access control. Further details are described in diff --git a/openssh-6.6p1-ctr-cavstest.patch b/openssh-6.6p1-ctr-cavstest.patch index db9f47b..591ae6c 100644 --- a/openssh-6.6p1-ctr-cavstest.patch +++ b/openssh-6.6p1-ctr-cavstest.patch @@ -25,8 +25,8 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in +ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o + $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) + - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o - $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o + $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) 
@@ -326,6 +330,7 @@ install-files: $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ diff --git a/openssh-6.6p1-keycat.patch b/openssh-6.6p1-keycat.patch index 6018554..8d86014 100644 --- a/openssh-6.6p1-keycat.patch +++ b/openssh-6.6p1-keycat.patch @@ -59,8 +59,8 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in +ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o + $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS) + - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o - $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o + $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) @@ -321,6 +325,7 @@ install-files: $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ diff --git a/openssh-6.6p1-kuserok.patch b/openssh-6.6p1-kuserok.patch index 0e6215d..ebb0196 100644 --- a/openssh-6.6p1-kuserok.patch +++ b/openssh-6.6p1-kuserok.patch @@ -190,8 +190,8 @@ diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c + if (options->use_kuserok == -1) + options->use_kuserok = 1; - if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 || - kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 || + assemble_algorithms(options); + @@ -404,7 +407,7 @@ typedef enum { sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, sRhostsRSAAuthentication, sRSAAuthentication, diff --git a/openssh-6.6p1-privsep-selinux.patch b/openssh-6.6p1-privsep-selinux.patch index d7817e5..3433fd6 100644 --- a/openssh-6.6p1-privsep-selinux.patch +++ b/openssh-6.6p1-privsep-selinux.patch @@ -47,15 +47,6 @@ diff --git a/session.c b/session.c index 2bcf818..b5dc144 100644 --- a/session.c 
+++ b/session.c -@@ -1532,7 +1532,7 @@ void - do_setusercontext(struct passwd *pw) - { - char *chroot_path, *tmp; --#ifdef USE_LIBIAF -+#if defined(USE_LIBIAF) || defined(WITH_SELINUX) - int doing_chroot = 0; - #endif - @@ -1538,6 +1538,9 @@ do_setusercontext(struct passwd *pw) pw->pw_uid); chroot_path = percent_expand(tmp, "h", pw->pw_dir, @@ -66,22 +57,13 @@ index 2bcf818..b5dc144 100644 safely_chroot(chroot_path, pw->pw_uid); free(tmp); free(chroot_path); -@@ -1557,7 +1557,7 @@ do_setusercontext(struct passwd *pw) - /* Make sure we don't attempt to chroot again */ - free(options.chroot_directory); - options.chroot_directory = NULL; --#ifdef USE_LIBIAF -+#if defined(USE_LIBIAF) || defined(WITH_SELINUX) - doing_chroot = 1; - #endif - } @@ -1565,6 +1568,11 @@ do_setusercontext(struct passwd *pw) /* Permanently switch to the desired uid. */ permanently_set_uid(pw); #endif + +#ifdef WITH_SELINUX -+ if (doing_chroot == 0) ++ if (in_chroot == 0) + sshd_selinux_copy_context(); +#endif } else if (options.chroot_directory != NULL && @@ -119,9 +101,9 @@ index 07f9926..a97f8b7 100644 + ssh_selinux_change_context("sshd_net_t"); +#endif + - /* Change our root directory */ - if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) - fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, + /* Demote the child */ + if (getuid() == 0 || geteuid() == 0) { + /* Change our root directory */ @@ -755,6 +755,9 @@ privsep_postauth(Authctxt *authctxt) #ifdef DISABLE_FD_PASSING diff --git a/openssh-6.6p1-role-mls.patch b/openssh-6.6p1-role-mls.patch index 0c9d422..5ec22c4 100644 --- a/openssh-6.6p1-role-mls.patch +++ b/openssh-6.6p1-role-mls.patch @@ -355,7 +355,7 @@ diff -up openssh-6.8p1/monitor_wrap.h.role-mls openssh-6.8p1/monitor_wrap.h +++ openssh-6.8p1/monitor_wrap.h 2015-03-18 11:10:32.343936171 +0100 
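Review bot: The SELinux context copy in do_setusercontext() is now gated on upstream's `in_chroot` instead of the patch's own `doing_chroot`, but nothing in the hunk sets `in_chroot`, and the removed `doing_chroot = 1` hunk shows the patch no longer maintains its own flag; the patch therefore silently depends on the upstream ChrootDirectory branch setting `in_chroot` before this point, which lies outside the hunk. Since skipping `sshd_selinux_copy_context()` for chrooted sessions is a security-relevant decision, I would state the dependency at the call site: `/* in_chroot is set upstream in the ChrootDirectory branch above; the user context is not copied for chrooted sessions */`. The same goes for the new placement of `ssh_selinux_change_context("sshd_net_t")` ahead of the `if (getuid() == 0 || geteuid() == 0)` demotion in privsep_preauth_child(): a one-line comment that the context switch is intentionally unconditional would stop the next rebase from moving it inside the root-only block. Both do_setusercontext() and privsep_preauth_child() start and end outside the hunk.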
@@ -42,6 +42,9 @@ int mm_is_monitor(void); DH *mm_choose_dh(int, int, int); - int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int); + int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int, const char *); void mm_inform_authserv(char *, char *); +#ifdef WITH_SELINUX +void mm_inform_authrole(char *); diff --git a/openssh-6.6p1-set_remote_ipaddr.patch b/openssh-6.6p1-set_remote_ipaddr.patch index 14ff48c..f601e3d 100644 --- a/openssh-6.6p1-set_remote_ipaddr.patch +++ b/openssh-6.6p1-set_remote_ipaddr.patch @@ -59,9 +59,9 @@ diff -up openssh-6.8p1/sshconnect.c.set_remote_ipaddr openssh-6.8p1/sshconnect.c --- openssh-6.8p1/sshconnect.c.set_remote_ipaddr 2015-03-17 06:49:20.000000000 +0100 +++ openssh-6.8p1/sshconnect.c 2015-03-18 12:40:58.096788804 +0100 @@ -65,6 +65,7 @@ - #include "version.h" #include "authfile.h" #include "ssherr.h" + #include "authfd.h" +#include "canohost.h" char *client_version_string = NULL; diff --git a/openssh-6.7p1-coverity.patch b/openssh-6.7p1-coverity.patch index 4b8a26f..8834903 100644 --- a/openssh-6.7p1-coverity.patch +++ b/openssh-6.7p1-coverity.patch @@ -415,8 +415,8 @@ diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c --- openssh-6.8p1/sshd.c.coverity 2015-03-18 17:21:51.893264839 +0100 +++ openssh-6.8p1/sshd.c 2015-03-18 17:21:58.284251454 +0100 @@ -778,8 +778,10 @@ privsep_preauth(Authctxt *authctxt) - if (getuid() == 0 || geteuid() == 0) - privsep_preauth_child(); + + privsep_preauth_child(); setproctitle("%s", "[net]"); - if (box != NULL) + if (box != NULL) { diff --git a/openssh-6.7p1-fips.patch b/openssh-6.7p1-fips.patch index 62f9e26..4845a2a 100644 --- a/openssh-6.7p1-fips.patch +++ b/openssh-6.7p1-fips.patch @@ -92,7 +92,7 @@ diff -up openssh-7.0p1/dh.h.fips openssh-7.0p1/dh.h @@ -46,6 +46,7 @@ u_int dh_estimate(int); /* Min and max values from RFC4419. */ - #define DH_GRP_MIN 1024 + #define DH_GRP_MIN 2048 +#define DH_GRP_MIN_FIPS 2048 #define DH_GRP_MAX 8192 
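Review bot: In the dh.h hunk of the fips patch, the rebased context now reads `#define DH_GRP_MIN 2048`, so the added `#define DH_GRP_MIN_FIPS 2048` no longer provides a stricter floor than the non-FIPS build and the two values can drift apart on a future rebase without anyone noticing. I would either tie it to the base value, `#define DH_GRP_MIN_FIPS DH_GRP_MIN`, or keep the literal and add `/* FIPS floor; currently equal to DH_GRP_MIN, must stay >= 2048 even if DH_GRP_MIN is lowered again */`. Whether the FIPS code paths still compare against DH_GRP_MIN_FIPS elsewhere is not visible in this hunk.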
@@ -296,18 +296,18 @@ diff -up openssh-7.0p1/Makefile.in.fips openssh-7.0p1/Makefile.in - $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o -- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o +- $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) @@ -204,7 +204,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a - $(LD) -o $@ ssh-cavs.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o -- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o +- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) ++ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) diff --git a/openssh-6.7p1-kdf-cavs.patch b/openssh-6.7p1-kdf-cavs.patch index d219791..2f5874a 100644 
--- a/openssh-6.7p1-kdf-cavs.patch +++ b/openssh-6.7p1-kdf-cavs.patch @@ -22,11 +22,11 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) -+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o roaming_dummy.o -+ $(LD) -o $@ ssh-cavs.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o ++ $(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o - $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o + $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) @@ -331,6 +335,8 @@ install-files: fi diff --git a/openssh-6.7p1-ldap.patch b/openssh-6.7p1-ldap.patch index a555579..1c3cb3e 100644 --- a/openssh-6.7p1-ldap.patch +++ b/openssh-6.7p1-ldap.patch @@ -148,8 +148,8 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in LIBOPENSSH_OBJS=\ ssh_api.o \ @@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw - sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ - sandbox-seccomp-filter.o sandbox-capsicum.o + sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \ + sandbox-solaris.o -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 
@@ -165,8 +165,8 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o + $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o - $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o + $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) @@ -311,6 +317,10 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) @@ -187,9 +187,9 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in + $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \ + $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \ + fi - -rm -f $(DESTDIR)$(bindir)/slogin - ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 + + install-sysconf: + if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \ @@ -356,6 +370,13 @@ install-sysconf: else \ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ @@ -218,9 +218,9 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 regress-prep: + [ -d `pwd`/regress ] || mkdir -p `pwd`/regress diff -up openssh-6.8p1/configure.ac.ldap openssh-6.8p1/configure.ac --- openssh-6.8p1/configure.ac.ldap 2015-03-17 06:49:20.000000000 +0100 +++ openssh-6.8p1/configure.ac 2015-03-18 11:11:29.030801464 +0100 
diff --git a/openssh-7.0p1-gssKexAlgorithms.patch b/openssh-7.0p1-gssKexAlgorithms.patch index 6a469ff..6988f2f 100644 --- a/openssh-7.0p1-gssKexAlgorithms.patch +++ b/openssh-7.0p1-gssKexAlgorithms.patch @@ -95,9 +95,9 @@ diff -up openssh-7.0p1/kex.c.gsskexalg openssh-7.0p1/kex.c --- openssh-7.0p1/kex.c.gsskexalg 2015-08-19 12:28:38.078518839 +0200 +++ openssh-7.0p1/kex.c 2015-08-19 12:30:13.249306371 +0200 @@ -50,6 +50,7 @@ + #include "misc.h" #include "dispatch.h" #include "monitor.h" - #include "roaming.h" +#include "xmalloc.h" #include "ssherr.h" @@ -336,9 +336,9 @@ diff -up openssh-7.0p1/ssh_config.5.gsskexalg openssh-7.0p1/ssh_config.5 --- openssh-7.0p1/ssh_config.5.gsskexalg 2015-08-19 12:28:38.028518950 +0200 +++ openssh-7.0p1/ssh_config.5 2015-08-19 12:28:38.082518830 +0200 @@ -786,6 +786,18 @@ command line will be passed untouched to + command line will be passed untouched to the GSSAPI library. The default is .Dq no . - This option only applies to protocol version 2 connections using GSSAPI. +.It Cm GSSAPIKexAlgorithms +The list of key exchange algorithms that are offered for GSSAPI +key exchange. Possible values are diff --git a/openssh-7.0p1-show-more-fingerprints.patch b/openssh-7.0p1-show-more-fingerprints.patch index 52f9535..52c7d73 100644 --- a/openssh-7.0p1-show-more-fingerprints.patch +++ b/openssh-7.0p1-show-more-fingerprints.patch @@ -199,7 +199,7 @@ index f41960c..e12932f 100644 + options.fingerprint_hash[0], SSH_FP_RANDOMART); if (fp == NULL || ra == NULL) fatal("%s: sshkey_fingerprint fail", __func__); - logit("Host key fingerprint is %s\n%s\n", fp, ra); + logit("Host key fingerprint is %s\n%s", fp, ra); @@ -964,12 +964,6 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, else snprintf(msg1, sizeof(msg1), "."); @@ -295,14 +295,14 @@ index 7751031..82ed92e 100644 goto done; debug2("input_userauth_pk_ok: fp %s", fp); 
@@ -1009,7 +1009,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) - int have_sig = 1; + int matched, ret = -1, have_sig = 1; char *fp; - if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash, + if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) return 0; - debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp); + debug3("%s: %s %s", __func__, key_type(id->key), fp); @@ -1635,7 +1635,7 @@ userauth_hostbased(Authctxt *authctxt) goto out; } @@ -323,10 +323,23 @@ index 1dca3e2..23bff7d 100644 - if ((fp = sshkey_fingerprint(key, options.fingerprint_hash, + if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) - fatal("%s: sshkey_fingerprint failed", __func__); + fatal("%s: sshkey_fingerprint failed", __progname); fatal("no matching hostkey found for key %s %s", -- 2.1.0 +diff --git a/sshconnect.c b/sshconnect.c +index de7ace6..f16e606 100644 +--- a/sshconnect.c ++++ b/sshconnect.c +@@ -1262,7 +1262,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) + + if (sshkey_is_cert(host_key)) { + if ((cafp = sshkey_fingerprint(host_key->cert->signature_key, +- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) { ++ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) { + error("%s: fingerprint CA key: %s", + __func__, ssh_err(r)); + r = -1; diff --git a/openssh-7.1p1-hostkeyalgorithms.patch b/openssh-7.1p1-hostkeyalgorithms.patch deleted file mode 100644 index 4a22cdc..0000000 --- a/openssh-7.1p1-hostkeyalgorithms.patch +++ /dev/null 
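Review bot: The new sshconnect.c hunk computes the certificate CA-key fingerprint with `options.fingerprint_hash[0]`, i.e. only the first configured hash, even though this patch exists to show more than one fingerprint; if that is intentional because the CA line is a single verification message, a comment at the call would keep the next rebase from "fixing" it: `/* CA key: only the first configured fingerprint hash is shown here */`. Separately, the unchanged context `error("%s: fingerprint CA key: %s", __func__, ssh_err(r));` reports `r`, which sshkey_fingerprint() does not set, so the message carries whatever `r` held before (upstream code, not changed by this patch, but worth a follow-up). verify_host_key() starts and ends outside the hunk.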
@@ -1,46 +0,0 @@
-diff --git a/readconf.c b/readconf.c
-index 374e741..23d74fb 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -2229,6 +2229,10 @@ dump_client_config(Options *o, const char *host)
- int i;
- char vbuf[5];
- 
-+ /* This is normally prepared in ssh_kex2 */
-+ if (kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->hostkeyalgorithms) != 0)
-+ fatal("%s: kex_assemble_names failed", __func__);
-+
- /* Most interesting options first: user, host, port */
- dump_cfg_string(oUser, o->user);
- dump_cfg_string(oHostName, host);
-@@ -2289,7 +2293,7 @@ dump_client_config(Options *o, const char *host)
- dump_cfg_string(oBindAddress, o->bind_address);
- dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT);
- dump_cfg_string(oControlPath, o->control_path);
-- dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms ? o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
-+ dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms);
- dump_cfg_string(oHostKeyAlias, o->host_key_alias);
- dump_cfg_string(oHostbasedKeyTypes, o->hostbased_key_types);
- dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
-diff --git a/servconf.c b/servconf.c
-index 04404a4..08c8139 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -242,8 +242,6 @@ fill_default_server_options(ServerOptions *options)
- options->hostbased_authentication = 0;
- if (options->hostbased_uses_name_from_packet_only == -1)
- options->hostbased_uses_name_from_packet_only = 0;
-- if (options->hostkeyalgorithms == NULL)
-- options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
- if (options->rsa_authentication == -1)
- options->rsa_authentication = 1;
- if (options->pubkey_authentication == -1)
-@@ -329,6 +327,8 @@ fill_default_server_options(ServerOptions *options)
- kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
- kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 ||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
-+ &options->hostkeyalgorithms) != 0 ||
-+ 
kex_assemble_names(KEX_DEFAULT_PK_ALG,
- &options->hostbased_key_types) != 0 ||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
- &options->pubkey_key_types) != 0)
diff --git a/openssh-7.1p1-ssh-copy-id.patch b/openssh-7.1p1-ssh-copy-id.patch
deleted file mode 100644
index a4e6f7d..0000000
--- a/openssh-7.1p1-ssh-copy-id.patch
+++ /dev/null
@@ -1,532 +0,0 @@ -From 1a52b2d612b1d0c2a15dfcdc8da560704909ec72 Mon Sep 17 00:00:00 2001 -From: Philip Hands -Date: Sat, 27 Jul 2013 14:16:52 +0100 -Subject: [PATCH] echo --> printf "%s: ERROR... (for consistency) - ---- - ssh-copy-id | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id -index ae88e99..516b87f 100755 ---- $1/contrib/ssh-copy-id -+++ $1/contrib/ssh-copy-id -@@ -200,7 +200,7 @@ populate_new_ids() { - umask 0177 - local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX) - if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then -- echo "mktemp failed" 1>&2 -+ printf '%s: ERROR: mktemp failed\n' "$0" >&2 - exit 1 - fi - trap "rm -f $L_TMP_ID_FILE ${L_TMP_ID_FILE}.pub" EXIT TERM INT QUIT --- -1.9.1 - - - -From baebbb9e18e4a1af7554d939710eacb665a24b68 Mon Sep 17 00:00:00 2001 -From: Philip Hands -Date: Wed, 25 Nov 2015 17:05:39 +0100 -Subject: [PATCH] Deal with remote user shell being e.g. tcsh (fixes: 2206) - -as suggested by Jakub Jelen ---- - ssh-copy-id | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id -index 516b87f..6a0447a 100755 ---- $1/contrib/ssh-copy-id -+++ $1/contrib/ssh-copy-id -@@ -269,10 +269,8 @@ case "$REMOTE_VERSION" in - *) - # Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect - populate_new_ids 0 -- [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" " -- umask 077 ; -- mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; -- if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \ -+ [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \ -+ ssh "$@" "exec sh -c 'umask 077 ; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \ - || exit 1 - ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l) - ;; --- -1.9.1 - - - -From 
35f05e39cda8670b3f6797330a3e521fda509a4c Mon Sep 17 00:00:00 2001 -From: Philip Hands -Date: Wed, 25 Nov 2015 21:14:00 +0100 -Subject: [PATCH] set LogLevel to ensure that it's not set to 'None' (closes: - 2214) - -As pointed out by Sami Haahtinen , -the LogLevel is set to 'None' we'll not get the -Permission Denied we're looking for. ---- - ssh-copy-id | 1 + - 1 file changed, 1 insertion(+) - -diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id -index 6a0447a..70d3866 100755 ---- $1/contrib/ssh-copy-id -+++ $1/contrib/ssh-copy-id -@@ -215,6 +215,7 @@ populate_new_ids() { - # The point being that if file based, ssh needs the private key, which it cannot - # find if only given the contents of the .pub file in an unrelated tmpfile - ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \ -+ -o LogLevel=INFO \ - -o PreferredAuthentications=publickey \ - -o IdentitiesOnly=yes "$@" exit 2>$L_TMP_ID_FILE.stderr -Date: Wed, 25 Nov 2015 22:30:43 +0100 -Subject: [PATCH] set ControlPath=none (closes: 2488) -MIME-Version: 1.0 -Content-Type: text/plain; charset=utf8 -Content-Transfer-Encoding: 8bit - -Thanks to Salvador Fandiño for the patch -This seems to be the same problem as described in 2195 ---- - ssh-copy-id | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id -index 70d3866..7df7fad 100755 ---- $1/contrib/ssh-copy-id -+++ $1/contrib/ssh-copy-id -@@ -215,6 +215,7 @@ populate_new_ids() { - # The point being that if file based, ssh needs the private key, which it cannot - # find if only given the contents of the .pub file in an unrelated tmpfile - ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \ -+ -o ControlPath=none \ - -o LogLevel=INFO \ - -o PreferredAuthentications=publickey \ - -o IdentitiesOnly=yes "$@" exit 2>$L_TMP_ID_FILE.stderr &2 - } - --REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 | -+REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' -o ControlPath=none "$@" 2>&1 | - sed -ne 
's/.*remote software version //p') - - case "$REMOTE_VERSION" in --- -1.9.1 - - - -From 6fa6f1e3dbec32636e77d01228ceecfa3851c7e8 Mon Sep 17 00:00:00 2001 -From: Philip Hands -Date: Wed, 25 Nov 2015 23:24:13 +0100 -Subject: [PATCH] add -f (forced) option to install keys unconditionally - (closes: 2110) - -Thanks for the patch from Petr Lautrbach -which inspired this. ---- - ssh-copy-id | 15 +++++++++++++-- - ssh-copy-id.1 | 5 +++++ - 2 files changed, 18 insertions(+), 2 deletions(-) - -diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id -index 7df7fad..3121171 100755 ---- $1/contrib/ssh-copy-id -+++ $1/contrib/ssh-copy-id -@@ -59,7 +59,10 @@ fi - DEFAULT_PUB_ID_FILE=$(ls -t ${HOME}/.ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1) - - usage () { -- printf 'Usage: %s [-h|-?|-n] [-i [identity_file]] [-p port] [[-o ] ...] [user@]hostname\n' "$0" >&2 -+ printf 'Usage: %s [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o ] ...] [user@]hostname\n' "$0" >&2 -+ printf '\t-f: force mode -- copy keys without trying to check if they are already installed\n' >&2 -+ printf '\t-n: dry run -- no keys are actually copied\n' >&2 -+ printf '\t-h|-?: print this help\n' >&2 - exit 1 - } - -@@ -121,7 +124,7 @@ do - } - shift - ;; -- -n|-h|-\?) -+ -f|-n|-h|-\?) - OPT="$1" - OPTARG= - shift -@@ -154,6 +157,9 @@ do - -o|-p) - SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }$OPT '$(quote "$OPTARG")'" - ;; -+ -f) -+ FORCED=1 -+ ;; - -n) - DRY_RUN=1 - ;; -@@ -194,6 +200,11 @@ fi - populate_new_ids() { - local L_SUCCESS="$1" - -+ if [ "$FORCED" ] ; then -+ NEW_IDS=$(eval $GET_ID) -+ return -+ fi -+ - # repopulate "$@" inside this function - eval set -- "$SSH_OPTS" - -diff --git $1/contrib/ssh-copy-id.1 $1/contrib/ssh-copy-id.1 -index 67a59e4..8850cce 100644 ---- $1/contrib/ssh-copy-id.1 -+++ $1/contrib/ssh-copy-id.1 -@@ -29,6 +29,7 @@ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- .Nd use locally available keys to authorise logins on a remote machine - .Sh SYNOPSIS - .Nm -+.Op Fl f - .Op Fl n - .Op Fl i Op Ar identity_file - .Op Fl p Ar port -@@ -76,6 +77,10 @@ is used. - Note that this can be used to ensure that the keys copied have the - comment one prefers and/or extra options applied, by ensuring that the - key file has these set as preferred before the copy is attempted. -+.It Fl f -+Forced mode: doesn't check if the keys are present on the remote server. -+This means that it does not need the private key. Of course, this can result -+in more than one copy of the key being installed on the remote system. - .It Fl n - do a dry-run. Instead of installing keys on the remote system simply - prints the key(s) that would have been installed. --- -1.9.1 - - - -From ab185eea5a03cdd846c909d83e5dd0a07a44fb54 Mon Sep 17 00:00:00 2001 -From: Philip Hands -Date: Wed, 25 Nov 2015 23:47:06 +0100 -Subject: [PATCH] deal with #2331 by suggesting the use of the -f option - ---- - ssh-copy-id | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id -index 3121171..8666cea 100755 ---- $1/contrib/ssh-copy-id -+++ $1/contrib/ssh-copy-id -@@ -250,7 +250,8 @@ populate_new_ids() { - exit 1 - fi - if [ -z "$NEW_IDS" ] ; then -- printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n\n' "$0" >&2 -+ printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n' "$0" >&2 -+ printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' "$0" >&2 - exit 0 - fi - printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2 --- -1.9.1 - - - -From de78897ada50ed12f4b0c9faa6e935ce82ee49a6 Mon Sep 17 00:00:00 2001 -From: Philip Hands -Date: Thu, 26 Nov 2015 00:25:56 +0100 -Subject: [PATCH] handle keys with missing trailing 
newline (closes: 2350) - ---- - ssh-copy-id | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id -index 8666cea..362b49b 100755 ---- $1/contrib/ssh-copy-id -+++ $1/contrib/ssh-copy-id -@@ -218,7 +218,7 @@ populate_new_ids() { - printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2 - NEW_IDS=$( - eval $GET_ID | { -- while read ID ; do -+ while read ID || [ "$ID" ] ; do - printf '%s\n' "$ID" > $L_TMP_ID_FILE - - # the next line assumes $PRIV_ID_FILE only set if using a single id file - this --- -1.9.1 - - - -From 6b903ab99a3f0107bb0dbde748a4372033bab00c Mon Sep 17 00:00:00 2001 -From: Philip Hands -Date: Thu, 26 Nov 2015 00:36:09 +0100 -Subject: [PATCH] add a cd to ensure we're in the remote's home directory - (closes: 2349) - ---- - ssh-copy-id | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id -index 362b49b..2932936 100755 ---- $1/contrib/ssh-copy-id -+++ $1/contrib/ssh-copy-id -@@ -284,7 +284,7 @@ case "$REMOTE_VERSION" in - # Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect - populate_new_ids 0 - [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \ -- ssh "$@" "exec sh -c 'umask 077 ; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \ -+ ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \ - || exit 1 - ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l) - ;; --- -1.9.1 - - - -From 441892cbf4ff96fd96908582b8170f51890b5deb Mon Sep 17 00:00:00 2001 -From: Philip Hands -Date: Sat, 28 Nov 2015 14:42:36 +0100 -Subject: [PATCH] add comment about why the ugly one-line remote command is as - it is - -In case anyone looks here for the details: 
- * tcsh doesn't support multi-line strings, - which is why it's a one-liner. - * tcsh doesn't do 2>&1, and fish doesn't do - 'command || command' which is why we're runnig this under - sh (which is very likely to be a POSIX shell on any vaguely - Unix-like system) - * The 'cd' is there to make sure we're in the home dir, because - there was a bug report about having a cd in ~/.bashrc that resulted - in a .ssh being created elsewhere. - * the 'exec' ensures that we're not relying on anything beyond the - (hopefully POSIX) shell that's available as 'sh' on the remote system ---- - ssh-copy-id | 1 + - 1 file changed, 1 insertion(+) - -diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id -index 2932936..04c03eb 100755 ---- $1/contrib/ssh-copy-id -+++ $1/contrib/ssh-copy-id -@@ -283,6 +283,7 @@ case "$REMOTE_VERSION" in - *) - # Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect - populate_new_ids 0 -+ # in ssh below - to defend against quirky remote shells: use 'exec sh -c' to get POSIX; 'cd' to be at $HOME; and all on one line, because tcsh. 
- [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \ - ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \ - || exit 1 --- -1.9.1 - - - -From 8b59b122d321b97badd15c41e1a22863aa922a02 Mon Sep 17 00:00:00 2001 -From: Philip Hands -Date: Sat, 28 Nov 2015 14:46:47 +0100 -Subject: [PATCH] with '-f' there's no need to have access to the private key - ---- - ssh-copy-id | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id -index 04c03eb..d3ff83b 100755 ---- $1/contrib/ssh-copy-id -+++ $1/contrib/ssh-copy-id -@@ -80,7 +80,7 @@ use_id_file() { - PUB_ID_FILE="$L_ID_FILE.pub" - fi - -- PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub) -+ [ "$FORCED" ] || PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub) - - # check that the files are readable - for f in $PUB_ID_FILE $PRIV_ID_FILE ; do --- -1.9.1 - - - -From 1b931894de0614099255244be789ad097fd0948a Mon Sep 17 00:00:00 2001 -From: Philip Hands -Date: Sat, 28 Nov 2015 14:47:35 +0100 -Subject: [PATCH] if the private key is missing, point out that '-f' might be - what's needed - ---- - ssh-copy-id | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id -index d3ff83b..f0b01aa 100755 ---- $1/contrib/ssh-copy-id -+++ $1/contrib/ssh-copy-id -@@ -85,7 +85,9 @@ use_id_file() { - # check that the files are readable - for f in $PUB_ID_FILE $PRIV_ID_FILE ; do - ErrMSG=$( { : < $f ; } 2>&1 ) || { -- printf "\n%s: ERROR: failed to open ID file '%s': %s\n\n" "$0" "$f" "$(printf "%s\n" "$ErrMSG" | sed -e 's/.*: *//')" -+ local L_PRIVMSG="" -+ [ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG=" (to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)" -+ printf "\n%s: ERROR: failed to open ID file '%s': %s\n" "$0" "$f" "$(printf "%s\n%s\n" 
"$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')" - exit 1 - } - done --- -1.9.1 - - - -From fd3e8b115e160a1332773cd8e06a3305d0d680ab Mon Sep 17 00:00:00 2001 -From: Philip Hands -Date: Sat, 28 Nov 2015 21:10:39 +0100 -Subject: [PATCH] +INFO message to mitigate the surprise described in #2196 - ---- - ssh-copy-id | 1 + - 1 file changed, 1 insertion(+) - -diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id -index f0b01aa..994194e 100755 ---- $1/contrib/ssh-copy-id -+++ $1/contrib/ssh-copy-id -@@ -91,6 +91,7 @@ use_id_file() { - exit 1 - } - done -+ printf '%s: INFO: Source of key(s) to be installed: "%s"\n' "$0" $PUB_ID_FILE >&2 - GET_ID="cat \"$PUB_ID_FILE\"" - } - --- -1.9.1 - - - -From 783ef08b0a757402aba67313f08f8dbfa9bf85f3 Mon Sep 17 00:00:00 2001 -From: Philip Hands -Date: Mon, 30 Nov 2015 20:46:19 +0100 -Subject: [PATCH] deal with $HOME and id filenames that include a space - ---- - ssh-copy-id | 15 ++++++++------- - 1 file changed, 8 insertions(+), 7 deletions(-) - -diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id -index 994194e..afde8b1 100755 ---- $1/contrib/ssh-copy-id -+++ $1/contrib/ssh-copy-id -@@ -56,7 +56,7 @@ then - fi - fi - --DEFAULT_PUB_ID_FILE=$(ls -t ${HOME}/.ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1) -+DEFAULT_PUB_ID_FILE="$HOME/$(cd "$HOME" ; ls -t .ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)" - - usage () { - printf 'Usage: %s [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o ] ...] 
[user@]hostname\n' "$0" >&2 -@@ -83,15 +83,15 @@ use_id_file() { - [ "$FORCED" ] || PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub) - - # check that the files are readable -- for f in $PUB_ID_FILE $PRIV_ID_FILE ; do -- ErrMSG=$( { : < $f ; } 2>&1 ) || { -+ for f in "$PUB_ID_FILE" ${PRIV_ID_FILE:+"$PRIV_ID_FILE"} ; do -+ ErrMSG=$( { : < "$f" ; } 2>&1 ) || { - local L_PRIVMSG="" - [ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG=" (to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)" - printf "\n%s: ERROR: failed to open ID file '%s': %s\n" "$0" "$f" "$(printf "%s\n%s\n" "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')" - exit 1 - } - done -- printf '%s: INFO: Source of key(s) to be installed: "%s"\n' "$0" $PUB_ID_FILE >&2 -+ printf '%s: INFO: Source of key(s) to be installed: "%s"\n' "$0" "$PUB_ID_FILE" >&2 - GET_ID="cat \"$PUB_ID_FILE\"" - } - -@@ -217,12 +217,13 @@ populate_new_ids() { - printf '%s: ERROR: mktemp failed\n' "$0" >&2 - exit 1 - fi -- trap "rm -f $L_TMP_ID_FILE ${L_TMP_ID_FILE}.pub" EXIT TERM INT QUIT -+ local L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\"" -+ trap "$L_CLEANUP" EXIT TERM INT QUIT - printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2 - NEW_IDS=$( - eval $GET_ID | { - while read ID || [ "$ID" ] ; do -- printf '%s\n' "$ID" > $L_TMP_ID_FILE -+ printf '%s\n' "$ID" > "$L_TMP_ID_FILE" - - # the next line assumes $PRIV_ID_FILE only set if using a single id file - this - # assumption will break if we implement the possibility of multiple -i options. 
-@@ -246,7 +247,7 @@ populate_new_ids() { - done - } - ) -- rm -f $L_TMP_ID_FILE* && trap - EXIT TERM INT QUIT -+ eval "$L_CLEANUP" && trap - EXIT TERM INT QUIT - - if expr "$NEW_IDS" : "^ERROR: " >/dev/null ; then - printf '\n%s: %s\n\n' "$0" "$NEW_IDS" >&2 --- -1.9.1 - - -diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id -index afde8b1..cd52764 100644 ---- a/contrib/ssh-copy-id -+++ b/contrib/ssh-copy-id -@@ -99,6 +99,8 @@ if [ -n "$SSH_AUTH_SOCK" ] && ssh-add -L >/dev/null 2>&1 ; then - GET_ID="ssh-add -L" - fi - -+[ "x$SSH_COPY_ID_LEGACY" != "x" ] && FORCED=1 -+ - while test "$#" -gt 0 - do - [ "${SEEN_OPT_I}" ] && expr "$1" : "[-]i" >/dev/null && { -diff --git a/contrib/ssh-copy-id.1 b/contrib/ssh-copy-id.1 -index 8850cce..62f112d 100644 ---- a/contrib/ssh-copy-id.1 -+++ b/contrib/ssh-copy-id.1 -@@ -185,6 +185,22 @@ should prove enlightening (N.B. the modern approach is to use the - .Fl W - option, rather than - .Xr nc 1 ) . -+.Sh ENVIRONMENT -+.Bl -tag -width Ds -+.Pp -+.It Pa SSH_COPY_ID_LEGACY -+If the -+.Cm SSH_COPY_ID_LEGACY -+environment variable is set, the -+.Nm -+is run in a legacy mode. In this mode, the -+.Nm -+doesn't check an existence of a private key and doesn't do remote checks -+of the remote server versions or if public keys are already installed -+(equivalent to -+.Fl f -+switch). -+.El - .Sh "SEE ALSO" - .Xr ssh 1 , - .Xr ssh-agent 1 , diff --git a/openssh-7.1p2-audit-race-condition.patch b/openssh-7.1p2-audit-race-condition.patch index 04039a7..0a58fb4 100644 --- a/openssh-7.1p2-audit-race-condition.patch +++ b/openssh-7.1p2-audit-race-condition.patch @@ -77,7 +77,7 @@ index 8949fd1..9afb764 100644 +#endif + static int is_child = 0; - + static int in_chroot = 0; static int have_dev_log = 1; @@ -875,6 +879,8 @@ do_exec(Session *s, const char *command) } diff --git a/openssh-7.1p2-fallback-x11-untrusted.patch b/openssh-7.1p2-fallback-x11-untrusted.patch deleted file mode 100644 index 3fdf5fe..0000000 
--- a/openssh-7.1p2-fallback-x11-untrusted.patch
+++ /dev/null
@@ -1,387 +0,0 @@ -From f98a09cacff7baad8748c9aa217afd155a4d493f Mon Sep 17 00:00:00 2001 -From: "mmcc@openbsd.org" -Date: Tue, 20 Oct 2015 03:36:35 +0000 -Subject: [PATCH] upstream commit - -Replace a function-local allocation with stack memory. - -ok djm@ - -Upstream-ID: c09fbbab637053a2ab9f33ca142b4e20a4c5a17e ---- - clientloop.c | 9 ++------- - 1 file changed, 2 insertions(+), 7 deletions(-) - -diff --git a/clientloop.c b/clientloop.c -index 87ceb3d..1e05cba 100644 ---- a/clientloop.c -+++ b/clientloop.c -@@ -311,11 +311,10 @@ client_x11_get_proto(const char *display, const char *xauth_path, - static char proto[512], data[512]; - FILE *f; - int got_data = 0, generated = 0, do_unlink = 0, i; -- char *xauthdir, *xauthfile; -+ char xauthdir[PATH_MAX] = "", xauthfile[PATH_MAX] = ""; - struct stat st; - u_int now, x11_timeout_real; - -- xauthdir = xauthfile = NULL; - *_proto = proto; - *_data = data; - proto[0] = data[0] = '\0'; -@@ -343,8 +342,6 @@ client_x11_get_proto(const char *display, const char *xauth_path, - display = xdisplay; - } - if (trusted == 0) { -- xauthdir = xmalloc(PATH_MAX); -- xauthfile = xmalloc(PATH_MAX); - mktemp_proto(xauthdir, PATH_MAX); - /* - * The authentication cookie should briefly outlive -@@ -407,8 +404,6 @@ client_x11_get_proto(const char *display, const char *xauth_path, - unlink(xauthfile); - rmdir(xauthdir); - } -- free(xauthdir); -- free(xauthfile); - - /* - * If we didn't get authentication data, just make up some --- -2.5.0 - -From ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c Mon Sep 17 00:00:00 2001 -From: "djm@openbsd.org" -Date: Wed, 13 Jan 2016 23:04:47 +0000 -Subject: [PATCH] upstream commit - -eliminate fallback from untrusted X11 forwarding to trusted - forwarding when the X server disables the SECURITY extension; Reported by - Thomas Hoger; ok deraadt@ - -Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938 ---- - clientloop.c | 114 ++++++++++++++++++++++++++++++++++++----------------------- - clientloop.h | 4 +-- - mux.c 
| 22 ++++++------ - ssh.c | 23 +++++------- - 4 files changed, 93 insertions(+), 70 deletions(-) - -diff --git a/clientloop.c b/clientloop.c -index f555451..c0386d5 100644 ---- a/clientloop.c -+++ b/clientloop.c -@@ -288,6 +288,9 @@ client_x11_display_valid(const char *display) - { - size_t i, dlen; - -+ if (display == NULL) -+ return 0; -+ - dlen = strlen(display); - for (i = 0; i < dlen; i++) { - if (!isalnum((u_char)display[i]) && -@@ -301,34 +304,33 @@ client_x11_display_valid(const char *display) - - #define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" - #define X11_TIMEOUT_SLACK 60 --void -+int - client_x11_get_proto(const char *display, const char *xauth_path, - u_int trusted, u_int timeout, char **_proto, char **_data) - { -- char cmd[1024]; -- char line[512]; -- char xdisplay[512]; -+ char cmd[1024], line[512], xdisplay[512]; -+ char xauthfile[PATH_MAX], xauthdir[PATH_MAX]; - static char proto[512], data[512]; - FILE *f; -- int got_data = 0, generated = 0, do_unlink = 0, i; -- char xauthdir[PATH_MAX] = "", xauthfile[PATH_MAX] = ""; -+ int got_data = 0, generated = 0, do_unlink = 0, i, r; - struct stat st; - u_int now, x11_timeout_real; - - *_proto = proto; - *_data = data; -- proto[0] = data[0] = '\0'; -+ proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0'; - -- if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) { -- debug("No xauth program."); -- } else if (!client_x11_display_valid(display)) { -- logit("DISPLAY '%s' invalid, falling back to fake xauth data", -+ if (!client_x11_display_valid(display)) { -+ logit("DISPLAY \"%s\" invalid; disabling X11 forwarding", - display); -- } else { -- if (display == NULL) { -- debug("x11_get_proto: DISPLAY not set"); -- return; -- } -+ return -1; -+ } -+ if (xauth_path != NULL && stat(xauth_path, &st) == -1) { -+ debug("No xauth program."); -+ xauth_path = NULL; -+ } -+ -+ if (xauth_path != NULL) { - /* - * Handle FamilyLocal case where $DISPLAY does - * not match an authorization entry. 
For this we -@@ -337,43 +339,60 @@ client_x11_get_proto(const char *display, const char *xauth_path, - * is not perfect. - */ - if (strncmp(display, "localhost:", 10) == 0) { -- snprintf(xdisplay, sizeof(xdisplay), "unix:%s", -- display + 10); -+ if ((r = snprintf(xdisplay, sizeof(xdisplay), "unix:%s", -+ display + 10)) < 0 || -+ (size_t)r >= sizeof(xdisplay)) { -+ error("%s: display name too long", __func__); -+ return -1; -+ } - display = xdisplay; - } - if (trusted == 0) { -- mktemp_proto(xauthdir, PATH_MAX); - /* -+ * Generate an untrusted X11 auth cookie. -+ * - * The authentication cookie should briefly outlive - * ssh's willingness to forward X11 connections to - * avoid nasty fail-open behaviour in the X server. - */ -+ mktemp_proto(xauthdir, sizeof(xauthdir)); -+ if (mkdtemp(xauthdir) == NULL) { -+ error("%s: mkdtemp: %s", -+ __func__, strerror(errno)); -+ return -1; -+ } -+ do_unlink = 1; -+ if ((r = snprintf(xauthfile, sizeof(xauthfile), -+ "%s/xauthfile", xauthdir)) < 0 || -+ (size_t)r >= sizeof(xauthfile)) { -+ error("%s: xauthfile path too long", __func__); -+ unlink(xauthfile); -+ rmdir(xauthdir); -+ return -1; -+ } -+ - if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK) - x11_timeout_real = UINT_MAX; - else - x11_timeout_real = timeout + X11_TIMEOUT_SLACK; -- if (mkdtemp(xauthdir) != NULL) { -- do_unlink = 1; -- snprintf(xauthfile, PATH_MAX, "%s/xauthfile", -- xauthdir); -- snprintf(cmd, sizeof(cmd), -- "%s -f %s generate %s " SSH_X11_PROTO -- " untrusted timeout %u 2>" _PATH_DEVNULL, -- xauth_path, xauthfile, display, -- x11_timeout_real); -- debug2("x11_get_proto: %s", cmd); -- if (x11_refuse_time == 0) { -- now = monotime() + 1; -- if (UINT_MAX - timeout < now) -- x11_refuse_time = UINT_MAX; -- else -- x11_refuse_time = now + timeout; -- channel_set_x11_refuse_time( -- x11_refuse_time); -- } -- if (system(cmd) == 0) -- generated = 1; -+ if ((r = snprintf(cmd, sizeof(cmd), -+ "%s -f %s generate %s " SSH_X11_PROTO -+ " untrusted timeout %u 2>" 
_PATH_DEVNULL, -+ xauth_path, xauthfile, display, -+ x11_timeout_real)) < 0 || -+ (size_t)r >= sizeof(cmd)) -+ fatal("%s: cmd too long", __func__); -+ debug2("%s: %s", __func__, cmd); -+ if (x11_refuse_time == 0) { -+ now = monotime() + 1; -+ if (UINT_MAX - timeout < now) -+ x11_refuse_time = UINT_MAX; -+ else -+ x11_refuse_time = now + timeout; -+ channel_set_x11_refuse_time(x11_refuse_time); - } -+ if (system(cmd) == 0) -+ generated = 1; - } - - /* -@@ -395,9 +414,7 @@ client_x11_get_proto(const char *display, const char *xauth_path, - got_data = 1; - if (f) - pclose(f); -- } else -- error("Warning: untrusted X11 forwarding setup failed: " -- "xauth key data not generated"); -+ } - } - - if (do_unlink) { -@@ -405,6 +422,13 @@ client_x11_get_proto(const char *display, const char *xauth_path, - rmdir(xauthdir); - } - -+ /* Don't fall back to fake X11 data for untrusted forwarding */ -+ if (!trusted && !got_data) { -+ error("Warning: untrusted X11 forwarding setup failed: " -+ "xauth key data not generated"); -+ return -1; -+ } -+ - /* - * If we didn't get authentication data, just make up some - * data. The forwarding code will check the validity of the -@@ -427,6 +451,8 @@ client_x11_get_proto(const char *display, const char *xauth_path, - rnd >>= 8; - } - } -+ -+ return 0; - } - - /* -diff --git a/clientloop.h b/clientloop.h -index 338d451..f4d4c69 100644 ---- a/clientloop.h -+++ b/clientloop.h -@@ -39,7 +39,7 @@ - - /* Client side main loop for the interactive session. 
*/ - int client_loop(int, int, int); --void client_x11_get_proto(const char *, const char *, u_int, u_int, -+int client_x11_get_proto(const char *, const char *, u_int, u_int, - char **, char **); - void client_global_request_reply_fwd(int, u_int32_t, void *); - void client_session2_setup(int, int, int, const char *, struct termios *, -diff --git a/mux.c b/mux.c -index f9c3af6..6bf53eb 100644 ---- a/mux.c -+++ b/mux.c -@@ -1354,16 +1354,18 @@ mux_session_confirm(int id, int success, void *arg) - char *proto, *data; - - /* Get reasonable local authentication information. */ -- client_x11_get_proto(display, options.xauth_location, -+ if (client_x11_get_proto(display, options.xauth_location, - options.forward_x11_trusted, options.forward_x11_timeout, -- &proto, &data); -- /* Request forwarding with authentication spoofing. */ -- debug("Requesting X11 forwarding with authentication " -- "spoofing."); -- x11_request_forwarding_with_spoofing(id, display, proto, -- data, 1); -- client_expect_confirm(id, "X11 forwarding", CONFIRM_WARN); -- /* XXX exit_on_forward_failure */ -+ &proto, &data) == 0) { -+ /* Request forwarding with authentication spoofing. */ -+ debug("Requesting X11 forwarding with authentication " -+ "spoofing."); -+ x11_request_forwarding_with_spoofing(id, display, proto, -+ data, 1); -+ /* XXX exit_on_forward_failure */ -+ client_expect_confirm(id, "X11 forwarding", -+ CONFIRM_WARN); -+ } - } - - if (cctx->want_agent_fwd && options.forward_agent) { -diff --git a/ssh.c b/ssh.c -index 81704ab..096c5b5 100644 ---- a/ssh.c -+++ b/ssh.c -@@ -1626,6 +1626,7 @@ ssh_session(void) - struct winsize ws; - char *cp; - const char *display; -+ char *proto = NULL, *data = NULL; - - /* Enable compression if requested. 
*/ - if (options.compression) { -@@ -1696,13 +1697,9 @@ ssh_session(void) - display = getenv("DISPLAY"); - if (display == NULL && options.forward_x11) - debug("X11 forwarding requested but DISPLAY not set"); -- if (options.forward_x11 && display != NULL) { -- char *proto, *data; -- /* Get reasonable local authentication information. */ -- client_x11_get_proto(display, options.xauth_location, -- options.forward_x11_trusted, -- options.forward_x11_timeout, -- &proto, &data); -+ if (options.forward_x11 && client_x11_get_proto(display, -+ options.xauth_location, options.forward_x11_trusted, -+ options.forward_x11_timeout, &proto, &data) == 0) { - /* Request forwarding with authentication spoofing. */ - debug("Requesting X11 forwarding with authentication " - "spoofing."); -@@ -1792,6 +1789,7 @@ ssh_session2_setup(int id, int success, void *arg) - extern char **environ; - const char *display; - int interactive = tty_flag; -+ char *proto = NULL, *data = NULL; - - if (!success) - return; /* No need for error message, channels code sens one */ -@@ -1799,12 +1797,9 @@ ssh_session2_setup(int id, int success, void *arg) - display = getenv("DISPLAY"); - if (display == NULL && options.forward_x11) - debug("X11 forwarding requested but DISPLAY not set"); -- if (options.forward_x11 && display != NULL) { -- char *proto, *data; -- /* Get reasonable local authentication information. */ -- client_x11_get_proto(display, options.xauth_location, -- options.forward_x11_trusted, -- options.forward_x11_timeout, &proto, &data); -+ if (options.forward_x11 && client_x11_get_proto(display, -+ options.xauth_location, options.forward_x11_trusted, -+ options.forward_x11_timeout, &proto, &data) == 0) { - /* Request forwarding with authentication spoofing. 
*/ - debug("Requesting X11 forwarding with authentication " - "spoofing."); --- -2.5.0 - -From 5658ef2501e785fbbdf5de2dc33b1ff7a4dca73a Mon Sep 17 00:00:00 2001 -From: "millert@openbsd.org" -Date: Mon, 1 Feb 2016 21:18:17 +0000 -Subject: upstream commit - -Avoid ugly "DISPLAY "(null)" invalid; disabling X11 - forwarding" message when DISPLAY is not set. This could also result in a - crash on systems with a printf that doesn't handle NULL. OK djm@ - -Upstream-ID: 20ee0cfbda678a247264c20ed75362042b90b412 ---- - clientloop.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/clientloop.c b/clientloop.c -index f8f9a3f..f0a08f2 100644 ---- a/clientloop.c -+++ b/clientloop.c -@@ -318,8 +318,9 @@ client_x11_get_proto(const char *display, const char *xauth_path, - proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0'; - - if (!client_x11_display_valid(display)) { -- logit("DISPLAY \"%s\" invalid; disabling X11 forwarding", -- display); -+ if (display != NULL) -+ logit("DISPLAY \"%s\" invalid; disabling X11 forwarding", -+ display); - return -1; - } - if (xauth_path != NULL && stat(xauth_path, &st) == -1) { --- -cgit v0.11.2 - - diff --git a/openssh-6.7p1-audit.patch b/openssh-7.2p1-audit.patch similarity index 84% rename from openssh-6.7p1-audit.patch rename to openssh-7.2p1-audit.patch index 106cda1..e7574b5 100644 --- a/openssh-6.7p1-audit.patch +++ b/openssh-7.2p1-audit.patch @@ -1,6 +1,6 @@ -diff -up openssh-7.0p1/audit-bsm.c.audit openssh-7.0p1/audit-bsm.c ---- openssh-7.0p1/audit-bsm.c.audit 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/audit-bsm.c 2015-08-12 11:33:00.409914290 +0200 +diff -up openssh-7.2p1/audit-bsm.c.audit openssh-7.2p1/audit-bsm.c +--- openssh-7.2p1/audit-bsm.c.audit 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/audit-bsm.c 2016-02-12 18:24:34.212825181 +0100 @@ -375,10 +375,23 @@ audit_connection_from(const char *host, #endif } 
@@ -80,9 +80,9 @@ diff -up openssh-7.0p1/audit-bsm.c.audit openssh-7.0p1/audit-bsm.c + /* not implemented */ +} #endif /* BSM */ -diff -up openssh-7.0p1/audit.c.audit openssh-7.0p1/audit.c ---- openssh-7.0p1/audit.c.audit 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/audit.c 2015-08-12 11:33:00.410914289 +0200 +diff -up openssh-7.2p1/audit.c.audit openssh-7.2p1/audit.c +--- openssh-7.2p1/audit.c.audit 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/audit.c 2016-02-12 18:24:34.216825179 +0100 @@ -28,6 +28,7 @@ #include @@ -280,9 +280,9 @@ diff -up openssh-7.0p1/audit.c.audit openssh-7.0p1/audit.c } # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ -diff -up openssh-7.0p1/audit.h.audit openssh-7.0p1/audit.h ---- openssh-7.0p1/audit.h.audit 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/audit.h 2015-08-12 11:33:00.410914289 +0200 +diff -up openssh-7.2p1/audit.h.audit openssh-7.2p1/audit.h +--- openssh-7.2p1/audit.h.audit 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/audit.h 2016-02-12 18:24:34.216825179 +0100 @@ -28,6 +28,7 @@ # define _SSH_AUDIT_H @@ -318,9 +318,9 @@ diff -up openssh-7.0p1/audit.h.audit openssh-7.0p1/audit.h +void audit_generate_ephemeral_server_key(const char *); #endif /* _SSH_AUDIT_H */ -diff -up openssh-7.0p1/audit-linux.c.audit openssh-7.0p1/audit-linux.c ---- openssh-7.0p1/audit-linux.c.audit 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/audit-linux.c 2015-08-12 11:33:00.411914287 +0200 +diff -up openssh-7.2p1/audit-linux.c.audit openssh-7.2p1/audit-linux.c +--- openssh-7.2p1/audit-linux.c.audit 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/audit-linux.c 2016-02-12 18:24:34.219825178 +0100 @@ -35,13 +35,25 @@ #include "log.h" 
@@ -712,9 +712,9 @@ diff -up openssh-7.0p1/audit-linux.c.audit openssh-7.0p1/audit-linux.c + error("cannot write into audit"); +} #endif /* USE_LINUX_AUDIT */ -diff -up openssh-7.0p1/auditstub.c.audit openssh-7.0p1/auditstub.c ---- openssh-7.0p1/auditstub.c.audit 2015-08-12 11:33:00.411914287 +0200 -+++ openssh-7.0p1/auditstub.c 2015-08-12 11:33:00.411914287 +0200 +diff -up openssh-7.2p1/auditstub.c.audit openssh-7.2p1/auditstub.c +--- openssh-7.2p1/auditstub.c.audit 2016-02-12 18:24:34.219825178 +0100 ++++ openssh-7.2p1/auditstub.c 2016-02-12 18:24:34.219825178 +0100 @@ -0,0 +1,50 @@ +/* $Id: auditstub.c,v 1.1 jfch Exp $ */ + @@ -766,9 +766,9 @@ diff -up openssh-7.0p1/auditstub.c.audit openssh-7.0p1/auditstub.c +audit_session_key_free_body(int ctos, pid_t pid, uid_t uid) +{ +} -diff -up openssh-7.0p1/auth2.c.audit openssh-7.0p1/auth2.c ---- openssh-7.0p1/auth2.c.audit 2015-08-12 11:33:00.349914384 +0200 -+++ openssh-7.0p1/auth2.c 2015-08-12 11:33:00.411914287 +0200 +diff -up openssh-7.2p1/auth2.c.audit openssh-7.2p1/auth2.c +--- openssh-7.2p1/auth2.c.audit 2016-02-12 18:24:34.148825205 +0100 ++++ openssh-7.2p1/auth2.c 2016-02-12 18:24:34.219825178 +0100 @@ -249,9 +249,6 @@ input_userauth_request(int type, u_int32 } else { logit("input_userauth_request: invalid user %s", user); @@ -779,9 +779,9 @@ diff -up openssh-7.0p1/auth2.c.audit openssh-7.0p1/auth2.c } #ifdef USE_PAM if (options.use_pam) -diff -up openssh-7.0p1/auth2-hostbased.c.audit openssh-7.0p1/auth2-hostbased.c ---- openssh-7.0p1/auth2-hostbased.c.audit 2015-08-12 11:33:00.303914456 +0200 -+++ openssh-7.0p1/auth2-hostbased.c 2015-08-12 11:33:00.412914286 +0200 +diff -up openssh-7.2p1/auth2-hostbased.c.audit openssh-7.2p1/auth2-hostbased.c +--- openssh-7.2p1/auth2-hostbased.c.audit 2016-02-12 18:24:34.109825220 +0100 ++++ openssh-7.2p1/auth2-hostbased.c 2016-02-12 18:24:34.220825178 +0100 
@@ -146,7 +146,7 @@ userauth_hostbased(Authctxt *authctxt) /* test for allowed key and correct signature */ authenticated = 0; @@ -810,10 +810,10 @@ diff -up openssh-7.0p1/auth2-hostbased.c.audit openssh-7.0p1/auth2-hostbased.c /* return 1 if given hostkey is allowed */ int hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, -diff -up openssh-7.0p1/auth2-pubkey.c.audit openssh-7.0p1/auth2-pubkey.c ---- openssh-7.0p1/auth2-pubkey.c.audit 2015-08-12 11:33:00.318914432 +0200 -+++ openssh-7.0p1/auth2-pubkey.c 2015-08-12 11:33:00.412914286 +0200 -@@ -175,7 +175,7 @@ userauth_pubkey(Authctxt *authctxt) +diff -up openssh-7.2p1/auth2-pubkey.c.audit openssh-7.2p1/auth2-pubkey.c +--- openssh-7.2p1/auth2-pubkey.c.audit 2016-02-12 18:24:34.122825215 +0100 ++++ openssh-7.2p1/auth2-pubkey.c 2016-02-12 18:24:34.220825178 +0100 +@@ -178,7 +178,7 @@ userauth_pubkey(Authctxt *authctxt) /* test for correct signature */ authenticated = 0; if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) && @@ -822,7 +822,7 @@ diff -up openssh-7.0p1/auth2-pubkey.c.audit openssh-7.0p1/auth2-pubkey.c buffer_len(&b))) == 1) { authenticated = 1; /* Record the successful key to prevent reuse */ -@@ -253,6 +253,18 @@ pubkey_auth_info(Authctxt *authctxt, con +@@ -258,6 +258,18 @@ pubkey_auth_info(Authctxt *authctxt, con free(extra); } 
@@ -841,10 +841,10 @@ diff -up openssh-7.0p1/auth2-pubkey.c.audit openssh-7.0p1/auth2-pubkey.c /* * Splits 's' into an argument vector. Handles quoted string and basic * escape characters (\\, \", \'). Caller must free the argument vector -diff -up openssh-7.0p1/auth.c.audit openssh-7.0p1/auth.c ---- openssh-7.0p1/auth.c.audit 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/auth.c 2015-08-12 11:33:00.412914286 +0200 -@@ -645,9 +645,6 @@ getpwnamallow(const char *user) +diff -up openssh-7.2p1/auth.c.audit openssh-7.2p1/auth.c +--- openssh-7.2p1/auth.c.audit 2016-02-12 18:24:34.148825205 +0100 ++++ openssh-7.2p1/auth.c 2016-02-12 18:24:34.220825178 +0100 +@@ -646,9 +646,6 @@ getpwnamallow(const char *user) record_failed_login(user, get_canonical_hostname(options.use_dns), "ssh"); #endif @@ -854,9 +854,9 @@ diff -up openssh-7.0p1/auth.c.audit openssh-7.0p1/auth.c return (NULL); } if (!allowed_user(pw)) -diff -up openssh-7.0p1/auth.h.audit openssh-7.0p1/auth.h ---- openssh-7.0p1/auth.h.audit 2015-08-12 11:33:00.302914457 +0200 -+++ openssh-7.0p1/auth.h 2015-08-12 11:33:00.412914286 +0200 +diff -up openssh-7.2p1/auth.h.audit openssh-7.2p1/auth.h +--- openssh-7.2p1/auth.h.audit 2016-02-12 18:24:34.108825221 +0100 ++++ openssh-7.2p1/auth.h 2016-02-12 18:32:46.085636046 +0100 @@ -195,6 +195,7 @@ void abandon_challenge_response(Authctxt char *expand_authorized_keys(const char *, struct passwd *pw); @@ -868,14 +868,14 @@ diff -up openssh-7.0p1/auth.h.audit openssh-7.0p1/auth.h 
@@ -213,6 +214,7 @@ int get_hostkey_index(Key *, int, struc int ssh1_session_key(BIGNUM *); int sshd_hostkey_sign(Key *, Key *, u_char **, size_t *, - const u_char *, size_t, u_int); + const u_char *, size_t, const char *, u_int); +int hostbased_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int); /* debug messages during authentication */ void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2))); -diff -up openssh-7.0p1/auth-rsa.c.audit openssh-7.0p1/auth-rsa.c ---- openssh-7.0p1/auth-rsa.c.audit 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/auth-rsa.c 2015-08-12 11:33:00.412914286 +0200 +diff -up openssh-7.2p1/auth-rsa.c.audit openssh-7.2p1/auth-rsa.c +--- openssh-7.2p1/auth-rsa.c.audit 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/auth-rsa.c 2016-02-12 18:24:34.221825177 +0100 @@ -95,7 +95,10 @@ auth_rsa_verify_response(Key *key, BIGNU { u_char buf[32], mdbuf[16]; @@ -912,9 +912,9 @@ diff -up openssh-7.0p1/auth-rsa.c.audit openssh-7.0p1/auth-rsa.c } /* -diff -up openssh-7.0p1/cipher.c.audit openssh-7.0p1/cipher.c ---- openssh-7.0p1/cipher.c.audit 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/cipher.c 2015-08-12 11:33:00.412914286 +0200 +diff -up openssh-7.2p1/cipher.c.audit openssh-7.2p1/cipher.c +--- openssh-7.2p1/cipher.c.audit 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/cipher.c 2016-02-12 18:24:34.221825177 +0100 @@ -57,26 +57,6 @@ extern const EVP_CIPHER *evp_ssh1_3des(v extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); #endif 
@@ -942,9 +942,9 @@ diff -up openssh-7.0p1/cipher.c.audit openssh-7.0p1/cipher.c static const struct sshcipher ciphers[] = { #ifdef WITH_SSH1 { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, -diff -up openssh-7.0p1/cipher.h.audit openssh-7.0p1/cipher.h ---- openssh-7.0p1/cipher.h.audit 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/cipher.h 2015-08-12 11:33:00.413914284 +0200 +diff -up openssh-7.2p1/cipher.h.audit openssh-7.2p1/cipher.h +--- openssh-7.2p1/cipher.h.audit 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/cipher.h 2016-02-12 18:24:34.221825177 +0100 @@ -62,7 +62,26 @@ #define CIPHER_ENCRYPT 1 #define CIPHER_DECRYPT 0 @@ -973,9 +973,9 @@ diff -up openssh-7.0p1/cipher.h.audit openssh-7.0p1/cipher.h struct sshcipher_ctx { int plaintext; int encrypt; -diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c ---- openssh-7.0p1/kex.c.audit 2015-08-12 11:33:00.351914381 +0200 -+++ openssh-7.0p1/kex.c 2015-08-12 11:33:00.413914284 +0200 +diff -up openssh-7.2p1/kex.c.audit openssh-7.2p1/kex.c +--- openssh-7.2p1/kex.c.audit 2016-02-12 18:24:34.201825185 +0100 ++++ openssh-7.2p1/kex.c 2016-02-12 18:24:34.221825177 +0100 @@ -54,6 +54,7 @@ #include "ssherr.h" #include "sshbuf.h" @@ -984,7 +984,7 @@ diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c #ifdef GSSAPI #include "ssh-gss.h" -@@ -549,8 +550,12 @@ choose_enc(struct sshenc *enc, char *cli +@@ -669,8 +670,12 @@ choose_enc(struct sshenc *enc, char *cli { char *name = match_list(client, server, NULL); @@ -998,7 +998,7 @@ diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c if ((enc->cipher = cipher_by_name(name)) == NULL) return SSH_ERR_INTERNAL_ERROR; enc->name = name; -@@ -568,8 +573,12 @@ choose_mac(struct ssh *ssh, struct sshma +@@ -688,8 +693,12 @@ choose_mac(struct ssh *ssh, struct sshma { char *name = match_list(client, server, NULL); 
@@ -1012,7 +1012,7 @@ diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c if (mac_setup(mac, name) < 0) return SSH_ERR_INTERNAL_ERROR; /* truncate the key */ -@@ -586,8 +595,12 @@ choose_comp(struct sshcomp *comp, char * +@@ -706,8 +715,12 @@ choose_comp(struct sshcomp *comp, char * { char *name = match_list(client, server, NULL); @@ -1026,7 +1026,7 @@ diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c if (strcmp(name, "zlib@openssh.com") == 0) { comp->type = COMP_DELAYED; } else if (strcmp(name, "zlib") == 0) { -@@ -753,6 +766,10 @@ kex_choose_conf(struct ssh *ssh) +@@ -878,6 +891,10 @@ kex_choose_conf(struct ssh *ssh) dh_need = MAX(dh_need, newkeys->enc.block_size); dh_need = MAX(dh_need, newkeys->enc.iv_len); dh_need = MAX(dh_need, newkeys->mac.key_len); @@ -1037,7 +1037,7 @@ diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c } /* XXX need runden? */ kex->we_need = need; -@@ -928,3 +945,34 @@ dump_digest(char *msg, u_char *digest, i +@@ -1052,3 +1069,34 @@ dump_digest(char *msg, u_char *digest, i sshbuf_dump_data(digest, len, stderr); } #endif @@ -1054,7 +1054,7 @@ diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c + } + + if (enc->iv) { -+ memset(enc->iv, 0, enc->block_size); ++ memset(enc->iv, 0, enc->iv_len); + free(enc->iv); + } + @@ -1072,10 +1072,10 @@ diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c + memset(&newkeys->comp, 0, sizeof(newkeys->comp)); +} + -diff -up openssh-7.0p1/kex.h.audit openssh-7.0p1/kex.h ---- openssh-7.0p1/kex.h.audit 2015-08-12 11:33:00.352914379 +0200 -+++ openssh-7.0p1/kex.h 2015-08-12 11:33:00.413914284 +0200 -@@ -202,6 +202,8 @@ int kexgss_client(struct ssh *); +diff -up openssh-7.2p1/kex.h.audit openssh-7.2p1/kex.h +--- openssh-7.2p1/kex.h.audit 2016-02-12 18:24:34.201825185 +0100 ++++ openssh-7.2p1/kex.h 2016-02-12 18:24:34.222825177 +0100 +@@ -206,6 +206,8 @@ int kexgss_client(struct ssh *); int kexgss_server(struct ssh *); #endif 
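Review bot: The IV wipe in the `@@ -1054,7 +1054,7 @@` hunk is a plain `memset` immediately followed by `free(enc->iv)`, which a compiler is entitled to drop as a dead store, so the IV bytes can survive in freed heap memory; OpenSSH's openbsd-compat layer provides `explicit_bzero` for exactly this case, so the new line should read `explicit_bzero(enc->iv, enc->iv_len);` and any sibling key/MAC wipes in the same function should be changed the same way. Moving the length from `block_size` to `iv_len` looks correct as far as it goes, since for ciphers whose IV is not one block wide the old length presumably did not match the IV, but the fix only helps if the store actually survives optimisation. If these buffers are the fixed-size allocations produced during key derivation, `iv_len` may also be shorter than what was allocated, leaving trailing derived bytes unwiped; that cannot be confirmed from this hunk. The enclosing function added by the audit patch starts and ends outside this hunk, so the matching `enc->key` wipe could not be checked here.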
@@ -1084,9 +1084,9 @@ diff -up openssh-7.0p1/kex.h.audit openssh-7.0p1/kex.h int kex_dh_hash(const char *, const char *, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *); -diff -up openssh-7.0p1/key.h.audit openssh-7.0p1/key.h ---- openssh-7.0p1/key.h.audit 2015-08-12 11:33:00.413914284 +0200 -+++ openssh-7.0p1/key.h 2015-08-12 11:33:45.908843298 +0200 +diff -up openssh-7.2p1/key.h.audit openssh-7.2p1/key.h +--- openssh-7.2p1/key.h.audit 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/key.h 2016-02-12 18:24:34.222825177 +0100 @@ -50,6 +50,7 @@ typedef struct sshkey Key; #define key_ecdsa_bits_to_nid sshkey_ecdsa_bits_to_nid #define key_ecdsa_key_to_nid sshkey_ecdsa_key_to_nid @@ -1095,9 +1095,9 @@ diff -up openssh-7.0p1/key.h.audit openssh-7.0p1/key.h #define key_type_plain sshkey_type_plain #define key_curve_name_to_nid sshkey_curve_name_to_nid #define key_curve_nid_to_bits sshkey_curve_nid_to_bits -diff -up openssh-7.0p1/mac.c.audit openssh-7.0p1/mac.c ---- openssh-7.0p1/mac.c.audit 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/mac.c 2015-08-12 11:33:00.413914284 +0200 +diff -up openssh-7.2p1/mac.c.audit openssh-7.2p1/mac.c +--- openssh-7.2p1/mac.c.audit 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/mac.c 2016-02-12 18:24:34.222825177 +0100 @@ -226,6 +226,20 @@ mac_clear(struct sshmac *mac) mac->umac_ctx = NULL; } @@ -1119,9 +1119,9 @@ diff -up openssh-7.0p1/mac.c.audit openssh-7.0p1/mac.c /* XXX copied from ciphers_valid */ #define MAC_SEP "," int -diff -up openssh-7.0p1/mac.h.audit openssh-7.0p1/mac.h ---- openssh-7.0p1/mac.h.audit 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/mac.h 2015-08-12 11:33:00.413914284 +0200 +diff -up openssh-7.2p1/mac.h.audit openssh-7.2p1/mac.h +--- openssh-7.2p1/mac.h.audit 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/mac.h 2016-02-12 18:24:34.222825177 +0100 
@@ -47,5 +47,6 @@ int mac_init(struct sshmac *); int mac_compute(struct sshmac *, u_int32_t, const u_char *, int, u_char *, size_t); 
@@ -1129,30 +1129,30 @@ diff -up openssh-7.0p1/mac.h.audit openssh-7.0p1/mac.h +void mac_destroy(struct sshmac *); #endif /* SSHMAC_H */ -diff -up openssh-7.0p1/Makefile.in.audit openssh-7.0p1/Makefile.in ---- openssh-7.0p1/Makefile.in.audit 2015-08-12 11:33:00.402914301 +0200 -+++ openssh-7.0p1/Makefile.in 2015-08-12 11:33:00.414914283 +0200 -@@ -98,7 +98,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ - sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \ +diff -up openssh-7.2p1/Makefile.in.audit openssh-7.2p1/Makefile.in +--- openssh-7.2p1/Makefile.in.audit 2016-02-12 18:24:34.222825177 +0100 ++++ openssh-7.2p1/Makefile.in 2016-02-12 18:33:38.858629492 +0100 +@@ -99,7 +99,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \ -- kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o -+ kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o auditstub.o + kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ +- platform-pledge.o ++ platform-pledge.o auditstub.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ - sshconnect.o sshconnect1.o sshconnect2.o mux.o \ -diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c ---- openssh-7.0p1/monitor.c.audit 2015-08-12 11:33:00.378914339 +0200 -+++ openssh-7.0p1/monitor.c 2015-08-12 11:33:00.414914283 +0200 -@@ -102,6 +102,7 @@ + sshconnect.o sshconnect1.o sshconnect2.o mux.o +diff -up openssh-7.2p1/monitor.c.audit openssh-7.2p1/monitor.c +--- openssh-7.2p1/monitor.c.audit 2016-02-12 18:24:34.176825195 +0100 ++++ openssh-7.2p1/monitor.c 2016-02-12 18:34:05.184629882 +0100 +@@ -101,6 +101,7 @@ + #include "compat.h" #include "ssh2.h" - #include "roaming.h" #include "authfd.h" +#include "audit.h" #include "match.h" #include "ssherr.h" -@@ -117,6 +118,8 @@ extern Buffer auth_debug; +@@ -116,6 +117,8 @@ extern Buffer auth_debug; extern int auth_debug_init; extern Buffer loginmsg; 
@@ -1161,7 +1161,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c /* State exported from the child */ static struct sshbuf *child_state; -@@ -167,6 +170,11 @@ int mm_answer_gss_updatecreds(int, Buffe +@@ -166,6 +169,11 @@ int mm_answer_gss_updatecreds(int, Buffe #ifdef SSH_AUDIT_EVENTS int mm_answer_audit_event(int, Buffer *); int mm_answer_audit_command(int, Buffer *); @@ -1173,7 +1173,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c #endif static int monitor_read_log(struct monitor *); -@@ -226,6 +234,10 @@ struct mon_table mon_dispatch_proto20[] +@@ -225,6 +233,10 @@ struct mon_table mon_dispatch_proto20[] #endif #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, @@ -1184,7 +1184,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c #endif #ifdef BSD_AUTH {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, -@@ -264,6 +276,11 @@ struct mon_table mon_dispatch_postauth20 +@@ -263,6 +275,11 @@ struct mon_table mon_dispatch_postauth20 #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, @@ -1196,7 +1196,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c #endif {0, 0, NULL} }; -@@ -296,6 +313,10 @@ struct mon_table mon_dispatch_proto15[] +@@ -295,6 +312,10 @@ struct mon_table mon_dispatch_proto15[] #endif #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, @@ -1207,7 +1207,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c #endif #endif /* WITH_SSH1 */ {0, 0, NULL} -@@ -309,6 +330,11 @@ struct mon_table mon_dispatch_postauth15 +@@ -308,6 +329,11 @@ struct mon_table mon_dispatch_postauth15 #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, 
@@ -1219,7 +1219,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c #endif #endif /* WITH_SSH1 */ {0, 0, NULL} -@@ -1467,9 +1493,11 @@ mm_answer_keyverify(int sock, Buffer *m) +@@ -1464,9 +1490,11 @@ mm_answer_keyverify(int sock, Buffer *m) Key *key; u_char *signature, *data, *blob; u_int signaturelen, datalen, bloblen; @@ -1231,7 +1231,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c blob = buffer_get_string(m, &bloblen); signature = buffer_get_string(m, &signaturelen); data = buffer_get_string(m, &datalen); -@@ -1477,6 +1505,8 @@ mm_answer_keyverify(int sock, Buffer *m) +@@ -1474,6 +1502,8 @@ mm_answer_keyverify(int sock, Buffer *m) if (hostbased_cuser == NULL || hostbased_chost == NULL || !monitor_allowed_key(blob, bloblen)) fatal("%s: bad key, not previously allowed", __func__); @@ -1240,7 +1240,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c key = key_from_blob(blob, bloblen); if (key == NULL) -@@ -1497,7 +1527,17 @@ mm_answer_keyverify(int sock, Buffer *m) +@@ -1494,7 +1524,17 @@ mm_answer_keyverify(int sock, Buffer *m) if (!valid_data) fatal("%s: bad signature data blob", __func__); @@ -1259,7 +1259,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c debug3("%s: key %p signature %s", __func__, key, (verified == 1) ? "verified" : "unverified"); -@@ -1558,6 +1598,12 @@ mm_session_close(Session *s) +@@ -1555,6 +1595,12 @@ mm_session_close(Session *s) debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); session_pty_cleanup2(s); } @@ -1272,7 +1272,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c session_unused(s->self); } -@@ -1840,6 +1886,8 @@ mm_answer_term(int sock, Buffer *req) +@@ -1837,6 +1883,8 @@ mm_answer_term(int sock, Buffer *req) sshpam_cleanup(); #endif 
@@ -1281,7 +1281,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c while (waitpid(pmonitor->m_pid, &status, 0) == -1) if (errno != EINTR) exit(1); -@@ -1882,11 +1930,43 @@ mm_answer_audit_command(int socket, Buff +@@ -1879,11 +1927,43 @@ mm_answer_audit_command(int socket, Buff { u_int len; char *cmd; @@ -1326,7 +1326,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c free(cmd); return (0); } -@@ -1943,6 +2023,7 @@ monitor_apply_keystate(struct monitor *p +@@ -1940,6 +2020,7 @@ monitor_apply_keystate(struct monitor *p void mm_get_keystate(struct monitor *pmonitor) { @@ -1334,7 +1334,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c debug3("%s: Waiting for new keys", __func__); if ((child_state = sshbuf_new()) == NULL) -@@ -1950,6 +2031,21 @@ mm_get_keystate(struct monitor *pmonitor +@@ -1947,6 +2028,21 @@ mm_get_keystate(struct monitor *pmonitor mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT, child_state); debug3("%s: GOT new keys", __func__); @@ -1356,7 +1356,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c } -@@ -2216,3 +2312,86 @@ mm_answer_gss_updatecreds(int socket, Bu +@@ -2213,3 +2309,86 @@ mm_answer_gss_updatecreds(int socket, Bu #endif /* GSSAPI */ @@ -1443,9 +1443,9 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c + return 0; +} +#endif /* SSH_AUDIT_EVENTS */ -diff -up openssh-7.0p1/monitor.h.audit openssh-7.0p1/monitor.h ---- openssh-7.0p1/monitor.h.audit 2015-08-12 11:33:00.378914339 +0200 -+++ openssh-7.0p1/monitor.h 2015-08-12 11:33:00.414914283 +0200 +diff -up openssh-7.2p1/monitor.h.audit openssh-7.2p1/monitor.h +--- openssh-7.2p1/monitor.h.audit 2016-02-12 18:24:34.177825194 +0100 ++++ openssh-7.2p1/monitor.h 2016-02-12 18:24:34.224825176 +0100 @@ -69,7 +69,13 @@ enum monitor_reqtype { MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107, MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109, 
@@ -1461,9 +1461,9 @@ diff -up openssh-7.0p1/monitor.h.audit openssh-7.0p1/monitor.h }; -diff -up openssh-7.0p1/monitor_wrap.c.audit openssh-7.0p1/monitor_wrap.c ---- openssh-7.0p1/monitor_wrap.c.audit 2015-08-12 11:33:00.353914378 +0200 -+++ openssh-7.0p1/monitor_wrap.c 2015-08-12 11:33:00.414914283 +0200 +diff -up openssh-7.2p1/monitor_wrap.c.audit openssh-7.2p1/monitor_wrap.c +--- openssh-7.2p1/monitor_wrap.c.audit 2016-02-12 18:24:34.151825204 +0100 ++++ openssh-7.2p1/monitor_wrap.c 2016-02-12 18:24:34.224825176 +0100 @@ -462,7 +462,7 @@ mm_key_allowed(enum mm_keytype type, cha */ @@ -1611,9 +1611,9 @@ diff -up openssh-7.0p1/monitor_wrap.c.audit openssh-7.0p1/monitor_wrap.c + buffer_free(&m); +} +#endif /* SSH_AUDIT_EVENTS */ -diff -up openssh-7.0p1/monitor_wrap.h.audit openssh-7.0p1/monitor_wrap.h ---- openssh-7.0p1/monitor_wrap.h.audit 2015-08-12 11:33:00.353914378 +0200 -+++ openssh-7.0p1/monitor_wrap.h 2015-08-12 11:33:00.415914281 +0200 +diff -up openssh-7.2p1/monitor_wrap.h.audit openssh-7.2p1/monitor_wrap.h +--- openssh-7.2p1/monitor_wrap.h.audit 2016-02-12 18:24:34.152825204 +0100 ++++ openssh-7.2p1/monitor_wrap.h 2016-02-12 18:24:34.224825176 +0100 @@ -52,7 +52,8 @@ int mm_key_allowed(enum mm_keytype, char int mm_user_key_allowed(struct passwd *, Key *, int); int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *); @@ -1638,9 +1638,9 @@ diff -up openssh-7.0p1/monitor_wrap.h.audit openssh-7.0p1/monitor_wrap.h #endif struct Session; -diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c ---- openssh-7.0p1/packet.c.audit 2015-08-12 11:33:00.288914479 +0200 -+++ openssh-7.0p1/packet.c 2015-08-12 11:33:00.415914281 +0200 +diff -up openssh-7.2p1/packet.c.audit openssh-7.2p1/packet.c +--- openssh-7.2p1/packet.c.audit 2016-02-12 18:24:34.095825226 +0100 ++++ openssh-7.2p1/packet.c 2016-02-12 18:43:47.268638489 +0100 @@ -67,6 +67,7 @@ #include "key.h" /* typedefs XXX */ 
@@ -1649,7 +1649,7 @@ diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c #include "crc32.h" #include "deattack.h" #include "compat.h" -@@ -449,6 +450,13 @@ ssh_packet_get_connection_out(struct ssh +@@ -456,6 +457,13 @@ ssh_packet_get_connection_out(struct ssh return ssh->state->connection_out; } @@ -1663,7 +1663,7 @@ diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c /* * Returns the IP-address of the remote host as a string. The returned * string must not be freed. -@@ -479,13 +487,6 @@ ssh_packet_close(struct ssh *ssh) +@@ -500,13 +508,6 @@ ssh_packet_close(struct ssh *ssh) if (!state->initialized) return; state->initialized = 0; @@ -1677,7 +1677,7 @@ diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c sshbuf_free(state->input); sshbuf_free(state->output); sshbuf_free(state->outgoing_packet); -@@ -517,14 +518,24 @@ ssh_packet_close(struct ssh *ssh) +@@ -538,12 +539,22 @@ ssh_packet_close(struct ssh *ssh) inflateEnd(stream); } } @@ -1692,10 +1692,8 @@ diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c + error("%s: cipher_cleanup failed: %s", __func__, ssh_err(r)); + audit_session_key_free(2); + } - if (ssh->remote_ipaddr) { - free(ssh->remote_ipaddr); - ssh->remote_ipaddr = NULL; - } + free(ssh->remote_ipaddr); + ssh->remote_ipaddr = NULL; + if (state->connection_in == state->connection_out) { + shutdown(state->connection_out, SHUT_RDWR); + close(state->connection_out); 
@@ -1706,15 +1704,15 @@ diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c free(ssh->state); ssh->state = NULL; } -@@ -944,6 +955,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod - } - if (state->newkeys[mode] != NULL) { - debug("set_newkeys: rekeying"); +@@ -968,6 +979,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod + (unsigned long long)state->p_read.blocks, + (unsigned long long)state->p_send.bytes, + (unsigned long long)state->p_send.blocks); + audit_session_key_free(mode); if ((r = cipher_cleanup(cc)) != 0) return r; enc = &state->newkeys[mode]->enc; -@@ -2292,6 +2304,75 @@ ssh_packet_get_output(struct ssh *ssh) +@@ -2408,6 +2420,75 @@ ssh_packet_get_output(struct ssh *ssh) return (void *)ssh->state->output; } 
@@ -1787,55 +1785,13 @@ diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c + } +} + - /* XXX TODO update roaming to new API (does not work anyway) */ - /* - * Save the state for the real connection, and use a separate state when -@@ -2301,18 +2382,12 @@ void - ssh_packet_backup_state(struct ssh *ssh, - struct ssh *backup_state) - { -- struct ssh *tmp; -- - close(ssh->state->connection_in); - ssh->state->connection_in = -1; - close(ssh->state->connection_out); - ssh->state->connection_out = -1; -- if (backup_state) -- tmp = backup_state; -- else -- tmp = ssh_alloc_session_state(); - backup_state = ssh; -- ssh = tmp; -+ ssh = ssh_alloc_session_state(); - } - - /* XXX FIXME FIXME FIXME */ -@@ -2331,9 +2406,7 @@ ssh_packet_restore_state(struct ssh *ssh - backup_state = ssh; - ssh = tmp; - ssh->state->connection_in = backup_state->state->connection_in; -- backup_state->state->connection_in = -1; - ssh->state->connection_out = backup_state->state->connection_out; -- backup_state->state->connection_out = -1; - len = sshbuf_len(backup_state->state->input); - if (len > 0) { - if ((r = sshbuf_putb(ssh->state->input, -@@ -2342,6 +2415,11 @@ ssh_packet_restore_state(struct ssh *ssh - sshbuf_reset(backup_state->state->input); - add_recv_bytes(len); - } -+ backup_state->state->connection_in = -1; -+ backup_state->state->connection_out = -1; -+ packet_destroy_state(backup_state->state); -+ free(backup_state); -+ backup_state = NULL; - } - /* Reset after_authentication and reset compression in post-auth privsep */ -diff -up openssh-7.0p1/packet.h.audit openssh-7.0p1/packet.h ---- openssh-7.0p1/packet.h.audit 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/packet.h 2015-08-12 11:33:00.415914281 +0200 -@@ -189,7 +189,7 @@ int sshpkt_get_end(struct ssh *ssh); + static int + ssh_packet_set_postauth(struct ssh *ssh) +diff -up openssh-7.2p1/packet.h.audit openssh-7.2p1/packet.h +--- openssh-7.2p1/packet.h.audit 2016-02-12 11:47:25.000000000 +0100 ++++ 
openssh-7.2p1/packet.h 2016-02-12 18:24:34.226825175 +0100 +@@ -186,7 +186,7 @@ int sshpkt_get_end(struct ssh *ssh); const u_char *sshpkt_ptr(struct ssh *, size_t *lenp); /* OLD API */ @@ -1844,16 +1800,16 @@ diff -up openssh-7.0p1/packet.h.audit openssh-7.0p1/packet.h #include "opacket.h" #if !defined(WITH_OPENSSL) -@@ -203,4 +203,5 @@ extern struct ssh *active_state; +@@ -200,4 +200,5 @@ extern struct ssh *active_state; # undef EC_POINT #endif +void packet_destroy_all(int, int); #endif /* PACKET_H */ -diff -up openssh-7.0p1/sandbox-seccomp-filter.c.audit openssh-7.0p1/sandbox-seccomp-filter.c ---- openssh-7.0p1/sandbox-seccomp-filter.c.audit 2015-08-12 11:33:00.394914314 +0200 -+++ openssh-7.0p1/sandbox-seccomp-filter.c 2015-08-12 11:33:00.415914281 +0200 -@@ -150,6 +150,12 @@ static const struct sock_filter preauth_ +diff -up openssh-7.2p1/sandbox-seccomp-filter.c.audit openssh-7.2p1/sandbox-seccomp-filter.c +--- openssh-7.2p1/sandbox-seccomp-filter.c.audit 2016-02-12 18:24:34.193825188 +0100 ++++ openssh-7.2p1/sandbox-seccomp-filter.c 2016-02-12 18:24:34.226825175 +0100 +@@ -153,6 +153,12 @@ static const struct sock_filter preauth_ #ifdef __NR_gettimeofday SC_ALLOW(gettimeofday), #endif @@ -1866,9 +1822,9 @@ diff -up openssh-7.0p1/sandbox-seccomp-filter.c.audit openssh-7.0p1/sandbox-secc #ifdef __NR_madvise SC_ALLOW(madvise), #endif -diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c ---- openssh-7.0p1/session.c.audit 2015-08-12 11:33:00.379914337 +0200 -+++ openssh-7.0p1/session.c 2015-08-12 11:33:00.416914280 +0200 +diff -up openssh-7.2p1/session.c.audit openssh-7.2p1/session.c +--- openssh-7.2p1/session.c.audit 2016-02-12 18:24:34.177825194 +0100 ++++ openssh-7.2p1/session.c 2016-02-12 18:24:34.226825175 +0100 @@ -139,7 +139,7 @@ extern int log_stderr; extern int debug_flag; extern u_int utmp_len; @@ -1894,7 +1850,7 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c s->ptymaster = ptymaster; packet_set_interactive(1, 
@@ -853,15 +861,19 @@ do_exec(Session *s, const char *command) - get_remote_port()); + s->self); #ifdef SSH_AUDIT_EVENTS + if (s->command != NULL || s->command_handle != -1) @@ -1915,7 +1871,7 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c #endif if (s->ttyfd != -1) ret = do_exec_pty(s, command); -@@ -1704,7 +1716,10 @@ do_child(Session *s, const char *command +@@ -1695,7 +1707,10 @@ do_child(Session *s, const char *command int r = 0; /* remove hostkey from the child's memory */ @@ -1927,7 +1883,7 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c /* Force a password change */ if (s->authctxt->force_pwchange) { -@@ -1934,6 +1949,7 @@ session_unused(int id) +@@ -1925,6 +1940,7 @@ session_unused(int id) sessions[id].ttyfd = -1; sessions[id].ptymaster = -1; sessions[id].x11_chanids = NULL; @@ -1935,7 +1891,7 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c sessions[id].next_unused = sessions_first_unused; sessions_first_unused = id; } -@@ -2016,6 +2032,19 @@ session_open(Authctxt *authctxt, int cha +@@ -2007,6 +2023,19 @@ session_open(Authctxt *authctxt, int cha } Session * @@ -1955,7 +1911,7 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c session_by_tty(char *tty) { int i; -@@ -2532,6 +2561,32 @@ session_exit_message(Session *s, int sta +@@ -2523,6 +2552,32 @@ session_exit_message(Session *s, int sta chan_write_failed(c); } @@ -1988,8 +1944,8 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c void session_close(Session *s) { -@@ -2540,6 +2595,10 @@ session_close(Session *s) - debug("session_close: session %d pid %ld", s->self, (long)s->pid); +@@ -2531,6 +2586,10 @@ session_close(Session *s) + if (s->ttyfd != -1) session_pty_cleanup(s); +#ifdef SSH_AUDIT_EVENTS 
@@ -1999,7 +1955,7 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c free(s->term); free(s->display); free(s->x11_chanids); -@@ -2754,6 +2813,15 @@ do_authenticated2(Authctxt *authctxt) +@@ -2745,6 +2804,15 @@ do_authenticated2(Authctxt *authctxt) server_loop2(authctxt); } @@ -2015,16 +1971,16 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c void do_cleanup(Authctxt *authctxt) { -@@ -2802,5 +2870,5 @@ do_cleanup(Authctxt *authctxt) +@@ -2793,5 +2861,5 @@ do_cleanup(Authctxt *authctxt) * or if running in monitor. */ if (!use_privsep || mm_is_monitor()) - session_destroy_all(session_pty_cleanup2); + session_destroy_all(do_cleanup_one_session); } -diff -up openssh-7.0p1/session.h.audit openssh-7.0p1/session.h ---- openssh-7.0p1/session.h.audit 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/session.h 2015-08-12 11:33:00.416914280 +0200 +diff -up openssh-7.2p1/session.h.audit openssh-7.2p1/session.h +--- openssh-7.2p1/session.h.audit 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/session.h 2016-02-12 18:24:34.226825175 +0100 @@ -61,6 +61,12 @@ struct Session { char *name; char *val; 
@@ -2049,18 +2005,18 @@ diff -up openssh-7.0p1/session.h.audit openssh-7.0p1/session.h Session *session_by_tty(char *); void session_close(Session *); void do_setusercontext(struct passwd *); -diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c ---- openssh-7.0p1/sshd.c.audit 2015-08-12 11:33:00.388914323 +0200 -+++ openssh-7.0p1/sshd.c 2015-08-12 11:33:00.417914278 +0200 -@@ -122,6 +122,7 @@ +diff -up openssh-7.2p1/sshd.c.audit openssh-7.2p1/sshd.c +--- openssh-7.2p1/sshd.c.audit 2016-02-12 18:24:34.189825190 +0100 ++++ openssh-7.2p1/sshd.c 2016-02-12 18:44:44.650639338 +0100 +@@ -121,6 +121,7 @@ + #include "ssh-gss.h" #endif #include "monitor_wrap.h" - #include "roaming.h" +#include "audit.h" #include "ssh-sandbox.h" #include "version.h" #include "ssherr.h" -@@ -261,7 +262,7 @@ Buffer loginmsg; +@@ -260,7 +261,7 @@ Buffer loginmsg; struct passwd *privsep_pw = NULL; /* Prototypes for various functions defined later in this file. */ @@ -2069,7 +2025,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c void demote_sensitive_data(void); #ifdef WITH_SSH1 -@@ -282,6 +283,15 @@ close_listen_socks(void) +@@ -281,6 +282,15 @@ close_listen_socks(void) num_listen_socks = -1; } @@ -2085,7 +2041,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c static void close_startup_pipes(void) { -@@ -561,22 +571,45 @@ sshd_exchange_identification(int sock_in +@@ -560,22 +570,45 @@ sshd_exchange_identification(int sock_in } } @@ -2134,7 +2090,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c key_free(sensitive_data.host_certificates[i]); sensitive_data.host_certificates[i] = NULL; } -@@ -590,6 +623,8 @@ void +@@ -589,6 +622,8 @@ void demote_sensitive_data(void) { Key *tmp; @@ -2143,7 +2099,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c int i; if (sensitive_data.server_key) { -@@ -598,13 +633,25 @@ demote_sensitive_data(void) +@@ -597,13 +632,25 @@ demote_sensitive_data(void) sensitive_data.server_key = tmp; } 
@@ -2169,7 +2125,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c } /* Certs do not need demotion */ } -@@ -676,7 +723,7 @@ privsep_preauth(Authctxt *authctxt) +@@ -675,7 +722,7 @@ privsep_preauth(Authctxt *authctxt) if (use_privsep == PRIVSEP_ON) box = ssh_sandbox_init(pmonitor); @@ -2191,7 +2147,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c monitor_child_postauth(pmonitor); /* NEVERREACHED */ -@@ -1292,6 +1345,7 @@ server_accept_loop(int *sock_in, int *so +@@ -1293,6 +1346,7 @@ server_accept_loop(int *sock_in, int *so if (received_sigterm) { logit("Received signal %d; terminating.", (int) received_sigterm); @@ -2199,7 +2155,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c close_listen_socks(); if (options.pid_file != NULL) unlink(options.pid_file); -@@ -2255,6 +2309,7 @@ main(int ac, char **av) +@@ -2256,6 +2310,7 @@ main(int ac, char **av) */ if (use_privsep) { mm_send_keystate(pmonitor); @@ -2207,7 +2163,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c exit(0); } -@@ -2300,7 +2355,7 @@ main(int ac, char **av) +@@ -2301,7 +2356,7 @@ main(int ac, char **av) privsep_postauth(authctxt); /* the monitor process [priv] will not return */ if (!compat20) @@ -2216,7 +2172,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c } packet_set_timeout(options.client_alive_interval, -@@ -2314,6 +2369,9 @@ main(int ac, char **av) +@@ -2315,6 +2370,9 @@ main(int ac, char **av) do_authenticated(authctxt); /* The connection has been terminated. */ @@ -2226,7 +2182,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c packet_get_bytes(&ibytes, &obytes); verbose("Transferred: sent %llu, received %llu bytes", (unsigned long long)obytes, (unsigned long long)ibytes); -@@ -2474,6 +2532,10 @@ do_ssh1_kex(void) +@@ -2475,6 +2533,10 @@ do_ssh1_kex(void) if (cookie[i] != packet_get_char()) packet_disconnect("IP Spoofing check bytes do not match."); 
@@ -2237,7 +2193,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c debug("Encryption type: %.200s", cipher_name(cipher_type)); /* Get the encrypted integer. */ -@@ -2533,7 +2595,7 @@ do_ssh1_kex(void) +@@ -2534,7 +2596,7 @@ do_ssh1_kex(void) } /* Destroy the private and public keys. No longer. */ @@ -2246,7 +2202,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c if (use_privsep) mm_ssh1_session_id(session_id); -@@ -2705,6 +2767,16 @@ do_ssh2_kex(void) +@@ -2708,6 +2770,16 @@ do_ssh2_kex(void) void cleanup_exit(int i) { @@ -2263,7 +2219,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c if (the_authctxt) { do_cleanup(the_authctxt); if (use_privsep && privsep_is_preauth && -@@ -2716,9 +2788,14 @@ cleanup_exit(int i) +@@ -2719,9 +2791,14 @@ cleanup_exit(int i) pmonitor->m_pid, strerror(errno)); } } @@ -2279,10 +2235,10 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c audit_event(SSH_CONNECTION_ABANDON); #endif _exit(i); -diff -up openssh-7.0p1/sshkey.c.audit openssh-7.0p1/sshkey.c ---- openssh-7.0p1/sshkey.c.audit 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/sshkey.c 2015-08-12 11:33:00.417914278 +0200 -@@ -299,6 +299,33 @@ sshkey_type_is_valid_ca(int type) +diff -up openssh-7.2p1/sshkey.c.audit openssh-7.2p1/sshkey.c +--- openssh-7.2p1/sshkey.c.audit 2016-02-12 18:24:34.157825202 +0100 ++++ openssh-7.2p1/sshkey.c 2016-02-12 18:24:34.228825175 +0100 +@@ -303,6 +303,33 @@ sshkey_type_is_valid_ca(int type) } int 
@@ -2316,10 +2272,10 @@ diff -up openssh-7.0p1/sshkey.c.audit openssh-7.0p1/sshkey.c sshkey_is_cert(const struct sshkey *k) { if (k == NULL) -diff -up openssh-7.0p1/sshkey.h.audit openssh-7.0p1/sshkey.h ---- openssh-7.0p1/sshkey.h.audit 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/sshkey.h 2015-08-12 11:33:00.417914278 +0200 -@@ -132,6 +132,7 @@ u_int sshkey_size(const struct sshkey +diff -up openssh-7.2p1/sshkey.h.audit openssh-7.2p1/sshkey.h +--- openssh-7.2p1/sshkey.h.audit 2016-02-12 18:24:34.157825202 +0100 ++++ openssh-7.2p1/sshkey.h 2016-02-12 18:24:34.228825175 +0100 +@@ -133,6 +133,7 @@ u_int sshkey_size(const struct sshkey int sshkey_generate(int type, u_int bits, struct sshkey **keyp); int sshkey_from_private(const struct sshkey *, struct sshkey **); int sshkey_type_from_name(const char *); diff --git a/openssh-6.6p1-gsskex.patch b/openssh-7.2p1-gsskex.patch similarity index 88% rename from openssh-6.6p1-gsskex.patch rename to openssh-7.2p1-gsskex.patch index 2feb7b5..ab08b96 100644 --- a/openssh-6.6p1-gsskex.patch +++ b/openssh-7.2p1-gsskex.patch @@ -1,6 +1,6 @@ -diff -up openssh-7.0p1/auth2.c.gsskex openssh-7.0p1/auth2.c ---- openssh-7.0p1/auth2.c.gsskex 2015-08-12 11:15:43.625548999 +0200 -+++ openssh-7.0p1/auth2.c 2015-08-12 11:15:43.692548892 +0200 +diff -up openssh-7.2p1/auth2.c.gsskex openssh-7.2p1/auth2.c +--- openssh-7.2p1/auth2.c.gsskex 2016-02-19 10:01:04.829969345 +0100 ++++ openssh-7.2p1/auth2.c 2016-02-19 10:01:04.865969325 +0100 @@ -70,6 +70,7 @@ extern Authmethod method_passwd; extern Authmethod method_kbdint; extern Authmethod method_hostbased; 
@@ -17,9 +17,9 @@ diff -up openssh-7.0p1/auth2.c.gsskex openssh-7.0p1/auth2.c &method_gssapi, #endif &method_passwd, -diff -up openssh-7.0p1/auth2-gss.c.gsskex openssh-7.0p1/auth2-gss.c ---- openssh-7.0p1/auth2-gss.c.gsskex 2015-08-12 11:15:43.624549001 +0200 -+++ openssh-7.0p1/auth2-gss.c 2015-08-12 11:15:43.692548892 +0200 +diff -up openssh-7.2p1/auth2-gss.c.gsskex openssh-7.2p1/auth2-gss.c +--- openssh-7.2p1/auth2-gss.c.gsskex 2016-02-19 10:01:04.829969345 +0100 ++++ openssh-7.2p1/auth2-gss.c 2016-02-19 10:01:04.865969325 +0100 @@ -31,6 +31,7 @@ #include @@ -102,10 +102,21 @@ diff -up openssh-7.0p1/auth2-gss.c.gsskex openssh-7.0p1/auth2-gss.c Authmethod method_gssapi = { "gssapi-with-mic", userauth_gssapi, -diff -up openssh-7.0p1/clientloop.c.gsskex openssh-7.0p1/clientloop.c ---- openssh-7.0p1/clientloop.c.gsskex 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/clientloop.c 2015-08-12 11:15:43.693548890 +0200 -@@ -115,6 +115,10 @@ +diff -up openssh-7.2p1/auth.c.gsskex openssh-7.2p1/auth.c +--- openssh-7.2p1/auth.c.gsskex 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/auth.c 2016-02-19 10:01:04.866969324 +0100 +@@ -354,6 +354,7 @@ auth_root_allowed(const char *method) + case PERMIT_NO_PASSWD: + if (strcmp(method, "publickey") == 0 || + strcmp(method, "hostbased") == 0 || ++ strcmp(method, "gssapi-keyex") == 0 || + strcmp(method, "gssapi-with-mic") == 0) + return 1; + break; +diff -up openssh-7.2p1/clientloop.c.gsskex openssh-7.2p1/clientloop.c +--- openssh-7.2p1/clientloop.c.gsskex 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/clientloop.c 2016-02-19 10:01:04.866969324 +0100 +@@ -114,6 +114,10 @@ #include "ssherr.h" #include "hostfile.h" 
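Review bot: The new `auth.c` section (inner hunk `@@ -354,6 +354,7 @@ auth_root_allowed`) adds `strcmp(method, "gssapi-keyex") == 0 ||` to the `PERMIT_NO_PASSWD` case, which widens what `PermitRootLogin prohibit-password` accepts for root, but nothing in this commit documents that policy change. The gsskex patch should carry a matching `sshd_config.5` change listing gssapi-keyex next to the other non-password methods, plus a short comment above the new line, e.g. `/* gssapi-keyex authenticates through the GSSAPI key exchange, never a password */`, so the next rebase keeps the intent. Placing it beside `gssapi-with-mic` is consistent with the existing ordering. The rest of `auth_root_allowed` lies outside this hunk.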
@@ -116,11 +127,14 @@ diff -up openssh-7.0p1/clientloop.c.gsskex openssh-7.0p1/clientloop.c /* import options */ extern Options options; -@@ -1610,6 +1614,15 @@ client_loop(int have_pty, int escape_cha +@@ -1662,9 +1666,18 @@ client_loop(int have_pty, int escape_cha + break; + /* Do channel operations unless rekeying in progress. */ - if (!rekeying) { +- if (!ssh_packet_is_rekeying(active_state)) ++ if (!ssh_packet_is_rekeying(active_state)) { channel_after_select(readset, writeset); -+ + +#ifdef GSSAPI + if (options.gss_renewal_rekey && + ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)) { @@ -128,14 +142,15 @@ diff -up openssh-7.0p1/clientloop.c.gsskex openssh-7.0p1/clientloop.c + need_rekeying = 1; + } +#endif ++ } + - if (need_rekeying || packet_need_rekeying()) { - debug("need rekeying"); - active_state->kex->done = 0; -diff -up openssh-7.0p1/configure.ac.gsskex openssh-7.0p1/configure.ac ---- openssh-7.0p1/configure.ac.gsskex 2015-08-12 11:15:43.675548919 +0200 -+++ openssh-7.0p1/configure.ac 2015-08-12 11:15:43.694548889 +0200 -@@ -625,6 +625,30 @@ main() { if (NSVersionOfRunTimeLibrary(" + /* Buffer input from the connection. */ + client_process_net_input(readset); + +diff -up openssh-7.2p1/configure.ac.gsskex openssh-7.2p1/configure.ac +--- openssh-7.2p1/configure.ac.gsskex 2016-02-19 10:01:04.857969329 +0100 ++++ openssh-7.2p1/configure.ac 2016-02-19 10:01:04.867969323 +0100 +@@ -632,6 +632,30 @@ main() { if (NSVersionOfRunTimeLibrary(" [Use tunnel device compatibility to OpenBSD]) AC_DEFINE([SSH_TUN_PREPEND_AF], [1], [Prepend the address family to IP tunnel traffic]) 
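Review bot: In the rebased `client_loop` hunk (`@@ -1662,9 +1666,18 @@`) the GSSAPI credential check still only sets `need_rekeying = 1;`, but the new context no longer shows the `if (need_rekeying || packet_need_rekeying())` block that the 7.0p1 version of this hunk sat directly above — it now continues with `client_process_net_input(readset)` instead. Whether that flag is still consumed by `client_loop` in 7.2p1 cannot be seen from here; if rekey scheduling moved elsewhere in this release, a renewed credential would never trigger a KEXINIT and `options.gss_renewal_rekey` would become a silent no-op. Worth verifying against the 7.2p1 `client_loop` body (outside this hunk) and adding a comment at the assignment, e.g. `/* acted on by the rekey check later in this loop */`, naming where the flag is consumed. The added braces keep the `#ifdef GSSAPI` block inside the not-rekeying branch, which looks right given the "unless rekeying in progress" comment above it.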
@@ -166,9 +181,9 @@ diff -up openssh-7.0p1/configure.ac.gsskex openssh-7.0p1/configure.ac m4_pattern_allow([AU_IPv]) AC_CHECK_DECL([AU_IPv4], [], AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) -diff -up openssh-7.0p1/gss-genr.c.gsskex openssh-7.0p1/gss-genr.c ---- openssh-7.0p1/gss-genr.c.gsskex 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/gss-genr.c 2015-08-12 11:15:43.694548889 +0200 +diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c +--- openssh-7.2p1/gss-genr.c.gsskex 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/gss-genr.c 2016-02-19 10:01:04.867969323 +0100 @@ -41,12 +41,167 @@ #include "buffer.h" #include "log.h" @@ -506,9 +521,9 @@ diff -up openssh-7.0p1/gss-genr.c.gsskex openssh-7.0p1/gss-genr.c +} + #endif /* GSSAPI */ -diff -up openssh-7.0p1/gss-serv.c.gsskex openssh-7.0p1/gss-serv.c ---- openssh-7.0p1/gss-serv.c.gsskex 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/gss-serv.c 2015-08-12 11:15:43.694548889 +0200 +diff -up openssh-7.2p1/gss-serv.c.gsskex openssh-7.2p1/gss-serv.c +--- openssh-7.2p1/gss-serv.c.gsskex 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/gss-serv.c 2016-02-19 10:01:04.867969323 +0100 @@ -45,17 +45,19 @@ #include "session.h" #include "misc.h" @@ -791,9 +806,9 @@ diff -up openssh-7.0p1/gss-serv.c.gsskex openssh-7.0p1/gss-serv.c } #endif -diff -up openssh-7.0p1/gss-serv-krb5.c.gsskex openssh-7.0p1/gss-serv-krb5.c ---- openssh-7.0p1/gss-serv-krb5.c.gsskex 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/gss-serv-krb5.c 2015-08-12 11:15:43.694548889 +0200 +diff -up openssh-7.2p1/gss-serv-krb5.c.gsskex openssh-7.2p1/gss-serv-krb5.c +--- openssh-7.2p1/gss-serv-krb5.c.gsskex 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/gss-serv-krb5.c 2016-02-19 10:01:04.867969323 +0100 @@ -121,7 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl krb5_error_code problem; krb5_principal princ; 
@@ -921,10 +936,10 @@ diff -up openssh-7.0p1/gss-serv-krb5.c.gsskex openssh-7.0p1/gss-serv-krb5.c }; #endif /* KRB5 */ -diff -up openssh-7.0p1/kex.c.gsskex openssh-7.0p1/kex.c ---- openssh-7.0p1/kex.c.gsskex 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/kex.c 2015-08-12 11:15:43.695548887 +0200 -@@ -55,6 +55,10 @@ +diff -up openssh-7.2p1/kex.c.gsskex openssh-7.2p1/kex.c +--- openssh-7.2p1/kex.c.gsskex 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/kex.c 2016-02-19 10:01:04.868969323 +0100 +@@ -54,6 +54,10 @@ #include "sshbuf.h" #include "digest.h" @@ -935,7 +950,7 @@ diff -up openssh-7.0p1/kex.c.gsskex openssh-7.0p1/kex.c #if OPENSSL_VERSION_NUMBER >= 0x00907000L # if defined(HAVE_EVP_SHA256) # define evp_ssh_sha256 EVP_sha256 -@@ -95,6 +99,11 @@ static const struct kexalg kexalgs[] = { +@@ -107,6 +111,11 @@ static const struct kexalg kexalgs[] = { #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL) { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ @@ -947,7 +962,7 @@ diff -up openssh-7.0p1/kex.c.gsskex openssh-7.0p1/kex.c { NULL, -1, -1, -1}, }; -@@ -128,6 +137,12 @@ kex_alg_by_name(const char *name) +@@ -140,6 +149,12 @@ kex_alg_by_name(const char *name) for (k = kexalgs; k->name != NULL; k++) { if (strcmp(k->name, name) == 0) return k; @@ -960,9 +975,9 @@ diff -up openssh-7.0p1/kex.c.gsskex openssh-7.0p1/kex.c } return NULL; } -diff -up openssh-7.0p1/kexgssc.c.gsskex openssh-7.0p1/kexgssc.c ---- openssh-7.0p1/kexgssc.c.gsskex 2015-08-12 11:15:43.695548887 +0200 -+++ openssh-7.0p1/kexgssc.c 2015-08-12 11:15:43.695548887 +0200 +diff -up openssh-7.2p1/kexgssc.c.gsskex openssh-7.2p1/kexgssc.c +--- openssh-7.2p1/kexgssc.c.gsskex 2016-02-19 10:01:04.868969323 +0100 ++++ openssh-7.2p1/kexgssc.c 2016-02-19 10:01:04.868969323 +0100 @@ -0,0 +1,338 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 
@@ -1302,9 +1317,9 @@ diff -up openssh-7.0p1/kexgssc.c.gsskex openssh-7.0p1/kexgssc.c +} + +#endif /* GSSAPI */ -diff -up openssh-7.0p1/kexgsss.c.gsskex openssh-7.0p1/kexgsss.c ---- openssh-7.0p1/kexgsss.c.gsskex 2015-08-12 11:15:43.695548887 +0200 -+++ openssh-7.0p1/kexgsss.c 2015-08-12 11:15:43.695548887 +0200 +diff -up openssh-7.2p1/kexgsss.c.gsskex openssh-7.2p1/kexgsss.c +--- openssh-7.2p1/kexgsss.c.gsskex 2016-02-19 10:01:04.868969323 +0100 ++++ openssh-7.2p1/kexgsss.c 2016-02-19 10:01:04.868969323 +0100 @@ -0,0 +1,295 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -1601,10 +1616,10 @@ diff -up openssh-7.0p1/kexgsss.c.gsskex openssh-7.0p1/kexgsss.c + return 0; +} +#endif /* GSSAPI */ -diff -up openssh-7.0p1/kex.h.gsskex openssh-7.0p1/kex.h ---- openssh-7.0p1/kex.h.gsskex 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/kex.h 2015-08-12 11:17:44.694354889 +0200 -@@ -93,6 +93,11 @@ enum kex_exchange { +diff -up openssh-7.2p1/kex.h.gsskex openssh-7.2p1/kex.h +--- openssh-7.2p1/kex.h.gsskex 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/kex.h 2016-02-19 10:01:04.868969323 +0100 +@@ -92,6 +92,11 @@ enum kex_exchange { KEX_DH_GEX_SHA256, KEX_ECDH_SHA2, KEX_C25519_SHA256, @@ -1616,7 +1631,7 @@ diff -up openssh-7.0p1/kex.h.gsskex openssh-7.0p1/kex.h KEX_MAX }; -@@ -139,6 +144,12 @@ struct kex { +@@ -140,6 +145,12 @@ struct kex { u_int flags; int hash_alg; int ec_nid; @@ -1629,7 +1644,7 @@ diff -up openssh-7.0p1/kex.h.gsskex openssh-7.0p1/kex.h char *client_version_string; char *server_version_string; char *failed_choice; -@@ -186,6 +197,10 @@ int kexecdh_client(struct ssh *); +@@ -189,6 +200,10 @@ int kexecdh_client(struct ssh *); int kexecdh_server(struct ssh *); int kexc25519_client(struct ssh *); int kexc25519_server(struct ssh *); 
@@ -1640,9 +1655,9 @@ diff -up openssh-7.0p1/kex.h.gsskex openssh-7.0p1/kex.h int kex_dh_hash(const char *, const char *, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, -diff -up openssh-7.0p1/Makefile.in.gsskex openssh-7.0p1/Makefile.in ---- openssh-7.0p1/Makefile.in.gsskex 2015-08-12 11:15:43.686548901 +0200 -+++ openssh-7.0p1/Makefile.in 2015-08-12 11:15:43.695548887 +0200 +diff -up openssh-7.2p1/Makefile.in.gsskex openssh-7.2p1/Makefile.in +--- openssh-7.2p1/Makefile.in.gsskex 2016-02-19 10:01:04.864969325 +0100 ++++ openssh-7.2p1/Makefile.in 2016-02-19 10:01:04.868969323 +0100 @@ -90,6 +90,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \ atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \ @@ -1659,11 +1674,11 @@ diff -up openssh-7.0p1/Makefile.in.gsskex openssh-7.0p1/Makefile.in + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ sftp-server.o sftp-common.o \ - roaming_common.o roaming_serv.o \ -diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c ---- openssh-7.0p1/monitor.c.gsskex 2015-08-12 11:15:43.626548998 +0200 -+++ openssh-7.0p1/monitor.c 2015-08-12 11:15:43.696548885 +0200 -@@ -160,6 +160,8 @@ int mm_answer_gss_setup_ctx(int, Buffer + sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ +diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c +--- openssh-7.2p1/monitor.c.gsskex 2016-02-19 10:01:04.830969345 +0100 ++++ openssh-7.2p1/monitor.c 2016-02-19 10:01:04.869969322 +0100 +@@ -159,6 +159,8 @@ int mm_answer_gss_setup_ctx(int, Buffer int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_checkmic(int, Buffer *); 
@@ -1672,7 +1687,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c #endif #ifdef SSH_AUDIT_EVENTS -@@ -240,11 +242,18 @@ struct mon_table mon_dispatch_proto20[] +@@ -239,11 +241,18 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, @@ -1691,7 +1706,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c #ifdef WITH_OPENSSL {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, #endif -@@ -359,6 +368,10 @@ monitor_child_preauth(Authctxt *_authctx +@@ -358,6 +367,10 @@ monitor_child_preauth(Authctxt *_authctx /* Permit requests for moduli and signatures */ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); @@ -1702,7 +1717,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c } else { mon_dispatch = mon_dispatch_proto15; -@@ -467,6 +480,10 @@ monitor_child_postauth(struct monitor *p +@@ -466,6 +479,10 @@ monitor_child_postauth(struct monitor *p monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); @@ -1713,7 +1728,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c } else { mon_dispatch = mon_dispatch_postauth15; monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); -@@ -1896,6 +1913,13 @@ monitor_apply_keystate(struct monitor *p +@@ -1893,6 +1910,13 @@ monitor_apply_keystate(struct monitor *p # endif #endif /* WITH_OPENSSL */ kex->kex[KEX_C25519_SHA256] = kexc25519_server; 
@@ -1727,7 +1742,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c kex->load_host_public_key=&get_hostkey_public_by_type; kex->load_host_private_key=&get_hostkey_private_by_type; kex->host_key_index=&get_hostkey_index; -@@ -1995,6 +2019,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer +@@ -1992,6 +2016,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer OM_uint32 major; u_int len; @@ -1737,7 +1752,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c goid.elements = buffer_get_string(m, &len); goid.length = len; -@@ -2022,6 +2049,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe +@@ -2019,6 +2046,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe OM_uint32 flags = 0; /* GSI needs this */ u_int len; @@ -1747,7 +1762,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c in.value = buffer_get_string(m, &len); in.length = len; major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); -@@ -2039,6 +2069,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe +@@ -2036,6 +2066,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); @@ -1755,7 +1770,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c } return (0); } -@@ -2050,6 +2081,9 @@ mm_answer_gss_checkmic(int sock, Buffer +@@ -2047,6 +2078,9 @@ mm_answer_gss_checkmic(int sock, Buffer OM_uint32 ret; u_int len; @@ -1765,7 +1780,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c gssbuf.value = buffer_get_string(m, &len); gssbuf.length = len; mic.value = buffer_get_string(m, &len); -@@ -2076,7 +2110,11 @@ mm_answer_gss_userok(int sock, Buffer *m +@@ -2073,7 +2107,11 @@ mm_answer_gss_userok(int sock, Buffer *m { int authenticated; 
@@ -1778,7 +1793,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c buffer_clear(m); buffer_put_int(m, authenticated); -@@ -2089,5 +2127,73 @@ mm_answer_gss_userok(int sock, Buffer *m +@@ -2086,5 +2124,73 @@ mm_answer_gss_userok(int sock, Buffer *m /* Monitor loop will terminate if authenticated */ return (authenticated); } @@ -1852,9 +1867,9 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c + #endif /* GSSAPI */ -diff -up openssh-7.0p1/monitor.h.gsskex openssh-7.0p1/monitor.h ---- openssh-7.0p1/monitor.h.gsskex 2015-08-12 11:15:43.626548998 +0200 -+++ openssh-7.0p1/monitor.h 2015-08-12 11:15:43.696548885 +0200 +diff -up openssh-7.2p1/monitor.h.gsskex openssh-7.2p1/monitor.h +--- openssh-7.2p1/monitor.h.gsskex 2016-02-19 10:01:04.830969345 +0100 ++++ openssh-7.2p1/monitor.h 2016-02-19 10:01:04.869969322 +0100 @@ -60,6 +60,8 @@ enum monitor_reqtype { #ifdef WITH_SELINUX MONITOR_REQ_AUTHROLE = 80, @@ -1864,9 +1879,9 @@ diff -up openssh-7.0p1/monitor.h.gsskex openssh-7.0p1/monitor.h MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, -diff -up openssh-7.0p1/monitor_wrap.c.gsskex openssh-7.0p1/monitor_wrap.c ---- openssh-7.0p1/monitor_wrap.c.gsskex 2015-08-12 11:15:43.626548998 +0200 -+++ openssh-7.0p1/monitor_wrap.c 2015-08-12 11:15:43.697548884 +0200 +diff -up openssh-7.2p1/monitor_wrap.c.gsskex openssh-7.2p1/monitor_wrap.c +--- openssh-7.2p1/monitor_wrap.c.gsskex 2016-02-19 10:01:04.830969345 +0100 ++++ openssh-7.2p1/monitor_wrap.c 2016-02-19 10:01:04.869969322 +0100 @@ -1087,7 +1087,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss } 
@@ -1927,9 +1942,9 @@ diff -up openssh-7.0p1/monitor_wrap.c.gsskex openssh-7.0p1/monitor_wrap.c + #endif /* GSSAPI */ -diff -up openssh-7.0p1/monitor_wrap.h.gsskex openssh-7.0p1/monitor_wrap.h ---- openssh-7.0p1/monitor_wrap.h.gsskex 2015-08-12 11:15:43.626548998 +0200 -+++ openssh-7.0p1/monitor_wrap.h 2015-08-12 11:15:43.697548884 +0200 +diff -up openssh-7.2p1/monitor_wrap.h.gsskex openssh-7.2p1/monitor_wrap.h +--- openssh-7.2p1/monitor_wrap.h.gsskex 2016-02-19 10:01:04.830969345 +0100 ++++ openssh-7.2p1/monitor_wrap.h 2016-02-19 10:01:04.869969322 +0100 @@ -61,8 +61,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, @@ -1942,10 +1957,10 @@ diff -up openssh-7.0p1/monitor_wrap.h.gsskex openssh-7.0p1/monitor_wrap.h #endif #ifdef USE_PAM -diff -up openssh-7.0p1/readconf.c.gsskex openssh-7.0p1/readconf.c ---- openssh-7.0p1/readconf.c.gsskex 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/readconf.c 2015-08-12 11:15:43.697548884 +0200 -@@ -147,6 +147,8 @@ typedef enum { +diff -up openssh-7.2p1/readconf.c.gsskex openssh-7.2p1/readconf.c +--- openssh-7.2p1/readconf.c.gsskex 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/readconf.c 2016-02-19 10:01:04.870969322 +0100 +@@ -148,6 +148,8 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, @@ -1954,7 +1969,7 @@ diff -up openssh-7.0p1/readconf.c.gsskex openssh-7.0p1/readconf.c oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, -@@ -192,10 +194,19 @@ static struct { +@@ -193,10 +195,19 @@ static struct { { "afstokenpassing", oUnsupported }, #if defined(GSSAPI) { "gssapiauthentication", oGssAuthentication }, 
@@ -1974,7 +1989,7 @@ diff -up openssh-7.0p1/readconf.c.gsskex openssh-7.0p1/readconf.c #endif { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, -@@ -894,10 +905,30 @@ parse_time: +@@ -926,10 +937,30 @@ parse_time: intptr = &options->gss_authentication; goto parse_flag; @@ -2005,7 +2020,7 @@ diff -up openssh-7.0p1/readconf.c.gsskex openssh-7.0p1/readconf.c case oBatchMode: intptr = &options->batch_mode; goto parse_flag; -@@ -1601,7 +1632,12 @@ initialize_options(Options * options) +@@ -1648,7 +1679,12 @@ initialize_options(Options * options) options->pubkey_authentication = -1; options->challenge_response_authentication = -1; options->gss_authentication = -1; @@ -2018,7 +2033,7 @@ diff -up openssh-7.0p1/readconf.c.gsskex openssh-7.0p1/readconf.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -1729,8 +1765,14 @@ fill_default_options(Options * options) +@@ -1777,8 +1813,14 @@ fill_default_options(Options * options) options->challenge_response_authentication = 1; if (options->gss_authentication == -1) options->gss_authentication = 0; @@ -2033,9 +2048,9 @@ diff -up openssh-7.0p1/readconf.c.gsskex openssh-7.0p1/readconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -diff -up openssh-7.0p1/readconf.h.gsskex openssh-7.0p1/readconf.h ---- openssh-7.0p1/readconf.h.gsskex 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/readconf.h 2015-08-12 11:15:43.697548884 +0200 +diff -up openssh-7.2p1/readconf.h.gsskex openssh-7.2p1/readconf.h +--- openssh-7.2p1/readconf.h.gsskex 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/readconf.h 2016-02-19 10:01:04.870969322 +0100 @@ -45,7 +45,12 @@ typedef struct { int challenge_response_authentication; /* Try S/Key or TIS, authentication. */ 
@@ -2049,9 +2064,9 @@ diff -up openssh-7.0p1/readconf.h.gsskex openssh-7.0p1/readconf.h int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -diff -up openssh-7.0p1/regress/cert-hostkey.sh.gsskex openssh-7.0p1/regress/cert-hostkey.sh ---- openssh-7.0p1/regress/cert-hostkey.sh.gsskex 2015-08-12 11:15:43.698548882 +0200 -+++ openssh-7.0p1/regress/cert-hostkey.sh 2015-08-12 11:16:52.511438554 +0200 +diff -up openssh-7.2p1/regress/cert-hostkey.sh.gsskex openssh-7.2p1/regress/cert-hostkey.sh +--- openssh-7.2p1/regress/cert-hostkey.sh.gsskex 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/regress/cert-hostkey.sh 2016-02-19 10:01:04.870969322 +0100 @@ -46,7 +46,7 @@ touch $OBJ/host_revoked_plain touch $OBJ/host_revoked_cert cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca @@ -2061,9 +2076,9 @@ diff -up openssh-7.0p1/regress/cert-hostkey.sh.gsskex openssh-7.0p1/regress/cert # Prepare certificate, plain key and CA KRLs ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed" -diff -up openssh-7.0p1/regress/cert-userkey.sh.gsskex openssh-7.0p1/regress/cert-userkey.sh ---- openssh-7.0p1/regress/cert-userkey.sh.gsskex 2015-08-12 11:15:43.698548882 +0200 -+++ openssh-7.0p1/regress/cert-userkey.sh 2015-08-12 11:20:30.110089677 +0200 +diff -up openssh-7.2p1/regress/cert-userkey.sh.gsskex openssh-7.2p1/regress/cert-userkey.sh +--- openssh-7.2p1/regress/cert-userkey.sh.gsskex 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/regress/cert-userkey.sh 2016-02-19 10:01:04.870969322 +0100 @@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak 
@@ -2073,9 +2088,9 @@ diff -up openssh-7.0p1/regress/cert-userkey.sh.gsskex openssh-7.0p1/regress/cert kname() { n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'` -diff -up openssh-7.0p1/regress/kextype.sh.gsskex openssh-7.0p1/regress/kextype.sh ---- openssh-7.0p1/regress/kextype.sh.gsskex 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/regress/kextype.sh 2015-08-12 11:15:43.698548882 +0200 +diff -up openssh-7.2p1/regress/kextype.sh.gsskex openssh-7.2p1/regress/kextype.sh +--- openssh-7.2p1/regress/kextype.sh.gsskex 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/regress/kextype.sh 2016-02-19 10:01:04.870969322 +0100 @@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh tries="1 2 3 4" @@ -2086,9 +2101,9 @@ diff -up openssh-7.0p1/regress/kextype.sh.gsskex openssh-7.0p1/regress/kextype.s verbose "kex $k" for i in $tries; do ${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true -diff -up openssh-7.0p1/regress/rekey.sh.gsskex openssh-7.0p1/regress/rekey.sh ---- openssh-7.0p1/regress/rekey.sh.gsskex 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/regress/rekey.sh 2015-08-12 11:15:43.698548882 +0200 +diff -up openssh-7.2p1/regress/rekey.sh.gsskex openssh-7.2p1/regress/rekey.sh +--- openssh-7.2p1/regress/rekey.sh.gsskex 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/regress/rekey.sh 2016-02-19 10:01:04.870969322 +0100 @@ -38,6 +38,9 @@ increase_datafile_size 300 opts="" 
@@ -2109,9 +2124,9 @@ diff -up openssh-7.0p1/regress/rekey.sh.gsskex openssh-7.0p1/regress/rekey.sh verbose "client rekey $c $kex" ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c done -diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c ---- openssh-7.0p1/servconf.c.gsskex 2015-08-12 11:15:43.676548918 +0200 -+++ openssh-7.0p1/servconf.c 2015-08-12 11:22:32.686893730 +0200 +diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c +--- openssh-7.2p1/servconf.c.gsskex 2016-02-19 10:01:04.857969329 +0100 ++++ openssh-7.2p1/servconf.c 2016-02-19 10:01:04.870969322 +0100 @@ -117,8 +117,10 @@ initialize_server_options(ServerOptions options->kerberos_ticket_cleanup = -1; options->kerberos_get_afs_token = -1; @@ -2123,7 +2138,7 @@ diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; -@@ -276,10 +278,14 @@ fill_default_server_options(ServerOption +@@ -288,10 +290,14 @@ fill_default_server_options(ServerOption options->kerberos_get_afs_token = 0; if (options->gss_authentication == -1) options->gss_authentication = 0; @@ -2138,7 +2153,7 @@ diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -415,7 +421,7 @@ typedef enum { +@@ -422,7 +428,7 @@ typedef enum { sHostKeyAlgorithms, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, 
@@ -2147,7 +2162,7 @@ diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, sHostCertificate, -@@ -489,11 +495,17 @@ static struct { +@@ -496,11 +502,17 @@ static struct { { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, @@ -2165,7 +2180,7 @@ diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, -@@ -1235,6 +1247,10 @@ process_server_config_line(ServerOptions +@@ -1246,6 +1258,10 @@ process_server_config_line(ServerOptions intptr = &options->gss_authentication; goto parse_flag; @@ -2176,7 +2191,7 @@ diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c case sGssCleanupCreds: intptr = &options->gss_cleanup_creds; goto parse_flag; -@@ -1243,6 +1259,10 @@ process_server_config_line(ServerOptions +@@ -1254,6 +1270,10 @@ process_server_config_line(ServerOptions intptr = &options->gss_strict_acceptor; goto parse_flag; @@ -2187,7 +2202,7 @@ diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; -@@ -2255,6 +2275,9 @@ dump_config(ServerOptions *o) +@@ -2274,6 +2294,9 @@ dump_config(ServerOptions *o) #ifdef GSSAPI dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); 
@@ -2197,9 +2212,9 @@ diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c #endif dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); dump_cfg_fmtint(sKbdInteractiveAuthentication, -diff -up openssh-7.0p1/servconf.h.gsskex openssh-7.0p1/servconf.h ---- openssh-7.0p1/servconf.h.gsskex 2015-08-12 11:15:43.676548918 +0200 -+++ openssh-7.0p1/servconf.h 2015-08-12 11:15:43.700548879 +0200 +diff -up openssh-7.2p1/servconf.h.gsskex openssh-7.2p1/servconf.h +--- openssh-7.2p1/servconf.h.gsskex 2016-02-19 10:01:04.857969329 +0100 ++++ openssh-7.2p1/servconf.h 2016-02-19 10:01:04.871969321 +0100 @@ -118,8 +118,10 @@ typedef struct { int kerberos_get_afs_token; /* If true, try to get AFS token if * authenticated with Kerberos. */ 
@@ -2211,19 +2226,18 @@ diff -up openssh-7.0p1/servconf.h.gsskex openssh-7.0p1/servconf.h int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ -diff -up openssh-7.0p1/ssh_config.5.gsskex openssh-7.0p1/ssh_config.5 ---- openssh-7.0p1/ssh_config.5.gsskex 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/ssh_config.5 2015-08-12 11:15:43.700548879 +0200 -@@ -749,11 +749,43 @@ Specifies whether user authentication ba +diff -up openssh-7.2p1/ssh_config.5.gsskex openssh-7.2p1/ssh_config.5 +--- openssh-7.2p1/ssh_config.5.gsskex 2016-02-19 10:01:04.871969321 +0100 ++++ openssh-7.2p1/ssh_config.5 2016-02-19 10:05:58.630146245 +0100 +@@ -824,10 +824,40 @@ The default is + Specifies whether user authentication based on GSSAPI is allowed. The default is .Dq no . - Note that this option applies to protocol version 2 only. +.It Cm GSSAPIKeyExchange +Specifies whether key exchange based on GSSAPI may be used. When using +GSSAPI key exchange the server need not have a host key. +The default is +.Dq no . -+Note that this option applies to protocol version 2 only. +.It Cm GSSAPIClientIdentity +If set, specifies the GSSAPI client identity that ssh should use when +connecting to the server. The default is unset, which means that the default @@ -2237,8 +2251,6 @@ diff -up openssh-7.0p1/ssh_config.5.gsskex openssh-7.0p1/ssh_config.5 Forward (delegate) credentials to the server. The default is .Dq no . --Note that this option applies to protocol version 2 only. -+Note that this option applies to protocol version 2 connections using GSSAPI. +.It Cm GSSAPIRenewalForcesRekey +If set to +.Dq yes 
@@ -2255,13 +2267,12 @@ diff -up openssh-7.0p1/ssh_config.5.gsskex openssh-7.0p1/ssh_config.5 +command line will be passed untouched to the GSSAPI library. +The default is +.Dq no . -+This option only applies to protocol version 2 connections using GSSAPI. .It Cm HashKnownHosts Indicates that .Xr ssh 1 -diff -up openssh-7.0p1/ssh_config.gsskex openssh-7.0p1/ssh_config ---- openssh-7.0p1/ssh_config.gsskex 2015-08-12 11:15:43.667548932 +0200 -+++ openssh-7.0p1/ssh_config 2015-08-12 11:15:43.700548879 +0200 +diff -up openssh-7.2p1/ssh_config.gsskex openssh-7.2p1/ssh_config +--- openssh-7.2p1/ssh_config.gsskex 2016-02-19 10:01:04.852969332 +0100 ++++ openssh-7.2p1/ssh_config 2016-02-19 10:01:04.871969321 +0100 @@ -26,6 +26,8 @@ # HostbasedAuthentication no # GSSAPIAuthentication no @@ -2271,10 +2282,10 @@ diff -up openssh-7.0p1/ssh_config.gsskex openssh-7.0p1/ssh_config # BatchMode no # CheckHostIP yes # AddressFamily any -diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c ---- openssh-7.0p1/sshconnect2.c.gsskex 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/sshconnect2.c 2015-08-12 11:25:12.486644393 +0200 -@@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *ho +diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c +--- openssh-7.2p1/sshconnect2.c.gsskex 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/sshconnect2.c 2016-02-19 10:01:04.872969321 +0100 +@@ -161,9 +161,34 @@ ssh_kex2(char *host, struct sockaddr *ho struct kex *kex; int r; 
@@ -2306,10 +2317,10 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c + } +#endif + - myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( - options.kex_algorithms); - myproposal[PROPOSAL_ENC_ALGS_CTOS] = -@@ -193,6 +218,17 @@ ssh_kex2(char *host, struct sockaddr *ho + if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) + fatal("%s: kex_names_cat", __func__); + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s); +@@ -195,6 +220,17 @@ ssh_kex2(char *host, struct sockaddr *ho order_hostkeyalgs(host, hostaddr, port)); } @@ -2327,7 +2338,7 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c if (options.rekey_limit || options.rekey_interval) packet_set_rekey_limits((u_int32_t)options.rekey_limit, (time_t)options.rekey_interval); -@@ -210,11 +246,31 @@ ssh_kex2(char *host, struct sockaddr *ho +@@ -212,11 +248,31 @@ ssh_kex2(char *host, struct sockaddr *ho kex->kex[KEX_ECDH_SHA2] = kexecdh_client; # endif #endif @@ -2358,8 +2369,8 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c + dispatch_run(DISPATCH_BLOCK, &kex->done, active_state); - if (options.use_roaming && !kex->roaming) { -@@ -306,6 +362,7 @@ int input_gssapi_token(int type, u_int32 + /* remove ext-info from the KEX proposals for rekeying */ +@@ -311,6 +367,7 @@ int input_gssapi_token(int type, u_int32 int input_gssapi_hash(int type, u_int32_t, void *); int input_gssapi_error(int, u_int32_t, void *); int input_gssapi_errtok(int, u_int32_t, void *); @@ -2367,7 +2378,7 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c #endif void userauth(Authctxt *, char *); -@@ -321,6 +378,11 @@ static char *authmethods_get(void); +@@ -326,6 +383,11 @@ static char *authmethods_get(void); Authmethod authmethods[] = { #ifdef GSSAPI 
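Review bot: The rebased context in ssh_kex2 now builds the initial proposal from `kex_names_cat(options.kex_algorithms, "ext-info-c")`, and the later hunk on this line replaces the roaming check with upstream's `/* remove ext-info from the KEX proposals for rekeying */` path, which as far as I recall of 7.2 rebuilds PROPOSAL_KEX_ALGS from `options.kex_algorithms` alone. The GSSAPI block preceding the first change ends with `+ } +#endif` inside the hunk but its body is not visible here, so please confirm it folds the gss-* names into `options.kex_algorithms` itself rather than into a local string; otherwise a rekey of a GSSAPI-keyex session would offer only the non-GSS methods, which would likely fail against a server that has no host key (the ssh_config.5 text in this same patch says the server need not have one). A comment at the end of that block such as `/* gss-* names are kept in options.kex_algorithms so the rekey proposal retains them */` would make the dependency explicit. ssh_kex2 starts before and ends after the hunk.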
@@ -2379,7 +2390,7 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c {"gssapi-with-mic", userauth_gssapi, NULL, -@@ -627,19 +689,31 @@ userauth_gssapi(Authctxt *authctxt) +@@ -656,19 +718,31 @@ userauth_gssapi(Authctxt *authctxt) static u_int mech = 0; OM_uint32 min; int ok = 0; @@ -2413,7 +2424,7 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c ok = 1; /* Mechanism works */ } else { mech++; -@@ -736,8 +810,8 @@ input_gssapi_response(int type, u_int32_ +@@ -765,8 +839,8 @@ input_gssapi_response(int type, u_int32_ { Authctxt *authctxt = ctxt; Gssctxt *gssctxt; @@ -2424,7 +2435,7 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c if (authctxt == NULL) fatal("input_gssapi_response: no authentication context"); -@@ -850,6 +924,48 @@ input_gssapi_error(int type, u_int32_t p +@@ -879,6 +953,48 @@ input_gssapi_error(int type, u_int32_t p free(lang); return 0; } @@ -2473,10 +2484,10 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c #endif /* GSSAPI */ int -diff -up openssh-7.0p1/sshd.c.gsskex openssh-7.0p1/sshd.c ---- openssh-7.0p1/sshd.c.gsskex 2015-08-12 11:15:43.679548913 +0200 -+++ openssh-7.0p1/sshd.c 2015-08-12 11:15:43.702548876 +0200 -@@ -1043,8 +1043,9 @@ notify_hostkeys(struct ssh *ssh) +diff -up openssh-7.2p1/sshd.c.gsskex openssh-7.2p1/sshd.c +--- openssh-7.2p1/sshd.c.gsskex 2016-02-19 10:01:04.860969328 +0100 ++++ openssh-7.2p1/sshd.c 2016-02-19 10:01:04.872969321 +0100 +@@ -974,8 +974,9 @@ notify_hostkeys(struct ssh *ssh) } debug3("%s: sent %d hostkeys", __func__, nkeys); if (nkeys == 0) @@ -2488,7 +2499,7 @@ diff -up openssh-7.0p1/sshd.c.gsskex openssh-7.0p1/sshd.c sshbuf_free(buf); } -@@ -1843,10 +1843,13 @@ main(int ac, char **av) +@@ -1845,10 +1846,13 @@ main(int ac, char **av) logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; } 
@@ -2502,7 +2513,7 @@ diff -up openssh-7.0p1/sshd.c.gsskex openssh-7.0p1/sshd.c if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { logit("sshd: no hostkeys available -- exiting."); exit(1); -@@ -2582,6 +2585,48 @@ do_ssh2_kex(void) +@@ -2586,6 +2590,48 @@ do_ssh2_kex(void) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( list_hostkey_types()); @@ -2551,7 +2562,7 @@ diff -up openssh-7.0p1/sshd.c.gsskex openssh-7.0p1/sshd.c /* start key exchange */ if ((r = kex_setup(active_state, myproposal)) != 0) fatal("kex_setup: %s", ssh_err(r)); -@@ -2596,6 +2641,13 @@ do_ssh2_kex(void) +@@ -2600,6 +2646,13 @@ do_ssh2_kex(void) # endif #endif kex->kex[KEX_C25519_SHA256] = kexc25519_server; 
@@ -2565,23 +2576,22 @@ diff -up openssh-7.0p1/sshd.c.gsskex openssh-7.0p1/sshd.c kex->server = 1; kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; -diff -up openssh-7.0p1/sshd_config.5.gsskex openssh-7.0p1/sshd_config.5 ---- openssh-7.0p1/sshd_config.5.gsskex 2015-08-12 11:15:43.677548916 +0200 -+++ openssh-7.0p1/sshd_config.5 2015-08-12 11:15:43.702548876 +0200 -@@ -621,6 +621,12 @@ Specifies whether user authentication ba +diff -up openssh-7.2p1/sshd_config.5.gsskex openssh-7.2p1/sshd_config.5 +--- openssh-7.2p1/sshd_config.5.gsskex 2016-02-19 10:01:04.858969329 +0100 ++++ openssh-7.2p1/sshd_config.5 2016-02-19 10:06:26.651172355 +0100 +@@ -623,6 +623,11 @@ The default is + Specifies whether user authentication based on GSSAPI is allowed. The default is .Dq no . - Note that this option applies to protocol version 2 only. +.It Cm GSSAPIKeyExchange +Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange +doesn't rely on ssh keys to verify host identity. +The default is +.Dq no . -+Note that this option applies to protocol version 2 only. .It Cm GSSAPICleanupCredentials Specifies whether to automatically destroy the user's credentials cache on logout. -@@ -642,6 +648,11 @@ machine's default store. +@@ -643,6 +648,11 @@ machine's default store. This facility is provided to assist with operation on multi homed machines. The default is .Dq yes . 
@@ -2593,9 +2603,9 @@ diff -up openssh-7.0p1/sshd_config.5.gsskex openssh-7.0p1/sshd_config.5 .It Cm HostbasedAcceptedKeyTypes Specifies the key types that will be accepted for hostbased authentication as a comma-separated pattern list. -diff -up openssh-7.0p1/sshd_config.gsskex openssh-7.0p1/sshd_config ---- openssh-7.0p1/sshd_config.gsskex 2015-08-12 11:15:43.679548913 +0200 -+++ openssh-7.0p1/sshd_config 2015-08-12 11:15:43.702548876 +0200 +diff -up openssh-7.2p1/sshd_config.gsskex openssh-7.2p1/sshd_config +--- openssh-7.2p1/sshd_config.gsskex 2016-02-19 10:01:04.860969328 +0100 ++++ openssh-7.2p1/sshd_config 2016-02-19 10:01:04.873969320 +0100 @@ -91,6 +91,8 @@ ChallengeResponseAuthentication no # GSSAPI options GSSAPIAuthentication yes @@ -2605,9 +2615,9 @@ diff -up openssh-7.0p1/sshd_config.gsskex openssh-7.0p1/sshd_config # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -diff -up openssh-7.0p1/ssh-gss.h.gsskex openssh-7.0p1/ssh-gss.h ---- openssh-7.0p1/ssh-gss.h.gsskex 2015-08-11 10:57:29.000000000 +0200 -+++ openssh-7.0p1/ssh-gss.h 2015-08-12 11:15:43.702548876 +0200 +diff -up openssh-7.2p1/ssh-gss.h.gsskex openssh-7.2p1/ssh-gss.h +--- openssh-7.2p1/ssh-gss.h.gsskex 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/ssh-gss.h 2016-02-19 10:01:04.873969320 +0100 @@ -1,6 +1,6 @@ /* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */ /* 
@@ -2707,21 +2717,20 @@ diff -up openssh-7.0p1/ssh-gss.h.gsskex openssh-7.0p1/ssh-gss.h #endif /* GSSAPI */ #endif /* _SSH_GSS_H */ - -diff -up openssh-7.1p1/sshkey.c.gsskex openssh-7.1p1/sshkey.c ---- openssh-7.1p1/sshkey.c.gsskex 2015-09-17 15:54:32.135673460 +0200 -+++ openssh-7.1p1/sshkey.c 2015-09-17 15:55:23.014666159 +0200 -@@ -112,6 +112,7 @@ static const struct keytype keytypes[] = +diff -up openssh-7.2p1/sshkey.c.gsskex openssh-7.2p1/sshkey.c +--- openssh-7.2p1/sshkey.c.gsskex 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/sshkey.c 2016-02-19 10:01:04.874969320 +0100 +@@ -115,6 +115,7 @@ static const struct keytype keytypes[] = # endif /* OPENSSL_HAS_NISTP521 */ # endif /* OPENSSL_HAS_ECC */ #endif /* WITH_OPENSSL */ -+ { "null", "null", KEY_NULL, 0, 0 }, - { NULL, NULL, -1, -1, 0 } ++ { "null", "null", KEY_NULL, 0, 0, 1 }, + { NULL, NULL, -1, -1, 0, 0 } }; -diff -up openssh-7.1p1/sshkey.h.gsskex openssh-7.1p1/sshkey.h ---- openssh-7.1p1/sshkey.h.gsskex 2015-09-17 15:54:32.135673460 +0200 -+++ openssh-7.1p1/sshkey.h 2015-09-17 15:55:45.885662877 +0200 +diff -up openssh-7.2p1/sshkey.h.gsskex openssh-7.2p1/sshkey.h +--- openssh-7.2p1/sshkey.h.gsskex 2016-02-12 11:47:25.000000000 +0100 ++++ openssh-7.2p1/sshkey.h 2016-02-19 10:01:04.874969320 +0100 @@ -62,6 +62,7 @@ enum sshkey_types { KEY_DSA_CERT, KEY_ECDSA_CERT, @@ -2730,15 +2739,3 @@ diff -up openssh-7.1p1/sshkey.h.gsskex openssh-7.1p1/sshkey.h KEY_UNSPEC }; -diff --git a/auth.c b/auth.c -index 4d1fbbe..5db39c4 100644 ---- a/auth.c -+++ b/auth.c -@@ -354,6 +354,7 @@ auth_root_allowed(const char *method) - case PERMIT_NO_PASSWD: - if (strcmp(method, "publickey") == 0 || - strcmp(method, "hostbased") == 0 || -+ strcmp(method, "gssapi-keyex") == 0 || - strcmp(method, "gssapi-with-mic") == 0) - return 1; - break; diff --git a/openssh.spec b/openssh.spec index 50c85a6..54ee536 100644 --- a/openssh.spec +++ b/openssh.spec 
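Review bot: The `null` keytype entry gains a sixth initializer set to 1 while the terminating sentinel gets 0, and nothing in the patch says what that field means; the struct definition is outside this hunk, so this is inferred, but if it is the 7.2 `sigonly` flag it hides the placeholder type from `sshkey_alg_list()` (and so from `ssh -Q key`) while `sshkey_type_from_name()` still resolves it, which is the right behaviour for a key type that only exists because GSSAPI key exchange does not rely on host keys, and it deserves a comment such as `{ "null", "null", KEY_NULL, 0, 0, 1 }, /* sigonly: hidden from ssh -Q key, still resolvable by name */`. The following hunk (`@@ -2730,15 +2739,3 @@`) drops the `auth_root_allowed()` change that listed `gssapi-keyex` next to `gssapi-with-mic` under `PERMIT_NO_PASSWD`; unless that change was relocated earlier in the patch (outside this view), root logins that authenticate via GSSAPI key exchange will be refused under `PermitRootLogin prohibit-password`, a functional regression that at least fails closed. The `keytypes[]` initializer and the `sshkey_types` enum both start outside the hunk.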
@@ -65,10 +65,10 @@ %endif # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 -%global openssh_ver 7.1p2 -%global openssh_rel 4 +%global openssh_ver 7.2p1 +%global openssh_rel 1 %global pam_ssh_agent_ver 0.10.2 -%global pam_ssh_agent_rel 1 +%global pam_ssh_agent_rel 2 Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh @@ -105,7 +105,7 @@ Patch103: openssh-5.8p1-packet.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1402 # https://bugzilla.redhat.com/show_bug.cgi?id=1171248 # record pfs= field in CRYPTO_SESSION audit event -Patch200: openssh-6.7p1-audit.patch +Patch200: openssh-7.2p1-audit.patch # Audit race condition in forked child (#1310684) Patch201: openssh-7.1p2-audit-race-condition.patch @@ -143,7 +143,7 @@ Patch607: openssh-5.8p2-sigpipe.patch Patch609: openssh-5.5p1-x11.patch #? -Patch700: openssh-6.7p1-fips.patch +Patch700: openssh-7.2p1-fips.patch #? Patch702: openssh-5.1p1-askpass-progress.patch #? @@ -168,7 +168,7 @@ Patch714: openssh-6.7p1-kdf-cavs.patch #http://www.sxw.org.uk/computing/patches/openssh.html #changed cache storage type - #848228 -Patch800: openssh-6.6p1-gsskex.patch +Patch800: openssh-7.2p1-gsskex.patch #http://www.mail-archive.com/kerberos@mit.edu/msg17591.html Patch801: openssh-6.6p1-force_krb.patch # add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843) 
@@ -225,17 +225,9 @@ Patch931: openssh-6.9p1-scp-progressmeter.patch Patch932: openssh-7.0p1-gssKexAlgorithms.patch # Possibility to validate legacy systems by more fingerprints (#1249626)(#2439) Patch933: openssh-7.0p1-show-more-fingerprints.patch -# Brokend HostKeyAlgorthms on server using + sign -# from http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-August/034324.html -Patch934: openssh-7.1p1-hostkeyalgorithms.patch -# Updated version of ssh-copy-id -# http://git.hands.com/ssh-copy-id -Patch935: openssh-7.1p1-ssh-copy-id.patch # Preserve IUTF8 tty mode flag over ssh connections (#1270248) # https://bugzilla.mindrot.org/show_bug.cgi?id=2477 Patch936: openssh-7.1p1-iutf8.patch -# CVE-2016-1908: possible fallback from untrusted to trusted X11 forwarding -Patch937: openssh-7.1p2-fallback-x11-untrusted.patch License: BSD @@ -469,10 +461,7 @@ popd %patch931 -p1 -b .progressmeter %patch932 -p1 -b .gsskexalg %patch933 -p1 -b .fingerprint -%patch934 -p1 -b .hostkey -%patch935 -p1 -b .ssh-copy-id %patch936 -p1 -b .iutf8 -%patch937 -p1 -b .x11-fallback %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race @@ -734,8 +723,6 @@ getent passwd sshd >/dev/null || \ %attr(0755,root,root) %{_bindir}/scp %attr(0644,root,root) %{_mandir}/man1/scp.1* %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config -%attr(0755,root,root) %{_bindir}/slogin -%attr(0644,root,root) %{_mandir}/man1/slogin.1* %attr(0644,root,root) %{_mandir}/man5/ssh_config.5* %if ! %{rescue} %attr(0755,root,root) %{_bindir}/ssh-agent @@ -813,6 +800,9 @@ getent passwd sshd >/dev/null || \ %endif %changelog +* Mon Feb 29 2016 Jakub Jelen 7.2p1-1 + 0.10.2-2 +- New upstream release (#1312870) + * Wed Feb 24 2016 Jakub Jelen 7.1p2-4.1 + 0.10.2-1 - Fix race condition in auditing events when using multiplexing (#1308295) - Fix X11 forwarding CVE according to upstream 
diff --git a/pam_ssh_agent_auth-0.9.3-agent_structure.patch b/pam_ssh_agent_auth-0.9.3-agent_structure.patch index b7d8d40..1cab72c 100644 --- a/pam_ssh_agent_auth-0.9.3-agent_structure.patch +++ b/pam_ssh_agent_auth-0.9.3-agent_structure.patch @@ -104,3 +104,16 @@ diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c.psaa- goto user_auth_clean_exit; /* test for correct signature */ +diff --git a/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c b/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c +--- a/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c ++++ b/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c +@@ -85,7 +85,7 @@ userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2) + buffer_put_cstring(&b, pkalg); + buffer_put_string(&b, pkblob, blen); + +- if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), 0) != 0) ++ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), NULL, 0) != 0) + goto user_auth_clean_exit; + + /* test for correct signature */ + diff --git a/sources b/sources index 596b1c0..24cfbd5 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ a212baca7ce11d596bd8dcb222859ace pam_ssh_agent_auth-0.10.2.tar.bz2 -4d8547670e2a220d5ef805ad9e47acf2 openssh-7.1p2.tar.gz +b984775f0cfff1f7ff18b8797fce8a28 openssh-7.2p1.tar.gz
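Review bot: The new hunk passes `NULL` for the extra argument that 7.2's `ssh_agent_sign()` takes before `compat`, and nothing records why; if that parameter is the upstream `alg` selector (authfd.c is outside this patch), a NULL request asks the agent for its default signature scheme for the key, which for RSA keys is the legacy `ssh-rsa` (SHA-1) signature rather than `rsa-sha2-*`, so the PAM module keeps producing and verifying exactly what it did before the rebase. That is a defensible compatibility choice, but it should be stated on the changed line, e.g. `/* alg NULL: agent default scheme (ssh-rsa for RSA keys), same as before 7.2 */`, so a later reader knows the SHA-1 signature is deliberate and not an oversight. The embedded hunk is also appended as a bare `diff --git` with no `index` line and a trailing blank line after the last context line; patch(1) accepts it, but it differs from the `diff -up` style used by the rest of this patch file. `userauth_pubkey_from_id()` continues outside the hunk.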