forked from rpms/openssh
import openssh-8.0p1-10.el8
This commit is contained in:
parent
75ca0870c6
commit
21c06f7ba4
@ -1,25 +1,29 @@
|
|||||||
diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
|
diff -up openssh-8.0p1/channels.c.coverity openssh-8.0p1/channels.c
|
||||||
--- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100
|
--- openssh-8.0p1/channels.c.coverity 2021-06-21 10:59:17.297473319 +0200
|
||||||
+++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100
|
+++ openssh-8.0p1/channels.c 2021-06-21 11:11:32.467290400 +0200
|
||||||
@@ -288,11 +288,11 @@ channel_register_fds(Channel *c, int rfd
|
@@ -341,15 +341,15 @@ channel_register_fds(struct ssh *ssh, Ch
|
||||||
|
* restore their blocking state on exit to avoid interfering
|
||||||
/* enable nonblocking mode */
|
* with other programs that follow.
|
||||||
if (nonblock) {
|
*/
|
||||||
- if (rfd != -1)
|
- if (rfd != -1 && !isatty(rfd) && fcntl(rfd, F_GETFL) == 0) {
|
||||||
+ if (rfd >= 0)
|
+ if (rfd >= 0 && !isatty(rfd) && fcntl(rfd, F_GETFL) == 0) {
|
||||||
|
c->restore_block |= CHANNEL_RESTORE_RFD;
|
||||||
set_nonblock(rfd);
|
set_nonblock(rfd);
|
||||||
- if (wfd != -1)
|
}
|
||||||
+ if (wfd >= 0)
|
- if (wfd != -1 && !isatty(wfd) && fcntl(wfd, F_GETFL) == 0) {
|
||||||
|
+ if (wfd >= 0 && !isatty(wfd) && fcntl(wfd, F_GETFL) == 0) {
|
||||||
|
c->restore_block |= CHANNEL_RESTORE_WFD;
|
||||||
set_nonblock(wfd);
|
set_nonblock(wfd);
|
||||||
- if (efd != -1)
|
}
|
||||||
+ if (efd >= 0)
|
- if (efd != -1 && !isatty(efd) && fcntl(efd, F_GETFL) == 0) {
|
||||||
|
+ if (efd >= 0 && !isatty(efd) && fcntl(efd, F_GETFL) == 0) {
|
||||||
|
c->restore_block |= CHANNEL_RESTORE_EFD;
|
||||||
set_nonblock(efd);
|
set_nonblock(efd);
|
||||||
}
|
}
|
||||||
}
|
diff -up openssh-8.0p1/monitor.c.coverity openssh-8.0p1/monitor.c
|
||||||
diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
|
--- openssh-8.0p1/monitor.c.coverity 2021-06-21 10:59:17.282473202 +0200
|
||||||
--- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100
|
+++ openssh-8.0p1/monitor.c 2021-06-21 10:59:17.297473319 +0200
|
||||||
+++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100
|
@@ -401,7 +401,7 @@ monitor_child_preauth(struct ssh *ssh, s
|
||||||
@@ -411,7 +411,7 @@ monitor_child_preauth(Authctxt *_authctx
|
|
||||||
mm_get_keystate(ssh, pmonitor);
|
mm_get_keystate(ssh, pmonitor);
|
||||||
|
|
||||||
/* Drain any buffered messages from the child */
|
/* Drain any buffered messages from the child */
|
||||||
|
@ -296,17 +296,17 @@ diff -up openssh-7.9p1/sshconnect2.c.fips openssh-7.9p1/sshconnect2.c
|
|||||||
#include "openbsd-compat/sys-queue.h"
|
#include "openbsd-compat/sys-queue.h"
|
||||||
|
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
@@ -117,7 +117,8 @@ order_hostkeyalgs(char *host, struct soc
|
@@ -148,7 +150,8 @@ order_hostkeyalgs(char *host, struct soc
|
||||||
for (i = 0; i < options.num_system_hostfiles; i++)
|
* Otherwise, prefer the host key algorithms that match known keys
|
||||||
load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
|
* while keeping the ordering of HostkeyAlgorithms as much as possible.
|
||||||
|
*/
|
||||||
- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
|
- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
|
||||||
+ oavail = avail = xstrdup((FIPS_mode()
|
+ oavail = avail = xstrdup((FIPS_mode()
|
||||||
+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
|
+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
|
||||||
maxlen = strlen(avail) + 1;
|
maxlen = strlen(avail) + 1;
|
||||||
first = xmalloc(maxlen);
|
first = xmalloc(maxlen);
|
||||||
last = xmalloc(maxlen);
|
last = xmalloc(maxlen);
|
||||||
@@ -185,14 +185,16 @@ ssh_kex2(char *host, struct sockaddr *ho
|
@@ -229,14 +232,16 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
||||||
if (options.hostkeyalgorithms != NULL) {
|
if (options.hostkeyalgorithms != NULL) {
|
||||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||||
if (kex_assemble_names(&options.hostkeyalgorithms,
|
if (kex_assemble_names(&options.hostkeyalgorithms,
|
||||||
|
@ -284,7 +284,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
fail++;
|
fail++;
|
||||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
+ if ((s = strchr(p, '/')) != NULL)
|
+ if ((s = strchr(cp, '/')) != NULL)
|
||||||
+ *s = '\0';
|
+ *s = '\0';
|
||||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||||
authctxt->style ? ":" : "",
|
authctxt->style ? ":" : "",
|
||||||
|
@ -11,6 +11,17 @@ diff -up openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id openssh-7.9p1/contrib/ssh
|
|||||||
# implement something like getopt to avoid Solaris pain
|
# implement something like getopt to avoid Solaris pain
|
||||||
case "$1" in
|
case "$1" in
|
||||||
-i?*|-o?*|-p?*)
|
-i?*|-o?*|-p?*)
|
||||||
|
@@ -185,8 +185,8 @@
|
||||||
|
usage
|
||||||
|
fi
|
||||||
|
|
||||||
|
-# drop trailing colon
|
||||||
|
-USER_HOST=$(printf "%s\n" "$1" | sed 's/:$//')
|
||||||
|
+# don't drop trailing colon because it can be a valid ipv6 address
|
||||||
|
+USER_HOST=$(printf "%s\n" "$1")
|
||||||
|
# tack the hostname onto SSH_OPTS
|
||||||
|
SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }'$(quote "$USER_HOST")'"
|
||||||
|
# and populate "$@" for later use (only way to get proper quoting of options)
|
||||||
@@ -261,7 +262,7 @@ populate_new_ids() {
|
@@ -261,7 +262,7 @@ populate_new_ids() {
|
||||||
fi
|
fi
|
||||||
if [ -z "$NEW_IDS" ] ; then
|
if [ -z "$NEW_IDS" ] ; then
|
||||||
|
33
SOURCES/openssh-8.0p1-channel-limits.patch
Normal file
33
SOURCES/openssh-8.0p1-channel-limits.patch
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
diff -up openssh-8.0p1/channels.c.channel-limits openssh-8.0p1/channels.c
|
||||||
|
--- openssh-8.0p1/channels.c.channel-limits 2021-03-16 12:17:58.905576511 +0100
|
||||||
|
+++ openssh-8.0p1/channels.c 2021-03-16 12:17:58.925576667 +0100
|
||||||
|
@@ -354,6 +354,7 @@ channel_new(struct ssh *ssh, char *ctype
|
||||||
|
struct ssh_channels *sc = ssh->chanctxt;
|
||||||
|
u_int i, found;
|
||||||
|
Channel *c;
|
||||||
|
+ int r;
|
||||||
|
|
||||||
|
/* Try to find a free slot where to put the new channel. */
|
||||||
|
for (i = 0; i < sc->channels_alloc; i++) {
|
||||||
|
@@ -383,6 +384,8 @@ channel_new(struct ssh *ssh, char *ctype
|
||||||
|
(c->output = sshbuf_new()) == NULL ||
|
||||||
|
(c->extended = sshbuf_new()) == NULL)
|
||||||
|
fatal("%s: sshbuf_new failed", __func__);
|
||||||
|
+ if ((r = sshbuf_set_max_size(c->input, CHAN_INPUT_MAX)) != 0)
|
||||||
|
+ fatal("%s: sshbuf_set_max_size: %s", __func__, ssh_err(r));
|
||||||
|
c->ostate = CHAN_OUTPUT_OPEN;
|
||||||
|
c->istate = CHAN_INPUT_OPEN;
|
||||||
|
channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, 0);
|
||||||
|
diff -up openssh-8.0p1/channels.h.channel-limits openssh-8.0p1/channels.h
|
||||||
|
--- openssh-8.0p1/channels.h.channel-limits 2021-03-16 12:17:58.868576223 +0100
|
||||||
|
+++ openssh-8.0p1/channels.h 2021-03-16 12:17:58.907576527 +0100
|
||||||
|
@@ -215,6 +215,9 @@ struct Channel {
|
||||||
|
/* Read buffer size */
|
||||||
|
#define CHAN_RBUF (16*1024)
|
||||||
|
|
||||||
|
+/* Maximum channel input buffer size */
|
||||||
|
+#define CHAN_INPUT_MAX (16*1024*1024)
|
||||||
|
+
|
||||||
|
/* Hard limit on number of channels */
|
||||||
|
#define CHANNELS_MAX_CHANNELS (16*1024)
|
||||||
|
|
127
SOURCES/openssh-8.0p1-cve-2020-14145.patch
Normal file
127
SOURCES/openssh-8.0p1-cve-2020-14145.patch
Normal file
@ -0,0 +1,127 @@
|
|||||||
|
diff -up openssh-8.0p1/hostfile.c.cve-2020-14145 openssh-8.0p1/hostfile.c
|
||||||
|
--- openssh-8.0p1/hostfile.c.cve-2020-14145 2019-04-18 00:52:57.000000000 +0200
|
||||||
|
+++ openssh-8.0p1/hostfile.c 2021-05-17 16:53:38.694577251 +0200
|
||||||
|
@@ -409,6 +409,18 @@ lookup_key_in_hostkeys_by_type(struct ho
|
||||||
|
found) == HOST_FOUND);
|
||||||
|
}
|
||||||
|
|
||||||
|
+int
|
||||||
|
+lookup_marker_in_hostkeys(struct hostkeys *hostkeys, int want_marker)
|
||||||
|
+{
|
||||||
|
+ u_int i;
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < hostkeys->num_entries; i++) {
|
||||||
|
+ if (hostkeys->entries[i].marker == (HostkeyMarker)want_marker)
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int
|
||||||
|
write_host_entry(FILE *f, const char *host, const char *ip,
|
||||||
|
const struct sshkey *key, int store_hash)
|
||||||
|
diff -up openssh-8.0p1/hostfile.h.cve-2020-14145 openssh-8.0p1/hostfile.h
|
||||||
|
--- openssh-8.0p1/hostfile.h.cve-2020-14145 2019-04-18 00:52:57.000000000 +0200
|
||||||
|
+++ openssh-8.0p1/hostfile.h 2021-05-17 16:53:38.694577251 +0200
|
||||||
|
@@ -39,6 +39,7 @@ HostStatus check_key_in_hostkeys(struct
|
||||||
|
const struct hostkey_entry **);
|
||||||
|
int lookup_key_in_hostkeys_by_type(struct hostkeys *, int,
|
||||||
|
const struct hostkey_entry **);
|
||||||
|
+int lookup_marker_in_hostkeys(struct hostkeys *, int);
|
||||||
|
|
||||||
|
int hostfile_read_key(char **, u_int *, struct sshkey *);
|
||||||
|
int add_host_to_hostfile(const char *, const char *,
|
||||||
|
diff -up openssh-8.0p1/sshconnect2.c.cve-2020-14145 openssh-8.0p1/sshconnect2.c
|
||||||
|
--- openssh-8.0p1/sshconnect2.c.cve-2020-14145 2021-05-17 16:53:38.610576561 +0200
|
||||||
|
+++ openssh-8.0p1/sshconnect2.c 2021-05-17 16:54:58.169230103 +0200
|
||||||
|
@@ -98,12 +98,25 @@ verify_host_key_callback(struct sshkey *
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* Returns the first item from a comma-separated algorithm list */
|
||||||
|
+static char *
|
||||||
|
+first_alg(const char *algs)
|
||||||
|
+{
|
||||||
|
+ char *ret, *cp;
|
||||||
|
+
|
||||||
|
+ ret = xstrdup(algs);
|
||||||
|
+ if ((cp = strchr(ret, ',')) != NULL)
|
||||||
|
+ *cp = '\0';
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static char *
|
||||||
|
order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
|
||||||
|
{
|
||||||
|
- char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
|
||||||
|
+ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
|
||||||
|
+ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
|
||||||
|
size_t maxlen;
|
||||||
|
- struct hostkeys *hostkeys;
|
||||||
|
+ struct hostkeys *hostkeys = NULL;
|
||||||
|
int ktype;
|
||||||
|
u_int i;
|
||||||
|
|
||||||
|
@@ -115,6 +128,26 @@ order_hostkeyalgs(char *host, struct soc
|
||||||
|
for (i = 0; i < options.num_system_hostfiles; i++)
|
||||||
|
load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * If a plain public key exists that matches the type of the best
|
||||||
|
+ * preference HostkeyAlgorithms, then use the whole list as is.
|
||||||
|
+ * Note that we ignore whether the best preference algorithm is a
|
||||||
|
+ * certificate type, as sshconnect.c will downgrade certs to
|
||||||
|
+ * plain keys if necessary.
|
||||||
|
+ */
|
||||||
|
+ best = first_alg(options.hostkeyalgorithms);
|
||||||
|
+ if (lookup_key_in_hostkeys_by_type(hostkeys,
|
||||||
|
+ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
|
||||||
|
+ debug3("%s: have matching best-preference key type %s, "
|
||||||
|
+ "using HostkeyAlgorithms verbatim", __func__, best);
|
||||||
|
+ ret = xstrdup(options.hostkeyalgorithms);
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Otherwise, prefer the host key algorithms that match known keys
|
||||||
|
+ * while keeping the ordering of HostkeyAlgorithms as much as possible.
|
||||||
|
+ */
|
||||||
|
oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
|
||||||
|
maxlen = strlen(avail) + 1;
|
||||||
|
first = xmalloc(maxlen);
|
||||||
|
@@ -131,11 +164,23 @@ order_hostkeyalgs(char *host, struct soc
|
||||||
|
while ((alg = strsep(&avail, ",")) && *alg != '\0') {
|
||||||
|
if ((ktype = sshkey_type_from_name(alg)) == KEY_UNSPEC)
|
||||||
|
fatal("%s: unknown alg %s", __func__, alg);
|
||||||
|
+ /*
|
||||||
|
+ * If we have a @cert-authority marker in known_hosts then
|
||||||
|
+ * prefer all certificate algorithms.
|
||||||
|
+ */
|
||||||
|
+ if (sshkey_type_is_cert(ktype) &&
|
||||||
|
+ lookup_marker_in_hostkeys(hostkeys, MRK_CA)) {
|
||||||
|
+ ALG_APPEND(first, alg);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ /* If the key appears in known_hosts then prefer it */
|
||||||
|
if (lookup_key_in_hostkeys_by_type(hostkeys,
|
||||||
|
- sshkey_type_plain(ktype), NULL))
|
||||||
|
+ sshkey_type_plain(ktype), NULL)) {
|
||||||
|
ALG_APPEND(first, alg);
|
||||||
|
- else
|
||||||
|
- ALG_APPEND(last, alg);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ /* Otherwise, put it last */
|
||||||
|
+ ALG_APPEND(last, alg);
|
||||||
|
}
|
||||||
|
#undef ALG_APPEND
|
||||||
|
xasprintf(&ret, "%s%s%s", first,
|
||||||
|
@@ -143,6 +188,8 @@ order_hostkeyalgs(char *host, struct soc
|
||||||
|
if (*first != '\0')
|
||||||
|
debug3("%s: prefer hostkeyalgs: %s", __func__, first);
|
||||||
|
|
||||||
|
+ out:
|
||||||
|
+ free(best);
|
||||||
|
free(first);
|
||||||
|
free(last);
|
||||||
|
free(hostname);
|
12
SOURCES/openssh-8.0p1-keygen-strip-doseol.patch
Normal file
12
SOURCES/openssh-8.0p1-keygen-strip-doseol.patch
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
diff -up openssh-8.0p1/ssh-keygen.c.strip-doseol openssh-8.0p1/ssh-keygen.c
|
||||||
|
--- openssh-8.0p1/ssh-keygen.c.strip-doseol 2021-03-18 17:41:34.472404994 +0100
|
||||||
|
+++ openssh-8.0p1/ssh-keygen.c 2021-03-18 17:41:55.255538761 +0100
|
||||||
|
@@ -901,7 +901,7 @@ do_fingerprint(struct passwd *pw)
|
||||||
|
while (getline(&line, &linesize, f) != -1) {
|
||||||
|
lnum++;
|
||||||
|
cp = line;
|
||||||
|
- cp[strcspn(cp, "\n")] = '\0';
|
||||||
|
+ cp[strcspn(cp, "\r\n")] = '\0';
|
||||||
|
/* Trim leading space and comments */
|
||||||
|
cp = line + strspn(line, " \t");
|
||||||
|
if (*cp == '#' || *cp == '\0')
|
@ -1167,7 +1167,7 @@ new file mode 100644
|
|||||||
index 00000000..e1a7b4e0
|
index 00000000..e1a7b4e0
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/ssh-pkcs11-uri.c
|
+++ b/ssh-pkcs11-uri.c
|
||||||
@@ -0,0 +1,421 @@
|
@@ -0,0 +1,425 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2017 Red Hat
|
+ * Copyright (c) 2017 Red Hat
|
||||||
+ *
|
+ *
|
||||||
@ -1419,6 +1419,10 @@ index 00000000..e1a7b4e0
|
|||||||
+void
|
+void
|
||||||
+pkcs11_uri_cleanup(struct pkcs11_uri *pkcs11)
|
+pkcs11_uri_cleanup(struct pkcs11_uri *pkcs11)
|
||||||
+{
|
+{
|
||||||
|
+ if (pkcs11 == NULL) {
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
+ free(pkcs11->id);
|
+ free(pkcs11->id);
|
||||||
+ free(pkcs11->module_path);
|
+ free(pkcs11->module_path);
|
||||||
+ free(pkcs11->token);
|
+ free(pkcs11->token);
|
||||||
@ -2677,6 +2681,9 @@ index 70f06bff..59332945 100644
|
|||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ provider_uri = pkcs11_uri_get(uri);
|
+ provider_uri = pkcs11_uri_get(uri);
|
||||||
|
+ if (pin == NULL && uri->pin != NULL) {
|
||||||
|
+ pin = uri->pin;
|
||||||
|
+ }
|
||||||
+ nkeys = 0;
|
+ nkeys = 0;
|
||||||
+ for (i = 0; i < p->module->nslots; i++) {
|
+ for (i = 0; i < p->module->nslots; i++) {
|
||||||
+ token = &p->module->slotinfo[i].token;
|
+ token = &p->module->slotinfo[i].token;
|
||||||
@ -2712,9 +2719,6 @@ index 70f06bff..59332945 100644
|
|||||||
+ provider_uri, (unsigned long)i,
|
+ provider_uri, (unsigned long)i,
|
||||||
token->label, token->manufacturerID, token->model,
|
token->label, token->manufacturerID, token->model,
|
||||||
token->serialNumber, token->flags);
|
token->serialNumber, token->flags);
|
||||||
+ if (pin == NULL && uri->pin != NULL) {
|
|
||||||
+ pin = uri->pin;
|
|
||||||
+ }
|
|
||||||
/*
|
/*
|
||||||
- * open session, login with pin and retrieve public
|
- * open session, login with pin and retrieve public
|
||||||
- * keys (if keyp is provided)
|
- * keys (if keyp is provided)
|
||||||
@ -2741,8 +2745,8 @@ index 70f06bff..59332945 100644
|
|||||||
+ uri->object = label;
|
+ uri->object = label;
|
||||||
+ }
|
+ }
|
||||||
}
|
}
|
||||||
+ pin = NULL; /* Will be cleaned up with URI */
|
|
||||||
}
|
}
|
||||||
|
+ pin = NULL; /* Will be cleaned up with URI */
|
||||||
|
|
||||||
/* now owned by caller */
|
/* now owned by caller */
|
||||||
*providerp = p;
|
*providerp = p;
|
||||||
|
44
SOURCES/openssh-8.0p1-preserve-pam-errors.patch
Normal file
44
SOURCES/openssh-8.0p1-preserve-pam-errors.patch
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
diff -up openssh-8.0p1/auth-pam.c.preserve-pam-errors openssh-8.0p1/auth-pam.c
|
||||||
|
--- openssh-8.0p1/auth-pam.c.preserve-pam-errors 2021-03-31 17:03:15.618592347 +0200
|
||||||
|
+++ openssh-8.0p1/auth-pam.c 2021-03-31 17:06:58.115220014 +0200
|
||||||
|
@@ -511,7 +511,11 @@ sshpam_thread(void *ctxtp)
|
||||||
|
goto auth_fail;
|
||||||
|
|
||||||
|
if (!do_pam_account()) {
|
||||||
|
- sshpam_err = PAM_ACCT_EXPIRED;
|
||||||
|
+ /* Preserve PAM_PERM_DENIED and PAM_USER_UNKNOWN.
|
||||||
|
+ * Backward compatibility for other errors. */
|
||||||
|
+ if (sshpam_err != PAM_PERM_DENIED
|
||||||
|
+ && sshpam_err != PAM_USER_UNKNOWN)
|
||||||
|
+ sshpam_err = PAM_ACCT_EXPIRED;
|
||||||
|
goto auth_fail;
|
||||||
|
}
|
||||||
|
if (sshpam_authctxt->force_pwchange) {
|
||||||
|
@@ -568,8 +572,10 @@ sshpam_thread(void *ctxtp)
|
||||||
|
pam_strerror(sshpam_handle, sshpam_err))) != 0)
|
||||||
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
|
/* XXX - can't do much about an error here */
|
||||||
|
- if (sshpam_err == PAM_ACCT_EXPIRED)
|
||||||
|
- ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, buffer);
|
||||||
|
+ if (sshpam_err == PAM_PERM_DENIED
|
||||||
|
+ || sshpam_err == PAM_USER_UNKNOWN
|
||||||
|
+ || sshpam_err == PAM_ACCT_EXPIRED)
|
||||||
|
+ ssh_msg_send(ctxt->pam_csock, sshpam_err, buffer);
|
||||||
|
else if (sshpam_maxtries_reached)
|
||||||
|
ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, buffer);
|
||||||
|
else
|
||||||
|
@@ -856,10 +862,12 @@ sshpam_query(void *ctx, char **name, cha
|
||||||
|
plen++;
|
||||||
|
free(msg);
|
||||||
|
break;
|
||||||
|
+ case PAM_USER_UNKNOWN:
|
||||||
|
+ case PAM_PERM_DENIED:
|
||||||
|
case PAM_ACCT_EXPIRED:
|
||||||
|
+ sshpam_account_status = 0;
|
||||||
|
+ /* FALLTHROUGH */
|
||||||
|
case PAM_MAXTRIES:
|
||||||
|
- if (type == PAM_ACCT_EXPIRED)
|
||||||
|
- sshpam_account_status = 0;
|
||||||
|
if (type == PAM_MAXTRIES)
|
||||||
|
sshpam_set_maxtries_reached(1);
|
||||||
|
/* FALLTHROUGH */
|
311
SOURCES/openssh-8.0p1-restore-nonblock.patch
Normal file
311
SOURCES/openssh-8.0p1-restore-nonblock.patch
Normal file
@ -0,0 +1,311 @@
|
|||||||
|
diff -up openssh-8.0p1/channels.c.restore-nonblock openssh-8.0p1/channels.c
|
||||||
|
--- openssh-8.0p1/channels.c.restore-nonblock 2021-06-21 10:44:26.380559612 +0200
|
||||||
|
+++ openssh-8.0p1/channels.c 2021-06-21 10:48:47.754579151 +0200
|
||||||
|
@@ -333,7 +333,27 @@ channel_register_fds(struct ssh *ssh, Ch
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* enable nonblocking mode */
|
||||||
|
- if (nonblock) {
|
||||||
|
+ c->restore_block = 0;
|
||||||
|
+ if (nonblock == CHANNEL_NONBLOCK_STDIO) {
|
||||||
|
+ /*
|
||||||
|
+ * Special handling for stdio file descriptors: do not set
|
||||||
|
+ * non-blocking mode if they are TTYs. Otherwise prepare to
|
||||||
|
+ * restore their blocking state on exit to avoid interfering
|
||||||
|
+ * with other programs that follow.
|
||||||
|
+ */
|
||||||
|
+ if (rfd != -1 && !isatty(rfd) && fcntl(rfd, F_GETFL) == 0) {
|
||||||
|
+ c->restore_block |= CHANNEL_RESTORE_RFD;
|
||||||
|
+ set_nonblock(rfd);
|
||||||
|
+ }
|
||||||
|
+ if (wfd != -1 && !isatty(wfd) && fcntl(wfd, F_GETFL) == 0) {
|
||||||
|
+ c->restore_block |= CHANNEL_RESTORE_WFD;
|
||||||
|
+ set_nonblock(wfd);
|
||||||
|
+ }
|
||||||
|
+ if (efd != -1 && !isatty(efd) && fcntl(efd, F_GETFL) == 0) {
|
||||||
|
+ c->restore_block |= CHANNEL_RESTORE_EFD;
|
||||||
|
+ set_nonblock(efd);
|
||||||
|
+ }
|
||||||
|
+ } else if (nonblock) {
|
||||||
|
if (rfd != -1)
|
||||||
|
set_nonblock(rfd);
|
||||||
|
if (wfd != -1)
|
||||||
|
@@ -422,17 +442,23 @@ channel_find_maxfd(struct ssh_channels *
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
-channel_close_fd(struct ssh *ssh, int *fdp)
|
||||||
|
+channel_close_fd(struct ssh *ssh, Channel *c, int *fdp)
|
||||||
|
{
|
||||||
|
struct ssh_channels *sc = ssh->chanctxt;
|
||||||
|
- int ret = 0, fd = *fdp;
|
||||||
|
+ int ret, fd = *fdp;
|
||||||
|
|
||||||
|
- if (fd != -1) {
|
||||||
|
- ret = close(fd);
|
||||||
|
- *fdp = -1;
|
||||||
|
- if (fd == sc->channel_max_fd)
|
||||||
|
- channel_find_maxfd(sc);
|
||||||
|
- }
|
||||||
|
+ if (fd == -1)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ if ((*fdp == c->rfd && (c->restore_block & CHANNEL_RESTORE_RFD) != 0) ||
|
||||||
|
+ (*fdp == c->wfd && (c->restore_block & CHANNEL_RESTORE_WFD) != 0) ||
|
||||||
|
+ (*fdp == c->efd && (c->restore_block & CHANNEL_RESTORE_EFD) != 0))
|
||||||
|
+ (void)fcntl(*fdp, F_SETFL, 0); /* restore blocking */
|
||||||
|
+
|
||||||
|
+ ret = close(fd);
|
||||||
|
+ *fdp = -1;
|
||||||
|
+ if (fd == sc->channel_max_fd)
|
||||||
|
+ channel_find_maxfd(sc);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -442,13 +468,13 @@ channel_close_fds(struct ssh *ssh, Chann
|
||||||
|
{
|
||||||
|
int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd;
|
||||||
|
|
||||||
|
- channel_close_fd(ssh, &c->sock);
|
||||||
|
+ channel_close_fd(ssh, c, &c->sock);
|
||||||
|
if (rfd != sock)
|
||||||
|
- channel_close_fd(ssh, &c->rfd);
|
||||||
|
+ channel_close_fd(ssh, c, &c->rfd);
|
||||||
|
if (wfd != sock && wfd != rfd)
|
||||||
|
- channel_close_fd(ssh, &c->wfd);
|
||||||
|
+ channel_close_fd(ssh, c, &c->wfd);
|
||||||
|
if (efd != sock && efd != rfd && efd != wfd)
|
||||||
|
- channel_close_fd(ssh, &c->efd);
|
||||||
|
+ channel_close_fd(ssh, c, &c->efd);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
@@ -681,7 +707,7 @@ channel_stop_listening(struct ssh *ssh)
|
||||||
|
case SSH_CHANNEL_X11_LISTENER:
|
||||||
|
case SSH_CHANNEL_UNIX_LISTENER:
|
||||||
|
case SSH_CHANNEL_RUNIX_LISTENER:
|
||||||
|
- channel_close_fd(ssh, &c->sock);
|
||||||
|
+ channel_close_fd(ssh, c, &c->sock);
|
||||||
|
channel_free(ssh, c);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
@@ -1487,7 +1513,8 @@ channel_decode_socks5(Channel *c, struct
|
||||||
|
|
||||||
|
Channel *
|
||||||
|
channel_connect_stdio_fwd(struct ssh *ssh,
|
||||||
|
- const char *host_to_connect, u_short port_to_connect, int in, int out)
|
||||||
|
+ const char *host_to_connect, u_short port_to_connect,
|
||||||
|
+ int in, int out, int nonblock)
|
||||||
|
{
|
||||||
|
Channel *c;
|
||||||
|
|
||||||
|
@@ -1495,7 +1522,7 @@ channel_connect_stdio_fwd(struct ssh *ss
|
||||||
|
|
||||||
|
c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING, in, out,
|
||||||
|
-1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
|
||||||
|
- 0, "stdio-forward", /*nonblock*/0);
|
||||||
|
+ 0, "stdio-forward", nonblock);
|
||||||
|
|
||||||
|
c->path = xstrdup(host_to_connect);
|
||||||
|
c->host_port = port_to_connect;
|
||||||
|
@@ -1650,7 +1677,7 @@ channel_post_x11_listener(struct ssh *ss
|
||||||
|
if (c->single_connection) {
|
||||||
|
oerrno = errno;
|
||||||
|
debug2("single_connection: closing X11 listener.");
|
||||||
|
- channel_close_fd(ssh, &c->sock);
|
||||||
|
+ channel_close_fd(ssh, c, &c->sock);
|
||||||
|
chan_mark_dead(ssh, c);
|
||||||
|
errno = oerrno;
|
||||||
|
}
|
||||||
|
@@ -2087,7 +2114,7 @@ channel_handle_efd_write(struct ssh *ssh
|
||||||
|
return 1;
|
||||||
|
if (len <= 0) {
|
||||||
|
debug2("channel %d: closing write-efd %d", c->self, c->efd);
|
||||||
|
- channel_close_fd(ssh, &c->efd);
|
||||||
|
+ channel_close_fd(ssh, c, &c->efd);
|
||||||
|
} else {
|
||||||
|
if ((r = sshbuf_consume(c->extended, len)) != 0) {
|
||||||
|
fatal("%s: channel %d: consume: %s",
|
||||||
|
@@ -2119,7 +2146,7 @@ channel_handle_efd_read(struct ssh *ssh,
|
||||||
|
if (len <= 0) {
|
||||||
|
debug2("channel %d: closing read-efd %d",
|
||||||
|
c->self, c->efd);
|
||||||
|
- channel_close_fd(ssh, &c->efd);
|
||||||
|
+ channel_close_fd(ssh, c, &c->efd);
|
||||||
|
} else {
|
||||||
|
if (c->extended_usage == CHAN_EXTENDED_IGNORE) {
|
||||||
|
debug3("channel %d: discard efd",
|
||||||
|
diff -up openssh-8.0p1/channels.h.restore-nonblock openssh-8.0p1/channels.h
|
||||||
|
--- openssh-8.0p1/channels.h.restore-nonblock 2021-06-21 10:44:26.380559612 +0200
|
||||||
|
+++ openssh-8.0p1/channels.h 2021-06-21 10:44:26.387559665 +0200
|
||||||
|
@@ -63,6 +63,16 @@
|
||||||
|
|
||||||
|
#define CHANNEL_CANCEL_PORT_STATIC -1
|
||||||
|
|
||||||
|
+/* nonblocking flags for channel_new */
|
||||||
|
+#define CHANNEL_NONBLOCK_LEAVE 0 /* don't modify non-blocking state */
|
||||||
|
+#define CHANNEL_NONBLOCK_SET 1 /* set non-blocking state */
|
||||||
|
+#define CHANNEL_NONBLOCK_STDIO 2 /* set non-blocking and restore on close */
|
||||||
|
+
|
||||||
|
+/* c->restore_block mask flags */
|
||||||
|
+#define CHANNEL_RESTORE_RFD 0x01
|
||||||
|
+#define CHANNEL_RESTORE_WFD 0x02
|
||||||
|
+#define CHANNEL_RESTORE_EFD 0x04
|
||||||
|
+
|
||||||
|
/* TCP forwarding */
|
||||||
|
#define FORWARD_DENY 0
|
||||||
|
#define FORWARD_REMOTE (1)
|
||||||
|
@@ -131,6 +141,7 @@ struct Channel {
|
||||||
|
* to a matching pre-select handler.
|
||||||
|
* this way post-select handlers are not
|
||||||
|
* accidentally called if a FD gets reused */
|
||||||
|
+ int restore_block; /* fd mask to restore blocking status */
|
||||||
|
struct sshbuf *input; /* data read from socket, to be sent over
|
||||||
|
* encrypted connection */
|
||||||
|
struct sshbuf *output; /* data received over encrypted connection for
|
||||||
|
@@ -258,7 +269,7 @@ void channel_register_filter(struct ssh
|
||||||
|
void channel_register_status_confirm(struct ssh *, int,
|
||||||
|
channel_confirm_cb *, channel_confirm_abandon_cb *, void *);
|
||||||
|
void channel_cancel_cleanup(struct ssh *, int);
|
||||||
|
-int channel_close_fd(struct ssh *, int *);
|
||||||
|
+int channel_close_fd(struct ssh *, Channel *, int *);
|
||||||
|
void channel_send_window_changes(struct ssh *);
|
||||||
|
|
||||||
|
/* mux proxy support */
|
||||||
|
@@ -305,7 +316,7 @@ Channel *channel_connect_to_port(struct
|
||||||
|
char *, char *, int *, const char **);
|
||||||
|
Channel *channel_connect_to_path(struct ssh *, const char *, char *, char *);
|
||||||
|
Channel *channel_connect_stdio_fwd(struct ssh *, const char*,
|
||||||
|
- u_short, int, int);
|
||||||
|
+ u_short, int, int, int);
|
||||||
|
Channel *channel_connect_by_listen_address(struct ssh *, const char *,
|
||||||
|
u_short, char *, char *);
|
||||||
|
Channel *channel_connect_by_listen_path(struct ssh *, const char *,
|
||||||
|
diff -up openssh-8.0p1/clientloop.c.restore-nonblock openssh-8.0p1/clientloop.c
|
||||||
|
--- openssh-8.0p1/clientloop.c.restore-nonblock 2021-06-21 10:44:26.290558923 +0200
|
||||||
|
+++ openssh-8.0p1/clientloop.c 2021-06-21 10:44:26.387559665 +0200
|
||||||
|
@@ -1436,14 +1436,6 @@ client_loop(struct ssh *ssh, int have_pt
|
||||||
|
if (have_pty)
|
||||||
|
leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
|
||||||
|
|
||||||
|
- /* restore blocking io */
|
||||||
|
- if (!isatty(fileno(stdin)))
|
||||||
|
- unset_nonblock(fileno(stdin));
|
||||||
|
- if (!isatty(fileno(stdout)))
|
||||||
|
- unset_nonblock(fileno(stdout));
|
||||||
|
- if (!isatty(fileno(stderr)))
|
||||||
|
- unset_nonblock(fileno(stderr));
|
||||||
|
-
|
||||||
|
/*
|
||||||
|
* If there was no shell or command requested, there will be no remote
|
||||||
|
* exit status to be returned. In that case, clear error code if the
|
||||||
|
diff -up openssh-8.0p1/mux.c.restore-nonblock openssh-8.0p1/mux.c
|
||||||
|
--- openssh-8.0p1/mux.c.restore-nonblock 2019-04-18 00:52:57.000000000 +0200
|
||||||
|
+++ openssh-8.0p1/mux.c 2021-06-21 10:50:51.007537336 +0200
|
||||||
|
@@ -454,14 +454,6 @@ mux_master_process_new_session(struct ss
|
||||||
|
if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1)
|
||||||
|
error("%s: tcgetattr: %s", __func__, strerror(errno));
|
||||||
|
|
||||||
|
- /* enable nonblocking unless tty */
|
||||||
|
- if (!isatty(new_fd[0]))
|
||||||
|
- set_nonblock(new_fd[0]);
|
||||||
|
- if (!isatty(new_fd[1]))
|
||||||
|
- set_nonblock(new_fd[1]);
|
||||||
|
- if (!isatty(new_fd[2]))
|
||||||
|
- set_nonblock(new_fd[2]);
|
||||||
|
-
|
||||||
|
window = CHAN_SES_WINDOW_DEFAULT;
|
||||||
|
packetmax = CHAN_SES_PACKET_DEFAULT;
|
||||||
|
if (cctx->want_tty) {
|
||||||
|
@@ -471,7 +463,7 @@ mux_master_process_new_session(struct ss
|
||||||
|
|
||||||
|
nc = channel_new(ssh, "session", SSH_CHANNEL_OPENING,
|
||||||
|
new_fd[0], new_fd[1], new_fd[2], window, packetmax,
|
||||||
|
- CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0);
|
||||||
|
+ CHAN_EXTENDED_WRITE, "client-session", CHANNEL_NONBLOCK_STDIO);
|
||||||
|
|
||||||
|
nc->ctl_chan = c->self; /* link session -> control channel */
|
||||||
|
c->remote_id = nc->self; /* link control -> session channel */
|
||||||
|
@@ -1033,13 +1025,8 @@ mux_master_process_stdio_fwd(struct ssh
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* enable nonblocking unless tty */
|
||||||
|
- if (!isatty(new_fd[0]))
|
||||||
|
- set_nonblock(new_fd[0]);
|
||||||
|
- if (!isatty(new_fd[1]))
|
||||||
|
- set_nonblock(new_fd[1]);
|
||||||
|
-
|
||||||
|
- nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1]);
|
||||||
|
+ nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1],
|
||||||
|
+ CHANNEL_NONBLOCK_STDIO);
|
||||||
|
free(chost);
|
||||||
|
|
||||||
|
nc->ctl_chan = c->self; /* link session -> control channel */
|
||||||
|
diff -up openssh-8.0p1/nchan.c.restore-nonblock openssh-8.0p1/nchan.c
|
||||||
|
--- openssh-8.0p1/nchan.c.restore-nonblock 2021-06-21 10:44:26.388559673 +0200
|
||||||
|
+++ openssh-8.0p1/nchan.c 2021-06-21 10:52:42.685405537 +0200
|
||||||
|
@@ -387,7 +387,7 @@ chan_shutdown_write(struct ssh *ssh, Cha
|
||||||
|
strerror(errno));
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
- if (channel_close_fd(ssh, &c->wfd) < 0) {
|
||||||
|
+ if (channel_close_fd(ssh, c, &c->wfd) < 0) {
|
||||||
|
logit("channel %d: %s: close() failed for "
|
||||||
|
"fd %d [i%d o%d]: %.100s",
|
||||||
|
c->self, __func__, c->wfd, c->istate, c->ostate,
|
||||||
|
@@ -417,7 +417,7 @@ chan_shutdown_read(struct ssh *ssh, Chan
|
||||||
|
strerror(errno));
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
- if (channel_close_fd(ssh, &c->rfd) < 0) {
|
||||||
|
+ if (channel_close_fd(ssh, c, &c->rfd) < 0) {
|
||||||
|
logit("channel %d: %s: close() failed for "
|
||||||
|
"fd %d [i%d o%d]: %.100s",
|
||||||
|
c->self, __func__, c->rfd, c->istate, c->ostate,
|
||||||
|
@@ -437,7 +437,7 @@ chan_shutdown_extended_read(struct ssh *
|
||||||
|
debug2("channel %d: %s (i%d o%d sock %d wfd %d efd %d [%s])",
|
||||||
|
c->self, __func__, c->istate, c->ostate, c->sock, c->rfd, c->efd,
|
||||||
|
channel_format_extended_usage(c));
|
||||||
|
- if (channel_close_fd(ssh, &c->efd) < 0) {
|
||||||
|
+ if (channel_close_fd(ssh, c, &c->efd) < 0) {
|
||||||
|
logit("channel %d: %s: close() failed for "
|
||||||
|
"extended fd %d [i%d o%d]: %.100s",
|
||||||
|
c->self, __func__, c->efd, c->istate, c->ostate,
|
||||||
|
diff -up openssh-8.0p1/ssh.c.restore-nonblock openssh-8.0p1/ssh.c
|
||||||
|
--- openssh-8.0p1/ssh.c.restore-nonblock 2021-06-21 10:44:26.389559681 +0200
|
||||||
|
+++ openssh-8.0p1/ssh.c 2021-06-21 10:54:47.651377045 +0200
|
||||||
|
@@ -1709,7 +1709,8 @@ ssh_init_stdio_forwarding(struct ssh *ss
|
||||||
|
(out = dup(STDOUT_FILENO)) < 0)
|
||||||
|
fatal("channel_connect_stdio_fwd: dup() in/out failed");
|
||||||
|
if ((c = channel_connect_stdio_fwd(ssh, options.stdio_forward_host,
|
||||||
|
- options.stdio_forward_port, in, out)) == NULL)
|
||||||
|
+ options.stdio_forward_port, in, out,
|
||||||
|
+ CHANNEL_NONBLOCK_STDIO)) == NULL)
|
||||||
|
fatal("%s: channel_connect_stdio_fwd failed", __func__);
|
||||||
|
channel_register_cleanup(ssh, c->self, client_cleanup_stdio_fwd, 0);
|
||||||
|
channel_register_open_confirm(ssh, c->self, ssh_stdio_confirm, NULL);
|
||||||
|
@@ -1862,14 +1863,6 @@ ssh_session2_open(struct ssh *ssh)
|
||||||
|
if (in < 0 || out < 0 || err < 0)
|
||||||
|
fatal("dup() in/out/err failed");
|
||||||
|
|
||||||
|
- /* enable nonblocking unless tty */
|
||||||
|
- if (!isatty(in))
|
||||||
|
- set_nonblock(in);
|
||||||
|
- if (!isatty(out))
|
||||||
|
- set_nonblock(out);
|
||||||
|
- if (!isatty(err))
|
||||||
|
- set_nonblock(err);
|
||||||
|
-
|
||||||
|
window = CHAN_SES_WINDOW_DEFAULT;
|
||||||
|
packetmax = CHAN_SES_PACKET_DEFAULT;
|
||||||
|
if (tty_flag) {
|
||||||
|
@@ -1879,7 +1872,7 @@ ssh_session2_open(struct ssh *ssh)
|
||||||
|
c = channel_new(ssh,
|
||||||
|
"session", SSH_CHANNEL_OPENING, in, out, err,
|
||||||
|
window, packetmax, CHAN_EXTENDED_WRITE,
|
||||||
|
- "client-session", /*nonblock*/0);
|
||||||
|
+ "client-session", CHANNEL_NONBLOCK_STDIO);
|
||||||
|
|
||||||
|
debug3("%s: channel_new: %d", __func__, c->self);
|
||||||
|
|
16
SOURCES/openssh-8.0p1-sftp-timespeccmp.patch
Normal file
16
SOURCES/openssh-8.0p1-sftp-timespeccmp.patch
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
diff -up openssh-8.0p1/sftp.c.original openssh-8.0p1/sftp.c
|
||||||
|
--- openssh-8.0p1/sftp.c.original 2020-12-22 17:05:02.105698989 +0900
|
||||||
|
+++ openssh-8.0p1/sftp.c 2020-12-22 17:05:42.922035780 +0900
|
||||||
|
@@ -937,7 +937,11 @@ sglob_comp(const void *aa, const void *b
|
||||||
|
return (rmul * strcmp(ap, bp));
|
||||||
|
else if (sort_flag & LS_TIME_SORT) {
|
||||||
|
#if defined(HAVE_STRUCT_STAT_ST_MTIM)
|
||||||
|
- return (rmul * timespeccmp(&as->st_mtim, &bs->st_mtim, <));
|
||||||
|
+ if (timespeccmp(&as->st_mtim, &bs->st_mtim, <)){
|
||||||
|
+ return rmul;
|
||||||
|
+ } else {
|
||||||
|
+ return -rmul;
|
||||||
|
+ }
|
||||||
|
#elif defined(HAVE_STRUCT_STAT_ST_MTIME)
|
||||||
|
return (rmul * NCMP(as->st_mtime, bs->st_mtime));
|
||||||
|
#else
|
97
SOURCES/openssh-8.0p1-sshd_config.patch
Normal file
97
SOURCES/openssh-8.0p1-sshd_config.patch
Normal file
@ -0,0 +1,97 @@
|
|||||||
|
diff --git a/servconf.c b/servconf.c
|
||||||
|
index ffac5d2c..340045b2 100644
|
||||||
|
--- a/servconf.c
|
||||||
|
+++ b/servconf.c
|
||||||
|
@@ -1042,7 +1042,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
if (strcasecmp(attrib, "user") == 0) {
|
||||||
|
- if (ci == NULL) {
|
||||||
|
+ if (ci == NULL || (ci->test && ci->user == NULL)) {
|
||||||
|
result = 0;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -1054,7 +1054,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
|
||||||
|
debug("user %.100s matched 'User %.100s' at "
|
||||||
|
"line %d", ci->user, arg, line);
|
||||||
|
} else if (strcasecmp(attrib, "group") == 0) {
|
||||||
|
- if (ci == NULL) {
|
||||||
|
+ if (ci == NULL || (ci->test && ci->user == NULL)) {
|
||||||
|
result = 0;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -1067,7 +1067,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
|
||||||
|
result = 0;
|
||||||
|
}
|
||||||
|
} else if (strcasecmp(attrib, "host") == 0) {
|
||||||
|
- if (ci == NULL) {
|
||||||
|
+ if (ci == NULL || (ci->test && ci->host == NULL)) {
|
||||||
|
result = 0;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -1079,7 +1079,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
|
||||||
|
debug("connection from %.100s matched 'Host "
|
||||||
|
"%.100s' at line %d", ci->host, arg, line);
|
||||||
|
} else if (strcasecmp(attrib, "address") == 0) {
|
||||||
|
- if (ci == NULL) {
|
||||||
|
+ if (ci == NULL || (ci->test && ci->address == NULL)) {
|
||||||
|
result = 0;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -1098,7 +1098,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
} else if (strcasecmp(attrib, "localaddress") == 0){
|
||||||
|
- if (ci == NULL) {
|
||||||
|
+ if (ci == NULL || (ci->test && ci->laddress == NULL)) {
|
||||||
|
result = 0;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -1124,7 +1124,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
|
||||||
|
arg);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
- if (ci == NULL) {
|
||||||
|
+ if (ci == NULL || (ci->test && ci->lport == -1)) {
|
||||||
|
result = 0;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -1138,10 +1138,12 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
|
||||||
|
else
|
||||||
|
result = 0;
|
||||||
|
} else if (strcasecmp(attrib, "rdomain") == 0) {
|
||||||
|
- if (ci == NULL || ci->rdomain == NULL) {
|
||||||
|
+ if (ci == NULL || (ci->test && ci->rdomain == NULL)) {
|
||||||
|
result = 0;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
+ if (ci->rdomain == NULL)
|
||||||
|
+ match_test_missing_fatal("RDomain", "rdomain");
|
||||||
|
if (match_pattern_list(ci->rdomain, arg, 0) != 1)
|
||||||
|
result = 0;
|
||||||
|
else
|
||||||
|
diff --git a/servconf.h b/servconf.h
|
||||||
|
index 54e0a8d8..5483da05 100644
|
||||||
|
--- a/servconf.h
|
||||||
|
+++ b/servconf.h
|
||||||
|
@@ -221,6 +221,8 @@ struct connection_info {
|
||||||
|
const char *laddress; /* local address */
|
||||||
|
int lport; /* local port */
|
||||||
|
const char *rdomain; /* routing domain if available */
|
||||||
|
+ int test; /* test mode, allow some attributes to be
|
||||||
|
+ * unspecified */
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
diff --git a/sshd.c b/sshd.c
|
||||||
|
index cbd3bce9..1fcde502 100644
|
||||||
|
--- a/sshd.c
|
||||||
|
+++ b/sshd.c
|
||||||
|
@@ -1843,6 +1843,7 @@ main(int ac, char **av)
|
||||||
|
*/
|
||||||
|
if (connection_info == NULL)
|
||||||
|
connection_info = get_connection_info(ssh, 0, 0);
|
||||||
|
+ connection_info->test = 1;
|
||||||
|
parse_server_match_config(&options, connection_info);
|
||||||
|
dump_config(&options);
|
||||||
|
}
|
@ -66,7 +66,7 @@
|
|||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%global openssh_ver 8.0p1
|
%global openssh_ver 8.0p1
|
||||||
%global openssh_rel 5
|
%global openssh_rel 10
|
||||||
%global pam_ssh_agent_ver 0.10.3
|
%global pam_ssh_agent_ver 0.10.3
|
||||||
%global pam_ssh_agent_rel 7
|
%global pam_ssh_agent_rel 7
|
||||||
|
|
||||||
@ -230,6 +230,21 @@ Patch970: openssh-8.0p1-rdomain.patch
|
|||||||
# Do not fail X11 forwarding if IPv6 is disabled (#1662189)
|
# Do not fail X11 forwarding if IPv6 is disabled (#1662189)
|
||||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2143
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=2143
|
||||||
Patch971: openssh-8.0p1-x11-without-ipv6.patch
|
Patch971: openssh-8.0p1-x11-without-ipv6.patch
|
||||||
|
# Client window fix (#1913041)
|
||||||
|
Patch972: openssh-8.0p1-channel-limits.patch
|
||||||
|
# SFTP sort upon the modification time (#1909988)
|
||||||
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=3248
|
||||||
|
Patch973: openssh-8.0p1-sftp-timespeccmp.patch
|
||||||
|
# ssh-keygen printing fingerprint issue with Windows keys (#1901518)
|
||||||
|
Patch974: openssh-8.0p1-keygen-strip-doseol.patch
|
||||||
|
# sshd provides PAM an incorrect error code (#1879503)
|
||||||
|
Patch975: openssh-8.0p1-preserve-pam-errors.patch
|
||||||
|
# ssh incorrectly restores the blocking mode on standard output (#1942901)
|
||||||
|
Patch976: openssh-8.0p1-restore-nonblock.patch
|
||||||
|
# CVE 2020-14145
|
||||||
|
Patch977: openssh-8.0p1-cve-2020-14145.patch
|
||||||
|
# sshd -T requires -C when "Match" is used in sshd_config (#1836277)
|
||||||
|
Patch978: openssh-8.0p1-sshd_config.patch
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
Group: Applications/Internet
|
Group: Applications/Internet
|
||||||
@ -448,6 +463,13 @@ popd
|
|||||||
%patch969 -p1 -b .keygen-sha2
|
%patch969 -p1 -b .keygen-sha2
|
||||||
%patch970 -p1 -b .rdomain
|
%patch970 -p1 -b .rdomain
|
||||||
%patch971 -p1 -b .x11-ipv6
|
%patch971 -p1 -b .x11-ipv6
|
||||||
|
%patch972 -p1 -b .channel-limits
|
||||||
|
%patch973 -p1 -b .sftp-timespeccmp
|
||||||
|
%patch974 -p1 -b .keygen-strip-doseol
|
||||||
|
%patch975 -p1 -b .preserve-pam-errors
|
||||||
|
%patch976 -p1 -b .restore-nonblock
|
||||||
|
%patch977 -p1 -b .cve-2020-14145
|
||||||
|
%patch978 -p1 -b .sshd_config
|
||||||
|
|
||||||
%patch200 -p1 -b .audit
|
%patch200 -p1 -b .audit
|
||||||
%patch201 -p1 -b .audit-race
|
%patch201 -p1 -b .audit-race
|
||||||
@ -739,6 +761,28 @@ getent passwd sshd >/dev/null || \
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jun 21 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-10
|
||||||
|
- sshd -T requires -C when "Match" is used in sshd_config (#1836277)
|
||||||
|
|
||||||
|
* Wed Jun 02 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-9
|
||||||
|
- CVE-2020-14145 openssh: Observable Discrepancy leading to an information
|
||||||
|
leak in the algorithm negotiation (#1882252)
|
||||||
|
- Hostbased ssh authentication fails if session ID contains a '/' (#1944125)
|
||||||
|
|
||||||
|
* Mon Apr 26 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-8
|
||||||
|
- ssh doesn't restore the blocking mode on standard output (#1942901)
|
||||||
|
|
||||||
|
* Fri Apr 09 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-7 + 0.10.3-7
|
||||||
|
- SFTP sort upon the modification time (#1909988)
|
||||||
|
- ssh-keygen printing fingerprint issue with Windows keys (#1901518)
|
||||||
|
- PIN is lost when iterating over tokens when adding pkcs11 keys to ssh-agent (#1843372)
|
||||||
|
- ssh-agent segfaults during ssh-add -s pkcs11 (#1868996)
|
||||||
|
- ssh-copy-id could not resolve ipv6 address ends with colon (#1933517)
|
||||||
|
- sshd provides PAM an incorrect error code (#1879503)
|
||||||
|
|
||||||
|
* Tue Mar 16 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-6 + 0.10.3-7
|
||||||
|
- Openssh client window fix (#1913041)
|
||||||
|
|
||||||
* Tue Mar 24 2020 Jakub Jelen <jjelen@redhat.com> - 8.0p1-5 + 0.10.3-7
|
* Tue Mar 24 2020 Jakub Jelen <jjelen@redhat.com> - 8.0p1-5 + 0.10.3-7
|
||||||
- Do not print "no slots" warning by default (#1744220)
|
- Do not print "no slots" warning by default (#1744220)
|
||||||
- Unbreak connecting using gssapi through proxy commands (#1749862)
|
- Unbreak connecting using gssapi through proxy commands (#1749862)
|
||||||
|
Loading…
Reference in New Issue
Block a user