openssh-8.2p1-1 + 0.10.3-9

This commit is contained in:
Jakub Jelen 2020-02-17 11:57:13 +01:00
parent ee9cb005b3
commit 51f5c1c99f
25 changed files with 932 additions and 876 deletions

2
.gitignore vendored
View File

@ -38,3 +38,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/openssh-8.0p1.tar.gz.asc /openssh-8.0p1.tar.gz.asc
/openssh-8.1p1.tar.gz /openssh-8.1p1.tar.gz
/openssh-8.1p1.tar.gz.asc /openssh-8.1p1.tar.gz.asc
/openssh-8.2p1.tar.gz
/openssh-8.2p1.tar.gz.asc

View File

@ -9,7 +9,7 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
#include <gtk/gtk.h> #include <gtk/gtk.h>
#include <gdk/gdkx.h> #include <gdk/gdkx.h>
@@ -81,13 +82,24 @@ ok_dialog(GtkWidget *entry, gpointer dia @@ -81,14 +82,25 @@ ok_dialog(GtkWidget *entry, gpointer dia
gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
} }
@ -25,20 +25,21 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
+} +}
+ +
static int static int
passphrase_dialog(char *message) passphrase_dialog(char *message, int prompt_type)
{ {
const char *failed; const char *failed;
char *passphrase, *local; char *passphrase, *local;
int result, grab_tries, grab_server, grab_pointer; int result, grab_tries, grab_server, grab_pointer;
int buttons, default_response;
- GtkWidget *parent_window, *dialog, *entry; - GtkWidget *parent_window, *dialog, *entry;
+ GtkWidget *parent_window, *dialog, *entry, *progress, *hbox; + GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
GdkGrabStatus status; GdkGrabStatus status;
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL); grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
@@ -104,14 +116,32 @@ passphrase_dialog(char *message) @@ -104,16 +116,37 @@ passphrase_dialog(char *message)
"%s", gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
message);
if (prompt_type == PROMPT_ENTRY) {
+ hbox = gtk_hbox_new(FALSE, 0); + hbox = gtk_hbox_new(FALSE, 0);
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE, + gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
+ FALSE, 0); + FALSE, 0);
@ -46,15 +47,18 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
+ +
entry = gtk_entry_new(); entry = gtk_entry_new();
gtk_box_pack_start( gtk_box_pack_start(
- GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), entry, - GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))),
- FALSE, FALSE, 0); - entry, FALSE, FALSE, 0);
+ GTK_BOX(hbox), entry, + GTK_BOX(hbox), entry,
+ TRUE, FALSE, 0); + TRUE, FALSE, 0);
+ gtk_entry_set_width_chars(GTK_ENTRY(entry), 2); + gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
gtk_widget_grab_focus(entry); gtk_widget_grab_focus(entry);
gtk_widget_show(entry); gtk_widget_show(entry);
/* Make <enter> close dialog */
g_signal_connect(G_OBJECT(entry), "activate",
G_CALLBACK(ok_dialog), dialog);
+
+ hbox = gtk_hbox_new(FALSE, 0); + hbox = gtk_hbox_new(FALSE, 0);
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE, + gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
+ FALSE, 8); + FALSE, 8);
@ -66,16 +70,9 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
+ gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE, + gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
+ TRUE, 5); + TRUE, 5);
+ gtk_widget_show(progress); + gtk_widget_show(progress);
+
gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
@@ -120,6 +150,8 @@ passphrase_dialog(char *message)
gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
g_signal_connect(G_OBJECT(entry), "activate",
G_CALLBACK(ok_dialog), dialog);
+ g_signal_connect(G_OBJECT(entry), "changed", + g_signal_connect(G_OBJECT(entry), "changed",
+ G_CALLBACK(move_progress), progress); + G_CALLBACK(move_progress), progress);
+
}
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE); /* Grab focus */

View File

@ -56,8 +56,8 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
+ pmonitor->m_state = "postauth"; + pmonitor->m_state = "postauth";
+ +
monitor_set_child_handler(pmonitor->m_pid); monitor_set_child_handler(pmonitor->m_pid);
signal(SIGHUP, &monitor_child_handler); ssh_signal(SIGHUP, &monitor_child_handler);
signal(SIGTERM, &monitor_child_handler); ssh_signal(SIGTERM, &monitor_child_handler);
@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito @@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
if (log_level_name(level) == NULL) if (log_level_name(level) == NULL)
fatal("%s: invalid log level %u (corrupted message?)", fatal("%s: invalid log level %u (corrupted message?)",

View File

@ -122,7 +122,7 @@ diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config
--- openssh-7.4p1/sshd_config.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100 --- openssh-7.4p1/sshd_config.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
+++ openssh-7.4p1/sshd_config 2016-12-23 15:18:40.631216103 +0100 +++ openssh-7.4p1/sshd_config 2016-12-23 15:18:40.631216103 +0100
@@ -80,6 +80,7 @@ GSSAPIAuthentication yes @@ -80,6 +80,7 @@ GSSAPIAuthentication yes
GSSAPICleanupCredentials no #GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes #GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no #GSSAPIKeyExchange no
+#GSSAPIEnablek5users no +#GSSAPIEnablek5users no

View File

@ -7,14 +7,14 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
SSH_KEYCAT=$(libexecdir)/ssh-keycat SSH_KEYCAT=$(libexecdir)/ssh-keycat
+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest +CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@ PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@ @@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
MKDIR_P=@MKDIR_P@
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) .SUFFIXES: .lo
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
XMSS_OBJS=\ XMSS_OBJS=\
ssh-xmss.o \ ssh-xmss.o \
@ -25,8 +25,8 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o +ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) + $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+ +
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -326,6 +330,7 @@ install-files: @@ -326,6 +330,7 @@ install-files:
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \

View File

@ -41,22 +41,22 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
+SSH_KEYCAT=$(libexecdir)/ssh-keycat +SSH_KEYCAT=$(libexecdir)/ssh-keycat
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@ PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@ @@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@
GSSLIBS=@GSSLIBS@ GSSLIBS=@GSSLIBS@
SSHLIBS=@SSHLIBS@ SSHLIBS=@SSHLIBS@
SSHDLIBS=@SSHDLIBS@ SSHDLIBS=@SSHDLIBS@
+KEYCATLIBS=@KEYCATLIBS@ +KEYCATLIBS=@KEYCATLIBS@
LIBEDIT=@LIBEDIT@ LIBEDIT=@LIBEDIT@
LIBFIDO2=@LIBFIDO2@
AR=@AR@ AR=@AR@
AWK=@AWK@
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@ @@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
MKDIR_P=@MKDIR_P@
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) .SUFFIXES: .lo
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
XMSS_OBJS=\ XMSS_OBJS=\
ssh-xmss.o \ ssh-xmss.o \
@ -67,8 +67,8 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o +ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS) + $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
+ +
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -321,6 +325,7 @@ install-files: @@ -321,6 +325,7 @@ install-files:
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \

View File

@ -217,7 +217,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions @@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
*activep = value; *activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
break; break;
+ case sKerberosUseKuserok: + case sKerberosUseKuserok:
@ -286,4 +286,4 @@ diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config
+#KerberosUseKuserok yes +#KerberosUseKuserok yes
# GSSAPI options # GSSAPI options
GSSAPIAuthentication yes #GSSAPIAuthentication no

View File

@ -136,11 +136,11 @@ diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100 --- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100 +++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
@@ -224,7 +224,7 @@ killchild(int signo) @@ -224,7 +224,7 @@ killchild(int signo)
{ pid = sshpid;
if (sshpid > 1) { if (pid > 1) {
kill(sshpid, SIGTERM); kill(pid, SIGTERM);
- waitpid(sshpid, NULL, 0); - waitpid(pid, NULL, 0);
+ (void) waitpid(sshpid, NULL, 0); + (void) waitpid(pid, NULL, 0);
} }
_exit(1); _exit(1);

View File

@ -7,14 +7,14 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
CTR_CAVSTEST=$(libexecdir)/ctr-cavstest CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
+SSH_CAVS=$(libexecdir)/ssh-cavs +SSH_CAVS=$(libexecdir)/ssh-cavs
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@ PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@ @@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@
MKDIR_P=@MKDIR_P@
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) .SUFFIXES: .lo
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
XMSS_OBJS=\ XMSS_OBJS=\
ssh-xmss.o \ ssh-xmss.o \
@ -22,11 +22,11 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o +ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS)
+ $(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ +
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -331,6 +335,8 @@ install-files: @@ -331,6 +335,8 @@ install-files:
fi fi

View File

@ -134,52 +134,54 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper +SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper +SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@ PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -50,6 +50,7 @@ @@ -50,6 +50,7 @@
CFLAGS=@CFLAGS@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
PICFLAG=@PICFLAG@
LIBS=@LIBS@ LIBS=@LIBS@
+LDAPLIBS=@LDAPLIBS@ +LDAPLIBS=@LDAPLIBS@
K5LIBS=@K5LIBS@ K5LIBS=@K5LIBS@
GSSLIBS=@GSSLIBS@ GSSLIBS=@GSSLIBS@
SSHLIBS=@SSHLIBS@ SSHLIBS=@SSHLIBS@
@@ -61,8 +63,9 @@ XAUTH_PATH=@XAUTH_PATH@ @@ -61,10 +63,11 @@ XAUTH_PATH=@XAUTH_PATH@
EXEEXT=@EXEEXT@ EXEEXT=@EXEEXT@
MANFMT=@MANFMT@ MANFMT=@MANFMT@
MKDIR_P=@MKDIR_P@ MKDIR_P=@MKDIR_P@
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ +INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) .SUFFIXES: .lo
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT)
XMSS_OBJS=\ XMSS_OBJS=\
ssh-xmss.o \ ssh-xmss.o \
@@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw @@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
sandbox-solaris.o uidswap.o
-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out SFTP_OBJS= sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out
+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5 -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5
+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
MANTYPE = @MANTYPE@ MANTYPE = @MANTYPE@
CONFIGFILES=sshd_config.out ssh_config.out moduli.out CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -184,6 +187,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss @@ -184,6 +187,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS) + $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS)
+ +
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -311,6 +317,10 @@ install-files: @@ -311,6 +317,10 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \ + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
+ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ + $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
+ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ + $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
@ -188,9 +190,9 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
@@ -327,6 +337,10 @@ install-files: @@ -327,6 +337,10 @@ install-files:
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
$(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \ + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
+ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \ + $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
+ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \ + $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
@ -213,18 +215,18 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
host-key: ssh-keygen$(EXEEXT) host-key: ssh-keygen$(EXEEXT)
@if [ -z "$(DESTDIR)" ] ; then \ @if [ -z "$(DESTDIR)" ] ; then \
@@ -419,6 +440,8 @@ uninstall: @@ -419,6 +440,8 @@ uninstall:
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
+ -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT) + -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
+ -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT) + -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
@@ -430,6 +453,7 @@ uninstall: @@ -430,6 +453,7 @@ uninstall:
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
regress-prep: regress-prep:
@ -233,8 +235,8 @@ diff -up openssh-6.8p1/configure.ac.ldap openssh-6.8p1/configure.ac
--- openssh-6.8p1/configure.ac.ldap 2015-03-17 06:49:20.000000000 +0100 --- openssh-6.8p1/configure.ac.ldap 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/configure.ac 2015-03-18 11:11:29.030801464 +0100 +++ openssh-6.8p1/configure.ac 2015-03-18 11:11:29.030801464 +0100
@@ -1605,6 +1605,110 @@ if test "x$use_pie" != "xno"; then @@ -1605,6 +1605,110 @@ if test "x$use_pie" != "xno"; then
fi CFLAGS="$SAVED_CFLAGS"
fi AC_SUBST([PICFLAG])
+# Check whether user wants LDAP support +# Check whether user wants LDAP support
+LDAP_MSG="no" +LDAP_MSG="no"

View File

@ -3,8 +3,8 @@ diff -up openssh/servconf.c.sshdt openssh/servconf.c
+++ openssh/servconf.c 2015-06-24 11:44:39.734745802 +0200 +++ openssh/servconf.c 2015-06-24 11:44:39.734745802 +0200
@@ -2317,7 +2317,7 @@ dump_config(ServerOptions *o) @@ -2317,7 +2317,7 @@ dump_config(ServerOptions *o)
dump_cfg_string(sXAuthLocation, o->xauth_location); dump_cfg_string(sXAuthLocation, o->xauth_location);
dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT); dump_cfg_string(sCiphers, o->ciphers);
dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC); dump_cfg_string(sMacs, o->macs);
- dump_cfg_string(sBanner, o->banner); - dump_cfg_string(sBanner, o->banner);
+ dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none"); + dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
dump_cfg_string(sForceCommand, o->adm_forced_command); dump_cfg_string(sForceCommand, o->adm_forced_command);

View File

@ -747,20 +747,21 @@ diff -up openssh/auth2-hostbased.c.audit openssh/auth2-hostbased.c
chost, key)) && chost, key)) &&
- PRIVSEP(sshkey_verify(key, sig, slen, - PRIVSEP(sshkey_verify(key, sig, slen,
+ PRIVSEP(hostbased_key_verify(ssh, key, sig, slen, + PRIVSEP(hostbased_key_verify(ssh, key, sig, slen,
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat)) == 0) sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL)) == 0)
authenticated = 1; authenticated = 1;
@@ -175,6 +175,19 @@ done: @@ -175,6 +175,20 @@ done:
return authenticated; return authenticated;
} }
+int +int
+hostbased_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, +hostbased_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig,
+ size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat) + size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat,
+ struct sshkey_sig_details **detailsp)
+{ +{
+ int rv; + int rv;
+ +
+ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat); + rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat, detailsp);
+#ifdef SSH_AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS
+ audit_key(ssh, 0, &rv, key); + audit_key(ssh, 0, &rv, key);
+#endif +#endif
@ -781,18 +782,19 @@ diff -up openssh/auth2-pubkey.c.audit openssh/auth2-pubkey.c
+ PRIVSEP(user_key_verify(ssh, key, sig, slen, + PRIVSEP(user_key_verify(ssh, key, sig, slen,
sshbuf_ptr(b), sshbuf_len(b), sshbuf_ptr(b), sshbuf_len(b),
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL, (ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
ssh->compat)) == 0) { ssh->compat, &sig_details)) == 0) {
@@ -278,6 +278,19 @@ done: @@ -278,6 +278,20 @@ done:
return authenticated; return authenticated;
} }
+int +int
+user_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, +user_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig,
+ size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat) + size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat,
+ struct sshkey_sig_details **detailsp)
+{ +{
+ int rv; + int rv;
+ +
+ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat); + rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat, detailsp);
+#ifdef SSH_AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS
+ audit_key(ssh, 1, &rv, key); + audit_key(ssh, 1, &rv, key);
+#endif +#endif
@ -832,7 +834,7 @@ diff -up openssh/auth.h.audit openssh/auth.h
char *expand_authorized_keys(const char *, struct passwd *pw); char *expand_authorized_keys(const char *, struct passwd *pw);
char *authorized_principals_file(struct passwd *); char *authorized_principals_file(struct passwd *);
+int user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t, +int user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
+ const u_char *, size_t, const char *, u_int); + const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
FILE *auth_openkeyfile(const char *, struct passwd *, int); FILE *auth_openkeyfile(const char *, struct passwd *, int);
FILE *auth_openprincipals(const char *, struct passwd *, int); FILE *auth_openprincipals(const char *, struct passwd *, int);
@ -841,7 +843,7 @@ diff -up openssh/auth.h.audit openssh/auth.h
int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *, int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
u_char **, size_t *, const u_char *, size_t, const char *); u_char **, size_t *, const u_char *, size_t, const char *);
+int hostbased_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t, +int hostbased_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
+ const u_char *, size_t, const char *, u_int); + const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
/* Key / cert options linkage to auth layer */ /* Key / cert options linkage to auth layer */
const struct sshauthopt *auth_options(struct ssh *); const struct sshauthopt *auth_options(struct ssh *);
@ -973,9 +975,9 @@ diff -up openssh/kex.c.audit openssh/kex.c
+#endif +#endif
return SSH_ERR_NO_COMPRESS_ALG_MATCH; return SSH_ERR_NO_COMPRESS_ALG_MATCH;
+ } + }
#ifdef WITH_ZLIB
if (strcmp(name, "zlib@openssh.com") == 0) { if (strcmp(name, "zlib@openssh.com") == 0) {
comp->type = COMP_DELAYED; comp->type = COMP_DELAYED;
} else if (strcmp(name, "zlib") == 0) {
@@ -933,7 +946,7 @@ kex_choose_conf(struct ssh *ssh) @@ -933,7 +946,7 @@ kex_choose_conf(struct ssh *ssh)
nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
@ -1091,16 +1093,15 @@ diff -up openssh/mac.h.audit openssh/mac.h
diff -up openssh/Makefile.in.audit openssh/Makefile.in diff -up openssh/Makefile.in.audit openssh/Makefile.in
--- openssh/Makefile.in.audit 2019-04-03 17:02:20.705885965 +0200 --- openssh/Makefile.in.audit 2019-04-03 17:02:20.705885965 +0200
+++ openssh/Makefile.in 2019-04-03 17:02:20.715886060 +0200 +++ openssh/Makefile.in 2019-04-03 17:02:20.715886060 +0200
@@ -109,7 +109,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ @@ -109,7 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
kexgexc.o kexgexs.o \
sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \ sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
kexgssc.o \ kexgssc.o \
- platform-pledge.o platform-tracing.o platform-misc.o sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
+ platform-pledge.o platform-tracing.o platform-misc.o \ - sshbuf-io.o
+ auditstub.o + sshbuf-io.o auditstub.o
SKOBJS= ssh-sk-client.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
diff -up openssh/monitor.c.audit openssh/monitor.c diff -up openssh/monitor.c.audit openssh/monitor.c
--- openssh/monitor.c.audit 2019-04-03 17:02:20.674885671 +0200 --- openssh/monitor.c.audit 2019-04-03 17:02:20.674885671 +0200
+++ openssh/monitor.c 2019-04-03 17:03:17.201421405 +0200 +++ openssh/monitor.c 2019-04-03 17:03:17.201421405 +0200
@ -1111,7 +1112,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
+#include "audit.h" +#include "audit.h"
#include "match.h" #include "match.h"
#include "ssherr.h" #include "ssherr.h"
#include "sk-api.h"
@@ -107,6 +108,8 @@ extern u_char session_id[]; @@ -107,6 +108,8 @@ extern u_char session_id[];
extern struct sshbuf *loginmsg; extern struct sshbuf *loginmsg;
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */ extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
@ -1157,16 +1158,16 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
{0, 0, NULL} {0, 0, NULL}
}; };
@@ -1445,8 +1462,10 @@ mm_answer_keyverify(struct ssh *ssh, int @@ -1445,8 +1462,10 @@ mm_answer_keyverify(struct ssh *ssh, int
char *sigalg;
size_t signaturelen, datalen, bloblen; size_t signaturelen, datalen, bloblen;
int r, ret, valid_data = 0, encoded_ret; int r, ret, req_presence = 0, valid_data = 0, encoded_ret;
struct sshkey_sig_details *sig_details = NULL;
+ int type = 0; + int type = 0;
- if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 || - if ((r = sshbuf_get_string_direct(m, &blob, &bloblen)) != 0 ||
+ if ((r = sshbuf_get_u32(m, &type)) != 0 || + if ((r = sshbuf_get_u32(m, &type)) != 0 ||
+ (r = sshbuf_get_string(m, &blob, &bloblen)) != 0 || + (r = sshbuf_get_string_direct(m, &blob, &bloblen)) != 0 ||
(r = sshbuf_get_string(m, &signature, &signaturelen)) != 0 || (r = sshbuf_get_string_direct(m, &signature, &signaturelen)) != 0 ||
(r = sshbuf_get_string(m, &data, &datalen)) != 0 || (r = sshbuf_get_string_direct(m, &data, &datalen)) != 0 ||
(r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0) (r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0)
@@ -1455,6 +1474,8 @@ mm_answer_keyverify(struct ssh *ssh, int @@ -1455,6 +1474,8 @@ mm_answer_keyverify(struct ssh *ssh, int
if (hostbased_cuser == NULL || hostbased_chost == NULL || if (hostbased_cuser == NULL || hostbased_chost == NULL ||
@ -1177,19 +1178,19 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
/* Empty signature algorithm means NULL. */ /* Empty signature algorithm means NULL. */
if (*sigalg == '\0') { if (*sigalg == '\0') {
@@ -1470,21 +1491,24 @@ mm_answer_keyverify(struct ssh *ssh, int @@ -1470,25 +1491,28 @@ mm_answer_keyverify(struct ssh *ssh, int
case MM_USERKEY: case MM_USERKEY:
valid_data = monitor_valid_userblob(data, datalen); valid_data = monitor_valid_userblob(data, datalen);
auth_method = "publickey"; auth_method = "publickey";
+ ret = user_key_verify(ssh, key, signature, signaturelen, data, + ret = user_key_verify(ssh, key, signature, signaturelen, data,
+ datalen, sigalg, ssh->compat); + datalen, sigalg, ssh->compat, &sig_details);
break; break;
case MM_HOSTKEY: case MM_HOSTKEY:
valid_data = monitor_valid_hostbasedblob(data, datalen, valid_data = monitor_valid_hostbasedblob(data, datalen,
hostbased_cuser, hostbased_chost); hostbased_cuser, hostbased_chost);
+ ret = hostbased_key_verify(ssh, key, signature, signaturelen, data,
+ datalen, sigalg, ssh->compat);
auth_method = "hostbased"; auth_method = "hostbased";
+ ret = hostbased_key_verify(ssh, key, signature, signaturelen, data,
+ datalen, sigalg, ssh->compat, &sig_details);
break; break;
default: default:
valid_data = 0; valid_data = 0;
@ -1199,11 +1200,15 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
if (!valid_data) if (!valid_data)
fatal("%s: bad signature data blob", __func__); fatal("%s: bad signature data blob", __func__);
if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
SSH_FP_DEFAULT)) == NULL)
fatal("%s: sshkey_fingerprint failed", __func__);
- ret = sshkey_verify(key, signature, signaturelen, data, datalen, - ret = sshkey_verify(key, signature, signaturelen, data, datalen,
- sigalg, ssh->compat); - sigalg, ssh->compat, &sig_details);
debug3("%s: %s %p signature %s", __func__, auth_method, key, debug3("%s: %s %p signature %s%s%s", __func__, auth_method, key,
(ret == 0) ? "verified" : "unverified"); (ret == 0) ? "verified" : "unverified",
auth2_record_key(authctxt, ret == 0, key); (ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
@@ -1536,13 +1560,19 @@ mm_record_login(struct ssh *ssh, Session @@ -1536,13 +1560,19 @@ mm_record_login(struct ssh *ssh, Session
} }
@ -1459,11 +1464,11 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
int int
-mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen, -mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
+mm_sshkey_verify(enum mm_keytype type, const struct sshkey *key, const u_char *sig, size_t siglen, +mm_sshkey_verify(enum mm_keytype type, const struct sshkey *key, const u_char *sig, size_t siglen,
const u_char *data, size_t datalen, const char *sigalg, u_int compat) const u_char *data, size_t datalen, const char *sigalg, u_int compat,
struct sshkey_sig_details **sig_detailsp)
{ {
struct sshbuf *m;
@@ -525,7 +525,8 @@ mm_sshkey_verify(const struct sshkey *ke @@ -525,7 +525,8 @@ mm_sshkey_verify(const struct sshkey *ke
*sig_detailsp = NULL;
if ((m = sshbuf_new()) == NULL) if ((m = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__); fatal("%s: sshbuf_new failed", __func__);
- if ((r = sshkey_puts(key, m)) != 0 || - if ((r = sshkey_puts(key, m)) != 0 ||
@ -1472,22 +1477,24 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
(r = sshbuf_put_string(m, sig, siglen)) != 0 || (r = sshbuf_put_string(m, sig, siglen)) != 0 ||
(r = sshbuf_put_string(m, data, datalen)) != 0 || (r = sshbuf_put_string(m, data, datalen)) != 0 ||
(r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0) (r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0)
@@ -547,6 +548,20 @@ mm_sshkey_verify(const struct sshkey *ke @@ -547,6 +548,22 @@ mm_sshkey_verify(const struct sshkey *ke
return 0; return 0;
} }
+int +int
+mm_hostbased_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, size_t siglen, +mm_hostbased_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, size_t siglen,
+ const u_char *data, size_t datalen, const char *pkalg, u_int compat) + const u_char *data, size_t datalen, const char *pkalg, u_int compat,
+ struct sshkey_sig_details **detailsp)
+{ +{
+ return mm_sshkey_verify(MM_HOSTKEY, key, sig, siglen, data, datalen, pkalg, compat); + return mm_sshkey_verify(MM_HOSTKEY, key, sig, siglen, data, datalen, pkalg, compat, detailsp);
+} +}
+ +
+int +int
+mm_user_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, size_t siglen, +mm_user_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, size_t siglen,
+ const u_char *data, size_t datalen, const char *pkalg, u_int compat) + const u_char *data, size_t datalen, const char *pkalg, u_int compat,
+ struct sshkey_sig_details **detailsp)
+{ +{
+ return mm_sshkey_verify(MM_USERKEY, key, sig, siglen, data, datalen, pkalg, compat); + return mm_sshkey_verify(MM_USERKEY, key, sig, siglen, data, datalen, pkalg, compat, detailsp);
+} +}
+ +
void void
@ -1632,9 +1639,9 @@ diff -up openssh/monitor_wrap.h.audit openssh/monitor_wrap.h
const char *, struct sshkey *); const char *, struct sshkey *);
-int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t, -int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
+int mm_hostbased_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t, +int mm_hostbased_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
+ const u_char *, size_t, const char *, u_int); + const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
+int mm_user_key_verify(struct ssh*, const struct sshkey *, const u_char *, size_t, +int mm_user_key_verify(struct ssh*, const struct sshkey *, const u_char *, size_t,
const u_char *, size_t, const char *, u_int); const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
#ifdef GSSAPI #ifdef GSSAPI
@@ -82,7 +84,12 @@ void mm_sshpam_free_ctx(void *); @@ -82,7 +84,12 @@ void mm_sshpam_free_ctx(void *);
@ -1655,7 +1662,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
--- openssh/packet.c.audit 2019-03-27 23:26:14.000000000 +0100 --- openssh/packet.c.audit 2019-03-27 23:26:14.000000000 +0100
+++ openssh/packet.c 2019-04-03 17:02:20.716886069 +0200 +++ openssh/packet.c 2019-04-03 17:02:20.716886069 +0200
@@ -77,6 +77,7 @@ @@ -77,6 +77,7 @@
#include <zlib.h> #endif
#include "xmalloc.h" #include "xmalloc.h"
+#include "audit.h" +#include "audit.h"
@ -1705,7 +1712,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
kex_free_newkeys(state->newkeys[mode]); /* current keys */ kex_free_newkeys(state->newkeys[mode]); /* current keys */
state->newkeys[mode] = NULL; state->newkeys[mode] = NULL;
@@ -636,8 +641,18 @@ ssh_packet_close_internal(struct ssh *ss @@ -636,8 +641,18 @@ ssh_packet_close_internal(struct ssh *ss
} #endif /* WITH_ZLIB */
cipher_free(state->send_context); cipher_free(state->send_context);
cipher_free(state->receive_context); cipher_free(state->receive_context);
+ if (had_keys && state->server_side) { + if (had_keys && state->server_side) {
@ -2041,7 +2048,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
+void demote_sensitive_data(struct ssh *); +void demote_sensitive_data(struct ssh *);
static void do_ssh2_kex(struct ssh *); static void do_ssh2_kex(struct ssh *);
/* static char *listener_proctitle;
@@ -278,6 +279,15 @@ close_listen_socks(void) @@ -278,6 +279,15 @@ close_listen_socks(void)
num_listen_socks = -1; num_listen_socks = -1;
} }
@ -2314,5 +2321,5 @@ diff -up openssh/sshkey.h.audit openssh/sshkey.h
int sshkey_type_from_name(const char *); int sshkey_type_from_name(const char *);
+int sshkey_is_private(const struct sshkey *); +int sshkey_is_private(const struct sshkey *);
int sshkey_is_cert(const struct sshkey *); int sshkey_is_cert(const struct sshkey *);
int sshkey_is_sk(const struct sshkey *);
int sshkey_type_is_cert(int); int sshkey_type_is_cert(int);
int sshkey_type_plain(int);

View File

@ -11,19 +11,6 @@ diff -up openssh-8.0p1/cipher-ctr.c.fips openssh-8.0p1/cipher-ctr.c
#endif #endif
return (&aes_ctr); return (&aes_ctr);
} }
diff -up openssh-8.0p1/clientloop.c.fips openssh-8.0p1/clientloop.c
--- openssh-8.0p1/clientloop.c.fips 2019-07-23 14:55:45.331525692 +0200
+++ openssh-8.0p1/clientloop.c 2019-07-23 14:55:45.401526401 +0200
@@ -2049,7 +2049,8 @@ key_accepted_by_hostkeyalgs(const struct
{
const char *ktype = sshkey_ssh_name(key);
const char *hostkeyalgs = options.hostkeyalgorithms != NULL ?
- options.hostkeyalgorithms : KEX_DEFAULT_PK_ALG;
+ options.hostkeyalgorithms : (FIPS_mode() ?
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG);
if (key == NULL || key->type == KEY_UNSPEC)
return 0;
diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
--- openssh-8.0p1/dh.c.fips 2019-04-18 00:52:57.000000000 +0200 --- openssh-8.0p1/dh.c.fips 2019-04-18 00:52:57.000000000 +0200
+++ openssh-8.0p1/dh.c 2019-07-23 14:55:45.401526401 +0200 +++ openssh-8.0p1/dh.c 2019-07-23 14:55:45.401526401 +0200
@ -141,126 +128,113 @@ diff -up openssh-8.0p1/Makefile.in.fips openssh-8.0p1/Makefile.in
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
$(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS)
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS)
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS)
- $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSIGN_OBJS)
- $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -216,7 +216,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a @@ -216,7 +216,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
$(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) - $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) + $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
$(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
--- openssh-8.0p1/myproposal.h.fips 2019-04-18 00:52:57.000000000 +0200 --- openssh-8.0p1/myproposal.h.fips 2019-04-18 00:52:57.000000000 +0200
+++ openssh-8.0p1/myproposal.h 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.0p1/myproposal.h 2019-07-23 14:55:45.402526411 +0200
@@ -111,6 +111,16 @@ @@ -111,6 +111,20 @@
"rsa-sha2-256," \ "rsa-sha2-256," \
"ssh-rsa" "ssh-rsa"
+#define KEX_FIPS_PK_ALG \ +#define KEX_FIPS_PK_ALG \
+ HOSTKEY_ECDSA_CERT_METHODS \ + "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
+ "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
+ "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
+ "rsa-sha2-512-cert-v01@openssh.com," \ + "rsa-sha2-512-cert-v01@openssh.com," \
+ "rsa-sha2-256-cert-v01@openssh.com," \ + "rsa-sha2-256-cert-v01@openssh.com," \
+ "ssh-rsa-cert-v01@openssh.com," \ + "ssh-rsa-cert-v01@openssh.com," \
+ HOSTKEY_ECDSA_METHODS \ + "ecdsa-sha2-nistp256," \
+ "ecdsa-sha2-nistp384," \
+ "ecdsa-sha2-nistp521," \
+ "rsa-sha2-512," \ + "rsa-sha2-512," \
+ "rsa-sha2-256," \ + "rsa-sha2-256," \
+ "ssh-rsa" + "ssh-rsa"
+ +
/* the actual algorithms */
#define KEX_SERVER_ENCRYPT \ #define KEX_SERVER_ENCRYPT \
@@ -134,6 +142,38 @@ "chacha20-poly1305@openssh.com," \
"aes128-ctr,aes192-ctr,aes256-ctr," \
@@ -134,6 +142,27 @@
#define KEX_CLIENT_MAC KEX_SERVER_MAC #define KEX_CLIENT_MAC KEX_SERVER_MAC
+#define KEX_FIPS_ENCRYPT \ +#define KEX_FIPS_ENCRYPT \
+ "aes128-ctr,aes192-ctr,aes256-ctr," \ + "aes128-ctr,aes192-ctr,aes256-ctr," \
+ "aes128-cbc,3des-cbc," \ + "aes128-cbc,3des-cbc," \
+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se" \ + "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
+ AESGCM_CIPHER_MODES + "aes128-gcm@openssh.com,aes256-gcm@openssh.com"
+#ifdef HAVE_EVP_SHA256 +#define KEX_DEFAULT_KEX_FIPS \
+# define KEX_DEFAULT_KEX_FIPS \ + "ecdh-sha2-nistp256," \
+ KEX_ECDH_METHODS \ + "ecdh-sha2-nistp384," \
+ KEX_SHA2_METHODS \ + "ecdh-sha2-nistp521," \
+ "diffie-hellman-group-exchange-sha256," \
+ "diffie-hellman-group16-sha512," \
+ "diffie-hellman-group18-sha512," \
+ "diffie-hellman-group14-sha256" + "diffie-hellman-group14-sha256"
+# define KEX_FIPS_MAC \ +#define KEX_FIPS_MAC \
+ "hmac-sha1," \ + "hmac-sha1," \
+ "hmac-sha2-256," \ + "hmac-sha2-256," \
+ "hmac-sha2-512," \ + "hmac-sha2-512," \
+ "hmac-sha1-etm@openssh.com," \ + "hmac-sha1-etm@openssh.com," \
+ "hmac-sha2-256-etm@openssh.com," \ + "hmac-sha2-256-etm@openssh.com," \
+ "hmac-sha2-512-etm@openssh.com" + "hmac-sha2-512-etm@openssh.com"
+#else
+# ifdef OPENSSL_HAS_NISTP521
+# define KEX_DEFAULT_KEX_FIPS \
+ "ecdh-sha2-nistp256," \
+ "ecdh-sha2-nistp384," \
+ "ecdh-sha2-nistp521"
+# else
+# define KEX_DEFAULT_KEX_FIPS \
+ "ecdh-sha2-nistp256," \
+ "ecdh-sha2-nistp384"
+# endif
+#define KEX_FIPS_MAC \
+ "hmac-sha1"
+#endif
+ +
/* Not a KEX value, but here so all the algorithm defaults are together */ /* Not a KEX value, but here so all the algorithm defaults are together */
#define SSH_ALLOWED_CA_SIGALGS \ #define SSH_ALLOWED_CA_SIGALGS \
HOSTKEY_ECDSA_METHODS \ "ecdsa-sha2-nistp256," \
diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
--- openssh-8.0p1/readconf.c.fips 2019-07-23 14:55:45.334525723 +0200 --- openssh-8.0p1/readconf.c.fips 2019-07-23 14:55:45.334525723 +0200
+++ openssh-8.0p1/readconf.c 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.0p1/readconf.c 2019-07-23 14:55:45.402526411 +0200
@@ -2179,18 +2179,19 @@ fill_default_options(Options * options) @@ -2179,11 +2179,16 @@ fill_default_options(Options * options)
all_kex = kex_alg_list(',');
all_key = sshkey_alg_list(0, 0, 1, ','); all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ',');
-#define ASSEMBLE(what, defaults, all) \ /* remove unsupported algos from default lists */
+#define ASSEMBLE(what, defaults, fips_defaults, all) \ - def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher);
- def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac);
- def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex);
- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
+ def_cipher = match_filter_whitelist((FIPS_mode() ?
+ KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher);
+ def_mac = match_filter_whitelist((FIPS_mode() ?
+ KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac);
+ def_kex = match_filter_whitelist((FIPS_mode() ?
+ KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex);
+ def_key = match_filter_whitelist((FIPS_mode() ?
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
+ def_sig = match_filter_whitelist((FIPS_mode() ?
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
#define ASSEMBLE(what, defaults, all) \
do { \ do { \
if ((r = kex_assemble_names(&options->what, \ if ((r = kex_assemble_names(&options->what, \
- defaults, all)) != 0) \
+ (FIPS_mode() ? fips_defaults : defaults), \
+ all)) != 0) \
fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
} while (0)
- ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher);
- ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac);
- ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex);
- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
+ ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
+ ASSEMBLE(macs, KEX_CLIENT_MAC, KEX_FIPS_MAC, all_mac);
+ ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
#undef ASSEMBLE
free(all_cipher);
free(all_mac);
diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-seccomp-filter.c diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-seccomp-filter.c
--- openssh-8.0p1/sandbox-seccomp-filter.c.fips 2019-07-23 14:55:45.373526117 +0200 --- openssh-8.0p1/sandbox-seccomp-filter.c.fips 2019-07-23 14:55:45.373526117 +0200
+++ openssh-8.0p1/sandbox-seccomp-filter.c 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.0p1/sandbox-seccomp-filter.c 2019-07-23 14:55:45.402526411 +0200
@ -277,35 +251,28 @@ diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-secco
diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
--- openssh-8.0p1/servconf.c.fips 2019-07-23 14:55:45.361525996 +0200 --- openssh-8.0p1/servconf.c.fips 2019-07-23 14:55:45.361525996 +0200
+++ openssh-8.0p1/servconf.c 2019-07-23 14:55:45.403526421 +0200 +++ openssh-8.0p1/servconf.c 2019-07-23 14:55:45.403526421 +0200
@@ -208,18 +208,19 @@ assemble_algorithms(ServerOptions *o) @@ -208,11 +208,16 @@ assemble_algorithms(ServerOptions *o)
all_kex = kex_alg_list(',');
all_key = sshkey_alg_list(0, 0, 1, ','); all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ',');
-#define ASSEMBLE(what, defaults, all) \ /* remove unsupported algos from default lists */
+#define ASSEMBLE(what, defaults, fips_defaults, all) \ - def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher);
- def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac);
- def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex);
- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
+ def_cipher = match_filter_whitelist((FIPS_mode() ?
+ KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher);
+ def_mac = match_filter_whitelist((FIPS_mode() ?
+ KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac);
+ def_kex = match_filter_whitelist((FIPS_mode() ?
+ KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex);
+ def_key = match_filter_whitelist((FIPS_mode() ?
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
+ def_sig = match_filter_whitelist((FIPS_mode() ?
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
#define ASSEMBLE(what, defaults, all) \
do { \ do { \
- if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \ if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
+ if ((r = kex_assemble_names(&o->what, (FIPS_mode() \
+ ? fips_defaults : defaults), all)) != 0) \
fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
} while (0)
- ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher);
- ASSEMBLE(macs, KEX_SERVER_MAC, all_mac);
- ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
- ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
+ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
+ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
+ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
+ ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
#undef ASSEMBLE
free(all_cipher);
free(all_mac);
diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c
--- openssh-8.0p1/ssh.c.fips 2019-07-23 14:55:45.378526168 +0200 --- openssh-8.0p1/ssh.c.fips 2019-07-23 14:55:45.378526168 +0200
+++ openssh-8.0p1/ssh.c 2019-07-23 14:55:45.403526421 +0200 +++ openssh-8.0p1/ssh.c 2019-07-23 14:55:45.403526421 +0200
@ -358,35 +325,6 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
#include "xmalloc.h" #include "xmalloc.h"
@@ -115,7 +117,8 @@ order_hostkeyalgs(char *host, struct soc
for (i = 0; i < options.num_system_hostfiles; i++)
load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
+ oavail = avail = xstrdup((FIPS_mode()
+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
maxlen = strlen(avail) + 1;
first = xmalloc(maxlen);
last = xmalloc(maxlen);
@@ -182,14 +185,16 @@ ssh_kex2(struct ssh *ssh, char *host, st
if (options.hostkeyalgorithms != NULL) {
all_key = sshkey_alg_list(0, 0, 1, ',');
if (kex_assemble_names(&options.hostkeyalgorithms,
- KEX_DEFAULT_PK_ALG, all_key) != 0)
+ (FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG),
+ all_key) != 0)
fatal("%s: kex_assemble_namelist", __func__);
free(all_key);
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
compat_pkalg_proposal(options.hostkeyalgorithms);
} else {
/* Enforce default */
- options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
+ options.hostkeyalgorithms = xstrdup((FIPS_mode()
+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
/* Prefer algorithms that we already have keys for */
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
compat_pkalg_proposal(
@@ -198,29 +203,34 @@ ssh_kex2(struct ssh *ssh, char *host, st @@ -198,29 +203,34 @@ ssh_kex2(struct ssh *ssh, char *host, st
#if defined(GSSAPI) && defined(WITH_OPENSSL) #if defined(GSSAPI) && defined(WITH_OPENSSL)
@ -530,9 +468,9 @@ diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
#include "sshkey.h" #include "sshkey.h"
#include "match.h" #include "match.h"
+#include "log.h" +#include "log.h"
#include "ssh-sk.h"
#ifdef WITH_XMSS #ifdef WITH_XMSS
#include "sshkey-xmss.h"
@@ -1591,6 +1593,8 @@ rsa_generate_private_key(u_int bits, RSA @@ -1591,6 +1593,8 @@ rsa_generate_private_key(u_int bits, RSA
} }
if (!BN_set_word(f4, RSA_F4) || if (!BN_set_word(f4, RSA_F4) ||

View File

@ -1,7 +1,7 @@
diff -up openssh-7.7p1/ssh_config.redhat openssh-7.7p1/ssh_config diff -up openssh/ssh_config.redhat openssh/ssh_config
--- openssh-7.7p1/ssh_config.redhat 2018-04-02 07:38:28.000000000 +0200 --- openssh/ssh_config.redhat 2020-02-11 23:28:35.000000000 +0100
+++ openssh-7.7p1/ssh_config 2018-07-03 10:44:06.522245125 +0200 +++ openssh/ssh_config 2020-02-13 18:13:39.180641839 +0100
@@ -44,3 +44,7 @@ @@ -43,3 +43,7 @@
# VisualHostKey no # VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com # ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h # RekeyLimit 1G 1h
@ -9,9 +9,9 @@ diff -up openssh-7.7p1/ssh_config.redhat openssh-7.7p1/ssh_config
+# To modify the system-wide ssh configuration, create a *.conf file under +# To modify the system-wide ssh configuration, create a *.conf file under
+# /etc/ssh/ssh_config.d/ which will be automatically included below +# /etc/ssh/ssh_config.d/ which will be automatically included below
+Include /etc/ssh/ssh_config.d/*.conf +Include /etc/ssh/ssh_config.d/*.conf
diff -up openssh-7.7p1/ssh_config_redhat.redhat openssh-7.7p1/ssh_config_redhat diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat
--- openssh-7.7p1/ssh_config_redhat.redhat 2018-07-03 10:44:06.522245125 +0200 --- openssh/ssh_config_redhat.redhat 2020-02-13 18:13:39.180641839 +0100
+++ openssh-7.7p1/ssh_config_redhat 2018-07-03 10:44:06.522245125 +0200 +++ openssh/ssh_config_redhat 2020-02-13 18:13:39.180641839 +0100
@@ -0,0 +1,21 @@ @@ -0,0 +1,21 @@
+# The options here are in the "Match final block" to be applied as the last +# The options here are in the "Match final block" to be applied as the last
+# options and could be potentially overwritten by the user configuration +# options and could be potentially overwritten by the user configuration
@ -34,11 +34,10 @@ diff -up openssh-7.7p1/ssh_config_redhat.redhat openssh-7.7p1/ssh_config_redhat
+ +
+# Uncomment this if you want to use .local domain +# Uncomment this if you want to use .local domain
+# Host *.local +# Host *.local
+# CheckHostIP no diff -up openssh/sshd_config.0.redhat openssh/sshd_config.0
diff -up openssh-7.7p1/sshd_config.0.redhat openssh-7.7p1/sshd_config.0 --- openssh/sshd_config.0.redhat 2020-02-12 14:30:04.000000000 +0100
--- openssh-7.7p1/sshd_config.0.redhat 2018-04-02 07:39:27.000000000 +0200 +++ openssh/sshd_config.0 2020-02-13 18:13:39.181641855 +0100
+++ openssh-7.7p1/sshd_config.0 2018-07-03 10:44:06.523245133 +0200 @@ -970,9 +970,9 @@ DESCRIPTION
@@ -872,9 +872,9 @@ DESCRIPTION
SyslogFacility SyslogFacility
Gives the facility code that is used when logging messages from Gives the facility code that is used when logging messages from
@ -51,10 +50,10 @@ diff -up openssh-7.7p1/sshd_config.0.redhat openssh-7.7p1/sshd_config.0
TCPKeepAlive TCPKeepAlive
Specifies whether the system should send TCP keepalive messages Specifies whether the system should send TCP keepalive messages
diff -up openssh-7.7p1/sshd_config.5.redhat openssh-7.7p1/sshd_config.5 diff -up openssh/sshd_config.5.redhat openssh/sshd_config.5
--- openssh-7.7p1/sshd_config.5.redhat 2018-04-02 07:38:28.000000000 +0200 --- openssh/sshd_config.5.redhat 2020-02-11 23:28:35.000000000 +0100
+++ openssh-7.7p1/sshd_config.5 2018-07-03 10:44:06.523245133 +0200 +++ openssh/sshd_config.5 2020-02-13 18:13:39.181641855 +0100
@@ -1461,7 +1461,7 @@ By default no subsystems are defined. @@ -1614,7 +1614,7 @@ By default no subsystems are defined.
.It Cm SyslogFacility .It Cm SyslogFacility
Gives the facility code that is used when logging messages from Gives the facility code that is used when logging messages from
.Xr sshd 8 . .Xr sshd 8 .
@ -63,9 +62,9 @@ diff -up openssh-7.7p1/sshd_config.5.redhat openssh-7.7p1/sshd_config.5
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH. The default is AUTH.
.It Cm TCPKeepAlive .It Cm TCPKeepAlive
diff -up openssh-7.7p1/sshd_config.redhat openssh-7.7p1/sshd_config diff -up openssh/sshd_config.redhat openssh/sshd_config
--- openssh-7.7p1/sshd_config.redhat 2018-04-02 07:38:28.000000000 +0200 --- openssh/sshd_config.redhat 2020-02-11 23:28:35.000000000 +0100
+++ openssh-7.7p1/sshd_config 2018-07-03 10:45:16.950782466 +0200 +++ openssh/sshd_config 2020-02-13 18:20:16.349913681 +0100
@@ -10,6 +10,10 @@ @@ -10,6 +10,10 @@
# possible, but leave them commented. Uncommented options override the # possible, but leave them commented. Uncommented options override the
# default value. # default value.
@ -77,10 +76,18 @@ diff -up openssh-7.7p1/sshd_config.redhat openssh-7.7p1/sshd_config
#Port 22 #Port 22
#AddressFamily any #AddressFamily any
#ListenAddress 0.0.0.0 #ListenAddress 0.0.0.0
@@ -16,8 +20,18 @@ @@ -114,3 +118,7 @@ Subsystem sftp /usr/libexec/sftp-server
# Ciphers and keying # AllowTcpForwarding no
#RekeyLimit default none # PermitTTY no
# ForceCommand cvs server
+
+# To modify the system-wide ssh configuration, create a *.conf file under
+# /etc/ssh/sshd_config.d/ which will be automatically included below
+Include /etc/ssh/sshd_config.d/*.conf
diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
--- openssh/sshd_config_redhat.redhat 2020-02-13 18:14:02.268006439 +0100
+++ openssh/sshd_config_redhat 2020-02-13 18:19:20.765035947 +0100
@@ -0,0 +1,31 @@
+# System-wide Crypto policy: +# System-wide Crypto policy:
+# This system is following system-wide crypto policy. The changes to +# This system is following system-wide crypto policy. The changes to
+# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any +# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
@ -90,69 +97,25 @@ diff -up openssh-7.7p1/sshd_config.redhat openssh-7.7p1/sshd_config
+# variable in /etc/sysconfig/sshd to overwrite the policy. +# variable in /etc/sysconfig/sshd to overwrite the policy.
+# For more information, see manual page for update-crypto-policies(8). +# For more information, see manual page for update-crypto-policies(8).
+ +
# Logging
#SyslogFacility AUTH
+SyslogFacility AUTHPRIV +SyslogFacility AUTHPRIV
#LogLevel INFO +
# Authentication:
@@ -56,9 +70,11 @@ AuthorizedKeysFile .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
+PasswordAuthentication yes +PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no +ChallengeResponseAuthentication no
+
# Kerberos options
#KerberosAuthentication no
@@ -67,8 +83,8 @@ AuthorizedKeysFile .ssh/authorized_keys
#KerberosGetAFSToken no
# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
+GSSAPIAuthentication yes +GSSAPIAuthentication yes
+GSSAPICleanupCredentials no +GSSAPICleanupCredentials no
+
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@@ -79,16 +95,20 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
-#UsePAM no
+UsePAM yes +UsePAM yes
+
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
-#X11Forwarding no
+X11Forwarding yes +X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
-#PrintMotd yes
+ +
+# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd, +# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
+# as it is more configurable and versatile than the built-in version. +# as it is more configurable and versatile than the built-in version.
+PrintMotd no +PrintMotd no
+ +
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
@@ -106,6 +126,12 @@ AuthorizedKeysFile .ssh/authorized_keys
# no default banner path
#Banner none
+# Accept locale-related environment variables +# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS +AcceptEnv XMODIFIERS
+ +
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

View File

@ -3,7 +3,7 @@ diff --git a/sshd.c b/sshd.c
+++ b/sshd.c +++ b/sshd.c
@@ -1701,6 +1701,10 @@ main(int ac, char **av) @@ -1701,6 +1701,10 @@ main(int ac, char **av)
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
cfg, NULL); cfg, &includes, NULL);
+ /* 'UsePAM no' is not supported in Fedora */ + /* 'UsePAM no' is not supported in Fedora */
+ if (! options.use_pam) + if (! options.use_pam)
@ -21,6 +21,6 @@ diff --git a/sshd_config b/sshd_config
# and ChallengeResponseAuthentication to 'no'. # and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several +# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# problems. +# problems.
UsePAM yes #UsePAM no
#AllowAgentForwarding yes #AllowAgentForwarding yes

View File

@ -339,7 +339,7 @@ diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
+++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200 +++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200
@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int); @@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *, int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
const u_char *, size_t, const char *, u_int compat); const u_char *, size_t, const char *, const char *, u_int compat);
void mm_inform_authserv(char *, char *); void mm_inform_authserv(char *, char *);
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+void mm_inform_authrole(char *); +void mm_inform_authrole(char *);
@ -359,7 +359,7 @@ diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Make
+ port-linux-sshd.o + port-linux-sshd.o
.c.o: .c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $< $(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $<
diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c
--- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200 --- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200 +++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200

View File

@ -1,7 +1,29 @@
diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5 diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
--- openssh-8.0p1/ssh_config.5.crypto-policies 2019-05-13 14:04:01.999099570 +0200 --- openssh/ssh_config.5.crypto-policies 2020-02-07 15:05:55.665451715 +0100
+++ openssh-8.0p1/ssh_config.5 2019-05-13 14:12:36.343923071 +0200 +++ openssh/ssh_config.5 2020-02-07 15:07:11.632641922 +0100
@@ -445,12 +445,10 @@ aes256-gcm@openssh.com @@ -361,15 +361,15 @@ domains.
.It Cm CASignatureAlgorithms
Specifies which algorithms are allowed for signing of certificates
by certificate authorities (CAs).
-The default is:
-.Bd -literal -offset indent
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed
-.Pp
.Xr ssh 1
will not accept host certificates signed using algorithms other than those
specified.
+.Pp
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
.It Cm CertificateFile
Specifies a file from which the user's certificate is read.
A corresponding private key must be provided separately in order
@@ -453,12 +453,10 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com chacha20-poly1305@openssh.com
.Ed .Ed
.Pp .Pp
@ -18,7 +40,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
.Pp .Pp
The list of available ciphers may also be obtained using The list of available ciphers may also be obtained using
.Qq ssh -Q cipher . .Qq ssh -Q cipher .
@@ -812,8 +810,10 @@ gss-nistp256-sha256-, @@ -824,8 +822,10 @@ gss-nistp256-sha256-,
gss-curve25519-sha256- gss-curve25519-sha256-
.Ed .Ed
.Pp .Pp
@ -31,7 +53,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
This option only applies to protocol version 2 connections using GSSAPI. This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HashKnownHosts .It Cm HashKnownHosts
Indicates that Indicates that
@@ -1123,16 +1123,10 @@ If the specified value begins with a @@ -1162,15 +1162,10 @@ If the specified list begins with a
.Sq ^ .Sq ^
character, then the specified methods will be placed at the head of the character, then the specified methods will be placed at the head of the
default set. default set.
@ -42,8 +64,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
-diffie-hellman-group-exchange-sha256, -diffie-hellman-group-exchange-sha256,
-diffie-hellman-group16-sha512, -diffie-hellman-group16-sha512,
-diffie-hellman-group18-sha512, -diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256, -diffie-hellman-group14-sha256
-diffie-hellman-group14-sha1
-.Ed -.Ed
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
@ -52,7 +73,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
.Pp .Pp
The list of available key exchange algorithms may also be obtained using The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex . .Qq ssh -Q kex .
@@ -1210,14 +1204,10 @@ The algorithms that contain @@ -1252,14 +1247,10 @@ The algorithms that contain
calculate the MAC after encryption (encrypt-then-mac). calculate the MAC after encryption (encrypt-then-mac).
These are considered safer and their use recommended. These are considered safer and their use recommended.
.Pp .Pp
@ -71,7 +92,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
.Pp .Pp
The list of available MAC algorithms may also be obtained using The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac . .Qq ssh -Q mac .
@@ -1361,17 +1351,10 @@ If the specified value begins with a @@ -1407,22 +1398,10 @@ If the specified list begins with a
.Sq ^ .Sq ^
character, then the specified key types will be placed at the head of the character, then the specified key types will be placed at the head of the
default set. default set.
@ -80,11 +101,16 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
-ecdsa-sha2-nistp256-cert-v01@openssh.com, -ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com, -ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com, -ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ssh-ed25519-cert-v01@openssh.com, -ssh-ed25519-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, -sk-ssh-ed25519-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com, -ssh-rsa-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa -sk-ecdsa-sha2-nistp256@openssh.com,
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed -.Ed
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
@ -92,11 +118,32 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
.Pp .Pp
The list of available key types may also be obtained using The list of available key types may also be obtained using
.Qq ssh -Q key . .Qq ssh -Q PubkeyAcceptedKeyTypes .
diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5 diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
--- openssh-8.0p1/sshd_config.5.crypto-policies 2019-05-13 14:12:41.226968863 +0200 --- openssh/sshd_config.5.crypto-policies 2020-02-07 15:05:55.639451308 +0100
+++ openssh-8.0p1/sshd_config.5 2019-05-13 14:15:14.581406997 +0200 +++ openssh/sshd_config.5 2020-02-07 15:05:55.672451825 +0100
@@ -490,12 +490,10 @@ aes256-gcm@openssh.com @@ -377,14 +377,14 @@ By default, no banner is displayed.
.It Cm CASignatureAlgorithms
Specifies which algorithms are allowed for signing of certificates
by certificate authorities (CAs).
-The default is:
-.Bd -literal -offset indent
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed
-.Pp
Certificates signed using other algorithms will not be accepted for
public key or host-based authentication.
+.Pp
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed (e.g. via
PAM or through authentication styles supported in
@@ -486,12 +486,10 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com chacha20-poly1305@openssh.com
.El .El
.Pp .Pp
@ -113,7 +160,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
.Pp .Pp
The list of available ciphers may also be obtained using The list of available ciphers may also be obtained using
.Qq ssh -Q cipher . .Qq ssh -Q cipher .
@@ -700,8 +698,10 @@ gss-nistp256-sha256-, @@ -693,8 +691,10 @@ gss-nistp256-sha256-,
gss-curve25519-sha256- gss-curve25519-sha256-
.Ed .Ed
.Pp .Pp
@ -126,7 +173,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
This option only applies to protocol version 2 connections using GSSAPI. This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HostbasedAcceptedKeyTypes .It Cm HostbasedAcceptedKeyTypes
Specifies the key types that will be accepted for hostbased authentication Specifies the key types that will be accepted for hostbased authentication
@@ -792,17 +792,10 @@ environment variable. @@ -794,22 +794,10 @@ environment variable.
.It Cm HostKeyAlgorithms .It Cm HostKeyAlgorithms
Specifies the host key algorithms Specifies the host key algorithms
that the server offers. that the server offers.
@ -135,11 +182,16 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
-ecdsa-sha2-nistp256-cert-v01@openssh.com, -ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com, -ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com, -ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ssh-ed25519-cert-v01@openssh.com, -ssh-ed25519-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, -sk-ssh-ed25519-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com, -ssh-rsa-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa -sk-ecdsa-sha2-nistp256@openssh.com,
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed -.Ed
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
@ -147,9 +199,9 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
.Pp .Pp
The list of available key types may also be obtained using The list of available key types may also be obtained using
.Qq ssh -Q key . .Qq ssh -Q HostKeyAlgorithms .
@@ -960,14 +953,10 @@ ecdh-sha2-nistp384 @@ -987,14 +975,10 @@ ecdh-sha2-nistp521
ecdh-sha2-nistp521 sntrup4591761x25519-sha512@tinyssh.org
.El .El
.Pp .Pp
-The default is: -The default is:
@ -158,7 +210,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256, -diffie-hellman-group-exchange-sha256,
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, -diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 -diffie-hellman-group14-sha256
-.Ed -.Ed
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
@ -166,8 +218,8 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
.Pp .Pp
The list of available key exchange algorithms may also be obtained using The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex . .Qq ssh -Q KexAlgorithms .
@@ -1090,14 +1079,10 @@ umac-64-etm@openssh.com @@ -1121,14 +1105,10 @@ umac-64-etm@openssh.com
umac-128-etm@openssh.com umac-128-etm@openssh.com
.El .El
.Pp .Pp
@ -186,7 +238,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
.Pp .Pp
The list of available MAC algorithms may also be obtained using The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac . .Qq ssh -Q mac .
@@ -1455,17 +1440,10 @@ If the specified value begins with a @@ -1492,22 +1472,10 @@ If the specified list begins with a
.Sq ^ .Sq ^
character, then the specified key types will be placed at the head of the character, then the specified key types will be placed at the head of the
default set. default set.
@ -195,11 +247,16 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
-ecdsa-sha2-nistp256-cert-v01@openssh.com, -ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com, -ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com, -ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ssh-ed25519-cert-v01@openssh.com, -ssh-ed25519-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, -sk-ssh-ed25519-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com, -ssh-rsa-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa -sk-ecdsa-sha2-nistp256@openssh.com,
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed -.Ed
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
@ -207,4 +264,4 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
.Pp .Pp
The list of available key types may also be obtained using The list of available key types may also be obtained using
.Qq ssh -Q key . .Qq ssh -Q PubkeyAcceptedKeyTypes .

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -1,45 +0,0 @@
commit 7e929163ed40f9ce90060a3ca6df558c3d901379
Author: Jakub Jelen <jjelen@redhat.com>
Date: Wed Nov 13 12:57:05 2019 +0100
seccomp: Allow clock_nanosleep() to make OpenSSH working with latest glibc
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index b5cda70b..be239767 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -242,6 +242,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_nanosleep
SC_ALLOW(__NR_nanosleep),
#endif
+#ifdef __NR_clock_nanosleep
+ SC_ALLOW(__NR_clock_nanosleep),
+#endif
#ifdef __NR__newselect
SC_ALLOW(__NR__newselect),
#endif
commit 500c30eaf88f26e4a74b06717fe04afec7a7516f
Author: Jakub Jelen <jjelen@redhat.com>
Date: Wed Nov 27 11:06:55 2019 +0100
sandbox-seccomp: Allow clock_nanosleep on ARM
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index be239767..3ef30c9d 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -245,6 +245,12 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_clock_nanosleep
SC_ALLOW(__NR_clock_nanosleep),
#endif
+#ifdef __NR_clock_nanosleep_time64
+ SC_ALLOW(__NR_clock_nanosleep_time64),
+#endif
+#ifdef __NR_clock_gettime64
+ SC_ALLOW(__NR_clock_gettime64),
+#endif
#ifdef __NR__newselect
SC_ALLOW(__NR__newselect),
#endif

View File

@ -0,0 +1,40 @@
diff --git a/regress/misc/sk-dummy/sk-dummy.c b/regress/misc/sk-dummy/sk-dummy.c
index dca158de..afdcb1d2 100644
--- a/regress/misc/sk-dummy/sk-dummy.c
+++ b/regress/misc/sk-dummy/sk-dummy.c
@@ -71,7 +71,7 @@ skdebug(const char *func, const char *fmt, ...)
#endif
}
-uint32_t
+uint32_t __attribute__((visibility("default")))
sk_api_version(void)
{
return SSH_SK_VERSION_MAJOR;
@@ -220,7 +220,7 @@ check_options(struct sk_option **options)
return 0;
}
-int
+int __attribute__((visibility("default")))
sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
const char *application, uint8_t flags, const char *pin,
struct sk_option **options, struct sk_enroll_response **enroll_response)
@@ -467,7 +467,7 @@ sig_ed25519(const uint8_t *message, size_t message_len,
return ret;
}
-int
+int __attribute__((visibility("default")))
sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
const char *application, const uint8_t *key_handle, size_t key_handle_len,
uint8_t flags, const char *pin, struct sk_option **options,
@@ -518,7 +518,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
return ret;
}
-int
+int __attribute__((visibility("default")))
sk_load_resident_keys(const char *pin, struct sk_option **options,
struct sk_resident_key ***rks, size_t *nrks)
{

View File

@ -65,10 +65,10 @@
%endif %endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.1p1 %global openssh_ver 8.2p1
%global openssh_rel 4 %global openssh_rel 1
%global pam_ssh_agent_ver 0.10.3 %global pam_ssh_agent_ver 0.10.3
%global pam_ssh_agent_rel 8 %global pam_ssh_agent_rel 9
Summary: An open source implementation of SSH protocol version 2 Summary: An open source implementation of SSH protocol version 2
Name: openssh Name: openssh
@ -196,7 +196,8 @@ Patch949: openssh-7.6p1-cleanup-selinux.patch
# Sandbox adjustments for s390 and audit # Sandbox adjustments for s390 and audit
Patch950: openssh-7.5p1-sandbox.patch Patch950: openssh-7.5p1-sandbox.patch
# PKCS#11 URIs (upstream #2817, 2nd iteration) # PKCS#11 URIs (upstream #2817, 2nd iteration)
# git diff upstream/master > ~/devel/fedora/openssh/openssh-8.0p1-pkcs11-uri.patch # https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11
# git show > ~/devel/fedora/openssh/openssh-8.0p1-pkcs11-uri.patch
Patch951: openssh-8.0p1-pkcs11-uri.patch Patch951: openssh-8.0p1-pkcs11-uri.patch
# Unbreak scp between two IPv6 hosts (#1620333) # Unbreak scp between two IPv6 hosts (#1620333)
Patch953: openssh-7.8p1-scp-ipv6.patch Patch953: openssh-7.8p1-scp-ipv6.patch
@ -210,8 +211,8 @@ Patch962: openssh-8.0p1-crypto-policies.patch
Patch963: openssh-8.0p1-openssl-evp.patch Patch963: openssh-8.0p1-openssl-evp.patch
# Use OpenSSL KDF (#1631761) # Use OpenSSL KDF (#1631761)
Patch964: openssh-8.0p1-openssl-kdf.patch Patch964: openssh-8.0p1-openssl-kdf.patch
# Unbreak seccomp filter with latest glibc (#1771946, #1777054) # sk-dummy.so built with -fvisibility=hidden does not work
Patch965: openssh-8.1p1-seccomp-nanosleep.patch Patch965: openssh-8.2p1-visibility.patch
License: BSD License: BSD
Requires: /sbin/nologin Requires: /sbin/nologin
@ -295,7 +296,7 @@ Requires: openssh = %{version}-%{release}
%package -n pam_ssh_agent_auth %package -n pam_ssh_agent_auth
Summary: PAM module for authentication with ssh-agent Summary: PAM module for authentication with ssh-agent
Version: %{pam_ssh_agent_ver} Version: %{pam_ssh_agent_ver}
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}.2 Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
License: BSD License: BSD
%description %description
@ -412,7 +413,7 @@ popd
%patch962 -p1 -b .crypto-policies %patch962 -p1 -b .crypto-policies
%patch963 -p1 -b .openssl-evp %patch963 -p1 -b .openssl-evp
%patch964 -p1 -b .openssl-kdf %patch964 -p1 -b .openssl-kdf
%patch965 -p1 -b .seccomp-nanosleep %patch965 -p1 -b .visibility
%patch200 -p1 -b .audit %patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race %patch201 -p1 -b .audit-race
@ -427,7 +428,7 @@ popd
%build %build
# the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth # the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth
# and it makes the ssh build more clean and even optimized better # it is needed for lib(open)ssh build too since it is linked to the pam module too
CFLAGS="$RPM_OPT_FLAGS -fvisibility=hidden"; export CFLAGS CFLAGS="$RPM_OPT_FLAGS -fvisibility=hidden"; export CFLAGS
%if %{rescue} %if %{rescue}
CFLAGS="$CFLAGS -Os" CFLAGS="$CFLAGS -Os"
@ -556,6 +557,7 @@ make tests
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
make install DESTDIR=$RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT
@ -569,6 +571,7 @@ install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
install -m644 ssh_config_redhat $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/05-redhat.conf install -m644 ssh_config_redhat $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/05-redhat.conf
install -m644 sshd_config_redhat $RPM_BUILD_ROOT/etc/ssh/sshd_config.d/05-redhat.conf
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir} install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
@ -650,12 +653,14 @@ getent passwd sshd >/dev/null || \
%attr(0755,root,root) %{_bindir}/sftp %attr(0755,root,root) %{_bindir}/sftp
%attr(0755,root,root) %{_bindir}/ssh-copy-id %attr(0755,root,root) %{_bindir}/ssh-copy-id
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper %attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-sk-helper
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1* %attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1* %attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1* %attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
%attr(0644,root,root) %{_mandir}/man1/sftp.1* %attr(0644,root,root) %{_mandir}/man1/sftp.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1* %attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8* %attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
%attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
%endif %endif
%if ! %{rescue} %if ! %{rescue}
@ -670,6 +675,8 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_mandir}/man8/sshd.8* %attr(0644,root,root) %{_mandir}/man8/sshd.8*
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%dir %attr(0700,root,root) %{_sysconfdir}/ssh/sshd_config.d/
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/05-redhat.conf
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd %attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
%attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd %attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
%attr(0644,root,root) %{_unitdir}/sshd.service %attr(0644,root,root) %{_unitdir}/sshd.service
@ -715,6 +722,13 @@ getent passwd sshd >/dev/null || \
%endif %endif
%changelog %changelog
* Mon Feb 17 2020 Jakub Jelen <jjelen@redhat.com> - 8.2p1-1 + 0.10.3-9
- New upstrem reelase (#1803290)
- New /etc/ssh/sshd_config.d drop in directory
- Support for U2F security keys
- Correctly report invalid key permissions (#1801459)
- Do not write bogus information on stderr in FIPS mode (#1778224)
* Mon Feb 03 2020 Jakub Jelen <jjelen@redhat.com> - 8.1p1-4 + 0.10.3-8 * Mon Feb 03 2020 Jakub Jelen <jjelen@redhat.com> - 8.1p1-4 + 0.10.3-8
- Unbreak seccomp filter on ARM (#1796267) - Unbreak seccomp filter on ARM (#1796267)

View File

@ -1,6 +1,6 @@
diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c
--- openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
+++ openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c 2018-08-24 10:22:56.281930322 +0200 +++ openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c 2020-02-07 10:43:05.011757956 +0100
@@ -27,6 +27,7 @@ @@ -27,6 +27,7 @@
* or implied, of Jamie Beverly. * or implied, of Jamie Beverly.
*/ */
@ -34,7 +34,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openss
diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/identity.h diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/identity.h
--- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100
+++ openssh/pam_ssh_agent_auth-0.10.3/identity.h 2018-08-24 10:18:05.009393312 +0200 +++ openssh/pam_ssh_agent_auth-0.10.3/identity.h 2020-02-07 10:43:05.011757956 +0100
@@ -30,8 +30,8 @@ @@ -30,8 +30,8 @@
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
#include "xmalloc.h" #include "xmalloc.h"
@ -56,8 +56,8 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat openssh/pam_ss
int tried; int tried;
int isprivate; /* key points to the private key */ int isprivate; /* key points to the private key */
diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
--- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat 2018-08-24 10:18:05.007393297 +0200 --- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat 2020-02-07 10:43:05.009757925 +0100
+++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2018-08-24 10:18:32.937612513 +0200 +++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2020-02-07 10:43:05.012757972 +0100
@@ -36,8 +36,8 @@ @@ -36,8 +36,8 @@
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
#include "xmalloc.h" #include "xmalloc.h"
@ -119,7 +119,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat
const char * ruser, const char * servicename) const char * ruser, const char * servicename)
{ {
u_char *cookie = NULL; u_char *cookie = NULL;
@@ -114,22 +116,23 @@ pamsshagentauth_session_id2_gen(Buffer * @@ -114,22 +120,23 @@ pamsshagentauth_session_id2_gen(Buffer *
char ** reported_argv = NULL; char ** reported_argv = NULL;
size_t count = 0; size_t count = 0;
char * action_logbuf = NULL; char * action_logbuf = NULL;
@ -147,13 +147,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat
} }
cookie[i] = (u_char) rnd; cookie[i] = (u_char) rnd;
rnd >>= 8; rnd >>= 8;
@@ -139,12 +141,13 @@ pamsshagentauth_session_id2_gen(Buffer * @@ -144,7 +151,8 @@ pamsshagentauth_session_id2_gen(Buffer *
if (count > 0) {
free_logbuf = 1;
action_logbuf = log_action(reported_argv, count);
- agent_action(&action_agentbuf, reported_argv, count);
+ agent_action(&action_agentbuf, reported_argv, count);
pamsshagentauth_free_command_line(reported_argv, count);
} }
else { else {
action_logbuf = "unknown on this platform"; action_logbuf = "unknown on this platform";
@ -163,7 +157,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat
} }
/* /*
@@ -161,35 +163,39 @@ pamsshagentauth_session_id2_gen(Buffer * @@ -161,35 +169,39 @@ pamsshagentauth_session_id2_gen(Buffer *
retc = getcwd(pwd, sizeof(pwd) - 1); retc = getcwd(pwd, sizeof(pwd) - 1);
time(&ts); time(&ts);
@ -207,6 +201,14 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat
- pamsshagentauth_buffer_free(&action_agentbuf); - pamsshagentauth_buffer_free(&action_agentbuf);
+ free(action_logbuf); + free(action_logbuf);
+ sshbuf_free(action_agentbuf); + sshbuf_free(action_agentbuf);
+ }
+ /* debug3("hostname: %s", hostname); */
+ if (reti >= 0) {
+ if ((r = sshbuf_put_cstring(*session_id2, hostname)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ } else {
+ if ((r = sshbuf_put_cstring(*session_id2, "")) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
} }
- /* pamsshagentauth_debug3("hostname: %s", hostname); */ - /* pamsshagentauth_debug3("hostname: %s", hostname); */
- if(reti >= 0) - if(reti >= 0)
@ -215,21 +217,13 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat
- pamsshagentauth_buffer_put_cstring(session_id2, ""); - pamsshagentauth_buffer_put_cstring(session_id2, "");
- /* pamsshagentauth_debug3("ts: %ld", ts); */ - /* pamsshagentauth_debug3("ts: %ld", ts); */
- pamsshagentauth_buffer_put_int64(session_id2, (uint64_t) ts); - pamsshagentauth_buffer_put_int64(session_id2, (uint64_t) ts);
+ /* debug3("hostname: %s", hostname); */
+ if (reti >= 0) {
+ if ((r = sshbuf_put_cstring(*session_id2, hostname)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ } else {
+ if ((r = sshbuf_put_cstring(*session_id2, "")) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ }
+ /* debug3("ts: %ld", ts); */ + /* debug3("ts: %ld", ts); */
+ if ((r = sshbuf_put_u64(*session_id2, (uint64_t) ts)) != 0) + if ((r = sshbuf_put_u64(*session_id2, (uint64_t) ts)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal("%s: buffer error: %s", __func__, ssh_err(r));
free(cookie); free(cookie);
return; return;
@@ -278,7 +280,8 @@ ssh_get_authentication_connection_for_ui @@ -278,7 +290,8 @@ ssh_get_authentication_connection_for_ui
auth = xmalloc(sizeof(*auth)); auth = xmalloc(sizeof(*auth));
auth->fd = sock; auth->fd = sock;
@ -239,7 +233,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat
auth->howmany = 0; auth->howmany = 0;
return auth; return auth;
@@ -287,43 +289,42 @@ ssh_get_authentication_connection_for_ui @@ -287,9 +300,9 @@ ssh_get_authentication_connection_for_ui
int int
pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename) pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename)
{ {
@ -251,11 +245,8 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat
AuthenticationConnection *ac; AuthenticationConnection *ac;
char *comment; char *comment;
uint8_t retval = 0; uint8_t retval = 0;
uid_t uid = getpwnam(ruser)->pw_uid; @@ -299,31 +312,30 @@ pamsshagentauth_find_authorized_keys(con
pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
OpenSSL_add_all_digests();
- pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
+ pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
if ((ac = ssh_get_authentication_connection_for_uid(uid))) { if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
- pamsshagentauth_verbose("Contacted ssh-agent of user %s (%u)", ruser, uid); - pamsshagentauth_verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
@ -295,8 +286,8 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat
return retval; return retval;
} }
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c
--- openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat 2018-08-24 10:18:05.008393305 +0200 --- openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat 2020-02-07 10:43:05.010757940 +0100
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c 2018-08-24 10:18:05.009393312 +0200 +++ openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c 2020-02-07 10:43:05.012757972 +0100
@@ -104,7 +104,7 @@ pam_sm_authenticate(pam_handle_t * pamh, @@ -104,7 +104,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
* a patch 8-) * a patch 8-)
*/ */
@ -386,7 +377,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
cleanexit: cleanexit:
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c 2018-08-24 10:18:05.009393312 +0200 +++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c 2020-02-07 10:43:05.012757972 +0100
@@ -66,8 +66,8 @@ @@ -66,8 +66,8 @@
#include "xmalloc.h" #include "xmalloc.h"
#include "match.h" #include "match.h"
@ -453,7 +444,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compa
pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid), pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid),
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h 2018-08-24 10:18:05.010393320 +0200 +++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h 2020-02-07 10:43:05.012757972 +0100
@@ -32,7 +32,7 @@ @@ -32,7 +32,7 @@
#define _PAM_USER_KEY_ALLOWED_H #define _PAM_USER_KEY_ALLOWED_H
@ -465,7 +456,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compa
#endif #endif
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c 2018-08-24 10:18:05.010393320 +0200 +++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c 2020-02-07 10:43:05.012757972 +0100
@@ -45,44 +45,46 @@ @@ -45,44 +45,46 @@
#include "xmalloc.h" #include "xmalloc.h"
#include "ssh.h" #include "ssh.h"
@ -742,7 +733,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat o
} }
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h 2018-08-24 10:18:05.010393320 +0200 +++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h 2020-02-07 10:43:05.012757972 +0100
@@ -32,7 +32,7 @@ @@ -32,7 +32,7 @@
#define _PAM_USER_KEY_ALLOWED_H #define _PAM_USER_KEY_ALLOWED_H
@ -755,7 +746,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat o
#endif #endif
diff -up openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c diff -up openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c
--- openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
+++ openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c 2018-08-24 10:18:05.010393320 +0200 +++ openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c 2020-02-07 10:43:05.012757972 +0100
@@ -53,8 +53,8 @@ @@ -53,8 +53,8 @@
#include "xmalloc.h" #include "xmalloc.h"
#include "match.h" #include "match.h"
@ -799,7 +790,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh
} }
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2018-08-24 10:22:13.202657025 +0200 +++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2020-02-07 10:43:23.520048960 +0100
@@ -37,10 +37,11 @@ @@ -37,10 +37,11 @@
#include "xmalloc.h" #include "xmalloc.h"
#include "ssh.h" #include "ssh.h"
@ -814,7 +805,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat
#include "pathnames.h" #include "pathnames.h"
#include "misc.h" #include "misc.h"
#include "secure_filename.h" #include "secure_filename.h"
@@ -48,54 +48,59 @@ @@ -48,54 +49,59 @@
#include "identity.h" #include "identity.h"
#include "pam_user_authorized_keys.h" #include "pam_user_authorized_keys.h"
@ -833,8 +824,8 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat
char *pkalg = NULL; char *pkalg = NULL;
u_char *pkblob = NULL, *sig = NULL; u_char *pkblob = NULL, *sig = NULL;
- u_int blen = 0, slen = 0; - u_int blen = 0, slen = 0;
+ size_t blen = 0, slen = 0;
- int authenticated = 0; - int authenticated = 0;
+ size_t blen = 0, slen = 0;
+ int r, authenticated = 0; + int r, authenticated = 0;
- pkalg = (char *) key_ssh_name(id->key); - pkalg = (char *) key_ssh_name(id->key);
@ -879,7 +870,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat
/* test for correct signature */ /* test for correct signature */
- if(pamsshagentauth_key_verify(id->key, sig, slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) == 1) - if(pamsshagentauth_key_verify(id->key, sig, slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) == 1)
+ if (sshkey_verify(id->key, sig, slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0) == 0) + if (sshkey_verify(id->key, sig, slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0, NULL) == 0)
authenticated = 1; authenticated = 1;
user_auth_clean_exit: user_auth_clean_exit:
@ -898,7 +889,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat
} }
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h 2018-08-24 10:18:05.010393320 +0200 +++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h 2020-02-07 10:43:05.013757988 +0100
@@ -31,7 +31,7 @@ @@ -31,7 +31,7 @@
#ifndef _USERAUTH_PUBKEY_FROM_ID_H #ifndef _USERAUTH_PUBKEY_FROM_ID_H
#define _USERAUTH_PUBKEY_FROM_ID_H #define _USERAUTH_PUBKEY_FROM_ID_H
@ -911,7 +902,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat
#endif #endif
diff -up openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/uuencode.c diff -up openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/uuencode.c
--- openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
+++ openssh/pam_ssh_agent_auth-0.10.3/uuencode.c 2018-08-24 10:18:05.010393320 +0200 +++ openssh/pam_ssh_agent_auth-0.10.3/uuencode.c 2020-02-07 10:43:05.013757988 +0100
@@ -56,7 +56,7 @@ pamsshagentauth_uudecode(const char *src @@ -56,7 +56,7 @@ pamsshagentauth_uudecode(const char *src
/* and remove trailing whitespace because __b64_pton needs this */ /* and remove trailing whitespace because __b64_pton needs this */
*p = '\0'; *p = '\0';

View File

@ -159,15 +159,17 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh-
LIBS=@LIBS@ LIBS=@LIBS@
AR=@AR@ AR=@AR@
AWK=@AWK@ AWK=@AWK@
@@ -61,7 +61,7 @@ INSTALL=@INSTALL@ @@ -61,8 +61,8 @@ INSTALL=@INSTALL@
PERL=@PERL@ PERL=@PERL@
SED=@SED@ SED=@SED@
ENT=@ENT@ ENT=@ENT@
-LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ -LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
-LDFLAGS_SHARED = @LDFLAGS_SHARED@
+LDFLAGS=-L.. -L../openbsd-compat/ @LDFLAGS@ +LDFLAGS=-L.. -L../openbsd-compat/ @LDFLAGS@
LDFLAGS_SHARED = @LDFLAGS_SHARED@ +LDFLAGS_SHARED =-Wl,-z,defs @LDFLAGS_SHARED@
EXEEXT=@EXEEXT@ EXEEXT=@EXEEXT@
INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
@@ -74,7 +74,7 @@ SSHOBJS=xmalloc.o atomicio.o authfd.o bu @@ -74,7 +74,7 @@ SSHOBJS=xmalloc.o atomicio.o authfd.o bu
ED25519OBJS=ed25519-donna/ed25519.o ED25519OBJS=ed25519-donna/ed25519.o
@ -189,8 +191,8 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh-
-pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o -pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
- $(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam - $(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam
+pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o ../uidswap.o +pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o ../uidswap.o ../ssh-sk-client.o
+ $(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat pam_ssh_agent_auth.o ../uidswap.o $(LIBS) -lpam + $(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) ../ssh-sk-client.o $(LDFLAGS) -lssh -lopenbsd-compat pam_ssh_agent_auth.o ../uidswap.o $(LIBS) -lpam
$(MANPAGES): $(MANPAGES_IN) $(MANPAGES): $(MANPAGES_IN)
pod2man --section=8 --release=v0.10.3 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8 pod2man --section=8 --release=v0.10.3 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8

View File

@ -1,4 +1,4 @@
SHA512 (openssh-8.1p1.tar.gz) = b987ea4ffd4ab0c94110723860273b06ed8ffb4d21cbd99ca144a4722dc55f4bf86f6253d500386b6bee7af50f066e2aa2dd095d50746509a10e11221d39d925 SHA512 (openssh-8.2p1.tar.gz) = c4db64e52a3a4c410de9de49f9cb104dd493b10250af3599b92457dd986277b3fd99a6f51cec94892fd1be5bd0369c5757262ea7805f0de464b245c3d34c120a
SHA512 (openssh-8.1p1.tar.gz.asc) = f36458ef8822376a5b305cfbc971f5d2db8bf2f48fea9a957e02ef2fc27a48bacb59495587fee81fa2d89bca6250a8fb407e1f5a7dae7ceb361ab332c0771344 SHA512 (openssh-8.2p1.tar.gz.asc) = e6d091289d62d3a01d5978e3c26f72d8ea6979c345fbebc215515185ea567c959f5b17e32052d752829ab4c6bc537fd977f7aa02cf0a23280da63fd9d880f303
SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66 SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66