forked from rpms/openssh
openssh-8.2p1-1 + 0.10.3-9
This commit is contained in:
parent
ee9cb005b3
commit
51f5c1c99f
2
.gitignore
vendored
2
.gitignore
vendored
@ -38,3 +38,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
|
|||||||
/openssh-8.0p1.tar.gz.asc
|
/openssh-8.0p1.tar.gz.asc
|
||||||
/openssh-8.1p1.tar.gz
|
/openssh-8.1p1.tar.gz
|
||||||
/openssh-8.1p1.tar.gz.asc
|
/openssh-8.1p1.tar.gz.asc
|
||||||
|
/openssh-8.2p1.tar.gz
|
||||||
|
/openssh-8.2p1.tar.gz.asc
|
||||||
|
@ -9,7 +9,7 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
|
|||||||
#include <gtk/gtk.h>
|
#include <gtk/gtk.h>
|
||||||
#include <gdk/gdkx.h>
|
#include <gdk/gdkx.h>
|
||||||
|
|
||||||
@@ -81,13 +82,24 @@ ok_dialog(GtkWidget *entry, gpointer dia
|
@@ -81,14 +82,25 @@ ok_dialog(GtkWidget *entry, gpointer dia
|
||||||
gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
|
gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -25,20 +25,21 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
|
|||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
static int
|
static int
|
||||||
passphrase_dialog(char *message)
|
passphrase_dialog(char *message, int prompt_type)
|
||||||
{
|
{
|
||||||
const char *failed;
|
const char *failed;
|
||||||
char *passphrase, *local;
|
char *passphrase, *local;
|
||||||
int result, grab_tries, grab_server, grab_pointer;
|
int result, grab_tries, grab_server, grab_pointer;
|
||||||
|
int buttons, default_response;
|
||||||
- GtkWidget *parent_window, *dialog, *entry;
|
- GtkWidget *parent_window, *dialog, *entry;
|
||||||
+ GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
|
+ GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
|
||||||
GdkGrabStatus status;
|
GdkGrabStatus status;
|
||||||
|
|
||||||
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
|
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
|
||||||
@@ -104,14 +116,32 @@ passphrase_dialog(char *message)
|
@@ -104,16 +116,37 @@ passphrase_dialog(char *message)
|
||||||
"%s",
|
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
|
||||||
message);
|
|
||||||
|
|
||||||
|
if (prompt_type == PROMPT_ENTRY) {
|
||||||
+ hbox = gtk_hbox_new(FALSE, 0);
|
+ hbox = gtk_hbox_new(FALSE, 0);
|
||||||
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
|
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
|
||||||
+ FALSE, 0);
|
+ FALSE, 0);
|
||||||
@ -46,15 +47,18 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
|
|||||||
+
|
+
|
||||||
entry = gtk_entry_new();
|
entry = gtk_entry_new();
|
||||||
gtk_box_pack_start(
|
gtk_box_pack_start(
|
||||||
- GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), entry,
|
- GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))),
|
||||||
- FALSE, FALSE, 0);
|
- entry, FALSE, FALSE, 0);
|
||||||
+ GTK_BOX(hbox), entry,
|
+ GTK_BOX(hbox), entry,
|
||||||
+ TRUE, FALSE, 0);
|
+ TRUE, FALSE, 0);
|
||||||
+ gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
|
+ gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
|
||||||
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
|
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
|
||||||
gtk_widget_grab_focus(entry);
|
gtk_widget_grab_focus(entry);
|
||||||
gtk_widget_show(entry);
|
gtk_widget_show(entry);
|
||||||
|
/* Make <enter> close dialog */
|
||||||
|
g_signal_connect(G_OBJECT(entry), "activate",
|
||||||
|
G_CALLBACK(ok_dialog), dialog);
|
||||||
|
+
|
||||||
+ hbox = gtk_hbox_new(FALSE, 0);
|
+ hbox = gtk_hbox_new(FALSE, 0);
|
||||||
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
|
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
|
||||||
+ FALSE, 8);
|
+ FALSE, 8);
|
||||||
@ -66,16 +70,9 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
|
|||||||
+ gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
|
+ gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
|
||||||
+ TRUE, 5);
|
+ TRUE, 5);
|
||||||
+ gtk_widget_show(progress);
|
+ gtk_widget_show(progress);
|
||||||
+
|
|
||||||
gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
|
|
||||||
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
|
|
||||||
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
|
|
||||||
@@ -120,6 +150,8 @@ passphrase_dialog(char *message)
|
|
||||||
gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
|
|
||||||
g_signal_connect(G_OBJECT(entry), "activate",
|
|
||||||
G_CALLBACK(ok_dialog), dialog);
|
|
||||||
+ g_signal_connect(G_OBJECT(entry), "changed",
|
+ g_signal_connect(G_OBJECT(entry), "changed",
|
||||||
+ G_CALLBACK(move_progress), progress);
|
+ G_CALLBACK(move_progress), progress);
|
||||||
|
+
|
||||||
|
}
|
||||||
|
|
||||||
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
|
/* Grab focus */
|
||||||
|
|
||||||
|
@ -56,8 +56,8 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
|||||||
+ pmonitor->m_state = "postauth";
|
+ pmonitor->m_state = "postauth";
|
||||||
+
|
+
|
||||||
monitor_set_child_handler(pmonitor->m_pid);
|
monitor_set_child_handler(pmonitor->m_pid);
|
||||||
signal(SIGHUP, &monitor_child_handler);
|
ssh_signal(SIGHUP, &monitor_child_handler);
|
||||||
signal(SIGTERM, &monitor_child_handler);
|
ssh_signal(SIGTERM, &monitor_child_handler);
|
||||||
@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
|
@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
|
||||||
if (log_level_name(level) == NULL)
|
if (log_level_name(level) == NULL)
|
||||||
fatal("%s: invalid log level %u (corrupted message?)",
|
fatal("%s: invalid log level %u (corrupted message?)",
|
||||||
|
@ -122,7 +122,7 @@ diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config
|
|||||||
--- openssh-7.4p1/sshd_config.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
|
--- openssh-7.4p1/sshd_config.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
|
||||||
+++ openssh-7.4p1/sshd_config 2016-12-23 15:18:40.631216103 +0100
|
+++ openssh-7.4p1/sshd_config 2016-12-23 15:18:40.631216103 +0100
|
||||||
@@ -80,6 +80,7 @@ GSSAPIAuthentication yes
|
@@ -80,6 +80,7 @@ GSSAPIAuthentication yes
|
||||||
GSSAPICleanupCredentials no
|
#GSSAPICleanupCredentials yes
|
||||||
#GSSAPIStrictAcceptorCheck yes
|
#GSSAPIStrictAcceptorCheck yes
|
||||||
#GSSAPIKeyExchange no
|
#GSSAPIKeyExchange no
|
||||||
+#GSSAPIEnablek5users no
|
+#GSSAPIEnablek5users no
|
||||||
|
@ -7,14 +7,14 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
|
|||||||
SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
||||||
+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
|
+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
|
||||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||||
|
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
|
||||||
@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
|
@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
|
||||||
MKDIR_P=@MKDIR_P@
|
|
||||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
|
||||||
|
|
||||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
.SUFFIXES: .lo
|
||||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
|
||||||
|
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||||
|
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
||||||
|
|
||||||
XMSS_OBJS=\
|
XMSS_OBJS=\
|
||||||
ssh-xmss.o \
|
ssh-xmss.o \
|
||||||
@ -25,8 +25,8 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
|
|||||||
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
||||||
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||||
+
|
+
|
||||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||||
|
|
||||||
@@ -326,6 +330,7 @@ install-files:
|
@@ -326,6 +330,7 @@ install-files:
|
||||||
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
||||||
|
@ -41,22 +41,22 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
|
|||||||
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
||||||
+SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
+SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
||||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||||
|
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
|
||||||
@@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@
|
@@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@
|
||||||
GSSLIBS=@GSSLIBS@
|
GSSLIBS=@GSSLIBS@
|
||||||
SSHLIBS=@SSHLIBS@
|
SSHLIBS=@SSHLIBS@
|
||||||
SSHDLIBS=@SSHDLIBS@
|
SSHDLIBS=@SSHDLIBS@
|
||||||
+KEYCATLIBS=@KEYCATLIBS@
|
+KEYCATLIBS=@KEYCATLIBS@
|
||||||
LIBEDIT=@LIBEDIT@
|
LIBEDIT=@LIBEDIT@
|
||||||
|
LIBFIDO2=@LIBFIDO2@
|
||||||
AR=@AR@
|
AR=@AR@
|
||||||
AWK=@AWK@
|
|
||||||
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
|
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
|
||||||
MKDIR_P=@MKDIR_P@
|
|
||||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
|
||||||
|
|
||||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
|
.SUFFIXES: .lo
|
||||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
|
||||||
|
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT)
|
||||||
|
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||||
|
|
||||||
XMSS_OBJS=\
|
XMSS_OBJS=\
|
||||||
ssh-xmss.o \
|
ssh-xmss.o \
|
||||||
@ -67,8 +67,8 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
|
|||||||
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
||||||
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
|
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
|
||||||
+
|
+
|
||||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||||
|
|
||||||
@@ -321,6 +325,7 @@ install-files:
|
@@ -321,6 +325,7 @@ install-files:
|
||||||
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
|
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
|
||||||
|
@ -217,7 +217,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
|||||||
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||||
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
|
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
|
||||||
*activep = value;
|
*activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
+ case sKerberosUseKuserok:
|
+ case sKerberosUseKuserok:
|
||||||
@ -286,4 +286,4 @@ diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config
|
|||||||
+#KerberosUseKuserok yes
|
+#KerberosUseKuserok yes
|
||||||
|
|
||||||
# GSSAPI options
|
# GSSAPI options
|
||||||
GSSAPIAuthentication yes
|
#GSSAPIAuthentication no
|
||||||
|
@ -136,11 +136,11 @@ diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
|
|||||||
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
||||||
+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
|
+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
|
||||||
@@ -224,7 +224,7 @@ killchild(int signo)
|
@@ -224,7 +224,7 @@ killchild(int signo)
|
||||||
{
|
pid = sshpid;
|
||||||
if (sshpid > 1) {
|
if (pid > 1) {
|
||||||
kill(sshpid, SIGTERM);
|
kill(pid, SIGTERM);
|
||||||
- waitpid(sshpid, NULL, 0);
|
- waitpid(pid, NULL, 0);
|
||||||
+ (void) waitpid(sshpid, NULL, 0);
|
+ (void) waitpid(pid, NULL, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
_exit(1);
|
_exit(1);
|
||||||
|
@ -7,14 +7,14 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
|
|||||||
CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
|
CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
|
||||||
+SSH_CAVS=$(libexecdir)/ssh-cavs
|
+SSH_CAVS=$(libexecdir)/ssh-cavs
|
||||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||||
|
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
|
||||||
@@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@
|
@@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@
|
||||||
MKDIR_P=@MKDIR_P@
|
|
||||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
|
||||||
|
|
||||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
.SUFFIXES: .lo
|
||||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
|
|
||||||
|
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
||||||
|
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
|
||||||
|
|
||||||
XMSS_OBJS=\
|
XMSS_OBJS=\
|
||||||
ssh-xmss.o \
|
ssh-xmss.o \
|
||||||
@ -22,11 +22,11 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
|
|||||||
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
||||||
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||||
|
|
||||||
+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o
|
+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS)
|
||||||
+ $(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
+ $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||||
+
|
+
|
||||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||||
|
|
||||||
@@ -331,6 +335,8 @@ install-files:
|
@@ -331,6 +335,8 @@ install-files:
|
||||||
fi
|
fi
|
||||||
|
@ -134,52 +134,54 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
|
|||||||
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
||||||
+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
||||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||||
|
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
|
||||||
@@ -50,6 +50,7 @@
|
@@ -50,6 +50,7 @@
|
||||||
CFLAGS=@CFLAGS@
|
|
||||||
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
||||||
|
PICFLAG=@PICFLAG@
|
||||||
LIBS=@LIBS@
|
LIBS=@LIBS@
|
||||||
+LDAPLIBS=@LDAPLIBS@
|
+LDAPLIBS=@LDAPLIBS@
|
||||||
K5LIBS=@K5LIBS@
|
K5LIBS=@K5LIBS@
|
||||||
GSSLIBS=@GSSLIBS@
|
GSSLIBS=@GSSLIBS@
|
||||||
SSHLIBS=@SSHLIBS@
|
SSHLIBS=@SSHLIBS@
|
||||||
@@ -61,8 +63,9 @@ XAUTH_PATH=@XAUTH_PATH@
|
@@ -61,10 +63,11 @@ XAUTH_PATH=@XAUTH_PATH@
|
||||||
EXEEXT=@EXEEXT@
|
EXEEXT=@EXEEXT@
|
||||||
MANFMT=@MANFMT@
|
MANFMT=@MANFMT@
|
||||||
MKDIR_P=@MKDIR_P@
|
MKDIR_P=@MKDIR_P@
|
||||||
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
||||||
|
|
||||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
|
.SUFFIXES: .lo
|
||||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
|
|
||||||
|
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||||
|
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT)
|
||||||
|
|
||||||
XMSS_OBJS=\
|
XMSS_OBJS=\
|
||||||
ssh-xmss.o \
|
ssh-xmss.o \
|
||||||
@@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
@@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||||
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
|
|
||||||
sandbox-solaris.o uidswap.o
|
|
||||||
|
|
||||||
-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
|
SFTP_OBJS= sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
|
||||||
-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
|
|
||||||
+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
|
-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out
|
||||||
+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
|
-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5
|
||||||
|
+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
|
||||||
|
+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
|
||||||
MANTYPE = @MANTYPE@
|
MANTYPE = @MANTYPE@
|
||||||
|
|
||||||
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
|
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
|
||||||
@@ -184,6 +187,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
|
@@ -184,6 +187,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
|
||||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
|
||||||
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
|
||||||
|
|
||||||
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
||||||
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS)
|
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS)
|
||||||
+
|
+
|
||||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||||
|
|
||||||
@@ -311,6 +317,10 @@ install-files:
|
@@ -311,6 +317,10 @@ install-files:
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
|
||||||
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||||
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||||
+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
|
+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
|
||||||
+ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
|
+ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
|
||||||
+ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
+ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
||||||
@ -188,9 +190,9 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
|
|||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||||
@@ -327,6 +337,10 @@ install-files:
|
@@ -327,6 +337,10 @@ install-files:
|
||||||
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
|
||||||
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||||
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||||
|
$(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
|
||||||
+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
|
+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
|
||||||
+ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
|
+ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
|
||||||
+ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
|
+ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
|
||||||
@ -213,18 +215,18 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
|
|||||||
host-key: ssh-keygen$(EXEEXT)
|
host-key: ssh-keygen$(EXEEXT)
|
||||||
@if [ -z "$(DESTDIR)" ] ; then \
|
@if [ -z "$(DESTDIR)" ] ; then \
|
||||||
@@ -419,6 +440,8 @@ uninstall:
|
@@ -419,6 +440,8 @@ uninstall:
|
||||||
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
|
||||||
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||||
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||||
|
-rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||||
+ -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
|
+ -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
|
||||||
+ -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
|
+ -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
|
||||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||||
@@ -430,6 +453,7 @@ uninstall:
|
@@ -430,6 +453,7 @@ uninstall:
|
||||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
|
||||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||||
|
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
|
||||||
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
|
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
|
||||||
|
|
||||||
regress-prep:
|
regress-prep:
|
||||||
@ -233,8 +235,8 @@ diff -up openssh-6.8p1/configure.ac.ldap openssh-6.8p1/configure.ac
|
|||||||
--- openssh-6.8p1/configure.ac.ldap 2015-03-17 06:49:20.000000000 +0100
|
--- openssh-6.8p1/configure.ac.ldap 2015-03-17 06:49:20.000000000 +0100
|
||||||
+++ openssh-6.8p1/configure.ac 2015-03-18 11:11:29.030801464 +0100
|
+++ openssh-6.8p1/configure.ac 2015-03-18 11:11:29.030801464 +0100
|
||||||
@@ -1605,6 +1605,110 @@ if test "x$use_pie" != "xno"; then
|
@@ -1605,6 +1605,110 @@ if test "x$use_pie" != "xno"; then
|
||||||
fi
|
CFLAGS="$SAVED_CFLAGS"
|
||||||
fi
|
AC_SUBST([PICFLAG])
|
||||||
|
|
||||||
+# Check whether user wants LDAP support
|
+# Check whether user wants LDAP support
|
||||||
+LDAP_MSG="no"
|
+LDAP_MSG="no"
|
||||||
|
@ -3,8 +3,8 @@ diff -up openssh/servconf.c.sshdt openssh/servconf.c
|
|||||||
+++ openssh/servconf.c 2015-06-24 11:44:39.734745802 +0200
|
+++ openssh/servconf.c 2015-06-24 11:44:39.734745802 +0200
|
||||||
@@ -2317,7 +2317,7 @@ dump_config(ServerOptions *o)
|
@@ -2317,7 +2317,7 @@ dump_config(ServerOptions *o)
|
||||||
dump_cfg_string(sXAuthLocation, o->xauth_location);
|
dump_cfg_string(sXAuthLocation, o->xauth_location);
|
||||||
dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
|
dump_cfg_string(sCiphers, o->ciphers);
|
||||||
dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
|
dump_cfg_string(sMacs, o->macs);
|
||||||
- dump_cfg_string(sBanner, o->banner);
|
- dump_cfg_string(sBanner, o->banner);
|
||||||
+ dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
|
+ dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
|
||||||
dump_cfg_string(sForceCommand, o->adm_forced_command);
|
dump_cfg_string(sForceCommand, o->adm_forced_command);
|
||||||
|
@ -747,20 +747,21 @@ diff -up openssh/auth2-hostbased.c.audit openssh/auth2-hostbased.c
|
|||||||
chost, key)) &&
|
chost, key)) &&
|
||||||
- PRIVSEP(sshkey_verify(key, sig, slen,
|
- PRIVSEP(sshkey_verify(key, sig, slen,
|
||||||
+ PRIVSEP(hostbased_key_verify(ssh, key, sig, slen,
|
+ PRIVSEP(hostbased_key_verify(ssh, key, sig, slen,
|
||||||
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat)) == 0)
|
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL)) == 0)
|
||||||
authenticated = 1;
|
authenticated = 1;
|
||||||
|
|
||||||
@@ -175,6 +175,19 @@ done:
|
@@ -175,6 +175,20 @@ done:
|
||||||
return authenticated;
|
return authenticated;
|
||||||
}
|
}
|
||||||
|
|
||||||
+int
|
+int
|
||||||
+hostbased_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig,
|
+hostbased_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig,
|
||||||
+ size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat)
|
+ size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat,
|
||||||
|
+ struct sshkey_sig_details **detailsp)
|
||||||
+{
|
+{
|
||||||
+ int rv;
|
+ int rv;
|
||||||
+
|
+
|
||||||
+ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat);
|
+ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat, detailsp);
|
||||||
+#ifdef SSH_AUDIT_EVENTS
|
+#ifdef SSH_AUDIT_EVENTS
|
||||||
+ audit_key(ssh, 0, &rv, key);
|
+ audit_key(ssh, 0, &rv, key);
|
||||||
+#endif
|
+#endif
|
||||||
@ -781,18 +782,19 @@ diff -up openssh/auth2-pubkey.c.audit openssh/auth2-pubkey.c
|
|||||||
+ PRIVSEP(user_key_verify(ssh, key, sig, slen,
|
+ PRIVSEP(user_key_verify(ssh, key, sig, slen,
|
||||||
sshbuf_ptr(b), sshbuf_len(b),
|
sshbuf_ptr(b), sshbuf_len(b),
|
||||||
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
|
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
|
||||||
ssh->compat)) == 0) {
|
ssh->compat, &sig_details)) == 0) {
|
||||||
@@ -278,6 +278,19 @@ done:
|
@@ -278,6 +278,20 @@ done:
|
||||||
return authenticated;
|
return authenticated;
|
||||||
}
|
}
|
||||||
|
|
||||||
+int
|
+int
|
||||||
+user_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig,
|
+user_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig,
|
||||||
+ size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat)
|
+ size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat,
|
||||||
|
+ struct sshkey_sig_details **detailsp)
|
||||||
+{
|
+{
|
||||||
+ int rv;
|
+ int rv;
|
||||||
+
|
+
|
||||||
+ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat);
|
+ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat, detailsp);
|
||||||
+#ifdef SSH_AUDIT_EVENTS
|
+#ifdef SSH_AUDIT_EVENTS
|
||||||
+ audit_key(ssh, 1, &rv, key);
|
+ audit_key(ssh, 1, &rv, key);
|
||||||
+#endif
|
+#endif
|
||||||
@ -832,7 +834,7 @@ diff -up openssh/auth.h.audit openssh/auth.h
|
|||||||
char *expand_authorized_keys(const char *, struct passwd *pw);
|
char *expand_authorized_keys(const char *, struct passwd *pw);
|
||||||
char *authorized_principals_file(struct passwd *);
|
char *authorized_principals_file(struct passwd *);
|
||||||
+int user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
|
+int user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
|
||||||
+ const u_char *, size_t, const char *, u_int);
|
+ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
|
||||||
|
|
||||||
FILE *auth_openkeyfile(const char *, struct passwd *, int);
|
FILE *auth_openkeyfile(const char *, struct passwd *, int);
|
||||||
FILE *auth_openprincipals(const char *, struct passwd *, int);
|
FILE *auth_openprincipals(const char *, struct passwd *, int);
|
||||||
@ -841,7 +843,7 @@ diff -up openssh/auth.h.audit openssh/auth.h
|
|||||||
int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
|
int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
|
||||||
u_char **, size_t *, const u_char *, size_t, const char *);
|
u_char **, size_t *, const u_char *, size_t, const char *);
|
||||||
+int hostbased_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
|
+int hostbased_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
|
||||||
+ const u_char *, size_t, const char *, u_int);
|
+ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
|
||||||
|
|
||||||
/* Key / cert options linkage to auth layer */
|
/* Key / cert options linkage to auth layer */
|
||||||
const struct sshauthopt *auth_options(struct ssh *);
|
const struct sshauthopt *auth_options(struct ssh *);
|
||||||
@ -973,9 +975,9 @@ diff -up openssh/kex.c.audit openssh/kex.c
|
|||||||
+#endif
|
+#endif
|
||||||
return SSH_ERR_NO_COMPRESS_ALG_MATCH;
|
return SSH_ERR_NO_COMPRESS_ALG_MATCH;
|
||||||
+ }
|
+ }
|
||||||
|
#ifdef WITH_ZLIB
|
||||||
if (strcmp(name, "zlib@openssh.com") == 0) {
|
if (strcmp(name, "zlib@openssh.com") == 0) {
|
||||||
comp->type = COMP_DELAYED;
|
comp->type = COMP_DELAYED;
|
||||||
} else if (strcmp(name, "zlib") == 0) {
|
|
||||||
@@ -933,7 +946,7 @@ kex_choose_conf(struct ssh *ssh)
|
@@ -933,7 +946,7 @@ kex_choose_conf(struct ssh *ssh)
|
||||||
nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
|
nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
|
||||||
nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
|
nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
|
||||||
@ -1091,16 +1093,15 @@ diff -up openssh/mac.h.audit openssh/mac.h
|
|||||||
diff -up openssh/Makefile.in.audit openssh/Makefile.in
|
diff -up openssh/Makefile.in.audit openssh/Makefile.in
|
||||||
--- openssh/Makefile.in.audit 2019-04-03 17:02:20.705885965 +0200
|
--- openssh/Makefile.in.audit 2019-04-03 17:02:20.705885965 +0200
|
||||||
+++ openssh/Makefile.in 2019-04-03 17:02:20.715886060 +0200
|
+++ openssh/Makefile.in 2019-04-03 17:02:20.715886060 +0200
|
||||||
@@ -109,7 +109,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
@@ -109,7 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||||
kexgexc.o kexgexs.o \
|
|
||||||
sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
|
sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
|
||||||
kexgssc.o \
|
kexgssc.o \
|
||||||
- platform-pledge.o platform-tracing.o platform-misc.o
|
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
||||||
+ platform-pledge.o platform-tracing.o platform-misc.o \
|
- sshbuf-io.o
|
||||||
+ auditstub.o
|
+ sshbuf-io.o auditstub.o
|
||||||
|
|
||||||
|
SKOBJS= ssh-sk-client.o
|
||||||
|
|
||||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
|
||||||
diff -up openssh/monitor.c.audit openssh/monitor.c
|
diff -up openssh/monitor.c.audit openssh/monitor.c
|
||||||
--- openssh/monitor.c.audit 2019-04-03 17:02:20.674885671 +0200
|
--- openssh/monitor.c.audit 2019-04-03 17:02:20.674885671 +0200
|
||||||
+++ openssh/monitor.c 2019-04-03 17:03:17.201421405 +0200
|
+++ openssh/monitor.c 2019-04-03 17:03:17.201421405 +0200
|
||||||
@ -1111,7 +1112,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
+#include "audit.h"
|
+#include "audit.h"
|
||||||
#include "match.h"
|
#include "match.h"
|
||||||
#include "ssherr.h"
|
#include "ssherr.h"
|
||||||
|
#include "sk-api.h"
|
||||||
@@ -107,6 +108,8 @@ extern u_char session_id[];
|
@@ -107,6 +108,8 @@ extern u_char session_id[];
|
||||||
extern struct sshbuf *loginmsg;
|
extern struct sshbuf *loginmsg;
|
||||||
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
|
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
|
||||||
@ -1157,16 +1158,16 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
{0, 0, NULL}
|
{0, 0, NULL}
|
||||||
};
|
};
|
||||||
@@ -1445,8 +1462,10 @@ mm_answer_keyverify(struct ssh *ssh, int
|
@@ -1445,8 +1462,10 @@ mm_answer_keyverify(struct ssh *ssh, int
|
||||||
char *sigalg;
|
|
||||||
size_t signaturelen, datalen, bloblen;
|
size_t signaturelen, datalen, bloblen;
|
||||||
int r, ret, valid_data = 0, encoded_ret;
|
int r, ret, req_presence = 0, valid_data = 0, encoded_ret;
|
||||||
|
struct sshkey_sig_details *sig_details = NULL;
|
||||||
+ int type = 0;
|
+ int type = 0;
|
||||||
|
|
||||||
- if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
|
- if ((r = sshbuf_get_string_direct(m, &blob, &bloblen)) != 0 ||
|
||||||
+ if ((r = sshbuf_get_u32(m, &type)) != 0 ||
|
+ if ((r = sshbuf_get_u32(m, &type)) != 0 ||
|
||||||
+ (r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
|
+ (r = sshbuf_get_string_direct(m, &blob, &bloblen)) != 0 ||
|
||||||
(r = sshbuf_get_string(m, &signature, &signaturelen)) != 0 ||
|
(r = sshbuf_get_string_direct(m, &signature, &signaturelen)) != 0 ||
|
||||||
(r = sshbuf_get_string(m, &data, &datalen)) != 0 ||
|
(r = sshbuf_get_string_direct(m, &data, &datalen)) != 0 ||
|
||||||
(r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0)
|
(r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0)
|
||||||
@@ -1455,6 +1474,8 @@ mm_answer_keyverify(struct ssh *ssh, int
|
@@ -1455,6 +1474,8 @@ mm_answer_keyverify(struct ssh *ssh, int
|
||||||
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
|
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
|
||||||
@ -1177,19 +1178,19 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
|
|
||||||
/* Empty signature algorithm means NULL. */
|
/* Empty signature algorithm means NULL. */
|
||||||
if (*sigalg == '\0') {
|
if (*sigalg == '\0') {
|
||||||
@@ -1470,21 +1491,24 @@ mm_answer_keyverify(struct ssh *ssh, int
|
@@ -1470,25 +1491,28 @@ mm_answer_keyverify(struct ssh *ssh, int
|
||||||
case MM_USERKEY:
|
case MM_USERKEY:
|
||||||
valid_data = monitor_valid_userblob(data, datalen);
|
valid_data = monitor_valid_userblob(data, datalen);
|
||||||
auth_method = "publickey";
|
auth_method = "publickey";
|
||||||
+ ret = user_key_verify(ssh, key, signature, signaturelen, data,
|
+ ret = user_key_verify(ssh, key, signature, signaturelen, data,
|
||||||
+ datalen, sigalg, ssh->compat);
|
+ datalen, sigalg, ssh->compat, &sig_details);
|
||||||
break;
|
break;
|
||||||
case MM_HOSTKEY:
|
case MM_HOSTKEY:
|
||||||
valid_data = monitor_valid_hostbasedblob(data, datalen,
|
valid_data = monitor_valid_hostbasedblob(data, datalen,
|
||||||
hostbased_cuser, hostbased_chost);
|
hostbased_cuser, hostbased_chost);
|
||||||
+ ret = hostbased_key_verify(ssh, key, signature, signaturelen, data,
|
|
||||||
+ datalen, sigalg, ssh->compat);
|
|
||||||
auth_method = "hostbased";
|
auth_method = "hostbased";
|
||||||
|
+ ret = hostbased_key_verify(ssh, key, signature, signaturelen, data,
|
||||||
|
+ datalen, sigalg, ssh->compat, &sig_details);
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
valid_data = 0;
|
valid_data = 0;
|
||||||
@ -1199,11 +1200,15 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
if (!valid_data)
|
if (!valid_data)
|
||||||
fatal("%s: bad signature data blob", __func__);
|
fatal("%s: bad signature data blob", __func__);
|
||||||
|
|
||||||
|
if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
||||||
|
SSH_FP_DEFAULT)) == NULL)
|
||||||
|
fatal("%s: sshkey_fingerprint failed", __func__);
|
||||||
|
|
||||||
- ret = sshkey_verify(key, signature, signaturelen, data, datalen,
|
- ret = sshkey_verify(key, signature, signaturelen, data, datalen,
|
||||||
- sigalg, ssh->compat);
|
- sigalg, ssh->compat, &sig_details);
|
||||||
debug3("%s: %s %p signature %s", __func__, auth_method, key,
|
debug3("%s: %s %p signature %s%s%s", __func__, auth_method, key,
|
||||||
(ret == 0) ? "verified" : "unverified");
|
(ret == 0) ? "verified" : "unverified",
|
||||||
auth2_record_key(authctxt, ret == 0, key);
|
(ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
|
||||||
@@ -1536,13 +1560,19 @@ mm_record_login(struct ssh *ssh, Session
|
@@ -1536,13 +1560,19 @@ mm_record_login(struct ssh *ssh, Session
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1459,11 +1464,11 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
|
|||||||
int
|
int
|
||||||
-mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
|
-mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||||
+mm_sshkey_verify(enum mm_keytype type, const struct sshkey *key, const u_char *sig, size_t siglen,
|
+mm_sshkey_verify(enum mm_keytype type, const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||||
const u_char *data, size_t datalen, const char *sigalg, u_int compat)
|
const u_char *data, size_t datalen, const char *sigalg, u_int compat,
|
||||||
|
struct sshkey_sig_details **sig_detailsp)
|
||||||
{
|
{
|
||||||
struct sshbuf *m;
|
|
||||||
@@ -525,7 +525,8 @@ mm_sshkey_verify(const struct sshkey *ke
|
@@ -525,7 +525,8 @@ mm_sshkey_verify(const struct sshkey *ke
|
||||||
|
*sig_detailsp = NULL;
|
||||||
if ((m = sshbuf_new()) == NULL)
|
if ((m = sshbuf_new()) == NULL)
|
||||||
fatal("%s: sshbuf_new failed", __func__);
|
fatal("%s: sshbuf_new failed", __func__);
|
||||||
- if ((r = sshkey_puts(key, m)) != 0 ||
|
- if ((r = sshkey_puts(key, m)) != 0 ||
|
||||||
@ -1472,22 +1477,24 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
|
|||||||
(r = sshbuf_put_string(m, sig, siglen)) != 0 ||
|
(r = sshbuf_put_string(m, sig, siglen)) != 0 ||
|
||||||
(r = sshbuf_put_string(m, data, datalen)) != 0 ||
|
(r = sshbuf_put_string(m, data, datalen)) != 0 ||
|
||||||
(r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0)
|
(r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0)
|
||||||
@@ -547,6 +548,20 @@ mm_sshkey_verify(const struct sshkey *ke
|
@@ -547,6 +548,22 @@ mm_sshkey_verify(const struct sshkey *ke
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
+int
|
+int
|
||||||
+mm_hostbased_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, size_t siglen,
|
+mm_hostbased_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||||
+ const u_char *data, size_t datalen, const char *pkalg, u_int compat)
|
+ const u_char *data, size_t datalen, const char *pkalg, u_int compat,
|
||||||
|
+ struct sshkey_sig_details **detailsp)
|
||||||
+{
|
+{
|
||||||
+ return mm_sshkey_verify(MM_HOSTKEY, key, sig, siglen, data, datalen, pkalg, compat);
|
+ return mm_sshkey_verify(MM_HOSTKEY, key, sig, siglen, data, datalen, pkalg, compat, detailsp);
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+int
|
+int
|
||||||
+mm_user_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, size_t siglen,
|
+mm_user_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||||
+ const u_char *data, size_t datalen, const char *pkalg, u_int compat)
|
+ const u_char *data, size_t datalen, const char *pkalg, u_int compat,
|
||||||
|
+ struct sshkey_sig_details **detailsp)
|
||||||
+{
|
+{
|
||||||
+ return mm_sshkey_verify(MM_USERKEY, key, sig, siglen, data, datalen, pkalg, compat);
|
+ return mm_sshkey_verify(MM_USERKEY, key, sig, siglen, data, datalen, pkalg, compat, detailsp);
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
void
|
void
|
||||||
@ -1632,9 +1639,9 @@ diff -up openssh/monitor_wrap.h.audit openssh/monitor_wrap.h
|
|||||||
const char *, struct sshkey *);
|
const char *, struct sshkey *);
|
||||||
-int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
|
-int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
|
||||||
+int mm_hostbased_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
|
+int mm_hostbased_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
|
||||||
+ const u_char *, size_t, const char *, u_int);
|
+ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
|
||||||
+int mm_user_key_verify(struct ssh*, const struct sshkey *, const u_char *, size_t,
|
+int mm_user_key_verify(struct ssh*, const struct sshkey *, const u_char *, size_t,
|
||||||
const u_char *, size_t, const char *, u_int);
|
const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
|
||||||
|
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
@@ -82,7 +84,12 @@ void mm_sshpam_free_ctx(void *);
|
@@ -82,7 +84,12 @@ void mm_sshpam_free_ctx(void *);
|
||||||
@ -1655,7 +1662,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
|
|||||||
--- openssh/packet.c.audit 2019-03-27 23:26:14.000000000 +0100
|
--- openssh/packet.c.audit 2019-03-27 23:26:14.000000000 +0100
|
||||||
+++ openssh/packet.c 2019-04-03 17:02:20.716886069 +0200
|
+++ openssh/packet.c 2019-04-03 17:02:20.716886069 +0200
|
||||||
@@ -77,6 +77,7 @@
|
@@ -77,6 +77,7 @@
|
||||||
#include <zlib.h>
|
#endif
|
||||||
|
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
+#include "audit.h"
|
+#include "audit.h"
|
||||||
@ -1705,7 +1712,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
|
|||||||
kex_free_newkeys(state->newkeys[mode]); /* current keys */
|
kex_free_newkeys(state->newkeys[mode]); /* current keys */
|
||||||
state->newkeys[mode] = NULL;
|
state->newkeys[mode] = NULL;
|
||||||
@@ -636,8 +641,18 @@ ssh_packet_close_internal(struct ssh *ss
|
@@ -636,8 +641,18 @@ ssh_packet_close_internal(struct ssh *ss
|
||||||
}
|
#endif /* WITH_ZLIB */
|
||||||
cipher_free(state->send_context);
|
cipher_free(state->send_context);
|
||||||
cipher_free(state->receive_context);
|
cipher_free(state->receive_context);
|
||||||
+ if (had_keys && state->server_side) {
|
+ if (had_keys && state->server_side) {
|
||||||
@ -2041,7 +2048,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
|
|||||||
+void demote_sensitive_data(struct ssh *);
|
+void demote_sensitive_data(struct ssh *);
|
||||||
static void do_ssh2_kex(struct ssh *);
|
static void do_ssh2_kex(struct ssh *);
|
||||||
|
|
||||||
/*
|
static char *listener_proctitle;
|
||||||
@@ -278,6 +279,15 @@ close_listen_socks(void)
|
@@ -278,6 +279,15 @@ close_listen_socks(void)
|
||||||
num_listen_socks = -1;
|
num_listen_socks = -1;
|
||||||
}
|
}
|
||||||
@ -2314,5 +2321,5 @@ diff -up openssh/sshkey.h.audit openssh/sshkey.h
|
|||||||
int sshkey_type_from_name(const char *);
|
int sshkey_type_from_name(const char *);
|
||||||
+int sshkey_is_private(const struct sshkey *);
|
+int sshkey_is_private(const struct sshkey *);
|
||||||
int sshkey_is_cert(const struct sshkey *);
|
int sshkey_is_cert(const struct sshkey *);
|
||||||
|
int sshkey_is_sk(const struct sshkey *);
|
||||||
int sshkey_type_is_cert(int);
|
int sshkey_type_is_cert(int);
|
||||||
int sshkey_type_plain(int);
|
|
||||||
|
@ -11,19 +11,6 @@ diff -up openssh-8.0p1/cipher-ctr.c.fips openssh-8.0p1/cipher-ctr.c
|
|||||||
#endif
|
#endif
|
||||||
return (&aes_ctr);
|
return (&aes_ctr);
|
||||||
}
|
}
|
||||||
diff -up openssh-8.0p1/clientloop.c.fips openssh-8.0p1/clientloop.c
|
|
||||||
--- openssh-8.0p1/clientloop.c.fips 2019-07-23 14:55:45.331525692 +0200
|
|
||||||
+++ openssh-8.0p1/clientloop.c 2019-07-23 14:55:45.401526401 +0200
|
|
||||||
@@ -2049,7 +2049,8 @@ key_accepted_by_hostkeyalgs(const struct
|
|
||||||
{
|
|
||||||
const char *ktype = sshkey_ssh_name(key);
|
|
||||||
const char *hostkeyalgs = options.hostkeyalgorithms != NULL ?
|
|
||||||
- options.hostkeyalgorithms : KEX_DEFAULT_PK_ALG;
|
|
||||||
+ options.hostkeyalgorithms : (FIPS_mode() ?
|
|
||||||
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG);
|
|
||||||
|
|
||||||
if (key == NULL || key->type == KEY_UNSPEC)
|
|
||||||
return 0;
|
|
||||||
diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
|
diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
|
||||||
--- openssh-8.0p1/dh.c.fips 2019-04-18 00:52:57.000000000 +0200
|
--- openssh-8.0p1/dh.c.fips 2019-04-18 00:52:57.000000000 +0200
|
||||||
+++ openssh-8.0p1/dh.c 2019-07-23 14:55:45.401526401 +0200
|
+++ openssh-8.0p1/dh.c 2019-07-23 14:55:45.401526401 +0200
|
||||||
@ -141,126 +128,113 @@ diff -up openssh-8.0p1/Makefile.in.fips openssh-8.0p1/Makefile.in
|
|||||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||||
|
|
||||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
|
||||||
$(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||||
|
|
||||||
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
|
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS)
|
||||||
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
- $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||||
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
+ $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||||
|
|
||||||
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
|
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS)
|
||||||
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
- $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||||
+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
+ $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||||
|
|
||||||
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o
|
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS)
|
||||||
- $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
- $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||||
+ $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
+ $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||||
|
|
||||||
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o
|
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSIGN_OBJS)
|
||||||
- $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
- $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||||
+ $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
+ $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||||
|
|
||||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
|
||||||
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
$(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||||
@@ -216,7 +216,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
|
@@ -216,7 +216,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
|
||||||
$(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
$(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||||
|
|
||||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||||
- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
- $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||||
+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
+ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||||
|
|
||||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o
|
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
|
||||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||||
diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
|
diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
|
||||||
--- openssh-8.0p1/myproposal.h.fips 2019-04-18 00:52:57.000000000 +0200
|
--- openssh-8.0p1/myproposal.h.fips 2019-04-18 00:52:57.000000000 +0200
|
||||||
+++ openssh-8.0p1/myproposal.h 2019-07-23 14:55:45.402526411 +0200
|
+++ openssh-8.0p1/myproposal.h 2019-07-23 14:55:45.402526411 +0200
|
||||||
@@ -111,6 +111,16 @@
|
@@ -111,6 +111,20 @@
|
||||||
"rsa-sha2-256," \
|
"rsa-sha2-256," \
|
||||||
"ssh-rsa"
|
"ssh-rsa"
|
||||||
|
|
||||||
+#define KEX_FIPS_PK_ALG \
|
+#define KEX_FIPS_PK_ALG \
|
||||||
+ HOSTKEY_ECDSA_CERT_METHODS \
|
+ "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
|
||||||
|
+ "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
|
||||||
|
+ "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
|
||||||
+ "rsa-sha2-512-cert-v01@openssh.com," \
|
+ "rsa-sha2-512-cert-v01@openssh.com," \
|
||||||
+ "rsa-sha2-256-cert-v01@openssh.com," \
|
+ "rsa-sha2-256-cert-v01@openssh.com," \
|
||||||
+ "ssh-rsa-cert-v01@openssh.com," \
|
+ "ssh-rsa-cert-v01@openssh.com," \
|
||||||
+ HOSTKEY_ECDSA_METHODS \
|
+ "ecdsa-sha2-nistp256," \
|
||||||
|
+ "ecdsa-sha2-nistp384," \
|
||||||
|
+ "ecdsa-sha2-nistp521," \
|
||||||
+ "rsa-sha2-512," \
|
+ "rsa-sha2-512," \
|
||||||
+ "rsa-sha2-256," \
|
+ "rsa-sha2-256," \
|
||||||
+ "ssh-rsa"
|
+ "ssh-rsa"
|
||||||
+
|
+
|
||||||
/* the actual algorithms */
|
|
||||||
|
|
||||||
#define KEX_SERVER_ENCRYPT \
|
#define KEX_SERVER_ENCRYPT \
|
||||||
@@ -134,6 +142,38 @@
|
"chacha20-poly1305@openssh.com," \
|
||||||
|
"aes128-ctr,aes192-ctr,aes256-ctr," \
|
||||||
|
@@ -134,6 +142,27 @@
|
||||||
|
|
||||||
#define KEX_CLIENT_MAC KEX_SERVER_MAC
|
#define KEX_CLIENT_MAC KEX_SERVER_MAC
|
||||||
|
|
||||||
+#define KEX_FIPS_ENCRYPT \
|
+#define KEX_FIPS_ENCRYPT \
|
||||||
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
|
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
|
||||||
+ "aes128-cbc,3des-cbc," \
|
+ "aes128-cbc,3des-cbc," \
|
||||||
+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se" \
|
+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
|
||||||
+ AESGCM_CIPHER_MODES
|
+ "aes128-gcm@openssh.com,aes256-gcm@openssh.com"
|
||||||
+#ifdef HAVE_EVP_SHA256
|
+#define KEX_DEFAULT_KEX_FIPS \
|
||||||
+# define KEX_DEFAULT_KEX_FIPS \
|
+ "ecdh-sha2-nistp256," \
|
||||||
+ KEX_ECDH_METHODS \
|
+ "ecdh-sha2-nistp384," \
|
||||||
+ KEX_SHA2_METHODS \
|
+ "ecdh-sha2-nistp521," \
|
||||||
|
+ "diffie-hellman-group-exchange-sha256," \
|
||||||
|
+ "diffie-hellman-group16-sha512," \
|
||||||
|
+ "diffie-hellman-group18-sha512," \
|
||||||
+ "diffie-hellman-group14-sha256"
|
+ "diffie-hellman-group14-sha256"
|
||||||
+# define KEX_FIPS_MAC \
|
+#define KEX_FIPS_MAC \
|
||||||
+ "hmac-sha1," \
|
+ "hmac-sha1," \
|
||||||
+ "hmac-sha2-256," \
|
+ "hmac-sha2-256," \
|
||||||
+ "hmac-sha2-512," \
|
+ "hmac-sha2-512," \
|
||||||
+ "hmac-sha1-etm@openssh.com," \
|
+ "hmac-sha1-etm@openssh.com," \
|
||||||
+ "hmac-sha2-256-etm@openssh.com," \
|
+ "hmac-sha2-256-etm@openssh.com," \
|
||||||
+ "hmac-sha2-512-etm@openssh.com"
|
+ "hmac-sha2-512-etm@openssh.com"
|
||||||
+#else
|
|
||||||
+# ifdef OPENSSL_HAS_NISTP521
|
|
||||||
+# define KEX_DEFAULT_KEX_FIPS \
|
|
||||||
+ "ecdh-sha2-nistp256," \
|
|
||||||
+ "ecdh-sha2-nistp384," \
|
|
||||||
+ "ecdh-sha2-nistp521"
|
|
||||||
+# else
|
|
||||||
+# define KEX_DEFAULT_KEX_FIPS \
|
|
||||||
+ "ecdh-sha2-nistp256," \
|
|
||||||
+ "ecdh-sha2-nistp384"
|
|
||||||
+# endif
|
|
||||||
+#define KEX_FIPS_MAC \
|
|
||||||
+ "hmac-sha1"
|
|
||||||
+#endif
|
|
||||||
+
|
+
|
||||||
/* Not a KEX value, but here so all the algorithm defaults are together */
|
/* Not a KEX value, but here so all the algorithm defaults are together */
|
||||||
#define SSH_ALLOWED_CA_SIGALGS \
|
#define SSH_ALLOWED_CA_SIGALGS \
|
||||||
HOSTKEY_ECDSA_METHODS \
|
"ecdsa-sha2-nistp256," \
|
||||||
diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
|
diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
|
||||||
--- openssh-8.0p1/readconf.c.fips 2019-07-23 14:55:45.334525723 +0200
|
--- openssh-8.0p1/readconf.c.fips 2019-07-23 14:55:45.334525723 +0200
|
||||||
+++ openssh-8.0p1/readconf.c 2019-07-23 14:55:45.402526411 +0200
|
+++ openssh-8.0p1/readconf.c 2019-07-23 14:55:45.402526411 +0200
|
||||||
@@ -2179,18 +2179,19 @@ fill_default_options(Options * options)
|
@@ -2179,11 +2179,16 @@ fill_default_options(Options * options)
|
||||||
all_kex = kex_alg_list(',');
|
|
||||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||||
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
||||||
-#define ASSEMBLE(what, defaults, all) \
|
/* remove unsupported algos from default lists */
|
||||||
+#define ASSEMBLE(what, defaults, fips_defaults, all) \
|
- def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher);
|
||||||
|
- def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac);
|
||||||
|
- def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex);
|
||||||
|
- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
|
||||||
|
- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
|
||||||
|
+ def_cipher = match_filter_whitelist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher);
|
||||||
|
+ def_mac = match_filter_whitelist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac);
|
||||||
|
+ def_kex = match_filter_whitelist((FIPS_mode() ?
|
||||||
|
+ KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex);
|
||||||
|
+ def_key = match_filter_whitelist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
|
||||||
|
+ def_sig = match_filter_whitelist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
|
||||||
|
#define ASSEMBLE(what, defaults, all) \
|
||||||
do { \
|
do { \
|
||||||
if ((r = kex_assemble_names(&options->what, \
|
if ((r = kex_assemble_names(&options->what, \
|
||||||
- defaults, all)) != 0) \
|
|
||||||
+ (FIPS_mode() ? fips_defaults : defaults), \
|
|
||||||
+ all)) != 0) \
|
|
||||||
fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
|
|
||||||
} while (0)
|
|
||||||
- ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher);
|
|
||||||
- ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac);
|
|
||||||
- ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex);
|
|
||||||
- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
|
||||||
- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
|
||||||
- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
|
|
||||||
+ ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
|
|
||||||
+ ASSEMBLE(macs, KEX_CLIENT_MAC, KEX_FIPS_MAC, all_mac);
|
|
||||||
+ ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
|
|
||||||
+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
|
||||||
+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
|
||||||
+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
|
|
||||||
#undef ASSEMBLE
|
|
||||||
free(all_cipher);
|
|
||||||
free(all_mac);
|
|
||||||
diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-seccomp-filter.c
|
diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-seccomp-filter.c
|
||||||
--- openssh-8.0p1/sandbox-seccomp-filter.c.fips 2019-07-23 14:55:45.373526117 +0200
|
--- openssh-8.0p1/sandbox-seccomp-filter.c.fips 2019-07-23 14:55:45.373526117 +0200
|
||||||
+++ openssh-8.0p1/sandbox-seccomp-filter.c 2019-07-23 14:55:45.402526411 +0200
|
+++ openssh-8.0p1/sandbox-seccomp-filter.c 2019-07-23 14:55:45.402526411 +0200
|
||||||
@ -277,35 +251,28 @@ diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-secco
|
|||||||
diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
|
diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
|
||||||
--- openssh-8.0p1/servconf.c.fips 2019-07-23 14:55:45.361525996 +0200
|
--- openssh-8.0p1/servconf.c.fips 2019-07-23 14:55:45.361525996 +0200
|
||||||
+++ openssh-8.0p1/servconf.c 2019-07-23 14:55:45.403526421 +0200
|
+++ openssh-8.0p1/servconf.c 2019-07-23 14:55:45.403526421 +0200
|
||||||
@@ -208,18 +208,19 @@ assemble_algorithms(ServerOptions *o)
|
@@ -208,11 +208,16 @@ assemble_algorithms(ServerOptions *o)
|
||||||
all_kex = kex_alg_list(',');
|
|
||||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||||
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
||||||
-#define ASSEMBLE(what, defaults, all) \
|
/* remove unsupported algos from default lists */
|
||||||
+#define ASSEMBLE(what, defaults, fips_defaults, all) \
|
- def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher);
|
||||||
|
- def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac);
|
||||||
|
- def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex);
|
||||||
|
- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
|
||||||
|
- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
|
||||||
|
+ def_cipher = match_filter_whitelist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher);
|
||||||
|
+ def_mac = match_filter_whitelist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac);
|
||||||
|
+ def_kex = match_filter_whitelist((FIPS_mode() ?
|
||||||
|
+ KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex);
|
||||||
|
+ def_key = match_filter_whitelist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
|
||||||
|
+ def_sig = match_filter_whitelist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
|
||||||
|
#define ASSEMBLE(what, defaults, all) \
|
||||||
do { \
|
do { \
|
||||||
- if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
|
if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
|
||||||
+ if ((r = kex_assemble_names(&o->what, (FIPS_mode() \
|
|
||||||
+ ? fips_defaults : defaults), all)) != 0) \
|
|
||||||
fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
|
|
||||||
} while (0)
|
|
||||||
- ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher);
|
|
||||||
- ASSEMBLE(macs, KEX_SERVER_MAC, all_mac);
|
|
||||||
- ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
|
|
||||||
- ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
|
|
||||||
- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
|
||||||
- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
|
||||||
- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
|
|
||||||
+ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
|
|
||||||
+ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
|
|
||||||
+ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
|
|
||||||
+ ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
|
||||||
+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
|
||||||
+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
|
||||||
+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
|
|
||||||
#undef ASSEMBLE
|
|
||||||
free(all_cipher);
|
|
||||||
free(all_mac);
|
|
||||||
diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c
|
diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c
|
||||||
--- openssh-8.0p1/ssh.c.fips 2019-07-23 14:55:45.378526168 +0200
|
--- openssh-8.0p1/ssh.c.fips 2019-07-23 14:55:45.378526168 +0200
|
||||||
+++ openssh-8.0p1/ssh.c 2019-07-23 14:55:45.403526421 +0200
|
+++ openssh-8.0p1/ssh.c 2019-07-23 14:55:45.403526421 +0200
|
||||||
@ -358,35 +325,6 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
|
|||||||
#include "openbsd-compat/sys-queue.h"
|
#include "openbsd-compat/sys-queue.h"
|
||||||
|
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
@@ -115,7 +117,8 @@ order_hostkeyalgs(char *host, struct soc
|
|
||||||
for (i = 0; i < options.num_system_hostfiles; i++)
|
|
||||||
load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
|
|
||||||
|
|
||||||
- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
|
|
||||||
+ oavail = avail = xstrdup((FIPS_mode()
|
|
||||||
+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
|
|
||||||
maxlen = strlen(avail) + 1;
|
|
||||||
first = xmalloc(maxlen);
|
|
||||||
last = xmalloc(maxlen);
|
|
||||||
@@ -182,14 +185,16 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
|
||||||
if (options.hostkeyalgorithms != NULL) {
|
|
||||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
|
||||||
if (kex_assemble_names(&options.hostkeyalgorithms,
|
|
||||||
- KEX_DEFAULT_PK_ALG, all_key) != 0)
|
|
||||||
+ (FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG),
|
|
||||||
+ all_key) != 0)
|
|
||||||
fatal("%s: kex_assemble_namelist", __func__);
|
|
||||||
free(all_key);
|
|
||||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
|
||||||
compat_pkalg_proposal(options.hostkeyalgorithms);
|
|
||||||
} else {
|
|
||||||
/* Enforce default */
|
|
||||||
- options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
|
|
||||||
+ options.hostkeyalgorithms = xstrdup((FIPS_mode()
|
|
||||||
+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
|
|
||||||
/* Prefer algorithms that we already have keys for */
|
|
||||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
|
||||||
compat_pkalg_proposal(
|
|
||||||
@@ -198,29 +203,34 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
@@ -198,29 +203,34 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
||||||
|
|
||||||
#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
@ -530,9 +468,9 @@ diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
|
|||||||
#include "sshkey.h"
|
#include "sshkey.h"
|
||||||
#include "match.h"
|
#include "match.h"
|
||||||
+#include "log.h"
|
+#include "log.h"
|
||||||
|
#include "ssh-sk.h"
|
||||||
|
|
||||||
#ifdef WITH_XMSS
|
#ifdef WITH_XMSS
|
||||||
#include "sshkey-xmss.h"
|
|
||||||
@@ -1591,6 +1593,8 @@ rsa_generate_private_key(u_int bits, RSA
|
@@ -1591,6 +1593,8 @@ rsa_generate_private_key(u_int bits, RSA
|
||||||
}
|
}
|
||||||
if (!BN_set_word(f4, RSA_F4) ||
|
if (!BN_set_word(f4, RSA_F4) ||
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
diff -up openssh-7.7p1/ssh_config.redhat openssh-7.7p1/ssh_config
|
diff -up openssh/ssh_config.redhat openssh/ssh_config
|
||||||
--- openssh-7.7p1/ssh_config.redhat 2018-04-02 07:38:28.000000000 +0200
|
--- openssh/ssh_config.redhat 2020-02-11 23:28:35.000000000 +0100
|
||||||
+++ openssh-7.7p1/ssh_config 2018-07-03 10:44:06.522245125 +0200
|
+++ openssh/ssh_config 2020-02-13 18:13:39.180641839 +0100
|
||||||
@@ -44,3 +44,7 @@
|
@@ -43,3 +43,7 @@
|
||||||
# VisualHostKey no
|
# VisualHostKey no
|
||||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||||
# RekeyLimit 1G 1h
|
# RekeyLimit 1G 1h
|
||||||
@ -9,9 +9,9 @@ diff -up openssh-7.7p1/ssh_config.redhat openssh-7.7p1/ssh_config
|
|||||||
+# To modify the system-wide ssh configuration, create a *.conf file under
|
+# To modify the system-wide ssh configuration, create a *.conf file under
|
||||||
+# /etc/ssh/ssh_config.d/ which will be automatically included below
|
+# /etc/ssh/ssh_config.d/ which will be automatically included below
|
||||||
+Include /etc/ssh/ssh_config.d/*.conf
|
+Include /etc/ssh/ssh_config.d/*.conf
|
||||||
diff -up openssh-7.7p1/ssh_config_redhat.redhat openssh-7.7p1/ssh_config_redhat
|
diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat
|
||||||
--- openssh-7.7p1/ssh_config_redhat.redhat 2018-07-03 10:44:06.522245125 +0200
|
--- openssh/ssh_config_redhat.redhat 2020-02-13 18:13:39.180641839 +0100
|
||||||
+++ openssh-7.7p1/ssh_config_redhat 2018-07-03 10:44:06.522245125 +0200
|
+++ openssh/ssh_config_redhat 2020-02-13 18:13:39.180641839 +0100
|
||||||
@@ -0,0 +1,21 @@
|
@@ -0,0 +1,21 @@
|
||||||
+# The options here are in the "Match final block" to be applied as the last
|
+# The options here are in the "Match final block" to be applied as the last
|
||||||
+# options and could be potentially overwritten by the user configuration
|
+# options and could be potentially overwritten by the user configuration
|
||||||
@ -34,11 +34,10 @@ diff -up openssh-7.7p1/ssh_config_redhat.redhat openssh-7.7p1/ssh_config_redhat
|
|||||||
+
|
+
|
||||||
+# Uncomment this if you want to use .local domain
|
+# Uncomment this if you want to use .local domain
|
||||||
+# Host *.local
|
+# Host *.local
|
||||||
+# CheckHostIP no
|
diff -up openssh/sshd_config.0.redhat openssh/sshd_config.0
|
||||||
diff -up openssh-7.7p1/sshd_config.0.redhat openssh-7.7p1/sshd_config.0
|
--- openssh/sshd_config.0.redhat 2020-02-12 14:30:04.000000000 +0100
|
||||||
--- openssh-7.7p1/sshd_config.0.redhat 2018-04-02 07:39:27.000000000 +0200
|
+++ openssh/sshd_config.0 2020-02-13 18:13:39.181641855 +0100
|
||||||
+++ openssh-7.7p1/sshd_config.0 2018-07-03 10:44:06.523245133 +0200
|
@@ -970,9 +970,9 @@ DESCRIPTION
|
||||||
@@ -872,9 +872,9 @@ DESCRIPTION
|
|
||||||
|
|
||||||
SyslogFacility
|
SyslogFacility
|
||||||
Gives the facility code that is used when logging messages from
|
Gives the facility code that is used when logging messages from
|
||||||
@ -51,10 +50,10 @@ diff -up openssh-7.7p1/sshd_config.0.redhat openssh-7.7p1/sshd_config.0
|
|||||||
|
|
||||||
TCPKeepAlive
|
TCPKeepAlive
|
||||||
Specifies whether the system should send TCP keepalive messages
|
Specifies whether the system should send TCP keepalive messages
|
||||||
diff -up openssh-7.7p1/sshd_config.5.redhat openssh-7.7p1/sshd_config.5
|
diff -up openssh/sshd_config.5.redhat openssh/sshd_config.5
|
||||||
--- openssh-7.7p1/sshd_config.5.redhat 2018-04-02 07:38:28.000000000 +0200
|
--- openssh/sshd_config.5.redhat 2020-02-11 23:28:35.000000000 +0100
|
||||||
+++ openssh-7.7p1/sshd_config.5 2018-07-03 10:44:06.523245133 +0200
|
+++ openssh/sshd_config.5 2020-02-13 18:13:39.181641855 +0100
|
||||||
@@ -1461,7 +1461,7 @@ By default no subsystems are defined.
|
@@ -1614,7 +1614,7 @@ By default no subsystems are defined.
|
||||||
.It Cm SyslogFacility
|
.It Cm SyslogFacility
|
||||||
Gives the facility code that is used when logging messages from
|
Gives the facility code that is used when logging messages from
|
||||||
.Xr sshd 8 .
|
.Xr sshd 8 .
|
||||||
@ -63,9 +62,9 @@ diff -up openssh-7.7p1/sshd_config.5.redhat openssh-7.7p1/sshd_config.5
|
|||||||
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||||
The default is AUTH.
|
The default is AUTH.
|
||||||
.It Cm TCPKeepAlive
|
.It Cm TCPKeepAlive
|
||||||
diff -up openssh-7.7p1/sshd_config.redhat openssh-7.7p1/sshd_config
|
diff -up openssh/sshd_config.redhat openssh/sshd_config
|
||||||
--- openssh-7.7p1/sshd_config.redhat 2018-04-02 07:38:28.000000000 +0200
|
--- openssh/sshd_config.redhat 2020-02-11 23:28:35.000000000 +0100
|
||||||
+++ openssh-7.7p1/sshd_config 2018-07-03 10:45:16.950782466 +0200
|
+++ openssh/sshd_config 2020-02-13 18:20:16.349913681 +0100
|
||||||
@@ -10,6 +10,10 @@
|
@@ -10,6 +10,10 @@
|
||||||
# possible, but leave them commented. Uncommented options override the
|
# possible, but leave them commented. Uncommented options override the
|
||||||
# default value.
|
# default value.
|
||||||
@ -77,10 +76,18 @@ diff -up openssh-7.7p1/sshd_config.redhat openssh-7.7p1/sshd_config
|
|||||||
#Port 22
|
#Port 22
|
||||||
#AddressFamily any
|
#AddressFamily any
|
||||||
#ListenAddress 0.0.0.0
|
#ListenAddress 0.0.0.0
|
||||||
@@ -16,8 +20,18 @@
|
@@ -114,3 +118,7 @@ Subsystem sftp /usr/libexec/sftp-server
|
||||||
# Ciphers and keying
|
# AllowTcpForwarding no
|
||||||
#RekeyLimit default none
|
# PermitTTY no
|
||||||
|
# ForceCommand cvs server
|
||||||
|
+
|
||||||
|
+# To modify the system-wide ssh configuration, create a *.conf file under
|
||||||
|
+# /etc/ssh/sshd_config.d/ which will be automatically included below
|
||||||
|
+Include /etc/ssh/sshd_config.d/*.conf
|
||||||
|
diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
|
||||||
|
--- openssh/sshd_config_redhat.redhat 2020-02-13 18:14:02.268006439 +0100
|
||||||
|
+++ openssh/sshd_config_redhat 2020-02-13 18:19:20.765035947 +0100
|
||||||
|
@@ -0,0 +1,31 @@
|
||||||
+# System-wide Crypto policy:
|
+# System-wide Crypto policy:
|
||||||
+# This system is following system-wide crypto policy. The changes to
|
+# This system is following system-wide crypto policy. The changes to
|
||||||
+# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
|
+# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
|
||||||
@ -90,69 +97,25 @@ diff -up openssh-7.7p1/sshd_config.redhat openssh-7.7p1/sshd_config
|
|||||||
+# variable in /etc/sysconfig/sshd to overwrite the policy.
|
+# variable in /etc/sysconfig/sshd to overwrite the policy.
|
||||||
+# For more information, see manual page for update-crypto-policies(8).
|
+# For more information, see manual page for update-crypto-policies(8).
|
||||||
+
|
+
|
||||||
# Logging
|
|
||||||
#SyslogFacility AUTH
|
|
||||||
+SyslogFacility AUTHPRIV
|
+SyslogFacility AUTHPRIV
|
||||||
#LogLevel INFO
|
+
|
||||||
|
|
||||||
# Authentication:
|
|
||||||
@@ -56,9 +70,11 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
||||||
# To disable tunneled clear text passwords, change to no here!
|
|
||||||
#PasswordAuthentication yes
|
|
||||||
#PermitEmptyPasswords no
|
|
||||||
+PasswordAuthentication yes
|
+PasswordAuthentication yes
|
||||||
|
|
||||||
# Change to no to disable s/key passwords
|
|
||||||
#ChallengeResponseAuthentication yes
|
|
||||||
+ChallengeResponseAuthentication no
|
+ChallengeResponseAuthentication no
|
||||||
|
+
|
||||||
# Kerberos options
|
|
||||||
#KerberosAuthentication no
|
|
||||||
@@ -67,8 +83,8 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
||||||
#KerberosGetAFSToken no
|
|
||||||
|
|
||||||
# GSSAPI options
|
|
||||||
-#GSSAPIAuthentication no
|
|
||||||
-#GSSAPICleanupCredentials yes
|
|
||||||
+GSSAPIAuthentication yes
|
+GSSAPIAuthentication yes
|
||||||
+GSSAPICleanupCredentials no
|
+GSSAPICleanupCredentials no
|
||||||
|
+
|
||||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
|
||||||
# and session processing. If this is enabled, PAM authentication will
|
|
||||||
@@ -79,16 +95,20 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
||||||
# If you just want the PAM account and session checks to run without
|
|
||||||
# PAM authentication, then enable this but set PasswordAuthentication
|
|
||||||
# and ChallengeResponseAuthentication to 'no'.
|
|
||||||
-#UsePAM no
|
|
||||||
+UsePAM yes
|
+UsePAM yes
|
||||||
|
+
|
||||||
#AllowAgentForwarding yes
|
|
||||||
#AllowTcpForwarding yes
|
|
||||||
#GatewayPorts no
|
|
||||||
-#X11Forwarding no
|
|
||||||
+X11Forwarding yes
|
+X11Forwarding yes
|
||||||
#X11DisplayOffset 10
|
|
||||||
#X11UseLocalhost yes
|
|
||||||
#PermitTTY yes
|
|
||||||
-#PrintMotd yes
|
|
||||||
+
|
+
|
||||||
+# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
|
+# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
|
||||||
+# as it is more configurable and versatile than the built-in version.
|
+# as it is more configurable and versatile than the built-in version.
|
||||||
+PrintMotd no
|
+PrintMotd no
|
||||||
+
|
+
|
||||||
#PrintLastLog yes
|
|
||||||
#TCPKeepAlive yes
|
|
||||||
#PermitUserEnvironment no
|
|
||||||
@@ -106,6 +126,12 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
||||||
# no default banner path
|
|
||||||
#Banner none
|
|
||||||
|
|
||||||
+# Accept locale-related environment variables
|
+# Accept locale-related environment variables
|
||||||
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||||
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||||
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||||
+AcceptEnv XMODIFIERS
|
+AcceptEnv XMODIFIERS
|
||||||
+
|
+
|
||||||
# override default of no subsystems
|
|
||||||
Subsystem sftp /usr/libexec/sftp-server
|
|
||||||
|
|
||||||
|
@ -3,7 +3,7 @@ diff --git a/sshd.c b/sshd.c
|
|||||||
+++ b/sshd.c
|
+++ b/sshd.c
|
||||||
@@ -1701,6 +1701,10 @@ main(int ac, char **av)
|
@@ -1701,6 +1701,10 @@ main(int ac, char **av)
|
||||||
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
||||||
cfg, NULL);
|
cfg, &includes, NULL);
|
||||||
|
|
||||||
+ /* 'UsePAM no' is not supported in Fedora */
|
+ /* 'UsePAM no' is not supported in Fedora */
|
||||||
+ if (! options.use_pam)
|
+ if (! options.use_pam)
|
||||||
@ -21,6 +21,6 @@ diff --git a/sshd_config b/sshd_config
|
|||||||
# and ChallengeResponseAuthentication to 'no'.
|
# and ChallengeResponseAuthentication to 'no'.
|
||||||
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
|
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
|
||||||
+# problems.
|
+# problems.
|
||||||
UsePAM yes
|
#UsePAM no
|
||||||
|
|
||||||
#AllowAgentForwarding yes
|
#AllowAgentForwarding yes
|
||||||
|
@ -339,7 +339,7 @@ diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
|
|||||||
+++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200
|
+++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200
|
||||||
@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
|
@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
|
||||||
int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
|
int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
|
||||||
const u_char *, size_t, const char *, u_int compat);
|
const u_char *, size_t, const char *, const char *, u_int compat);
|
||||||
void mm_inform_authserv(char *, char *);
|
void mm_inform_authserv(char *, char *);
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+void mm_inform_authrole(char *);
|
+void mm_inform_authrole(char *);
|
||||||
@ -359,7 +359,7 @@ diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Make
|
|||||||
+ port-linux-sshd.o
|
+ port-linux-sshd.o
|
||||||
|
|
||||||
.c.o:
|
.c.o:
|
||||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
$(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $<
|
||||||
diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c
|
diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c
|
||||||
--- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
--- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200
|
+++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200
|
||||||
|
@ -1,7 +1,29 @@
|
|||||||
diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
|
diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
|
||||||
--- openssh-8.0p1/ssh_config.5.crypto-policies 2019-05-13 14:04:01.999099570 +0200
|
--- openssh/ssh_config.5.crypto-policies 2020-02-07 15:05:55.665451715 +0100
|
||||||
+++ openssh-8.0p1/ssh_config.5 2019-05-13 14:12:36.343923071 +0200
|
+++ openssh/ssh_config.5 2020-02-07 15:07:11.632641922 +0100
|
||||||
@@ -445,12 +445,10 @@ aes256-gcm@openssh.com
|
@@ -361,15 +361,15 @@ domains.
|
||||||
|
.It Cm CASignatureAlgorithms
|
||||||
|
Specifies which algorithms are allowed for signing of certificates
|
||||||
|
by certificate authorities (CAs).
|
||||||
|
-The default is:
|
||||||
|
-.Bd -literal -offset indent
|
||||||
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
.Xr ssh 1
|
||||||
|
will not accept host certificates signed using algorithms other than those
|
||||||
|
specified.
|
||||||
|
+.Pp
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+To see the defaults and how to modify this default, see manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
.It Cm CertificateFile
|
||||||
|
Specifies a file from which the user's certificate is read.
|
||||||
|
A corresponding private key must be provided separately in order
|
||||||
|
@@ -453,12 +453,10 @@ aes256-gcm@openssh.com
|
||||||
chacha20-poly1305@openssh.com
|
chacha20-poly1305@openssh.com
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
@ -18,7 +40,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
|
|||||||
.Pp
|
.Pp
|
||||||
The list of available ciphers may also be obtained using
|
The list of available ciphers may also be obtained using
|
||||||
.Qq ssh -Q cipher .
|
.Qq ssh -Q cipher .
|
||||||
@@ -812,8 +810,10 @@ gss-nistp256-sha256-,
|
@@ -824,8 +822,10 @@ gss-nistp256-sha256-,
|
||||||
gss-curve25519-sha256-
|
gss-curve25519-sha256-
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
@ -31,7 +53,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
|
|||||||
This option only applies to protocol version 2 connections using GSSAPI.
|
This option only applies to protocol version 2 connections using GSSAPI.
|
||||||
.It Cm HashKnownHosts
|
.It Cm HashKnownHosts
|
||||||
Indicates that
|
Indicates that
|
||||||
@@ -1123,16 +1123,10 @@ If the specified value begins with a
|
@@ -1162,15 +1162,10 @@ If the specified list begins with a
|
||||||
.Sq ^
|
.Sq ^
|
||||||
character, then the specified methods will be placed at the head of the
|
character, then the specified methods will be placed at the head of the
|
||||||
default set.
|
default set.
|
||||||
@ -42,8 +64,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
|
|||||||
-diffie-hellman-group-exchange-sha256,
|
-diffie-hellman-group-exchange-sha256,
|
||||||
-diffie-hellman-group16-sha512,
|
-diffie-hellman-group16-sha512,
|
||||||
-diffie-hellman-group18-sha512,
|
-diffie-hellman-group18-sha512,
|
||||||
-diffie-hellman-group14-sha256,
|
-diffie-hellman-group14-sha256
|
||||||
-diffie-hellman-group14-sha1
|
|
||||||
-.Ed
|
-.Ed
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
@ -52,7 +73,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
|
|||||||
.Pp
|
.Pp
|
||||||
The list of available key exchange algorithms may also be obtained using
|
The list of available key exchange algorithms may also be obtained using
|
||||||
.Qq ssh -Q kex .
|
.Qq ssh -Q kex .
|
||||||
@@ -1210,14 +1204,10 @@ The algorithms that contain
|
@@ -1252,14 +1247,10 @@ The algorithms that contain
|
||||||
calculate the MAC after encryption (encrypt-then-mac).
|
calculate the MAC after encryption (encrypt-then-mac).
|
||||||
These are considered safer and their use recommended.
|
These are considered safer and their use recommended.
|
||||||
.Pp
|
.Pp
|
||||||
@ -71,7 +92,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
|
|||||||
.Pp
|
.Pp
|
||||||
The list of available MAC algorithms may also be obtained using
|
The list of available MAC algorithms may also be obtained using
|
||||||
.Qq ssh -Q mac .
|
.Qq ssh -Q mac .
|
||||||
@@ -1361,17 +1351,10 @@ If the specified value begins with a
|
@@ -1407,22 +1398,10 @@ If the specified list begins with a
|
||||||
.Sq ^
|
.Sq ^
|
||||||
character, then the specified key types will be placed at the head of the
|
character, then the specified key types will be placed at the head of the
|
||||||
default set.
|
default set.
|
||||||
@ -80,11 +101,16 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
|
|||||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-ssh-ed25519-cert-v01@openssh.com,
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
-ssh-rsa-cert-v01@openssh.com,
|
-ssh-rsa-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
|
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||||
|
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
@ -92,11 +118,32 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
|
|||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key types may also be obtained using
|
The list of available key types may also be obtained using
|
||||||
.Qq ssh -Q key .
|
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
||||||
diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
|
diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
||||||
--- openssh-8.0p1/sshd_config.5.crypto-policies 2019-05-13 14:12:41.226968863 +0200
|
--- openssh/sshd_config.5.crypto-policies 2020-02-07 15:05:55.639451308 +0100
|
||||||
+++ openssh-8.0p1/sshd_config.5 2019-05-13 14:15:14.581406997 +0200
|
+++ openssh/sshd_config.5 2020-02-07 15:05:55.672451825 +0100
|
||||||
@@ -490,12 +490,10 @@ aes256-gcm@openssh.com
|
@@ -377,14 +377,14 @@ By default, no banner is displayed.
|
||||||
|
.It Cm CASignatureAlgorithms
|
||||||
|
Specifies which algorithms are allowed for signing of certificates
|
||||||
|
by certificate authorities (CAs).
|
||||||
|
-The default is:
|
||||||
|
-.Bd -literal -offset indent
|
||||||
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
Certificates signed using other algorithms will not be accepted for
|
||||||
|
public key or host-based authentication.
|
||||||
|
+.Pp
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+To see the defaults and how to modify this default, see manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
.It Cm ChallengeResponseAuthentication
|
||||||
|
Specifies whether challenge-response authentication is allowed (e.g. via
|
||||||
|
PAM or through authentication styles supported in
|
||||||
|
@@ -486,12 +486,10 @@ aes256-gcm@openssh.com
|
||||||
chacha20-poly1305@openssh.com
|
chacha20-poly1305@openssh.com
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
@ -113,7 +160,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
|
|||||||
.Pp
|
.Pp
|
||||||
The list of available ciphers may also be obtained using
|
The list of available ciphers may also be obtained using
|
||||||
.Qq ssh -Q cipher .
|
.Qq ssh -Q cipher .
|
||||||
@@ -700,8 +698,10 @@ gss-nistp256-sha256-,
|
@@ -693,8 +691,10 @@ gss-nistp256-sha256-,
|
||||||
gss-curve25519-sha256-
|
gss-curve25519-sha256-
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
@ -126,7 +173,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
|
|||||||
This option only applies to protocol version 2 connections using GSSAPI.
|
This option only applies to protocol version 2 connections using GSSAPI.
|
||||||
.It Cm HostbasedAcceptedKeyTypes
|
.It Cm HostbasedAcceptedKeyTypes
|
||||||
Specifies the key types that will be accepted for hostbased authentication
|
Specifies the key types that will be accepted for hostbased authentication
|
||||||
@@ -792,17 +792,10 @@ environment variable.
|
@@ -794,22 +794,10 @@ environment variable.
|
||||||
.It Cm HostKeyAlgorithms
|
.It Cm HostKeyAlgorithms
|
||||||
Specifies the host key algorithms
|
Specifies the host key algorithms
|
||||||
that the server offers.
|
that the server offers.
|
||||||
@ -135,11 +182,16 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
|
|||||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-ssh-ed25519-cert-v01@openssh.com,
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
-ssh-rsa-cert-v01@openssh.com,
|
-ssh-rsa-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
|
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||||
|
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
@ -147,9 +199,9 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
|
|||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key types may also be obtained using
|
The list of available key types may also be obtained using
|
||||||
.Qq ssh -Q key .
|
.Qq ssh -Q HostKeyAlgorithms .
|
||||||
@@ -960,14 +953,10 @@ ecdh-sha2-nistp384
|
@@ -987,14 +975,10 @@ ecdh-sha2-nistp521
|
||||||
ecdh-sha2-nistp521
|
sntrup4591761x25519-sha512@tinyssh.org
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
-The default is:
|
-The default is:
|
||||||
@ -158,7 +210,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
|
|||||||
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||||
-diffie-hellman-group-exchange-sha256,
|
-diffie-hellman-group-exchange-sha256,
|
||||||
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
|
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
|
||||||
-diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
|
-diffie-hellman-group14-sha256
|
||||||
-.Ed
|
-.Ed
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
@ -166,8 +218,8 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
|
|||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key exchange algorithms may also be obtained using
|
The list of available key exchange algorithms may also be obtained using
|
||||||
.Qq ssh -Q kex .
|
.Qq ssh -Q KexAlgorithms .
|
||||||
@@ -1090,14 +1079,10 @@ umac-64-etm@openssh.com
|
@@ -1121,14 +1105,10 @@ umac-64-etm@openssh.com
|
||||||
umac-128-etm@openssh.com
|
umac-128-etm@openssh.com
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
@ -186,7 +238,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
|
|||||||
.Pp
|
.Pp
|
||||||
The list of available MAC algorithms may also be obtained using
|
The list of available MAC algorithms may also be obtained using
|
||||||
.Qq ssh -Q mac .
|
.Qq ssh -Q mac .
|
||||||
@@ -1455,17 +1440,10 @@ If the specified value begins with a
|
@@ -1492,22 +1472,10 @@ If the specified list begins with a
|
||||||
.Sq ^
|
.Sq ^
|
||||||
character, then the specified key types will be placed at the head of the
|
character, then the specified key types will be placed at the head of the
|
||||||
default set.
|
default set.
|
||||||
@ -195,11 +247,16 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
|
|||||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-ssh-ed25519-cert-v01@openssh.com,
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
-ssh-rsa-cert-v01@openssh.com,
|
-ssh-rsa-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
|
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||||
|
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
@ -207,4 +264,4 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
|
|||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key types may also be obtained using
|
The list of available key types may also be obtained using
|
||||||
.Qq ssh -Q key .
|
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
||||||
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,45 +0,0 @@
|
|||||||
commit 7e929163ed40f9ce90060a3ca6df558c3d901379
|
|
||||||
Author: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
Date: Wed Nov 13 12:57:05 2019 +0100
|
|
||||||
|
|
||||||
seccomp: Allow clock_nanosleep() to make OpenSSH working with latest glibc
|
|
||||||
|
|
||||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
|
||||||
index b5cda70b..be239767 100644
|
|
||||||
--- a/sandbox-seccomp-filter.c
|
|
||||||
+++ b/sandbox-seccomp-filter.c
|
|
||||||
@@ -242,6 +242,9 @@ static const struct sock_filter preauth_insns[] = {
|
|
||||||
#ifdef __NR_nanosleep
|
|
||||||
SC_ALLOW(__NR_nanosleep),
|
|
||||||
#endif
|
|
||||||
+#ifdef __NR_clock_nanosleep
|
|
||||||
+ SC_ALLOW(__NR_clock_nanosleep),
|
|
||||||
+#endif
|
|
||||||
#ifdef __NR__newselect
|
|
||||||
SC_ALLOW(__NR__newselect),
|
|
||||||
#endif
|
|
||||||
|
|
||||||
commit 500c30eaf88f26e4a74b06717fe04afec7a7516f
|
|
||||||
Author: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
Date: Wed Nov 27 11:06:55 2019 +0100
|
|
||||||
|
|
||||||
sandbox-seccomp: Allow clock_nanosleep on ARM
|
|
||||||
|
|
||||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
|
||||||
index be239767..3ef30c9d 100644
|
|
||||||
--- a/sandbox-seccomp-filter.c
|
|
||||||
+++ b/sandbox-seccomp-filter.c
|
|
||||||
@@ -245,6 +245,12 @@ static const struct sock_filter preauth_insns[] = {
|
|
||||||
#ifdef __NR_clock_nanosleep
|
|
||||||
SC_ALLOW(__NR_clock_nanosleep),
|
|
||||||
#endif
|
|
||||||
+#ifdef __NR_clock_nanosleep_time64
|
|
||||||
+ SC_ALLOW(__NR_clock_nanosleep_time64),
|
|
||||||
+#endif
|
|
||||||
+#ifdef __NR_clock_gettime64
|
|
||||||
+ SC_ALLOW(__NR_clock_gettime64),
|
|
||||||
+#endif
|
|
||||||
#ifdef __NR__newselect
|
|
||||||
SC_ALLOW(__NR__newselect),
|
|
||||||
#endif
|
|
||||||
|
|
40
openssh-8.2p1-visibility.patch
Normal file
40
openssh-8.2p1-visibility.patch
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
diff --git a/regress/misc/sk-dummy/sk-dummy.c b/regress/misc/sk-dummy/sk-dummy.c
|
||||||
|
index dca158de..afdcb1d2 100644
|
||||||
|
--- a/regress/misc/sk-dummy/sk-dummy.c
|
||||||
|
+++ b/regress/misc/sk-dummy/sk-dummy.c
|
||||||
|
@@ -71,7 +71,7 @@ skdebug(const char *func, const char *fmt, ...)
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
-uint32_t
|
||||||
|
+uint32_t __attribute__((visibility("default")))
|
||||||
|
sk_api_version(void)
|
||||||
|
{
|
||||||
|
return SSH_SK_VERSION_MAJOR;
|
||||||
|
@@ -220,7 +220,7 @@ check_options(struct sk_option **options)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
-int
|
||||||
|
+int __attribute__((visibility("default")))
|
||||||
|
sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
|
||||||
|
const char *application, uint8_t flags, const char *pin,
|
||||||
|
struct sk_option **options, struct sk_enroll_response **enroll_response)
|
||||||
|
@@ -467,7 +467,7 @@ sig_ed25519(const uint8_t *message, size_t message_len,
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
-int
|
||||||
|
+int __attribute__((visibility("default")))
|
||||||
|
sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
|
||||||
|
const char *application, const uint8_t *key_handle, size_t key_handle_len,
|
||||||
|
uint8_t flags, const char *pin, struct sk_option **options,
|
||||||
|
@@ -518,7 +518,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
-int
|
||||||
|
+int __attribute__((visibility("default")))
|
||||||
|
sk_load_resident_keys(const char *pin, struct sk_option **options,
|
||||||
|
struct sk_resident_key ***rks, size_t *nrks)
|
||||||
|
{
|
32
openssh.spec
32
openssh.spec
@ -65,10 +65,10 @@
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%global openssh_ver 8.1p1
|
%global openssh_ver 8.2p1
|
||||||
%global openssh_rel 4
|
%global openssh_rel 1
|
||||||
%global pam_ssh_agent_ver 0.10.3
|
%global pam_ssh_agent_ver 0.10.3
|
||||||
%global pam_ssh_agent_rel 8
|
%global pam_ssh_agent_rel 9
|
||||||
|
|
||||||
Summary: An open source implementation of SSH protocol version 2
|
Summary: An open source implementation of SSH protocol version 2
|
||||||
Name: openssh
|
Name: openssh
|
||||||
@ -196,7 +196,8 @@ Patch949: openssh-7.6p1-cleanup-selinux.patch
|
|||||||
# Sandbox adjustments for s390 and audit
|
# Sandbox adjustments for s390 and audit
|
||||||
Patch950: openssh-7.5p1-sandbox.patch
|
Patch950: openssh-7.5p1-sandbox.patch
|
||||||
# PKCS#11 URIs (upstream #2817, 2nd iteration)
|
# PKCS#11 URIs (upstream #2817, 2nd iteration)
|
||||||
# git diff upstream/master > ~/devel/fedora/openssh/openssh-8.0p1-pkcs11-uri.patch
|
# https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11
|
||||||
|
# git show > ~/devel/fedora/openssh/openssh-8.0p1-pkcs11-uri.patch
|
||||||
Patch951: openssh-8.0p1-pkcs11-uri.patch
|
Patch951: openssh-8.0p1-pkcs11-uri.patch
|
||||||
# Unbreak scp between two IPv6 hosts (#1620333)
|
# Unbreak scp between two IPv6 hosts (#1620333)
|
||||||
Patch953: openssh-7.8p1-scp-ipv6.patch
|
Patch953: openssh-7.8p1-scp-ipv6.patch
|
||||||
@ -210,8 +211,8 @@ Patch962: openssh-8.0p1-crypto-policies.patch
|
|||||||
Patch963: openssh-8.0p1-openssl-evp.patch
|
Patch963: openssh-8.0p1-openssl-evp.patch
|
||||||
# Use OpenSSL KDF (#1631761)
|
# Use OpenSSL KDF (#1631761)
|
||||||
Patch964: openssh-8.0p1-openssl-kdf.patch
|
Patch964: openssh-8.0p1-openssl-kdf.patch
|
||||||
# Unbreak seccomp filter with latest glibc (#1771946, #1777054)
|
# sk-dummy.so built with -fvisibility=hidden does not work
|
||||||
Patch965: openssh-8.1p1-seccomp-nanosleep.patch
|
Patch965: openssh-8.2p1-visibility.patch
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
Requires: /sbin/nologin
|
Requires: /sbin/nologin
|
||||||
@ -295,7 +296,7 @@ Requires: openssh = %{version}-%{release}
|
|||||||
%package -n pam_ssh_agent_auth
|
%package -n pam_ssh_agent_auth
|
||||||
Summary: PAM module for authentication with ssh-agent
|
Summary: PAM module for authentication with ssh-agent
|
||||||
Version: %{pam_ssh_agent_ver}
|
Version: %{pam_ssh_agent_ver}
|
||||||
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}.2
|
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
|
||||||
License: BSD
|
License: BSD
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -412,7 +413,7 @@ popd
|
|||||||
%patch962 -p1 -b .crypto-policies
|
%patch962 -p1 -b .crypto-policies
|
||||||
%patch963 -p1 -b .openssl-evp
|
%patch963 -p1 -b .openssl-evp
|
||||||
%patch964 -p1 -b .openssl-kdf
|
%patch964 -p1 -b .openssl-kdf
|
||||||
%patch965 -p1 -b .seccomp-nanosleep
|
%patch965 -p1 -b .visibility
|
||||||
|
|
||||||
%patch200 -p1 -b .audit
|
%patch200 -p1 -b .audit
|
||||||
%patch201 -p1 -b .audit-race
|
%patch201 -p1 -b .audit-race
|
||||||
@ -427,7 +428,7 @@ popd
|
|||||||
|
|
||||||
%build
|
%build
|
||||||
# the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth
|
# the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth
|
||||||
# and it makes the ssh build more clean and even optimized better
|
# it is needed for lib(open)ssh build too since it is linked to the pam module too
|
||||||
CFLAGS="$RPM_OPT_FLAGS -fvisibility=hidden"; export CFLAGS
|
CFLAGS="$RPM_OPT_FLAGS -fvisibility=hidden"; export CFLAGS
|
||||||
%if %{rescue}
|
%if %{rescue}
|
||||||
CFLAGS="$CFLAGS -Os"
|
CFLAGS="$CFLAGS -Os"
|
||||||
@ -556,6 +557,7 @@ make tests
|
|||||||
rm -rf $RPM_BUILD_ROOT
|
rm -rf $RPM_BUILD_ROOT
|
||||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
|
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
|
||||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
|
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
|
||||||
|
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d
|
||||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
|
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
|
||||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
|
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
|
||||||
make install DESTDIR=$RPM_BUILD_ROOT
|
make install DESTDIR=$RPM_BUILD_ROOT
|
||||||
@ -569,6 +571,7 @@ install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
|
|||||||
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
|
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
|
||||||
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
|
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
|
||||||
install -m644 ssh_config_redhat $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/05-redhat.conf
|
install -m644 ssh_config_redhat $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/05-redhat.conf
|
||||||
|
install -m644 sshd_config_redhat $RPM_BUILD_ROOT/etc/ssh/sshd_config.d/05-redhat.conf
|
||||||
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
|
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
|
||||||
install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
|
install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
|
||||||
install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
|
install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
|
||||||
@ -650,12 +653,14 @@ getent passwd sshd >/dev/null || \
|
|||||||
%attr(0755,root,root) %{_bindir}/sftp
|
%attr(0755,root,root) %{_bindir}/sftp
|
||||||
%attr(0755,root,root) %{_bindir}/ssh-copy-id
|
%attr(0755,root,root) %{_bindir}/ssh-copy-id
|
||||||
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
|
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
|
||||||
|
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-sk-helper
|
||||||
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
|
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
|
||||||
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
|
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
|
||||||
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
|
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
|
||||||
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
|
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
|
||||||
%attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
|
%attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
|
||||||
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
|
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
|
||||||
|
%attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if ! %{rescue}
|
%if ! %{rescue}
|
||||||
@ -670,6 +675,8 @@ getent passwd sshd >/dev/null || \
|
|||||||
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
|
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
|
||||||
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
|
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
|
||||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
||||||
|
%dir %attr(0700,root,root) %{_sysconfdir}/ssh/sshd_config.d/
|
||||||
|
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/05-redhat.conf
|
||||||
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
|
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
|
||||||
%attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
|
%attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd.service
|
%attr(0644,root,root) %{_unitdir}/sshd.service
|
||||||
@ -715,6 +722,13 @@ getent passwd sshd >/dev/null || \
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Feb 17 2020 Jakub Jelen <jjelen@redhat.com> - 8.2p1-1 + 0.10.3-9
|
||||||
|
- New upstrem reelase (#1803290)
|
||||||
|
- New /etc/ssh/sshd_config.d drop in directory
|
||||||
|
- Support for U2F security keys
|
||||||
|
- Correctly report invalid key permissions (#1801459)
|
||||||
|
- Do not write bogus information on stderr in FIPS mode (#1778224)
|
||||||
|
|
||||||
* Mon Feb 03 2020 Jakub Jelen <jjelen@redhat.com> - 8.1p1-4 + 0.10.3-8
|
* Mon Feb 03 2020 Jakub Jelen <jjelen@redhat.com> - 8.1p1-4 + 0.10.3-8
|
||||||
- Unbreak seccomp filter on ARM (#1796267)
|
- Unbreak seccomp filter on ARM (#1796267)
|
||||||
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c
|
diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
--- openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c 2018-08-24 10:22:56.281930322 +0200
|
+++ openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c 2020-02-07 10:43:05.011757956 +0100
|
||||||
@@ -27,6 +27,7 @@
|
@@ -27,6 +27,7 @@
|
||||||
* or implied, of Jamie Beverly.
|
* or implied, of Jamie Beverly.
|
||||||
*/
|
*/
|
||||||
@ -34,7 +34,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openss
|
|||||||
|
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/identity.h
|
diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/identity.h
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
--- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/identity.h 2018-08-24 10:18:05.009393312 +0200
|
+++ openssh/pam_ssh_agent_auth-0.10.3/identity.h 2020-02-07 10:43:05.011757956 +0100
|
||||||
@@ -30,8 +30,8 @@
|
@@ -30,8 +30,8 @@
|
||||||
#include "openbsd-compat/sys-queue.h"
|
#include "openbsd-compat/sys-queue.h"
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
@ -56,8 +56,8 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat openssh/pam_ss
|
|||||||
int tried;
|
int tried;
|
||||||
int isprivate; /* key points to the private key */
|
int isprivate; /* key points to the private key */
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
|
diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat 2018-08-24 10:18:05.007393297 +0200
|
--- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat 2020-02-07 10:43:05.009757925 +0100
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2018-08-24 10:18:32.937612513 +0200
|
+++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2020-02-07 10:43:05.012757972 +0100
|
||||||
@@ -36,8 +36,8 @@
|
@@ -36,8 +36,8 @@
|
||||||
#include "openbsd-compat/sys-queue.h"
|
#include "openbsd-compat/sys-queue.h"
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
@ -119,7 +119,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat
|
|||||||
const char * ruser, const char * servicename)
|
const char * ruser, const char * servicename)
|
||||||
{
|
{
|
||||||
u_char *cookie = NULL;
|
u_char *cookie = NULL;
|
||||||
@@ -114,22 +116,23 @@ pamsshagentauth_session_id2_gen(Buffer *
|
@@ -114,22 +120,23 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||||
char ** reported_argv = NULL;
|
char ** reported_argv = NULL;
|
||||||
size_t count = 0;
|
size_t count = 0;
|
||||||
char * action_logbuf = NULL;
|
char * action_logbuf = NULL;
|
||||||
@ -147,13 +147,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat
|
|||||||
}
|
}
|
||||||
cookie[i] = (u_char) rnd;
|
cookie[i] = (u_char) rnd;
|
||||||
rnd >>= 8;
|
rnd >>= 8;
|
||||||
@@ -139,12 +141,13 @@ pamsshagentauth_session_id2_gen(Buffer *
|
@@ -144,7 +151,8 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||||
if (count > 0) {
|
|
||||||
free_logbuf = 1;
|
|
||||||
action_logbuf = log_action(reported_argv, count);
|
|
||||||
- agent_action(&action_agentbuf, reported_argv, count);
|
|
||||||
+ agent_action(&action_agentbuf, reported_argv, count);
|
|
||||||
pamsshagentauth_free_command_line(reported_argv, count);
|
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
action_logbuf = "unknown on this platform";
|
action_logbuf = "unknown on this platform";
|
||||||
@ -163,7 +157,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -161,35 +163,39 @@ pamsshagentauth_session_id2_gen(Buffer *
|
@@ -161,35 +169,39 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||||
retc = getcwd(pwd, sizeof(pwd) - 1);
|
retc = getcwd(pwd, sizeof(pwd) - 1);
|
||||||
time(&ts);
|
time(&ts);
|
||||||
|
|
||||||
@ -207,6 +201,14 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat
|
|||||||
- pamsshagentauth_buffer_free(&action_agentbuf);
|
- pamsshagentauth_buffer_free(&action_agentbuf);
|
||||||
+ free(action_logbuf);
|
+ free(action_logbuf);
|
||||||
+ sshbuf_free(action_agentbuf);
|
+ sshbuf_free(action_agentbuf);
|
||||||
|
+ }
|
||||||
|
+ /* debug3("hostname: %s", hostname); */
|
||||||
|
+ if (reti >= 0) {
|
||||||
|
+ if ((r = sshbuf_put_cstring(*session_id2, hostname)) != 0)
|
||||||
|
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
|
+ } else {
|
||||||
|
+ if ((r = sshbuf_put_cstring(*session_id2, "")) != 0)
|
||||||
|
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
}
|
}
|
||||||
- /* pamsshagentauth_debug3("hostname: %s", hostname); */
|
- /* pamsshagentauth_debug3("hostname: %s", hostname); */
|
||||||
- if(reti >= 0)
|
- if(reti >= 0)
|
||||||
@ -215,21 +217,13 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat
|
|||||||
- pamsshagentauth_buffer_put_cstring(session_id2, "");
|
- pamsshagentauth_buffer_put_cstring(session_id2, "");
|
||||||
- /* pamsshagentauth_debug3("ts: %ld", ts); */
|
- /* pamsshagentauth_debug3("ts: %ld", ts); */
|
||||||
- pamsshagentauth_buffer_put_int64(session_id2, (uint64_t) ts);
|
- pamsshagentauth_buffer_put_int64(session_id2, (uint64_t) ts);
|
||||||
+ /* debug3("hostname: %s", hostname); */
|
|
||||||
+ if (reti >= 0) {
|
|
||||||
+ if ((r = sshbuf_put_cstring(*session_id2, hostname)) != 0)
|
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
+ } else {
|
|
||||||
+ if ((r = sshbuf_put_cstring(*session_id2, "")) != 0)
|
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
+ }
|
|
||||||
+ /* debug3("ts: %ld", ts); */
|
+ /* debug3("ts: %ld", ts); */
|
||||||
+ if ((r = sshbuf_put_u64(*session_id2, (uint64_t) ts)) != 0)
|
+ if ((r = sshbuf_put_u64(*session_id2, (uint64_t) ts)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
|
|
||||||
free(cookie);
|
free(cookie);
|
||||||
return;
|
return;
|
||||||
@@ -278,7 +280,8 @@ ssh_get_authentication_connection_for_ui
|
@@ -278,7 +290,8 @@ ssh_get_authentication_connection_for_ui
|
||||||
|
|
||||||
auth = xmalloc(sizeof(*auth));
|
auth = xmalloc(sizeof(*auth));
|
||||||
auth->fd = sock;
|
auth->fd = sock;
|
||||||
@ -239,7 +233,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat
|
|||||||
auth->howmany = 0;
|
auth->howmany = 0;
|
||||||
|
|
||||||
return auth;
|
return auth;
|
||||||
@@ -287,43 +289,42 @@ ssh_get_authentication_connection_for_ui
|
@@ -287,9 +300,9 @@ ssh_get_authentication_connection_for_ui
|
||||||
int
|
int
|
||||||
pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename)
|
pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename)
|
||||||
{
|
{
|
||||||
@ -251,11 +245,8 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat
|
|||||||
AuthenticationConnection *ac;
|
AuthenticationConnection *ac;
|
||||||
char *comment;
|
char *comment;
|
||||||
uint8_t retval = 0;
|
uint8_t retval = 0;
|
||||||
uid_t uid = getpwnam(ruser)->pw_uid;
|
@@ -299,31 +312,30 @@ pamsshagentauth_find_authorized_keys(con
|
||||||
|
pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
|
||||||
OpenSSL_add_all_digests();
|
|
||||||
- pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
|
|
||||||
+ pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
|
|
||||||
|
|
||||||
if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
|
if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
|
||||||
- pamsshagentauth_verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
|
- pamsshagentauth_verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
|
||||||
@ -295,8 +286,8 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat
|
|||||||
return retval;
|
return retval;
|
||||||
}
|
}
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c
|
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat 2018-08-24 10:18:05.008393305 +0200
|
--- openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat 2020-02-07 10:43:05.010757940 +0100
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c 2018-08-24 10:18:05.009393312 +0200
|
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c 2020-02-07 10:43:05.012757972 +0100
|
||||||
@@ -104,7 +104,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
@@ -104,7 +104,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
||||||
* a patch 8-)
|
* a patch 8-)
|
||||||
*/
|
*/
|
||||||
@ -386,7 +377,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
|
|||||||
cleanexit:
|
cleanexit:
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c
|
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c 2018-08-24 10:18:05.009393312 +0200
|
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c 2020-02-07 10:43:05.012757972 +0100
|
||||||
@@ -66,8 +66,8 @@
|
@@ -66,8 +66,8 @@
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
#include "match.h"
|
#include "match.h"
|
||||||
@ -453,7 +444,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compa
|
|||||||
pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid),
|
pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid),
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h
|
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h 2018-08-24 10:18:05.010393320 +0200
|
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h 2020-02-07 10:43:05.012757972 +0100
|
||||||
@@ -32,7 +32,7 @@
|
@@ -32,7 +32,7 @@
|
||||||
#define _PAM_USER_KEY_ALLOWED_H
|
#define _PAM_USER_KEY_ALLOWED_H
|
||||||
|
|
||||||
@ -465,7 +456,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compa
|
|||||||
#endif
|
#endif
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c
|
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c 2018-08-24 10:18:05.010393320 +0200
|
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c 2020-02-07 10:43:05.012757972 +0100
|
||||||
@@ -45,44 +45,46 @@
|
@@ -45,44 +45,46 @@
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
#include "ssh.h"
|
#include "ssh.h"
|
||||||
@ -742,7 +733,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat o
|
|||||||
}
|
}
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h
|
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h 2018-08-24 10:18:05.010393320 +0200
|
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h 2020-02-07 10:43:05.012757972 +0100
|
||||||
@@ -32,7 +32,7 @@
|
@@ -32,7 +32,7 @@
|
||||||
#define _PAM_USER_KEY_ALLOWED_H
|
#define _PAM_USER_KEY_ALLOWED_H
|
||||||
|
|
||||||
@ -755,7 +746,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat o
|
|||||||
#endif
|
#endif
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c
|
diff -up openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
--- openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c 2018-08-24 10:18:05.010393320 +0200
|
+++ openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c 2020-02-07 10:43:05.012757972 +0100
|
||||||
@@ -53,8 +53,8 @@
|
@@ -53,8 +53,8 @@
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
#include "match.h"
|
#include "match.h"
|
||||||
@ -799,7 +790,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh
|
|||||||
}
|
}
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
|
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2018-08-24 10:22:13.202657025 +0200
|
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2020-02-07 10:43:23.520048960 +0100
|
||||||
@@ -37,10 +37,11 @@
|
@@ -37,10 +37,11 @@
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
#include "ssh.h"
|
#include "ssh.h"
|
||||||
@ -814,7 +805,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat
|
|||||||
#include "pathnames.h"
|
#include "pathnames.h"
|
||||||
#include "misc.h"
|
#include "misc.h"
|
||||||
#include "secure_filename.h"
|
#include "secure_filename.h"
|
||||||
@@ -48,54 +48,59 @@
|
@@ -48,54 +49,59 @@
|
||||||
#include "identity.h"
|
#include "identity.h"
|
||||||
#include "pam_user_authorized_keys.h"
|
#include "pam_user_authorized_keys.h"
|
||||||
|
|
||||||
@ -833,8 +824,8 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat
|
|||||||
char *pkalg = NULL;
|
char *pkalg = NULL;
|
||||||
u_char *pkblob = NULL, *sig = NULL;
|
u_char *pkblob = NULL, *sig = NULL;
|
||||||
- u_int blen = 0, slen = 0;
|
- u_int blen = 0, slen = 0;
|
||||||
+ size_t blen = 0, slen = 0;
|
|
||||||
- int authenticated = 0;
|
- int authenticated = 0;
|
||||||
|
+ size_t blen = 0, slen = 0;
|
||||||
+ int r, authenticated = 0;
|
+ int r, authenticated = 0;
|
||||||
|
|
||||||
- pkalg = (char *) key_ssh_name(id->key);
|
- pkalg = (char *) key_ssh_name(id->key);
|
||||||
@ -879,7 +870,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat
|
|||||||
|
|
||||||
/* test for correct signature */
|
/* test for correct signature */
|
||||||
- if(pamsshagentauth_key_verify(id->key, sig, slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) == 1)
|
- if(pamsshagentauth_key_verify(id->key, sig, slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) == 1)
|
||||||
+ if (sshkey_verify(id->key, sig, slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0) == 0)
|
+ if (sshkey_verify(id->key, sig, slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0, NULL) == 0)
|
||||||
authenticated = 1;
|
authenticated = 1;
|
||||||
|
|
||||||
user_auth_clean_exit:
|
user_auth_clean_exit:
|
||||||
@ -898,7 +889,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat
|
|||||||
}
|
}
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h
|
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h 2018-08-24 10:18:05.010393320 +0200
|
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h 2020-02-07 10:43:05.013757988 +0100
|
||||||
@@ -31,7 +31,7 @@
|
@@ -31,7 +31,7 @@
|
||||||
#ifndef _USERAUTH_PUBKEY_FROM_ID_H
|
#ifndef _USERAUTH_PUBKEY_FROM_ID_H
|
||||||
#define _USERAUTH_PUBKEY_FROM_ID_H
|
#define _USERAUTH_PUBKEY_FROM_ID_H
|
||||||
@ -911,7 +902,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat
|
|||||||
#endif
|
#endif
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/uuencode.c
|
diff -up openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/uuencode.c
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
--- openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/uuencode.c 2018-08-24 10:18:05.010393320 +0200
|
+++ openssh/pam_ssh_agent_auth-0.10.3/uuencode.c 2020-02-07 10:43:05.013757988 +0100
|
||||||
@@ -56,7 +56,7 @@ pamsshagentauth_uudecode(const char *src
|
@@ -56,7 +56,7 @@ pamsshagentauth_uudecode(const char *src
|
||||||
/* and remove trailing whitespace because __b64_pton needs this */
|
/* and remove trailing whitespace because __b64_pton needs this */
|
||||||
*p = '\0';
|
*p = '\0';
|
||||||
|
@ -159,15 +159,17 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh-
|
|||||||
LIBS=@LIBS@
|
LIBS=@LIBS@
|
||||||
AR=@AR@
|
AR=@AR@
|
||||||
AWK=@AWK@
|
AWK=@AWK@
|
||||||
@@ -61,7 +61,7 @@ INSTALL=@INSTALL@
|
@@ -61,8 +61,8 @@ INSTALL=@INSTALL@
|
||||||
PERL=@PERL@
|
PERL=@PERL@
|
||||||
SED=@SED@
|
SED=@SED@
|
||||||
ENT=@ENT@
|
ENT=@ENT@
|
||||||
-LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
|
-LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
|
||||||
|
-LDFLAGS_SHARED = @LDFLAGS_SHARED@
|
||||||
+LDFLAGS=-L.. -L../openbsd-compat/ @LDFLAGS@
|
+LDFLAGS=-L.. -L../openbsd-compat/ @LDFLAGS@
|
||||||
LDFLAGS_SHARED = @LDFLAGS_SHARED@
|
+LDFLAGS_SHARED =-Wl,-z,defs @LDFLAGS_SHARED@
|
||||||
EXEEXT=@EXEEXT@
|
EXEEXT=@EXEEXT@
|
||||||
|
|
||||||
|
INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
|
||||||
@@ -74,7 +74,7 @@ SSHOBJS=xmalloc.o atomicio.o authfd.o bu
|
@@ -74,7 +74,7 @@ SSHOBJS=xmalloc.o atomicio.o authfd.o bu
|
||||||
|
|
||||||
ED25519OBJS=ed25519-donna/ed25519.o
|
ED25519OBJS=ed25519-donna/ed25519.o
|
||||||
@ -189,8 +191,8 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh-
|
|||||||
|
|
||||||
-pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
|
-pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
|
||||||
- $(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam
|
- $(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam
|
||||||
+pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o ../uidswap.o
|
+pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o ../uidswap.o ../ssh-sk-client.o
|
||||||
+ $(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat pam_ssh_agent_auth.o ../uidswap.o $(LIBS) -lpam
|
+ $(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) ../ssh-sk-client.o $(LDFLAGS) -lssh -lopenbsd-compat pam_ssh_agent_auth.o ../uidswap.o $(LIBS) -lpam
|
||||||
|
|
||||||
$(MANPAGES): $(MANPAGES_IN)
|
$(MANPAGES): $(MANPAGES_IN)
|
||||||
pod2man --section=8 --release=v0.10.3 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8
|
pod2man --section=8 --release=v0.10.3 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8
|
||||||
|
4
sources
4
sources
@ -1,4 +1,4 @@
|
|||||||
SHA512 (openssh-8.1p1.tar.gz) = b987ea4ffd4ab0c94110723860273b06ed8ffb4d21cbd99ca144a4722dc55f4bf86f6253d500386b6bee7af50f066e2aa2dd095d50746509a10e11221d39d925
|
SHA512 (openssh-8.2p1.tar.gz) = c4db64e52a3a4c410de9de49f9cb104dd493b10250af3599b92457dd986277b3fd99a6f51cec94892fd1be5bd0369c5757262ea7805f0de464b245c3d34c120a
|
||||||
SHA512 (openssh-8.1p1.tar.gz.asc) = f36458ef8822376a5b305cfbc971f5d2db8bf2f48fea9a957e02ef2fc27a48bacb59495587fee81fa2d89bca6250a8fb407e1f5a7dae7ceb361ab332c0771344
|
SHA512 (openssh-8.2p1.tar.gz.asc) = e6d091289d62d3a01d5978e3c26f72d8ea6979c345fbebc215515185ea567c959f5b17e32052d752829ab4c6bc537fd977f7aa02cf0a23280da63fd9d880f303
|
||||||
SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
|
SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
|
||||||
SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66
|
SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66
|
||||||
|
Loading…
Reference in New Issue
Block a user