		
	openssh-8.2p1-1 + 0.10.3-9
		
							parent
							
								
									ee9cb005b3
								
							
						
					
					
						commit
						51f5c1c99f
					
				
							
								
								
									
										2
									
								
								.gitignore
									
									
									
									
									
									
								
							
							
						
						
									
										2
									
								
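--- a/.gitignore
+++ b/.gitignore
@@ -38,3 +38,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
 /openssh-8.0p1.tar.gz.asc
 /openssh-8.1p1.tar.gz
 /openssh-8.1p1.tar.gz.asc
+/openssh-8.2p1.tar.gz
+/openssh-8.2p1.tar.gz.asc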
| @ -9,7 +9,7 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr | |||||||
|  #include <gtk/gtk.h> |  #include <gtk/gtk.h> | ||||||
|  #include <gdk/gdkx.h> |  #include <gdk/gdkx.h> | ||||||
|   |   | ||||||
| @@ -81,13 +82,24 @@ ok_dialog(GtkWidget *entry, gpointer dia
 | @@ -81,14 +82,25 @@ ok_dialog(GtkWidget *entry, gpointer dia
 | ||||||
|  	gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); |  	gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); | ||||||
|  } |  } | ||||||
|   |   | ||||||
| @ -25,57 +25,54 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr | |||||||
| +}
 | +}
 | ||||||
| +
 | +
 | ||||||
|  static int |  static int | ||||||
|  passphrase_dialog(char *message) |  passphrase_dialog(char *message, int prompt_type) | ||||||
|  { |  { | ||||||
|  	const char *failed; |  	const char *failed; | ||||||
|  	char *passphrase, *local; |  	char *passphrase, *local; | ||||||
|  	int result, grab_tries, grab_server, grab_pointer; |  	int result, grab_tries, grab_server, grab_pointer; | ||||||
|  |  	int buttons, default_response; | ||||||
| -	GtkWidget *parent_window, *dialog, *entry;
 | -	GtkWidget *parent_window, *dialog, *entry;
 | ||||||
| +	GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
 | +	GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
 | ||||||
|  	GdkGrabStatus status; |  	GdkGrabStatus status; | ||||||
|   |   | ||||||
|  	grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL); |  	grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL); | ||||||
| @@ -104,14 +116,32 @@ passphrase_dialog(char *message)
 | @@ -104,16 +116,37 @@ passphrase_dialog(char *message)
 | ||||||
|  					"%s", |  	gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE); | ||||||
|  					message); |  | ||||||
|   |   | ||||||
| +	hbox = gtk_hbox_new(FALSE, 0);
 |  	if (prompt_type == PROMPT_ENTRY) { | ||||||
| +	gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
 | +		hbox = gtk_hbox_new(FALSE, 0);
 | ||||||
| +	    FALSE, 0);
 | +		gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
 | ||||||
| +	gtk_widget_show(hbox);
 | +		    FALSE, 0);
 | ||||||
|  | +		gtk_widget_show(hbox);
 | ||||||
| +
 | +
 | ||||||
|  	entry = gtk_entry_new(); | 		entry = gtk_entry_new(); | ||||||
|  	gtk_box_pack_start( | 		gtk_box_pack_start( | ||||||
| -	    GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), entry,
 | -		    GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))),
 | ||||||
| -	    FALSE, FALSE, 0);
 | -		    entry, FALSE, FALSE, 0);
 | ||||||
| +	    GTK_BOX(hbox), entry,
 | +		    GTK_BOX(hbox), entry,
 | ||||||
| +	    TRUE, FALSE, 0);
 | +		    TRUE, FALSE, 0);
 | ||||||
| +	gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
 | +		gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
 | ||||||
|  	gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); |  		gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); | ||||||
|  	gtk_widget_grab_focus(entry); |  		gtk_widget_grab_focus(entry); | ||||||
|  	gtk_widget_show(entry); |  		gtk_widget_show(entry); | ||||||
|   |  		/* Make <enter> close dialog */ | ||||||
| +	hbox = gtk_hbox_new(FALSE, 0);
 |  		g_signal_connect(G_OBJECT(entry), "activate", | ||||||
| +	gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
 |  				 G_CALLBACK(ok_dialog), dialog); | ||||||
|  | +
 | ||||||
|  | +		hbox = gtk_hbox_new(FALSE, 0);
 | ||||||
|  | +		gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
 | ||||||
| +	    FALSE, 8);
 | +	    FALSE, 8);
 | ||||||
| +	gtk_widget_show(hbox);
 | +		gtk_widget_show(hbox);
 | ||||||
| +
 | +
 | ||||||
| +	progress = gtk_progress_bar_new();
 | +		progress = gtk_progress_bar_new();
 | ||||||
| +	
 |  | ||||||
| +	gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), "Passphrase length hidden intentionally");
 |  | ||||||
| +	gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
 |  | ||||||
| +	    TRUE, 5);
 |  | ||||||
| +	gtk_widget_show(progress);
 |  | ||||||
| +
 | +
 | ||||||
|  	gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH"); | +		gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), "Passphrase length hidden intentionally");
 | ||||||
|  	gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER); | +		gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
 | ||||||
|  	gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE); | +		    TRUE, 5);
 | ||||||
| @@ -120,6 +150,8 @@ passphrase_dialog(char *message)
 | +		gtk_widget_show(progress);
 | ||||||
|  	gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); | +		g_signal_connect(G_OBJECT(entry), "changed",
 | ||||||
|  	g_signal_connect(G_OBJECT(entry), "activate", | +				 G_CALLBACK(move_progress), progress);
 | ||||||
|  			 G_CALLBACK(ok_dialog), dialog); | +
 | ||||||
| +	g_signal_connect(G_OBJECT(entry), "changed",
 |  	} | ||||||
| +			 G_CALLBACK(move_progress), progress);
 |  | ||||||
|   |  | ||||||
|  	gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE); |  | ||||||
|   |   | ||||||
|  |  	/* Grab focus */ | ||||||
|  | |||||||
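Review bot: The rebased hunk packs the new hbox into `GTK_DIALOG(dialog)->vbox` (both `gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, ...)` calls inside the `if (prompt_type == PROMPT_ENTRY)` block), while the upstream line it displaces used the accessor `gtk_dialog_get_content_area(GTK_DIALOG(dialog))`. Direct struct-member access is inconsistent with the accessor-based code this patch edits and is the form GTK's sealed-instance builds reject, so the two packing calls should read `gtk_box_pack_start(GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), hbox, FALSE, FALSE, 0);` (and the same with the `8` spacing for the progress row). The `gtk_progress_bar_set_text(..., "Passphrase length hidden intentionally")` label and the `"changed"` hookup to `move_progress` are the only visible parts of the length-masking behaviour; a one-line comment above the progress-bar creation, `/* bar moves on every keystroke so the fill level does not reveal passphrase length */`, would make that intent explicit for the next rebase. The body of `passphrase_dialog` continues outside this hunk, so `move_progress` itself cannot be checked from here.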
| @ -56,8 +56,8 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c | |||||||
| +	pmonitor->m_state = "postauth";
 | +	pmonitor->m_state = "postauth";
 | ||||||
| +
 | +
 | ||||||
|  	monitor_set_child_handler(pmonitor->m_pid); |  	monitor_set_child_handler(pmonitor->m_pid); | ||||||
|  	signal(SIGHUP, &monitor_child_handler); |  	ssh_signal(SIGHUP, &monitor_child_handler); | ||||||
|  	signal(SIGTERM, &monitor_child_handler); |  	ssh_signal(SIGTERM, &monitor_child_handler); | ||||||
| @@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
 | @@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
 | ||||||
|  	if (log_level_name(level) == NULL) |  	if (log_level_name(level) == NULL) | ||||||
|  		fatal("%s: invalid log level %u (corrupted message?)", |  		fatal("%s: invalid log level %u (corrupted message?)", | ||||||
|  | |||||||
| @ -122,7 +122,7 @@ diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config | |||||||
| --- openssh-7.4p1/sshd_config.GSSAPIEnablek5users	2016-12-23 15:18:40.616216100 +0100
 | --- openssh-7.4p1/sshd_config.GSSAPIEnablek5users	2016-12-23 15:18:40.616216100 +0100
 | ||||||
| +++ openssh-7.4p1/sshd_config	2016-12-23 15:18:40.631216103 +0100
 | +++ openssh-7.4p1/sshd_config	2016-12-23 15:18:40.631216103 +0100
 | ||||||
| @@ -80,6 +80,7 @@ GSSAPIAuthentication yes
 | @@ -80,6 +80,7 @@ GSSAPIAuthentication yes
 | ||||||
|  GSSAPICleanupCredentials no |  #GSSAPICleanupCredentials yes | ||||||
|  #GSSAPIStrictAcceptorCheck yes |  #GSSAPIStrictAcceptorCheck yes | ||||||
|  #GSSAPIKeyExchange no |  #GSSAPIKeyExchange no | ||||||
| +#GSSAPIEnablek5users no
 | +#GSSAPIEnablek5users no
 | ||||||
|  | |||||||
| @ -7,14 +7,14 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in | |||||||
|  SSH_KEYCAT=$(libexecdir)/ssh-keycat |  SSH_KEYCAT=$(libexecdir)/ssh-keycat | ||||||
| +CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
 | +CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
 | ||||||
|  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper |  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper | ||||||
|  |  SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper | ||||||
|  PRIVSEP_PATH=@PRIVSEP_PATH@ |  PRIVSEP_PATH=@PRIVSEP_PATH@ | ||||||
|  SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ |  | ||||||
| @@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
 | @@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
 | ||||||
|  MKDIR_P=@MKDIR_P@ |  | ||||||
|  INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ |  | ||||||
|   |   | ||||||
| -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
 |  .SUFFIXES: .lo | ||||||
| +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
 |   | ||||||
|  | -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
 | ||||||
|  | +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
 | ||||||
|   |   | ||||||
|  XMSS_OBJS=\ |  XMSS_OBJS=\ | ||||||
|  	ssh-xmss.o \ |  	ssh-xmss.o \ | ||||||
| @ -25,8 +25,8 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in | |||||||
| +ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
 | +ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
 | ||||||
| +	$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
 | +	$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
 | ||||||
| +
 | +
 | ||||||
|  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o |  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) | ||||||
|  	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) |  	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) | ||||||
|   |   | ||||||
| @@ -326,6 +330,7 @@ install-files:
 | @@ -326,6 +330,7 @@ install-files:
 | ||||||
|  		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ |  		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ | ||||||
|  | |||||||
| @ -41,22 +41,22 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in | |||||||
|  SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper |  SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper | ||||||
| +SSH_KEYCAT=$(libexecdir)/ssh-keycat
 | +SSH_KEYCAT=$(libexecdir)/ssh-keycat
 | ||||||
|  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper |  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper | ||||||
|  |  SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper | ||||||
|  PRIVSEP_PATH=@PRIVSEP_PATH@ |  PRIVSEP_PATH=@PRIVSEP_PATH@ | ||||||
|  SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ |  | ||||||
| @@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@
 | @@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@
 | ||||||
|  GSSLIBS=@GSSLIBS@ |  GSSLIBS=@GSSLIBS@ | ||||||
|  SSHLIBS=@SSHLIBS@ |  SSHLIBS=@SSHLIBS@ | ||||||
|  SSHDLIBS=@SSHDLIBS@ |  SSHDLIBS=@SSHDLIBS@ | ||||||
| +KEYCATLIBS=@KEYCATLIBS@
 | +KEYCATLIBS=@KEYCATLIBS@
 | ||||||
|  LIBEDIT=@LIBEDIT@ |  LIBEDIT=@LIBEDIT@ | ||||||
|  |  LIBFIDO2=@LIBFIDO2@ | ||||||
|  AR=@AR@ |  AR=@AR@ | ||||||
|  AWK=@AWK@ |  | ||||||
| @@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
 | @@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
 | ||||||
|  MKDIR_P=@MKDIR_P@ |  | ||||||
|  INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ |  | ||||||
|   |   | ||||||
| -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
 |  .SUFFIXES: .lo | ||||||
| +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
 |   | ||||||
|  | -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT)
 | ||||||
|  | +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
 | ||||||
|   |   | ||||||
|  XMSS_OBJS=\ |  XMSS_OBJS=\ | ||||||
|  	ssh-xmss.o \ |  	ssh-xmss.o \ | ||||||
| @ -67,8 +67,8 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in | |||||||
| +ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
 | +ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
 | ||||||
| +	$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
 | +	$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
 | ||||||
| +
 | +
 | ||||||
|  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o |  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) | ||||||
|  	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) |  	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) | ||||||
|   |   | ||||||
| @@ -321,6 +325,7 @@ install-files:
 | @@ -321,6 +325,7 @@ install-files:
 | ||||||
|  		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ |  		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ | ||||||
|  | |||||||
| @ -217,7 +217,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c | |||||||
|  	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, |  	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, | ||||||
|  	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, |  	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, | ||||||
| @@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
 | @@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
 | ||||||
|  		*activep = value; |  		*activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value; | ||||||
|  		break; |  		break; | ||||||
|   |   | ||||||
| +	case sKerberosUseKuserok:
 | +	case sKerberosUseKuserok:
 | ||||||
| @ -286,4 +286,4 @@ diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config | |||||||
| +#KerberosUseKuserok yes
 | +#KerberosUseKuserok yes
 | ||||||
|   |   | ||||||
|  # GSSAPI options |  # GSSAPI options | ||||||
|  GSSAPIAuthentication yes |  #GSSAPIAuthentication no | ||||||
|  | |||||||
| @ -136,11 +136,11 @@ diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c | |||||||
| --- openssh-7.4p1/sftp.c.coverity	2016-12-19 05:59:41.000000000 +0100
 | --- openssh-7.4p1/sftp.c.coverity	2016-12-19 05:59:41.000000000 +0100
 | ||||||
| +++ openssh-7.4p1/sftp.c	2016-12-23 16:40:26.903788691 +0100
 | +++ openssh-7.4p1/sftp.c	2016-12-23 16:40:26.903788691 +0100
 | ||||||
| @@ -224,7 +224,7 @@ killchild(int signo)
 | @@ -224,7 +224,7 @@ killchild(int signo)
 | ||||||
|  { |  	pid = sshpid; | ||||||
|  	if (sshpid > 1) { |  	if (pid > 1) { | ||||||
|  		kill(sshpid, SIGTERM); |  		kill(pid, SIGTERM); | ||||||
| -		waitpid(sshpid, NULL, 0);
 | -		waitpid(pid, NULL, 0);
 | ||||||
| +		(void) waitpid(sshpid, NULL, 0);
 | +		(void) waitpid(pid, NULL, 0);
 | ||||||
|  	} |  	} | ||||||
|   |   | ||||||
|  	_exit(1); |  	_exit(1); | ||||||
|  | |||||||
| @ -7,14 +7,14 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in | |||||||
|  CTR_CAVSTEST=$(libexecdir)/ctr-cavstest |  CTR_CAVSTEST=$(libexecdir)/ctr-cavstest | ||||||
| +SSH_CAVS=$(libexecdir)/ssh-cavs
 | +SSH_CAVS=$(libexecdir)/ssh-cavs
 | ||||||
|  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper |  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper | ||||||
|  |  SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper | ||||||
|  PRIVSEP_PATH=@PRIVSEP_PATH@ |  PRIVSEP_PATH=@PRIVSEP_PATH@ | ||||||
|  SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ |  | ||||||
| @@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@
 | @@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@
 | ||||||
|  MKDIR_P=@MKDIR_P@ |  | ||||||
|  INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ |  | ||||||
|   |   | ||||||
| -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
 |  .SUFFIXES: .lo | ||||||
| +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
 |   | ||||||
|  | -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
 | ||||||
|  | +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
 | ||||||
|   |   | ||||||
|  XMSS_OBJS=\ |  XMSS_OBJS=\ | ||||||
|  	ssh-xmss.o \ |  	ssh-xmss.o \ | ||||||
| @ -22,11 +22,11 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in | |||||||
|  ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o |  ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o | ||||||
|  	$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) |  	$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) | ||||||
|   |   | ||||||
| +ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o
 | +ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS)
 | ||||||
| +	$(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 | +	$(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 | ||||||
| +
 | +
 | ||||||
|  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o |  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) | ||||||
|  	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) |  	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) | ||||||
|   |   | ||||||
| @@ -331,6 +335,8 @@ install-files:
 | @@ -331,6 +335,8 @@ install-files:
 | ||||||
|  	fi |  	fi | ||||||
|  | |||||||
| @ -134,52 +134,54 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in | |||||||
| +SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
 | +SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
 | ||||||
| +SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
 | +SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
 | ||||||
|  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper |  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper | ||||||
|  |  SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper | ||||||
|  PRIVSEP_PATH=@PRIVSEP_PATH@ |  PRIVSEP_PATH=@PRIVSEP_PATH@ | ||||||
|  SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ |  | ||||||
| @@ -50,6 +50,7 @@
 | @@ -50,6 +50,7 @@
 | ||||||
|  CFLAGS=@CFLAGS@ |  | ||||||
|  CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ |  CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ | ||||||
|  |  PICFLAG=@PICFLAG@ | ||||||
|  LIBS=@LIBS@ |  LIBS=@LIBS@ | ||||||
| +LDAPLIBS=@LDAPLIBS@
 | +LDAPLIBS=@LDAPLIBS@
 | ||||||
|  K5LIBS=@K5LIBS@ |  K5LIBS=@K5LIBS@ | ||||||
|  GSSLIBS=@GSSLIBS@ |  GSSLIBS=@GSSLIBS@ | ||||||
|  SSHLIBS=@SSHLIBS@ |  SSHLIBS=@SSHLIBS@ | ||||||
| @@ -61,8 +63,9 @@ XAUTH_PATH=@XAUTH_PATH@
 | @@ -61,10 +63,11 @@ XAUTH_PATH=@XAUTH_PATH@
 | ||||||
|  EXEEXT=@EXEEXT@ |  EXEEXT=@EXEEXT@ | ||||||
|  MANFMT=@MANFMT@ |  MANFMT=@MANFMT@ | ||||||
|  MKDIR_P=@MKDIR_P@ |  MKDIR_P=@MKDIR_P@ | ||||||
| +INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
 | +INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
 | ||||||
|   |   | ||||||
| -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
 |  .SUFFIXES: .lo | ||||||
| +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
 |   | ||||||
|  | -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
 | ||||||
|  | +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT)
 | ||||||
|   |   | ||||||
|  XMSS_OBJS=\ |  XMSS_OBJS=\ | ||||||
|  	ssh-xmss.o \ |  	ssh-xmss.o \ | ||||||
| @@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
 | @@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
 | ||||||
|  	sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \ |  | ||||||
|  	sandbox-solaris.o uidswap.o |  | ||||||
|   |   | ||||||
| -MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
 |  SFTP_OBJS=	sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o | ||||||
| -MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
 |   | ||||||
| +MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
 | -MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out
 | ||||||
| +MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
 | -MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5
 | ||||||
|  | +MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
 | ||||||
|  | +MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
 | ||||||
|  MANTYPE		= @MANTYPE@ |  MANTYPE		= @MANTYPE@ | ||||||
|   |   | ||||||
|  CONFIGFILES=sshd_config.out ssh_config.out moduli.out |  CONFIGFILES=sshd_config.out ssh_config.out moduli.out | ||||||
| @@ -184,6 +187,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
 | @@ -184,6 +187,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
 | ||||||
|  ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o |  ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS) | ||||||
|  	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) |  	$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) | ||||||
|   |   | ||||||
| +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
 | +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
 | ||||||
| +	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS)
 | +	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS)
 | ||||||
| +
 | +
 | ||||||
|  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o |  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) | ||||||
|  	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) |  	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) | ||||||
|   |   | ||||||
| @@ -311,6 +317,10 @@ install-files:
 | @@ -311,6 +317,10 @@ install-files:
 | ||||||
|  	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) |  | ||||||
|  	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) |  	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) | ||||||
|  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) |  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) | ||||||
|  |  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) | ||||||
| +	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
 | +	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
 | ||||||
| +		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
 | +		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
 | ||||||
| +		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
 | +		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
 | ||||||
| @ -188,9 +190,9 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in | |||||||
|  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) |  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) | ||||||
|  	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 |  	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 | ||||||
| @@ -327,6 +337,10 @@ install-files:
 | @@ -327,6 +337,10 @@ install-files:
 | ||||||
|  	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 |  | ||||||
|  	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 |  	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 | ||||||
|  	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 |  	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 | ||||||
|  |  	$(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 | ||||||
| +	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
 | +	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
 | ||||||
| +		$(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
 | +		$(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
 | ||||||
| +		$(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
 | +		$(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
 | ||||||
| @ -213,18 +215,18 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in | |||||||
|  host-key: ssh-keygen$(EXEEXT) |  host-key: ssh-keygen$(EXEEXT) | ||||||
|  	@if [ -z "$(DESTDIR)" ] ; then \ |  	@if [ -z "$(DESTDIR)" ] ; then \ | ||||||
| @@ -419,6 +440,8 @@ uninstall:
 | @@ -419,6 +440,8 @@ uninstall:
 | ||||||
|  	-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) |  | ||||||
|  	-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) |  	-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) | ||||||
|  	-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) |  	-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) | ||||||
|  |  	-rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) | ||||||
| +	-rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
 | +	-rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
 | ||||||
| +	-rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
 | +	-rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
 | ||||||
|  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 |  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 | ||||||
|  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 |  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 | ||||||
|  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 |  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 | ||||||
| @@ -430,6 +453,7 @@ uninstall:
 | @@ -430,6 +453,7 @@ uninstall:
 | ||||||
|  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 |  | ||||||
|  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 |  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 | ||||||
|  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 |  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 | ||||||
|  |  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 | ||||||
| +	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
 | +	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
 | ||||||
|   |   | ||||||
|  regress-prep: |  regress-prep: | ||||||
| @ -233,8 +235,8 @@ diff -up openssh-6.8p1/configure.ac.ldap openssh-6.8p1/configure.ac | |||||||
| --- openssh-6.8p1/configure.ac.ldap	2015-03-17 06:49:20.000000000 +0100
 | --- openssh-6.8p1/configure.ac.ldap	2015-03-17 06:49:20.000000000 +0100
 | ||||||
| +++ openssh-6.8p1/configure.ac	2015-03-18 11:11:29.030801464 +0100
 | +++ openssh-6.8p1/configure.ac	2015-03-18 11:11:29.030801464 +0100
 | ||||||
| @@ -1605,6 +1605,110 @@ if test "x$use_pie" != "xno"; then
 | @@ -1605,6 +1605,110 @@ if test "x$use_pie" != "xno"; then
 | ||||||
|  	fi |  CFLAGS="$SAVED_CFLAGS" | ||||||
|  fi |  AC_SUBST([PICFLAG]) | ||||||
|   |   | ||||||
| +# Check whether user wants LDAP support
 | +# Check whether user wants LDAP support
 | ||||||
| +LDAP_MSG="no"
 | +LDAP_MSG="no"
 | ||||||
|  | |||||||
| @ -3,8 +3,8 @@ diff -up openssh/servconf.c.sshdt openssh/servconf.c | |||||||
| +++ openssh/servconf.c	2015-06-24 11:44:39.734745802 +0200
 | +++ openssh/servconf.c	2015-06-24 11:44:39.734745802 +0200
 | ||||||
| @@ -2317,7 +2317,7 @@ dump_config(ServerOptions *o)
 | @@ -2317,7 +2317,7 @@ dump_config(ServerOptions *o)
 | ||||||
|  	dump_cfg_string(sXAuthLocation, o->xauth_location); |  	dump_cfg_string(sXAuthLocation, o->xauth_location); | ||||||
|  	dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT); |  	dump_cfg_string(sCiphers, o->ciphers); | ||||||
|  	dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC); |  	dump_cfg_string(sMacs, o->macs); | ||||||
| -	dump_cfg_string(sBanner, o->banner);
 | -	dump_cfg_string(sBanner, o->banner);
 | ||||||
| +	dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
 | +	dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
 | ||||||
|  	dump_cfg_string(sForceCommand, o->adm_forced_command); |  	dump_cfg_string(sForceCommand, o->adm_forced_command); | ||||||
|  | |||||||
| @ -747,20 +747,21 @@ diff -up openssh/auth2-hostbased.c.audit openssh/auth2-hostbased.c | |||||||
|  	    chost, key)) && |  	    chost, key)) && | ||||||
| -	    PRIVSEP(sshkey_verify(key, sig, slen,
 | -	    PRIVSEP(sshkey_verify(key, sig, slen,
 | ||||||
| +	    PRIVSEP(hostbased_key_verify(ssh, key, sig, slen,
 | +	    PRIVSEP(hostbased_key_verify(ssh, key, sig, slen,
 | ||||||
|  	    sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat)) == 0) |  	    sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL)) == 0) | ||||||
|  		authenticated = 1; |  		authenticated = 1; | ||||||
|   |   | ||||||
| @@ -175,6 +175,19 @@ done:
 | @@ -175,6 +175,20 @@ done:
 | ||||||
|  	return authenticated; |  	return authenticated; | ||||||
|  } |  } | ||||||
|   |   | ||||||
| +int
 | +int
 | ||||||
| +hostbased_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig,
 | +hostbased_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig,
 | ||||||
| +    size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat)
 | +    size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat,
 | ||||||
|  | +    struct sshkey_sig_details **detailsp)
 | ||||||
| +{
 | +{
 | ||||||
| +	int rv;
 | +	int rv;
 | ||||||
| +
 | +
 | ||||||
| +	rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat);
 | +	rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat, detailsp);
 | ||||||
| +#ifdef SSH_AUDIT_EVENTS
 | +#ifdef SSH_AUDIT_EVENTS
 | ||||||
| +	audit_key(ssh, 0, &rv, key);
 | +	audit_key(ssh, 0, &rv, key);
 | ||||||
| +#endif
 | +#endif
 | ||||||
| @ -781,18 +782,19 @@ diff -up openssh/auth2-pubkey.c.audit openssh/auth2-pubkey.c | |||||||
| +		    PRIVSEP(user_key_verify(ssh, key, sig, slen,
 | +		    PRIVSEP(user_key_verify(ssh, key, sig, slen,
 | ||||||
|  		    sshbuf_ptr(b), sshbuf_len(b), |  		    sshbuf_ptr(b), sshbuf_len(b), | ||||||
|  		    (ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL, |  		    (ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL, | ||||||
|  		    ssh->compat)) == 0) { |  		    ssh->compat, &sig_details)) == 0) { | ||||||
| @@ -278,6 +278,19 @@ done:
 | @@ -278,6 +278,20 @@ done:
 | ||||||
|  	return authenticated; |  	return authenticated; | ||||||
|  } |  } | ||||||
|   |   | ||||||
| +int
 | +int
 | ||||||
| +user_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig,
 | +user_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig,
 | ||||||
| +    size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat)
 | +    size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat,
 | ||||||
|  | +    struct sshkey_sig_details **detailsp)
 | ||||||
| +{
 | +{
 | ||||||
| +	int rv;
 | +	int rv;
 | ||||||
| +
 | +
 | ||||||
| +	rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat);
 | +	rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat, detailsp);
 | ||||||
| +#ifdef SSH_AUDIT_EVENTS
 | +#ifdef SSH_AUDIT_EVENTS
 | ||||||
| +	audit_key(ssh, 1, &rv, key);
 | +	audit_key(ssh, 1, &rv, key);
 | ||||||
| +#endif
 | +#endif
 | ||||||
| @ -832,7 +834,7 @@ diff -up openssh/auth.h.audit openssh/auth.h | |||||||
|  char	*expand_authorized_keys(const char *, struct passwd *pw); |  char	*expand_authorized_keys(const char *, struct passwd *pw); | ||||||
|  char	*authorized_principals_file(struct passwd *); |  char	*authorized_principals_file(struct passwd *); | ||||||
| +int	 user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
 | +int	 user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
 | ||||||
| +    const u_char *, size_t, const char *, u_int);
 | +    const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
 | ||||||
|   |   | ||||||
|  FILE	*auth_openkeyfile(const char *, struct passwd *, int); |  FILE	*auth_openkeyfile(const char *, struct passwd *, int); | ||||||
|  FILE	*auth_openprincipals(const char *, struct passwd *, int); |  FILE	*auth_openprincipals(const char *, struct passwd *, int); | ||||||
| @ -841,7 +843,7 @@ diff -up openssh/auth.h.audit openssh/auth.h | |||||||
|  int	 sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *, |  int	 sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *, | ||||||
|      u_char **, size_t *, const u_char *, size_t, const char *); |      u_char **, size_t *, const u_char *, size_t, const char *); | ||||||
| +int	 hostbased_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
 | +int	 hostbased_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
 | ||||||
| +    const u_char *, size_t, const char *, u_int);
 | +    const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
 | ||||||
|   |   | ||||||
|  /* Key / cert options linkage to auth layer */ |  /* Key / cert options linkage to auth layer */ | ||||||
|  const struct sshauthopt *auth_options(struct ssh *); |  const struct sshauthopt *auth_options(struct ssh *); | ||||||
| @ -973,9 +975,9 @@ diff -up openssh/kex.c.audit openssh/kex.c | |||||||
| +#endif
 | +#endif
 | ||||||
|  		return SSH_ERR_NO_COMPRESS_ALG_MATCH; |  		return SSH_ERR_NO_COMPRESS_ALG_MATCH; | ||||||
| +	}
 | +	}
 | ||||||
|  |  #ifdef WITH_ZLIB | ||||||
|  	if (strcmp(name, "zlib@openssh.com") == 0) { |  	if (strcmp(name, "zlib@openssh.com") == 0) { | ||||||
|  		comp->type = COMP_DELAYED; |  		comp->type = COMP_DELAYED; | ||||||
|  	} else if (strcmp(name, "zlib") == 0) { |  | ||||||
| @@ -933,7 +946,7 @@ kex_choose_conf(struct ssh *ssh)
 | @@ -933,7 +946,7 @@ kex_choose_conf(struct ssh *ssh)
 | ||||||
|  		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC; |  		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC; | ||||||
|  		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC; |  		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC; | ||||||
| @ -1091,16 +1093,15 @@ diff -up openssh/mac.h.audit openssh/mac.h | |||||||
| diff -up openssh/Makefile.in.audit openssh/Makefile.in
 | diff -up openssh/Makefile.in.audit openssh/Makefile.in
 | ||||||
| --- openssh/Makefile.in.audit	2019-04-03 17:02:20.705885965 +0200
 | --- openssh/Makefile.in.audit	2019-04-03 17:02:20.705885965 +0200
 | ||||||
| +++ openssh/Makefile.in	2019-04-03 17:02:20.715886060 +0200
 | +++ openssh/Makefile.in	2019-04-03 17:02:20.715886060 +0200
 | ||||||
| @@ -109,7 +109,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
 | @@ -109,7 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
 | ||||||
|  	kexgexc.o kexgexs.o \ |  | ||||||
|  	sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \ |  	sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \ | ||||||
|  	kexgssc.o \ |  	kexgssc.o \ | ||||||
| -	platform-pledge.o platform-tracing.o platform-misc.o
 | 	sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \ | ||||||
| +	platform-pledge.o platform-tracing.o platform-misc.o \
 | -	sshbuf-io.o
 | ||||||
| +	auditstub.o
 | +	sshbuf-io.o auditstub.o
 | ||||||
|   |   | ||||||
|  |  SKOBJS=	ssh-sk-client.o | ||||||
|   |   | ||||||
|  SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ |  | ||||||
| diff -up openssh/monitor.c.audit openssh/monitor.c
 | diff -up openssh/monitor.c.audit openssh/monitor.c
 | ||||||
| --- openssh/monitor.c.audit	2019-04-03 17:02:20.674885671 +0200
 | --- openssh/monitor.c.audit	2019-04-03 17:02:20.674885671 +0200
 | ||||||
| +++ openssh/monitor.c	2019-04-03 17:03:17.201421405 +0200
 | +++ openssh/monitor.c	2019-04-03 17:03:17.201421405 +0200
 | ||||||
| @ -1111,7 +1112,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c | |||||||
| +#include "audit.h"
 | +#include "audit.h"
 | ||||||
|  #include "match.h" |  #include "match.h" | ||||||
|  #include "ssherr.h" |  #include "ssherr.h" | ||||||
|   |  #include "sk-api.h" | ||||||
| @@ -107,6 +108,8 @@ extern u_char session_id[];
 | @@ -107,6 +108,8 @@ extern u_char session_id[];
 | ||||||
|  extern struct sshbuf *loginmsg; |  extern struct sshbuf *loginmsg; | ||||||
|  extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */ |  extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */ | ||||||
| @ -1157,16 +1158,16 @@ diff -up openssh/monitor.c.audit openssh/monitor.c | |||||||
|      {0, 0, NULL} |      {0, 0, NULL} | ||||||
|  }; |  }; | ||||||
| @@ -1445,8 +1462,10 @@ mm_answer_keyverify(struct ssh *ssh, int
 | @@ -1445,8 +1462,10 @@ mm_answer_keyverify(struct ssh *ssh, int
 | ||||||
|  	char *sigalg; |  | ||||||
|  	size_t signaturelen, datalen, bloblen; |  	size_t signaturelen, datalen, bloblen; | ||||||
|  	int r, ret, valid_data = 0, encoded_ret; |  	int r, ret, req_presence = 0, valid_data = 0, encoded_ret; | ||||||
|  |  	struct sshkey_sig_details *sig_details = NULL; | ||||||
| +	int type = 0;
 | +	int type = 0;
 | ||||||
|   |   | ||||||
| -	if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
 | -	if ((r = sshbuf_get_string_direct(m, &blob, &bloblen)) != 0 ||
 | ||||||
| +	if ((r = sshbuf_get_u32(m, &type)) != 0 ||
 | +	if ((r = sshbuf_get_u32(m, &type)) != 0 ||
 | ||||||
| +	    (r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
 | +	    (r = sshbuf_get_string_direct(m, &blob, &bloblen)) != 0 ||
 | ||||||
|  	    (r = sshbuf_get_string(m, &signature, &signaturelen)) != 0 || |  	    (r = sshbuf_get_string_direct(m, &signature, &signaturelen)) != 0 || | ||||||
|  	    (r = sshbuf_get_string(m, &data, &datalen)) != 0 || |  	    (r = sshbuf_get_string_direct(m, &data, &datalen)) != 0 || | ||||||
|  	    (r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0) |  	    (r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0) | ||||||
| @@ -1455,6 +1474,8 @@ mm_answer_keyverify(struct ssh *ssh, int
 | @@ -1455,6 +1474,8 @@ mm_answer_keyverify(struct ssh *ssh, int
 | ||||||
|  	if (hostbased_cuser == NULL || hostbased_chost == NULL || |  	if (hostbased_cuser == NULL || hostbased_chost == NULL || | ||||||
| @ -1177,19 +1178,19 @@ diff -up openssh/monitor.c.audit openssh/monitor.c | |||||||
|   |   | ||||||
|  	/* Empty signature algorithm means NULL. */ |  	/* Empty signature algorithm means NULL. */ | ||||||
|  	if (*sigalg == '\0') { |  	if (*sigalg == '\0') { | ||||||
| @@ -1470,21 +1491,24 @@ mm_answer_keyverify(struct ssh *ssh, int
 | @@ -1470,25 +1491,28 @@ mm_answer_keyverify(struct ssh *ssh, int
 | ||||||
|  	case MM_USERKEY: |  	case MM_USERKEY: | ||||||
|  		valid_data = monitor_valid_userblob(data, datalen); |  		valid_data = monitor_valid_userblob(data, datalen); | ||||||
|  		auth_method = "publickey"; |  		auth_method = "publickey"; | ||||||
| +		ret = user_key_verify(ssh, key, signature, signaturelen, data,
 | +		ret = user_key_verify(ssh, key, signature, signaturelen, data,
 | ||||||
| +		    datalen, sigalg, ssh->compat);
 | +		    datalen, sigalg, ssh->compat, &sig_details);
 | ||||||
|  		break; |  		break; | ||||||
|  	case MM_HOSTKEY: |  	case MM_HOSTKEY: | ||||||
|  		valid_data = monitor_valid_hostbasedblob(data, datalen, |  		valid_data = monitor_valid_hostbasedblob(data, datalen, | ||||||
|  		    hostbased_cuser, hostbased_chost); |  		    hostbased_cuser, hostbased_chost); | ||||||
| +		ret = hostbased_key_verify(ssh, key, signature, signaturelen, data,
 |  | ||||||
| +		    datalen, sigalg, ssh->compat);
 |  | ||||||
|  		auth_method = "hostbased"; |  		auth_method = "hostbased"; | ||||||
|  | +		ret = hostbased_key_verify(ssh, key, signature, signaturelen, data,
 | ||||||
|  | +		    datalen, sigalg, ssh->compat, &sig_details);
 | ||||||
|  		break; |  		break; | ||||||
|  	default: |  	default: | ||||||
|  		valid_data = 0; |  		valid_data = 0; | ||||||
| @ -1199,11 +1200,15 @@ diff -up openssh/monitor.c.audit openssh/monitor.c | |||||||
|  	if (!valid_data) |  	if (!valid_data) | ||||||
|  		fatal("%s: bad signature data blob", __func__); |  		fatal("%s: bad signature data blob", __func__); | ||||||
|   |   | ||||||
|  |  	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash, | ||||||
|  |  	    SSH_FP_DEFAULT)) == NULL) | ||||||
|  |  		fatal("%s: sshkey_fingerprint failed", __func__); | ||||||
|  |   | ||||||
| -	ret = sshkey_verify(key, signature, signaturelen, data, datalen,
 | -	ret = sshkey_verify(key, signature, signaturelen, data, datalen,
 | ||||||
| -	    sigalg, ssh->compat);
 | -	    sigalg, ssh->compat, &sig_details);
 | ||||||
|  	debug3("%s: %s %p signature %s", __func__, auth_method, key, |  	debug3("%s: %s %p signature %s%s%s", __func__, auth_method, key, | ||||||
|  	    (ret == 0) ? "verified" : "unverified"); |  	    (ret == 0) ? "verified" : "unverified", | ||||||
|  	auth2_record_key(authctxt, ret == 0, key); |  	    (ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : ""); | ||||||
| @@ -1536,13 +1560,19 @@ mm_record_login(struct ssh *ssh, Session
 | @@ -1536,13 +1560,19 @@ mm_record_login(struct ssh *ssh, Session
 | ||||||
|  } |  } | ||||||
|   |   | ||||||
| @ -1459,11 +1464,11 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c | |||||||
|  int |  int | ||||||
| -mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
 | -mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
 | ||||||
| +mm_sshkey_verify(enum mm_keytype type, const struct sshkey *key, const u_char *sig, size_t siglen,
 | +mm_sshkey_verify(enum mm_keytype type, const struct sshkey *key, const u_char *sig, size_t siglen,
 | ||||||
|      const u_char *data, size_t datalen, const char *sigalg, u_int compat) |      const u_char *data, size_t datalen, const char *sigalg, u_int compat, | ||||||
|  |      struct sshkey_sig_details **sig_detailsp) | ||||||
|  { |  { | ||||||
|  	struct sshbuf *m; |  | ||||||
| @@ -525,7 +525,8 @@ mm_sshkey_verify(const struct sshkey *ke
 | @@ -525,7 +525,8 @@ mm_sshkey_verify(const struct sshkey *ke
 | ||||||
|   |  		*sig_detailsp = NULL; | ||||||
|  	if ((m = sshbuf_new()) == NULL) |  	if ((m = sshbuf_new()) == NULL) | ||||||
|  		fatal("%s: sshbuf_new failed", __func__); |  		fatal("%s: sshbuf_new failed", __func__); | ||||||
| -	if ((r = sshkey_puts(key, m)) != 0 ||
 | -	if ((r = sshkey_puts(key, m)) != 0 ||
 | ||||||
| @ -1472,22 +1477,24 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c | |||||||
|  	    (r = sshbuf_put_string(m, sig, siglen)) != 0 || |  	    (r = sshbuf_put_string(m, sig, siglen)) != 0 || | ||||||
|  	    (r = sshbuf_put_string(m, data, datalen)) != 0 || |  	    (r = sshbuf_put_string(m, data, datalen)) != 0 || | ||||||
|  	    (r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0) |  	    (r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0) | ||||||
| @@ -547,6 +548,20 @@ mm_sshkey_verify(const struct sshkey *ke
 | @@ -547,6 +548,22 @@ mm_sshkey_verify(const struct sshkey *ke
 | ||||||
|  	return 0; |  	return 0; | ||||||
|  } |  } | ||||||
|   |   | ||||||
| +int
 | +int
 | ||||||
| +mm_hostbased_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, size_t siglen,
 | +mm_hostbased_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, size_t siglen,
 | ||||||
| +    const u_char *data, size_t datalen, const char *pkalg, u_int compat)
 | +    const u_char *data, size_t datalen, const char *pkalg, u_int compat,
 | ||||||
|  | +    struct sshkey_sig_details **detailsp)
 | ||||||
| +{
 | +{
 | ||||||
| +	return mm_sshkey_verify(MM_HOSTKEY, key, sig, siglen, data, datalen, pkalg, compat);
 | +	return mm_sshkey_verify(MM_HOSTKEY, key, sig, siglen, data, datalen, pkalg, compat, detailsp);
 | ||||||
| +}
 | +}
 | ||||||
| +
 | +
 | ||||||
| +int
 | +int
 | ||||||
| +mm_user_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, size_t siglen,
 | +mm_user_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, size_t siglen,
 | ||||||
| +    const u_char *data, size_t datalen, const char *pkalg, u_int compat)
 | +    const u_char *data, size_t datalen, const char *pkalg, u_int compat,
 | ||||||
|  | +    struct sshkey_sig_details **detailsp)
 | ||||||
| +{
 | +{
 | ||||||
| +	return mm_sshkey_verify(MM_USERKEY, key, sig, siglen, data, datalen, pkalg, compat);
 | +	return mm_sshkey_verify(MM_USERKEY, key, sig, siglen, data, datalen, pkalg, compat, detailsp);
 | ||||||
| +}
 | +}
 | ||||||
| +
 | +
 | ||||||
|  void |  void | ||||||
| @ -1632,9 +1639,9 @@ diff -up openssh/monitor_wrap.h.audit openssh/monitor_wrap.h | |||||||
|      const char *, struct sshkey *); |      const char *, struct sshkey *); | ||||||
| -int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
 | -int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
 | ||||||
| +int mm_hostbased_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
 | +int mm_hostbased_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
 | ||||||
| +    const u_char *, size_t, const char *, u_int);
 | +    const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
 | ||||||
| +int mm_user_key_verify(struct ssh*, const struct sshkey *, const u_char *, size_t,
 | +int mm_user_key_verify(struct ssh*, const struct sshkey *, const u_char *, size_t,
 | ||||||
|      const u_char *, size_t, const char *, u_int); |      const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **); | ||||||
|   |   | ||||||
|  #ifdef GSSAPI |  #ifdef GSSAPI | ||||||
| @@ -82,7 +84,12 @@ void mm_sshpam_free_ctx(void *);
 | @@ -82,7 +84,12 @@ void mm_sshpam_free_ctx(void *);
 | ||||||
| @ -1655,7 +1662,7 @@ diff -up openssh/packet.c.audit openssh/packet.c | |||||||
| --- openssh/packet.c.audit	2019-03-27 23:26:14.000000000 +0100
 | --- openssh/packet.c.audit	2019-03-27 23:26:14.000000000 +0100
 | ||||||
| +++ openssh/packet.c	2019-04-03 17:02:20.716886069 +0200
 | +++ openssh/packet.c	2019-04-03 17:02:20.716886069 +0200
 | ||||||
| @@ -77,6 +77,7 @@
 | @@ -77,6 +77,7 @@
 | ||||||
|  #include <zlib.h> |  #endif | ||||||
|   |   | ||||||
|  #include "xmalloc.h" |  #include "xmalloc.h" | ||||||
| +#include "audit.h"
 | +#include "audit.h"
 | ||||||
| @ -1705,7 +1712,7 @@ diff -up openssh/packet.c.audit openssh/packet.c | |||||||
|  		kex_free_newkeys(state->newkeys[mode]);	/* current keys */ |  		kex_free_newkeys(state->newkeys[mode]);	/* current keys */ | ||||||
|  		state->newkeys[mode] = NULL; |  		state->newkeys[mode] = NULL; | ||||||
| @@ -636,8 +641,18 @@ ssh_packet_close_internal(struct ssh *ss
 | @@ -636,8 +641,18 @@ ssh_packet_close_internal(struct ssh *ss
 | ||||||
|  	} |  #endif	/* WITH_ZLIB */ | ||||||
|  	cipher_free(state->send_context); |  	cipher_free(state->send_context); | ||||||
|  	cipher_free(state->receive_context); |  	cipher_free(state->receive_context); | ||||||
| +	if (had_keys && state->server_side) {
 | +	if (had_keys && state->server_side) {
 | ||||||
| @ -2041,7 +2048,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c | |||||||
| +void demote_sensitive_data(struct ssh *);
 | +void demote_sensitive_data(struct ssh *);
 | ||||||
|  static void do_ssh2_kex(struct ssh *); |  static void do_ssh2_kex(struct ssh *); | ||||||
|   |   | ||||||
|  /* |  static char *listener_proctitle; | ||||||
| @@ -278,6 +279,15 @@ close_listen_socks(void)
 | @@ -278,6 +279,15 @@ close_listen_socks(void)
 | ||||||
|  	num_listen_socks = -1; |  	num_listen_socks = -1; | ||||||
|  } |  } | ||||||
| @ -2314,5 +2321,5 @@ diff -up openssh/sshkey.h.audit openssh/sshkey.h | |||||||
|  int	 sshkey_type_from_name(const char *); |  int	 sshkey_type_from_name(const char *); | ||||||
| +int	 sshkey_is_private(const struct sshkey *);
 | +int	 sshkey_is_private(const struct sshkey *);
 | ||||||
|  int	 sshkey_is_cert(const struct sshkey *); |  int	 sshkey_is_cert(const struct sshkey *); | ||||||
|  |  int	 sshkey_is_sk(const struct sshkey *); | ||||||
|  int	 sshkey_type_is_cert(int); |  int	 sshkey_type_is_cert(int); | ||||||
|  int	 sshkey_type_plain(int); |  | ||||||
|  | |||||||
| @ -11,19 +11,6 @@ diff -up openssh-8.0p1/cipher-ctr.c.fips openssh-8.0p1/cipher-ctr.c | |||||||
|  #endif |  #endif | ||||||
|  	return (&aes_ctr); |  	return (&aes_ctr); | ||||||
|  } |  } | ||||||
| diff -up openssh-8.0p1/clientloop.c.fips openssh-8.0p1/clientloop.c
 |  | ||||||
| --- openssh-8.0p1/clientloop.c.fips	2019-07-23 14:55:45.331525692 +0200
 |  | ||||||
| +++ openssh-8.0p1/clientloop.c	2019-07-23 14:55:45.401526401 +0200
 |  | ||||||
| @@ -2049,7 +2049,8 @@ key_accepted_by_hostkeyalgs(const struct
 |  | ||||||
|  { |  | ||||||
|  	const char *ktype = sshkey_ssh_name(key); |  | ||||||
|  	const char *hostkeyalgs = options.hostkeyalgorithms != NULL ? |  | ||||||
| -	    options.hostkeyalgorithms : KEX_DEFAULT_PK_ALG;
 |  | ||||||
| +	    options.hostkeyalgorithms : (FIPS_mode() ?
 |  | ||||||
| +	    KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG);
 |  | ||||||
|   |  | ||||||
|  	if (key == NULL || key->type == KEY_UNSPEC) |  | ||||||
|  		return 0; |  | ||||||
| diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
 | diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
 | ||||||
| --- openssh-8.0p1/dh.c.fips	2019-04-18 00:52:57.000000000 +0200
 | --- openssh-8.0p1/dh.c.fips	2019-04-18 00:52:57.000000000 +0200
 | ||||||
| +++ openssh-8.0p1/dh.c	2019-07-23 14:55:45.401526401 +0200
 | +++ openssh-8.0p1/dh.c	2019-07-23 14:55:45.401526401 +0200
 | ||||||
| @ -141,126 +128,113 @@ diff -up openssh-8.0p1/Makefile.in.fips openssh-8.0p1/Makefile.in | |||||||
| -	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
 | -	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
 | ||||||
| +	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
 | +	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
 | ||||||
|   |   | ||||||
|  scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o |  scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS) | ||||||
|  	$(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) |  	$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) | ||||||
|   |   | ||||||
|  ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o |  ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS) | ||||||
| -	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 | -	$(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 | ||||||
| +	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 | +	$(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 | ||||||
|   |   | ||||||
|  ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o |  ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS) | ||||||
| -	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 | -	$(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 | ||||||
| +	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 | +	$(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 | ||||||
|   |   | ||||||
|  ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o |  ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS) | ||||||
| -	$(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 | -	$(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 | ||||||
| +	$(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 | +	$(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 | ||||||
|   |   | ||||||
|  ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o |  ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSIGN_OBJS) | ||||||
| -	$(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 | -	$(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 | ||||||
| +	$(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 | +	$(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 | ||||||
|   |   | ||||||
|  ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o |  ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS) | ||||||
|  	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) |  	$(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) | ||||||
| @@ -216,7 +216,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
 | @@ -216,7 +216,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
 | ||||||
|  	$(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) |  	$(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) | ||||||
|   |   | ||||||
|  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o |  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) | ||||||
| -	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 | -	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 | ||||||
| +	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
 | +	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
 | ||||||
|   |   | ||||||
|  sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o |  sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS) | ||||||
|  	$(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) |  	$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) | ||||||
| diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
 | diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
 | ||||||
| --- openssh-8.0p1/myproposal.h.fips	2019-04-18 00:52:57.000000000 +0200
 | --- openssh-8.0p1/myproposal.h.fips	2019-04-18 00:52:57.000000000 +0200
 | ||||||
| +++ openssh-8.0p1/myproposal.h	2019-07-23 14:55:45.402526411 +0200
 | +++ openssh-8.0p1/myproposal.h	2019-07-23 14:55:45.402526411 +0200
 | ||||||
| @@ -111,6 +111,16 @@
 | @@ -111,6 +111,20 @@
 | ||||||
|  	"rsa-sha2-256," \ |  	"rsa-sha2-256," \ | ||||||
|  	"ssh-rsa" |  	"ssh-rsa" | ||||||
|   |   | ||||||
| +#define	KEX_FIPS_PK_ALG	\
 | +#define	KEX_FIPS_PK_ALG	\
 | ||||||
| +	HOSTKEY_ECDSA_CERT_METHODS \
 | +	"ecdsa-sha2-nistp256-cert-v01@openssh.com," \
 | ||||||
|  | +	"ecdsa-sha2-nistp384-cert-v01@openssh.com," \
 | ||||||
|  | +	"ecdsa-sha2-nistp521-cert-v01@openssh.com," \
 | ||||||
| +	"rsa-sha2-512-cert-v01@openssh.com," \
 | +	"rsa-sha2-512-cert-v01@openssh.com," \
 | ||||||
| +	"rsa-sha2-256-cert-v01@openssh.com," \
 | +	"rsa-sha2-256-cert-v01@openssh.com," \
 | ||||||
| +	"ssh-rsa-cert-v01@openssh.com," \
 | +	"ssh-rsa-cert-v01@openssh.com," \
 | ||||||
| +	HOSTKEY_ECDSA_METHODS \
 | +	"ecdsa-sha2-nistp256," \
 | ||||||
|  | +	"ecdsa-sha2-nistp384," \
 | ||||||
|  | +	"ecdsa-sha2-nistp521," \
 | ||||||
| +	"rsa-sha2-512," \
 | +	"rsa-sha2-512," \
 | ||||||
| +	"rsa-sha2-256," \
 | +	"rsa-sha2-256," \
 | ||||||
| +	"ssh-rsa"
 | +	"ssh-rsa"
 | ||||||
| +
 | +
 | ||||||
|  /* the actual algorithms */ |  #define	KEX_SERVER_ENCRYPT \ | ||||||
|   |  	"chacha20-poly1305@openssh.com," \ | ||||||
|  #define KEX_SERVER_ENCRYPT \ |  	"aes128-ctr,aes192-ctr,aes256-ctr," \ | ||||||
| @@ -134,6 +142,38 @@
 | @@ -134,6 +142,27 @@
 | ||||||
|   |   | ||||||
|  #define KEX_CLIENT_MAC KEX_SERVER_MAC |  #define KEX_CLIENT_MAC KEX_SERVER_MAC | ||||||
|   |   | ||||||
| +#define	KEX_FIPS_ENCRYPT \
 | +#define	KEX_FIPS_ENCRYPT \
 | ||||||
| +	"aes128-ctr,aes192-ctr,aes256-ctr," \
 | +	"aes128-ctr,aes192-ctr,aes256-ctr," \
 | ||||||
| +	"aes128-cbc,3des-cbc," \
 | +	"aes128-cbc,3des-cbc," \
 | ||||||
| +	"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se" \
 | +	"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
 | ||||||
| +	AESGCM_CIPHER_MODES
 | +	"aes128-gcm@openssh.com,aes256-gcm@openssh.com"
 | ||||||
| +#ifdef HAVE_EVP_SHA256
 | +#define KEX_DEFAULT_KEX_FIPS		\
 | ||||||
| +# define KEX_DEFAULT_KEX_FIPS		\
 | +	"ecdh-sha2-nistp256," \
 | ||||||
| +	KEX_ECDH_METHODS \
 | +	"ecdh-sha2-nistp384," \
 | ||||||
| +	KEX_SHA2_METHODS \
 | +	"ecdh-sha2-nistp521," \
 | ||||||
|  | +	"diffie-hellman-group-exchange-sha256," \
 | ||||||
|  | +	"diffie-hellman-group16-sha512," \
 | ||||||
|  | +	"diffie-hellman-group18-sha512," \
 | ||||||
| +	"diffie-hellman-group14-sha256"
 | +	"diffie-hellman-group14-sha256"
 | ||||||
| +# define KEX_FIPS_MAC \
 | +#define KEX_FIPS_MAC \
 | ||||||
| +	"hmac-sha1," \
 | +	"hmac-sha1," \
 | ||||||
| +	"hmac-sha2-256," \
 | +	"hmac-sha2-256," \
 | ||||||
| +	"hmac-sha2-512," \
 | +	"hmac-sha2-512," \
 | ||||||
| +	"hmac-sha1-etm@openssh.com," \
 | +	"hmac-sha1-etm@openssh.com," \
 | ||||||
| +	"hmac-sha2-256-etm@openssh.com," \
 | +	"hmac-sha2-256-etm@openssh.com," \
 | ||||||
| +	"hmac-sha2-512-etm@openssh.com"
 | +	"hmac-sha2-512-etm@openssh.com"
 | ||||||
| +#else
 |  | ||||||
| +# ifdef OPENSSL_HAS_NISTP521
 |  | ||||||
| +#  define KEX_DEFAULT_KEX_FIPS		\
 |  | ||||||
| +	"ecdh-sha2-nistp256," \
 |  | ||||||
| +	"ecdh-sha2-nistp384," \
 |  | ||||||
| +	"ecdh-sha2-nistp521"
 |  | ||||||
| +# else
 |  | ||||||
| +#  define KEX_DEFAULT_KEX_FIPS		\
 |  | ||||||
| +	"ecdh-sha2-nistp256," \
 |  | ||||||
| +	"ecdh-sha2-nistp384"
 |  | ||||||
| +# endif
 |  | ||||||
| +#define        KEX_FIPS_MAC \
 |  | ||||||
| +       "hmac-sha1"
 |  | ||||||
| +#endif
 |  | ||||||
| +
 | +
 | ||||||
|  /* Not a KEX value, but here so all the algorithm defaults are together */ |  /* Not a KEX value, but here so all the algorithm defaults are together */ | ||||||
|  #define	SSH_ALLOWED_CA_SIGALGS	\ |  #define	SSH_ALLOWED_CA_SIGALGS	\ | ||||||
|  	HOSTKEY_ECDSA_METHODS \ |  	"ecdsa-sha2-nistp256," \ | ||||||
| diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
 | diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
 | ||||||
| --- openssh-8.0p1/readconf.c.fips	2019-07-23 14:55:45.334525723 +0200
 | --- openssh-8.0p1/readconf.c.fips	2019-07-23 14:55:45.334525723 +0200
 | ||||||
| +++ openssh-8.0p1/readconf.c	2019-07-23 14:55:45.402526411 +0200
 | +++ openssh-8.0p1/readconf.c	2019-07-23 14:55:45.402526411 +0200
 | ||||||
| @@ -2179,18 +2179,19 @@ fill_default_options(Options * options)
 | @@ -2179,11 +2179,16 @@ fill_default_options(Options * options)
 | ||||||
|  	all_kex = kex_alg_list(','); |  | ||||||
|  	all_key = sshkey_alg_list(0, 0, 1, ','); |  	all_key = sshkey_alg_list(0, 0, 1, ','); | ||||||
|  	all_sig = sshkey_alg_list(0, 1, 1, ','); |  	all_sig = sshkey_alg_list(0, 1, 1, ','); | ||||||
| -#define ASSEMBLE(what, defaults, all) \
 |  	/* remove unsupported algos from default lists */ | ||||||
| +#define ASSEMBLE(what, defaults, fips_defaults, all) \
 | -	def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher);
 | ||||||
|  | -	def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac);
 | ||||||
|  | -	def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex);
 | ||||||
|  | -	def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
 | ||||||
|  | -	def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
 | ||||||
|  | +	def_cipher = match_filter_whitelist((FIPS_mode() ?
 | ||||||
|  | +	    KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher);
 | ||||||
|  | +	def_mac = match_filter_whitelist((FIPS_mode() ?
 | ||||||
|  | +	    KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac);
 | ||||||
|  | +	def_kex = match_filter_whitelist((FIPS_mode() ?
 | ||||||
|  | +	    KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex);
 | ||||||
|  | +	def_key = match_filter_whitelist((FIPS_mode() ?
 | ||||||
|  | +	    KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
 | ||||||
|  | +	def_sig = match_filter_whitelist((FIPS_mode() ?
 | ||||||
|  | +	    KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
 | ||||||
|  |  #define ASSEMBLE(what, defaults, all) \ | ||||||
|  	do { \ |  	do { \ | ||||||
|  		if ((r = kex_assemble_names(&options->what, \ |  		if ((r = kex_assemble_names(&options->what, \ | ||||||
| -		    defaults, all)) != 0) \
 |  | ||||||
| +		    (FIPS_mode() ? fips_defaults : defaults), \
 |  | ||||||
| +		    all)) != 0) \
 |  | ||||||
|  			fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \ |  | ||||||
|  	} while (0) |  | ||||||
| -	ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher);
 |  | ||||||
| -	ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac);
 |  | ||||||
| -	ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex);
 |  | ||||||
| -	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
 |  | ||||||
| -	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
 |  | ||||||
| -	ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
 |  | ||||||
| +	ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
 |  | ||||||
| +	ASSEMBLE(macs, KEX_CLIENT_MAC, KEX_FIPS_MAC, all_mac);
 |  | ||||||
| +	ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
 |  | ||||||
| +	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
 |  | ||||||
| +	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
 |  | ||||||
| +	ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
 |  | ||||||
|  #undef ASSEMBLE |  | ||||||
|  	free(all_cipher); |  | ||||||
|  	free(all_mac); |  | ||||||
| diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-seccomp-filter.c
 | diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-seccomp-filter.c
 | ||||||
| --- openssh-8.0p1/sandbox-seccomp-filter.c.fips	2019-07-23 14:55:45.373526117 +0200
 | --- openssh-8.0p1/sandbox-seccomp-filter.c.fips	2019-07-23 14:55:45.373526117 +0200
 | ||||||
| +++ openssh-8.0p1/sandbox-seccomp-filter.c	2019-07-23 14:55:45.402526411 +0200
 | +++ openssh-8.0p1/sandbox-seccomp-filter.c	2019-07-23 14:55:45.402526411 +0200
 | ||||||
| @ -277,35 +251,28 @@ diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-secco | |||||||
| diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
 | diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
 | ||||||
| --- openssh-8.0p1/servconf.c.fips	2019-07-23 14:55:45.361525996 +0200
 | --- openssh-8.0p1/servconf.c.fips	2019-07-23 14:55:45.361525996 +0200
 | ||||||
| +++ openssh-8.0p1/servconf.c	2019-07-23 14:55:45.403526421 +0200
 | +++ openssh-8.0p1/servconf.c	2019-07-23 14:55:45.403526421 +0200
 | ||||||
| @@ -208,18 +208,19 @@ assemble_algorithms(ServerOptions *o)
 | @@ -208,11 +208,16 @@ assemble_algorithms(ServerOptions *o)
 | ||||||
|  	all_kex = kex_alg_list(','); |  | ||||||
|  	all_key = sshkey_alg_list(0, 0, 1, ','); |  	all_key = sshkey_alg_list(0, 0, 1, ','); | ||||||
|  	all_sig = sshkey_alg_list(0, 1, 1, ','); |  	all_sig = sshkey_alg_list(0, 1, 1, ','); | ||||||
| -#define ASSEMBLE(what, defaults, all) \
 |  	/* remove unsupported algos from default lists */ | ||||||
| +#define ASSEMBLE(what, defaults, fips_defaults, all) \
 | -	def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher);
 | ||||||
|  | -	def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac);
 | ||||||
|  | -	def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex);
 | ||||||
|  | -	def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
 | ||||||
|  | -	def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
 | ||||||
|  | +	def_cipher = match_filter_whitelist((FIPS_mode() ?
 | ||||||
|  | +	    KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher);
 | ||||||
|  | +	def_mac = match_filter_whitelist((FIPS_mode() ?
 | ||||||
|  | +	    KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac);
 | ||||||
|  | +	def_kex = match_filter_whitelist((FIPS_mode() ?
 | ||||||
|  | +	    KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex);
 | ||||||
|  | +	def_key = match_filter_whitelist((FIPS_mode() ?
 | ||||||
|  | +	    KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
 | ||||||
|  | +	def_sig = match_filter_whitelist((FIPS_mode() ?
 | ||||||
|  | +	    KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
 | ||||||
|  |  #define ASSEMBLE(what, defaults, all) \ | ||||||
|  	do { \ |  	do { \ | ||||||
| -		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
 |  		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \ | ||||||
| +		if ((r = kex_assemble_names(&o->what, (FIPS_mode() \
 |  | ||||||
| +		    ? fips_defaults : defaults), all)) != 0) \
 |  | ||||||
|  			fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \ |  | ||||||
|  	} while (0) |  | ||||||
| -	ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher);
 |  | ||||||
| -	ASSEMBLE(macs, KEX_SERVER_MAC, all_mac);
 |  | ||||||
| -	ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
 |  | ||||||
| -	ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
 |  | ||||||
| -	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
 |  | ||||||
| -	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
 |  | ||||||
| -	ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
 |  | ||||||
| +	ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
 |  | ||||||
| +	ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
 |  | ||||||
| +	ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
 |  | ||||||
| +	ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
 |  | ||||||
| +	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
 |  | ||||||
| +	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
 |  | ||||||
| +	ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
 |  | ||||||
|  #undef ASSEMBLE |  | ||||||
|  	free(all_cipher); |  | ||||||
|  	free(all_mac); |  | ||||||
| diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c
 | diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c
 | ||||||
| --- openssh-8.0p1/ssh.c.fips	2019-07-23 14:55:45.378526168 +0200
 | --- openssh-8.0p1/ssh.c.fips	2019-07-23 14:55:45.378526168 +0200
 | ||||||
| +++ openssh-8.0p1/ssh.c	2019-07-23 14:55:45.403526421 +0200
 | +++ openssh-8.0p1/ssh.c	2019-07-23 14:55:45.403526421 +0200
 | ||||||
| @ -358,35 +325,6 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c | |||||||
|  #include "openbsd-compat/sys-queue.h" |  #include "openbsd-compat/sys-queue.h" | ||||||
|   |   | ||||||
|  #include "xmalloc.h" |  #include "xmalloc.h" | ||||||
| @@ -115,7 +117,8 @@ order_hostkeyalgs(char *host, struct soc
 |  | ||||||
|  	for (i = 0; i < options.num_system_hostfiles; i++) |  | ||||||
|  		load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]); |  | ||||||
|   |  | ||||||
| -	oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
 |  | ||||||
| +	oavail = avail = xstrdup((FIPS_mode()
 |  | ||||||
| +	    ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
 |  | ||||||
|  	maxlen = strlen(avail) + 1; |  | ||||||
|  	first = xmalloc(maxlen); |  | ||||||
|  	last = xmalloc(maxlen); |  | ||||||
| @@ -182,14 +185,16 @@ ssh_kex2(struct ssh *ssh, char *host, st
 |  | ||||||
|  	if (options.hostkeyalgorithms != NULL) { |  | ||||||
|  		all_key = sshkey_alg_list(0, 0, 1, ','); |  | ||||||
|  		if (kex_assemble_names(&options.hostkeyalgorithms, |  | ||||||
| -		    KEX_DEFAULT_PK_ALG, all_key) != 0)
 |  | ||||||
| +		    (FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG),
 |  | ||||||
| +		    all_key) != 0)
 |  | ||||||
|  			fatal("%s: kex_assemble_namelist", __func__); |  | ||||||
|  		free(all_key); |  | ||||||
|  		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = |  | ||||||
|  		    compat_pkalg_proposal(options.hostkeyalgorithms); |  | ||||||
|  	} else { |  | ||||||
|  		/* Enforce default */ |  | ||||||
| -		options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
 |  | ||||||
| +		options.hostkeyalgorithms = xstrdup((FIPS_mode()
 |  | ||||||
| +		    ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
 |  | ||||||
|  		/* Prefer algorithms that we already have keys for */ |  | ||||||
|  		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = |  | ||||||
|  		    compat_pkalg_proposal( |  | ||||||
| @@ -198,29 +203,34 @@ ssh_kex2(struct ssh *ssh, char *host, st
 | @@ -198,29 +203,34 @@ ssh_kex2(struct ssh *ssh, char *host, st
 | ||||||
|   |   | ||||||
|  #if defined(GSSAPI) && defined(WITH_OPENSSL) |  #if defined(GSSAPI) && defined(WITH_OPENSSL) | ||||||
| @ -530,9 +468,9 @@ diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c | |||||||
|  #include "sshkey.h" |  #include "sshkey.h" | ||||||
|  #include "match.h" |  #include "match.h" | ||||||
| +#include "log.h"
 | +#include "log.h"
 | ||||||
|  |  #include "ssh-sk.h" | ||||||
|   |   | ||||||
|  #ifdef WITH_XMSS |  #ifdef WITH_XMSS | ||||||
|  #include "sshkey-xmss.h" |  | ||||||
| @@ -1591,6 +1593,8 @@ rsa_generate_private_key(u_int bits, RSA
 | @@ -1591,6 +1593,8 @@ rsa_generate_private_key(u_int bits, RSA
 | ||||||
|  	} |  	} | ||||||
|  	if (!BN_set_word(f4, RSA_F4) || |  	if (!BN_set_word(f4, RSA_F4) || | ||||||
|  | |||||||
| @ -1,7 +1,7 @@ | |||||||
| diff -up openssh-7.7p1/ssh_config.redhat openssh-7.7p1/ssh_config
 | diff -up openssh/ssh_config.redhat openssh/ssh_config
 | ||||||
| --- openssh-7.7p1/ssh_config.redhat	2018-04-02 07:38:28.000000000 +0200
 | --- openssh/ssh_config.redhat	2020-02-11 23:28:35.000000000 +0100
 | ||||||
| +++ openssh-7.7p1/ssh_config	2018-07-03 10:44:06.522245125 +0200
 | +++ openssh/ssh_config	2020-02-13 18:13:39.180641839 +0100
 | ||||||
| @@ -44,3 +44,7 @@
 | @@ -43,3 +43,7 @@
 | ||||||
|  #   VisualHostKey no |  #   VisualHostKey no | ||||||
|  #   ProxyCommand ssh -q -W %h:%p gateway.example.com |  #   ProxyCommand ssh -q -W %h:%p gateway.example.com | ||||||
|  #   RekeyLimit 1G 1h |  #   RekeyLimit 1G 1h | ||||||
| @ -9,9 +9,9 @@ diff -up openssh-7.7p1/ssh_config.redhat openssh-7.7p1/ssh_config | |||||||
| +# To modify the system-wide ssh configuration, create a  *.conf  file under
 | +# To modify the system-wide ssh configuration, create a  *.conf  file under
 | ||||||
| +#  /etc/ssh/ssh_config.d/  which will be automatically included below
 | +#  /etc/ssh/ssh_config.d/  which will be automatically included below
 | ||||||
| +Include /etc/ssh/ssh_config.d/*.conf
 | +Include /etc/ssh/ssh_config.d/*.conf
 | ||||||
| diff -up openssh-7.7p1/ssh_config_redhat.redhat openssh-7.7p1/ssh_config_redhat
 | diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat
 | ||||||
| --- openssh-7.7p1/ssh_config_redhat.redhat	2018-07-03 10:44:06.522245125 +0200
 | --- openssh/ssh_config_redhat.redhat	2020-02-13 18:13:39.180641839 +0100
 | ||||||
| +++ openssh-7.7p1/ssh_config_redhat	2018-07-03 10:44:06.522245125 +0200
 | +++ openssh/ssh_config_redhat	2020-02-13 18:13:39.180641839 +0100
 | ||||||
| @@ -0,0 +1,21 @@
 | @@ -0,0 +1,21 @@
 | ||||||
| +# The options here are in the "Match final block" to be applied as the last
 | +# The options here are in the "Match final block" to be applied as the last
 | ||||||
| +# options and could be potentially overwritten by the user configuration
 | +# options and could be potentially overwritten by the user configuration
 | ||||||
| @ -34,11 +34,10 @@ diff -up openssh-7.7p1/ssh_config_redhat.redhat openssh-7.7p1/ssh_config_redhat | |||||||
| +
 | +
 | ||||||
| +# Uncomment this if you want to use .local domain
 | +# Uncomment this if you want to use .local domain
 | ||||||
| +# Host *.local
 | +# Host *.local
 | ||||||
| +#   CheckHostIP no
 | diff -up openssh/sshd_config.0.redhat openssh/sshd_config.0
 | ||||||
| diff -up openssh-7.7p1/sshd_config.0.redhat openssh-7.7p1/sshd_config.0
 | --- openssh/sshd_config.0.redhat	2020-02-12 14:30:04.000000000 +0100
 | ||||||
| --- openssh-7.7p1/sshd_config.0.redhat	2018-04-02 07:39:27.000000000 +0200
 | +++ openssh/sshd_config.0	2020-02-13 18:13:39.181641855 +0100
 | ||||||
| +++ openssh-7.7p1/sshd_config.0	2018-07-03 10:44:06.523245133 +0200
 | @@ -970,9 +970,9 @@ DESCRIPTION
 | ||||||
| @@ -872,9 +872,9 @@ DESCRIPTION
 |  | ||||||
|   |   | ||||||
|       SyslogFacility |       SyslogFacility | ||||||
|               Gives the facility code that is used when logging messages from |               Gives the facility code that is used when logging messages from | ||||||
| @ -51,10 +50,10 @@ diff -up openssh-7.7p1/sshd_config.0.redhat openssh-7.7p1/sshd_config.0 | |||||||
|   |   | ||||||
|       TCPKeepAlive |       TCPKeepAlive | ||||||
|               Specifies whether the system should send TCP keepalive messages |               Specifies whether the system should send TCP keepalive messages | ||||||
| diff -up openssh-7.7p1/sshd_config.5.redhat openssh-7.7p1/sshd_config.5
 | diff -up openssh/sshd_config.5.redhat openssh/sshd_config.5
 | ||||||
| --- openssh-7.7p1/sshd_config.5.redhat	2018-04-02 07:38:28.000000000 +0200
 | --- openssh/sshd_config.5.redhat	2020-02-11 23:28:35.000000000 +0100
 | ||||||
| +++ openssh-7.7p1/sshd_config.5	2018-07-03 10:44:06.523245133 +0200
 | +++ openssh/sshd_config.5	2020-02-13 18:13:39.181641855 +0100
 | ||||||
| @@ -1461,7 +1461,7 @@ By default no subsystems are defined.
 | @@ -1614,7 +1614,7 @@ By default no subsystems are defined.
 | ||||||
|  .It Cm SyslogFacility |  .It Cm SyslogFacility | ||||||
|  Gives the facility code that is used when logging messages from |  Gives the facility code that is used when logging messages from | ||||||
|  .Xr sshd 8 . |  .Xr sshd 8 . | ||||||
| @ -63,9 +62,9 @@ diff -up openssh-7.7p1/sshd_config.5.redhat openssh-7.7p1/sshd_config.5 | |||||||
|  LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. |  LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. | ||||||
|  The default is AUTH. |  The default is AUTH. | ||||||
|  .It Cm TCPKeepAlive |  .It Cm TCPKeepAlive | ||||||
| diff -up openssh-7.7p1/sshd_config.redhat openssh-7.7p1/sshd_config
 | diff -up openssh/sshd_config.redhat openssh/sshd_config
 | ||||||
| --- openssh-7.7p1/sshd_config.redhat	2018-04-02 07:38:28.000000000 +0200
 | --- openssh/sshd_config.redhat	2020-02-11 23:28:35.000000000 +0100
 | ||||||
| +++ openssh-7.7p1/sshd_config	2018-07-03 10:45:16.950782466 +0200
 | +++ openssh/sshd_config	2020-02-13 18:20:16.349913681 +0100
 | ||||||
| @@ -10,6 +10,10 @@
 | @@ -10,6 +10,10 @@
 | ||||||
|  # possible, but leave them commented.  Uncommented options override the |  # possible, but leave them commented.  Uncommented options override the | ||||||
|  # default value. |  # default value. | ||||||
| @ -77,10 +76,18 @@ diff -up openssh-7.7p1/sshd_config.redhat openssh-7.7p1/sshd_config | |||||||
|  #Port 22 |  #Port 22 | ||||||
|  #AddressFamily any |  #AddressFamily any | ||||||
|  #ListenAddress 0.0.0.0 |  #ListenAddress 0.0.0.0 | ||||||
| @@ -16,8 +20,18 @@
 | @@ -114,3 +118,7 @@ Subsystem	sftp	/usr/libexec/sftp-server
 | ||||||
|  # Ciphers and keying |  #	AllowTcpForwarding no | ||||||
|  #RekeyLimit default none |  #	PermitTTY no | ||||||
|   |  #	ForceCommand cvs server | ||||||
|  | +
 | ||||||
|  | +# To modify the system-wide ssh configuration, create a  *.conf  file under
 | ||||||
|  | +#  /etc/ssh/sshd_config.d/  which will be automatically included below
 | ||||||
|  | +Include /etc/ssh/sshd_config.d/*.conf
 | ||||||
|  | diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
 | ||||||
|  | --- openssh/sshd_config_redhat.redhat	2020-02-13 18:14:02.268006439 +0100
 | ||||||
|  | +++ openssh/sshd_config_redhat	2020-02-13 18:19:20.765035947 +0100
 | ||||||
|  | @@ -0,0 +1,31 @@
 | ||||||
| +# System-wide Crypto policy:
 | +# System-wide Crypto policy:
 | ||||||
| +# This system is following system-wide crypto policy. The changes to
 | +# This system is following system-wide crypto policy. The changes to
 | ||||||
| +# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
 | +# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
 | ||||||
| @ -90,69 +97,25 @@ diff -up openssh-7.7p1/sshd_config.redhat openssh-7.7p1/sshd_config | |||||||
| +# variable in  /etc/sysconfig/sshd  to overwrite the policy.
 | +# variable in  /etc/sysconfig/sshd  to overwrite the policy.
 | ||||||
| +# For more information, see manual page for update-crypto-policies(8).
 | +# For more information, see manual page for update-crypto-policies(8).
 | ||||||
| +
 | +
 | ||||||
|  # Logging |  | ||||||
|  #SyslogFacility AUTH |  | ||||||
| +SyslogFacility AUTHPRIV
 | +SyslogFacility AUTHPRIV
 | ||||||
|  #LogLevel INFO | +
 | ||||||
|   |  | ||||||
|  # Authentication: |  | ||||||
| @@ -56,9 +70,11 @@ AuthorizedKeysFile	.ssh/authorized_keys
 |  | ||||||
|  # To disable tunneled clear text passwords, change to no here! |  | ||||||
|  #PasswordAuthentication yes |  | ||||||
|  #PermitEmptyPasswords no |  | ||||||
| +PasswordAuthentication yes
 | +PasswordAuthentication yes
 | ||||||
|   |  | ||||||
|  # Change to no to disable s/key passwords |  | ||||||
|  #ChallengeResponseAuthentication yes |  | ||||||
| +ChallengeResponseAuthentication no
 | +ChallengeResponseAuthentication no
 | ||||||
|   | +
 | ||||||
|  # Kerberos options |  | ||||||
|  #KerberosAuthentication no |  | ||||||
| @@ -67,8 +83,8 @@ AuthorizedKeysFile	.ssh/authorized_keys
 |  | ||||||
|  #KerberosGetAFSToken no |  | ||||||
|   |  | ||||||
|  # GSSAPI options |  | ||||||
| -#GSSAPIAuthentication no
 |  | ||||||
| -#GSSAPICleanupCredentials yes
 |  | ||||||
| +GSSAPIAuthentication yes
 | +GSSAPIAuthentication yes
 | ||||||
| +GSSAPICleanupCredentials no
 | +GSSAPICleanupCredentials no
 | ||||||
|   | +
 | ||||||
|  # Set this to 'yes' to enable PAM authentication, account processing, |  | ||||||
|  # and session processing. If this is enabled, PAM authentication will |  | ||||||
| @@ -79,16 +95,20 @@ AuthorizedKeysFile	.ssh/authorized_keys
 |  | ||||||
|  # If you just want the PAM account and session checks to run without |  | ||||||
|  # PAM authentication, then enable this but set PasswordAuthentication |  | ||||||
|  # and ChallengeResponseAuthentication to 'no'. |  | ||||||
| -#UsePAM no
 |  | ||||||
| +UsePAM yes
 | +UsePAM yes
 | ||||||
|   | +
 | ||||||
|  #AllowAgentForwarding yes |  | ||||||
|  #AllowTcpForwarding yes |  | ||||||
|  #GatewayPorts no |  | ||||||
| -#X11Forwarding no
 |  | ||||||
| +X11Forwarding yes
 | +X11Forwarding yes
 | ||||||
|  #X11DisplayOffset 10 |  | ||||||
|  #X11UseLocalhost yes |  | ||||||
|  #PermitTTY yes |  | ||||||
| -#PrintMotd yes
 |  | ||||||
| +
 | +
 | ||||||
| +# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
 | +# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
 | ||||||
| +# as it is more configurable and versatile than the built-in version.
 | +# as it is more configurable and versatile than the built-in version.
 | ||||||
| +PrintMotd no
 | +PrintMotd no
 | ||||||
| +
 | +
 | ||||||
|  #PrintLastLog yes |  | ||||||
|  #TCPKeepAlive yes |  | ||||||
|  #PermitUserEnvironment no |  | ||||||
| @@ -106,6 +126,12 @@ AuthorizedKeysFile	.ssh/authorized_keys
 |  | ||||||
|  # no default banner path |  | ||||||
|  #Banner none |  | ||||||
|   |  | ||||||
| +# Accept locale-related environment variables
 | +# Accept locale-related environment variables
 | ||||||
| +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
 | +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
 | ||||||
| +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
 | +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
 | ||||||
| +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 | +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 | ||||||
| +AcceptEnv XMODIFIERS
 | +AcceptEnv XMODIFIERS
 | ||||||
| +
 | +
 | ||||||
|  # override default of no subsystems |  | ||||||
|  Subsystem	sftp	/usr/libexec/sftp-server |  | ||||||
|   |  | ||||||
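Review bot: The `Include /etc/ssh/sshd_config.d/*.conf` on the new side is appended at the very end of sshd_config, after the commented `ForceCommand cvs server` example, but sshd keeps the first value obtained for each keyword, so a drop-in included there cannot override anything already set earlier in the main file and only supplies defaults for keywords the main file leaves unset. The comment above it, `which will be automatically included below`, does not convey this; either move the Include near the top of the file or reword the comment to `#  /etc/ssh/sshd_config.d/  which will be automatically included below; a keyword set earlier in this file takes precedence over the drop-ins`. The same end-of-file placement is used for `Include /etc/ssh/ssh_config.d/*.conf` in ssh_config, where the same first-value rule applies. Because every file matching the glob is parsed as part of the daemon's configuration, the package should create the directory root-owned and not group- or world-writable; the spec is not visible here, so that cannot be confirmed from this page. The pre-existing `KexAlgoritms` and `GSSAPIKexAlgorithsm` in the sshd_config_redhat banner are misspellings of the keywords `KexAlgorithms` and `GSSAPIKexAlgorithms` and are carried over unchanged.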
|  | |||||||
| @ -3,7 +3,7 @@ diff --git a/sshd.c b/sshd.c | |||||||
| +++ b/sshd.c
 | +++ b/sshd.c
 | ||||||
| @@ -1701,6 +1701,10 @@ main(int ac, char **av)
 | @@ -1701,6 +1701,10 @@ main(int ac, char **av)
 | ||||||
|  	parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, |  	parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, | ||||||
|  	    cfg, NULL); |  	    cfg, &includes, NULL); | ||||||
|   |   | ||||||
| +	/* 'UsePAM no' is not supported in Fedora */
 | +	/* 'UsePAM no' is not supported in Fedora */
 | ||||||
| +	if (! options.use_pam)
 | +	if (! options.use_pam)
 | ||||||
| @ -21,6 +21,6 @@ diff --git a/sshd_config b/sshd_config | |||||||
|  # and ChallengeResponseAuthentication to 'no'. |  # and ChallengeResponseAuthentication to 'no'. | ||||||
| +# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
 | +# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
 | ||||||
| +# problems.
 | +# problems.
 | ||||||
|  UsePAM yes |  #UsePAM no | ||||||
|   |   | ||||||
|  #AllowAgentForwarding yes |  #AllowAgentForwarding yes | ||||||
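Review bot: The new-side WARNING in sshd_config now sits above upstream's commented `#UsePAM no` rather than an active `UsePAM yes`, and `may cause several problems` leaves an administrator guessing what happens if they uncomment it. The sshd.c hunk shows a check `if (! options.use_pam)` right after `parse_server_config`, but its body is outside the hunk, so I cannot confirm whether it aborts startup or only logs; the comment should state the actual outcome, e.g. `# WARNING: 'UsePAM no' is not supported in Fedora; sshd refuses to start with it` if the check is fatal. The enclosing `main` begins and ends outside this hunk.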
|  | |||||||
| @ -339,7 +339,7 @@ diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h | |||||||
| +++ openssh/monitor_wrap.h	2018-08-22 11:22:10.439929513 +0200
 | +++ openssh/monitor_wrap.h	2018-08-22 11:22:10.439929513 +0200
 | ||||||
| @@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
 | @@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
 | ||||||
|  int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *, |  int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *, | ||||||
|      const u_char *, size_t, const char *, u_int compat); |      const u_char *, size_t, const char *, const char *, u_int compat); | ||||||
|  void mm_inform_authserv(char *, char *); |  void mm_inform_authserv(char *, char *); | ||||||
| +#ifdef WITH_SELINUX
 | +#ifdef WITH_SELINUX
 | ||||||
| +void mm_inform_authrole(char *);
 | +void mm_inform_authrole(char *);
 | ||||||
| @ -359,7 +359,7 @@ diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Make | |||||||
| +	port-linux-sshd.o
 | +	port-linux-sshd.o
 | ||||||
|   |   | ||||||
|  .c.o: |  .c.o: | ||||||
|  	$(CC) $(CFLAGS) $(CPPFLAGS) -c $< |  	$(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $< | ||||||
| diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c
 | diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c
 | ||||||
| --- openssh/openbsd-compat/port-linux.c.role-mls	2018-08-20 07:57:29.000000000 +0200
 | --- openssh/openbsd-compat/port-linux.c.role-mls	2018-08-20 07:57:29.000000000 +0200
 | ||||||
| +++ openssh/openbsd-compat/port-linux.c	2018-08-22 11:14:56.819430949 +0200
 | +++ openssh/openbsd-compat/port-linux.c	2018-08-22 11:14:56.819430949 +0200
 | ||||||
|  | |||||||
| @ -1,7 +1,29 @@ | |||||||
| diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
 | diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
 | ||||||
| --- openssh-8.0p1/ssh_config.5.crypto-policies	2019-05-13 14:04:01.999099570 +0200
 | --- openssh/ssh_config.5.crypto-policies	2020-02-07 15:05:55.665451715 +0100
 | ||||||
| +++ openssh-8.0p1/ssh_config.5	2019-05-13 14:12:36.343923071 +0200
 | +++ openssh/ssh_config.5	2020-02-07 15:07:11.632641922 +0100
 | ||||||
| @@ -445,12 +445,10 @@ aes256-gcm@openssh.com
 | @@ -361,15 +361,15 @@ domains.
 | ||||||
|  |  .It Cm CASignatureAlgorithms | ||||||
|  |  Specifies which algorithms are allowed for signing of certificates | ||||||
|  |  by certificate authorities (CAs). | ||||||
|  | -The default is:
 | ||||||
|  | -.Bd -literal -offset indent
 | ||||||
|  | -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 | ||||||
|  | -ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 | ||||||
|  | -.Ed
 | ||||||
|  | -.Pp
 | ||||||
|  |  .Xr ssh 1 | ||||||
|  |  will not accept host certificates signed using algorithms other than those | ||||||
|  |  specified. | ||||||
|  | +.Pp
 | ||||||
|  | +The default is handled system-wide by
 | ||||||
|  | +.Xr crypto-policies 7 .
 | ||||||
|  | +To see the defaults and how to modify this default, see manual page
 | ||||||
|  | +.Xr update-crypto-policies 8 .
 | ||||||
|  | +.Pp
 | ||||||
|  |  .It Cm CertificateFile | ||||||
|  |  Specifies a file from which the user's certificate is read. | ||||||
|  |  A corresponding private key must be provided separately in order | ||||||
|  | @@ -453,12 +453,10 @@ aes256-gcm@openssh.com
 | ||||||
|  chacha20-poly1305@openssh.com |  chacha20-poly1305@openssh.com | ||||||
|  .Ed |  .Ed | ||||||
|  .Pp |  .Pp | ||||||
| @ -18,7 +40,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5 | |||||||
|  .Pp |  .Pp | ||||||
|  The list of available ciphers may also be obtained using |  The list of available ciphers may also be obtained using | ||||||
|  .Qq ssh -Q cipher . |  .Qq ssh -Q cipher . | ||||||
| @@ -812,8 +810,10 @@ gss-nistp256-sha256-,
 | @@ -824,8 +822,10 @@ gss-nistp256-sha256-,
 | ||||||
|  gss-curve25519-sha256- |  gss-curve25519-sha256- | ||||||
|  .Ed |  .Ed | ||||||
|  .Pp |  .Pp | ||||||
| @ -31,7 +53,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5 | |||||||
|  This option only applies to protocol version 2 connections using GSSAPI. |  This option only applies to protocol version 2 connections using GSSAPI. | ||||||
|  .It Cm HashKnownHosts |  .It Cm HashKnownHosts | ||||||
|  Indicates that |  Indicates that | ||||||
| @@ -1123,16 +1123,10 @@ If the specified value begins with a
 | @@ -1162,15 +1162,10 @@ If the specified list begins with a
 | ||||||
|  .Sq ^ |  .Sq ^ | ||||||
|  character, then the specified methods will be placed at the head of the |  character, then the specified methods will be placed at the head of the | ||||||
|  default set. |  default set. | ||||||
| @ -42,8 +64,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5 | |||||||
| -diffie-hellman-group-exchange-sha256,
 | -diffie-hellman-group-exchange-sha256,
 | ||||||
| -diffie-hellman-group16-sha512,
 | -diffie-hellman-group16-sha512,
 | ||||||
| -diffie-hellman-group18-sha512,
 | -diffie-hellman-group18-sha512,
 | ||||||
| -diffie-hellman-group14-sha256,
 | -diffie-hellman-group14-sha256
 | ||||||
| -diffie-hellman-group14-sha1
 |  | ||||||
| -.Ed
 | -.Ed
 | ||||||
| +The default is handled system-wide by
 | +The default is handled system-wide by
 | ||||||
| +.Xr crypto-policies 7 .
 | +.Xr crypto-policies 7 .
 | ||||||
| @ -52,7 +73,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5 | |||||||
|  .Pp |  .Pp | ||||||
|  The list of available key exchange algorithms may also be obtained using |  The list of available key exchange algorithms may also be obtained using | ||||||
|  .Qq ssh -Q kex . |  .Qq ssh -Q kex . | ||||||
| @@ -1210,14 +1204,10 @@ The algorithms that contain
 | @@ -1252,14 +1247,10 @@ The algorithms that contain
 | ||||||
|  calculate the MAC after encryption (encrypt-then-mac). |  calculate the MAC after encryption (encrypt-then-mac). | ||||||
|  These are considered safer and their use recommended. |  These are considered safer and their use recommended. | ||||||
|  .Pp |  .Pp | ||||||
| @ -71,7 +92,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5 | |||||||
|  .Pp |  .Pp | ||||||
|  The list of available MAC algorithms may also be obtained using |  The list of available MAC algorithms may also be obtained using | ||||||
|  .Qq ssh -Q mac . |  .Qq ssh -Q mac . | ||||||
| @@ -1361,17 +1351,10 @@ If the specified value begins with a
 | @@ -1407,22 +1398,10 @@ If the specified list begins with a
 | ||||||
|  .Sq ^ |  .Sq ^ | ||||||
|  character, then the specified key types will be placed at the head of the |  character, then the specified key types will be placed at the head of the | ||||||
|  default set. |  default set. | ||||||
| @ -80,11 +101,16 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5 | |||||||
| -ecdsa-sha2-nistp256-cert-v01@openssh.com,
 | -ecdsa-sha2-nistp256-cert-v01@openssh.com,
 | ||||||
| -ecdsa-sha2-nistp384-cert-v01@openssh.com,
 | -ecdsa-sha2-nistp384-cert-v01@openssh.com,
 | ||||||
| -ecdsa-sha2-nistp521-cert-v01@openssh.com,
 | -ecdsa-sha2-nistp521-cert-v01@openssh.com,
 | ||||||
|  | -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
 | ||||||
| -ssh-ed25519-cert-v01@openssh.com,
 | -ssh-ed25519-cert-v01@openssh.com,
 | ||||||
| -rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
 | -sk-ssh-ed25519-cert-v01@openssh.com,
 | ||||||
|  | -rsa-sha2-512-cert-v01@openssh.com,
 | ||||||
|  | -rsa-sha2-256-cert-v01@openssh.com,
 | ||||||
| -ssh-rsa-cert-v01@openssh.com,
 | -ssh-rsa-cert-v01@openssh.com,
 | ||||||
| -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 | -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 | ||||||
| -ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 | -sk-ecdsa-sha2-nistp256@openssh.com,
 | ||||||
|  | -ssh-ed25519,sk-ssh-ed25519@openssh.com,
 | ||||||
|  | -rsa-sha2-512,rsa-sha2-256,ssh-rsa
 | ||||||
| -.Ed
 | -.Ed
 | ||||||
| +The default is handled system-wide by
 | +The default is handled system-wide by
 | ||||||
| +.Xr crypto-policies 7 .
 | +.Xr crypto-policies 7 .
 | ||||||
| @ -92,11 +118,32 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5 | |||||||
| +.Xr update-crypto-policies 8 .
 | +.Xr update-crypto-policies 8 .
 | ||||||
|  .Pp |  .Pp | ||||||
|  The list of available key types may also be obtained using |  The list of available key types may also be obtained using | ||||||
|  .Qq ssh -Q key . |  .Qq ssh -Q PubkeyAcceptedKeyTypes . | ||||||
| diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
 | diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
 | ||||||
| --- openssh-8.0p1/sshd_config.5.crypto-policies	2019-05-13 14:12:41.226968863 +0200
 | --- openssh/sshd_config.5.crypto-policies	2020-02-07 15:05:55.639451308 +0100
 | ||||||
| +++ openssh-8.0p1/sshd_config.5	2019-05-13 14:15:14.581406997 +0200
 | +++ openssh/sshd_config.5	2020-02-07 15:05:55.672451825 +0100
 | ||||||
| @@ -490,12 +490,10 @@ aes256-gcm@openssh.com
 | @@ -377,14 +377,14 @@ By default, no banner is displayed.
 | ||||||
|  |  .It Cm CASignatureAlgorithms | ||||||
|  |  Specifies which algorithms are allowed for signing of certificates | ||||||
|  |  by certificate authorities (CAs). | ||||||
|  | -The default is:
 | ||||||
|  | -.Bd -literal -offset indent
 | ||||||
|  | -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 | ||||||
|  | -ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 | ||||||
|  | -.Ed
 | ||||||
|  | -.Pp
 | ||||||
|  |  Certificates signed using other algorithms will not be accepted for | ||||||
|  |  public key or host-based authentication. | ||||||
|  | +.Pp
 | ||||||
|  | +The default is handled system-wide by
 | ||||||
|  | +.Xr crypto-policies 7 .
 | ||||||
|  | +To see the defaults and how to modify this default, see manual page
 | ||||||
|  | +.Xr update-crypto-policies 8 .
 | ||||||
|  | +.Pp
 | ||||||
|  |  .It Cm ChallengeResponseAuthentication | ||||||
|  |  Specifies whether challenge-response authentication is allowed (e.g. via | ||||||
|  |  PAM or through authentication styles supported in | ||||||
|  | @@ -486,12 +486,10 @@ aes256-gcm@openssh.com
 | ||||||
|  chacha20-poly1305@openssh.com |  chacha20-poly1305@openssh.com | ||||||
|  .El |  .El | ||||||
|  .Pp |  .Pp | ||||||
| @ -113,7 +160,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5 | |||||||
|  .Pp |  .Pp | ||||||
|  The list of available ciphers may also be obtained using |  The list of available ciphers may also be obtained using | ||||||
|  .Qq ssh -Q cipher . |  .Qq ssh -Q cipher . | ||||||
| @@ -700,8 +698,10 @@ gss-nistp256-sha256-,
 | @@ -693,8 +691,10 @@ gss-nistp256-sha256-,
 | ||||||
|  gss-curve25519-sha256- |  gss-curve25519-sha256- | ||||||
|  .Ed |  .Ed | ||||||
|  .Pp |  .Pp | ||||||
| @ -126,7 +173,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5 | |||||||
|  This option only applies to protocol version 2 connections using GSSAPI. |  This option only applies to protocol version 2 connections using GSSAPI. | ||||||
|  .It Cm HostbasedAcceptedKeyTypes |  .It Cm HostbasedAcceptedKeyTypes | ||||||
|  Specifies the key types that will be accepted for hostbased authentication |  Specifies the key types that will be accepted for hostbased authentication | ||||||
| @@ -792,17 +792,10 @@ environment variable.
 | @@ -794,22 +794,10 @@ environment variable.
 | ||||||
|  .It Cm HostKeyAlgorithms |  .It Cm HostKeyAlgorithms | ||||||
|  Specifies the host key algorithms |  Specifies the host key algorithms | ||||||
|  that the server offers. |  that the server offers. | ||||||
| @ -135,11 +182,16 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5 | |||||||
| -ecdsa-sha2-nistp256-cert-v01@openssh.com,
 | -ecdsa-sha2-nistp256-cert-v01@openssh.com,
 | ||||||
| -ecdsa-sha2-nistp384-cert-v01@openssh.com,
 | -ecdsa-sha2-nistp384-cert-v01@openssh.com,
 | ||||||
| -ecdsa-sha2-nistp521-cert-v01@openssh.com,
 | -ecdsa-sha2-nistp521-cert-v01@openssh.com,
 | ||||||
|  | -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
 | ||||||
| -ssh-ed25519-cert-v01@openssh.com,
 | -ssh-ed25519-cert-v01@openssh.com,
 | ||||||
| -rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
 | -sk-ssh-ed25519-cert-v01@openssh.com,
 | ||||||
|  | -rsa-sha2-512-cert-v01@openssh.com,
 | ||||||
|  | -rsa-sha2-256-cert-v01@openssh.com,
 | ||||||
| -ssh-rsa-cert-v01@openssh.com,
 | -ssh-rsa-cert-v01@openssh.com,
 | ||||||
| -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 | -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 | ||||||
| -ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 | -sk-ecdsa-sha2-nistp256@openssh.com,
 | ||||||
|  | -ssh-ed25519,sk-ssh-ed25519@openssh.com,
 | ||||||
|  | -rsa-sha2-512,rsa-sha2-256,ssh-rsa
 | ||||||
| -.Ed
 | -.Ed
 | ||||||
| +The default is handled system-wide by
 | +The default is handled system-wide by
 | ||||||
| +.Xr crypto-policies 7 .
 | +.Xr crypto-policies 7 .
 | ||||||
| @ -147,9 +199,9 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5 | |||||||
| +.Xr update-crypto-policies 8 .
 | +.Xr update-crypto-policies 8 .
 | ||||||
|  .Pp |  .Pp | ||||||
|  The list of available key types may also be obtained using |  The list of available key types may also be obtained using | ||||||
|  .Qq ssh -Q key . |  .Qq ssh -Q HostKeyAlgorithms . | ||||||
| @@ -960,14 +953,10 @@ ecdh-sha2-nistp384
 | @@ -987,14 +975,10 @@ ecdh-sha2-nistp521
 | ||||||
|  ecdh-sha2-nistp521 |  sntrup4591761x25519-sha512@tinyssh.org | ||||||
|  .El |  .El | ||||||
|  .Pp |  .Pp | ||||||
| -The default is:
 | -The default is:
 | ||||||
| @ -158,7 +210,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5 | |||||||
| -ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 | -ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 | ||||||
| -diffie-hellman-group-exchange-sha256,
 | -diffie-hellman-group-exchange-sha256,
 | ||||||
| -diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
 | -diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
 | ||||||
| -diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
 | -diffie-hellman-group14-sha256
 | ||||||
| -.Ed
 | -.Ed
 | ||||||
| +The default is handled system-wide by
 | +The default is handled system-wide by
 | ||||||
| +.Xr crypto-policies 7 .
 | +.Xr crypto-policies 7 .
 | ||||||
| @ -166,8 +218,8 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5 | |||||||
| +.Xr update-crypto-policies 8 .
 | +.Xr update-crypto-policies 8 .
 | ||||||
|  .Pp |  .Pp | ||||||
|  The list of available key exchange algorithms may also be obtained using |  The list of available key exchange algorithms may also be obtained using | ||||||
|  .Qq ssh -Q kex . |  .Qq ssh -Q KexAlgorithms . | ||||||
| @@ -1090,14 +1079,10 @@ umac-64-etm@openssh.com
 | @@ -1121,14 +1105,10 @@ umac-64-etm@openssh.com
 | ||||||
|  umac-128-etm@openssh.com |  umac-128-etm@openssh.com | ||||||
|  .El |  .El | ||||||
|  .Pp |  .Pp | ||||||
| @ -186,7 +238,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5 | |||||||
|  .Pp |  .Pp | ||||||
|  The list of available MAC algorithms may also be obtained using |  The list of available MAC algorithms may also be obtained using | ||||||
|  .Qq ssh -Q mac . |  .Qq ssh -Q mac . | ||||||
| @@ -1455,17 +1440,10 @@ If the specified value begins with a
 | @@ -1492,22 +1472,10 @@ If the specified list begins with a
 | ||||||
|  .Sq ^ |  .Sq ^ | ||||||
|  character, then the specified key types will be placed at the head of the |  character, then the specified key types will be placed at the head of the | ||||||
|  default set. |  default set. | ||||||
| @ -195,11 +247,16 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5 | |||||||
| -ecdsa-sha2-nistp256-cert-v01@openssh.com,
 | -ecdsa-sha2-nistp256-cert-v01@openssh.com,
 | ||||||
| -ecdsa-sha2-nistp384-cert-v01@openssh.com,
 | -ecdsa-sha2-nistp384-cert-v01@openssh.com,
 | ||||||
| -ecdsa-sha2-nistp521-cert-v01@openssh.com,
 | -ecdsa-sha2-nistp521-cert-v01@openssh.com,
 | ||||||
|  | -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
 | ||||||
| -ssh-ed25519-cert-v01@openssh.com,
 | -ssh-ed25519-cert-v01@openssh.com,
 | ||||||
| -rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
 | -sk-ssh-ed25519-cert-v01@openssh.com,
 | ||||||
|  | -rsa-sha2-512-cert-v01@openssh.com,
 | ||||||
|  | -rsa-sha2-256-cert-v01@openssh.com,
 | ||||||
| -ssh-rsa-cert-v01@openssh.com,
 | -ssh-rsa-cert-v01@openssh.com,
 | ||||||
| -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 | -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 | ||||||
| -ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 | -sk-ecdsa-sha2-nistp256@openssh.com,
 | ||||||
|  | -ssh-ed25519,sk-ssh-ed25519@openssh.com,
 | ||||||
|  | -rsa-sha2-512,rsa-sha2-256,ssh-rsa
 | ||||||
| -.Ed
 | -.Ed
 | ||||||
| +The default is handled system-wide by
 | +The default is handled system-wide by
 | ||||||
| +.Xr crypto-policies 7 .
 | +.Xr crypto-policies 7 .
 | ||||||
| @ -207,4 +264,4 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5 | |||||||
| +.Xr update-crypto-policies 8 .
 | +.Xr update-crypto-policies 8 .
 | ||||||
|  .Pp |  .Pp | ||||||
|  The list of available key types may also be obtained using |  The list of available key types may also be obtained using | ||||||
|  .Qq ssh -Q key . |  .Qq ssh -Q PubkeyAcceptedKeyTypes . | ||||||
|  | |||||||
										
											
							| @ -1,45 +0,0 @@ | |||||||
| commit 7e929163ed40f9ce90060a3ca6df558c3d901379 |  | ||||||
| Author: Jakub Jelen <jjelen@redhat.com> |  | ||||||
| Date:   Wed Nov 13 12:57:05 2019 +0100 |  | ||||||
| 
 |  | ||||||
|     seccomp: Allow clock_nanosleep() to make OpenSSH working with latest glibc |  | ||||||
| 
 |  | ||||||
| diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
 |  | ||||||
| index b5cda70b..be239767 100644
 |  | ||||||
| --- a/sandbox-seccomp-filter.c
 |  | ||||||
| +++ b/sandbox-seccomp-filter.c
 |  | ||||||
| @@ -242,6 +242,9 @@ static const struct sock_filter preauth_insns[] = {
 |  | ||||||
|  #ifdef __NR_nanosleep |  | ||||||
|  	SC_ALLOW(__NR_nanosleep), |  | ||||||
|  #endif |  | ||||||
| +#ifdef __NR_clock_nanosleep
 |  | ||||||
| +	SC_ALLOW(__NR_clock_nanosleep),
 |  | ||||||
| +#endif
 |  | ||||||
|  #ifdef __NR__newselect |  | ||||||
|  	SC_ALLOW(__NR__newselect), |  | ||||||
|  #endif |  | ||||||
| 
 |  | ||||||
| commit 500c30eaf88f26e4a74b06717fe04afec7a7516f |  | ||||||
| Author: Jakub Jelen <jjelen@redhat.com> |  | ||||||
| Date:   Wed Nov 27 11:06:55 2019 +0100 |  | ||||||
| 
 |  | ||||||
|     sandbox-seccomp: Allow clock_nanosleep on ARM |  | ||||||
| 
 |  | ||||||
| diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
 |  | ||||||
| index be239767..3ef30c9d 100644
 |  | ||||||
| --- a/sandbox-seccomp-filter.c
 |  | ||||||
| +++ b/sandbox-seccomp-filter.c
 |  | ||||||
| @@ -245,6 +245,12 @@ static const struct sock_filter preauth_insns[] = {
 |  | ||||||
|  #ifdef __NR_clock_nanosleep |  | ||||||
|  	SC_ALLOW(__NR_clock_nanosleep), |  | ||||||
|  #endif |  | ||||||
| +#ifdef __NR_clock_nanosleep_time64
 |  | ||||||
| +	SC_ALLOW(__NR_clock_nanosleep_time64),
 |  | ||||||
| +#endif
 |  | ||||||
| +#ifdef __NR_clock_gettime64
 |  | ||||||
| +	SC_ALLOW(__NR_clock_gettime64),
 |  | ||||||
| +#endif
 |  | ||||||
|  #ifdef __NR__newselect |  | ||||||
|  	SC_ALLOW(__NR__newselect), |  | ||||||
|  #endif |  | ||||||
| 
 |  | ||||||
							
								
								
									
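--- /dev/null
+++ b/openssh-8.2p1-visibility.patch
@@ -0,0 +1,40 @@
+diff --git a/regress/misc/sk-dummy/sk-dummy.c b/regress/misc/sk-dummy/sk-dummy.c
+index dca158de..afdcb1d2 100644
+--- a/regress/misc/sk-dummy/sk-dummy.c
++++ b/regress/misc/sk-dummy/sk-dummy.c
+@@ -71,7 +71,7 @@ skdebug(const char *func, const char *fmt, ...)
+ #endif
+ }
+ 
+-uint32_t
++uint32_t __attribute__((visibility("default")))
+ sk_api_version(void)
+ {
+ 	return SSH_SK_VERSION_MAJOR;
+@@ -220,7 +220,7 @@ check_options(struct sk_option **options)
+ 	return 0;
+ }
+ 
+-int
++int __attribute__((visibility("default")))
+ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
+     const char *application, uint8_t flags, const char *pin,
+     struct sk_option **options, struct sk_enroll_response **enroll_response)
+@@ -467,7 +467,7 @@ sig_ed25519(const uint8_t *message, size_t message_len,
+ 	return ret;
+ }
+ 
+-int
++int __attribute__((visibility("default")))
+ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
+     const char *application, const uint8_t *key_handle, size_t key_handle_len,
+     uint8_t flags, const char *pin, struct sk_option **options,
+@@ -518,7 +518,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
+ 	return ret;
+ }
+ 
+-int
++int __attribute__((visibility("default")))
+ sk_load_resident_keys(const char *pin, struct sk_option **options,
+     struct sk_resident_key ***rks, size_t *nrks)
+ {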
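Review bot: Annotating the four `sk_*` entry points in regress/misc/sk-dummy/sk-dummy.c with a per-symbol `__attribute__((visibility("default")))` is the most intrusive way to undo the spec's global `-fvisibility=hidden`, and it will have to be re-carried on every upstream rebase; the same effect is normally obtained without touching upstream source by passing `-fvisibility=default` in the CFLAGS used to build sk-dummy.so in regress/misc/sk-dummy/Makefile (not in this hunk, so check how that Makefile receives CFLAGS). If the attribute approach is kept, a one-line comment above the first use would save the next maintainer a bisect: `/* Fedora builds with -fvisibility=hidden; the SK provider API must stay dlsym()-visible */`. It is also worth confirming that these four are the complete set of symbols ssh-sk-helper resolves via dlsym(), since any further provider entry point added upstream would be silently hidden again under the same CFLAGS.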
							
								
								
									
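--- a/openssh.spec
+++ b/openssh.spec
@@ -65,10 +65,10 @@
 %endif
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%global openssh_ver 8.1p1
-%global openssh_rel 4
+%global openssh_ver 8.2p1
+%global openssh_rel 1
 %global pam_ssh_agent_ver 0.10.3
-%global pam_ssh_agent_rel 8
+%global pam_ssh_agent_rel 9
 
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
@@ -196,7 +196,8 @@ Patch949: openssh-7.6p1-cleanup-selinux.patch
 # Sandbox adjustments for s390 and audit
 Patch950: openssh-7.5p1-sandbox.patch
 # PKCS#11 URIs (upstream #2817, 2nd iteration)
-# git diff upstream/master > ~/devel/fedora/openssh/openssh-8.0p1-pkcs11-uri.patch
+# https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11
+# git show > ~/devel/fedora/openssh/openssh-8.0p1-pkcs11-uri.patch
 Patch951: openssh-8.0p1-pkcs11-uri.patch
 # Unbreak scp between two IPv6 hosts (#1620333)
 Patch953: openssh-7.8p1-scp-ipv6.patch
@@ -210,8 +211,8 @@ Patch962: openssh-8.0p1-crypto-policies.patch
 Patch963: openssh-8.0p1-openssl-evp.patch
 # Use OpenSSL KDF (#1631761)
 Patch964: openssh-8.0p1-openssl-kdf.patch
-# Unbreak seccomp filter with latest glibc (#1771946, #1777054)
-Patch965: openssh-8.1p1-seccomp-nanosleep.patch
+# sk-dummy.so built with -fvisibility=hidden does not work
+Patch965: openssh-8.2p1-visibility.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -295,7 +296,7 @@ Requires: openssh = %{version}-%{release}
 %package -n pam_ssh_agent_auth
 Summary: PAM module for authentication with ssh-agent
 Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}.2
+Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
 License: BSD
 
 %description
@@ -412,7 +413,7 @@ popd
 %patch962 -p1 -b .crypto-policies
 %patch963 -p1 -b .openssl-evp
 %patch964 -p1 -b .openssl-kdf
-%patch965 -p1 -b .seccomp-nanosleep
+%patch965 -p1 -b .visibility
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
@@ -427,7 +428,7 @@ popd
 
 %build
 # the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth
-# and it makes the ssh build more clean and even optimized better
+# it is needed for lib(open)ssh build too since it is linked to the pam module too
 CFLAGS="$RPM_OPT_FLAGS -fvisibility=hidden"; export CFLAGS
 %if %{rescue}
 CFLAGS="$CFLAGS -Os"
@@ -556,6 +557,7 @@ make tests
 rm -rf $RPM_BUILD_ROOT
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
+mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d
 mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
 mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
 make install DESTDIR=$RPM_BUILD_ROOT
@@ -569,6 +571,7 @@ install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
 install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
 install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
 install -m644 ssh_config_redhat $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/05-redhat.conf
+install -m644 sshd_config_redhat $RPM_BUILD_ROOT/etc/ssh/sshd_config.d/05-redhat.conf
 install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
 install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
 install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
@@ -650,12 +653,14 @@ getent passwd sshd >/dev/null || \
 %attr(0755,root,root) %{_bindir}/sftp
 %attr(0755,root,root) %{_bindir}/ssh-copy-id
 %attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
+%attr(0755,root,root) %{_libexecdir}/openssh/ssh-sk-helper
 %attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
 %attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
 %attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
 %attr(0644,root,root) %{_mandir}/man1/sftp.1*
 %attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
 %attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
+%attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
 %endif
 
 %if ! %{rescue}
@@ -670,6 +675,8 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sshd.8*
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
+%dir %attr(0700,root,root) %{_sysconfdir}/ssh/sshd_config.d/
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/05-redhat.conf
 %attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
 %attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
 %attr(0644,root,root) %{_unitdir}/sshd.service
@@ -715,6 +722,13 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Mon Feb 17 2020 Jakub Jelen <jjelen@redhat.com> - 8.2p1-1 + 0.10.3-9
+- New upstrem reelase (#1803290)
+- New /etc/ssh/sshd_config.d drop in directory
+- Support for U2F security keys
+- Correctly report invalid key permissions (#1801459)
+- Do not write bogus information on stderr in FIPS mode (#1778224)
+
 * Mon Feb 03 2020 Jakub Jelen <jjelen@redhat.com> - 8.1p1-4 + 0.10.3-8
 - Unbreak seccomp filter on ARM (#1796267)
 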
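Review bot: The new server drop-in installed as `%{_sysconfdir}/ssh/sshd_config.d/05-redhat.conf` is only read if sshd_config carries an `Include /etc/ssh/sshd_config.d/*.conf` line ahead of other directives, and nothing in this section adds or checks for one; since sshd_config is `%config(noreplace)` (the line just above the added `%dir`), systems upgrading from 8.1p1 keep their existing sshd_config and the drop-in — presumably where the Red Hat defaults such as the crypto-policies include now live — would be silently skipped, leaving sshd on upstream defaults. If the Include is supplied by one of the patches, a comment next to the new `install -m644 sshd_config_redhat ...` line saying so would make that dependency explicit, e.g. `# only read through 'Include /etc/ssh/sshd_config.d/*.conf' in sshd_config; pre-existing sshd_config files are not updated on upgrade`. Separately, the %install `mkdir -p -m755 ... sshd_config.d` disagrees with the `%dir %attr(0700,root,root)` in %files; %attr wins at package time, but `mkdir -p -m700` keeps the two in step and avoids a world-readable directory in the buildroot. The new changelog entry also misspells "New upstream release".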
| @ -1,6 +1,6 @@ | |||||||
| diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c
 | diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c
 | ||||||
| --- openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
 | --- openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
 | ||||||
| +++ openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c	2018-08-24 10:22:56.281930322 +0200
 | +++ openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c	2020-02-07 10:43:05.011757956 +0100
 | ||||||
| @@ -27,6 +27,7 @@
 | @@ -27,6 +27,7 @@
 | ||||||
|   * or implied, of Jamie Beverly. |   * or implied, of Jamie Beverly. | ||||||
|   */ |   */ | ||||||
| @ -34,7 +34,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openss | |||||||
|   |   | ||||||
| diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/identity.h
 | diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/identity.h
 | ||||||
| --- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat	2016-11-13 04:24:32.000000000 +0100
 | --- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat	2016-11-13 04:24:32.000000000 +0100
 | ||||||
| +++ openssh/pam_ssh_agent_auth-0.10.3/identity.h	2018-08-24 10:18:05.009393312 +0200
 | +++ openssh/pam_ssh_agent_auth-0.10.3/identity.h	2020-02-07 10:43:05.011757956 +0100
 | ||||||
| @@ -30,8 +30,8 @@
 | @@ -30,8 +30,8 @@
 | ||||||
|  #include "openbsd-compat/sys-queue.h" |  #include "openbsd-compat/sys-queue.h" | ||||||
|  #include "xmalloc.h" |  #include "xmalloc.h" | ||||||
| @ -56,8 +56,8 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat openssh/pam_ss | |||||||
|      int tried; |      int tried; | ||||||
|      int isprivate;      /* key points to the private key */ |      int isprivate;      /* key points to the private key */ | ||||||
| diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
 | diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
 | ||||||
| --- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat	2018-08-24 10:18:05.007393297 +0200
 | --- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat	2020-02-07 10:43:05.009757925 +0100
 | ||||||
| +++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c	2018-08-24 10:18:32.937612513 +0200
 | +++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c	2020-02-07 10:43:05.012757972 +0100
 | ||||||
| @@ -36,8 +36,8 @@
 | @@ -36,8 +36,8 @@
 | ||||||
|  #include "openbsd-compat/sys-queue.h" |  #include "openbsd-compat/sys-queue.h" | ||||||
|  #include "xmalloc.h" |  #include "xmalloc.h" | ||||||
| @ -119,7 +119,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat | |||||||
|                                  const char * ruser, const char * servicename) |                                  const char * ruser, const char * servicename) | ||||||
|  { |  { | ||||||
|      u_char *cookie = NULL; |      u_char *cookie = NULL; | ||||||
| @@ -114,22 +116,23 @@ pamsshagentauth_session_id2_gen(Buffer *
 | @@ -114,22 +120,23 @@ pamsshagentauth_session_id2_gen(Buffer *
 | ||||||
|      char ** reported_argv = NULL; |      char ** reported_argv = NULL; | ||||||
|      size_t count = 0; |      size_t count = 0; | ||||||
|      char * action_logbuf = NULL; |      char * action_logbuf = NULL; | ||||||
| @ -147,13 +147,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat | |||||||
|          } |          } | ||||||
|          cookie[i] = (u_char) rnd; |          cookie[i] = (u_char) rnd; | ||||||
|          rnd >>= 8; |          rnd >>= 8; | ||||||
| @@ -139,12 +141,13 @@ pamsshagentauth_session_id2_gen(Buffer *
 | @@ -144,7 +151,8 @@ pamsshagentauth_session_id2_gen(Buffer *
 | ||||||
|      if (count > 0) {  |  | ||||||
|          free_logbuf = 1; |  | ||||||
|          action_logbuf = log_action(reported_argv, count); |  | ||||||
| -        agent_action(&action_agentbuf, reported_argv, count);
 |  | ||||||
| +        agent_action(&action_agentbuf, reported_argv, count);
 |  | ||||||
|          pamsshagentauth_free_command_line(reported_argv, count); |  | ||||||
|      } |      } | ||||||
|      else { |      else { | ||||||
|          action_logbuf = "unknown on this platform"; |          action_logbuf = "unknown on this platform"; | ||||||
| @ -163,7 +157,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat | |||||||
|      } |      } | ||||||
|       |       | ||||||
|      /* |      /* | ||||||
| @@ -161,35 +163,39 @@ pamsshagentauth_session_id2_gen(Buffer *
 | @@ -161,35 +169,39 @@ pamsshagentauth_session_id2_gen(Buffer *
 | ||||||
|      retc = getcwd(pwd, sizeof(pwd) - 1); |      retc = getcwd(pwd, sizeof(pwd) - 1); | ||||||
|      time(&ts); |      time(&ts); | ||||||
|   |   | ||||||
| @ -207,6 +201,14 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat | |||||||
| -        pamsshagentauth_buffer_free(&action_agentbuf);
 | -        pamsshagentauth_buffer_free(&action_agentbuf);
 | ||||||
| +        free(action_logbuf);
 | +        free(action_logbuf);
 | ||||||
| +        sshbuf_free(action_agentbuf);
 | +        sshbuf_free(action_agentbuf);
 | ||||||
|  | +    }
 | ||||||
|  | +    /* debug3("hostname: %s", hostname); */
 | ||||||
|  | +    if (reti >= 0) {
 | ||||||
|  | +        if ((r = sshbuf_put_cstring(*session_id2, hostname)) != 0)
 | ||||||
|  | +            fatal("%s: buffer error: %s", __func__, ssh_err(r));
 | ||||||
|  | +    } else {
 | ||||||
|  | +        if ((r = sshbuf_put_cstring(*session_id2, "")) != 0)
 | ||||||
|  | +            fatal("%s: buffer error: %s", __func__, ssh_err(r));
 | ||||||
|      } |      } | ||||||
| -    /* pamsshagentauth_debug3("hostname: %s", hostname); */
 | -    /* pamsshagentauth_debug3("hostname: %s", hostname); */
 | ||||||
| -    if(reti >= 0)
 | -    if(reti >= 0)
 | ||||||
| @ -215,21 +217,13 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat | |||||||
| -        pamsshagentauth_buffer_put_cstring(session_id2, "");
 | -        pamsshagentauth_buffer_put_cstring(session_id2, "");
 | ||||||
| -    /* pamsshagentauth_debug3("ts: %ld", ts); */
 | -    /* pamsshagentauth_debug3("ts: %ld", ts); */
 | ||||||
| -    pamsshagentauth_buffer_put_int64(session_id2, (uint64_t) ts);
 | -    pamsshagentauth_buffer_put_int64(session_id2, (uint64_t) ts);
 | ||||||
| +    /* debug3("hostname: %s", hostname); */
 |  | ||||||
| +    if (reti >= 0) {
 |  | ||||||
| +        if ((r = sshbuf_put_cstring(*session_id2, hostname)) != 0)
 |  | ||||||
| +            fatal("%s: buffer error: %s", __func__, ssh_err(r));
 |  | ||||||
| +    } else {
 |  | ||||||
| +        if ((r = sshbuf_put_cstring(*session_id2, "")) != 0)
 |  | ||||||
| +            fatal("%s: buffer error: %s", __func__, ssh_err(r));
 |  | ||||||
| +    }
 |  | ||||||
| +    /* debug3("ts: %ld", ts); */
 | +    /* debug3("ts: %ld", ts); */
 | ||||||
| +    if ((r = sshbuf_put_u64(*session_id2, (uint64_t) ts)) != 0)
 | +    if ((r = sshbuf_put_u64(*session_id2, (uint64_t) ts)) != 0)
 | ||||||
| +        fatal("%s: buffer error: %s", __func__, ssh_err(r));
 | +        fatal("%s: buffer error: %s", __func__, ssh_err(r));
 | ||||||
|   |   | ||||||
|      free(cookie); |      free(cookie); | ||||||
|      return; |      return; | ||||||
| @@ -278,7 +280,8 @@ ssh_get_authentication_connection_for_ui
 | @@ -278,7 +290,8 @@ ssh_get_authentication_connection_for_ui
 | ||||||
|   |   | ||||||
|  	auth = xmalloc(sizeof(*auth)); |  	auth = xmalloc(sizeof(*auth)); | ||||||
|  	auth->fd = sock; |  	auth->fd = sock; | ||||||
| @ -239,7 +233,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat | |||||||
|  	auth->howmany = 0; |  	auth->howmany = 0; | ||||||
|   |   | ||||||
|  	return auth; |  	return auth; | ||||||
| @@ -287,43 +289,42 @@ ssh_get_authentication_connection_for_ui
 | @@ -287,9 +300,9 @@ ssh_get_authentication_connection_for_ui
 | ||||||
|  int |  int | ||||||
|  pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename) |  pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename) | ||||||
|  { |  { | ||||||
| @ -251,11 +245,8 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat | |||||||
|      AuthenticationConnection *ac; |      AuthenticationConnection *ac; | ||||||
|      char *comment; |      char *comment; | ||||||
|      uint8_t retval = 0; |      uint8_t retval = 0; | ||||||
|      uid_t uid = getpwnam(ruser)->pw_uid; | @@ -299,31 +312,30 @@ pamsshagentauth_find_authorized_keys(con
 | ||||||
|   |      pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename); | ||||||
|      OpenSSL_add_all_digests(); |  | ||||||
| -    pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
 |  | ||||||
| +    pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
 |  | ||||||
|   |   | ||||||
|      if ((ac = ssh_get_authentication_connection_for_uid(uid))) { |      if ((ac = ssh_get_authentication_connection_for_uid(uid))) { | ||||||
| -        pamsshagentauth_verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
 | -        pamsshagentauth_verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
 | ||||||
| @ -295,8 +286,8 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat | |||||||
|      return retval; |      return retval; | ||||||
|  } |  } | ||||||
| diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c
 | diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c
 | ||||||
| --- openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat	2018-08-24 10:18:05.008393305 +0200
 | --- openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat	2020-02-07 10:43:05.010757940 +0100
 | ||||||
| +++ openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c	2018-08-24 10:18:05.009393312 +0200
 | +++ openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c	2020-02-07 10:43:05.012757972 +0100
 | ||||||
| @@ -104,7 +104,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
 | @@ -104,7 +104,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
 | ||||||
|   * a patch 8-) |   * a patch 8-) | ||||||
|   */ |   */ | ||||||
| @ -386,7 +377,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open | |||||||
|  cleanexit: |  cleanexit: | ||||||
| diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c
 | diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c
 | ||||||
| --- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
 | --- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
 | ||||||
| +++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c	2018-08-24 10:18:05.009393312 +0200
 | +++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c	2020-02-07 10:43:05.012757972 +0100
 | ||||||
| @@ -66,8 +66,8 @@
 | @@ -66,8 +66,8 @@
 | ||||||
|  #include "xmalloc.h" |  #include "xmalloc.h" | ||||||
|  #include "match.h" |  #include "match.h" | ||||||
| @ -453,7 +444,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compa | |||||||
|          pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid), |          pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid), | ||||||
| diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h
 | diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h
 | ||||||
| --- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat	2016-11-13 04:24:32.000000000 +0100
 | --- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat	2016-11-13 04:24:32.000000000 +0100
 | ||||||
| +++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h	2018-08-24 10:18:05.010393320 +0200
 | +++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h	2020-02-07 10:43:05.012757972 +0100
 | ||||||
| @@ -32,7 +32,7 @@
 | @@ -32,7 +32,7 @@
 | ||||||
|  #define _PAM_USER_KEY_ALLOWED_H |  #define _PAM_USER_KEY_ALLOWED_H | ||||||
|   |   | ||||||
| @ -465,7 +456,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compa | |||||||
|  #endif |  #endif | ||||||
| diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c
 | diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c
 | ||||||
| --- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
 | --- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
 | ||||||
| +++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c	2018-08-24 10:18:05.010393320 +0200
 | +++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c	2020-02-07 10:43:05.012757972 +0100
 | ||||||
| @@ -45,44 +45,46 @@
 | @@ -45,44 +45,46 @@
 | ||||||
|  #include "xmalloc.h" |  #include "xmalloc.h" | ||||||
|  #include "ssh.h" |  #include "ssh.h" | ||||||
| @ -742,7 +733,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat o | |||||||
|  } |  } | ||||||
| diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h
 | diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h
 | ||||||
| --- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat	2016-11-13 04:24:32.000000000 +0100
 | --- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat	2016-11-13 04:24:32.000000000 +0100
 | ||||||
| +++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h	2018-08-24 10:18:05.010393320 +0200
 | +++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h	2020-02-07 10:43:05.012757972 +0100
 | ||||||
| @@ -32,7 +32,7 @@
 | @@ -32,7 +32,7 @@
 | ||||||
|  #define _PAM_USER_KEY_ALLOWED_H |  #define _PAM_USER_KEY_ALLOWED_H | ||||||
|   |   | ||||||
| @ -755,7 +746,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat o | |||||||
|  #endif |  #endif | ||||||
| diff -up openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c
 | diff -up openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c
 | ||||||
| --- openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
 | --- openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
 | ||||||
| +++ openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c	2018-08-24 10:18:05.010393320 +0200
 | +++ openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c	2020-02-07 10:43:05.012757972 +0100
 | ||||||
| @@ -53,8 +53,8 @@
 | @@ -53,8 +53,8 @@
 | ||||||
|  #include "xmalloc.h" |  #include "xmalloc.h" | ||||||
|  #include "match.h" |  #include "match.h" | ||||||
| @ -799,7 +790,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh | |||||||
|  		} |  		} | ||||||
| diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
 | diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
 | ||||||
| --- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
 | --- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
 | ||||||
| +++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c	2018-08-24 10:22:13.202657025 +0200
 | +++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c	2020-02-07 10:43:23.520048960 +0100
 | ||||||
| @@ -37,10 +37,11 @@
 | @@ -37,10 +37,11 @@
 | ||||||
|  #include "xmalloc.h" |  #include "xmalloc.h" | ||||||
|  #include "ssh.h" |  #include "ssh.h" | ||||||
| @ -814,7 +805,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat | |||||||
|  #include "pathnames.h" |  #include "pathnames.h" | ||||||
|  #include "misc.h" |  #include "misc.h" | ||||||
|  #include "secure_filename.h" |  #include "secure_filename.h" | ||||||
| @@ -48,54 +48,59 @@
 | @@ -48,54 +49,59 @@
 | ||||||
|  #include "identity.h" |  #include "identity.h" | ||||||
|  #include "pam_user_authorized_keys.h" |  #include "pam_user_authorized_keys.h" | ||||||
|   |   | ||||||
| @ -833,8 +824,8 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat | |||||||
|      char           *pkalg = NULL; |      char           *pkalg = NULL; | ||||||
|      u_char         *pkblob = NULL, *sig = NULL; |      u_char         *pkblob = NULL, *sig = NULL; | ||||||
| -    u_int           blen = 0, slen = 0;
 | -    u_int           blen = 0, slen = 0;
 | ||||||
| +    size_t          blen = 0, slen = 0;
 |  | ||||||
| -    int             authenticated = 0;
 | -    int             authenticated = 0;
 | ||||||
|  | +    size_t          blen = 0, slen = 0;
 | ||||||
| +    int             r, authenticated = 0;
 | +    int             r, authenticated = 0;
 | ||||||
|   |   | ||||||
| -    pkalg = (char *) key_ssh_name(id->key);
 | -    pkalg = (char *) key_ssh_name(id->key);
 | ||||||
| @ -879,7 +870,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat | |||||||
|   |   | ||||||
|      /* test for correct signature */ |      /* test for correct signature */ | ||||||
| -    if(pamsshagentauth_key_verify(id->key, sig, slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) == 1)
 | -    if(pamsshagentauth_key_verify(id->key, sig, slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) == 1)
 | ||||||
| +    if (sshkey_verify(id->key, sig, slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0) == 0)
 | +    if (sshkey_verify(id->key, sig, slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0, NULL) == 0)
 | ||||||
|          authenticated = 1; |          authenticated = 1; | ||||||
|   |   | ||||||
|    user_auth_clean_exit: |    user_auth_clean_exit: | ||||||
| @ -898,7 +889,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat | |||||||
|  } |  } | ||||||
| diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h
 | diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h
 | ||||||
| --- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat	2016-11-13 04:24:32.000000000 +0100
 | --- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat	2016-11-13 04:24:32.000000000 +0100
 | ||||||
| +++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h	2018-08-24 10:18:05.010393320 +0200
 | +++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h	2020-02-07 10:43:05.013757988 +0100
 | ||||||
| @@ -31,7 +31,7 @@
 | @@ -31,7 +31,7 @@
 | ||||||
|  #ifndef _USERAUTH_PUBKEY_FROM_ID_H |  #ifndef _USERAUTH_PUBKEY_FROM_ID_H | ||||||
|  #define _USERAUTH_PUBKEY_FROM_ID_H |  #define _USERAUTH_PUBKEY_FROM_ID_H | ||||||
| @ -911,7 +902,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat | |||||||
|  #endif |  #endif | ||||||
| diff -up openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/uuencode.c
 | diff -up openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/uuencode.c
 | ||||||
| --- openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
 | --- openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
 | ||||||
| +++ openssh/pam_ssh_agent_auth-0.10.3/uuencode.c	2018-08-24 10:18:05.010393320 +0200
 | +++ openssh/pam_ssh_agent_auth-0.10.3/uuencode.c	2020-02-07 10:43:05.013757988 +0100
 | ||||||
| @@ -56,7 +56,7 @@ pamsshagentauth_uudecode(const char *src
 | @@ -56,7 +56,7 @@ pamsshagentauth_uudecode(const char *src
 | ||||||
|  	/* and remove trailing whitespace because __b64_pton needs this */ |  	/* and remove trailing whitespace because __b64_pton needs this */ | ||||||
|  	*p = '\0'; |  	*p = '\0'; | ||||||
|  | |||||||
| @ -159,15 +159,17 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh- | |||||||
|  LIBS=@LIBS@ |  LIBS=@LIBS@ | ||||||
|  AR=@AR@ |  AR=@AR@ | ||||||
|  AWK=@AWK@ |  AWK=@AWK@ | ||||||
| @@ -61,7 +61,7 @@ INSTALL=@INSTALL@
 | @@ -61,8 +61,8 @@ INSTALL=@INSTALL@
 | ||||||
|  PERL=@PERL@ |  PERL=@PERL@ | ||||||
|  SED=@SED@ |  SED=@SED@ | ||||||
|  ENT=@ENT@ |  ENT=@ENT@ | ||||||
| -LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
 | -LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
 | ||||||
|  | -LDFLAGS_SHARED = @LDFLAGS_SHARED@
 | ||||||
| +LDFLAGS=-L.. -L../openbsd-compat/ @LDFLAGS@
 | +LDFLAGS=-L.. -L../openbsd-compat/ @LDFLAGS@
 | ||||||
|  LDFLAGS_SHARED = @LDFLAGS_SHARED@ | +LDFLAGS_SHARED =-Wl,-z,defs @LDFLAGS_SHARED@
 | ||||||
|  EXEEXT=@EXEEXT@ |  EXEEXT=@EXEEXT@ | ||||||
|   |   | ||||||
|  |  INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ | ||||||
| @@ -74,7 +74,7 @@ SSHOBJS=xmalloc.o atomicio.o authfd.o bu
 | @@ -74,7 +74,7 @@ SSHOBJS=xmalloc.o atomicio.o authfd.o bu
 | ||||||
|   |   | ||||||
|  ED25519OBJS=ed25519-donna/ed25519.o |  ED25519OBJS=ed25519-donna/ed25519.o | ||||||
| @ -189,8 +191,8 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh- | |||||||
|   |   | ||||||
| -pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS)  pam_ssh_agent_auth.o
 | -pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS)  pam_ssh_agent_auth.o
 | ||||||
| -	$(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam
 | -	$(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam
 | ||||||
| +pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS)  pam_ssh_agent_auth.o ../uidswap.o
 | +pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS)  pam_ssh_agent_auth.o ../uidswap.o ../ssh-sk-client.o
 | ||||||
| +	$(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat pam_ssh_agent_auth.o ../uidswap.o $(LIBS) -lpam
 | +	$(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) ../ssh-sk-client.o $(LDFLAGS) -lssh -lopenbsd-compat pam_ssh_agent_auth.o ../uidswap.o $(LIBS) -lpam
 | ||||||
|   |   | ||||||
|  $(MANPAGES): $(MANPAGES_IN) |  $(MANPAGES): $(MANPAGES_IN) | ||||||
|  	pod2man --section=8 --release=v0.10.3 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8 |  	pod2man --section=8 --release=v0.10.3 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8 | ||||||
|  | |||||||
							
								
								
									
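--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
-SHA512 (openssh-8.1p1.tar.gz) = b987ea4ffd4ab0c94110723860273b06ed8ffb4d21cbd99ca144a4722dc55f4bf86f6253d500386b6bee7af50f066e2aa2dd095d50746509a10e11221d39d925
-SHA512 (openssh-8.1p1.tar.gz.asc) = f36458ef8822376a5b305cfbc971f5d2db8bf2f48fea9a957e02ef2fc27a48bacb59495587fee81fa2d89bca6250a8fb407e1f5a7dae7ceb361ab332c0771344
+SHA512 (openssh-8.2p1.tar.gz) = c4db64e52a3a4c410de9de49f9cb104dd493b10250af3599b92457dd986277b3fd99a6f51cec94892fd1be5bd0369c5757262ea7805f0de464b245c3d34c120a
+SHA512 (openssh-8.2p1.tar.gz.asc) = e6d091289d62d3a01d5978e3c26f72d8ea6979c345fbebc215515185ea567c959f5b17e32052d752829ab4c6bc537fd977f7aa02cf0a23280da63fd9d880f303
 SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
 SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66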