rebase to openssh-7.4p1-1

* Drop unaccepted coverity patches that no longer apply
 * Drop server support for SSH1 (server)
 * Workaround #2641 for systemd
 * UseLogin is gone
 * Drop upstream commit 28652bca
 * Tighten seccomp filter (cache credentials before entering sandbox) (#1395288)
Jakub Jelen 2017-01-02 15:42:13 +01:00
parent 4189cebf7a
commit 6cf9b8e61b
29 changed files with 1777 additions and 2667 deletions

.gitignore vendored

@ -23,3 +23,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/openssh-7.2p1.tar.gz /openssh-7.2p1.tar.gz
/openssh-7.2p2.tar.gz /openssh-7.2p2.tar.gz
/openssh-7.3p1.tar.gz /openssh-7.3p1.tar.gz
/openssh-7.4p1.tar.gz


@ -1,7 +1,8 @@
--- openssh-4.3p2/contrib/gnome-ssh-askpass2.c.grab-info 2006-07-17 15:10:11.000000000 +0200 diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-7.4p1/contrib/gnome-ssh-askpass2.c
+++ openssh-4.3p2/contrib/gnome-ssh-askpass2.c 2006-07-17 15:25:04.000000000 +0200 --- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info 2016-12-23 13:31:22.645213115 +0100
@@ -65,9 +65,12 @@ +++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:40.997216691 +0100
err = gtk_message_dialog_new(NULL, 0, @@ -65,9 +65,12 @@ report_failed_grab (GtkWidget *parent_wi
err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
GTK_MESSAGE_ERROR, GTK_MESSAGE_ERROR,
GTK_BUTTONS_CLOSE, GTK_BUTTONS_CLOSE,
- "Could not grab %s. " - "Could not grab %s. "
@ -14,5 +15,5 @@
+ "Either close the application which grabs the %s or " + "Either close the application which grabs the %s or "
+ "log out and log in again to prevent this from happening.", what, what); + "log out and log in again to prevent this from happening.", what, what);
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER); gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label),
TRUE); gtk_dialog_run(GTK_DIALOG(err));


@ -1,6 +1,6 @@
diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contrib/gnome-ssh-askpass2.c diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contrib/gnome-ssh-askpass2.c
--- openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress 2008-07-23 19:05:26.000000000 +0200 --- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress 2016-12-19 05:59:41.000000000 +0100
+++ openssh-5.1p1/contrib/gnome-ssh-askpass2.c 2008-07-23 19:05:26.000000000 +0200 +++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:16.545211926 +0100
@@ -53,6 +53,7 @@ @@ -53,6 +53,7 @@
#include <string.h> #include <string.h>
#include <unistd.h> #include <unistd.h>
@ -9,7 +9,7 @@ diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contr
#include <gtk/gtk.h> #include <gtk/gtk.h>
#include <gdk/gdkx.h> #include <gdk/gdkx.h>
@@ -83,13 +84,24 @@ ok_dialog(GtkWidget *entry, gpointer dia @@ -81,13 +82,24 @@ ok_dialog(GtkWidget *entry, gpointer dia
gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
} }
@ -30,12 +30,12 @@ diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contr
const char *failed; const char *failed;
char *passphrase, *local; char *passphrase, *local;
int result, grab_tries, grab_server, grab_pointer; int result, grab_tries, grab_server, grab_pointer;
- GtkWidget *dialog, *entry; - GtkWidget *parent_window, *dialog, *entry;
+ GtkWidget *dialog, *entry, *progress, *hbox; + GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
GdkGrabStatus status; GdkGrabStatus status;
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL); grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
@@ -102,13 +114,31 @@ passphrase_dialog(char *message) @@ -104,14 +116,32 @@ passphrase_dialog(char *message)
"%s", "%s",
message); message);
@ -45,9 +45,11 @@ diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contr
+ gtk_widget_show(hbox); + gtk_widget_show(hbox);
+ +
entry = gtk_entry_new(); entry = gtk_entry_new();
- gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE, gtk_box_pack_start(
+ gtk_box_pack_start(GTK_BOX(hbox), entry, TRUE, - GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), entry,
FALSE, 0); - FALSE, FALSE, 0);
+ GTK_BOX(hbox), entry,
+ TRUE, FALSE, 0);
+ gtk_entry_set_width_chars(GTK_ENTRY(entry), 2); + gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
gtk_widget_grab_focus(entry); gtk_widget_grab_focus(entry);
@ -68,7 +70,7 @@ diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contr
gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH"); gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER); gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE); gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
@@ -119,6 +149,8 @@ passphrase_dialog(char *message) @@ -120,6 +150,8 @@ passphrase_dialog(char *message)
gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
g_signal_connect(G_OBJECT(entry), "activate", g_signal_connect(G_OBJECT(entry), "activate",
G_CALLBACK(ok_dialog), dialog); G_CALLBACK(ok_dialog), dialog);


@ -1,7 +1,7 @@
diff -up openssh-7.0p1/configure.ac.vendor openssh-7.0p1/configure.ac diff -up openssh-7.4p1/configure.ac.vendor openssh-7.4p1/configure.ac
--- openssh-7.0p1/configure.ac.vendor 2015-08-12 11:14:54.102628399 +0200 --- openssh-7.4p1/configure.ac.vendor 2016-12-23 13:34:51.681253844 +0100
+++ openssh-7.0p1/configure.ac 2015-08-12 11:14:54.129628356 +0200 +++ openssh-7.4p1/configure.ac 2016-12-23 13:34:51.694253847 +0100
@@ -4776,6 +4776,12 @@ AC_ARG_WITH([lastlog], @@ -4930,6 +4930,12 @@ AC_ARG_WITH([lastlog],
fi fi
] ]
) )
@ -14,7 +14,7 @@ diff -up openssh-7.0p1/configure.ac.vendor openssh-7.0p1/configure.ac
dnl lastlog, [uw]tmpx? detection dnl lastlog, [uw]tmpx? detection
dnl NOTE: set the paths in the platform section to avoid the dnl NOTE: set the paths in the platform section to avoid the
@@ -5038,6 +5044,7 @@ echo " Translate v4 in v6 hack @@ -5194,6 +5200,7 @@ echo " Translate v4 in v6 hack
echo " BSD Auth support: $BSD_AUTH_MSG" echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG" echo " Random number source: $RAND_MSG"
echo " Privsep sandbox style: $SANDBOX_STYLE" echo " Privsep sandbox style: $SANDBOX_STYLE"
@ -22,10 +22,10 @@ diff -up openssh-7.0p1/configure.ac.vendor openssh-7.0p1/configure.ac
echo "" echo ""
diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c diff -up openssh-7.4p1/servconf.c.vendor openssh-7.4p1/servconf.c
--- openssh-7.0p1/servconf.c.vendor 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.4p1/servconf.c.vendor 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.0p1/servconf.c 2015-08-12 11:15:33.201565712 +0200 +++ openssh-7.4p1/servconf.c 2016-12-23 13:36:07.555268628 +0100
@@ -149,6 +149,7 @@ initialize_server_options(ServerOptions @@ -143,6 +143,7 @@ initialize_server_options(ServerOptions
options->max_authtries = -1; options->max_authtries = -1;
options->max_sessions = -1; options->max_sessions = -1;
options->banner = NULL; options->banner = NULL;
@ -33,7 +33,7 @@ diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c
options->use_dns = -1; options->use_dns = -1;
options->client_alive_interval = -1; options->client_alive_interval = -1;
options->client_alive_count_max = -1; options->client_alive_count_max = -1;
@@ -335,6 +336,8 @@ fill_default_server_options(ServerOption @@ -325,6 +326,8 @@ fill_default_server_options(ServerOption
options->ip_qos_bulk = IPTOS_THROUGHPUT; options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->version_addendum == NULL) if (options->version_addendum == NULL)
options->version_addendum = xstrdup(""); options->version_addendum = xstrdup("");
@ -42,8 +42,8 @@ diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
options->fwd_opts.streamlocal_bind_mask = 0177; options->fwd_opts.streamlocal_bind_mask = 0177;
if (options->fwd_opts.streamlocal_bind_unlink == -1) if (options->fwd_opts.streamlocal_bind_unlink == -1)
@@ -407,7 +410,7 @@ typedef enum { @@ -402,7 +405,7 @@ typedef enum {
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
- sBanner, sUseDNS, sHostbasedAuthentication, - sBanner, sUseDNS, sHostbasedAuthentication,
@ -51,7 +51,7 @@ diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sHostKeyAlgorithms, sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
@@ -529,6 +532,7 @@ static struct { @@ -528,6 +531,7 @@ static struct {
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
{ "maxsessions", sMaxSessions, SSHCFG_ALL }, { "maxsessions", sMaxSessions, SSHCFG_ALL },
{ "banner", sBanner, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL },
@ -59,7 +59,7 @@ diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c
{ "usedns", sUseDNS, SSHCFG_GLOBAL }, { "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1389,6 +1393,10 @@ process_server_config_line(ServerOptions @@ -1369,6 +1373,10 @@ process_server_config_line(ServerOptions
multistate_ptr = multistate_privsep; multistate_ptr = multistate_privsep;
goto parse_multistate; goto parse_multistate;
@ -70,18 +70,18 @@ diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c
case sAllowUsers: case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') { while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS) if (options->num_allow_users >= MAX_ALLOW_USERS)
@@ -2266,6 +2274,7 @@ dump_config(ServerOptions *o) @@ -2269,6 +2277,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseLogin, o->use_login); dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
dump_cfg_fmtint(sCompression, o->compression); dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel); + dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding); dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
diff -up openssh-7.0p1/servconf.h.vendor openssh-7.0p1/servconf.h diff -up openssh-7.4p1/servconf.h.vendor openssh-7.4p1/servconf.h
--- openssh-7.0p1/servconf.h.vendor 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.4p1/servconf.h.vendor 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.0p1/servconf.h 2015-08-12 11:14:54.130628355 +0200 +++ openssh-7.4p1/servconf.h 2016-12-23 13:34:51.694253847 +0100
@@ -155,6 +155,7 @@ typedef struct { @@ -149,6 +149,7 @@ typedef struct {
int max_authtries; int max_authtries;
int max_sessions; int max_sessions;
char *banner; /* SSH-2 banner message */ char *banner; /* SSH-2 banner message */
@ -89,12 +89,12 @@ diff -up openssh-7.0p1/servconf.h.vendor openssh-7.0p1/servconf.h
int use_dns; int use_dns;
int client_alive_interval; /* int client_alive_interval; /*
* poke the client this often to * poke the client this often to
diff -up openssh-7.0p1/sshd_config.0.vendor openssh-7.0p1/sshd_config.0 diff -up openssh-7.4p1/sshd_config.0.vendor openssh-7.4p1/sshd_config.0
--- openssh-7.0p1/sshd_config.0.vendor 2015-08-12 11:14:54.125628363 +0200 --- openssh-7.4p1/sshd_config.0.vendor 2016-12-23 13:34:51.695253847 +0100
+++ openssh-7.0p1/sshd_config.0 2015-08-12 11:14:54.130628355 +0200 +++ openssh-7.4p1/sshd_config.0 2016-12-23 13:36:53.146277511 +0100
@@ -841,6 +841,11 @@ DESCRIPTION @@ -792,6 +792,11 @@ DESCRIPTION
Defines the number of bits in the ephemeral protocol version 1 ssh-keygen(1). For more information on KRLs, see the KEY
server key. The default and minimum value is 1024. REVOCATION LISTS section in ssh-keygen(1).
+ ShowPatchLevel + ShowPatchLevel
+ Specifies whether sshd will display the specific patch level of + Specifies whether sshd will display the specific patch level of
@ -104,13 +104,13 @@ diff -up openssh-7.0p1/sshd_config.0.vendor openssh-7.0p1/sshd_config.0
StreamLocalBindMask StreamLocalBindMask
Sets the octal file creation mode mask (umask) used when creating Sets the octal file creation mode mask (umask) used when creating
a Unix-domain socket file for local or remote port forwarding. a Unix-domain socket file for local or remote port forwarding.
diff -up openssh-7.0p1/sshd_config.5.vendor openssh-7.0p1/sshd_config.5 diff -up openssh-7.4p1/sshd_config.5.vendor openssh-7.4p1/sshd_config.5
--- openssh-7.0p1/sshd_config.5.vendor 2015-08-12 11:14:54.125628363 +0200 --- openssh-7.4p1/sshd_config.5.vendor 2016-12-23 13:34:51.695253847 +0100
+++ openssh-7.0p1/sshd_config.5 2015-08-12 11:14:54.131628353 +0200 +++ openssh-7.4p1/sshd_config.5 2016-12-23 13:37:17.482282253 +0100
@@ -1411,6 +1411,13 @@ This option applies to protocol version @@ -1334,6 +1334,13 @@ an OpenSSH Key Revocation List (KRL) as
.It Cm ServerKeyBits .Xr ssh-keygen 1 .
Defines the number of bits in the ephemeral protocol version 1 server key. For more information on KRLs, see the KEY REVOCATION LISTS section in
The default and minimum value is 1024. .Xr ssh-keygen 1 .
+.It Cm ShowPatchLevel +.It Cm ShowPatchLevel
+Specifies whether +Specifies whether
+.Nm sshd +.Nm sshd
@ -121,10 +121,10 @@ diff -up openssh-7.0p1/sshd_config.5.vendor openssh-7.0p1/sshd_config.5
.It Cm StreamLocalBindMask .It Cm StreamLocalBindMask
Sets the octal file creation mode mask Sets the octal file creation mode mask
.Pq umask .Pq umask
diff -up openssh-7.0p1/sshd_config.vendor openssh-7.0p1/sshd_config diff -up openssh-7.4p1/sshd_config.vendor openssh-7.4p1/sshd_config
--- openssh-7.0p1/sshd_config.vendor 2015-08-12 11:14:54.125628363 +0200 --- openssh-7.4p1/sshd_config.vendor 2016-12-23 13:34:51.690253846 +0100
+++ openssh-7.0p1/sshd_config 2015-08-12 11:14:54.131628353 +0200 +++ openssh-7.4p1/sshd_config 2016-12-23 13:34:51.695253847 +0100
@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox # Defaul @@ -105,6 +105,7 @@ X11Forwarding yes
#Compression delayed #Compression delayed
#ClientAliveInterval 0 #ClientAliveInterval 0
#ClientAliveCountMax 3 #ClientAliveCountMax 3
@ -132,19 +132,20 @@ diff -up openssh-7.0p1/sshd_config.vendor openssh-7.0p1/sshd_config
#UseDNS no #UseDNS no
#PidFile /var/run/sshd.pid #PidFile /var/run/sshd.pid
#MaxStartups 10:30:100 #MaxStartups 10:30:100
diff -up openssh-7.0p1/sshd.c.vendor openssh-7.0p1/sshd.c diff -up openssh-7.4p1/sshd.c.vendor openssh-7.4p1/sshd.c
--- openssh-7.0p1/sshd.c.vendor 2015-08-12 11:14:54.100628403 +0200 --- openssh-7.4p1/sshd.c.vendor 2016-12-23 13:34:51.682253844 +0100
+++ openssh-7.0p1/sshd.c 2015-08-12 11:14:54.131628353 +0200 +++ openssh-7.4p1/sshd.c 2016-12-23 13:38:32.434296856 +0100
@@ -432,7 +432,7 @@ sshd_exchange_identification(int sock_in @@ -367,7 +367,8 @@ sshd_exchange_identification(struct ssh
} char remote_version[256]; /* Must be at least as big as buf. */
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
- major, minor, SSH_VERSION, - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
*options.version_addendum == '\0' ? "" : " ", *options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline); options.version_addendum, newline);
@@ -1749,7 +1749,8 @@ main(int ac, char **av) @@ -1650,7 +1651,8 @@ main(int ac, char **av)
exit(1); exit(1);
} }


@ -1,7 +1,7 @@
diff -up openssh-6.8p1/log.c.log-in-chroot openssh-6.8p1/log.c diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
--- openssh-6.8p1/log.c.log-in-chroot 2015-03-17 06:49:20.000000000 +0100 --- openssh-7.4p1/log.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
+++ openssh-6.8p1/log.c 2015-03-18 12:59:29.694022313 +0100 +++ openssh-7.4p1/log.c 2016-12-23 15:14:33.330168088 +0100
@@ -241,6 +241,11 @@ debug3(const char *fmt,...) @@ -250,6 +250,11 @@ debug3(const char *fmt,...)
void void
log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr) log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
{ {
@ -13,7 +13,7 @@ diff -up openssh-6.8p1/log.c.log-in-chroot openssh-6.8p1/log.c
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
struct syslog_data sdata = SYSLOG_DATA_INIT; struct syslog_data sdata = SYSLOG_DATA_INIT;
#endif #endif
@@ -264,8 +269,10 @@ log_init(char *av0, LogLevel level, Sysl @@ -273,8 +278,10 @@ log_init(char *av0, LogLevel level, Sysl
exit(1); exit(1);
} }
@ -26,9 +26,9 @@ diff -up openssh-6.8p1/log.c.log-in-chroot openssh-6.8p1/log.c
log_on_stderr = on_stderr; log_on_stderr = on_stderr;
if (on_stderr) if (on_stderr)
diff -up openssh-6.8p1/log.h.log-in-chroot openssh-6.8p1/log.h diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h
--- openssh-6.8p1/log.h.log-in-chroot 2015-03-17 06:49:20.000000000 +0100 --- openssh-7.4p1/log.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
+++ openssh-6.8p1/log.h 2015-03-18 12:59:29.694022313 +0100 +++ openssh-7.4p1/log.h 2016-12-23 15:14:33.330168088 +0100
@@ -49,6 +49,7 @@ typedef enum { @@ -49,6 +49,7 @@ typedef enum {
typedef void (log_handler_fn)(LogLevel, const char *, void *); typedef void (log_handler_fn)(LogLevel, const char *, void *);
@ -37,10 +37,10 @@ diff -up openssh-6.8p1/log.h.log-in-chroot openssh-6.8p1/log.h
void log_change_level(LogLevel); void log_change_level(LogLevel);
int log_is_on_stderr(void); int log_is_on_stderr(void);
void log_redirect_stderr_to(const char *); void log_redirect_stderr_to(const char *);
diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
--- openssh-6.8p1/monitor.c.log-in-chroot 2015-03-18 12:59:29.669022374 +0100 --- openssh-7.4p1/monitor.c.log-in-chroot 2016-12-23 15:14:33.311168085 +0100
+++ openssh-6.8p1/monitor.c 2015-03-18 13:01:52.894671198 +0100 +++ openssh-7.4p1/monitor.c 2016-12-23 15:16:42.154193100 +0100
@@ -357,6 +357,8 @@ monitor_child_preauth(Authctxt *_authctx @@ -307,6 +307,8 @@ monitor_child_preauth(Authctxt *_authctx
close(pmonitor->m_log_sendfd); close(pmonitor->m_log_sendfd);
pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1; pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
@ -49,7 +49,7 @@ diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c
authctxt = _authctxt; authctxt = _authctxt;
memset(authctxt, 0, sizeof(*authctxt)); memset(authctxt, 0, sizeof(*authctxt));
@@ -465,6 +467,8 @@ monitor_child_postauth(struct monitor *p @@ -405,6 +407,8 @@ monitor_child_postauth(struct monitor *p
close(pmonitor->m_recvfd); close(pmonitor->m_recvfd);
pmonitor->m_recvfd = -1; pmonitor->m_recvfd = -1;
@ -58,7 +58,7 @@ diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c
monitor_set_child_handler(pmonitor->m_pid); monitor_set_child_handler(pmonitor->m_pid);
signal(SIGHUP, &monitor_child_handler); signal(SIGHUP, &monitor_child_handler);
signal(SIGTERM, &monitor_child_handler); signal(SIGTERM, &monitor_child_handler);
@@ -566,7 +570,7 @@ monitor_read_log(struct monitor *pmonito @@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
if (log_level_name(level) == NULL) if (log_level_name(level) == NULL)
fatal("%s: invalid log level %u (corrupted message?)", fatal("%s: invalid log level %u (corrupted message?)",
__func__, level); __func__, level);
@ -67,9 +67,9 @@ diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c
buffer_free(&logmsg); buffer_free(&logmsg);
free(msg); free(msg);
@@ -1998,13 +2002,28 @@ monitor_init(void) @@ -1719,13 +1723,28 @@ monitor_init(void)
(ssh_packet_comp_free_func *)mm_zfree); mon = xcalloc(1, sizeof(*mon));
} monitor_openfds(mon, 1);
+ mon->m_state = ""; + mon->m_state = "";
+ +
@ -98,11 +98,11 @@ diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c
} }
#ifdef GSSAPI #ifdef GSSAPI
diff -up openssh-6.8p1/monitor.h.log-in-chroot openssh-6.8p1/monitor.h diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
--- openssh-6.8p1/monitor.h.log-in-chroot 2015-03-18 12:59:29.695022310 +0100 --- openssh-7.4p1/monitor.h.log-in-chroot 2016-12-23 15:14:33.330168088 +0100
+++ openssh-6.8p1/monitor.h 2015-03-18 13:02:56.926514197 +0100 +++ openssh-7.4p1/monitor.h 2016-12-23 15:16:28.372190424 +0100
@@ -83,10 +83,11 @@ struct monitor { @@ -83,10 +83,11 @@ struct monitor {
struct mm_master *m_zlib; int m_log_sendfd;
struct kex **m_pkex; struct kex **m_pkex;
pid_t m_pid; pid_t m_pid;
+ char *m_state; + char *m_state;
@ -111,13 +111,13 @@ diff -up openssh-6.8p1/monitor.h.log-in-chroot openssh-6.8p1/monitor.h
struct monitor *monitor_init(void); struct monitor *monitor_init(void);
-void monitor_reinit(struct monitor *); -void monitor_reinit(struct monitor *);
+void monitor_reinit(struct monitor *, const char *); +void monitor_reinit(struct monitor *, const char *);
void monitor_sync(struct monitor *);
struct Authctxt; struct Authctxt;
diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c void monitor_child_preauth(struct Authctxt *, struct monitor *);
--- openssh-6.8p1/session.c.log-in-chroot 2015-03-18 12:59:29.675022359 +0100 diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
+++ openssh-6.8p1/session.c 2015-03-18 12:59:29.696022308 +0100 --- openssh-7.4p1/session.c.log-in-chroot 2016-12-23 15:14:33.319168086 +0100
@@ -161,6 +161,7 @@ login_cap_t *lc; +++ openssh-7.4p1/session.c 2016-12-23 15:18:18.742211853 +0100
@@ -160,6 +160,7 @@ login_cap_t *lc;
static int is_child = 0; static int is_child = 0;
static int in_chroot = 0; static int in_chroot = 0;
@ -125,7 +125,7 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
/* Name and directory of socket for authentication agent forwarding. */ /* Name and directory of socket for authentication agent forwarding. */
static char *auth_sock_name = NULL; static char *auth_sock_name = NULL;
@@ -506,8 +508,8 @@ do_exec_no_pty(Session *s, const char *c @@ -365,8 +366,8 @@ do_exec_no_pty(Session *s, const char *c
is_child = 1; is_child = 1;
/* Child. Reinitialize the log since the pid has changed. */ /* Child. Reinitialize the log since the pid has changed. */
@ -136,7 +136,7 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
/* /*
* Create a new session and process group since the 4.4BSD * Create a new session and process group since the 4.4BSD
@@ -675,8 +677,8 @@ do_exec_pty(Session *s, const char *comm @@ -523,8 +524,8 @@ do_exec_pty(Session *s, const char *comm
close(ptymaster); close(ptymaster);
/* Child. Reinitialize the log because the pid has changed. */ /* Child. Reinitialize the log because the pid has changed. */
@ -147,7 +147,7 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
/* Close the master side of the pseudo tty. */ /* Close the master side of the pseudo tty. */
close(ptyfd); close(ptyfd);
@@ -780,6 +782,7 @@ do_exec(Session *s, const char *command) @@ -619,6 +620,7 @@ do_exec(Session *s, const char *command)
int ret; int ret;
const char *forced = NULL, *tty = NULL; const char *forced = NULL, *tty = NULL;
char session_type[1024]; char session_type[1024];
@ -155,7 +155,7 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
if (options.adm_forced_command) { if (options.adm_forced_command) {
original_command = command; original_command = command;
@@ -837,6 +840,10 @@ do_exec(Session *s, const char *command) @@ -676,6 +678,10 @@ do_exec(Session *s, const char *command)
tty += 5; tty += 5;
} }
@ -166,7 +166,7 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
verbose("Starting session: %s%s%s for %s from %.200s port %d id %d", verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
session_type, session_type,
tty == NULL ? "" : " on ", tty == NULL ? "" : " on ",
@@ -1678,14 +1685,6 @@ child_close_fds(void) @@ -1486,14 +1492,6 @@ child_close_fds(void)
* descriptors left by system functions. They will be closed later. * descriptors left by system functions. They will be closed later.
*/ */
endpwent(); endpwent();
@ -181,16 +181,16 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
} }
/* /*
@@ -1831,8 +1830,6 @@ do_child(Session *s, const char *command @@ -1629,8 +1627,6 @@ do_child(Session *s, const char *command
exit(1); exit(1);
} }
- closefrom(STDERR_FILENO + 1); - closefrom(STDERR_FILENO + 1);
- -
if (!options.use_login) do_rc_files(s, shell);
do_rc_files(s, shell);
@@ -1856,9 +1853,17 @@ do_child(Session *s, const char *command /* restore SIGPIPE for child */
@@ -1653,9 +1649,17 @@ do_child(Session *s, const char *command
argv[i] = NULL; argv[i] = NULL;
optind = optreset = 1; optind = optreset = 1;
__progname = argv[0]; __progname = argv[0];
@ -208,21 +208,21 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
+ +
fflush(NULL); fflush(NULL);
if (options.use_login) { /* Get the last component of the shell name. */
diff -up openssh-6.8p1/sftp-server-main.c.log-in-chroot openssh-6.8p1/sftp-server-main.c diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
--- openssh-6.8p1/sftp-server-main.c.log-in-chroot 2015-03-17 06:49:20.000000000 +0100 --- openssh-7.4p1/sftp.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
+++ openssh-6.8p1/sftp-server-main.c 2015-03-18 12:59:29.696022308 +0100 +++ openssh-7.4p1/sftp.h 2016-12-23 15:14:33.331168088 +0100
@@ -47,5 +47,5 @@ main(int argc, char **argv) @@ -97,5 +97,5 @@
return 1;
}
- return (sftp_server_main(argc, argv, user_pw)); struct passwd;
+ return (sftp_server_main(argc, argv, user_pw, 0));
} -int sftp_server_main(int, char **, struct passwd *);
diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c +int sftp_server_main(int, char **, struct passwd *, int);
--- openssh-6.8p1/sftp-server.c.log-in-chroot 2015-03-17 06:49:20.000000000 +0100 void sftp_server_cleanup_exit(int) __attribute__((noreturn));
+++ openssh-6.8p1/sftp-server.c 2015-03-18 13:03:52.510377911 +0100 diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
@@ -1502,7 +1502,7 @@ sftp_server_usage(void) --- openssh-7.4p1/sftp-server.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sftp-server.c 2016-12-23 15:14:33.331168088 +0100
@@ -1497,7 +1497,7 @@ sftp_server_usage(void)
} }
int int
@ -231,7 +231,7 @@ diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c
{ {
fd_set *rset, *wset; fd_set *rset, *wset;
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0; int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
@@ -1515,7 +1515,7 @@ sftp_server_main(int argc, char **argv, @@ -1511,7 +1511,7 @@ sftp_server_main(int argc, char **argv,
ssh_malloc_init(); /* must be called before any mallocs */ ssh_malloc_init(); /* must be called before any mallocs */
__progname = ssh_get_progname(argv[0]); __progname = ssh_get_progname(argv[0]);
@ -240,7 +240,7 @@ diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c
pw = pwcopy(user_pw); pw = pwcopy(user_pw);
@@ -1586,7 +1586,7 @@ sftp_server_main(int argc, char **argv, @@ -1582,7 +1582,7 @@ sftp_server_main(int argc, char **argv,
} }
} }
@ -249,20 +249,20 @@ diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c
/* /*
* On platforms where we can, avoid making /proc/self/{mem,maps} * On platforms where we can, avoid making /proc/self/{mem,maps}
diff -up openssh-6.8p1/sftp.h.log-in-chroot openssh-6.8p1/sftp.h diff -up openssh-7.4p1/sftp-server-main.c.log-in-chroot openssh-7.4p1/sftp-server-main.c
--- openssh-6.8p1/sftp.h.log-in-chroot 2015-03-17 06:49:20.000000000 +0100 --- openssh-7.4p1/sftp-server-main.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
+++ openssh-6.8p1/sftp.h 2015-03-18 12:59:29.696022308 +0100 +++ openssh-7.4p1/sftp-server-main.c 2016-12-23 15:14:33.331168088 +0100
@@ -97,5 +97,5 @@ @@ -49,5 +49,5 @@ main(int argc, char **argv)
return 1;
}
struct passwd; - return (sftp_server_main(argc, argv, user_pw));
+ return (sftp_server_main(argc, argv, user_pw, 0));
-int sftp_server_main(int, char **, struct passwd *); }
+int sftp_server_main(int, char **, struct passwd *, int); diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
void sftp_server_cleanup_exit(int) __attribute__((noreturn)); --- openssh-7.4p1/sshd.c.log-in-chroot 2016-12-23 15:14:33.328168088 +0100
diff -up openssh-6.8p1/sshd.c.log-in-chroot openssh-6.8p1/sshd.c +++ openssh-7.4p1/sshd.c 2016-12-23 15:14:33.332168088 +0100
--- openssh-6.8p1/sshd.c.log-in-chroot 2015-03-18 12:59:29.691022320 +0100 @@ -650,7 +650,7 @@ privsep_postauth(Authctxt *authctxt)
+++ openssh-6.8p1/sshd.c 2015-03-18 12:59:29.697022305 +0100
@@ -744,7 +744,7 @@ privsep_postauth(Authctxt *authctxt)
} }
/* New socket pair */ /* New socket pair */
@ -271,7 +271,7 @@ diff -up openssh-6.8p1/sshd.c.log-in-chroot openssh-6.8p1/sshd.c
pmonitor->m_pid = fork(); pmonitor->m_pid = fork();
if (pmonitor->m_pid == -1) if (pmonitor->m_pid == -1)
@@ -762,6 +762,11 @@ privsep_postauth(Authctxt *authctxt) @@ -668,6 +668,11 @@ privsep_postauth(Authctxt *authctxt)
close(pmonitor->m_sendfd); close(pmonitor->m_sendfd);
pmonitor->m_sendfd = -1; pmonitor->m_sendfd = -1;
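Review bot: The monitor.h hunk declares the new field as `+ char *m_state;`, yet the monitor.c hunk assigns it the string literal `mon->m_state = "";` and the new prototype `monitor_reinit(struct monitor *, const char *)` suggests the field is later set from a `const char *` argument, so it should be declared `const char *m_state;` to avoid discarding the qualifier or ever writing through a literal. The session.c do_child hunk still removes `closefrom(STDERR_FILENO + 1);`; its replacement lives in the collapsed hunk at `@@ -1856,9 +1853,17 @@`, so it is worth confirming there that every descriptor other than the log channel is still closed before exec, since anything left open is inherited by the user's shell. privsep_postauth's body continues outside the last hunk of this section.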


@ -1,7 +1,7 @@
diff -up openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.0p1/gss-serv-krb5.c diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-serv-krb5.c
--- openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users 2015-08-12 11:27:44.022407951 +0200 --- openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users 2016-12-23 15:18:40.615216100 +0100
+++ openssh-7.0p1/gss-serv-krb5.c 2015-08-12 11:27:44.047407912 +0200 +++ openssh-7.4p1/gss-serv-krb5.c 2016-12-23 15:18:40.628216102 +0100
@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri @@ -279,7 +279,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
FILE *fp; FILE *fp;
char file[MAXPATHLEN]; char file[MAXPATHLEN];
char line[BUFSIZ] = ""; char line[BUFSIZ] = "";
@ -9,7 +9,7 @@ diff -up openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.0p1/gss-ser
struct stat st; struct stat st;
struct passwd *pw = the_authctxt->pw; struct passwd *pw = the_authctxt->pw;
int found_principal = 0; int found_principal = 0;
@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri @@ -288,7 +287,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir); snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
/* If both .k5login and .k5users DNE, self-login is ok. */ /* If both .k5login and .k5users DNE, self-login is ok. */
@ -18,27 +18,27 @@ diff -up openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.0p1/gss-ser
return ssh_krb5_kuserok(krb_context, principal, luser, return ssh_krb5_kuserok(krb_context, principal, luser,
k5login_exists); k5login_exists);
} }
diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
--- openssh-7.0p1/servconf.c.GSSAPIEnablek5users 2015-08-12 11:27:44.036407930 +0200 --- openssh-7.4p1/servconf.c.GSSAPIEnablek5users 2016-12-23 15:18:40.615216100 +0100
+++ openssh-7.0p1/servconf.c 2015-08-12 11:28:49.087306430 +0200 +++ openssh-7.4p1/servconf.c 2016-12-23 15:35:36.354401156 +0100
@@ -173,6 +173,7 @@ initialize_server_options(ServerOptions @@ -168,6 +168,7 @@ initialize_server_options(ServerOptions
options->version_addendum = NULL;
options->fingerprint_hash = -1; options->fingerprint_hash = -1;
options->disable_forwarding = -1;
options->use_kuserok = -1; options->use_kuserok = -1;
+ options->enable_k5users = -1; + options->enable_k5users = -1;
} }
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -351,6 +352,8 @@ fill_default_server_options(ServerOption @@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
options->fwd_opts.streamlocal_bind_unlink = 0; options->disable_forwarding = 0;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+ if (options->enable_k5users == -1)
+ options->enable_k5users = 0;
if (options->use_kuserok == -1) if (options->use_kuserok == -1)
options->use_kuserok = 1; options->use_kuserok = 1;
+ if (options->enable_k5users == -1)
+ options->enable_k5users = 0;
@@ -423,7 +426,7 @@ typedef enum { assemble_algorithms(options);
@@ -418,7 +421,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sHostKeyAlgorithms, sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
@ -47,7 +47,7 @@ diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c
sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel, sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding, sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -502,12 +505,14 @@ static struct { @@ -497,12 +500,14 @@ static struct {
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
@ -62,7 +62,7 @@ diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c
#endif #endif
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
@@ -1680,6 +1685,10 @@ process_server_config_line(ServerOptions @@ -1653,6 +1658,10 @@ process_server_config_line(ServerOptions
intptr = &options->use_kuserok; intptr = &options->use_kuserok;
goto parse_flag; goto parse_flag;
@ -73,7 +73,7 @@ diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c
case sPermitOpen: case sPermitOpen:
arg = strdelim(&cp); arg = strdelim(&cp);
if (!arg || *arg == '\0') if (!arg || *arg == '\0')
@@ -2035,6 +2044,7 @@ copy_set_server_options(ServerOptions *d @@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk); M_CP_INTOPT(ip_qos_bulk);
M_CP_INTOPT(use_kuserok); M_CP_INTOPT(use_kuserok);
@ -81,7 +81,7 @@ diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c
M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval); M_CP_INTOPT(rekey_interval);
@@ -2317,6 +2327,7 @@ dump_config(ServerOptions *o) @@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
@ -89,10 +89,10 @@ diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c
/* string arguments */ /* string arguments */
dump_cfg_string(sPidFile, o->pid_file); dump_cfg_string(sPidFile, o->pid_file);
diff -up openssh-7.0p1/servconf.h.GSSAPIEnablek5users openssh-7.0p1/servconf.h diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h
--- openssh-7.0p1/servconf.h.GSSAPIEnablek5users 2015-08-12 11:27:44.022407951 +0200 --- openssh-7.4p1/servconf.h.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
+++ openssh-7.0p1/servconf.h 2015-08-12 11:27:44.048407911 +0200 +++ openssh-7.4p1/servconf.h 2016-12-23 15:18:40.629216102 +0100
@@ -180,7 +180,8 @@ typedef struct { @@ -174,7 +174,8 @@ typedef struct {
int num_permitted_opens; int num_permitted_opens;
@ -102,26 +102,26 @@ diff -up openssh-7.0p1/servconf.h.GSSAPIEnablek5users openssh-7.0p1/servconf.h
char *chroot_directory; char *chroot_directory;
char *revoked_keys_file; char *revoked_keys_file;
char *trusted_user_ca_keys; char *trusted_user_ca_keys;
diff -up openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users openssh-7.0p1/sshd_config.5 diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_config.5
--- openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users 2015-08-12 11:27:44.023407950 +0200 --- openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users 2016-12-23 15:18:40.630216103 +0100
+++ openssh-7.0p1/sshd_config.5 2015-08-12 11:27:44.048407911 +0200 +++ openssh-7.4p1/sshd_config.5 2016-12-23 15:36:21.607408435 +0100
@@ -633,6 +633,12 @@ on logout. @@ -628,6 +628,12 @@ Specifies whether to automatically destr
on logout. on logout.
The default is The default is
.Dq yes . .Cm yes .
+.It Cm GSSAPIEnablek5users +.It Cm GSSAPIEnablek5users
+Specifies whether to look at .k5users file for GSSAPI authentication +Specifies whether to look at .k5users file for GSSAPI authentication
+access control. Further details are described in +access control. Further details are described in
+.Xr ksu 1 . +.Xr ksu 1 .
+The default is +The default is
+.Dq no . +.Cm no .
.It Cm GSSAPIStrictAcceptorCheck .It Cm GSSAPIKeyExchange
Determines whether to be strict about the identity of the GSSAPI acceptor Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
a client authenticates against. doesn't rely on ssh keys to verify host identity.
diff -up openssh-7.0p1/sshd_config.GSSAPIEnablek5users openssh-7.0p1/sshd_config diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config
--- openssh-7.0p1/sshd_config.GSSAPIEnablek5users 2015-08-12 11:27:44.023407950 +0200 --- openssh-7.4p1/sshd_config.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
+++ openssh-7.0p1/sshd_config 2015-08-12 11:27:44.048407911 +0200 +++ openssh-7.4p1/sshd_config 2016-12-23 15:18:40.631216103 +0100
@@ -94,6 +94,7 @@ GSSAPIAuthentication yes @@ -80,6 +80,7 @@ GSSAPIAuthentication yes
GSSAPICleanupCredentials no GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes #GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no #GSSAPIKeyExchange no
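Review bot: The context line `snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);` in the rebased ssh_gssapi_krb5_cmdok hunk never checks for truncation, so an over-long home directory silently produces a different path that the following lines then hand to access() and fopen() (those calls are visible in the kuserok patch's hunk of the same function, where this line recurs). Since the result decides whether a principal may log in, truncation should be treated as a failure rather than continued with, e.g. `if (snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir) >= (int)sizeof(file)) goto out;` with whatever the function's existing error exit is — the function's body starts and ends outside this hunk, so the right label is not visible here. The MAXPATHLEN buffer itself is fine; the missing bound check is the point.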


@ -142,7 +142,7 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
+{ +{
+ +
+ const struct sshcipher *c; + const struct sshcipher *c;
+ struct sshcipher_ctx cc; + struct sshcipher_ctx *cc;
+ char *algo = "aes128-ctr"; + char *algo = "aes128-ctr";
+ char *hexkey = NULL; + char *hexkey = NULL;
+ char *hexiv = "00000000000000000000000000000000"; + char *hexiv = "00000000000000000000000000000000";
@ -232,11 +232,11 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
+ return 2; + return 2;
+ } + }
+ +
+ cipher_crypt(&cc, 0, outdata, data, datalen, 0, 0); + cipher_crypt(cc, 0, outdata, data, datalen, 0, 0);
+ +
+ free(data); + free(data);
+ +
+ cipher_cleanup(&cc); + cipher_free(cc);
+ +
+ for (p = outdata; datalen > 0; ++p, --datalen) { + for (p = outdata; datalen > 0; ++p, --datalen) {
+ printf("%02X", (unsigned char)*p); + printf("%02X", (unsigned char)*p);
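Review bot: The return value of `cipher_crypt(cc, 0, outdata, data, datalen, 0, 0);` is discarded, so if the call fails the loop that follows prints whatever outdata happens to hold as though it were the CAVS answer. The rebase already switched the context to the heap-allocated `struct sshcipher_ctx *cc` / `cipher_free(cc)` pair, so the call site is being touched anyway; checking it as `if (cipher_crypt(cc, 0, outdata, data, datalen, 0, 0) != 0) { fprintf(stderr, "cipher_crypt failed\n"); return 2; }` keeps the test tool from emitting a bogus vector, using the same exit status the surrounding error paths appear to use. The enclosing main() starts and ends outside this hunk, so whether `cc` is initialised to NULL before cipher_init cannot be confirmed from here.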


@ -1,8 +1,7 @@
diff --git a/entropy.c b/entropy.c diff -up openssh-7.4p1/entropy.c.entropy openssh-7.4p1/entropy.c
index 1e9d52a..d24e724 100644 --- openssh-7.4p1/entropy.c.entropy 2016-12-19 05:59:41.000000000 +0100
--- a/entropy.c +++ openssh-7.4p1/entropy.c 2016-12-23 18:34:27.769753570 +0100
+++ b/entropy.c @@ -229,6 +229,9 @@ seed_rng(void)
@@ -227,6 +227,9 @@ seed_rng(void)
memset(buf, '\0', sizeof(buf)); memset(buf, '\0', sizeof(buf));
#endif /* OPENSSL_PRNG_ONLY */ #endif /* OPENSSL_PRNG_ONLY */
@ -12,24 +11,31 @@ index 1e9d52a..d24e724 100644
if (RAND_status() != 1) if (RAND_status() != 1)
fatal("PRNG is not seeded"); fatal("PRNG is not seeded");
} }
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in diff -up openssh-7.4p1/openbsd-compat/Makefile.in.entropy openssh-7.4p1/openbsd-compat/Makefile.in
index 843225d..041bbab 100644 --- openssh-7.4p1/openbsd-compat/Makefile.in.entropy 2016-12-23 18:34:53.715762155 +0100
--- a/openbsd-compat/Makefile.in +++ openssh-7.4p1/openbsd-compat/Makefile.in 2016-12-23 18:35:15.890769493 +0100
+++ b/openbsd-compat/Makefile.in @@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
-PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o -PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o +PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
.c.o: .c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $< $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c diff -up openssh-7.4p1/openbsd-compat/port-linux.h.entropy openssh-7.4p1/openbsd-compat/port-linux.h
new file mode 100644 --- openssh-7.4p1/openbsd-compat/port-linux.h.entropy 2016-12-23 18:34:27.747753563 +0100
index 0000000..da84bf2 +++ openssh-7.4p1/openbsd-compat/port-linux.h 2016-12-23 18:34:27.769753570 +0100
--- /dev/null @@ -34,4 +34,6 @@ void oom_adjust_restore(void);
+++ b/openbsd-compat/port-linux-prng.c void oom_adjust_setup(void);
#endif
+void linux_seed(void);
+
#endif /* ! _PORT_LINUX_H */
diff -up openssh-7.4p1/openbsd-compat/port-linux-prng.c.entropy openssh-7.4p1/openbsd-compat/port-linux-prng.c
--- openssh-7.4p1/openbsd-compat/port-linux-prng.c.entropy 2016-12-23 18:34:27.769753570 +0100
+++ openssh-7.4p1/openbsd-compat/port-linux-prng.c 2016-12-23 18:34:27.769753570 +0100
@@ -0,0 +1,59 @@ @@ -0,0 +1,59 @@
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */ +/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
+ +
@ -90,11 +96,37 @@ index 0000000..da84bf2
+ fatal ("EOF reading %s", random); + fatal ("EOF reading %s", random);
+ } + }
+} +}
diff --git a/ssh-add.0 b/ssh-add.0 diff -up openssh-7.4p1/ssh.1.entropy openssh-7.4p1/ssh.1
index f16165a..17d22cf 100644 --- openssh-7.4p1/ssh.1.entropy 2016-12-23 18:34:27.754753565 +0100
--- a/ssh-add.0 +++ openssh-7.4p1/ssh.1 2016-12-23 18:34:27.770753571 +0100
+++ b/ssh-add.0 @@ -1441,6 +1441,23 @@ For more information, see the
@@ -82,6 +82,16 @@ ENVIRONMENT .Cm PermitUserEnvironment
option in
.Xr sshd_config 5 .
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.It Ev SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 14 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa ~/.rhosts
diff -up openssh-7.4p1/ssh-add.0.entropy openssh-7.4p1/ssh-add.0
--- openssh-7.4p1/ssh-add.0.entropy 2016-12-19 06:21:21.000000000 +0100
+++ openssh-7.4p1/ssh-add.0 2016-12-23 18:34:27.770753571 +0100
@@ -88,6 +88,16 @@ ENVIRONMENT
Identifies the path of a UNIX-domain socket used to communicate Identifies the path of a UNIX-domain socket used to communicate
with the agent. with the agent.
@ -111,11 +143,10 @@ index f16165a..17d22cf 100644
FILES FILES
~/.ssh/identity ~/.ssh/identity
Contains the protocol version 1 RSA authentication identity of Contains the protocol version 1 RSA authentication identity of
diff --git a/ssh-add.1 b/ssh-add.1 diff -up openssh-7.4p1/ssh-add.1.entropy openssh-7.4p1/ssh-add.1
index 04d1840..db883a4 100644 --- openssh-7.4p1/ssh-add.1.entropy 2016-12-19 05:59:41.000000000 +0100
--- a/ssh-add.1 +++ openssh-7.4p1/ssh-add.1 2016-12-23 18:34:27.770753571 +0100
+++ b/ssh-add.1 @@ -171,6 +171,20 @@ to make this work.)
@@ -170,6 +170,20 @@ to make this work.)
Identifies the path of a Identifies the path of a
.Ux Ns -domain .Ux Ns -domain
socket used to communicate with the agent. socket used to communicate with the agent.
@ -136,11 +167,10 @@ index 04d1840..db883a4 100644
.El .El
.Sh FILES .Sh FILES
.Bl -tag -width Ds .Bl -tag -width Ds
diff --git a/ssh-agent.1 b/ssh-agent.1 diff -up openssh-7.4p1/ssh-agent.1.entropy openssh-7.4p1/ssh-agent.1
index d7e791b..7332f0d 100644 --- openssh-7.4p1/ssh-agent.1.entropy 2016-12-19 05:59:41.000000000 +0100
--- a/ssh-agent.1 +++ openssh-7.4p1/ssh-agent.1 2016-12-23 18:34:27.770753571 +0100
+++ b/ssh-agent.1 @@ -214,6 +214,24 @@ sockets used to contain the connection t
@@ -189,6 +189,24 @@ sockets used to contain the connection to the authentication agent.
These sockets should only be readable by the owner. These sockets should only be readable by the owner.
The sockets should get automatically removed when the agent exits. The sockets should get automatically removed when the agent exits.
.El .El
@ -165,97 +195,10 @@ index d7e791b..7332f0d 100644
.Sh SEE ALSO .Sh SEE ALSO
.Xr ssh 1 , .Xr ssh 1 ,
.Xr ssh-add 1 , .Xr ssh-add 1 ,
diff --git a/ssh-keygen.1 b/ssh-keygen.1 diff -up openssh-7.4p1/sshd.8.entropy openssh-7.4p1/sshd.8
index 276dacc..a09d9b1 100644 --- openssh-7.4p1/sshd.8.entropy 2016-12-23 18:34:27.755753566 +0100
--- a/ssh-keygen.1 +++ openssh-7.4p1/sshd.8 2016-12-23 18:34:27.770753571 +0100
+++ b/ssh-keygen.1 @@ -920,6 +920,24 @@ concurrently for different ports, this c
@@ -841,6 +841,24 @@ Contains Diffie-Hellman groups used for DH-GEX.
The file format is described in
.Xr moduli 5 .
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 14 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
diff --git a/ssh-keysign.8 b/ssh-keysign.8
index 69d0829..02d79f8 100644
--- a/ssh-keysign.8
+++ b/ssh-keysign.8
@@ -80,6 +80,24 @@ must be set-uid root if host-based authentication is used.
If these files exist they are assumed to contain public certificate
information corresponding with the private keys above.
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 14 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-keygen 1 ,
diff --git a/ssh.1 b/ssh.1
index 4a476c2..410a04a 100644
--- a/ssh.1
+++ b/ssh.1
@@ -1299,6 +1299,23 @@ For more information, see the
.Cm PermitUserEnvironment
option in
.Xr sshd_config 5 .
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.It Ev SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 14 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa ~/.rhosts
diff --git a/sshd.8 b/sshd.8
index cb866b5..adcaaf9 100644
--- a/sshd.8
+++ b/sshd.8
@@ -945,6 +945,24 @@ concurrently for different ports, this contains the process ID of the one
started last). started last).
The content of this file is not sensitive; it can be world-readable. The content of this file is not sensitive; it can be world-readable.
.El .El
@ -280,13 +223,59 @@ index cb866b5..adcaaf9 100644
.Sh IPV6 .Sh IPV6
IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell. IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
.Sh SEE ALSO .Sh SEE ALSO
diff -up openssh-6.8p1/openbsd-compat/port-linux.h.coverity openssh-6.8p1/openbsd-compat/port-linux.h diff -up openssh-7.4p1/ssh-keygen.1.entropy openssh-7.4p1/ssh-keygen.1
--- openssh-6.8p1/openbsd-compat/port-linux.h.coverity 2015-03-18 17:21:51.861264906 +0100 --- openssh-7.4p1/ssh-keygen.1.entropy 2016-12-19 05:59:41.000000000 +0100
+++ openssh-6.8p1/openbsd-compat/port-linux.h 2015-03-18 17:21:51.897264831 +0100 +++ openssh-7.4p1/ssh-keygen.1 2016-12-23 18:34:27.770753571 +0100
@@ -37,4 +37,6 @@ void oom_adjust_restore(void); @@ -848,6 +848,24 @@ Contains Diffie-Hellman groups used for
void oom_adjust_setup(void); The file format is described in
#endif .Xr moduli 5 .
.El
+void linux_seed(void); +.Sh ENVIRONMENT
+ +.Bl -tag -width Ds -compact
#endif /* ! _PORT_LINUX_H */ +.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 14 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
diff -up openssh-7.4p1/ssh-keysign.8.entropy openssh-7.4p1/ssh-keysign.8
--- openssh-7.4p1/ssh-keysign.8.entropy 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/ssh-keysign.8 2016-12-23 18:34:27.770753571 +0100
@@ -80,6 +80,24 @@ must be set-uid root if host-based authe
If these files exist they are assumed to contain public certificate
information corresponding with the private keys above.
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 14 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-keygen 1 ,
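Review bot: The new ssh-keygen.1 and ssh-keysign.8 hunks tag the variable as `.It Pa SSH_USE_STRONG_RNG` (the path-name macro) while the ssh.1 hunk uses `.It Ev SSH_USE_STRONG_RNG`; the environment-variable macro is the correct one everywhere this text is pasted, and the stray `.Pp` immediately after `.Bl` in those two pages is unneeded. The paragraph also states a minimum of 14 bytes but no upper bound for the count read from the variable; since it is added to ssh-keysign.8, whose context line notes the binary is set-uid root and so inherits the calling user's environment, it is worth confirming that port-linux-prng.c (mostly collapsed in this view) clamps the value, and documenting that bound. The last sentence would read better as "This setting is not recommended on computers without a hardware random generator, because insufficient entropy blocks the connection until enough entropy is available."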


@ -1,7 +1,7 @@
diff -up openssh-7.0p1/auth-krb5.c.kuserok openssh-7.0p1/auth-krb5.c diff -up openssh-7.4p1/auth-krb5.c.kuserok openssh-7.4p1/auth-krb5.c
--- openssh-7.0p1/auth-krb5.c.kuserok 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.4p1/auth-krb5.c.kuserok 2016-12-23 14:36:07.640465939 +0100
+++ openssh-7.0p1/auth-krb5.c 2015-08-12 11:26:21.874536127 +0200 +++ openssh-7.4p1/auth-krb5.c 2016-12-23 14:36:07.644465936 +0100
@@ -55,6 +55,21 @@ @@ -56,6 +56,21 @@
extern ServerOptions options; extern ServerOptions options;
@ -23,7 +23,7 @@ diff -up openssh-7.0p1/auth-krb5.c.kuserok openssh-7.0p1/auth-krb5.c
static int static int
krb5_init(void *context) krb5_init(void *context)
{ {
@@ -158,8 +173,9 @@ auth_krb5_password(Authctxt *authctxt, c @@ -160,8 +175,9 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem) if (problem)
goto out; goto out;
@ -35,9 +35,9 @@ diff -up openssh-7.0p1/auth-krb5.c.kuserok openssh-7.0p1/auth-krb5.c
problem = -1; problem = -1;
goto out; goto out;
} }
diff -up openssh-7.0p1/gss-serv-krb5.c.kuserok openssh-7.0p1/gss-serv-krb5.c diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c
--- openssh-7.0p1/gss-serv-krb5.c.kuserok 2015-08-12 11:26:21.868536137 +0200 --- openssh-7.4p1/gss-serv-krb5.c.kuserok 2016-12-23 14:36:07.640465939 +0100
+++ openssh-7.0p1/gss-serv-krb5.c 2015-08-12 11:26:21.875536126 +0200 +++ openssh-7.4p1/gss-serv-krb5.c 2016-12-23 14:36:07.644465936 +0100
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr @@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
int); int);
@ -160,7 +160,7 @@ diff -up openssh-7.0p1/gss-serv-krb5.c.kuserok openssh-7.0p1/gss-serv-krb5.c
retval = 1; retval = 1;
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
name, (char *)client->displayname.value); name, (char *)client->displayname.value);
@@ -171,9 +270,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri @@ -190,9 +289,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir); snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
/* If both .k5login and .k5users DNE, self-login is ok. */ /* If both .k5login and .k5users DNE, self-login is ok. */
if (!k5login_exists && (access(file, F_OK) == -1)) { if (!k5login_exists && (access(file, F_OK) == -1)) {
@ -172,28 +172,28 @@ diff -up openssh-7.0p1/gss-serv-krb5.c.kuserok openssh-7.0p1/gss-serv-krb5.c
} }
if ((fp = fopen(file, "r")) == NULL) { if ((fp = fopen(file, "r")) == NULL) {
int saved_errno = errno; int saved_errno = errno;
diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
--- openssh-7.0p1/servconf.c.kuserok 2015-08-12 11:26:21.865536141 +0200 --- openssh-7.4p1/servconf.c.kuserok 2016-12-23 14:36:07.630465944 +0100
+++ openssh-7.0p1/servconf.c 2015-08-12 11:27:14.126454598 +0200 +++ openssh-7.4p1/servconf.c 2016-12-23 15:11:52.278133344 +0100
@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions @@ -167,6 +167,7 @@ initialize_server_options(ServerOptions
options->ip_qos_bulk = -1;
options->version_addendum = NULL; options->version_addendum = NULL;
options->fingerprint_hash = -1; options->fingerprint_hash = -1;
options->disable_forwarding = -1;
+ options->use_kuserok = -1; + options->use_kuserok = -1;
} }
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -350,6 +351,8 @@ fill_default_server_options(ServerOption @@ -342,6 +343,8 @@ fill_default_server_options(ServerOption
options->fwd_opts.streamlocal_bind_unlink = 0;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT; options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
if (options->disable_forwarding == -1)
options->disable_forwarding = 0;
+ if (options->use_kuserok == -1) + if (options->use_kuserok == -1)
+ options->use_kuserok = 1; + options->use_kuserok = 1;
assemble_algorithms(options); assemble_algorithms(options);
@@ -404,7 +407,7 @@ typedef enum { @@ -399,7 +402,7 @@ typedef enum {
sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken, - sKerberosGetAFSToken,
@ -201,7 +201,7 @@ diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
sKerberosTgtPassing, sChallengeResponseAuthentication, sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily, sListenAddress, sAddressFamily,
@@ -483,11 +486,13 @@ static struct { @@ -478,11 +481,13 @@ static struct {
#else #else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif #endif
@ -215,7 +215,7 @@ diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
#endif #endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1671,6 +1676,10 @@ process_server_config_line(ServerOptions @@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
*activep = value; *activep = value;
break; break;
@ -226,15 +226,15 @@ diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
case sPermitOpen: case sPermitOpen:
arg = strdelim(&cp); arg = strdelim(&cp);
if (!arg || *arg == '\0') if (!arg || *arg == '\0')
@@ -2023,6 +2032,7 @@ copy_set_server_options(ServerOptions *d @@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(max_authtries); M_CP_INTOPT(client_alive_interval);
M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk); M_CP_INTOPT(ip_qos_bulk);
+ M_CP_INTOPT(use_kuserok); + M_CP_INTOPT(use_kuserok);
M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval); M_CP_INTOPT(rekey_interval);
@@ -2304,6 +2314,7 @@ dump_config(ServerOptions *o) @@ -2309,6 +2319,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
@ -242,10 +242,10 @@ diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
/* string arguments */ /* string arguments */
dump_cfg_string(sPidFile, o->pid_file); dump_cfg_string(sPidFile, o->pid_file);
diff -up openssh-7.0p1/servconf.h.kuserok openssh-7.0p1/servconf.h diff -up openssh-7.4p1/servconf.h.kuserok openssh-7.4p1/servconf.h
--- openssh-7.0p1/servconf.h.kuserok 2015-08-12 11:26:21.865536141 +0200 --- openssh-7.4p1/servconf.h.kuserok 2016-12-23 14:36:07.630465944 +0100
+++ openssh-7.0p1/servconf.h 2015-08-12 11:26:21.876536124 +0200 +++ openssh-7.4p1/servconf.h 2016-12-23 14:36:07.645465936 +0100
@@ -180,6 +180,7 @@ typedef struct { @@ -174,6 +174,7 @@ typedef struct {
int num_permitted_opens; int num_permitted_opens;
@ -253,21 +253,21 @@ diff -up openssh-7.0p1/servconf.h.kuserok openssh-7.0p1/servconf.h
char *chroot_directory; char *chroot_directory;
char *revoked_keys_file; char *revoked_keys_file;
char *trusted_user_ca_keys; char *trusted_user_ca_keys;
diff -up openssh-7.0p1/sshd_config.5.kuserok openssh-7.0p1/sshd_config.5 diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5
--- openssh-7.0p1/sshd_config.5.kuserok 2015-08-12 11:26:21.867536138 +0200 --- openssh-7.4p1/sshd_config.5.kuserok 2016-12-23 14:36:07.637465940 +0100
+++ openssh-7.0p1/sshd_config.5 2015-08-12 11:26:21.877536123 +0200 +++ openssh-7.4p1/sshd_config.5 2016-12-23 15:14:03.117162222 +0100
@@ -872,6 +872,10 @@ Specifies whether to automatically destr @@ -850,6 +850,10 @@ Specifies whether to automatically destr
file on logout. file on logout.
The default is The default is
.Dq yes . .Cm yes .
+.It Cm KerberosUseKuserok +.It Cm KerberosUseKuserok
+Specifies whether to look at .k5login file for user's aliases. +Specifies whether to look at .k5login file for user's aliases.
+The default is +The default is
+.Dq yes . +.Cm yes .
.It Cm KexAlgorithms .It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated. Multiple algorithms must be comma-separated.
@@ -1116,6 +1120,7 @@ Available keywords are @@ -1078,6 +1082,7 @@ Available keywords are
.Cm IPQoS , .Cm IPQoS ,
.Cm KbdInteractiveAuthentication , .Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication , .Cm KerberosAuthentication ,
@ -275,10 +275,10 @@ diff -up openssh-7.0p1/sshd_config.5.kuserok openssh-7.0p1/sshd_config.5
.Cm MaxAuthTries , .Cm MaxAuthTries ,
.Cm MaxSessions , .Cm MaxSessions ,
.Cm PasswordAuthentication , .Cm PasswordAuthentication ,
diff -up openssh-7.0p1/sshd_config.kuserok openssh-7.0p1/sshd_config diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config
--- openssh-7.0p1/sshd_config.kuserok 2015-08-12 11:26:21.867536138 +0200 --- openssh-7.4p1/sshd_config.kuserok 2016-12-23 14:36:07.631465943 +0100
+++ openssh-7.0p1/sshd_config 2015-08-12 11:26:21.876536124 +0200 +++ openssh-7.4p1/sshd_config 2016-12-23 14:36:07.646465935 +0100
@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no @@ -73,6 +73,7 @@ ChallengeResponseAuthentication no
#KerberosOrLocalPasswd yes #KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes #KerberosTicketCleanup yes
#KerberosGetAFSToken no #KerberosGetAFSToken no
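Review bot: The new sshd_config.5 entry `Specifies whether to look at .k5login file for user's aliases.` does not say which authorization check applies when the keyword is set to no, so a reader cannot tell whether disabling it tightens or loosens access; a second sentence describing the fallback behaviour is needed, and the same gap exists in the GSSAPIEnablek5users entry of the preceding patch. The file name should also be marked up as `.Pa .k5login` (and `.Pa .k5users` in the other entry) rather than left as plain text, per mdoc convention.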


@ -1,8 +1,18 @@
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c diff -up openssh-7.4p1/openbsd-compat/port-linux.h.privsep-selinux openssh-7.4p1/openbsd-compat/port-linux.h
index c18524e..d04f4ed 100644 --- openssh-7.4p1/openbsd-compat/port-linux.h.privsep-selinux 2016-12-23 18:58:52.972122201 +0100
--- a/openbsd-compat/port-linux-sshd.c +++ openssh-7.4p1/openbsd-compat/port-linux.h 2016-12-23 18:58:52.974122201 +0100
+++ b/openbsd-compat/port-linux-sshd.c @@ -23,6 +23,7 @@ void ssh_selinux_setup_pty(char *, const
@@ -409,6 +409,28 @@ sshd_selinux_setup_exec_context(char *pwname) void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
+void sshd_selinux_copy_context(void);
void sshd_selinux_setup_exec_context(char *);
#endif
diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-7.4p1/openbsd-compat/port-linux-sshd.c
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 18:58:52.974122201 +0100
@@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw
debug3("%s: done", __func__); debug3("%s: done", __func__);
} }
@ -31,23 +41,19 @@ index c18524e..d04f4ed 100644
#endif #endif
#endif #endif
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h diff -up openssh-7.4p1/session.c.privsep-selinux openssh-7.4p1/session.c
index 8ef6cc4..b18893c 100644 --- openssh-7.4p1/session.c.privsep-selinux 2016-12-19 05:59:41.000000000 +0100
--- a/openbsd-compat/port-linux.h +++ openssh-7.4p1/session.c 2016-12-23 18:58:52.974122201 +0100
+++ b/openbsd-compat/port-linux.h @@ -1331,7 +1331,7 @@ do_setusercontext(struct passwd *pw)
@@ -25,6 +25,7 @@ void ssh_selinux_setup_pty(char *, const char *);
void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
+void sshd_selinux_copy_context(void); platform_setusercontext(pw);
void sshd_selinux_setup_exec_context(char *);
#endif
diff --git a/session.c b/session.c - if (platform_privileged_uidswap()) {
index 2bcf818..b5dc144 100644 + if (platform_privileged_uidswap() && (!is_child || !use_privsep)) {
--- a/session.c #ifdef HAVE_LOGIN_CAP
+++ b/session.c if (setusercontext(lc, pw, pw->pw_uid,
@@ -1538,6 +1538,9 @@ do_setusercontext(struct passwd *pw) (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
@@ -1361,6 +1361,9 @@ do_setusercontext(struct passwd *pw)
pw->pw_uid); pw->pw_uid);
chroot_path = percent_expand(tmp, "h", pw->pw_dir, chroot_path = percent_expand(tmp, "h", pw->pw_dir,
"u", pw->pw_name, (char *)NULL); "u", pw->pw_name, (char *)NULL);
@ -57,7 +63,7 @@ index 2bcf818..b5dc144 100644
safely_chroot(chroot_path, pw->pw_uid); safely_chroot(chroot_path, pw->pw_uid);
free(tmp); free(tmp);
free(chroot_path); free(chroot_path);
@@ -1565,6 +1568,11 @@ do_setusercontext(struct passwd *pw) @@ -1396,6 +1399,11 @@ do_setusercontext(struct passwd *pw)
/* Permanently switch to the desired uid. */ /* Permanently switch to the desired uid. */
permanently_set_uid(pw); permanently_set_uid(pw);
#endif #endif
@ -69,7 +75,7 @@ index 2bcf818..b5dc144 100644
} else if (options.chroot_directory != NULL && } else if (options.chroot_directory != NULL &&
strcasecmp(options.chroot_directory, "none") != 0) { strcasecmp(options.chroot_directory, "none") != 0) {
fatal("server lacks privileges to chroot to ChrootDirectory"); fatal("server lacks privileges to chroot to ChrootDirectory");
@@ -1588,9 +1588,6 @@ do_pwchange(Session *s) @@ -1413,9 +1421,6 @@ do_pwchange(Session *s)
if (s->ttyfd != -1) { if (s->ttyfd != -1) {
fprintf(stderr, fprintf(stderr,
"You must change your password now and login again!\n"); "You must change your password now and login again!\n");
@ -79,7 +85,7 @@ index 2bcf818..b5dc144 100644
#ifdef PASSWD_NEEDS_USERNAME #ifdef PASSWD_NEEDS_USERNAME
execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name, execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name,
(char *)NULL); (char *)NULL);
@@ -1826,9 +1835,6 @@ do_child(Session *s, const char *command) @@ -1625,9 +1630,6 @@ do_child(Session *s, const char *command
argv[i] = NULL; argv[i] = NULL;
optind = optreset = 1; optind = optreset = 1;
__progname = argv[0]; __progname = argv[0];
@ -89,11 +95,10 @@ index 2bcf818..b5dc144 100644
exit(sftp_server_main(i, argv, s->pw)); exit(sftp_server_main(i, argv, s->pw));
} }
diff --git a/sshd.c b/sshd.c diff -up openssh-7.4p1/sshd.c.privsep-selinux openssh-7.4p1/sshd.c
index 07f9926..a97f8b7 100644 --- openssh-7.4p1/sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
--- a/sshd.c +++ openssh-7.4p1/sshd.c 2016-12-23 18:59:13.808124269 +0100
+++ b/sshd.c @@ -540,6 +540,10 @@ privsep_preauth_child(void)
@@ -632,6 +632,10 @@ privsep_preauth_child(void)
/* Demote the private keys to public keys. */ /* Demote the private keys to public keys. */
demote_sensitive_data(); demote_sensitive_data();
@ -104,26 +109,13 @@ index 07f9926..a97f8b7 100644
/* Demote the child */ /* Demote the child */
if (getuid() == 0 || geteuid() == 0) { if (getuid() == 0 || geteuid() == 0) {
/* Change our root directory */ /* Change our root directory */
@@ -755,6 +755,9 @@ privsep_postauth(Authctxt *authctxt) @@ -633,6 +637,9 @@ privsep_postauth(Authctxt *authctxt)
{
#ifdef DISABLE_FD_PASSING #ifdef DISABLE_FD_PASSING
if (1) { if (1) {
+#elif defined(WITH_SELINUX) +#elif defined(WITH_SELINUX)
+ if (options.use_login) { + if (0) {
+ /* even root user can be confined by SELinux */ + /* even root user can be confined by SELinux */
#else #else
if (authctxt->pw->pw_uid == 0 || options.use_login) { if (authctxt->pw->pw_uid == 0) {
#endif #endif
diff --git a/session.c b/session.c
index 684f867..09048bc 100644
--- a/session.c
+++ b/session.c
@@ -1538,7 +1538,7 @@ do_setusercontext(struct passwd *pw)
platform_setusercontext(pw);
- if (platform_privileged_uidswap()) {
+ if (platform_privileged_uidswap() && (!is_child || !use_privsep)) {
#ifdef HAVE_LOGIN_CAP
if (setusercontext(lc, pw, pw->pw_uid,
(LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
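Review bot: In the sshd.c privsep_postauth hunk the rationale `/* even root user can be confined by SELinux */` is placed inside the `if (0) {` body, which never executes, so a reader has to infer that the comment justifies the constant-false condition rather than the dead statements below it. Move it onto the condition so the intent is visible where the decision is made, e.g. `/* never skip privsep on SELinUX builds: even root can be confined */` directly above `if (0) {`, or fold it into the `#elif defined(WITH_SELINUX)` line. Note that `#ifdef DISABLE_FD_PASSING` is tested first, so on a build with both macros defined privsep is still disabled; if that is intended a word in the same comment would save the next reader the same check. The body of privsep_postauth continues outside the hunk.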


@ -1,8 +1,7 @@
diff --git a/ssh_config b/ssh_config diff -up openssh-7.4p1/ssh_config.redhat openssh-7.4p1/ssh_config
index 49a4f6c..3f83c40 100644 --- openssh-7.4p1/ssh_config.redhat 2016-12-19 05:59:41.000000000 +0100
--- a/ssh_config +++ openssh-7.4p1/ssh_config 2016-12-23 13:32:00.045220402 +0100
+++ b/ssh_config @@ -48,3 +48,7 @@
@@ -46,3 +46,7 @@
# VisualHostKey no # VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com # ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h # RekeyLimit 1G 1h
@ -10,9 +9,9 @@ index 49a4f6c..3f83c40 100644
+# To modify the system-wide ssh configuration, create a *.conf file under +# To modify the system-wide ssh configuration, create a *.conf file under
+# /etc/ssh/ssh_config.d/ which will be automatically included below +# /etc/ssh/ssh_config.d/ which will be automatically included below
+Include /etc/ssh/ssh_config.d/*.conf +Include /etc/ssh/ssh_config.d/*.conf
diff --git a/ssh_config_redhat b/ssh_config_redhat diff -up openssh-7.4p1/ssh_config_redhat.redhat openssh-7.4p1/ssh_config_redhat
--- /dev/null --- openssh-7.4p1/ssh_config_redhat.redhat 2016-12-23 13:32:00.045220402 +0100
+++ b/ssh_config_redhat +++ openssh-7.4p1/ssh_config_redhat 2016-12-23 13:32:00.045220402 +0100
@@ -0,0 +1,20 @@ @@ -0,0 +1,20 @@
+# Follow system-wide Crypto Poliicy, if defined: +# Follow system-wide Crypto Poliicy, if defined:
+Include /etc/crypto-policies/back-ends/openssh.txt +Include /etc/crypto-policies/back-ends/openssh.txt
@ -34,11 +33,38 @@ diff --git a/ssh_config_redhat b/ssh_config_redhat
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE + SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ SendEnv XMODIFIERS + SendEnv XMODIFIERS
diff --git a/sshd_config b/sshd_config diff -up openssh-7.4p1/sshd_config.0.redhat openssh-7.4p1/sshd_config.0
index c735429..e68ddee 100644 --- openssh-7.4p1/sshd_config.0.redhat 2016-12-19 06:21:22.000000000 +0100
--- a/sshd_config +++ openssh-7.4p1/sshd_config.0 2016-12-23 13:32:00.045220402 +0100
+++ b/sshd_config @@ -837,9 +837,9 @@ DESCRIPTION
@@ -10,6 +10,10 @@
SyslogFacility
Gives the facility code that is used when logging messages from
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
- default is AUTH.
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
diff -up openssh-7.4p1/sshd_config.5.redhat openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.redhat 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sshd_config.5 2016-12-23 13:32:00.046220403 +0100
@@ -1393,7 +1393,7 @@ By default no subsystems are defined.
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
.Xr sshd 8 .
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
.It Cm TCPKeepAlive
diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config
--- openssh-7.4p1/sshd_config.redhat 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sshd_config 2016-12-23 13:33:05.386233133 +0100
@@ -10,21 +10,26 @@
# possible, but leave them commented. Uncommented options override the # possible, but leave them commented. Uncommented options override the
# default value. # default value.
@ -49,10 +75,8 @@ index c735429..e68ddee 100644
#Port 22 #Port 22
#AddressFamily any #AddressFamily any
#ListenAddress 0.0.0.0 #ListenAddress 0.0.0.0
@@ -21,10 +25,10 @@ #ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_dsa_key
@ -61,9 +85,8 @@ index c735429..e68ddee 100644
+HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key +HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key # Ciphers and keying
#KeyRegenerationInterval 1h #RekeyLimit default none
@@ -36,6 +40,7 @@
# Logging # Logging
#SyslogFacility AUTH #SyslogFacility AUTH
@ -71,7 +94,7 @@ index c735429..e68ddee 100644
#LogLevel INFO #LogLevel INFO
# Authentication: # Authentication:
@@ -71,9 +76,11 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -57,9 +62,11 @@ AuthorizedKeysFile .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes #PasswordAuthentication yes
#PermitEmptyPasswords no #PermitEmptyPasswords no
@ -83,7 +106,7 @@ index c735429..e68ddee 100644
# Kerberos options # Kerberos options
#KerberosAuthentication no #KerberosAuthentication no
@@ -82,8 +89,8 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -68,8 +75,8 @@ AuthorizedKeysFile .ssh/authorized_keys
#KerberosGetAFSToken no #KerberosGetAFSToken no
# GSSAPI options # GSSAPI options
@ -94,7 +117,7 @@ index c735429..e68ddee 100644
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
@@ -94,12 +101,12 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -80,12 +87,12 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'. # and ChallengeResponseAuthentication to 'no'.
@ -109,7 +132,7 @@ index c735429..e68ddee 100644
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
#PermitTTY yes #PermitTTY yes
@@ -122,6 +129,12 @@ UsePrivilegeSeparation sandbox # Default for new installations. @@ -108,6 +115,12 @@ AuthorizedKeysFile .ssh/authorized_keys
# no default banner path # no default banner path
#Banner none #Banner none
@ -122,33 +145,3 @@ index c735429..e68ddee 100644
# override default of no subsystems # override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server Subsystem sftp /usr/libexec/sftp-server
diff --git a/sshd_config.0 b/sshd_config.0
index 413c260..87e7ee7 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -675,9 +675,9 @@ DESCRIPTION
SyslogFacility
Gives the facility code that is used when logging messages from
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
- default is AUTH.
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
diff --git a/sshd_config.5 b/sshd_config.5
index ce71efe..12465c2 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1131,7 +1131,7 @@ Note that this option applies to protocol version 2 only.
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
.Xr sshd 8 .
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
.It Cm TCPKeepAlive
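Review bot: The first line of the new ssh_config_redhat file carries a typo, `# Follow system-wide Crypto Poliicy, if defined:`; since this file presumably ends up as the system-wide client configuration, the comment is what every administrator reads first, so change it to `# Follow system-wide Crypto Policy, if defined:`. Separately, the sshd_config.0 hunk hand-edits the preformatted manual to mirror the sshd_config.5 change (AUTHPRIV added to SyslogFacility); if the .0 file is regenerated at build time this is harmless, otherwise the two copies must be kept in step by hand, which is worth a remark in the patch header.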


@ -1,157 +1,6 @@
diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c diff -up openssh-7.4p1/auth2.c.role-mls openssh-7.4p1/auth2.c
--- openssh/auth-pam.c.role-mls 2016-07-24 13:50:13.000000000 +0200 --- openssh-7.4p1/auth2.c.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh/auth-pam.c 2016-07-26 12:37:48.793593333 +0200 +++ openssh-7.4p1/auth2.c 2016-12-23 12:19:58.587459379 +0100
@@ -1095,7 +1095,7 @@ is_pam_session_open(void)
* during the ssh authentication process.
*/
int
-do_pam_putenv(char *name, char *value)
+do_pam_putenv(char *name, const char *value)
{
int ret = 1;
#ifdef HAVE_PAM_PUTENV
diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
--- openssh/auth-pam.h.role-mls 2016-07-24 13:50:13.000000000 +0200
+++ openssh/auth-pam.h 2016-07-26 12:37:48.793593333 +0200
@@ -38,7 +38,7 @@ void do_pam_session(void);
void do_pam_set_tty(const char *);
void do_pam_setcred(int );
void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
diff -up openssh/auth.h.role-mls openssh/auth.h
--- openssh/auth.h.role-mls 2016-07-24 13:50:13.000000000 +0200
+++ openssh/auth.h 2016-07-26 12:37:48.793593333 +0200
@@ -62,6 +62,9 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
char *style;
+#ifdef WITH_SELINUX
+ char *role;
+#endif
void *kbdintctxt;
char *info; /* Extra info for next auth_log */
#ifdef BSD_AUTH
diff -up openssh/auth1.c.role-mls openssh/auth1.c
--- openssh/auth1.c.role-mls 2016-07-24 13:50:13.000000000 +0200
+++ openssh/auth1.c 2016-07-26 12:37:48.793593333 +0200
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
{
u_int ulen;
char *user, *style = NULL;
+#ifdef WITH_SELINUX
+ char *role=NULL;
+#endif
/* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER);
@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt)
user = packet_get_cstring(&ulen);
packet_check_eom();
+#ifdef WITH_SELINUX
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = '\0';
+#endif
+
if ((style = strchr(user, ':')) != NULL)
*style++ = '\0';
+#ifdef WITH_SELINUX
+ else
+ if (role && (style = strchr(role, ':')) != NULL)
+ *style++ = '\0';
+#endif
authctxt->user = user;
authctxt->style = style;
+#ifdef WITH_SELINUX
+ authctxt->role = role;
+#endif
/* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
--- openssh/auth2-gss.c.role-mls 2016-07-24 13:50:13.000000000 +0200
+++ openssh/auth2-gss.c 2016-07-26 12:37:48.794593332 +0200
@@ -255,6 +255,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
int authenticated = 0;
+ char *micuser;
Buffer b;
gss_buffer_desc mic, gssbuf;
u_int len;
@@ -267,7 +268,13 @@ input_gssapi_mic(int type, u_int32_t ple
mic.value = packet_get_string(&len);
mic.length = len;
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+#ifdef WITH_SELINUX
+ if (authctxt->role && (strlen(authctxt->role) > 0))
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
+ else
+#endif
+ micuser = authctxt->user;
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
"gssapi-with-mic");
gssbuf.value = buffer_ptr(&b);
@@ -279,6 +286,8 @@ input_gssapi_mic(int type, u_int32_t ple
logit("GSSAPI MIC check failed");
buffer_free(&b);
+ if (micuser != authctxt->user)
+ free(micuser);
free(mic.value);
authctxt->postponed = 0;
diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
--- openssh/auth2-hostbased.c.role-mls 2016-07-24 13:50:13.000000000 +0200
+++ openssh/auth2-hostbased.c 2016-07-26 12:37:48.794593332 +0200
@@ -121,7 +121,15 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+#endif
+ buffer_put_cstring(&b, authctxt->user);
buffer_put_cstring(&b, service);
buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen);
diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
--- openssh/auth2-pubkey.c.role-mls 2016-07-24 13:50:13.000000000 +0200
+++ openssh/auth2-pubkey.c 2016-07-26 12:37:48.794593332 +0200
@@ -151,9 +151,15 @@ userauth_pubkey(Authctxt *authctxt)
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- xasprintf(&userstyle, "%s%s%s", authctxt->user,
+ xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
- authctxt->style ? authctxt->style : "");
+ authctxt->style ? authctxt->style : "",
+#ifdef WITH_SELINUX
+ authctxt->role ? "/" : "",
+ authctxt->role ? authctxt->role : "");
+#else
+ "", "");
+#endif
buffer_put_cstring(&b, userstyle);
free(userstyle);
buffer_put_cstring(&b,
diff -up openssh/auth2.c.role-mls openssh/auth2.c
--- openssh/auth2.c.role-mls 2016-07-24 13:50:13.000000000 +0200
+++ openssh/auth2.c 2016-07-26 12:37:48.794593332 +0200
@@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32 @@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32
Authctxt *authctxt = ctxt; Authctxt *authctxt = ctxt;
Authmethod *m = NULL; Authmethod *m = NULL;
@ -191,9 +40,122 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c
userauth_banner(); userauth_banner();
if (auth2_setup_methods_lists(authctxt) != 0) if (auth2_setup_methods_lists(authctxt) != 0)
packet_disconnect("no authentication methods enabled"); packet_disconnect("no authentication methods enabled");
diff -up openssh/misc.c.role-mls openssh/misc.c diff -up openssh-7.4p1/auth2-gss.c.role-mls openssh-7.4p1/auth2-gss.c
--- openssh/misc.c.role-mls 2016-07-24 13:50:13.000000000 +0200 --- openssh-7.4p1/auth2-gss.c.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh/misc.c 2016-07-26 12:37:48.794593332 +0200 +++ openssh-7.4p1/auth2-gss.c 2016-12-23 12:19:58.586459382 +0100
@@ -255,6 +255,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
int authenticated = 0;
+ char *micuser;
Buffer b;
gss_buffer_desc mic, gssbuf;
u_int len;
@@ -267,7 +268,13 @@ input_gssapi_mic(int type, u_int32_t ple
mic.value = packet_get_string(&len);
mic.length = len;
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+#ifdef WITH_SELINUX
+ if (authctxt->role && (strlen(authctxt->role) > 0))
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
+ else
+#endif
+ micuser = authctxt->user;
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
"gssapi-with-mic");
gssbuf.value = buffer_ptr(&b);
@@ -279,6 +286,8 @@ input_gssapi_mic(int type, u_int32_t ple
logit("GSSAPI MIC check failed");
buffer_free(&b);
+ if (micuser != authctxt->user)
+ free(micuser);
free(mic.value);
authctxt->postponed = 0;
diff -up openssh-7.4p1/auth2-hostbased.c.role-mls openssh-7.4p1/auth2-hostbased.c
--- openssh-7.4p1/auth2-hostbased.c.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/auth2-hostbased.c 2016-12-23 12:19:58.586459382 +0100
@@ -121,7 +121,15 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+#endif
+ buffer_put_cstring(&b, authctxt->user);
buffer_put_cstring(&b, service);
buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen);
diff -up openssh-7.4p1/auth2-pubkey.c.role-mls openssh-7.4p1/auth2-pubkey.c
--- openssh-7.4p1/auth2-pubkey.c.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/auth2-pubkey.c 2016-12-23 12:19:58.587459379 +0100
@@ -151,9 +151,15 @@ userauth_pubkey(Authctxt *authctxt)
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- xasprintf(&userstyle, "%s%s%s", authctxt->user,
+ xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
- authctxt->style ? authctxt->style : "");
+ authctxt->style ? authctxt->style : "",
+#ifdef WITH_SELINUX
+ authctxt->role ? "/" : "",
+ authctxt->role ? authctxt->role : "");
+#else
+ "", "");
+#endif
buffer_put_cstring(&b, userstyle);
free(userstyle);
buffer_put_cstring(&b,
diff -up openssh-7.4p1/auth.h.role-mls openssh-7.4p1/auth.h
--- openssh-7.4p1/auth.h.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/auth.h 2016-12-23 12:19:43.478510375 +0100
@@ -62,6 +62,9 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
char *style;
+#ifdef WITH_SELINUX
+ char *role;
+#endif
void *kbdintctxt;
char *info; /* Extra info for next auth_log */
#ifdef BSD_AUTH
diff -up openssh-7.4p1/auth-pam.c.role-mls openssh-7.4p1/auth-pam.c
--- openssh-7.4p1/auth-pam.c.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/auth-pam.c 2016-12-23 12:19:43.477510378 +0100
@@ -1087,7 +1087,7 @@ is_pam_session_open(void)
* during the ssh authentication process.
*/
int
-do_pam_putenv(char *name, char *value)
+do_pam_putenv(char *name, const char *value)
{
int ret = 1;
#ifdef HAVE_PAM_PUTENV
diff -up openssh-7.4p1/auth-pam.h.role-mls openssh-7.4p1/auth-pam.h
--- openssh-7.4p1/auth-pam.h.role-mls 2016-12-23 12:19:43.478510375 +0100
+++ openssh-7.4p1/auth-pam.h 2016-12-23 12:21:44.698101234 +0100
@@ -31,7 +31,7 @@ u_int do_pam_account(void);
void do_pam_session(void);
void do_pam_setcred(int );
void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
diff -up openssh-7.4p1/misc.c.role-mls openssh-7.4p1/misc.c
--- openssh-7.4p1/misc.c.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/misc.c 2016-12-23 12:19:58.587459379 +0100
@@ -432,6 +432,7 @@ char * @@ -432,6 +432,7 @@ char *
colon(char *cp) colon(char *cp)
{ {
@ -216,10 +178,10 @@ diff -up openssh/misc.c.role-mls openssh/misc.c
} }
return NULL; return NULL;
} }
diff -up openssh/monitor.c.role-mls openssh/monitor.c diff -up openssh-7.4p1/monitor.c.role-mls openssh-7.4p1/monitor.c
--- openssh/monitor.c.role-mls 2016-07-24 13:50:13.000000000 +0200 --- openssh-7.4p1/monitor.c.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh/monitor.c 2016-07-26 12:44:19.363379490 +0200 +++ openssh-7.4p1/monitor.c 2016-12-23 12:23:03.503835248 +0100
@@ -128,6 +128,9 @@ int mm_answer_sign(int, Buffer *); @@ -127,6 +127,9 @@ int mm_answer_sign(int, Buffer *);
int mm_answer_pwnamallow(int, Buffer *); int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_auth2_read_banner(int, Buffer *);
int mm_answer_authserv(int, Buffer *); int mm_answer_authserv(int, Buffer *);
@ -229,7 +191,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
int mm_answer_authpassword(int, Buffer *); int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *);
int mm_answer_bsdauthrespond(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *);
@@ -207,6 +210,9 @@ struct mon_table mon_dispatch_proto20[] @@ -202,6 +205,9 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -239,17 +201,17 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM #ifdef USE_PAM
@@ -863,6 +869,9 @@ mm_answer_pwnamallow(int sock, Buffer *m @@ -769,6 +775,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
else {
/* Allow service/style information on the auth context */ /* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+#endif +#endif
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
}
#ifdef USE_PAM #ifdef USE_PAM
@@ -904,6 +913,25 @@ mm_answer_authserv(int sock, Buffer *m) @@ -810,6 +819,25 @@ mm_answer_authserv(int sock, Buffer *m)
return (0); return (0);
} }
@ -275,7 +237,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
int int
mm_answer_authpassword(int sock, Buffer *m) mm_answer_authpassword(int sock, Buffer *m)
{ {
@@ -1300,7 +1328,7 @@ monitor_valid_userblob(u_char *data, u_i @@ -1208,7 +1236,7 @@ monitor_valid_userblob(u_char *data, u_i
{ {
Buffer b; Buffer b;
u_char *p; u_char *p;
@ -284,7 +246,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
u_int len; u_int len;
int fail = 0; int fail = 0;
@@ -1326,6 +1354,8 @@ monitor_valid_userblob(u_char *data, u_i @@ -1234,6 +1262,8 @@ monitor_valid_userblob(u_char *data, u_i
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++; fail++;
cp = buffer_get_cstring(&b, NULL); cp = buffer_get_cstring(&b, NULL);
@ -293,7 +255,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
xasprintf(&userstyle, "%s%s%s", authctxt->user, xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "", authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : ""); authctxt->style ? authctxt->style : "");
@@ -1361,7 +1391,7 @@ monitor_valid_hostbasedblob(u_char *data @@ -1269,7 +1299,7 @@ monitor_valid_hostbasedblob(u_char *data
char *chost) char *chost)
{ {
Buffer b; Buffer b;
@ -302,7 +264,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
u_int len; u_int len;
int fail = 0; int fail = 0;
@@ -1378,6 +1408,8 @@ monitor_valid_hostbasedblob(u_char *data @@ -1286,6 +1316,8 @@ monitor_valid_hostbasedblob(u_char *data
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++; fail++;
p = buffer_get_cstring(&b, NULL); p = buffer_get_cstring(&b, NULL);
@ -311,9 +273,9 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
xasprintf(&userstyle, "%s%s%s", authctxt->user, xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "", authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : ""); authctxt->style ? authctxt->style : "");
diff -up openssh/monitor.h.role-mls openssh/monitor.h diff -up openssh-7.4p1/monitor.h.role-mls openssh-7.4p1/monitor.h
--- openssh/monitor.h.role-mls 2016-07-24 13:50:13.000000000 +0200 --- openssh-7.4p1/monitor.h.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh/monitor.h 2016-07-26 12:37:48.795593331 +0200 +++ openssh-7.4p1/monitor.h 2016-12-23 12:19:58.588459376 +0100
@@ -57,6 +57,10 @@ enum monitor_reqtype { @@ -57,6 +57,10 @@ enum monitor_reqtype {
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49, MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
MONITOR_REQ_TERM = 50, MONITOR_REQ_TERM = 50,
@ -325,10 +287,10 @@ diff -up openssh/monitor.h.role-mls openssh/monitor.h
MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105, MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c diff -up openssh-7.4p1/monitor_wrap.c.role-mls openssh-7.4p1/monitor_wrap.c
--- openssh/monitor_wrap.c.role-mls 2016-07-24 13:50:13.000000000 +0200 --- openssh-7.4p1/monitor_wrap.c.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh/monitor_wrap.c 2016-07-26 12:37:48.795593331 +0200 +++ openssh-7.4p1/monitor_wrap.c 2016-12-23 12:19:58.588459376 +0100
@@ -346,6 +346,25 @@ mm_inform_authserv(char *service, char * @@ -345,6 +345,25 @@ mm_inform_authserv(char *service, char *
buffer_free(&m); buffer_free(&m);
} }
@ -354,9 +316,9 @@ diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
/* Do the password authentication */ /* Do the password authentication */
int int
mm_auth_password(Authctxt *authctxt, char *password) mm_auth_password(Authctxt *authctxt, char *password)
diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h diff -up openssh-7.4p1/monitor_wrap.h.role-mls openssh-7.4p1/monitor_wrap.h
--- openssh/monitor_wrap.h.role-mls 2016-07-24 13:50:13.000000000 +0200 --- openssh-7.4p1/monitor_wrap.h.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh/monitor_wrap.h 2016-07-26 12:37:48.795593331 +0200 +++ openssh-7.4p1/monitor_wrap.h 2016-12-23 12:19:58.588459376 +0100
@@ -42,6 +42,9 @@ int mm_is_monitor(void); @@ -42,6 +42,9 @@ int mm_is_monitor(void);
DH *mm_choose_dh(int, int, int); DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int, const char *); int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int, const char *);
@ -367,21 +329,90 @@ diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
struct passwd *mm_getpwnamallow(const char *); struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void); char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *); int mm_auth_password(struct Authctxt *, char *);
diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Makefile.in diff -up openssh-7.4p1/openbsd-compat/Makefile.in.role-mls openssh-7.4p1/openbsd-compat/Makefile.in
--- openssh/openbsd-compat/Makefile.in.role-mls 2016-07-24 13:50:13.000000000 +0200 --- openssh-7.4p1/openbsd-compat/Makefile.in.role-mls 2016-12-23 12:19:58.588459376 +0100
+++ openssh/openbsd-compat/Makefile.in 2016-07-26 12:37:48.795593331 +0200 +++ openssh-7.4p1/openbsd-compat/Makefile.in 2016-12-23 12:24:06.042643938 +0100
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf @@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o -PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o +PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
.c.o: .c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $< $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c diff -up openssh-7.4p1/openbsd-compat/port-linux.c.role-mls openssh-7.4p1/openbsd-compat/port-linux.c
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2016-07-26 12:37:48.796593331 +0200 --- openssh-7.4p1/openbsd-compat/port-linux.c.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh/openbsd-compat/port-linux-sshd.c 2016-07-26 12:37:48.796593331 +0200 +++ openssh-7.4p1/openbsd-compat/port-linux.c 2016-12-23 12:19:58.590459369 +0100
@@ -101,37 +101,6 @@ ssh_selinux_getctxbyname(char *pwname)
return sc;
}
-/* Set the execution context to the default for the specified user */
-void
-ssh_selinux_setup_exec_context(char *pwname)
-{
- security_context_t user_ctx = NULL;
-
- if (!ssh_selinux_enabled())
- return;
-
- debug3("%s: setting execution context", __func__);
-
- user_ctx = ssh_selinux_getctxbyname(pwname);
- if (setexeccon(user_ctx) != 0) {
- switch (security_getenforce()) {
- case -1:
- fatal("%s: security_getenforce() failed", __func__);
- case 0:
- error("%s: Failed to set SELinux execution "
- "context for %s", __func__, pwname);
- break;
- default:
- fatal("%s: Failed to set SELinux execution context "
- "for %s (in enforcing mode)", __func__, pwname);
- }
- }
- if (user_ctx != NULL)
- freecon(user_ctx);
-
- debug3("%s: done", __func__);
-}
-
/* Set the TTY context for the specified user */
void
ssh_selinux_setup_pty(char *pwname, const char *tty)
@@ -145,7 +114,11 @@ ssh_selinux_setup_pty(char *pwname, cons
debug3("%s: setting TTY context on %s", __func__, tty);
- user_ctx = ssh_selinux_getctxbyname(pwname);
+ if (getexeccon(&user_ctx) != 0) {
+ error("%s: getexeccon: %s", __func__, strerror(errno));
+ goto out;
+ }
+
/* XXX: should these calls fatal() upon failure in enforcing mode? */
diff -up openssh-7.4p1/openbsd-compat/port-linux.h.role-mls openssh-7.4p1/openbsd-compat/port-linux.h
--- openssh-7.4p1/openbsd-compat/port-linux.h.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/openbsd-compat/port-linux.h 2016-12-23 12:19:58.591459365 +0100
@@ -20,9 +20,10 @@
#ifdef WITH_SELINUX
int ssh_selinux_enabled(void);
void ssh_selinux_setup_pty(char *, const char *);
-void ssh_selinux_setup_exec_context(char *);
void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
+
+void sshd_selinux_setup_exec_context(char *);
#endif
#ifdef LINUX_OOM_ADJUST
diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-7.4p1/openbsd-compat/port-linux-sshd.c
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.role-mls 2016-12-23 12:19:58.590459369 +0100
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 12:19:58.590459369 +0100
@@ -0,0 +1,424 @@ @@ -0,0 +1,424 @@
+/* +/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> + * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
@ -807,79 +838,10 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+#endif +#endif
+#endif +#endif
+ +
diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c diff -up openssh-7.4p1/platform.c.role-mls openssh-7.4p1/platform.c
--- openssh/openbsd-compat/port-linux.c.role-mls 2016-07-24 13:50:13.000000000 +0200 --- openssh-7.4p1/platform.c.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh/openbsd-compat/port-linux.c 2016-07-26 12:37:48.796593331 +0200 +++ openssh-7.4p1/platform.c 2016-12-23 12:19:58.591459365 +0100
@@ -103,37 +103,6 @@ ssh_selinux_getctxbyname(char *pwname) @@ -184,7 +184,7 @@ platform_setusercontext_post_groups(stru
return sc;
}
-/* Set the execution context to the default for the specified user */
-void
-ssh_selinux_setup_exec_context(char *pwname)
-{
- security_context_t user_ctx = NULL;
-
- if (!ssh_selinux_enabled())
- return;
-
- debug3("%s: setting execution context", __func__);
-
- user_ctx = ssh_selinux_getctxbyname(pwname);
- if (setexeccon(user_ctx) != 0) {
- switch (security_getenforce()) {
- case -1:
- fatal("%s: security_getenforce() failed", __func__);
- case 0:
- error("%s: Failed to set SELinux execution "
- "context for %s", __func__, pwname);
- break;
- default:
- fatal("%s: Failed to set SELinux execution context "
- "for %s (in enforcing mode)", __func__, pwname);
- }
- }
- if (user_ctx != NULL)
- freecon(user_ctx);
-
- debug3("%s: done", __func__);
-}
-
/* Set the TTY context for the specified user */
void
ssh_selinux_setup_pty(char *pwname, const char *tty)
@@ -147,7 +116,11 @@ ssh_selinux_setup_pty(char *pwname, cons
debug3("%s: setting TTY context on %s", __func__, tty);
- user_ctx = ssh_selinux_getctxbyname(pwname);
+ if (getexeccon(&user_ctx) != 0) {
+ error("%s: getexeccon: %s", __func__, strerror(errno));
+ goto out;
+ }
+
/* XXX: should these calls fatal() upon failure in enforcing mode? */
diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/port-linux.h
--- openssh/openbsd-compat/port-linux.h.role-mls 2016-07-24 13:50:13.000000000 +0200
+++ openssh/openbsd-compat/port-linux.h 2016-07-26 12:37:48.796593331 +0200
@@ -22,9 +22,10 @@
#ifdef WITH_SELINUX
int ssh_selinux_enabled(void);
void ssh_selinux_setup_pty(char *, const char *);
-void ssh_selinux_setup_exec_context(char *);
void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
+
+void sshd_selinux_setup_exec_context(char *);
#endif
#ifdef LINUX_OOM_ADJUST
diff -up openssh/platform.c.role-mls openssh/platform.c
--- openssh/platform.c.role-mls 2016-07-24 13:50:13.000000000 +0200
+++ openssh/platform.c 2016-07-26 12:37:48.796593331 +0200
@@ -186,7 +186,7 @@ platform_setusercontext_post_groups(stru
} }
#endif /* HAVE_SETPCRED */ #endif /* HAVE_SETPCRED */
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
@ -888,10 +850,10 @@ diff -up openssh/platform.c.role-mls openssh/platform.c
#endif #endif
} }
diff -up openssh/sshd.c.role-mls openssh/sshd.c diff -up openssh-7.4p1/sshd.c.role-mls openssh-7.4p1/sshd.c
--- openssh/sshd.c.role-mls 2016-07-24 13:50:13.000000000 +0200 --- openssh-7.4p1/sshd.c.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh/sshd.c 2016-07-26 12:37:48.796593331 +0200 +++ openssh-7.4p1/sshd.c 2016-12-23 12:19:58.591459365 +0100
@@ -2295,6 +2295,9 @@ main(int ac, char **av) @@ -2053,6 +2053,9 @@ main(int ac, char **av)
restore_uid(); restore_uid();
} }
#endif #endif


@ -1,22 +1,7 @@
diff -up openssh-6.8p1/channels.c.coverity openssh-6.8p1/channels.c diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
--- openssh-6.8p1/channels.c.coverity 2015-03-18 17:21:51.815265002 +0100 --- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100
+++ openssh-6.8p1/channels.c 2015-03-18 17:21:51.896264833 +0100 +++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100
@@ -243,11 +243,11 @@ channel_register_fds(Channel *c, int rfd @@ -288,11 +288,11 @@ channel_register_fds(Channel *c, int rfd
channel_max_fd = MAX(channel_max_fd, wfd);
channel_max_fd = MAX(channel_max_fd, efd);
- if (rfd != -1)
+ if (rfd >= 0)
fcntl(rfd, F_SETFD, FD_CLOEXEC);
- if (wfd != -1 && wfd != rfd)
+ if (wfd >= 0 && wfd != rfd)
fcntl(wfd, F_SETFD, FD_CLOEXEC);
- if (efd != -1 && efd != rfd && efd != wfd)
+ if (efd >= 0 && efd != rfd && efd != wfd)
fcntl(efd, F_SETFD, FD_CLOEXEC);
c->rfd = rfd;
@@ -265,11 +265,11 @@ channel_register_fds(Channel *c, int rfd
/* enable nonblocking mode */ /* enable nonblocking mode */
if (nonblock) { if (nonblock) {
@ -31,10 +16,10 @@ diff -up openssh-6.8p1/channels.c.coverity openssh-6.8p1/channels.c
set_nonblock(efd); set_nonblock(efd);
} }
} }
diff -up openssh-6.8p1/monitor.c.coverity openssh-6.8p1/monitor.c diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
--- openssh-6.8p1/monitor.c.coverity 2015-03-18 17:21:51.887264852 +0100 --- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100
+++ openssh-6.8p1/monitor.c 2015-03-18 17:21:51.897264831 +0100 +++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100
@@ -444,7 +444,7 @@ monitor_child_preauth(Authctxt *_authctx @@ -411,7 +411,7 @@ monitor_child_preauth(Authctxt *_authctx
mm_get_keystate(pmonitor); mm_get_keystate(pmonitor);
/* Drain any buffered messages from the child */ /* Drain any buffered messages from the child */
@ -43,10 +28,10 @@ diff -up openssh-6.8p1/monitor.c.coverity openssh-6.8p1/monitor.c
; ;
close(pmonitor->m_sendfd); close(pmonitor->m_sendfd);
diff -up openssh-6.8p1/monitor_wrap.c.coverity openssh-6.8p1/monitor_wrap.c diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
--- openssh-6.8p1/monitor_wrap.c.coverity 2015-03-18 17:21:51.888264849 +0100 --- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100
+++ openssh-6.8p1/monitor_wrap.c 2015-03-18 17:21:51.897264831 +0100 +++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100
@@ -533,10 +533,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, @@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 || if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) { (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
error("%s: cannot allocate fds for pty", __func__); error("%s: cannot allocate fds for pty", __func__);
@ -60,9 +45,9 @@ diff -up openssh-6.8p1/monitor_wrap.c.coverity openssh-6.8p1/monitor_wrap.c
return 0; return 0;
} }
close(tmp1); close(tmp1);
diff -up openssh-6.8p1/openbsd-compat/bindresvport.c.coverity openssh-6.8p1/openbsd-compat/bindresvport.c diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c
--- openssh-6.8p1/openbsd-compat/bindresvport.c.coverity 2015-03-17 06:49:20.000000000 +0100 --- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-6.8p1/openbsd-compat/bindresvport.c 2015-03-18 17:21:51.897264831 +0100 +++ openssh-7.4p1/openbsd-compat/bindresvport.c 2016-12-23 16:40:26.901788691 +0100
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr @@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
struct sockaddr_in6 *in6; struct sockaddr_in6 *in6;
u_int16_t *portp; u_int16_t *portp;
@ -72,10 +57,10 @@ diff -up openssh-6.8p1/openbsd-compat/bindresvport.c.coverity openssh-6.8p1/open
int i; int i;
if (sa == NULL) { if (sa == NULL) {
diff -up openssh-6.8p1/scp.c.coverity openssh-6.8p1/scp.c diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c
--- openssh-6.8p1/scp.c.coverity 2015-03-18 17:21:51.868264891 +0100 --- openssh-7.4p1/scp.c.coverity 2016-12-23 16:40:26.856788681 +0100
+++ openssh-6.8p1/scp.c 2015-03-18 17:21:58.281251460 +0100 +++ openssh-7.4p1/scp.c 2016-12-23 16:40:26.901788691 +0100
@@ -156,7 +156,7 @@ killchild(int signo) @@ -157,7 +157,7 @@ killchild(int signo)
{ {
if (do_cmd_pid > 1) { if (do_cmd_pid > 1) {
kill(do_cmd_pid, signo ? signo : SIGTERM); kill(do_cmd_pid, signo ? signo : SIGTERM);
@ -84,10 +69,10 @@ diff -up openssh-6.8p1/scp.c.coverity openssh-6.8p1/scp.c
} }
if (signo) if (signo)
diff -up openssh-6.8p1/servconf.c.coverity openssh-6.8p1/servconf.c diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
--- openssh-6.8p1/servconf.c.coverity 2015-03-18 17:21:51.893264839 +0100 --- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100
+++ openssh-6.8p1/servconf.c 2015-03-18 17:21:58.281251460 +0100 +++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100
@@ -1475,7 +1475,7 @@ process_server_config_line(ServerOptions @@ -1547,7 +1547,7 @@ process_server_config_line(ServerOptions
fatal("%s line %d: Missing subsystem name.", fatal("%s line %d: Missing subsystem name.",
filename, linenum); filename, linenum);
if (!*activep) { if (!*activep) {
@ -96,7 +81,7 @@ diff -up openssh-6.8p1/servconf.c.coverity openssh-6.8p1/servconf.c
break; break;
} }
for (i = 0; i < options->num_subsystems; i++) for (i = 0; i < options->num_subsystems; i++)
@@ -1566,8 +1566,9 @@ process_server_config_line(ServerOptions @@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions
if (*activep && *charptr == NULL) { if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid()); *charptr = tilde_expand_filename(arg, getuid());
/* increase optional counter */ /* increase optional counter */
@ -108,10 +93,10 @@ diff -up openssh-6.8p1/servconf.c.coverity openssh-6.8p1/servconf.c
} }
break; break;
diff -up openssh-6.8p1/serverloop.c.coverity openssh-6.8p1/serverloop.c diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
--- openssh-6.8p1/serverloop.c.coverity 2015-03-17 06:49:20.000000000 +0100 --- openssh-7.4p1/serverloop.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-6.8p1/serverloop.c 2015-03-18 17:28:45.616436080 +0100 +++ openssh-7.4p1/serverloop.c 2016-12-23 16:40:26.902788691 +0100
@@ -147,13 +147,13 @@ notify_setup(void) @@ -125,13 +125,13 @@ notify_setup(void)
static void static void
notify_parent(void) notify_parent(void)
{ {
@ -127,7 +112,7 @@ diff -up openssh-6.8p1/serverloop.c.coverity openssh-6.8p1/serverloop.c
FD_SET(notify_pipe[0], readset); FD_SET(notify_pipe[0], readset);
} }
static void static void
@@ -161,8 +161,8 @@ notify_done(fd_set *readset) @@ -139,8 +139,8 @@ notify_done(fd_set *readset)
{ {
char c; char c;
@ -138,80 +123,7 @@ diff -up openssh-6.8p1/serverloop.c.coverity openssh-6.8p1/serverloop.c
debug2("notify_done: reading"); debug2("notify_done: reading");
} }
@@ -337,7 +337,7 @@ wait_until_can_do_something(fd_set **rea @@ -518,7 +518,7 @@ server_request_tun(void)
* If we have buffered data, try to write some of that data
* to the program.
*/
- if (fdin != -1 && buffer_len(&stdin_buffer) > 0)
+ if (fdin >= 0 && buffer_len(&stdin_buffer) > 0)
FD_SET(fdin, *writesetp);
}
notify_prepare(*readsetp);
@@ -477,7 +477,7 @@ process_output(fd_set *writeset)
int len;
/* Write buffered data to program stdin. */
- if (!compat20 && fdin != -1 && FD_ISSET(fdin, writeset)) {
+ if (!compat20 && fdin >= 0 && FD_ISSET(fdin, writeset)) {
data = buffer_ptr(&stdin_buffer);
dlen = buffer_len(&stdin_buffer);
len = write(fdin, data, dlen);
@@ -590,7 +590,7 @@ server_loop(pid_t pid, int fdin_arg, int
set_nonblock(fdin);
set_nonblock(fdout);
/* we don't have stderr for interactive terminal sessions, see below */
- if (fderr != -1)
+ if (fderr >= 0)
set_nonblock(fderr);
if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin))
@@ -614,7 +614,7 @@ server_loop(pid_t pid, int fdin_arg, int
max_fd = MAX(connection_in, connection_out);
max_fd = MAX(max_fd, fdin);
max_fd = MAX(max_fd, fdout);
- if (fderr != -1)
+ if (fderr >= 0)
max_fd = MAX(max_fd, fderr);
#endif
@@ -644,7 +644,7 @@ server_loop(pid_t pid, int fdin_arg, int
* If we have received eof, and there is no more pending
* input data, cause a real eof by closing fdin.
*/
- if (stdin_eof && fdin != -1 && buffer_len(&stdin_buffer) == 0) {
+ if (stdin_eof && fdin >= 0 && buffer_len(&stdin_buffer) == 0) {
if (fdin != fdout)
close(fdin);
else
@@ -740,15 +740,15 @@ server_loop(pid_t pid, int fdin_arg, int
buffer_free(&stderr_buffer);
/* Close the file descriptors. */
- if (fdout != -1)
+ if (fdout >= 0)
close(fdout);
fdout = -1;
fdout_eof = 1;
- if (fderr != -1)
+ if (fderr >= 0)
close(fderr);
fderr = -1;
fderr_eof = 1;
- if (fdin != -1)
+ if (fdin >= 0)
close(fdin);
fdin = -1;
@@ -950,7 +950,7 @@ server_input_window_size(int type, u_int
debug("Window change received.");
packet_check_eom();
- if (fdin != -1)
+ if (fdin >= 0)
pty_change_window_size(fdin, row, col, xpixel, ypixel);
return 0;
}
@@ -1043,7 +1043,7 @@ server_request_tun(void)
} }
tun = packet_get_int(); tun = packet_get_int();
@ -220,10 +132,10 @@ diff -up openssh-6.8p1/serverloop.c.coverity openssh-6.8p1/serverloop.c
if (tun != SSH_TUNID_ANY && forced_tun_device != tun) if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
goto done; goto done;
tun = forced_tun_device; tun = forced_tun_device;
diff -up openssh-6.8p1/sftp.c.coverity openssh-6.8p1/sftp.c diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
--- openssh-6.8p1/sftp.c.coverity 2015-03-17 06:49:20.000000000 +0100 --- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-6.8p1/sftp.c 2015-03-18 17:21:58.283251456 +0100 +++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
@@ -223,7 +223,7 @@ killchild(int signo) @@ -224,7 +224,7 @@ killchild(int signo)
{ {
if (sshpid > 1) { if (sshpid > 1) {
kill(sshpid, SIGTERM); kill(sshpid, SIGTERM);
@ -232,10 +144,10 @@ diff -up openssh-6.8p1/sftp.c.coverity openssh-6.8p1/sftp.c
} }
_exit(1); _exit(1);
diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
--- openssh-6.8p1/ssh-agent.c.coverity 2015-03-17 06:49:20.000000000 +0100 --- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-6.8p1/ssh-agent.c 2015-03-18 17:21:58.284251454 +0100 +++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100
@@ -1166,8 +1166,8 @@ main(int ac, char **av) @@ -1220,8 +1220,8 @@ main(int ac, char **av)
sanitise_stdfd(); sanitise_stdfd();
/* drop */ /* drop */
@ -246,10 +158,10 @@ diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c
platform_disable_tracing(0); /* strict=no */ platform_disable_tracing(0); /* strict=no */
diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
--- openssh-6.8p1/sshd.c.coverity 2015-03-18 17:21:51.893264839 +0100 --- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100
+++ openssh-6.8p1/sshd.c 2015-03-18 17:21:58.284251454 +0100 +++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100
@@ -778,8 +778,10 @@ privsep_preauth(Authctxt *authctxt) @@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt)
privsep_preauth_child(); privsep_preauth_child();
setproctitle("%s", "[net]"); setproctitle("%s", "[net]");
@ -261,7 +173,7 @@ diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c
return 0; return 0;
} }
@@ -1518,6 +1520,9 @@ server_accept_loop(int *sock_in, int *so @@ -1386,6 +1388,9 @@ server_accept_loop(int *sock_in, int *so
if (num_listen_socks < 0) if (num_listen_socks < 0)
break; break;
} }
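Review bot: Only half of the cosmetic `!= -1` → `>= 0` rewrite goes away in this rebase: the channels.c FD_CLOEXEC hunk and the serverloop.c fdin/fdout/fderr hunks are dropped (the removed hunks at the top of this section), while the sibling hunks of the same shape are kept — channels.c `@@ -288` around `/* enable nonblocking mode */`, serverloop.c notify_parent()/notify_done() and server_request_tun(), and monitor.c's drain loop — whose replacement lines are collapsed in this rendering, so I infer rather than see that they are the same rewrite. `fd >= 0` and `fd != -1` are equivalent for every descriptor these functions handle, so the surviving hunks change no behaviour, leave the same function using both spellings, and keep a downstream delta that upstream has already declined. Either drop the remaining `>= 0` hunks as well, or add a line to the patch header saying why they are retained. Every function touched here starts outside its visible hunk.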


@ -1,7 +1,7 @@
diff -up openssh/configure.ac.tcp_wrappers openssh/configure.ac diff -up openssh-7.4p1/configure.ac.tcp_wrappers openssh-7.4p1/configure.ac
--- openssh/configure.ac.tcp_wrappers 2015-06-24 11:41:04.519293694 +0200 --- openssh-7.4p1/configure.ac.tcp_wrappers 2016-12-23 15:36:38.745411192 +0100
+++ openssh/configure.ac 2015-06-24 11:41:04.556293600 +0200 +++ openssh-7.4p1/configure.ac 2016-12-23 15:36:38.777411197 +0100
@@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey], @@ -1491,6 +1491,62 @@ AC_ARG_WITH([skey],
] ]
) )
@ -64,7 +64,7 @@ diff -up openssh/configure.ac.tcp_wrappers openssh/configure.ac
# Check whether user wants to use ldns # Check whether user wants to use ldns
LDNS_MSG="no" LDNS_MSG="no"
AC_ARG_WITH(ldns, AC_ARG_WITH(ldns,
@@ -5034,6 +5090,7 @@ echo " KerberosV support @@ -5214,6 +5270,7 @@ echo " KerberosV support
echo " SELinux support: $SELINUX_MSG" echo " SELinux support: $SELINUX_MSG"
echo " Smartcard support: $SCARD_MSG" echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG" echo " S/KEY support: $SKEY_MSG"
@ -72,10 +72,10 @@ diff -up openssh/configure.ac.tcp_wrappers openssh/configure.ac
echo " MD5 password support: $MD5_MSG" echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG" echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG" echo " Solaris process contract support: $SPC_MSG"
diff -up openssh/sshd.8.tcp_wrappers openssh/sshd.8 diff -up openssh-7.4p1/sshd.8.tcp_wrappers openssh-7.4p1/sshd.8
--- openssh/sshd.8.tcp_wrappers 2015-06-24 11:41:04.527293674 +0200 --- openssh-7.4p1/sshd.8.tcp_wrappers 2016-12-23 15:36:38.759411194 +0100
+++ openssh/sshd.8 2015-06-24 11:41:04.556293600 +0200 +++ openssh-7.4p1/sshd.8 2016-12-23 15:36:38.778411197 +0100
@@ -860,6 +860,12 @@ the user's home directory becomes access @@ -836,6 +836,12 @@ the user's home directory becomes access
This file should be writable only by the user, and need not be This file should be writable only by the user, and need not be
readable by anyone else. readable by anyone else.
.Pp .Pp
@ -88,7 +88,7 @@ diff -up openssh/sshd.8.tcp_wrappers openssh/sshd.8
.It Pa /etc/hosts.equiv .It Pa /etc/hosts.equiv
This file is for host-based authentication (see This file is for host-based authentication (see
.Xr ssh 1 ) . .Xr ssh 1 ) .
@@ -983,6 +989,7 @@ IPv6 address can be used everywhere wher @@ -960,6 +966,7 @@ IPv6 address can be used everywhere wher
.Xr ssh-keygen 1 , .Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 , .Xr ssh-keyscan 1 ,
.Xr chroot 2 , .Xr chroot 2 ,
@ -96,10 +96,10 @@ diff -up openssh/sshd.8.tcp_wrappers openssh/sshd.8
.Xr login.conf 5 , .Xr login.conf 5 ,
.Xr moduli 5 , .Xr moduli 5 ,
.Xr sshd_config 5 , .Xr sshd_config 5 ,
diff -up openssh/sshd.c.tcp_wrappers openssh/sshd.c diff -up openssh-7.4p1/sshd.c.tcp_wrappers openssh-7.4p1/sshd.c
--- openssh/sshd.c.tcp_wrappers 2015-06-24 11:41:04.549293618 +0200 --- openssh-7.4p1/sshd.c.tcp_wrappers 2016-12-23 15:36:38.772411196 +0100
+++ openssh/sshd.c 2015-06-24 11:41:53.331169536 +0200 +++ openssh-7.4p1/sshd.c 2016-12-23 15:37:15.032417028 +0100
@@ -125,6 +125,13 @@ @@ -123,6 +123,13 @@
#include "version.h" #include "version.h"
#include "ssherr.h" #include "ssherr.h"
@ -110,10 +110,10 @@ diff -up openssh/sshd.c.tcp_wrappers openssh/sshd.c
+int deny_severity; +int deny_severity;
+#endif /* LIBWRAP */ +#endif /* LIBWRAP */
+ +
#ifndef O_NOCTTY /* Re-exec fds */
#define O_NOCTTY 0 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#endif #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2158,6 +2165,24 @@ main(int ac, char **av) @@ -2012,6 +2019,24 @@ main(int ac, char **av)
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
audit_connection_from(remote_ip, remote_port); audit_connection_from(remote_ip, remote_port);
#endif #endif
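Review bot: `int deny_severity;` (and the `allow_severity` definition beside it) is added to sshd.c without an initializer, so both are zero, which is LOG_EMERG on Linux; libwrap's `refuse()` logs `"refused connect from %s"` at `deny_severity`, so a wrapper-denied connection would be reported at emergency level and, with common syslog/journald defaults, broadcast to every logged-in terminal. Initialize them as tcpd's examples do, `int allow_severity = LOG_INFO;` and `int deny_severity = LOG_WARNING;`, which only needs `<syslog.h>` in the same `#ifdef LIBWRAP` block. The main() hunk that does the hosts_access() check is collapsed in this rendering, so I cannot confirm it calls refuse() rather than logging on its own; if it never uses these variables the point is hygienic only.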


@ -1,8 +1,7 @@
diff --git a/servconf.c b/servconf.c diff -up openssh-7.4p1/servconf.c.memory openssh-7.4p1/servconf.c
index ad5869b..0255ed3 100644 --- openssh-7.4p1/servconf.c.memory 2016-12-23 15:37:48.181422360 +0100
--- a/servconf.c +++ openssh-7.4p1/servconf.c 2016-12-23 15:38:30.189429116 +0100
+++ b/servconf.c @@ -2006,6 +2006,8 @@ copy_set_server_options(ServerOptions *d
@@ -1910,6 +1910,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
dst->n = src->n; \ dst->n = src->n; \
} while (0) } while (0)
@ -10,8 +9,8 @@ index ad5869b..0255ed3 100644
+ +
M_CP_INTOPT(password_authentication); M_CP_INTOPT(password_authentication);
M_CP_INTOPT(gss_authentication); M_CP_INTOPT(gss_authentication);
M_CP_INTOPT(rsa_authentication); M_CP_INTOPT(pubkey_authentication);
@@ -1947,8 +1949,10 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) @@ -2058,8 +2060,10 @@ copy_set_server_options(ServerOptions *d
} while(0) } while(0)
#define M_CP_STRARRAYOPT(n, num_n) do {\ #define M_CP_STRARRAYOPT(n, num_n) do {\
if (src->num_n != 0) { \ if (src->num_n != 0) { \


@ -1,23 +1,7 @@
From e1d58c44bd911e5ee4dddb6205e16eb9a03cc736 Mon Sep 17 00:00:00 2001 diff -up openssh-7.4p1/clientloop.c.fingerprint openssh-7.4p1/clientloop.c
From: Jakub Jelen <jjelen@redhat.com> --- openssh-7.4p1/clientloop.c.fingerprint 2016-12-23 15:38:50.520432387 +0100
Date: Fri, 7 Aug 2015 10:18:54 +0200 +++ openssh-7.4p1/clientloop.c 2016-12-23 15:38:50.564432394 +0100
Subject: [PATCH] Possibility tu specify more fingerprint algorithms on client @@ -2279,7 +2279,7 @@ update_known_hosts(struct hostkeys_updat
side for smother transition
---
clientloop.c | 8 ++++----
readconf.c | 43 +++++++++++++++++++++++++++++--------------
readconf.h | 4 +++-
ssh_config.5 | 4 ++--
sshconnect.c | 48 +++++++++++++++++++++++++++---------------------
sshconnect2.c | 6 +++---
6 files changed, 68 insertions(+), 45 deletions(-)
diff --git a/clientloop.c b/clientloop.c
index 87ceb3d..4553114 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -2194,7 +2194,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
if (ctx->keys_seen[i] != 2) if (ctx->keys_seen[i] != 2)
continue; continue;
if ((fp = sshkey_fingerprint(ctx->keys[i], if ((fp = sshkey_fingerprint(ctx->keys[i],
@ -26,7 +10,7 @@ index 87ceb3d..4553114 100644
fatal("%s: sshkey_fingerprint failed", __func__); fatal("%s: sshkey_fingerprint failed", __func__);
do_log2(loglevel, "Learned new hostkey: %s %s", do_log2(loglevel, "Learned new hostkey: %s %s",
sshkey_type(ctx->keys[i]), fp); sshkey_type(ctx->keys[i]), fp);
@@ -2202,7 +2202,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx) @@ -2287,7 +2287,7 @@ update_known_hosts(struct hostkeys_updat
} }
for (i = 0; i < ctx->nold; i++) { for (i = 0; i < ctx->nold; i++) {
if ((fp = sshkey_fingerprint(ctx->old_keys[i], if ((fp = sshkey_fingerprint(ctx->old_keys[i],
@ -35,7 +19,7 @@ index 87ceb3d..4553114 100644
fatal("%s: sshkey_fingerprint failed", __func__); fatal("%s: sshkey_fingerprint failed", __func__);
do_log2(loglevel, "Deprecating obsolete hostkey: %s %s", do_log2(loglevel, "Deprecating obsolete hostkey: %s %s",
sshkey_type(ctx->old_keys[i]), fp); sshkey_type(ctx->old_keys[i]), fp);
@@ -2245,7 +2245,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx) @@ -2330,7 +2330,7 @@ update_known_hosts(struct hostkeys_updat
(r = hostfile_replace_entries(options.user_hostfiles[0], (r = hostfile_replace_entries(options.user_hostfiles[0],
ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys, ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys,
options.hash_known_hosts, 0, options.hash_known_hosts, 0,
@ -44,7 +28,7 @@ index 87ceb3d..4553114 100644
error("%s: hostfile_replace_entries failed: %s", error("%s: hostfile_replace_entries failed: %s",
__func__, ssh_err(r)); __func__, ssh_err(r));
} }
@@ -2358,7 +2358,7 @@ client_input_hostkeys(void) @@ -2443,7 +2443,7 @@ client_input_hostkeys(void)
error("%s: parse key: %s", __func__, ssh_err(r)); error("%s: parse key: %s", __func__, ssh_err(r));
goto out; goto out;
} }
@ -53,11 +37,10 @@ index 87ceb3d..4553114 100644
SSH_FP_DEFAULT); SSH_FP_DEFAULT);
debug3("%s: received %s key %s", __func__, debug3("%s: received %s key %s", __func__,
sshkey_type(key), fp); sshkey_type(key), fp);
diff --git a/readconf.c b/readconf.c diff -up openssh-7.4p1/readconf.c.fingerprint openssh-7.4p1/readconf.c
index 1d03bdf..6af4c62 100644 --- openssh-7.4p1/readconf.c.fingerprint 2016-12-23 15:38:50.559432393 +0100
--- a/readconf.c +++ openssh-7.4p1/readconf.c 2016-12-23 15:38:50.565432394 +0100
+++ b/readconf.c @@ -1668,16 +1668,18 @@ parse_keytypes:
@@ -1471,16 +1471,18 @@ parse_keytypes:
goto parse_string; goto parse_string;
case oFingerprintHash: case oFingerprintHash:
@ -86,7 +69,7 @@ index 1d03bdf..6af4c62 100644
break; break;
case oUpdateHostkeys: case oUpdateHostkeys:
@@ -1673,7 +1675,7 @@ initialize_options(Options * options) @@ -1905,7 +1907,7 @@ initialize_options(Options * options)
options->canonicalize_fallback_local = -1; options->canonicalize_fallback_local = -1;
options->canonicalize_hostname = -1; options->canonicalize_hostname = -1;
options->revoked_host_keys = NULL; options->revoked_host_keys = NULL;
@ -95,7 +78,7 @@ index 1d03bdf..6af4c62 100644
options->update_hostkeys = -1; options->update_hostkeys = -1;
options->hostbased_key_types = NULL; options->hostbased_key_types = NULL;
options->pubkey_key_types = NULL; options->pubkey_key_types = NULL;
@@ -1851,8 +1853,10 @@ fill_default_options(Options * options) @@ -2102,8 +2104,10 @@ fill_default_options(Options * options)
options->canonicalize_fallback_local = 1; options->canonicalize_fallback_local = 1;
if (options->canonicalize_hostname == -1) if (options->canonicalize_hostname == -1)
options->canonicalize_hostname = SSH_CANONICALISE_NO; options->canonicalize_hostname = SSH_CANONICALISE_NO;
@ -108,7 +91,7 @@ index 1d03bdf..6af4c62 100644
if (options->update_hostkeys == -1) if (options->update_hostkeys == -1)
options->update_hostkeys = 0; options->update_hostkeys = 0;
if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 || if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
@@ -2189,6 +2193,17 @@ dump_cfg_strarray(OpCodes code, u_int count, char **vals) @@ -2489,6 +2493,17 @@ dump_cfg_strarray(OpCodes code, u_int co
} }
static void static void
@ -126,7 +109,7 @@ index 1d03bdf..6af4c62 100644
dump_cfg_strarray_oneline(OpCodes code, u_int count, char **vals) dump_cfg_strarray_oneline(OpCodes code, u_int count, char **vals)
{ {
u_int i; u_int i;
@@ -2259,7 +2274,6 @@ dump_client_config(Options *o, const char *host) @@ -2564,7 +2579,6 @@ dump_client_config(Options *o, const cha
dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign); dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign);
dump_cfg_fmtint(oClearAllForwardings, o->clear_forwardings); dump_cfg_fmtint(oClearAllForwardings, o->clear_forwardings);
dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure); dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
@ -134,7 +117,7 @@ index 1d03bdf..6af4c62 100644
dump_cfg_fmtint(oForwardAgent, o->forward_agent); dump_cfg_fmtint(oForwardAgent, o->forward_agent);
dump_cfg_fmtint(oForwardX11, o->forward_x11); dump_cfg_fmtint(oForwardX11, o->forward_x11);
dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted); dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted);
@@ -2328,6 +2342,7 @@ dump_client_config(Options *o, const char *host) @@ -2634,6 +2648,7 @@ dump_client_config(Options *o, const cha
dump_cfg_strarray_oneline(oGlobalKnownHostsFile, o->num_system_hostfiles, o->system_hostfiles); dump_cfg_strarray_oneline(oGlobalKnownHostsFile, o->num_system_hostfiles, o->system_hostfiles);
dump_cfg_strarray_oneline(oUserKnownHostsFile, o->num_user_hostfiles, o->user_hostfiles); dump_cfg_strarray_oneline(oUserKnownHostsFile, o->num_user_hostfiles, o->user_hostfiles);
dump_cfg_strarray(oSendEnv, o->num_send_env, o->send_env); dump_cfg_strarray(oSendEnv, o->num_send_env, o->send_env);
@ -142,10 +125,9 @@ index 1d03bdf..6af4c62 100644
/* Special cases */ /* Special cases */
diff --git a/readconf.h b/readconf.h diff -up openssh-7.4p1/readconf.h.fingerprint openssh-7.4p1/readconf.h
index bb2d552..d817f92 100644 --- openssh-7.4p1/readconf.h.fingerprint 2016-12-23 15:38:50.559432393 +0100
--- a/readconf.h +++ openssh-7.4p1/readconf.h 2016-12-23 15:38:50.565432394 +0100
+++ b/readconf.h
@@ -21,6 +21,7 @@ @@ -21,6 +21,7 @@
#define MAX_SEND_ENV 256 #define MAX_SEND_ENV 256
#define SSH_MAX_HOSTS_FILES 32 #define SSH_MAX_HOSTS_FILES 32
@ -154,7 +136,7 @@ index bb2d552..d817f92 100644
#define PATH_MAX_SUN (sizeof((struct sockaddr_un *)0)->sun_path) #define PATH_MAX_SUN (sizeof((struct sockaddr_un *)0)->sun_path)
struct allowed_cname { struct allowed_cname {
@@ -146,7 +147,8 @@ typedef struct { @@ -162,7 +163,8 @@ typedef struct {
char *revoked_host_keys; char *revoked_host_keys;
@ -164,31 +146,60 @@ index bb2d552..d817f92 100644
int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */ int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
diff --git a/ssh_config.5 b/ssh_config.5 diff -up openssh-7.4p1/ssh_config.5.fingerprint openssh-7.4p1/ssh_config.5
index 5b0975f..e8e6458 100644 --- openssh-7.4p1/ssh_config.5.fingerprint 2016-12-23 15:38:50.565432394 +0100
--- a/ssh_config.5 +++ openssh-7.4p1/ssh_config.5 2016-12-23 15:40:03.754444166 +0100
+++ b/ssh_config.5 @@ -652,12 +652,13 @@ or
@@ -647,13 +647,13 @@ or .Cm no
The default is (the default).
.Dq no .
.It Cm FingerprintHash .It Cm FingerprintHash
-Specifies the hash algorithm used when displaying key fingerprints. -Specifies the hash algorithm used when displaying key fingerprints.
+Specifies the hash algorithms used when displaying key fingerprints. +Specifies the hash algorithms used when displaying key fingerprints.
Valid options are: Valid options are:
.Dq md5 .Cm md5
and and
.Dq sha256 . -.Cm sha256
The default is -(the default).
-.Dq sha256 . +.Cm sha256 .
+.Dq "sha256 md5". +The default is
+.Cm "sha256 md5".
.It Cm ForwardAgent .It Cm ForwardAgent
Specifies whether the connection to the authentication agent (if any) Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote machine. will be forwarded to the remote machine.
diff --git a/sshconnect.c b/sshconnect.c diff -up openssh-7.4p1/sshconnect2.c.fingerprint openssh-7.4p1/sshconnect2.c
index f41960c..e12932f 100644 --- openssh-7.4p1/sshconnect2.c.fingerprint 2016-12-23 15:38:50.561432394 +0100
--- a/sshconnect.c +++ openssh-7.4p1/sshconnect2.c 2016-12-23 15:38:50.566432394 +0100
+++ b/sshconnect.c @@ -677,7 +677,7 @@ input_userauth_pk_ok(int type, u_int32_t
@@ -920,9 +920,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, key->type, pktype);
goto done;
}
- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
SSH_FP_DEFAULT)) == NULL)
goto done;
debug2("input_userauth_pk_ok: fp %s", fp);
@@ -1172,7 +1172,7 @@ sign_and_send_pubkey(Authctxt *authctxt,
int matched, ret = -1, have_sig = 1;
char *fp;
- if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
+ if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash[0],
SSH_FP_DEFAULT)) == NULL)
return 0;
debug3("%s: %s %s", __func__, key_type(id->key), fp);
@@ -1864,7 +1864,7 @@ userauth_hostbased(Authctxt *authctxt)
goto out;
}
- if ((fp = sshkey_fingerprint(private, options.fingerprint_hash,
+ if ((fp = sshkey_fingerprint(private, options.fingerprint_hash[0],
SSH_FP_DEFAULT)) == NULL) {
error("%s: sshkey_fingerprint failed", __func__);
goto out;
diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c
--- openssh-7.4p1/sshconnect.c.fingerprint 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sshconnect.c 2016-12-23 15:38:50.566432394 +0100
@@ -922,9 +922,9 @@ check_host_key(char *hostname, struct so
"of known hosts.", type, ip); "of known hosts.", type, ip);
} else if (options.visual_host_key) { } else if (options.visual_host_key) {
fp = sshkey_fingerprint(host_key, fp = sshkey_fingerprint(host_key,
@ -200,7 +211,7 @@ index f41960c..e12932f 100644
if (fp == NULL || ra == NULL) if (fp == NULL || ra == NULL)
fatal("%s: sshkey_fingerprint fail", __func__); fatal("%s: sshkey_fingerprint fail", __func__);
logit("Host key fingerprint is %s\n%s", fp, ra); logit("Host key fingerprint is %s\n%s", fp, ra);
@@ -964,12 +964,6 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, @@ -966,12 +966,6 @@ check_host_key(char *hostname, struct so
else else
snprintf(msg1, sizeof(msg1), "."); snprintf(msg1, sizeof(msg1), ".");
/* The default */ /* The default */
@ -213,14 +224,14 @@ index f41960c..e12932f 100644
msg2[0] = '\0'; msg2[0] = '\0';
if (options.verify_host_key_dns) { if (options.verify_host_key_dns) {
if (matching_host_key_dns) if (matching_host_key_dns)
@@ -983,16 +977,28 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, @@ -985,16 +979,28 @@ check_host_key(char *hostname, struct so
} }
snprintf(msg, sizeof(msg), snprintf(msg, sizeof(msg),
"The authenticity of host '%.200s (%s)' can't be " "The authenticity of host '%.200s (%s)' can't be "
- "established%s\n" - "established%s\n"
- "%s key fingerprint is %s.%s%s\n%s" - "%s key fingerprint is %s.%s%s\n%s"
+ "established%s\n", host, ip, msg1); + "established%s\n", host, ip, msg1);
+ for (i = 0; i < options.num_fingerprint_hash; i++) { + for (i = 0; i < (u_int) options.num_fingerprint_hash; i++) {
+ fp = sshkey_fingerprint(host_key, + fp = sshkey_fingerprint(host_key,
+ options.fingerprint_hash[i], SSH_FP_DEFAULT); + options.fingerprint_hash[i], SSH_FP_DEFAULT);
+ ra = sshkey_fingerprint(host_key, + ra = sshkey_fingerprint(host_key,
@ -251,7 +262,7 @@ index f41960c..e12932f 100644
if (!confirm(msg)) if (!confirm(msg))
goto fail; goto fail;
hostkey_trusted = 1; /* user explicitly confirmed */ hostkey_trusted = 1; /* user explicitly confirmed */
@@ -1241,7 +1247,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) @@ -1244,7 +1250,7 @@ verify_host_key(char *host, struct socka
struct sshkey *plain = NULL; struct sshkey *plain = NULL;
if ((fp = sshkey_fingerprint(host_key, if ((fp = sshkey_fingerprint(host_key,
@ -260,7 +271,16 @@ index f41960c..e12932f 100644
error("%s: fingerprint host key: %s", __func__, ssh_err(r)); error("%s: fingerprint host key: %s", __func__, ssh_err(r));
r = -1; r = -1;
goto out; goto out;
@@ -1405,9 +1411,9 @@ show_other_keys(struct hostkeys *hostkeys, Key *key) @@ -1252,7 +1258,7 @@ verify_host_key(char *host, struct socka
if (sshkey_is_cert(host_key)) {
if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
error("%s: fingerprint CA key: %s",
__func__, ssh_err(r));
r = -1;
@@ -1432,9 +1438,9 @@ show_other_keys(struct hostkeys *hostkey
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found)) if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
continue; continue;
fp = sshkey_fingerprint(found->key, fp = sshkey_fingerprint(found->key,
@ -272,7 +292,7 @@ index f41960c..e12932f 100644
if (fp == NULL || ra == NULL) if (fp == NULL || ra == NULL)
fatal("%s: sshkey_fingerprint fail", __func__); fatal("%s: sshkey_fingerprint fail", __func__);
logit("WARNING: %s key found for host %s\n" logit("WARNING: %s key found for host %s\n"
@@ -1430,7 +1436,7 @@ warn_changed_key(Key *host_key) @@ -1457,7 +1463,7 @@ warn_changed_key(Key *host_key)
{ {
char *fp; char *fp;
@ -281,42 +301,10 @@ index f41960c..e12932f 100644
SSH_FP_DEFAULT); SSH_FP_DEFAULT);
if (fp == NULL) if (fp == NULL)
fatal("%s: sshkey_fingerprint fail", __func__); fatal("%s: sshkey_fingerprint fail", __func__);
diff --git a/sshconnect2.c b/sshconnect2.c diff -up openssh-7.4p1/ssh-keysign.c.fingerprint openssh-7.4p1/ssh-keysign.c
index 7751031..82ed92e 100644 --- openssh-7.4p1/ssh-keysign.c.fingerprint 2016-12-19 05:59:41.000000000 +0100
--- a/sshconnect2.c +++ openssh-7.4p1/ssh-keysign.c 2016-12-23 15:38:50.566432394 +0100
+++ b/sshconnect2.c @@ -285,7 +285,7 @@ main(int argc, char **argv)
@@ -589,7 +589,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
key->type, pktype);
goto done;
}
- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
SSH_FP_DEFAULT)) == NULL)
goto done;
debug2("input_userauth_pk_ok: fp %s", fp);
@@ -1009,7 +1009,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
int matched, ret = -1, have_sig = 1;
char *fp;
- if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
+ if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash[0],
SSH_FP_DEFAULT)) == NULL)
return 0;
debug3("%s: %s %s", __func__, key_type(id->key), fp);
@@ -1635,7 +1635,7 @@ userauth_hostbased(Authctxt *authctxt)
goto out;
}
- if ((fp = sshkey_fingerprint(private, options.fingerprint_hash,
+ if ((fp = sshkey_fingerprint(private, options.fingerprint_hash[0],
SSH_FP_DEFAULT)) == NULL) {
error("%s: sshkey_fingerprint failed", __func__);
goto out;
diff --git a/ssh-keysign.c b/ssh-keysign.c
index 1dca3e2..23bff7d 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -275,7 +275,7 @@ main(int argc, char **argv)
} }
} }
if (!found) { if (!found) {
@ -325,21 +313,3 @@ index 1dca3e2..23bff7d 100644
SSH_FP_DEFAULT)) == NULL) SSH_FP_DEFAULT)) == NULL)
fatal("%s: sshkey_fingerprint failed", __progname); fatal("%s: sshkey_fingerprint failed", __progname);
fatal("no matching hostkey found for key %s %s", fatal("no matching hostkey found for key %s %s",
--
2.1.0
diff --git a/sshconnect.c b/sshconnect.c
index de7ace6..f16e606 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1262,7 +1262,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
if (sshkey_is_cert(host_key)) {
if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
error("%s: fingerprint CA key: %s",
__func__, ssh_err(r));
r = -1;
@ -1,7 +1,7 @@
diff -up openssh-7.1p1/ssh_config.5.gss-docs openssh-7.1p1/ssh_config.5 diff -up openssh-7.4p1/ssh_config.5.gss-docs openssh-7.4p1/ssh_config.5
--- openssh-7.1p1/ssh_config.5.gss-docs 2015-12-10 15:28:47.451966457 +0100 --- openssh-7.4p1/ssh_config.5.gss-docs 2016-12-23 14:28:34.051714486 +0100
+++ openssh-7.1p1/ssh_config.5 2015-12-10 15:30:28.070738047 +0100 +++ openssh-7.4p1/ssh_config.5 2016-12-23 14:34:24.568522417 +0100
@@ -773,15 +773,26 @@ Note that this option applies to protoco @@ -765,10 +765,19 @@ The default is
If set to If set to
.Dq yes .Dq yes
then renewal of the client's GSSAPI credentials will force the rekeying of the then renewal of the client's GSSAPI credentials will force the rekeying of the
@ -19,6 +19,11 @@ diff -up openssh-7.1p1/ssh_config.5.gss-docs openssh-7.1p1/ssh_config.5
+For this to work +For this to work
+.Cm GSSAPIKeyExchange +.Cm GSSAPIKeyExchange
+needs to be enabled in the server and also used by the client. +needs to be enabled in the server and also used by the client.
.It Cm GSSAPIServerIdentity
If set, specifies the GSSAPI server identity that ssh should expect when
connecting to the server. The default is unset, which means that the
@@ -776,9 +785,11 @@ expected GSSAPI server identity will be
hostname.
.It Cm GSSAPITrustDns .It Cm GSSAPITrustDns
Set to Set to
-.Dq yes to indicate that the DNS is trusted to securely canonicalize -.Dq yes to indicate that the DNS is trusted to securely canonicalize
@ -31,10 +36,10 @@ diff -up openssh-7.1p1/ssh_config.5.gss-docs openssh-7.1p1/ssh_config.5
command line will be passed untouched to the GSSAPI library. command line will be passed untouched to the GSSAPI library.
The default is The default is
.Dq no . .Dq no .
diff -up openssh-7.1p1/sshd_config.5.gss-docs openssh-7.1p1/sshd_config.5 diff -up openssh-7.4p1/sshd_config.5.gss-docs openssh-7.4p1/sshd_config.5
--- openssh-7.1p1/sshd_config.5.gss-docs 2015-12-10 15:28:47.453966452 +0100 --- openssh-7.4p1/sshd_config.5.gss-docs 2016-12-23 14:28:34.043714490 +0100
+++ openssh-7.1p1/sshd_config.5 2015-12-10 15:28:47.461966434 +0100 +++ openssh-7.4p1/sshd_config.5 2016-12-23 14:28:34.051714486 +0100
@@ -653,6 +653,10 @@ Controls whether the user's GSSAPI crede @@ -652,6 +652,10 @@ Controls whether the user's GSSAPI crede
successful connection rekeying. This option can be used to accepted renewed successful connection rekeying. This option can be used to accepted renewed
or updated credentials from a compatible client. The default is or updated credentials from a compatible client. The default is
.Dq no . .Dq no .
@ -1,7 +1,7 @@
diff -up openssh-7.3p1/monitor_wrap.c.audit-race openssh-7.3p1/monitor_wrap.c diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
--- openssh-7.3p1/monitor_wrap.c.audit-race 2016-12-15 14:27:22.376603747 +0100 --- openssh-7.4p1/monitor_wrap.c.audit-race 2016-12-23 16:35:52.694685771 +0100
+++ openssh-7.3p1/monitor_wrap.c 2016-12-15 14:27:22.381603742 +0100 +++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:35:52.697685772 +0100
@@ -1256,4 +1256,48 @@ mm_audit_destroy_sensitive_data(const ch @@ -1107,4 +1107,48 @@ mm_audit_destroy_sensitive_data(const ch
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
buffer_free(&m); buffer_free(&m);
} }
@ -50,10 +50,10 @@ diff -up openssh-7.3p1/monitor_wrap.c.audit-race openssh-7.3p1/monitor_wrap.c
+ pmonitor->m_recvfd = fd; + pmonitor->m_recvfd = fd;
+} +}
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff -up openssh-7.3p1/monitor_wrap.h.audit-race openssh-7.3p1/monitor_wrap.h diff -up openssh-7.4p1/monitor_wrap.h.audit-race openssh-7.4p1/monitor_wrap.h
--- openssh-7.3p1/monitor_wrap.h.audit-race 2016-12-15 14:27:22.376603747 +0100 --- openssh-7.4p1/monitor_wrap.h.audit-race 2016-12-23 16:35:52.694685771 +0100
+++ openssh-7.3p1/monitor_wrap.h 2016-12-15 14:27:22.381603742 +0100 +++ openssh-7.4p1/monitor_wrap.h 2016-12-23 16:35:52.698685772 +0100
@@ -88,6 +88,8 @@ void mm_audit_unsupported_body(int); @@ -83,6 +83,8 @@ void mm_audit_unsupported_body(int);
void mm_audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t); void mm_audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t);
void mm_audit_session_key_free_body(int, pid_t, uid_t); void mm_audit_session_key_free_body(int, pid_t, uid_t);
void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t); void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t);
@ -62,10 +62,10 @@ diff -up openssh-7.3p1/monitor_wrap.h.audit-race openssh-7.3p1/monitor_wrap.h
#endif #endif
struct Session; struct Session;
diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
--- openssh-7.3p1/session.c.audit-race 2016-12-15 14:27:22.378603745 +0100 --- openssh-7.4p1/session.c.audit-race 2016-12-23 16:35:52.695685771 +0100
+++ openssh-7.3p1/session.c 2016-12-15 14:27:22.382603741 +0100 +++ openssh-7.4p1/session.c 2016-12-23 16:37:26.339730596 +0100
@@ -164,6 +164,10 @@ static Session *sessions = NULL; @@ -162,6 +162,10 @@ static Session *sessions = NULL;
login_cap_t *lc; login_cap_t *lc;
#endif #endif
@ -76,8 +76,8 @@ diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
static int is_child = 0; static int is_child = 0;
static int in_chroot = 0; static int in_chroot = 0;
static int have_dev_log = 1; static int have_dev_log = 1;
@@ -457,6 +457,8 @@ do_authenticated1(Authctxt *authctxt) @@ -289,6 +293,8 @@ xauth_valid_string(const char *s)
} return 1;
} }
+void child_destory_sensitive_data(); +void child_destory_sensitive_data();
@ -85,7 +85,7 @@ diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
#define USE_PIPES 1 #define USE_PIPES 1
/* /*
* This is called to fork and execute a command when we have no tty. This * This is called to fork and execute a command when we have no tty. This
@@ -588,6 +592,8 @@ do_exec_no_pty(Session *s, const char *c @@ -424,6 +430,8 @@ do_exec_no_pty(Session *s, const char *c
cray_init_job(s->pw); /* set up cray jid and tmpdir */ cray_init_job(s->pw); /* set up cray jid and tmpdir */
#endif #endif
@ -94,7 +94,7 @@ diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
/* Do processing for the child (exec command etc). */ /* Do processing for the child (exec command etc). */
do_child(s, command); do_child(s, command);
/* NOTREACHED */ /* NOTREACHED */
@@ -722,6 +728,9 @@ do_exec_pty(Session *s, const char *comm @@ -547,6 +555,9 @@ do_exec_pty(Session *s, const char *comm
/* Close the extra descriptor for the pseudo tty. */ /* Close the extra descriptor for the pseudo tty. */
close(ttyfd); close(ttyfd);
@ -102,9 +102,9 @@ diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
+ child_destory_sensitive_data(); + child_destory_sensitive_data();
+ +
/* record login, etc. similar to login(1) */ /* record login, etc. similar to login(1) */
#ifndef HAVE_OSF_SIA #ifdef _UNICOS
if (!(options.use_login && command == NULL)) { cray_init_job(s->pw); /* set up cray jid and tmpdir */
@@ -903,6 +912,8 @@ do_exec(Session *s, const char *command) @@ -717,6 +728,8 @@ do_exec(Session *s, const char *command)
} }
if (s->command != NULL && s->ptyfd == -1) if (s->command != NULL && s->ptyfd == -1)
s->command_handle = PRIVSEP(audit_run_command(s->command)); s->command_handle = PRIVSEP(audit_run_command(s->command));
@ -113,7 +113,7 @@ diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
#endif #endif
if (s->ttyfd != -1) if (s->ttyfd != -1)
ret = do_exec_pty(s, command); ret = do_exec_pty(s, command);
@@ -918,6 +929,20 @@ do_exec(Session *s, const char *command) @@ -732,6 +745,20 @@ do_exec(Session *s, const char *command)
*/ */
buffer_clear(&loginmsg); buffer_clear(&loginmsg);
@ -134,7 +134,7 @@ diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
return ret; return ret;
} }
@@ -1751,6 +1776,33 @@ child_close_fds(void) @@ -1538,6 +1565,33 @@ child_close_fds(void)
endpwent(); endpwent();
} }
@ -168,7 +168,7 @@ diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
/* /*
* Performs common processing for the child, such as setting up the * Performs common processing for the child, such as setting up the
* environment, closing extra file descriptors, setting the user and group * environment, closing extra file descriptors, setting the user and group
@@ -1768,12 +1820,6 @@ do_child(Session *s, const char *command @@ -1554,12 +1608,6 @@ do_child(Session *s, const char *command
struct passwd *pw = s->pw; struct passwd *pw = s->pw;
int r = 0; int r = 0;

@ -1,6 +1,6 @@
diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c diff -up openssh-7.4p1/cipher.c.fips openssh-7.4p1/cipher.c
--- openssh-7.2p1/cipher.c.fips 2016-02-12 18:53:56.083665235 +0100 --- openssh-7.4p1/cipher.c.fips 2016-12-23 16:37:49.290741582 +0100
+++ openssh-7.2p1/cipher.c 2016-02-12 18:53:56.090665235 +0100 +++ openssh-7.4p1/cipher.c 2016-12-23 16:37:49.300741586 +0100
@@ -39,6 +39,8 @@ @@ -39,6 +39,8 @@
#include <sys/types.h> #include <sys/types.h>
@ -10,7 +10,7 @@ diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
#include <string.h> #include <string.h>
#include <stdarg.h> #include <stdarg.h>
#include <stdio.h> #include <stdio.h>
@@ -99,6 +101,26 @@ static const struct sshcipher ciphers[] @@ -116,6 +118,20 @@ static const struct sshcipher ciphers[]
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
}; };
@ -25,19 +25,13 @@ diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr }, + { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr }, + { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr }, + { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
+#ifdef OPENSSL_HAVE_EVPGCM
+ { "aes128-gcm@openssh.com",
+ SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
+ { "aes256-gcm@openssh.com",
+ SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
+#endif
+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } + { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
+}; +};
+ +
/*--*/ /*--*/
/* Returns a comma-separated list of supported ciphers. */ /* Returns a comma-separated list of supported ciphers. */
@@ -109,7 +131,7 @@ cipher_alg_list(char sep, int auth_only) @@ -126,7 +142,7 @@ cipher_alg_list(char sep, int auth_only)
size_t nlen, rlen = 0; size_t nlen, rlen = 0;
const struct sshcipher *c; const struct sshcipher *c;
@ -46,7 +40,7 @@ diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
if (c->number != SSH_CIPHER_SSH2) if (c->number != SSH_CIPHER_SSH2)
continue; continue;
if (auth_only && c->auth_len == 0) if (auth_only && c->auth_len == 0)
@@ -193,7 +215,7 @@ const struct sshcipher * @@ -222,7 +238,7 @@ const struct sshcipher *
cipher_by_name(const char *name) cipher_by_name(const char *name)
{ {
const struct sshcipher *c; const struct sshcipher *c;
@ -55,7 +49,7 @@ diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
if (strcmp(c->name, name) == 0) if (strcmp(c->name, name) == 0)
return c; return c;
return NULL; return NULL;
@@ -203,7 +225,7 @@ const struct sshcipher * @@ -232,7 +248,7 @@ const struct sshcipher *
cipher_by_number(int id) cipher_by_number(int id)
{ {
const struct sshcipher *c; const struct sshcipher *c;
@ -64,7 +58,7 @@ diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
if (c->number == id) if (c->number == id)
return c; return c;
return NULL; return NULL;
@@ -244,7 +266,7 @@ cipher_number(const char *name) @@ -273,7 +289,7 @@ cipher_number(const char *name)
const struct sshcipher *c; const struct sshcipher *c;
if (name == NULL) if (name == NULL)
return -1; return -1;
@ -73,9 +67,9 @@ diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
if (strcasecmp(c->name, name) == 0) if (strcasecmp(c->name, name) == 0)
return c->number; return c->number;
return -1; return -1;
diff -up openssh-7.2p1/cipher-ctr.c.fips openssh-7.2p1/cipher-ctr.c diff -up openssh-7.4p1/cipher-ctr.c.fips openssh-7.4p1/cipher-ctr.c
--- openssh-7.2p1/cipher-ctr.c.fips 2016-02-12 18:53:56.013665228 +0100 --- openssh-7.4p1/cipher-ctr.c.fips 2016-12-23 16:37:49.225741551 +0100
+++ openssh-7.2p1/cipher-ctr.c 2016-02-12 18:53:56.090665235 +0100 +++ openssh-7.4p1/cipher-ctr.c 2016-12-23 16:37:49.297741585 +0100
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void) @@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr; aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP #ifndef SSH_OLD_EVP
@ -86,10 +80,10 @@ diff -up openssh-7.2p1/cipher-ctr.c.fips openssh-7.2p1/cipher-ctr.c
#endif #endif
return (&aes_ctr); return (&aes_ctr);
} }
diff -up openssh-7.2p1/dh.h.fips openssh-7.2p1/dh.h diff -up openssh-7.4p1/dh.h.fips openssh-7.4p1/dh.h
--- openssh-7.2p1/dh.h.fips 2016-02-12 18:53:56.090665235 +0100 --- openssh-7.4p1/dh.h.fips 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.2p1/dh.h 2016-02-12 18:54:48.425670204 +0100 +++ openssh-7.4p1/dh.h 2016-12-23 16:37:49.297741585 +0100
@@ -49,6 +49,7 @@ u_int dh_estimate(int); @@ -51,6 +51,7 @@ u_int dh_estimate(int);
* Miniumum increased in light of DH precomputation attacks. * Miniumum increased in light of DH precomputation attacks.
*/ */
#define DH_GRP_MIN 2048 #define DH_GRP_MIN 2048
@ -97,9 +91,9 @@ diff -up openssh-7.2p1/dh.h.fips openssh-7.2p1/dh.h
#define DH_GRP_MAX 8192 #define DH_GRP_MAX 8192
/* /*
diff -up openssh-7.2p1/entropy.c.fips openssh-7.2p1/entropy.c diff -up openssh-7.4p1/entropy.c.fips openssh-7.4p1/entropy.c
--- openssh-7.2p1/entropy.c.fips 2016-02-12 18:53:56.005665227 +0100 --- openssh-7.4p1/entropy.c.fips 2016-12-23 16:37:49.219741548 +0100
+++ openssh-7.2p1/entropy.c 2016-02-12 18:53:56.091665235 +0100 +++ openssh-7.4p1/entropy.c 2016-12-23 16:37:49.297741585 +0100
@@ -217,6 +217,9 @@ seed_rng(void) @@ -217,6 +217,9 @@ seed_rng(void)
fatal("OpenSSL version mismatch. Built against %lx, you " fatal("OpenSSL version mismatch. Built against %lx, you "
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay()); "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
@ -110,9 +104,9 @@ diff -up openssh-7.2p1/entropy.c.fips openssh-7.2p1/entropy.c
#ifndef OPENSSL_PRNG_ONLY #ifndef OPENSSL_PRNG_ONLY
if (RAND_status() == 1) { if (RAND_status() == 1) {
debug3("RNG is ready, skipping seeding"); debug3("RNG is ready, skipping seeding");
diff -up openssh-7.2p1/kex.c.fips openssh-7.2p1/kex.c diff -up openssh-7.4p1/kex.c.fips openssh-7.4p1/kex.c
--- openssh-7.2p1/kex.c.fips 2016-02-12 18:53:56.084665234 +0100 --- openssh-7.4p1/kex.c.fips 2016-12-23 16:37:49.290741582 +0100
+++ openssh-7.2p1/kex.c 2016-02-12 18:53:56.091665235 +0100 +++ openssh-7.4p1/kex.c 2016-12-23 16:37:49.300741586 +0100
@@ -35,6 +35,7 @@ @@ -35,6 +35,7 @@
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
#include <openssl/crypto.h> #include <openssl/crypto.h>
@ -121,13 +115,11 @@ diff -up openssh-7.2p1/kex.c.fips openssh-7.2p1/kex.c
#endif #endif
#include "ssh2.h" #include "ssh2.h"
@@ -121,6 +122,25 @@ static const struct kexalg kexalgs[] = { @@ -125,6 +126,23 @@ static const struct kexalg kexalgs[] = {
{ NULL, -1, -1, -1}, { NULL, -1, -1, -1},
}; };
+static const struct kexalg kexalgs_fips[] = { +static const struct kexalg kexalgs_fips[] = {
+ { KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
+ { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
+#ifdef HAVE_EVP_SHA256 +#ifdef HAVE_EVP_SHA256
+ { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 }, + { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
+#endif +#endif
@ -147,7 +139,7 @@ diff -up openssh-7.2p1/kex.c.fips openssh-7.2p1/kex.c
char * char *
kex_alg_list(char sep) kex_alg_list(char sep)
{ {
@@ -148,7 +168,7 @@ kex_alg_by_name(const char *name) @@ -152,7 +170,7 @@ kex_alg_by_name(const char *name)
{ {
const struct kexalg *k; const struct kexalg *k;
@ -156,7 +148,7 @@ diff -up openssh-7.2p1/kex.c.fips openssh-7.2p1/kex.c
if (strcmp(k->name, name) == 0) if (strcmp(k->name, name) == 0)
return k; return k;
#ifdef GSSAPI #ifdef GSSAPI
@@ -174,7 +194,10 @@ kex_names_valid(const char *names) @@ -178,7 +196,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0'; for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) { (p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) { if (kex_alg_by_name(p) == NULL) {
@ -168,17 +160,17 @@ diff -up openssh-7.2p1/kex.c.fips openssh-7.2p1/kex.c
free(s); free(s);
return 0; return 0;
} }
diff -up openssh-7.2p1/kexgexc.c.fips openssh-7.2p1/kexgexc.c diff -up openssh-7.4p1/kexgexc.c.fips openssh-7.4p1/kexgexc.c
--- openssh-7.2p1/kexgexc.c.fips 2016-02-12 11:47:25.000000000 +0100 --- openssh-7.4p1/kexgexc.c.fips 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.2p1/kexgexc.c 2016-02-12 18:53:56.091665235 +0100 +++ openssh-7.4p1/kexgexc.c 2016-12-23 16:38:38.727763540 +0100
@@ -28,6 +28,7 @@ @@ -28,6 +28,7 @@
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
+#include <openssl/fips.h> +#include <openssl/fips.h>
#include <sys/param.h>
#include <sys/types.h> #include <sys/types.h>
#include <openssl/dh.h>
@@ -63,7 +64,7 @@ kexgex_client(struct ssh *ssh) @@ -63,7 +64,7 @@ kexgex_client(struct ssh *ssh)
nbits = dh_estimate(kex->dh_need * 8); nbits = dh_estimate(kex->dh_need * 8);
@ -188,24 +180,24 @@ diff -up openssh-7.2p1/kexgexc.c.fips openssh-7.2p1/kexgexc.c
kex->max = DH_GRP_MAX; kex->max = DH_GRP_MAX;
kex->nbits = nbits; kex->nbits = nbits;
if (datafellows & SSH_BUG_DHGEX_LARGE) if (datafellows & SSH_BUG_DHGEX_LARGE)
diff -up openssh-7.2p1/kexgexs.c.fips openssh-7.2p1/kexgexs.c diff -up openssh-7.4p1/kexgexs.c.fips openssh-7.4p1/kexgexs.c
--- openssh-7.2p1/kexgexs.c.fips 2016-02-12 11:47:25.000000000 +0100 --- openssh-7.4p1/kexgexs.c.fips 2016-12-23 16:37:49.297741585 +0100
+++ openssh-7.2p1/kexgexs.c 2016-02-12 18:53:56.091665235 +0100 +++ openssh-7.4p1/kexgexs.c 2016-12-23 16:39:35.009776626 +0100
@@ -83,9 +83,9 @@ input_kex_dh_gex_request(int type, u_int @@ -83,9 +83,9 @@ input_kex_dh_gex_request(int type, u_int
kex->nbits = nbits; kex->nbits = nbits;
kex->min = min; kex->min = min;
kex->max = max; kex->max = max;
- min = MAX(DH_GRP_MIN, min); - min = MAXIMUM(DH_GRP_MIN, min);
+ min = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min); + min = MAXIMUM(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);
max = MIN(DH_GRP_MAX, max); max = MINIMUM(DH_GRP_MAX, max);
- nbits = MAX(DH_GRP_MIN, nbits); - nbits = MAXIMUM(DH_GRP_MIN, nbits);
+ nbits = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, nbits); + nbits = MAXIMUM(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, nbits);
nbits = MIN(DH_GRP_MAX, nbits); nbits = MINIMUM(DH_GRP_MAX, nbits);
if (kex->max < kex->min || kex->nbits < kex->min || if (kex->max < kex->min || kex->nbits < kex->min ||
diff -up openssh-7.2p1/mac.c.fips openssh-7.2p1/mac.c diff -up openssh-7.4p1/mac.c.fips openssh-7.4p1/mac.c
--- openssh-7.2p1/mac.c.fips 2016-02-12 18:53:56.084665234 +0100 --- openssh-7.4p1/mac.c.fips 2016-12-23 16:37:49.291741582 +0100
+++ openssh-7.2p1/mac.c 2016-02-12 18:53:56.091665235 +0100 +++ openssh-7.4p1/mac.c 2016-12-23 16:37:49.298741585 +0100
@@ -27,6 +27,8 @@ @@ -27,6 +27,8 @@
#include <sys/types.h> #include <sys/types.h>
@ -224,7 +216,7 @@ diff -up openssh-7.2p1/mac.c.fips openssh-7.2p1/mac.c
/* Encrypt-and-MAC (encrypt-and-authenticate) variants */ /* Encrypt-and-MAC (encrypt-and-authenticate) variants */
{ "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 }, { "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
{ "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 }, { "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
@@ -85,6 +87,24 @@ static const struct macalg macs[] = { @@ -89,6 +91,24 @@ static const struct macalg macs[] = {
{ NULL, 0, 0, 0, 0, 0, 0 } { NULL, 0, 0, 0, 0, 0, 0 }
}; };
@ -249,7 +241,7 @@ diff -up openssh-7.2p1/mac.c.fips openssh-7.2p1/mac.c
/* Returns a list of supported MACs separated by the specified char. */ /* Returns a list of supported MACs separated by the specified char. */
char * char *
mac_alg_list(char sep) mac_alg_list(char sep)
@@ -93,7 +113,7 @@ mac_alg_list(char sep) @@ -97,7 +117,7 @@ mac_alg_list(char sep)
size_t nlen, rlen = 0; size_t nlen, rlen = 0;
const struct macalg *m; const struct macalg *m;
@ -258,7 +250,7 @@ diff -up openssh-7.2p1/mac.c.fips openssh-7.2p1/mac.c
if (ret != NULL) if (ret != NULL)
ret[rlen++] = sep; ret[rlen++] = sep;
nlen = strlen(m->name); nlen = strlen(m->name);
@@ -132,7 +152,7 @@ mac_setup(struct sshmac *mac, char *name @@ -136,7 +156,7 @@ mac_setup(struct sshmac *mac, char *name
{ {
const struct macalg *m; const struct macalg *m;
@ -267,10 +259,10 @@ diff -up openssh-7.2p1/mac.c.fips openssh-7.2p1/mac.c
if (strcmp(name, m->name) != 0) if (strcmp(name, m->name) != 0)
continue; continue;
if (mac != NULL) if (mac != NULL)
diff -up openssh-7.2p1/Makefile.in.fips openssh-7.2p1/Makefile.in diff -up openssh-7.4p1/Makefile.in.fips openssh-7.4p1/Makefile.in
--- openssh-7.2p1/Makefile.in.fips 2016-02-12 18:53:56.085665235 +0100 --- openssh-7.4p1/Makefile.in.fips 2016-12-23 16:37:49.291741582 +0100
+++ openssh-7.2p1/Makefile.in 2016-02-12 18:53:56.092665235 +0100 +++ openssh-7.4p1/Makefile.in 2016-12-23 16:37:49.298741585 +0100
@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS) @@ -169,25 +169,25 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@ $(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@ -302,7 +294,7 @@ diff -up openssh-7.2p1/Makefile.in.fips openssh-7.2p1/Makefile.in
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -204,7 +204,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a @@ -205,7 +205,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
$(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
@ -311,18 +303,16 @@ diff -up openssh-7.2p1/Makefile.in.fips openssh-7.2p1/Makefile.in
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-7.2p1/myproposal.h.fips openssh-7.2p1/myproposal.h diff -up openssh-7.4p1/myproposal.h.fips openssh-7.4p1/myproposal.h
--- openssh-7.2p1/myproposal.h.fips 2016-02-12 18:53:56.092665235 +0100 --- openssh-7.4p1/myproposal.h.fips 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.2p1/myproposal.h 2016-02-12 18:55:42.137675304 +0100 +++ openssh-7.4p1/myproposal.h 2016-12-23 16:37:49.300741586 +0100
@@ -129,6 +129,28 @@ @@ -138,6 +138,26 @@
#define KEX_CLIENT_MAC KEX_SERVER_MAC #define KEX_CLIENT_MAC KEX_SERVER_MAC
+#define KEX_DEFAULT_KEX_FIPS \ +#define KEX_DEFAULT_KEX_FIPS \
+ KEX_ECDH_METHODS \ + KEX_ECDH_METHODS \
+ KEX_SHA2_METHODS \ + KEX_SHA2_METHODS
+ "diffie-hellman-group-exchange-sha1," \
+ "diffie-hellman-group14-sha1"
+#define KEX_FIPS_ENCRYPT \ +#define KEX_FIPS_ENCRYPT \
+ "aes128-ctr,aes192-ctr,aes256-ctr," \ + "aes128-ctr,aes192-ctr,aes256-ctr," \
+ "aes128-cbc,3des-cbc," \ + "aes128-cbc,3des-cbc," \
@ -343,10 +333,31 @@ diff -up openssh-7.2p1/myproposal.h.fips openssh-7.2p1/myproposal.h
#else /* WITH_OPENSSL */ #else /* WITH_OPENSSL */
#define KEX_SERVER_KEX \ #define KEX_SERVER_KEX \
diff -up openssh-7.2p1/readconf.c.fips openssh-7.2p1/readconf.c diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c.fips openssh-7.4p1/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c
--- openssh-7.2p1/readconf.c.fips 2016-02-12 18:53:56.073665234 +0100 --- openssh-7.4p1/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c.fips 2016-12-23 16:37:49.185741531 +0100
+++ openssh-7.2p1/readconf.c 2016-02-12 18:53:56.092665235 +0100 +++ openssh-7.4p1/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c 2016-12-23 16:37:49.300741586 +0100
@@ -1969,9 +1969,12 @@ fill_default_options(Options * options) @@ -55,6 +55,7 @@
#include "secure_filename.h"
#include "uidswap.h"
#include <unistd.h>
+#include <openssl/crypto.h>
#include "identity.h"
@@ -104,7 +105,8 @@ pamsshagentauth_check_authkeys_file(FILE
found_key = 1;
logit("matching key found: file/command %s, line %lu", file,
linenum);
- fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
+ fp = sshkey_fingerprint(found, FIPS_mode() ? SSH_DIGEST_SHA1 : SSH_DIGEST_MD5,
+ SSH_FP_HEX);
logit("Found matching %s key: %s",
key_type(found), fp);
free(fp);
diff -up openssh-7.4p1/readconf.c.fips openssh-7.4p1/readconf.c
--- openssh-7.4p1/readconf.c.fips 2016-12-23 16:37:49.274741574 +0100
+++ openssh-7.4p1/readconf.c 2016-12-23 16:37:49.298741585 +0100
@@ -2110,9 +2110,12 @@ fill_default_options(Options * options)
} }
if (options->update_hostkeys == -1) if (options->update_hostkeys == -1)
options->update_hostkeys = 0; options->update_hostkeys = 0;
@ -362,10 +373,23 @@ diff -up openssh-7.2p1/readconf.c.fips openssh-7.2p1/readconf.c
kex_assemble_names(KEX_DEFAULT_PK_ALG, kex_assemble_names(KEX_DEFAULT_PK_ALG,
&options->hostbased_key_types) != 0 || &options->hostbased_key_types) != 0 ||
kex_assemble_names(KEX_DEFAULT_PK_ALG, kex_assemble_names(KEX_DEFAULT_PK_ALG,
diff -up openssh-7.2p1/servconf.c.fips openssh-7.2p1/servconf.c diff -up openssh-7.4p1/sandbox-seccomp-filter.c.fips openssh-7.4p1/sandbox-seccomp-filter.c
--- openssh-7.2p1/servconf.c.fips 2016-02-12 18:53:56.068665233 +0100 --- openssh-7.4p1/sandbox-seccomp-filter.c.fips 2016-12-23 16:37:49.292741583 +0100
+++ openssh-7.2p1/servconf.c 2016-02-12 18:56:52.185681954 +0100 +++ openssh-7.4p1/sandbox-seccomp-filter.c 2016-12-23 16:37:49.300741586 +0100
@@ -188,9 +188,12 @@ option_clear_or_none(const char *o) @@ -118,6 +118,9 @@ static const struct sock_filter preauth_
#ifdef __NR_open
SC_DENY(open, EACCES),
#endif
+#ifdef __NR_socket
+ SC_DENY(socket, EACCES),
+#endif
#ifdef __NR_openat
SC_DENY(openat, EACCES),
#endif
diff -up openssh-7.4p1/servconf.c.fips openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.fips 2016-12-23 16:37:49.285741579 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 16:37:49.299741586 +0100
@@ -185,9 +185,12 @@ option_clear_or_none(const char *o)
static void static void
assemble_algorithms(ServerOptions *o) assemble_algorithms(ServerOptions *o)
{ {
@ -381,7 +405,7 @@ diff -up openssh-7.2p1/servconf.c.fips openssh-7.2p1/servconf.c
kex_assemble_names(KEX_DEFAULT_PK_ALG, kex_assemble_names(KEX_DEFAULT_PK_ALG,
&o->hostkeyalgorithms) != 0 || &o->hostkeyalgorithms) != 0 ||
kex_assemble_names(KEX_DEFAULT_PK_ALG, kex_assemble_names(KEX_DEFAULT_PK_ALG,
@@ -2376,8 +2379,10 @@ dump_config(ServerOptions *o) @@ -2390,8 +2393,10 @@ dump_config(ServerOptions *o)
/* string arguments */ /* string arguments */
dump_cfg_string(sPidFile, o->pid_file); dump_cfg_string(sPidFile, o->pid_file);
dump_cfg_string(sXAuthLocation, o->xauth_location); dump_cfg_string(sXAuthLocation, o->xauth_location);
@ -394,7 +418,7 @@ diff -up openssh-7.2p1/servconf.c.fips openssh-7.2p1/servconf.c
dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none"); dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
dump_cfg_string(sForceCommand, o->adm_forced_command); dump_cfg_string(sForceCommand, o->adm_forced_command);
dump_cfg_string(sChrootDirectory, o->chroot_directory); dump_cfg_string(sChrootDirectory, o->chroot_directory);
@@ -2392,8 +2397,8 @@ dump_config(ServerOptions *o) @@ -2406,8 +2411,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command); dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user); dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
dump_cfg_string(sHostKeyAgent, o->host_key_agent); dump_cfg_string(sHostKeyAgent, o->host_key_agent);
@ -405,10 +429,10 @@ diff -up openssh-7.2p1/servconf.c.fips openssh-7.2p1/servconf.c
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ? dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
o->hostbased_key_types : KEX_DEFAULT_PK_ALG); o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ? dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c diff -up openssh-7.4p1/ssh.c.fips openssh-7.4p1/ssh.c
--- openssh-7.2p1/ssh.c.fips 2016-02-12 11:47:25.000000000 +0100 --- openssh-7.4p1/ssh.c.fips 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.2p1/ssh.c 2016-02-12 18:53:56.093665236 +0100 +++ openssh-7.4p1/ssh.c 2016-12-23 16:37:49.299741586 +0100
@@ -75,6 +75,8 @@ @@ -76,6 +76,8 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
#endif #endif
@ -417,7 +441,7 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
@@ -531,6 +533,14 @@ main(int ac, char **av) @@ -530,6 +532,14 @@ main(int ac, char **av)
sanitise_stdfd(); sanitise_stdfd();
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
@ -432,7 +456,7 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
#ifndef HAVE_SETPROCTITLE #ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */ /* Prepare for later setproctitle emulation */
@@ -608,6 +618,9 @@ main(int ac, char **av) @@ -609,6 +619,9 @@ main(int ac, char **av)
"ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) { switch (opt) {
case '1': case '1':
@ -442,7 +466,7 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
options.protocol = SSH_PROTO_1; options.protocol = SSH_PROTO_1;
break; break;
case '2': case '2':
@@ -952,7 +965,6 @@ main(int ac, char **av) @@ -964,7 +977,6 @@ main(int ac, char **av)
host_arg = xstrdup(host); host_arg = xstrdup(host);
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
@ -450,7 +474,7 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
ERR_load_crypto_strings(); ERR_load_crypto_strings();
#endif #endif
@@ -1126,6 +1138,10 @@ main(int ac, char **av) @@ -1175,6 +1187,10 @@ main(int ac, char **av)
seed_rng(); seed_rng();
@ -461,7 +485,7 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
if (options.user == NULL) if (options.user == NULL)
options.user = xstrdup(pw->pw_name); options.user = xstrdup(pw->pw_name);
@@ -1206,6 +1222,12 @@ main(int ac, char **av) @@ -1263,6 +1279,12 @@ main(int ac, char **av)
timeout_ms = options.connection_timeout * 1000; timeout_ms = options.connection_timeout * 1000;
@ -474,9 +498,9 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
/* Open a connection to the remote host. */ /* Open a connection to the remote host. */
if (ssh_connect(host, addrs, &hostaddr, options.port, if (ssh_connect(host, addrs, &hostaddr, options.port,
options.address_family, options.connection_attempts, options.address_family, options.connection_attempts,
diff -up openssh-7.2p1/sshconnect2.c.fips openssh-7.2p1/sshconnect2.c diff -up openssh-7.4p1/sshconnect2.c.fips openssh-7.4p1/sshconnect2.c
--- openssh-7.2p1/sshconnect2.c.fips 2016-02-12 18:53:56.074665234 +0100 --- openssh-7.4p1/sshconnect2.c.fips 2016-12-23 16:37:49.275741574 +0100
+++ openssh-7.2p1/sshconnect2.c 2016-02-12 18:53:56.094665236 +0100 +++ openssh-7.4p1/sshconnect2.c 2016-12-23 16:37:49.299741586 +0100
@@ -44,6 +44,8 @@ @@ -44,6 +44,8 @@
#include <vis.h> #include <vis.h>
#endif #endif
@ -486,7 +510,7 @@ diff -up openssh-7.2p1/sshconnect2.c.fips openssh-7.2p1/sshconnect2.c
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
#include "xmalloc.h" #include "xmalloc.h"
@@ -171,21 +173,26 @@ ssh_kex2(char *host, struct sockaddr *ho @@ -172,21 +174,26 @@ ssh_kex2(char *host, struct sockaddr *ho
#ifdef GSSAPI #ifdef GSSAPI
if (options.gss_keyex) { if (options.gss_keyex) {
@ -528,9 +552,9 @@ diff -up openssh-7.2p1/sshconnect2.c.fips openssh-7.2p1/sshconnect2.c
} }
} }
#endif #endif
diff -up openssh-7.2p1/sshd.c.fips openssh-7.2p1/sshd.c diff -up openssh-7.4p1/sshd.c.fips openssh-7.4p1/sshd.c
--- openssh-7.2p1/sshd.c.fips 2016-02-12 18:53:56.088665235 +0100 --- openssh-7.4p1/sshd.c.fips 2016-12-23 16:37:49.293741583 +0100
+++ openssh-7.2p1/sshd.c 2016-02-12 18:53:56.094665236 +0100 +++ openssh-7.4p1/sshd.c 2016-12-23 16:37:49.299741586 +0100
@@ -66,6 +66,7 @@ @@ -66,6 +66,7 @@
#include <grp.h> #include <grp.h>
#include <pwd.h> #include <pwd.h>
@ -548,7 +572,7 @@ diff -up openssh-7.2p1/sshd.c.fips openssh-7.2p1/sshd.c
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#endif #endif
@@ -1555,6 +1558,18 @@ main(int ac, char **av) @@ -1475,6 +1478,18 @@ main(int ac, char **av)
#endif #endif
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
@ -567,7 +591,7 @@ diff -up openssh-7.2p1/sshd.c.fips openssh-7.2p1/sshd.c
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac; saved_argc = ac;
rexec_argc = ac; rexec_argc = ac;
@@ -1707,7 +1722,7 @@ main(int ac, char **av) @@ -1623,7 +1638,7 @@ main(int ac, char **av)
else else
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
@ -576,18 +600,7 @@ diff -up openssh-7.2p1/sshd.c.fips openssh-7.2p1/sshd.c
OpenSSL_add_all_algorithms(); OpenSSL_add_all_algorithms();
#endif #endif
@@ -1906,6 +1921,10 @@ main(int ac, char **av) @@ -1937,6 +1952,10 @@ main(int ac, char **av)
sshkey_type(pubkey) : sshkey_ssh_name(pubkey), fp);
free(fp);
}
+ if ((options.protocol & SSH_PROTO_1) && FIPS_mode()) {
+ logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
+ options.protocol &= ~SSH_PROTO_1;
+ }
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
@@ -2074,6 +2093,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */ /* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr); log_init(__progname, options.log_level, options.log_facility, log_stderr);
@ -598,7 +611,7 @@ diff -up openssh-7.2p1/sshd.c.fips openssh-7.2p1/sshd.c
/* Chdir to the root directory so that the current disk can be /* Chdir to the root directory so that the current disk can be
unmounted if desired. */ unmounted if desired. */
if (chdir("/") == -1) if (chdir("/") == -1)
@@ -2695,10 +2718,14 @@ do_ssh2_kex(void) @@ -2309,10 +2328,14 @@ do_ssh2_kex(void)
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
orig = NULL; orig = NULL;
@ -617,10 +630,10 @@ diff -up openssh-7.2p1/sshd.c.fips openssh-7.2p1/sshd.c
if (gss && orig) if (gss && orig)
xasprintf(&newstr, "%s,%s", gss, orig); xasprintf(&newstr, "%s,%s", gss, orig);
diff -up openssh-7.2p1/sshkey.c.fips openssh-7.2p1/sshkey.c diff -up openssh-7.4p1/sshkey.c.fips openssh-7.4p1/sshkey.c
--- openssh-7.2p1/sshkey.c.fips 2016-02-12 18:53:56.089665235 +0100 --- openssh-7.4p1/sshkey.c.fips 2016-12-23 16:37:49.293741583 +0100
+++ openssh-7.2p1/sshkey.c 2016-02-12 18:53:56.095665236 +0100 +++ openssh-7.4p1/sshkey.c 2016-12-23 16:37:49.300741586 +0100
@@ -35,6 +35,7 @@ @@ -34,6 +34,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
#include <openssl/pem.h> #include <openssl/pem.h>
@ -628,7 +641,7 @@ diff -up openssh-7.2p1/sshkey.c.fips openssh-7.2p1/sshkey.c
#endif #endif
#include "crypto_api.h" #include "crypto_api.h"
@@ -58,6 +58,7 @@ @@ -56,6 +57,7 @@
#include "digest.h" #include "digest.h"
#define SSHKEY_INTERNAL #define SSHKEY_INTERNAL
#include "sshkey.h" #include "sshkey.h"
@ -636,7 +649,7 @@ diff -up openssh-7.2p1/sshkey.c.fips openssh-7.2p1/sshkey.c
#include "match.h" #include "match.h"
#include "xmalloc.h" #include "xmalloc.h"
@@ -1554,6 +1555,8 @@ rsa_generate_private_key(u_int bits, RSA @@ -1580,6 +1582,8 @@ rsa_generate_private_key(u_int bits, RSA
} }
if (!BN_set_word(f4, RSA_F4) || if (!BN_set_word(f4, RSA_F4) ||
!RSA_generate_key_ex(private, bits, f4, NULL)) { !RSA_generate_key_ex(private, bits, f4, NULL)) {
@ -645,85 +658,3 @@ diff -up openssh-7.2p1/sshkey.c.fips openssh-7.2p1/sshkey.c
ret = SSH_ERR_LIBCRYPTO_ERROR; ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out; goto out;
} }
diff --git a/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c b/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c
index 688b1b1..a3c1541 100644
--- a/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c
+++ b/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c
@@ -55,6 +55,7 @@
#include "secure_filename.h"
#include "uidswap.h"
#include <unistd.h>
+#include <openssl/crypto.h>
#include "identity.h"
@@ -104,7 +105,8 @@ pamsshagentauth_check_authkeys_file(FILE * f, char *file, Key * key)
found_key = 1;
logit("matching key found: file/command %s, line %lu", file,
linenum);
- fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
+ fp = sshkey_fingerprint(found, FIPS_mode() ? SSH_DIGEST_SHA1 : SSH_DIGEST_MD5,
+ SSH_FP_HEX);
logit("Found matching %s key: %s",
key_type(found), fp);
free(fp);
diff --git a/cipher.c b/cipher.c
index f282907..51bbffb 100644
--- a/cipher.c
+++ b/cipher.c
@@ -112,12 +112,6 @@ static const struct sshcipher fips_ciphers[] = {
{ "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
{ "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
{ "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
-#ifdef OPENSSL_HAVE_EVPGCM
- { "aes128-gcm@openssh.com",
- SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
- { "aes256-gcm@openssh.com",
- SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
-#endif
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
};
diff --git a/kex.c b/kex.c
index f07a636..4ce5843 100644
--- a/kex.c
+++ b/kex.c
@@ -123,8 +123,6 @@ static const struct kexalg kexalgs[] = {
};
static const struct kexalg kexalgs_fips[] = {
- { KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
- { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
#ifdef HAVE_EVP_SHA256
{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
#endif
diff --git a/myproposal.h b/myproposal.h
index 7efe312..bcf2ae1 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -131,9 +131,7 @@
#define KEX_DEFAULT_KEX_FIPS \
KEX_ECDH_METHODS \
- KEX_SHA2_METHODS \
- "diffie-hellman-group-exchange-sha1," \
- "diffie-hellman-group14-sha1"
+ KEX_SHA2_METHODS
#define KEX_FIPS_ENCRYPT \
"aes128-ctr,aes192-ctr,aes256-ctr," \
"aes128-cbc,3des-cbc," \
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index a3975eb..5224084 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -112,6 +112,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_open
SC_DENY(open, EACCES),
#endif
+#ifdef __NR_socket
+ SC_DENY(socket, EACCES),
+#endif
#ifdef __NR_openat
SC_DENY(openat, EACCES),
#endif


@ -1,6 +1,6 @@
diff -up openssh-7.2p1/auth2.c.gsskex openssh-7.2p1/auth2.c diff -up openssh-7.4p1/auth2.c.gsskex openssh-7.4p1/auth2.c
--- openssh-7.2p1/auth2.c.gsskex 2016-02-19 10:01:04.829969345 +0100 --- openssh-7.4p1/auth2.c.gsskex 2016-12-23 13:38:53.685300997 +0100
+++ openssh-7.2p1/auth2.c 2016-02-19 10:01:04.865969325 +0100 +++ openssh-7.4p1/auth2.c 2016-12-23 13:38:53.725301005 +0100
@@ -70,6 +70,7 @@ extern Authmethod method_passwd; @@ -70,6 +70,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint; extern Authmethod method_kbdint;
extern Authmethod method_hostbased; extern Authmethod method_hostbased;
@ -17,9 +17,9 @@ diff -up openssh-7.2p1/auth2.c.gsskex openssh-7.2p1/auth2.c
&method_gssapi, &method_gssapi,
#endif #endif
&method_passwd, &method_passwd,
diff -up openssh-7.2p1/auth2-gss.c.gsskex openssh-7.2p1/auth2-gss.c diff -up openssh-7.4p1/auth2-gss.c.gsskex openssh-7.4p1/auth2-gss.c
--- openssh-7.2p1/auth2-gss.c.gsskex 2016-02-19 10:01:04.829969345 +0100 --- openssh-7.4p1/auth2-gss.c.gsskex 2016-12-23 13:38:53.685300997 +0100
+++ openssh-7.2p1/auth2-gss.c 2016-02-19 10:01:04.865969325 +0100 +++ openssh-7.4p1/auth2-gss.c 2016-12-23 13:38:53.725301005 +0100
@@ -31,6 +31,7 @@ @@ -31,6 +31,7 @@
#include <sys/types.h> #include <sys/types.h>
@ -102,21 +102,10 @@ diff -up openssh-7.2p1/auth2-gss.c.gsskex openssh-7.2p1/auth2-gss.c
Authmethod method_gssapi = { Authmethod method_gssapi = {
"gssapi-with-mic", "gssapi-with-mic",
userauth_gssapi, userauth_gssapi,
diff -up openssh-7.2p1/auth.c.gsskex openssh-7.2p1/auth.c diff -up openssh-7.4p1/clientloop.c.gsskex openssh-7.4p1/clientloop.c
--- openssh-7.2p1/auth.c.gsskex 2016-02-12 11:47:25.000000000 +0100 --- openssh-7.4p1/clientloop.c.gsskex 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.2p1/auth.c 2016-02-19 10:01:04.866969324 +0100 +++ openssh-7.4p1/clientloop.c 2016-12-23 13:38:53.725301005 +0100
@@ -354,6 +354,7 @@ auth_root_allowed(const char *method) @@ -113,6 +113,10 @@
case PERMIT_NO_PASSWD:
if (strcmp(method, "publickey") == 0 ||
strcmp(method, "hostbased") == 0 ||
+ strcmp(method, "gssapi-keyex") == 0 ||
strcmp(method, "gssapi-with-mic") == 0)
return 1;
break;
diff -up openssh-7.2p1/clientloop.c.gsskex openssh-7.2p1/clientloop.c
--- openssh-7.2p1/clientloop.c.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.2p1/clientloop.c 2016-02-19 10:01:04.866969324 +0100
@@ -114,6 +114,10 @@
#include "ssherr.h" #include "ssherr.h"
#include "hostfile.h" #include "hostfile.h"
@ -127,7 +116,7 @@ diff -up openssh-7.2p1/clientloop.c.gsskex openssh-7.2p1/clientloop.c
/* import options */ /* import options */
extern Options options; extern Options options;
@@ -1662,9 +1666,18 @@ client_loop(int have_pty, int escape_cha @@ -1664,9 +1668,18 @@ client_loop(int have_pty, int escape_cha
break; break;
/* Do channel operations unless rekeying in progress. */ /* Do channel operations unless rekeying in progress. */
@ -137,7 +126,7 @@ diff -up openssh-7.2p1/clientloop.c.gsskex openssh-7.2p1/clientloop.c
+#ifdef GSSAPI +#ifdef GSSAPI
+ if (options.gss_renewal_rekey && + if (options.gss_renewal_rekey &&
+ ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)) { + ssh_gssapi_credentials_updated(NULL)) {
+ debug("credentials updated - forcing rekey"); + debug("credentials updated - forcing rekey");
+ need_rekeying = 1; + need_rekeying = 1;
+ } + }
@ -147,10 +136,10 @@ diff -up openssh-7.2p1/clientloop.c.gsskex openssh-7.2p1/clientloop.c
/* Buffer input from the connection. */ /* Buffer input from the connection. */
client_process_net_input(readset); client_process_net_input(readset);
diff -up openssh-7.2p1/configure.ac.gsskex openssh-7.2p1/configure.ac diff -up openssh-7.4p1/configure.ac.gsskex openssh-7.4p1/configure.ac
--- openssh-7.2p1/configure.ac.gsskex 2016-02-19 10:01:04.857969329 +0100 --- openssh-7.4p1/configure.ac.gsskex 2016-12-23 13:38:53.716301003 +0100
+++ openssh-7.2p1/configure.ac 2016-02-19 10:01:04.867969323 +0100 +++ openssh-7.4p1/configure.ac 2016-12-23 13:38:53.726301005 +0100
@@ -632,6 +632,30 @@ main() { if (NSVersionOfRunTimeLibrary(" @@ -623,6 +623,30 @@ main() { if (NSVersionOfRunTimeLibrary("
[Use tunnel device compatibility to OpenBSD]) [Use tunnel device compatibility to OpenBSD])
AC_DEFINE([SSH_TUN_PREPEND_AF], [1], AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
[Prepend the address family to IP tunnel traffic]) [Prepend the address family to IP tunnel traffic])
@ -181,10 +170,10 @@ diff -up openssh-7.2p1/configure.ac.gsskex openssh-7.2p1/configure.ac
m4_pattern_allow([AU_IPv]) m4_pattern_allow([AU_IPv])
AC_CHECK_DECL([AU_IPv4], [], AC_CHECK_DECL([AU_IPv4], [],
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c diff -up openssh-7.4p1/gss-genr.c.gsskex openssh-7.4p1/gss-genr.c
--- openssh-7.2p1/gss-genr.c.gsskex 2016-02-12 11:47:25.000000000 +0100 --- openssh-7.4p1/gss-genr.c.gsskex 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.2p1/gss-genr.c 2016-02-19 10:01:04.867969323 +0100 +++ openssh-7.4p1/gss-genr.c 2016-12-23 13:38:53.726301005 +0100
@@ -41,12 +41,167 @@ @@ -40,12 +40,167 @@
#include "buffer.h" #include "buffer.h"
#include "log.h" #include "log.h"
#include "ssh2.h" #include "ssh2.h"
@ -352,7 +341,7 @@ diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
/* Check that the OID in a data stream matches that in the context */ /* Check that the OID in a data stream matches that in the context */
int int
ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
@@ -199,7 +354,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de @@ -198,7 +353,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
} }
ctx->major = gss_init_sec_context(&ctx->minor, ctx->major = gss_init_sec_context(&ctx->minor,
@ -361,7 +350,7 @@ diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
0, NULL, recv_tok, NULL, send_tok, flags, NULL); 0, NULL, recv_tok, NULL, send_tok, flags, NULL);
@@ -229,8 +384,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con @@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
} }
OM_uint32 OM_uint32
@ -404,7 +393,7 @@ diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
GSS_C_QOP_DEFAULT, buffer, hash))) GSS_C_QOP_DEFAULT, buffer, hash)))
ssh_gssapi_error(ctx); ssh_gssapi_error(ctx);
@@ -238,6 +427,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer @@ -237,6 +426,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
return (ctx->major); return (ctx->major);
} }
@ -424,7 +413,7 @@ diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
void void
ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
const char *context) const char *context)
@@ -251,11 +453,16 @@ ssh_gssapi_buildmic(Buffer *b, const cha @@ -250,11 +452,16 @@ ssh_gssapi_buildmic(Buffer *b, const cha
} }
int int
@ -442,7 +431,7 @@ diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
/* RFC 4462 says we MUST NOT do SPNEGO */ /* RFC 4462 says we MUST NOT do SPNEGO */
if (oid->length == spnego_oid.length && if (oid->length == spnego_oid.length &&
@@ -265,6 +472,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx @@ -264,6 +471,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
ssh_gssapi_build_ctx(ctx); ssh_gssapi_build_ctx(ctx);
ssh_gssapi_set_oid(*ctx, oid); ssh_gssapi_set_oid(*ctx, oid);
major = ssh_gssapi_import_name(*ctx, host); major = ssh_gssapi_import_name(*ctx, host);
@ -453,7 +442,7 @@ diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
if (!GSS_ERROR(major)) { if (!GSS_ERROR(major)) {
major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
NULL); NULL);
@@ -274,10 +485,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx @@ -273,10 +484,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
GSS_C_NO_BUFFER); GSS_C_NO_BUFFER);
} }
@ -521,9 +510,9 @@ diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
+} +}
+ +
#endif /* GSSAPI */ #endif /* GSSAPI */
diff -up openssh-7.2p1/gss-serv.c.gsskex openssh-7.2p1/gss-serv.c diff -up openssh-7.4p1/gss-serv.c.gsskex openssh-7.4p1/gss-serv.c
--- openssh-7.2p1/gss-serv.c.gsskex 2016-02-12 11:47:25.000000000 +0100 --- openssh-7.4p1/gss-serv.c.gsskex 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.2p1/gss-serv.c 2016-02-19 10:01:04.867969323 +0100 +++ openssh-7.4p1/gss-serv.c 2016-12-23 13:38:53.727301005 +0100
@@ -45,17 +45,19 @@ @@ -45,17 +45,19 @@
#include "session.h" #include "session.h"
#include "misc.h" #include "misc.h"
@ -536,9 +525,10 @@ diff -up openssh-7.2p1/gss-serv.c.gsskex openssh-7.2p1/gss-serv.c
extern ServerOptions options; extern ServerOptions options;
static ssh_gssapi_client gssapi_client = static ssh_gssapi_client gssapi_client =
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, - { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; - GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
+ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, {NULL, NULL, NULL}, 0, 0}; + { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, GSS_C_NO_CREDENTIAL,
+ GSS_C_NO_NAME, NULL, {NULL, NULL, NULL, NULL, NULL}, 0, 0};
ssh_gssapi_mech gssapi_null_mech = ssh_gssapi_mech gssapi_null_mech =
- { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL}; - { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
@ -805,9 +795,9 @@ diff -up openssh-7.2p1/gss-serv.c.gsskex openssh-7.2p1/gss-serv.c
} }
#endif #endif
diff -up openssh-7.2p1/gss-serv-krb5.c.gsskex openssh-7.2p1/gss-serv-krb5.c diff -up openssh-7.4p1/gss-serv-krb5.c.gsskex openssh-7.4p1/gss-serv-krb5.c
--- openssh-7.2p1/gss-serv-krb5.c.gsskex 2016-02-12 11:47:25.000000000 +0100 --- openssh-7.4p1/gss-serv-krb5.c.gsskex 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.2p1/gss-serv-krb5.c 2016-02-19 10:01:04.867969323 +0100 +++ openssh-7.4p1/gss-serv-krb5.c 2016-12-23 13:38:53.727301005 +0100
@@ -121,7 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl @@ -121,7 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
krb5_error_code problem; krb5_error_code problem;
krb5_principal princ; krb5_principal princ;
@ -935,9 +925,9 @@ diff -up openssh-7.2p1/gss-serv-krb5.c.gsskex openssh-7.2p1/gss-serv-krb5.c
}; };
#endif /* KRB5 */ #endif /* KRB5 */
diff -up openssh-7.2p1/kex.c.gsskex openssh-7.2p1/kex.c diff -up openssh-7.4p1/kex.c.gsskex openssh-7.4p1/kex.c
--- openssh-7.2p1/kex.c.gsskex 2016-02-12 11:47:25.000000000 +0100 --- openssh-7.4p1/kex.c.gsskex 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.2p1/kex.c 2016-02-19 10:01:04.868969323 +0100 +++ openssh-7.4p1/kex.c 2016-12-23 13:39:56.064313151 +0100
@@ -54,6 +54,10 @@ @@ -54,6 +54,10 @@
#include "sshbuf.h" #include "sshbuf.h"
#include "digest.h" #include "digest.h"
@ -949,9 +939,9 @@ diff -up openssh-7.2p1/kex.c.gsskex openssh-7.2p1/kex.c
#if OPENSSL_VERSION_NUMBER >= 0x00907000L #if OPENSSL_VERSION_NUMBER >= 0x00907000L
# if defined(HAVE_EVP_SHA256) # if defined(HAVE_EVP_SHA256)
# define evp_ssh_sha256 EVP_sha256 # define evp_ssh_sha256 EVP_sha256
@@ -107,6 +111,11 @@ static const struct kexalg kexalgs[] = { @@ -111,6 +115,11 @@ static const struct kexalg kexalgs[] = {
#if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
{ KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
+#ifdef GSSAPI +#ifdef GSSAPI
+ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, + { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
@ -961,7 +951,7 @@ diff -up openssh-7.2p1/kex.c.gsskex openssh-7.2p1/kex.c
{ NULL, -1, -1, -1}, { NULL, -1, -1, -1},
}; };
@@ -140,6 +149,12 @@ kex_alg_by_name(const char *name) @@ -144,6 +153,12 @@ kex_alg_by_name(const char *name)
for (k = kexalgs; k->name != NULL; k++) { for (k = kexalgs; k->name != NULL; k++) {
if (strcmp(k->name, name) == 0) if (strcmp(k->name, name) == 0)
return k; return k;
@ -974,9 +964,9 @@ diff -up openssh-7.2p1/kex.c.gsskex openssh-7.2p1/kex.c
} }
return NULL; return NULL;
} }
diff -up openssh-7.2p1/kexgssc.c.gsskex openssh-7.2p1/kexgssc.c diff -up openssh-7.4p1/kexgssc.c.gsskex openssh-7.4p1/kexgssc.c
--- openssh-7.2p1/kexgssc.c.gsskex 2016-02-19 10:01:04.868969323 +0100 --- openssh-7.4p1/kexgssc.c.gsskex 2016-12-23 13:38:53.727301005 +0100
+++ openssh-7.2p1/kexgssc.c 2016-02-19 10:01:04.868969323 +0100 +++ openssh-7.4p1/kexgssc.c 2016-12-23 13:38:53.727301005 +0100
@@ -0,0 +1,338 @@ @@ -0,0 +1,338 @@
+/* +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1316,9 +1306,9 @@ diff -up openssh-7.2p1/kexgssc.c.gsskex openssh-7.2p1/kexgssc.c
+} +}
+ +
+#endif /* GSSAPI */ +#endif /* GSSAPI */
diff -up openssh-7.2p1/kexgsss.c.gsskex openssh-7.2p1/kexgsss.c diff -up openssh-7.4p1/kexgsss.c.gsskex openssh-7.4p1/kexgsss.c
--- openssh-7.2p1/kexgsss.c.gsskex 2016-02-19 10:01:04.868969323 +0100 --- openssh-7.4p1/kexgsss.c.gsskex 2016-12-23 13:38:53.728301005 +0100
+++ openssh-7.2p1/kexgsss.c 2016-02-19 10:01:04.868969323 +0100 +++ openssh-7.4p1/kexgsss.c 2016-12-23 13:38:53.728301005 +0100
@@ -0,0 +1,297 @@ @@ -0,0 +1,297 @@
+/* +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1617,10 +1607,10 @@ diff -up openssh-7.2p1/kexgsss.c.gsskex openssh-7.2p1/kexgsss.c
+ return 0; + return 0;
+} +}
+#endif /* GSSAPI */ +#endif /* GSSAPI */
diff -up openssh-7.2p1/kex.h.gsskex openssh-7.2p1/kex.h diff -up openssh-7.4p1/kex.h.gsskex openssh-7.4p1/kex.h
--- openssh-7.2p1/kex.h.gsskex 2016-02-12 11:47:25.000000000 +0100 --- openssh-7.4p1/kex.h.gsskex 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.2p1/kex.h 2016-02-19 10:01:04.868969323 +0100 +++ openssh-7.4p1/kex.h 2016-12-23 13:38:53.728301005 +0100
@@ -92,6 +92,11 @@ enum kex_exchange { @@ -99,6 +99,11 @@ enum kex_exchange {
KEX_DH_GEX_SHA256, KEX_DH_GEX_SHA256,
KEX_ECDH_SHA2, KEX_ECDH_SHA2,
KEX_C25519_SHA256, KEX_C25519_SHA256,
@ -1632,7 +1622,7 @@ diff -up openssh-7.2p1/kex.h.gsskex openssh-7.2p1/kex.h
KEX_MAX KEX_MAX
}; };
@@ -140,6 +145,12 @@ struct kex { @@ -147,6 +152,12 @@ struct kex {
u_int flags; u_int flags;
int hash_alg; int hash_alg;
int ec_nid; int ec_nid;
@ -1645,7 +1635,7 @@ diff -up openssh-7.2p1/kex.h.gsskex openssh-7.2p1/kex.h
char *client_version_string; char *client_version_string;
char *server_version_string; char *server_version_string;
char *failed_choice; char *failed_choice;
@@ -189,6 +200,10 @@ int kexecdh_client(struct ssh *); @@ -196,6 +207,10 @@ int kexecdh_client(struct ssh *);
int kexecdh_server(struct ssh *); int kexecdh_server(struct ssh *);
int kexc25519_client(struct ssh *); int kexc25519_client(struct ssh *);
int kexc25519_server(struct ssh *); int kexc25519_server(struct ssh *);
@ -1656,10 +1646,10 @@ diff -up openssh-7.2p1/kex.h.gsskex openssh-7.2p1/kex.h
int kex_dh_hash(int, const char *, const char *, int kex_dh_hash(int, const char *, const char *,
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
diff -up openssh/Makefile.in.gsskex openssh/Makefile.in diff -up openssh-7.4p1/Makefile.in.gsskex openssh-7.4p1/Makefile.in
--- openssh/Makefile.in.gsskex 2016-07-25 14:11:42.978324182 +0200 --- openssh-7.4p1/Makefile.in.gsskex 2016-12-23 13:38:53.723301004 +0100
+++ openssh/Makefile.in 2016-07-25 14:14:15.560289050 +0200 +++ openssh-7.4p1/Makefile.in 2016-12-23 13:40:32.226320197 +0100
@@ -90,6 +90,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ @@ -91,6 +91,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \ readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \ atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
@ -1667,19 +1657,19 @@ diff -up openssh/Makefile.in.gsskex openssh/Makefile.in
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
ssh-pkcs11.o smult_curve25519_ref.o \ ssh-pkcs11.o smult_curve25519_ref.o \
poly1305.o chacha.o cipher-chachapoly.o \ poly1305.o chacha.o cipher-chachapoly.o \
@@ -111,7 +112,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw @@ -112,7 +113,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o \
monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \ monitor.o monitor_wrap.o auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \ - auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \ sftp-server.o sftp-common.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c diff -up openssh-7.4p1/monitor.c.gsskex openssh-7.4p1/monitor.c
--- openssh-7.2p1/monitor.c.gsskex 2016-02-19 10:01:04.830969345 +0100 --- openssh-7.4p1/monitor.c.gsskex 2016-12-23 13:38:53.687300997 +0100
+++ openssh-7.2p1/monitor.c 2016-02-19 10:01:04.869969322 +0100 +++ openssh-7.4p1/monitor.c 2016-12-23 13:45:49.347381091 +0100
@@ -159,6 +159,8 @@ int mm_answer_gss_setup_ctx(int, Buffer @@ -160,6 +160,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *); int mm_answer_gss_checkmic(int, Buffer *);
@ -1688,10 +1678,10 @@ diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c
#endif #endif
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
@@ -239,11 +241,18 @@ struct mon_table mon_dispatch_proto20[] @@ -236,11 +238,18 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
+ {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign}, + {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
#endif #endif
{0, 0, NULL} {0, 0, NULL}
@ -1707,29 +1697,29 @@ diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
{MONITOR_REQ_MODULI, 0, mm_answer_moduli}, {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
#endif #endif
@@ -358,6 +367,10 @@ monitor_child_preauth(Authctxt *_authctx @@ -307,6 +316,10 @@ monitor_child_preauth(Authctxt *_authctx
/* Permit requests for moduli and signatures */ /* Permit requests for moduli and signatures */
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI +#ifdef GSSAPI
+ /* and for the GSSAPI key exchange */ + /* and for the GSSAPI key exchange */
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif +#endif
} else {
mon_dispatch = mon_dispatch_proto15;
@@ -466,6 +479,10 @@ monitor_child_postauth(struct monitor *p /* The first few requests do not require asynchronous access */
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); while (!authenticated) {
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); @@ -406,6 +419,10 @@ monitor_child_postauth(struct monitor *p
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI +#ifdef GSSAPI
+ /* and for the GSSAPI key exchange */ + /* and for the GSSAPI key exchange */
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif +#endif
} else {
mon_dispatch = mon_dispatch_postauth15; if (!no_pty_flag) {
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
@@ -1893,6 +1910,13 @@ monitor_apply_keystate(struct monitor *p @@ -1633,6 +1650,13 @@ monitor_apply_keystate(struct monitor *p
# endif # endif
#endif /* WITH_OPENSSL */ #endif /* WITH_OPENSSL */
kex->kex[KEX_C25519_SHA256] = kexc25519_server; kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@ -1743,27 +1733,25 @@ diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c
kex->load_host_public_key=&get_hostkey_public_by_type; kex->load_host_public_key=&get_hostkey_public_by_type;
kex->load_host_private_key=&get_hostkey_private_by_type; kex->load_host_private_key=&get_hostkey_private_by_type;
kex->host_key_index=&get_hostkey_index; kex->host_key_index=&get_hostkey_index;
@@ -1992,6 +2016,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer @@ -1712,7 +1736,7 @@ mm_answer_gss_setup_ctx(int sock, Buffer
OM_uint32 major; OM_uint32 major;
u_int len; u_int len;
- if (!options.gss_authentication)
+ if (!options.gss_authentication && !options.gss_keyex) + if (!options.gss_authentication && !options.gss_keyex)
+ fatal("In GSSAPI monitor when GSSAPI is disabled"); fatal("%s: GSSAPI authentication not enabled", __func__);
+
goid.elements = buffer_get_string(m, &len);
goid.length = len;
@@ -2019,6 +2046,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe goid.elements = buffer_get_string(m, &len);
@@ -1742,7 +1766,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
OM_uint32 flags = 0; /* GSI needs this */ OM_uint32 flags = 0; /* GSI needs this */
u_int len; u_int len;
- if (!options.gss_authentication)
+ if (!options.gss_authentication && !options.gss_keyex) + if (!options.gss_authentication && !options.gss_keyex)
+ fatal("In GSSAPI monitor when GSSAPI is disabled"); fatal("%s: GSSAPI authentication not enabled", __func__);
+
in.value = buffer_get_string(m, &len); in.value = buffer_get_string(m, &len);
in.length = len; @@ -1762,6 +1786,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -2036,6 +2066,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@ -1771,30 +1759,30 @@ diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c
} }
return (0); return (0);
} }
@@ -2047,6 +2078,9 @@ mm_answer_gss_checkmic(int sock, Buffer @@ -1773,7 +1798,7 @@ mm_answer_gss_checkmic(int sock, Buffer
OM_uint32 ret; OM_uint32 ret;
u_int len; u_int len;
- if (!options.gss_authentication)
+ if (!options.gss_authentication && !options.gss_keyex) + if (!options.gss_authentication && !options.gss_keyex)
+ fatal("In GSSAPI monitor when GSSAPI is disabled"); fatal("%s: GSSAPI authentication not enabled", __func__);
+
gssbuf.value = buffer_get_string(m, &len); gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len; @@ -1802,10 +1827,11 @@ mm_answer_gss_userok(int sock, Buffer *m
mic.value = buffer_get_string(m, &len);
@@ -2073,7 +2107,11 @@ mm_answer_gss_userok(int sock, Buffer *m
{ {
int authenticated; int authenticated;
- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); - if (!options.gss_authentication)
+ if (!options.gss_authentication && !options.gss_keyex) + if (!options.gss_authentication && !options.gss_keyex)
+ fatal("In GSSAPI monitor when GSSAPI is disabled"); fatal("%s: GSSAPI authentication not enabled", __func__);
+
- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+ authenticated = authctxt->valid && + authenticated = authctxt->valid &&
+ ssh_gssapi_userok(authctxt->user, authctxt->pw); + ssh_gssapi_userok(authctxt->user, authctxt->pw);
buffer_clear(m); buffer_clear(m);
buffer_put_int(m, authenticated); buffer_put_int(m, authenticated);
@@ -2086,5 +2124,73 @@ mm_answer_gss_userok(int sock, Buffer *m @@ -1818,5 +1844,73 @@ mm_answer_gss_userok(int sock, Buffer *m
/* Monitor loop will terminate if authenticated */ /* Monitor loop will terminate if authenticated */
return (authenticated); return (authenticated);
} }
@ -1868,9 +1856,9 @@ diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c
+ +
#endif /* GSSAPI */ #endif /* GSSAPI */
diff -up openssh-7.2p1/monitor.h.gsskex openssh-7.2p1/monitor.h diff -up openssh-7.4p1/monitor.h.gsskex openssh-7.4p1/monitor.h
--- openssh-7.2p1/monitor.h.gsskex 2016-02-19 10:01:04.830969345 +0100 --- openssh-7.4p1/monitor.h.gsskex 2016-12-23 13:38:53.687300997 +0100
+++ openssh-7.2p1/monitor.h 2016-02-19 10:01:04.869969322 +0100 +++ openssh-7.4p1/monitor.h 2016-12-23 13:38:53.729301005 +0100
@@ -60,6 +60,8 @@ enum monitor_reqtype { @@ -60,6 +60,8 @@ enum monitor_reqtype {
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
MONITOR_REQ_AUTHROLE = 80, MONITOR_REQ_AUTHROLE = 80,
@ -1880,10 +1868,10 @@ diff -up openssh-7.2p1/monitor.h.gsskex openssh-7.2p1/monitor.h
MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
diff -up openssh-7.2p1/monitor_wrap.c.gsskex openssh-7.2p1/monitor_wrap.c diff -up openssh-7.4p1/monitor_wrap.c.gsskex openssh-7.4p1/monitor_wrap.c
--- openssh-7.2p1/monitor_wrap.c.gsskex 2016-02-19 10:01:04.830969345 +0100 --- openssh-7.4p1/monitor_wrap.c.gsskex 2016-12-23 13:38:53.687300997 +0100
+++ openssh-7.2p1/monitor_wrap.c 2016-02-19 10:01:04.869969322 +0100 +++ openssh-7.4p1/monitor_wrap.c 2016-12-23 13:38:53.729301005 +0100
@@ -1087,7 +1087,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss @@ -943,7 +943,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
} }
int int
@ -1892,7 +1880,7 @@ diff -up openssh-7.2p1/monitor_wrap.c.gsskex openssh-7.2p1/monitor_wrap.c
{ {
Buffer m; Buffer m;
int authenticated = 0; int authenticated = 0;
@@ -1104,5 +1104,50 @@ mm_ssh_gssapi_userok(char *user) @@ -960,5 +960,50 @@ mm_ssh_gssapi_userok(char *user)
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
return (authenticated); return (authenticated);
} }
@ -1943,10 +1931,10 @@ diff -up openssh-7.2p1/monitor_wrap.c.gsskex openssh-7.2p1/monitor_wrap.c
+ +
#endif /* GSSAPI */ #endif /* GSSAPI */
diff -up openssh-7.2p1/monitor_wrap.h.gsskex openssh-7.2p1/monitor_wrap.h diff -up openssh-7.4p1/monitor_wrap.h.gsskex openssh-7.4p1/monitor_wrap.h
--- openssh-7.2p1/monitor_wrap.h.gsskex 2016-02-19 10:01:04.830969345 +0100 --- openssh-7.4p1/monitor_wrap.h.gsskex 2016-12-23 13:38:53.687300997 +0100
+++ openssh-7.2p1/monitor_wrap.h 2016-02-19 10:01:04.869969322 +0100 +++ openssh-7.4p1/monitor_wrap.h 2016-12-23 13:38:53.729301005 +0100
@@ -61,8 +61,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K @@ -58,8 +58,10 @@ int mm_key_verify(Key *, u_char *, u_int
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
@ -1958,10 +1946,10 @@ diff -up openssh-7.2p1/monitor_wrap.h.gsskex openssh-7.2p1/monitor_wrap.h
#endif #endif
#ifdef USE_PAM #ifdef USE_PAM
diff -up openssh-7.2p1/readconf.c.gsskex openssh-7.2p1/readconf.c diff -up openssh-7.4p1/readconf.c.gsskex openssh-7.4p1/readconf.c
--- openssh-7.2p1/readconf.c.gsskex 2016-02-12 11:47:25.000000000 +0100 --- openssh-7.4p1/readconf.c.gsskex 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.2p1/readconf.c 2016-02-19 10:01:04.870969322 +0100 +++ openssh-7.4p1/readconf.c 2016-12-23 13:38:53.730301005 +0100
@@ -148,6 +148,8 @@ typedef enum { @@ -160,6 +160,8 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost, oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds, oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@ -1970,7 +1958,7 @@ diff -up openssh-7.2p1/readconf.c.gsskex openssh-7.2p1/readconf.c
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist, oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts, oHashKnownHosts,
@@ -193,10 +195,19 @@ static struct { @@ -205,10 +207,19 @@ static struct {
{ "afstokenpassing", oUnsupported }, { "afstokenpassing", oUnsupported },
#if defined(GSSAPI) #if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication }, { "gssapiauthentication", oGssAuthentication },
@ -1990,7 +1978,7 @@ diff -up openssh-7.2p1/readconf.c.gsskex openssh-7.2p1/readconf.c
#endif #endif
{ "fallbacktorsh", oDeprecated }, { "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated }, { "usersh", oDeprecated },
@@ -926,10 +937,30 @@ parse_time: @@ -961,10 +972,30 @@ parse_time:
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@ -2021,7 +2009,7 @@ diff -up openssh-7.2p1/readconf.c.gsskex openssh-7.2p1/readconf.c
case oBatchMode: case oBatchMode:
intptr = &options->batch_mode; intptr = &options->batch_mode;
goto parse_flag; goto parse_flag;
@@ -1648,7 +1679,12 @@ initialize_options(Options * options) @@ -1776,7 +1807,12 @@ initialize_options(Options * options)
options->pubkey_authentication = -1; options->pubkey_authentication = -1;
options->challenge_response_authentication = -1; options->challenge_response_authentication = -1;
options->gss_authentication = -1; options->gss_authentication = -1;
@ -2034,7 +2022,7 @@ diff -up openssh-7.2p1/readconf.c.gsskex openssh-7.2p1/readconf.c
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL; options->kbd_interactive_devices = NULL;
@@ -1777,8 +1813,14 @@ fill_default_options(Options * options) @@ -1920,8 +1956,14 @@ fill_default_options(Options * options)
options->challenge_response_authentication = 1; options->challenge_response_authentication = 1;
if (options->gss_authentication == -1) if (options->gss_authentication == -1)
options->gss_authentication = 0; options->gss_authentication = 0;
@ -2049,9 +2037,9 @@ diff -up openssh-7.2p1/readconf.c.gsskex openssh-7.2p1/readconf.c
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
diff -up openssh-7.2p1/readconf.h.gsskex openssh-7.2p1/readconf.h diff -up openssh-7.4p1/readconf.h.gsskex openssh-7.4p1/readconf.h
--- openssh-7.2p1/readconf.h.gsskex 2016-02-12 11:47:25.000000000 +0100 --- openssh-7.4p1/readconf.h.gsskex 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.2p1/readconf.h 2016-02-19 10:01:04.870969322 +0100 +++ openssh-7.4p1/readconf.h 2016-12-23 13:38:53.730301005 +0100
@@ -45,7 +45,12 @@ typedef struct { @@ -45,7 +45,12 @@ typedef struct {
int challenge_response_authentication; int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */ /* Try S/Key or TIS, authentication. */
@ -2065,9 +2053,9 @@ diff -up openssh-7.2p1/readconf.h.gsskex openssh-7.2p1/readconf.h
int password_authentication; /* Try password int password_authentication; /* Try password
* authentication. */ * authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff -up openssh/regress/cert-hostkey.sh.gsskex openssh/regress/cert-hostkey.sh diff -up openssh-7.4p1/regress/cert-hostkey.sh.gsskex openssh-7.4p1/regress/cert-hostkey.sh
--- openssh/regress/cert-hostkey.sh.gsskex 2016-07-25 14:11:42.986324181 +0200 --- openssh-7.4p1/regress/cert-hostkey.sh.gsskex 2016-12-19 05:59:41.000000000 +0100
+++ openssh/regress/cert-hostkey.sh 2016-07-25 14:15:17.784274722 +0200 +++ openssh-7.4p1/regress/cert-hostkey.sh 2016-12-23 13:38:53.731301006 +0100
@@ -59,7 +59,7 @@ touch $OBJ/host_revoked_plain @@ -59,7 +59,7 @@ touch $OBJ/host_revoked_plain
touch $OBJ/host_revoked_cert touch $OBJ/host_revoked_cert
cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
@ -2077,9 +2065,9 @@ diff -up openssh/regress/cert-hostkey.sh.gsskex openssh/regress/cert-hostkey.sh
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
diff -up openssh/regress/cert-userkey.sh.gsskex openssh/regress/cert-userkey.sh diff -up openssh-7.4p1/regress/cert-userkey.sh.gsskex openssh-7.4p1/regress/cert-userkey.sh
--- openssh/regress/cert-userkey.sh.gsskex 2016-07-25 14:11:42.986324181 +0200 --- openssh-7.4p1/regress/cert-userkey.sh.gsskex 2016-12-19 05:59:41.000000000 +0100
+++ openssh/regress/cert-userkey.sh 2016-07-25 14:15:36.769270354 +0200 +++ openssh-7.4p1/regress/cert-userkey.sh 2016-12-23 13:38:53.731301006 +0100
@@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us @@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
@ -2089,9 +2077,9 @@ diff -up openssh/regress/cert-userkey.sh.gsskex openssh/regress/cert-userkey.sh
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
diff -up openssh/regress/kextype.sh.gsskex openssh/regress/kextype.sh diff -up openssh-7.4p1/regress/kextype.sh.gsskex openssh-7.4p1/regress/kextype.sh
--- openssh/regress/kextype.sh.gsskex 2016-07-24 13:50:13.000000000 +0200 --- openssh-7.4p1/regress/kextype.sh.gsskex 2016-12-19 05:59:41.000000000 +0100
+++ openssh/regress/kextype.sh 2016-07-25 14:11:42.987324180 +0200 +++ openssh-7.4p1/regress/kextype.sh 2016-12-23 13:38:53.731301006 +0100
@@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh @@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh
tries="1 2 3 4" tries="1 2 3 4"
@ -2102,9 +2090,9 @@ diff -up openssh/regress/kextype.sh.gsskex openssh/regress/kextype.sh
verbose "kex $k" verbose "kex $k"
for i in $tries; do for i in $tries; do
${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true ${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
diff -up openssh-7.2p1/regress/rekey.sh.gsskex openssh-7.2p1/regress/rekey.sh diff -up openssh-7.4p1/regress/rekey.sh.gsskex openssh-7.4p1/regress/rekey.sh
--- openssh-7.2p1/regress/rekey.sh.gsskex 2016-02-12 11:47:25.000000000 +0100 --- openssh-7.4p1/regress/rekey.sh.gsskex 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.2p1/regress/rekey.sh 2016-02-19 10:01:04.870969322 +0100 +++ openssh-7.4p1/regress/rekey.sh 2016-12-23 13:38:53.731301006 +0100
@@ -38,6 +38,9 @@ increase_datafile_size 300 @@ -38,6 +38,9 @@ increase_datafile_size 300
opts="" opts=""
@ -2125,10 +2113,10 @@ diff -up openssh-7.2p1/regress/rekey.sh.gsskex openssh-7.2p1/regress/rekey.sh
verbose "client rekey $c $kex" verbose "client rekey $c $kex"
ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
done done
diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c diff -up openssh-7.4p1/servconf.c.gsskex openssh-7.4p1/servconf.c
--- openssh-7.2p1/servconf.c.gsskex 2016-02-19 10:01:04.857969329 +0100 --- openssh-7.4p1/servconf.c.gsskex 2016-12-23 13:38:53.717301003 +0100
+++ openssh-7.2p1/servconf.c 2016-02-19 10:01:04.870969322 +0100 +++ openssh-7.4p1/servconf.c 2016-12-23 13:38:53.732301006 +0100
@@ -117,8 +117,10 @@ initialize_server_options(ServerOptions @@ -113,8 +113,10 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1; options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1; options->kerberos_get_afs_token = -1;
options->gss_authentication=-1; options->gss_authentication=-1;
@ -2139,7 +2127,7 @@ diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1; options->challenge_response_authentication = -1;
@@ -288,10 +290,14 @@ fill_default_server_options(ServerOption @@ -268,10 +270,14 @@ fill_default_server_options(ServerOption
options->kerberos_get_afs_token = 0; options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1) if (options->gss_authentication == -1)
options->gss_authentication = 0; options->gss_authentication = 0;
@ -2154,7 +2142,7 @@ diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -422,7 +428,7 @@ typedef enum { @@ -410,7 +416,7 @@ typedef enum {
sHostKeyAlgorithms, sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@ -2163,7 +2151,7 @@ diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding, sUsePrivilegeSeparation, sAllowAgentForwarding,
sHostCertificate, sHostCertificate,
@@ -496,11 +502,17 @@ static struct { @@ -484,11 +490,17 @@ static struct {
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
@ -2181,7 +2169,7 @@ diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -1246,6 +1258,10 @@ process_server_config_line(ServerOptions @@ -1211,6 +1223,10 @@ process_server_config_line(ServerOptions
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@ -2192,7 +2180,7 @@ diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
case sGssCleanupCreds: case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds; intptr = &options->gss_cleanup_creds;
goto parse_flag; goto parse_flag;
@@ -1254,6 +1270,10 @@ process_server_config_line(ServerOptions @@ -1219,6 +1235,10 @@ process_server_config_line(ServerOptions
intptr = &options->gss_strict_acceptor; intptr = &options->gss_strict_acceptor;
goto parse_flag; goto parse_flag;
@ -2203,7 +2191,7 @@ diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
case sPasswordAuthentication: case sPasswordAuthentication:
intptr = &options->password_authentication; intptr = &options->password_authentication;
goto parse_flag; goto parse_flag;
@@ -2274,6 +2294,9 @@ dump_config(ServerOptions *o) @@ -2257,6 +2277,9 @@ dump_config(ServerOptions *o)
#ifdef GSSAPI #ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@ -2213,10 +2201,10 @@ diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
#endif #endif
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
dump_cfg_fmtint(sKbdInteractiveAuthentication, dump_cfg_fmtint(sKbdInteractiveAuthentication,
diff -up openssh-7.2p1/servconf.h.gsskex openssh-7.2p1/servconf.h diff -up openssh-7.4p1/servconf.h.gsskex openssh-7.4p1/servconf.h
--- openssh-7.2p1/servconf.h.gsskex 2016-02-19 10:01:04.857969329 +0100 --- openssh-7.4p1/servconf.h.gsskex 2016-12-23 13:38:53.717301003 +0100
+++ openssh-7.2p1/servconf.h 2016-02-19 10:01:04.871969321 +0100 +++ openssh-7.4p1/servconf.h 2016-12-23 13:38:53.732301006 +0100
@@ -118,8 +118,10 @@ typedef struct { @@ -112,8 +112,10 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */ * authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */ int gss_authentication; /* If true, permit GSSAPI authentication */
@ -2227,31 +2215,26 @@ diff -up openssh-7.2p1/servconf.h.gsskex openssh-7.2p1/servconf.h
int password_authentication; /* If true, permit password int password_authentication; /* If true, permit password
* authentication. */ * authentication. */
int kbd_interactive_authentication; /* If true, permit */ int kbd_interactive_authentication; /* If true, permit */
diff -up openssh-7.2p1/ssh_config.5.gsskex openssh-7.2p1/ssh_config.5 diff -up openssh-7.4p1/ssh_config.5.gsskex openssh-7.4p1/ssh_config.5
--- openssh-7.2p1/ssh_config.5.gsskex 2016-02-19 10:01:04.871969321 +0100 --- openssh-7.4p1/ssh_config.5.gsskex 2016-12-23 13:38:53.732301006 +0100
+++ openssh-7.2p1/ssh_config.5 2016-02-19 10:05:58.630146245 +0100 +++ openssh-7.4p1/ssh_config.5 2016-12-23 13:48:00.502331870 +0100
@@ -824,10 +824,40 @@ The default is @@ -748,10 +748,40 @@ The default is
Specifies whether user authentication based on GSSAPI is allowed. Specifies whether user authentication based on GSSAPI is allowed.
The default is The default is
.Dq no . .Cm no .
+.It Cm GSSAPIClientIdentity
+If set, specifies the GSSAPI client identity that ssh should use when
+connecting to the server. The default is unset, which means that the default
+identity will be used.
.It Cm GSSAPIDelegateCredentials
Forward (delegate) credentials to the server.
The default is
.Cm no .
+.It Cm GSSAPIKeyExchange +.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI may be used. When using +Specifies whether key exchange based on GSSAPI may be used. When using
+GSSAPI key exchange the server need not have a host key. +GSSAPI key exchange the server need not have a host key.
+The default is +The default is
+.Dq no . +.Dq no .
+.It Cm GSSAPIClientIdentity
+If set, specifies the GSSAPI client identity that ssh should use when
+connecting to the server. The default is unset, which means that the default
+identity will be used.
+.It Cm GSSAPIServerIdentity
+If set, specifies the GSSAPI server identity that ssh should expect when
+connecting to the server. The default is unset, which means that the
+expected GSSAPI server identity will be determined from the target
+hostname.
.It Cm GSSAPIDelegateCredentials
Forward (delegate) credentials to the server.
The default is
.Dq no .
+.It Cm GSSAPIRenewalForcesRekey +.It Cm GSSAPIRenewalForcesRekey
+If set to +If set to
+.Dq yes +.Dq yes
@ -2260,6 +2243,11 @@ diff -up openssh-7.2p1/ssh_config.5.gsskex openssh-7.2p1/ssh_config.5
+credentials to a session on the server. +credentials to a session on the server.
+The default is +The default is
+.Dq no . +.Dq no .
+.It Cm GSSAPIServerIdentity
+If set, specifies the GSSAPI server identity that ssh should expect when
+connecting to the server. The default is unset, which means that the
+expected GSSAPI server identity will be determined from the target
+hostname.
+.It Cm GSSAPITrustDns +.It Cm GSSAPITrustDns
+Set to +Set to
+.Dq yes to indicate that the DNS is trusted to securely canonicalize +.Dq yes to indicate that the DNS is trusted to securely canonicalize
@ -2271,9 +2259,9 @@ diff -up openssh-7.2p1/ssh_config.5.gsskex openssh-7.2p1/ssh_config.5
.It Cm HashKnownHosts .It Cm HashKnownHosts
Indicates that Indicates that
.Xr ssh 1 .Xr ssh 1
diff -up openssh-7.2p1/ssh_config.gsskex openssh-7.2p1/ssh_config diff -up openssh-7.4p1/ssh_config.gsskex openssh-7.4p1/ssh_config
--- openssh-7.2p1/ssh_config.gsskex 2016-02-19 10:01:04.852969332 +0100 --- openssh-7.4p1/ssh_config.gsskex 2016-12-23 13:38:53.708301001 +0100
+++ openssh-7.2p1/ssh_config 2016-02-19 10:01:04.871969321 +0100 +++ openssh-7.4p1/ssh_config 2016-12-23 13:38:53.733301006 +0100
@@ -26,6 +26,8 @@ @@ -26,6 +26,8 @@
# HostbasedAuthentication no # HostbasedAuthentication no
# GSSAPIAuthentication no # GSSAPIAuthentication no
@ -2283,10 +2271,10 @@ diff -up openssh-7.2p1/ssh_config.gsskex openssh-7.2p1/ssh_config
# BatchMode no # BatchMode no
# CheckHostIP yes # CheckHostIP yes
# AddressFamily any # AddressFamily any
diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c diff -up openssh-7.4p1/sshconnect2.c.gsskex openssh-7.4p1/sshconnect2.c
--- openssh-7.2p1/sshconnect2.c.gsskex 2016-02-12 11:47:25.000000000 +0100 --- openssh-7.4p1/sshconnect2.c.gsskex 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.2p1/sshconnect2.c 2016-02-19 10:01:04.872969321 +0100 +++ openssh-7.4p1/sshconnect2.c 2016-12-23 13:38:53.733301006 +0100
@@ -161,9 +161,34 @@ ssh_kex2(char *host, struct sockaddr *ho @@ -162,9 +162,34 @@ ssh_kex2(char *host, struct sockaddr *ho
struct kex *kex; struct kex *kex;
int r; int r;
@ -2321,7 +2309,7 @@ diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c
if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
fatal("%s: kex_names_cat", __func__); fatal("%s: kex_names_cat", __func__);
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s); myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
@@ -195,6 +220,17 @@ ssh_kex2(char *host, struct sockaddr *ho @@ -192,6 +217,17 @@ ssh_kex2(char *host, struct sockaddr *ho
order_hostkeyalgs(host, hostaddr, port)); order_hostkeyalgs(host, hostaddr, port));
} }
@ -2379,7 +2367,7 @@ diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c
#endif #endif
void userauth(Authctxt *, char *); void userauth(Authctxt *, char *);
@@ -326,6 +383,11 @@ static char *authmethods_get(void); @@ -327,6 +384,11 @@ static char *authmethods_get(void);
Authmethod authmethods[] = { Authmethod authmethods[] = {
#ifdef GSSAPI #ifdef GSSAPI
@ -2391,7 +2379,7 @@ diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c
{"gssapi-with-mic", {"gssapi-with-mic",
userauth_gssapi, userauth_gssapi,
NULL, NULL,
@@ -656,19 +718,31 @@ userauth_gssapi(Authctxt *authctxt) @@ -652,19 +714,31 @@ userauth_gssapi(Authctxt *authctxt)
static u_int mech = 0; static u_int mech = 0;
OM_uint32 min; OM_uint32 min;
int ok = 0; int ok = 0;
@ -2425,7 +2413,7 @@ diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c
ok = 1; /* Mechanism works */ ok = 1; /* Mechanism works */
} else { } else {
mech++; mech++;
@@ -765,8 +839,8 @@ input_gssapi_response(int type, u_int32_ @@ -761,8 +835,8 @@ input_gssapi_response(int type, u_int32_
{ {
Authctxt *authctxt = ctxt; Authctxt *authctxt = ctxt;
Gssctxt *gssctxt; Gssctxt *gssctxt;
@ -2436,7 +2424,7 @@ diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c
if (authctxt == NULL) if (authctxt == NULL)
fatal("input_gssapi_response: no authentication context"); fatal("input_gssapi_response: no authentication context");
@@ -879,6 +953,48 @@ input_gssapi_error(int type, u_int32_t p @@ -875,6 +949,48 @@ input_gssapi_error(int type, u_int32_t p
free(lang); free(lang);
return 0; return 0;
} }
@ -2509,21 +2497,17 @@ diff -up openssh-7.2p1/sshd.c.gsskex openssh-7.2p1/sshd.c
sshbuf_free(buf); sshbuf_free(buf);
} }
@@ -1845,10 +1846,13 @@ main(int ac, char **av) @@ -1739,7 +1740,8 @@ main(int ac, char **av)
logit("Disabling protocol version 1. Could not load host key"); key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp);
options.protocol &= ~SSH_PROTO_1; free(fp);
} }
+#ifndef GSSAPI - if (!sensitive_data.have_ssh2_key) {
+ /* The GSSAPI key exchange can run without a host key */ + /* The GSSAPI key exchange can run without a host key */
if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) { + if (!sensitive_data.have_ssh2_key && !options.gss_keyex) {
logit("Disabling protocol version 2. Could not load host key");
options.protocol &= ~SSH_PROTO_2;
}
+#endif
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
logit("sshd: no hostkeys available -- exiting."); logit("sshd: no hostkeys available -- exiting.");
exit(1); exit(1);
@@ -2586,6 +2590,48 @@ do_ssh2_kex(void) }
@@ -2196,6 +2198,48 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
list_hostkey_types()); list_hostkey_types());
@ -2572,7 +2556,7 @@ diff -up openssh-7.2p1/sshd.c.gsskex openssh-7.2p1/sshd.c
/* start key exchange */ /* start key exchange */
if ((r = kex_setup(active_state, myproposal)) != 0) if ((r = kex_setup(active_state, myproposal)) != 0)
fatal("kex_setup: %s", ssh_err(r)); fatal("kex_setup: %s", ssh_err(r));
@@ -2600,6 +2646,13 @@ do_ssh2_kex(void) @@ -2213,6 +2257,13 @@ do_ssh2_kex(void)
# endif # endif
#endif #endif
kex->kex[KEX_C25519_SHA256] = kexc25519_server; kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@ -2586,25 +2570,25 @@ diff -up openssh-7.2p1/sshd.c.gsskex openssh-7.2p1/sshd.c
kex->server = 1; kex->server = 1;
kex->client_version_string=client_version_string; kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string; kex->server_version_string=server_version_string;
diff -up openssh-7.2p1/sshd_config.5.gsskex openssh-7.2p1/sshd_config.5 diff -up openssh-7.4p1/sshd_config.5.gsskex openssh-7.4p1/sshd_config.5
--- openssh-7.2p1/sshd_config.5.gsskex 2016-02-19 10:01:04.858969329 +0100 --- openssh-7.4p1/sshd_config.5.gsskex 2016-12-23 13:38:53.734301006 +0100
+++ openssh-7.2p1/sshd_config.5 2016-02-19 10:06:26.651172355 +0100 +++ openssh-7.4p1/sshd_config.5 2016-12-23 13:48:57.825310358 +0100
@@ -623,6 +623,11 @@ The default is @@ -628,6 +628,11 @@ Specifies whether to automatically destr
Specifies whether user authentication based on GSSAPI is allowed. on logout.
The default is The default is
.Dq no . .Cm yes .
+.It Cm GSSAPIKeyExchange +.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange +Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
+doesn't rely on ssh keys to verify host identity. +doesn't rely on ssh keys to verify host identity.
+The default is +The default is
+.Dq no . +.Dq no .
.It Cm GSSAPICleanupCredentials .It Cm GSSAPIStrictAcceptorCheck
Specifies whether to automatically destroy the user's credentials cache Determines whether to be strict about the identity of the GSSAPI acceptor
on logout. a client authenticates against.
@@ -643,6 +648,11 @@ machine's default store. @@ -642,6 +647,11 @@ machine's default store.
This facility is provided to assist with operation on multi homed machines. This facility is provided to assist with operation on multi homed machines.
The default is The default is
.Dq yes . .Cm yes .
+.It Cm GSSAPIStoreCredentialsOnRekey +.It Cm GSSAPIStoreCredentialsOnRekey
+Controls whether the user's GSSAPI credentials should be updated following a +Controls whether the user's GSSAPI credentials should be updated following a
+successful connection rekeying. This option can be used to accepted renewed +successful connection rekeying. This option can be used to accepted renewed
@ -2613,10 +2597,10 @@ diff -up openssh-7.2p1/sshd_config.5.gsskex openssh-7.2p1/sshd_config.5
.It Cm HostbasedAcceptedKeyTypes .It Cm HostbasedAcceptedKeyTypes
Specifies the key types that will be accepted for hostbased authentication Specifies the key types that will be accepted for hostbased authentication
as a comma-separated pattern list. as a comma-separated pattern list.
diff -up openssh-7.2p1/sshd_config.gsskex openssh-7.2p1/sshd_config diff -up openssh-7.4p1/sshd_config.gsskex openssh-7.4p1/sshd_config
--- openssh-7.2p1/sshd_config.gsskex 2016-02-19 10:01:04.860969328 +0100 --- openssh-7.4p1/sshd_config.gsskex 2016-12-23 13:38:53.719301003 +0100
+++ openssh-7.2p1/sshd_config 2016-02-19 10:01:04.873969320 +0100 +++ openssh-7.4p1/sshd_config 2016-12-23 13:38:53.734301006 +0100
@@ -91,6 +91,8 @@ ChallengeResponseAuthentication no @@ -77,6 +77,8 @@ ChallengeResponseAuthentication no
# GSSAPI options # GSSAPI options
GSSAPIAuthentication yes GSSAPIAuthentication yes
GSSAPICleanupCredentials no GSSAPICleanupCredentials no
@ -2625,9 +2609,9 @@ diff -up openssh-7.2p1/sshd_config.gsskex openssh-7.2p1/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
diff -up openssh-7.2p1/ssh-gss.h.gsskex openssh-7.2p1/ssh-gss.h diff -up openssh-7.4p1/ssh-gss.h.gsskex openssh-7.4p1/ssh-gss.h
--- openssh-7.2p1/ssh-gss.h.gsskex 2016-02-12 11:47:25.000000000 +0100 --- openssh-7.4p1/ssh-gss.h.gsskex 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.2p1/ssh-gss.h 2016-02-19 10:01:04.873969320 +0100 +++ openssh-7.4p1/ssh-gss.h 2016-12-23 13:38:53.734301006 +0100
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
/* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */ /* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */
/* /*
@ -2727,10 +2711,10 @@ diff -up openssh-7.2p1/ssh-gss.h.gsskex openssh-7.2p1/ssh-gss.h
#endif /* GSSAPI */ #endif /* GSSAPI */
#endif /* _SSH_GSS_H */ #endif /* _SSH_GSS_H */
diff -up openssh-7.2p1/sshkey.c.gsskex openssh-7.2p1/sshkey.c diff -up openssh-7.4p1/sshkey.c.gsskex openssh-7.4p1/sshkey.c
--- openssh-7.2p1/sshkey.c.gsskex 2016-02-12 11:47:25.000000000 +0100 --- openssh-7.4p1/sshkey.c.gsskex 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.2p1/sshkey.c 2016-02-19 10:01:04.874969320 +0100 +++ openssh-7.4p1/sshkey.c 2016-12-23 13:38:53.735301006 +0100
@@ -115,6 +115,7 @@ static const struct keytype keytypes[] = @@ -114,6 +114,7 @@ static const struct keytype keytypes[] =
# endif /* OPENSSL_HAS_NISTP521 */ # endif /* OPENSSL_HAS_NISTP521 */
# endif /* OPENSSL_HAS_ECC */ # endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */ #endif /* WITH_OPENSSL */
@ -2738,9 +2722,9 @@ diff -up openssh-7.2p1/sshkey.c.gsskex openssh-7.2p1/sshkey.c
{ NULL, NULL, -1, -1, 0, 0 } { NULL, NULL, -1, -1, 0, 0 }
}; };
diff -up openssh-7.2p1/sshkey.h.gsskex openssh-7.2p1/sshkey.h diff -up openssh-7.4p1/sshkey.h.gsskex openssh-7.4p1/sshkey.h
--- openssh-7.2p1/sshkey.h.gsskex 2016-02-12 11:47:25.000000000 +0100 --- openssh-7.4p1/sshkey.h.gsskex 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.2p1/sshkey.h 2016-02-19 10:01:04.874969320 +0100 +++ openssh-7.4p1/sshkey.h 2016-12-23 13:38:53.735301006 +0100
@@ -62,6 +62,7 @@ enum sshkey_types { @@ -62,6 +62,7 @@ enum sshkey_types {
KEY_DSA_CERT, KEY_DSA_CERT,
KEY_ECDSA_CERT, KEY_ECDSA_CERT,
@ -2749,11 +2733,18 @@ diff -up openssh-7.2p1/sshkey.h.gsskex openssh-7.2p1/sshkey.h
KEY_UNSPEC KEY_UNSPEC
}; };
diff --git a/auth.c b/auth.c diff -up openssh-7.4p1/auth.c.gsskex openssh-7.4p1/auth.c
index e0f7639..a5a346e 100644 --- openssh-7.4p1/auth.c.gsskex 2016-12-19 05:59:41.000000000 +0100
--- a/auth.c +++ openssh-7.4p1/auth.c 2016-12-23 13:38:53.735301006 +0100
+++ b/auth.c @@ -372,6 +372,7 @@ auth_root_allowed(const char *method)
@@ -784,99 +784,6 @@ fakepw(void) case PERMIT_NO_PASSWD:
if (strcmp(method, "publickey") == 0 ||
strcmp(method, "hostbased") == 0 ||
+ strcmp(method, "gssapi-keyex") == 0 ||
strcmp(method, "gssapi-with-mic") == 0)
return 1;
break;
@@ -795,99 +796,6 @@ fakepw(void)
} }
/* /*
@ -2853,11 +2844,10 @@ index e0f7639..a5a346e 100644
* Return the canonical name of the host in the other side of the current * Return the canonical name of the host in the other side of the current
* connection. The host name is cached, so it is efficient to call this * connection. The host name is cached, so it is efficient to call this
* several times. * several times.
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c diff -up openssh-7.4p1/openbsd-compat/port-linux.c.gsskex openssh-7.4p1/openbsd-compat/port-linux.c
index 80729b3..93a1b04 100644 --- openssh-7.4p1/openbsd-compat/port-linux.c.gsskex 2016-12-23 13:38:53.688300997 +0100
--- a/openbsd-compat/port-linux.c +++ openssh-7.4p1/openbsd-compat/port-linux.c 2016-12-23 13:38:53.735301006 +0100
+++ b/openbsd-compat/port-linux.c @@ -30,6 +30,8 @@
@@ -32,6 +32,8 @@
#include "log.h" #include "log.h"
#include "xmalloc.h" #include "xmalloc.h"
#include "port-linux.h" #include "port-linux.h"
@ -2866,7 +2856,7 @@ index 80729b3..93a1b04 100644
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
#include <selinux/selinux.h> #include <selinux/selinux.h>
@@ -286,4 +288,121 @@ oom_adjust_restore(void) @@ -279,4 +281,121 @@ oom_adjust_restore(void)
return; return;
} }
#endif /* LINUX_OOM_ADJUST */ #endif /* LINUX_OOM_ADJUST */
@ -2988,11 +2978,10 @@ index 80729b3..93a1b04 100644
+ } + }
+} +}
#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ #endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h diff -up openssh-7.4p1/openbsd-compat/port-linux.h.gsskex openssh-7.4p1/openbsd-compat/port-linux.h
index e2ca8a1..6c5ac3f 100644 --- openssh-7.4p1/openbsd-compat/port-linux.h.gsskex 2016-12-23 13:38:53.712301002 +0100
--- a/openbsd-compat/port-linux.h +++ openssh-7.4p1/openbsd-compat/port-linux.h 2016-12-23 13:38:53.735301006 +0100
+++ b/openbsd-compat/port-linux.h @@ -16,6 +16,7 @@
@@ -18,6 +18,7 @@
#ifndef _PORT_LINUX_H #ifndef _PORT_LINUX_H
#define _PORT_LINUX_H #define _PORT_LINUX_H
@ -3000,7 +2989,7 @@ index e2ca8a1..6c5ac3f 100644
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
int ssh_selinux_enabled(void); int ssh_selinux_enabled(void);
@@ -39,4 +40,8 @@ void oom_adjust_setup(void); @@ -36,4 +37,8 @@ void oom_adjust_setup(void);
void linux_seed(void); void linux_seed(void);
@ -3009,18 +2998,3 @@ index e2ca8a1..6c5ac3f 100644
+ +
+ +
#endif /* ! _PORT_LINUX_H */ #endif /* ! _PORT_LINUX_H */
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 3e6f982..4c2653f 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -213,6 +213,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_write
SC_ALLOW(write),
#endif
+#ifdef __NR_futex
+ SC_ALLOW(futex), /* for GSSAPI Kex */
+#endif
#ifdef __NR_socketcall
SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
#endif


@ -1,14 +1,10 @@
diff --git a/sshd.c b/sshd.c diff --git a/sshd.c b/sshd.c
--- a/sshd.c --- a/sshd.c
+++ b/sshd.c +++ b/sshd.c
@@ -1701,6 +1701,14 @@ main(int ac, char **av) @@ -1701,6 +1701,10 @@ main(int ac, char **av)
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
&cfg, NULL); &cfg, NULL);
+ /* 'UseLogin yes' is not supported in Fedora */
+ if (options.use_login == 1)
+ logit("WARNING: 'UseLogin yes' is not supported in Fedora and may cause several problems.");
+
+ /* 'UsePAM no' is not supported in Fedora */ + /* 'UsePAM no' is not supported in Fedora */
+ if (! options.use_pam) + if (! options.use_pam)
+ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems."); + logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
@ -28,12 +24,3 @@ diff --git a/sshd_config b/sshd_config
UsePAM yes UsePAM yes
#AllowAgentForwarding yes #AllowAgentForwarding yes
@@ -113,6 +115,8 @@ X11Forwarding yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
+# WARNING: 'UseLogin yes' is not supported in Fedora and may cause several
+# problems.
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no


@ -1,6 +1,6 @@
diff -up openssh-7.2p2/auth2.c.expose-pam openssh-7.2p2/auth2.c diff -up openssh-7.4p1/auth2.c.expose-pam openssh-7.4p1/auth2.c
--- openssh-7.2p2/auth2.c.expose-pam 2016-07-18 12:30:12.064783302 +0200 --- openssh-7.4p1/auth2.c.expose-pam 2016-12-23 15:40:26.768447868 +0100
+++ openssh-7.2p2/auth2.c 2016-07-18 12:30:12.124783255 +0200 +++ openssh-7.4p1/auth2.c 2016-12-23 15:40:26.818447876 +0100
@@ -310,6 +310,7 @@ userauth_finish(Authctxt *authctxt, int @@ -310,6 +310,7 @@ userauth_finish(Authctxt *authctxt, int
const char *submethod) const char *submethod)
{ {
@ -28,9 +28,9 @@ diff -up openssh-7.2p2/auth2.c.expose-pam openssh-7.2p2/auth2.c
#ifdef USE_PAM #ifdef USE_PAM
if (options.use_pam && authenticated) { if (options.use_pam && authenticated) {
if (!PRIVSEP(do_pam_account())) { if (!PRIVSEP(do_pam_account())) {
diff -up openssh-7.2p2/auth2-gss.c.expose-pam openssh-7.2p2/auth2-gss.c diff -up openssh-7.4p1/auth2-gss.c.expose-pam openssh-7.4p1/auth2-gss.c
--- openssh-7.2p2/auth2-gss.c.expose-pam 2016-07-18 12:30:12.123783256 +0200 --- openssh-7.4p1/auth2-gss.c.expose-pam 2016-12-23 15:40:26.769447868 +0100
+++ openssh-7.2p2/auth2-gss.c 2016-07-18 12:32:08.034692086 +0200 +++ openssh-7.4p1/auth2-gss.c 2016-12-23 15:40:26.818447876 +0100
@@ -276,6 +276,9 @@ input_gssapi_exchange_complete(int type, @@ -276,6 +276,9 @@ input_gssapi_exchange_complete(int type,
authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
authctxt->pw)); authctxt->pw));
@ -51,9 +51,9 @@ diff -up openssh-7.2p2/auth2-gss.c.expose-pam openssh-7.2p2/auth2-gss.c
buffer_free(&b); buffer_free(&b);
if (micuser != authctxt->user) if (micuser != authctxt->user)
free(micuser); free(micuser);
diff -up openssh-7.2p2/auth2-hostbased.c.expose-pam openssh-7.2p2/auth2-hostbased.c diff -up openssh-7.4p1/auth2-hostbased.c.expose-pam openssh-7.4p1/auth2-hostbased.c
--- openssh-7.2p2/auth2-hostbased.c.expose-pam 2016-07-18 12:30:12.027783331 +0200 --- openssh-7.4p1/auth2-hostbased.c.expose-pam 2016-12-23 15:40:26.731447862 +0100
+++ openssh-7.2p2/auth2-hostbased.c 2016-07-18 12:30:12.124783255 +0200 +++ openssh-7.4p1/auth2-hostbased.c 2016-12-23 15:40:26.818447876 +0100
@@ -60,7 +60,7 @@ userauth_hostbased(Authctxt *authctxt) @@ -60,7 +60,7 @@ userauth_hostbased(Authctxt *authctxt)
{ {
Buffer b; Buffer b;
@ -88,9 +88,9 @@ diff -up openssh-7.2p2/auth2-hostbased.c.expose-pam openssh-7.2p2/auth2-hostbase
buffer_free(&b); buffer_free(&b);
done: done:
diff -up openssh-7.2p2/auth2-pubkey.c.expose-pam openssh-7.2p2/auth2-pubkey.c diff -up openssh-7.4p1/auth2-pubkey.c.expose-pam openssh-7.4p1/auth2-pubkey.c
--- openssh-7.2p2/auth2-pubkey.c.expose-pam 2016-07-18 12:30:12.039783322 +0200 --- openssh-7.4p1/auth2-pubkey.c.expose-pam 2016-12-23 15:40:26.746447864 +0100
+++ openssh-7.2p2/auth2-pubkey.c 2016-07-18 12:30:12.124783255 +0200 +++ openssh-7.4p1/auth2-pubkey.c 2016-12-23 15:40:26.819447876 +0100
@@ -79,7 +79,7 @@ userauth_pubkey(Authctxt *authctxt) @@ -79,7 +79,7 @@ userauth_pubkey(Authctxt *authctxt)
{ {
Buffer b; Buffer b;
@ -100,7 +100,7 @@ diff -up openssh-7.2p2/auth2-pubkey.c.expose-pam openssh-7.2p2/auth2-pubkey.c
u_char *pkblob, *sig; u_char *pkblob, *sig;
u_int alen, blen, slen; u_int alen, blen, slen;
int have_sig, pktype; int have_sig, pktype;
@@ -173,7 +173,8 @@ userauth_pubkey(Authctxt *authctxt) @@ -177,7 +177,8 @@ userauth_pubkey(Authctxt *authctxt)
#ifdef DEBUG_PK #ifdef DEBUG_PK
buffer_dump(&b); buffer_dump(&b);
#endif #endif
@ -110,7 +110,7 @@ diff -up openssh-7.2p2/auth2-pubkey.c.expose-pam openssh-7.2p2/auth2-pubkey.c
/* test for correct signature */ /* test for correct signature */
authenticated = 0; authenticated = 0;
@@ -181,9 +182,12 @@ userauth_pubkey(Authctxt *authctxt) @@ -185,9 +186,12 @@ userauth_pubkey(Authctxt *authctxt)
PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b), PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
buffer_len(&b))) == 1) { buffer_len(&b))) == 1) {
authenticated = 1; authenticated = 1;
@ -123,7 +123,7 @@ diff -up openssh-7.2p2/auth2-pubkey.c.expose-pam openssh-7.2p2/auth2-pubkey.c
} }
buffer_free(&b); buffer_free(&b);
free(sig); free(sig);
@@ -224,7 +228,7 @@ done: @@ -228,7 +232,7 @@ done:
void void
pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
{ {
@ -132,7 +132,7 @@ diff -up openssh-7.2p2/auth2-pubkey.c.expose-pam openssh-7.2p2/auth2-pubkey.c
va_list ap; va_list ap;
int i; int i;
@@ -234,27 +238,13 @@ pubkey_auth_info(Authctxt *authctxt, con @@ -238,27 +242,13 @@ pubkey_auth_info(Authctxt *authctxt, con
i = vasprintf(&extra, fmt, ap); i = vasprintf(&extra, fmt, ap);
va_end(ap); va_end(ap);
if (i < 0 || extra == NULL) if (i < 0 || extra == NULL)
@ -165,9 +165,9 @@ diff -up openssh-7.2p2/auth2-pubkey.c.expose-pam openssh-7.2p2/auth2-pubkey.c
free(extra); free(extra);
} }
diff -up openssh-7.2p2/auth.h.expose-pam openssh-7.2p2/auth.h diff -up openssh-7.4p1/auth.h.expose-pam openssh-7.4p1/auth.h
--- openssh-7.2p2/auth.h.expose-pam 2016-07-18 12:30:12.077783292 +0200 --- openssh-7.4p1/auth.h.expose-pam 2016-12-23 15:40:26.782447870 +0100
+++ openssh-7.2p2/auth.h 2016-07-18 12:30:12.123783256 +0200 +++ openssh-7.4p1/auth.h 2016-12-23 15:40:26.819447876 +0100
@@ -84,6 +84,9 @@ struct Authctxt { @@ -84,6 +84,9 @@ struct Authctxt {
struct sshkey **prev_userkeys; struct sshkey **prev_userkeys;
@ -178,10 +178,10 @@ diff -up openssh-7.2p2/auth.h.expose-pam openssh-7.2p2/auth.h
}; };
/* /*
* Every authentication method has to handle authentication requests for * Every authentication method has to handle authentication requests for
diff -up openssh-7.2p2/auth-pam.c.expose-pam openssh-7.2p2/auth-pam.c diff -up openssh-7.4p1/auth-pam.c.expose-pam openssh-7.4p1/auth-pam.c
--- openssh-7.2p2/auth-pam.c.expose-pam 2016-07-18 12:30:12.026783332 +0200 --- openssh-7.4p1/auth-pam.c.expose-pam 2016-12-23 15:40:26.731447862 +0100
+++ openssh-7.2p2/auth-pam.c 2016-07-18 12:30:12.123783256 +0200 +++ openssh-7.4p1/auth-pam.c 2016-12-23 15:40:26.819447876 +0100
@@ -689,6 +689,11 @@ sshpam_init_ctx(Authctxt *authctxt) @@ -688,6 +688,11 @@ sshpam_init_ctx(Authctxt *authctxt)
return (NULL); return (NULL);
} }
@ -193,9 +193,9 @@ diff -up openssh-7.2p2/auth-pam.c.expose-pam openssh-7.2p2/auth-pam.c
ctxt = xcalloc(1, sizeof *ctxt); ctxt = xcalloc(1, sizeof *ctxt);
/* Start the authentication thread */ /* Start the authentication thread */
diff -up openssh-7.2p2/gss-serv.c.expose-pam openssh-7.2p2/gss-serv.c diff -up openssh-7.4p1/gss-serv.c.expose-pam openssh-7.4p1/gss-serv.c
--- openssh-7.2p2/gss-serv.c.expose-pam 2016-07-18 12:30:12.124783255 +0200 --- openssh-7.4p1/gss-serv.c.expose-pam 2016-12-23 15:40:26.808447874 +0100
+++ openssh-7.2p2/gss-serv.c 2016-07-18 12:33:08.835644264 +0200 +++ openssh-7.4p1/gss-serv.c 2016-12-23 15:40:26.819447876 +0100
@@ -441,6 +441,16 @@ ssh_gssapi_do_child(char ***envp, u_int @@ -441,6 +441,16 @@ ssh_gssapi_do_child(char ***envp, u_int
} }
@ -213,10 +213,10 @@ diff -up openssh-7.2p2/gss-serv.c.expose-pam openssh-7.2p2/gss-serv.c
int int
ssh_gssapi_userok(char *user, struct passwd *pw) ssh_gssapi_userok(char *user, struct passwd *pw)
{ {
diff -up openssh-7.2p2/monitor.c.expose-pam openssh-7.2p2/monitor.c diff -up openssh-7.4p1/monitor.c.expose-pam openssh-7.4p1/monitor.c
--- openssh-7.2p2/monitor.c.expose-pam 2016-07-18 12:30:12.093783279 +0200 --- openssh-7.4p1/monitor.c.expose-pam 2016-12-23 15:40:26.794447872 +0100
+++ openssh-7.2p2/monitor.c 2016-07-18 12:30:12.124783255 +0200 +++ openssh-7.4p1/monitor.c 2016-12-23 15:41:16.473455863 +0100
@@ -349,6 +349,7 @@ monitor_child_preauth(Authctxt *_authctx @@ -300,6 +300,7 @@ monitor_child_preauth(Authctxt *_authctx
{ {
struct mon_table *ent; struct mon_table *ent;
int authenticated = 0, partial = 0; int authenticated = 0, partial = 0;
@ -224,7 +224,7 @@ diff -up openssh-7.2p2/monitor.c.expose-pam openssh-7.2p2/monitor.c
debug3("preauth child monitor started"); debug3("preauth child monitor started");
@@ -386,6 +387,18 @@ monitor_child_preauth(Authctxt *_authctx @@ -330,6 +331,18 @@ monitor_child_preauth(Authctxt *_authctx
auth_submethod = NULL; auth_submethod = NULL;
authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
@ -242,8 +242,8 @@ diff -up openssh-7.2p2/monitor.c.expose-pam openssh-7.2p2/monitor.c
+ +
/* Special handling for multiple required authentications */ /* Special handling for multiple required authentications */
if (options.num_auth_methods != 0) { if (options.num_auth_methods != 0) {
if (!compat20) if (authenticated &&
@@ -1498,6 +1511,10 @@ mm_answer_keyverify(int sock, Buffer *m) @@ -1417,6 +1430,10 @@ mm_answer_keyverify(int sock, Buffer *m)
debug3("%s: key %p signature %s", debug3("%s: key %p signature %s",
__func__, key, (verified == 1) ? "verified" : "unverified"); __func__, key, (verified == 1) ? "verified" : "unverified");
@ -254,7 +254,7 @@ diff -up openssh-7.2p2/monitor.c.expose-pam openssh-7.2p2/monitor.c
/* If auth was successful then record key to ensure it isn't reused */ /* If auth was successful then record key to ensure it isn't reused */
if (verified == 1 && key_blobtype == MM_USERKEY) if (verified == 1 && key_blobtype == MM_USERKEY)
auth2_record_userkey(authctxt, key); auth2_record_userkey(authctxt, key);
@@ -2140,6 +2157,9 @@ mm_answer_gss_userok(int sock, Buffer *m @@ -1860,6 +1877,9 @@ mm_answer_gss_userok(int sock, Buffer *m
auth_method = "gssapi-with-mic"; auth_method = "gssapi-with-mic";
@ -264,43 +264,43 @@ diff -up openssh-7.2p2/monitor.c.expose-pam openssh-7.2p2/monitor.c
/* Monitor loop will terminate if authenticated */ /* Monitor loop will terminate if authenticated */
return (authenticated); return (authenticated);
} }
diff -up openssh-7.2p2/servconf.c.expose-pam openssh-7.2p2/servconf.c diff -up openssh-7.4p1/servconf.c.expose-pam openssh-7.4p1/servconf.c
--- openssh-7.2p2/servconf.c.expose-pam 2016-07-18 12:30:12.112783264 +0200 --- openssh-7.4p1/servconf.c.expose-pam 2016-12-23 15:40:26.810447875 +0100
+++ openssh-7.2p2/servconf.c 2016-07-18 12:34:38.170574004 +0200 +++ openssh-7.4p1/servconf.c 2016-12-23 15:44:04.691482920 +0100
@@ -176,6 +176,7 @@ initialize_server_options(ServerOptions @@ -171,6 +171,7 @@ initialize_server_options(ServerOptions
options->fingerprint_hash = -1; options->disable_forwarding = -1;
options->use_kuserok = -1; options->use_kuserok = -1;
options->enable_k5users = -1; options->enable_k5users = -1;
+ options->expose_auth_methods = -1; + options->expose_auth_methods = -1;
} }
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -374,6 +375,8 @@ fill_default_server_options(ServerOption @@ -354,6 +355,8 @@ fill_default_server_options(ServerOption
options->enable_k5users = 0;
if (options->use_kuserok == -1)
options->use_kuserok = 1; options->use_kuserok = 1;
if (options->enable_k5users == -1)
options->enable_k5users = 0;
+ if (options->expose_auth_methods == -1) + if (options->expose_auth_methods == -1)
+ options->expose_auth_methods = EXPOSE_AUTHMETH_NEVER; + options->expose_auth_methods = EXPOSE_AUTHMETH_NEVER;
assemble_algorithms(options); assemble_algorithms(options);
@@ -451,6 +454,7 @@ typedef enum { @@ -439,6 +442,7 @@ typedef enum {
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
sStreamLocalBindMask, sStreamLocalBindUnlink, sStreamLocalBindMask, sStreamLocalBindUnlink,
sAllowStreamLocalForwarding, sFingerprintHash, sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
+ sExposeAuthenticationMethods, + sExposeAuthenticationMethods,
sDeprecated, sUnsupported sDeprecated, sIgnore, sUnsupported
} ServerOpCodes; } ServerOpCodes;
@@ -606,6 +610,7 @@ static struct { @@ -595,6 +599,7 @@ static struct {
{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
+ { "exposeauthenticationmethods", sExposeAuthenticationMethods, SSHCFG_ALL }, + { "exposeauthenticationmethods", sExposeAuthenticationMethods, SSHCFG_ALL },
{ NULL, sBadOption, 0 } { NULL, sBadOption, 0 }
}; };
@@ -994,6 +999,12 @@ static const struct multistate multistat @@ -984,6 +989,12 @@ static const struct multistate multistat
{ "local", FORWARD_LOCAL }, { "local", FORWARD_LOCAL },
{ NULL, -1 } { NULL, -1 }
}; };
@ -313,7 +313,7 @@ diff -up openssh-7.2p2/servconf.c.expose-pam openssh-7.2p2/servconf.c
int int
process_server_config_line(ServerOptions *options, char *line, process_server_config_line(ServerOptions *options, char *line,
@@ -1918,6 +1929,11 @@ process_server_config_line(ServerOptions @@ -1902,6 +1913,11 @@ process_server_config_line(ServerOptions
options->fingerprint_hash = value; options->fingerprint_hash = value;
break; break;
@ -323,9 +323,9 @@ diff -up openssh-7.2p2/servconf.c.expose-pam openssh-7.2p2/servconf.c
+ goto parse_multistate; + goto parse_multistate;
+ +
case sDeprecated: case sDeprecated:
logit("%s line %d: Deprecated option %s", case sIgnore:
filename, linenum, arg); case sUnsupported:
@@ -2076,6 +2092,7 @@ copy_set_server_options(ServerOptions *d @@ -2060,6 +2076,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(enable_k5users); M_CP_INTOPT(enable_k5users);
M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval); M_CP_INTOPT(rekey_interval);
@ -333,16 +333,16 @@ diff -up openssh-7.2p2/servconf.c.expose-pam openssh-7.2p2/servconf.c
/* /*
* The bind_mask is a mode_t that may be unsigned, so we can't use * The bind_mask is a mode_t that may be unsigned, so we can't use
@@ -2181,6 +2198,8 @@ fmt_intarg(ServerOpCodes code, int val) @@ -2176,6 +2193,8 @@ fmt_intarg(ServerOpCodes code, int val)
return fmt_multistate_int(val, multistate_tcpfwd); return fmt_multistate_int(val, multistate_tcpfwd);
case sFingerprintHash: case sFingerprintHash:
return ssh_digest_alg_name(val); return ssh_digest_alg_name(val);
+ case sExposeAuthenticationMethods: + case sExposeAuthenticationMethods:
+ return fmt_multistate_int(val, multistate_exposeauthmeth); + return fmt_multistate_int(val, multistate_exposeauthmeth);
case sProtocol: default:
switch (val) { switch (val) {
case SSH_PROTO_1: case 0:
@@ -2374,6 +2393,7 @@ dump_config(ServerOptions *o) @@ -2356,6 +2375,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users); dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
@ -350,9 +350,9 @@ diff -up openssh-7.2p2/servconf.c.expose-pam openssh-7.2p2/servconf.c
/* string arguments */ /* string arguments */
dump_cfg_string(sPidFile, o->pid_file); dump_cfg_string(sPidFile, o->pid_file);
diff -up openssh-7.2p2/servconf.h.expose-pam openssh-7.2p2/servconf.h diff -up openssh-7.4p1/servconf.h.expose-pam openssh-7.4p1/servconf.h
--- openssh-7.2p2/servconf.h.expose-pam 2016-07-18 12:30:12.112783264 +0200 --- openssh-7.4p1/servconf.h.expose-pam 2016-12-23 15:40:26.810447875 +0100
+++ openssh-7.2p2/servconf.h 2016-07-18 12:30:12.125783254 +0200 +++ openssh-7.4p1/servconf.h 2016-12-23 15:40:26.821447876 +0100
@@ -48,6 +48,11 @@ @@ -48,6 +48,11 @@
#define FORWARD_LOCAL (1<<1) #define FORWARD_LOCAL (1<<1)
#define FORWARD_ALLOW (FORWARD_REMOTE|FORWARD_LOCAL) #define FORWARD_ALLOW (FORWARD_REMOTE|FORWARD_LOCAL)
@ -365,7 +365,7 @@ diff -up openssh-7.2p2/servconf.h.expose-pam openssh-7.2p2/servconf.h
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
@@ -201,6 +206,8 @@ typedef struct { @@ -195,6 +200,8 @@ typedef struct {
char *auth_methods[MAX_AUTH_METHODS]; char *auth_methods[MAX_AUTH_METHODS];
int fingerprint_hash; int fingerprint_hash;
@ -374,10 +374,10 @@ diff -up openssh-7.2p2/servconf.h.expose-pam openssh-7.2p2/servconf.h
} ServerOptions; } ServerOptions;
/* Information about the incoming connection as used by Match */ /* Information about the incoming connection as used by Match */
diff -up openssh-7.2p2/session.c.expose-pam openssh-7.2p2/session.c diff -up openssh-7.4p1/session.c.expose-pam openssh-7.4p1/session.c
--- openssh-7.2p2/session.c.expose-pam 2016-07-18 12:30:12.120783258 +0200 --- openssh-7.4p1/session.c.expose-pam 2016-12-23 15:40:26.794447872 +0100
+++ openssh-7.2p2/session.c 2016-07-18 12:30:12.125783254 +0200 +++ openssh-7.4p1/session.c 2016-12-23 15:40:26.821447876 +0100
@@ -1180,6 +1180,12 @@ copy_environment(char **source, char *** @@ -997,6 +997,12 @@ copy_environment(char **source, char ***
} }
*var_val++ = '\0'; *var_val++ = '\0';
@ -390,7 +390,7 @@ diff -up openssh-7.2p2/session.c.expose-pam openssh-7.2p2/session.c
debug3("Copy environment: %s=%s", var_name, var_val); debug3("Copy environment: %s=%s", var_name, var_val);
child_set_env(env, envsize, var_name, var_val); child_set_env(env, envsize, var_name, var_val);
@@ -1359,6 +1365,11 @@ do_setup_env(Session *s, const char *she @@ -1173,6 +1179,11 @@ do_setup_env(Session *s, const char *she
} }
#endif /* USE_PAM */ #endif /* USE_PAM */
@ -402,7 +402,7 @@ diff -up openssh-7.2p2/session.c.expose-pam openssh-7.2p2/session.c
if (auth_sock_name != NULL) if (auth_sock_name != NULL)
child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME, child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
auth_sock_name); auth_sock_name);
@@ -2798,6 +2809,9 @@ do_cleanup(Authctxt *authctxt) @@ -2561,6 +2572,9 @@ do_cleanup(Authctxt *authctxt)
if (authctxt == NULL) if (authctxt == NULL)
return; return;
@ -412,10 +412,10 @@ diff -up openssh-7.2p2/session.c.expose-pam openssh-7.2p2/session.c
#ifdef USE_PAM #ifdef USE_PAM
if (options.use_pam) { if (options.use_pam) {
sshpam_cleanup(); sshpam_cleanup();
diff -up openssh-7.2p2/ssh.1.expose-pam openssh-7.2p2/ssh.1 diff -up openssh-7.4p1/ssh.1.expose-pam openssh-7.4p1/ssh.1
--- openssh-7.2p2/ssh.1.expose-pam 2016-07-18 12:30:12.112783264 +0200 --- openssh-7.4p1/ssh.1.expose-pam 2016-12-23 15:40:26.810447875 +0100
+++ openssh-7.2p2/ssh.1 2016-07-18 12:30:12.126783253 +0200 +++ openssh-7.4p1/ssh.1 2016-12-23 15:40:26.822447877 +0100
@@ -1396,6 +1396,10 @@ server IP address, and server port numbe @@ -1421,6 +1421,10 @@ server IP address, and server port numbe
This variable contains the original command line if a forced command This variable contains the original command line if a forced command
is executed. is executed.
It can be used to extract the original arguments. It can be used to extract the original arguments.
@ -426,13 +426,13 @@ diff -up openssh-7.2p2/ssh.1.expose-pam openssh-7.2p2/ssh.1
.It Ev SSH_TTY .It Ev SSH_TTY
This is set to the name of the tty (path to the device) associated This is set to the name of the tty (path to the device) associated
with the current shell or command. with the current shell or command.
diff -up openssh-7.2p2/sshd_config.5.expose-pam openssh-7.2p2/sshd_config.5 diff -up openssh-7.4p1/sshd_config.5.expose-pam openssh-7.4p1/sshd_config.5
--- openssh-7.2p2/sshd_config.5.expose-pam 2016-07-18 12:30:12.113783263 +0200 --- openssh-7.4p1/sshd_config.5.expose-pam 2016-12-23 15:40:26.822447877 +0100
+++ openssh-7.2p2/sshd_config.5 2016-07-18 12:30:12.126783253 +0200 +++ openssh-7.4p1/sshd_config.5 2016-12-23 15:45:22.411495421 +0100
@@ -570,6 +570,21 @@ and finally @@ -570,6 +570,21 @@ Disables all forwarding features, includ
See PATTERNS in TCP and StreamLocal.
.Xr ssh_config 5 This option overrides all other forwarding-related options and may
for more information on patterns. simplify restricted configurations.
+.It Cm ExposeAuthenticationMethods +.It Cm ExposeAuthenticationMethods
+When using SSH2, this option controls the exposure of the list of +When using SSH2, this option controls the exposure of the list of
+successful authentication methods to PAM during the authentication +successful authentication methods to PAM during the authentication
@ -440,20 +440,20 @@ diff -up openssh-7.2p2/sshd_config.5.expose-pam openssh-7.2p2/sshd_config.5
+.Cm SSH_USER_AUTH +.Cm SSH_USER_AUTH
+variable. See the description of this variable for more details. +variable. See the description of this variable for more details.
+Valid options are: +Valid options are:
+.Dq never +.Cm never
+(Do not expose successful authentication methods), +(Do not expose successful authentication methods),
+.Dq pam-only +.Cm pam-only
+(Only expose them to PAM during authentication, not afterwards), +(Only expose them to PAM during authentication, not afterwards),
+.Dq pam-and-env +.Cm pam-and-env
+(Expose them to PAM and keep them in the shell environment). +(Expose them to PAM and keep them in the shell environment).
+The default is +The default is
+.Dq never . +.Cm never .
.It Cm FingerprintHash .It Cm FingerprintHash
Specifies the hash algorithm used when logging key fingerprints. Specifies the hash algorithm used when logging key fingerprints.
Valid options are: Valid options are:
diff -up openssh-7.2p2/ssh-gss.h.expose-pam openssh-7.2p2/ssh-gss.h diff -up openssh-7.4p1/ssh-gss.h.expose-pam openssh-7.4p1/ssh-gss.h
--- openssh-7.2p2/ssh-gss.h.expose-pam 2016-07-18 12:30:12.125783254 +0200 --- openssh-7.4p1/ssh-gss.h.expose-pam 2016-12-23 15:40:26.811447875 +0100
+++ openssh-7.2p2/ssh-gss.h 2016-07-18 12:35:01.906555328 +0200 +++ openssh-7.4p1/ssh-gss.h 2016-12-23 15:40:26.823447877 +0100
@@ -159,6 +159,7 @@ int ssh_gssapi_server_check_mech(Gssctxt @@ -159,6 +159,7 @@ int ssh_gssapi_server_check_mech(Gssctxt
const char *); const char *);
OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
@ -462,10 +462,10 @@ diff -up openssh-7.2p2/ssh-gss.h.expose-pam openssh-7.2p2/ssh-gss.h
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *); void ssh_gssapi_do_child(char ***, u_int *);
void ssh_gssapi_cleanup_creds(void); void ssh_gssapi_cleanup_creds(void);
diff -up openssh-7.2p2/sshkey.c.expose-pam openssh-7.2p2/sshkey.c diff -up openssh-7.4p1/sshkey.c.expose-pam openssh-7.4p1/sshkey.c
--- openssh-7.2p2/sshkey.c.expose-pam 2016-07-18 12:30:12.071783296 +0200 --- openssh-7.4p1/sshkey.c.expose-pam 2016-12-23 15:40:26.777447869 +0100
+++ openssh-7.2p2/sshkey.c 2016-07-18 12:30:12.126783253 +0200 +++ openssh-7.4p1/sshkey.c 2016-12-23 15:40:26.823447877 +0100
@@ -58,6 +58,7 @@ @@ -57,6 +57,7 @@
#define SSHKEY_INTERNAL #define SSHKEY_INTERNAL
#include "sshkey.h" #include "sshkey.h"
#include "match.h" #include "match.h"
@ -473,7 +473,7 @@ diff -up openssh-7.2p2/sshkey.c.expose-pam openssh-7.2p2/sshkey.c
/* openssh private key file format */ /* openssh private key file format */
#define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
@@ -1190,6 +1191,30 @@ sshkey_fingerprint(const struct sshkey * @@ -1191,6 +1192,30 @@ sshkey_fingerprint(const struct sshkey *
return retval; return retval;
} }
@ -504,9 +504,9 @@ diff -up openssh-7.2p2/sshkey.c.expose-pam openssh-7.2p2/sshkey.c
#ifdef WITH_SSH1 #ifdef WITH_SSH1
/* /*
* Reads a multiple-precision integer in decimal from the buffer, and advances * Reads a multiple-precision integer in decimal from the buffer, and advances
diff -up openssh-7.2p2/sshkey.h.expose-pam openssh-7.2p2/sshkey.h diff -up openssh-7.4p1/sshkey.h.expose-pam openssh-7.4p1/sshkey.h
--- openssh-7.2p2/sshkey.h.expose-pam 2016-07-18 12:30:12.071783296 +0200 --- openssh-7.4p1/sshkey.h.expose-pam 2016-12-23 15:40:26.777447869 +0100
+++ openssh-7.2p2/sshkey.h 2016-07-18 12:30:12.127783252 +0200 +++ openssh-7.4p1/sshkey.h 2016-12-23 15:40:26.823447877 +0100
@@ -124,6 +124,7 @@ char *sshkey_fingerprint(const struct s @@ -124,6 +124,7 @@ char *sshkey_fingerprint(const struct s
int, enum sshkey_fp_rep); int, enum sshkey_fp_rep);
int sshkey_fingerprint_raw(const struct sshkey *k, int sshkey_fingerprint_raw(const struct sshkey *k,


@ -1,48 +0,0 @@
From 28652bca29046f62c7045e933e6b931de1d16737 Mon Sep 17 00:00:00 2001
From: "markus@openbsd.org" <markus@openbsd.org>
Date: Mon, 19 Sep 2016 19:02:19 +0000
Subject: upstream commit
move inbound NEWKEYS handling to kex layer; otherwise
early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed
with & ok djm@
Upstream-ID: 9a68b882892e9f51dc7bfa9f5a423858af358b2f
---
kex.c | 4 +++-
packet.c | 6 ++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/kex.c b/kex.c
index f4c130f..8800d40 100644
--- a/kex.c
+++ b/kex.c
@@ -425,6 +425,8 @@ kex_input_newkeys(int type, u_int32_t seq, void *ctxt)
ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
if ((r = sshpkt_get_end(ssh)) != 0)
return r;
+ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
+ return r;
kex->done = 1;
sshbuf_reset(kex->peer);
/* sshbuf_reset(kex->my); */
diff --git a/packet.c b/packet.c
index 711091d..fb316ac 100644
--- a/packet.c
+++ b/packet.c
@@ -1907,9 +1907,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
return r;
return SSH_ERR_PROTOCOL_ERROR;
}
- if (*typep == SSH2_MSG_NEWKEYS)
- r = ssh_set_newkeys(ssh, MODE_IN);
- else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
+ if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
r = ssh_packet_enable_delayed_compress(ssh);
else
r = 0;
--
cgit v0.12
0



@ -1,7 +1,7 @@
diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
--- openssh-6.6p1/channels.c.x11max 2016-06-27 16:28:49.803631684 +0200 --- openssh-7.4p1/channels.c.x11max 2016-12-23 15:46:32.071506625 +0100
+++ openssh-6.6p1/channels.c 2016-06-27 16:28:49.814631678 +0200 +++ openssh-7.4p1/channels.c 2016-12-23 15:46:32.139506636 +0100
@@ -138,8 +138,8 @@ static int all_opens_permitted = 0; @@ -152,8 +152,8 @@ static int all_opens_permitted = 0;
/* -- X11 forwarding */ /* -- X11 forwarding */
@ -12,7 +12,7 @@ diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
/* Saved X11 local (client) display. */ /* Saved X11 local (client) display. */
static char *x11_saved_display = NULL; static char *x11_saved_display = NULL;
@@ -3445,7 +3445,8 @@ channel_send_window_changes(void) @@ -4228,7 +4228,8 @@ channel_send_window_changes(void)
*/ */
int int
x11_create_display_inet(int x11_display_offset, int x11_use_localhost, x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
@ -22,7 +22,7 @@ diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
{ {
Channel *nc = NULL; Channel *nc = NULL;
int display_number, sock; int display_number, sock;
@@ -3457,10 +3458,15 @@ x11_create_display_inet(int x11_display_ @@ -4240,10 +4241,15 @@ x11_create_display_inet(int x11_display_
if (chanids == NULL) if (chanids == NULL)
return -1; return -1;
@ -40,7 +40,7 @@ diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
memset(&hints, 0, sizeof(hints)); memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6; hints.ai_family = IPv4or6;
hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE; hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
@@ -3512,7 +3518,7 @@ x11_create_display_inet(int x11_display_ @@ -4295,7 +4301,7 @@ x11_create_display_inet(int x11_display_
if (num_socks > 0) if (num_socks > 0)
break; break;
} }
@ -49,7 +49,7 @@ diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
error("Failed to allocate internet-domain X11 display socket."); error("Failed to allocate internet-domain X11 display socket.");
return -1; return -1;
} }
@@ -3658,7 +3664,7 @@ x11_connect_display(void) @@ -4441,7 +4447,7 @@ x11_connect_display(void)
memset(&hints, 0, sizeof(hints)); memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6; hints.ai_family = IPv4or6;
hints.ai_socktype = SOCK_STREAM; hints.ai_socktype = SOCK_STREAM;
@ -58,7 +58,7 @@ diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
error("%.100s: unknown host. (%s)", buf, error("%.100s: unknown host. (%s)", buf,
ssh_gai_strerror(gaierr)); ssh_gai_strerror(gaierr));
@@ -3674,7 +3680,7 @@ x11_connect_display(void) @@ -4457,7 +4463,7 @@ x11_connect_display(void)
/* Connect it to the display. */ /* Connect it to the display. */
if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
debug2("connect %.100s port %u: %.100s", buf, debug2("connect %.100s port %u: %.100s", buf,
@ -67,7 +67,7 @@ diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
close(sock); close(sock);
continue; continue;
} }
@@ -3683,8 +3689,8 @@ x11_connect_display(void) @@ -4466,8 +4472,8 @@ x11_connect_display(void)
} }
freeaddrinfo(aitop); freeaddrinfo(aitop);
if (!ai) { if (!ai) {
@ -78,10 +78,10 @@ diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
return -1; return -1;
} }
set_nodelay(sock); set_nodelay(sock);
diff -up openssh-6.6p1/channels.h.x11max openssh-6.6p1/channels.h diff -up openssh-7.4p1/channels.h.x11max openssh-7.4p1/channels.h
--- openssh-6.6p1/channels.h.x11max 2016-06-27 16:28:49.814631678 +0200 --- openssh-7.4p1/channels.h.x11max 2016-12-19 05:59:41.000000000 +0100
+++ openssh-6.6p1/channels.h 2016-06-27 16:31:18.925557840 +0200 +++ openssh-7.4p1/channels.h 2016-12-23 15:46:32.139506636 +0100
@@ -281,7 +281,7 @@ int permitopen_port(const char *); @@ -293,7 +293,7 @@ int permitopen_port(const char *);
void channel_set_x11_refuse_time(u_int); void channel_set_x11_refuse_time(u_int);
int x11_connect_display(void); int x11_connect_display(void);
@ -90,10 +90,10 @@ diff -up openssh-6.6p1/channels.h.x11max openssh-6.6p1/channels.h
int x11_input_open(int, u_int32_t, void *); int x11_input_open(int, u_int32_t, void *);
void x11_request_forwarding_with_spoofing(int, const char *, const char *, void x11_request_forwarding_with_spoofing(int, const char *, const char *,
const char *, int); const char *, int);
diff -up openssh-6.6p1/servconf.c.x11max openssh-6.6p1/servconf.c diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
--- openssh-6.6p1/servconf.c.x11max 2016-06-27 16:28:49.808631681 +0200 --- openssh-7.4p1/servconf.c.x11max 2016-12-23 15:46:32.133506635 +0100
+++ openssh-6.6p1/servconf.c 2016-06-27 16:30:46.941573678 +0200 +++ openssh-7.4p1/servconf.c 2016-12-23 15:47:27.320519121 +0100
@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions @@ -95,6 +95,7 @@ initialize_server_options(ServerOptions
options->print_lastlog = -1; options->print_lastlog = -1;
options->x11_forwarding = -1; options->x11_forwarding = -1;
options->x11_display_offset = -1; options->x11_display_offset = -1;
@ -101,7 +101,7 @@ diff -up openssh-6.6p1/servconf.c.x11max openssh-6.6p1/servconf.c
options->x11_use_localhost = -1; options->x11_use_localhost = -1;
options->permit_tty = -1; options->permit_tty = -1;
options->permit_user_rc = -1; options->permit_user_rc = -1;
@@ -219,6 +220,8 @@ fill_default_server_options(ServerOption @@ -243,6 +244,8 @@ fill_default_server_options(ServerOption
options->x11_forwarding = 0; options->x11_forwarding = 0;
if (options->x11_display_offset == -1) if (options->x11_display_offset == -1)
options->x11_display_offset = 10; options->x11_display_offset = 10;
@ -110,16 +110,16 @@ diff -up openssh-6.6p1/servconf.c.x11max openssh-6.6p1/servconf.c
if (options->x11_use_localhost == -1) if (options->x11_use_localhost == -1)
options->x11_use_localhost = 1; options->x11_use_localhost = 1;
if (options->xauth_location == NULL) if (options->xauth_location == NULL)
@@ -364,7 +367,7 @@ typedef enum { @@ -419,7 +422,7 @@ typedef enum {
sPasswordAuthentication, sKbdInteractiveAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily, sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts, sPrintMotd, sPrintLastLog, sIgnoreRhosts,
- sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, - sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
+ sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost, + sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost,
sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
@@ -476,6 +479,7 @@ static struct { @@ -540,6 +543,7 @@ static struct {
{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
{ "x11forwarding", sX11Forwarding, SSHCFG_ALL }, { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL }, { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
@ -127,9 +127,9 @@ diff -up openssh-6.6p1/servconf.c.x11max openssh-6.6p1/servconf.c
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL }, { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -1202,6 +1206,10 @@ process_server_config_line(ServerOptions @@ -1316,6 +1320,10 @@ process_server_config_line(ServerOptions
intptr = &options->x11_display_offset; *intptr = value;
goto parse_int; break;
+ case sX11MaxDisplays: + case sX11MaxDisplays:
+ intptr = &options->x11_max_displays; + intptr = &options->x11_max_displays;
@ -138,7 +138,7 @@ diff -up openssh-6.6p1/servconf.c.x11max openssh-6.6p1/servconf.c
case sX11UseLocalhost: case sX11UseLocalhost:
intptr = &options->x11_use_localhost; intptr = &options->x11_use_localhost;
goto parse_flag; goto parse_flag;
@@ -1889,6 +1897,7 @@ copy_set_server_options(ServerOptions *d @@ -2063,6 +2071,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink); M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
M_CP_INTOPT(x11_display_offset); M_CP_INTOPT(x11_display_offset);
M_CP_INTOPT(x11_forwarding); M_CP_INTOPT(x11_forwarding);
@ -146,17 +146,17 @@ diff -up openssh-6.6p1/servconf.c.x11max openssh-6.6p1/servconf.c
M_CP_INTOPT(x11_use_localhost); M_CP_INTOPT(x11_use_localhost);
M_CP_INTOPT(permit_tty); M_CP_INTOPT(permit_tty);
M_CP_INTOPT(permit_user_rc); M_CP_INTOPT(permit_user_rc);
@@ -2106,6 +2115,7 @@ dump_config(ServerOptions *o) @@ -2315,6 +2324,7 @@ dump_config(ServerOptions *o)
#endif
dump_cfg_int(sLoginGraceTime, o->login_grace_time); dump_cfg_int(sLoginGraceTime, o->login_grace_time);
dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset); dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
+ dump_cfg_int(sX11MaxDisplays, o->x11_max_displays); + dump_cfg_int(sX11MaxDisplays, o->x11_max_displays);
dump_cfg_int(sMaxAuthTries, o->max_authtries); dump_cfg_int(sMaxAuthTries, o->max_authtries);
dump_cfg_int(sMaxSessions, o->max_sessions); dump_cfg_int(sMaxSessions, o->max_sessions);
dump_cfg_int(sClientAliveInterval, o->client_alive_interval); dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
diff -up openssh-6.6p1/servconf.h.x11max openssh-6.6p1/servconf.h diff -up openssh-7.4p1/servconf.h.x11max openssh-7.4p1/servconf.h
--- openssh-6.6p1/servconf.h.x11max 2016-06-27 16:28:49.809631681 +0200 --- openssh-7.4p1/servconf.h.x11max 2016-12-23 15:46:32.133506635 +0100
+++ openssh-6.6p1/servconf.h 2016-06-27 16:28:49.815631678 +0200 +++ openssh-7.4p1/servconf.h 2016-12-23 15:46:32.140506636 +0100
@@ -55,6 +55,7 @@ @@ -55,6 +55,7 @@
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
@ -173,10 +173,10 @@ diff -up openssh-6.6p1/servconf.h.x11max openssh-6.6p1/servconf.h
int x11_use_localhost; /* If true, use localhost for fake X11 server. */ int x11_use_localhost; /* If true, use localhost for fake X11 server. */
char *xauth_location; /* Location of xauth program */ char *xauth_location; /* Location of xauth program */
int permit_tty; /* If false, deny pty allocation */ int permit_tty; /* If false, deny pty allocation */
diff -up openssh-6.6p1/session.c.x11max openssh-6.6p1/session.c diff -up openssh-7.4p1/session.c.x11max openssh-7.4p1/session.c
--- openssh-6.6p1/session.c.x11max 2016-06-27 16:28:49.809631681 +0200 --- openssh-7.4p1/session.c.x11max 2016-12-23 15:46:32.136506636 +0100
+++ openssh-6.6p1/session.c 2016-06-27 16:28:49.815631678 +0200 +++ openssh-7.4p1/session.c 2016-12-23 15:46:32.141506636 +0100
@@ -2741,8 +2741,9 @@ session_setup_x11fwd(Session *s) @@ -2518,8 +2518,9 @@ session_setup_x11fwd(Session *s)
return 0; return 0;
} }
if (x11_create_display_inet(options.x11_display_offset, if (x11_create_display_inet(options.x11_display_offset,
@ -188,10 +188,10 @@ diff -up openssh-6.6p1/session.c.x11max openssh-6.6p1/session.c
debug("x11_create_display_inet failed."); debug("x11_create_display_inet failed.");
return 0; return 0;
} }
diff -up openssh-6.6p1/sshd_config.5.x11max openssh-6.6p1/sshd_config.5 diff -up openssh-7.4p1/sshd_config.5.x11max openssh-7.4p1/sshd_config.5
--- openssh-6.6p1/sshd_config.5.x11max 2016-06-27 16:28:49.809631681 +0200 --- openssh-7.4p1/sshd_config.5.x11max 2016-12-23 15:46:32.134506635 +0100
+++ openssh-6.6p1/sshd_config.5 2016-06-27 16:32:01.253536879 +0200 +++ openssh-7.4p1/sshd_config.5 2016-12-23 15:46:32.141506636 +0100
@@ -930,6 +930,7 @@ Available keywords are @@ -1133,6 +1133,7 @@ Available keywords are
.Cm StreamLocalBindUnlink , .Cm StreamLocalBindUnlink ,
.Cm TrustedUserCAKeys , .Cm TrustedUserCAKeys ,
.Cm X11DisplayOffset , .Cm X11DisplayOffset ,
@ -199,7 +199,7 @@ diff -up openssh-6.6p1/sshd_config.5.x11max openssh-6.6p1/sshd_config.5
.Cm X11Forwarding .Cm X11Forwarding
and and
.Cm X11UseLocalHost . .Cm X11UseLocalHost .
@@ -1339,6 +1340,12 @@ Specifies the first display number avail @@ -1566,6 +1567,12 @@ Specifies the first display number avail
X11 forwarding. X11 forwarding.
This prevents sshd from interfering with real X11 servers. This prevents sshd from interfering with real X11 servers.
The default is 10. The default is 10.


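--- /dev/null
+++ b/openssh-7.4p1-daemon.patch
@@ -0,0 +1,12 @@
+diff -up openssh-7.4p1/sshd.c.daemon openssh-7.4p1/sshd.c
+--- openssh-7.4p1/sshd.c.daemon	2017-01-02 15:32:56.618447579 +0100
++++ openssh-7.4p1/sshd.c	2017-01-02 15:33:07.606442751 +0100
+@@ -1943,7 +1943,7 @@ main(int ac, char **av)
+ 	 * terminal, and fork. The original process exits.
+ 	 */
+ 	already_daemon = daemonized();
+-	if (!(debug_flag || inetd_flag || no_daemon_flag || already_daemon)) {
++	if (!(debug_flag || inetd_flag || no_daemon_flag /*|| already_daemon*/)) {
+ 
+ 		if (daemon(0, 0) < 0)
+ 			fatal("daemon() failed: %.200s", strerror(errno));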
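Review bot: Commenting out `|| already_daemon` in the `if` condition leaves `already_daemon = daemonized();` on the line above as a variable that is assigned but never read, so the build now carries a dead daemonized() call and a -Wunused-but-set-variable warning; if the check is meant to be bypassed, remove both lines rather than leaving the expression half-commented, e.g. `if (!(debug_flag || inetd_flag || no_daemon_flag)) {`. The bypass is also unconditional: any sshd started without -d, -i or -D now goes through `daemon(0, 0)` (chdir to /, stdio to /dev/null, another fork) even when it is already detached, not only in the systemd case bz#2641 is about — presumably harmless for a detached process, but the patch header should state that and the condition for dropping the workaround. The enclosing main() continues outside the hunk.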


@ -65,10 +65,10 @@
%endif %endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 7.3p1 %global openssh_ver 7.4p1
%global openssh_rel 7 %global openssh_rel 1
%global pam_ssh_agent_ver 0.10.2 %global pam_ssh_agent_ver 0.10.2
%global pam_ssh_agent_rel 4 %global pam_ssh_agent_rel 5
Summary: An open source implementation of SSH protocol versions 1 and 2 Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh Name: openssh
@ -223,10 +223,10 @@ Patch939: openssh-7.2p2-s390-closefrom.patch
Patch940: openssh-7.2p2-expose-pam.patch Patch940: openssh-7.2p2-expose-pam.patch
# Rework SELinux context handling with chroot (#1357860) # Rework SELinux context handling with chroot (#1357860)
Patch942: openssh-7.2p2-chroot-capabilities.patch Patch942: openssh-7.2p2-chroot-capabilities.patch
# Null dereference in newkeys code (#1380297)
Patch943: openssh-7.3p1-null-deref.patch
# Move MAX_DISPLAYS to a configuration option (#1341302) # Move MAX_DISPLAYS to a configuration option (#1341302)
Patch944: openssh-7.3p1-x11-max-displays.patch Patch944: openssh-7.3p1-x11-max-displays.patch
# Temporary workaround for upstream (#2641)
Patch945: openssh-7.4p1-daemon.patch
License: BSD License: BSD
@ -459,8 +459,8 @@ popd
%patch939 -p1 -b .s390-dev %patch939 -p1 -b .s390-dev
%patch940 -p1 -b .expose-pam %patch940 -p1 -b .expose-pam
%patch942 -p1 -b .chroot-cap %patch942 -p1 -b .chroot-cap
%patch943 -p1 -b .deref
%patch944 -p1 -b .x11max %patch944 -p1 -b .x11max
%patch945 -p1 -b .daemon
%patch200 -p1 -b .audit %patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race %patch201 -p1 -b .audit-race
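Review bot: The comment above the new `Patch945` entry in the patch-list hunk says only "Temporary workaround for upstream (#2641)" and records neither what the patch disables nor when it can be dropped, which is exactly what the next rebaser needs; suggest `# Temporary workaround for upstream bz#2641: bypass sshd's daemonized() check so it still forks under systemd; drop once upstream resolves the bug`. Separately, `Summary:` in the first hunk still advertises "SSH protocol versions 1 and 2" while the package moves to 7.4p1, which dropped server-side SSH1; unless the client is still built with SSH1 support, the line should become `Summary: An open source implementation of SSH protocol version 2`.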


@ -1,2 +1,2 @@
a212baca7ce11d596bd8dcb222859ace pam_ssh_agent_auth-0.10.2.tar.bz2 SHA512 (openssh-7.4p1.tar.gz) = 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292
dfadd9f035d38ce5d58a3bf130b86d08 openssh-7.3p1.tar.gz SHA512 (pam_ssh_agent_auth-0.10.2.tar.bz2) = b4b9bc4486d873f236f7c54874c996e24f344f889dfda3beadb12b97cbb89078028a103a4a7175cd919fb0a12fd5bcefef50420510ae5eff9252e494e0124b38