rebase to openssh-6.2p1 (#924727)

ACSS was removed from upstream sources
Petr Lautrbach 2013-04-04 16:42:32 +02:00
parent 811ec1dd36
commit 8a29dedfa7
20 changed files with 1141 additions and 1151 deletions

.gitignore vendored

@ -8,3 +8,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/pam_ssh_agent_auth-0.9.3.tar.bz2 /pam_ssh_agent_auth-0.9.3.tar.bz2
/openssh-6.0p1-noacss.tar.bz2 /openssh-6.0p1-noacss.tar.bz2
/openssh-6.1p1-noacss.tar.bz2 /openssh-6.1p1-noacss.tar.bz2
/openssh-6.2p1.tar.gz


@ -1,6 +1,6 @@
diff -up openssh-6.0p1/audit-bsm.c.audit1 openssh-6.0p1/audit-bsm.c diff -up openssh-6.2p1/audit-bsm.c.audit1 openssh-6.2p1/audit-bsm.c
--- openssh-6.0p1/audit-bsm.c.audit1 2012-02-24 00:40:43.000000000 +0100 --- openssh-6.2p1/audit-bsm.c.audit1 2012-02-24 00:40:43.000000000 +0100
+++ openssh-6.0p1/audit-bsm.c 2012-08-06 20:33:24.416382804 +0200 +++ openssh-6.2p1/audit-bsm.c 2013-03-25 17:18:30.934758118 +0100
@@ -375,10 +375,23 @@ audit_connection_from(const char *host, @@ -375,10 +375,23 @@ audit_connection_from(const char *host,
#endif #endif
} }
@ -26,9 +26,9 @@ diff -up openssh-6.0p1/audit-bsm.c.audit1 openssh-6.0p1/audit-bsm.c
} }
void void
diff -up openssh-6.0p1/audit.c.audit1 openssh-6.0p1/audit.c diff -up openssh-6.2p1/audit.c.audit1 openssh-6.2p1/audit.c
--- openssh-6.0p1/audit.c.audit1 2011-01-17 11:15:30.000000000 +0100 --- openssh-6.2p1/audit.c.audit1 2011-01-17 11:15:30.000000000 +0100
+++ openssh-6.0p1/audit.c 2012-08-06 20:33:24.417382801 +0200 +++ openssh-6.2p1/audit.c 2013-03-25 17:18:30.934758118 +0100
@@ -140,6 +140,17 @@ audit_event(ssh_audit_event_t event) @@ -140,6 +140,17 @@ audit_event(ssh_audit_event_t event)
} }
@ -79,9 +79,9 @@ diff -up openssh-6.0p1/audit.c.audit1 openssh-6.0p1/audit.c
+ +
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff -up openssh-6.0p1/audit.h.audit1 openssh-6.0p1/audit.h diff -up openssh-6.2p1/audit.h.audit1 openssh-6.2p1/audit.h
--- openssh-6.0p1/audit.h.audit1 2011-01-17 11:15:30.000000000 +0100 --- openssh-6.2p1/audit.h.audit1 2011-01-17 11:15:30.000000000 +0100
+++ openssh-6.0p1/audit.h 2012-08-06 20:33:24.417382801 +0200 +++ openssh-6.2p1/audit.h 2013-03-25 17:18:30.934758118 +0100
@@ -49,9 +49,11 @@ typedef enum ssh_audit_event_type ssh_au @@ -49,9 +49,11 @@ typedef enum ssh_audit_event_type ssh_au
void audit_connection_from(const char *, int); void audit_connection_from(const char *, int);
@ -95,9 +95,9 @@ diff -up openssh-6.0p1/audit.h.audit1 openssh-6.0p1/audit.h
ssh_audit_event_t audit_classify_auth(const char *); ssh_audit_event_t audit_classify_auth(const char *);
#endif /* _SSH_AUDIT_H */ #endif /* _SSH_AUDIT_H */
diff -up openssh-6.0p1/audit-linux.c.audit1 openssh-6.0p1/audit-linux.c diff -up openssh-6.2p1/audit-linux.c.audit1 openssh-6.2p1/audit-linux.c
--- openssh-6.0p1/audit-linux.c.audit1 2011-01-17 11:15:30.000000000 +0100 --- openssh-6.2p1/audit-linux.c.audit1 2011-01-17 11:15:30.000000000 +0100
+++ openssh-6.0p1/audit-linux.c 2012-08-06 20:33:24.416382804 +0200 +++ openssh-6.2p1/audit-linux.c 2013-03-25 17:18:30.934758118 +0100
@@ -35,13 +35,20 @@ @@ -35,13 +35,20 @@
#include "log.h" #include "log.h"
@ -313,9 +313,9 @@ diff -up openssh-6.0p1/audit-linux.c.audit1 openssh-6.0p1/audit-linux.c
break; break;
default: default:
diff -up openssh-6.0p1/monitor.c.audit1 openssh-6.0p1/monitor.c diff -up openssh-6.2p1/monitor.c.audit1 openssh-6.2p1/monitor.c
--- openssh-6.0p1/monitor.c.audit1 2012-08-06 20:33:24.410382828 +0200 --- openssh-6.2p1/monitor.c.audit1 2013-03-25 17:18:30.913757986 +0100
+++ openssh-6.0p1/monitor.c 2012-08-06 20:33:24.418382797 +0200 +++ openssh-6.2p1/monitor.c 2013-03-25 17:18:30.935758124 +0100
@@ -185,6 +185,7 @@ int mm_answer_gss_checkmic(int, Buffer * @@ -185,6 +185,7 @@ int mm_answer_gss_checkmic(int, Buffer *
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
int mm_answer_audit_event(int, Buffer *); int mm_answer_audit_event(int, Buffer *);
@ -340,7 +340,7 @@ diff -up openssh-6.0p1/monitor.c.audit1 openssh-6.0p1/monitor.c
#endif #endif
{0, 0, NULL} {0, 0, NULL}
}; };
@@ -1427,6 +1430,12 @@ mm_session_close(Session *s) @@ -1433,6 +1436,12 @@ mm_session_close(Session *s)
debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
session_pty_cleanup2(s); session_pty_cleanup2(s);
} }
@ -353,7 +353,7 @@ diff -up openssh-6.0p1/monitor.c.audit1 openssh-6.0p1/monitor.c
session_unused(s->self); session_unused(s->self);
} }
@@ -1751,11 +1760,44 @@ mm_answer_audit_command(int socket, Buff @@ -1755,11 +1764,44 @@ mm_answer_audit_command(int socket, Buff
{ {
u_int len; u_int len;
char *cmd; char *cmd;
@ -399,21 +399,24 @@ diff -up openssh-6.0p1/monitor.c.audit1 openssh-6.0p1/monitor.c
xfree(cmd); xfree(cmd);
return (0); return (0);
} }
diff -up openssh-6.0p1/monitor.h.audit1 openssh-6.0p1/monitor.h diff -up openssh-6.2p1/monitor.h.audit1 openssh-6.2p1/monitor.h
--- openssh-6.0p1/monitor.h.audit1 2011-06-20 06:42:23.000000000 +0200 --- openssh-6.2p1/monitor.h.audit1 2013-03-25 17:18:30.935758124 +0100
+++ openssh-6.0p1/monitor.h 2012-08-06 20:33:24.418382797 +0200 +++ openssh-6.2p1/monitor.h 2013-03-25 17:24:53.474078078 +0100
@@ -60,6 +60,7 @@ enum monitor_reqtype { @@ -68,7 +68,9 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND, MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX, MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND, MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
+ MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND, - MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
MONITOR_REQ_TERM, + MONITOR_REQ_AUDIT_EVENT = 112,
MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1, + MONITOR_REQ_AUDIT_COMMAND = 114, MONITOR_ANS_AUDIT_COMMAND = 115,
MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA, + MONITOR_REQ_AUDIT_END_COMMAND = 116
diff -up openssh-6.0p1/monitor_wrap.c.audit1 openssh-6.0p1/monitor_wrap.c
--- openssh-6.0p1/monitor_wrap.c.audit1 2012-08-06 20:33:24.384382930 +0200 };
+++ openssh-6.0p1/monitor_wrap.c 2012-08-06 20:33:24.419382793 +0200
@@ -1188,10 +1188,11 @@ mm_audit_event(ssh_audit_event_t event) diff -up openssh-6.2p1/monitor_wrap.c.audit1 openssh-6.2p1/monitor_wrap.c
--- openssh-6.2p1/monitor_wrap.c.audit1 2013-03-25 17:18:30.913757986 +0100
+++ openssh-6.2p1/monitor_wrap.c 2013-03-25 17:18:30.936758131 +0100
@@ -1189,10 +1189,11 @@ mm_audit_event(ssh_audit_event_t event)
buffer_free(&m); buffer_free(&m);
} }
@ -426,7 +429,7 @@ diff -up openssh-6.0p1/monitor_wrap.c.audit1 openssh-6.0p1/monitor_wrap.c
debug3("%s entering command %s", __func__, command); debug3("%s entering command %s", __func__, command);
@@ -1199,6 +1200,26 @@ mm_audit_run_command(const char *command @@ -1200,6 +1201,26 @@ mm_audit_run_command(const char *command
buffer_put_cstring(&m, command); buffer_put_cstring(&m, command);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);
@ -453,9 +456,9 @@ diff -up openssh-6.0p1/monitor_wrap.c.audit1 openssh-6.0p1/monitor_wrap.c
buffer_free(&m); buffer_free(&m);
} }
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff -up openssh-6.0p1/monitor_wrap.h.audit1 openssh-6.0p1/monitor_wrap.h diff -up openssh-6.2p1/monitor_wrap.h.audit1 openssh-6.2p1/monitor_wrap.h
--- openssh-6.0p1/monitor_wrap.h.audit1 2011-06-20 06:42:23.000000000 +0200 --- openssh-6.2p1/monitor_wrap.h.audit1 2011-06-20 06:42:23.000000000 +0200
+++ openssh-6.0p1/monitor_wrap.h 2012-08-06 20:33:24.419382793 +0200 +++ openssh-6.2p1/monitor_wrap.h 2013-03-25 17:18:30.936758131 +0100
@@ -74,7 +74,8 @@ void mm_sshpam_free_ctx(void *); @@ -74,7 +74,8 @@ void mm_sshpam_free_ctx(void *);
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
#include "audit.h" #include "audit.h"
@ -466,10 +469,10 @@ diff -up openssh-6.0p1/monitor_wrap.h.audit1 openssh-6.0p1/monitor_wrap.h
#endif #endif
struct Session; struct Session;
diff -up openssh-6.0p1/session.c.audit1 openssh-6.0p1/session.c diff -up openssh-6.2p1/session.c.audit1 openssh-6.2p1/session.c
--- openssh-6.0p1/session.c.audit1 2011-11-04 00:55:24.000000000 +0100 --- openssh-6.2p1/session.c.audit1 2013-03-15 01:22:37.000000000 +0100
+++ openssh-6.0p1/session.c 2012-08-06 20:33:24.420382789 +0200 +++ openssh-6.2p1/session.c 2013-03-25 17:18:30.937758137 +0100
@@ -742,6 +742,14 @@ do_exec_pty(Session *s, const char *comm @@ -745,6 +745,14 @@ do_exec_pty(Session *s, const char *comm
/* Parent. Close the slave side of the pseudo tty. */ /* Parent. Close the slave side of the pseudo tty. */
close(ttyfd); close(ttyfd);
@ -484,7 +487,7 @@ diff -up openssh-6.0p1/session.c.audit1 openssh-6.0p1/session.c
/* Enter interactive session. */ /* Enter interactive session. */
s->ptymaster = ptymaster; s->ptymaster = ptymaster;
packet_set_interactive(1, packet_set_interactive(1,
@@ -813,15 +821,19 @@ do_exec(Session *s, const char *command) @@ -816,15 +824,19 @@ do_exec(Session *s, const char *command)
} }
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
@ -506,7 +509,7 @@ diff -up openssh-6.0p1/session.c.audit1 openssh-6.0p1/session.c
#endif #endif
if (s->ttyfd != -1) if (s->ttyfd != -1)
ret = do_exec_pty(s, command); ret = do_exec_pty(s, command);
@@ -1848,6 +1860,7 @@ session_unused(int id) @@ -1856,6 +1868,7 @@ session_unused(int id)
sessions[id].ttyfd = -1; sessions[id].ttyfd = -1;
sessions[id].ptymaster = -1; sessions[id].ptymaster = -1;
sessions[id].x11_chanids = NULL; sessions[id].x11_chanids = NULL;
@ -514,7 +517,7 @@ diff -up openssh-6.0p1/session.c.audit1 openssh-6.0p1/session.c
sessions[id].next_unused = sessions_first_unused; sessions[id].next_unused = sessions_first_unused;
sessions_first_unused = id; sessions_first_unused = id;
} }
@@ -1930,6 +1943,19 @@ session_open(Authctxt *authctxt, int cha @@ -1938,6 +1951,19 @@ session_open(Authctxt *authctxt, int cha
} }
Session * Session *
@ -534,7 +537,7 @@ diff -up openssh-6.0p1/session.c.audit1 openssh-6.0p1/session.c
session_by_tty(char *tty) session_by_tty(char *tty)
{ {
int i; int i;
@@ -2455,6 +2481,30 @@ session_exit_message(Session *s, int sta @@ -2463,6 +2489,30 @@ session_exit_message(Session *s, int sta
chan_write_failed(c); chan_write_failed(c);
} }
@ -565,7 +568,7 @@ diff -up openssh-6.0p1/session.c.audit1 openssh-6.0p1/session.c
void void
session_close(Session *s) session_close(Session *s)
{ {
@@ -2463,6 +2513,10 @@ session_close(Session *s) @@ -2471,6 +2521,10 @@ session_close(Session *s)
debug("session_close: session %d pid %ld", s->self, (long)s->pid); debug("session_close: session %d pid %ld", s->self, (long)s->pid);
if (s->ttyfd != -1) if (s->ttyfd != -1)
session_pty_cleanup(s); session_pty_cleanup(s);
@ -576,7 +579,7 @@ diff -up openssh-6.0p1/session.c.audit1 openssh-6.0p1/session.c
if (s->term) if (s->term)
xfree(s->term); xfree(s->term);
if (s->display) if (s->display)
@@ -2682,6 +2736,15 @@ do_authenticated2(Authctxt *authctxt) @@ -2690,6 +2744,15 @@ do_authenticated2(Authctxt *authctxt)
server_loop2(authctxt); server_loop2(authctxt);
} }
@ -592,16 +595,16 @@ diff -up openssh-6.0p1/session.c.audit1 openssh-6.0p1/session.c
void void
do_cleanup(Authctxt *authctxt) do_cleanup(Authctxt *authctxt)
{ {
@@ -2730,5 +2793,5 @@ do_cleanup(Authctxt *authctxt) @@ -2738,5 +2801,5 @@ do_cleanup(Authctxt *authctxt)
* or if running in monitor. * or if running in monitor.
*/ */
if (!use_privsep || mm_is_monitor()) if (!use_privsep || mm_is_monitor())
- session_destroy_all(session_pty_cleanup2); - session_destroy_all(session_pty_cleanup2);
+ session_destroy_all(do_cleanup_one_session); + session_destroy_all(do_cleanup_one_session);
} }
diff -up openssh-6.0p1/session.h.audit1 openssh-6.0p1/session.h diff -up openssh-6.2p1/session.h.audit1 openssh-6.2p1/session.h
--- openssh-6.0p1/session.h.audit1 2008-05-19 07:34:50.000000000 +0200 --- openssh-6.2p1/session.h.audit1 2008-05-19 07:34:50.000000000 +0200
+++ openssh-6.0p1/session.h 2012-08-06 20:33:24.420382789 +0200 +++ openssh-6.2p1/session.h 2013-03-25 17:18:30.937758137 +0100
@@ -60,6 +60,12 @@ struct Session { @@ -60,6 +60,12 @@ struct Session {
char *name; char *name;
char *val; char *val;
@ -626,10 +629,10 @@ diff -up openssh-6.0p1/session.h.audit1 openssh-6.0p1/session.h
Session *session_by_tty(char *); Session *session_by_tty(char *);
void session_close(Session *); void session_close(Session *);
void do_setusercontext(struct passwd *); void do_setusercontext(struct passwd *);
diff -up openssh-6.0p1/sshd.c.audit1 openssh-6.0p1/sshd.c diff -up openssh-6.2p1/sshd.c.audit1 openssh-6.2p1/sshd.c
--- openssh-6.0p1/sshd.c.audit1 2012-08-06 20:33:24.392382898 +0200 --- openssh-6.2p1/sshd.c.audit1 2013-03-25 17:18:30.919758024 +0100
+++ openssh-6.0p1/sshd.c 2012-08-06 20:33:24.421382785 +0200 +++ openssh-6.2p1/sshd.c 2013-03-25 17:18:30.937758137 +0100
@@ -2381,7 +2381,8 @@ cleanup_exit(int i) @@ -2409,7 +2409,8 @@ cleanup_exit(int i)
} }
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
/* done after do_cleanup so it can cancel the PAM auth 'thread' */ /* done after do_cleanup so it can cancel the PAM auth 'thread' */
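Review bot: The renumbering in the monitor.h hunk needs a comment, because the new lines move upstream's `MONITOR_REQ_AUDIT_COMMAND` from 113 to 114, add `MONITOR_ANS_AUDIT_COMMAND = 115` and `MONITOR_REQ_AUDIT_END_COMMAND = 116`, and leave 113 unused without saying why. The surrounding upstream values pair an even request with the odd answer that follows it (106/107, 108/109, 110/111), so the move looks intended to give the new answer its matching slot; I would say so above the added lines, e.g. `/* upstream has AUDIT_COMMAND = 113; moved to 114 so its new ANS gets 115. 113 is intentionally unused. */`. Since these values are exchanged only between the monitor and the unprivileged child of the same sshd binary, diverging from upstream should be functionally harmless, but each future rebase has to confirm upstream has not meanwhile assigned 114 or 116 itself, and the comment makes that check explicit. I would also keep the trailing comma the removed line had, `MONITOR_REQ_AUDIT_END_COMMAND = 116,`, so the next patch that appends an enumerator does not have to rewrite this line; the enum's closing `};` is visible as context in the hunk.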


@ -1,19 +1,7 @@
diff -up openssh-5.9p1/Makefile.in.audit3 openssh-5.9p1/Makefile.in diff -up openssh-6.2p1/audit-bsm.c.audit3 openssh-6.2p1/audit-bsm.c
--- openssh-5.9p1/Makefile.in.audit3 2011-08-05 22:15:18.000000000 +0200 --- openssh-6.2p1/audit-bsm.c.audit3 2013-03-25 17:30:41.329102631 +0100
+++ openssh-5.9p1/Makefile.in 2011-09-14 07:05:58.337520327 +0200 +++ openssh-6.2p1/audit-bsm.c 2013-03-25 17:30:41.338102682 +0100
@@ -71,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b @@ -473,4 +473,16 @@ audit_event(ssh_audit_event_t event)
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \
- schnorr.o ssh-pkcs11.o
+ schnorr.o ssh-pkcs11.o auditstub.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
diff -up openssh-5.9p1/audit-bsm.c.audit3 openssh-5.9p1/audit-bsm.c
--- openssh-5.9p1/audit-bsm.c.audit3 2011-09-14 07:05:56.719459048 +0200
+++ openssh-5.9p1/audit-bsm.c 2011-09-14 07:05:58.430520147 +0200
@@ -396,4 +396,16 @@ audit_event(ssh_audit_event_t event)
debug("%s: unhandled event %d", __func__, event); debug("%s: unhandled event %d", __func__, event);
} }
} }
@ -30,9 +18,88 @@ diff -up openssh-5.9p1/audit-bsm.c.audit3 openssh-5.9p1/audit-bsm.c
+ /* not implemented */ + /* not implemented */
+} +}
#endif /* BSM */ #endif /* BSM */
diff -up openssh-5.9p1/audit-linux.c.audit3 openssh-5.9p1/audit-linux.c diff -up openssh-6.2p1/audit.c.audit3 openssh-6.2p1/audit.c
--- openssh-5.9p1/audit-linux.c.audit3 2011-09-14 07:05:56.820460613 +0200 --- openssh-6.2p1/audit.c.audit3 2013-03-25 17:30:41.330102636 +0100
+++ openssh-5.9p1/audit-linux.c 2011-09-14 07:07:29.651459660 +0200 +++ openssh-6.2p1/audit.c 2013-03-25 17:30:41.339102688 +0100
@@ -28,6 +28,7 @@
#include <stdarg.h>
#include <string.h>
+#include <unistd.h>
#ifdef SSH_AUDIT_EVENTS
@@ -36,6 +37,8 @@
#include "key.h"
#include "hostfile.h"
#include "auth.h"
+#include "ssh-gss.h"
+#include "monitor_wrap.h"
#include "xmalloc.h"
/*
@@ -128,6 +131,18 @@ audit_key(int host_user, int *rv, const
xfree(fp);
}
+void
+audit_unsupported(int what)
+{
+ PRIVSEP(audit_unsupported_body(what));
+}
+
+void
+audit_kex(int ctos, char *enc, char *mac, char *comp)
+{
+ PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
+}
+
# ifndef CUSTOM_SSH_AUDIT_EVENTS
/*
* Null implementations of audit functions.
@@ -238,5 +253,26 @@ audit_keyusage(int host_user, const char
host_user ? "pubkey" : "hostbased", geteuid(), audit_username(), type, bits,
key_fingerprint_prefix(), fp, rv);
}
+
+/*
+ * This will be called when the protocol negotiation fails.
+ */
+void
+audit_unsupported_body(int what)
+{
+ debug("audit unsupported protocol euid %d type %d", geteuid(), what);
+}
+
+/*
+ * This will be called on succesfull protocol negotiation.
+ */
+void
+audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
+ uid_t uid)
+{
+ debug("audit protocol negotiation euid %d direction %d cipher %s mac %s compresion %s from pid %ld uid %u",
+ (unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
+ (unsigned)uid);
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-6.2p1/audit.h.audit3 openssh-6.2p1/audit.h
--- openssh-6.2p1/audit.h.audit3 2013-03-25 17:30:41.330102636 +0100
+++ openssh-6.2p1/audit.h 2013-03-25 17:30:41.339102688 +0100
@@ -58,5 +58,9 @@ void audit_end_command(int, const char
ssh_audit_event_t audit_classify_auth(const char *);
int audit_keyusage(int, const char *, unsigned, char *, int);
void audit_key(int, int *, const Key *);
+void audit_unsupported(int);
+void audit_kex(int, char *, char *, char *);
+void audit_unsupported_body(int);
+void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */
diff -up openssh-6.2p1/audit-linux.c.audit3 openssh-6.2p1/audit-linux.c
--- openssh-6.2p1/audit-linux.c.audit3 2013-03-25 17:30:41.331102642 +0100
+++ openssh-6.2p1/audit-linux.c 2013-03-25 17:30:41.339102688 +0100
@@ -40,6 +40,8 @@ @@ -40,6 +40,8 @@
#include "auth.h" #include "auth.h"
#include "servconf.h" #include "servconf.h"
@ -103,88 +170,9 @@ diff -up openssh-5.9p1/audit-linux.c.audit3 openssh-5.9p1/audit-linux.c
+} +}
+ +
#endif /* USE_LINUX_AUDIT */ #endif /* USE_LINUX_AUDIT */
diff -up openssh-5.9p1/audit.c.audit3 openssh-5.9p1/audit.c diff -up openssh-6.2p1/auditstub.c.audit3 openssh-6.2p1/auditstub.c
--- openssh-5.9p1/audit.c.audit3 2011-09-14 07:05:56.937585272 +0200 --- openssh-6.2p1/auditstub.c.audit3 2013-03-25 17:30:41.340102694 +0100
+++ openssh-5.9p1/audit.c 2011-09-14 07:05:58.646521393 +0200 +++ openssh-6.2p1/auditstub.c 2013-03-25 17:30:41.340102694 +0100
@@ -28,6 +28,7 @@
#include <stdarg.h>
#include <string.h>
+#include <unistd.h>
#ifdef SSH_AUDIT_EVENTS
@@ -36,6 +37,8 @@
#include "key.h"
#include "hostfile.h"
#include "auth.h"
+#include "ssh-gss.h"
+#include "monitor_wrap.h"
#include "xmalloc.h"
/*
@@ -128,6 +131,18 @@ audit_key(int host_user, int *rv, const
xfree(fp);
}
+void
+audit_unsupported(int what)
+{
+ PRIVSEP(audit_unsupported_body(what));
+}
+
+void
+audit_kex(int ctos, char *enc, char *mac, char *comp)
+{
+ PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
+}
+
# ifndef CUSTOM_SSH_AUDIT_EVENTS
/*
* Null implementations of audit functions.
@@ -238,5 +253,26 @@ audit_keyusage(int host_user, const char
host_user ? "pubkey" : "hostbased", geteuid(), audit_username(), type, bits,
key_fingerprint_prefix(), fp, rv);
}
+
+/*
+ * This will be called when the protocol negotiation fails.
+ */
+void
+audit_unsupported_body(int what)
+{
+ debug("audit unsupported protocol euid %d type %d", geteuid(), what);
+}
+
+/*
+ * This will be called on succesfull protocol negotiation.
+ */
+void
+audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
+ uid_t uid)
+{
+ debug("audit protocol negotiation euid %d direction %d cipher %s mac %s compresion %s from pid %ld uid %u",
+ (unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
+ (unsigned)uid);
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.9p1/audit.h.audit3 openssh-5.9p1/audit.h
--- openssh-5.9p1/audit.h.audit3 2011-09-14 07:05:57.391522394 +0200
+++ openssh-5.9p1/audit.h 2011-09-14 07:05:58.766586362 +0200
@@ -58,5 +58,9 @@ void audit_end_command(int, const char
ssh_audit_event_t audit_classify_auth(const char *);
int audit_keyusage(int, const char *, unsigned, char *, int);
void audit_key(int, int *, const Key *);
+void audit_unsupported(int);
+void audit_kex(int, char *, char *, char *);
+void audit_unsupported_body(int);
+void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */
diff -up openssh-5.9p1/auditstub.c.audit3 openssh-5.9p1/auditstub.c
--- openssh-5.9p1/auditstub.c.audit3 2011-09-14 07:05:58.866461077 +0200
+++ openssh-5.9p1/auditstub.c 2011-09-14 07:05:58.870569033 +0200
@@ -0,0 +1,39 @@ @@ -0,0 +1,39 @@
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */ +/* $Id: auditstub.c,v 1.1 jfch Exp $ */
+ +
@ -225,30 +213,32 @@ diff -up openssh-5.9p1/auditstub.c.audit3 openssh-5.9p1/auditstub.c
+{ +{
+} +}
+ +
diff -up openssh-5.9p1/cipher.c.audit3 openssh-5.9p1/cipher.c diff -up openssh-6.2p1/cipher.c.audit3 openssh-6.2p1/cipher.c
--- openssh-5.9p1/cipher.c.audit3 2011-09-07 15:05:09.000000000 +0200 --- openssh-6.2p1/cipher.c.audit3 2013-03-25 17:30:41.340102694 +0100
+++ openssh-5.9p1/cipher.c 2011-09-14 07:05:58.955582581 +0200 +++ openssh-6.2p1/cipher.c 2013-03-25 17:32:33.117743548 +0100
@@ -60,15 +60,7 @@ extern void ssh1_3des_iv(EVP_CIPHER_CTX @@ -58,17 +58,7 @@ extern const EVP_CIPHER *evp_ssh1_bf(voi
extern const EVP_CIPHER *evp_aes_128_ctr(void); extern const EVP_CIPHER *evp_ssh1_3des(void);
extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
-struct Cipher { -struct Cipher {
- char *name; - char *name;
- int number; /* for ssh1 only */ - int number; /* for ssh1 only */
- u_int block_size; - u_int block_size;
- u_int key_len; - u_int key_len;
- u_int iv_len; /* defaults to block_size */
- u_int auth_len;
- u_int discard_len; - u_int discard_len;
- u_int cbc_mode; - u_int cbc_mode;
- const EVP_CIPHER *(*evptype)(void); - const EVP_CIPHER *(*evptype)(void);
-} ciphers[] = { -} ciphers[] = {
+struct Cipher ciphers[] = { +struct Cipher ciphers[] = {
{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null }, { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
{ "des", SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc }, { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des }, { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
diff -up openssh-5.9p1/cipher.h.audit3 openssh-5.9p1/cipher.h diff -up openssh-6.2p1/cipher.h.audit3 openssh-6.2p1/cipher.h
--- openssh-5.9p1/cipher.h.audit3 2009-01-28 06:38:41.000000000 +0100 --- openssh-6.2p1/cipher.h.audit3 2013-03-25 17:30:41.341102699 +0100
+++ openssh-5.9p1/cipher.h 2011-09-14 07:05:59.063459363 +0200 +++ openssh-6.2p1/cipher.h 2013-03-25 17:32:45.338813408 +0100
@@ -61,7 +61,16 @@ @@ -61,7 +61,18 @@
typedef struct Cipher Cipher; typedef struct Cipher Cipher;
typedef struct CipherContext CipherContext; typedef struct CipherContext CipherContext;
@ -258,6 +248,8 @@ diff -up openssh-5.9p1/cipher.h.audit3 openssh-5.9p1/cipher.h
+ int number; /* for ssh1 only */ + int number; /* for ssh1 only */
+ u_int block_size; + u_int block_size;
+ u_int key_len; + u_int key_len;
+ u_int iv_len; /* defaults to block_size */
+ u_int auth_len;
+ u_int discard_len; + u_int discard_len;
+ u_int cbc_mode; + u_int cbc_mode;
+ const EVP_CIPHER *(*evptype)(void); + const EVP_CIPHER *(*evptype)(void);
@ -265,10 +257,10 @@ diff -up openssh-5.9p1/cipher.h.audit3 openssh-5.9p1/cipher.h
+ +
struct CipherContext { struct CipherContext {
int plaintext; int plaintext;
EVP_CIPHER_CTX evp; int encrypt;
diff -up openssh-5.9p1/kex.c.audit3 openssh-5.9p1/kex.c diff -up openssh-6.2p1/kex.c.audit3 openssh-6.2p1/kex.c
--- openssh-5.9p1/kex.c.audit3 2010-09-24 14:11:14.000000000 +0200 --- openssh-6.2p1/kex.c.audit3 2013-01-09 06:12:19.000000000 +0100
+++ openssh-5.9p1/kex.c 2011-09-14 07:05:59.171457800 +0200 +++ openssh-6.2p1/kex.c 2013-03-25 17:33:40.352129450 +0100
@@ -49,6 +49,7 @@ @@ -49,6 +49,7 @@
#include "dispatch.h" #include "dispatch.h"
#include "monitor.h" #include "monitor.h"
@ -277,7 +269,7 @@ diff -up openssh-5.9p1/kex.c.audit3 openssh-5.9p1/kex.c
#if OPENSSL_VERSION_NUMBER >= 0x00907000L #if OPENSSL_VERSION_NUMBER >= 0x00907000L
# if defined(HAVE_EVP_SHA256) # if defined(HAVE_EVP_SHA256)
@@ -286,9 +287,13 @@ static void @@ -296,9 +297,13 @@ static void
choose_enc(Enc *enc, char *client, char *server) choose_enc(Enc *enc, char *client, char *server)
{ {
char *name = match_list(client, server, NULL); char *name = match_list(client, server, NULL);
@ -292,7 +284,7 @@ diff -up openssh-5.9p1/kex.c.audit3 openssh-5.9p1/kex.c
if ((enc->cipher = cipher_by_name(name)) == NULL) if ((enc->cipher = cipher_by_name(name)) == NULL)
fatal("matching cipher is not supported: %s", name); fatal("matching cipher is not supported: %s", name);
enc->name = name; enc->name = name;
@@ -303,9 +308,13 @@ static void @@ -314,9 +319,13 @@ static void
choose_mac(Mac *mac, char *client, char *server) choose_mac(Mac *mac, char *client, char *server)
{ {
char *name = match_list(client, server, NULL); char *name = match_list(client, server, NULL);
@ -307,7 +299,7 @@ diff -up openssh-5.9p1/kex.c.audit3 openssh-5.9p1/kex.c
if (mac_setup(mac, name) < 0) if (mac_setup(mac, name) < 0)
fatal("unsupported mac %s", name); fatal("unsupported mac %s", name);
/* truncate the key */ /* truncate the key */
@@ -320,8 +329,12 @@ static void @@ -331,8 +340,12 @@ static void
choose_comp(Comp *comp, char *client, char *server) choose_comp(Comp *comp, char *client, char *server)
{ {
char *name = match_list(client, server, NULL); char *name = match_list(client, server, NULL);
@ -321,9 +313,9 @@ diff -up openssh-5.9p1/kex.c.audit3 openssh-5.9p1/kex.c
if (strcmp(name, "zlib@openssh.com") == 0) { if (strcmp(name, "zlib@openssh.com") == 0) {
comp->type = COMP_DELAYED; comp->type = COMP_DELAYED;
} else if (strcmp(name, "zlib") == 0) { } else if (strcmp(name, "zlib") == 0) {
@@ -446,6 +459,9 @@ kex_choose_conf(Kex *kex) @@ -460,6 +473,9 @@ kex_choose_conf(Kex *kex)
newkeys->enc.name, newkeys->enc.name,
newkeys->mac.name, authlen == 0 ? newkeys->mac.name : "<implicit>",
newkeys->comp.name); newkeys->comp.name);
+#ifdef SSH_AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS
+ audit_kex(ctos, newkeys->enc.name, newkeys->mac.name, newkeys->comp.name); + audit_kex(ctos, newkeys->enc.name, newkeys->mac.name, newkeys->comp.name);
@ -331,9 +323,21 @@ diff -up openssh-5.9p1/kex.c.audit3 openssh-5.9p1/kex.c
} }
choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
diff -up openssh-5.9p1/monitor.c.audit3 openssh-5.9p1/monitor.c diff -up openssh-6.2p1/Makefile.in.audit3 openssh-6.2p1/Makefile.in
--- openssh-5.9p1/monitor.c.audit3 2011-09-14 07:05:57.952459820 +0200 --- openssh-6.2p1/Makefile.in.audit3 2013-03-25 17:30:41.337102676 +0100
+++ openssh-5.9p1/monitor.c 2011-09-14 07:05:59.272520466 +0200 +++ openssh-6.2p1/Makefile.in 2013-03-25 17:33:18.833004685 +0100
@@ -73,7 +73,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
- jpake.o schnorr.o ssh-pkcs11.o krl.o
+ jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
diff -up openssh-6.2p1/monitor.c.audit3 openssh-6.2p1/monitor.c
--- openssh-6.2p1/monitor.c.audit3 2013-03-25 17:30:41.333102653 +0100
+++ openssh-6.2p1/monitor.c 2013-03-25 17:30:41.344102717 +0100
@@ -97,6 +97,7 @@ @@ -97,6 +97,7 @@
#include "ssh2.h" #include "ssh2.h"
#include "jpake.h" #include "jpake.h"
@ -342,7 +346,7 @@ diff -up openssh-5.9p1/monitor.c.audit3 openssh-5.9p1/monitor.c
#ifdef GSSAPI #ifdef GSSAPI
static Gssctxt *gsscontext = NULL; static Gssctxt *gsscontext = NULL;
@@ -187,6 +188,8 @@ int mm_answer_gss_checkmic(int, Buffer * @@ -186,6 +187,8 @@ int mm_answer_gss_checkmic(int, Buffer *
int mm_answer_audit_event(int, Buffer *); int mm_answer_audit_event(int, Buffer *);
int mm_answer_audit_command(int, Buffer *); int mm_answer_audit_command(int, Buffer *);
int mm_answer_audit_end_command(int, Buffer *); int mm_answer_audit_end_command(int, Buffer *);
@ -360,7 +364,7 @@ diff -up openssh-5.9p1/monitor.c.audit3 openssh-5.9p1/monitor.c
#endif #endif
#ifdef BSD_AUTH #ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -275,6 +280,8 @@ struct mon_table mon_dispatch_postauth20 @@ -274,6 +279,8 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command}, {MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
@ -369,7 +373,7 @@ diff -up openssh-5.9p1/monitor.c.audit3 openssh-5.9p1/monitor.c
#endif #endif
{0, 0, NULL} {0, 0, NULL}
}; };
@@ -306,6 +313,8 @@ struct mon_table mon_dispatch_proto15[] @@ -305,6 +312,8 @@ struct mon_table mon_dispatch_proto15[]
#endif #endif
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
@ -378,7 +382,7 @@ diff -up openssh-5.9p1/monitor.c.audit3 openssh-5.9p1/monitor.c
#endif #endif
{0, 0, NULL} {0, 0, NULL}
}; };
@@ -318,6 +327,8 @@ struct mon_table mon_dispatch_postauth15 @@ -317,6 +326,8 @@ struct mon_table mon_dispatch_postauth15
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command}, {MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
@ -387,7 +391,7 @@ diff -up openssh-5.9p1/monitor.c.audit3 openssh-5.9p1/monitor.c
#endif #endif
{0, 0, NULL} {0, 0, NULL}
}; };
@@ -2383,3 +2394,47 @@ mm_answer_jpake_check_confirm(int sock, @@ -2397,3 +2408,47 @@ mm_answer_jpake_check_confirm(int sock,
} }
#endif /* JPAKE */ #endif /* JPAKE */
@ -435,22 +439,24 @@ diff -up openssh-5.9p1/monitor.c.audit3 openssh-5.9p1/monitor.c
+} +}
+ +
+#endif /* SSH_AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.9p1/monitor.h.audit3 openssh-5.9p1/monitor.h diff -up openssh-6.2p1/monitor.h.audit3 openssh-6.2p1/monitor.h
--- openssh-5.9p1/monitor.h.audit3 2011-09-14 07:05:55.510580908 +0200 --- openssh-6.2p1/monitor.h.audit3 2013-03-25 17:30:41.345102722 +0100
+++ openssh-5.9p1/monitor.h 2011-09-14 07:05:59.378647273 +0200 +++ openssh-6.2p1/monitor.h 2013-03-25 17:31:57.314538661 +0100
@@ -61,6 +61,8 @@ enum monitor_reqtype { @@ -70,7 +70,9 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX, MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND, MONITOR_REQ_AUDIT_EVENT = 112,
MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND, MONITOR_REQ_AUDIT_COMMAND = 114, MONITOR_ANS_AUDIT_COMMAND = 115,
+ MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED, - MONITOR_REQ_AUDIT_END_COMMAND = 116
+ MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX, + MONITOR_REQ_AUDIT_END_COMMAND = 116,
MONITOR_REQ_TERM, + MONITOR_REQ_AUDIT_UNSUPPORTED = 118, MONITOR_ANS_AUDIT_UNSUPPORTED = 119,
MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1, + MONITOR_REQ_AUDIT_KEX = 120, MONITOR_ANS_AUDIT_KEX = 121
MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
diff -up openssh-5.9p1/monitor_wrap.c.audit3 openssh-5.9p1/monitor_wrap.c };
--- openssh-5.9p1/monitor_wrap.c.audit3 2011-09-14 07:05:58.059501118 +0200
+++ openssh-5.9p1/monitor_wrap.c 2011-09-14 07:05:59.511503364 +0200 diff -up openssh-6.2p1/monitor_wrap.c.audit3 openssh-6.2p1/monitor_wrap.c
@@ -1505,3 +1505,41 @@ mm_jpake_check_confirm(const BIGNUM *k, --- openssh-6.2p1/monitor_wrap.c.audit3 2013-03-25 17:30:41.334102659 +0100
+++ openssh-6.2p1/monitor_wrap.c 2013-03-25 17:30:41.346102728 +0100
@@ -1486,3 +1486,41 @@ mm_jpake_check_confirm(const BIGNUM *k,
return success; return success;
} }
#endif /* JPAKE */ #endif /* JPAKE */
@ -492,10 +498,10 @@ diff -up openssh-5.9p1/monitor_wrap.c.audit3 openssh-5.9p1/monitor_wrap.c
+ buffer_free(&m); + buffer_free(&m);
+} +}
+#endif /* SSH_AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.9p1/monitor_wrap.h.audit3 openssh-5.9p1/monitor_wrap.h diff -up openssh-6.2p1/monitor_wrap.h.audit3 openssh-6.2p1/monitor_wrap.h
--- openssh-5.9p1/monitor_wrap.h.audit3 2011-09-14 07:05:58.171521245 +0200 --- openssh-6.2p1/monitor_wrap.h.audit3 2013-03-25 17:30:41.334102659 +0100
+++ openssh-5.9p1/monitor_wrap.h 2011-09-14 07:05:59.624646515 +0200 +++ openssh-6.2p1/monitor_wrap.h 2013-03-25 17:30:41.346102728 +0100
@@ -78,6 +78,8 @@ void mm_sshpam_free_ctx(void *); @@ -77,6 +77,8 @@ void mm_sshpam_free_ctx(void *);
void mm_audit_event(ssh_audit_event_t); void mm_audit_event(ssh_audit_event_t);
int mm_audit_run_command(const char *); int mm_audit_run_command(const char *);
void mm_audit_end_command(int, const char *); void mm_audit_end_command(int, const char *);
@ -504,9 +510,9 @@ diff -up openssh-5.9p1/monitor_wrap.h.audit3 openssh-5.9p1/monitor_wrap.h
#endif #endif
struct Session; struct Session;
diff -up openssh-5.9p1/sshd.c.audit3 openssh-5.9p1/sshd.c diff -up openssh-6.2p1/sshd.c.audit3 openssh-6.2p1/sshd.c
--- openssh-5.9p1/sshd.c.audit3 2011-09-14 07:05:56.554583874 +0200 --- openssh-6.2p1/sshd.c.audit3 2013-03-25 17:30:41.326102613 +0100
+++ openssh-5.9p1/sshd.c 2011-09-14 07:05:59.828466112 +0200 +++ openssh-6.2p1/sshd.c 2013-03-25 17:30:41.348102740 +0100
@@ -118,6 +118,7 @@ @@ -118,6 +118,7 @@
#endif #endif
#include "monitor_wrap.h" #include "monitor_wrap.h"
@ -515,7 +521,7 @@ diff -up openssh-5.9p1/sshd.c.audit3 openssh-5.9p1/sshd.c
#include "ssh-sandbox.h" #include "ssh-sandbox.h"
#include "version.h" #include "version.h"
@@ -2209,6 +2210,10 @@ do_ssh1_kex(void) @@ -2241,6 +2242,10 @@ do_ssh1_kex(void)
if (cookie[i] != packet_get_char()) if (cookie[i] != packet_get_char())
packet_disconnect("IP Spoofing check bytes do not match."); packet_disconnect("IP Spoofing check bytes do not match.");


@ -1,6 +1,6 @@
diff -up openssh-6.1p1/audit-bsm.c.audit4 openssh-6.1p1/audit-bsm.c diff -up openssh-6.2p1/audit-bsm.c.audit4 openssh-6.2p1/audit-bsm.c
--- openssh-6.1p1/audit-bsm.c.audit4 2012-11-28 14:20:38.990185823 +0100 --- openssh-6.2p1/audit-bsm.c.audit4 2013-03-25 17:34:16.034337746 +0100
+++ openssh-6.1p1/audit-bsm.c 2012-11-28 14:20:38.995185800 +0100 +++ openssh-6.2p1/audit-bsm.c 2013-03-25 17:34:16.042337793 +0100
@@ -485,4 +485,10 @@ audit_kex_body(int ctos, char *enc, char @@ -485,4 +485,10 @@ audit_kex_body(int ctos, char *enc, char
{ {
/* not implemented */ /* not implemented */
@ -12,9 +12,9 @@ diff -up openssh-6.1p1/audit-bsm.c.audit4 openssh-6.1p1/audit-bsm.c
+ /* not implemented */ + /* not implemented */
+} +}
#endif /* BSM */ #endif /* BSM */
diff -up openssh-6.1p1/audit.c.audit4 openssh-6.1p1/audit.c diff -up openssh-6.2p1/audit.c.audit4 openssh-6.2p1/audit.c
--- openssh-6.1p1/audit.c.audit4 2012-11-28 14:20:38.990185823 +0100 --- openssh-6.2p1/audit.c.audit4 2013-03-25 17:34:16.035337752 +0100
+++ openssh-6.1p1/audit.c 2012-11-28 14:20:38.995185800 +0100 +++ openssh-6.2p1/audit.c 2013-03-25 17:34:16.042337793 +0100
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac @@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid())); PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
} }
@ -44,9 +44,9 @@ diff -up openssh-6.1p1/audit.c.audit4 openssh-6.1p1/audit.c
+} +}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff -up openssh-6.1p1/audit.h.audit4 openssh-6.1p1/audit.h diff -up openssh-6.2p1/audit.h.audit4 openssh-6.2p1/audit.h
--- openssh-6.1p1/audit.h.audit4 2012-11-28 14:20:38.990185823 +0100 --- openssh-6.2p1/audit.h.audit4 2013-03-25 17:34:16.035337752 +0100
+++ openssh-6.1p1/audit.h 2012-11-28 14:20:38.995185800 +0100 +++ openssh-6.2p1/audit.h 2013-03-25 17:34:16.043337799 +0100
@@ -62,5 +62,7 @@ void audit_unsupported(int); @@ -62,5 +62,7 @@ void audit_unsupported(int);
void audit_kex(int, char *, char *, char *); void audit_kex(int, char *, char *, char *);
void audit_unsupported_body(int); void audit_unsupported_body(int);
@ -55,9 +55,9 @@ diff -up openssh-6.1p1/audit.h.audit4 openssh-6.1p1/audit.h
+void audit_session_key_free_body(int ctos, pid_t, uid_t); +void audit_session_key_free_body(int ctos, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */ #endif /* _SSH_AUDIT_H */
diff -up openssh-6.1p1/audit-linux.c.audit4 openssh-6.1p1/audit-linux.c diff -up openssh-6.2p1/audit-linux.c.audit4 openssh-6.2p1/audit-linux.c
--- openssh-6.1p1/audit-linux.c.audit4 2012-11-28 14:20:38.990185823 +0100 --- openssh-6.2p1/audit-linux.c.audit4 2013-03-25 17:34:16.035337752 +0100
+++ openssh-6.1p1/audit-linux.c 2012-11-28 14:20:38.995185800 +0100 +++ openssh-6.2p1/audit-linux.c 2013-03-25 17:34:16.043337799 +0100
@@ -294,6 +294,8 @@ audit_unsupported_body(int what) @@ -294,6 +294,8 @@ audit_unsupported_body(int what)
#endif #endif
} }
@ -108,9 +108,9 @@ diff -up openssh-6.1p1/audit-linux.c.audit4 openssh-6.1p1/audit-linux.c
+} +}
+ +
#endif /* USE_LINUX_AUDIT */ #endif /* USE_LINUX_AUDIT */
diff -up openssh-6.1p1/auditstub.c.audit4 openssh-6.1p1/auditstub.c diff -up openssh-6.2p1/auditstub.c.audit4 openssh-6.2p1/auditstub.c
--- openssh-6.1p1/auditstub.c.audit4 2012-11-28 14:20:38.990185823 +0100 --- openssh-6.2p1/auditstub.c.audit4 2013-03-25 17:34:16.035337752 +0100
+++ openssh-6.1p1/auditstub.c 2012-11-28 14:20:38.995185800 +0100 +++ openssh-6.2p1/auditstub.c 2013-03-25 17:34:16.043337799 +0100
@@ -27,6 +27,8 @@ @@ -27,6 +27,8 @@
* Red Hat author: Jan F. Chadima <jchadima@redhat.com> * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
*/ */
@ -133,10 +133,10 @@ diff -up openssh-6.1p1/auditstub.c.audit4 openssh-6.1p1/auditstub.c
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid) +audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
+{ +{
+} +}
diff -up openssh-6.1p1/kex.c.audit4 openssh-6.1p1/kex.c diff -up openssh-6.2p1/kex.c.audit4 openssh-6.2p1/kex.c
--- openssh-6.1p1/kex.c.audit4 2012-11-28 14:20:38.991185818 +0100 --- openssh-6.2p1/kex.c.audit4 2013-03-25 17:34:16.036337758 +0100
+++ openssh-6.1p1/kex.c 2012-11-28 14:20:38.995185800 +0100 +++ openssh-6.2p1/kex.c 2013-03-25 17:34:16.044337804 +0100
@@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i @@ -640,3 +640,34 @@ dump_digest(char *msg, u_char *digest, i
fprintf(stderr, "\n"); fprintf(stderr, "\n");
} }
#endif #endif
@ -171,10 +171,10 @@ diff -up openssh-6.1p1/kex.c.audit4 openssh-6.1p1/kex.c
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp)); + memset(&newkeys->comp, 0, sizeof(newkeys->comp));
+} +}
+ +
diff -up openssh-6.1p1/kex.h.audit4 openssh-6.1p1/kex.h diff -up openssh-6.2p1/kex.h.audit4 openssh-6.2p1/kex.h
--- openssh-6.1p1/kex.h.audit4 2010-09-24 14:11:14.000000000 +0200 --- openssh-6.2p1/kex.h.audit4 2013-01-09 06:12:19.000000000 +0100
+++ openssh-6.1p1/kex.h 2012-11-28 14:20:38.996185795 +0100 +++ openssh-6.2p1/kex.h 2013-03-25 17:34:16.044337804 +0100
@@ -156,6 +156,8 @@ void kexgex_server(Kex *); @@ -158,6 +158,8 @@ void kexgex_server(Kex *);
void kexecdh_client(Kex *); void kexecdh_client(Kex *);
void kexecdh_server(Kex *); void kexecdh_server(Kex *);
@ -183,10 +183,10 @@ diff -up openssh-6.1p1/kex.h.audit4 openssh-6.1p1/kex.h
void void
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
diff -up openssh-6.1p1/mac.c.audit4 openssh-6.1p1/mac.c diff -up openssh-6.2p1/mac.c.audit4 openssh-6.2p1/mac.c
--- openssh-6.1p1/mac.c.audit4 2012-06-30 00:34:59.000000000 +0200 --- openssh-6.2p1/mac.c.audit4 2012-12-12 01:00:37.000000000 +0100
+++ openssh-6.1p1/mac.c 2012-11-28 14:20:38.996185795 +0100 +++ openssh-6.2p1/mac.c 2013-03-25 17:34:16.044337804 +0100
@@ -169,6 +169,20 @@ mac_clear(Mac *mac) @@ -199,6 +199,20 @@ mac_clear(Mac *mac)
mac->umac_ctx = NULL; mac->umac_ctx = NULL;
} }
@ -207,17 +207,17 @@ diff -up openssh-6.1p1/mac.c.audit4 openssh-6.1p1/mac.c
/* XXX copied from ciphers_valid */ /* XXX copied from ciphers_valid */
#define MAC_SEP "," #define MAC_SEP ","
int int
diff -up openssh-6.1p1/mac.h.audit4 openssh-6.1p1/mac.h diff -up openssh-6.2p1/mac.h.audit4 openssh-6.2p1/mac.h
--- openssh-6.1p1/mac.h.audit4 2007-06-11 06:01:42.000000000 +0200 --- openssh-6.2p1/mac.h.audit4 2007-06-11 06:01:42.000000000 +0200
+++ openssh-6.1p1/mac.h 2012-11-28 14:20:38.996185795 +0100 +++ openssh-6.2p1/mac.h 2013-03-25 17:34:16.045337810 +0100
@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *); @@ -28,3 +28,4 @@ int mac_setup(Mac *, char *);
int mac_init(Mac *); int mac_init(Mac *);
u_char *mac_compute(Mac *, u_int32_t, u_char *, int); u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
void mac_clear(Mac *); void mac_clear(Mac *);
+void mac_destroy(Mac *); +void mac_destroy(Mac *);
diff -up openssh-6.1p1/monitor.c.audit4 openssh-6.1p1/monitor.c diff -up openssh-6.2p1/monitor.c.audit4 openssh-6.2p1/monitor.c
--- openssh-6.1p1/monitor.c.audit4 2012-11-28 14:20:38.992185813 +0100 --- openssh-6.2p1/monitor.c.audit4 2013-03-25 17:34:16.037337763 +0100
+++ openssh-6.1p1/monitor.c 2012-11-28 17:02:17.677045093 +0100 +++ openssh-6.2p1/monitor.c 2013-03-25 17:34:16.046337816 +0100
@@ -189,6 +189,7 @@ int mm_answer_audit_command(int, Buffer @@ -189,6 +189,7 @@ int mm_answer_audit_command(int, Buffer
int mm_answer_audit_end_command(int, Buffer *); int mm_answer_audit_end_command(int, Buffer *);
int mm_answer_audit_unsupported_body(int, Buffer *); int mm_answer_audit_unsupported_body(int, Buffer *);
@ -226,7 +226,7 @@ diff -up openssh-6.1p1/monitor.c.audit4 openssh-6.1p1/monitor.c
#endif #endif
static int monitor_read_log(struct monitor *); static int monitor_read_log(struct monitor *);
@@ -241,6 +242,7 @@ struct mon_table mon_dispatch_proto20[] @@ -242,6 +243,7 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body}, {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body}, {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
@ -234,7 +234,7 @@ diff -up openssh-6.1p1/monitor.c.audit4 openssh-6.1p1/monitor.c
#endif #endif
#ifdef BSD_AUTH #ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -280,6 +282,7 @@ struct mon_table mon_dispatch_postauth20 @@ -281,6 +283,7 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command}, {MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body}, {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body}, {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
@ -242,7 +242,7 @@ diff -up openssh-6.1p1/monitor.c.audit4 openssh-6.1p1/monitor.c
#endif #endif
{0, 0, NULL} {0, 0, NULL}
}; };
@@ -313,6 +316,7 @@ struct mon_table mon_dispatch_proto15[] @@ -314,6 +317,7 @@ struct mon_table mon_dispatch_proto15[]
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body}, {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body}, {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
@ -250,7 +250,7 @@ diff -up openssh-6.1p1/monitor.c.audit4 openssh-6.1p1/monitor.c
#endif #endif
{0, 0, NULL} {0, 0, NULL}
}; };
@@ -327,6 +331,7 @@ struct mon_table mon_dispatch_postauth15 @@ -328,6 +332,7 @@ struct mon_table mon_dispatch_postauth15
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command}, {MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body}, {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body}, {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
@ -258,18 +258,7 @@ diff -up openssh-6.1p1/monitor.c.audit4 openssh-6.1p1/monitor.c
#endif #endif
{0, 0, NULL} {0, 0, NULL}
}; };
@@ -448,10 +453,6 @@ monitor_child_preauth(Authctxt *_authctx @@ -1957,11 +1962,13 @@ mm_get_keystate(struct monitor *pmonitor
#endif
}
- /* Drain any buffered messages from the child */
- while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
- ;
-
if (!authctxt->valid)
fatal("%s: authenticated invalid user", __func__);
if (strcmp(auth_method, "unknown") == 0)
@@ -1950,11 +1951,13 @@ mm_get_keystate(struct monitor *pmonitor
blob = buffer_get_string(&m, &bloblen); blob = buffer_get_string(&m, &bloblen);
current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen); current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
@ -283,7 +272,7 @@ diff -up openssh-6.1p1/monitor.c.audit4 openssh-6.1p1/monitor.c
xfree(blob); xfree(blob);
/* Now get sequence numbers for the packets */ /* Now get sequence numbers for the packets */
@@ -2000,6 +2003,21 @@ mm_get_keystate(struct monitor *pmonitor @@ -2007,6 +2014,21 @@ mm_get_keystate(struct monitor *pmonitor
} }
buffer_free(&m); buffer_free(&m);
@ -305,7 +294,7 @@ diff -up openssh-6.1p1/monitor.c.audit4 openssh-6.1p1/monitor.c
} }
@@ -2444,4 +2462,22 @@ mm_answer_audit_kex_body(int sock, Buffe @@ -2451,4 +2473,22 @@ mm_answer_audit_kex_body(int sock, Buffe
return 0; return 0;
} }
@ -328,21 +317,23 @@ diff -up openssh-6.1p1/monitor.c.audit4 openssh-6.1p1/monitor.c
+ return 0; + return 0;
+} +}
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff -up openssh-6.1p1/monitor.h.audit4 openssh-6.1p1/monitor.h diff -up openssh-6.2p1/monitor.h.audit4 openssh-6.2p1/monitor.h
--- openssh-6.1p1/monitor.h.audit4 2012-11-28 14:20:38.992185813 +0100 --- openssh-6.2p1/monitor.h.audit4 2013-03-25 17:34:16.046337816 +0100
+++ openssh-6.1p1/monitor.h 2012-11-28 14:20:38.997185790 +0100 +++ openssh-6.2p1/monitor.h 2013-03-25 17:35:01.408602217 +0100
@@ -63,6 +63,7 @@ enum monitor_reqtype { @@ -72,7 +72,8 @@ enum monitor_reqtype {
MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND, MONITOR_REQ_AUDIT_COMMAND = 114, MONITOR_ANS_AUDIT_COMMAND = 115,
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED, MONITOR_REQ_AUDIT_END_COMMAND = 116,
MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX, MONITOR_REQ_AUDIT_UNSUPPORTED = 118, MONITOR_ANS_AUDIT_UNSUPPORTED = 119,
+ MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, - MONITOR_REQ_AUDIT_KEX = 120, MONITOR_ANS_AUDIT_KEX = 121
MONITOR_REQ_TERM, + MONITOR_REQ_AUDIT_KEX = 120, MONITOR_ANS_AUDIT_KEX = 121,
MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1, + MONITOR_REQ_AUDIT_SESSION_KEY_FREE = 122, MONITOR_ANS_AUDIT_SESSION_KEY_FREE = 123
MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
diff -up openssh-6.1p1/monitor_wrap.c.audit4 openssh-6.1p1/monitor_wrap.c };
--- openssh-6.1p1/monitor_wrap.c.audit4 2012-11-28 14:20:38.992185813 +0100
+++ openssh-6.1p1/monitor_wrap.c 2012-11-28 14:20:38.997185790 +0100 diff -up openssh-6.2p1/monitor_wrap.c.audit4 openssh-6.2p1/monitor_wrap.c
@@ -653,12 +653,14 @@ mm_send_keystate(struct monitor *monitor --- openssh-6.2p1/monitor_wrap.c.audit4 2013-03-25 17:34:16.038337769 +0100
+++ openssh-6.2p1/monitor_wrap.c 2013-03-25 17:34:16.047337822 +0100
@@ -654,12 +654,14 @@ mm_send_keystate(struct monitor *monitor
fatal("%s: conversion of newkeys failed", __func__); fatal("%s: conversion of newkeys failed", __func__);
buffer_put_string(&m, blob, bloblen); buffer_put_string(&m, blob, bloblen);
@ -357,7 +348,7 @@ diff -up openssh-6.1p1/monitor_wrap.c.audit4 openssh-6.1p1/monitor_wrap.c
xfree(blob); xfree(blob);
packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes); packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes);
@@ -1522,4 +1524,19 @@ mm_audit_kex_body(int ctos, char *cipher @@ -1523,4 +1525,19 @@ mm_audit_kex_body(int ctos, char *cipher
buffer_free(&m); buffer_free(&m);
} }
@ -377,9 +368,9 @@ diff -up openssh-6.1p1/monitor_wrap.c.audit4 openssh-6.1p1/monitor_wrap.c
+ buffer_free(&m); + buffer_free(&m);
+} +}
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff -up openssh-6.1p1/monitor_wrap.h.audit4 openssh-6.1p1/monitor_wrap.h diff -up openssh-6.2p1/monitor_wrap.h.audit4 openssh-6.2p1/monitor_wrap.h
--- openssh-6.1p1/monitor_wrap.h.audit4 2012-11-28 14:20:38.992185813 +0100 --- openssh-6.2p1/monitor_wrap.h.audit4 2013-03-25 17:34:16.039337775 +0100
+++ openssh-6.1p1/monitor_wrap.h 2012-11-28 14:20:38.997185790 +0100 +++ openssh-6.2p1/monitor_wrap.h 2013-03-25 17:34:16.047337822 +0100
@@ -79,6 +79,7 @@ int mm_audit_run_command(const char *); @@ -79,6 +79,7 @@ int mm_audit_run_command(const char *);
void mm_audit_end_command(int, const char *); void mm_audit_end_command(int, const char *);
void mm_audit_unsupported_body(int); void mm_audit_unsupported_body(int);
@ -388,9 +379,9 @@ diff -up openssh-6.1p1/monitor_wrap.h.audit4 openssh-6.1p1/monitor_wrap.h
#endif #endif
struct Session; struct Session;
diff -up openssh-6.1p1/packet.c.audit4 openssh-6.1p1/packet.c diff -up openssh-6.2p1/packet.c.audit4 openssh-6.2p1/packet.c
--- openssh-6.1p1/packet.c.audit4 2012-11-28 14:20:38.973185902 +0100 --- openssh-6.2p1/packet.c.audit4 2013-03-25 17:34:16.014337629 +0100
+++ openssh-6.1p1/packet.c 2012-11-28 14:20:38.998185785 +0100 +++ openssh-6.2p1/packet.c 2013-03-25 17:42:26.519176337 +0100
@@ -60,6 +60,7 @@ @@ -60,6 +60,7 @@
#include <signal.h> #include <signal.h>
@ -472,7 +463,7 @@ diff -up openssh-6.1p1/packet.c.audit4 openssh-6.1p1/packet.c
void void
set_newkeys(int mode) set_newkeys(int mode)
{ {
@@ -754,18 +782,9 @@ set_newkeys(int mode) @@ -754,21 +782,9 @@ set_newkeys(int mode)
} }
if (active_state->newkeys[mode] != NULL) { if (active_state->newkeys[mode] != NULL) {
debug("set_newkeys: rekeying"); debug("set_newkeys: rekeying");
@ -482,6 +473,9 @@ diff -up openssh-6.1p1/packet.c.audit4 openssh-6.1p1/packet.c
- mac = &active_state->newkeys[mode]->mac; - mac = &active_state->newkeys[mode]->mac;
- comp = &active_state->newkeys[mode]->comp; - comp = &active_state->newkeys[mode]->comp;
- mac_clear(mac); - mac_clear(mac);
- memset(enc->iv, 0, enc->iv_len);
- memset(enc->key, 0, enc->key_len);
- memset(mac->key, 0, mac->key_len);
- xfree(enc->name); - xfree(enc->name);
- xfree(enc->iv); - xfree(enc->iv);
- xfree(enc->key); - xfree(enc->key);
@ -493,7 +487,7 @@ diff -up openssh-6.1p1/packet.c.audit4 openssh-6.1p1/packet.c
} }
active_state->newkeys[mode] = kex_get_newkeys(mode); active_state->newkeys[mode] = kex_get_newkeys(mode);
if (active_state->newkeys[mode] == NULL) if (active_state->newkeys[mode] == NULL)
@@ -1921,6 +1940,47 @@ packet_get_newkeys(int mode) @@ -1971,6 +1987,47 @@ packet_get_newkeys(int mode)
return (void *)active_state->newkeys[mode]; return (void *)active_state->newkeys[mode];
} }
@ -541,7 +535,7 @@ diff -up openssh-6.1p1/packet.c.audit4 openssh-6.1p1/packet.c
/* /*
* Save the state for the real connection, and use a separate state when * Save the state for the real connection, and use a separate state when
* resuming a suspended connection. * resuming a suspended connection.
@@ -1928,18 +1988,12 @@ packet_get_newkeys(int mode) @@ -1978,18 +2035,12 @@ packet_get_newkeys(int mode)
void void
packet_backup_state(void) packet_backup_state(void)
{ {
@ -561,7 +555,7 @@ diff -up openssh-6.1p1/packet.c.audit4 openssh-6.1p1/packet.c
} }
/* /*
@@ -1956,9 +2010,7 @@ packet_restore_state(void) @@ -2006,9 +2057,7 @@ packet_restore_state(void)
backup_state = active_state; backup_state = active_state;
active_state = tmp; active_state = tmp;
active_state->connection_in = backup_state->connection_in; active_state->connection_in = backup_state->connection_in;
@ -571,7 +565,7 @@ diff -up openssh-6.1p1/packet.c.audit4 openssh-6.1p1/packet.c
len = buffer_len(&backup_state->input); len = buffer_len(&backup_state->input);
if (len > 0) { if (len > 0) {
buf = buffer_ptr(&backup_state->input); buf = buffer_ptr(&backup_state->input);
@@ -1966,4 +2018,10 @@ packet_restore_state(void) @@ -2016,4 +2065,10 @@ packet_restore_state(void)
buffer_clear(&backup_state->input); buffer_clear(&backup_state->input);
add_recv_bytes(len); add_recv_bytes(len);
} }
@ -582,19 +576,19 @@ diff -up openssh-6.1p1/packet.c.audit4 openssh-6.1p1/packet.c
+ backup_state = NULL; + backup_state = NULL;
} }
+ +
diff -up openssh-6.1p1/packet.h.audit4 openssh-6.1p1/packet.h diff -up openssh-6.2p1/packet.h.audit4 openssh-6.2p1/packet.h
--- openssh-6.1p1/packet.h.audit4 2012-02-10 22:19:21.000000000 +0100 --- openssh-6.2p1/packet.h.audit4 2012-02-10 22:19:21.000000000 +0100
+++ openssh-6.1p1/packet.h 2012-11-28 14:20:38.998185785 +0100 +++ openssh-6.2p1/packet.h 2013-03-25 17:34:16.049337834 +0100
@@ -123,4 +123,5 @@ void packet_restore_state(void); @@ -123,4 +123,5 @@ void packet_restore_state(void);
void *packet_get_input(void); void *packet_get_input(void);
void *packet_get_output(void); void *packet_get_output(void);
+void packet_destroy_all(int, int); +void packet_destroy_all(int, int);
#endif /* PACKET_H */ #endif /* PACKET_H */
diff -up openssh-6.1p1/session.c.audit4 openssh-6.1p1/session.c diff -up openssh-6.2p1/session.c.audit4 openssh-6.2p1/session.c
--- openssh-6.1p1/session.c.audit4 2012-11-28 14:20:38.983185855 +0100 --- openssh-6.2p1/session.c.audit4 2013-03-25 17:34:16.023337682 +0100
+++ openssh-6.1p1/session.c 2012-11-28 14:20:38.998185785 +0100 +++ openssh-6.2p1/session.c 2013-03-25 17:34:16.050337839 +0100
@@ -1634,6 +1634,9 @@ do_child(Session *s, const char *command @@ -1642,6 +1642,9 @@ do_child(Session *s, const char *command
/* remove hostkey from the child's memory */ /* remove hostkey from the child's memory */
destroy_sensitive_data(); destroy_sensitive_data();
@ -604,10 +598,10 @@ diff -up openssh-6.1p1/session.c.audit4 openssh-6.1p1/session.c
/* Force a password change */ /* Force a password change */
if (s->authctxt->force_pwchange) { if (s->authctxt->force_pwchange) {
diff -up openssh-6.1p1/sshd.c.audit4 openssh-6.1p1/sshd.c diff -up openssh-6.2p1/sshd.c.audit4 openssh-6.2p1/sshd.c
--- openssh-6.1p1/sshd.c.audit4 2012-11-28 14:20:38.993185808 +0100 --- openssh-6.2p1/sshd.c.audit4 2013-03-25 17:34:16.039337775 +0100
+++ openssh-6.1p1/sshd.c 2012-11-28 14:20:38.999185780 +0100 +++ openssh-6.2p1/sshd.c 2013-03-25 17:34:16.050337839 +0100
@@ -692,6 +692,8 @@ privsep_preauth(Authctxt *authctxt) @@ -701,6 +701,8 @@ privsep_preauth(Authctxt *authctxt)
} }
} }
@ -616,7 +610,7 @@ diff -up openssh-6.1p1/sshd.c.audit4 openssh-6.1p1/sshd.c
static void static void
privsep_postauth(Authctxt *authctxt) privsep_postauth(Authctxt *authctxt)
{ {
@@ -716,6 +718,10 @@ privsep_postauth(Authctxt *authctxt) @@ -725,6 +727,10 @@ privsep_postauth(Authctxt *authctxt)
else if (pmonitor->m_pid != 0) { else if (pmonitor->m_pid != 0) {
verbose("User child is on pid %ld", (long)pmonitor->m_pid); verbose("User child is on pid %ld", (long)pmonitor->m_pid);
buffer_clear(&loginmsg); buffer_clear(&loginmsg);
@ -627,7 +621,7 @@ diff -up openssh-6.1p1/sshd.c.audit4 openssh-6.1p1/sshd.c
monitor_child_postauth(pmonitor); monitor_child_postauth(pmonitor);
/* NEVERREACHED */ /* NEVERREACHED */
@@ -2016,6 +2022,7 @@ main(int ac, char **av) @@ -2033,6 +2039,7 @@ main(int ac, char **av)
*/ */
if (use_privsep) { if (use_privsep) {
mm_send_keystate(pmonitor); mm_send_keystate(pmonitor);
@ -635,7 +629,7 @@ diff -up openssh-6.1p1/sshd.c.audit4 openssh-6.1p1/sshd.c
exit(0); exit(0);
} }
@@ -2068,6 +2075,8 @@ main(int ac, char **av) @@ -2085,6 +2092,8 @@ main(int ac, char **av)
do_authenticated(authctxt); do_authenticated(authctxt);
/* The connection has been terminated. */ /* The connection has been terminated. */
@ -644,7 +638,7 @@ diff -up openssh-6.1p1/sshd.c.audit4 openssh-6.1p1/sshd.c
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes); packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes); packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
verbose("Transferred: sent %llu, received %llu bytes", verbose("Transferred: sent %llu, received %llu bytes",
@@ -2385,6 +2394,16 @@ do_ssh2_kex(void) @@ -2402,6 +2411,16 @@ do_ssh2_kex(void)
void void
cleanup_exit(int i) cleanup_exit(int i)
{ {
@ -661,7 +655,7 @@ diff -up openssh-6.1p1/sshd.c.audit4 openssh-6.1p1/sshd.c
if (the_authctxt) { if (the_authctxt) {
do_cleanup(the_authctxt); do_cleanup(the_authctxt);
if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1) { if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1) {
@@ -2395,6 +2414,8 @@ cleanup_exit(int i) @@ -2412,6 +2431,8 @@ cleanup_exit(int i)
pmonitor->m_pid, strerror(errno)); pmonitor->m_pid, strerror(errno));
} }
} }
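Review bot: The rebased set_newkeys hunk in packet.c (`@@ -754,21 +782,9 @@`) now also deletes upstream's `memset(enc->iv, 0, enc->iv_len);`, `memset(enc->key, 0, enc->key_len);` and `memset(mac->key, 0, mac->key_len);`, which the 6.1p1 version of this patch did not touch, so the replacement cleanup helper added in kex.c (only its tail, zeroing `newkeys->comp`, is visible here) and `mac_destroy()` must scrub the IV, cipher key and MAC key themselves, or the rebase silently drops key-material zeroization on rekey. I would add `/* iv/key/mac zeroization moved into the kex.c newkeys cleanup helper */` beside the call that replaces this block, once that has been confirmed against the helper's body. The old patch's removal of the "Drain any buffered messages from the child" loop in monitor_child_preauth also no longer appears on the new side; if upstream 6.2p1 changed that code, a sentence in the commit description saying so would help the next rebase. set_newkeys and the kex.c helper both continue outside the visible hunks.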


@ -1,6 +1,6 @@
diff -up openssh-6.0p1/audit-bsm.c.audit5 openssh-6.0p1/audit-bsm.c diff -up openssh-6.2p1/audit-bsm.c.audit5 openssh-6.2p1/audit-bsm.c
--- openssh-6.0p1/audit-bsm.c.audit5 2012-08-06 20:37:50.036345216 +0200 --- openssh-6.2p1/audit-bsm.c.audit5 2013-03-25 17:43:27.495526587 +0100
+++ openssh-6.0p1/audit-bsm.c 2012-08-06 20:37:50.046345177 +0200 +++ openssh-6.2p1/audit-bsm.c 2013-03-25 17:43:27.502526627 +0100
@@ -491,4 +491,22 @@ audit_session_key_free_body(int ctos, pi @@ -491,4 +491,22 @@ audit_session_key_free_body(int ctos, pi
{ {
/* not implemented */ /* not implemented */
@ -24,9 +24,9 @@ diff -up openssh-6.0p1/audit-bsm.c.audit5 openssh-6.0p1/audit-bsm.c
+ /* not implemented */ + /* not implemented */
+} +}
#endif /* BSM */ #endif /* BSM */
diff -up openssh-6.0p1/audit.c.audit5 openssh-6.0p1/audit.c diff -up openssh-6.2p1/audit.c.audit5 openssh-6.2p1/audit.c
--- openssh-6.0p1/audit.c.audit5 2012-08-06 20:37:50.036345216 +0200 --- openssh-6.2p1/audit.c.audit5 2013-03-25 17:43:27.495526587 +0100
+++ openssh-6.0p1/audit.c 2012-08-06 20:37:50.047345173 +0200 +++ openssh-6.2p1/audit.c 2013-03-25 17:43:27.502526627 +0100
@@ -290,5 +290,24 @@ audit_session_key_free_body(int ctos, pi @@ -290,5 +290,24 @@ audit_session_key_free_body(int ctos, pi
debug("audit session key discard euid %u direction %d from pid %ld uid %u", debug("audit session key discard euid %u direction %d from pid %ld uid %u",
(unsigned)geteuid(), ctos, (long)pid, (unsigned)uid); (unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
@ -52,9 +52,9 @@ diff -up openssh-6.0p1/audit.c.audit5 openssh-6.0p1/audit.c
+} +}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff -up openssh-6.0p1/audit.h.audit5 openssh-6.0p1/audit.h diff -up openssh-6.2p1/audit.h.audit5 openssh-6.2p1/audit.h
--- openssh-6.0p1/audit.h.audit5 2012-08-06 20:37:50.037345212 +0200 --- openssh-6.2p1/audit.h.audit5 2013-03-25 17:43:27.496526593 +0100
+++ openssh-6.0p1/audit.h 2012-08-06 20:37:50.047345173 +0200 +++ openssh-6.2p1/audit.h 2013-03-25 17:43:27.502526627 +0100
@@ -48,6 +48,8 @@ enum ssh_audit_event_type { @@ -48,6 +48,8 @@ enum ssh_audit_event_type {
}; };
typedef enum ssh_audit_event_type ssh_audit_event_t; typedef enum ssh_audit_event_type ssh_audit_event_t;
@ -72,9 +72,9 @@ diff -up openssh-6.0p1/audit.h.audit5 openssh-6.0p1/audit.h
+void audit_generate_ephemeral_server_key(const char *); +void audit_generate_ephemeral_server_key(const char *);
#endif /* _SSH_AUDIT_H */ #endif /* _SSH_AUDIT_H */
diff -up openssh-6.0p1/audit-linux.c.audit5 openssh-6.0p1/audit-linux.c diff -up openssh-6.2p1/audit-linux.c.audit5 openssh-6.2p1/audit-linux.c
--- openssh-6.0p1/audit-linux.c.audit5 2012-08-06 20:37:50.037345212 +0200 --- openssh-6.2p1/audit-linux.c.audit5 2013-03-25 17:43:27.496526593 +0100
+++ openssh-6.0p1/audit-linux.c 2012-08-06 20:37:50.046345177 +0200 +++ openssh-6.2p1/audit-linux.c 2013-03-25 17:43:27.503526633 +0100
@@ -356,4 +356,50 @@ audit_session_key_free_body(int ctos, pi @@ -356,4 +356,50 @@ audit_session_key_free_body(int ctos, pi
error("cannot write into audit"); error("cannot write into audit");
} }
@ -126,10 +126,10 @@ diff -up openssh-6.0p1/audit-linux.c.audit5 openssh-6.0p1/audit-linux.c
+ error("cannot write into audit"); + error("cannot write into audit");
+} +}
#endif /* USE_LINUX_AUDIT */ #endif /* USE_LINUX_AUDIT */
diff -up openssh-6.0p1/key.c.audit5 openssh-6.0p1/key.c diff -up openssh-6.2p1/key.c.audit5 openssh-6.2p1/key.c
--- openssh-6.0p1/key.c.audit5 2012-08-06 20:37:49.992345388 +0200 --- openssh-6.2p1/key.c.audit5 2013-03-25 17:43:27.465526415 +0100
+++ openssh-6.0p1/key.c 2012-08-06 20:37:50.048345169 +0200 +++ openssh-6.2p1/key.c 2013-03-25 17:43:27.503526633 +0100
@@ -1794,6 +1794,30 @@ key_demote(const Key *k) @@ -1809,6 +1809,30 @@ key_demote(const Key *k)
} }
int int
@ -160,10 +160,10 @@ diff -up openssh-6.0p1/key.c.audit5 openssh-6.0p1/key.c
key_is_cert(const Key *k) key_is_cert(const Key *k)
{ {
if (k == NULL) if (k == NULL)
diff -up openssh-6.0p1/key.h.audit5 openssh-6.0p1/key.h diff -up openssh-6.2p1/key.h.audit5 openssh-6.2p1/key.h
--- openssh-6.0p1/key.h.audit5 2012-08-06 20:37:49.993345384 +0200 --- openssh-6.2p1/key.h.audit5 2013-03-25 17:43:27.465526415 +0100
+++ openssh-6.0p1/key.h 2012-08-06 20:37:50.049345165 +0200 +++ openssh-6.2p1/key.h 2013-03-25 17:43:27.503526633 +0100
@@ -109,6 +109,7 @@ Key *key_generate(int, u_int); @@ -110,6 +110,7 @@ Key *key_generate(int, u_int);
Key *key_from_private(const Key *); Key *key_from_private(const Key *);
int key_type_from_name(char *); int key_type_from_name(char *);
int key_is_cert(const Key *); int key_is_cert(const Key *);
@ -171,9 +171,9 @@ diff -up openssh-6.0p1/key.h.audit5 openssh-6.0p1/key.h
int key_type_plain(int); int key_type_plain(int);
int key_to_certified(Key *, int); int key_to_certified(Key *, int);
int key_drop_cert(Key *); int key_drop_cert(Key *);
diff -up openssh-6.0p1/monitor.c.audit5 openssh-6.0p1/monitor.c diff -up openssh-6.2p1/monitor.c.audit5 openssh-6.2p1/monitor.c
--- openssh-6.0p1/monitor.c.audit5 2012-08-06 20:37:50.040345200 +0200 --- openssh-6.2p1/monitor.c.audit5 2013-03-25 17:43:27.497526599 +0100
+++ openssh-6.0p1/monitor.c 2012-08-06 20:37:50.049345165 +0200 +++ openssh-6.2p1/monitor.c 2013-03-25 17:43:27.504526639 +0100
@@ -114,6 +114,8 @@ extern Buffer auth_debug; @@ -114,6 +114,8 @@ extern Buffer auth_debug;
extern int auth_debug_init; extern int auth_debug_init;
extern Buffer loginmsg; extern Buffer loginmsg;
@ -223,7 +223,7 @@ diff -up openssh-6.0p1/monitor.c.audit5 openssh-6.0p1/monitor.c
#endif #endif
{0, 0, NULL} {0, 0, NULL}
}; };
@@ -1744,6 +1751,8 @@ mm_answer_term(int sock, Buffer *req) @@ -1752,6 +1759,8 @@ mm_answer_term(int sock, Buffer *req)
sshpam_cleanup(); sshpam_cleanup();
#endif #endif
@ -232,7 +232,7 @@ diff -up openssh-6.0p1/monitor.c.audit5 openssh-6.0p1/monitor.c
while (waitpid(pmonitor->m_pid, &status, 0) == -1) while (waitpid(pmonitor->m_pid, &status, 0) == -1)
if (errno != EINTR) if (errno != EINTR)
exit(1); exit(1);
@@ -2485,4 +2494,25 @@ mm_answer_audit_session_key_free_body(in @@ -2491,4 +2500,25 @@ mm_answer_audit_session_key_free_body(in
mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m); mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);
return 0; return 0;
} }
@ -258,21 +258,23 @@ diff -up openssh-6.0p1/monitor.c.audit5 openssh-6.0p1/monitor.c
+ return 0; + return 0;
+} +}
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff -up openssh-6.0p1/monitor.h.audit5 openssh-6.0p1/monitor.h diff -up openssh-6.2p1/monitor.h.audit5 openssh-6.2p1/monitor.h
--- openssh-6.0p1/monitor.h.audit5 2012-08-06 20:37:50.040345200 +0200 --- openssh-6.2p1/monitor.h.audit5 2013-03-25 17:43:27.504526639 +0100
+++ openssh-6.0p1/monitor.h 2012-08-06 20:37:50.050345161 +0200 +++ openssh-6.2p1/monitor.h 2013-03-25 17:44:08.717763090 +0100
@@ -64,6 +64,7 @@ enum monitor_reqtype { @@ -73,7 +73,8 @@ enum monitor_reqtype {
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED, MONITOR_REQ_AUDIT_END_COMMAND = 116,
MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX, MONITOR_REQ_AUDIT_UNSUPPORTED = 118, MONITOR_ANS_AUDIT_UNSUPPORTED = 119,
MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, MONITOR_REQ_AUDIT_KEX = 120, MONITOR_ANS_AUDIT_KEX = 121,
+ MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MONITOR_ANS_AUDIT_SERVER_KEY_FREE, - MONITOR_REQ_AUDIT_SESSION_KEY_FREE = 122, MONITOR_ANS_AUDIT_SESSION_KEY_FREE = 123
MONITOR_REQ_TERM, + MONITOR_REQ_AUDIT_SESSION_KEY_FREE = 122, MONITOR_ANS_AUDIT_SESSION_KEY_FREE = 123,
MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1, + MONITOR_REQ_AUDIT_SERVER_KEY_FREE = 124, MONITOR_ANS_AUDIT_SERVER_KEY_FREE = 125
MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
diff -up openssh-6.0p1/monitor_wrap.c.audit5 openssh-6.0p1/monitor_wrap.c };
--- openssh-6.0p1/monitor_wrap.c.audit5 2012-08-06 20:37:50.041345196 +0200
+++ openssh-6.0p1/monitor_wrap.c 2012-08-06 20:37:50.050345161 +0200 diff -up openssh-6.2p1/monitor_wrap.c.audit5 openssh-6.2p1/monitor_wrap.c
@@ -1539,4 +1539,20 @@ mm_audit_session_key_free_body(int ctos, --- openssh-6.2p1/monitor_wrap.c.audit5 2013-03-25 17:43:27.498526604 +0100
+++ openssh-6.2p1/monitor_wrap.c 2013-03-25 17:43:27.505526645 +0100
@@ -1540,4 +1540,20 @@ mm_audit_session_key_free_body(int ctos,
&m); &m);
buffer_free(&m); buffer_free(&m);
} }
@ -293,9 +295,9 @@ diff -up openssh-6.0p1/monitor_wrap.c.audit5 openssh-6.0p1/monitor_wrap.c
+ buffer_free(&m); + buffer_free(&m);
+} +}
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff -up openssh-6.0p1/monitor_wrap.h.audit5 openssh-6.0p1/monitor_wrap.h diff -up openssh-6.2p1/monitor_wrap.h.audit5 openssh-6.2p1/monitor_wrap.h
--- openssh-6.0p1/monitor_wrap.h.audit5 2012-08-06 20:37:50.041345196 +0200 --- openssh-6.2p1/monitor_wrap.h.audit5 2013-03-25 17:43:27.498526604 +0100
+++ openssh-6.0p1/monitor_wrap.h 2012-08-06 20:37:50.051345157 +0200 +++ openssh-6.2p1/monitor_wrap.h 2013-03-25 17:43:27.505526645 +0100
@@ -80,6 +80,7 @@ void mm_audit_end_command(int, const cha @@ -80,6 +80,7 @@ void mm_audit_end_command(int, const cha
void mm_audit_unsupported_body(int); void mm_audit_unsupported_body(int);
void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t); void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
@ -304,9 +306,9 @@ diff -up openssh-6.0p1/monitor_wrap.h.audit5 openssh-6.0p1/monitor_wrap.h
#endif #endif
struct Session; struct Session;
diff -up openssh-6.0p1/session.c.audit5 openssh-6.0p1/session.c diff -up openssh-6.2p1/session.c.audit5 openssh-6.2p1/session.c
--- openssh-6.0p1/session.c.audit5 2012-08-06 20:37:50.043345189 +0200 --- openssh-6.2p1/session.c.audit5 2013-03-25 17:43:27.499526610 +0100
+++ openssh-6.0p1/session.c 2012-08-06 20:37:50.052345153 +0200 +++ openssh-6.2p1/session.c 2013-03-25 17:43:27.506526650 +0100
@@ -136,7 +136,7 @@ extern int log_stderr; @@ -136,7 +136,7 @@ extern int log_stderr;
extern int debug_flag; extern int debug_flag;
extern u_int utmp_len; extern u_int utmp_len;
@ -316,7 +318,7 @@ diff -up openssh-6.0p1/session.c.audit5 openssh-6.0p1/session.c
extern Buffer loginmsg; extern Buffer loginmsg;
/* original command from peer. */ /* original command from peer. */
@@ -1633,7 +1633,7 @@ do_child(Session *s, const char *command @@ -1641,7 +1641,7 @@ do_child(Session *s, const char *command
int r = 0; int r = 0;
/* remove hostkey from the child's memory */ /* remove hostkey from the child's memory */
@ -325,9 +327,9 @@ diff -up openssh-6.0p1/session.c.audit5 openssh-6.0p1/session.c
/* Don't audit this - both us and the parent would be talking to the /* Don't audit this - both us and the parent would be talking to the
monitor over a single socket, with no synchronization. */ monitor over a single socket, with no synchronization. */
packet_destroy_all(0, 1); packet_destroy_all(0, 1);
diff -up openssh-6.0p1/sshd.c.audit5 openssh-6.0p1/sshd.c diff -up openssh-6.2p1/sshd.c.audit5 openssh-6.2p1/sshd.c
--- openssh-6.0p1/sshd.c.audit5 2012-08-06 20:37:50.044345185 +0200 --- openssh-6.2p1/sshd.c.audit5 2013-03-25 17:43:27.500526616 +0100
+++ openssh-6.0p1/sshd.c 2012-08-06 20:37:50.053345149 +0200 +++ openssh-6.2p1/sshd.c 2013-03-25 17:43:27.506526650 +0100
@@ -255,7 +255,7 @@ Buffer loginmsg; @@ -255,7 +255,7 @@ Buffer loginmsg;
struct passwd *privsep_pw = NULL; struct passwd *privsep_pw = NULL;
@ -353,7 +355,7 @@ diff -up openssh-6.0p1/sshd.c.audit5 openssh-6.0p1/sshd.c
static void static void
close_startup_pipes(void) close_startup_pipes(void)
{ {
@@ -534,22 +543,47 @@ sshd_exchange_identification(int sock_in @@ -545,22 +554,47 @@ sshd_exchange_identification(int sock_in
} }
} }
@ -404,7 +406,7 @@ diff -up openssh-6.0p1/sshd.c.audit5 openssh-6.0p1/sshd.c
key_free(sensitive_data.host_certificates[i]); key_free(sensitive_data.host_certificates[i]);
sensitive_data.host_certificates[i] = NULL; sensitive_data.host_certificates[i] = NULL;
} }
@@ -563,6 +597,8 @@ void @@ -574,6 +608,8 @@ void
demote_sensitive_data(void) demote_sensitive_data(void)
{ {
Key *tmp; Key *tmp;
@ -413,7 +415,7 @@ diff -up openssh-6.0p1/sshd.c.audit5 openssh-6.0p1/sshd.c
int i; int i;
if (sensitive_data.server_key) { if (sensitive_data.server_key) {
@@ -571,13 +607,27 @@ demote_sensitive_data(void) @@ -582,13 +618,27 @@ demote_sensitive_data(void)
sensitive_data.server_key = tmp; sensitive_data.server_key = tmp;
} }
@ -441,7 +443,7 @@ diff -up openssh-6.0p1/sshd.c.audit5 openssh-6.0p1/sshd.c
} }
/* Certs do not need demotion */ /* Certs do not need demotion */
} }
@@ -1149,6 +1199,7 @@ server_accept_loop(int *sock_in, int *so @@ -1160,6 +1210,7 @@ server_accept_loop(int *sock_in, int *so
if (received_sigterm) { if (received_sigterm) {
logit("Received signal %d; terminating.", logit("Received signal %d; terminating.",
(int) received_sigterm); (int) received_sigterm);
@ -449,7 +451,7 @@ diff -up openssh-6.0p1/sshd.c.audit5 openssh-6.0p1/sshd.c
close_listen_socks(); close_listen_socks();
unlink(options.pid_file); unlink(options.pid_file);
exit(received_sigterm == SIGTERM ? 0 : 255); exit(received_sigterm == SIGTERM ? 0 : 255);
@@ -2054,7 +2105,7 @@ main(int ac, char **av) @@ -2082,7 +2133,7 @@ main(int ac, char **av)
privsep_postauth(authctxt); privsep_postauth(authctxt);
/* the monitor process [priv] will not return */ /* the monitor process [priv] will not return */
if (!compat20) if (!compat20)
@ -458,7 +460,7 @@ diff -up openssh-6.0p1/sshd.c.audit5 openssh-6.0p1/sshd.c
} }
packet_set_timeout(options.client_alive_interval, packet_set_timeout(options.client_alive_interval,
@@ -2065,6 +2116,7 @@ main(int ac, char **av) @@ -2093,6 +2144,7 @@ main(int ac, char **av)
/* The connection has been terminated. */ /* The connection has been terminated. */
packet_destroy_all(1, 1); packet_destroy_all(1, 1);
@ -466,7 +468,7 @@ diff -up openssh-6.0p1/sshd.c.audit5 openssh-6.0p1/sshd.c
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes); packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes); packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
@@ -2293,7 +2345,7 @@ do_ssh1_kex(void) @@ -2321,7 +2373,7 @@ do_ssh1_kex(void)
session_id[i] = session_key[i] ^ session_key[i + 16]; session_id[i] = session_key[i] ^ session_key[i + 16];
} }
/* Destroy the private and public keys. No longer. */ /* Destroy the private and public keys. No longer. */
@ -475,7 +477,7 @@ diff -up openssh-6.0p1/sshd.c.audit5 openssh-6.0p1/sshd.c
if (use_privsep) if (use_privsep)
mm_ssh1_session_id(session_id); mm_ssh1_session_id(session_id);
@@ -2404,6 +2456,8 @@ cleanup_exit(int i) @@ -2432,6 +2484,8 @@ cleanup_exit(int i)
} }
} }
is_privsep_child = use_privsep && pmonitor != NULL && !mm_is_monitor(); is_privsep_child = use_privsep && pmonitor != NULL && !mm_is_monitor();


@ -1,6 +1,6 @@
diff -up openssh-6.1p1/auth-pam.c.coverity openssh-6.1p1/auth-pam.c diff -up openssh-6.2p1/auth-pam.c.coverity openssh-6.2p1/auth-pam.c
--- openssh-6.1p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200 --- openssh-6.2p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200
+++ openssh-6.1p1/auth-pam.c 2012-09-14 21:16:41.264906486 +0200 +++ openssh-6.2p1/auth-pam.c 2013-03-22 09:49:37.341595458 +0100
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void * @@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
if (sshpam_thread_status != -1) if (sshpam_thread_status != -1)
return (sshpam_thread_status); return (sshpam_thread_status);
@ -15,30 +15,9 @@ diff -up openssh-6.1p1/auth-pam.c.coverity openssh-6.1p1/auth-pam.c
return (status); return (status);
} }
#endif #endif
diff -up openssh-6.1p1/clientloop.c.coverity openssh-6.1p1/clientloop.c diff -up openssh-6.2p1/channels.c.coverity openssh-6.2p1/channels.c
--- openssh-6.1p1/clientloop.c.coverity 2012-06-20 14:31:27.000000000 +0200 --- openssh-6.2p1/channels.c.coverity 2012-12-02 23:50:55.000000000 +0100
+++ openssh-6.1p1/clientloop.c 2012-09-14 21:16:41.267906501 +0200 +++ openssh-6.2p1/channels.c 2013-03-22 09:49:37.344595444 +0100
@@ -2006,14 +2006,15 @@ client_input_global_request(int type, u_
char *rtype;
int want_reply;
int success = 0;
+/* success is still 0 the packet is allways SSH2_MSG_REQUEST_FAILURE, isn't it? */
rtype = packet_get_string(NULL);
want_reply = packet_get_char();
debug("client_input_global_request: rtype %s want_reply %d",
rtype, want_reply);
if (want_reply) {
- packet_start(success ?
- SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE);
+ packet_start(/*success ?
+ SSH2_MSG_REQUEST_SUCCESS :*/ SSH2_MSG_REQUEST_FAILURE);
packet_send();
packet_write_wait();
}
diff -up openssh-6.1p1/channels.c.coverity openssh-6.1p1/channels.c
--- openssh-6.1p1/channels.c.coverity 2012-04-23 10:21:05.000000000 +0200
+++ openssh-6.1p1/channels.c 2012-09-14 21:16:41.272906528 +0200
@@ -232,11 +232,11 @@ channel_register_fds(Channel *c, int rfd @@ -232,11 +232,11 @@ channel_register_fds(Channel *c, int rfd
channel_max_fd = MAX(channel_max_fd, wfd); channel_max_fd = MAX(channel_max_fd, wfd);
channel_max_fd = MAX(channel_max_fd, efd); channel_max_fd = MAX(channel_max_fd, efd);
@ -69,9 +48,30 @@ diff -up openssh-6.1p1/channels.c.coverity openssh-6.1p1/channels.c
set_nonblock(efd); set_nonblock(efd);
} }
} }
diff -up openssh-6.1p1/key.c.coverity openssh-6.1p1/key.c diff -up openssh-6.2p1/clientloop.c.coverity openssh-6.2p1/clientloop.c
--- openssh-6.1p1/key.c.coverity 2012-06-30 12:05:02.000000000 +0200 --- openssh-6.2p1/clientloop.c.coverity 2013-01-09 05:55:51.000000000 +0100
+++ openssh-6.1p1/key.c 2012-09-14 21:16:41.274906537 +0200 +++ openssh-6.2p1/clientloop.c 2013-03-22 09:49:37.342595453 +0100
@@ -2061,14 +2061,15 @@ client_input_global_request(int type, u_
char *rtype;
int want_reply;
int success = 0;
+/* success is still 0 the packet is allways SSH2_MSG_REQUEST_FAILURE, isn't it? */
rtype = packet_get_string(NULL);
want_reply = packet_get_char();
debug("client_input_global_request: rtype %s want_reply %d",
rtype, want_reply);
if (want_reply) {
- packet_start(success ?
- SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE);
+ packet_start(/*success ?
+ SSH2_MSG_REQUEST_SUCCESS :*/ SSH2_MSG_REQUEST_FAILURE);
packet_send();
packet_write_wait();
}
diff -up openssh-6.2p1/key.c.coverity openssh-6.2p1/key.c
--- openssh-6.2p1/key.c.coverity 2013-01-18 01:44:05.000000000 +0100
+++ openssh-6.2p1/key.c 2013-03-22 09:49:37.345595440 +0100
@@ -808,8 +808,10 @@ key_read(Key *ret, char **cpp) @@ -808,8 +808,10 @@ key_read(Key *ret, char **cpp)
success = 1; success = 1;
/*XXXX*/ /*XXXX*/
@ -83,19 +83,19 @@ diff -up openssh-6.1p1/key.c.coverity openssh-6.1p1/key.c
/* advance cp: skip whitespace and data */ /* advance cp: skip whitespace and data */
while (*cp == ' ' || *cp == '\t') while (*cp == ' ' || *cp == '\t')
cp++; cp++;
diff -up openssh-6.1p1/monitor.c.coverity openssh-6.1p1/monitor.c diff -up openssh-6.2p1/monitor.c.coverity openssh-6.2p1/monitor.c
--- openssh-6.1p1/monitor.c.coverity 2012-06-30 00:33:17.000000000 +0200 --- openssh-6.2p1/monitor.c.coverity 2012-12-12 00:44:39.000000000 +0100
+++ openssh-6.1p1/monitor.c 2012-09-14 21:16:41.277906552 +0200 +++ openssh-6.2p1/monitor.c 2013-03-22 12:19:55.189921353 +0100
@@ -420,7 +420,7 @@ monitor_child_preauth(Authctxt *_authctx @@ -449,7 +449,7 @@ monitor_child_preauth(Authctxt *_authctx
} mm_get_keystate(pmonitor);
/* Drain any buffered messages from the child */ /* Drain any buffered messages from the child */
- while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) - while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
+ while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0) + while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
; ;
if (!authctxt->valid) close(pmonitor->m_sendfd);
@@ -1159,6 +1159,10 @@ mm_answer_keyallowed(int sock, Buffer *m @@ -1194,6 +1194,10 @@ mm_answer_keyallowed(int sock, Buffer *m
break; break;
} }
} }
@ -106,7 +106,7 @@ diff -up openssh-6.1p1/monitor.c.coverity openssh-6.1p1/monitor.c
if (key != NULL) if (key != NULL)
key_free(key); key_free(key);
@@ -1180,9 +1184,6 @@ mm_answer_keyallowed(int sock, Buffer *m @@ -1216,9 +1220,6 @@ mm_answer_keyallowed(int sock, Buffer *m
xfree(chost); xfree(chost);
} }
@ -116,10 +116,10 @@ diff -up openssh-6.1p1/monitor.c.coverity openssh-6.1p1/monitor.c
buffer_clear(m); buffer_clear(m);
buffer_put_int(m, allowed); buffer_put_int(m, allowed);
buffer_put_int(m, forced_command != NULL); buffer_put_int(m, forced_command != NULL);
diff -up openssh-6.1p1/monitor_wrap.c.coverity openssh-6.1p1/monitor_wrap.c diff -up openssh-6.2p1/monitor_wrap.c.coverity openssh-6.2p1/monitor_wrap.c
--- openssh-6.1p1/monitor_wrap.c.coverity 2011-06-20 06:42:23.000000000 +0200 --- openssh-6.2p1/monitor_wrap.c.coverity 2013-01-09 06:12:19.000000000 +0100
+++ openssh-6.1p1/monitor_wrap.c 2012-09-14 21:16:41.280906568 +0200 +++ openssh-6.2p1/monitor_wrap.c 2013-03-22 09:49:37.347595431 +0100
@@ -707,10 +707,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, @@ -708,10 +708,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 || if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) { (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
error("%s: cannot allocate fds for pty", __func__); error("%s: cannot allocate fds for pty", __func__);
@ -133,9 +133,9 @@ diff -up openssh-6.1p1/monitor_wrap.c.coverity openssh-6.1p1/monitor_wrap.c
return 0; return 0;
} }
close(tmp1); close(tmp1);
diff -up openssh-6.1p1/openbsd-compat/bindresvport.c.coverity openssh-6.1p1/openbsd-compat/bindresvport.c diff -up openssh-6.2p1/openbsd-compat/bindresvport.c.coverity openssh-6.2p1/openbsd-compat/bindresvport.c
--- openssh-6.1p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100 --- openssh-6.2p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100
+++ openssh-6.1p1/openbsd-compat/bindresvport.c 2012-09-14 21:16:41.281906573 +0200 +++ openssh-6.2p1/openbsd-compat/bindresvport.c 2013-03-22 09:49:37.347595431 +0100
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr @@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
struct sockaddr_in6 *in6; struct sockaddr_in6 *in6;
u_int16_t *portp; u_int16_t *portp;
@ -145,10 +145,10 @@ diff -up openssh-6.1p1/openbsd-compat/bindresvport.c.coverity openssh-6.1p1/open
int i; int i;
if (sa == NULL) { if (sa == NULL) {
diff -up openssh-6.1p1/packet.c.coverity openssh-6.1p1/packet.c diff -up openssh-6.2p1/packet.c.coverity openssh-6.2p1/packet.c
--- openssh-6.1p1/packet.c.coverity 2012-03-09 00:28:07.000000000 +0100 --- openssh-6.2p1/packet.c.coverity 2013-02-12 01:03:59.000000000 +0100
+++ openssh-6.1p1/packet.c 2012-09-14 21:16:41.284906588 +0200 +++ openssh-6.2p1/packet.c 2013-03-22 09:49:37.348595426 +0100
@@ -1177,6 +1177,7 @@ packet_read_poll1(void) @@ -1192,6 +1192,7 @@ packet_read_poll1(void)
case DEATTACK_DETECTED: case DEATTACK_DETECTED:
packet_disconnect("crc32 compensation attack: " packet_disconnect("crc32 compensation attack: "
"network attack detected"); "network attack detected");
@ -156,7 +156,7 @@ diff -up openssh-6.1p1/packet.c.coverity openssh-6.1p1/packet.c
case DEATTACK_DOS_DETECTED: case DEATTACK_DOS_DETECTED:
packet_disconnect("deattack denial of " packet_disconnect("deattack denial of "
"service detected"); "service detected");
@@ -1678,7 +1679,7 @@ void @@ -1728,7 +1729,7 @@ void
packet_write_wait(void) packet_write_wait(void)
{ {
fd_set *setp; fd_set *setp;
@ -165,9 +165,9 @@ diff -up openssh-6.1p1/packet.c.coverity openssh-6.1p1/packet.c
struct timeval start, timeout, *timeoutp = NULL; struct timeval start, timeout, *timeoutp = NULL;
setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1, setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1,
diff -up openssh-6.1p1/progressmeter.c.coverity openssh-6.1p1/progressmeter.c diff -up openssh-6.2p1/progressmeter.c.coverity openssh-6.2p1/progressmeter.c
--- openssh-6.1p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200 --- openssh-6.2p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200
+++ openssh-6.1p1/progressmeter.c 2012-09-14 21:16:41.285906593 +0200 +++ openssh-6.2p1/progressmeter.c 2013-03-22 09:49:37.349595422 +0100
@@ -65,7 +65,7 @@ static void update_progress_meter(int); @@ -65,7 +65,7 @@ static void update_progress_meter(int);
static time_t start; /* start progress */ static time_t start; /* start progress */
@ -186,9 +186,9 @@ diff -up openssh-6.1p1/progressmeter.c.coverity openssh-6.1p1/progressmeter.c
{ {
start = last_update = time(NULL); start = last_update = time(NULL);
file = f; file = f;
diff -up openssh-6.1p1/progressmeter.h.coverity openssh-6.1p1/progressmeter.h diff -up openssh-6.2p1/progressmeter.h.coverity openssh-6.2p1/progressmeter.h
--- openssh-6.1p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200 --- openssh-6.2p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200
+++ openssh-6.1p1/progressmeter.h 2012-09-14 21:16:41.286906598 +0200 +++ openssh-6.2p1/progressmeter.h 2013-03-22 09:49:37.349595422 +0100
@@ -23,5 +23,5 @@ @@ -23,5 +23,5 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/ */
@ -196,9 +196,9 @@ diff -up openssh-6.1p1/progressmeter.h.coverity openssh-6.1p1/progressmeter.h
-void start_progress_meter(char *, off_t, off_t *); -void start_progress_meter(char *, off_t, off_t *);
+void start_progress_meter(const char *, off_t, off_t *); +void start_progress_meter(const char *, off_t, off_t *);
void stop_progress_meter(void); void stop_progress_meter(void);
diff -up openssh-6.1p1/scp.c.coverity openssh-6.1p1/scp.c diff -up openssh-6.2p1/scp.c.coverity openssh-6.2p1/scp.c
--- openssh-6.1p1/scp.c.coverity 2011-09-22 13:38:01.000000000 +0200 --- openssh-6.2p1/scp.c.coverity 2013-03-20 02:55:15.000000000 +0100
+++ openssh-6.1p1/scp.c 2012-09-14 21:16:41.288906608 +0200 +++ openssh-6.2p1/scp.c 2013-03-22 09:49:37.349595422 +0100
@@ -155,7 +155,7 @@ killchild(int signo) @@ -155,7 +155,7 @@ killchild(int signo)
{ {
if (do_cmd_pid > 1) { if (do_cmd_pid > 1) {
@ -208,10 +208,10 @@ diff -up openssh-6.1p1/scp.c.coverity openssh-6.1p1/scp.c
} }
if (signo) if (signo)
diff -up openssh-6.1p1/servconf.c.coverity openssh-6.1p1/servconf.c diff -up openssh-6.2p1/servconf.c.coverity openssh-6.2p1/servconf.c
--- openssh-6.1p1/servconf.c.coverity 2012-07-31 04:22:38.000000000 +0200 --- openssh-6.2p1/servconf.c.coverity 2013-02-12 01:02:08.000000000 +0100
+++ openssh-6.1p1/servconf.c 2012-09-14 21:16:41.291906623 +0200 +++ openssh-6.2p1/servconf.c 2013-03-22 09:49:37.350595418 +0100
@@ -1249,7 +1249,7 @@ process_server_config_line(ServerOptions @@ -1268,7 +1268,7 @@ process_server_config_line(ServerOptions
fatal("%s line %d: Missing subsystem name.", fatal("%s line %d: Missing subsystem name.",
filename, linenum); filename, linenum);
if (!*activep) { if (!*activep) {
@ -220,7 +220,7 @@ diff -up openssh-6.1p1/servconf.c.coverity openssh-6.1p1/servconf.c
break; break;
} }
for (i = 0; i < options->num_subsystems; i++) for (i = 0; i < options->num_subsystems; i++)
@@ -1340,8 +1340,9 @@ process_server_config_line(ServerOptions @@ -1359,8 +1359,9 @@ process_server_config_line(ServerOptions
if (*activep && *charptr == NULL) { if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid()); *charptr = tilde_expand_filename(arg, getuid());
/* increase optional counter */ /* increase optional counter */
@ -232,9 +232,9 @@ diff -up openssh-6.1p1/servconf.c.coverity openssh-6.1p1/servconf.c
} }
break; break;
diff -up openssh-6.1p1/serverloop.c.coverity openssh-6.1p1/serverloop.c diff -up openssh-6.2p1/serverloop.c.coverity openssh-6.2p1/serverloop.c
--- openssh-6.1p1/serverloop.c.coverity 2012-06-20 14:31:27.000000000 +0200 --- openssh-6.2p1/serverloop.c.coverity 2012-12-07 03:07:47.000000000 +0100
+++ openssh-6.1p1/serverloop.c 2012-09-14 21:16:41.294906638 +0200 +++ openssh-6.2p1/serverloop.c 2013-03-22 09:49:37.351595413 +0100
@@ -147,13 +147,13 @@ notify_setup(void) @@ -147,13 +147,13 @@ notify_setup(void)
static void static void
notify_parent(void) notify_parent(void)
@ -335,7 +335,7 @@ diff -up openssh-6.1p1/serverloop.c.coverity openssh-6.1p1/serverloop.c
pty_change_window_size(fdin, row, col, xpixel, ypixel); pty_change_window_size(fdin, row, col, xpixel, ypixel);
} }
@@ -996,7 +996,7 @@ server_request_tun(void) @@ -1003,7 +1003,7 @@ server_request_tun(void)
} }
tun = packet_get_int(); tun = packet_get_int();
@ -344,10 +344,10 @@ diff -up openssh-6.1p1/serverloop.c.coverity openssh-6.1p1/serverloop.c
if (tun != SSH_TUNID_ANY && forced_tun_device != tun) if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
goto done; goto done;
tun = forced_tun_device; tun = forced_tun_device;
diff -up openssh-6.1p1/sftp.c.coverity openssh-6.1p1/sftp.c diff -up openssh-6.2p1/sftp.c.coverity openssh-6.2p1/sftp.c
--- openssh-6.1p1/sftp.c.coverity 2012-06-30 00:33:32.000000000 +0200 --- openssh-6.2p1/sftp.c.coverity 2013-02-22 23:12:24.000000000 +0100
+++ openssh-6.1p1/sftp.c 2012-09-14 21:16:41.297906653 +0200 +++ openssh-6.2p1/sftp.c 2013-03-22 09:49:37.352595409 +0100
@@ -206,7 +206,7 @@ killchild(int signo) @@ -202,7 +202,7 @@ killchild(int signo)
{ {
if (sshpid > 1) { if (sshpid > 1) {
kill(sshpid, SIGTERM); kill(sshpid, SIGTERM);
@ -356,7 +356,7 @@ diff -up openssh-6.1p1/sftp.c.coverity openssh-6.1p1/sftp.c
} }
_exit(1); _exit(1);
@@ -316,7 +316,7 @@ local_do_ls(const char *args) @@ -312,7 +312,7 @@ local_do_ls(const char *args)
/* Strip one path (usually the pwd) from the start of another */ /* Strip one path (usually the pwd) from the start of another */
static char * static char *
@ -365,7 +365,7 @@ diff -up openssh-6.1p1/sftp.c.coverity openssh-6.1p1/sftp.c
{ {
size_t len; size_t len;
@@ -334,7 +334,7 @@ path_strip(char *path, char *strip) @@ -330,7 +330,7 @@ path_strip(char *path, char *strip)
} }
static char * static char *
@ -374,7 +374,7 @@ diff -up openssh-6.1p1/sftp.c.coverity openssh-6.1p1/sftp.c
{ {
char *abs_str; char *abs_str;
@@ -482,7 +482,7 @@ parse_df_flags(const char *cmd, char **a @@ -478,7 +478,7 @@ parse_df_flags(const char *cmd, char **a
} }
static int static int
@ -383,7 +383,7 @@ diff -up openssh-6.1p1/sftp.c.coverity openssh-6.1p1/sftp.c
{ {
struct stat sb; struct stat sb;
@@ -494,7 +494,7 @@ is_dir(char *path) @@ -490,7 +490,7 @@ is_dir(char *path)
} }
static int static int
@ -392,7 +392,7 @@ diff -up openssh-6.1p1/sftp.c.coverity openssh-6.1p1/sftp.c
{ {
Attrib *a; Attrib *a;
@@ -508,7 +508,7 @@ remote_is_dir(struct sftp_conn *conn, ch @@ -504,7 +504,7 @@ remote_is_dir(struct sftp_conn *conn, ch
/* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */ /* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
static int static int
@ -401,7 +401,7 @@ diff -up openssh-6.1p1/sftp.c.coverity openssh-6.1p1/sftp.c
{ {
size_t l = strlen(pathname); size_t l = strlen(pathname);
@@ -516,7 +516,7 @@ pathname_is_dir(char *pathname) @@ -512,7 +512,7 @@ pathname_is_dir(char *pathname)
} }
static int static int
@ -410,7 +410,7 @@ diff -up openssh-6.1p1/sftp.c.coverity openssh-6.1p1/sftp.c
int pflag, int rflag) int pflag, int rflag)
{ {
char *abs_src = NULL; char *abs_src = NULL;
@@ -590,7 +590,7 @@ out: @@ -586,7 +586,7 @@ out:
} }
static int static int
@ -419,7 +419,7 @@ diff -up openssh-6.1p1/sftp.c.coverity openssh-6.1p1/sftp.c
int pflag, int rflag) int pflag, int rflag)
{ {
char *tmp_dst = NULL; char *tmp_dst = NULL;
@@ -695,7 +695,7 @@ sdirent_comp(const void *aa, const void @@ -691,7 +691,7 @@ sdirent_comp(const void *aa, const void
/* sftp ls.1 replacement for directories */ /* sftp ls.1 replacement for directories */
static int static int
@ -428,7 +428,7 @@ diff -up openssh-6.1p1/sftp.c.coverity openssh-6.1p1/sftp.c
{ {
int n; int n;
u_int c = 1, colspace = 0, columns = 1; u_int c = 1, colspace = 0, columns = 1;
@@ -780,7 +780,7 @@ do_ls_dir(struct sftp_conn *conn, char * @@ -776,7 +776,7 @@ do_ls_dir(struct sftp_conn *conn, char *
/* sftp ls.1 replacement which handles path globs */ /* sftp ls.1 replacement which handles path globs */
static int static int
@ -437,7 +437,7 @@ diff -up openssh-6.1p1/sftp.c.coverity openssh-6.1p1/sftp.c
int lflag) int lflag)
{ {
char *fname, *lname; char *fname, *lname;
@@ -861,7 +861,7 @@ do_globbed_ls(struct sftp_conn *conn, ch @@ -857,7 +857,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
} }
static int static int
@ -446,9 +446,9 @@ diff -up openssh-6.1p1/sftp.c.coverity openssh-6.1p1/sftp.c
{ {
struct sftp_statvfs st; struct sftp_statvfs st;
char s_used[FMT_SCALED_STRSIZE]; char s_used[FMT_SCALED_STRSIZE];
diff -up openssh-6.1p1/sftp-client.c.coverity openssh-6.1p1/sftp-client.c diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c
--- openssh-6.1p1/sftp-client.c.coverity 2012-07-02 14:15:39.000000000 +0200 --- openssh-6.2p1/sftp-client.c.coverity 2012-07-02 14:15:39.000000000 +0200
+++ openssh-6.1p1/sftp-client.c 2012-09-14 21:18:16.891332281 +0200 +++ openssh-6.2p1/sftp-client.c 2013-03-22 09:49:37.353595404 +0100
@@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer * @@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer *
} }
@ -656,9 +656,9 @@ diff -up openssh-6.1p1/sftp-client.c.coverity openssh-6.1p1/sftp-client.c
{ {
char *ret; char *ret;
size_t len = strlen(p1) + strlen(p2) + 2; size_t len = strlen(p1) + strlen(p2) + 2;
diff -up openssh-6.1p1/sftp-client.h.coverity openssh-6.1p1/sftp-client.h diff -up openssh-6.2p1/sftp-client.h.coverity openssh-6.2p1/sftp-client.h
--- openssh-6.1p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100 --- openssh-6.2p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100
+++ openssh-6.1p1/sftp-client.h 2012-09-14 21:16:41.301906674 +0200 +++ openssh-6.2p1/sftp-client.h 2013-03-22 09:49:37.353595404 +0100
@@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in @@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in
u_int sftp_proto_version(struct sftp_conn *); u_int sftp_proto_version(struct sftp_conn *);
@ -756,9 +756,9 @@ diff -up openssh-6.1p1/sftp-client.h.coverity openssh-6.1p1/sftp-client.h
+char *path_append(const char *, const char *); +char *path_append(const char *, const char *);
#endif #endif
diff -up openssh-6.1p1/ssh-agent.c.coverity openssh-6.1p1/ssh-agent.c diff -up openssh-6.2p1/ssh-agent.c.coverity openssh-6.2p1/ssh-agent.c
--- openssh-6.1p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200 --- openssh-6.2p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200
+++ openssh-6.1p1/ssh-agent.c 2012-09-14 21:16:41.303906683 +0200 +++ openssh-6.2p1/ssh-agent.c 2013-03-22 09:49:37.354595400 +0100
@@ -1147,8 +1147,8 @@ main(int ac, char **av) @@ -1147,8 +1147,8 @@ main(int ac, char **av)
sanitise_stdfd(); sanitise_stdfd();
@ -770,10 +770,10 @@ diff -up openssh-6.1p1/ssh-agent.c.coverity openssh-6.1p1/ssh-agent.c
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* Disable ptrace on Linux without sgid bit */ /* Disable ptrace on Linux without sgid bit */
diff -up openssh-6.1p1/sshd.c.coverity openssh-6.1p1/sshd.c diff -up openssh-6.2p1/sshd.c.coverity openssh-6.2p1/sshd.c
--- openssh-6.1p1/sshd.c.coverity 2012-07-31 04:21:34.000000000 +0200 --- openssh-6.2p1/sshd.c.coverity 2013-02-12 01:04:48.000000000 +0100
+++ openssh-6.1p1/sshd.c 2012-09-14 21:16:41.307906705 +0200 +++ openssh-6.2p1/sshd.c 2013-03-22 09:49:37.355595396 +0100
@@ -682,8 +682,10 @@ privsep_preauth(Authctxt *authctxt) @@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt)
if (getuid() == 0 || geteuid() == 0) if (getuid() == 0 || geteuid() == 0)
privsep_preauth_child(); privsep_preauth_child();
setproctitle("%s", "[net]"); setproctitle("%s", "[net]");
@ -785,7 +785,7 @@ diff -up openssh-6.1p1/sshd.c.coverity openssh-6.1p1/sshd.c
return 0; return 0;
} }
@@ -1311,6 +1313,9 @@ server_accept_loop(int *sock_in, int *so @@ -1320,6 +1322,9 @@ server_accept_loop(int *sock_in, int *so
if (num_listen_socks < 0) if (num_listen_socks < 0)
break; break;
} }
@ -795,7 +795,7 @@ diff -up openssh-6.1p1/sshd.c.coverity openssh-6.1p1/sshd.c
} }
@@ -1768,7 +1773,7 @@ main(int ac, char **av) @@ -1806,7 +1811,7 @@ main(int ac, char **av)
/* Chdir to the root directory so that the current disk can be /* Chdir to the root directory so that the current disk can be
unmounted if desired. */ unmounted if desired. */


@ -1,6 +1,6 @@
diff -up openssh-5.9p1/ctr-cavstest.c.ctr-cavs openssh-5.9p1/ctr-cavstest.c diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
--- openssh-5.9p1/ctr-cavstest.c.ctr-cavs 2012-01-13 15:59:06.584283289 +0100 --- openssh-6.2p1/ctr-cavstest.c.ctr-cavs 2013-03-25 21:35:52.512586671 +0100
+++ openssh-5.9p1/ctr-cavstest.c 2012-01-13 18:21:33.791941027 +0100 +++ openssh-6.2p1/ctr-cavstest.c 2013-03-25 21:35:52.512586671 +0100
@@ -0,0 +1,208 @@ @@ -0,0 +1,208 @@
+/* +/*
+ * + *
@ -194,7 +194,7 @@ diff -up openssh-5.9p1/ctr-cavstest.c.ctr-cavs openssh-5.9p1/ctr-cavstest.c
+ return 2; + return 2;
+ } + }
+ +
+ cipher_crypt(&cc, outdata, data, datalen); + cipher_crypt(&cc, outdata, data, datalen, 0, 0);
+ +
+ xfree(data); + xfree(data);
+ +
@ -210,9 +210,9 @@ diff -up openssh-5.9p1/ctr-cavstest.c.ctr-cavs openssh-5.9p1/ctr-cavstest.c
+ return 0; + return 0;
+} +}
+ +
diff -up openssh-5.9p1/Makefile.in.ctr-cavs openssh-5.9p1/Makefile.in diff -up openssh-6.2p1/Makefile.in.ctr-cavs openssh-6.2p1/Makefile.in
--- openssh-5.9p1/Makefile.in.ctr-cavs 2012-01-13 15:59:06.539282357 +0100 --- openssh-6.2p1/Makefile.in.ctr-cavs 2013-03-25 21:35:52.451586280 +0100
+++ openssh-5.9p1/Makefile.in 2012-01-13 15:59:06.588283373 +0100 +++ openssh-6.2p1/Makefile.in 2013-03-25 21:37:14.956114584 +0100
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign @@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
@ -221,16 +221,16 @@ diff -up openssh-5.9p1/Makefile.in.ctr-cavs openssh-5.9p1/Makefile.in
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
PRIVSEP_PATH=@PRIVSEP_PATH@ PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -63,7 +64,7 @@ EXEEXT=@EXEEXT@ @@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
MANFMT=@MANFMT@ MANFMT=@MANFMT@
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ canohost.o channels.o cipher.o cipher-aes.o \
@@ -171,6 +172,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l @@ -174,6 +175,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keycat.o ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keycat.o
$(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS) $(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
@ -240,7 +240,7 @@ diff -up openssh-5.9p1/Makefile.in.ctr-cavs openssh-5.9p1/Makefile.in
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
@@ -271,6 +275,7 @@ install-files: @@ -281,6 +285,7 @@ install-files:
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
fi fi
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
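Review bot: The refreshed `cipher_crypt(&cc, outdata, data, datalen, 0, 0);` call in the ctr-cavstest.c hunk hard-codes the two arguments the 6.2 API added (presumably the AAD length and authentication-tag length) to zero with no comment, and nothing in the hunk shows which cipher `cc` was set up with. Zero is only right for a non-AEAD mode such as the AES-CTR vectors this CAVS harness exists to drive; if the parameters mean what their position suggests, a later reuse of this call with a tagged cipher would silently run with no AAD and no tag check. A one-line comment above the call would pin the assumption where the next rebase will see it: `/* aadlen/authlen = 0: the CAVS harness drives only non-AEAD AES-CTR */`. The enclosing function starts and ends outside the hunk, so the cipher lookup that would justify the zeros is not visible here.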


@ -1,6 +1,6 @@
diff -up openssh-6.0p1/entropy.c.entropy openssh-6.0p1/entropy.c diff -up openssh-6.2p1/entropy.c.entropy openssh-6.2p1/entropy.c
--- openssh-6.0p1/entropy.c.entropy 2012-08-06 20:51:59.131033413 +0200 --- openssh-6.2p1/entropy.c.entropy 2013-03-25 19:31:42.737611051 +0100
+++ openssh-6.0p1/entropy.c 2012-08-06 20:51:59.171033257 +0200 +++ openssh-6.2p1/entropy.c 2013-03-25 19:31:42.797611433 +0100
@@ -237,6 +237,9 @@ seed_rng(void) @@ -237,6 +237,9 @@ seed_rng(void)
memset(buf, '\0', sizeof(buf)); memset(buf, '\0', sizeof(buf));
@ -11,21 +11,21 @@ diff -up openssh-6.0p1/entropy.c.entropy openssh-6.0p1/entropy.c
if (RAND_status() != 1) if (RAND_status() != 1)
fatal("PRNG is not seeded"); fatal("PRNG is not seeded");
} }
diff -up openssh-6.0p1/openbsd-compat/Makefile.in.entropy openssh-6.0p1/openbsd-compat/Makefile.in diff -up openssh-6.2p1/openbsd-compat/Makefile.in.entropy openssh-6.2p1/openbsd-compat/Makefile.in
--- openssh-6.0p1/openbsd-compat/Makefile.in.entropy 2012-08-06 20:51:59.100033534 +0200 --- openssh-6.2p1/openbsd-compat/Makefile.in.entropy 2013-03-25 19:31:42.798611440 +0100
+++ openssh-6.0p1/openbsd-compat/Makefile.in 2012-08-06 20:51:59.171033257 +0200 +++ openssh-6.2p1/openbsd-compat/Makefile.in 2013-03-25 19:33:02.042116876 +0100
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport @@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
-PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o -PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o +PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
.c.o: .c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $< $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff -up openssh-6.0p1/openbsd-compat/port-linux-prng.c.entropy openssh-6.0p1/openbsd-compat/port-linux-prng.c diff -up openssh-6.2p1/openbsd-compat/port-linux-prng.c.entropy openssh-6.2p1/openbsd-compat/port-linux-prng.c
--- openssh-6.0p1/openbsd-compat/port-linux-prng.c.entropy 2012-08-06 20:51:59.171033257 +0200 --- openssh-6.2p1/openbsd-compat/port-linux-prng.c.entropy 2013-03-25 19:31:42.798611440 +0100
+++ openssh-6.0p1/openbsd-compat/port-linux-prng.c 2012-08-06 20:51:59.171033257 +0200 +++ openssh-6.2p1/openbsd-compat/port-linux-prng.c 2013-03-25 19:31:42.798611440 +0100
@@ -0,0 +1,59 @@ @@ -0,0 +1,59 @@
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */ +/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
+ +
@ -86,37 +86,10 @@ diff -up openssh-6.0p1/openbsd-compat/port-linux-prng.c.entropy openssh-6.0p1/op
+ fatal ("EOF reading %s", random); + fatal ("EOF reading %s", random);
+ } + }
+} +}
diff -up openssh-6.0p1/ssh.1.entropy openssh-6.0p1/ssh.1 diff -up openssh-6.2p1/ssh-add.0.entropy openssh-6.2p1/ssh-add.0
--- openssh-6.0p1/ssh.1.entropy 2012-08-06 20:51:59.139033382 +0200 --- openssh-6.2p1/ssh-add.0.entropy 2013-03-22 00:38:29.000000000 +0100
+++ openssh-6.0p1/ssh.1 2012-08-06 20:51:59.174033245 +0200 +++ openssh-6.2p1/ssh-add.0 2013-03-25 19:31:42.799611446 +0100
@@ -1269,6 +1269,23 @@ For more information, see the @@ -82,6 +82,16 @@ ENVIRONMENT
.Cm PermitUserEnvironment
option in
.Xr sshd_config 5 .
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.It Ev SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa ~/.rhosts
diff -up openssh-6.1p1/ssh-add.0.entropy openssh-6.1p1/ssh-add.0
--- openssh-6.1p1/ssh-add.0.entropy 2012-11-12 13:11:42.717393364 +0100
+++ openssh-6.1p1/ssh-add.0 2012-11-12 13:12:46.288108790 +0100
@@ -81,6 +81,16 @@ ENVIRONMENT
Identifies the path of a UNIX-domain socket used to communicate Identifies the path of a UNIX-domain socket used to communicate
with the agent. with the agent.
@ -133,9 +106,9 @@ diff -up openssh-6.1p1/ssh-add.0.entropy openssh-6.1p1/ssh-add.0
FILES FILES
~/.ssh/identity ~/.ssh/identity
Contains the protocol version 1 RSA authentication identity of Contains the protocol version 1 RSA authentication identity of
diff -up openssh-6.1p1/ssh-add.1.entropy openssh-6.1p1/ssh-add.1 diff -up openssh-6.2p1/ssh-add.1.entropy openssh-6.2p1/ssh-add.1
--- openssh-6.1p1/ssh-add.1.entropy 2011-10-18 07:06:33.000000000 +0200 --- openssh-6.2p1/ssh-add.1.entropy 2012-12-07 03:06:13.000000000 +0100
+++ openssh-6.1p1/ssh-add.1 2012-11-12 13:11:24.711476108 +0100 +++ openssh-6.2p1/ssh-add.1 2013-03-25 19:31:42.799611446 +0100
@@ -160,6 +160,20 @@ to make this work.) @@ -160,6 +160,20 @@ to make this work.)
Identifies the path of a Identifies the path of a
.Ux Ns -domain .Ux Ns -domain
@ -157,10 +130,9 @@ diff -up openssh-6.1p1/ssh-add.1.entropy openssh-6.1p1/ssh-add.1
.El .El
.Sh FILES .Sh FILES
.Bl -tag -width Ds .Bl -tag -width Ds
.It Pa ~/.ssh/identity diff -up openssh-6.2p1/ssh-agent.1.entropy openssh-6.2p1/ssh-agent.1
diff -up openssh-6.0p1/ssh-agent.1.entropy openssh-6.0p1/ssh-agent.1 --- openssh-6.2p1/ssh-agent.1.entropy 2010-12-01 01:50:35.000000000 +0100
--- openssh-6.0p1/ssh-agent.1.entropy 2010-12-01 01:50:35.000000000 +0100 +++ openssh-6.2p1/ssh-agent.1 2013-03-25 19:31:42.800611452 +0100
+++ openssh-6.0p1/ssh-agent.1 2012-08-06 20:51:59.172033253 +0200
@@ -198,6 +198,24 @@ sockets used to contain the connection t @@ -198,6 +198,24 @@ sockets used to contain the connection t
These sockets should only be readable by the owner. These sockets should only be readable by the owner.
The sockets should get automatically removed when the agent exits. The sockets should get automatically removed when the agent exits.
@ -186,10 +158,10 @@ diff -up openssh-6.0p1/ssh-agent.1.entropy openssh-6.0p1/ssh-agent.1
.Sh SEE ALSO .Sh SEE ALSO
.Xr ssh 1 , .Xr ssh 1 ,
.Xr ssh-add 1 , .Xr ssh-add 1 ,
diff -up openssh-6.0p1/sshd.8.entropy openssh-6.0p1/sshd.8 diff -up openssh-6.2p1/sshd.8.entropy openssh-6.2p1/sshd.8
--- openssh-6.0p1/sshd.8.entropy 2012-08-06 20:51:59.139033382 +0200 --- openssh-6.2p1/sshd.8.entropy 2013-03-25 19:31:42.752611146 +0100
+++ openssh-6.0p1/sshd.8 2012-08-06 20:51:59.174033245 +0200 +++ openssh-6.2p1/sshd.8 2013-03-25 19:31:42.800611452 +0100
@@ -943,6 +943,24 @@ concurrently for different ports, this c @@ -945,6 +945,24 @@ concurrently for different ports, this c
started last). started last).
The content of this file is not sensitive; it can be world-readable. The content of this file is not sensitive; it can be world-readable.
.El .El
@ -214,10 +186,10 @@ diff -up openssh-6.0p1/sshd.8.entropy openssh-6.0p1/sshd.8
.Sh IPV6 .Sh IPV6
IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell. IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
.Sh SEE ALSO .Sh SEE ALSO
diff -up openssh-6.0p1/ssh-keygen.1.entropy openssh-6.0p1/ssh-keygen.1 diff -up openssh-6.2p1/ssh-keygen.1.entropy openssh-6.2p1/ssh-keygen.1
--- openssh-6.0p1/ssh-keygen.1.entropy 2011-10-18 07:05:21.000000000 +0200 --- openssh-6.2p1/ssh-keygen.1.entropy 2013-01-20 12:35:06.000000000 +0100
+++ openssh-6.0p1/ssh-keygen.1 2012-08-06 20:51:59.173033249 +0200 +++ openssh-6.2p1/ssh-keygen.1 2013-03-25 19:31:42.801611459 +0100
@@ -675,6 +675,24 @@ Contains Diffie-Hellman groups used for @@ -806,6 +806,24 @@ Contains Diffie-Hellman groups used for
The file format is described in The file format is described in
.Xr moduli 5 . .Xr moduli 5 .
.El .El
@ -242,9 +214,9 @@ diff -up openssh-6.0p1/ssh-keygen.1.entropy openssh-6.0p1/ssh-keygen.1
.Sh SEE ALSO .Sh SEE ALSO
.Xr ssh 1 , .Xr ssh 1 ,
.Xr ssh-add 1 , .Xr ssh-add 1 ,
diff -up openssh-6.0p1/ssh-keysign.8.entropy openssh-6.0p1/ssh-keysign.8 diff -up openssh-6.2p1/ssh-keysign.8.entropy openssh-6.2p1/ssh-keysign.8
--- openssh-6.0p1/ssh-keysign.8.entropy 2010-08-31 14:41:14.000000000 +0200 --- openssh-6.2p1/ssh-keysign.8.entropy 2010-08-31 14:41:14.000000000 +0200
+++ openssh-6.0p1/ssh-keysign.8 2012-08-06 20:51:59.173033249 +0200 +++ openssh-6.2p1/ssh-keysign.8 2013-03-25 19:31:42.801611459 +0100
@@ -78,6 +78,24 @@ must be set-uid root if host-based authe @@ -78,6 +78,24 @@ must be set-uid root if host-based authe
If these files exist they are assumed to contain public certificate If these files exist they are assumed to contain public certificate
information corresponding with the private keys above. information corresponding with the private keys above.
@ -270,3 +242,30 @@ diff -up openssh-6.0p1/ssh-keysign.8.entropy openssh-6.0p1/ssh-keysign.8
.Sh SEE ALSO .Sh SEE ALSO
.Xr ssh 1 , .Xr ssh 1 ,
.Xr ssh-keygen 1 , .Xr ssh-keygen 1 ,
diff -up openssh-6.2p1/ssh.1.entropy openssh-6.2p1/ssh.1
--- openssh-6.2p1/ssh.1.entropy 2013-03-25 19:31:42.752611146 +0100
+++ openssh-6.2p1/ssh.1 2013-03-25 19:31:42.799611446 +0100
@@ -1277,6 +1277,23 @@ For more information, see the
.Cm PermitUserEnvironment
option in
.Xr sshd_config 5 .
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.It Ev SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa ~/.rhosts


@ -1,6 +1,6 @@
diff -up openssh-5.8p1/auth2-hostbased.c.fingerprint openssh-5.8p1/auth2-hostbased.c diff -up openssh-6.2p1/auth2-hostbased.c.fingerprint openssh-6.2p1/auth2-hostbased.c
--- openssh-5.8p1/auth2-hostbased.c.fingerprint 2010-08-05 05:04:50.000000000 +0200 --- openssh-6.2p1/auth2-hostbased.c.fingerprint 2010-08-05 05:04:50.000000000 +0200
+++ openssh-5.8p1/auth2-hostbased.c 2011-02-25 09:17:18.000000000 +0100 +++ openssh-6.2p1/auth2-hostbased.c 2013-03-22 12:20:49.009685008 +0100
@@ -196,16 +196,18 @@ hostbased_key_allowed(struct passwd *pw, @@ -196,16 +196,18 @@ hostbased_key_allowed(struct passwd *pw,
if (host_status == HOST_OK) { if (host_status == HOST_OK) {
@ -27,10 +27,10 @@ diff -up openssh-5.8p1/auth2-hostbased.c.fingerprint openssh-5.8p1/auth2-hostbas
} }
xfree(fp); xfree(fp);
} }
diff -up openssh-5.8p1/auth2-pubkey.c.fingerprint openssh-5.8p1/auth2-pubkey.c diff -up openssh-6.2p1/auth2-pubkey.c.fingerprint openssh-6.2p1/auth2-pubkey.c
--- openssh-5.8p1/auth2-pubkey.c.fingerprint 2010-12-01 01:50:14.000000000 +0100 --- openssh-6.2p1/auth2-pubkey.c.fingerprint 2013-02-15 00:28:56.000000000 +0100
+++ openssh-5.8p1/auth2-pubkey.c 2011-02-25 09:17:18.000000000 +0100 +++ openssh-6.2p1/auth2-pubkey.c 2013-03-22 12:20:49.009685008 +0100
@@ -319,10 +319,10 @@ user_key_allowed2(struct passwd *pw, Key @@ -317,10 +317,10 @@ check_authkeys_file(FILE *f, char *file,
continue; continue;
if (!key_is_cert_authority) if (!key_is_cert_authority)
continue; continue;
@ -45,7 +45,7 @@ diff -up openssh-5.8p1/auth2-pubkey.c.fingerprint openssh-5.8p1/auth2-pubkey.c
/* /*
* If the user has specified a list of principals as * If the user has specified a list of principals as
* a key option, then prefer that list to matching * a key option, then prefer that list to matching
@@ -362,9 +362,9 @@ user_key_allowed2(struct passwd *pw, Key @@ -360,9 +360,9 @@ check_authkeys_file(FILE *f, char *file,
found_key = 1; found_key = 1;
debug("matching key found: file %s, line %lu", debug("matching key found: file %s, line %lu",
file, linenum); file, linenum);
@ -58,7 +58,7 @@ diff -up openssh-5.8p1/auth2-pubkey.c.fingerprint openssh-5.8p1/auth2-pubkey.c
xfree(fp); xfree(fp);
break; break;
} }
@@ -388,13 +388,13 @@ user_cert_trusted_ca(struct passwd *pw, @@ -384,13 +384,13 @@ user_cert_trusted_ca(struct passwd *pw,
if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL) if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
return 0; return 0;
@ -76,12 +76,12 @@ diff -up openssh-5.8p1/auth2-pubkey.c.fingerprint openssh-5.8p1/auth2-pubkey.c
options.trusted_user_ca_keys); options.trusted_user_ca_keys);
goto out; goto out;
} }
diff -up openssh-5.8p1/auth.c.fingerprint openssh-5.8p1/auth.c diff -up openssh-6.2p1/auth.c.fingerprint openssh-6.2p1/auth.c
--- openssh-5.8p1/auth.c.fingerprint 2010-12-01 02:21:51.000000000 +0100 --- openssh-6.2p1/auth.c.fingerprint 2013-03-12 01:31:05.000000000 +0100
+++ openssh-5.8p1/auth.c 2011-02-25 09:17:18.000000000 +0100 +++ openssh-6.2p1/auth.c 2013-03-22 12:22:32.515230386 +0100
@@ -639,9 +639,10 @@ auth_key_is_revoked(Key *key) @@ -663,9 +663,10 @@ auth_key_is_revoked(Key *key)
return 1;
case 1: case 1:
revoked:
/* Key revoked */ /* Key revoked */
- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); - key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ key_fp = key_selected_fingerprint(key, SSH_FP_HEX); + key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
@ -92,10 +92,10 @@ diff -up openssh-5.8p1/auth.c.fingerprint openssh-5.8p1/auth.c
xfree(key_fp); xfree(key_fp);
return 1; return 1;
} }
diff -up openssh-5.8p1/auth-rsa.c.fingerprint openssh-5.8p1/auth-rsa.c diff -up openssh-6.2p1/auth-rsa.c.fingerprint openssh-6.2p1/auth-rsa.c
--- openssh-5.8p1/auth-rsa.c.fingerprint 2010-12-04 23:01:47.000000000 +0100 --- openssh-6.2p1/auth-rsa.c.fingerprint 2012-10-30 22:58:59.000000000 +0100
+++ openssh-5.8p1/auth-rsa.c 2011-02-25 09:17:18.000000000 +0100 +++ openssh-6.2p1/auth-rsa.c 2013-03-22 12:20:49.011684999 +0100
@@ -318,9 +318,9 @@ auth_rsa(Authctxt *authctxt, BIGNUM *cli @@ -328,9 +328,9 @@ auth_rsa(Authctxt *authctxt, BIGNUM *cli
* options; this will be reset if the options cause the * options; this will be reset if the options cause the
* authentication to be rejected. * authentication to be rejected.
*/ */
@ -108,10 +108,10 @@ diff -up openssh-5.8p1/auth-rsa.c.fingerprint openssh-5.8p1/auth-rsa.c
xfree(fp); xfree(fp);
key_free(key); key_free(key);
diff -up openssh-5.8p1/key.c.fingerprint openssh-5.8p1/key.c diff -up openssh-6.2p1/key.c.fingerprint openssh-6.2p1/key.c
--- openssh-5.8p1/key.c.fingerprint 2011-02-04 01:48:34.000000000 +0100 --- openssh-6.2p1/key.c.fingerprint 2013-03-22 12:20:48.971685175 +0100
+++ openssh-5.8p1/key.c 2011-02-25 09:18:16.000000000 +0100 +++ openssh-6.2p1/key.c 2013-03-22 12:20:49.012684995 +0100
@@ -594,6 +594,34 @@ key_fingerprint(Key *k, enum fp_type dgs @@ -599,6 +599,34 @@ key_fingerprint(Key *k, enum fp_type dgs
return retval; return retval;
} }
@ -146,23 +146,23 @@ diff -up openssh-5.8p1/key.c.fingerprint openssh-5.8p1/key.c
/* /*
* Reads a multiple-precision integer in decimal from the buffer, and advances * Reads a multiple-precision integer in decimal from the buffer, and advances
* the pointer. The integer must already be initialized. This function is * the pointer. The integer must already be initialized. This function is
diff -up openssh-5.8p1/key.h.fingerprint openssh-5.8p1/key.h diff -up openssh-6.2p1/key.h.fingerprint openssh-6.2p1/key.h
--- openssh-5.8p1/key.h.fingerprint 2010-11-05 00:19:49.000000000 +0100 --- openssh-6.2p1/key.h.fingerprint 2013-01-18 01:44:05.000000000 +0100
+++ openssh-5.8p1/key.h 2011-02-25 09:17:18.000000000 +0100 +++ openssh-6.2p1/key.h 2013-03-22 12:23:35.308954528 +0100
@@ -96,6 +96,9 @@ int key_equal_public(const Key *, cons @@ -97,6 +97,9 @@ int key_equal_public(const Key *, cons
int key_equal(const Key *, const Key *); int key_equal(const Key *, const Key *);
char *key_fingerprint(Key *, enum fp_type, enum fp_rep); char *key_fingerprint(Key *, enum fp_type, enum fp_rep);
u_char *key_fingerprint_raw(Key *, enum fp_type, u_int *); u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
+enum fp_type key_fingerprint_selection(void); +enum fp_type key_fingerprint_selection(void);
+char *key_selected_fingerprint(Key *, enum fp_rep); +char *key_selected_fingerprint(Key *, enum fp_rep);
+char *key_fingerprint_prefix(void); +char *key_fingerprint_prefix(void);
const char *key_type(const Key *); const char *key_type(const Key *);
const char *key_cert_type(const Key *); const char *key_cert_type(const Key *);
int key_write(const Key *, FILE *); int key_write(const Key *, FILE *);
diff -up openssh-5.8p1/ssh-add.c.fingerprint openssh-5.8p1/ssh-add.c diff -up openssh-6.2p1/ssh-add.c.fingerprint openssh-6.2p1/ssh-add.c
--- openssh-5.8p1/ssh-add.c.fingerprint 2010-11-11 04:17:02.000000000 +0100 --- openssh-6.2p1/ssh-add.c.fingerprint 2012-12-07 03:07:03.000000000 +0100
+++ openssh-5.8p1/ssh-add.c 2011-02-25 09:17:18.000000000 +0100 +++ openssh-6.2p1/ssh-add.c 2013-03-22 12:20:49.029684920 +0100
@@ -280,10 +280,10 @@ list_identities(AuthenticationConnection @@ -326,10 +326,10 @@ list_identities(AuthenticationConnection
key = ssh_get_next_identity(ac, &comment, version)) { key = ssh_get_next_identity(ac, &comment, version)) {
had_identities = 1; had_identities = 1;
if (do_fp) { if (do_fp) {
@ -177,9 +177,9 @@ diff -up openssh-5.8p1/ssh-add.c.fingerprint openssh-5.8p1/ssh-add.c
xfree(fp); xfree(fp);
} else { } else {
if (!key_write(key, stdout)) if (!key_write(key, stdout))
diff -up openssh-5.8p1/ssh-agent.c.fingerprint openssh-5.8p1/ssh-agent.c diff -up openssh-6.2p1/ssh-agent.c.fingerprint openssh-6.2p1/ssh-agent.c
--- openssh-5.8p1/ssh-agent.c.fingerprint 2010-12-01 01:50:35.000000000 +0100 --- openssh-6.2p1/ssh-agent.c.fingerprint 2013-03-22 12:20:48.979685140 +0100
+++ openssh-5.8p1/ssh-agent.c 2011-02-25 09:17:18.000000000 +0100 +++ openssh-6.2p1/ssh-agent.c 2013-03-22 12:20:49.030684916 +0100
@@ -199,9 +199,9 @@ confirm_key(Identity *id) @@ -199,9 +199,9 @@ confirm_key(Identity *id)
char *p; char *p;
int ret = -1; int ret = -1;
@ -193,10 +193,10 @@ diff -up openssh-5.8p1/ssh-agent.c.fingerprint openssh-5.8p1/ssh-agent.c
ret = 0; ret = 0;
xfree(p); xfree(p);
diff -up openssh-5.8p1/sshconnect2.c.fingerprint openssh-5.8p1/sshconnect2.c diff -up openssh-6.2p1/sshconnect2.c.fingerprint openssh-6.2p1/sshconnect2.c
--- openssh-5.8p1/sshconnect2.c.fingerprint 2010-12-01 02:21:51.000000000 +0100 --- openssh-6.2p1/sshconnect2.c.fingerprint 2013-03-20 02:55:15.000000000 +0100
+++ openssh-5.8p1/sshconnect2.c 2011-02-25 09:17:18.000000000 +0100 +++ openssh-6.2p1/sshconnect2.c 2013-03-22 12:20:49.031684912 +0100
@@ -590,8 +590,9 @@ input_userauth_pk_ok(int type, u_int32_t @@ -592,8 +592,9 @@ input_userauth_pk_ok(int type, u_int32_t
key->type, pktype); key->type, pktype);
goto done; goto done;
} }
@ -208,7 +208,7 @@ diff -up openssh-5.8p1/sshconnect2.c.fingerprint openssh-5.8p1/sshconnect2.c
xfree(fp); xfree(fp);
/* /*
@@ -1203,8 +1204,9 @@ sign_and_send_pubkey(Authctxt *authctxt, @@ -1205,8 +1206,9 @@ sign_and_send_pubkey(Authctxt *authctxt,
int have_sig = 1; int have_sig = 1;
char *fp; char *fp;
@ -220,10 +220,10 @@ diff -up openssh-5.8p1/sshconnect2.c.fingerprint openssh-5.8p1/sshconnect2.c
xfree(fp); xfree(fp);
if (key_to_blob(id->key, &blob, &bloblen) == 0) { if (key_to_blob(id->key, &blob, &bloblen) == 0) {
diff -up openssh-5.8p1/sshconnect.c.fingerprint openssh-5.8p1/sshconnect.c diff -up openssh-6.2p1/sshconnect.c.fingerprint openssh-6.2p1/sshconnect.c
--- openssh-5.8p1/sshconnect.c.fingerprint 2011-01-16 13:17:59.000000000 +0100 --- openssh-6.2p1/sshconnect.c.fingerprint 2012-09-17 05:25:44.000000000 +0200
+++ openssh-5.8p1/sshconnect.c 2011-02-25 09:17:18.000000000 +0100 +++ openssh-6.2p1/sshconnect.c 2013-03-22 12:20:49.032684907 +0100
@@ -798,10 +798,10 @@ check_host_key(char *hostname, struct so @@ -824,10 +824,10 @@ check_host_key(char *hostname, struct so
"key for IP address '%.128s' to the list " "key for IP address '%.128s' to the list "
"of known hosts.", type, ip); "of known hosts.", type, ip);
} else if (options.visual_host_key) { } else if (options.visual_host_key) {
@ -238,7 +238,7 @@ diff -up openssh-5.8p1/sshconnect.c.fingerprint openssh-5.8p1/sshconnect.c
xfree(ra); xfree(ra);
xfree(fp); xfree(fp);
} }
@@ -838,9 +838,8 @@ check_host_key(char *hostname, struct so @@ -865,9 +865,8 @@ check_host_key(char *hostname, struct so
else else
snprintf(msg1, sizeof(msg1), "."); snprintf(msg1, sizeof(msg1), ".");
/* The default */ /* The default */
@ -250,7 +250,7 @@ diff -up openssh-5.8p1/sshconnect.c.fingerprint openssh-5.8p1/sshconnect.c
msg2[0] = '\0'; msg2[0] = '\0';
if (options.verify_host_key_dns) { if (options.verify_host_key_dns) {
if (matching_host_key_dns) if (matching_host_key_dns)
@@ -855,10 +854,11 @@ check_host_key(char *hostname, struct so @@ -882,10 +881,11 @@ check_host_key(char *hostname, struct so
snprintf(msg, sizeof(msg), snprintf(msg, sizeof(msg),
"The authenticity of host '%.200s (%s)' can't be " "The authenticity of host '%.200s (%s)' can't be "
"established%s\n" "established%s\n"
@ -264,7 +264,7 @@ diff -up openssh-5.8p1/sshconnect.c.fingerprint openssh-5.8p1/sshconnect.c
options.visual_host_key ? "\n" : "", options.visual_host_key ? "\n" : "",
options.visual_host_key ? ra : "", options.visual_host_key ? ra : "",
msg2); msg2);
@@ -1104,8 +1104,9 @@ verify_host_key(char *host, struct socka @@ -1130,8 +1130,9 @@ verify_host_key(char *host, struct socka
int flags = 0; int flags = 0;
char *fp; char *fp;
@ -276,7 +276,7 @@ diff -up openssh-5.8p1/sshconnect.c.fingerprint openssh-5.8p1/sshconnect.c
xfree(fp); xfree(fp);
/* XXX certs are not yet supported for DNS */ /* XXX certs are not yet supported for DNS */
@@ -1214,14 +1215,15 @@ show_other_keys(struct hostkeys *hostkey @@ -1232,14 +1233,15 @@ show_other_keys(struct hostkeys *hostkey
continue; continue;
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found)) if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
continue; continue;
@ -296,7 +296,7 @@ diff -up openssh-5.8p1/sshconnect.c.fingerprint openssh-5.8p1/sshconnect.c
if (options.visual_host_key) if (options.visual_host_key)
logit("%s", ra); logit("%s", ra);
xfree(ra); xfree(ra);
@@ -1236,7 +1238,7 @@ warn_changed_key(Key *host_key) @@ -1254,7 +1256,7 @@ warn_changed_key(Key *host_key)
{ {
char *fp; char *fp;
@ -305,7 +305,7 @@ diff -up openssh-5.8p1/sshconnect.c.fingerprint openssh-5.8p1/sshconnect.c
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
@@ -1244,8 +1246,8 @@ warn_changed_key(Key *host_key) @@ -1262,8 +1264,8 @@ warn_changed_key(Key *host_key)
error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"); error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
error("It is also possible that a host key has just been changed."); error("It is also possible that a host key has just been changed.");
@ -316,10 +316,10 @@ diff -up openssh-5.8p1/sshconnect.c.fingerprint openssh-5.8p1/sshconnect.c
error("Please contact your system administrator."); error("Please contact your system administrator.");
xfree(fp); xfree(fp);
diff -up openssh-5.8p1/ssh-keygen.c.fingerprint openssh-5.8p1/ssh-keygen.c diff -up openssh-6.2p1/ssh-keygen.c.fingerprint openssh-6.2p1/ssh-keygen.c
--- openssh-5.8p1/ssh-keygen.c.fingerprint 2011-01-11 07:20:31.000000000 +0100 --- openssh-6.2p1/ssh-keygen.c.fingerprint 2013-02-12 01:03:36.000000000 +0100
+++ openssh-5.8p1/ssh-keygen.c 2011-02-25 09:17:18.000000000 +0100 +++ openssh-6.2p1/ssh-keygen.c 2013-03-22 12:20:49.033684903 +0100
@@ -714,13 +714,14 @@ do_fingerprint(struct passwd *pw) @@ -767,13 +767,14 @@ do_fingerprint(struct passwd *pw)
{ {
FILE *f; FILE *f;
Key *public; Key *public;
@ -336,7 +336,7 @@ diff -up openssh-5.8p1/ssh-keygen.c.fingerprint openssh-5.8p1/ssh-keygen.c
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
if (!have_identity) if (!have_identity)
@@ -732,8 +733,8 @@ do_fingerprint(struct passwd *pw) @@ -785,8 +786,8 @@ do_fingerprint(struct passwd *pw)
public = key_load_public(identity_file, &comment); public = key_load_public(identity_file, &comment);
if (public != NULL) { if (public != NULL) {
fp = key_fingerprint(public, fptype, rep); fp = key_fingerprint(public, fptype, rep);
@ -347,7 +347,7 @@ diff -up openssh-5.8p1/ssh-keygen.c.fingerprint openssh-5.8p1/ssh-keygen.c
key_type(public)); key_type(public));
if (log_level >= SYSLOG_LEVEL_VERBOSE) if (log_level >= SYSLOG_LEVEL_VERBOSE)
printf("%s\n", ra); printf("%s\n", ra);
@@ -798,8 +799,8 @@ do_fingerprint(struct passwd *pw) @@ -851,8 +852,8 @@ do_fingerprint(struct passwd *pw)
} }
comment = *cp ? cp : comment; comment = *cp ? cp : comment;
fp = key_fingerprint(public, fptype, rep); fp = key_fingerprint(public, fptype, rep);
@ -358,7 +358,7 @@ diff -up openssh-5.8p1/ssh-keygen.c.fingerprint openssh-5.8p1/ssh-keygen.c
comment ? comment : "no comment", key_type(public)); comment ? comment : "no comment", key_type(public));
if (log_level >= SYSLOG_LEVEL_VERBOSE) if (log_level >= SYSLOG_LEVEL_VERBOSE)
printf("%s\n", ra); printf("%s\n", ra);
@@ -823,13 +824,15 @@ printhost(FILE *f, const char *name, Key @@ -970,13 +971,15 @@ printhost(FILE *f, const char *name, Key
if (print_fingerprint) { if (print_fingerprint) {
enum fp_rep rep; enum fp_rep rep;
enum fp_type fptype; enum fp_type fptype;
@ -378,7 +378,7 @@ diff -up openssh-5.8p1/ssh-keygen.c.fingerprint openssh-5.8p1/ssh-keygen.c
key_type(public)); key_type(public));
if (log_level >= SYSLOG_LEVEL_VERBOSE) if (log_level >= SYSLOG_LEVEL_VERBOSE)
printf("%s\n", ra); printf("%s\n", ra);
@@ -1695,16 +1698,17 @@ do_show_cert(struct passwd *pw) @@ -1854,16 +1857,17 @@ do_show_cert(struct passwd *pw)
fatal("%s is not a certificate", identity_file); fatal("%s is not a certificate", identity_file);
v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00; v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
@ -402,7 +402,7 @@ diff -up openssh-5.8p1/ssh-keygen.c.fingerprint openssh-5.8p1/ssh-keygen.c
printf(" Key ID: \"%s\"\n", key->cert->key_id); printf(" Key ID: \"%s\"\n", key->cert->key_id);
if (!v00) { if (!v00) {
printf(" Serial: %llu\n", printf(" Serial: %llu\n",
@@ -2249,13 +2253,12 @@ passphrase_again: @@ -2651,13 +2655,12 @@ passphrase_again:
fclose(f); fclose(f);
if (!quiet) { if (!quiet) {


@ -1,6 +1,6 @@
diff -up openssh-5.9p1/authfile.c.fips openssh-5.9p1/authfile.c diff -up openssh-6.2p1/authfile.c.fips openssh-6.2p1/authfile.c
--- openssh-5.9p1/authfile.c.fips 2012-07-17 20:57:35.078155160 +0200 --- openssh-6.2p1/authfile.c.fips 2013-03-27 13:14:49.164683482 +0100
+++ openssh-5.9p1/authfile.c 2012-07-17 20:57:35.086155338 +0200 +++ openssh-6.2p1/authfile.c 2013-03-27 13:14:49.177683431 +0100
@@ -148,8 +148,14 @@ key_private_rsa1_to_blob(Key *key, Buffe @@ -148,8 +148,14 @@ key_private_rsa1_to_blob(Key *key, Buffe
/* Allocate space for the private part of the key in the buffer. */ /* Allocate space for the private part of the key in the buffer. */
cp = buffer_append_space(&encrypted, buffer_len(&buffer)); cp = buffer_append_space(&encrypted, buffer_len(&buffer));
@ -9,14 +9,14 @@ diff -up openssh-5.9p1/authfile.c.fips openssh-5.9p1/authfile.c
- CIPHER_ENCRYPT); - CIPHER_ENCRYPT);
+ if (cipher_set_key_string(&ciphercontext, cipher, passphrase, + if (cipher_set_key_string(&ciphercontext, cipher, passphrase,
+ CIPHER_ENCRYPT) < 0) { + CIPHER_ENCRYPT) < 0) {
+ error("cipher_set_key_string failed."); + error("cipher_set_key_string failed.");
+ buffer_free(&encrypted); + buffer_free(&encrypted);
+ buffer_free(&buffer); + buffer_free(&buffer);
+ return 0; + return 0;
+ } + }
+ +
cipher_crypt(&ciphercontext, cp, cipher_crypt(&ciphercontext, cp,
buffer_ptr(&buffer), buffer_len(&buffer)); buffer_ptr(&buffer), buffer_len(&buffer), 0, 0);
cipher_cleanup(&ciphercontext); cipher_cleanup(&ciphercontext);
@@ -472,8 +478,13 @@ key_parse_private_rsa1(Buffer *blob, con @@ -472,8 +478,13 @@ key_parse_private_rsa1(Buffer *blob, con
cp = buffer_append_space(&decrypted, buffer_len(&copy)); cp = buffer_append_space(&decrypted, buffer_len(&copy));
@ -26,17 +26,17 @@ diff -up openssh-5.9p1/authfile.c.fips openssh-5.9p1/authfile.c
- CIPHER_DECRYPT); - CIPHER_DECRYPT);
+ if (cipher_set_key_string(&ciphercontext, cipher, passphrase, + if (cipher_set_key_string(&ciphercontext, cipher, passphrase,
+ CIPHER_DECRYPT) < 0) { + CIPHER_DECRYPT) < 0) {
+ error("cipher_set_key_string failed."); + error("cipher_set_key_string failed.");
+ buffer_free(&decrypted); + buffer_free(&decrypted);
+ goto fail; + goto fail;
+ } + }
+ +
cipher_crypt(&ciphercontext, cp, cipher_crypt(&ciphercontext, cp,
buffer_ptr(&copy), buffer_len(&copy)); buffer_ptr(&copy), buffer_len(&copy), 0, 0);
cipher_cleanup(&ciphercontext); cipher_cleanup(&ciphercontext);
diff -up openssh-5.9p1/cipher.c.fips openssh-5.9p1/cipher.c diff -up openssh-6.2p1/cipher.c.fips openssh-6.2p1/cipher.c
--- openssh-5.9p1/cipher.c.fips 2012-07-17 20:57:34.988153164 +0200 --- openssh-6.2p1/cipher.c.fips 2013-03-27 13:14:49.087683788 +0100
+++ openssh-5.9p1/cipher.c 2012-07-17 20:57:35.086155338 +0200 +++ openssh-6.2p1/cipher.c 2013-03-27 13:14:49.177683431 +0100
@@ -40,6 +40,7 @@ @@ -40,6 +40,7 @@
#include <sys/types.h> #include <sys/types.h>
@ -45,30 +45,35 @@ diff -up openssh-5.9p1/cipher.c.fips openssh-5.9p1/cipher.c
#include <string.h> #include <string.h>
#include <stdarg.h> #include <stdarg.h>
@@ -86,6 +87,22 @@ struct Cipher ciphers[] = { @@ -89,6 +90,27 @@ struct Cipher ciphers[] = {
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL } { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
}; };
+struct Cipher fips_ciphers[] = { +struct Cipher fips_ciphers[] = {
+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null }, + { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
+ { "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des }, + { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
+ +
+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 1, EVP_des_ede3_cbc }, + { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 1, EVP_aes_128_cbc }, + { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
+ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 1, EVP_aes_192_cbc }, + { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
+ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, + { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+ { "rijndael-cbc@lysator.liu.se", + { "rijndael-cbc@lysator.liu.se",
+ SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, + SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr }, + { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr }, + { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_128_ctr },
+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr }, + { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_128_ctr },
+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL } +#ifdef OPENSSL_HAVE_EVPGCM
+ { "aes128-gcm@openssh.com",
+ SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
+ { "aes256-gcm@openssh.com",
+ SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
+#endif
+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, NULL }
+}; +};
+
/*--*/ /*--*/
u_int u_int
@@ -128,7 +145,7 @@ Cipher * @@ -143,7 +165,7 @@ Cipher *
cipher_by_name(const char *name) cipher_by_name(const char *name)
{ {
Cipher *c; Cipher *c;
@ -77,7 +82,7 @@ diff -up openssh-5.9p1/cipher.c.fips openssh-5.9p1/cipher.c
if (strcmp(c->name, name) == 0) if (strcmp(c->name, name) == 0)
return c; return c;
return NULL; return NULL;
@@ -138,7 +155,7 @@ Cipher * @@ -153,7 +175,7 @@ Cipher *
cipher_by_number(int id) cipher_by_number(int id)
{ {
Cipher *c; Cipher *c;
@ -86,7 +91,7 @@ diff -up openssh-5.9p1/cipher.c.fips openssh-5.9p1/cipher.c
if (c->number == id) if (c->number == id)
return c; return c;
return NULL; return NULL;
@@ -182,7 +199,7 @@ cipher_number(const char *name) @@ -197,7 +219,7 @@ cipher_number(const char *name)
Cipher *c; Cipher *c;
if (name == NULL) if (name == NULL)
return -1; return -1;
@ -95,7 +100,7 @@ diff -up openssh-5.9p1/cipher.c.fips openssh-5.9p1/cipher.c
if (strcasecmp(c->name, name) == 0) if (strcasecmp(c->name, name) == 0)
return c->number; return c->number;
return -1; return -1;
@@ -289,14 +306,15 @@ cipher_cleanup(CipherContext *cc) @@ -356,14 +378,15 @@ cipher_cleanup(CipherContext *cc)
* passphrase and using the resulting 16 bytes as the key. * passphrase and using the resulting 16 bytes as the key.
*/ */
@ -113,7 +118,7 @@ diff -up openssh-5.9p1/cipher.c.fips openssh-5.9p1/cipher.c
MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase)); MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase));
MD5_Final(digest, &md); MD5_Final(digest, &md);
@@ -304,6 +322,7 @@ cipher_set_key_string(CipherContext *cc, @@ -371,6 +394,7 @@ cipher_set_key_string(CipherContext *cc,
memset(digest, 0, sizeof(digest)); memset(digest, 0, sizeof(digest));
memset(&md, 0, sizeof(md)); memset(&md, 0, sizeof(md));
@ -121,10 +126,10 @@ diff -up openssh-5.9p1/cipher.c.fips openssh-5.9p1/cipher.c
} }
/* /*
diff -up openssh-5.9p1/cipher-ctr.c.fips openssh-5.9p1/cipher-ctr.c diff -up openssh-6.2p1/cipher-ctr.c.fips openssh-6.2p1/cipher-ctr.c
--- openssh-5.9p1/cipher-ctr.c.fips 2010-10-07 13:06:42.000000000 +0200 --- openssh-6.2p1/cipher-ctr.c.fips 2013-01-20 12:31:30.000000000 +0100
+++ openssh-5.9p1/cipher-ctr.c 2012-07-17 20:57:35.086155338 +0200 +++ openssh-6.2p1/cipher-ctr.c 2013-03-27 13:14:49.177683431 +0100
@@ -140,7 +140,8 @@ evp_aes_128_ctr(void) @@ -138,7 +138,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr; aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP #ifndef SSH_OLD_EVP
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
@ -134,21 +139,21 @@ diff -up openssh-5.9p1/cipher-ctr.c.fips openssh-5.9p1/cipher-ctr.c
#endif #endif
return (&aes_ctr); return (&aes_ctr);
} }
diff -up openssh-5.9p1/cipher.h.fips openssh-5.9p1/cipher.h diff -up openssh-6.2p1/cipher.h.fips openssh-6.2p1/cipher.h
--- openssh-5.9p1/cipher.h.fips 2012-07-17 20:57:34.989153186 +0200 --- openssh-6.2p1/cipher.h.fips 2013-03-27 13:14:49.088683784 +0100
+++ openssh-5.9p1/cipher.h 2012-07-17 20:57:35.087155360 +0200 +++ openssh-6.2p1/cipher.h 2013-03-27 13:14:49.177683431 +0100
@@ -87,7 +87,7 @@ void cipher_init(CipherContext *, Ciphe @@ -91,7 +91,7 @@ void cipher_init(CipherContext *, Ciphe
const u_char *, u_int, int); void cipher_crypt(CipherContext *, u_char *, const u_char *,
void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int); u_int, u_int, u_int);
void cipher_cleanup(CipherContext *); void cipher_cleanup(CipherContext *);
-void cipher_set_key_string(CipherContext *, Cipher *, const char *, int); -void cipher_set_key_string(CipherContext *, Cipher *, const char *, int);
+int cipher_set_key_string(CipherContext *, Cipher *, const char *, int); +int cipher_set_key_string(CipherContext *, Cipher *, const char *, int);
u_int cipher_blocksize(const Cipher *); u_int cipher_blocksize(const Cipher *);
u_int cipher_keylen(const Cipher *); u_int cipher_keylen(const Cipher *);
u_int cipher_is_cbc(const Cipher *); u_int cipher_authlen(const Cipher *);
diff -up openssh-5.9p1/key.c.fips openssh-5.9p1/key.c diff -up openssh-6.2p1/key.c.fips openssh-6.2p1/key.c
--- openssh-5.9p1/key.c.fips 2012-07-17 20:57:35.007153585 +0200 --- openssh-6.2p1/key.c.fips 2013-03-27 13:14:49.100683736 +0100
+++ openssh-5.9p1/key.c 2012-07-17 20:57:35.087155360 +0200 +++ openssh-6.2p1/key.c 2013-03-27 13:14:49.178683427 +0100
@@ -40,6 +40,7 @@ @@ -40,6 +40,7 @@
#include <sys/types.h> #include <sys/types.h>
@ -157,7 +162,7 @@ diff -up openssh-5.9p1/key.c.fips openssh-5.9p1/key.c
#include <openbsd-compat/openssl-compat.h> #include <openbsd-compat/openssl-compat.h>
#include <stdarg.h> #include <stdarg.h>
@@ -602,9 +603,13 @@ key_fingerprint_selection(void) @@ -607,9 +608,13 @@ key_fingerprint_selection(void)
char *env; char *env;
if (!rv_defined) { if (!rv_defined) {
@ -174,9 +179,9 @@ diff -up openssh-5.9p1/key.c.fips openssh-5.9p1/key.c
rv_defined = 1; rv_defined = 1;
} }
return rv; return rv;
diff -up openssh-5.9p1/mac.c.fips openssh-5.9p1/mac.c diff -up openssh-6.2p1/mac.c.fips openssh-6.2p1/mac.c
--- openssh-5.9p1/mac.c.fips 2012-07-17 20:57:34.996153341 +0200 --- openssh-6.2p1/mac.c.fips 2013-03-27 13:14:49.093683764 +0100
+++ openssh-5.9p1/mac.c 2012-07-17 20:58:35.584497499 +0200 +++ openssh-6.2p1/mac.c 2013-03-27 13:16:33.524266158 +0100
@@ -28,6 +28,7 @@ @@ -28,6 +28,7 @@
#include <sys/types.h> #include <sys/types.h>
@ -185,32 +190,35 @@ diff -up openssh-5.9p1/mac.c.fips openssh-5.9p1/mac.c
#include <stdarg.h> #include <stdarg.h>
#include <string.h> #include <string.h>
@@ -47,14 +48,14 @@ @@ -50,7 +51,7 @@
#define SSH_EVP 1 /* OpenSSL EVP-based MAC */
#define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */ #define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */
#define SSH_UMAC128 3
-struct { -struct {
+struct Macs { +struct Macs {
char *name; char *name;
int type; int type;
const EVP_MD * (*mdfunc)(void); const EVP_MD * (*mdfunc)(void);
int truncatebits; /* truncate digest if != 0 */ @@ -58,7 +59,9 @@ struct {
int key_len; /* just for UMAC */ int key_len; /* just for UMAC */
int len; /* just for UMAC */ int len; /* just for UMAC */
int etm; /* Encrypt-then-MAC */
-} macs[] = { -} macs[] = {
+} all_macs[] = { +};
{ "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 }, +
{ "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 }, +struct Macs all_macs[] = {
#ifdef HAVE_EVP_SHA256 /* Encrypt-and-MAC (encrypt-and-authenticate) variants */
@@ -71,9 +72,19 @@ struct { { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
{ NULL, 0, NULL, 0, -1, -1 } { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 },
@@ -89,9 +92,19 @@ struct {
{ NULL, 0, NULL, 0, 0, 0, 0 }
}; };
+struct Macs fips_macs[] = { +struct Macs fips_macs[] = {
+ { "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 }, + { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
+#ifdef HAVE_EVP_SHA256 +#ifdef HAVE_EVP_SHA256
+ { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, -1, -1 }, + { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, 0, 0, 0 },
+ { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, -1, -1 }, + { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, 0, 0, 0 },
+#endif +#endif
+ { NULL, 0, NULL, 0, -1, -1 } + { NULL, 0, NULL, 0, -1, -1 }
+}; +};
@ -222,7 +230,7 @@ diff -up openssh-5.9p1/mac.c.fips openssh-5.9p1/mac.c
int evp_len; int evp_len;
mac->type = macs[which].type; mac->type = macs[which].type;
if (mac->type == SSH_EVP) { if (mac->type == SSH_EVP) {
@@ -94,6 +105,7 @@ int @@ -113,6 +126,7 @@ int
mac_setup(Mac *mac, char *name) mac_setup(Mac *mac, char *name)
{ {
int i; int i;
@ -230,19 +238,19 @@ diff -up openssh-5.9p1/mac.c.fips openssh-5.9p1/mac.c
for (i = 0; macs[i].name; i++) { for (i = 0; macs[i].name; i++) {
if (strcmp(name, macs[i].name) == 0) { if (strcmp(name, macs[i].name) == 0) {
diff -up openssh-5.9p1/Makefile.in.fips openssh-5.9p1/Makefile.in diff -up openssh-6.2p1/Makefile.in.fips openssh-6.2p1/Makefile.in
--- openssh-5.9p1/Makefile.in.fips 2012-07-17 20:57:35.069154962 +0200 --- openssh-6.2p1/Makefile.in.fips 2013-03-27 13:14:49.155683518 +0100
+++ openssh-5.9p1/Makefile.in 2012-07-17 20:57:35.086155338 +0200 +++ openssh-6.2p1/Makefile.in 2013-03-27 13:14:49.178683427 +0100
@@ -142,25 +142,25 @@ libssh.a: $(LIBSSH_OBJS) @@ -145,25 +145,25 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@ $(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) - $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) + $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@ -265,7 +273,7 @@ diff -up openssh-5.9p1/Makefile.in.fips openssh-5.9p1/Makefile.in
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -172,7 +172,7 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh @@ -175,7 +175,7 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh
$(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS) $(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
@ -274,10 +282,10 @@ diff -up openssh-5.9p1/Makefile.in.fips openssh-5.9p1/Makefile.in
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-5.9p1/myproposal.h.fips openssh-5.9p1/myproposal.h diff -up openssh-6.2p1/myproposal.h.fips openssh-6.2p1/myproposal.h
--- openssh-5.9p1/myproposal.h.fips 2011-08-17 02:29:03.000000000 +0200 --- openssh-6.2p1/myproposal.h.fips 2013-01-09 06:12:19.000000000 +0100
+++ openssh-5.9p1/myproposal.h 2012-07-17 21:01:12.685982807 +0200 +++ openssh-6.2p1/myproposal.h 2013-03-27 13:14:49.178683427 +0100
@@ -97,6 +97,19 @@ @@ -106,6 +106,19 @@
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
#define KEX_DEFAULT_LANG "" #define KEX_DEFAULT_LANG ""
@ -297,9 +305,9 @@ diff -up openssh-5.9p1/myproposal.h.fips openssh-5.9p1/myproposal.h
static char *myproposal[PROPOSAL_MAX] = { static char *myproposal[PROPOSAL_MAX] = {
KEX_DEFAULT_KEX, KEX_DEFAULT_KEX,
diff -up openssh-5.9p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.9p1/openbsd-compat/bsd-arc4random.c diff -up openssh-6.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-6.2p1/openbsd-compat/bsd-arc4random.c
--- openssh-5.9p1/openbsd-compat/bsd-arc4random.c.fips 2010-03-25 22:52:02.000000000 +0100 --- openssh-6.2p1/openbsd-compat/bsd-arc4random.c.fips 2010-03-25 22:52:02.000000000 +0100
+++ openssh-5.9p1/openbsd-compat/bsd-arc4random.c 2012-07-17 20:57:35.087155360 +0200 +++ openssh-6.2p1/openbsd-compat/bsd-arc4random.c 2013-03-27 13:14:49.179683423 +0100
@@ -37,25 +37,18 @@ @@ -37,25 +37,18 @@
#define REKEY_BYTES (1 << 24) #define REKEY_BYTES (1 << 24)
@ -355,9 +363,9 @@ diff -up openssh-5.9p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.9p1/openbs
} }
#endif /* !HAVE_ARC4RANDOM */ #endif /* !HAVE_ARC4RANDOM */
diff -up openssh-5.9p1/ssh.c.fips openssh-5.9p1/ssh.c diff -up openssh-6.2p1/ssh.c.fips openssh-6.2p1/ssh.c
--- openssh-5.9p1/ssh.c.fips 2011-08-05 22:18:16.000000000 +0200 --- openssh-6.2p1/ssh.c.fips 2012-07-06 05:45:01.000000000 +0200
+++ openssh-5.9p1/ssh.c 2012-07-17 20:57:35.088155382 +0200 +++ openssh-6.2p1/ssh.c 2013-03-27 13:14:49.179683423 +0100
@@ -73,6 +73,8 @@ @@ -73,6 +73,8 @@
#include <openssl/evp.h> #include <openssl/evp.h>
@ -388,7 +396,7 @@ diff -up openssh-5.9p1/ssh.c.fips openssh-5.9p1/ssh.c
options.protocol = SSH_PROTO_1; options.protocol = SSH_PROTO_1;
break; break;
case '2': case '2':
@@ -630,7 +639,6 @@ main(int ac, char **av) @@ -632,7 +641,6 @@ main(int ac, char **av)
if (!host) if (!host)
usage(); usage();
@ -396,7 +404,7 @@ diff -up openssh-5.9p1/ssh.c.fips openssh-5.9p1/ssh.c
ERR_load_crypto_strings(); ERR_load_crypto_strings();
/* Initialize the command to execute on remote host. */ /* Initialize the command to execute on remote host. */
@@ -721,6 +729,10 @@ main(int ac, char **av) @@ -722,6 +730,10 @@ main(int ac, char **av)
seed_rng(); seed_rng();
@ -407,7 +415,7 @@ diff -up openssh-5.9p1/ssh.c.fips openssh-5.9p1/ssh.c
if (options.user == NULL) if (options.user == NULL)
options.user = xstrdup(pw->pw_name); options.user = xstrdup(pw->pw_name);
@@ -789,6 +801,12 @@ main(int ac, char **av) @@ -790,6 +802,12 @@ main(int ac, char **av)
timeout_ms = options.connection_timeout * 1000; timeout_ms = options.connection_timeout * 1000;
@ -420,9 +428,9 @@ diff -up openssh-5.9p1/ssh.c.fips openssh-5.9p1/ssh.c
/* Open a connection to the remote host. */ /* Open a connection to the remote host. */
if (ssh_connect(host, &hostaddr, options.port, if (ssh_connect(host, &hostaddr, options.port,
options.address_family, options.connection_attempts, &timeout_ms, options.address_family, options.connection_attempts, &timeout_ms,
diff -up openssh-5.9p1/sshconnect2.c.fips openssh-5.9p1/sshconnect2.c diff -up openssh-6.2p1/sshconnect2.c.fips openssh-6.2p1/sshconnect2.c
--- openssh-5.9p1/sshconnect2.c.fips 2012-07-17 20:57:34.955152432 +0200 --- openssh-6.2p1/sshconnect2.c.fips 2013-03-27 13:14:49.066683871 +0100
+++ openssh-5.9p1/sshconnect2.c 2012-07-17 20:57:35.088155382 +0200 +++ openssh-6.2p1/sshconnect2.c 2013-03-27 13:14:49.179683423 +0100
@@ -44,6 +44,8 @@ @@ -44,6 +44,8 @@
#include <vis.h> #include <vis.h>
#endif #endif
@ -455,9 +463,9 @@ diff -up openssh-5.9p1/sshconnect2.c.fips openssh-5.9p1/sshconnect2.c
if (options.hostkeyalgorithms != NULL) if (options.hostkeyalgorithms != NULL)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
options.hostkeyalgorithms; options.hostkeyalgorithms;
diff -up openssh-5.9p1/sshd.c.fips openssh-5.9p1/sshd.c diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
--- openssh-5.9p1/sshd.c.fips 2012-07-17 20:57:35.049154517 +0200 --- openssh-6.2p1/sshd.c.fips 2013-03-27 13:14:49.146683554 +0100
+++ openssh-5.9p1/sshd.c 2012-07-17 20:57:35.089155405 +0200 +++ openssh-6.2p1/sshd.c 2013-03-27 13:14:49.180683419 +0100
@@ -76,6 +76,8 @@ @@ -76,6 +76,8 @@
#include <openssl/bn.h> #include <openssl/bn.h>
#include <openssl/md5.h> #include <openssl/md5.h>
@ -467,7 +475,7 @@ diff -up openssh-5.9p1/sshd.c.fips openssh-5.9p1/sshd.c
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#ifdef HAVE_SECUREWARE #ifdef HAVE_SECUREWARE
@@ -1395,6 +1397,11 @@ main(int ac, char **av) @@ -1423,6 +1425,11 @@ main(int ac, char **av)
#endif #endif
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
@ -479,7 +487,7 @@ diff -up openssh-5.9p1/sshd.c.fips openssh-5.9p1/sshd.c
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac; saved_argc = ac;
rexec_argc = ac; rexec_argc = ac;
@@ -1554,8 +1561,6 @@ main(int ac, char **av) @@ -1571,8 +1578,6 @@ main(int ac, char **av)
else else
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
@ -488,7 +496,7 @@ diff -up openssh-5.9p1/sshd.c.fips openssh-5.9p1/sshd.c
/* /*
* Force logging to stderr until we have loaded the private host * Force logging to stderr until we have loaded the private host
* key (unless started from inetd) * key (unless started from inetd)
@@ -1673,6 +1678,10 @@ main(int ac, char **av) @@ -1715,6 +1720,10 @@ main(int ac, char **av)
debug("private host key: #%d type %d %s", i, key->type, debug("private host key: #%d type %d %s", i, key->type,
key_type(key)); key_type(key));
} }
@ -499,7 +507,7 @@ diff -up openssh-5.9p1/sshd.c.fips openssh-5.9p1/sshd.c
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
logit("Disabling protocol version 1. Could not load host key"); logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1; options.protocol &= ~SSH_PROTO_1;
@@ -1837,6 +1846,10 @@ main(int ac, char **av) @@ -1878,6 +1887,10 @@ main(int ac, char **av)
/* Initialize the random number generator. */ /* Initialize the random number generator. */
arc4random_stir(); arc4random_stir();
@ -510,7 +518,7 @@ diff -up openssh-5.9p1/sshd.c.fips openssh-5.9p1/sshd.c
/* Chdir to the root directory so that the current disk can be /* Chdir to the root directory so that the current disk can be
unmounted if desired. */ unmounted if desired. */
(void) chdir("/"); (void) chdir("/");
@@ -2379,6 +2392,9 @@ do_ssh2_kex(void) @@ -2420,6 +2433,9 @@ do_ssh2_kex(void)
if (options.ciphers != NULL) { if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -520,7 +528,7 @@ diff -up openssh-5.9p1/sshd.c.fips openssh-5.9p1/sshd.c
} }
myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -2388,6 +2404,9 @@ do_ssh2_kex(void) @@ -2429,6 +2445,9 @@ do_ssh2_kex(void)
if (options.macs != NULL) { if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
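Review bot: In the rebased fips_ciphers table (cipher.c hunk `@@ -89,6 +90,27 @@`), the aes192-ctr and aes256-ctr rows move from OpenSSH's own evp_aes_128_ctr wrapper, which the cipher-ctr.c hunk shows is flagged EVP_CIPH_VARIABLE_LENGTH, onto OpenSSL's EVP_aes_128_ctr, whose key length is fixed at 16 bytes while the rows still declare 24 and 32, so unless cipher_init (outside this hunk) tolerates the mismatch, those two FIPS-mode ciphers will fail or be mis-keyed relative to what the peer negotiated. The per-size OpenSSL objects are the ones that match the declared lengths: `{ "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr }` and `{ "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr }`. The same table's sentinel row carries one integer field fewer than the upstream sentinel a few lines above it (six zeros there, five here), and the fips_macs sentinel in the mac.c hunk keeps the old six-field `-1, -1` shape although the rows above it were widened to seven fields; both only work because the NULL name ends the scan. Writing them in the widened form, `{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }` and `{ NULL, 0, NULL, 0, 0, 0, 0 }`, keeps the tables consistent with the struct layout they initialize positionally.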


@ -1,6 +1,6 @@
diff -up openssh-5.8p2/gss-serv-krb5.c.force_krb openssh-5.8p2/gss-serv-krb5.c diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c
--- openssh-5.8p2/gss-serv-krb5.c.force_krb 2006-09-01 07:38:36.000000000 +0200 --- openssh-6.2p1/gss-serv-krb5.c.force_krb 2013-03-25 20:04:53.807817333 +0100
+++ openssh-5.8p2/gss-serv-krb5.c 2011-05-19 03:41:45.801109545 +0200 +++ openssh-6.2p1/gss-serv-krb5.c 2013-03-25 20:04:53.818817403 +0100
@@ -32,7 +32,9 @@ @@ -32,7 +32,9 @@
#include <sys/types.h> #include <sys/types.h>
@ -216,10 +216,10 @@ diff -up openssh-5.8p2/gss-serv-krb5.c.force_krb openssh-5.8p2/gss-serv-krb5.c
/* This writes out any forwarded credentials from the structure populated /* This writes out any forwarded credentials from the structure populated
* during userauth. Called after we have setuid to the user */ * during userauth. Called after we have setuid to the user */
diff -up openssh-5.8p2/session.c.force_krb openssh-5.8p2/session.c diff -up openssh-6.2p1/session.c.force_krb openssh-6.2p1/session.c
--- openssh-5.8p2/session.c.force_krb 2011-05-19 03:41:41.000000000 +0200 --- openssh-6.2p1/session.c.force_krb 2013-03-25 20:04:53.724816810 +0100
+++ openssh-5.8p2/session.c 2011-05-19 03:43:32.437173662 +0200 +++ openssh-6.2p1/session.c 2013-03-25 20:04:53.818817403 +0100
@@ -820,6 +820,29 @@ do_exec(Session *s, const char *command) @@ -823,6 +823,29 @@ do_exec(Session *s, const char *command)
debug("Forced command (key option) '%.900s'", command); debug("Forced command (key option) '%.900s'", command);
} }
@ -249,9 +249,9 @@ diff -up openssh-5.8p2/session.c.force_krb openssh-5.8p2/session.c
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
if (s->command != NULL || s->command_handle != -1) if (s->command != NULL || s->command_handle != -1)
fatal("do_exec: command already set"); fatal("do_exec: command already set");
diff -up openssh-5.8p2/sshd.8.force_krb openssh-5.8p2/sshd.8 diff -up openssh-6.2p1/sshd.8.force_krb openssh-6.2p1/sshd.8
--- openssh-5.8p2/sshd.8.force_krb 2011-05-19 03:41:30.582114401 +0200 --- openssh-6.2p1/sshd.8.force_krb 2013-03-25 20:04:53.787817207 +0100
+++ openssh-5.8p2/sshd.8 2011-05-19 03:41:46.159106308 +0200 +++ openssh-6.2p1/sshd.8 2013-03-25 20:04:53.819817409 +0100
@@ -323,6 +323,7 @@ Finally, the server and the client enter @@ -323,6 +323,7 @@ Finally, the server and the client enter
The client tries to authenticate itself using The client tries to authenticate itself using
host-based authentication, host-based authentication,
@ -273,13 +273,13 @@ diff -up openssh-5.8p2/sshd.8.force_krb openssh-5.8p2/sshd.8
.It Pa ~/.ssh/ .It Pa ~/.ssh/
This directory is the default location for all user-specific configuration This directory is the default location for all user-specific configuration
and authentication information. and authentication information.
diff -up openssh-5.8p2/ssh-gss.h.force_krb openssh-5.8p2/ssh-gss.h diff -up openssh-6.2p1/ssh-gss.h.force_krb openssh-6.2p1/ssh-gss.h
--- openssh-5.8p2/ssh-gss.h.force_krb 2007-06-12 15:40:39.000000000 +0200 --- openssh-6.2p1/ssh-gss.h.force_krb 2013-03-25 20:04:53.819817409 +0100
+++ openssh-5.8p2/ssh-gss.h 2011-05-19 03:41:46.302234118 +0200 +++ openssh-6.2p1/ssh-gss.h 2013-03-25 20:05:26.463023197 +0100
@@ -48,6 +48,10 @@ @@ -49,6 +49,10 @@
#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name # endif /* !HAVE_DECL_GSS_C_NT_... */
#endif /* GSS_C_NT_... */
#endif /* !HEIMDAL */ # endif /* !HEIMDAL */
+ +
+/* .k5users support */ +/* .k5users support */
+extern char **k5users_allowed_cmds; +extern char **k5users_allowed_cmds;


@ -1,6 +1,6 @@
diff -up openssh-6.1p1/auth2.c.gsskex openssh-6.1p1/auth2.c diff -up openssh-6.2p1/auth2.c.gsskex openssh-6.2p1/auth2.c
--- openssh-6.1p1/auth2.c.gsskex 2012-11-30 13:58:08.871298935 +0100 --- openssh-6.2p1/auth2.c.gsskex 2013-03-27 13:19:11.062624591 +0100
+++ openssh-6.1p1/auth2.c 2012-11-30 13:58:08.946298649 +0100 +++ openssh-6.2p1/auth2.c 2013-03-27 13:19:11.140624271 +0100
@@ -69,6 +69,7 @@ extern Authmethod method_passwd; @@ -69,6 +69,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint; extern Authmethod method_kbdint;
extern Authmethod method_hostbased; extern Authmethod method_hostbased;
@ -17,9 +17,9 @@ diff -up openssh-6.1p1/auth2.c.gsskex openssh-6.1p1/auth2.c
&method_gssapi, &method_gssapi,
#endif #endif
#ifdef JPAKE #ifdef JPAKE
diff -up openssh-6.1p1/auth2-gss.c.gsskex openssh-6.1p1/auth2-gss.c diff -up openssh-6.2p1/auth2-gss.c.gsskex openssh-6.2p1/auth2-gss.c
--- openssh-6.1p1/auth2-gss.c.gsskex 2012-11-30 13:58:08.871298935 +0100 --- openssh-6.2p1/auth2-gss.c.gsskex 2013-03-27 13:19:11.062624591 +0100
+++ openssh-6.1p1/auth2-gss.c 2012-11-30 13:59:19.622985133 +0100 +++ openssh-6.2p1/auth2-gss.c 2013-03-27 13:19:11.141624267 +0100
@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u @@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u
static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
static void input_gssapi_errtok(int, u_int32_t, void *); static void input_gssapi_errtok(int, u_int32_t, void *);
@ -94,9 +94,9 @@ diff -up openssh-6.1p1/auth2-gss.c.gsskex openssh-6.1p1/auth2-gss.c
Authmethod method_gssapi = { Authmethod method_gssapi = {
"gssapi-with-mic", "gssapi-with-mic",
userauth_gssapi, userauth_gssapi,
diff -up openssh-6.1p1/auth-krb5.c.gsskex openssh-6.1p1/auth-krb5.c diff -up openssh-6.2p1/auth-krb5.c.gsskex openssh-6.2p1/auth-krb5.c
--- openssh-6.1p1/auth-krb5.c.gsskex 2012-04-26 01:52:15.000000000 +0200 --- openssh-6.2p1/auth-krb5.c.gsskex 2012-04-26 01:52:15.000000000 +0200
+++ openssh-6.1p1/auth-krb5.c 2012-11-30 13:58:08.947298647 +0100 +++ openssh-6.2p1/auth-krb5.c 2013-03-27 13:19:11.140624271 +0100
@@ -50,6 +50,7 @@ @@ -50,6 +50,7 @@
#include <errno.h> #include <errno.h>
#include <unistd.h> #include <unistd.h>
@ -203,9 +203,9 @@ diff -up openssh-6.1p1/auth-krb5.c.gsskex openssh-6.1p1/auth-krb5.c
return (krb5_cc_resolve(ctx, ccname, ccache)); return (krb5_cc_resolve(ctx, ccname, ccache));
} }
diff -up openssh-6.1p1/ChangeLog.gssapi.gsskex openssh-6.1p1/ChangeLog.gssapi diff -up openssh-6.2p1/ChangeLog.gssapi.gsskex openssh-6.2p1/ChangeLog.gssapi
--- openssh-6.1p1/ChangeLog.gssapi.gsskex 2012-11-30 13:58:08.947298647 +0100 --- openssh-6.2p1/ChangeLog.gssapi.gsskex 2013-03-27 13:19:11.143624259 +0100
+++ openssh-6.1p1/ChangeLog.gssapi 2012-11-30 13:58:08.947298647 +0100 +++ openssh-6.2p1/ChangeLog.gssapi 2013-03-27 13:19:11.143624259 +0100
@@ -0,0 +1,113 @@ @@ -0,0 +1,113 @@
+20110101 +20110101
+ - Finally update for OpenSSH 5.6p1 + - Finally update for OpenSSH 5.6p1
@ -320,9 +320,9 @@ diff -up openssh-6.1p1/ChangeLog.gssapi.gsskex openssh-6.1p1/ChangeLog.gssapi
+ add support for GssapiTrustDns option for gssapi-with-mic + add support for GssapiTrustDns option for gssapi-with-mic
+ (from jbasney AT ncsa.uiuc.edu) + (from jbasney AT ncsa.uiuc.edu)
+ <gssapi-with-mic support is Bugzilla #1008> + <gssapi-with-mic support is Bugzilla #1008>
diff -up openssh-6.1p1/clientloop.c.gsskex openssh-6.1p1/clientloop.c diff -up openssh-6.2p1/clientloop.c.gsskex openssh-6.2p1/clientloop.c
--- openssh-6.1p1/clientloop.c.gsskex 2012-11-30 13:58:08.781299279 +0100 --- openssh-6.2p1/clientloop.c.gsskex 2013-03-27 13:19:11.001624842 +0100
+++ openssh-6.1p1/clientloop.c 2012-11-30 13:58:08.948298644 +0100 +++ openssh-6.2p1/clientloop.c 2013-03-27 13:19:11.141624267 +0100
@@ -111,6 +111,10 @@ @@ -111,6 +111,10 @@
#include "msg.h" #include "msg.h"
#include "roaming.h" #include "roaming.h"
@ -334,7 +334,7 @@ diff -up openssh-6.1p1/clientloop.c.gsskex openssh-6.1p1/clientloop.c
/* import options */ /* import options */
extern Options options; extern Options options;
@@ -1544,6 +1548,15 @@ client_loop(int have_pty, int escape_cha @@ -1599,6 +1603,15 @@ client_loop(int have_pty, int escape_cha
/* Do channel operations unless rekeying in progress. */ /* Do channel operations unless rekeying in progress. */
if (!rekeying) { if (!rekeying) {
channel_after_select(readset, writeset); channel_after_select(readset, writeset);
@ -350,10 +350,10 @@ diff -up openssh-6.1p1/clientloop.c.gsskex openssh-6.1p1/clientloop.c
if (need_rekeying || packet_need_rekeying()) { if (need_rekeying || packet_need_rekeying()) {
debug("need rekeying"); debug("need rekeying");
xxx_kex->done = 0; xxx_kex->done = 0;
diff -up openssh-6.1p1/configure.ac.gsskex openssh-6.1p1/configure.ac diff -up openssh-6.2p1/configure.ac.gsskex openssh-6.2p1/configure.ac
--- openssh-6.1p1/configure.ac.gsskex 2012-11-30 13:58:08.934298697 +0100 --- openssh-6.2p1/configure.ac.gsskex 2013-03-27 13:19:11.128624320 +0100
+++ openssh-6.1p1/configure.ac 2012-11-30 13:58:08.949298640 +0100 +++ openssh-6.2p1/configure.ac 2013-03-27 13:19:11.142624263 +0100
@@ -545,6 +545,30 @@ main() { if (NSVersionOfRunTimeLibrary(" @@ -533,6 +533,30 @@ main() { if (NSVersionOfRunTimeLibrary("
[Use tunnel device compatibility to OpenBSD]) [Use tunnel device compatibility to OpenBSD])
AC_DEFINE([SSH_TUN_PREPEND_AF], [1], AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
[Prepend the address family to IP tunnel traffic]) [Prepend the address family to IP tunnel traffic])
@ -384,9 +384,9 @@ diff -up openssh-6.1p1/configure.ac.gsskex openssh-6.1p1/configure.ac
m4_pattern_allow([AU_IPv]) m4_pattern_allow([AU_IPv])
AC_CHECK_DECL([AU_IPv4], [], AC_CHECK_DECL([AU_IPv4], [],
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
diff -up openssh-6.1p1/gss-genr.c.gsskex openssh-6.1p1/gss-genr.c diff -up openssh-6.2p1/gss-genr.c.gsskex openssh-6.2p1/gss-genr.c
--- openssh-6.1p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200 --- openssh-6.2p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200
+++ openssh-6.1p1/gss-genr.c 2012-11-30 13:58:08.949298640 +0100 +++ openssh-6.2p1/gss-genr.c 2013-03-27 13:19:11.142624263 +0100
@@ -1,7 +1,7 @@ @@ -1,7 +1,7 @@
/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */ /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
@ -734,9 +734,9 @@ diff -up openssh-6.1p1/gss-genr.c.gsskex openssh-6.1p1/gss-genr.c
+} +}
+ +
#endif /* GSSAPI */ #endif /* GSSAPI */
diff -up openssh-6.1p1/gss-serv.c.gsskex openssh-6.1p1/gss-serv.c diff -up openssh-6.2p1/gss-serv.c.gsskex openssh-6.2p1/gss-serv.c
--- openssh-6.1p1/gss-serv.c.gsskex 2011-08-05 22:16:46.000000000 +0200 --- openssh-6.2p1/gss-serv.c.gsskex 2011-08-05 22:16:46.000000000 +0200
+++ openssh-6.1p1/gss-serv.c 2012-11-30 13:58:08.949298640 +0100 +++ openssh-6.2p1/gss-serv.c 2013-03-27 13:19:11.142624263 +0100
@@ -45,15 +45,20 @@ @@ -45,15 +45,20 @@
#include "channels.h" #include "channels.h"
#include "session.h" #include "session.h"
@ -1075,9 +1075,9 @@ diff -up openssh-6.1p1/gss-serv.c.gsskex openssh-6.1p1/gss-serv.c
} }
#endif #endif
diff -up openssh-6.1p1/gss-serv-krb5.c.gsskex openssh-6.1p1/gss-serv-krb5.c diff -up openssh-6.2p1/gss-serv-krb5.c.gsskex openssh-6.2p1/gss-serv-krb5.c
--- openssh-6.1p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200 --- openssh-6.2p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200
+++ openssh-6.1p1/gss-serv-krb5.c 2012-11-30 13:58:08.949298640 +0100 +++ openssh-6.2p1/gss-serv-krb5.c 2013-03-27 13:19:11.143624259 +0100
@@ -1,7 +1,7 @@ @@ -1,7 +1,7 @@
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
@ -1200,9 +1200,9 @@ diff -up openssh-6.1p1/gss-serv-krb5.c.gsskex openssh-6.1p1/gss-serv-krb5.c
}; };
#endif /* KRB5 */ #endif /* KRB5 */
diff -up openssh-6.1p1/kex.c.gsskex openssh-6.1p1/kex.c diff -up openssh-6.2p1/kex.c.gsskex openssh-6.2p1/kex.c
--- openssh-6.1p1/kex.c.gsskex 2012-11-30 13:58:08.820299131 +0100 --- openssh-6.2p1/kex.c.gsskex 2013-03-27 13:19:11.039624686 +0100
+++ openssh-6.1p1/kex.c 2012-11-30 13:58:08.950298635 +0100 +++ openssh-6.2p1/kex.c 2013-03-27 13:19:11.143624259 +0100
@@ -51,6 +51,10 @@ @@ -51,6 +51,10 @@
#include "roaming.h" #include "roaming.h"
#include "audit.h" #include "audit.h"
@ -1214,7 +1214,7 @@ diff -up openssh-6.1p1/kex.c.gsskex openssh-6.1p1/kex.c
#if OPENSSL_VERSION_NUMBER >= 0x00907000L #if OPENSSL_VERSION_NUMBER >= 0x00907000L
# if defined(HAVE_EVP_SHA256) # if defined(HAVE_EVP_SHA256)
# define evp_ssh_sha256 EVP_sha256 # define evp_ssh_sha256 EVP_sha256
@@ -371,6 +375,20 @@ choose_kex(Kex *k, char *client, char *s @@ -382,6 +386,20 @@ choose_kex(Kex *k, char *client, char *s
k->kex_type = KEX_ECDH_SHA2; k->kex_type = KEX_ECDH_SHA2;
k->evp_md = kex_ecdh_name_to_evpmd(k->name); k->evp_md = kex_ecdh_name_to_evpmd(k->name);
#endif #endif
@ -1235,9 +1235,9 @@ diff -up openssh-6.1p1/kex.c.gsskex openssh-6.1p1/kex.c
} else } else
fatal("bad kex alg %s", k->name); fatal("bad kex alg %s", k->name);
} }
diff -up openssh-6.1p1/kexgssc.c.gsskex openssh-6.1p1/kexgssc.c diff -up openssh-6.2p1/kexgssc.c.gsskex openssh-6.2p1/kexgssc.c
--- openssh-6.1p1/kexgssc.c.gsskex 2012-11-30 13:58:08.950298635 +0100 --- openssh-6.2p1/kexgssc.c.gsskex 2013-03-27 13:19:11.143624259 +0100
+++ openssh-6.1p1/kexgssc.c 2012-11-30 13:58:08.950298635 +0100 +++ openssh-6.2p1/kexgssc.c 2013-03-27 13:19:11.143624259 +0100
@@ -0,0 +1,334 @@ @@ -0,0 +1,334 @@
+/* +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1573,9 +1573,9 @@ diff -up openssh-6.1p1/kexgssc.c.gsskex openssh-6.1p1/kexgssc.c
+} +}
+ +
+#endif /* GSSAPI */ +#endif /* GSSAPI */
diff -up openssh-6.1p1/kexgsss.c.gsskex openssh-6.1p1/kexgsss.c diff -up openssh-6.2p1/kexgsss.c.gsskex openssh-6.2p1/kexgsss.c
--- openssh-6.1p1/kexgsss.c.gsskex 2012-11-30 13:58:08.950298635 +0100 --- openssh-6.2p1/kexgsss.c.gsskex 2013-03-27 13:19:11.144624254 +0100
+++ openssh-6.1p1/kexgsss.c 2012-11-30 13:58:08.950298635 +0100 +++ openssh-6.2p1/kexgsss.c 2013-03-27 13:19:11.144624254 +0100
@@ -0,0 +1,288 @@ @@ -0,0 +1,288 @@
+/* +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1865,9 +1865,9 @@ diff -up openssh-6.1p1/kexgsss.c.gsskex openssh-6.1p1/kexgsss.c
+ ssh_gssapi_rekey_creds(); + ssh_gssapi_rekey_creds();
+} +}
+#endif /* GSSAPI */ +#endif /* GSSAPI */
diff -up openssh-6.1p1/kex.h.gsskex openssh-6.1p1/kex.h diff -up openssh-6.2p1/kex.h.gsskex openssh-6.2p1/kex.h
--- openssh-6.1p1/kex.h.gsskex 2012-11-30 13:58:08.820299131 +0100 --- openssh-6.2p1/kex.h.gsskex 2013-03-27 13:19:11.039624686 +0100
+++ openssh-6.1p1/kex.h 2012-11-30 13:58:08.950298635 +0100 +++ openssh-6.2p1/kex.h 2013-03-27 13:19:11.144624254 +0100
@@ -73,6 +73,9 @@ enum kex_exchange { @@ -73,6 +73,9 @@ enum kex_exchange {
KEX_DH_GEX_SHA1, KEX_DH_GEX_SHA1,
KEX_DH_GEX_SHA256, KEX_DH_GEX_SHA256,
@ -1878,7 +1878,7 @@ diff -up openssh-6.1p1/kex.h.gsskex openssh-6.1p1/kex.h
KEX_MAX KEX_MAX
}; };
@@ -129,6 +132,12 @@ struct Kex { @@ -131,6 +134,12 @@ struct Kex {
sig_atomic_t done; sig_atomic_t done;
int flags; int flags;
const EVP_MD *evp_md; const EVP_MD *evp_md;
@ -1891,7 +1891,7 @@ diff -up openssh-6.1p1/kex.h.gsskex openssh-6.1p1/kex.h
char *client_version_string; char *client_version_string;
char *server_version_string; char *server_version_string;
int (*verify_host_key)(Key *); int (*verify_host_key)(Key *);
@@ -156,6 +165,11 @@ void kexgex_server(Kex *); @@ -158,6 +167,11 @@ void kexgex_server(Kex *);
void kexecdh_client(Kex *); void kexecdh_client(Kex *);
void kexecdh_server(Kex *); void kexecdh_server(Kex *);
@ -1903,9 +1903,9 @@ diff -up openssh-6.1p1/kex.h.gsskex openssh-6.1p1/kex.h
void newkeys_destroy(Newkeys *newkeys); void newkeys_destroy(Newkeys *newkeys);
void void
diff -up openssh-6.1p1/key.c.gsskex openssh-6.1p1/key.c diff -up openssh-6.2p1/key.c.gsskex openssh-6.2p1/key.c
--- openssh-6.1p1/key.c.gsskex 2012-11-30 13:58:08.912298779 +0100 --- openssh-6.2p1/key.c.gsskex 2013-03-27 13:19:11.102624427 +0100
+++ openssh-6.1p1/key.c 2012-11-30 13:58:08.951298630 +0100 +++ openssh-6.2p1/key.c 2013-03-27 13:19:11.144624254 +0100
@@ -1011,6 +1011,8 @@ key_ssh_name_from_type_nid(int type, int @@ -1011,6 +1011,8 @@ key_ssh_name_from_type_nid(int type, int
} }
break; break;
@ -1924,9 +1924,9 @@ diff -up openssh-6.1p1/key.c.gsskex openssh-6.1p1/key.c
} }
debug2("key_type_from_name: unknown key type '%s'", name); debug2("key_type_from_name: unknown key type '%s'", name);
diff -up openssh-6.1p1/key.h.gsskex openssh-6.1p1/key.h diff -up openssh-6.2p1/key.h.gsskex openssh-6.2p1/key.h
--- openssh-6.1p1/key.h.gsskex 2012-11-30 13:58:08.827299104 +0100 --- openssh-6.2p1/key.h.gsskex 2013-03-27 13:19:11.046624657 +0100
+++ openssh-6.1p1/key.h 2012-11-30 13:58:08.951298630 +0100 +++ openssh-6.2p1/key.h 2013-03-27 13:19:11.145624250 +0100
@@ -44,6 +44,7 @@ enum types { @@ -44,6 +44,7 @@ enum types {
KEY_ECDSA_CERT, KEY_ECDSA_CERT,
KEY_RSA_CERT_V00, KEY_RSA_CERT_V00,
@ -1935,18 +1935,18 @@ diff -up openssh-6.1p1/key.h.gsskex openssh-6.1p1/key.h
KEY_UNSPEC KEY_UNSPEC
}; };
enum fp_type { enum fp_type {
diff -up openssh-6.1p1/Makefile.in.gsskex openssh-6.1p1/Makefile.in diff -up openssh-6.2p1/Makefile.in.gsskex openssh-6.2p1/Makefile.in
--- openssh-6.1p1/Makefile.in.gsskex 2012-11-30 13:58:08.945298652 +0100 --- openssh-6.2p1/Makefile.in.gsskex 2013-03-27 13:19:11.138624279 +0100
+++ openssh-6.1p1/Makefile.in 2012-11-30 13:58:08.951298630 +0100 +++ openssh-6.2p1/Makefile.in 2013-03-27 13:19:11.145624250 +0100
@@ -75,6 +75,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b @@ -77,6 +77,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
+ kexgssc.o \ + kexgssc.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
schnorr.o ssh-pkcs11.o auditstub.o jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o
@@ -91,7 +92,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw @@ -93,7 +94,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
auth-krb5.o \ auth-krb5.o \
@ -1955,9 +1955,9 @@ diff -up openssh-6.1p1/Makefile.in.gsskex openssh-6.1p1/Makefile.in
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \ sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o \ roaming_common.o roaming_serv.o \
diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c
--- openssh-6.1p1/monitor.c.gsskex 2012-11-30 13:58:08.873298927 +0100 --- openssh-6.2p1/monitor.c.gsskex 2013-03-27 13:19:11.063624587 +0100
+++ openssh-6.1p1/monitor.c 2012-11-30 13:58:08.952298626 +0100 +++ openssh-6.2p1/monitor.c 2013-03-27 13:19:11.145624250 +0100
@@ -186,6 +186,8 @@ int mm_answer_gss_setup_ctx(int, Buffer @@ -186,6 +186,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_userok(int, Buffer *);
@ -1999,7 +1999,7 @@ diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
} else { } else {
mon_dispatch = mon_dispatch_proto15; mon_dispatch = mon_dispatch_proto15;
@@ -516,6 +529,10 @@ monitor_child_postauth(struct monitor *p @@ -519,6 +532,10 @@ monitor_child_postauth(struct monitor *p
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@ -2010,7 +2010,7 @@ diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
} else { } else {
mon_dispatch = mon_dispatch_postauth15; mon_dispatch = mon_dispatch_postauth15;
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1948,6 +1965,13 @@ mm_get_kex(Buffer *m) @@ -1950,6 +1967,13 @@ mm_get_kex(Buffer *m)
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server; kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@ -2024,7 +2024,7 @@ diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
kex->server = 1; kex->server = 1;
kex->hostkey_type = buffer_get_int(m); kex->hostkey_type = buffer_get_int(m);
kex->kex_type = buffer_get_int(m); kex->kex_type = buffer_get_int(m);
@@ -2171,6 +2195,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer @@ -2173,6 +2197,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
OM_uint32 major; OM_uint32 major;
u_int len; u_int len;
@ -2034,7 +2034,7 @@ diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
goid.elements = buffer_get_string(m, &len); goid.elements = buffer_get_string(m, &len);
goid.length = len; goid.length = len;
@@ -2198,6 +2225,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe @@ -2200,6 +2227,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
OM_uint32 flags = 0; /* GSI needs this */ OM_uint32 flags = 0; /* GSI needs this */
u_int len; u_int len;
@ -2044,7 +2044,7 @@ diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
in.value = buffer_get_string(m, &len); in.value = buffer_get_string(m, &len);
in.length = len; in.length = len;
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -2215,6 +2245,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe @@ -2217,6 +2247,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@ -2052,7 +2052,7 @@ diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
} }
return (0); return (0);
} }
@@ -2226,6 +2257,9 @@ mm_answer_gss_checkmic(int sock, Buffer @@ -2228,6 +2259,9 @@ mm_answer_gss_checkmic(int sock, Buffer
OM_uint32 ret; OM_uint32 ret;
u_int len; u_int len;
@ -2062,7 +2062,7 @@ diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
gssbuf.value = buffer_get_string(m, &len); gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len; gssbuf.length = len;
mic.value = buffer_get_string(m, &len); mic.value = buffer_get_string(m, &len);
@@ -2252,7 +2286,11 @@ mm_answer_gss_userok(int sock, Buffer *m @@ -2254,7 +2288,11 @@ mm_answer_gss_userok(int sock, Buffer *m
{ {
int authenticated; int authenticated;
@ -2075,7 +2075,7 @@ diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
buffer_clear(m); buffer_clear(m);
buffer_put_int(m, authenticated); buffer_put_int(m, authenticated);
@@ -2265,6 +2303,74 @@ mm_answer_gss_userok(int sock, Buffer *m @@ -2267,6 +2305,74 @@ mm_answer_gss_userok(int sock, Buffer *m
/* Monitor loop will terminate if authenticated */ /* Monitor loop will terminate if authenticated */
return (authenticated); return (authenticated);
} }
@ -2150,22 +2150,22 @@ diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
#endif /* GSSAPI */ #endif /* GSSAPI */
#ifdef JPAKE #ifdef JPAKE
diff -up openssh-6.1p1/monitor.h.gsskex openssh-6.1p1/monitor.h diff -up openssh-6.2p1/monitor.h.gsskex openssh-6.2p1/monitor.h
--- openssh-6.1p1/monitor.h.gsskex 2012-11-30 13:58:08.873298927 +0100 --- openssh-6.2p1/monitor.h.gsskex 2013-03-27 13:19:11.063624587 +0100
+++ openssh-6.1p1/monitor.h 2012-11-30 13:58:08.952298626 +0100 +++ openssh-6.2p1/monitor.h 2013-03-27 13:19:11.146624246 +0100
@@ -56,6 +56,8 @@ enum monitor_reqtype { @@ -64,6 +64,8 @@ enum monitor_reqtype {
MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, #ifdef WITH_SELINUX
MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, MONITOR_REQ_AUTHROLE = 80,
MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC, #endif
+ MONITOR_REQ_GSSSIGN, MONITOR_ANS_GSSSIGN, + MONITOR_REQ_GSSSIGN = 82, MONITOR_ANS_GSSSIGN = 83,
+ MONITOR_REQ_GSSUPCREDS, MONITOR_ANS_GSSUPCREDS, + MONITOR_REQ_GSSUPCREDS = 84, MONITOR_ANS_GSSUPCREDS = 85,
MONITOR_REQ_PAM_START,
MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
diff -up openssh-6.1p1/monitor_wrap.c.gsskex openssh-6.1p1/monitor_wrap.c diff -up openssh-6.2p1/monitor_wrap.c.gsskex openssh-6.2p1/monitor_wrap.c
--- openssh-6.1p1/monitor_wrap.c.gsskex 2012-11-30 13:58:08.873298927 +0100 --- openssh-6.2p1/monitor_wrap.c.gsskex 2013-03-27 13:19:11.064624583 +0100
+++ openssh-6.1p1/monitor_wrap.c 2012-11-30 13:58:08.952298626 +0100 +++ openssh-6.2p1/monitor_wrap.c 2013-03-27 13:19:11.146624246 +0100
@@ -1326,7 +1326,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss @@ -1327,7 +1327,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
} }
int int
@ -2174,7 +2174,7 @@ diff -up openssh-6.1p1/monitor_wrap.c.gsskex openssh-6.1p1/monitor_wrap.c
{ {
Buffer m; Buffer m;
int authenticated = 0; int authenticated = 0;
@@ -1343,6 +1343,51 @@ mm_ssh_gssapi_userok(char *user) @@ -1344,6 +1344,51 @@ mm_ssh_gssapi_userok(char *user)
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
return (authenticated); return (authenticated);
} }
@ -2226,9 +2226,9 @@ diff -up openssh-6.1p1/monitor_wrap.c.gsskex openssh-6.1p1/monitor_wrap.c
#endif /* GSSAPI */ #endif /* GSSAPI */
#ifdef JPAKE #ifdef JPAKE
diff -up openssh-6.1p1/monitor_wrap.h.gsskex openssh-6.1p1/monitor_wrap.h diff -up openssh-6.2p1/monitor_wrap.h.gsskex openssh-6.2p1/monitor_wrap.h
--- openssh-6.1p1/monitor_wrap.h.gsskex 2012-11-30 13:58:08.874298923 +0100 --- openssh-6.2p1/monitor_wrap.h.gsskex 2013-03-27 13:19:11.064624583 +0100
+++ openssh-6.1p1/monitor_wrap.h 2012-11-30 13:58:08.953298623 +0100 +++ openssh-6.2p1/monitor_wrap.h 2013-03-27 13:19:11.146624246 +0100
@@ -62,8 +62,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K @@ -62,8 +62,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@ -2241,9 +2241,9 @@ diff -up openssh-6.1p1/monitor_wrap.h.gsskex openssh-6.1p1/monitor_wrap.h
#endif #endif
#ifdef USE_PAM #ifdef USE_PAM
diff -up openssh-6.1p1/readconf.c.gsskex openssh-6.1p1/readconf.c diff -up openssh-6.2p1/readconf.c.gsskex openssh-6.2p1/readconf.c
--- openssh-6.1p1/readconf.c.gsskex 2011-10-02 09:59:03.000000000 +0200 --- openssh-6.2p1/readconf.c.gsskex 2011-10-02 09:59:03.000000000 +0200
+++ openssh-6.1p1/readconf.c 2012-11-30 13:58:08.953298623 +0100 +++ openssh-6.2p1/readconf.c 2013-03-27 13:19:11.147624242 +0100
@@ -129,6 +129,8 @@ typedef enum { @@ -129,6 +129,8 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost, oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@ -2332,9 +2332,9 @@ diff -up openssh-6.1p1/readconf.c.gsskex openssh-6.1p1/readconf.c
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
diff -up openssh-6.1p1/readconf.h.gsskex openssh-6.1p1/readconf.h diff -up openssh-6.2p1/readconf.h.gsskex openssh-6.2p1/readconf.h
--- openssh-6.1p1/readconf.h.gsskex 2011-10-02 09:59:03.000000000 +0200 --- openssh-6.2p1/readconf.h.gsskex 2011-10-02 09:59:03.000000000 +0200
+++ openssh-6.1p1/readconf.h 2012-11-30 13:58:08.953298623 +0100 +++ openssh-6.2p1/readconf.h 2013-03-27 13:19:11.147624242 +0100
@@ -48,7 +48,12 @@ typedef struct { @@ -48,7 +48,12 @@ typedef struct {
int challenge_response_authentication; int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */ /* Try S/Key or TIS, authentication. */
@ -2348,9 +2348,9 @@ diff -up openssh-6.1p1/readconf.h.gsskex openssh-6.1p1/readconf.h
int password_authentication; /* Try password int password_authentication; /* Try password
* authentication. */ * authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff -up openssh-6.1p1/servconf.c.gsskex openssh-6.1p1/servconf.c diff -up openssh-6.2p1/servconf.c.gsskex openssh-6.2p1/servconf.c
--- openssh-6.1p1/servconf.c.gsskex 2012-11-30 13:58:08.935298693 +0100 --- openssh-6.2p1/servconf.c.gsskex 2013-03-27 13:19:11.128624320 +0100
+++ openssh-6.1p1/servconf.c 2012-11-30 13:58:08.954298621 +0100 +++ openssh-6.2p1/servconf.c 2013-03-27 13:19:11.147624242 +0100
@@ -102,7 +102,10 @@ initialize_server_options(ServerOptions @@ -102,7 +102,10 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1; options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1; options->kerberos_get_afs_token = -1;
@ -2409,7 +2409,7 @@ diff -up openssh-6.1p1/servconf.c.gsskex openssh-6.1p1/servconf.c
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -1046,10 +1067,22 @@ process_server_config_line(ServerOptions @@ -1054,10 +1075,22 @@ process_server_config_line(ServerOptions
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@ -2432,7 +2432,7 @@ diff -up openssh-6.1p1/servconf.c.gsskex openssh-6.1p1/servconf.c
case sPasswordAuthentication: case sPasswordAuthentication:
intptr = &options->password_authentication; intptr = &options->password_authentication;
goto parse_flag; goto parse_flag;
@@ -1929,6 +1962,9 @@ dump_config(ServerOptions *o) @@ -1938,6 +1971,9 @@ dump_config(ServerOptions *o)
#ifdef GSSAPI #ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@ -2442,10 +2442,10 @@ diff -up openssh-6.1p1/servconf.c.gsskex openssh-6.1p1/servconf.c
#endif #endif
#ifdef JPAKE #ifdef JPAKE
dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
diff -up openssh-6.1p1/servconf.h.gsskex openssh-6.1p1/servconf.h diff -up openssh-6.2p1/servconf.h.gsskex openssh-6.2p1/servconf.h
--- openssh-6.1p1/servconf.h.gsskex 2012-11-30 13:58:08.935298693 +0100 --- openssh-6.2p1/servconf.h.gsskex 2013-03-27 13:19:11.128624320 +0100
+++ openssh-6.1p1/servconf.h 2012-11-30 13:58:08.954298621 +0100 +++ openssh-6.2p1/servconf.h 2013-03-27 13:19:11.147624242 +0100
@@ -104,7 +104,10 @@ typedef struct { @@ -110,7 +110,10 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */ * authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */ int gss_authentication; /* If true, permit GSSAPI authentication */
@ -2456,10 +2456,10 @@ diff -up openssh-6.1p1/servconf.h.gsskex openssh-6.1p1/servconf.h
int password_authentication; /* If true, permit password int password_authentication; /* If true, permit password
* authentication. */ * authentication. */
int kbd_interactive_authentication; /* If true, permit */ int kbd_interactive_authentication; /* If true, permit */
diff -up openssh-6.1p1/ssh_config.5.gsskex openssh-6.1p1/ssh_config.5 diff -up openssh-6.2p1/ssh_config.5.gsskex openssh-6.2p1/ssh_config.5
--- openssh-6.1p1/ssh_config.5.gsskex 2012-07-02 10:53:38.000000000 +0200 --- openssh-6.2p1/ssh_config.5.gsskex 2013-01-09 06:12:19.000000000 +0100
+++ openssh-6.1p1/ssh_config.5 2012-11-30 13:58:08.954298621 +0100 +++ openssh-6.2p1/ssh_config.5 2013-03-27 13:19:11.148624238 +0100
@@ -527,11 +527,43 @@ Specifies whether user authentication ba @@ -530,11 +530,43 @@ Specifies whether user authentication ba
The default is The default is
.Dq no . .Dq no .
Note that this option applies to protocol version 2 only. Note that this option applies to protocol version 2 only.
@ -2504,9 +2504,9 @@ diff -up openssh-6.1p1/ssh_config.5.gsskex openssh-6.1p1/ssh_config.5
.It Cm HashKnownHosts .It Cm HashKnownHosts
Indicates that Indicates that
.Xr ssh 1 .Xr ssh 1
diff -up openssh-6.1p1/ssh_config.gsskex openssh-6.1p1/ssh_config diff -up openssh-6.2p1/ssh_config.gsskex openssh-6.2p1/ssh_config
--- openssh-6.1p1/ssh_config.gsskex 2012-11-30 13:58:08.927298724 +0100 --- openssh-6.2p1/ssh_config.gsskex 2013-03-27 13:19:11.120624353 +0100
+++ openssh-6.1p1/ssh_config 2012-11-30 13:58:08.954298621 +0100 +++ openssh-6.2p1/ssh_config 2013-03-27 13:19:11.148624238 +0100
@@ -26,6 +26,8 @@ @@ -26,6 +26,8 @@
# HostbasedAuthentication no # HostbasedAuthentication no
# GSSAPIAuthentication no # GSSAPIAuthentication no
@ -2516,9 +2516,9 @@ diff -up openssh-6.1p1/ssh_config.gsskex openssh-6.1p1/ssh_config
# BatchMode no # BatchMode no
# CheckHostIP yes # CheckHostIP yes
# AddressFamily any # AddressFamily any
diff -up openssh-6.1p1/sshconnect2.c.gsskex openssh-6.1p1/sshconnect2.c diff -up openssh-6.2p1/sshconnect2.c.gsskex openssh-6.2p1/sshconnect2.c
--- openssh-6.1p1/sshconnect2.c.gsskex 2012-11-30 13:58:08.913298775 +0100 --- openssh-6.2p1/sshconnect2.c.gsskex 2013-03-27 13:19:11.104624419 +0100
+++ openssh-6.1p1/sshconnect2.c 2012-11-30 13:58:08.955298617 +0100 +++ openssh-6.2p1/sshconnect2.c 2013-03-27 13:19:11.149624234 +0100
@@ -162,9 +162,34 @@ ssh_kex2(char *host, struct sockaddr *ho @@ -162,9 +162,34 @@ ssh_kex2(char *host, struct sockaddr *ho
{ {
Kex *kex; Kex *kex;
@ -2603,7 +2603,7 @@ diff -up openssh-6.1p1/sshconnect2.c.gsskex openssh-6.1p1/sshconnect2.c
xxx_kex = kex; xxx_kex = kex;
dispatch_run(DISPATCH_BLOCK, &kex->done, kex); dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
@@ -315,6 +371,7 @@ void input_gssapi_token(int type, u_int3 @@ -316,6 +372,7 @@ void input_gssapi_token(int type, u_int3
void input_gssapi_hash(int type, u_int32_t, void *); void input_gssapi_hash(int type, u_int32_t, void *);
void input_gssapi_error(int, u_int32_t, void *); void input_gssapi_error(int, u_int32_t, void *);
void input_gssapi_errtok(int, u_int32_t, void *); void input_gssapi_errtok(int, u_int32_t, void *);
@ -2611,7 +2611,7 @@ diff -up openssh-6.1p1/sshconnect2.c.gsskex openssh-6.1p1/sshconnect2.c
#endif #endif
void userauth(Authctxt *, char *); void userauth(Authctxt *, char *);
@@ -330,6 +387,11 @@ static char *authmethods_get(void); @@ -331,6 +388,11 @@ static char *authmethods_get(void);
Authmethod authmethods[] = { Authmethod authmethods[] = {
#ifdef GSSAPI #ifdef GSSAPI
@ -2623,7 +2623,7 @@ diff -up openssh-6.1p1/sshconnect2.c.gsskex openssh-6.1p1/sshconnect2.c
{"gssapi-with-mic", {"gssapi-with-mic",
userauth_gssapi, userauth_gssapi,
NULL, NULL,
@@ -637,19 +699,31 @@ userauth_gssapi(Authctxt *authctxt) @@ -638,19 +700,31 @@ userauth_gssapi(Authctxt *authctxt)
static u_int mech = 0; static u_int mech = 0;
OM_uint32 min; OM_uint32 min;
int ok = 0; int ok = 0;
@ -2657,7 +2657,7 @@ diff -up openssh-6.1p1/sshconnect2.c.gsskex openssh-6.1p1/sshconnect2.c
ok = 1; /* Mechanism works */ ok = 1; /* Mechanism works */
} else { } else {
mech++; mech++;
@@ -746,8 +820,8 @@ input_gssapi_response(int type, u_int32_ @@ -747,8 +821,8 @@ input_gssapi_response(int type, u_int32_
{ {
Authctxt *authctxt = ctxt; Authctxt *authctxt = ctxt;
Gssctxt *gssctxt; Gssctxt *gssctxt;
@ -2668,7 +2668,7 @@ diff -up openssh-6.1p1/sshconnect2.c.gsskex openssh-6.1p1/sshconnect2.c
if (authctxt == NULL) if (authctxt == NULL)
fatal("input_gssapi_response: no authentication context"); fatal("input_gssapi_response: no authentication context");
@@ -857,6 +931,48 @@ input_gssapi_error(int type, u_int32_t p @@ -858,6 +932,48 @@ input_gssapi_error(int type, u_int32_t p
xfree(msg); xfree(msg);
xfree(lang); xfree(lang);
} }
@ -2717,9 +2717,9 @@ diff -up openssh-6.1p1/sshconnect2.c.gsskex openssh-6.1p1/sshconnect2.c
#endif /* GSSAPI */ #endif /* GSSAPI */
int int
diff -up openssh-6.1p1/sshd.c.gsskex openssh-6.1p1/sshd.c diff -up openssh-6.2p1/sshd.c.gsskex openssh-6.2p1/sshd.c
--- openssh-6.1p1/sshd.c.gsskex 2012-11-30 13:58:08.940298674 +0100 --- openssh-6.2p1/sshd.c.gsskex 2013-03-27 13:19:11.133624300 +0100
+++ openssh-6.1p1/sshd.c 2012-11-30 13:58:08.955298617 +0100 +++ openssh-6.2p1/sshd.c 2013-03-27 13:19:11.149624234 +0100
@@ -124,6 +124,10 @@ @@ -124,6 +124,10 @@
#include "ssh-sandbox.h" #include "ssh-sandbox.h"
#include "version.h" #include "version.h"
@ -2731,7 +2731,7 @@ diff -up openssh-6.1p1/sshd.c.gsskex openssh-6.1p1/sshd.c
#ifdef LIBWRAP #ifdef LIBWRAP
#include <tcpd.h> #include <tcpd.h>
#include <syslog.h> #include <syslog.h>
@@ -1723,10 +1727,13 @@ main(int ac, char **av) @@ -1733,10 +1737,13 @@ main(int ac, char **av)
logit("Disabling protocol version 1. Could not load host key"); logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1; options.protocol &= ~SSH_PROTO_1;
} }
@ -2745,7 +2745,7 @@ diff -up openssh-6.1p1/sshd.c.gsskex openssh-6.1p1/sshd.c
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
logit("sshd: no hostkeys available -- exiting."); logit("sshd: no hostkeys available -- exiting.");
exit(1); exit(1);
@@ -2058,6 +2065,60 @@ main(int ac, char **av) @@ -2068,6 +2075,60 @@ main(int ac, char **av)
/* Log the connection. */ /* Log the connection. */
verbose("Connection from %.500s port %d", remote_ip, remote_port); verbose("Connection from %.500s port %d", remote_ip, remote_port);
@ -2806,7 +2806,7 @@ diff -up openssh-6.1p1/sshd.c.gsskex openssh-6.1p1/sshd.c
/* /*
* We don't want to listen forever unless the other side * We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is * successfully authenticates itself. So we set up an alarm which is
@@ -2456,6 +2517,48 @@ do_ssh2_kex(void) @@ -2466,6 +2527,48 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
@ -2855,7 +2855,7 @@ diff -up openssh-6.1p1/sshd.c.gsskex openssh-6.1p1/sshd.c
/* start key exchange */ /* start key exchange */
kex = kex_setup(myproposal); kex = kex_setup(myproposal);
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
@@ -2463,6 +2566,13 @@ do_ssh2_kex(void) @@ -2473,6 +2576,13 @@ do_ssh2_kex(void)
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server; kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@ -2869,10 +2869,10 @@ diff -up openssh-6.1p1/sshd.c.gsskex openssh-6.1p1/sshd.c
kex->server = 1; kex->server = 1;
kex->client_version_string=client_version_string; kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string; kex->server_version_string=server_version_string;
diff -up openssh-6.1p1/sshd_config.5.gsskex openssh-6.1p1/sshd_config.5 diff -up openssh-6.2p1/sshd_config.5.gsskex openssh-6.2p1/sshd_config.5
--- openssh-6.1p1/sshd_config.5.gsskex 2012-11-30 13:58:08.935298693 +0100 --- openssh-6.2p1/sshd_config.5.gsskex 2013-03-27 13:19:11.129624316 +0100
+++ openssh-6.1p1/sshd_config.5 2012-11-30 13:58:08.956298613 +0100 +++ openssh-6.2p1/sshd_config.5 2013-03-27 13:19:11.150624230 +0100
@@ -462,12 +462,40 @@ Specifies whether user authentication ba @@ -481,12 +481,40 @@ Specifies whether user authentication ba
The default is The default is
.Dq no . .Dq no .
Note that this option applies to protocol version 2 only. Note that this option applies to protocol version 2 only.
@ -2913,9 +2913,9 @@ diff -up openssh-6.1p1/sshd_config.5.gsskex openssh-6.1p1/sshd_config.5
.It Cm HostbasedAuthentication .It Cm HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed with successful public key client host authentication is allowed
diff -up openssh-6.1p1/sshd_config.gsskex openssh-6.1p1/sshd_config diff -up openssh-6.2p1/sshd_config.gsskex openssh-6.2p1/sshd_config
--- openssh-6.1p1/sshd_config.gsskex 2012-11-30 13:58:08.940298674 +0100 --- openssh-6.2p1/sshd_config.gsskex 2013-03-27 13:19:11.133624300 +0100
+++ openssh-6.1p1/sshd_config 2012-11-30 13:58:08.956298613 +0100 +++ openssh-6.2p1/sshd_config 2013-03-27 13:19:11.150624230 +0100
@@ -89,6 +89,8 @@ ChallengeResponseAuthentication no @@ -89,6 +89,8 @@ ChallengeResponseAuthentication no
GSSAPIAuthentication yes GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes #GSSAPICleanupCredentials yes
@ -2925,9 +2925,9 @@ diff -up openssh-6.1p1/sshd_config.gsskex openssh-6.1p1/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
diff -up openssh-6.1p1/ssh-gss.h.gsskex openssh-6.1p1/ssh-gss.h diff -up openssh-6.2p1/ssh-gss.h.gsskex openssh-6.2p1/ssh-gss.h
--- openssh-6.1p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200 --- openssh-6.2p1/ssh-gss.h.gsskex 2013-02-25 01:24:44.000000000 +0100
+++ openssh-6.1p1/ssh-gss.h 2012-11-30 13:58:08.956298613 +0100 +++ openssh-6.2p1/ssh-gss.h 2013-03-27 13:19:11.150624230 +0100
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
/* /*
@ -2936,7 +2936,7 @@ diff -up openssh-6.1p1/ssh-gss.h.gsskex openssh-6.1p1/ssh-gss.h
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@@ -60,10 +60,22 @@ @@ -61,10 +61,22 @@
#define SSH_GSS_OIDTYPE 0x06 #define SSH_GSS_OIDTYPE 0x06
@ -2959,7 +2959,7 @@ diff -up openssh-6.1p1/ssh-gss.h.gsskex openssh-6.1p1/ssh-gss.h
void *data; void *data;
} ssh_gssapi_ccache; } ssh_gssapi_ccache;
@@ -71,8 +83,11 @@ typedef struct { @@ -72,8 +84,11 @@ typedef struct {
gss_buffer_desc displayname; gss_buffer_desc displayname;
gss_buffer_desc exportedname; gss_buffer_desc exportedname;
gss_cred_id_t creds; gss_cred_id_t creds;
@ -2971,7 +2971,7 @@ diff -up openssh-6.1p1/ssh-gss.h.gsskex openssh-6.1p1/ssh-gss.h
} ssh_gssapi_client; } ssh_gssapi_client;
typedef struct ssh_gssapi_mech_struct { typedef struct ssh_gssapi_mech_struct {
@@ -83,6 +98,7 @@ typedef struct ssh_gssapi_mech_struct { @@ -84,6 +99,7 @@ typedef struct ssh_gssapi_mech_struct {
int (*userok) (ssh_gssapi_client *, char *); int (*userok) (ssh_gssapi_client *, char *);
int (*localname) (ssh_gssapi_client *, char **); int (*localname) (ssh_gssapi_client *, char **);
void (*storecreds) (ssh_gssapi_client *); void (*storecreds) (ssh_gssapi_client *);
@ -2979,7 +2979,7 @@ diff -up openssh-6.1p1/ssh-gss.h.gsskex openssh-6.1p1/ssh-gss.h
} ssh_gssapi_mech; } ssh_gssapi_mech;
typedef struct { typedef struct {
@@ -93,10 +109,11 @@ typedef struct { @@ -94,10 +110,11 @@ typedef struct {
gss_OID oid; /* client */ gss_OID oid; /* client */
gss_cred_id_t creds; /* server */ gss_cred_id_t creds; /* server */
gss_name_t client; /* server */ gss_name_t client; /* server */
@ -2992,7 +2992,7 @@ diff -up openssh-6.1p1/ssh-gss.h.gsskex openssh-6.1p1/ssh-gss.h
int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
@@ -116,16 +133,30 @@ void ssh_gssapi_build_ctx(Gssctxt **); @@ -117,16 +134,30 @@ void ssh_gssapi_build_ctx(Gssctxt **);
void ssh_gssapi_delete_ctx(Gssctxt **); void ssh_gssapi_delete_ctx(Gssctxt **);
OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);


@ -1,7 +1,7 @@
diff -up openssh-6.1p1/auth2-pubkey.c.keycat openssh-6.1p1/auth2-pubkey.c diff -up openssh-6.2p1/auth2-pubkey.c.keycat openssh-6.2p1/auth2-pubkey.c
--- openssh-6.1p1/auth2-pubkey.c.keycat 2013-02-14 17:39:21.000000000 +0100 --- openssh-6.2p1/auth2-pubkey.c.keycat 2013-03-25 21:34:17.779978851 +0100
+++ openssh-6.1p1/auth2-pubkey.c 2013-02-14 17:40:42.600050510 +0100 +++ openssh-6.2p1/auth2-pubkey.c 2013-03-25 21:34:17.798978973 +0100
@@ -571,6 +571,14 @@ user_key_command_allowed2(struct passwd @@ -573,6 +573,14 @@ user_key_command_allowed2(struct passwd
_exit(1); _exit(1);
} }
@ -16,9 +16,9 @@ diff -up openssh-6.1p1/auth2-pubkey.c.keycat openssh-6.1p1/auth2-pubkey.c
execl(options.authorized_keys_command, execl(options.authorized_keys_command,
options.authorized_keys_command, user_pw->pw_name, NULL); options.authorized_keys_command, user_pw->pw_name, NULL);
diff -up openssh-6.1p1/HOWTO.ssh-keycat.keycat openssh-6.1p1/HOWTO.ssh-keycat diff -up openssh-6.2p1/HOWTO.ssh-keycat.keycat openssh-6.2p1/HOWTO.ssh-keycat
--- openssh-6.1p1/HOWTO.ssh-keycat.keycat 2013-02-14 17:39:21.148382013 +0100 --- openssh-6.2p1/HOWTO.ssh-keycat.keycat 2013-03-25 21:34:17.798978973 +0100
+++ openssh-6.1p1/HOWTO.ssh-keycat 2013-02-14 17:39:21.148382013 +0100 +++ openssh-6.2p1/HOWTO.ssh-keycat 2013-03-25 21:34:17.798978973 +0100
@@ -0,0 +1,12 @@ @@ -0,0 +1,12 @@
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys +The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
+of an user in any environment. This includes environments with +of an user in any environment. This includes environments with
@ -32,9 +32,9 @@ diff -up openssh-6.1p1/HOWTO.ssh-keycat.keycat openssh-6.1p1/HOWTO.ssh-keycat
+ PubkeyAuthentication yes + PubkeyAuthentication yes
+ +
+ +
diff -up openssh-6.1p1/Makefile.in.keycat openssh-6.1p1/Makefile.in diff -up openssh-6.2p1/Makefile.in.keycat openssh-6.2p1/Makefile.in
--- openssh-6.1p1/Makefile.in.keycat 2013-02-14 17:39:21.143382033 +0100 --- openssh-6.2p1/Makefile.in.keycat 2013-03-25 21:34:17.793978941 +0100
+++ openssh-6.1p1/Makefile.in 2013-02-14 17:39:21.148382013 +0100 +++ openssh-6.2p1/Makefile.in 2013-03-25 21:35:48.282559562 +0100
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server @@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
@ -43,16 +43,16 @@ diff -up openssh-6.1p1/Makefile.in.keycat openssh-6.1p1/Makefile.in
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
PRIVSEP_PATH=@PRIVSEP_PATH@ PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -62,7 +63,7 @@ EXEEXT=@EXEEXT@ @@ -64,7 +65,7 @@ EXEEXT=@EXEEXT@
MANFMT=@MANFMT@ MANFMT=@MANFMT@
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ canohost.o channels.o cipher.o cipher-aes.o \
@@ -168,6 +169,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) @@ -170,6 +171,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
@ -62,7 +62,7 @@ diff -up openssh-6.1p1/Makefile.in.keycat openssh-6.1p1/Makefile.in
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -267,6 +271,7 @@ install-files: @@ -276,6 +280,7 @@ install-files:
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
fi fi
@ -70,9 +70,9 @@ diff -up openssh-6.1p1/Makefile.in.keycat openssh-6.1p1/Makefile.in
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff -up openssh-6.1p1/openbsd-compat/port-linux.c.keycat openssh-6.1p1/openbsd-compat/port-linux.c diff -up openssh-6.2p1/openbsd-compat/port-linux.c.keycat openssh-6.2p1/openbsd-compat/port-linux.c
--- openssh-6.1p1/openbsd-compat/port-linux.c.keycat 2013-02-14 17:39:21.126382101 +0100 --- openssh-6.2p1/openbsd-compat/port-linux.c.keycat 2013-03-25 21:34:17.785978890 +0100
+++ openssh-6.1p1/openbsd-compat/port-linux.c 2013-02-14 17:39:21.149382009 +0100 +++ openssh-6.2p1/openbsd-compat/port-linux.c 2013-03-25 21:34:17.800978986 +0100
@@ -315,7 +315,7 @@ ssh_selinux_getctxbyname(char *pwname, @@ -315,7 +315,7 @@ ssh_selinux_getctxbyname(char *pwname,
/* Setup environment variables for pam_selinux */ /* Setup environment variables for pam_selinux */
@ -127,9 +127,9 @@ diff -up openssh-6.1p1/openbsd-compat/port-linux.c.keycat openssh-6.1p1/openbsd-
/* Set the execution context to the default for the specified user */ /* Set the execution context to the default for the specified user */
void void
ssh_selinux_setup_exec_context(char *pwname) ssh_selinux_setup_exec_context(char *pwname)
diff -up openssh-6.1p1/ssh-keycat.c.keycat openssh-6.1p1/ssh-keycat.c diff -up openssh-6.2p1/ssh-keycat.c.keycat openssh-6.2p1/ssh-keycat.c
--- openssh-6.1p1/ssh-keycat.c.keycat 2013-02-14 17:39:21.149382009 +0100 --- openssh-6.2p1/ssh-keycat.c.keycat 2013-03-25 21:34:17.800978986 +0100
+++ openssh-6.1p1/ssh-keycat.c 2013-02-14 17:39:21.149382009 +0100 +++ openssh-6.2p1/ssh-keycat.c 2013-03-25 21:34:17.800978986 +0100
@@ -0,0 +1,238 @@ @@ -0,0 +1,238 @@
+/* +/*
+ * Redistribution and use in source and binary forms, with or without + * Redistribution and use in source and binary forms, with or without


@ -1,6 +1,6 @@
diff -up openssh-6.1p1/auth-krb5.c.kuserok openssh-6.1p1/auth-krb5.c diff -up openssh-6.2p1/auth-krb5.c.kuserok openssh-6.2p1/auth-krb5.c
--- openssh-6.1p1/auth-krb5.c.kuserok 2012-09-14 21:08:16.941496194 +0200 --- openssh-6.2p1/auth-krb5.c.kuserok 2013-03-25 20:06:51.295558062 +0100
+++ openssh-6.1p1/auth-krb5.c 2012-09-14 21:08:17.063496896 +0200 +++ openssh-6.2p1/auth-krb5.c 2013-03-25 20:06:51.318558207 +0100
@@ -55,6 +55,20 @@ @@ -55,6 +55,20 @@
extern ServerOptions options; extern ServerOptions options;
@ -31,9 +31,9 @@ diff -up openssh-6.1p1/auth-krb5.c.kuserok openssh-6.1p1/auth-krb5.c
problem = -1; problem = -1;
goto out; goto out;
} }
diff -up openssh-6.1p1/gss-serv-krb5.c.kuserok openssh-6.1p1/gss-serv-krb5.c diff -up openssh-6.2p1/gss-serv-krb5.c.kuserok openssh-6.2p1/gss-serv-krb5.c
--- openssh-6.1p1/gss-serv-krb5.c.kuserok 2012-09-14 21:08:17.019496642 +0200 --- openssh-6.2p1/gss-serv-krb5.c.kuserok 2013-03-25 20:06:51.311558163 +0100
+++ openssh-6.1p1/gss-serv-krb5.c 2012-09-14 21:08:17.065496906 +0200 +++ openssh-6.2p1/gss-serv-krb5.c 2013-03-25 20:06:51.319558214 +0100
@@ -68,6 +68,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr @@ -68,6 +68,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
int); int);
@ -51,10 +51,10 @@ diff -up openssh-6.1p1/gss-serv-krb5.c.kuserok openssh-6.1p1/gss-serv-krb5.c
retval = 1; retval = 1;
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
luser, (char *)client->displayname.value); luser, (char *)client->displayname.value);
diff -up openssh-6.1p1/servconf.c.kuserok openssh-6.1p1/servconf.c diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c
--- openssh-6.1p1/servconf.c.kuserok 2012-09-14 21:08:16.989496471 +0200 --- openssh-6.2p1/servconf.c.kuserok 2013-03-25 20:06:51.305558125 +0100
+++ openssh-6.1p1/servconf.c 2012-09-14 21:09:30.864868698 +0200 +++ openssh-6.2p1/servconf.c 2013-03-25 20:06:51.319558214 +0100
@@ -152,6 +152,7 @@ initialize_server_options(ServerOptions @@ -150,6 +150,7 @@ initialize_server_options(ServerOptions
options->ip_qos_interactive = -1; options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1; options->ip_qos_bulk = -1;
options->version_addendum = NULL; options->version_addendum = NULL;
@ -62,7 +62,7 @@ diff -up openssh-6.1p1/servconf.c.kuserok openssh-6.1p1/servconf.c
} }
void void
@@ -301,6 +302,8 @@ fill_default_server_options(ServerOption @@ -299,6 +300,8 @@ fill_default_server_options(ServerOption
options->version_addendum = xstrdup(""); options->version_addendum = xstrdup("");
if (options->show_patchlevel == -1) if (options->show_patchlevel == -1)
options->show_patchlevel = 0; options->show_patchlevel = 0;
@ -71,7 +71,7 @@ diff -up openssh-6.1p1/servconf.c.kuserok openssh-6.1p1/servconf.c
/* Turn privilege separation on by default */ /* Turn privilege separation on by default */
if (use_privsep == -1) if (use_privsep == -1)
@@ -327,7 +330,7 @@ typedef enum { @@ -325,7 +328,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel, sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@ -80,7 +80,7 @@ diff -up openssh-6.1p1/servconf.c.kuserok openssh-6.1p1/servconf.c
sKerberosTgtPassing, sChallengeResponseAuthentication, sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily, sListenAddress, sAddressFamily,
@@ -399,11 +402,13 @@ static struct { @@ -397,11 +400,13 @@ static struct {
#else #else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif #endif
@ -94,7 +94,7 @@ diff -up openssh-6.1p1/servconf.c.kuserok openssh-6.1p1/servconf.c
#endif #endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1486,6 +1491,10 @@ process_server_config_line(ServerOptions @@ -1460,6 +1465,10 @@ process_server_config_line(ServerOptions
*activep = value; *activep = value;
break; break;
@ -105,7 +105,7 @@ diff -up openssh-6.1p1/servconf.c.kuserok openssh-6.1p1/servconf.c
case sPermitOpen: case sPermitOpen:
arg = strdelim(&cp); arg = strdelim(&cp);
if (!arg || *arg == '\0') if (!arg || *arg == '\0')
@@ -1769,6 +1778,7 @@ copy_set_server_options(ServerOptions *d @@ -1761,6 +1770,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(max_authtries); M_CP_INTOPT(max_authtries);
M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk); M_CP_INTOPT(ip_qos_bulk);
@ -113,7 +113,7 @@ diff -up openssh-6.1p1/servconf.c.kuserok openssh-6.1p1/servconf.c
/* See comment in servconf.h */ /* See comment in servconf.h */
COPY_MATCH_STRING_OPTS(); COPY_MATCH_STRING_OPTS();
@@ -2005,6 +2015,7 @@ dump_config(ServerOptions *o) @@ -1999,6 +2009,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
@ -121,10 +121,10 @@ diff -up openssh-6.1p1/servconf.c.kuserok openssh-6.1p1/servconf.c
/* string arguments */ /* string arguments */
dump_cfg_string(sPidFile, o->pid_file); dump_cfg_string(sPidFile, o->pid_file);
diff -up openssh-6.1p1/servconf.h.kuserok openssh-6.1p1/servconf.h diff -up openssh-6.2p1/servconf.h.kuserok openssh-6.2p1/servconf.h
--- openssh-6.1p1/servconf.h.kuserok 2012-09-14 21:08:16.990496476 +0200 --- openssh-6.2p1/servconf.h.kuserok 2013-03-25 20:06:51.305558125 +0100
+++ openssh-6.1p1/servconf.h 2012-09-14 21:08:17.071496942 +0200 +++ openssh-6.2p1/servconf.h 2013-03-25 20:06:51.320558220 +0100
@@ -169,6 +169,7 @@ typedef struct { @@ -173,6 +173,7 @@ typedef struct {
int num_permitted_opens; int num_permitted_opens;
@ -132,10 +132,10 @@ diff -up openssh-6.1p1/servconf.h.kuserok openssh-6.1p1/servconf.h
char *chroot_directory; char *chroot_directory;
char *revoked_keys_file; char *revoked_keys_file;
char *trusted_user_ca_keys; char *trusted_user_ca_keys;
diff -up openssh-6.1p1/sshd_config.kuserok openssh-6.1p1/sshd_config diff -up openssh-6.2p1/sshd_config.kuserok openssh-6.2p1/sshd_config
--- openssh-6.1p1/sshd_config.kuserok 2012-09-14 21:08:17.002496545 +0200 --- openssh-6.2p1/sshd_config.kuserok 2013-03-25 20:06:51.308558144 +0100
+++ openssh-6.1p1/sshd_config 2012-09-14 21:08:17.074496957 +0200 +++ openssh-6.2p1/sshd_config 2013-03-25 20:06:51.320558220 +0100
@@ -79,6 +79,7 @@ ChallengeResponseAuthentication no @@ -83,6 +83,7 @@ ChallengeResponseAuthentication no
#KerberosOrLocalPasswd yes #KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes #KerberosTicketCleanup yes
#KerberosGetAFSToken no #KerberosGetAFSToken no
@ -143,10 +143,10 @@ diff -up openssh-6.1p1/sshd_config.kuserok openssh-6.1p1/sshd_config
# GSSAPI options # GSSAPI options
#GSSAPIAuthentication no #GSSAPIAuthentication no
diff -up openssh-6.1p1/sshd_config.5.kuserok openssh-6.1p1/sshd_config.5 diff -up openssh-6.2p1/sshd_config.5.kuserok openssh-6.2p1/sshd_config.5
--- openssh-6.1p1/sshd_config.5.kuserok 2012-09-14 21:08:17.004496556 +0200 --- openssh-6.2p1/sshd_config.5.kuserok 2013-03-25 20:06:51.308558144 +0100
+++ openssh-6.1p1/sshd_config.5 2012-09-14 21:08:17.073496952 +0200 +++ openssh-6.2p1/sshd_config.5 2013-03-25 20:08:34.249207272 +0100
@@ -618,6 +618,10 @@ Specifies whether to automatically destr @@ -660,6 +660,10 @@ Specifies whether to automatically destr
file on logout. file on logout.
The default is The default is
.Dq yes . .Dq yes .
@ -157,11 +157,11 @@ diff -up openssh-6.1p1/sshd_config.5.kuserok openssh-6.1p1/sshd_config.5
.It Cm KexAlgorithms .It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated. Multiple algorithms must be comma-separated.
@@ -767,6 +771,7 @@ Available keywords are @@ -819,6 +823,7 @@ Available keywords are
.Cm HostbasedUsesNameFromPacketOnly , .Cm HostbasedUsesNameFromPacketOnly ,
.Cm KbdInteractiveAuthentication , .Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication , .Cm KerberosAuthentication ,
+.Cm KerberosUseKuserok , +.Cm KerberosUseKuserok ,
.Cm MaxAuthTries , .Cm MaxAuthTries ,
.Cm MaxSessions , .Cm MaxSessions ,
.Cm PubkeyAuthentication , .Cm PasswordAuthentication ,


@ -1,7 +1,7 @@
diff -up openssh-6.1p1/configure.ac.ldap openssh-6.1p1/configure.ac diff -up openssh-6.2p1/configure.ac.ldap openssh-6.2p1/configure.ac
--- openssh-6.1p1/configure.ac.ldap 2012-07-06 03:49:29.000000000 +0200 --- openssh-6.2p1/configure.ac.ldap 2013-03-20 02:55:15.000000000 +0100
+++ openssh-6.1p1/configure.ac 2012-11-01 13:35:14.830280116 +0100 +++ openssh-6.2p1/configure.ac 2013-03-25 21:27:15.888248071 +0100
@@ -1512,6 +1512,106 @@ AC_ARG_WITH([audit], @@ -1509,6 +1509,106 @@ AC_ARG_WITH([audit],
esac ] esac ]
) )
@ -108,9 +108,9 @@ diff -up openssh-6.1p1/configure.ac.ldap openssh-6.1p1/configure.ac
dnl Checks for library functions. Please keep in alphabetical order dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS([ \ AC_CHECK_FUNCS([ \
arc4random \ arc4random \
diff -up openssh-6.1p1/HOWTO.ldap-keys.ldap openssh-6.1p1/HOWTO.ldap-keys diff -up openssh-6.2p1/HOWTO.ldap-keys.ldap openssh-6.2p1/HOWTO.ldap-keys
--- openssh-6.1p1/HOWTO.ldap-keys.ldap 2012-11-01 12:57:17.915280385 +0100 --- openssh-6.2p1/HOWTO.ldap-keys.ldap 2013-03-25 21:27:15.889248078 +0100
+++ openssh-6.1p1/HOWTO.ldap-keys 2012-11-01 12:57:17.915280385 +0100 +++ openssh-6.2p1/HOWTO.ldap-keys 2013-03-25 21:27:15.889248078 +0100
@@ -0,0 +1,108 @@ @@ -0,0 +1,108 @@
+ +
+HOW TO START +HOW TO START
@ -220,9 +220,9 @@ diff -up openssh-6.1p1/HOWTO.ldap-keys.ldap openssh-6.1p1/HOWTO.ldap-keys
+5) Author +5) Author
+ Jan F. Chadima <jchadima@redhat.com> + Jan F. Chadima <jchadima@redhat.com>
+ +
diff -up openssh-6.1p1/ldapbody.c.ldap openssh-6.1p1/ldapbody.c diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c
--- openssh-6.1p1/ldapbody.c.ldap 2012-11-01 12:57:17.916280385 +0100 --- openssh-6.2p1/ldapbody.c.ldap 2013-03-25 21:27:15.889248078 +0100
+++ openssh-6.1p1/ldapbody.c 2012-11-01 12:57:17.916280385 +0100 +++ openssh-6.2p1/ldapbody.c 2013-03-25 21:27:15.889248078 +0100
@@ -0,0 +1,494 @@ @@ -0,0 +1,494 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -718,9 +718,9 @@ diff -up openssh-6.1p1/ldapbody.c.ldap openssh-6.1p1/ldapbody.c
+ return; + return;
+} +}
+ +
diff -up openssh-6.1p1/ldapbody.h.ldap openssh-6.1p1/ldapbody.h diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
--- openssh-6.1p1/ldapbody.h.ldap 2012-11-01 12:57:17.916280385 +0100 --- openssh-6.2p1/ldapbody.h.ldap 2013-03-25 21:27:15.889248078 +0100
+++ openssh-6.1p1/ldapbody.h 2012-11-01 12:57:17.916280385 +0100 +++ openssh-6.2p1/ldapbody.h 2013-03-25 21:27:15.889248078 +0100
@@ -0,0 +1,37 @@ @@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -759,9 +759,9 @@ diff -up openssh-6.1p1/ldapbody.h.ldap openssh-6.1p1/ldapbody.h
+ +
+#endif /* LDAPBODY_H */ +#endif /* LDAPBODY_H */
+ +
diff -up openssh-6.1p1/ldapconf.c.ldap openssh-6.1p1/ldapconf.c diff -up openssh-6.2p1/ldapconf.c.ldap openssh-6.2p1/ldapconf.c
--- openssh-6.1p1/ldapconf.c.ldap 2012-11-01 12:57:17.917280385 +0100 --- openssh-6.2p1/ldapconf.c.ldap 2013-03-25 21:27:15.890248084 +0100
+++ openssh-6.1p1/ldapconf.c 2012-11-01 12:57:17.917280385 +0100 +++ openssh-6.2p1/ldapconf.c 2013-03-25 21:27:15.890248084 +0100
@@ -0,0 +1,682 @@ @@ -0,0 +1,682 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1445,9 +1445,9 @@ diff -up openssh-6.1p1/ldapconf.c.ldap openssh-6.1p1/ldapconf.c
+ dump_cfg_string(lSSH_Filter, options.ssh_filter); + dump_cfg_string(lSSH_Filter, options.ssh_filter);
+} +}
+ +
diff -up openssh-6.1p1/ldapconf.h.ldap openssh-6.1p1/ldapconf.h diff -up openssh-6.2p1/ldapconf.h.ldap openssh-6.2p1/ldapconf.h
--- openssh-6.1p1/ldapconf.h.ldap 2012-11-01 12:57:17.918280385 +0100 --- openssh-6.2p1/ldapconf.h.ldap 2013-03-25 21:27:15.891248091 +0100
+++ openssh-6.1p1/ldapconf.h 2012-11-01 12:57:17.918280385 +0100 +++ openssh-6.2p1/ldapconf.h 2013-03-25 21:27:15.891248091 +0100
@@ -0,0 +1,71 @@ @@ -0,0 +1,71 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1520,9 +1520,9 @@ diff -up openssh-6.1p1/ldapconf.h.ldap openssh-6.1p1/ldapconf.h
+void dump_config(void); +void dump_config(void);
+ +
+#endif /* LDAPCONF_H */ +#endif /* LDAPCONF_H */
diff -up openssh-6.1p1/ldap.conf.ldap openssh-6.1p1/ldap.conf diff -up openssh-6.2p1/ldap.conf.ldap openssh-6.2p1/ldap.conf
--- openssh-6.1p1/ldap.conf.ldap 2012-11-01 12:57:17.918280385 +0100 --- openssh-6.2p1/ldap.conf.ldap 2013-03-25 21:27:15.891248091 +0100
+++ openssh-6.1p1/ldap.conf 2012-11-01 12:57:17.918280385 +0100 +++ openssh-6.2p1/ldap.conf 2013-03-25 21:27:15.891248091 +0100
@@ -0,0 +1,88 @@ @@ -0,0 +1,88 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+# +#
@ -1612,9 +1612,9 @@ diff -up openssh-6.1p1/ldap.conf.ldap openssh-6.1p1/ldap.conf
+#tls_cert +#tls_cert
+#tls_key +#tls_key
+ +
diff -up openssh-6.1p1/ldap-helper.c.ldap openssh-6.1p1/ldap-helper.c diff -up openssh-6.2p1/ldap-helper.c.ldap openssh-6.2p1/ldap-helper.c
--- openssh-6.1p1/ldap-helper.c.ldap 2012-11-01 12:57:17.919280385 +0100 --- openssh-6.2p1/ldap-helper.c.ldap 2013-03-25 21:27:15.892248097 +0100
+++ openssh-6.1p1/ldap-helper.c 2012-11-01 12:57:17.919280385 +0100 +++ openssh-6.2p1/ldap-helper.c 2013-03-25 21:27:15.892248097 +0100
@@ -0,0 +1,155 @@ @@ -0,0 +1,155 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1771,9 +1771,9 @@ diff -up openssh-6.1p1/ldap-helper.c.ldap openssh-6.1p1/ldap-helper.c
+void *buffer_get_string(Buffer *b, u_int *l) { return NULL; } +void *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
+void buffer_put_string(Buffer *b, const void *f, u_int l) {} +void buffer_put_string(Buffer *b, const void *f, u_int l) {}
+ +
diff -up openssh-6.1p1/ldap-helper.h.ldap openssh-6.1p1/ldap-helper.h diff -up openssh-6.2p1/ldap-helper.h.ldap openssh-6.2p1/ldap-helper.h
--- openssh-6.1p1/ldap-helper.h.ldap 2012-11-01 12:57:17.919280385 +0100 --- openssh-6.2p1/ldap-helper.h.ldap 2013-03-25 21:27:15.892248097 +0100
+++ openssh-6.1p1/ldap-helper.h 2012-11-01 12:57:17.919280385 +0100 +++ openssh-6.2p1/ldap-helper.h 2013-03-25 21:27:15.892248097 +0100
@@ -0,0 +1,32 @@ @@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1807,9 +1807,9 @@ diff -up openssh-6.1p1/ldap-helper.h.ldap openssh-6.1p1/ldap-helper.h
+extern int config_warning_config_file; +extern int config_warning_config_file;
+ +
+#endif /* LDAP_HELPER_H */ +#endif /* LDAP_HELPER_H */
diff -up openssh-6.1p1/ldapincludes.h.ldap openssh-6.1p1/ldapincludes.h diff -up openssh-6.2p1/ldapincludes.h.ldap openssh-6.2p1/ldapincludes.h
--- openssh-6.1p1/ldapincludes.h.ldap 2012-11-01 12:57:17.920280385 +0100 --- openssh-6.2p1/ldapincludes.h.ldap 2013-03-25 21:27:15.892248097 +0100
+++ openssh-6.1p1/ldapincludes.h 2012-11-01 12:57:17.920280385 +0100 +++ openssh-6.2p1/ldapincludes.h 2013-03-25 21:27:15.892248097 +0100
@@ -0,0 +1,41 @@ @@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1852,9 +1852,9 @@ diff -up openssh-6.1p1/ldapincludes.h.ldap openssh-6.1p1/ldapincludes.h
+#endif +#endif
+ +
+#endif /* LDAPINCLUDES_H */ +#endif /* LDAPINCLUDES_H */
diff -up openssh-6.1p1/ldapmisc.c.ldap openssh-6.1p1/ldapmisc.c diff -up openssh-6.2p1/ldapmisc.c.ldap openssh-6.2p1/ldapmisc.c
--- openssh-6.1p1/ldapmisc.c.ldap 2012-11-01 12:57:17.920280385 +0100 --- openssh-6.2p1/ldapmisc.c.ldap 2013-03-25 21:27:15.893248104 +0100
+++ openssh-6.1p1/ldapmisc.c 2012-11-01 12:57:17.920280385 +0100 +++ openssh-6.2p1/ldapmisc.c 2013-03-25 21:27:15.893248104 +0100
@@ -0,0 +1,79 @@ @@ -0,0 +1,79 @@
+ +
+#include "ldapincludes.h" +#include "ldapincludes.h"
@ -1935,9 +1935,9 @@ diff -up openssh-6.1p1/ldapmisc.c.ldap openssh-6.1p1/ldapmisc.c
+} +}
+#endif +#endif
+ +
diff -up openssh-6.1p1/ldapmisc.h.ldap openssh-6.1p1/ldapmisc.h diff -up openssh-6.2p1/ldapmisc.h.ldap openssh-6.2p1/ldapmisc.h
--- openssh-6.1p1/ldapmisc.h.ldap 2012-11-01 12:57:17.921280385 +0100 --- openssh-6.2p1/ldapmisc.h.ldap 2013-03-25 21:27:15.893248104 +0100
+++ openssh-6.1p1/ldapmisc.h 2012-11-01 12:57:17.921280385 +0100 +++ openssh-6.2p1/ldapmisc.h 2013-03-25 21:27:15.893248104 +0100
@@ -0,0 +1,35 @@ @@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1974,9 +1974,9 @@ diff -up openssh-6.1p1/ldapmisc.h.ldap openssh-6.1p1/ldapmisc.h
+ +
+#endif /* LDAPMISC_H */ +#endif /* LDAPMISC_H */
+ +
diff -up openssh-6.1p1/Makefile.in.ldap openssh-6.1p1/Makefile.in diff -up openssh-6.2p1/Makefile.in.ldap openssh-6.2p1/Makefile.in
--- openssh-6.1p1/Makefile.in.ldap 2012-11-01 12:57:17.750280385 +0100 --- openssh-6.2p1/Makefile.in.ldap 2013-03-25 21:27:15.850247822 +0100
+++ openssh-6.1p1/Makefile.in 2012-11-01 12:57:17.922280385 +0100 +++ openssh-6.2p1/Makefile.in 2013-03-25 21:27:57.356518817 +0100
@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh @@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server SFTP_SERVER=$(libexecdir)/sftp-server
@ -1986,7 +1986,7 @@ diff -up openssh-6.1p1/Makefile.in.ldap openssh-6.1p1/Makefile.in
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
PRIVSEP_PATH=@PRIVSEP_PATH@ PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -58,8 +60,9 @@ XAUTH_PATH=@XAUTH_PATH@ @@ -60,8 +62,9 @@ XAUTH_PATH=@XAUTH_PATH@
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
EXEEXT=@EXEEXT@ EXEEXT=@EXEEXT@
MANFMT=@MANFMT@ MANFMT=@MANFMT@
@ -1995,9 +1995,9 @@ diff -up openssh-6.1p1/Makefile.in.ldap openssh-6.1p1/Makefile.in
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ canohost.o channels.o cipher.o cipher-aes.o \
@@ -93,8 +96,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw @@ -95,8 +98,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
sandbox-seccomp-filter.o sandbox-seccomp-filter.o
@ -2008,7 +2008,7 @@ diff -up openssh-6.1p1/Makefile.in.ldap openssh-6.1p1/Makefile.in
MANTYPE = @MANTYPE@ MANTYPE = @MANTYPE@
CONFIGFILES=sshd_config.out ssh_config.out moduli.out CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -162,6 +165,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss @@ -164,6 +167,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@ -2018,7 +2018,7 @@ diff -up openssh-6.1p1/Makefile.in.ldap openssh-6.1p1/Makefile.in
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -257,6 +263,10 @@ install-files: @@ -266,6 +272,10 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -2029,7 +2029,7 @@ diff -up openssh-6.1p1/Makefile.in.ldap openssh-6.1p1/Makefile.in
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
@@ -273,6 +283,10 @@ install-files: @@ -282,6 +292,10 @@ install-files:
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@ -2040,7 +2040,7 @@ diff -up openssh-6.1p1/Makefile.in.ldap openssh-6.1p1/Makefile.in
-rm -f $(DESTDIR)$(bindir)/slogin -rm -f $(DESTDIR)$(bindir)/slogin
ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
@@ -302,6 +316,13 @@ install-sysconf: @@ -311,6 +325,13 @@ install-sysconf:
else \ else \
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
fi fi
@ -2054,7 +2054,7 @@ diff -up openssh-6.1p1/Makefile.in.ldap openssh-6.1p1/Makefile.in
host-key: ssh-keygen$(EXEEXT) host-key: ssh-keygen$(EXEEXT)
@if [ -z "$(DESTDIR)" ] ; then \ @if [ -z "$(DESTDIR)" ] ; then \
@@ -359,6 +380,8 @@ uninstall: @@ -368,6 +389,8 @@ uninstall:
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -2063,17 +2063,17 @@ diff -up openssh-6.1p1/Makefile.in.ldap openssh-6.1p1/Makefile.in
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
@@ -370,6 +393,7 @@ uninstall: @@ -379,6 +402,7 @@ uninstall:
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
diff -up openssh-6.1p1/openssh-lpk-openldap.schema.ldap openssh-6.1p1/openssh-lpk-openldap.schema diff -up openssh-6.2p1/openssh-lpk-openldap.schema.ldap openssh-6.2p1/openssh-lpk-openldap.schema
--- openssh-6.1p1/openssh-lpk-openldap.schema.ldap 2012-11-01 12:57:17.922280385 +0100 --- openssh-6.2p1/openssh-lpk-openldap.schema.ldap 2013-03-25 21:27:15.894248110 +0100
+++ openssh-6.1p1/openssh-lpk-openldap.schema 2012-11-01 12:57:17.922280385 +0100 +++ openssh-6.2p1/openssh-lpk-openldap.schema 2013-03-25 21:27:15.894248110 +0100
@@ -0,0 +1,21 @@ @@ -0,0 +1,21 @@
+# +#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2096,9 +2096,9 @@ diff -up openssh-6.1p1/openssh-lpk-openldap.schema.ldap openssh-6.1p1/openssh-lp
+ DESC 'MANDATORY: OpenSSH LPK objectclass' + DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid ) + MUST ( sshPublicKey $ uid )
+ ) + )
diff -up openssh-6.1p1/openssh-lpk-sun.schema.ldap openssh-6.1p1/openssh-lpk-sun.schema diff -up openssh-6.2p1/openssh-lpk-sun.schema.ldap openssh-6.2p1/openssh-lpk-sun.schema
--- openssh-6.1p1/openssh-lpk-sun.schema.ldap 2012-11-01 12:57:17.922280385 +0100 --- openssh-6.2p1/openssh-lpk-sun.schema.ldap 2013-03-25 21:27:15.894248110 +0100
+++ openssh-6.1p1/openssh-lpk-sun.schema 2012-11-01 12:57:17.922280385 +0100 +++ openssh-6.2p1/openssh-lpk-sun.schema 2013-03-25 21:27:15.894248110 +0100
@@ -0,0 +1,23 @@ @@ -0,0 +1,23 @@
+# +#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2123,9 +2123,9 @@ diff -up openssh-6.1p1/openssh-lpk-sun.schema.ldap openssh-6.1p1/openssh-lpk-sun
+ DESC 'MANDATORY: OpenSSH LPK objectclass' + DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid ) + MUST ( sshPublicKey $ uid )
+ ) + )
diff -up openssh-6.1p1/ssh-ldap.conf.5.ldap openssh-6.1p1/ssh-ldap.conf.5 diff -up openssh-6.2p1/ssh-ldap.conf.5.ldap openssh-6.2p1/ssh-ldap.conf.5
--- openssh-6.1p1/ssh-ldap.conf.5.ldap 2012-11-01 12:57:17.923280385 +0100 --- openssh-6.2p1/ssh-ldap.conf.5.ldap 2013-03-25 21:27:15.895248117 +0100
+++ openssh-6.1p1/ssh-ldap.conf.5 2012-11-01 12:57:17.923280385 +0100 +++ openssh-6.2p1/ssh-ldap.conf.5 2013-03-25 21:27:15.895248117 +0100
@@ -0,0 +1,376 @@ @@ -0,0 +1,376 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\" +.\"
@ -2503,9 +2503,9 @@ diff -up openssh-6.1p1/ssh-ldap.conf.5.ldap openssh-6.1p1/ssh-ldap.conf.5
+OpenSSH 5.5 + PKA-LDAP . +OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS +.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com +.An Jan F. Chadima Aq jchadima@redhat.com
diff -up openssh-6.1p1/ssh-ldap-helper.8.ldap openssh-6.1p1/ssh-ldap-helper.8 diff -up openssh-6.2p1/ssh-ldap-helper.8.ldap openssh-6.2p1/ssh-ldap-helper.8
--- openssh-6.1p1/ssh-ldap-helper.8.ldap 2012-11-01 12:57:17.924280385 +0100 --- openssh-6.2p1/ssh-ldap-helper.8.ldap 2013-03-25 21:27:15.895248117 +0100
+++ openssh-6.1p1/ssh-ldap-helper.8 2012-11-01 12:57:17.924280385 +0100 +++ openssh-6.2p1/ssh-ldap-helper.8 2013-03-25 21:27:15.895248117 +0100
@@ -0,0 +1,79 @@ @@ -0,0 +1,79 @@
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\" +.\"
@ -2586,9 +2586,9 @@ diff -up openssh-6.1p1/ssh-ldap-helper.8.ldap openssh-6.1p1/ssh-ldap-helper.8
+OpenSSH 5.5 + PKA-LDAP . +OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS +.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com +.An Jan F. Chadima Aq jchadima@redhat.com
diff -up openssh-6.1p1/ssh-ldap-wrapper.ldap openssh-6.1p1/ssh-ldap-wrapper diff -up openssh-6.2p1/ssh-ldap-wrapper.ldap openssh-6.2p1/ssh-ldap-wrapper
--- openssh-6.1p1/ssh-ldap-wrapper.ldap 2012-11-01 12:57:17.924280385 +0100 --- openssh-6.2p1/ssh-ldap-wrapper.ldap 2013-03-25 21:27:15.896248124 +0100
+++ openssh-6.1p1/ssh-ldap-wrapper 2012-11-01 12:57:17.924280385 +0100 +++ openssh-6.2p1/ssh-ldap-wrapper 2013-03-25 21:27:15.896248124 +0100
@@ -0,0 +1,4 @@ @@ -0,0 +1,4 @@
+#!/bin/sh +#!/bin/sh
+ +


@ -1,7 +1,44 @@
diff -up openssh-6.1p1/auth1.c.role-mls openssh-6.1p1/auth1.c diff -up openssh-6.2p1/auth.h.role-mls openssh-6.2p1/auth.h
--- openssh-6.1p1/auth1.c.role-mls 2012-11-28 17:06:43.657990103 +0100 --- openssh-6.2p1/auth.h.role-mls 2013-03-25 17:47:00.565746862 +0100
+++ openssh-6.1p1/auth1.c 2012-11-28 17:06:43.699989959 +0100 +++ openssh-6.2p1/auth.h 2013-03-25 17:47:00.602747073 +0100
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt) @@ -59,6 +59,9 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
char *style;
+#ifdef WITH_SELINUX
+ char *role;
+#endif
void *kbdintctxt;
void *jpake_ctx;
#ifdef BSD_AUTH
diff -up openssh-6.2p1/auth-pam.c.role-mls openssh-6.2p1/auth-pam.c
--- openssh-6.2p1/auth-pam.c.role-mls 2013-03-25 17:47:00.535746690 +0100
+++ openssh-6.2p1/auth-pam.c 2013-03-25 17:47:00.602747073 +0100
@@ -1074,7 +1074,7 @@ is_pam_session_open(void)
* during the ssh authentication process.
*/
int
-do_pam_putenv(char *name, char *value)
+do_pam_putenv(char *name, const char *value)
{
int ret = 1;
#ifdef HAVE_PAM_PUTENV
diff -up openssh-6.2p1/auth-pam.h.role-mls openssh-6.2p1/auth-pam.h
--- openssh-6.2p1/auth-pam.h.role-mls 2004-09-11 14:17:26.000000000 +0200
+++ openssh-6.2p1/auth-pam.h 2013-03-25 17:47:00.602747073 +0100
@@ -38,7 +38,7 @@ void do_pam_session(void);
void do_pam_set_tty(const char *);
void do_pam_setcred(int );
void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
diff -up openssh-6.2p1/auth1.c.role-mls openssh-6.2p1/auth1.c
--- openssh-6.2p1/auth1.c.role-mls 2012-12-02 23:53:20.000000000 +0100
+++ openssh-6.2p1/auth1.c 2013-03-25 17:47:00.600747062 +0100
@@ -386,6 +386,9 @@ do_authentication(Authctxt *authctxt)
{ {
u_int ulen; u_int ulen;
char *user, *style = NULL; char *user, *style = NULL;
@ -11,7 +48,7 @@ diff -up openssh-6.1p1/auth1.c.role-mls openssh-6.1p1/auth1.c
/* Get the name of the user that we wish to log in as. */ /* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER); packet_read_expect(SSH_CMSG_USER);
@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt) @@ -394,11 +397,24 @@ do_authentication(Authctxt *authctxt)
user = packet_get_cstring(&ulen); user = packet_get_cstring(&ulen);
packet_check_eom(); packet_check_eom();
@ -36,9 +73,9 @@ diff -up openssh-6.1p1/auth1.c.role-mls openssh-6.1p1/auth1.c
/* Verify that the user is a valid user. */ /* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
diff -up openssh-6.1p1/auth2.c.role-mls openssh-6.1p1/auth2.c diff -up openssh-6.2p1/auth2.c.role-mls openssh-6.2p1/auth2.c
--- openssh-6.1p1/auth2.c.role-mls 2012-11-28 17:06:43.661990089 +0100 --- openssh-6.2p1/auth2.c.role-mls 2013-03-25 17:47:00.556746810 +0100
+++ openssh-6.1p1/auth2.c 2012-11-28 17:11:09.058916613 +0100 +++ openssh-6.2p1/auth2.c 2013-03-25 17:47:00.600747062 +0100
@@ -218,6 +218,9 @@ input_userauth_request(int type, u_int32 @@ -218,6 +218,9 @@ input_userauth_request(int type, u_int32
Authctxt *authctxt = ctxt; Authctxt *authctxt = ctxt;
Authmethod *m = NULL; Authmethod *m = NULL;
@ -78,9 +115,9 @@ diff -up openssh-6.1p1/auth2.c.role-mls openssh-6.1p1/auth2.c
userauth_banner(); userauth_banner();
if (auth2_setup_methods_lists(authctxt) != 0) if (auth2_setup_methods_lists(authctxt) != 0)
packet_disconnect("no authentication methods enabled"); packet_disconnect("no authentication methods enabled");
diff -up openssh-6.1p1/auth2-gss.c.role-mls openssh-6.1p1/auth2-gss.c diff -up openssh-6.2p1/auth2-gss.c.role-mls openssh-6.2p1/auth2-gss.c
--- openssh-6.1p1/auth2-gss.c.role-mls 2011-05-05 06:04:11.000000000 +0200 --- openssh-6.2p1/auth2-gss.c.role-mls 2012-12-02 23:53:20.000000000 +0100
+++ openssh-6.1p1/auth2-gss.c 2012-11-28 17:06:43.700989956 +0100 +++ openssh-6.2p1/auth2-gss.c 2013-03-25 17:47:00.601747067 +0100
@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple @@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt; Authctxt *authctxt = ctxt;
Gssctxt *gssctxt; Gssctxt *gssctxt;
@ -113,9 +150,9 @@ diff -up openssh-6.1p1/auth2-gss.c.role-mls openssh-6.1p1/auth2-gss.c
xfree(mic.value); xfree(mic.value);
authctxt->postponed = 0; authctxt->postponed = 0;
diff -up openssh-6.1p1/auth2-hostbased.c.role-mls openssh-6.1p1/auth2-hostbased.c diff -up openssh-6.2p1/auth2-hostbased.c.role-mls openssh-6.2p1/auth2-hostbased.c
--- openssh-6.1p1/auth2-hostbased.c.role-mls 2012-11-28 17:06:43.669990062 +0100 --- openssh-6.2p1/auth2-hostbased.c.role-mls 2013-03-25 17:47:00.565746862 +0100
+++ openssh-6.1p1/auth2-hostbased.c 2012-11-28 17:06:43.700989956 +0100 +++ openssh-6.2p1/auth2-hostbased.c 2013-03-25 17:47:00.601747067 +0100
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt) @@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len); buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */ /* reconstruct packet */
@ -133,10 +170,10 @@ diff -up openssh-6.1p1/auth2-hostbased.c.role-mls openssh-6.1p1/auth2-hostbased.
buffer_put_cstring(&b, service); buffer_put_cstring(&b, service);
buffer_put_cstring(&b, "hostbased"); buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen); buffer_put_string(&b, pkalg, alen);
diff -up openssh-6.1p1/auth2-pubkey.c.role-mls openssh-6.1p1/auth2-pubkey.c diff -up openssh-6.2p1/auth2-pubkey.c.role-mls openssh-6.2p1/auth2-pubkey.c
--- openssh-6.1p1/auth2-pubkey.c.role-mls 2012-11-28 17:06:43.669990062 +0100 --- openssh-6.2p1/auth2-pubkey.c.role-mls 2013-03-25 17:47:00.565746862 +0100
+++ openssh-6.1p1/auth2-pubkey.c 2012-11-28 17:06:43.700989956 +0100 +++ openssh-6.2p1/auth2-pubkey.c 2013-03-25 17:47:00.601747067 +0100
@@ -121,7 +121,15 @@ userauth_pubkey(Authctxt *authctxt) @@ -127,7 +127,15 @@ userauth_pubkey(Authctxt *authctxt)
} }
/* reconstruct packet */ /* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
@ -153,46 +190,9 @@ diff -up openssh-6.1p1/auth2-pubkey.c.role-mls openssh-6.1p1/auth2-pubkey.c
buffer_put_cstring(&b, buffer_put_cstring(&b,
datafellows & SSH_BUG_PKSERVICE ? datafellows & SSH_BUG_PKSERVICE ?
"ssh-userauth" : "ssh-userauth" :
diff -up openssh-6.1p1/auth.h.role-mls openssh-6.1p1/auth.h diff -up openssh-6.2p1/misc.c.role-mls openssh-6.2p1/misc.c
--- openssh-6.1p1/auth.h.role-mls 2012-11-28 17:06:43.669990062 +0100 --- openssh-6.2p1/misc.c.role-mls 2011-09-22 13:34:36.000000000 +0200
+++ openssh-6.1p1/auth.h 2012-11-28 17:06:43.699989959 +0100 +++ openssh-6.2p1/misc.c 2013-03-25 17:47:00.603747079 +0100
@@ -59,6 +59,9 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
char *style;
+#ifdef WITH_SELINUX
+ char *role;
+#endif
void *kbdintctxt;
void *jpake_ctx;
#ifdef BSD_AUTH
diff -up openssh-6.1p1/auth-pam.c.role-mls openssh-6.1p1/auth-pam.c
--- openssh-6.1p1/auth-pam.c.role-mls 2012-11-28 17:06:43.638990168 +0100
+++ openssh-6.1p1/auth-pam.c 2012-11-28 17:06:43.699989959 +0100
@@ -1074,7 +1074,7 @@ is_pam_session_open(void)
* during the ssh authentication process.
*/
int
-do_pam_putenv(char *name, char *value)
+do_pam_putenv(char *name, const char *value)
{
int ret = 1;
#ifdef HAVE_PAM_PUTENV
diff -up openssh-6.1p1/auth-pam.h.role-mls openssh-6.1p1/auth-pam.h
--- openssh-6.1p1/auth-pam.h.role-mls 2004-09-11 14:17:26.000000000 +0200
+++ openssh-6.1p1/auth-pam.h 2012-11-28 17:06:43.699989959 +0100
@@ -38,7 +38,7 @@ void do_pam_session(void);
void do_pam_set_tty(const char *);
void do_pam_setcred(int );
void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
diff -up openssh-6.1p1/misc.c.role-mls openssh-6.1p1/misc.c
--- openssh-6.1p1/misc.c.role-mls 2011-09-22 13:34:36.000000000 +0200
+++ openssh-6.1p1/misc.c 2012-11-28 17:06:43.701989952 +0100
@@ -427,6 +427,7 @@ char * @@ -427,6 +427,7 @@ char *
colon(char *cp) colon(char *cp)
{ {
@ -215,9 +215,9 @@ diff -up openssh-6.1p1/misc.c.role-mls openssh-6.1p1/misc.c
} }
return NULL; return NULL;
} }
diff -up openssh-6.1p1/monitor.c.role-mls openssh-6.1p1/monitor.c diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c
--- openssh-6.1p1/monitor.c.role-mls 2012-11-28 17:06:43.686990004 +0100 --- openssh-6.2p1/monitor.c.role-mls 2013-03-25 17:47:00.587746987 +0100
+++ openssh-6.1p1/monitor.c 2012-11-28 17:06:43.701989952 +0100 +++ openssh-6.2p1/monitor.c 2013-03-25 17:47:00.604747085 +0100
@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *); @@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *);
int mm_answer_pwnamallow(int, Buffer *); int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_auth2_read_banner(int, Buffer *);
@ -228,7 +228,7 @@ diff -up openssh-6.1p1/monitor.c.role-mls openssh-6.1p1/monitor.c
int mm_answer_authpassword(int, Buffer *); int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *);
int mm_answer_bsdauthrespond(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *);
@@ -231,6 +234,9 @@ struct mon_table mon_dispatch_proto20[] @@ -232,6 +235,9 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -238,7 +238,7 @@ diff -up openssh-6.1p1/monitor.c.role-mls openssh-6.1p1/monitor.c
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM #ifdef USE_PAM
@@ -838,6 +844,9 @@ mm_answer_pwnamallow(int sock, Buffer *m @@ -846,6 +852,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
else { else {
/* Allow service/style information on the auth context */ /* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@ -248,7 +248,7 @@ diff -up openssh-6.1p1/monitor.c.role-mls openssh-6.1p1/monitor.c
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
} }
#ifdef USE_PAM #ifdef USE_PAM
@@ -881,6 +890,25 @@ mm_answer_authserv(int sock, Buffer *m) @@ -889,6 +898,25 @@ mm_answer_authserv(int sock, Buffer *m)
return (0); return (0);
} }
@ -274,7 +274,7 @@ diff -up openssh-6.1p1/monitor.c.role-mls openssh-6.1p1/monitor.c
int int
mm_answer_authpassword(int sock, Buffer *m) mm_answer_authpassword(int sock, Buffer *m)
{ {
@@ -1251,7 +1279,7 @@ static int @@ -1262,7 +1290,7 @@ static int
monitor_valid_userblob(u_char *data, u_int datalen) monitor_valid_userblob(u_char *data, u_int datalen)
{ {
Buffer b; Buffer b;
@ -283,7 +283,7 @@ diff -up openssh-6.1p1/monitor.c.role-mls openssh-6.1p1/monitor.c
u_int len; u_int len;
int fail = 0; int fail = 0;
@@ -1277,6 +1305,8 @@ monitor_valid_userblob(u_char *data, u_i @@ -1288,6 +1316,8 @@ monitor_valid_userblob(u_char *data, u_i
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++; fail++;
p = buffer_get_string(&b, NULL); p = buffer_get_string(&b, NULL);
@ -292,7 +292,7 @@ diff -up openssh-6.1p1/monitor.c.role-mls openssh-6.1p1/monitor.c
if (strcmp(authctxt->user, p) != 0) { if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s", logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p); authctxt->user, p);
@@ -1308,7 +1338,7 @@ monitor_valid_hostbasedblob(u_char *data @@ -1319,7 +1349,7 @@ monitor_valid_hostbasedblob(u_char *data
char *chost) char *chost)
{ {
Buffer b; Buffer b;
@ -301,7 +301,7 @@ diff -up openssh-6.1p1/monitor.c.role-mls openssh-6.1p1/monitor.c
u_int len; u_int len;
int fail = 0; int fail = 0;
@@ -1325,6 +1355,8 @@ monitor_valid_hostbasedblob(u_char *data @@ -1336,6 +1366,8 @@ monitor_valid_hostbasedblob(u_char *data
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++; fail++;
p = buffer_get_string(&b, NULL); p = buffer_get_string(&b, NULL);
@ -310,22 +310,22 @@ diff -up openssh-6.1p1/monitor.c.role-mls openssh-6.1p1/monitor.c
if (strcmp(authctxt->user, p) != 0) { if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s", logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p); authctxt->user, p);
diff -up openssh-6.1p1/monitor.h.role-mls openssh-6.1p1/monitor.h diff -up openssh-6.2p1/monitor.h.role-mls openssh-6.2p1/monitor.h
--- openssh-6.1p1/monitor.h.role-mls 2012-11-28 17:06:43.686990004 +0100 --- openssh-6.2p1/monitor.h.role-mls 2013-03-25 17:47:00.605747090 +0100
+++ openssh-6.1p1/monitor.h 2012-11-28 17:06:43.701989952 +0100 +++ openssh-6.2p1/monitor.h 2013-03-25 17:50:00.824775483 +0100
@@ -31,6 +31,9 @@ @@ -61,6 +61,9 @@ enum monitor_reqtype {
enum monitor_reqtype { MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57,
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59,
MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61,
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+ MONITOR_REQ_AUTHROLE, + MONITOR_REQ_AUTHROLE = 80,
+#endif +#endif
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
diff -up openssh-6.1p1/monitor_wrap.c.role-mls openssh-6.1p1/monitor_wrap.c diff -up openssh-6.2p1/monitor_wrap.c.role-mls openssh-6.2p1/monitor_wrap.c
--- openssh-6.1p1/monitor_wrap.c.role-mls 2012-11-28 17:06:43.686990004 +0100 --- openssh-6.2p1/monitor_wrap.c.role-mls 2013-03-25 17:47:00.588746993 +0100
+++ openssh-6.1p1/monitor_wrap.c 2012-11-28 17:06:43.702989948 +0100 +++ openssh-6.2p1/monitor_wrap.c 2013-03-25 17:47:00.605747090 +0100
@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char * @@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *
buffer_free(&m); buffer_free(&m);
} }
@ -352,9 +352,9 @@ diff -up openssh-6.1p1/monitor_wrap.c.role-mls openssh-6.1p1/monitor_wrap.c
/* Do the password authentication */ /* Do the password authentication */
int int
mm_auth_password(Authctxt *authctxt, char *password) mm_auth_password(Authctxt *authctxt, char *password)
diff -up openssh-6.1p1/monitor_wrap.h.role-mls openssh-6.1p1/monitor_wrap.h diff -up openssh-6.2p1/monitor_wrap.h.role-mls openssh-6.2p1/monitor_wrap.h
--- openssh-6.1p1/monitor_wrap.h.role-mls 2012-11-28 17:06:43.686990004 +0100 --- openssh-6.2p1/monitor_wrap.h.role-mls 2013-03-25 17:47:00.588746993 +0100
+++ openssh-6.1p1/monitor_wrap.h 2012-11-28 17:06:43.702989948 +0100 +++ openssh-6.2p1/monitor_wrap.h 2013-03-25 17:47:00.605747090 +0100
@@ -42,6 +42,9 @@ int mm_is_monitor(void); @@ -42,6 +42,9 @@ int mm_is_monitor(void);
DH *mm_choose_dh(int, int, int); DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
@ -365,21 +365,21 @@ diff -up openssh-6.1p1/monitor_wrap.h.role-mls openssh-6.1p1/monitor_wrap.h
struct passwd *mm_getpwnamallow(const char *); struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void); char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *); int mm_auth_password(struct Authctxt *, char *);
diff -up openssh-6.1p1/openbsd-compat/Makefile.in.role-mls openssh-6.1p1/openbsd-compat/Makefile.in diff -up openssh-6.2p1/openbsd-compat/Makefile.in.role-mls openssh-6.2p1/openbsd-compat/Makefile.in
--- openssh-6.1p1/openbsd-compat/Makefile.in.role-mls 2011-11-04 01:25:25.000000000 +0100 --- openssh-6.2p1/openbsd-compat/Makefile.in.role-mls 2013-03-25 17:47:00.606747096 +0100
+++ openssh-6.1p1/openbsd-compat/Makefile.in 2012-11-28 17:06:43.702989948 +0100 +++ openssh-6.2p1/openbsd-compat/Makefile.in 2013-03-25 17:50:36.024979473 +0100
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport @@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o -PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o +PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o
.c.o: .c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $< $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff -up openssh-6.1p1/openbsd-compat/port-linux.c.role-mls openssh-6.1p1/openbsd-compat/port-linux.c diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbsd-compat/port-linux.c
--- openssh-6.1p1/openbsd-compat/port-linux.c.role-mls 2012-03-09 00:25:18.000000000 +0100 --- openssh-6.2p1/openbsd-compat/port-linux.c.role-mls 2012-03-09 00:25:18.000000000 +0100
+++ openssh-6.1p1/openbsd-compat/port-linux.c 2012-11-28 17:06:43.702989948 +0100 +++ openssh-6.2p1/openbsd-compat/port-linux.c 2013-03-25 17:47:00.606747096 +0100
@@ -31,68 +31,271 @@ @@ -31,68 +31,271 @@
#include "log.h" #include "log.h"
@ -840,9 +840,9 @@ diff -up openssh-6.1p1/openbsd-compat/port-linux.c.role-mls openssh-6.1p1/openbs
#endif /* WITH_SELINUX */ #endif /* WITH_SELINUX */
#ifdef LINUX_OOM_ADJUST #ifdef LINUX_OOM_ADJUST
diff -up openssh-6.1p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.1p1/openbsd-compat/port-linux_part_2.c diff -up openssh-6.2p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.2p1/openbsd-compat/port-linux_part_2.c
--- openssh-6.1p1/openbsd-compat/port-linux_part_2.c.role-mls 2012-11-28 17:06:43.703989944 +0100 --- openssh-6.2p1/openbsd-compat/port-linux_part_2.c.role-mls 2013-03-25 17:47:00.607747102 +0100
+++ openssh-6.1p1/openbsd-compat/port-linux_part_2.c 2012-11-28 17:06:43.703989944 +0100 +++ openssh-6.2p1/openbsd-compat/port-linux_part_2.c 2013-03-25 17:47:00.607747102 +0100
@@ -0,0 +1,75 @@ @@ -0,0 +1,75 @@
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */ +/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
+ +
@ -919,10 +919,10 @@ diff -up openssh-6.1p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.1p1
+#endif /* WITH_SELINUX */ +#endif /* WITH_SELINUX */
+ +
+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ +#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
diff -up openssh-6.1p1/sshd.c.role-mls openssh-6.1p1/sshd.c diff -up openssh-6.2p1/sshd.c.role-mls openssh-6.2p1/sshd.c
--- openssh-6.1p1/sshd.c.role-mls 2012-11-28 17:06:43.688989996 +0100 --- openssh-6.2p1/sshd.c.role-mls 2013-03-25 17:47:00.589746999 +0100
+++ openssh-6.1p1/sshd.c 2012-11-28 17:06:43.703989944 +0100 +++ openssh-6.2p1/sshd.c 2013-03-25 17:47:00.607747102 +0100
@@ -2101,6 +2101,9 @@ main(int ac, char **av) @@ -2118,6 +2118,9 @@ main(int ac, char **av)
restore_uid(); restore_uid();
} }
#endif #endif
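Review bot: The rebased monitor.h hunk now pins `MONITOR_REQ_AUTHROLE = 80` instead of letting the enumerator take the next implicit value, because the 6.2p1 enum is explicitly numbered; the hunk's context shows the gap it lands in (JPAKE entries end at 61, PAM starts at 100) but nothing records why 80 was chosen or that it must stay unique. The monitor dispatch table in monitor.c is keyed by this number (the `mon_dispatch_proto20` hunk earlier in this section), so if another downstream patch in this package ever assigns 80 in the same enum the privileged monitor would route a child request to the wrong handler silently rather than fail at build time. I'd add a comment on the new enumerator, e.g. `/* 80: downstream SELinux role request; unused by 6.2p1 (61 < 80 < 100), keep unique across all patches extending this enum */`. The rest of the enum is outside the hunk, so whether any other carried patch already uses 80 cannot be confirmed from this page.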


@ -1,7 +1,7 @@
diff -up openssh-6.1p1/configure.ac.vendor openssh-6.1p1/configure.ac diff -up openssh-6.2p1/configure.ac.vendor openssh-6.2p1/configure.ac
--- openssh-6.1p1/configure.ac.vendor 2012-09-14 20:36:49.153085211 +0200 --- openssh-6.2p1/configure.ac.vendor 2013-03-25 19:34:01.277495179 +0100
+++ openssh-6.1p1/configure.ac 2012-09-14 20:36:49.559088133 +0200 +++ openssh-6.2p1/configure.ac 2013-03-25 19:34:01.377495818 +0100
@@ -4303,6 +4303,12 @@ AC_ARG_WITH([lastlog], @@ -4420,6 +4420,12 @@ AC_ARG_WITH([lastlog],
fi fi
] ]
) )
@ -14,7 +14,7 @@ diff -up openssh-6.1p1/configure.ac.vendor openssh-6.1p1/configure.ac
dnl lastlog, [uw]tmpx? detection dnl lastlog, [uw]tmpx? detection
dnl NOTE: set the paths in the platform section to avoid the dnl NOTE: set the paths in the platform section to avoid the
@@ -4529,6 +4535,7 @@ echo " Translate v4 in v6 hack @@ -4681,6 +4687,7 @@ echo " Translate v4 in v6 hack
echo " BSD Auth support: $BSD_AUTH_MSG" echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG" echo " Random number source: $RAND_MSG"
echo " Privsep sandbox style: $SANDBOX_STYLE" echo " Privsep sandbox style: $SANDBOX_STYLE"
@ -22,9 +22,9 @@ diff -up openssh-6.1p1/configure.ac.vendor openssh-6.1p1/configure.ac
echo "" echo ""
diff -up openssh-6.1p1/servconf.c.vendor openssh-6.1p1/servconf.c diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
--- openssh-6.1p1/servconf.c.vendor 2012-09-14 20:36:49.124085002 +0200 --- openssh-6.2p1/servconf.c.vendor 2013-03-25 19:34:01.197494668 +0100
+++ openssh-6.1p1/servconf.c 2012-09-14 20:50:34.995972516 +0200 +++ openssh-6.2p1/servconf.c 2013-03-25 19:34:01.379495831 +0100
@@ -128,6 +128,7 @@ initialize_server_options(ServerOptions @@ -128,6 +128,7 @@ initialize_server_options(ServerOptions
options->max_authtries = -1; options->max_authtries = -1;
options->max_sessions = -1; options->max_sessions = -1;
@ -33,7 +33,7 @@ diff -up openssh-6.1p1/servconf.c.vendor openssh-6.1p1/servconf.c
options->use_dns = -1; options->use_dns = -1;
options->client_alive_interval = -1; options->client_alive_interval = -1;
options->client_alive_count_max = -1; options->client_alive_count_max = -1;
@@ -289,6 +290,9 @@ fill_default_server_options(ServerOption @@ -287,6 +288,9 @@ fill_default_server_options(ServerOption
options->ip_qos_bulk = IPTOS_THROUGHPUT; options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->version_addendum == NULL) if (options->version_addendum == NULL)
options->version_addendum = xstrdup(""); options->version_addendum = xstrdup("");
@ -43,7 +43,7 @@ diff -up openssh-6.1p1/servconf.c.vendor openssh-6.1p1/servconf.c
/* Turn privilege separation on by default */ /* Turn privilege separation on by default */
if (use_privsep == -1) if (use_privsep == -1)
use_privsep = PRIVSEP_NOSANDBOX; use_privsep = PRIVSEP_NOSANDBOX;
@@ -326,7 +330,7 @@ typedef enum { @@ -324,7 +328,7 @@ typedef enum {
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
sMaxStartups, sMaxAuthTries, sMaxSessions, sMaxStartups, sMaxAuthTries, sMaxSessions,
@ -52,7 +52,7 @@ diff -up openssh-6.1p1/servconf.c.vendor openssh-6.1p1/servconf.c
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
@@ -441,6 +445,7 @@ static struct { @@ -439,6 +443,7 @@ static struct {
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
{ "maxsessions", sMaxSessions, SSHCFG_ALL }, { "maxsessions", sMaxSessions, SSHCFG_ALL },
{ "banner", sBanner, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL },
@ -60,7 +60,7 @@ diff -up openssh-6.1p1/servconf.c.vendor openssh-6.1p1/servconf.c
{ "usedns", sUseDNS, SSHCFG_GLOBAL }, { "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1162,6 +1167,10 @@ process_server_config_line(ServerOptions @@ -1163,6 +1168,10 @@ process_server_config_line(ServerOptions
multistate_ptr = multistate_privsep; multistate_ptr = multistate_privsep;
goto parse_multistate; goto parse_multistate;
@ -71,7 +71,7 @@ diff -up openssh-6.1p1/servconf.c.vendor openssh-6.1p1/servconf.c
case sAllowUsers: case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') { while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS) if (options->num_allow_users >= MAX_ALLOW_USERS)
@@ -1956,6 +1965,7 @@ dump_config(ServerOptions *o) @@ -1950,6 +1959,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseLogin, o->use_login); dump_cfg_fmtint(sUseLogin, o->use_login);
dump_cfg_fmtint(sCompression, o->compression); dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->gateway_ports); dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
@ -79,10 +79,10 @@ diff -up openssh-6.1p1/servconf.c.vendor openssh-6.1p1/servconf.c
dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
diff -up openssh-6.1p1/servconf.h.vendor openssh-6.1p1/servconf.h diff -up openssh-6.2p1/servconf.h.vendor openssh-6.2p1/servconf.h
--- openssh-6.1p1/servconf.h.vendor 2012-09-14 20:36:49.125085009 +0200 --- openssh-6.2p1/servconf.h.vendor 2013-01-09 05:56:45.000000000 +0100
+++ openssh-6.1p1/servconf.h 2012-09-14 20:36:49.564088168 +0200 +++ openssh-6.2p1/servconf.h 2013-03-25 19:34:01.379495831 +0100
@@ -140,6 +140,7 @@ typedef struct { @@ -147,6 +147,7 @@ typedef struct {
int max_authtries; int max_authtries;
int max_sessions; int max_sessions;
char *banner; /* SSH-2 banner message */ char *banner; /* SSH-2 banner message */
@ -90,21 +90,21 @@ diff -up openssh-6.1p1/servconf.h.vendor openssh-6.1p1/servconf.h
int use_dns; int use_dns;
int client_alive_interval; /* int client_alive_interval; /*
* poke the client this often to * poke the client this often to
diff -up openssh-6.1p1/sshd_config.vendor openssh-6.1p1/sshd_config diff -up openssh-6.2p1/sshd_config.vendor openssh-6.2p1/sshd_config
--- openssh-6.1p1/sshd_config.vendor 2012-09-14 20:36:49.507087759 +0200 --- openssh-6.2p1/sshd_config.vendor 2013-03-25 19:34:01.380495837 +0100
+++ openssh-6.1p1/sshd_config 2012-09-14 20:36:49.565088175 +0200 +++ openssh-6.2p1/sshd_config 2013-03-25 19:44:43.471296362 +0100
@@ -114,6 +114,7 @@ UsePrivilegeSeparation sandbox # Defaul @@ -118,6 +118,7 @@ UsePrivilegeSeparation sandbox # Defaul
#Compression delayed #Compression delayed
#ClientAliveInterval 0 #ClientAliveInterval 0
#ClientAliveCountMax 3 #ClientAliveCountMax 3
+#ShowPatchLevel no +#ShowPatchLevel no
#UseDNS yes #UseDNS yes
#PidFile /var/run/sshd.pid #PidFile /var/run/sshd.pid
#MaxStartups 10 #MaxStartups 10:30:100
diff -up openssh-6.1p1/sshd_config.0.vendor openssh-6.1p1/sshd_config.0 diff -up openssh-6.2p1/sshd_config.0.vendor openssh-6.2p1/sshd_config.0
--- openssh-6.1p1/sshd_config.0.vendor 2012-09-14 20:36:49.510087780 +0200 --- openssh-6.2p1/sshd_config.0.vendor 2013-03-25 19:34:01.361495716 +0100
+++ openssh-6.1p1/sshd_config.0 2012-09-14 20:36:49.567088190 +0200 +++ openssh-6.2p1/sshd_config.0 2013-03-25 19:34:01.381495844 +0100
@@ -558,6 +558,11 @@ DESCRIPTION @@ -595,6 +595,11 @@ DESCRIPTION
Defines the number of bits in the ephemeral protocol version 1 Defines the number of bits in the ephemeral protocol version 1
server key. The minimum value is 512, and the default is 1024. server key. The minimum value is 512, and the default is 1024.
@ -116,10 +116,10 @@ diff -up openssh-6.1p1/sshd_config.0.vendor openssh-6.1p1/sshd_config.0
StrictModes StrictModes
Specifies whether sshd(8) should check file modes and ownership Specifies whether sshd(8) should check file modes and ownership
of the user's files and home directory before accepting login. of the user's files and home directory before accepting login.
diff -up openssh-6.1p1/sshd_config.5.vendor openssh-6.1p1/sshd_config.5 diff -up openssh-6.2p1/sshd_config.5.vendor openssh-6.2p1/sshd_config.5
--- openssh-6.1p1/sshd_config.5.vendor 2012-09-14 20:36:49.512087794 +0200 --- openssh-6.2p1/sshd_config.5.vendor 2013-03-25 19:34:01.362495722 +0100
+++ openssh-6.1p1/sshd_config.5 2012-09-14 20:36:49.568088198 +0200 +++ openssh-6.2p1/sshd_config.5 2013-03-25 19:34:01.382495850 +0100
@@ -978,6 +978,14 @@ This option applies to protocol version @@ -1019,6 +1019,14 @@ This option applies to protocol version
.It Cm ServerKeyBits .It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key. Defines the number of bits in the ephemeral protocol version 1 server key.
The minimum value is 512, and the default is 1024. The minimum value is 512, and the default is 1024.
@ -134,10 +134,10 @@ diff -up openssh-6.1p1/sshd_config.5.vendor openssh-6.1p1/sshd_config.5
.It Cm StrictModes .It Cm StrictModes
Specifies whether Specifies whether
.Xr sshd 8 .Xr sshd 8
diff -up openssh-6.1p1/sshd.c.vendor openssh-6.1p1/sshd.c diff -up openssh-6.2p1/sshd.c.vendor openssh-6.2p1/sshd.c
--- openssh-6.1p1/sshd.c.vendor 2012-09-14 20:36:49.399086981 +0200 --- openssh-6.2p1/sshd.c.vendor 2013-03-25 19:34:01.332495531 +0100
+++ openssh-6.1p1/sshd.c 2012-09-14 20:47:30.696088744 +0200 +++ openssh-6.2p1/sshd.c 2013-03-25 19:44:11.864112092 +0100
@@ -433,7 +433,7 @@ sshd_exchange_identification(int sock_in @@ -442,7 +442,7 @@ sshd_exchange_identification(int sock_in
} }
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@ -146,13 +146,13 @@ diff -up openssh-6.1p1/sshd.c.vendor openssh-6.1p1/sshd.c
*options.version_addendum == '\0' ? "" : " ", *options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline); options.version_addendum, newline);
@@ -1635,7 +1635,8 @@ main(int ac, char **av) @@ -1675,7 +1675,8 @@ main(int ac, char **av)
exit(1); exit(1);
} }
- debug("sshd version %.100s", SSH_RELEASE); - debug("sshd version %s, %s", SSH_VERSION,
+ debug("sshd version %.100s", + debug("sshd version %s, %s",
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE); + (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
SSLeay_version(SSLEAY_VERSION));
/* Store privilege separation user for later use if required. */ /* Store privilege separation user for later use if required. */
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {


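--- a/openssh-nukeacss.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/sh
-#
-# Remove the ACSS implementation from OpenSSH, and disable its use so that the
-# rest of the package can still be built.
-#
-> acss.c
-patch -sp0 << EOF
---- cipher.c.orig 2005-07-17 09:02:10.000000000 +0200
-+++ cipher.c 2005-09-06 14:52:06.000000000 +0200
-@@ -45,6 +45,9 @@
-/* compatibility with old or broken OpenSSL versions */
-#include "openbsd-compat/openssl-compat.h"
-+#undef USE_CIPHER_ACSS
-+#undef EVP_acss
-+#define EVP_acss NULL
-extern const EVP_CIPHER *evp_ssh1_bf(void);
-extern const EVP_CIPHER *evp_ssh1_3des(void);
-EOF
-echo "Well done."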


@ -66,10 +66,10 @@
%endif %endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 6.1p1 %define openssh_ver 6.2p1
%define openssh_rel 7 %define openssh_rel 1
%define pam_ssh_agent_ver 0.9.3 %define pam_ssh_agent_ver 0.9.3
%define pam_ssh_agent_rel 3 %define pam_ssh_agent_rel 4
Summary: An open source implementation of SSH protocol versions 1 and 2 Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh Name: openssh
@ -82,8 +82,7 @@ URL: http://www.openssh.com/portable.html
# This package differs from the upstream OpenSSH tarball in that # This package differs from the upstream OpenSSH tarball in that
# the ACSS cipher is removed by running openssh-nukeacss.sh in # the ACSS cipher is removed by running openssh-nukeacss.sh in
# the unpacked source directory. # the unpacked source directory.
Source0: openssh-%{version}-noacss.tar.bz2 Source0: openssh-%{version}.tar.gz
Source1: openssh-nukeacss.sh
Source2: sshd.pam Source2: sshd.pam
Source3: sshd.init Source3: sshd.init
Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2 Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2
@ -100,9 +99,9 @@ Source13: sshd-keygen
Patch0: openssh-5.9p1-wIm.patch Patch0: openssh-5.9p1-wIm.patch
#? #?
Patch100: openssh-6.1p1-coverity.patch Patch100: openssh-6.2p1-coverity.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1872 #https://bugzilla.mindrot.org/show_bug.cgi?id=1872
Patch101: openssh-5.8p1-fingerprint.patch Patch101: openssh-6.2p1-fingerprint.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1894 #https://bugzilla.mindrot.org/show_bug.cgi?id=1894
#https://bugzilla.redhat.com/show_bug.cgi?id=735889 #https://bugzilla.redhat.com/show_bug.cgi?id=735889
Patch102: openssh-5.8p1-getaddrinfo.patch Patch102: openssh-5.8p1-getaddrinfo.patch
@ -114,15 +113,15 @@ Patch104: openssh-6.1p1-authenticationmethods.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch200: openssh-5.8p1-audit0.patch Patch200: openssh-5.8p1-audit0.patch
# -"- # -"-
Patch201: openssh-6.0p1-audit1.patch Patch201: openssh-6.2p1-audit1.patch
# -"- # -"-
Patch202: openssh-5.9p1-audit2.patch Patch202: openssh-5.9p1-audit2.patch
# -"- # -"-
Patch203: openssh-5.9p1-audit3.patch Patch203: openssh-6.2p1-audit3.patch
# -"- # -"-
Patch204: openssh-6.1p1-audit4.patch Patch204: openssh-6.2p1-audit4.patch
# -"- # -"-
Patch205: openssh-6.0p1-audit5.patch Patch205: openssh-6.2p1-audit5.patch
# --- pam_ssh-agent --- # --- pam_ssh-agent ---
# make it build reusing the openssh sources # make it build reusing the openssh sources
@ -132,7 +131,7 @@ Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch
# explicitly make pam callbacks visible # explicitly make pam callbacks visible
Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX) #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
Patch400: openssh-6.1p1-role-mls.patch Patch400: openssh-6.2p1-role-mls.patch
#? #?
#Patch402: openssh-5.9p1-sftp-chroot.patch #Patch402: openssh-5.9p1-sftp-chroot.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1940 #https://bugzilla.mindrot.org/show_bug.cgi?id=1940
@ -143,9 +142,9 @@ Patch404: openssh-6.1p1-privsep-selinux.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1663 #https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Patch500: openssh-6.1p1-akc.patch Patch500: openssh-6.1p1-akc.patch
#?-- unwanted child :( #?-- unwanted child :(
Patch501: openssh-6.0p1-ldap.patch Patch501: openssh-6.2p1-ldap.patch
#? #?
Patch502: openssh-5.9p1-keycat.patch Patch502: openssh-6.2p1-keycat.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1668 #https://bugzilla.mindrot.org/show_bug.cgi?id=1668
#Patch600: openssh-5.9p1-keygen.patch #Patch600: openssh-5.9p1-keygen.patch
@ -169,7 +168,7 @@ Patch608: openssh-6.1p1-askpass-ld.patch
Patch609: openssh-5.5p1-x11.patch Patch609: openssh-5.5p1-x11.patch
#? #?
Patch700: openssh-5.9p1-fips.patch Patch700: openssh-6.2p1-fips.patch
#? #?
Patch701: openssh-5.6p1-exit-deadlock.patch Patch701: openssh-5.6p1-exit-deadlock.patch
#? #?
@ -185,9 +184,9 @@ Patch706: openssh-5.8p1-localdomain.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX) #https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
Patch707: openssh-6.1p1-redhat.patch Patch707: openssh-6.1p1-redhat.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :) #https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
Patch708: openssh-6.0p1-entropy.patch Patch708: openssh-6.2p1-entropy.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX) #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
Patch709: openssh-6.1p1-vendor.patch Patch709: openssh-6.2p1-vendor.patch
#? #?
Patch710: openssh-5.9p1-copy-id-restorecon.patch Patch710: openssh-5.9p1-copy-id-restorecon.patch
# warn users for unsupported UsePAM=no (#757545) # warn users for unsupported UsePAM=no (#757545)
@ -195,17 +194,17 @@ Patch711: openssh-6.1p1-log-usepam-no.patch
# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL # make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
Patch712: openssh-5.9p1-ctr-evp-fast.patch Patch712: openssh-5.9p1-ctr-evp-fast.patch
# add cavs test binary for the aes-ctr # add cavs test binary for the aes-ctr
Patch713: openssh-5.9p1-ctr-cavstest.patch Patch713: openssh-6.2p1-ctr-cavstest.patch
#http://www.sxw.org.uk/computing/patches/openssh.html #http://www.sxw.org.uk/computing/patches/openssh.html
#changed cache storage type - #848228 #changed cache storage type - #848228
Patch800: openssh-6.1p1-gsskex.patch Patch800: openssh-6.2p1-gsskex.patch
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html #http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
Patch801: openssh-5.8p2-force_krb.patch Patch801: openssh-6.2p1-force_krb.patch
Patch900: openssh-6.1p1-gssapi-canohost.patch Patch900: openssh-6.1p1-gssapi-canohost.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780 #https://bugzilla.mindrot.org/show_bug.cgi?id=1780
Patch901: openssh-6.1p1-kuserok.patch Patch901: openssh-6.2p1-kuserok.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=841065 #https://bugzilla.redhat.com/show_bug.cgi?id=841065
Patch902: openssh-6.1p1-man-moduli.patch Patch902: openssh-6.1p1-man-moduli.patch
# obsolete RequiredAuthentications options # obsolete RequiredAuthentications options
@ -393,7 +392,7 @@ The module is most useful for su and sudo service stacks.
%patch101 -p1 -b .fingerprint %patch101 -p1 -b .fingerprint
%patch102 -p1 -b .getaddrinfo %patch102 -p1 -b .getaddrinfo
%patch103 -p1 -b .packet %patch103 -p1 -b .packet
%patch104 -p1 -b .authenticationmethods # %patch104 -p1 -b .authenticationmethods
%patch200 -p1 -b .audit0 %patch200 -p1 -b .audit0
%patch201 -p1 -b .audit1 %patch201 -p1 -b .audit1
@ -414,18 +413,18 @@ popd
%if %{WITH_SELINUX} %if %{WITH_SELINUX}
%patch400 -p1 -b .role-mls %patch400 -p1 -b .role-mls
#%patch402 -p1 -b .sftp-chroot # %patch402 -p1 -b .sftp-chroot
#%patch403 -p1 -b .sesandbox # %patch403 -p1 -b .sesandbox
%patch404 -p1 -b .privsep-selinux %patch404 -p1 -b .privsep-selinux
%endif %endif
%patch500 -p1 -b .akc # %patch500 -p1 -b .akc
%if %{ldap} %if %{ldap}
%patch501 -p1 -b .ldap %patch501 -p1 -b .ldap
%endif %endif
%patch502 -p1 -b .keycat %patch502 -p1 -b .keycat
#%patch600 -p1 -b .keygen # %patch600 -p1 -b .keygen
%patch601 -p1 -b .ip-opts %patch601 -p1 -b .ip-opts
%patch602 -p1 -b .randclean %patch602 -p1 -b .randclean
%patch603 -p1 -b .glob %patch603 -p1 -b .glob
@ -446,7 +445,7 @@ popd
%patch707 -p1 -b .redhat %patch707 -p1 -b .redhat
%patch708 -p1 -b .entropy %patch708 -p1 -b .entropy
%patch709 -p1 -b .vendor %patch709 -p1 -b .vendor
%patch710 -p1 -b .restorecon # %patch710 -p1 -b .restorecon
%patch711 -p1 -b .log-usepam-no %patch711 -p1 -b .log-usepam-no
%patch712 -p1 -b .evp-ctr %patch712 -p1 -b .evp-ctr
%patch713 -p1 -b .ctr-cavs %patch713 -p1 -b .ctr-cavs
@ -456,9 +455,9 @@ popd
%patch900 -p1 -b .canohost %patch900 -p1 -b .canohost
%patch901 -p1 -b .kuserok %patch901 -p1 -b .kuserok
%patch902 -p1 -b .man-moduli # %patch902 -p1 -b .man-moduli
%patch903 -p1 -b .required-authentication # %patch903 -p1 -b .required-authentication
%patch904 -p1 -b .max-startups # %patch904 -p1 -b .max-startups
%if 0 %if 0
# Nothing here yet # Nothing here yet
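Review bot: The header comment left as context in the Source0 hunk, `# This package differs from the upstream OpenSSH tarball in that the ACSS cipher is removed by running openssh-nukeacss.sh in the unpacked source directory.`, is now false: Source0 points at the pristine `openssh-%{version}.tar.gz` and the Source1 line for the script is removed, so the comment should become something like `# The upstream tarball is used unmodified (the ACSS cipher is no longer shipped upstream).` so the next rebaser does not go looking for a noacss repack. The %prep hunks also comment out `%patch104`, `%patch500`, `%patch710`, `%patch902`, `%patch903` and `%patch904` while keeping their `Patch:` declarations, with nothing saying whether each is obsoleted by 6.2p1 (presumably the case for authenticationmethods and akc) or merely not yet rebased; a one-line reason beside each disabled line, e.g. `# superseded by upstream AuthenticationMethods in 6.2p1`, would make the intent explicit and stop the dead declarations from accumulating. Since the build now consumes the upstream tarball directly rather than a locally repacked one, it is worth verifying `openssh-6.2p1.tar.gz` against the upstream PGP signature before trusting the checksum recorded in `sources`.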


@ -1,2 +1 @@
9872ca1983e566ff5a89c240529e223d pam_ssh_agent_auth-0.9.3.tar.bz2 7b2d9dd75b5cf267ea1737ec75500316 openssh-6.2p1.tar.gz
688b37a843ea1c9217f45b1f5c21b791 openssh-6.1p1-noacss.tar.bz2
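Review bot: If the rendering is accurate, the hunk header `-1,2 +1` means the `pam_ssh_agent_auth-0.9.3.tar.bz2` checksum line is dropped together with the noacss tarball, yet the spec section still declares `Source4: ...pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2` and bumps `pam_ssh_agent_rel` to 4; unless that tarball is now tracked in git, the lookaside fetch will no longer retrieve it and %prep will fail on the missing source. Keep the line `9872ca1983e566ff5a89c240529e223d  pam_ssh_agent_auth-0.9.3.tar.bz2` alongside the new entry. The new upstream tarball is pinned only by an MD5 here, which catches download corruption but not a substituted archive; verify `openssh-6.2p1.tar.gz` against the upstream `.asc` signature before recording its checksum.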