forked from rpms/openssh
rebase to openssh-6.6p1
This commit is contained in:
parent
d75575229f
commit
94c6f8ddcc
1
.gitignore
vendored
1
.gitignore
vendored
@ -12,3 +12,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
|
||||
/openssh-6.2p2.tar.gz
|
||||
/openssh-6.3p1.tar.gz
|
||||
/openssh-6.4p1.tar.gz
|
||||
/openssh-6.6p1.tar.gz
|
||||
|
@ -1,5 +1,5 @@
|
||||
diff --git a/ChangeLog b/ChangeLog
|
||||
index 29d70ec..a0fb67e 100644
|
||||
index 38de846..1603a07 100644
|
||||
--- a/ChangeLog
|
||||
+++ b/ChangeLog
|
||||
@@ -1,3 +1,14 @@
|
||||
@ -14,14 +14,14 @@ index 29d70ec..a0fb67e 100644
|
||||
+
|
||||
+ Reported by mcv21 AT cam.ac.uk
|
||||
+
|
||||
20131010
|
||||
- dtucker@cvs.openbsd.org 2013/10/08 11:42:13
|
||||
[dh.c dh.h]
|
||||
20140313
|
||||
- (djm) Release OpenSSH 6.6
|
||||
|
||||
diff --git a/sshconnect.c b/sshconnect.c
|
||||
index ddc167e..4d8c718 100644
|
||||
index 394cca8..e636f33 100644
|
||||
--- a/sshconnect.c
|
||||
+++ b/sshconnect.c
|
||||
@@ -1136,30 +1136,40 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
|
||||
@@ -1219,30 +1219,40 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
|
||||
{
|
||||
int flags = 0;
|
||||
char *fp;
|
@ -1,7 +1,8 @@
|
||||
diff -up openssh-5.2p1/canohost.c.ip-opts openssh-5.2p1/canohost.c
|
||||
--- openssh-5.2p1/canohost.c.ip-opts 2009-02-14 06:28:21.000000000 +0100
|
||||
+++ openssh-5.2p1/canohost.c 2009-09-01 15:31:29.000000000 +0200
|
||||
@@ -169,12 +169,27 @@ check_ip_options(int sock, char *ipaddr)
|
||||
diff --git a/canohost.c b/canohost.c
|
||||
index a61a8c9..97ce58c 100644
|
||||
--- a/canohost.c
|
||||
+++ b/canohost.c
|
||||
@@ -165,12 +165,29 @@ check_ip_options(int sock, char *ipaddr)
|
||||
option_size = sizeof(options);
|
||||
if (getsockopt(sock, ipproto, IP_OPTIONS, options,
|
||||
&option_size) >= 0 && option_size != 0) {
|
||||
@ -18,8 +19,12 @@ diff -up openssh-5.2p1/canohost.c.ip-opts openssh-5.2p1/canohost.c
|
||||
+ case 1:
|
||||
+ ++i;
|
||||
+ break;
|
||||
+ case 131:
|
||||
+ case 137:
|
||||
+ case 130:
|
||||
+ case 133:
|
||||
+ case 134:
|
||||
+ i += options[i + 1];
|
||||
+ break;
|
||||
+ default:
|
||||
+ /* Fail, fatally, if we detect either loose or strict
|
||||
+ * source routing options. */
|
||||
+ text[0] = '\0';
|
||||
@ -28,8 +33,6 @@ diff -up openssh-5.2p1/canohost.c.ip-opts openssh-5.2p1/canohost.c
|
||||
+ " %2.2x", options[i]);
|
||||
+ fatal("Connection from %.100s with IP options:%.800s",
|
||||
+ ipaddr, text);
|
||||
+ default:
|
||||
+ i += options[i + 1];
|
||||
+ }
|
||||
+ } while (i < option_size);
|
||||
}
|
@ -1,6 +1,47 @@
|
||||
diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
|
||||
--- openssh-6.2p1/ctr-cavstest.c.ctr-cavs 2013-03-25 21:35:52.512586671 +0100
|
||||
+++ openssh-6.2p1/ctr-cavstest.c 2013-03-25 21:35:52.512586671 +0100
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 4ab6717..581b121 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
||||
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
||||
SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
||||
+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
|
||||
MANFMT=@MANFMT@
|
||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
||||
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
||||
|
||||
LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
|
||||
canohost.o channels.o cipher.o cipher-aes.o \
|
||||
@@ -180,6 +181,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o
|
||||
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
|
||||
$(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS)
|
||||
|
||||
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
||||
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
+
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@@ -288,6 +292,7 @@ install-files:
|
||||
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
||||
fi
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
diff --git a/ctr-cavstest.c b/ctr-cavstest.c
|
||||
new file mode 100644
|
||||
index 0000000..bbcbe8a
|
||||
--- /dev/null
|
||||
+++ b/ctr-cavstest.c
|
||||
@@ -0,0 +1,208 @@
|
||||
+/*
|
||||
+ *
|
||||
@ -103,7 +144,7 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
|
||||
+int main (int argc, char *argv[])
|
||||
+{
|
||||
+
|
||||
+ Cipher *c;
|
||||
+ const Cipher *c;
|
||||
+ CipherContext cc;
|
||||
+ char *algo = "aes128-ctr";
|
||||
+ char *hexkey = NULL;
|
||||
@ -194,7 +235,7 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
+ cipher_crypt(&cc, outdata, data, datalen, 0, 0);
|
||||
+ cipher_crypt(&cc, 0, outdata, data, datalen, 0, 0);
|
||||
+
|
||||
+ free(data);
|
||||
+
|
||||
@ -210,41 +251,3 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
diff -up openssh-6.2p1/Makefile.in.ctr-cavs openssh-6.2p1/Makefile.in
|
||||
--- openssh-6.2p1/Makefile.in.ctr-cavs 2013-03-25 21:35:52.451586280 +0100
|
||||
+++ openssh-6.2p1/Makefile.in 2013-03-25 21:37:14.956114584 +0100
|
||||
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
||||
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
||||
SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
||||
+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
|
||||
MANFMT=@MANFMT@
|
||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
||||
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
||||
|
||||
LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
|
||||
canohost.o channels.o cipher.o cipher-aes.o \
|
||||
@@ -174,6 +175,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
|
||||
ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keycat.o
|
||||
$(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
|
||||
|
||||
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
||||
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
+
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
|
||||
@@ -281,6 +285,7 @@ install-files:
|
||||
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
||||
fi
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
@ -1,7 +1,8 @@
|
||||
diff -up openssh-6.2p1/entropy.c.entropy openssh-6.2p1/entropy.c
|
||||
--- openssh-6.2p1/entropy.c.entropy 2013-03-25 19:31:42.737611051 +0100
|
||||
+++ openssh-6.2p1/entropy.c 2013-03-25 19:31:42.797611433 +0100
|
||||
@@ -237,6 +237,9 @@ seed_rng(void)
|
||||
diff --git a/entropy.c b/entropy.c
|
||||
index 2d483b3..b361a04 100644
|
||||
--- a/entropy.c
|
||||
+++ b/entropy.c
|
||||
@@ -234,6 +234,9 @@ seed_rng(void)
|
||||
memset(buf, '\0', sizeof(buf));
|
||||
|
||||
#endif /* OPENSSL_PRNG_ONLY */
|
||||
@ -11,21 +12,24 @@ diff -up openssh-6.2p1/entropy.c.entropy openssh-6.2p1/entropy.c
|
||||
if (RAND_status() != 1)
|
||||
fatal("PRNG is not seeded");
|
||||
}
|
||||
diff -up openssh-6.2p1/openbsd-compat/Makefile.in.entropy openssh-6.2p1/openbsd-compat/Makefile.in
|
||||
--- openssh-6.2p1/openbsd-compat/Makefile.in.entropy 2013-03-25 19:31:42.798611440 +0100
|
||||
+++ openssh-6.2p1/openbsd-compat/Makefile.in 2013-03-25 19:33:02.042116876 +0100
|
||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
|
||||
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
|
||||
index b912dbe..9206337 100644
|
||||
--- a/openbsd-compat/Makefile.in
|
||||
+++ b/openbsd-compat/Makefile.in
|
||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
|
||||
|
||||
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
|
||||
|
||||
-PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o
|
||||
+PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
|
||||
-PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
|
||||
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||
diff -up openssh-6.2p1/openbsd-compat/port-linux-prng.c.entropy openssh-6.2p1/openbsd-compat/port-linux-prng.c
|
||||
--- openssh-6.2p1/openbsd-compat/port-linux-prng.c.entropy 2013-03-25 19:31:42.798611440 +0100
|
||||
+++ openssh-6.2p1/openbsd-compat/port-linux-prng.c 2013-03-25 19:31:42.798611440 +0100
|
||||
diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c
|
||||
new file mode 100644
|
||||
index 0000000..92a617c
|
||||
--- /dev/null
|
||||
+++ b/openbsd-compat/port-linux-prng.c
|
||||
@@ -0,0 +1,59 @@
|
||||
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
|
||||
+
|
||||
@ -86,9 +90,10 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux-prng.c.entropy openssh-6.2p1/op
|
||||
+ fatal ("EOF reading %s", random);
|
||||
+ }
|
||||
+}
|
||||
diff -up openssh-6.2p1/ssh-add.0.entropy openssh-6.2p1/ssh-add.0
|
||||
--- openssh-6.2p1/ssh-add.0.entropy 2013-03-22 00:38:29.000000000 +0100
|
||||
+++ openssh-6.2p1/ssh-add.0 2013-03-25 19:31:42.799611446 +0100
|
||||
diff --git a/ssh-add.0 b/ssh-add.0
|
||||
index ba43fee..0b2629a 100644
|
||||
--- a/ssh-add.0
|
||||
+++ b/ssh-add.0
|
||||
@@ -82,6 +82,16 @@ ENVIRONMENT
|
||||
Identifies the path of a UNIX-domain socket used to communicate
|
||||
with the agent.
|
||||
@ -106,10 +111,11 @@ diff -up openssh-6.2p1/ssh-add.0.entropy openssh-6.2p1/ssh-add.0
|
||||
FILES
|
||||
~/.ssh/identity
|
||||
Contains the protocol version 1 RSA authentication identity of
|
||||
diff -up openssh-6.2p1/ssh-add.1.entropy openssh-6.2p1/ssh-add.1
|
||||
--- openssh-6.2p1/ssh-add.1.entropy 2012-12-07 03:06:13.000000000 +0100
|
||||
+++ openssh-6.2p1/ssh-add.1 2013-03-25 19:31:42.799611446 +0100
|
||||
@@ -160,6 +160,20 @@ to make this work.)
|
||||
diff --git a/ssh-add.1 b/ssh-add.1
|
||||
index 4812448..16305bf 100644
|
||||
--- a/ssh-add.1
|
||||
+++ b/ssh-add.1
|
||||
@@ -161,6 +161,20 @@ to make this work.)
|
||||
Identifies the path of a
|
||||
.Ux Ns -domain
|
||||
socket used to communicate with the agent.
|
||||
@ -130,10 +136,11 @@ diff -up openssh-6.2p1/ssh-add.1.entropy openssh-6.2p1/ssh-add.1
|
||||
.El
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds
|
||||
diff -up openssh-6.2p1/ssh-agent.1.entropy openssh-6.2p1/ssh-agent.1
|
||||
--- openssh-6.2p1/ssh-agent.1.entropy 2010-12-01 01:50:35.000000000 +0100
|
||||
+++ openssh-6.2p1/ssh-agent.1 2013-03-25 19:31:42.800611452 +0100
|
||||
@@ -198,6 +198,24 @@ sockets used to contain the connection t
|
||||
diff --git a/ssh-agent.1 b/ssh-agent.1
|
||||
index 281ecbd..1a9a635 100644
|
||||
--- a/ssh-agent.1
|
||||
+++ b/ssh-agent.1
|
||||
@@ -201,6 +201,24 @@ sockets used to contain the connection to the authentication agent.
|
||||
These sockets should only be readable by the owner.
|
||||
The sockets should get automatically removed when the agent exits.
|
||||
.El
|
||||
@ -158,38 +165,11 @@ diff -up openssh-6.2p1/ssh-agent.1.entropy openssh-6.2p1/ssh-agent.1
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
diff -up openssh-6.2p1/sshd.8.entropy openssh-6.2p1/sshd.8
|
||||
--- openssh-6.2p1/sshd.8.entropy 2013-03-25 19:31:42.752611146 +0100
|
||||
+++ openssh-6.2p1/sshd.8 2013-03-25 19:31:42.800611452 +0100
|
||||
@@ -945,6 +945,24 @@ concurrently for different ports, this c
|
||||
started last).
|
||||
The content of this file is not sensitive; it can be world-readable.
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh IPV6
|
||||
IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
|
||||
.Sh SEE ALSO
|
||||
diff -up openssh-6.2p1/ssh-keygen.1.entropy openssh-6.2p1/ssh-keygen.1
|
||||
--- openssh-6.2p1/ssh-keygen.1.entropy 2013-01-20 12:35:06.000000000 +0100
|
||||
+++ openssh-6.2p1/ssh-keygen.1 2013-03-25 19:31:42.801611459 +0100
|
||||
@@ -806,6 +806,24 @@ Contains Diffie-Hellman groups used for
|
||||
diff --git a/ssh-keygen.1 b/ssh-keygen.1
|
||||
index 12e00d4..1b51a4a 100644
|
||||
--- a/ssh-keygen.1
|
||||
+++ b/ssh-keygen.1
|
||||
@@ -832,6 +832,24 @@ Contains Diffie-Hellman groups used for DH-GEX.
|
||||
The file format is described in
|
||||
.Xr moduli 5 .
|
||||
.El
|
||||
@ -214,10 +194,11 @@ diff -up openssh-6.2p1/ssh-keygen.1.entropy openssh-6.2p1/ssh-keygen.1
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
diff -up openssh-6.2p1/ssh-keysign.8.entropy openssh-6.2p1/ssh-keysign.8
|
||||
--- openssh-6.2p1/ssh-keysign.8.entropy 2010-08-31 14:41:14.000000000 +0200
|
||||
+++ openssh-6.2p1/ssh-keysign.8 2013-03-25 19:31:42.801611459 +0100
|
||||
@@ -78,6 +78,24 @@ must be set-uid root if host-based authe
|
||||
diff --git a/ssh-keysign.8 b/ssh-keysign.8
|
||||
index 69d0829..02d79f8 100644
|
||||
--- a/ssh-keysign.8
|
||||
+++ b/ssh-keysign.8
|
||||
@@ -80,6 +80,24 @@ must be set-uid root if host-based authentication is used.
|
||||
If these files exist they are assumed to contain public certificate
|
||||
information corresponding with the private keys above.
|
||||
.El
|
||||
@ -242,10 +223,11 @@ diff -up openssh-6.2p1/ssh-keysign.8.entropy openssh-6.2p1/ssh-keysign.8
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
diff -up openssh-6.2p1/ssh.1.entropy openssh-6.2p1/ssh.1
|
||||
--- openssh-6.2p1/ssh.1.entropy 2013-03-25 19:31:42.752611146 +0100
|
||||
+++ openssh-6.2p1/ssh.1 2013-03-25 19:31:42.799611446 +0100
|
||||
@@ -1277,6 +1277,23 @@ For more information, see the
|
||||
diff --git a/ssh.1 b/ssh.1
|
||||
index 929904b..f65e42f 100644
|
||||
--- a/ssh.1
|
||||
+++ b/ssh.1
|
||||
@@ -1309,6 +1309,23 @@ For more information, see the
|
||||
.Cm PermitUserEnvironment
|
||||
option in
|
||||
.Xr sshd_config 5 .
|
||||
@ -269,3 +251,32 @@ diff -up openssh-6.2p1/ssh.1.entropy openssh-6.2p1/ssh.1
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Pa ~/.rhosts
|
||||
diff --git a/sshd.8 b/sshd.8
|
||||
index c2c237f..058d37a 100644
|
||||
--- a/sshd.8
|
||||
+++ b/sshd.8
|
||||
@@ -951,6 +951,24 @@ concurrently for different ports, this contains the process ID of the one
|
||||
started last).
|
||||
The content of this file is not sensitive; it can be world-readable.
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh IPV6
|
||||
IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
|
||||
.Sh SEE ALSO
|
@ -1,7 +1,7 @@
|
||||
diff -up openssh-6.3p1/auth-rsa.c.fingerprint openssh-6.3p1/auth-rsa.c
|
||||
diff -up openssh-6.3p1/auth.c.fingerprint openssh-6.3p1/auth.c
|
||||
--- openssh-6.3p1/auth.c.fingerprint 2013-10-07 14:02:36.998968153 +0200
|
||||
+++ openssh-6.3p1/auth.c 2013-10-07 15:42:05.243812405 +0200
|
||||
diff --git a/auth.c b/auth.c
|
||||
index 9a36f1d..420a85b 100644
|
||||
--- a/auth.c
|
||||
+++ b/auth.c
|
||||
@@ -685,9 +685,10 @@ auth_key_is_revoked(Key *key)
|
||||
case 1:
|
||||
revoked:
|
||||
@ -15,10 +15,11 @@ diff -up openssh-6.3p1/auth.c.fingerprint openssh-6.3p1/auth.c
|
||||
free(key_fp);
|
||||
return 1;
|
||||
}
|
||||
diff -up openssh-6.3p1/auth2-hostbased.c.fingerprint openssh-6.3p1/auth2-hostbased.c
|
||||
--- openssh-6.3p1/auth2-hostbased.c.fingerprint 2013-10-07 14:02:36.998968153 +0200
|
||||
+++ openssh-6.3p1/auth2-hostbased.c 2013-10-07 15:43:49.747355927 +0200
|
||||
@@ -200,16 +200,18 @@ hostbased_key_allowed(struct passwd *pw,
|
||||
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
|
||||
index 488008f..eca0069 100644
|
||||
--- a/auth2-hostbased.c
|
||||
+++ b/auth2-hostbased.c
|
||||
@@ -206,16 +206,18 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
|
||||
|
||||
if (host_status == HOST_OK) {
|
||||
if (key_is_cert(key)) {
|
||||
@ -44,10 +45,11 @@ diff -up openssh-6.3p1/auth2-hostbased.c.fingerprint openssh-6.3p1/auth2-hostbas
|
||||
}
|
||||
free(fp);
|
||||
}
|
||||
diff -up openssh-6.3p1/auth2-pubkey.c.fingerprint openssh-6.3p1/auth2-pubkey.c
|
||||
--- openssh-6.3p1/auth2-pubkey.c.fingerprint 2013-07-18 08:10:10.000000000 +0200
|
||||
+++ openssh-6.3p1/auth2-pubkey.c 2013-10-07 15:50:44.617495624 +0200
|
||||
@@ -359,10 +359,10 @@ check_authkeys_file(FILE *f, char *file,
|
||||
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
|
||||
index 0fd27bb..749b11a 100644
|
||||
--- a/auth2-pubkey.c
|
||||
+++ b/auth2-pubkey.c
|
||||
@@ -365,10 +365,10 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
|
||||
continue;
|
||||
if (!key_is_cert_authority)
|
||||
continue;
|
||||
@ -62,7 +64,7 @@ diff -up openssh-6.3p1/auth2-pubkey.c.fingerprint openssh-6.3p1/auth2-pubkey.c
|
||||
/*
|
||||
* If the user has specified a list of principals as
|
||||
* a key option, then prefer that list to matching
|
||||
@@ -400,9 +400,9 @@ check_authkeys_file(FILE *f, char *file,
|
||||
@@ -406,9 +406,9 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
|
||||
if (key_is_cert_authority)
|
||||
continue;
|
||||
found_key = 1;
|
||||
@ -75,7 +77,7 @@ diff -up openssh-6.3p1/auth2-pubkey.c.fingerprint openssh-6.3p1/auth2-pubkey.c
|
||||
free(fp);
|
||||
break;
|
||||
}
|
||||
@@ -425,13 +425,13 @@ user_cert_trusted_ca(struct passwd *pw,
|
||||
@@ -431,13 +431,13 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
|
||||
if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
|
||||
return 0;
|
||||
|
||||
@ -93,10 +95,11 @@ diff -up openssh-6.3p1/auth2-pubkey.c.fingerprint openssh-6.3p1/auth2-pubkey.c
|
||||
options.trusted_user_ca_keys);
|
||||
goto out;
|
||||
}
|
||||
diff -up openssh-6.3p1/key.c.fingerprint openssh-6.3p1/key.c
|
||||
--- openssh-6.3p1/key.c.fingerprint 2013-10-07 14:02:36.971968285 +0200
|
||||
+++ openssh-6.3p1/key.c 2013-10-07 14:02:36.999968148 +0200
|
||||
@@ -598,6 +598,34 @@ key_fingerprint(const Key *k, enum fp_ty
|
||||
diff --git a/key.c b/key.c
|
||||
index 168e1b7..eb98ea8 100644
|
||||
--- a/key.c
|
||||
+++ b/key.c
|
||||
@@ -628,6 +628,34 @@ key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
|
||||
return retval;
|
||||
}
|
||||
|
||||
@ -131,10 +134,11 @@ diff -up openssh-6.3p1/key.c.fingerprint openssh-6.3p1/key.c
|
||||
/*
|
||||
* Reads a multiple-precision integer in decimal from the buffer, and advances
|
||||
* the pointer. The integer must already be initialized. This function is
|
||||
diff -up openssh-6.3p1/key.h.fingerprint openssh-6.3p1/key.h
|
||||
--- openssh-6.3p1/key.h.fingerprint 2013-10-07 14:02:36.999968148 +0200
|
||||
+++ openssh-6.3p1/key.h 2013-10-07 15:44:17.574233450 +0200
|
||||
@@ -97,6 +97,9 @@ int key_equal_public(const Key *, cons
|
||||
diff --git a/key.h b/key.h
|
||||
index d8ad13d..0e3eea5 100644
|
||||
--- a/key.h
|
||||
+++ b/key.h
|
||||
@@ -104,6 +104,9 @@ int key_equal_public(const Key *, const Key *);
|
||||
int key_equal(const Key *, const Key *);
|
||||
char *key_fingerprint(const Key *, enum fp_type, enum fp_rep);
|
||||
u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
|
||||
@ -144,10 +148,11 @@ diff -up openssh-6.3p1/key.h.fingerprint openssh-6.3p1/key.h
|
||||
const char *key_type(const Key *);
|
||||
const char *key_cert_type(const Key *);
|
||||
int key_write(const Key *, FILE *);
|
||||
diff -up openssh-6.3p1/ssh-add.c.fingerprint openssh-6.3p1/ssh-add.c
|
||||
--- openssh-6.3p1/ssh-add.c.fingerprint 2013-10-07 14:02:37.000968143 +0200
|
||||
+++ openssh-6.3p1/ssh-add.c 2013-10-07 14:44:57.466515766 +0200
|
||||
@@ -326,10 +326,10 @@ list_identities(AuthenticationConnection
|
||||
diff --git a/ssh-add.c b/ssh-add.c
|
||||
index 3421452..691949f 100644
|
||||
--- a/ssh-add.c
|
||||
+++ b/ssh-add.c
|
||||
@@ -330,10 +330,10 @@ list_identities(AuthenticationConnection *ac, int do_fp)
|
||||
key = ssh_get_next_identity(ac, &comment, version)) {
|
||||
had_identities = 1;
|
||||
if (do_fp) {
|
||||
@ -162,9 +167,10 @@ diff -up openssh-6.3p1/ssh-add.c.fingerprint openssh-6.3p1/ssh-add.c
|
||||
free(fp);
|
||||
} else {
|
||||
if (!key_write(key, stdout))
|
||||
diff -up openssh-6.3p1/ssh-agent.c.fingerprint openssh-6.3p1/ssh-agent.c
|
||||
--- openssh-6.3p1/ssh-agent.c.fingerprint 2013-10-07 14:02:37.000968143 +0200
|
||||
+++ openssh-6.3p1/ssh-agent.c 2013-10-07 15:41:11.627044336 +0200
|
||||
diff --git a/ssh-agent.c b/ssh-agent.c
|
||||
index ba24612..117fdde 100644
|
||||
--- a/ssh-agent.c
|
||||
+++ b/ssh-agent.c
|
||||
@@ -198,9 +198,9 @@ confirm_key(Identity *id)
|
||||
char *p;
|
||||
int ret = -1;
|
||||
@ -178,10 +184,11 @@ diff -up openssh-6.3p1/ssh-agent.c.fingerprint openssh-6.3p1/ssh-agent.c
|
||||
ret = 0;
|
||||
free(p);
|
||||
|
||||
diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c
|
||||
--- openssh-6.3p1/ssh-keygen.c.fingerprint 2013-07-20 05:22:32.000000000 +0200
|
||||
+++ openssh-6.3p1/ssh-keygen.c 2013-10-07 14:25:52.864145038 +0200
|
||||
@@ -767,13 +767,14 @@ do_fingerprint(struct passwd *pw)
|
||||
diff --git a/ssh-keygen.c b/ssh-keygen.c
|
||||
index 2a316bc..482dc1c 100644
|
||||
--- a/ssh-keygen.c
|
||||
+++ b/ssh-keygen.c
|
||||
@@ -783,13 +783,14 @@ do_fingerprint(struct passwd *pw)
|
||||
{
|
||||
FILE *f;
|
||||
Key *public;
|
||||
@ -198,7 +205,7 @@ diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c
|
||||
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
|
||||
|
||||
if (!have_identity)
|
||||
@@ -785,8 +786,8 @@ do_fingerprint(struct passwd *pw)
|
||||
@@ -801,8 +802,8 @@ do_fingerprint(struct passwd *pw)
|
||||
public = key_load_public(identity_file, &comment);
|
||||
if (public != NULL) {
|
||||
fp = key_fingerprint(public, fptype, rep);
|
||||
@ -209,7 +216,7 @@ diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c
|
||||
key_type(public));
|
||||
if (log_level >= SYSLOG_LEVEL_VERBOSE)
|
||||
printf("%s\n", ra);
|
||||
@@ -851,8 +852,8 @@ do_fingerprint(struct passwd *pw)
|
||||
@@ -867,8 +868,8 @@ do_fingerprint(struct passwd *pw)
|
||||
}
|
||||
comment = *cp ? cp : comment;
|
||||
fp = key_fingerprint(public, fptype, rep);
|
||||
@ -220,7 +227,7 @@ diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c
|
||||
comment ? comment : "no comment", key_type(public));
|
||||
if (log_level >= SYSLOG_LEVEL_VERBOSE)
|
||||
printf("%s\n", ra);
|
||||
@@ -970,13 +971,15 @@ printhost(FILE *f, const char *name, Key
|
||||
@@ -986,13 +987,15 @@ printhost(FILE *f, const char *name, Key *public, int ca, int hash)
|
||||
if (print_fingerprint) {
|
||||
enum fp_rep rep;
|
||||
enum fp_type fptype;
|
||||
@ -240,7 +247,7 @@ diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c
|
||||
key_type(public));
|
||||
if (log_level >= SYSLOG_LEVEL_VERBOSE)
|
||||
printf("%s\n", ra);
|
||||
@@ -1855,16 +1858,17 @@ do_show_cert(struct passwd *pw)
|
||||
@@ -1878,16 +1881,17 @@ do_show_cert(struct passwd *pw)
|
||||
fatal("%s is not a certificate", identity_file);
|
||||
v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
|
||||
|
||||
@ -264,7 +271,7 @@ diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c
|
||||
printf(" Key ID: \"%s\"\n", key->cert->key_id);
|
||||
if (!v00) {
|
||||
printf(" Serial: %llu\n",
|
||||
@@ -2655,13 +2659,12 @@ passphrase_again:
|
||||
@@ -2686,13 +2690,12 @@ passphrase_again:
|
||||
fclose(f);
|
||||
|
||||
if (!quiet) {
|
||||
@ -281,10 +288,11 @@ diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c
|
||||
printf("The key's randomart image is:\n");
|
||||
printf("%s\n", ra);
|
||||
free(ra);
|
||||
diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c
|
||||
--- openssh-6.3p1/sshconnect.c.fingerprint 2013-06-01 23:31:19.000000000 +0200
|
||||
+++ openssh-6.3p1/sshconnect.c 2013-10-07 14:43:54.859822036 +0200
|
||||
@@ -830,10 +830,10 @@ check_host_key(char *hostname, struct so
|
||||
diff --git a/sshconnect.c b/sshconnect.c
|
||||
index 573d7a8..394cca8 100644
|
||||
--- a/sshconnect.c
|
||||
+++ b/sshconnect.c
|
||||
@@ -914,10 +914,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
|
||||
"key for IP address '%.128s' to the list "
|
||||
"of known hosts.", type, ip);
|
||||
} else if (options.visual_host_key) {
|
||||
@ -299,7 +307,7 @@ diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c
|
||||
free(ra);
|
||||
free(fp);
|
||||
}
|
||||
@@ -871,9 +871,8 @@ check_host_key(char *hostname, struct so
|
||||
@@ -955,9 +955,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
|
||||
else
|
||||
snprintf(msg1, sizeof(msg1), ".");
|
||||
/* The default */
|
||||
@ -311,7 +319,7 @@ diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c
|
||||
msg2[0] = '\0';
|
||||
if (options.verify_host_key_dns) {
|
||||
if (matching_host_key_dns)
|
||||
@@ -888,10 +887,11 @@ check_host_key(char *hostname, struct so
|
||||
@@ -972,10 +971,11 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
|
||||
snprintf(msg, sizeof(msg),
|
||||
"The authenticity of host '%.200s (%s)' can't be "
|
||||
"established%s\n"
|
||||
@ -325,7 +333,7 @@ diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c
|
||||
options.visual_host_key ? "\n" : "",
|
||||
options.visual_host_key ? ra : "",
|
||||
msg2);
|
||||
@@ -1136,8 +1136,9 @@ verify_host_key(char *host, struct socka
|
||||
@@ -1220,8 +1220,9 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
|
||||
int flags = 0;
|
||||
char *fp;
|
||||
|
||||
@ -337,7 +345,7 @@ diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c
|
||||
free(fp);
|
||||
|
||||
/* XXX certs are not yet supported for DNS */
|
||||
@@ -1238,14 +1239,15 @@ show_other_keys(struct hostkeys *hostkey
|
||||
@@ -1327,14 +1328,15 @@ show_other_keys(struct hostkeys *hostkeys, Key *key)
|
||||
continue;
|
||||
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
|
||||
continue;
|
||||
@ -357,7 +365,7 @@ diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c
|
||||
if (options.visual_host_key)
|
||||
logit("%s", ra);
|
||||
free(ra);
|
||||
@@ -1260,7 +1262,7 @@ warn_changed_key(Key *host_key)
|
||||
@@ -1349,7 +1351,7 @@ warn_changed_key(Key *host_key)
|
||||
{
|
||||
char *fp;
|
||||
|
||||
@ -366,7 +374,7 @@ diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c
|
||||
|
||||
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
|
||||
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
|
||||
@@ -1268,8 +1270,8 @@ warn_changed_key(Key *host_key)
|
||||
@@ -1357,8 +1359,8 @@ warn_changed_key(Key *host_key)
|
||||
error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
|
||||
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
|
||||
error("It is also possible that a host key has just been changed.");
|
||||
@ -377,10 +385,11 @@ diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c
|
||||
error("Please contact your system administrator.");
|
||||
|
||||
free(fp);
|
||||
diff -up openssh-6.3p1/sshconnect2.c.fingerprint openssh-6.3p1/sshconnect2.c
|
||||
--- openssh-6.3p1/sshconnect2.c.fingerprint 2013-10-07 14:02:37.001968139 +0200
|
||||
+++ openssh-6.3p1/sshconnect2.c 2013-10-07 15:20:09.403234714 +0200
|
||||
@@ -590,8 +590,9 @@ input_userauth_pk_ok(int type, u_int32_t
|
||||
diff --git a/sshconnect2.c b/sshconnect2.c
|
||||
index 7f4ff41..adbbfc7 100644
|
||||
--- a/sshconnect2.c
|
||||
+++ b/sshconnect2.c
|
||||
@@ -577,8 +577,9 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
|
||||
key->type, pktype);
|
||||
goto done;
|
||||
}
|
||||
@ -392,7 +401,7 @@ diff -up openssh-6.3p1/sshconnect2.c.fingerprint openssh-6.3p1/sshconnect2.c
|
||||
free(fp);
|
||||
|
||||
/*
|
||||
@@ -1202,8 +1203,9 @@ sign_and_send_pubkey(Authctxt *authctxt,
|
||||
@@ -986,8 +987,9 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
|
||||
int have_sig = 1;
|
||||
char *fp;
|
||||
|
@ -1,6 +1,8 @@
|
||||
diff -up openssh-6.3p1/HOWTO.ssh-keycat.keycat openssh-6.3p1/HOWTO.ssh-keycat
|
||||
--- openssh-6.3p1/HOWTO.ssh-keycat.keycat 2013-10-10 15:16:33.445566916 +0200
|
||||
+++ openssh-6.3p1/HOWTO.ssh-keycat 2013-10-10 15:16:33.445566916 +0200
|
||||
diff --git a/HOWTO.ssh-keycat b/HOWTO.ssh-keycat
|
||||
new file mode 100644
|
||||
index 0000000..630ec62
|
||||
--- /dev/null
|
||||
+++ b/HOWTO.ssh-keycat
|
||||
@@ -0,0 +1,12 @@
|
||||
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
|
||||
+of an user in any environment. This includes environments with
|
||||
@ -14,9 +16,10 @@ diff -up openssh-6.3p1/HOWTO.ssh-keycat.keycat openssh-6.3p1/HOWTO.ssh-keycat
|
||||
+ PubkeyAuthentication yes
|
||||
+
|
||||
+
|
||||
diff -up openssh-6.3p1/Makefile.in.keycat openssh-6.3p1/Makefile.in
|
||||
--- openssh-6.3p1/Makefile.in.keycat 2013-10-10 15:16:33.442566930 +0200
|
||||
+++ openssh-6.3p1/Makefile.in 2013-10-10 15:16:33.445566916 +0200
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 411eadb..4ab6717 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
||||
@ -34,17 +37,17 @@ diff -up openssh-6.3p1/Makefile.in.keycat openssh-6.3p1/Makefile.in
|
||||
|
||||
LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
|
||||
canohost.o channels.o cipher.o cipher-aes.o \
|
||||
@@ -172,6 +173,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
||||
@@ -176,6 +177,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
|
||||
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
||||
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keycat.o
|
||||
+ $(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
|
||||
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
|
||||
+ $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS)
|
||||
+
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@@ -279,6 +283,7 @@ install-files:
|
||||
@@ -283,6 +287,7 @@ install-files:
|
||||
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
|
||||
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
||||
fi
|
||||
@ -52,15 +55,16 @@ diff -up openssh-6.3p1/Makefile.in.keycat openssh-6.3p1/Makefile.in
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
diff -up openssh-6.3p1/auth2-pubkey.c.keycat openssh-6.3p1/auth2-pubkey.c
|
||||
--- openssh-6.3p1/auth2-pubkey.c.keycat 2013-10-10 15:16:33.429566992 +0200
|
||||
+++ openssh-6.3p1/auth2-pubkey.c 2013-10-10 15:16:33.445566916 +0200
|
||||
@@ -606,6 +606,14 @@ user_key_command_allowed2(struct passwd
|
||||
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
|
||||
index c0ae0d4..cb0f931 100644
|
||||
--- a/auth2-pubkey.c
|
||||
+++ b/auth2-pubkey.c
|
||||
@@ -600,6 +600,14 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
|
||||
_exit(1);
|
||||
}
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (ssh_selinux_setup_env_variables() < 0) {
|
||||
+ if (sshd_selinux_setup_env_variables() < 0) {
|
||||
+ error ("failed to copy environment: %s",
|
||||
+ strerror(errno));
|
||||
+ _exit(127);
|
||||
@ -70,19 +74,41 @@ diff -up openssh-6.3p1/auth2-pubkey.c.keycat openssh-6.3p1/auth2-pubkey.c
|
||||
execl(options.authorized_keys_command,
|
||||
options.authorized_keys_command, user_pw->pw_name, NULL);
|
||||
|
||||
diff -up openssh-6.3p1/openbsd-compat/port-linux.c.keycat openssh-6.3p1/openbsd-compat/port-linux.c
|
||||
--- openssh-6.3p1/openbsd-compat/port-linux.c.keycat 2013-10-10 15:16:33.435566964 +0200
|
||||
+++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 15:32:19.946065189 +0200
|
||||
@@ -313,7 +313,7 @@ ssh_selinux_getctxbyname(char *pwname,
|
||||
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
|
||||
index d04f4ed..0077dd7 100644
|
||||
--- a/openbsd-compat/port-linux-sshd.c
|
||||
+++ b/openbsd-compat/port-linux-sshd.c
|
||||
@@ -53,6 +53,20 @@ extern Authctxt *the_authctxt;
|
||||
extern int inetd_flag;
|
||||
extern int rexeced_flag;
|
||||
|
||||
+/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||
+int
|
||||
+sshd_selinux_enabled(void)
|
||||
+{
|
||||
+ static int enabled = -1;
|
||||
+
|
||||
+ if (enabled == -1) {
|
||||
+ enabled = (is_selinux_enabled() == 1);
|
||||
+ debug("SELinux support %s", enabled ? "enabled" : "disabled");
|
||||
+ }
|
||||
+
|
||||
+ return (enabled);
|
||||
+}
|
||||
+
|
||||
/* Send audit message */
|
||||
static int
|
||||
sshd_selinux_send_audit_message(int success, security_context_t default_context,
|
||||
@@ -307,7 +321,7 @@ sshd_selinux_getctxbyname(char *pwname,
|
||||
|
||||
/* Setup environment variables for pam_selinux */
|
||||
static int
|
||||
-ssh_selinux_setup_pam_variables(void)
|
||||
+ssh_selinux_setup_variables(int(*set_it)(const char *, const char *))
|
||||
-sshd_selinux_setup_pam_variables(void)
|
||||
+sshd_selinux_setup_variables(int(*set_it)(char *, const char *))
|
||||
{
|
||||
const char *reqlvl;
|
||||
char *role;
|
||||
@@ -324,16 +324,16 @@ ssh_selinux_setup_pam_variables(void)
|
||||
@@ -318,16 +332,16 @@ sshd_selinux_setup_pam_variables(void)
|
||||
|
||||
ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
|
||||
@ -102,34 +128,82 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.keycat openssh-6.3p1/openbsd-
|
||||
|
||||
if (role != NULL)
|
||||
free(role);
|
||||
@@ -341,6 +341,24 @@ ssh_selinux_setup_pam_variables(void)
|
||||
@@ -335,6 +349,24 @@ sshd_selinux_setup_pam_variables(void)
|
||||
return rv;
|
||||
}
|
||||
|
||||
+static int
|
||||
+ssh_selinux_setup_pam_variables(void)
|
||||
+sshd_selinux_setup_pam_variables(void)
|
||||
+{
|
||||
+ return ssh_selinux_setup_variables(do_pam_putenv);
|
||||
+ return sshd_selinux_setup_variables(do_pam_putenv);
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+do_setenv(char *name, char *value)
|
||||
+do_setenv(char *name, const char *value)
|
||||
+{
|
||||
+ return setenv(name, value, 1);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+ssh_selinux_setup_env_variables(void)
|
||||
+sshd_selinux_setup_env_variables(void)
|
||||
+{
|
||||
+ return ssh_selinux_setup_variables(do_setenv);
|
||||
+ return sshd_selinux_setup_variables(do_setenv);
|
||||
+}
|
||||
+
|
||||
/* Set the execution context to the default for the specified user */
|
||||
void
|
||||
ssh_selinux_setup_exec_context(char *pwname)
|
||||
diff -up openssh-6.3p1/ssh-keycat.c.keycat openssh-6.3p1/ssh-keycat.c
|
||||
--- openssh-6.3p1/ssh-keycat.c.keycat 2013-10-10 15:16:33.446566911 +0200
|
||||
+++ openssh-6.3p1/ssh-keycat.c 2013-10-10 15:16:33.446566911 +0200
|
||||
sshd_selinux_setup_exec_context(char *pwname)
|
||||
@@ -343,7 +375,7 @@ sshd_selinux_setup_exec_context(char *pwname)
|
||||
int r = 0;
|
||||
security_context_t default_ctx = NULL;
|
||||
|
||||
- if (!ssh_selinux_enabled())
|
||||
+ if (!sshd_selinux_enabled())
|
||||
return;
|
||||
|
||||
if (options.use_pam) {
|
||||
@@ -414,7 +446,7 @@ sshd_selinux_copy_context(void)
|
||||
{
|
||||
security_context_t *ctx;
|
||||
|
||||
- if (!ssh_selinux_enabled())
|
||||
+ if (!sshd_selinux_enabled())
|
||||
return;
|
||||
|
||||
if (getexeccon((security_context_t *)&ctx) != 0) {
|
||||
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
|
||||
index b18893c..cb51f99 100644
|
||||
--- a/openbsd-compat/port-linux.h
|
||||
+++ b/openbsd-compat/port-linux.h
|
||||
@@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const char *);
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
|
||||
+int sshd_selinux_enabled(void);
|
||||
void sshd_selinux_copy_context(void);
|
||||
void sshd_selinux_setup_exec_context(char *);
|
||||
+int sshd_selinux_setup_env_variables(void);
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
diff --git a/platform.c b/platform.c
|
||||
index 0d39ab2..0dae387 100644
|
||||
--- a/platform.c
|
||||
+++ b/platform.c
|
||||
@@ -102,7 +102,7 @@ platform_setusercontext(struct passwd *pw)
|
||||
{
|
||||
#ifdef WITH_SELINUX
|
||||
/* Cache selinux status for later use */
|
||||
- (void)ssh_selinux_enabled();
|
||||
+ (void)sshd_selinux_enabled();
|
||||
#endif
|
||||
|
||||
#ifdef USE_SOLARIS_PROJECTS
|
||||
diff --git a/ssh-keycat.c b/ssh-keycat.c
|
||||
new file mode 100644
|
||||
index 0000000..f8ed7af
|
||||
--- /dev/null
|
||||
+++ b/ssh-keycat.c
|
||||
@@ -0,0 +1,238 @@
|
||||
+/*
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
@ -1,15 +1,15 @@
|
||||
diff -up openssh-5.8p1/authfile.c.keyperm openssh-5.8p1/authfile.c
|
||||
--- openssh-5.8p1/authfile.c.keyperm 2010-12-01 02:03:39.000000000 +0100
|
||||
+++ openssh-5.8p1/authfile.c 2011-04-21 16:43:36.859648916 +0200
|
||||
@@ -57,6 +57,7 @@
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
+#include <grp.h>
|
||||
diff -up openssh-6.6p1/authfile.c.keyperm openssh-6.6p1/authfile.c
|
||||
--- openssh-6.6p1/authfile.c.keyperm 2014-02-04 01:20:15.000000000 +0100
|
||||
+++ openssh-6.6p1/authfile.c 2014-05-05 15:20:43.075246776 +0200
|
||||
@@ -54,6 +54,7 @@
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "cipher.h"
|
||||
@@ -600,6 +612,13 @@ key_perm_ok(int fd, const char *filename
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
+#include <grp.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
@@ -979,6 +980,13 @@ key_perm_ok(int fd, const char *filename
|
||||
#ifdef HAVE_CYGWIN
|
||||
if (check_ntsec(filename))
|
||||
#endif
|
File diff suppressed because it is too large
Load Diff
@ -1,7 +1,8 @@
|
||||
diff -up openssh-6.1p1/sshd.c.log-usepam-no openssh-6.1p1/sshd.c
|
||||
--- openssh-6.1p1/sshd.c.log-usepam-no 2012-09-14 20:54:58.000000000 +0200
|
||||
+++ openssh-6.1p1/sshd.c 2012-09-14 20:55:42.289477749 +0200
|
||||
@@ -1617,6 +1617,10 @@ main(int ac, char **av)
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index a7b8b6a..24ab272 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -1620,6 +1620,10 @@ main(int ac, char **av)
|
||||
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
||||
&cfg, NULL);
|
||||
|
||||
@ -12,15 +13,16 @@ diff -up openssh-6.1p1/sshd.c.log-usepam-no openssh-6.1p1/sshd.c
|
||||
seed_rng();
|
||||
|
||||
/* Fill in default values for those options not explicitly set. */
|
||||
diff -up openssh-6.1p1/sshd_config.log-usepam-no openssh-6.1p1/sshd_config
|
||||
--- openssh-6.1p1/sshd_config.log-usepam-no 2012-09-14 20:54:58.514255748 +0200
|
||||
+++ openssh-6.1p1/sshd_config 2012-09-14 20:54:58.551255954 +0200
|
||||
@@ -95,6 +95,8 @@ GSSAPICleanupCredentials no
|
||||
diff --git a/sshd_config b/sshd_config
|
||||
index 36cb27a..c1b7c03 100644
|
||||
--- a/sshd_config
|
||||
+++ b/sshd_config
|
||||
@@ -101,6 +101,8 @@ GSSAPICleanupCredentials no
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
|
||||
+# problems.
|
||||
#UsePAM no
|
||||
UsePAM yes
|
||||
|
||||
#AllowAgentForwarding yes
|
@ -1,12 +1,13 @@
|
||||
diff -up openssh-6.3p1/openbsd-compat/port-linux.c.privsep-selinux openssh-6.3p1/openbsd-compat/port-linux.c
|
||||
--- openssh-6.3p1/openbsd-compat/port-linux.c.privsep-selinux 2013-10-10 14:58:20.634762245 +0200
|
||||
+++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 15:13:57.864306950 +0200
|
||||
@@ -503,6 +503,25 @@ ssh_selinux_change_context(const char *n
|
||||
free(newctx);
|
||||
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
|
||||
index c18524e..d04f4ed 100644
|
||||
--- a/openbsd-compat/port-linux-sshd.c
|
||||
+++ b/openbsd-compat/port-linux-sshd.c
|
||||
@@ -409,6 +409,25 @@ sshd_selinux_setup_exec_context(char *pwname)
|
||||
debug3("%s: done", __func__);
|
||||
}
|
||||
|
||||
+void
|
||||
+ssh_selinux_copy_context(void)
|
||||
+sshd_selinux_copy_context(void)
|
||||
+{
|
||||
+ security_context_t *ctx;
|
||||
+
|
||||
@ -24,34 +25,36 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.privsep-selinux openssh-6.3p1
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
#endif /* WITH_SELINUX */
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
diff -up openssh-6.3p1/openbsd-compat/port-linux.h.privsep-selinux openssh-6.3p1/openbsd-compat/port-linux.h
|
||||
--- openssh-6.3p1/openbsd-compat/port-linux.h.privsep-selinux 2011-01-25 02:16:18.000000000 +0100
|
||||
+++ openssh-6.3p1/openbsd-compat/port-linux.h 2013-10-10 14:58:20.634762245 +0200
|
||||
@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
|
||||
void ssh_selinux_setup_pty(char *, const char *);
|
||||
void ssh_selinux_setup_exec_context(char *);
|
||||
void ssh_selinux_change_context(const char *);
|
||||
+void ssh_selinux_copy_context(void);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
#endif
|
||||
#endif
|
||||
|
||||
diff -up openssh-6.3p1/session.c.privsep-selinux openssh-6.3p1/session.c
|
||||
--- openssh-6.3p1/session.c.privsep-selinux 2013-10-10 14:58:20.617762326 +0200
|
||||
+++ openssh-6.3p1/session.c 2013-10-10 15:13:16.520503590 +0200
|
||||
@@ -1522,6 +1522,9 @@ do_setusercontext(struct passwd *pw)
|
||||
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
|
||||
index 8ef6cc4..b18893c 100644
|
||||
--- a/openbsd-compat/port-linux.h
|
||||
+++ b/openbsd-compat/port-linux.h
|
||||
@@ -25,6 +25,7 @@ void ssh_selinux_setup_pty(char *, const char *);
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
|
||||
+void sshd_selinux_copy_context(void);
|
||||
void sshd_selinux_setup_exec_context(char *);
|
||||
#endif
|
||||
|
||||
diff --git a/session.c b/session.c
|
||||
index 2bcf818..b5dc144 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -1538,6 +1538,9 @@ do_setusercontext(struct passwd *pw)
|
||||
pw->pw_uid);
|
||||
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
|
||||
"u", pw->pw_name, (char *)NULL);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ ssh_selinux_copy_context();
|
||||
+ sshd_selinux_copy_context();
|
||||
+#endif
|
||||
safely_chroot(chroot_path, pw->pw_uid);
|
||||
free(tmp);
|
||||
free(chroot_path);
|
||||
@@ -1544,6 +1547,12 @@ do_setusercontext(struct passwd *pw)
|
||||
@@ -1565,6 +1568,12 @@ do_setusercontext(struct passwd *pw)
|
||||
/* Permanently switch to the desired uid. */
|
||||
permanently_set_uid(pw);
|
||||
#endif
|
||||
@ -59,12 +62,12 @@ diff -up openssh-6.3p1/session.c.privsep-selinux openssh-6.3p1/session.c
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (options.chroot_directory == NULL ||
|
||||
+ strcasecmp(options.chroot_directory, "none") == 0)
|
||||
+ ssh_selinux_copy_context();
|
||||
+ sshd_selinux_copy_context();
|
||||
+#endif
|
||||
} else if (options.chroot_directory != NULL &&
|
||||
strcasecmp(options.chroot_directory, "none") != 0) {
|
||||
fatal("server lacks privileges to chroot to ChrootDirectory");
|
||||
@@ -1808,9 +1817,6 @@ do_child(Session *s, const char *command
|
||||
@@ -1826,9 +1835,6 @@ do_child(Session *s, const char *command)
|
||||
argv[i] = NULL;
|
||||
optind = optreset = 1;
|
||||
__progname = argv[0];
|
||||
@ -74,10 +77,11 @@ diff -up openssh-6.3p1/session.c.privsep-selinux openssh-6.3p1/session.c
|
||||
exit(sftp_server_main(i, argv, s->pw));
|
||||
}
|
||||
|
||||
diff -up openssh-6.3p1/sshd.c.privsep-selinux openssh-6.3p1/sshd.c
|
||||
--- openssh-6.3p1/sshd.c.privsep-selinux 2013-10-10 14:58:20.632762255 +0200
|
||||
+++ openssh-6.3p1/sshd.c 2013-10-10 14:58:20.635762241 +0200
|
||||
@@ -668,6 +668,10 @@ privsep_preauth_child(void)
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 07f9926..a97f8b7 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -632,6 +632,10 @@ privsep_preauth_child(void)
|
||||
/* Demote the private keys to public keys. */
|
||||
demote_sensitive_data();
|
||||
|
||||
@ -88,14 +92,14 @@ diff -up openssh-6.3p1/sshd.c.privsep-selinux openssh-6.3p1/sshd.c
|
||||
/* Change our root directory */
|
||||
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
|
||||
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
|
||||
@@ -811,6 +815,13 @@ privsep_postauth(Authctxt *authctxt)
|
||||
@@ -768,6 +772,13 @@ privsep_postauth(Authctxt *authctxt)
|
||||
do_setusercontext(authctxt->pw);
|
||||
|
||||
skip:
|
||||
+#ifdef WITH_SELINUX
|
||||
+ /* switch SELinux content for root too */
|
||||
+ if (authctxt->pw->pw_uid == 0) {
|
||||
+ ssh_selinux_copy_context();
|
||||
+ sshd_selinux_copy_context();
|
||||
+ }
|
||||
+#endif
|
||||
+
|
@ -1,6 +1,7 @@
|
||||
diff -up openssh-6.3p1/ssh_config.redhat openssh-6.3p1/ssh_config
|
||||
--- openssh-6.3p1/ssh_config.redhat 2013-10-11 14:51:18.345876648 +0200
|
||||
+++ openssh-6.3p1/ssh_config 2013-10-11 15:13:05.429829266 +0200
|
||||
diff --git a/ssh_config b/ssh_config
|
||||
index 03a228f..6d1abaf 100644
|
||||
--- a/ssh_config
|
||||
+++ b/ssh_config
|
||||
@@ -46,3 +46,14 @@
|
||||
# VisualHostKey no
|
||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||
@ -16,37 +17,10 @@ diff -up openssh-6.3p1/ssh_config.redhat openssh-6.3p1/ssh_config
|
||||
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
+ SendEnv XMODIFIERS
|
||||
diff -up openssh-6.3p1/sshd_config.0.redhat openssh-6.3p1/sshd_config.0
|
||||
--- openssh-6.3p1/sshd_config.0.redhat 2013-09-13 08:20:43.000000000 +0200
|
||||
+++ openssh-6.3p1/sshd_config.0 2013-10-11 14:51:18.345876648 +0200
|
||||
@@ -653,9 +653,9 @@ DESCRIPTION
|
||||
|
||||
SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
|
||||
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
|
||||
- default is AUTH.
|
||||
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
|
||||
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
+ The default is AUTH.
|
||||
|
||||
TCPKeepAlive
|
||||
Specifies whether the system should send TCP keepalive messages
|
||||
diff -up openssh-6.3p1/sshd_config.5.redhat openssh-6.3p1/sshd_config.5
|
||||
--- openssh-6.3p1/sshd_config.5.redhat 2013-07-20 05:21:53.000000000 +0200
|
||||
+++ openssh-6.3p1/sshd_config.5 2013-10-11 14:51:18.346876643 +0200
|
||||
@@ -1095,7 +1095,7 @@ Note that this option applies to protoco
|
||||
.It Cm SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
.Xr sshd 8 .
|
||||
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
|
||||
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
|
||||
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
The default is AUTH.
|
||||
.It Cm TCPKeepAlive
|
||||
diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config
|
||||
--- openssh-6.3p1/sshd_config.redhat 2013-10-11 14:51:18.343876657 +0200
|
||||
+++ openssh-6.3p1/sshd_config 2013-10-11 14:51:18.346876643 +0200
|
||||
diff --git a/sshd_config b/sshd_config
|
||||
index c735429..e68ddee 100644
|
||||
--- a/sshd_config
|
||||
+++ b/sshd_config
|
||||
@@ -10,6 +10,10 @@
|
||||
# possible, but leave them commented. Uncommented options override the
|
||||
# default value.
|
||||
@ -58,7 +32,7 @@ diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config
|
||||
#Port 22
|
||||
#AddressFamily any
|
||||
#ListenAddress 0.0.0.0
|
||||
@@ -21,9 +25,9 @@
|
||||
@@ -21,10 +25,10 @@
|
||||
# HostKey for protocol version 1
|
||||
#HostKey /etc/ssh/ssh_host_key
|
||||
# HostKeys for protocol version 2
|
||||
@ -66,11 +40,13 @@ diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config
|
||||
+HostKey /etc/ssh/ssh_host_rsa_key
|
||||
#HostKey /etc/ssh/ssh_host_dsa_key
|
||||
-#HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
-#HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
+HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
+HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
# Lifetime and size of ephemeral version 1 server key
|
||||
#KeyRegenerationInterval 1h
|
||||
@@ -35,6 +39,7 @@
|
||||
@@ -36,6 +40,7 @@
|
||||
# Logging
|
||||
# obsoletes QuietMode and FascistLogging
|
||||
#SyslogFacility AUTH
|
||||
@ -78,7 +54,7 @@ diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config
|
||||
#LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
@@ -70,9 +75,11 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
@@ -71,9 +76,11 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
#PasswordAuthentication yes
|
||||
#PermitEmptyPasswords no
|
||||
@ -90,31 +66,33 @@ diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config
|
||||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
@@ -82,7 +89,9 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
@@ -82,8 +89,8 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
#KerberosGetAFSToken no
|
||||
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
||||
-#GSSAPIAuthentication no
|
||||
-#GSSAPICleanupCredentials yes
|
||||
+GSSAPIAuthentication yes
|
||||
#GSSAPICleanupCredentials yes
|
||||
+GSSAPICleanupCredentials no
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
@@ -94,11 +103,13 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
@@ -94,12 +101,12 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
#UsePAM no
|
||||
-#UsePAM no
|
||||
+UsePAM yes
|
||||
|
||||
#AllowAgentForwarding yes
|
||||
#AllowTcpForwarding yes
|
||||
#GatewayPorts no
|
||||
#X11Forwarding no
|
||||
-#X11Forwarding no
|
||||
+X11Forwarding yes
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PrintMotd yes
|
||||
@@ -120,6 +131,12 @@ UsePrivilegeSeparation sandbox # Defaul
|
||||
#PermitTTY yes
|
||||
@@ -122,6 +129,12 @@ UsePrivilegeSeparation sandbox # Default for new installations.
|
||||
# no default banner path
|
||||
#Banner none
|
||||
|
||||
@ -127,3 +105,33 @@ diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/libexec/sftp-server
|
||||
|
||||
diff --git a/sshd_config.0 b/sshd_config.0
|
||||
index 413c260..87e7ee7 100644
|
||||
--- a/sshd_config.0
|
||||
+++ b/sshd_config.0
|
||||
@@ -675,9 +675,9 @@ DESCRIPTION
|
||||
|
||||
SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
|
||||
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
|
||||
- default is AUTH.
|
||||
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
|
||||
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
+ The default is AUTH.
|
||||
|
||||
TCPKeepAlive
|
||||
Specifies whether the system should send TCP keepalive messages
|
||||
diff --git a/sshd_config.5 b/sshd_config.5
|
||||
index ce71efe..12465c2 100644
|
||||
--- a/sshd_config.5
|
||||
+++ b/sshd_config.5
|
||||
@@ -1131,7 +1131,7 @@ Note that this option applies to protocol version 2 only.
|
||||
.It Cm SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
.Xr sshd 8 .
|
||||
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
|
||||
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
|
||||
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
The default is AUTH.
|
||||
.It Cm TCPKeepAlive
|
@ -1,7 +1,8 @@
|
||||
diff -up openssh-6.3p1/auth-pam.c.role-mls openssh-6.3p1/auth-pam.c
|
||||
--- openssh-6.3p1/auth-pam.c.role-mls 2013-10-10 14:34:43.799494546 +0200
|
||||
+++ openssh-6.3p1/auth-pam.c 2013-10-10 14:34:43.835494375 +0200
|
||||
@@ -1071,7 +1071,7 @@ is_pam_session_open(void)
|
||||
diff --git a/auth-pam.c b/auth-pam.c
|
||||
index d789bad..cd1a775 100644
|
||||
--- a/auth-pam.c
|
||||
+++ b/auth-pam.c
|
||||
@@ -1068,7 +1068,7 @@ is_pam_session_open(void)
|
||||
* during the ssh authentication process.
|
||||
*/
|
||||
int
|
||||
@ -10,9 +11,10 @@ diff -up openssh-6.3p1/auth-pam.c.role-mls openssh-6.3p1/auth-pam.c
|
||||
{
|
||||
int ret = 1;
|
||||
#ifdef HAVE_PAM_PUTENV
|
||||
diff -up openssh-6.3p1/auth-pam.h.role-mls openssh-6.3p1/auth-pam.h
|
||||
--- openssh-6.3p1/auth-pam.h.role-mls 2004-09-11 14:17:26.000000000 +0200
|
||||
+++ openssh-6.3p1/auth-pam.h 2013-10-10 14:34:43.835494375 +0200
|
||||
diff --git a/auth-pam.h b/auth-pam.h
|
||||
index a1a2b52..b109a5a 100644
|
||||
--- a/auth-pam.h
|
||||
+++ b/auth-pam.h
|
||||
@@ -38,7 +38,7 @@ void do_pam_session(void);
|
||||
void do_pam_set_tty(const char *);
|
||||
void do_pam_setcred(int );
|
||||
@ -22,9 +24,10 @@ diff -up openssh-6.3p1/auth-pam.h.role-mls openssh-6.3p1/auth-pam.h
|
||||
char ** fetch_pam_environment(void);
|
||||
char ** fetch_pam_child_environment(void);
|
||||
void free_pam_environment(char **);
|
||||
diff -up openssh-6.3p1/auth.h.role-mls openssh-6.3p1/auth.h
|
||||
--- openssh-6.3p1/auth.h.role-mls 2013-10-10 14:34:43.834494379 +0200
|
||||
+++ openssh-6.3p1/auth.h 2013-10-10 14:38:45.060348227 +0200
|
||||
diff --git a/auth.h b/auth.h
|
||||
index 124e597..4605588 100644
|
||||
--- a/auth.h
|
||||
+++ b/auth.h
|
||||
@@ -59,6 +59,9 @@ struct Authctxt {
|
||||
char *service;
|
||||
struct passwd *pw; /* set if 'valid' */
|
||||
@ -34,10 +37,11 @@ diff -up openssh-6.3p1/auth.h.role-mls openssh-6.3p1/auth.h
|
||||
+#endif
|
||||
void *kbdintctxt;
|
||||
char *info; /* Extra info for next auth_log */
|
||||
void *jpake_ctx;
|
||||
diff -up openssh-6.3p1/auth1.c.role-mls openssh-6.3p1/auth1.c
|
||||
--- openssh-6.3p1/auth1.c.role-mls 2013-06-02 00:01:24.000000000 +0200
|
||||
+++ openssh-6.3p1/auth1.c 2013-10-10 14:34:43.835494375 +0200
|
||||
#ifdef BSD_AUTH
|
||||
diff --git a/auth1.c b/auth1.c
|
||||
index 0f870b3..df040bb 100644
|
||||
--- a/auth1.c
|
||||
+++ b/auth1.c
|
||||
@@ -381,6 +381,9 @@ do_authentication(Authctxt *authctxt)
|
||||
{
|
||||
u_int ulen;
|
||||
@ -73,10 +77,11 @@ diff -up openssh-6.3p1/auth1.c.role-mls openssh-6.3p1/auth1.c
|
||||
|
||||
/* Verify that the user is a valid user. */
|
||||
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
|
||||
diff -up openssh-6.3p1/auth2-gss.c.role-mls openssh-6.3p1/auth2-gss.c
|
||||
--- openssh-6.3p1/auth2-gss.c.role-mls 2013-06-01 23:31:18.000000000 +0200
|
||||
+++ openssh-6.3p1/auth2-gss.c 2013-10-10 14:34:43.836494370 +0200
|
||||
@@ -256,6 +256,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
diff --git a/auth2-gss.c b/auth2-gss.c
|
||||
index c28a705..4756dd7 100644
|
||||
--- a/auth2-gss.c
|
||||
+++ b/auth2-gss.c
|
||||
@@ -251,6 +251,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
|
||||
Authctxt *authctxt = ctxt;
|
||||
Gssctxt *gssctxt;
|
||||
int authenticated = 0;
|
||||
@ -84,7 +89,7 @@ diff -up openssh-6.3p1/auth2-gss.c.role-mls openssh-6.3p1/auth2-gss.c
|
||||
Buffer b;
|
||||
gss_buffer_desc mic, gssbuf;
|
||||
u_int len;
|
||||
@@ -268,7 +269,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
@@ -263,7 +264,13 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
|
||||
mic.value = packet_get_string(&len);
|
||||
mic.length = len;
|
||||
|
||||
@ -99,7 +104,7 @@ diff -up openssh-6.3p1/auth2-gss.c.role-mls openssh-6.3p1/auth2-gss.c
|
||||
"gssapi-with-mic");
|
||||
|
||||
gssbuf.value = buffer_ptr(&b);
|
||||
@@ -280,6 +287,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
@@ -275,6 +282,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
|
||||
logit("GSSAPI MIC check failed");
|
||||
|
||||
buffer_free(&b);
|
||||
@ -108,10 +113,11 @@ diff -up openssh-6.3p1/auth2-gss.c.role-mls openssh-6.3p1/auth2-gss.c
|
||||
free(mic.value);
|
||||
|
||||
authctxt->postponed = 0;
|
||||
diff -up openssh-6.3p1/auth2-hostbased.c.role-mls openssh-6.3p1/auth2-hostbased.c
|
||||
--- openssh-6.3p1/auth2-hostbased.c.role-mls 2013-10-10 14:34:43.818494455 +0200
|
||||
+++ openssh-6.3p1/auth2-hostbased.c 2013-10-10 14:34:43.836494370 +0200
|
||||
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
|
||||
index eca0069..95d678e 100644
|
||||
--- a/auth2-hostbased.c
|
||||
+++ b/auth2-hostbased.c
|
||||
@@ -112,7 +112,15 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
buffer_put_string(&b, session_id2, session_id2_len);
|
||||
/* reconstruct packet */
|
||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||
@ -128,10 +134,11 @@ diff -up openssh-6.3p1/auth2-hostbased.c.role-mls openssh-6.3p1/auth2-hostbased.
|
||||
buffer_put_cstring(&b, service);
|
||||
buffer_put_cstring(&b, "hostbased");
|
||||
buffer_put_string(&b, pkalg, alen);
|
||||
diff -up openssh-6.3p1/auth2-pubkey.c.role-mls openssh-6.3p1/auth2-pubkey.c
|
||||
--- openssh-6.3p1/auth2-pubkey.c.role-mls 2013-10-10 14:34:43.836494370 +0200
|
||||
+++ openssh-6.3p1/auth2-pubkey.c 2013-10-10 14:57:17.452062486 +0200
|
||||
@@ -127,9 +127,11 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
|
||||
index 749b11a..c0ae0d4 100644
|
||||
--- a/auth2-pubkey.c
|
||||
+++ b/auth2-pubkey.c
|
||||
@@ -133,9 +133,11 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
}
|
||||
/* reconstruct packet */
|
||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||
@ -145,10 +152,11 @@ diff -up openssh-6.3p1/auth2-pubkey.c.role-mls openssh-6.3p1/auth2-pubkey.c
|
||||
buffer_put_cstring(&b, userstyle);
|
||||
free(userstyle);
|
||||
buffer_put_cstring(&b,
|
||||
diff -up openssh-6.3p1/auth2.c.role-mls openssh-6.3p1/auth2.c
|
||||
--- openssh-6.3p1/auth2.c.role-mls 2013-10-10 14:34:43.819494451 +0200
|
||||
+++ openssh-6.3p1/auth2.c 2013-10-10 14:34:43.835494375 +0200
|
||||
@@ -221,6 +221,9 @@ input_userauth_request(int type, u_int32
|
||||
diff --git a/auth2.c b/auth2.c
|
||||
index a5490c0..5f4f26f 100644
|
||||
--- a/auth2.c
|
||||
+++ b/auth2.c
|
||||
@@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
|
||||
Authctxt *authctxt = ctxt;
|
||||
Authmethod *m = NULL;
|
||||
char *user, *service, *method, *style = NULL;
|
||||
@ -158,7 +166,7 @@ diff -up openssh-6.3p1/auth2.c.role-mls openssh-6.3p1/auth2.c
|
||||
int authenticated = 0;
|
||||
|
||||
if (authctxt == NULL)
|
||||
@@ -232,6 +235,11 @@ input_userauth_request(int type, u_int32
|
||||
@@ -226,6 +229,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
|
||||
debug("userauth-request for user %s service %s method %s", user, service, method);
|
||||
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
|
||||
|
||||
@ -170,7 +178,7 @@ diff -up openssh-6.3p1/auth2.c.role-mls openssh-6.3p1/auth2.c
|
||||
if ((style = strchr(user, ':')) != NULL)
|
||||
*style++ = 0;
|
||||
|
||||
@@ -254,8 +262,15 @@ input_userauth_request(int type, u_int32
|
||||
@@ -251,8 +259,15 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
|
||||
use_privsep ? " [net]" : "");
|
||||
authctxt->service = xstrdup(service);
|
||||
authctxt->style = style ? xstrdup(style) : NULL;
|
||||
@ -187,10 +195,11 @@ diff -up openssh-6.3p1/auth2.c.role-mls openssh-6.3p1/auth2.c
|
||||
userauth_banner();
|
||||
if (auth2_setup_methods_lists(authctxt) != 0)
|
||||
packet_disconnect("no authentication methods enabled");
|
||||
diff -up openssh-6.3p1/misc.c.role-mls openssh-6.3p1/misc.c
|
||||
--- openssh-6.3p1/misc.c.role-mls 2013-08-08 04:50:06.000000000 +0200
|
||||
+++ openssh-6.3p1/misc.c 2013-10-10 14:34:43.836494370 +0200
|
||||
@@ -429,6 +429,7 @@ char *
|
||||
diff --git a/misc.c b/misc.c
|
||||
index e4c8c32..f31cd91 100644
|
||||
--- a/misc.c
|
||||
+++ b/misc.c
|
||||
@@ -430,6 +430,7 @@ char *
|
||||
colon(char *cp)
|
||||
{
|
||||
int flag = 0;
|
||||
@ -198,7 +207,7 @@ diff -up openssh-6.3p1/misc.c.role-mls openssh-6.3p1/misc.c
|
||||
|
||||
if (*cp == ':') /* Leading colon is part of file name. */
|
||||
return NULL;
|
||||
@@ -444,6 +445,13 @@ colon(char *cp)
|
||||
@@ -445,6 +446,13 @@ colon(char *cp)
|
||||
return (cp);
|
||||
if (*cp == '/')
|
||||
return NULL;
|
||||
@ -212,10 +221,11 @@ diff -up openssh-6.3p1/misc.c.role-mls openssh-6.3p1/misc.c
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c
|
||||
--- openssh-6.3p1/monitor.c.role-mls 2013-10-10 14:34:43.821494441 +0200
|
||||
+++ openssh-6.3p1/monitor.c 2013-10-10 14:54:57.933725463 +0200
|
||||
@@ -149,6 +149,9 @@ int mm_answer_sign(int, Buffer *);
|
||||
diff --git a/monitor.c b/monitor.c
|
||||
index 531c4f9..229fada 100644
|
||||
--- a/monitor.c
|
||||
+++ b/monitor.c
|
||||
@@ -145,6 +145,9 @@ int mm_answer_sign(int, Buffer *);
|
||||
int mm_answer_pwnamallow(int, Buffer *);
|
||||
int mm_answer_auth2_read_banner(int, Buffer *);
|
||||
int mm_answer_authserv(int, Buffer *);
|
||||
@ -225,7 +235,7 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c
|
||||
int mm_answer_authpassword(int, Buffer *);
|
||||
int mm_answer_bsdauthquery(int, Buffer *);
|
||||
int mm_answer_bsdauthrespond(int, Buffer *);
|
||||
@@ -233,6 +236,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||
@@ -219,6 +222,9 @@ struct mon_table mon_dispatch_proto20[] = {
|
||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||
@ -235,7 +245,7 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c
|
||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||
#ifdef USE_PAM
|
||||
@@ -853,6 +859,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
|
||||
@@ -805,6 +811,9 @@ mm_answer_pwnamallow(int sock, Buffer *m)
|
||||
else {
|
||||
/* Allow service/style information on the auth context */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||
@ -245,7 +255,7 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||
}
|
||||
#ifdef USE_PAM
|
||||
@@ -894,6 +903,25 @@ mm_answer_authserv(int sock, Buffer *m)
|
||||
@@ -846,6 +855,25 @@ mm_answer_authserv(int sock, Buffer *m)
|
||||
return (0);
|
||||
}
|
||||
|
||||
@ -271,7 +281,7 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c
|
||||
int
|
||||
mm_answer_authpassword(int sock, Buffer *m)
|
||||
{
|
||||
@@ -1269,7 +1297,7 @@ static int
|
||||
@@ -1220,7 +1248,7 @@ static int
|
||||
monitor_valid_userblob(u_char *data, u_int datalen)
|
||||
{
|
||||
Buffer b;
|
||||
@ -280,7 +290,7 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c
|
||||
u_int len;
|
||||
int fail = 0;
|
||||
|
||||
@@ -1295,6 +1323,8 @@ monitor_valid_userblob(u_char *data, u_i
|
||||
@@ -1246,6 +1274,8 @@ monitor_valid_userblob(u_char *data, u_int datalen)
|
||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||
fail++;
|
||||
p = buffer_get_cstring(&b, NULL);
|
||||
@ -289,7 +299,7 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c
|
||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
authctxt->style ? authctxt->style : "");
|
||||
@@ -1330,7 +1360,7 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
@@ -1281,7 +1311,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
|
||||
char *chost)
|
||||
{
|
||||
Buffer b;
|
||||
@ -298,7 +308,7 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c
|
||||
u_int len;
|
||||
int fail = 0;
|
||||
|
||||
@@ -1347,6 +1377,8 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
@@ -1298,6 +1328,8 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
|
||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||
fail++;
|
||||
p = buffer_get_cstring(&b, NULL);
|
||||
@ -307,23 +317,26 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c
|
||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
authctxt->style ? authctxt->style : "");
|
||||
diff -up openssh-6.3p1/monitor.h.role-mls openssh-6.3p1/monitor.h
|
||||
--- openssh-6.3p1/monitor.h.role-mls 2013-10-10 14:34:43.821494441 +0200
|
||||
+++ openssh-6.3p1/monitor.h 2013-10-10 14:34:43.837494365 +0200
|
||||
@@ -61,6 +61,9 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57,
|
||||
MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59,
|
||||
MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61,
|
||||
diff --git a/monitor.h b/monitor.h
|
||||
index 5bc41b5..20e2b4a 100644
|
||||
--- a/monitor.h
|
||||
+++ b/monitor.h
|
||||
@@ -57,6 +57,10 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
|
||||
MONITOR_REQ_TERM = 50,
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ MONITOR_REQ_AUTHROLE = 80,
|
||||
+#endif
|
||||
|
||||
+
|
||||
MONITOR_REQ_PAM_START = 100,
|
||||
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
|
||||
diff -up openssh-6.3p1/monitor_wrap.c.role-mls openssh-6.3p1/monitor_wrap.c
|
||||
--- openssh-6.3p1/monitor_wrap.c.role-mls 2013-10-10 14:34:43.822494436 +0200
|
||||
+++ openssh-6.3p1/monitor_wrap.c 2013-10-10 14:34:43.838494360 +0200
|
||||
@@ -338,6 +338,25 @@ mm_inform_authserv(char *service, char *
|
||||
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
|
||||
diff --git a/monitor_wrap.c b/monitor_wrap.c
|
||||
index 1a47e41..d1b6d99 100644
|
||||
--- a/monitor_wrap.c
|
||||
+++ b/monitor_wrap.c
|
||||
@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *style)
|
||||
buffer_free(&m);
|
||||
}
|
||||
|
||||
@ -349,9 +362,10 @@ diff -up openssh-6.3p1/monitor_wrap.c.role-mls openssh-6.3p1/monitor_wrap.c
|
||||
/* Do the password authentication */
|
||||
int
|
||||
mm_auth_password(Authctxt *authctxt, char *password)
|
||||
diff -up openssh-6.3p1/monitor_wrap.h.role-mls openssh-6.3p1/monitor_wrap.h
|
||||
--- openssh-6.3p1/monitor_wrap.h.role-mls 2013-10-10 14:34:43.822494436 +0200
|
||||
+++ openssh-6.3p1/monitor_wrap.h 2013-10-10 14:34:43.838494360 +0200
|
||||
diff --git a/monitor_wrap.h b/monitor_wrap.h
|
||||
index 18c2501..9d5e5ba 100644
|
||||
--- a/monitor_wrap.h
|
||||
+++ b/monitor_wrap.h
|
||||
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
|
||||
DH *mm_choose_dh(int, int, int);
|
||||
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
|
||||
@ -362,36 +376,67 @@ diff -up openssh-6.3p1/monitor_wrap.h.role-mls openssh-6.3p1/monitor_wrap.h
|
||||
struct passwd *mm_getpwnamallow(const char *);
|
||||
char *mm_auth2_read_banner(void);
|
||||
int mm_auth_password(struct Authctxt *, char *);
|
||||
diff -up openssh-6.3p1/openbsd-compat/Makefile.in.role-mls openssh-6.3p1/openbsd-compat/Makefile.in
|
||||
--- openssh-6.3p1/openbsd-compat/Makefile.in.role-mls 2013-05-10 08:28:56.000000000 +0200
|
||||
+++ openssh-6.3p1/openbsd-compat/Makefile.in 2013-10-10 14:34:43.838494360 +0200
|
||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
|
||||
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
|
||||
index 6ecfb93..b912dbe 100644
|
||||
--- a/openbsd-compat/Makefile.in
|
||||
+++ b/openbsd-compat/Makefile.in
|
||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
|
||||
|
||||
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
|
||||
|
||||
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
|
||||
+PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o
|
||||
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||
diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbsd-compat/port-linux.c
|
||||
--- openssh-6.3p1/openbsd-compat/port-linux.c.role-mls 2013-06-02 00:07:32.000000000 +0200
|
||||
+++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 14:40:41.841793347 +0200
|
||||
@@ -31,68 +31,271 @@
|
||||
|
||||
#include "log.h"
|
||||
#include "xmalloc.h"
|
||||
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
|
||||
new file mode 100644
|
||||
index 0000000..c18524e
|
||||
--- /dev/null
|
||||
+++ b/openbsd-compat/port-linux-sshd.c
|
||||
@@ -0,0 +1,414 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
|
||||
+ *
|
||||
+ * Permission to use, copy, modify, and distribute this software for any
|
||||
+ * purpose with or without fee is hereby granted, provided that the above
|
||||
+ * copyright notice and this permission notice appear in all copies.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * Linux-specific portability code - just SELinux support for sshd at present
|
||||
+ */
|
||||
+
|
||||
+#include "includes.h"
|
||||
+
|
||||
+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
|
||||
+#include <errno.h>
|
||||
+#include <stdarg.h>
|
||||
+#include <string.h>
|
||||
+#include <stdio.h>
|
||||
+
|
||||
+#include "log.h"
|
||||
+#include "xmalloc.h"
|
||||
+#include "servconf.h"
|
||||
#include "port-linux.h"
|
||||
+#include "port-linux.h"
|
||||
+#include "key.h"
|
||||
+#include "hostfile.h"
|
||||
+#include "auth.h"
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
#include <selinux/selinux.h>
|
||||
#include <selinux/flask.h>
|
||||
+
|
||||
+#ifdef WITH_SELINUX
|
||||
+#include <selinux/selinux.h>
|
||||
+#include <selinux/flask.h>
|
||||
+#include <selinux/context.h>
|
||||
#include <selinux/get_context_list.h>
|
||||
+#include <selinux/get_context_list.h>
|
||||
+#include <selinux/get_default_type.h>
|
||||
+#include <selinux/av_permissions.h>
|
||||
+
|
||||
@ -399,14 +444,7 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
|
||||
+#include <libaudit.h>
|
||||
+#include <unistd.h>
|
||||
+#endif
|
||||
|
||||
#ifndef SSH_SELINUX_UNCONFINED_TYPE
|
||||
# define SSH_SELINUX_UNCONFINED_TYPE ":unconfined_t:"
|
||||
#endif
|
||||
|
||||
-/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||
-int
|
||||
-ssh_selinux_enabled(void)
|
||||
+
|
||||
+extern ServerOptions options;
|
||||
+extern Authctxt *the_authctxt;
|
||||
+extern int inetd_flag;
|
||||
@ -414,10 +452,9 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
|
||||
+
|
||||
+/* Send audit message */
|
||||
+static int
|
||||
+send_audit_message(int success, security_context_t default_context,
|
||||
+sshd_selinux_send_audit_message(int success, security_context_t default_context,
|
||||
+ security_context_t selected_context)
|
||||
{
|
||||
- static int enabled = -1;
|
||||
+{
|
||||
+ int rc=0;
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+ char *msg = NULL;
|
||||
@ -509,7 +546,7 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
|
||||
+ freecon(*sc);
|
||||
+ *sc = strdup(context_str(con));
|
||||
+ context_free(con);
|
||||
+ if (!*sc)
|
||||
+ if (!*sc)
|
||||
+ return -1;
|
||||
+ }
|
||||
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
|
||||
@ -532,10 +569,7 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
|
||||
+ context_free(con);
|
||||
+ goto out;
|
||||
+ }
|
||||
|
||||
- if (enabled == -1) {
|
||||
- enabled = (is_selinux_enabled() == 1);
|
||||
- debug("SELinux support %s", enabled ? "enabled" : "disabled");
|
||||
+
|
||||
+ debug("get_user_context: obtained context '%s' requested context '%s'",
|
||||
+ obtained_raw, requested_raw);
|
||||
+ if (strcmp(obtained_raw, requested_raw)) {
|
||||
@ -550,7 +584,7 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
|
||||
+ freecon(requested_raw);
|
||||
+ freecon(obtained_raw);
|
||||
+ context_free(con);
|
||||
}
|
||||
+ }
|
||||
+#endif
|
||||
+ return 0;
|
||||
+ out:
|
||||
@ -558,8 +592,7 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
|
||||
+ *sc = NULL;
|
||||
+ return -1;
|
||||
+}
|
||||
|
||||
- return (enabled);
|
||||
+
|
||||
+static void
|
||||
+ssh_selinux_get_role_level(char **role, const char **level)
|
||||
+{
|
||||
@ -575,46 +608,37 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
||||
/* Return the default security context for the given username */
|
||||
static security_context_t
|
||||
-ssh_selinux_getctxbyname(char *pwname)
|
||||
+ssh_selinux_getctxbyname(char *pwname,
|
||||
+}
|
||||
+
|
||||
+/* Return the default security context for the given username */
|
||||
+static int
|
||||
+sshd_selinux_getctxbyname(char *pwname,
|
||||
+ security_context_t *default_sc, security_context_t *user_sc)
|
||||
{
|
||||
- security_context_t sc = NULL;
|
||||
- char *sename = NULL, *lvl = NULL;
|
||||
- int r;
|
||||
+{
|
||||
+ char *sename, *lvl;
|
||||
+ char *role;
|
||||
+ const char *reqlvl;
|
||||
+ int r = 0;
|
||||
+ context_t con = NULL;
|
||||
+
|
||||
+
|
||||
+ ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
|
||||
#ifdef HAVE_GETSEUSERBYNAME
|
||||
- if (getseuserbyname(pwname, &sename, &lvl) != 0)
|
||||
- return NULL;
|
||||
+
|
||||
+#ifdef HAVE_GETSEUSERBYNAME
|
||||
+ if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
|
||||
+ sename = NULL;
|
||||
+ lvl = NULL;
|
||||
+ }
|
||||
#else
|
||||
sename = pwname;
|
||||
- lvl = NULL;
|
||||
+#else
|
||||
+ sename = pwname;
|
||||
+ lvl = "";
|
||||
#endif
|
||||
|
||||
+#endif
|
||||
+
|
||||
+ if (r == 0) {
|
||||
#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
|
||||
- r = get_default_context_with_level(sename, lvl, NULL, &sc);
|
||||
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
|
||||
+ r = get_default_context_with_level(sename, lvl, NULL, default_sc);
|
||||
#else
|
||||
- r = get_default_context(sename, NULL, &sc);
|
||||
+#else
|
||||
+ r = get_default_context(sename, NULL, default_sc);
|
||||
#endif
|
||||
+#endif
|
||||
+ }
|
||||
+
|
||||
+ if (r == 0) {
|
||||
@ -634,26 +658,12 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
|
||||
+ reqlvl = "";
|
||||
+
|
||||
+ debug("%s: current connection level '%s'", __func__, reqlvl);
|
||||
|
||||
- if (r != 0) {
|
||||
- switch (security_getenforce()) {
|
||||
- case -1:
|
||||
- fatal("%s: ssh_selinux_getctxbyname: "
|
||||
- "security_getenforce() failed", __func__);
|
||||
- case 0:
|
||||
- error("%s: Failed to get default SELinux security "
|
||||
- "context for %s", __func__, pwname);
|
||||
- sc = NULL;
|
||||
- break;
|
||||
- default:
|
||||
- fatal("%s: Failed to get default SELinux security "
|
||||
- "context for %s (in enforcing mode)",
|
||||
- __func__, pwname);
|
||||
}
|
||||
+
|
||||
+
|
||||
+ }
|
||||
+
|
||||
+ if ((reqlvl != NULL && reqlvl[0]) || (role != NULL && role[0])) {
|
||||
+ r = get_user_context(sename, role, reqlvl, user_sc);
|
||||
+
|
||||
+
|
||||
+ if (r == 0 && reqlvl != NULL && reqlvl[0]) {
|
||||
+ security_context_t default_level_sc = *default_sc;
|
||||
+ if (role != NULL && role[0]) {
|
||||
@ -677,14 +687,13 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
|
||||
+ if (r != 0) {
|
||||
+ error("%s: Failed to get default SELinux security "
|
||||
+ "context for %s", __func__, pwname);
|
||||
}
|
||||
|
||||
#ifdef HAVE_GETSEUSERBYNAME
|
||||
@@ -100,7 +303,42 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
free(lvl);
|
||||
#endif
|
||||
|
||||
- return sc;
|
||||
+ }
|
||||
+
|
||||
+#ifdef HAVE_GETSEUSERBYNAME
|
||||
+ free(sename);
|
||||
+ free(lvl);
|
||||
+#endif
|
||||
+
|
||||
+ if (role != NULL)
|
||||
+ free(role);
|
||||
+ if (con)
|
||||
@ -695,7 +704,7 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
|
||||
+
|
||||
+/* Setup environment variables for pam_selinux */
|
||||
+static int
|
||||
+ssh_selinux_setup_pam_variables(void)
|
||||
+sshd_selinux_setup_pam_variables(void)
|
||||
+{
|
||||
+ const char *reqlvl;
|
||||
+ char *role;
|
||||
@ -721,22 +730,22 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
|
||||
+ free(role);
|
||||
+
|
||||
+ return rv;
|
||||
}
|
||||
|
||||
/* Set the execution context to the default for the specified user */
|
||||
@@ -108,28 +346,71 @@ void
|
||||
ssh_selinux_setup_exec_context(char *pwname)
|
||||
{
|
||||
security_context_t user_ctx = NULL;
|
||||
+}
|
||||
+
|
||||
+/* Set the execution context to the default for the specified user */
|
||||
+void
|
||||
+sshd_selinux_setup_exec_context(char *pwname)
|
||||
+{
|
||||
+ security_context_t user_ctx = NULL;
|
||||
+ int r = 0;
|
||||
+ security_context_t default_ctx = NULL;
|
||||
|
||||
if (!ssh_selinux_enabled())
|
||||
return;
|
||||
|
||||
+
|
||||
+ if (!ssh_selinux_enabled())
|
||||
+ return;
|
||||
+
|
||||
+ if (options.use_pam) {
|
||||
+ /* do not compute context, just setup environment for pam_selinux */
|
||||
+ if (ssh_selinux_setup_pam_variables()) {
|
||||
+ if (sshd_selinux_setup_pam_variables()) {
|
||||
+ switch (security_getenforce()) {
|
||||
+ case -1:
|
||||
+ fatal("%s: security_getenforce() failed", __func__);
|
||||
@ -752,17 +761,15 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
debug3("%s: setting execution context", __func__);
|
||||
|
||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||
- if (setexeccon(user_ctx) != 0) {
|
||||
+ r = ssh_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
||||
+ debug3("%s: setting execution context", __func__);
|
||||
+
|
||||
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
||||
+ if (r >= 0) {
|
||||
+ r = setexeccon(user_ctx);
|
||||
+ if (r < 0) {
|
||||
+ error("%s: Failed to set SELinux execution context %s for %s",
|
||||
+ __func__, user_ctx, pwname);
|
||||
+ }
|
||||
+ }
|
||||
+#ifdef HAVE_SETKEYCREATECON
|
||||
+ else if (setkeycreatecon(user_ctx) < 0) {
|
||||
+ error("%s: Failed to set SELinux keyring creation context %s for %s",
|
||||
@ -776,155 +783,113 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
|
||||
+ if (r < 0 || user_ctx != default_ctx) {
|
||||
+ /* audit just the case when user changed a role or there was
|
||||
+ a failure */
|
||||
+ send_audit_message(r >= 0, default_ctx, user_ctx);
|
||||
+ sshd_selinux_send_audit_message(r >= 0, default_ctx, user_ctx);
|
||||
+ }
|
||||
+ if (r < 0) {
|
||||
switch (security_getenforce()) {
|
||||
case -1:
|
||||
fatal("%s: security_getenforce() failed", __func__);
|
||||
case 0:
|
||||
- error("%s: Failed to set SELinux execution "
|
||||
- "context for %s", __func__, pwname);
|
||||
+ switch (security_getenforce()) {
|
||||
+ case -1:
|
||||
+ fatal("%s: security_getenforce() failed", __func__);
|
||||
+ case 0:
|
||||
+ error("%s: SELinux failure. Continuing in permissive mode.",
|
||||
+ __func__);
|
||||
break;
|
||||
default:
|
||||
- fatal("%s: Failed to set SELinux execution context "
|
||||
- "for %s (in enforcing mode)", __func__, pwname);
|
||||
+ break;
|
||||
+ default:
|
||||
+ fatal("%s: SELinux failure. Aborting connection.",
|
||||
+ __func__);
|
||||
}
|
||||
}
|
||||
- if (user_ctx != NULL)
|
||||
+ }
|
||||
+ }
|
||||
+ if (user_ctx != NULL && user_ctx != default_ctx)
|
||||
freecon(user_ctx);
|
||||
+ freecon(user_ctx);
|
||||
+ if (default_ctx != NULL)
|
||||
+ freecon(default_ctx);
|
||||
|
||||
debug3("%s: done", __func__);
|
||||
}
|
||||
@@ -147,7 +428,10 @@ ssh_selinux_setup_pty(char *pwname, cons
|
||||
|
||||
debug3("%s: setting TTY context on %s", __func__, tty);
|
||||
|
||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||
+ if (getexeccon(&user_ctx) < 0) {
|
||||
+ error("%s: getexeccon: %s", __func__, strerror(errno));
|
||||
+ goto out;
|
||||
+ }
|
||||
|
||||
/* XXX: should these calls fatal() upon failure in enforcing mode? */
|
||||
|
||||
@@ -219,21 +503,6 @@ ssh_selinux_change_context(const char *n
|
||||
free(newctx);
|
||||
+
|
||||
+ debug3("%s: done", __func__);
|
||||
+}
|
||||
+
|
||||
+#endif
|
||||
+#endif
|
||||
+
|
||||
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
|
||||
index 4637a7a..22ea8ef 100644
|
||||
--- a/openbsd-compat/port-linux.c
|
||||
+++ b/openbsd-compat/port-linux.c
|
||||
@@ -103,37 +103,6 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
return sc;
|
||||
}
|
||||
|
||||
-/* Set the execution context to the default for the specified user */
|
||||
-void
|
||||
-ssh_selinux_setfscreatecon(const char *path)
|
||||
-ssh_selinux_setup_exec_context(char *pwname)
|
||||
-{
|
||||
- security_context_t context;
|
||||
- security_context_t user_ctx = NULL;
|
||||
-
|
||||
- if (!ssh_selinux_enabled())
|
||||
- return;
|
||||
- if (path == NULL) {
|
||||
- setfscreatecon(NULL);
|
||||
- return;
|
||||
-
|
||||
- debug3("%s: setting execution context", __func__);
|
||||
-
|
||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||
- if (setexeccon(user_ctx) != 0) {
|
||||
- switch (security_getenforce()) {
|
||||
- case -1:
|
||||
- fatal("%s: security_getenforce() failed", __func__);
|
||||
- case 0:
|
||||
- error("%s: Failed to set SELinux execution "
|
||||
- "context for %s", __func__, pwname);
|
||||
- break;
|
||||
- default:
|
||||
- fatal("%s: Failed to set SELinux execution context "
|
||||
- "for %s (in enforcing mode)", __func__, pwname);
|
||||
- }
|
||||
- }
|
||||
- if (matchpathcon(path, 0700, &context) == 0)
|
||||
- setfscreatecon(context);
|
||||
- if (user_ctx != NULL)
|
||||
- freecon(user_ctx);
|
||||
-
|
||||
- debug3("%s: done", __func__);
|
||||
-}
|
||||
-
|
||||
#endif /* WITH_SELINUX */
|
||||
/* Set the TTY context for the specified user */
|
||||
void
|
||||
ssh_selinux_setup_pty(char *pwname, const char *tty)
|
||||
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
|
||||
index e3d1004..8ef6cc4 100644
|
||||
--- a/openbsd-compat/port-linux.h
|
||||
+++ b/openbsd-compat/port-linux.h
|
||||
@@ -22,9 +22,10 @@
|
||||
#ifdef WITH_SELINUX
|
||||
int ssh_selinux_enabled(void);
|
||||
void ssh_selinux_setup_pty(char *, const char *);
|
||||
-void ssh_selinux_setup_exec_context(char *);
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
+
|
||||
+void sshd_selinux_setup_exec_context(char *);
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
diff -up openssh-6.3p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.3p1/openbsd-compat/port-linux_part_2.c
|
||||
--- openssh-6.3p1/openbsd-compat/port-linux_part_2.c.role-mls 2013-10-10 14:34:43.839494355 +0200
|
||||
+++ openssh-6.3p1/openbsd-compat/port-linux_part_2.c 2013-10-10 14:34:43.839494355 +0200
|
||||
@@ -0,0 +1,75 @@
|
||||
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
|
||||
+
|
||||
+/*
|
||||
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||
+ * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
|
||||
+ *
|
||||
+ * Permission to use, copy, modify, and distribute this software for any
|
||||
+ * purpose with or without fee is hereby granted, provided that the above
|
||||
+ * copyright notice and this permission notice appear in all copies.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * Linux-specific portability code - just SELinux support at present
|
||||
+ */
|
||||
+
|
||||
+#include "includes.h"
|
||||
+
|
||||
+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
|
||||
+#include <errno.h>
|
||||
+#include <stdarg.h>
|
||||
+#include <string.h>
|
||||
+#include <stdio.h>
|
||||
+
|
||||
+#include "log.h"
|
||||
+#include "xmalloc.h"
|
||||
+#include "port-linux.h"
|
||||
+#include "key.h"
|
||||
+#include "hostfile.h"
|
||||
+#include "auth.h"
|
||||
+
|
||||
+#ifdef WITH_SELINUX
|
||||
+#include <selinux/selinux.h>
|
||||
+#include <selinux/flask.h>
|
||||
+#include <selinux/get_context_list.h>
|
||||
+
|
||||
+/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||
+int
|
||||
+ssh_selinux_enabled(void)
|
||||
+{
|
||||
+ static int enabled = -1;
|
||||
+
|
||||
+ if (enabled == -1) {
|
||||
+ enabled = (is_selinux_enabled() == 1);
|
||||
+ debug("SELinux support %s", enabled ? "enabled" : "disabled");
|
||||
+ }
|
||||
+
|
||||
+ return (enabled);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+ssh_selinux_setfscreatecon(const char *path)
|
||||
+{
|
||||
+ security_context_t context;
|
||||
+
|
||||
+ if (!ssh_selinux_enabled())
|
||||
+ return;
|
||||
+ if (path == NULL) {
|
||||
+ setfscreatecon(NULL);
|
||||
+ return;
|
||||
+ }
|
||||
+ if (matchpathcon(path, 0700, &context) == 0)
|
||||
+ setfscreatecon(context);
|
||||
+}
|
||||
+
|
||||
+#endif /* WITH_SELINUX */
|
||||
+
|
||||
+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
|
||||
diff -up openssh-6.3p1/sshd.c.role-mls openssh-6.3p1/sshd.c
|
||||
--- openssh-6.3p1/sshd.c.role-mls 2013-10-10 14:34:43.824494427 +0200
|
||||
+++ openssh-6.3p1/sshd.c 2013-10-10 14:34:43.839494355 +0200
|
||||
@@ -2179,6 +2179,9 @@ main(int ac, char **av)
|
||||
diff --git a/platform.c b/platform.c
|
||||
index 30fc609..0d39ab2 100644
|
||||
--- a/platform.c
|
||||
+++ b/platform.c
|
||||
@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
|
||||
}
|
||||
#endif /* HAVE_SETPCRED */
|
||||
#ifdef WITH_SELINUX
|
||||
- ssh_selinux_setup_exec_context(pw->pw_name);
|
||||
+ sshd_selinux_setup_exec_context(pw->pw_name);
|
||||
#endif
|
||||
}
|
||||
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 7523de9..07f9926 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -2138,6 +2138,9 @@ main(int ac, char **av)
|
||||
restore_uid();
|
||||
}
|
||||
#endif
|
||||
+#ifdef WITH_SELINUX
|
||||
+ ssh_selinux_setup_exec_context(authctxt->pw->pw_name);
|
||||
+ sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
|
||||
+#endif
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam) {
|
91
openssh.spec
91
openssh.spec
@ -63,10 +63,10 @@
|
||||
%endif
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%define openssh_ver 6.4p1
|
||||
%define openssh_rel 4
|
||||
%define openssh_ver 6.6p1
|
||||
%define openssh_rel 1
|
||||
%define pam_ssh_agent_ver 0.9.3
|
||||
%define pam_ssh_agent_rel 1
|
||||
%define pam_ssh_agent_rel 2
|
||||
|
||||
Summary: An open source implementation of SSH protocol versions 1 and 2
|
||||
Name: openssh
|
||||
@ -94,7 +94,7 @@ Patch0: openssh-5.9p1-wIm.patch
|
||||
#?
|
||||
Patch100: openssh-6.3p1-coverity.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1872
|
||||
Patch101: openssh-6.3p1-fingerprint.patch
|
||||
Patch101: openssh-6.6p1-fingerprint.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1894
|
||||
#https://bugzilla.redhat.com/show_bug.cgi?id=735889
|
||||
Patch102: openssh-5.8p1-getaddrinfo.patch
|
||||
@ -114,76 +114,74 @@ Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch
|
||||
# don't use xfree (#1024965)
|
||||
Patch303: pam_ssh_agent_auth-0.9.3-no-xfree.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
|
||||
Patch400: openssh-6.3p1-role-mls.patch
|
||||
Patch400: openssh-6.6p1-role-mls.patch
|
||||
#https://bugzilla.redhat.com/show_bug.cgi?id=781634
|
||||
Patch404: openssh-6.3p1-privsep-selinux.patch
|
||||
Patch404: openssh-6.6p1-privsep-selinux.patch
|
||||
|
||||
#?-- unwanted child :(
|
||||
Patch501: openssh-6.3p1-ldap.patch
|
||||
Patch501: openssh-6.6p1-ldap.patch
|
||||
#?
|
||||
Patch502: openssh-6.3p1-keycat.patch
|
||||
Patch502: openssh-6.6p1-keycat.patch
|
||||
|
||||
#http6://bugzilla.mindrot.org/show_bug.cgi?id=1644
|
||||
Patch601: openssh-5.2p1-allow-ip-opts.patch
|
||||
Patch601: openssh-6.6p1-allow-ip-opts.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1701
|
||||
Patch602: openssh-5.9p1-randclean.patch
|
||||
#http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c.diff?r1=1.13&r2=1.13.12.1&f=h
|
||||
Patch603: openssh-5.8p1-glob.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1893
|
||||
Patch604: openssh-5.8p1-keyperm.patch
|
||||
Patch604: openssh-6.6p1-keyperm.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1329 (WONTFIX)
|
||||
Patch605: openssh-5.8p2-remove-stale-control-socket.patch
|
||||
# drop: Patch605: openssh-5.8p2-remove-stale-control-socket.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1925
|
||||
Patch606: openssh-5.9p1-ipv6man.patch
|
||||
#?
|
||||
Patch607: openssh-5.8p2-sigpipe.patch
|
||||
# drop? Patch607: openssh-5.8p2-sigpipe.patch
|
||||
#?
|
||||
Patch608: openssh-6.1p1-askpass-ld.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1789
|
||||
Patch609: openssh-5.5p1-x11.patch
|
||||
# drop? Patch609: openssh-5.5p1-x11.patch
|
||||
|
||||
#?
|
||||
Patch700: openssh-6.3p1-fips.patch
|
||||
#?
|
||||
Patch701: openssh-5.6p1-exit-deadlock.patch
|
||||
# drop? Patch701: openssh-5.6p1-exit-deadlock.patch
|
||||
#?
|
||||
Patch702: openssh-5.1p1-askpass-progress.patch
|
||||
#?
|
||||
Patch703: openssh-4.3p2-askpass-grab-info.patch
|
||||
#?
|
||||
Patch704: openssh-5.9p1-edns.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=205842
|
||||
# drop? Patch704: openssh-5.9p1-edns.patch
|
||||
#?
|
||||
Patch705: openssh-5.1p1-scp-manpage.patch
|
||||
#?
|
||||
Patch706: openssh-5.8p1-localdomain.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
|
||||
Patch707: openssh-6.3p1-redhat.patch
|
||||
Patch707: openssh-6.6p1-redhat.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
|
||||
Patch708: openssh-6.2p1-entropy.patch
|
||||
Patch708: openssh-6.6p1-entropy.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
|
||||
Patch709: openssh-6.2p1-vendor.patch
|
||||
# warn users for unsupported UsePAM=no (#757545)
|
||||
Patch711: openssh-6.1p1-log-usepam-no.patch
|
||||
Patch711: openssh-6.6p1-log-usepam-no.patch
|
||||
# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
|
||||
Patch712: openssh-6.3p1-ctr-evp-fast.patch
|
||||
# add cavs test binary for the aes-ctr
|
||||
Patch713: openssh-6.3p1-ctr-cavstest.patch
|
||||
Patch713: openssh-6.6p1-ctr-cavstest.patch
|
||||
|
||||
|
||||
#http://www.sxw.org.uk/computing/patches/openssh.html
|
||||
#changed cache storage type - #848228
|
||||
Patch800: openssh-6.3p1-gsskex.patch
|
||||
Patch800: openssh-6.6p1-gsskex.patch
|
||||
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
|
||||
Patch801: openssh-6.3p1-force_krb.patch
|
||||
Patch801: openssh-6.6p1-force_krb.patch
|
||||
Patch900: openssh-6.1p1-gssapi-canohost.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
|
||||
Patch901: openssh-6.3p1-kuserok.patch
|
||||
Patch901: openssh-6.6p1-kuserok.patch
|
||||
# use default_ccache_name from /etc/krb5.conf (#991186)
|
||||
Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch
|
||||
# increase the size of the Diffie-Hellman groups (#1010607)
|
||||
Patch903: openssh-6.3p1-increase-size-of-DF-groups.patch
|
||||
# FIPS mode - adjust the key echange DH groups and ssh-keygen according to SP800-131A (#1001748)
|
||||
Patch904: openssh-6.4p1-FIPS-mode-SP800-131A.patch
|
||||
# merge: Patch904: openssh-6.4p1-FIPS-mode-SP800-131A.patch
|
||||
# Run ssh-copy-id in the legacy mode when SSH_COPY_ID_LEGACY variable is set (#969375
|
||||
Patch905: openssh-6.4p1-legacy-ssh-copy-id.patch
|
||||
# Use tty allocation for a remote scp (#985650)
|
||||
@ -192,9 +190,7 @@ Patch906: openssh-6.4p1-fromto-remote.patch
|
||||
Patch907: openssh-6.4p1-CLOCK_BOOTTIME.patch
|
||||
# Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
|
||||
# dialog by offering only certificate keys. (#1081338)
|
||||
Patch908: openssh-6.4p1-CVE-2014-2653.patch
|
||||
# ignore environment variables with embedded '=' or '\0' characters (#1077843)
|
||||
Patch909: openssh-6.4p1-ignore-bad-env-var.patch
|
||||
Patch908: openssh-6.6p1-CVE-2014-2653.patch
|
||||
|
||||
|
||||
License: BSD
|
||||
@ -358,12 +354,12 @@ The module is most useful for su and sudo service stacks.
|
||||
%patch0 -p1 -b .wIm
|
||||
%endif
|
||||
|
||||
%patch100 -p1 -b .coverity
|
||||
# rework %patch100 -p1 -b .coverity
|
||||
%patch101 -p1 -b .fingerprint
|
||||
%patch102 -p1 -b .getaddrinfo
|
||||
# investigate %patch102 -p1 -b .getaddrinfo
|
||||
%patch103 -p1 -b .packet
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
# rework %patch200 -p1 -b .audit
|
||||
|
||||
%if %{pam_ssh_agent}
|
||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||
@ -387,21 +383,23 @@ popd
|
||||
%patch502 -p1 -b .keycat
|
||||
|
||||
%patch601 -p1 -b .ip-opts
|
||||
%patch602 -p1 -b .randclean
|
||||
# merge to fips
|
||||
# %patch602 -p1 -b .randclean
|
||||
%patch603 -p1 -b .glob
|
||||
%patch604 -p1 -b .keyperm
|
||||
%patch605 -p1 -b .remove_stale
|
||||
# drop %patch605 -p1 -b .remove_stale
|
||||
%patch606 -p1 -b .ipv6man
|
||||
%patch607 -p1 -b .sigpipe
|
||||
# drop? %patch607 -p1 -b .sigpipe
|
||||
%patch608 -p1 -b .askpass-ld
|
||||
%patch609 -p1 -b .x11
|
||||
|
||||
%patch700 -p1 -b .fips
|
||||
%patch701 -p1 -b .exit-deadlock
|
||||
# drop? %patch609 -p1 -b .x11
|
||||
#
|
||||
# move to the end %patch700 -p1 -b .fips
|
||||
# drop? %patch701 -p1 -b .exit-deadlock
|
||||
%patch702 -p1 -b .progress
|
||||
%patch703 -p1 -b .grab-info
|
||||
%patch704 -p1 -b .edns
|
||||
%patch705 -p1 -b .manpage
|
||||
# investigate - https://bugzilla.redhat.com/show_bug.cgi?id=205842
|
||||
# probably not needed anymore %patch704 -p1 -b .edns
|
||||
# drop it %patch705 -p1 -b .manpage
|
||||
%patch706 -p1 -b .localdomain
|
||||
%patch707 -p1 -b .redhat
|
||||
%patch708 -p1 -b .entropy
|
||||
@ -409,20 +407,18 @@ popd
|
||||
%patch711 -p1 -b .log-usepam-no
|
||||
%patch712 -p1 -b .evp-ctr
|
||||
%patch713 -p1 -b .ctr-cavs
|
||||
|
||||
#
|
||||
%patch800 -p1 -b .gsskex
|
||||
%patch801 -p1 -b .force_krb
|
||||
|
||||
#
|
||||
%patch900 -p1 -b .canohost
|
||||
%patch901 -p1 -b .kuserok
|
||||
%patch902 -p1 -b .ccache_name
|
||||
%patch903 -p1 -b .dh
|
||||
%patch904 -p1 -b .SP800-131A
|
||||
# merge with fips %patch904 -p1 -b .SP800-131A
|
||||
%patch905 -p1 -b .legacy-ssh-copy-id
|
||||
%patch906 -p1 -b .fromto-remote
|
||||
%patch907 -p1 -b .CLOCK_BOOTTIME
|
||||
%patch908 -p1 -b .CVE-2014-2653
|
||||
%patch909 -p1 -b .bad-env-var
|
||||
|
||||
%if 0
|
||||
# Nothing here yet
|
||||
@ -737,6 +733,9 @@ getent passwd sshd >/dev/null || \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Jun 03 2014 Petr Lautrbach <plautrba@redhat.com> 6.6p1-1 + 0.9.3-2
|
||||
- new upstream release openssh-6.6p1
|
||||
|
||||
* Thu May 15 2014 Petr Lautrbach <plautrba@redhat.com> 6.4p1-4 + 0.9.3-1
|
||||
- use SSH_COPY_ID_LEGACY variable to run ssh-copy-id in the legacy mode
|
||||
- make /etc/ssh/moduli file public (#1043661)
|
||||
|
Loading…
Reference in New Issue
Block a user