forked from rpms/openssh
- reenable run sshd as non root user
- renable rekeying
This commit is contained in:
parent
436639ac40
commit
a7cb7d2954
13
openssh-5.6p1-audit1a.patch
Normal file
13
openssh-5.6p1-audit1a.patch
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
diff -up openssh-5.6p1/audit-linux.c.audit1a openssh-5.6p1/audit-linux.c
|
||||||
|
--- openssh-5.6p1/audit-linux.c.audit1a 2010-12-10 21:47:03.000000000 +0100
|
||||||
|
+++ openssh-5.6p1/audit-linux.c 2010-12-10 21:50:31.000000000 +0100
|
||||||
|
@@ -59,7 +59,8 @@ linux_audit_record_event(int uid, const
|
||||||
|
saved_errno = errno;
|
||||||
|
close(audit_fd);
|
||||||
|
errno = saved_errno;
|
||||||
|
- return (rc >= 0);
|
||||||
|
+ /* do not report error if the error is EPERM and sshd is run as non root user */
|
||||||
|
+ return (rc >= 0) || ((rc == -EPERM) && (getuid() != 0));
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Below is the sshd audit API code */
|
@ -1,6 +1,6 @@
|
|||||||
diff -up openssh-5.6p1/audit-bsm.c.audit2 openssh-5.6p1/audit-bsm.c
|
diff -up openssh-5.6p1/audit-bsm.c.audit2 openssh-5.6p1/audit-bsm.c
|
||||||
--- openssh-5.6p1/audit-bsm.c.audit2 2010-11-05 15:41:17.000000000 +0100
|
--- openssh-5.6p1/audit-bsm.c.audit2 2010-12-10 21:55:40.000000000 +0100
|
||||||
+++ openssh-5.6p1/audit-bsm.c 2010-11-05 15:45:28.000000000 +0100
|
+++ openssh-5.6p1/audit-bsm.c 2010-12-10 21:55:41.000000000 +0100
|
||||||
@@ -316,6 +316,12 @@ audit_session_close(struct logininfo *li
|
@@ -316,6 +316,12 @@ audit_session_close(struct logininfo *li
|
||||||
/* not implemented */
|
/* not implemented */
|
||||||
}
|
}
|
||||||
@ -15,8 +15,8 @@ diff -up openssh-5.6p1/audit-bsm.c.audit2 openssh-5.6p1/audit-bsm.c
|
|||||||
audit_event(ssh_audit_event_t event)
|
audit_event(ssh_audit_event_t event)
|
||||||
{
|
{
|
||||||
diff -up openssh-5.6p1/audit.c.audit2 openssh-5.6p1/audit.c
|
diff -up openssh-5.6p1/audit.c.audit2 openssh-5.6p1/audit.c
|
||||||
--- openssh-5.6p1/audit.c.audit2 2010-11-05 15:41:17.000000000 +0100
|
--- openssh-5.6p1/audit.c.audit2 2010-12-10 21:55:40.000000000 +0100
|
||||||
+++ openssh-5.6p1/audit.c 2010-11-05 15:51:37.000000000 +0100
|
+++ openssh-5.6p1/audit.c 2010-12-10 21:55:41.000000000 +0100
|
||||||
@@ -111,6 +111,33 @@ audit_event_lookup(ssh_audit_event_t ev)
|
@@ -111,6 +111,33 @@ audit_event_lookup(ssh_audit_event_t ev)
|
||||||
return(event_lookup[i].name);
|
return(event_lookup[i].name);
|
||||||
}
|
}
|
||||||
@ -70,8 +70,8 @@ diff -up openssh-5.6p1/audit.c.audit2 openssh-5.6p1/audit.c
|
|||||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
diff -up openssh-5.6p1/audit.h.audit2 openssh-5.6p1/audit.h
|
diff -up openssh-5.6p1/audit.h.audit2 openssh-5.6p1/audit.h
|
||||||
--- openssh-5.6p1/audit.h.audit2 2010-11-05 15:41:17.000000000 +0100
|
--- openssh-5.6p1/audit.h.audit2 2010-12-10 21:55:40.000000000 +0100
|
||||||
+++ openssh-5.6p1/audit.h 2010-11-05 15:41:18.000000000 +0100
|
+++ openssh-5.6p1/audit.h 2010-12-10 21:55:41.000000000 +0100
|
||||||
@@ -28,6 +28,7 @@
|
@@ -28,6 +28,7 @@
|
||||||
# define _SSH_AUDIT_H
|
# define _SSH_AUDIT_H
|
||||||
|
|
||||||
@ -89,8 +89,8 @@ diff -up openssh-5.6p1/audit.h.audit2 openssh-5.6p1/audit.h
|
|||||||
|
|
||||||
#endif /* _SSH_AUDIT_H */
|
#endif /* _SSH_AUDIT_H */
|
||||||
diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c
|
diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c
|
||||||
--- openssh-5.6p1/audit-linux.c.audit2 2010-11-05 15:41:17.000000000 +0100
|
--- openssh-5.6p1/audit-linux.c.audit2 2010-12-10 21:55:41.000000000 +0100
|
||||||
+++ openssh-5.6p1/audit-linux.c 2010-11-05 15:41:18.000000000 +0100
|
+++ openssh-5.6p1/audit-linux.c 2010-12-10 22:16:42.000000000 +0100
|
||||||
@@ -37,6 +37,8 @@
|
@@ -37,6 +37,8 @@
|
||||||
#include "audit.h"
|
#include "audit.h"
|
||||||
#include "canohost.h"
|
#include "canohost.h"
|
||||||
@ -100,8 +100,8 @@ diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c
|
|||||||
const char* audit_username(void);
|
const char* audit_username(void);
|
||||||
|
|
||||||
int
|
int
|
||||||
@@ -62,6 +64,36 @@ linux_audit_record_event(int uid, const
|
@@ -63,6 +65,37 @@ linux_audit_record_event(int uid, const
|
||||||
return (rc >= 0);
|
return (rc >= 0) || ((rc == -EPERM) && (getuid() != 0));
|
||||||
}
|
}
|
||||||
|
|
||||||
+int
|
+int
|
||||||
@ -121,7 +121,7 @@ diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c
|
|||||||
+ snprintf(buf, sizeof(buf), "%s_auth rport=%d", host_user ? "hostbased" : "pubkey", get_remote_port());
|
+ snprintf(buf, sizeof(buf), "%s_auth rport=%d", host_user ? "hostbased" : "pubkey", get_remote_port());
|
||||||
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
|
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
|
||||||
+ buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv);
|
+ buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv);
|
||||||
+ if (rc < 0)
|
+ if ((rc < 0) && ((rc != -1) || (getuid() == 0)))
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s rport=%d",
|
+ snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s rport=%d",
|
||||||
+ type, 8 * len, fp, get_remote_port());
|
+ type, 8 * len, fp, get_remote_port());
|
||||||
@ -131,7 +131,8 @@ diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c
|
|||||||
+ saved_errno = errno;
|
+ saved_errno = errno;
|
||||||
+ audit_close(audit_fd);
|
+ audit_close(audit_fd);
|
||||||
+ errno = saved_errno;
|
+ errno = saved_errno;
|
||||||
+ return (rc >= 0);
|
+ /* do not report error if the error is EPERM and sshd is run as non root user */
|
||||||
|
+ return (rc >= 0) || ((rc == -EPERM) && (getuid() != 0));
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
/* Below is the sshd audit API code */
|
/* Below is the sshd audit API code */
|
||||||
@ -139,7 +140,7 @@ diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c
|
|||||||
void
|
void
|
||||||
diff -up openssh-5.6p1/auth2-hostbased.c.audit2 openssh-5.6p1/auth2-hostbased.c
|
diff -up openssh-5.6p1/auth2-hostbased.c.audit2 openssh-5.6p1/auth2-hostbased.c
|
||||||
--- openssh-5.6p1/auth2-hostbased.c.audit2 2010-08-05 05:04:50.000000000 +0200
|
--- openssh-5.6p1/auth2-hostbased.c.audit2 2010-08-05 05:04:50.000000000 +0200
|
||||||
+++ openssh-5.6p1/auth2-hostbased.c 2010-11-05 15:41:18.000000000 +0100
|
+++ openssh-5.6p1/auth2-hostbased.c 2010-12-10 21:55:41.000000000 +0100
|
||||||
@@ -136,6 +136,18 @@ done:
|
@@ -136,6 +136,18 @@ done:
|
||||||
return authenticated;
|
return authenticated;
|
||||||
}
|
}
|
||||||
@ -161,7 +162,7 @@ diff -up openssh-5.6p1/auth2-hostbased.c.audit2 openssh-5.6p1/auth2-hostbased.c
|
|||||||
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
|
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
|
||||||
diff -up openssh-5.6p1/auth2-pubkey.c.audit2 openssh-5.6p1/auth2-pubkey.c
|
diff -up openssh-5.6p1/auth2-pubkey.c.audit2 openssh-5.6p1/auth2-pubkey.c
|
||||||
--- openssh-5.6p1/auth2-pubkey.c.audit2 2010-07-02 05:35:19.000000000 +0200
|
--- openssh-5.6p1/auth2-pubkey.c.audit2 2010-07-02 05:35:19.000000000 +0200
|
||||||
+++ openssh-5.6p1/auth2-pubkey.c 2010-11-05 15:41:18.000000000 +0100
|
+++ openssh-5.6p1/auth2-pubkey.c 2010-12-10 21:55:41.000000000 +0100
|
||||||
@@ -177,6 +177,18 @@ done:
|
@@ -177,6 +177,18 @@ done:
|
||||||
return authenticated;
|
return authenticated;
|
||||||
}
|
}
|
||||||
@ -183,7 +184,7 @@ diff -up openssh-5.6p1/auth2-pubkey.c.audit2 openssh-5.6p1/auth2-pubkey.c
|
|||||||
{
|
{
|
||||||
diff -up openssh-5.6p1/auth.h.audit2 openssh-5.6p1/auth.h
|
diff -up openssh-5.6p1/auth.h.audit2 openssh-5.6p1/auth.h
|
||||||
--- openssh-5.6p1/auth.h.audit2 2010-05-10 03:58:03.000000000 +0200
|
--- openssh-5.6p1/auth.h.audit2 2010-05-10 03:58:03.000000000 +0200
|
||||||
+++ openssh-5.6p1/auth.h 2010-11-05 15:41:18.000000000 +0100
|
+++ openssh-5.6p1/auth.h 2010-12-10 21:55:41.000000000 +0100
|
||||||
@@ -170,6 +170,7 @@ void abandon_challenge_response(Authctxt
|
@@ -170,6 +170,7 @@ void abandon_challenge_response(Authctxt
|
||||||
char *authorized_keys_file(struct passwd *);
|
char *authorized_keys_file(struct passwd *);
|
||||||
char *authorized_keys_file2(struct passwd *);
|
char *authorized_keys_file2(struct passwd *);
|
||||||
@ -202,7 +203,7 @@ diff -up openssh-5.6p1/auth.h.audit2 openssh-5.6p1/auth.h
|
|||||||
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
|
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
|
||||||
diff -up openssh-5.6p1/auth-rsa.c.audit2 openssh-5.6p1/auth-rsa.c
|
diff -up openssh-5.6p1/auth-rsa.c.audit2 openssh-5.6p1/auth-rsa.c
|
||||||
--- openssh-5.6p1/auth-rsa.c.audit2 2010-07-16 05:58:37.000000000 +0200
|
--- openssh-5.6p1/auth-rsa.c.audit2 2010-07-16 05:58:37.000000000 +0200
|
||||||
+++ openssh-5.6p1/auth-rsa.c 2010-11-05 15:41:18.000000000 +0100
|
+++ openssh-5.6p1/auth-rsa.c 2010-12-10 21:55:41.000000000 +0100
|
||||||
@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU
|
@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU
|
||||||
{
|
{
|
||||||
u_char buf[32], mdbuf[16];
|
u_char buf[32], mdbuf[16];
|
||||||
@ -241,8 +242,8 @@ diff -up openssh-5.6p1/auth-rsa.c.audit2 openssh-5.6p1/auth-rsa.c
|
|||||||
/*
|
/*
|
||||||
diff -up openssh-5.6p1/monitor.c.audit2 openssh-5.6p1/monitor.c
|
diff -up openssh-5.6p1/monitor.c.audit2 openssh-5.6p1/monitor.c
|
||||||
--- openssh-5.6p1/monitor.c.audit2 2010-08-03 07:50:16.000000000 +0200
|
--- openssh-5.6p1/monitor.c.audit2 2010-08-03 07:50:16.000000000 +0200
|
||||||
+++ openssh-5.6p1/monitor.c 2010-11-05 15:41:18.000000000 +0100
|
+++ openssh-5.6p1/monitor.c 2010-12-10 21:55:41.000000000 +0100
|
||||||
@@ -1235,7 +1235,19 @@ mm_answer_keyverify(int sock, Buffer *m)
|
@@ -1235,7 +1235,17 @@ mm_answer_keyverify(int sock, Buffer *m)
|
||||||
if (!valid_data)
|
if (!valid_data)
|
||||||
fatal("%s: bad signature data blob", __func__);
|
fatal("%s: bad signature data blob", __func__);
|
||||||
|
|
||||||
@ -253,8 +254,6 @@ diff -up openssh-5.6p1/monitor.c.audit2 openssh-5.6p1/monitor.c
|
|||||||
+ break;
|
+ break;
|
||||||
+ case MM_HOSTKEY:
|
+ case MM_HOSTKEY:
|
||||||
+ verified = hostkey_key_verify(key, signature, signaturelen, data, datalen);
|
+ verified = hostkey_key_verify(key, signature, signaturelen, data, datalen);
|
||||||
+ valid_data = monitor_valid_hostbasedblob(data, datalen,
|
|
||||||
+ hostbased_cuser, hostbased_chost);
|
|
||||||
+ break;
|
+ break;
|
||||||
+ default:
|
+ default:
|
||||||
+ verified = 0;
|
+ verified = 0;
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
diff -up openssh-5.6p1/audit-bsm.c.audit3 openssh-5.6p1/audit-bsm.c
|
diff -up openssh-5.6p1/audit-bsm.c.audit3 openssh-5.6p1/audit-bsm.c
|
||||||
--- openssh-5.6p1/audit-bsm.c.audit3 2010-11-05 15:54:35.000000000 +0100
|
--- openssh-5.6p1/audit-bsm.c.audit3 2010-12-10 22:17:31.000000000 +0100
|
||||||
+++ openssh-5.6p1/audit-bsm.c 2010-11-05 15:54:35.000000000 +0100
|
+++ openssh-5.6p1/audit-bsm.c 2010-12-10 22:17:31.000000000 +0100
|
||||||
@@ -383,4 +383,16 @@ audit_event(ssh_audit_event_t event)
|
@@ -383,4 +383,16 @@ audit_event(ssh_audit_event_t event)
|
||||||
debug("%s: unhandled event %d", __func__, event);
|
debug("%s: unhandled event %d", __func__, event);
|
||||||
}
|
}
|
||||||
@ -19,8 +19,8 @@ diff -up openssh-5.6p1/audit-bsm.c.audit3 openssh-5.6p1/audit-bsm.c
|
|||||||
+}
|
+}
|
||||||
#endif /* BSM */
|
#endif /* BSM */
|
||||||
diff -up openssh-5.6p1/audit.c.audit3 openssh-5.6p1/audit.c
|
diff -up openssh-5.6p1/audit.c.audit3 openssh-5.6p1/audit.c
|
||||||
--- openssh-5.6p1/audit.c.audit3 2010-11-05 15:54:35.000000000 +0100
|
--- openssh-5.6p1/audit.c.audit3 2010-12-10 22:17:31.000000000 +0100
|
||||||
+++ openssh-5.6p1/audit.c 2010-11-05 15:56:19.000000000 +0100
|
+++ openssh-5.6p1/audit.c 2010-12-10 22:17:31.000000000 +0100
|
||||||
@@ -36,6 +36,8 @@
|
@@ -36,6 +36,8 @@
|
||||||
#include "key.h"
|
#include "key.h"
|
||||||
#include "hostfile.h"
|
#include "hostfile.h"
|
||||||
@ -75,8 +75,8 @@ diff -up openssh-5.6p1/audit.c.audit3 openssh-5.6p1/audit.c
|
|||||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
diff -up openssh-5.6p1/audit.h.audit3 openssh-5.6p1/audit.h
|
diff -up openssh-5.6p1/audit.h.audit3 openssh-5.6p1/audit.h
|
||||||
--- openssh-5.6p1/audit.h.audit3 2010-11-05 15:54:35.000000000 +0100
|
--- openssh-5.6p1/audit.h.audit3 2010-12-10 22:17:31.000000000 +0100
|
||||||
+++ openssh-5.6p1/audit.h 2010-11-05 15:54:35.000000000 +0100
|
+++ openssh-5.6p1/audit.h 2010-12-10 22:17:31.000000000 +0100
|
||||||
@@ -56,5 +56,9 @@ void audit_run_command(const char *);
|
@@ -56,5 +56,9 @@ void audit_run_command(const char *);
|
||||||
ssh_audit_event_t audit_classify_auth(const char *);
|
ssh_audit_event_t audit_classify_auth(const char *);
|
||||||
int audit_keyusage(int, const char *, unsigned, char *, int);
|
int audit_keyusage(int, const char *, unsigned, char *, int);
|
||||||
@ -88,8 +88,8 @@ diff -up openssh-5.6p1/audit.h.audit3 openssh-5.6p1/audit.h
|
|||||||
|
|
||||||
#endif /* _SSH_AUDIT_H */
|
#endif /* _SSH_AUDIT_H */
|
||||||
diff -up openssh-5.6p1/audit-linux.c.audit3 openssh-5.6p1/audit-linux.c
|
diff -up openssh-5.6p1/audit-linux.c.audit3 openssh-5.6p1/audit-linux.c
|
||||||
--- openssh-5.6p1/audit-linux.c.audit3 2010-11-05 15:54:35.000000000 +0100
|
--- openssh-5.6p1/audit-linux.c.audit3 2010-12-10 22:17:31.000000000 +0100
|
||||||
+++ openssh-5.6p1/audit-linux.c 2010-11-05 15:54:35.000000000 +0100
|
+++ openssh-5.6p1/audit-linux.c 2010-12-10 22:20:00.000000000 +0100
|
||||||
@@ -36,6 +36,8 @@
|
@@ -36,6 +36,8 @@
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
#include "audit.h"
|
#include "audit.h"
|
||||||
@ -99,7 +99,7 @@ diff -up openssh-5.6p1/audit-linux.c.audit3 openssh-5.6p1/audit-linux.c
|
|||||||
|
|
||||||
#define AUDIT_LOG_SIZE 128
|
#define AUDIT_LOG_SIZE 128
|
||||||
|
|
||||||
@@ -149,4 +151,53 @@ audit_event(ssh_audit_event_t event)
|
@@ -151,4 +153,54 @@ audit_event(ssh_audit_event_t event)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -147,15 +147,16 @@ diff -up openssh-5.6p1/audit-linux.c.audit3 openssh-5.6p1/audit-linux.c
|
|||||||
+ audit_ok = audit_log_acct_message(audit_fd, AUDIT_CRYPTO_SESSION, NULL,
|
+ audit_ok = audit_log_acct_message(audit_fd, AUDIT_CRYPTO_SESSION, NULL,
|
||||||
+ buf, NULL, -1, NULL, get_remote_ipaddr(), NULL, 1);
|
+ buf, NULL, -1, NULL, get_remote_ipaddr(), NULL, 1);
|
||||||
+ audit_close(audit_fd);
|
+ audit_close(audit_fd);
|
||||||
+ if (audit_ok < 0)
|
+ /* do not abort if the error is EPERM and sshd is run as non root user */
|
||||||
|
+ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
|
||||||
+ fatal("cannot write into audit"); /* Must prevent login */
|
+ fatal("cannot write into audit"); /* Must prevent login */
|
||||||
+#endif
|
+#endif
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
#endif /* USE_LINUX_AUDIT */
|
#endif /* USE_LINUX_AUDIT */
|
||||||
diff -up openssh-5.6p1/auditstub.c.audit3 openssh-5.6p1/auditstub.c
|
diff -up openssh-5.6p1/auditstub.c.audit3 openssh-5.6p1/auditstub.c
|
||||||
--- openssh-5.6p1/auditstub.c.audit3 2010-11-05 15:54:35.000000000 +0100
|
--- openssh-5.6p1/auditstub.c.audit3 2010-12-10 22:17:32.000000000 +0100
|
||||||
+++ openssh-5.6p1/auditstub.c 2010-11-05 15:54:35.000000000 +0100
|
+++ openssh-5.6p1/auditstub.c 2010-12-10 22:17:32.000000000 +0100
|
||||||
@@ -0,0 +1,39 @@
|
@@ -0,0 +1,39 @@
|
||||||
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
|
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
|
||||||
+
|
+
|
||||||
@ -198,7 +199,7 @@ diff -up openssh-5.6p1/auditstub.c.audit3 openssh-5.6p1/auditstub.c
|
|||||||
+
|
+
|
||||||
diff -up openssh-5.6p1/cipher.c.audit3 openssh-5.6p1/cipher.c
|
diff -up openssh-5.6p1/cipher.c.audit3 openssh-5.6p1/cipher.c
|
||||||
--- openssh-5.6p1/cipher.c.audit3 2010-09-03 14:54:23.000000000 +0200
|
--- openssh-5.6p1/cipher.c.audit3 2010-09-03 14:54:23.000000000 +0200
|
||||||
+++ openssh-5.6p1/cipher.c 2010-11-05 15:54:35.000000000 +0100
|
+++ openssh-5.6p1/cipher.c 2010-12-10 22:17:32.000000000 +0100
|
||||||
@@ -59,15 +59,7 @@ extern void ssh1_3des_iv(EVP_CIPHER_CTX
|
@@ -59,15 +59,7 @@ extern void ssh1_3des_iv(EVP_CIPHER_CTX
|
||||||
extern const EVP_CIPHER *evp_aes_128_ctr(void);
|
extern const EVP_CIPHER *evp_aes_128_ctr(void);
|
||||||
extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
|
extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
|
||||||
@ -218,7 +219,7 @@ diff -up openssh-5.6p1/cipher.c.audit3 openssh-5.6p1/cipher.c
|
|||||||
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },
|
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },
|
||||||
diff -up openssh-5.6p1/cipher.h.audit3 openssh-5.6p1/cipher.h
|
diff -up openssh-5.6p1/cipher.h.audit3 openssh-5.6p1/cipher.h
|
||||||
--- openssh-5.6p1/cipher.h.audit3 2009-01-28 06:38:41.000000000 +0100
|
--- openssh-5.6p1/cipher.h.audit3 2009-01-28 06:38:41.000000000 +0100
|
||||||
+++ openssh-5.6p1/cipher.h 2010-11-05 15:54:35.000000000 +0100
|
+++ openssh-5.6p1/cipher.h 2010-12-10 22:17:32.000000000 +0100
|
||||||
@@ -61,7 +61,16 @@
|
@@ -61,7 +61,16 @@
|
||||||
typedef struct Cipher Cipher;
|
typedef struct Cipher Cipher;
|
||||||
typedef struct CipherContext CipherContext;
|
typedef struct CipherContext CipherContext;
|
||||||
@ -239,7 +240,7 @@ diff -up openssh-5.6p1/cipher.h.audit3 openssh-5.6p1/cipher.h
|
|||||||
EVP_CIPHER_CTX evp;
|
EVP_CIPHER_CTX evp;
|
||||||
diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c
|
diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c
|
||||||
--- openssh-5.6p1/kex.c.audit3 2010-01-08 06:50:41.000000000 +0100
|
--- openssh-5.6p1/kex.c.audit3 2010-01-08 06:50:41.000000000 +0100
|
||||||
+++ openssh-5.6p1/kex.c 2010-11-05 15:54:35.000000000 +0100
|
+++ openssh-5.6p1/kex.c 2010-12-10 22:17:32.000000000 +0100
|
||||||
@@ -49,6 +49,7 @@
|
@@ -49,6 +49,7 @@
|
||||||
#include "dispatch.h"
|
#include "dispatch.h"
|
||||||
#include "monitor.h"
|
#include "monitor.h"
|
||||||
@ -303,8 +304,8 @@ diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c
|
|||||||
choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
|
choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
|
||||||
choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
||||||
diff -up openssh-5.6p1/Makefile.in.audit3 openssh-5.6p1/Makefile.in
|
diff -up openssh-5.6p1/Makefile.in.audit3 openssh-5.6p1/Makefile.in
|
||||||
--- openssh-5.6p1/Makefile.in.audit3 2010-11-05 15:54:35.000000000 +0100
|
--- openssh-5.6p1/Makefile.in.audit3 2010-12-10 22:17:31.000000000 +0100
|
||||||
+++ openssh-5.6p1/Makefile.in 2010-11-05 15:54:35.000000000 +0100
|
+++ openssh-5.6p1/Makefile.in 2010-12-10 22:17:32.000000000 +0100
|
||||||
@@ -74,7 +74,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
|
@@ -74,7 +74,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
|
||||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
|
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
|
||||||
kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
|
kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
|
||||||
@ -315,8 +316,8 @@ diff -up openssh-5.6p1/Makefile.in.audit3 openssh-5.6p1/Makefile.in
|
|||||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||||
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
|
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
|
||||||
diff -up openssh-5.6p1/monitor.c.audit3 openssh-5.6p1/monitor.c
|
diff -up openssh-5.6p1/monitor.c.audit3 openssh-5.6p1/monitor.c
|
||||||
--- openssh-5.6p1/monitor.c.audit3 2010-11-05 15:54:35.000000000 +0100
|
--- openssh-5.6p1/monitor.c.audit3 2010-12-10 22:17:31.000000000 +0100
|
||||||
+++ openssh-5.6p1/monitor.c 2010-11-05 15:54:35.000000000 +0100
|
+++ openssh-5.6p1/monitor.c 2010-12-10 22:17:32.000000000 +0100
|
||||||
@@ -89,6 +89,7 @@
|
@@ -89,6 +89,7 @@
|
||||||
#include "ssh2.h"
|
#include "ssh2.h"
|
||||||
#include "jpake.h"
|
#include "jpake.h"
|
||||||
@ -334,25 +335,43 @@ diff -up openssh-5.6p1/monitor.c.audit3 openssh-5.6p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
static Authctxt *authctxt;
|
static Authctxt *authctxt;
|
||||||
@@ -209,6 +212,8 @@ struct mon_table {
|
@@ -225,6 +228,8 @@ struct mon_table mon_dispatch_proto20[]
|
||||||
#define MON_PERMIT 0x1000 /* Request is permitted */
|
#endif
|
||||||
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
struct mon_table mon_dispatch_proto20[] = {
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||||
+ {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
+ {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
+ {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
+ {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
{MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
|
#endif
|
||||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
#ifdef BSD_AUTH
|
||||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
||||||
@@ -266,6 +271,8 @@ struct mon_table mon_dispatch_postauth20
|
@@ -261,6 +266,8 @@ struct mon_table mon_dispatch_postauth20
|
||||||
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||||
|
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
||||||
|
+ {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
|
+ {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
|
#endif
|
||||||
|
{0, 0, NULL}
|
||||||
};
|
};
|
||||||
|
@@ -292,6 +299,8 @@ struct mon_table mon_dispatch_proto15[]
|
||||||
struct mon_table mon_dispatch_proto15[] = {
|
#endif
|
||||||
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||||
+ {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
+ {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
+ {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
+ {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
#endif
|
||||||
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
|
{0, 0, NULL}
|
||||||
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
|
};
|
||||||
@@ -2207,3 +2214,40 @@ mm_answer_jpake_check_confirm(int sock,
|
@@ -303,6 +312,8 @@ struct mon_table mon_dispatch_postauth15
|
||||||
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||||
|
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
|
||||||
|
+ {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
|
+ {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
|
#endif
|
||||||
|
{0, 0, NULL}
|
||||||
|
};
|
||||||
|
@@ -2205,3 +2216,40 @@ mm_answer_jpake_check_confirm(int sock,
|
||||||
}
|
}
|
||||||
|
|
||||||
#endif /* JPAKE */
|
#endif /* JPAKE */
|
||||||
@ -395,7 +414,7 @@ diff -up openssh-5.6p1/monitor.c.audit3 openssh-5.6p1/monitor.c
|
|||||||
+#endif /* SSH_AUDIT_EVENTS */
|
+#endif /* SSH_AUDIT_EVENTS */
|
||||||
diff -up openssh-5.6p1/monitor.h.audit3 openssh-5.6p1/monitor.h
|
diff -up openssh-5.6p1/monitor.h.audit3 openssh-5.6p1/monitor.h
|
||||||
--- openssh-5.6p1/monitor.h.audit3 2008-11-05 06:20:46.000000000 +0100
|
--- openssh-5.6p1/monitor.h.audit3 2008-11-05 06:20:46.000000000 +0100
|
||||||
+++ openssh-5.6p1/monitor.h 2010-11-05 15:54:35.000000000 +0100
|
+++ openssh-5.6p1/monitor.h 2010-12-10 22:17:32.000000000 +0100
|
||||||
@@ -66,6 +66,8 @@ enum monitor_reqtype {
|
@@ -66,6 +66,8 @@ enum monitor_reqtype {
|
||||||
MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2,
|
MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2,
|
||||||
MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM,
|
MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM,
|
||||||
@ -407,7 +426,7 @@ diff -up openssh-5.6p1/monitor.h.audit3 openssh-5.6p1/monitor.h
|
|||||||
struct mm_master;
|
struct mm_master;
|
||||||
diff -up openssh-5.6p1/monitor_wrap.c.audit3 openssh-5.6p1/monitor_wrap.c
|
diff -up openssh-5.6p1/monitor_wrap.c.audit3 openssh-5.6p1/monitor_wrap.c
|
||||||
--- openssh-5.6p1/monitor_wrap.c.audit3 2010-03-07 13:05:17.000000000 +0100
|
--- openssh-5.6p1/monitor_wrap.c.audit3 2010-03-07 13:05:17.000000000 +0100
|
||||||
+++ openssh-5.6p1/monitor_wrap.c 2010-11-05 15:54:35.000000000 +0100
|
+++ openssh-5.6p1/monitor_wrap.c 2010-12-10 22:17:32.000000000 +0100
|
||||||
@@ -1411,3 +1411,38 @@ mm_jpake_check_confirm(const BIGNUM *k,
|
@@ -1411,3 +1411,38 @@ mm_jpake_check_confirm(const BIGNUM *k,
|
||||||
return success;
|
return success;
|
||||||
}
|
}
|
||||||
@ -449,7 +468,7 @@ diff -up openssh-5.6p1/monitor_wrap.c.audit3 openssh-5.6p1/monitor_wrap.c
|
|||||||
+#endif /* SSH_AUDIT_EVENTS */
|
+#endif /* SSH_AUDIT_EVENTS */
|
||||||
diff -up openssh-5.6p1/monitor_wrap.h.audit3 openssh-5.6p1/monitor_wrap.h
|
diff -up openssh-5.6p1/monitor_wrap.h.audit3 openssh-5.6p1/monitor_wrap.h
|
||||||
--- openssh-5.6p1/monitor_wrap.h.audit3 2009-03-05 14:58:22.000000000 +0100
|
--- openssh-5.6p1/monitor_wrap.h.audit3 2009-03-05 14:58:22.000000000 +0100
|
||||||
+++ openssh-5.6p1/monitor_wrap.h 2010-11-05 15:54:35.000000000 +0100
|
+++ openssh-5.6p1/monitor_wrap.h 2010-12-10 22:17:32.000000000 +0100
|
||||||
@@ -74,6 +74,8 @@ void mm_sshpam_free_ctx(void *);
|
@@ -74,6 +74,8 @@ void mm_sshpam_free_ctx(void *);
|
||||||
#include "audit.h"
|
#include "audit.h"
|
||||||
void mm_audit_event(ssh_audit_event_t);
|
void mm_audit_event(ssh_audit_event_t);
|
||||||
@ -461,7 +480,7 @@ diff -up openssh-5.6p1/monitor_wrap.h.audit3 openssh-5.6p1/monitor_wrap.h
|
|||||||
struct Session;
|
struct Session;
|
||||||
diff -up openssh-5.6p1/sshd.c.audit3 openssh-5.6p1/sshd.c
|
diff -up openssh-5.6p1/sshd.c.audit3 openssh-5.6p1/sshd.c
|
||||||
--- openssh-5.6p1/sshd.c.audit3 2010-04-16 07:56:22.000000000 +0200
|
--- openssh-5.6p1/sshd.c.audit3 2010-04-16 07:56:22.000000000 +0200
|
||||||
+++ openssh-5.6p1/sshd.c 2010-11-05 15:54:35.000000000 +0100
|
+++ openssh-5.6p1/sshd.c 2010-12-10 22:17:32.000000000 +0100
|
||||||
@@ -118,6 +118,7 @@
|
@@ -118,6 +118,7 @@
|
||||||
#endif
|
#endif
|
||||||
#include "monitor_wrap.h"
|
#include "monitor_wrap.h"
|
||||||
|
16
openssh.spec
16
openssh.spec
@ -71,7 +71,7 @@
|
|||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%define openssh_ver 5.6p1
|
%define openssh_ver 5.6p1
|
||||||
%define openssh_rel 20
|
%define openssh_rel 21
|
||||||
%define pam_ssh_agent_ver 0.9.2
|
%define pam_ssh_agent_ver 0.9.2
|
||||||
%define pam_ssh_agent_rel 29
|
%define pam_ssh_agent_rel 29
|
||||||
|
|
||||||
@ -96,8 +96,9 @@ Source5: pam_ssh_agent-rmheaders
|
|||||||
Patch0: openssh-5.6p1-redhat.patch
|
Patch0: openssh-5.6p1-redhat.patch
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
||||||
Patch1: openssh-5.6p1-audit.patch
|
Patch1: openssh-5.6p1-audit.patch
|
||||||
Patch2: openssh-5.6p1-audit2.patch
|
Patch2: openssh-5.6p1-audit1a.patch
|
||||||
Patch3: openssh-5.6p1-audit3.patch
|
Patch3: openssh-5.6p1-audit2.patch
|
||||||
|
Patch4: openssh-5.6p1-audit3.patch
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640
|
||||||
Patch5: openssh-5.2p1-vendor.patch
|
Patch5: openssh-5.2p1-vendor.patch
|
||||||
Patch10: pam_ssh_agent_auth-0.9-build.patch
|
Patch10: pam_ssh_agent_auth-0.9-build.patch
|
||||||
@ -273,8 +274,9 @@ The module is most useful for su and sudo service stacks.
|
|||||||
%setup -q -a 4
|
%setup -q -a 4
|
||||||
%patch0 -p1 -b .redhat
|
%patch0 -p1 -b .redhat
|
||||||
%patch1 -p1 -b .audit
|
%patch1 -p1 -b .audit
|
||||||
%patch2 -p1 -b .audit2
|
%patch2 -p1 -b .audit1a
|
||||||
%patch3 -p1 -b .audit3
|
%patch3 -p1 -b .audit2
|
||||||
|
%patch4 -p1 -b .audit3
|
||||||
%patch5 -p1 -b .vendor
|
%patch5 -p1 -b .vendor
|
||||||
|
|
||||||
%if %{pam_ssh_agent}
|
%if %{pam_ssh_agent}
|
||||||
@ -594,6 +596,10 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Dec 10 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-21 + 0.9.2-29
|
||||||
|
- reenable run sshd as non root user
|
||||||
|
- renable rekeying
|
||||||
|
|
||||||
* Wed Nov 24 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-20 + 0.9.2-29
|
* Wed Nov 24 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-20 + 0.9.2-29
|
||||||
- reapair clientloop crash (#627332)
|
- reapair clientloop crash (#627332)
|
||||||
- properly restore euid in case connect to the ssh-agent socket fails
|
- properly restore euid in case connect to the ssh-agent socket fails
|
||||||
|
Loading…
Reference in New Issue
Block a user