forked from rpms/openssh
openssh-7.8p1-1 + 0.10.3-5
New upstream release including: * Dropping entropy patch * Remove default support for MD5 fingerprints * Porting all the downstream patches and pam_ssh_agent_auth to new sshbuf and sshkey API * pam_ssh_agent_auth is no longer using MD5 fingerprints
This commit is contained in:
parent
01ba761e18
commit
bbf61daf97
2
.gitignore
2
.gitignore
@ -30,3 +30,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
|
||||
/openssh-7.7p1.tar.gz
|
||||
/openssh-7.7p1.tar.gz.asc
|
||||
/DJM-GPG-KEY.gpg
|
||||
/openssh-7.8p1.tar.gz
|
||||
/openssh-7.8p1.tar.gz.asc
|
||||
|
@ -1,12 +0,0 @@
|
||||
diff -up openssh-6.8p1/packet.c.packet openssh-6.8p1/packet.c
|
||||
--- openssh-6.8p1/packet.c.packet 2015-03-18 10:56:32.286930601 +0100
|
||||
+++ openssh-6.8p1/packet.c 2015-03-18 10:58:38.535629739 +0100
|
||||
@@ -371,6 +371,8 @@ ssh_packet_connection_is_on_socket(struc
|
||||
struct sockaddr_storage from, to;
|
||||
socklen_t fromlen, tolen;
|
||||
|
||||
+ if (!state)
|
||||
+ return 0;
|
||||
if (state->connection_in == -1 || state->connection_out == -1)
|
||||
return 0;
|
||||
|
@ -4,7 +4,7 @@ diff -up openssh-6.1p1/sshconnect2.c.canohost openssh-6.1p1/sshconnect2.c
|
||||
@@ -699,12 +699,15 @@ userauth_gssapi(Authctxt *authctxt)
|
||||
static u_int mech = 0;
|
||||
OM_uint32 min;
|
||||
int ok = 0;
|
||||
int r, ok = 0;
|
||||
- const char *gss_host;
|
||||
+ const char *gss_host = NULL;
|
||||
|
||||
@ -13,7 +13,7 @@ diff -up openssh-6.1p1/sshconnect2.c.canohost openssh-6.1p1/sshconnect2.c
|
||||
- else if (options.gss_trust_dns)
|
||||
+ else if (options.gss_trust_dns) {
|
||||
gss_host = get_canonical_hostname(active_state, 1);
|
||||
+ if ( strcmp( gss_host, "UNKNOWN" ) == 0 )
|
||||
+ if (strcmp(gss_host, "UNKNOWN") == 0)
|
||||
+ gss_host = authctxt->host;
|
||||
+ }
|
||||
else
|
||||
|
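Review bot: The closing brace added as `+ }` leaves the existing `else` on the following line, so the patched sshconnect2.c reads `}` / `else` rather than the `} else` form OpenSSH's KNF style uses; pulling the `else` line into the hunk as `+ } else` keeps the block consistent. The fallback from the canonical name to `authctxt->host` when reverse lookup yields "UNKNOWN" silently changes which name is used as the GSSAPI target, which deserves a one-line comment such as `/* reverse lookup failed; fall back to the name the user supplied */`. userauth_gssapi starts and ends outside the hunk.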
@ -34,7 +34,7 @@ diff -up openssh-7.4p1/servconf.c.vendor openssh-7.4p1/servconf.c
|
||||
options->client_alive_interval = -1;
|
||||
options->client_alive_count_max = -1;
|
||||
@@ -325,6 +326,8 @@ fill_default_server_options(ServerOption
|
||||
options->ip_qos_bulk = IPTOS_THROUGHPUT;
|
||||
options->ip_qos_bulk = IPTOS_DSCP_CS1;
|
||||
if (options->version_addendum == NULL)
|
||||
options->version_addendum = xstrdup("");
|
||||
+ if (options->show_patchlevel == -1)
|
||||
@ -71,7 +71,7 @@ diff -up openssh-7.4p1/servconf.c.vendor openssh-7.4p1/servconf.c
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (match_user(NULL, NULL, NULL, arg) == -1)
|
||||
@@ -2269,6 +2277,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
|
||||
dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
|
||||
dump_cfg_fmtint(sCompression, o->compression);
|
||||
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
|
||||
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
|
||||
@ -89,28 +89,13 @@ diff -up openssh-7.4p1/servconf.h.vendor openssh-7.4p1/servconf.h
|
||||
int use_dns;
|
||||
int client_alive_interval; /*
|
||||
* poke the client this often to
|
||||
diff -up openssh-7.4p1/sshd_config.0.vendor openssh-7.4p1/sshd_config.0
|
||||
--- openssh-7.4p1/sshd_config.0.vendor 2016-12-23 13:34:51.695253847 +0100
|
||||
+++ openssh-7.4p1/sshd_config.0 2016-12-23 13:36:53.146277511 +0100
|
||||
@@ -792,6 +792,11 @@ DESCRIPTION
|
||||
rdomain(4). If the routing domain is set to %D, then the domain
|
||||
in which the incoming connection was received will be applied.
|
||||
|
||||
+ ShowPatchLevel
|
||||
+ Specifies whether sshd will display the specific patch level of
|
||||
+ the binary in the server identification string. The patch level
|
||||
+ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^].
|
||||
+
|
||||
StreamLocalBindMask
|
||||
Sets the octal file creation mode mask (umask) used when creating
|
||||
a Unix-domain socket file for local or remote port forwarding.
|
||||
diff -up openssh-7.4p1/sshd_config.5.vendor openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.vendor 2016-12-23 13:34:51.695253847 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 13:37:17.482282253 +0100
|
||||
@@ -1334,6 +1334,13 @@ an OpenSSH Key Revocation List (KRL) as
|
||||
If the routing domain is set to
|
||||
.Cm \&%D ,
|
||||
then the domain in which the incoming connection was received will be applied.
|
||||
.Cm AcceptEnv
|
||||
or
|
||||
.Cm PermitUserEnvironment .
|
||||
+.It Cm ShowPatchLevel
|
||||
+Specifies whether
|
||||
+.Nm sshd
|
||||
|
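Review bot: The fill_default_server_options hunk stops at `+ if (options->show_patchlevel == -1)` without showing the value it assigns, while the man-page text added in the same patch promises a default of "no"; it is worth confirming that the line following the hunk is `options->show_patchlevel = 0;`, since this option decides whether the server identification string reveals the distribution patch level to every client before authentication. The sshd_config.0 hunk edits a preformatted file generated from sshd_config.5 (the `M-bM-^@M-^\noM-bM-^@M-^]` run is cat -v output of curly quotes, the form upstream's shipped .0 files use), so it must be regenerated by hand whenever the .5 wording changes; if the build regenerates .0 files, the hunk can be dropped. fill_default_server_options and dump_config both start and end outside their hunks.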
@ -1,75 +0,0 @@
|
||||
diff --git a/misc.c b/misc.c
|
||||
index 874dcc8a..7b7f7a58 100644
|
||||
--- a/misc.c
|
||||
+++ b/misc.c
|
||||
@@ -466,7 +466,7 @@ put_host_port(const char *host, u_short port)
|
||||
* The delimiter char, if present, is stored in delim.
|
||||
* If this is the last field, *cp is set to NULL.
|
||||
*/
|
||||
-static char *
|
||||
+char *
|
||||
hpdelim2(char **cp, char *delim)
|
||||
{
|
||||
char *s, *old;
|
||||
diff --git a/misc.h b/misc.h
|
||||
index cdafea73..cf9c8f28 100644
|
||||
--- a/misc.h
|
||||
+++ b/misc.h
|
||||
@@ -54,6 +54,7 @@ int set_rdomain(int, const char *);
|
||||
int a2port(const char *);
|
||||
int a2tun(const char *, int *);
|
||||
char *put_host_port(const char *, u_short);
|
||||
+char *hpdelim2(char **, char *);
|
||||
char *hpdelim(char **);
|
||||
char *cleanhostname(char *);
|
||||
char *colon(char *);
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index 0f0d0906..1679181e 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -821,7 +821,7 @@ process_permitopen(struct ssh *ssh, ServerOptions *options)
|
||||
{
|
||||
u_int i;
|
||||
int port;
|
||||
- char *host, *arg, *oarg;
|
||||
+ char *host, *arg, *oarg, ch;
|
||||
|
||||
channel_clear_adm_permitted_opens(ssh);
|
||||
if (options->num_permitted_opens == 0)
|
||||
@@ -839,8 +839,8 @@ process_permitopen(struct ssh *ssh, ServerOptions *options)
|
||||
/* Otherwise treat it as a list of permitted host:port */
|
||||
for (i = 0; i < options->num_permitted_opens; i++) {
|
||||
oarg = arg = xstrdup(options->permitted_opens[i]);
|
||||
- host = hpdelim(&arg);
|
||||
- if (host == NULL)
|
||||
+ host = hpdelim2(&arg, &ch);
|
||||
+ if (host == NULL || ch == '/')
|
||||
fatal("%s: missing host in PermitOpen", __func__);
|
||||
host = cleanhostname(host);
|
||||
if (arg == NULL || ((port = permitopen_port(arg)) < 0))
|
||||
@@ -1244,8 +1244,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
port = 0;
|
||||
p = arg;
|
||||
} else {
|
||||
- p = hpdelim(&arg);
|
||||
- if (p == NULL)
|
||||
+ char ch;
|
||||
+ arg2 = NULL;
|
||||
+ p = hpdelim2(&arg, &ch);
|
||||
+ if (p == NULL || ch == '/')
|
||||
fatal("%s line %d: bad address:port usage",
|
||||
filename, linenum);
|
||||
p = cleanhostname(p);
|
||||
@@ -1815,9 +1817,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
break;
|
||||
}
|
||||
for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
|
||||
+ char ch;
|
||||
arg2 = xstrdup(arg);
|
||||
- p = hpdelim(&arg);
|
||||
- if (p == NULL)
|
||||
+ p = hpdelim2(&arg, &ch);
|
||||
+ if (p == NULL || ch == '/')
|
||||
fatal("%s line %d: missing host in PermitOpen",
|
||||
filename, linenum);
|
||||
p = cleanhostname(p);
|
@ -34,9 +34,9 @@ diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h
|
||||
|
||||
void log_init(char *, LogLevel, SyslogFacility, int);
|
||||
+void log_init_handler(char *, LogLevel, SyslogFacility, int, int);
|
||||
LogLevel log_level_get(void);
|
||||
int log_change_level(LogLevel);
|
||||
int log_is_on_stderr(void);
|
||||
void log_redirect_stderr_to(const char *);
|
||||
diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
||||
--- openssh-7.4p1/monitor.c.log-in-chroot 2016-12-23 15:14:33.311168085 +0100
|
||||
+++ openssh-7.4p1/monitor.c 2016-12-23 15:16:42.154193100 +0100
|
||||
@ -65,7 +65,7 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
||||
- do_log2(level, "%s [preauth]", msg);
|
||||
+ do_log2(level, "%s [%s]", msg, pmonitor->m_state);
|
||||
|
||||
buffer_free(&logmsg);
|
||||
sshbuf_free(logmsg);
|
||||
free(msg);
|
||||
@@ -1719,13 +1723,28 @@ monitor_init(void)
|
||||
mon = xcalloc(1, sizeof(*mon));
|
||||
|
@ -7,7 +7,7 @@ index 8f32464..18a2ca4 100644
|
||||
#include "servconf.h"
|
||||
#include "port-linux.h"
|
||||
+#include "misc.h"
|
||||
#include "key.h"
|
||||
#include "sshkey.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
@@ -445,7 +446,7 @@ sshd_selinux_setup_exec_context(char *pwname)
|
||||
@ -82,6 +82,14 @@ diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
|
||||
index 22ea8ef..1fc963d 100644
|
||||
--- a/openbsd-compat/port-linux.c
|
||||
+++ b/openbsd-compat/port-linux.c
|
||||
@@ -26,6 +26,7 @@
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
|
||||
#include "log.h"
|
||||
#include "xmalloc.h"
|
||||
@@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname)
|
||||
strlcpy(newctx + len, newname, newlen - len);
|
||||
if ((cx = index(cx + 1, ':')))
|
||||
|
@ -4,7 +4,7 @@ diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-ser
|
||||
@@ -279,7 +279,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||
FILE *fp;
|
||||
char file[MAXPATHLEN];
|
||||
char line[BUFSIZ] = "";
|
||||
char *line = NULL;
|
||||
- char kuser[65]; /* match krb5_kuserok() */
|
||||
struct stat st;
|
||||
struct passwd *pw = the_authctxt->pw;
|
||||
@ -44,8 +44,8 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
||||
sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sGssKeyEx, sGssStoreRekey, sAcceptEnv, sSetEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
@@ -497,12 +500,14 @@ static struct {
|
||||
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
|
||||
@ -70,9 +70,9 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
|
||||
+ intptr = &options->enable_k5users;
|
||||
+ goto parse_flag;
|
||||
+
|
||||
case sPermitListen:
|
||||
case sPermitOpen:
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
if (opcode == sPermitListen) {
|
||||
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(ip_qos_interactive);
|
||||
M_CP_INTOPT(ip_qos_bulk);
|
||||
|
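Review bot: `char *line = NULL;` replaces the fixed `line[BUFSIZ]` buffer in ssh_gssapi_krb5_cmdok, and the matching loop change in the k5users patch (hunk `@ -147,9 +148,9 @@`) reads it with `getline(&line, &linesize, fp)`, which has no length cap: the old comment's "We don't." was dropped with the bound, so a single very long line in a user-owned `~/.k5users` now makes the sshd process performing this check allocate as much memory as the line is long. If that check runs in a privileged process, reject lines whose returned length exceeds a fixed limit so the previous bound is preserved, e.g. `if (n > K5USERS_MAXLINE) { /* log and skip */ }` right after the getline call (K5USERS_MAXLINE being a constant to add). ssh_gssapi_krb5_cmdok starts and ends outside the hunk.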
@ -19,8 +19,8 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
|
||||
XMSS_OBJS=\
|
||||
ssh-xmss.o \
|
||||
@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
|
||||
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
|
||||
$(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
|
||||
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
||||
$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
|
||||
|
||||
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
||||
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
|
@ -1,262 +0,0 @@
|
||||
diff -up openssh-7.4p1/entropy.c.entropy openssh-7.4p1/entropy.c
|
||||
--- openssh-7.4p1/entropy.c.entropy 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/entropy.c 2016-12-23 18:34:27.769753570 +0100
|
||||
@@ -229,6 +229,9 @@ seed_rng(void)
|
||||
memset(buf, '\0', sizeof(buf));
|
||||
|
||||
#endif /* OPENSSL_PRNG_ONLY */
|
||||
+#ifdef __linux__
|
||||
+ linux_seed();
|
||||
+#endif /* __linux__ */
|
||||
if (RAND_status() != 1)
|
||||
fatal("PRNG is not seeded");
|
||||
}
|
||||
diff -up openssh-7.4p1/openbsd-compat/Makefile.in.entropy openssh-7.4p1/openbsd-compat/Makefile.in
|
||||
--- openssh-7.4p1/openbsd-compat/Makefile.in.entropy 2016-12-23 18:34:53.715762155 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/Makefile.in 2016-12-23 18:35:15.890769493 +0100
|
||||
@@ -20,7 +20,8 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
|
||||
port-solaris.o \
|
||||
port-net.o \
|
||||
port-uw.o \
|
||||
- port-linux-sshd.o
|
||||
+ port-linux-sshd.o \
|
||||
+ port-linux-prng.o
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||
diff -up openssh-7.4p1/openbsd-compat/port-linux.h.entropy openssh-7.4p1/openbsd-compat/port-linux.h
|
||||
--- openssh-7.4p1/openbsd-compat/port-linux.h.entropy 2016-12-23 18:34:27.747753563 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/port-linux.h 2016-12-23 18:34:27.769753570 +0100
|
||||
@@ -34,4 +34,6 @@ void oom_adjust_restore(void);
|
||||
void oom_adjust_setup(void);
|
||||
#endif
|
||||
|
||||
+void linux_seed(void);
|
||||
+
|
||||
#endif /* ! _PORT_LINUX_H */
|
||||
diff -up openssh-7.4p1/openbsd-compat/port-linux-prng.c.entropy openssh-7.4p1/openbsd-compat/port-linux-prng.c
|
||||
--- openssh-7.4p1/openbsd-compat/port-linux-prng.c.entropy 2016-12-23 18:34:27.769753570 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/port-linux-prng.c 2016-12-23 18:34:27.769753570 +0100
|
||||
@@ -0,0 +1,59 @@
|
||||
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
|
||||
+
|
||||
+/*
|
||||
+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
|
||||
+ *
|
||||
+ * Permission to use, copy, modify, and distribute this software for any
|
||||
+ * purpose with or without fee is hereby granted, provided that the above
|
||||
+ * copyright notice and this permission notice appear in all copies.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * Linux-specific portability code - prng support
|
||||
+ */
|
||||
+
|
||||
+#include "includes.h"
|
||||
+
|
||||
+#include <errno.h>
|
||||
+#include <stdarg.h>
|
||||
+#include <string.h>
|
||||
+#include <stdio.h>
|
||||
+#include <openssl/rand.h>
|
||||
+
|
||||
+#include "log.h"
|
||||
+#include "xmalloc.h"
|
||||
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
|
||||
+#include "servconf.h"
|
||||
+#include "port-linux.h"
|
||||
+#include "key.h"
|
||||
+#include "hostfile.h"
|
||||
+#include "auth.h"
|
||||
+
|
||||
+void
|
||||
+linux_seed(void)
|
||||
+{
|
||||
+ char *env = getenv("SSH_USE_STRONG_RNG");
|
||||
+ char *random = "/dev/random";
|
||||
+ size_t len, ienv, randlen = 14;
|
||||
+
|
||||
+ if (!env || !strcmp(env, "0"))
|
||||
+ random = "/dev/urandom";
|
||||
+ else if ((ienv = atoi(env)) > randlen)
|
||||
+ randlen = ienv;
|
||||
+
|
||||
+ errno = 0;
|
||||
+ if ((len = RAND_load_file(random, randlen)) != randlen) {
|
||||
+ if (errno)
|
||||
+ fatal ("cannot read from %s, %s", random, strerror(errno));
|
||||
+ else
|
||||
+ fatal ("EOF reading %s", random);
|
||||
+ }
|
||||
+}
|
||||
diff -up openssh-7.4p1/ssh.1.entropy openssh-7.4p1/ssh.1
|
||||
--- openssh-7.4p1/ssh.1.entropy 2016-12-23 18:34:27.754753565 +0100
|
||||
+++ openssh-7.4p1/ssh.1 2016-12-23 18:34:27.770753571 +0100
|
||||
@@ -1441,6 +1441,23 @@ For more information, see the
|
||||
.Cm PermitUserEnvironment
|
||||
option in
|
||||
.Xr sshd_config 5 .
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.It Ev SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Pa ~/.rhosts
|
||||
diff -up openssh-7.4p1/ssh-add.1.entropy openssh-7.4p1/ssh-add.1
|
||||
--- openssh-7.4p1/ssh-add.1.entropy 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/ssh-add.1 2016-12-23 18:34:27.770753571 +0100
|
||||
@@ -171,6 +171,20 @@ to make this work.)
|
||||
Identifies the path of a
|
||||
.Ux Ns -domain
|
||||
socket used to communicate with the agent.
|
||||
+.It Ev SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
.El
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds
|
||||
diff -up openssh-7.4p1/ssh-agent.1.entropy openssh-7.4p1/ssh-agent.1
|
||||
--- openssh-7.4p1/ssh-agent.1.entropy 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/ssh-agent.1 2016-12-23 18:34:27.770753571 +0100
|
||||
@@ -214,6 +214,24 @@ sockets used to contain the connection t
|
||||
These sockets should only be readable by the owner.
|
||||
The sockets should get automatically removed when the agent exits.
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
diff -up openssh-7.4p1/sshd.8.entropy openssh-7.4p1/sshd.8
|
||||
--- openssh-7.4p1/sshd.8.entropy 2016-12-23 18:34:27.755753566 +0100
|
||||
+++ openssh-7.4p1/sshd.8 2016-12-23 18:34:27.770753571 +0100
|
||||
@@ -920,6 +920,24 @@ concurrently for different ports, this c
|
||||
started last).
|
||||
The content of this file is not sensitive; it can be world-readable.
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh IPV6
|
||||
IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
|
||||
.Sh SEE ALSO
|
||||
diff -up openssh-7.4p1/ssh-keygen.1.entropy openssh-7.4p1/ssh-keygen.1
|
||||
--- openssh-7.4p1/ssh-keygen.1.entropy 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/ssh-keygen.1 2016-12-23 18:34:27.770753571 +0100
|
||||
@@ -848,6 +848,24 @@ Contains Diffie-Hellman groups used for
|
||||
The file format is described in
|
||||
.Xr moduli 5 .
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
diff -up openssh-7.4p1/ssh-keysign.8.entropy openssh-7.4p1/ssh-keysign.8
|
||||
--- openssh-7.4p1/ssh-keysign.8.entropy 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/ssh-keysign.8 2016-12-23 18:34:27.770753571 +0100
|
||||
@@ -80,6 +80,24 @@ must be set-uid root if host-based authe
|
||||
If these files exist they are assumed to contain public certificate
|
||||
information corresponding with the private keys above.
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
@ -11,9 +11,9 @@ index 413b845..54dd383 100644
|
||||
+#include <unistd.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "key.h"
|
||||
#include "sshkey.h"
|
||||
@@ -45,6 +47,7 @@
|
||||
#include "buffer.h"
|
||||
|
||||
#include "ssh-gss.h"
|
||||
|
||||
+extern Authctxt *the_authctxt;
|
||||
@ -66,7 +66,7 @@ index 413b845..54dd383 100644
|
||||
} else
|
||||
retval = 0;
|
||||
|
||||
@@ -110,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
|
||||
@@ -110,6 +133,137 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
|
||||
return retval;
|
||||
}
|
||||
|
||||
@ -97,13 +97,14 @@ index 413b845..54dd383 100644
|
||||
+{
|
||||
+ FILE *fp;
|
||||
+ char file[MAXPATHLEN];
|
||||
+ char line[BUFSIZ] = "";
|
||||
+ char *line = NULL;
|
||||
+ char kuser[65]; /* match krb5_kuserok() */
|
||||
+ struct stat st;
|
||||
+ struct passwd *pw = the_authctxt->pw;
|
||||
+ int found_principal = 0;
|
||||
+ int ncommands = 0, allcommands = 0;
|
||||
+ u_long linenum;
|
||||
+ size_t linesize = 0;
|
||||
+
|
||||
+ snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
|
||||
+ /* If both .k5login and .k5users DNE, self-login is ok. */
|
||||
@ -147,9 +148,9 @@ index 413b845..54dd383 100644
|
||||
+ k5users_allowed_cmds = xcalloc(++ncommands,
|
||||
+ sizeof(*k5users_allowed_cmds));
|
||||
+
|
||||
+ /* Check each line. ksu allows unlimited length lines. We don't. */
|
||||
+ while (!allcommands && read_keyfile_line(fp, file, line, sizeof(line),
|
||||
+ &linenum) != -1) {
|
||||
+ /* Check each line. ksu allows unlimited length lines. */
|
||||
+ while (!allcommands && getline(&line, &linesize, fp) != -1) {
|
||||
+ linenum++;
|
||||
+ char *token;
|
||||
+
|
||||
+ /* we parse just like ksu, even though we could do better */
|
||||
@ -182,6 +183,7 @@ index 413b845..54dd383 100644
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ free(line);
|
||||
+ if (k5users_allowed_cmds) {
|
||||
+ /* terminate vector */
|
||||
+ k5users_allowed_cmds[ncommands-1] = NULL;
|
||||
|
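Review bot: `u_long linenum;` is declared without an initializer, and the rewritten loop now starts with `linenum++` instead of handing the counter to read_keyfile_line, so unless it is assigned somewhere between the declaration and the loop (outside the hunks) the first increment reads an indeterminate value and any line number reported for a bad `.k5users` entry is garbage; `u_long linenum = 0;` fixes it. The `char *token;` declaration placed after `linenum++;` is valid C99 but departs from the declarations-first layout of the rest of the function. The function (presumably ssh_gssapi_krb5_cmdok, going by the GSSAPIEnablek5users patch) begins and ends outside the hunks.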
@ -64,8 +64,8 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
|
||||
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
||||
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS)
|
||||
|
||||
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
|
||||
+ $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
|
||||
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
||||
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
|
||||
+
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
@ -224,9 +224,9 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
||||
+ intptr = &options->use_kuserok;
|
||||
+ goto parse_flag;
|
||||
+
|
||||
case sPermitListen:
|
||||
case sPermitOpen:
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
if (opcode == sPermitListen) {
|
||||
@@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(client_alive_interval);
|
||||
M_CP_INTOPT(ip_qos_interactive);
|
||||
|
@ -54,9 +54,9 @@ diff -up openssh-7.4p1/session.c.privsep-selinux openssh-7.4p1/session.c
|
||||
if (setusercontext(lc, pw, pw->pw_uid,
|
||||
(LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
|
||||
@@ -1361,6 +1361,9 @@ do_setusercontext(struct passwd *pw)
|
||||
pw->pw_uid);
|
||||
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
|
||||
"u", pw->pw_name, (char *)NULL);
|
||||
(unsigned long long)pw->pw_uid);
|
||||
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
|
||||
"u", pw->pw_name, "U", uidstr, (char *)NULL);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ sshd_selinux_copy_context();
|
||||
+#endif
|
||||
|
@ -120,7 +120,7 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
|
||||
- while (read(notify_pipe[0], &c, 1) != -1)
|
||||
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
|
||||
+ while (read(notify_pipe[0], &c, 1) >= 0)
|
||||
debug2("notify_done: reading");
|
||||
debug2("%s: reading", __func__);
|
||||
}
|
||||
|
||||
@@ -518,7 +518,7 @@ server_request_tun(void)
|
||||
|
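Review bot: The new drain loop `while (read(notify_pipe[0], &c, 1) >= 0)` still accepts a return of 0, so if the write end of notify_pipe is ever closed the loop spins on EOF exactly as the old `!= -1` form did; `> 0` stops on both error and EOF, i.e. `while (read(notify_pipe[0], &c, 1) > 0)`. Whether EOF can actually occur here depends on who holds the write end, which is not visible in the hunk. notify_done starts and ends outside the hunk.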
@ -88,8 +88,8 @@ diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
|
||||
+#include <openssl/bn.h>
|
||||
+
|
||||
+#include "xmalloc.h"
|
||||
+#include "buffer.h"
|
||||
+#include "key.h"
|
||||
+#include "sshbuf.h"
|
||||
+#include "sshkey.h"
|
||||
+#include "cipher.h"
|
||||
+#include "kex.h"
|
||||
+#include "packet.h"
|
||||
|
@ -157,7 +157,7 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
|
||||
ssh-xmss.o \
|
||||
@@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
|
||||
sandbox-solaris.o
|
||||
sandbox-solaris.o uidswap.o
|
||||
|
||||
-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
|
||||
-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
|
||||
@ -356,7 +356,7 @@ diff -up openssh-6.8p1/configure.ac.ldap openssh-6.8p1/configure.ac
|
||||
diff -up openssh-6.8p1/ldap-helper.c.ldap openssh-6.8p1/ldap-helper.c
|
||||
--- openssh-6.8p1/ldap-helper.c.ldap 2015-03-18 11:11:29.030801464 +0100
|
||||
+++ openssh-6.8p1/ldap-helper.c 2015-03-18 11:11:29.030801464 +0100
|
||||
@@ -0,0 +1,155 @@
|
||||
@@ -0,0 +1,151 @@
|
||||
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
|
||||
@ -390,6 +390,7 @@ diff -up openssh-6.8p1/ldap-helper.c.ldap openssh-6.8p1/ldap-helper.c
|
||||
+#include "ldapbody.h"
|
||||
+#include <string.h>
|
||||
+#include <unistd.h>
|
||||
+#include <stdlib.h>
|
||||
+
|
||||
+static int config_debug = 0;
|
||||
+int config_exclusive_config_file = 0;
|
||||
@ -507,11 +508,6 @@ diff -up openssh-6.8p1/ldap-helper.c.ldap openssh-6.8p1/ldap-helper.c
|
||||
+ ldap_do_close();
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/* Ugly hack */
|
||||
+void *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
|
||||
+void buffer_put_string(Buffer *b, const void *f, u_int l) {}
|
||||
+
|
||||
diff -up openssh-6.8p1/ldap-helper.h.ldap openssh-6.8p1/ldap-helper.h
|
||||
--- openssh-6.8p1/ldap-helper.h.ldap 2015-03-18 11:11:29.031801462 +0100
|
||||
+++ openssh-6.8p1/ldap-helper.h 2015-03-18 11:11:29.031801462 +0100
|
||||
@ -684,6 +680,7 @@ diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
|
||||
+#include "ldapbody.h"
|
||||
+#include <stdio.h>
|
||||
+#include <unistd.h>
|
||||
+#include <stdlib.h>
|
||||
+#include "misc.h"
|
||||
+
|
||||
+#define LDAPSEARCH_FORMAT "(&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)"
|
||||
@ -1188,7 +1185,7 @@ diff -up openssh-6.8p1/ldapbody.h.ldap openssh-6.8p1/ldapbody.h
|
||||
diff -up openssh-6.8p1/ldapconf.c.ldap openssh-6.8p1/ldapconf.c
|
||||
--- openssh-6.8p1/ldapconf.c.ldap 2015-03-18 11:11:29.032801460 +0100
|
||||
+++ openssh-6.8p1/ldapconf.c 2015-03-18 11:11:29.032801460 +0100
|
||||
@@ -0,0 +1,728 @@
|
||||
@@ -0,0 +1,729 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
|
||||
@ -1222,6 +1219,7 @@ diff -up openssh-6.8p1/ldapconf.c.ldap openssh-6.8p1/ldapconf.c
|
||||
+#include "ldapconf.h"
|
||||
+#include <unistd.h>
|
||||
+#include <string.h>
|
||||
+#include <stdlib.h>
|
||||
+
|
||||
+/* Keyword tokens. */
|
||||
+
|
||||
|
@ -23,9 +23,9 @@ diff -up openssh-7.0p1/gss-genr.c.gsskexalg openssh-7.0p1/gss-genr.c
|
||||
ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
|
||||
- const char *host, const char *client) {
|
||||
+ const char *host, const char *client, const char *kex) {
|
||||
Buffer buf;
|
||||
struct sshbuf *buf;
|
||||
size_t i;
|
||||
int oidpos, enclen;
|
||||
int oidpos, enclen, r;
|
||||
@@ -100,6 +101,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||
char deroid[2];
|
||||
const EVP_MD *evp_md = EVP_md5();
|
||||
@ -35,39 +35,44 @@ diff -up openssh-7.0p1/gss-genr.c.gsskexalg openssh-7.0p1/gss-genr.c
|
||||
if (gss_enc2oid != NULL) {
|
||||
for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
|
||||
@@ -113,6 +115,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||
buffer_init(&buf);
|
||||
fatal("%s: sshbuf_new failed", __func__);
|
||||
|
||||
oidpos = 0;
|
||||
+ s = cp = xstrdup(kex);
|
||||
for (i = 0; i < gss_supported->count; i++) {
|
||||
if (gss_supported->elements[i].length < 128 &&
|
||||
(*check)(NULL, &(gss_supported->elements[i]), host, client)) {
|
||||
@@ -131,26 +134,22 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||
@@ -131,28 +134,25 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||
enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
|
||||
encoded, EVP_MD_size(evp_md) * 2);
|
||||
|
||||
- if (oidpos != 0)
|
||||
- buffer_put_char(&buf, ',');
|
||||
- if ((r = sshbuf_put_u8(buf, ',')) != 0)
|
||||
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
-
|
||||
- buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
|
||||
- sizeof(KEX_GSS_GEX_SHA1_ID) - 1);
|
||||
- buffer_append(&buf, encoded, enclen);
|
||||
- buffer_put_char(&buf, ',');
|
||||
- buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID,
|
||||
- sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);
|
||||
- buffer_append(&buf, encoded, enclen);
|
||||
- buffer_put_char(&buf, ',');
|
||||
- buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,
|
||||
- sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);
|
||||
- buffer_append(&buf, encoded, enclen);
|
||||
- if ((r = sshbuf_put(buf, KEX_GSS_GEX_SHA1_ID,
|
||||
- sizeof(KEX_GSS_GEX_SHA1_ID) - 1)) != 0 ||
|
||||
- (r = sshbuf_put(buf, encoded, enclen)) != 0 ||
|
||||
- (r = sshbuf_put_u8(buf, ',')) != 0 ||
|
||||
- (r = sshbuf_put(buf, KEX_GSS_GRP1_SHA1_ID,
|
||||
- sizeof(KEX_GSS_GRP1_SHA1_ID) - 1)) != 0 ||
|
||||
- (r = sshbuf_put(buf, encoded, enclen)) != 0 ||
|
||||
- (r = sshbuf_put_u8(buf, ',')) != 0 ||
|
||||
- (r = sshbuf_put(buf, KEX_GSS_GRP14_SHA1_ID,
|
||||
- sizeof(KEX_GSS_GRP14_SHA1_ID) - 1)) != 0 ||
|
||||
- (r = sshbuf_put(buf, encoded, enclen)) != 0)
|
||||
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ cp = strncpy(s, kex, strlen(kex));
|
||||
+ for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||
+ (p = strsep(&cp, ","))) {
|
||||
+ if (buffer_len(&buf) != 0)
|
||||
+ buffer_put_char(&buf, ',');
|
||||
+ buffer_append(&buf, p,
|
||||
+ strlen(p));
|
||||
+ buffer_append(&buf, encoded, enclen);
|
||||
+ if (sshbuf_len(buf) != 0)
|
||||
+ if ((r = sshbuf_put_u8(buf, ',')) != 0)
|
||||
+ fatal("%s: buffer error: %s",
|
||||
+ __func__, ssh_err(r));
|
||||
+ if ((r = sshbuf_put(buf, p, strlen(p))) != 0 ||
|
||||
+ (r = sshbuf_put(buf, encoded, enclen)) != 0)
|
||||
+ fatal("%s: buffer error: %s",
|
||||
+ __func__, ssh_err(r));
|
||||
+ }
|
||||
|
||||
gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
|
||||
@ -104,7 +109,7 @@ diff -up openssh-7.0p1/kex.c.gsskexalg openssh-7.0p1/kex.c
|
||||
#include "ssherr.h"
|
||||
#include "sshbuf.h"
|
||||
@@ -232,6 +232,29 @@ kex_assemble_names(const char *def, char
|
||||
return 0;
|
||||
return r;
|
||||
}
|
||||
|
||||
+/* Validate GSS KEX method name list */
|
||||
@ -139,7 +144,7 @@ diff -up openssh-7.0p1/kex.h.gsskexalg openssh-7.0p1/kex.h
|
||||
@@ -173,6 +173,7 @@ int kex_names_valid(const char *);
|
||||
char *kex_alg_list(char);
|
||||
char *kex_names_cat(const char *, const char *);
|
||||
int kex_assemble_names(const char *, char **);
|
||||
int kex_assemble_names(char **, const char *, const char *);
|
||||
+int gss_kex_names_valid(const char *);
|
||||
|
||||
int kex_new(struct ssh *, char *[PROPOSAL_MAX], struct kex **);
|
||||
@ -162,7 +167,7 @@ diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c
|
||||
- oGssServerIdentity,
|
||||
+ oGssServerIdentity, oGssKexAlgorithms,
|
||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||
oSendEnv, oControlPath, oControlMaster, oControlPersist,
|
||||
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
|
||||
oHashKnownHosts,
|
||||
@@ -200,6 +201,7 @@ static struct {
|
||||
{ "gssapiclientidentity", oGssClientIdentity },
|
||||
@ -263,9 +268,9 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c
|
||||
sHostKeyAlgorithms,
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
||||
- sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
|
||||
+ sGssKeyEx, sGssStoreRekey, sGssKexAlgorithms, sAcceptEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
- sGssKeyEx, sGssStoreRekey, sAcceptEnv, sSetEnv, sPermitTunnel,
|
||||
+ sGssKeyEx, sGssStoreRekey, sGssKexAlgorithms, sAcceptEnv, sSetEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
sHostCertificate,
|
||||
@@ -506,6 +510,7 @@ static struct {
|
||||
@ -388,7 +393,7 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskexalg openssh-7.0p1/sshconnect2.c
|
||||
+This option only applies to protocol version 2 connections using GSSAPI.
|
||||
.It Cm HostbasedAcceptedKeyTypes
|
||||
Specifies the key types that will be accepted for hostbased authentication
|
||||
as a comma-separated pattern list.
|
||||
as a list of comma-separated patterns.
|
||||
diff -up openssh-7.0p1/ssh-gss.h.gsskexalg openssh-7.0p1/ssh-gss.h
|
||||
--- openssh-7.0p1/ssh-gss.h.gsskexalg 2015-08-19 12:28:38.031518944 +0200
|
||||
+++ openssh-7.0p1/ssh-gss.h 2015-08-19 12:28:38.081518832 +0200
|
||||
|
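Review bot: In the ssh_gssapi_kex_mechs hunk, `enclen` comes from `__b64_ntop` and is passed unchecked into `(r = sshbuf_put(buf, encoded, enclen)) != 0`; `__b64_ntop` returns -1 on failure, and that value becomes a huge size_t once converted, so the new sshbuf calls should be preceded by `if (enclen < 0) fatal("%s: __b64_ntop failed", __func__);`. If the line `cp = strncpy(s, kex, strlen(kex));` survives on the new side it is redundant and worth dropping: `s` already holds `xstrdup(kex)`, and this copy neither changes the contents nor writes a terminator, so it only relies on the NUL that xstrdup wrote. The rest of the function, including the eventual release of the duplicated list in `s`, lies outside this hunk, so I could not confirm the buffer is freed on every path.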
@ -1,324 +0,0 @@
|
||||
diff -up openssh/clientloop.c.fingerprint openssh/clientloop.c
|
||||
--- openssh/clientloop.c.fingerprint 2017-09-26 15:21:22.582477729 +0200
|
||||
+++ openssh/clientloop.c 2017-09-26 15:21:22.620477932 +0200
|
||||
@@ -1854,7 +1854,7 @@ update_known_hosts(struct hostkeys_updat
|
||||
if (ctx->keys_seen[i] != 2)
|
||||
continue;
|
||||
if ((fp = sshkey_fingerprint(ctx->keys[i],
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
|
||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL)
|
||||
fatal("%s: sshkey_fingerprint failed", __func__);
|
||||
do_log2(loglevel, "Learned new hostkey: %s %s",
|
||||
sshkey_type(ctx->keys[i]), fp);
|
||||
@@ -1862,7 +1862,7 @@ update_known_hosts(struct hostkeys_updat
|
||||
}
|
||||
for (i = 0; i < ctx->nold; i++) {
|
||||
if ((fp = sshkey_fingerprint(ctx->old_keys[i],
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
|
||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL)
|
||||
fatal("%s: sshkey_fingerprint failed", __func__);
|
||||
do_log2(loglevel, "Deprecating obsolete hostkey: %s %s",
|
||||
sshkey_type(ctx->old_keys[i]), fp);
|
||||
@@ -1905,7 +1905,7 @@ update_known_hosts(struct hostkeys_updat
|
||||
(r = hostfile_replace_entries(options.user_hostfiles[0],
|
||||
ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys,
|
||||
options.hash_known_hosts, 0,
|
||||
- options.fingerprint_hash)) != 0)
|
||||
+ options.fingerprint_hash[0])) != 0)
|
||||
error("%s: hostfile_replace_entries failed: %s",
|
||||
__func__, ssh_err(r));
|
||||
}
|
||||
@@ -2038,7 +2038,7 @@ client_input_hostkeys(void)
|
||||
error("%s: parse key: %s", __func__, ssh_err(r));
|
||||
goto out;
|
||||
}
|
||||
- fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
||||
+ fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT);
|
||||
debug3("%s: received %s key %s", __func__,
|
||||
sshkey_type(key), fp);
|
||||
diff -up openssh/readconf.c.fingerprint openssh/readconf.c
|
||||
--- openssh/readconf.c.fingerprint 2017-09-26 15:21:22.618477921 +0200
|
||||
+++ openssh/readconf.c 2017-09-26 15:21:22.621477937 +0200
|
||||
@@ -1681,16 +1681,18 @@ parse_keytypes:
|
||||
goto parse_string;
|
||||
|
||||
case oFingerprintHash:
|
||||
- intptr = &options->fingerprint_hash;
|
||||
- arg = strdelim(&s);
|
||||
- if (!arg || *arg == '\0')
|
||||
- fatal("%.200s line %d: Missing argument.",
|
||||
- filename, linenum);
|
||||
- if ((value = ssh_digest_alg_by_name(arg)) == -1)
|
||||
- fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
|
||||
- filename, linenum, arg);
|
||||
- if (*activep && *intptr == -1)
|
||||
- *intptr = value;
|
||||
+ if (*activep && options->num_fingerprint_hash == 0)
|
||||
+ while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
|
||||
+ value = ssh_digest_alg_by_name(arg);
|
||||
+ if (value == -1)
|
||||
+ fatal("%s line %d: unknown fingerprints algorithm specs: %s.",
|
||||
+ filename, linenum, arg);
|
||||
+ if (options->num_fingerprint_hash >= SSH_DIGEST_MAX)
|
||||
+ fatal("%s line %d: too many fingerprints algorithm specs.",
|
||||
+ filename, linenum);
|
||||
+ options->fingerprint_hash[
|
||||
+ options->num_fingerprint_hash++] = value;
|
||||
+ }
|
||||
break;
|
||||
|
||||
case oUpdateHostkeys:
|
||||
@@ -1917,7 +1919,7 @@ initialize_options(Options * options)
|
||||
options->canonicalize_fallback_local = -1;
|
||||
options->canonicalize_hostname = -1;
|
||||
options->revoked_host_keys = NULL;
|
||||
- options->fingerprint_hash = -1;
|
||||
+ options->num_fingerprint_hash = 0;
|
||||
options->update_hostkeys = -1;
|
||||
options->hostbased_key_types = NULL;
|
||||
options->pubkey_key_types = NULL;
|
||||
@@ -2096,8 +2098,10 @@ fill_default_options(Options * options)
|
||||
options->canonicalize_fallback_local = 1;
|
||||
if (options->canonicalize_hostname == -1)
|
||||
options->canonicalize_hostname = SSH_CANONICALISE_NO;
|
||||
- if (options->fingerprint_hash == -1)
|
||||
- options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
+ if (options->num_fingerprint_hash == 0) {
|
||||
+ options->fingerprint_hash[options->num_fingerprint_hash++] = SSH_DIGEST_SHA256;
|
||||
+ options->fingerprint_hash[options->num_fingerprint_hash++] = SSH_DIGEST_MD5;
|
||||
+ }
|
||||
if (options->update_hostkeys == -1)
|
||||
options->update_hostkeys = 0;
|
||||
if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
|
||||
@@ -2474,6 +2478,17 @@ dump_cfg_strarray(OpCodes code, u_int co
|
||||
}
|
||||
|
||||
static void
|
||||
+dump_cfg_fmtarray(OpCodes code, u_int count, int *vals)
|
||||
+{
|
||||
+ u_int i;
|
||||
+
|
||||
+ printf("%s", lookup_opcode_name(code));
|
||||
+ for (i = 0; i < count; i++)
|
||||
+ printf(" %s", fmt_intarg(code, vals[i]));
|
||||
+ printf("\n");
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
dump_cfg_strarray_oneline(OpCodes code, u_int count, char **vals)
|
||||
{
|
||||
u_int i;
|
||||
@@ -2549,7 +2564,6 @@ dump_client_config(Options *o, const cha
|
||||
dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign);
|
||||
dump_cfg_fmtint(oClearAllForwardings, o->clear_forwardings);
|
||||
dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
|
||||
- dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash);
|
||||
dump_cfg_fmtint(oForwardAgent, o->forward_agent);
|
||||
dump_cfg_fmtint(oForwardX11, o->forward_x11);
|
||||
dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted);
|
||||
@@ -2618,6 +2632,7 @@ dump_client_config(Options *o, const cha
|
||||
dump_cfg_strarray_oneline(oGlobalKnownHostsFile, o->num_system_hostfiles, o->system_hostfiles);
|
||||
dump_cfg_strarray_oneline(oUserKnownHostsFile, o->num_user_hostfiles, o->user_hostfiles);
|
||||
dump_cfg_strarray(oSendEnv, o->num_send_env, o->send_env);
|
||||
+ dump_cfg_fmtarray(oFingerprintHash, o->num_fingerprint_hash, o->fingerprint_hash);
|
||||
|
||||
/* Special cases */
|
||||
|
||||
diff -up openssh/readconf.h.fingerprint openssh/readconf.h
|
||||
--- openssh/readconf.h.fingerprint 2017-09-26 15:21:22.618477921 +0200
|
||||
+++ openssh/readconf.h 2017-09-26 15:21:22.621477937 +0200
|
||||
@@ -21,6 +21,7 @@
|
||||
#define MAX_SEND_ENV 256
|
||||
#define SSH_MAX_HOSTS_FILES 32
|
||||
#define MAX_CANON_DOMAINS 32
|
||||
+#define MAX_SSH_DIGESTS 32
|
||||
#define PATH_MAX_SUN (sizeof((struct sockaddr_un *)0)->sun_path)
|
||||
|
||||
struct allowed_cname {
|
||||
@@ -157,7 +158,8 @@ typedef struct {
|
||||
|
||||
char *revoked_host_keys;
|
||||
|
||||
- int fingerprint_hash;
|
||||
+ int num_fingerprint_hash;
|
||||
+ int fingerprint_hash[MAX_SSH_DIGESTS];
|
||||
|
||||
int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
|
||||
|
||||
diff -up openssh/ssh_config.5.fingerprint openssh/ssh_config.5
|
||||
--- openssh/ssh_config.5.fingerprint 2017-09-26 15:21:22.618477921 +0200
|
||||
+++ openssh/ssh_config.5 2017-09-26 15:21:22.621477937 +0200
|
||||
@@ -624,12 +624,13 @@ or
|
||||
.Cm no
|
||||
(the default).
|
||||
.It Cm FingerprintHash
|
||||
-Specifies the hash algorithm used when displaying key fingerprints.
|
||||
+Specifies the hash algorithms used when displaying key fingerprints.
|
||||
Valid options are:
|
||||
.Cm md5
|
||||
and
|
||||
-.Cm sha256
|
||||
-(the default).
|
||||
+.Cm sha256 .
|
||||
+The default is
|
||||
+.Cm "sha256 md5".
|
||||
.It Cm ForwardAgent
|
||||
Specifies whether the connection to the authentication agent (if any)
|
||||
will be forwarded to the remote machine.
|
||||
diff -up openssh/sshconnect2.c.fingerprint openssh/sshconnect2.c
|
||||
--- openssh/sshconnect2.c.fingerprint 2017-09-26 15:21:22.619477926 +0200
|
||||
+++ openssh/sshconnect2.c 2017-09-26 15:21:50.677628003 +0200
|
||||
@@ -679,7 +679,7 @@ input_userauth_pk_ok(int type, u_int32_t
|
||||
key->type, pktype);
|
||||
goto done;
|
||||
}
|
||||
- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
||||
+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT)) == NULL)
|
||||
goto done;
|
||||
debug2("input_userauth_pk_ok: fp %s", fp);
|
||||
@@ -1198,7 +1198,7 @@ sign_and_send_pubkey(Authctxt *authctxt,
|
||||
int matched, ret = -1, have_sig = 1;
|
||||
char *fp;
|
||||
|
||||
- if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
|
||||
+ if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT)) == NULL)
|
||||
return 0;
|
||||
debug3("%s: %s %s", __func__, key_type(id->key), fp);
|
||||
@@ -1620,7 +1620,7 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
if (id->key != NULL) {
|
||||
if (try_identity(id)) {
|
||||
if ((fp = sshkey_fingerprint(id->key,
|
||||
- options.fingerprint_hash,
|
||||
+ options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT)) == NULL) {
|
||||
error("%s: sshkey_fingerprint failed",
|
||||
__func__);
|
||||
@@ -1914,7 +1914,7 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
goto out;
|
||||
}
|
||||
|
||||
- if ((fp = sshkey_fingerprint(private, options.fingerprint_hash,
|
||||
+ if ((fp = sshkey_fingerprint(private, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT)) == NULL) {
|
||||
error("%s: sshkey_fingerprint failed", __func__);
|
||||
goto out;
|
||||
diff -up openssh/sshconnect.c.fingerprint openssh/sshconnect.c
|
||||
--- openssh/sshconnect.c.fingerprint 2017-09-25 01:48:10.000000000 +0200
|
||||
+++ openssh/sshconnect.c 2017-09-26 15:21:22.622477943 +0200
|
||||
@@ -861,9 +861,9 @@ check_host_key(char *hostname, struct so
|
||||
"of known hosts.", type, ip);
|
||||
} else if (options.visual_host_key) {
|
||||
fp = sshkey_fingerprint(host_key,
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT);
|
||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT);
|
||||
ra = sshkey_fingerprint(host_key,
|
||||
- options.fingerprint_hash, SSH_FP_RANDOMART);
|
||||
+ options.fingerprint_hash[0], SSH_FP_RANDOMART);
|
||||
if (fp == NULL || ra == NULL)
|
||||
fatal("%s: sshkey_fingerprint fail", __func__);
|
||||
logit("Host key fingerprint is %s\n%s", fp, ra);
|
||||
@@ -907,12 +907,6 @@ check_host_key(char *hostname, struct so
|
||||
else
|
||||
snprintf(msg1, sizeof(msg1), ".");
|
||||
/* The default */
|
||||
- fp = sshkey_fingerprint(host_key,
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT);
|
||||
- ra = sshkey_fingerprint(host_key,
|
||||
- options.fingerprint_hash, SSH_FP_RANDOMART);
|
||||
- if (fp == NULL || ra == NULL)
|
||||
- fatal("%s: sshkey_fingerprint fail", __func__);
|
||||
msg2[0] = '\0';
|
||||
if (options.verify_host_key_dns) {
|
||||
if (matching_host_key_dns)
|
||||
@@ -926,16 +920,28 @@ check_host_key(char *hostname, struct so
|
||||
}
|
||||
snprintf(msg, sizeof(msg),
|
||||
"The authenticity of host '%.200s (%s)' can't be "
|
||||
- "established%s\n"
|
||||
- "%s key fingerprint is %s.%s%s\n%s"
|
||||
+ "established%s\n", host, ip, msg1);
|
||||
+ for (i = 0; i < (u_int) options.num_fingerprint_hash; i++) {
|
||||
+ fp = sshkey_fingerprint(host_key,
|
||||
+ options.fingerprint_hash[i], SSH_FP_DEFAULT);
|
||||
+ ra = sshkey_fingerprint(host_key,
|
||||
+ options.fingerprint_hash[i], SSH_FP_RANDOMART);
|
||||
+ if (fp == NULL || ra == NULL)
|
||||
+ fatal("%s: sshkey_fingerprint fail", __func__);
|
||||
+ len = strlen(msg);
|
||||
+ snprintf(msg+len, sizeof(msg)-len,
|
||||
+ "%s key fingerprint is %s.%s%s\n%s",
|
||||
+ type, fp,
|
||||
+ options.visual_host_key ? "\n" : "",
|
||||
+ options.visual_host_key ? ra : "",
|
||||
+ msg2);
|
||||
+ free(ra);
|
||||
+ free(fp);
|
||||
+ }
|
||||
+ len = strlen(msg);
|
||||
+ snprintf(msg+len, sizeof(msg)-len,
|
||||
"Are you sure you want to continue connecting "
|
||||
- "(yes/no)? ",
|
||||
- host, ip, msg1, type, fp,
|
||||
- options.visual_host_key ? "\n" : "",
|
||||
- options.visual_host_key ? ra : "",
|
||||
- msg2);
|
||||
- free(ra);
|
||||
- free(fp);
|
||||
+ "(yes/no)? ");
|
||||
if (!confirm(msg))
|
||||
goto fail;
|
||||
hostkey_trusted = 1; /* user explicitly confirmed */
|
||||
@@ -1192,7 +1198,7 @@ verify_host_key(char *host, struct socka
|
||||
struct sshkey *plain = NULL;
|
||||
|
||||
if ((fp = sshkey_fingerprint(host_key,
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
|
||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
|
||||
error("%s: fingerprint host key: %s", __func__, ssh_err(r));
|
||||
r = -1;
|
||||
goto out;
|
||||
@@ -1200,7 +1206,7 @@ verify_host_key(char *host, struct socka
|
||||
|
||||
if (sshkey_is_cert(host_key)) {
|
||||
if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
|
||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
|
||||
error("%s: fingerprint CA key: %s",
|
||||
__func__, ssh_err(r));
|
||||
r = -1;
|
||||
@@ -1369,9 +1375,9 @@ show_other_keys(struct hostkeys *hostkey
|
||||
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
|
||||
continue;
|
||||
fp = sshkey_fingerprint(found->key,
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT);
|
||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT);
|
||||
ra = sshkey_fingerprint(found->key,
|
||||
- options.fingerprint_hash, SSH_FP_RANDOMART);
|
||||
+ options.fingerprint_hash[0], SSH_FP_RANDOMART);
|
||||
if (fp == NULL || ra == NULL)
|
||||
fatal("%s: sshkey_fingerprint fail", __func__);
|
||||
logit("WARNING: %s key found for host %s\n"
|
||||
@@ -1394,7 +1400,7 @@ warn_changed_key(struct sshkey *host_key
|
||||
{
|
||||
char *fp;
|
||||
|
||||
- fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
|
||||
+ fp = sshkey_fingerprint(host_key, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT);
|
||||
if (fp == NULL)
|
||||
fatal("%s: sshkey_fingerprint fail", __func__);
|
||||
diff -up openssh/ssh-keysign.c.fingerprint openssh/ssh-keysign.c
|
||||
--- openssh/ssh-keysign.c.fingerprint 2017-09-25 01:48:10.000000000 +0200
|
||||
+++ openssh/ssh-keysign.c 2017-09-26 15:21:22.622477943 +0200
|
||||
@@ -285,7 +285,7 @@ main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
if (!found) {
|
||||
- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
||||
+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT)) == NULL)
|
||||
fatal("%s: sshkey_fingerprint failed", __progname);
|
||||
fatal("no matching hostkey found for key %s %s",
|
@ -49,4 +49,4 @@ diff -up openssh-7.4p1/sshd_config.5.gss-docs openssh-7.4p1/sshd_config.5
|
||||
+needs to be enabled in the server and also used by the client.
|
||||
.It Cm HostbasedAcceptedKeyTypes
|
||||
Specifies the key types that will be accepted for hostbased authentication
|
||||
as a comma-separated pattern list.
|
||||
as a list of comma-separated patterns.
|
||||
|
@ -1,20 +1,21 @@
|
||||
diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
|
||||
--- openssh-7.4p1/monitor_wrap.c.audit-race 2016-12-23 16:35:52.694685771 +0100
|
||||
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:35:52.697685772 +0100
|
||||
@@ -1107,4 +1107,48 @@ mm_audit_destroy_sensitive_data(const ch
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
|
||||
buffer_free(&m);
|
||||
@@ -1107,4 +1107,50 @@ mm_audit_destroy_sensitive_data(const ch
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, m);
|
||||
sshbuf_free(m);
|
||||
}
|
||||
+
|
||||
+int mm_forward_audit_messages(int fdin)
|
||||
+{
|
||||
+ u_char buf[4];
|
||||
+ u_int blen, msg_len;
|
||||
+ Buffer m;
|
||||
+ int ret = 0;
|
||||
+ struct sshbuf *m;
|
||||
+ int r, ret = 0;
|
||||
+
|
||||
+ debug3("%s: entering", __func__);
|
||||
+ buffer_init(&m);
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ do {
|
||||
+ blen = atomicio(read, fdin, buf, sizeof(buf));
|
||||
+ if (blen == 0) /* closed pipe */
|
||||
@ -28,21 +29,22 @@ diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
|
||||
+ msg_len = get_u32(buf);
|
||||
+ if (msg_len > 256 * 1024)
|
||||
+ fatal("%s: read: bad msg_len %d", __func__, msg_len);
|
||||
+ buffer_clear(&m);
|
||||
+ buffer_append_space(&m, msg_len);
|
||||
+ if (atomicio(read, fdin, buffer_ptr(&m), msg_len) != msg_len) {
|
||||
+ sshbuf_reset(m);
|
||||
+ if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
||||
+ error("%s: Failed to read the the buffer content from the child", __func__);
|
||||
+ ret = -1;
|
||||
+ break;
|
||||
+ }
|
||||
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
|
||||
+ atomicio(vwrite, pmonitor->m_recvfd, buffer_ptr(&m), msg_len) != msg_len) {
|
||||
+ atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
||||
+ error("%s: Failed to write the message to the monitor", __func__);
|
||||
+ ret = -1;
|
||||
+ break;
|
||||
+ }
|
||||
+ } while (1);
|
||||
+ buffer_free(&m);
|
||||
+ sshbuf_free(m);
|
||||
+ return ret;
|
||||
+}
|
||||
+void mm_set_monitor_pipe(int fd)
|
||||
@ -115,7 +117,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
|
||||
ret = do_exec_pty(ssh, s, command);
|
||||
@@ -732,6 +745,20 @@ do_exec(Session *s, const char *command)
|
||||
*/
|
||||
buffer_clear(&loginmsg);
|
||||
sshbuf_reset(loginmsg);
|
||||
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ close(paudit[1]);
|
||||
|
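Review bot: `fatal("%s: read: bad msg_len %d", __func__, msg_len)` in mm_forward_audit_messages formats the `u_int msg_len` with `%d`; use `%u` so an out-of-range length is reported as the value that was actually read rather than as a negative number. The two `atomicio(vwrite, ...)` calls only read from the buffer, so `sshbuf_ptr(m)` is the right accessor there and `sshbuf_mutable_ptr(m)` can be reserved for the read into the space obtained from `sshbuf_reserve`. The `256 * 1024` bound would read better as a named constant with a comment saying where the cap comes from. What happens on a short header read between the `blen == 0` test and `get_u32(buf)` is outside this view.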
@ -136,7 +136,7 @@ diff -up openssh/dh.c.openssl openssh/dh.c
|
||||
need > INT_MAX / 2 || 2 * need > pbits)
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
if (need < 256)
|
||||
@@ -271,10 +275,11 @@ dh_gen_key(DH *dh, int need)
|
||||
@@ -271,11 +275,11 @@ dh_gen_key(DH *dh, int need)
|
||||
* Pollard Rho, Big step/Little Step attacks are O(sqrt(n)),
|
||||
* so double requested need here.
|
||||
*/
|
||||
@ -144,6 +144,7 @@ diff -up openssh/dh.c.openssl openssh/dh.c
|
||||
- if (DH_generate_key(dh) == 0 ||
|
||||
- !dh_pub_is_valid(dh, dh->pub_key)) {
|
||||
- BN_clear_free(dh->priv_key);
|
||||
- dh->priv_key = NULL;
|
||||
+ DH_set_length(dh, MINIMUM(need * 2, pbits - 1));
|
||||
+ if (DH_generate_key(dh) == 0)
|
||||
+ return SSH_ERR_LIBCRYPTO_ERROR;
|
||||
@ -300,8 +301,8 @@ diff -up openssh/gss-genr.c.openssl openssh/gss-genr.c
|
||||
|
||||
if (gss_enc2oid != NULL) {
|
||||
@@ -113,6 +113,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||
|
||||
buffer_init(&buf);
|
||||
if ((buf = sshbuf_new()) == NULL)
|
||||
fatal("%s: sshbuf_new failed", __func__);
|
||||
|
||||
+ md = EVP_MD_CTX_new();
|
||||
oidpos = 0;
|
||||
@ -452,7 +453,7 @@ diff -up openssh/kexdhs.c.openssl openssh/kexdhs.c
|
||||
hash, &hashlen)) != 0)
|
||||
goto out;
|
||||
@@ -197,7 +203,7 @@ input_kex_dh_init(int type, u_int32_t se
|
||||
/* send server hostkey, DH pubkey 'f' and singed H */
|
||||
/* send server hostkey, DH pubkey 'f' and signed H */
|
||||
if ((r = sshpkt_start(ssh, SSH2_MSG_KEXDH_REPLY)) != 0 ||
|
||||
(r = sshpkt_put_string(ssh, server_host_key_blob, sbloblen)) != 0 ||
|
||||
- (r = sshpkt_put_bignum2(ssh, kex->dh->pub_key)) != 0 || /* f */
|
||||
@ -599,7 +600,7 @@ diff -up openssh/kexgexs.c.openssl openssh/kexgexs.c
|
||||
hash, &hashlen)) != 0)
|
||||
goto out;
|
||||
@@ -227,7 +236,7 @@ input_kex_dh_gex_init(int type, u_int32_
|
||||
/* send server hostkey, DH pubkey 'f' and singed H */
|
||||
/* send server hostkey, DH pubkey 'f' and signed H */
|
||||
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REPLY)) != 0 ||
|
||||
(r = sshpkt_put_string(ssh, server_host_key_blob, sbloblen)) != 0 ||
|
||||
- (r = sshpkt_put_bignum2(ssh, kex->dh->pub_key)) != 0 || /* f */
|
||||
@ -636,8 +637,8 @@ diff -up openssh/kexgssc.c.openssl openssh/kexgssc.c
|
||||
} else {
|
||||
packet_start(SSH2_MSG_KEXGSS_CONTINUE);
|
||||
@@ -282,13 +284,14 @@ kexgss_client(struct ssh *ssh) {
|
||||
buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
|
||||
buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
|
||||
sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
|
||||
sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
|
||||
(serverhostkey ? serverhostkey : empty), slen,
|
||||
- dh->pub_key, /* e */
|
||||
+ pub_key, /* e */
|
||||
@ -652,7 +653,7 @@ diff -up openssh/kexgssc.c.openssl openssh/kexgssc.c
|
||||
ssh->kex->hash_alg,
|
||||
ssh->kex->client_version_string,
|
||||
@@ -297,8 +300,8 @@ kexgss_client(struct ssh *ssh) {
|
||||
buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
|
||||
sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
|
||||
(serverhostkey ? serverhostkey : empty), slen,
|
||||
min, nbits, max,
|
||||
- dh->p, dh->g,
|
||||
@ -695,8 +696,8 @@ diff -up openssh/kexgsss.c.openssl openssh/kexgsss.c
|
||||
switch (ssh->kex->kex_type) {
|
||||
case KEX_GSS_GRP1_SHA1:
|
||||
@@ -232,7 +235,7 @@ kexgss_server(struct ssh *ssh)
|
||||
buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
|
||||
buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
|
||||
sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
|
||||
sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
|
||||
NULL, 0, /* Change this if we start sending host keys */
|
||||
- dh_client_pub, dh->pub_key, shared_secret,
|
||||
+ dh_client_pub, pub_key, shared_secret,
|
||||
@ -704,7 +705,7 @@ diff -up openssh/kexgsss.c.openssl openssh/kexgsss.c
|
||||
);
|
||||
break;
|
||||
@@ -244,9 +247,9 @@ kexgss_server(struct ssh *ssh)
|
||||
buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
|
||||
sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
|
||||
NULL, 0,
|
||||
cmin, nbits, cmax,
|
||||
- dh->p, dh->g,
|
||||
@ -1241,14 +1242,14 @@ diff -up openssh/monitor.c.openssl openssh/monitor.c
|
||||
+ const BIGNUM *p, *g;
|
||||
+
|
||||
+ DH_get0_pqg(dh, &p, NULL, &g);
|
||||
buffer_put_char(m, 1);
|
||||
- buffer_put_bignum2(m, dh->p);
|
||||
- buffer_put_bignum2(m, dh->g);
|
||||
+ buffer_put_bignum2(m, p);
|
||||
+ buffer_put_bignum2(m, g);
|
||||
if ((r = sshbuf_put_u8(m, 1)) != 0 ||
|
||||
- (r = sshbuf_put_bignum2(m, dh->p)) != 0 ||
|
||||
- (r = sshbuf_put_bignum2(m, dh->g)) != 0)
|
||||
+ (r = sshbuf_put_bignum2(m, p)) != 0 ||
|
||||
+ (r = sshbuf_put_bignum2(m, g)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
|
||||
DH_free(dh);
|
||||
}
|
||||
diff -up openssh/openbsd-compat/openssl-compat.c.openssl openssh/openbsd-compat/openssl-compat.c
|
||||
--- openssh/openbsd-compat/openssl-compat.c.openssl 2017-09-19 06:26:43.000000000 +0200
|
||||
+++ openssh/openbsd-compat/openssl-compat.c 2017-09-26 13:19:31.799249709 +0200
|
||||
@ -1404,17 +1405,6 @@ diff -up openssh/regress/unittests/sshkey/test_sshkey.c.openssl openssh/regress/
|
||||
TEST_DONE();
|
||||
|
||||
TEST_START("equal KEY_DSA/demoted KEY_DSA");
|
||||
diff -up openssh/sshconnect2.c.openssl openssh/sshconnect2.c
|
||||
--- openssh/sshconnect2.c.openssl 2017-09-26 13:19:31.786249629 +0200
|
||||
+++ openssh/sshconnect2.c 2017-09-26 13:19:31.800249715 +0200
|
||||
@@ -306,6 +306,7 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
packet_send();
|
||||
packet_write_wait();
|
||||
#endif
|
||||
+ /* XXX free myproposal ?? */
|
||||
}
|
||||
|
||||
/*
|
||||
diff -up openssh/ssh.c.openssl openssh/ssh.c
|
||||
--- openssh/ssh.c.openssl 2017-09-26 13:19:31.786249629 +0200
|
||||
+++ openssh/ssh.c 2017-09-26 13:19:31.800249715 +0200
|
||||
|
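Review bot: In the dh_gen_key hunk the new side returns `SSH_ERR_LIBCRYPTO_ERROR` immediately after `DH_generate_key(dh) == 0`, whereas the removed lines also rejected a freshly generated public value that failed `dh_pub_is_valid`; the remainder of the function is outside this hunk, so please confirm that check is re-applied on the new side through `DH_get0_key` before the value is used, since a public value outside (1, p-1) must never be sent. `DH_set_length(dh, MINIMUM(need * 2, pbits - 1))` deserves a one-line comment tying it to the doubled `need` explained in the comment just above it. The `/* XXX free myproposal ?? */` marker added in ssh_kex2 is an open question left in production code; either resolve it or make it a TODO that names who owns `myproposal`.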
@ -10,8 +10,8 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
|
||||
+/* Minimum port number for X11 forwarding */
|
||||
+#define X11_PORT_MIN 6000
|
||||
|
||||
/*
|
||||
* Data structure for storing which hosts are permitted for forward requests.
|
||||
/* Per-channel callback for pre/post select() actions */
|
||||
typedef void chan_fn(struct ssh *, Channel *c,
|
||||
@@ -4228,7 +4228,7 @@ channel_send_window_changes(void)
|
||||
*/
|
||||
int
|
||||
|
@ -91,7 +91,7 @@ index 132df8b5..ed23f06d 100644
|
||||
+ case KEX_GSS_GRP16_SHA512:
|
||||
kex_dh_hash(ssh->kex->hash_alg, ssh->kex->client_version_string,
|
||||
ssh->kex->server_version_string,
|
||||
buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
|
||||
sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
|
||||
diff --git a/kexgsss.c b/kexgsss.c
|
||||
index 82a715cc..b7da8823 100644
|
||||
--- a/kexgsss.c
|
||||
@ -117,7 +117,7 @@ index 82a715cc..b7da8823 100644
|
||||
+ case KEX_GSS_GRP16_SHA512:
|
||||
kex_dh_hash(ssh->kex->hash_alg,
|
||||
ssh->kex->client_version_string, ssh->kex->server_version_string,
|
||||
buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
|
||||
sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
|
||||
diff --git a/monitor.c b/monitor.c
|
||||
index 17046936..d6bc7ac7 100644
|
||||
--- a/monitor.c
|
||||
@ -674,8 +674,8 @@ index ed23f06d..bdb3109a 100644
|
||||
+ kex_c25519_hash(
|
||||
+ kex->hash_alg,
|
||||
+ kex->client_version_string, kex->server_version_string,
|
||||
+ buffer_ptr(kex->my), buffer_len(kex->my),
|
||||
+ buffer_ptr(kex->peer), buffer_len(kex->peer),
|
||||
+ sshbuf_ptr(kex->my), sshbuf_len(kex->my),
|
||||
+ sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
|
||||
+ (serverhostkey ? serverhostkey : empty), slen,
|
||||
+ kex->c25519_client_pubkey, server_pub,
|
||||
+ sshbuf_ptr(c25519_shared_secret), sshbuf_len(c25519_shared_secret),
|
||||
@ -1008,8 +1008,8 @@ index b7da8823..a7c42803 100644
|
||||
+ kex_c25519_hash(
|
||||
+ kex->hash_alg,
|
||||
+ kex->client_version_string, kex->server_version_string,
|
||||
+ buffer_ptr(kex->peer), buffer_len(kex->peer),
|
||||
+ buffer_ptr(kex->my), buffer_len(kex->my),
|
||||
+ sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
|
||||
+ sshbuf_ptr(kex->my), sshbuf_len(kex->my),
|
||||
+ NULL, 0,
|
||||
+ client_pub, c25519_server_pubkey,
|
||||
+ sshbuf_ptr(c25519_shared_secret), sshbuf_len(c25519_shared_secret),
|
||||
@ -1117,8 +1117,8 @@ index d6bc7ac7..b11616c8 100644
|
||||
kex->load_host_public_key=&get_hostkey_public_by_type;
|
||||
@@ -1867,7 +1869,8 @@ mm_answer_gss_sign(int socket, Buffer *m)
|
||||
|
||||
data.value = buffer_get_string(m, &len);
|
||||
data.length = len;
|
||||
if ((r = sshbuf_get_string(m, (u_char **)&data.value, &data.length)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
- if (data.length != 20)
|
||||
+ /* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */
|
||||
+ if (data.length != 20 && data.length != 32 && data.length != 64)
|
||||
|
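Review bot: The `data.length != 20 && data.length != 32 && data.length != 64` test in mm_answer_gss_sign accepts any of the three digest sizes regardless of which GSS KEX method the session negotiated, which is looser than the single-length check it replaces. If the negotiated algorithm is available to the monitor at this point, comparing against `ssh_digest_bytes(<negotiated hash alg>)` would keep the check exact; if it is not, the new comment should say that the size list is only a coarse filter. The enclosing function and the error path taken on a bad length are outside this hunk.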
@ -20,8 +20,8 @@ index ca75cc7..6e7de31 100644
|
||||
+#if defined(__NR_flock) && defined(__s390__)
|
||||
+ SC_ALLOW(__NR_flock),
|
||||
+#endif
|
||||
#ifdef __NR_getpgid
|
||||
SC_ALLOW(__NR_getpgid),
|
||||
#ifdef __NR_geteuid
|
||||
SC_ALLOW(__NR_geteuid),
|
||||
#endif
|
||||
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
|
||||
#ifdef __NR_gettimeofday
|
||||
@ -30,8 +30,8 @@ index ca75cc7..6e7de31 100644
|
||||
+#if defined(__NR_ipc) && defined(__s390__)
|
||||
+ SC_ALLOW(__NR_ipc),
|
||||
+#endif
|
||||
#ifdef __NR_madvise
|
||||
SC_ALLOW(__NR_madvise),
|
||||
#ifdef __NR_getuid
|
||||
SC_ALLOW(__NR_getuid),
|
||||
#endif
|
||||
--
|
||||
1.9.1
|
||||
|
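Review bot: `SC_ALLOW(__NR_ipc)` under the `__s390__` guard admits the whole System V IPC multiplexer, which on s390 fronts the semaphore, message-queue and shared-memory operations together, so the pre-auth sandbox widens by considerably more than a single syscall; the `__NR_flock` addition in the preceding hunk uses the same guard form. Neither addition carries a comment saying which code path in the pre-auth child needs it, and the outer hunk is only 8 lines, so I cannot tell from the page whether the outer change is more than a reflow of context. If only one IPC sub-call is needed, the filter's argument-matching form (`SC_ALLOW_ARG` on argument 0, if available in this file at this version) would keep the allow narrow; otherwise a one-line comment such as `/* s390: <pre-auth consumer> goes through the ipc multiplexer; see <tracker id> */` (placeholders) would let the next reviewer verify the need rather than inherit it.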
@ -77,16 +77,8 @@ diff -up openssh-7.6p1/audit-bsm.c.audit openssh-7.6p1/audit-bsm.c
|
||||
diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
||||
--- openssh-7.6p1/audit.c.audit 2017-10-02 21:34:26.000000000 +0200
|
||||
+++ openssh-7.6p1/audit.c 2017-10-04 17:18:32.834505048 +0200
|
||||
@@ -26,6 +26,7 @@
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
+#include <unistd.h>
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
|
||||
@@ -34,6 +35,12 @@
|
||||
#include "key.h"
|
||||
#include "log.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
+#include "ssh-gss.h"
|
||||
@ -127,7 +119,7 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
||||
}
|
||||
|
||||
+void
|
||||
+audit_key(int host_user, int *rv, const Key *key)
|
||||
+audit_key(int host_user, int *rv, const struct sshkey *key)
|
||||
+{
|
||||
+ char *fp;
|
||||
+
|
||||
@ -268,7 +260,7 @@ diff -up openssh-7.6p1/audit.h.audit openssh-7.6p1/audit.h
|
||||
# define _SSH_AUDIT_H
|
||||
|
||||
#include "loginrec.h"
|
||||
+#include "key.h"
|
||||
+#include "sshkey.h"
|
||||
|
||||
enum ssh_audit_event_type {
|
||||
SSH_LOGIN_EXCEED_MAXTRIES,
|
||||
@ -296,7 +288,7 @@ diff -up openssh-7.6p1/audit.h.audit openssh-7.6p1/audit.h
|
||||
+void audit_end_command(int, const char *);
|
||||
ssh_audit_event_t audit_classify_auth(const char *);
|
||||
+int audit_keyusage(int, char *, int);
|
||||
+void audit_key(int, int *, const Key *);
|
||||
+void audit_key(int, int *, const struct sshkey *);
|
||||
+void audit_unsupported(int);
|
||||
+void audit_kex(int, char *, char *, char *, char *);
|
||||
+void audit_unsupported_body(int);
|
||||
@ -313,7 +305,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||
|
||||
#include "log.h"
|
||||
#include "audit.h"
|
||||
+#include "key.h"
|
||||
+#include "sshkey.h"
|
||||
+#include "hostfile.h"
|
||||
+#include "auth.h"
|
||||
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
|
||||
@ -596,8 +588,8 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||
+const static char *direction[] = { "from-server", "from-client", "both" };
|
||||
+
|
||||
+void
|
||||
+audit_kex_body(int ctos, char *enc, char *mac, char *compress, char *pfs, pid_t pid,
|
||||
+ uid_t uid)
|
||||
+audit_kex_body(int ctos, char *enc, char *mac, char *compress,
|
||||
+ char *pfs, pid_t pid, uid_t uid)
|
||||
+{
|
||||
+#ifdef AUDIT_CRYPTO_SESSION
|
||||
+ char buf[AUDIT_LOG_SIZE];
|
||||
@ -786,11 +778,11 @@ diff -up openssh-7.6p1/auth2-pubkey.c.audit openssh-7.6p1/auth2-pubkey.c
|
||||
/* test for correct signature */
|
||||
authenticated = 0;
|
||||
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
|
||||
- PRIVSEP(sshkey_verify(key, sig, slen, sshbuf_ptr(b),
|
||||
+ PRIVSEP(user_key_verify(key, sig, slen, sshbuf_ptr(b),
|
||||
sshbuf_len(b), NULL, ssh->compat)) == 0) {
|
||||
authenticated = 1;
|
||||
}
|
||||
- PRIVSEP(sshkey_verify(key, sig, slen,
|
||||
+ PRIVSEP(user_key_verify(key, sig, slen,
|
||||
sshbuf_ptr(b), sshbuf_len(b),
|
||||
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
|
||||
ssh->compat)) == 0) {
|
||||
@@ -250,6 +250,19 @@ done:
|
||||
return authenticated;
|
||||
}
|
||||
@ -882,7 +874,7 @@ diff -up openssh-7.6p1/cipher.c.audit openssh-7.6p1/cipher.c
|
||||
-
|
||||
static const struct sshcipher ciphers[] = {
|
||||
#ifdef WITH_OPENSSL
|
||||
{ "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
|
||||
#ifndef OPENSSL_NO_DES
|
||||
@@ -409,7 +409,7 @@ cipher_get_length(struct sshcipher_ctx *
|
||||
void
|
||||
cipher_free(struct sshcipher_ctx *cc)
|
||||
@ -1032,17 +1024,6 @@ diff -up openssh-7.6p1/kex.h.audit openssh-7.6p1/kex.h
|
||||
int kex_dh_hash(int, const char *, const char *,
|
||||
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
|
||||
const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
|
||||
diff -up openssh-7.6p1/key.h.audit openssh-7.6p1/key.h
|
||||
--- openssh-7.6p1/key.h.audit 2017-10-02 21:34:26.000000000 +0200
|
||||
+++ openssh-7.6p1/key.h 2017-10-04 17:18:32.836505059 +0200
|
||||
@@ -43,6 +43,7 @@ typedef struct sshkey Key;
|
||||
#define key_ssh_name_plain sshkey_ssh_name_plain
|
||||
#define key_type_from_name sshkey_type_from_name
|
||||
#define key_is_cert sshkey_is_cert
|
||||
+#define key_is_private sshkey_is_private
|
||||
#define key_type_plain sshkey_type_plain
|
||||
#endif
|
||||
|
||||
diff -up openssh-7.6p1/mac.c.audit openssh-7.6p1/mac.c
|
||||
--- openssh-7.6p1/mac.c.audit 2017-10-02 21:34:26.000000000 +0200
|
||||
+++ openssh-7.6p1/mac.c 2017-10-04 17:18:32.836505059 +0200
|
||||
@ -1102,7 +1083,7 @@ diff -up openssh-7.6p1/monitor.c.audit openssh-7.6p1/monitor.c
|
||||
#include "ssherr.h"
|
||||
|
||||
@@ -117,6 +118,8 @@ extern Buffer auth_debug;
|
||||
extern Buffer loginmsg;
|
||||
extern struct sshbuf *loginmsg;
|
||||
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
|
||||
|
||||
+extern void destroy_sensitive_data(int);
|
||||
@ -1112,13 +1093,13 @@ diff -up openssh-7.6p1/monitor.c.audit openssh-7.6p1/monitor.c
|
||||
|
||||
@@ -167,6 +170,11 @@ int mm_answer_gss_updatecreds(int, Buffe
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
int mm_answer_audit_event(int, Buffer *);
|
||||
int mm_answer_audit_command(int, Buffer *);
|
||||
+int mm_answer_audit_end_command(int, Buffer *);
|
||||
+int mm_answer_audit_unsupported_body(int, Buffer *);
|
||||
+int mm_answer_audit_kex_body(int, Buffer *);
|
||||
+int mm_answer_audit_session_key_free_body(int, Buffer *);
|
||||
+int mm_answer_audit_server_key_free(int, Buffer *);
|
||||
int mm_answer_audit_event(int, struct sshbuf *);
|
||||
int mm_answer_audit_command(int, struct sshbuf *);
|
||||
+int mm_answer_audit_end_command(int, struct sshbuf *);
|
||||
+int mm_answer_audit_unsupported_body(int, struct sshbuf *);
|
||||
+int mm_answer_audit_kex_body(int, struct sshbuf *);
|
||||
+int mm_answer_audit_session_key_free_body(int, struct sshbuf *);
|
||||
+int mm_answer_audit_server_key_free(int, struct sshbuf *);
|
||||
#endif
|
||||
|
||||
static int monitor_read_log(struct monitor *);
|
||||
@ -1145,16 +1126,18 @@ diff -up openssh-7.6p1/monitor.c.audit openssh-7.6p1/monitor.c
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -1396,7 +1413,9 @@ mm_answer_keyverify(int sock, struct ssh
|
||||
@@ -1396,8 +1413,10 @@ mm_answer_keyverify(int sock, struct ssh
|
||||
char *sigalg;
|
||||
size_t signaturelen, datalen, bloblen;
|
||||
int r, ret, valid_data = 0, encoded_ret;
|
||||
+ int type = 0;
|
||||
|
||||
+ type = buffer_get_int(m);
|
||||
if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
|
||||
- if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
|
||||
+ if ((r = sshbuf_get_u32(m, &type)) != 0 ||
|
||||
+ (r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
|
||||
(r = sshbuf_get_string(m, &signature, &signaturelen)) != 0 ||
|
||||
(r = sshbuf_get_string(m, &data, &datalen)) != 0 ||
|
||||
(r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0)
|
||||
@@ -1405,6 +1424,8 @@ mm_answer_keyverify(int sock, struct ssh
|
||||
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
|
||||
!monitor_allowed_key(blob, bloblen))
|
||||
@ -1213,14 +1196,15 @@ diff -up openssh-7.6p1/monitor.c.audit openssh-7.6p1/monitor.c
|
||||
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
|
||||
if (errno != EINTR)
|
||||
exit(1);
|
||||
@@ -1630,11 +1662,45 @@ mm_answer_audit_command(int socket, Buff
|
||||
@@ -1630,12 +1662,47 @@ mm_answer_audit_command(int socket, Buff
|
||||
{
|
||||
u_int len;
|
||||
char *cmd;
|
||||
int r;
|
||||
+ Session *s;
|
||||
|
||||
debug3("%s entering", __func__);
|
||||
cmd = buffer_get_string(m, &len);
|
||||
if ((r = sshbuf_get_cstring(m, &cmd, NULL)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+
|
||||
/* sanity check command, if so how? */
|
||||
- audit_run_command(cmd);
|
||||
@ -1232,8 +1216,8 @@ diff -up openssh-7.6p1/monitor.c.audit openssh-7.6p1/monitor.c
|
||||
+ s->command_handle = audit_run_command(cmd);
|
||||
+#endif
|
||||
+
|
||||
+ buffer_clear(m);
|
||||
+ buffer_put_int(m, s->self);
|
||||
+ sshbuf_reset(m);
|
||||
+ sshbuf_put_u32(m, s->self);
|
||||
+
|
||||
+ mm_request_send(socket, MONITOR_ANS_AUDIT_COMMAND, m);
|
||||
+
|
||||
@ -1241,16 +1225,17 @@ diff -up openssh-7.6p1/monitor.c.audit openssh-7.6p1/monitor.c
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+mm_answer_audit_end_command(int socket, Buffer *m)
|
||||
+mm_answer_audit_end_command(int socket, struct sshbuf *m)
|
||||
+{
|
||||
+ int handle;
|
||||
+ u_int len;
|
||||
+ char *cmd;
|
||||
+ int handle, r;
|
||||
+ size_t len;
|
||||
+ u_char *cmd = NULL;
|
||||
+ Session *s;
|
||||
+
|
||||
+ debug3("%s entering", __func__);
|
||||
+ handle = buffer_get_int(m);
|
||||
+ cmd = buffer_get_string(m, &len);
|
||||
+ if ((r = sshbuf_get_u32(m, &handle)) != 0 ||
|
||||
+ (r = sshbuf_get_string(m, &cmd, &len)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+
|
||||
+ s = session_by_id(handle);
|
||||
+ if (s == NULL || s->ttyfd != -1 || s->command == NULL ||
|
||||
@ -1264,7 +1249,7 @@ diff -up openssh-7.6p1/monitor.c.audit openssh-7.6p1/monitor.c
|
||||
void
|
||||
mm_get_keystate(struct monitor *pmonitor)
|
||||
{
|
||||
+ Buffer m;
|
||||
+ struct sshbuf *m;
|
||||
debug3("%s: Waiting for new keys", __func__);
|
||||
|
||||
if ((child_state = sshbuf_new()) == NULL)
|
||||
@ -1274,11 +1259,11 @@ diff -up openssh-7.6p1/monitor.c.audit openssh-7.6p1/monitor.c
|
||||
debug3("%s: GOT new keys", __func__);
|
||||
+
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ buffer_init(&m);
|
||||
+ m = sshbuf_new();
|
||||
+ mm_request_receive_expect(pmonitor->m_sendfd,
|
||||
+ MONITOR_REQ_AUDIT_SESSION_KEY_FREE, &m);
|
||||
+ mm_answer_audit_session_key_free_body(pmonitor->m_sendfd, &m);
|
||||
+ buffer_free(&m);
|
||||
+ MONITOR_REQ_AUDIT_SESSION_KEY_FREE, m);
|
||||
+ mm_answer_audit_session_key_free_body(pmonitor->m_sendfd, m);
|
||||
+ sshbuf_free(m);
|
||||
+#endif
|
||||
+
|
||||
+ /* Drain any buffered messages from the child */
|
||||
@ -1288,41 +1273,47 @@ diff -up openssh-7.6p1/monitor.c.audit openssh-7.6p1/monitor.c
|
||||
}
|
||||
|
||||
|
||||
@@ -1976,3 +2056,86 @@ mm_answer_gss_updatecreds(int socket, Bu
|
||||
@@ -1976,3 +2056,102 @@ mm_answer_gss_updatecreds(int socket, Bu
|
||||
|
||||
#endif /* GSSAPI */
|
||||
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+int
|
||||
+mm_answer_audit_unsupported_body(int sock, Buffer *m)
|
||||
+mm_answer_audit_unsupported_body(int sock, struct sshbuf *m)
|
||||
+{
|
||||
+ int what;
|
||||
+ int what, r;
|
||||
+
|
||||
+ what = buffer_get_int(m);
|
||||
+ if ((r = sshbuf_get_u32(m, &what)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+
|
||||
+ audit_unsupported_body(what);
|
||||
+
|
||||
+ buffer_clear(m);
|
||||
+ sshbuf_reset(m);
|
||||
+
|
||||
+ mm_request_send(sock, MONITOR_ANS_AUDIT_UNSUPPORTED, m);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+mm_answer_audit_kex_body(int sock, Buffer *m)
|
||||
+mm_answer_audit_kex_body(int sock, struct sshbuf *m)
|
||||
+{
|
||||
+ int ctos, len;
|
||||
+ int ctos, r;
|
||||
+ char *cipher, *mac, *compress, *pfs;
|
||||
+ u_int64_t tmp;
|
||||
+ pid_t pid;
|
||||
+ uid_t uid;
|
||||
+
|
||||
+ ctos = buffer_get_int(m);
|
||||
+ cipher = buffer_get_string(m, &len);
|
||||
+ mac = buffer_get_string(m, &len);
|
||||
+ compress = buffer_get_string(m, &len);
|
||||
+ pfs = buffer_get_string(m, &len);
|
||||
+ pid = buffer_get_int64(m);
|
||||
+ uid = buffer_get_int64(m);
|
||||
+ if ((r = sshbuf_get_u32(m, &ctos)) != 0 ||
|
||||
+ (r = sshbuf_get_cstring(m, &cipher, NULL)) != 0 ||
|
||||
+ (r = sshbuf_get_cstring(m, &mac, NULL)) != 0 ||
|
||||
+ (r = sshbuf_get_cstring(m, &compress, NULL)) != 0 ||
|
||||
+ (r = sshbuf_get_cstring(m, &pfs, NULL)) != 0 ||
|
||||
+ (r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ pid = (pid_t) tmp;
|
||||
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ uid = (pid_t) tmp;
|
||||
+
|
||||
+ audit_kex_body(ctos, cipher, mac, compress, pfs, pid, uid);
|
||||
+
|
||||
@ -1330,47 +1321,57 @@ diff -up openssh-7.6p1/monitor.c.audit openssh-7.6p1/monitor.c
|
||||
+ free(mac);
|
||||
+ free(compress);
|
||||
+ free(pfs);
|
||||
+ buffer_clear(m);
|
||||
+ sshbuf_reset(m);
|
||||
+
|
||||
+ mm_request_send(sock, MONITOR_ANS_AUDIT_KEX, m);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+mm_answer_audit_session_key_free_body(int sock, Buffer *m)
|
||||
+mm_answer_audit_session_key_free_body(int sock, struct sshbuf *m)
|
||||
+{
|
||||
+ int ctos;
|
||||
+ int ctos, r;
|
||||
+ u_int64_t tmp;
|
||||
+ pid_t pid;
|
||||
+ uid_t uid;
|
||||
+
|
||||
+ ctos = buffer_get_int(m);
|
||||
+ pid = buffer_get_int64(m);
|
||||
+ uid = buffer_get_int64(m);
|
||||
+ if ((r = sshbuf_get_u32(m, &ctos)) != 0 ||
|
||||
+ (r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ pid = (pid_t) tmp;
|
||||
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ uid = (uid_t) tmp;
|
||||
+
|
||||
+ audit_session_key_free_body(ctos, pid, uid);
|
||||
+
|
||||
+ buffer_clear(m);
|
||||
+ sshbuf_reset(m);
|
||||
+
|
||||
+ mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+mm_answer_audit_server_key_free(int sock, Buffer *m)
|
||||
+mm_answer_audit_server_key_free(int sock, struct sshbuf *m)
|
||||
+{
|
||||
+ int len;
|
||||
+ size_t len, r;
|
||||
+ char *fp;
|
||||
+ u_int64_t tmp;
|
||||
+ pid_t pid;
|
||||
+ uid_t uid;
|
||||
+
|
||||
+ fp = buffer_get_string(m, &len);
|
||||
+ pid = buffer_get_int64(m);
|
||||
+ uid = buffer_get_int64(m);
|
||||
+ if ((r = sshbuf_get_cstring(m, &fp, &len)) != 0 ||
|
||||
+ (r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ pid = (pid_t) tmp;
|
||||
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ uid = (uid_t) tmp;
|
||||
+
|
||||
+ audit_destroy_sensitive_data(fp, pid, uid);
|
||||
+
|
||||
+ free(fp);
|
||||
+ buffer_clear(m);
|
||||
+ sshbuf_reset(m);
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
@ -1404,15 +1405,17 @@ diff -up openssh-7.6p1/monitor_wrap.c.audit openssh-7.6p1/monitor_wrap.c
|
||||
+mm_sshkey_verify(enum mm_keytype type, const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||
const u_char *data, size_t datalen, const char *sigalg, u_int compat)
|
||||
{
|
||||
Buffer m;
|
||||
@@ -478,6 +478,7 @@ mm_sshkey_verify(const struct sshkey *ke
|
||||
return (0);
|
||||
struct sshbuf *m;
|
||||
@@ -478,7 +478,8 @@ mm_sshkey_verify(const struct sshkey *ke
|
||||
|
||||
buffer_init(&m);
|
||||
+ buffer_put_int(&m, type);
|
||||
buffer_put_string(&m, blob, len);
|
||||
buffer_put_string(&m, sig, siglen);
|
||||
buffer_put_string(&m, data, datalen);
|
||||
if ((m = sshbuf_new()) == NULL)
|
||||
fatal("%s: sshbuf_new failed", __func__);
|
||||
- if ((r = sshkey_puts(key, m)) != 0 ||
|
||||
+ if ((r = sshbuf_put_u32(m, type)) != 0 ||
|
||||
+ (r = sshkey_puts(key, m)) != 0 ||
|
||||
(r = sshbuf_put_string(m, sig, siglen)) != 0 ||
|
||||
(r = sshbuf_put_string(m, data, datalen)) != 0 ||
|
||||
(r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0)
|
||||
@@ -497,6 +498,20 @@ mm_sshkey_verify(const struct sshkey *ke
|
||||
return 0;
|
||||
}
|
||||
@ -1434,27 +1437,29 @@ diff -up openssh-7.6p1/monitor_wrap.c.audit openssh-7.6p1/monitor_wrap.c
|
||||
void
|
||||
mm_send_keystate(struct monitor *monitor)
|
||||
{
|
||||
@@ -874,10 +889,11 @@ mm_audit_event(ssh_audit_event_t event)
|
||||
buffer_free(&m);
|
||||
@@ -874,11 +889,12 @@ mm_audit_event(ssh_audit_event_t event)
|
||||
sshbuf_free(m);
|
||||
}
|
||||
|
||||
-void
|
||||
+int
|
||||
mm_audit_run_command(const char *command)
|
||||
{
|
||||
Buffer m;
|
||||
struct sshbuf *m;
|
||||
int r;
|
||||
+ int handle;
|
||||
|
||||
debug3("%s entering command %s", __func__, command);
|
||||
|
||||
@@ -885,6 +901,26 @@ mm_audit_run_command(const char *command
|
||||
buffer_put_cstring(&m, command);
|
||||
@@ -885,6 +901,30 @@ mm_audit_run_command(const char *command
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);
|
||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_COMMAND, &m);
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, m);
|
||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_COMMAND, m);
|
||||
+
|
||||
+ handle = buffer_get_int(&m);
|
||||
+ buffer_free(&m);
|
||||
+ if ((r = sshbuf_get_u32(m, &handle)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ sshbuf_free(m);
|
||||
+
|
||||
+ return (handle);
|
||||
+}
|
||||
@ -1462,87 +1467,103 @@ diff -up openssh-7.6p1/monitor_wrap.c.audit openssh-7.6p1/monitor_wrap.c
|
||||
+void
|
||||
+mm_audit_end_command(int handle, const char *command)
|
||||
+{
|
||||
+ Buffer m;
|
||||
+ int r;
|
||||
+ struct sshbuf *m;
|
||||
+
|
||||
+ debug3("%s entering command %s", __func__, command);
|
||||
+
|
||||
+ buffer_init(&m);
|
||||
+ buffer_put_int(&m, handle);
|
||||
+ buffer_put_cstring(&m, command);
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ if ((r = sshbuf_put_u32(m, handle)) != 0 ||
|
||||
+ (r = sshbuf_put_cstring(m, command)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_END_COMMAND, &m);
|
||||
buffer_free(&m);
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_END_COMMAND, m);
|
||||
sshbuf_free(m);
|
||||
}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
@@ -1020,3 +1056,70 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
|
||||
|
||||
@@ -1020,3 +1056,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
|
||||
return (ok);
|
||||
}
|
||||
#endif /* GSSAPI */
|
||||
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+void
|
||||
+mm_audit_unsupported_body(int what)
|
||||
+{
|
||||
+ Buffer m;
|
||||
+ int r;
|
||||
+ struct sshbuf *m;
|
||||
+
|
||||
+ buffer_init(&m);
|
||||
+ buffer_put_int(&m, what);
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ if ((r = sshbuf_put_u32(m, what)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_UNSUPPORTED, &m);
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_UNSUPPORTED, m);
|
||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
||||
+ &m);
|
||||
+ m);
|
||||
+
|
||||
+ buffer_free(&m);
|
||||
+ sshbuf_free(m);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress, char *fps, pid_t pid,
|
||||
+ uid_t uid)
|
||||
+{
|
||||
+ Buffer m;
|
||||
+ int r;
|
||||
+ struct sshbuf *m;
|
||||
+
|
||||
+ buffer_init(&m);
|
||||
+ buffer_put_int(&m, ctos);
|
||||
+ buffer_put_cstring(&m, cipher);
|
||||
+ buffer_put_cstring(&m, (mac ? mac : "<implicit>"));
|
||||
+ buffer_put_cstring(&m, compress);
|
||||
+ buffer_put_cstring(&m, fps);
|
||||
+ buffer_put_int64(&m, pid);
|
||||
+ buffer_put_int64(&m, uid);
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ if ((r = sshbuf_put_u32(m, ctos)) != 0 ||
|
||||
+ (r = sshbuf_put_cstring(m, cipher)) != 0 ||
|
||||
+ (r = sshbuf_put_cstring(m, (mac ? mac : "<implicit>"))) != 0 ||
|
||||
+ (r = sshbuf_put_cstring(m, compress)) != 0 ||
|
||||
+ (r = sshbuf_put_cstring(m, fps)) != 0 ||
|
||||
+ (r = sshbuf_put_u64(m, pid)) != 0 ||
|
||||
+ (r = sshbuf_put_u64(m, uid)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, &m);
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, m);
|
||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_KEX,
|
||||
+ &m);
|
||||
+ m);
|
||||
+
|
||||
+ buffer_free(&m);
|
||||
+ sshbuf_free(m);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+mm_audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
|
||||
+{
|
||||
+ Buffer m;
|
||||
+ int r;
|
||||
+ struct sshbuf *m;
|
||||
+
|
||||
+ buffer_init(&m);
|
||||
+ buffer_put_int(&m, ctos);
|
||||
+ buffer_put_int64(&m, pid);
|
||||
+ buffer_put_int64(&m, uid);
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SESSION_KEY_FREE, &m);
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ if ((r = sshbuf_put_u32(m, ctos)) != 0 ||
|
||||
+ (r = sshbuf_put_u64(m, pid)) != 0 ||
|
||||
+ (r = sshbuf_put_u64(m, uid)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SESSION_KEY_FREE, m);
|
||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
|
||||
+ &m);
|
||||
+ buffer_free(&m);
|
||||
+ m);
|
||||
+ sshbuf_free(m);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+mm_audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
|
||||
+{
|
||||
+ Buffer m;
|
||||
+ int r;
|
||||
+ struct sshbuf *m;
|
||||
+
|
||||
+ buffer_init(&m);
|
||||
+ buffer_put_cstring(&m, fp);
|
||||
+ buffer_put_int64(&m, pid);
|
||||
+ buffer_put_int64(&m, uid);
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ if ((r = sshbuf_put_cstring(m, fp)) != 0 ||
|
||||
+ (r = sshbuf_put_u64(m, pid)) != 0 ||
|
||||
+ (r = sshbuf_put_u64(m, uid)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
|
||||
+ buffer_free(&m);
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, m);
|
||||
+ sshbuf_free(m);
|
||||
+}
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-7.6p1/monitor_wrap.h.audit openssh-7.6p1/monitor_wrap.h
|
||||
@ -1577,7 +1598,7 @@ diff -up openssh-7.6p1/packet.c.audit openssh-7.6p1/packet.c
|
||||
--- openssh-7.6p1/packet.c.audit 2017-10-04 17:18:32.672504220 +0200
|
||||
+++ openssh-7.6p1/packet.c 2017-10-04 17:25:48.141741390 +0200
|
||||
@@ -67,6 +67,7 @@
|
||||
#include "key.h" /* typedefs XXX */
|
||||
#include <zlib.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
+#include "audit.h"
|
||||
@ -1642,9 +1663,9 @@ diff -up openssh-7.6p1/packet.c.audit openssh-7.6p1/packet.c
|
||||
+ close(state->connection_in);
|
||||
+ close(state->connection_out);
|
||||
+ }
|
||||
free(ssh->local_ipaddr);
|
||||
ssh->local_ipaddr = NULL;
|
||||
free(ssh->remote_ipaddr);
|
||||
ssh->remote_ipaddr = NULL;
|
||||
free(ssh->state);
|
||||
@@ -854,6 +863,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod
|
||||
(unsigned long long)state->p_read.blocks,
|
||||
(unsigned long long)state->p_send.bytes,
|
||||
@ -1685,16 +1706,16 @@ diff -up openssh-7.6p1/packet.c.audit openssh-7.6p1/packet.c
|
||||
+ cipher_free(state->receive_context);
|
||||
+ cipher_free(state->send_context);
|
||||
+
|
||||
+ buffer_free(state->input);
|
||||
+ sshbuf_free(state->input);
|
||||
+ state->input = NULL;
|
||||
+ buffer_free(state->output);
|
||||
+ sshbuf_free(state->output);
|
||||
+ state->output = NULL;
|
||||
+ buffer_free(state->outgoing_packet);
|
||||
+ sshbuf_free(state->outgoing_packet);
|
||||
+ state->outgoing_packet = NULL;
|
||||
+ buffer_free(state->incoming_packet);
|
||||
+ sshbuf_free(state->incoming_packet);
|
||||
+ state->incoming_packet = NULL;
|
||||
+ if( state->compression_buffer ) {
|
||||
+ buffer_free(state->compression_buffer);
|
||||
+ if (state->compression_buffer) {
|
||||
+ sshbuf_free(state->compression_buffer);
|
||||
+ state->compression_buffer = NULL;
|
||||
+ }
|
||||
+ newkeys_destroy_and_free(state->newkeys[MODE_IN]);
|
||||
@ -1744,7 +1765,7 @@ diff -up openssh-7.6p1/session.c.audit openssh-7.6p1/session.c
|
||||
extern int startup_pipe;
|
||||
-extern void destroy_sensitive_data(void);
|
||||
+extern void destroy_sensitive_data(int);
|
||||
extern Buffer loginmsg;
|
||||
extern struct sshbuf *loginmsg;
|
||||
extern struct sshauthopt *auth_opts;
|
||||
char *tun_fwd_ifnames; /* serverloop.c */
|
||||
@@ -605,6 +605,14 @@ do_exec_pty(struct ssh *ssh, Session *s,
|
||||
@ -1984,11 +2005,11 @@ diff -up openssh-7.6p1/sshd.c.audit openssh-7.6p1/sshd.c
|
||||
if (sensitive_data.host_keys[i]) {
|
||||
+ char *fp;
|
||||
+
|
||||
+ if (key_is_private(sensitive_data.host_keys[i]))
|
||||
+ if (sshkey_is_private(sensitive_data.host_keys[i]))
|
||||
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
|
||||
+ else
|
||||
+ fp = NULL;
|
||||
key_free(sensitive_data.host_keys[i]);
|
||||
sshkey_free(sensitive_data.host_keys[i]);
|
||||
sensitive_data.host_keys[i] = NULL;
|
||||
+ if (fp != NULL) {
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
@ -2005,13 +2026,13 @@ diff -up openssh-7.6p1/sshd.c.audit openssh-7.6p1/sshd.c
|
||||
- if (sensitive_data.host_certificates[i]) {
|
||||
+ if (sensitive_data.host_certificates
|
||||
+ && sensitive_data.host_certificates[i]) {
|
||||
key_free(sensitive_data.host_certificates[i]);
|
||||
sshkey_free(sensitive_data.host_certificates[i]);
|
||||
sensitive_data.host_certificates[i] = NULL;
|
||||
}
|
||||
@@ -499,12 +536,30 @@ demote_sensitive_data(void)
|
||||
{
|
||||
@@ -499,16 +536,34 @@ demote_sensitive_data(void)
|
||||
struct sshkey *tmp;
|
||||
u_int i;
|
||||
int r;
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ pid_t pid;
|
||||
+ uid_t uid;
|
||||
@ -2023,12 +2044,16 @@ diff -up openssh-7.6p1/sshd.c.audit openssh-7.6p1/sshd.c
|
||||
if (sensitive_data.host_keys[i]) {
|
||||
+ char *fp;
|
||||
+
|
||||
+ if (key_is_private(sensitive_data.host_keys[i]))
|
||||
+ if (sshkey_is_private(sensitive_data.host_keys[i]))
|
||||
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
|
||||
+ else
|
||||
+ fp = NULL;
|
||||
tmp = key_demote(sensitive_data.host_keys[i]);
|
||||
key_free(sensitive_data.host_keys[i]);
|
||||
if ((r = sshkey_demote(sensitive_data.host_keys[i],
|
||||
&tmp)) != 0)
|
||||
fatal("could not demote host %s key: %s",
|
||||
sshkey_type(sensitive_data.host_keys[i]),
|
||||
ssh_err(r));
|
||||
sshkey_free(sensitive_data.host_keys[i]);
|
||||
sensitive_data.host_keys[i] = tmp;
|
||||
+ if (fp != NULL) {
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
|
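Review bot: In `mm_answer_audit_server_key_free` the new declaration `size_t len, r;` gives `r` an unsigned type, but it receives `sshbuf_get_cstring`/`sshbuf_get_u64`'s negative `SSH_ERR_*` codes and is then passed to `ssh_err(r)`, so it should be `int r;` as in the sibling handlers (`size_t len;` stays). Several of the new handlers also read a u32 straight into an `int` (`sshbuf_get_u32(m, &what)`, and likewise `&ctos`, `&handle`, `&type` in `mm_answer_audit_kex_body`, `mm_answer_audit_session_key_free_body`, `mm_answer_audit_end_command`, `mm_answer_keyverify` and `mm_audit_run_command`), which passes `int *` where `u_int32_t *` is expected — compilers warn on the incompatible pointer type and newer ones reject it — so read into a `u_int32_t` temporary, e.g. `u_int32_t v; if ((r = sshbuf_get_u32(m, &v)) != 0) fatal(...); what = (int)v;`. `mm_answer_audit_kex_body` casts the second u64 as `uid = (pid_t) tmp;` where the other two handlers use `(uid_t) tmp`; make it `uid = (uid_t) tmp;`. In `mm_answer_keyverify` the `type` value now arrives from the unprivileged child; how it is range-checked against `enum mm_keytype` before it steers verification is outside the visible hunk and is worth confirming. The enclosing functions span several outer hunk boundaries, so parts of their bodies (for example the `free(cipher)` preceding `free(mac)`) are not visible here.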
@ -29,7 +29,7 @@ diff -up openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
|
||||
{
|
||||
static RSA_METHOD helper_rsa;
|
||||
|
||||
@@ -152,6 +160,81 @@ wrap_key(RSA *rsa)
|
||||
@@ -152,6 +160,85 @@ wrap_key(RSA *rsa)
|
||||
return (0);
|
||||
}
|
||||
|
||||
@ -38,30 +38,34 @@ diff -up openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
|
||||
+pkcs11_ecdsa_private_sign(const unsigned char *from, int flen,
|
||||
+ const BIGNUM *inv, const BIGNUM *rp, EC_KEY * ecdsa)
|
||||
+{
|
||||
+ Key key;
|
||||
+ struct sshkey *key;
|
||||
+ u_char *blob, *signature = NULL;
|
||||
+ u_int blen, slen = 0;
|
||||
+ Buffer msg;
|
||||
+ size_t blen, slen = 0;
|
||||
+ struct sshbuf *msg;
|
||||
+ ECDSA_SIG *ret = NULL;
|
||||
+ BIGNUM *r = NULL, *s = NULL;
|
||||
+ int rv;
|
||||
+
|
||||
+ key.type = KEY_ECDSA;
|
||||
+ key.ecdsa = ecdsa;
|
||||
+ key.ecdsa_nid = sshkey_ecdsa_key_to_nid(ecdsa);
|
||||
+ if (key_to_blob(&key, &blob, &blen) == 0)
|
||||
+ key = sshkey_new(KEY_ECDSA);
|
||||
+ key->ecdsa = ecdsa;
|
||||
+ key->ecdsa_nid = sshkey_ecdsa_key_to_nid(ecdsa);
|
||||
+ if (sshkey_to_blob(key, &blob, &blen) == 0)
|
||||
+ return NULL;
|
||||
+ buffer_init(&msg);
|
||||
+ buffer_put_char(&msg, SSH2_AGENTC_SIGN_REQUEST);
|
||||
+ buffer_put_string(&msg, blob, blen);
|
||||
+ buffer_put_string(&msg, from, flen);
|
||||
+ buffer_put_int(&msg, 0);
|
||||
+ if ((msg = sshbuf_new()) == NULL)
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ if ((rv = sshbuf_put_u8(msg, SSH2_AGENTC_SIGN_REQUEST)) != 0 ||
|
||||
+ (rv = sshbuf_put_string(msg, blob, blen)) != 0 ||
|
||||
+ (rv = sshbuf_put_string(msg, from, flen)) != 0 ||
|
||||
+ (rv = sshbuf_put_u32(msg, 0)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(rv));
|
||||
+ free(blob);
|
||||
+ send_msg(&msg);
|
||||
+ buffer_clear(&msg);
|
||||
+ send_msg(msg);
|
||||
+ sshbuf_reset(msg);
|
||||
+
|
||||
+ if (recv_msg(&msg) == SSH2_AGENT_SIGN_RESPONSE) {
|
||||
+ signature = buffer_get_string(&msg, &slen);
|
||||
+ if (slen <= (u_int)ECDSA_size(ecdsa)) {
|
||||
+ if (recv_msg(msg) == SSH2_AGENT_SIGN_RESPONSE) {
|
||||
+ if ((rv = sshbuf_get_string(msg, &signature, &slen)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(rv));
|
||||
+ if (slen <= (size_t)ECDSA_size(ecdsa)) {
|
||||
+ int nlen = slen / 2;
|
||||
+ ret = ECDSA_SIG_new();
|
||||
+ r = BN_new();
|
||||
@ -72,7 +76,7 @@ diff -up openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
|
||||
+ }
|
||||
+ free(signature);
|
||||
+ }
|
||||
+ buffer_free(&msg);
|
||||
+ sshbuf_free(msg);
|
||||
+ return (ret);
|
||||
+}
|
||||
+
|
||||
@ -112,9 +116,9 @@ diff -up openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
|
||||
pkcs11_start_helper(void)
|
||||
{
|
||||
@@ -212,7 +281,15 @@ pkcs11_add_provider(char *name, char *pi
|
||||
blob = buffer_get_string(&msg, &blen);
|
||||
free(buffer_get_string(&msg, NULL));
|
||||
k = key_from_blob(blob, blen);
|
||||
__func__, ssh_err(r));
|
||||
if ((r = sshkey_from_blob(blob, blen, &k)) != 0)
|
||||
fatal("%s: bad key: %s", __func__, ssh_err(r));
|
||||
- wrap_key(k->rsa);
|
||||
+ if(k->type == KEY_RSA) {
|
||||
+ wrap_rsa_key(k->rsa);
|
||||
|
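Review bot: The success test on `sshkey_to_blob` in `pkcs11_ecdsa_private_sign` is inverted: it returns 0 on success (the RSA path in the same patch checks `!= 0` and logs the error), so with `== 0` every signing request returns NULL on the good path and, on failure, falls through with `blob`/`blen` unset. `sshkey_new(KEY_ECDSA)` is also unchecked and the `struct sshkey` it returns is never freed; because `key->ecdsa` aliases the caller's `EC_KEY`, detach it before `sshkey_free()` or the key handed in is freed underneath the caller (and `ECDSA_size(ecdsa)` is still used below). The body of `pkcs11_ecdsa_private_sign` continues past the visible hunk (the `r`/`s` BIGNUM handling and the error path are outside view).
```c
	if ((key = sshkey_new(KEY_ECDSA)) == NULL)
		return NULL;
	key->ecdsa = ecdsa;
	key->ecdsa_nid = sshkey_ecdsa_key_to_nid(ecdsa);
	rv = sshkey_to_blob(key, &blob, &blen);
	key->ecdsa = NULL;	/* borrowed from the caller; must not be freed here */
	sshkey_free(key);
	if (rv != 0)
		return NULL;
	/* … unchanged: build and send SSH2_AGENTC_SIGN_REQUEST … */
```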
@ -17,18 +17,18 @@ index ac959c1f..f8ed1781 100644
|
||||
rm -f regress/unittests/utf8/test_utf8$(EXEEXT)
|
||||
+ rm -f regress/unittests/pkcs11/*.o
|
||||
+ rm -f regress/unittests/pkcs11/test_pkcs11$(EXEEXT)
|
||||
rm -f regress/misc/kexfuzz/*.o
|
||||
rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT)
|
||||
(cd openbsd-compat && $(MAKE) clean)
|
||||
rm -f regress/misc/kexfuzz/*.o
|
||||
rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT)
|
||||
(cd openbsd-compat && $(MAKE) clean)
|
||||
@@ -276,6 +278,8 @@ distclean: regressclean
|
||||
rm -f regress/unittests/match/test_match
|
||||
rm -f regress/unittests/utf8/*.o
|
||||
rm -f regress/unittests/utf8/test_utf8
|
||||
+ rm -f regress/unittests/pkcs11/*.o
|
||||
+ rm -f regress/unittests/pkcs11/test_pkcs11
|
||||
rm -f regress/unittests/misc/kexfuzz
|
||||
(cd openbsd-compat && $(MAKE) distclean)
|
||||
if test -d pkg ; then \
|
||||
rm -f regress/misc/kexfuzz/*.o
|
||||
rm -f regress/misc/kexfuzz
|
||||
(cd openbsd-compat && $(MAKE) distclean)
|
||||
@@ -437,6 +441,7 @@ regress-prep:
|
||||
$(MKDIR_P) `pwd`/regress/unittests/kex
|
||||
$(MKDIR_P) `pwd`/regress/unittests/match
|
||||
@ -72,8 +72,8 @@ index ac959c1f..f8ed1781 100644
|
||||
regress/netcat$(EXEEXT) \
|
||||
+ regress/soft-pkcs11.so \
|
||||
regress/check-perm$(EXEEXT) \
|
||||
regress/mkdtemp$(EXEEXT) \
|
||||
regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
|
||||
regress/unittests/sshkey/test_sshkey$(EXEEXT) \
|
||||
@@ -575,6 +596,7 @@ regress-binaries: regress/modpipe$(EXEEXT) \
|
||||
regress/unittests/kex/test_kex$(EXEEXT) \
|
||||
regress/unittests/match/test_match$(EXEEXT) \
|
||||
@ -81,7 +81,7 @@ index ac959c1f..f8ed1781 100644
|
||||
+ regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \
|
||||
regress/misc/kexfuzz/kexfuzz$(EXEEXT)
|
||||
|
||||
REGRESSTMP = "$(PWD)/regress"
|
||||
tests interop-tests t-exec unit: regress-prep regress-binaries $(TARGETS)
|
||||
diff --git a/authfd.c b/authfd.c
|
||||
index 1eff7ba9..35153f47 100644
|
||||
--- a/authfd.c
|
||||
@ -2717,7 +2717,7 @@ new file mode 100644
|
||||
index 00000000..e83aca54
|
||||
--- /dev/null
|
||||
+++ b/regress/unittests/pkcs11/tests.c
|
||||
@@ -0,0 +1,329 @@
|
||||
@@ -0,0 +1,330 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2017 Red Hat
|
||||
+ *
|
||||
@ -2743,6 +2743,7 @@ index 00000000..e83aca54
|
||||
+
|
||||
+#include "../test_helper/test_helper.h"
|
||||
+
|
||||
+#include "sshbuf.h"
|
||||
+#include "ssh-pkcs11-uri.h"
|
||||
+
|
||||
+#define EMPTY_URI compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL)
|
||||
@ -3288,12 +3289,12 @@ index a023f5f4..882e8381 100644
|
||||
key.type = KEY_RSA;
|
||||
key.rsa = rsa;
|
||||
+ key.ecdsa_nid = 0;
|
||||
if (key_to_blob(&key, &blob, &blen) == 0)
|
||||
if ((r = sshkey_to_blob(&key, &blob, &blen)) != 0) {
|
||||
error("%s: sshkey_to_blob: %s", __func__, ssh_err(r));
|
||||
return -1;
|
||||
buffer_init(&msg);
|
||||
@@ -195,6 +196,8 @@ pkcs11_add_provider(char *name, char *pin, Key ***keysp)
|
||||
u_int blen;
|
||||
Buffer msg;
|
||||
u_int nkeys, i;
|
||||
struct sshbuf *msg;
|
||||
|
||||
+ debug("%s: called, name = %s", __func__, name);
|
||||
+
|
||||
@ -3301,19 +3302,19 @@ index a023f5f4..882e8381 100644
|
||||
return (-1);
|
||||
|
||||
@@ -208,6 +211,7 @@ pkcs11_add_provider(char *name, char *pin, Key ***keysp)
|
||||
if (recv_msg(&msg) == SSH2_AGENT_IDENTITIES_ANSWER) {
|
||||
nkeys = buffer_get_int(&msg);
|
||||
*keysp = xcalloc(nkeys, sizeof(Key *));
|
||||
+ debug("%s: nkeys = %d", __func__, nkeys);
|
||||
if ((r = sshbuf_get_u32(msg, &nkeys)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
*keysp = xcalloc(nkeys, sizeof(struct sshkey *));
|
||||
+ debug("%s: nkeys = %u", __func__, nkeys);
|
||||
for (i = 0; i < nkeys; i++) {
|
||||
blob = buffer_get_string(&msg, &blen);
|
||||
free(buffer_get_string(&msg, NULL));
|
||||
/* XXX clean up properly instead of fatal() */
|
||||
if ((r = sshbuf_get_string(msg, &blob, &blen)) != 0 ||
|
||||
diff --git a/ssh-pkcs11-uri.c b/ssh-pkcs11-uri.c
|
||||
new file mode 100644
|
||||
index 00000000..da15c164
|
||||
--- /dev/null
|
||||
+++ b/ssh-pkcs11-uri.c
|
||||
@@ -0,0 +1,400 @@
|
||||
@@ -0,0 +1,401 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2017 Red Hat
|
||||
+ *
|
||||
@ -3340,6 +3341,7 @@ index 00000000..da15c164
|
||||
+#include <string.h>
|
||||
+
|
||||
+#include "sshkey.h"
|
||||
+#include "sshbuf.h"
|
||||
+#include "log.h"
|
||||
+
|
||||
+#define CRYPTOKI_COMPAT
|
||||
@ -4624,7 +4626,7 @@ index d3619fe2..180eb2e0 100644
|
||||
+ break;
|
||||
+ }
|
||||
+#endif
|
||||
p = tilde_expand_filename(optarg, original_real_uid);
|
||||
p = tilde_expand_filename(optarg, getuid());
|
||||
if (stat(p, &st) < 0)
|
||||
fprintf(stderr, "Warning: Identity file %s "
|
||||
@@ -1999,6 +2007,45 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
|
||||
@ -4656,7 +4658,7 @@ index d3619fe2..180eb2e0 100644
|
||||
+ (nkeys = pkcs11_add_provider_by_uri(uri, NULL, &keys)) > 0) {
|
||||
+ for (i = 0; i < nkeys; i++) {
|
||||
+ if (*n_ids >= SSH_MAX_IDENTITY_FILES) {
|
||||
+ key_free(keys[i]);
|
||||
+ sshkey_free(keys[i]);
|
||||
+ continue;
|
||||
+ }
|
||||
+ identity_keys[*n_ids] = keys[i];
|
||||
@ -4674,9 +4676,9 @@ index d3619fe2..180eb2e0 100644
|
||||
static void
|
||||
load_public_identity_files(struct passwd *pw)
|
||||
@@ -2011,10 +2058,6 @@ load_public_identity_files(struct passwd *pw)
|
||||
struct sshkey *identity_keys[SSH_MAX_IDENTITY_FILES];
|
||||
char *certificate_files[SSH_MAX_CERTIFICATE_FILES];
|
||||
struct sshkey *certificates[SSH_MAX_CERTIFICATE_FILES];
|
||||
int certificate_file_userprovided[SSH_MAX_CERTIFICATE_FILES];
|
||||
-#ifdef ENABLE_PKCS11
|
||||
- struct sshkey **keys;
|
||||
- int nkeys;
|
||||
@ -4684,8 +4686,8 @@ index d3619fe2..180eb2e0 100644
|
||||
|
||||
n_ids = n_certs = 0;
|
||||
memset(identity_files, 0, sizeof(identity_files));
|
||||
@@ -2023,35 +2066,48 @@ load_public_identity_files(struct passwd *pw)
|
||||
memset(certificates, 0, sizeof(certificates));
|
||||
@@ -2023,32 +2066,46 @@ load_public_identity_files(struct passwd *pw)
|
||||
sizeof(certificate_file_userprovided));
|
||||
|
||||
#ifdef ENABLE_PKCS11
|
||||
- if (options.pkcs11_provider != NULL &&
|
||||
@ -4695,7 +4697,7 @@ index d3619fe2..180eb2e0 100644
|
||||
- &keys)) > 0) {
|
||||
- for (i = 0; i < nkeys; i++) {
|
||||
- if (n_ids >= SSH_MAX_IDENTITY_FILES) {
|
||||
- key_free(keys[i]);
|
||||
- sshkey_free(keys[i]);
|
||||
- continue;
|
||||
- }
|
||||
- identity_keys[n_ids] = keys[i];
|
||||
@ -4725,8 +4727,6 @@ index d3619fe2..180eb2e0 100644
|
||||
+ pkcs11_uri_cleanup(uri);
|
||||
}
|
||||
#endif /* ENABLE_PKCS11 */
|
||||
if ((pw = getpwuid(original_real_uid)) == NULL)
|
||||
fatal("load_public_identity_files: getpwuid failed");
|
||||
for (i = 0; i < options.num_identity_files; i++) {
|
||||
+ char *name = options.identity_files[i];
|
||||
if (n_ids >= SSH_MAX_IDENTITY_FILES ||
|
||||
@ -4736,8 +4736,7 @@ index d3619fe2..180eb2e0 100644
|
||||
options.identity_files[i] = NULL;
|
||||
continue;
|
||||
}
|
||||
- cp = tilde_expand_filename(options.identity_files[i],
|
||||
- original_real_uid);
|
||||
- cp = tilde_expand_filename(options.identity_files[i], getuid());
|
||||
+#ifdef ENABLE_PKCS11
|
||||
+ if (strlen(name) >= strlen(PKCS11_URI_SCHEME) &&
|
||||
+ strncmp(name, PKCS11_URI_SCHEME,
|
||||
@ -4748,7 +4747,7 @@ index d3619fe2..180eb2e0 100644
|
||||
+ continue;
|
||||
+ }
|
||||
+#endif /* ENABLE_PKCS11 */
|
||||
+ cp = tilde_expand_filename(name, original_real_uid);
|
||||
+ cp = tilde_expand_filename(name, getuid());
|
||||
filename = percent_expand(cp, "d", pw->pw_dir,
|
||||
"u", pw->pw_name, "l", thishost, "h", host,
|
||||
"r", options.user, (char *)NULL);
|
||||
|
@ -294,7 +294,7 @@ diff -up openssh-7.7p1/Makefile.in.fips openssh-7.7p1/Makefile.in
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
||||
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
$(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
|
||||
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
@ -308,9 +308,9 @@ diff -up openssh-7.7p1/Makefile.in.fips openssh-7.7p1/Makefile.in
|
||||
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o
|
||||
- $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o
|
||||
- $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
||||
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
@ -380,53 +380,35 @@ diff -up openssh-7.7p1/myproposal.h.fips openssh-7.7p1/myproposal.h
|
||||
#else /* WITH_OPENSSL */
|
||||
|
||||
#define KEX_SERVER_KEX \
|
||||
diff -up openssh-7.7p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.fips openssh-7.7p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c
|
||||
--- openssh-7.7p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.fips 2018-08-08 10:08:40.649718516 +0200
|
||||
+++ openssh-7.7p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c 2018-08-08 10:08:40.823719982 +0200
|
||||
@@ -55,6 +55,7 @@
|
||||
#include "secure_filename.h"
|
||||
#include "uidswap.h"
|
||||
#include <unistd.h>
|
||||
+#include <openssl/crypto.h>
|
||||
|
||||
#include "identity.h"
|
||||
|
||||
@@ -104,7 +105,8 @@ pamsshagentauth_check_authkeys_file(FILE
|
||||
found_key = 1;
|
||||
logit("matching key found: file/command %s, line %lu", file,
|
||||
linenum);
|
||||
- fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
|
||||
+ fp = sshkey_fingerprint(found, FIPS_mode() ? SSH_DIGEST_SHA1 : SSH_DIGEST_MD5,
|
||||
+ SSH_FP_HEX);
|
||||
logit("Found matching %s key: %s",
|
||||
sshkey_type(found), fp);
|
||||
free(fp);
|
||||
diff -up openssh-7.7p1/readconf.c.fips openssh-7.7p1/readconf.c
|
||||
--- openssh-7.7p1/readconf.c.fips 2018-08-08 10:08:40.769719527 +0200
|
||||
+++ openssh-7.7p1/readconf.c 2018-08-08 10:08:40.824719990 +0200
|
||||
@@ -2081,12 +2081,17 @@ fill_default_options(Options * options)
|
||||
}
|
||||
if (options->update_hostkeys == -1)
|
||||
options->update_hostkeys = 0;
|
||||
- if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
|
||||
- kex_assemble_names(KEX_CLIENT_MAC, &options->macs) != 0 ||
|
||||
- kex_assemble_names(KEX_CLIENT_KEX, &options->kex_algorithms) != 0 ||
|
||||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
||||
+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT
|
||||
+ : KEX_CLIENT_ENCRYPT), &options->ciphers) != 0 ||
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC
|
||||
+ : KEX_CLIENT_MAC), &options->macs) != 0 ||
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS
|
||||
+ : KEX_CLIENT_KEX), &options->kex_algorithms) != 0 ||
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
|
||||
+ : KEX_DEFAULT_PK_ALG),
|
||||
&options->hostbased_key_types) != 0 ||
|
||||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
|
||||
+ : KEX_DEFAULT_PK_ALG),
|
||||
&options->pubkey_key_types) != 0)
|
||||
fatal("%s: kex_assemble_names failed", __func__);
|
||||
|
||||
@@ -2081,17 +2081,18 @@ fill_default_options(Options * options)
|
||||
all_mac = mac_alg_list(',');
|
||||
all_kex = kex_alg_list(',');
|
||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||
-#define ASSEMBLE(what, defaults, all) \
|
||||
+#define ASSEMBLE(what, defaults, fips_defaults, all) \
|
||||
do { \
|
||||
if ((r = kex_assemble_names(&options->what, \
|
||||
- defaults, all)) != 0) \
|
||||
+ (FIPS_mode() ? fips_defaults : defaults), \
|
||||
+ all)) != 0) \
|
||||
fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
|
||||
} while (0)
|
||||
- ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher);
|
||||
- ASSEMBLE(macs, KEX_SERVER_MAC, all_mac);
|
||||
- ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
|
||||
- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
||||
- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
||||
+ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
|
||||
+ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
|
||||
+ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
|
||||
+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
||||
+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
||||
#undef ASSEMBLE
|
||||
free(all_cipher);
|
||||
free(all_mac);
|
||||
diff -up openssh-7.7p1/sandbox-seccomp-filter.c.fips openssh-7.7p1/sandbox-seccomp-filter.c
|
||||
--- openssh-7.7p1/sandbox-seccomp-filter.c.fips 2018-08-08 10:08:40.794719737 +0200
|
||||
+++ openssh-7.7p1/sandbox-seccomp-filter.c 2018-08-08 10:08:40.824719990 +0200
|
||||
@ -443,33 +425,33 @@ diff -up openssh-7.7p1/sandbox-seccomp-filter.c.fips openssh-7.7p1/sandbox-secco
|
||||
diff -up openssh-7.7p1/servconf.c.fips openssh-7.7p1/servconf.c
|
||||
--- openssh-7.7p1/servconf.c.fips 2018-08-08 10:08:40.778719603 +0200
|
||||
+++ openssh-7.7p1/servconf.c 2018-08-08 10:08:40.824719990 +0200
|
||||
@@ -196,14 +196,20 @@ option_clear_or_none(const char *o)
|
||||
static void
|
||||
assemble_algorithms(ServerOptions *o)
|
||||
{
|
||||
- if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 ||
|
||||
- kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 ||
|
||||
- kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 ||
|
||||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
||||
+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT
|
||||
+ : KEX_SERVER_ENCRYPT), &o->ciphers) != 0 ||
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC
|
||||
+ : KEX_SERVER_MAC), &o->macs) != 0 ||
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS
|
||||
+ : KEX_SERVER_KEX), &o->kex_algorithms) != 0 ||
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
|
||||
+ : KEX_DEFAULT_PK_ALG),
|
||||
&o->hostkeyalgorithms) != 0 ||
|
||||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
|
||||
+ : KEX_DEFAULT_PK_ALG),
|
||||
&o->hostbased_key_types) != 0 ||
|
||||
- kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0)
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
|
||||
+ : KEX_DEFAULT_PK_ALG), &o->pubkey_key_types) != 0)
|
||||
fatal("kex_assemble_names failed");
|
||||
}
|
||||
|
||||
@@ -196,17 +196,18 @@ option_clear_or_none(const char *o)
|
||||
all_mac = mac_alg_list(',');
|
||||
all_kex = kex_alg_list(',');
|
||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||
-#define ASSEMBLE(what, defaults, all) \
|
||||
+#define ASSEMBLE(what, defaults, fips_defaults, all) \
|
||||
do { \
|
||||
- if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
|
||||
+ if ((r = kex_assemble_names(&o->what, (FIPS_mode() \
|
||||
+ ? fips_defaults : defaults), all)) != 0) \
|
||||
fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
|
||||
} while (0)
|
||||
- ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher);
|
||||
- ASSEMBLE(macs, KEX_SERVER_MAC, all_mac);
|
||||
- ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
|
||||
- ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
|
||||
- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
||||
- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
||||
+ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
|
||||
+ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
|
||||
+ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
|
||||
+ ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
||||
+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
||||
+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
||||
#undef ASSEMBLE
|
||||
free(all_cipher);
|
||||
free(all_mac);
|
||||
diff -up openssh-7.7p1/ssh.c.fips openssh-7.7p1/ssh.c
|
||||
--- openssh-7.7p1/ssh.c.fips 2018-08-08 10:08:40.811719881 +0200
|
||||
+++ openssh-7.7p1/ssh.c 2018-08-08 10:08:40.825719999 +0200
|
||||
@ -581,14 +563,14 @@ diff -up openssh-7.7p1/sshconnect2.c.fips openssh-7.7p1/sshconnect2.c
|
||||
}
|
||||
#endif
|
||||
@@ -322,14 +330,16 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
||||
if (options.hostkeyalgorithms != NULL) {
|
||||
- if (kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
||||
+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
|
||||
+ : KEX_DEFAULT_PK_ALG),
|
||||
&options.hostkeyalgorithms) != 0)
|
||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||
if (kex_assemble_names(&options.hostkeyalgorithms,
|
||||
- KEX_DEFAULT_PK_ALG, all_key) != 0)
|
||||
+ (FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG),
|
||||
+ all_key) != 0)
|
||||
fatal("%s: kex_assemble_namelist", __func__);
|
||||
free(all_key);
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
||||
compat_pkalg_proposal(options.hostkeyalgorithms);
|
||||
} else {
|
||||
|
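Review bot: In the new `ASSEMBLE(what, defaults, fips_defaults, all)` hunks for readconf.c and servconf.c the `FIPS_mode()` switch only changes the defaults argument, while the `all` argument (`mac_alg_list(',')`, `kex_alg_list(',')`, `sshkey_alg_list(0, 0, 1, ',')`) is built the same way in and out of FIPS mode, so an explicit `Ciphers`/`MACs`/`KexAlgorithms` line or a `+`/`-`/`^` modifier is presumably checked by `kex_assemble_names()` against the full, unfiltered algorithm set. If the non-approved algorithms are dropped from those lists elsewhere in this patch that is fine, but a one-line comment on the macro saying so (`/* explicit lists are FIPS-filtered in the *_alg_list() helpers */`, or wherever it happens) would save the next reader from checking; if they are not, a `MACs hmac-md5` in the config would still be accepted in FIPS mode by these hunks. The macro name `KEX_DEFAULT_KEX_FIPS` also breaks the `KEX_FIPS_*` pattern used by `KEX_FIPS_ENCRYPT`, `KEX_FIPS_MAC` and `KEX_FIPS_PK_ALG`; `KEX_FIPS_KEX` would make the pairs read uniformly. `fill_default_options()`, `assemble_algorithms()` and `ssh_kex2()` all start and end outside the hunks shown.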
@ -148,7 +148,7 @@ diff -up openssh-7.7p1/sshd_config.redhat openssh-7.7p1/sshd_config
|
||||
+
|
||||
#PrintLastLog yes
|
||||
#TCPKeepAlive yes
|
||||
#UseLogin no
|
||||
#PermitUserEnvironment no
|
||||
@@ -106,6 +126,12 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# no default banner path
|
||||
#Banner none
|
||||
|
@ -1,152 +0,0 @@
|
||||
From 4f60e4f66b5880c9f50ef758e8b7f7a9ae786d21 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Tucker <dtucker@dtucker.net>
|
||||
Date: Fri, 13 Apr 2018 13:13:33 +1000
|
||||
Subject: [PATCH 1/5] Revert $REGRESSTMP changes.
|
||||
|
||||
Revert 3fd2d229 and subsequent changes as they turned out to be a
|
||||
portability hassle.
|
||||
---
|
||||
Makefile.in | 4 +---
|
||||
1 file changed, 1 insertion(+), 3 deletions(-)
|
||||
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 04e1c8e53..dd942ee7b 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -577,8 +577,6 @@ regress-binaries: regress/modpipe$(EXEEXT) \
|
||||
regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \
|
||||
regress/misc/kexfuzz/kexfuzz$(EXEEXT)
|
||||
|
||||
-REGRESSTMP = "$(PWD)/regress"
|
||||
-
|
||||
tests interop-tests t-exec unit: regress-prep regress-binaries $(TARGETS)
|
||||
BUILDDIR=`pwd`; \
|
||||
TEST_SSH_SCP="$${BUILDDIR}/scp"; \
|
||||
@@ -602,7 +600,7 @@ tests interop-tests t-exec unit: regress-prep regress-binaries $(TARGETS)
|
||||
.OBJDIR="$${BUILDDIR}/regress" \
|
||||
.CURDIR="`pwd`" \
|
||||
BUILDDIR="$${BUILDDIR}" \
|
||||
- OBJ="$(REGRESSTMP)" \
|
||||
+ OBJ="$${BUILDDIR}/regress/" \
|
||||
PATH="$${BUILDDIR}:$${PATH}" \
|
||||
TEST_ENV=MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \
|
||||
TEST_MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \
|
||||
|
||||
From b81b2d120e9c8a83489e241620843687758925ad Mon Sep 17 00:00:00 2001
|
||||
From: Damien Miller <djm@mindrot.org>
|
||||
Date: Fri, 13 Apr 2018 13:38:06 +1000
|
||||
Subject: [PATCH 2/5] Fix tunnel forwarding broken in 7.7p1
|
||||
|
||||
bz2855, ok dtucker@
|
||||
---
|
||||
openbsd-compat/port-net.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/openbsd-compat/port-net.c b/openbsd-compat/port-net.c
|
||||
index 7050629c3..bb535626f 100644
|
||||
--- a/openbsd-compat/port-net.c
|
||||
+++ b/openbsd-compat/port-net.c
|
||||
@@ -185,7 +185,7 @@ sys_tun_open(int tun, int mode, char **ifname)
|
||||
else
|
||||
debug("%s: %s mode %d fd %d", __func__, ifr.ifr_name, mode, fd);
|
||||
|
||||
- if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)))
|
||||
+ if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)) == NULL)
|
||||
goto failed;
|
||||
|
||||
return (fd);
|
||||
@@ -272,7 +272,7 @@ sys_tun_open(int tun, int mode, char **ifname)
|
||||
goto failed;
|
||||
}
|
||||
|
||||
- if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)))
|
||||
+ if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)) == NULL)
|
||||
goto failed;
|
||||
|
||||
close(sock);
|
||||
|
||||
From 341727df910e12e26ef161508ed76d91c40a61eb Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Mon, 9 Apr 2018 23:54:49 +0000
|
||||
Subject: [PATCH 3/5] upstream: don't kill ssh-agent's listening socket
|
||||
entriely if we
|
||||
|
||||
fail to accept a connection; bz#2837, patch from Lukas Kuster
|
||||
|
||||
OpenBSD-Commit-ID: 52413f5069179bebf30d38f524afe1a2133c738f
|
||||
---
|
||||
ssh-agent.c | 7 +++----
|
||||
1 file changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/ssh-agent.c b/ssh-agent.c
|
||||
index 2a4578b03..68de56ce6 100644
|
||||
--- a/ssh-agent.c
|
||||
+++ b/ssh-agent.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: ssh-agent.c,v 1.228 2018/02/23 15:58:37 markus Exp $ */
|
||||
+/* $OpenBSD: ssh-agent.c,v 1.229 2018/04/09 23:54:49 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -909,9 +909,8 @@ after_poll(struct pollfd *pfd, size_t npfd)
|
||||
/* Process events */
|
||||
switch (sockets[socknum].type) {
|
||||
case AUTH_SOCKET:
|
||||
- if ((pfd[i].revents & (POLLIN|POLLERR)) != 0 &&
|
||||
- handle_socket_read(socknum) != 0)
|
||||
- close_socket(&sockets[socknum]);
|
||||
+ if ((pfd[i].revents & (POLLIN|POLLERR)) != 0)
|
||||
+ handle_socket_read(socknum);
|
||||
break;
|
||||
case AUTH_CONNECTION:
|
||||
if ((pfd[i].revents & (POLLIN|POLLERR)) != 0 &&
|
||||
|
||||
From 3402cc607049ac900f6d8574bc2ce657a8cdf4fe Mon Sep 17 00:00:00 2001
|
||||
From: Darren Tucker <dtucker@dtucker.net>
|
||||
Date: Fri, 13 Apr 2018 13:43:55 +1000
|
||||
Subject: [PATCH 4/5] Using "==" in shell tests is not portable.
|
||||
|
||||
Patch from rsbecker at nexbridge.com.
|
||||
---
|
||||
configure.ac | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 663062bef..2e84d90b7 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -1398,7 +1398,7 @@ AC_RUN_IFELSE(
|
||||
)
|
||||
AC_MSG_RESULT([$func_calloc_0_nonnull])
|
||||
|
||||
-if test "x$func_calloc_0_nonnull" == "xyes"; then
|
||||
+if test "x$func_calloc_0_nonnull" = "xyes"; then
|
||||
AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
|
||||
else
|
||||
AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
|
||||
|
||||
From 85fe48fd49f2e81fa30902841b362cfbb7f1933b Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Sat, 14 Apr 2018 21:50:41 +0000
|
||||
Subject: [PATCH 5/5] upstream: don't free the %C expansion, it's used later
|
||||
for
|
||||
|
||||
LocalCommand
|
||||
|
||||
OpenBSD-Commit-ID: 857b5cb37b2d856bfdfce61289a415257a487fb1
|
||||
---
|
||||
ssh.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/ssh.c b/ssh.c
|
||||
index d3619fe29..9c011dd7e 100644
|
||||
--- a/ssh.c
|
||||
+++ b/ssh.c
|
||||
@@ -1323,7 +1323,6 @@ main(int ac, char **av)
|
||||
(char *)NULL);
|
||||
free(cp);
|
||||
}
|
||||
- free(conn_hash_hex);
|
||||
|
||||
if (config_test) {
|
||||
dump_client_config(&options, host);
|
@ -3,7 +3,7 @@ diff --git a/sshd.c b/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -1701,6 +1701,10 @@ main(int ac, char **av)
|
||||
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
||||
&cfg, NULL);
|
||||
cfg, NULL);
|
||||
|
||||
+ /* 'UsePAM no' is not supported in Fedora */
|
||||
+ if (! options.use_pam)
|
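Review bot: The new `if (! options.use_pam)` check runs immediately after `parse_server_config()` and before any defaults are filled in, so it only fires when sshd_config explicitly says `UsePAM no`; if `use_pam` follows the `-1` = unset convention the other server options use and is defaulted later, a config that simply omits `UsePAM` passes this check and can still end up with PAM disabled. Moving the check after the defaults are applied, or making the downstream default `UsePAM yes` where the sentinel is resolved, closes that gap; at minimum a comment such as `/* only catches an explicit "UsePAM no"; an unset value (-1) is resolved later */` should record the limitation. The body of the `if` and the rest of `main()` are outside the hunk, so what happens on a match is not visible here. The spacing `! options.use_pam` is also unusual for this file, which writes `!options.use_pam`.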
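--- /dev/null
+++ b/openssh-7.8p1-ip-port-config-parser.patch
@@ -0,0 +1,72 @@
+diff -up openssh/misc.c.config openssh/misc.c
+--- openssh/misc.c.config 2018-08-22 13:58:54.922807799 +0200
++++ openssh/misc.c 2018-08-22 13:58:55.000808428 +0200
+@@ -485,7 +485,7 @@ put_host_port(const char *host, u_short
+* The delimiter char, if present, is stored in delim.
+* If this is the last field, *cp is set to NULL.
+*/
+-static char *
++char *
+hpdelim2(char **cp, char *delim)
+{
+char *s, *old;
+diff -up openssh/misc.h.config openssh/misc.h
+--- openssh/misc.h.config 2018-08-20 07:57:29.000000000 +0200
++++ openssh/misc.h 2018-08-22 13:58:55.001808436 +0200
+@@ -54,6 +54,7 @@ int set_rdomain(int, const char *);
+int a2port(const char *);
+int a2tun(const char *, int *);
+char *put_host_port(const char *, u_short);
++char *hpdelim2(char **, char *);
+char *hpdelim(char **);
+char *cleanhostname(char *);
+char *colon(char *);
+diff -up openssh/servconf.c.config openssh/servconf.c
+--- openssh/servconf.c.config 2018-08-22 13:58:54.989808340 +0200
++++ openssh/servconf.c 2018-08-22 14:18:49.235443937 +0200
+@@ -886,7 +886,7 @@ process_permitopen_list(struct ssh *ssh,
+{
+u_int i;
+int port;
+- char *host, *arg, *oarg;
++ char *host, *arg, *oarg, ch;
+int where = opcode == sPermitOpen ? FORWARD_LOCAL : FORWARD_REMOTE;
+const char *what = lookup_opcode_name(opcode);
+
+@@ -904,8 +904,8 @@ process_permitopen_list(struct ssh *ssh,
+/* Otherwise treat it as a list of permitted host:port */
+for (i = 0; i < num_opens; i++) {
+oarg = arg = xstrdup(opens[i]);
+- host = hpdelim(&arg);
+- if (host == NULL)
++ host = hpdelim2(&arg, &ch);
++ if (host == NULL || ch == '/')
+fatal("%s: missing host in %s", __func__, what);
+host = cleanhostname(host);
+if (arg == NULL || ((port = permitopen_port(arg)) < 0))
+@@ -1323,8 +1323,10 @@ process_server_config_line(ServerOptions
+port = 0;
+p = arg;
+} else {
+- p = hpdelim(&arg);
+- if (p == NULL)
++ char ch;
++ arg2 = NULL;
++ p = hpdelim2(&arg, &ch);
++ if (p == NULL || ch == '/')
+fatal("%s line %d: bad address:port usage",
+filename, linenum);
+p = cleanhostname(p);
+@@ -1965,9 +1967,10 @@ process_server_config_line(ServerOptions
+*/
+xasprintf(&arg2, "*:%s", arg);
+} else {
++ char ch;
+arg2 = xstrdup(arg);
+- p = hpdelim(&arg);
+- if (p == NULL) {
++ p = hpdelim2(&arg, &ch);
++ if (p == NULL || ch == '/') {
+fatal("%s line %d: missing host in %s",
+filename, linenum,
+lookup_opcode_name(opcode));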
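Review bot: `ch` is read before it is guaranteed to be written at all three new `hpdelim2(&arg, &ch)` call sites — the body of `hpdelim2()` is outside this hunk, but the visible comment says the delimiter is stored in `delim` only "if present", so on a field with no `:`/`/` at all `*delim` is presumably left untouched and `ch == '/'` then tests an indeterminate value. Initialising it at each site (`char ch = '\0';` in the two `process_server_config_line` blocks and `ch = '\0';` before the call in `process_permitopen_list`) keeps the check well-defined whatever `hpdelim2()` does on the last field. The `fatal()` messages also still say "missing host" or "bad address:port usage" when the actual problem is a `/` separator, which will puzzle anyone who writes `ListenAddress 10.0.0.0/8`; a distinct message such as `"%s line %d: '/' is not allowed in %s"` would point at the real mistake. The enclosing functions start and end outside the hunks shown.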
@ -1,7 +1,7 @@
|
||||
diff -up openssh-7.4p1/auth2.c.role-mls openssh-7.4p1/auth2.c
|
||||
--- openssh-7.4p1/auth2.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/auth2.c 2016-12-23 12:19:58.587459379 +0100
|
||||
@@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32
|
||||
diff -up openssh/auth2.c.role-mls openssh/auth2.c
|
||||
--- openssh/auth2.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth2.c 2018-08-22 11:14:56.815430916 +0200
|
||||
@@ -256,6 +256,9 @@ input_userauth_request(int type, u_int32
|
||||
Authctxt *authctxt = ssh->authctxt;
|
||||
Authmethod *m = NULL;
|
||||
char *user, *service, *method, *style = NULL;
|
||||
@ -9,9 +9,9 @@ diff -up openssh-7.4p1/auth2.c.role-mls openssh-7.4p1/auth2.c
|
||||
+ char *role = NULL;
|
||||
+#endif
|
||||
int authenticated = 0;
|
||||
double tstart = monotime_double();
|
||||
|
||||
if (authctxt == NULL)
|
||||
@@ -226,6 +229,11 @@ input_userauth_request(int type, u_int32
|
||||
@@ -268,6 +271,11 @@ input_userauth_request(int type, u_int32
|
||||
debug("userauth-request for user %s service %s method %s", user, service, method);
|
||||
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
|
||||
|
||||
@ -23,7 +23,7 @@ diff -up openssh-7.4p1/auth2.c.role-mls openssh-7.4p1/auth2.c
|
||||
if ((style = strchr(user, ':')) != NULL)
|
||||
*style++ = 0;
|
||||
|
||||
@@ -251,8 +259,15 @@ input_userauth_request(int type, u_int32
|
||||
@@ -296,8 +304,15 @@ input_userauth_request(int type, u_int32
|
||||
use_privsep ? " [net]" : "");
|
||||
authctxt->service = xstrdup(service);
|
||||
authctxt->style = style ? xstrdup(style) : NULL;
|
||||
@ -40,49 +40,48 @@ diff -up openssh-7.4p1/auth2.c.role-mls openssh-7.4p1/auth2.c
|
||||
userauth_banner();
|
||||
if (auth2_setup_methods_lists(authctxt) != 0)
|
||||
packet_disconnect("no authentication methods enabled");
|
||||
diff -up openssh-7.4p1/auth2-gss.c.role-mls openssh-7.4p1/auth2-gss.c
|
||||
--- openssh-7.4p1/auth2-gss.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/auth2-gss.c 2016-12-23 12:19:58.586459382 +0100
|
||||
@@ -255,6 +255,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
||||
--- openssh/auth2-gss.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth2-gss.c 2018-08-22 11:15:42.459799171 +0200
|
||||
@@ -281,6 +281,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
Authctxt *authctxt = ssh->authctxt;
|
||||
Gssctxt *gssctxt;
|
||||
int authenticated = 0;
|
||||
int r, authenticated = 0;
|
||||
+ char *micuser;
|
||||
Buffer b;
|
||||
struct sshbuf *b;
|
||||
gss_buffer_desc mic, gssbuf;
|
||||
u_int len;
|
||||
@@ -267,7 +268,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
mic.value = packet_get_string(&len);
|
||||
const char *displayname;
|
||||
@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
fatal("%s: sshbuf_new failed", __func__);
|
||||
mic.value = p;
|
||||
mic.length = len;
|
||||
|
||||
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
|
||||
- ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role && (strlen(authctxt->role) > 0))
|
||||
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
|
||||
+ else
|
||||
+#endif
|
||||
+ micuser = authctxt->user;
|
||||
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
|
||||
+ ssh_gssapi_buildmic(b, micuser, authctxt->service,
|
||||
"gssapi-with-mic");
|
||||
|
||||
gssbuf.value = buffer_ptr(&b);
|
||||
@@ -279,6 +286,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
||||
@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
logit("GSSAPI MIC check failed");
|
||||
|
||||
buffer_free(&b);
|
||||
sshbuf_free(b);
|
||||
+ if (micuser != authctxt->user)
|
||||
+ free(micuser);
|
||||
free(mic.value);
|
||||
|
||||
if ((!use_privsep || mm_is_monitor()) &&
|
||||
diff -up openssh-7.4p1/auth2-hostbased.c.role-mls openssh-7.4p1/auth2-hostbased.c
|
||||
--- openssh-7.4p1/auth2-hostbased.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/auth2-hostbased.c 2016-12-23 12:19:58.586459382 +0100
|
||||
@@ -121,7 +121,16 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
|
||||
--- openssh/auth2-hostbased.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
|
||||
@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
|
||||
/* reconstruct packet */
|
||||
if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 ||
|
||||
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||
- (r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ (authctxt->role
|
||||
+ ? ( (r = sshbuf_put_u32(b, strlen(authctxt->user)+strlen(authctxt->role)+1)) != 0 ||
|
||||
@ -91,16 +90,16 @@ diff -up openssh-7.4p1/auth2-hostbased.c.role-mls openssh-7.4p1/auth2-hostbased.
|
||||
+ (r = sshbuf_put(b, authctxt->role, strlen(authctxt->role))) != 0)
|
||||
+ : (r = sshbuf_put_cstring(b, authctxt->user)) != 0) ||
|
||||
+#else
|
||||
+ (r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
|
||||
+#endif
|
||||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, "hostbased")) != 0 ||
|
||||
(r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
|
||||
diff -up openssh-7.4p1/auth2-pubkey.c.role-mls openssh-7.4p1/auth2-pubkey.c
|
||||
--- openssh-7.4p1/auth2-pubkey.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/auth2-pubkey.c 2016-12-23 12:19:58.587459379 +0100
|
||||
@@ -151,9 +151,15 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
__func__, ssh_err(r));
|
||||
diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
|
||||
--- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200
|
||||
+++ openssh/auth2-pubkey.c 2018-08-22 11:17:07.331483958 +0200
|
||||
@@ -169,9 +169,16 @@ userauth_pubkey(struct ssh *ssh)
|
||||
goto done;
|
||||
}
|
||||
/* reconstruct packet */
|
||||
- xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
@ -110,17 +109,18 @@ diff -up openssh-7.4p1/auth2-pubkey.c.role-mls openssh-7.4p1/auth2-pubkey.c
|
||||
+ authctxt->style ? authctxt->style : "",
|
||||
+#ifdef WITH_SELINUX
|
||||
+ authctxt->role ? "/" : "",
|
||||
+ authctxt->role ? authctxt->role : "");
|
||||
+ authctxt->role ? authctxt->role : ""
|
||||
+#else
|
||||
+ "", "");
|
||||
+ "", ""
|
||||
+#endif
|
||||
+ );
|
||||
if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, userstyle)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
|
||||
diff -up openssh-7.4p1/auth.h.role-mls openssh-7.4p1/auth.h
|
||||
--- openssh-7.4p1/auth.h.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/auth.h 2016-12-23 12:19:43.478510375 +0100
|
||||
@@ -62,6 +62,9 @@ struct Authctxt {
|
||||
diff -up openssh/auth.h.role-mls openssh/auth.h
|
||||
--- openssh/auth.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth.h 2018-08-22 11:14:56.816430924 +0200
|
||||
@@ -65,6 +65,9 @@ struct Authctxt {
|
||||
char *service;
|
||||
struct passwd *pw; /* set if 'valid' */
|
||||
char *style;
|
||||
@ -130,10 +130,10 @@ diff -up openssh-7.4p1/auth.h.role-mls openssh-7.4p1/auth.h
|
||||
|
||||
/* Method lists for multiple authentication */
|
||||
char **auth_methods; /* modified from server config */
|
||||
diff -up openssh-7.4p1/auth-pam.c.role-mls openssh-7.4p1/auth-pam.c
|
||||
--- openssh-7.4p1/auth-pam.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/auth-pam.c 2016-12-23 12:19:43.477510378 +0100
|
||||
@@ -1087,7 +1087,7 @@ is_pam_session_open(void)
|
||||
diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c
|
||||
--- openssh/auth-pam.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth-pam.c 2018-08-22 11:14:56.816430924 +0200
|
||||
@@ -1172,7 +1172,7 @@ is_pam_session_open(void)
|
||||
* during the ssh authentication process.
|
||||
*/
|
||||
int
|
||||
@ -142,10 +142,10 @@ diff -up openssh-7.4p1/auth-pam.c.role-mls openssh-7.4p1/auth-pam.c
|
||||
{
|
||||
int ret = 1;
|
||||
#ifdef HAVE_PAM_PUTENV
|
||||
diff -up openssh-7.4p1/auth-pam.h.role-mls openssh-7.4p1/auth-pam.h
|
||||
--- openssh-7.4p1/auth-pam.h.role-mls 2016-12-23 12:19:43.478510375 +0100
|
||||
+++ openssh-7.4p1/auth-pam.h 2016-12-23 12:21:44.698101234 +0100
|
||||
@@ -31,7 +31,7 @@ u_int do_pam_account(void);
|
||||
diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
|
||||
--- openssh/auth-pam.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth-pam.h 2018-08-22 11:14:56.817430932 +0200
|
||||
@@ -33,7 +33,7 @@ u_int do_pam_account(void);
|
||||
void do_pam_session(struct ssh *);
|
||||
void do_pam_setcred(int );
|
||||
void do_pam_chauthtok(void);
|
||||
@ -154,10 +154,24 @@ diff -up openssh-7.4p1/auth-pam.h.role-mls openssh-7.4p1/auth-pam.h
|
||||
char ** fetch_pam_environment(void);
|
||||
char ** fetch_pam_child_environment(void);
|
||||
void free_pam_environment(char **);
|
||||
diff -up openssh-7.4p1/misc.c.role-mls openssh-7.4p1/misc.c
|
||||
--- openssh-7.4p1/misc.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/misc.c 2016-12-23 12:19:58.587459379 +0100
|
||||
@@ -432,6 +432,7 @@ char *
|
||||
diff -up openssh/configure.ac.role-mls openssh/configure.ac
|
||||
--- openssh/configure.ac.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/configure.ac 2018-08-22 11:14:56.820430957 +0200
|
||||
@@ -4241,10 +4241,7 @@ AC_ARG_WITH([selinux],
|
||||
LIBS="$LIBS -lselinux"
|
||||
],
|
||||
AC_MSG_ERROR([SELinux support requires libselinux library]))
|
||||
- SSHLIBS="$SSHLIBS $LIBSELINUX"
|
||||
- SSHDLIBS="$SSHDLIBS $LIBSELINUX"
|
||||
AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
|
||||
- LIBS="$save_LIBS"
|
||||
fi ]
|
||||
)
|
||||
AC_SUBST([SSHLIBS])
|
||||
diff -up openssh/misc.c.role-mls openssh/misc.c
|
||||
--- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200
|
||||
@@ -542,6 +542,7 @@ char *
|
||||
colon(char *cp)
|
||||
{
|
||||
int flag = 0;
|
||||
@ -165,7 +179,7 @@ diff -up openssh-7.4p1/misc.c.role-mls openssh-7.4p1/misc.c
|
||||
|
||||
if (*cp == ':') /* Leading colon is part of file name. */
|
||||
return NULL;
|
||||
@@ -447,6 +448,13 @@ colon(char *cp)
|
||||
@@ -557,6 +558,13 @@ colon(char *cp)
|
||||
return (cp);
|
||||
if (*cp == '/')
|
||||
return NULL;
|
||||
@ -179,20 +193,20 @@ diff -up openssh-7.4p1/misc.c.role-mls openssh-7.4p1/misc.c
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
diff -up openssh-7.4p1/monitor.c.role-mls openssh-7.4p1/monitor.c
|
||||
--- openssh-7.4p1/monitor.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/monitor.c 2016-12-23 12:23:03.503835248 +0100
|
||||
@@ -127,6 +127,9 @@ int mm_answer_sign(int, Buffer *);
|
||||
int mm_answer_pwnamallow(int, Buffer *);
|
||||
int mm_answer_auth2_read_banner(int, Buffer *);
|
||||
int mm_answer_authserv(int, Buffer *);
|
||||
diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
||||
--- openssh/monitor.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/monitor.c 2018-08-22 11:19:56.006844867 +0200
|
||||
@@ -115,6 +115,9 @@ int mm_answer_sign(int, struct sshbuf *)
|
||||
int mm_answer_pwnamallow(int, struct sshbuf *);
|
||||
int mm_answer_auth2_read_banner(int, struct sshbuf *);
|
||||
int mm_answer_authserv(int, struct sshbuf *);
|
||||
+#ifdef WITH_SELINUX
|
||||
+int mm_answer_authrole(int, Buffer *);
|
||||
+int mm_answer_authrole(int, struct sshbuf *);
|
||||
+#endif
|
||||
int mm_answer_authpassword(int, Buffer *);
|
||||
int mm_answer_bsdauthquery(int, Buffer *);
|
||||
int mm_answer_bsdauthrespond(int, Buffer *);
|
||||
@@ -202,6 +205,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||
int mm_answer_authpassword(int, struct sshbuf *);
|
||||
int mm_answer_bsdauthquery(int, struct sshbuf *);
|
||||
int mm_answer_bsdauthrespond(int, struct sshbuf *);
|
||||
@@ -189,6 +192,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||
@ -202,7 +216,7 @@ diff -up openssh-7.4p1/monitor.c.role-mls openssh-7.4p1/monitor.c
|
||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||
#ifdef USE_PAM
|
||||
@@ -769,6 +775,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
|
||||
@@ -796,6 +802,9 @@ mm_answer_pwnamallow(int sock, struct ss
|
||||
|
||||
/* Allow service/style information on the auth context */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||
@ -212,19 +226,20 @@ diff -up openssh-7.4p1/monitor.c.role-mls openssh-7.4p1/monitor.c
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||
|
||||
#ifdef USE_PAM
|
||||
@@ -810,6 +819,25 @@ mm_answer_authserv(int sock, Buffer *m)
|
||||
@@ -842,6 +851,26 @@ mm_answer_authserv(int sock, struct sshb
|
||||
return (0);
|
||||
}
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+int
|
||||
+mm_answer_authrole(int sock, Buffer *m)
|
||||
+mm_answer_authrole(int sock, struct sshbuf *m)
|
||||
+{
|
||||
+ int r;
|
||||
+ monitor_permit_authentications(1);
|
||||
+
|
||||
+ authctxt->role = buffer_get_string(m, NULL);
|
||||
+ debug3("%s: role=%s",
|
||||
+ __func__, authctxt->role);
|
||||
+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ debug3("%s: role=%s", __func__, authctxt->role);
|
||||
+
|
||||
+ if (strlen(authctxt->role) == 0) {
|
||||
+ free(authctxt->role);
|
||||
@ -236,48 +251,48 @@ diff -up openssh-7.4p1/monitor.c.role-mls openssh-7.4p1/monitor.c
|
||||
+#endif
|
||||
+
|
||||
int
|
||||
mm_answer_authpassword(int sock, Buffer *m)
|
||||
mm_answer_authpassword(int sock, struct sshbuf *m)
|
||||
{
|
||||
@@ -1208,7 +1236,7 @@ monitor_valid_userblob(u_char *data, u_i
|
||||
@@ -1218,7 +1247,7 @@ monitor_valid_userblob(u_char *data, u_i
|
||||
{
|
||||
Buffer b;
|
||||
u_char *p;
|
||||
struct sshbuf *b;
|
||||
const u_char *p;
|
||||
- char *userstyle, *cp;
|
||||
+ char *userstyle, *r, *cp;
|
||||
u_int len;
|
||||
int fail = 0;
|
||||
|
||||
@@ -1234,6 +1262,8 @@ monitor_valid_userblob(u_char *data, u_i
|
||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||
+ char *userstyle, *s, *cp;
|
||||
size_t len;
|
||||
u_char type;
|
||||
int r, fail = 0;
|
||||
@@ -1251,6 +1280,8 @@ monitor_valid_userblob(u_char *data, u_i
|
||||
fail++;
|
||||
cp = buffer_get_cstring(&b, NULL);
|
||||
+ if ((r = strchr(cp, '/')) != NULL)
|
||||
+ *r = '\0';
|
||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ if ((s = strchr(cp, '/')) != NULL)
|
||||
+ *s = '\0';
|
||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
authctxt->style ? authctxt->style : "");
|
||||
@@ -1269,7 +1299,7 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
char *chost)
|
||||
@@ -1286,7 +1317,7 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
{
|
||||
Buffer b;
|
||||
- char *p, *userstyle;
|
||||
+ char *p, *r, *userstyle;
|
||||
u_int len;
|
||||
int fail = 0;
|
||||
|
||||
@@ -1286,6 +1316,8 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||
struct sshbuf *b;
|
||||
const u_char *p;
|
||||
- char *cp, *userstyle;
|
||||
+ char *cp, *s, *userstyle;
|
||||
size_t len;
|
||||
int r, fail = 0;
|
||||
u_char type;
|
||||
@@ -1308,6 +1339,8 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
fail++;
|
||||
p = buffer_get_cstring(&b, NULL);
|
||||
+ if ((r = strchr(p, '/')) != NULL)
|
||||
+ *r = '\0';
|
||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ if ((s = strchr(p, '/')) != NULL)
|
||||
+ *s = '\0';
|
||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
authctxt->style ? authctxt->style : "");
|
||||
diff -up openssh-7.4p1/monitor.h.role-mls openssh-7.4p1/monitor.h
|
||||
--- openssh-7.4p1/monitor.h.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/monitor.h 2016-12-23 12:19:58.588459376 +0100
|
||||
@@ -57,6 +57,10 @@ enum monitor_reqtype {
|
||||
diff -up openssh/monitor.h.role-mls openssh/monitor.h
|
||||
--- openssh/monitor.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/monitor.h 2018-08-22 11:14:56.818430941 +0200
|
||||
@@ -55,6 +55,10 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
|
||||
MONITOR_REQ_TERM = 50,
|
||||
|
||||
@ -288,11 +303,11 @@ diff -up openssh-7.4p1/monitor.h.role-mls openssh-7.4p1/monitor.h
|
||||
MONITOR_REQ_PAM_START = 100,
|
||||
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
|
||||
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
|
||||
diff -up openssh-7.4p1/monitor_wrap.c.role-mls openssh-7.4p1/monitor_wrap.c
|
||||
--- openssh-7.4p1/monitor_wrap.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 12:19:58.588459376 +0100
|
||||
@@ -345,6 +345,25 @@ mm_inform_authserv(char *service, char *
|
||||
buffer_free(&m);
|
||||
diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
|
||||
--- openssh/monitor_wrap.c.role-mls 2018-08-22 11:14:56.818430941 +0200
|
||||
+++ openssh/monitor_wrap.c 2018-08-22 11:21:47.938747968 +0200
|
||||
@@ -390,6 +390,27 @@ mm_inform_authserv(char *service, char *
|
||||
sshbuf_free(m);
|
||||
}
|
||||
|
||||
+/* Inform the privileged process about role */
|
||||
@ -301,28 +316,30 @@ diff -up openssh-7.4p1/monitor_wrap.c.role-mls openssh-7.4p1/monitor_wrap.c
|
||||
+void
|
||||
+mm_inform_authrole(char *role)
|
||||
+{
|
||||
+ Buffer m;
|
||||
+ int r;
|
||||
+ struct sshbuf *m;
|
||||
+
|
||||
+ debug3("%s entering", __func__);
|
||||
+
|
||||
+ buffer_init(&m);
|
||||
+ buffer_put_cstring(&m, role ? role : "");
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
|
||||
+
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
|
||||
+
|
||||
+ buffer_free(&m);
|
||||
+ sshbuf_free(m);
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
/* Do the password authentication */
|
||||
int
|
||||
mm_auth_password(struct ssh *ssh, char *password)
|
||||
diff -up openssh-7.4p1/monitor_wrap.h.role-mls openssh-7.4p1/monitor_wrap.h
|
||||
--- openssh-7.4p1/monitor_wrap.h.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/monitor_wrap.h 2016-12-23 12:19:58.588459376 +0100
|
||||
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
|
||||
int mm_key_sign(struct sshkey *, u_char **, u_int *, const u_char *, u_int,
|
||||
const char *);
|
||||
diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
|
||||
--- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200
|
||||
+++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200
|
||||
@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
|
||||
int mm_sshkey_sign(struct sshkey *, u_char **, size_t *, const u_char *, size_t,
|
||||
const char *, u_int compat);
|
||||
void mm_inform_authserv(char *, char *);
|
||||
+#ifdef WITH_SELINUX
|
||||
+void mm_inform_authrole(char *);
|
||||
@ -330,10 +347,10 @@ diff -up openssh-7.4p1/monitor_wrap.h.role-mls openssh-7.4p1/monitor_wrap.h
|
||||
struct passwd *mm_getpwnamallow(const char *);
|
||||
char *mm_auth2_read_banner(void);
|
||||
int mm_auth_password(struct ssh *, char *);
|
||||
diff -up openssh-7.4p1/openbsd-compat/Makefile.in.role-mls openssh-7.4p1/openbsd-compat/Makefile.in
|
||||
--- openssh-7.4p1/openbsd-compat/Makefile.in.role-mls 2016-12-23 12:19:58.588459376 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/Makefile.in 2016-12-23 12:24:06.042643938 +0100
|
||||
@@ -20,7 +20,8 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
|
||||
diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Makefile.in
|
||||
--- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -92,7 +92,8 @@ PORTS= port-aix.o \
|
||||
port-linux.o \
|
||||
port-solaris.o \
|
||||
port-net.o \
|
||||
@ -343,10 +360,10 @@ diff -up openssh-7.4p1/openbsd-compat/Makefile.in.role-mls openssh-7.4p1/openbsd
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||
diff -up openssh-7.4p1/openbsd-compat/port-linux.c.role-mls openssh-7.4p1/openbsd-compat/port-linux.c
|
||||
--- openssh-7.4p1/openbsd-compat/port-linux.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/port-linux.c 2016-12-23 12:19:58.590459369 +0100
|
||||
@@ -101,37 +101,6 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c
|
||||
--- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -100,37 +100,6 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
return sc;
|
||||
}
|
||||
|
||||
@ -397,9 +414,9 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux.c.role-mls openssh-7.4p1/openbs
|
||||
|
||||
/* XXX: should these calls fatal() upon failure in enforcing mode? */
|
||||
|
||||
diff -up openssh-7.4p1/openbsd-compat/port-linux.h.role-mls openssh-7.4p1/openbsd-compat/port-linux.h
|
||||
--- openssh-7.4p1/openbsd-compat/port-linux.h.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/port-linux.h 2016-12-23 12:19:58.591459365 +0100
|
||||
diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/port-linux.h
|
||||
--- openssh/openbsd-compat/port-linux.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/openbsd-compat/port-linux.h 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -20,9 +20,10 @@
|
||||
#ifdef WITH_SELINUX
|
||||
int ssh_selinux_enabled(void);
|
||||
@ -412,10 +429,10 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux.h.role-mls openssh-7.4p1/openbs
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-7.4p1/openbsd-compat/port-linux-sshd.c
|
||||
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.role-mls 2016-12-23 12:19:58.590459369 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 12:19:58.590459369 +0100
|
||||
@@ -0,0 +1,424 @@
|
||||
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
|
||||
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
|
||||
+++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -0,0 +1,425 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
|
||||
@ -444,13 +461,14 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-7.4p1/o
|
||||
+#include <stdarg.h>
|
||||
+#include <string.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+
|
||||
+#include "log.h"
|
||||
+#include "xmalloc.h"
|
||||
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
|
||||
+#include "servconf.h"
|
||||
+#include "port-linux.h"
|
||||
+#include "key.h"
|
||||
+#include "sshkey.h"
|
||||
+#include "hostfile.h"
|
||||
+#include "auth.h"
|
||||
+
|
||||
@ -840,10 +858,10 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-7.4p1/o
|
||||
+#endif
|
||||
+#endif
|
||||
+
|
||||
diff -up openssh-7.4p1/platform.c.role-mls openssh-7.4p1/platform.c
|
||||
--- openssh-7.4p1/platform.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/platform.c 2016-12-23 12:19:58.591459365 +0100
|
||||
@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(stru
|
||||
diff -up openssh/platform.c.role-mls openssh/platform.c
|
||||
--- openssh/platform.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/platform.c 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(stru
|
||||
}
|
||||
#endif /* HAVE_SETPCRED */
|
||||
#ifdef WITH_SELINUX
|
||||
@ -852,10 +870,10 @@ diff -up openssh-7.4p1/platform.c.role-mls openssh-7.4p1/platform.c
|
||||
#endif
|
||||
}
|
||||
|
||||
diff -up openssh-7.4p1/sshd.c.role-mls openssh-7.4p1/sshd.c
|
||||
--- openssh-7.4p1/sshd.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sshd.c 2016-12-23 12:19:58.591459365 +0100
|
||||
@@ -2053,6 +2053,9 @@ main(int ac, char **av)
|
||||
diff -up openssh/sshd.c.role-mls openssh/sshd.c
|
||||
--- openssh/sshd.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/sshd.c 2018-08-22 11:14:56.820430957 +0200
|
||||
@@ -2186,6 +2186,9 @@ main(int ac, char **av)
|
||||
restore_uid();
|
||||
}
|
||||
#endif
|
||||
@ -865,16 +883,3 @@ diff -up openssh-7.4p1/sshd.c.role-mls openssh-7.4p1/sshd.c
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam) {
|
||||
do_pam_setcred(1);
|
||||
--- openssh/configure.ac.role-mls 2017-09-27 12:54:52.926425979 +0200
|
||||
+++ openssh/configure.ac 2017-09-27 12:57:06.854224956 +0200
|
||||
@@ -4158,10 +4158,7 @@
|
||||
LIBS="$LIBS -lselinux"
|
||||
],
|
||||
AC_MSG_ERROR([SELinux support requires libselinux library]))
|
||||
- SSHLIBS="$SSHLIBS $LIBSELINUX"
|
||||
- SSHDLIBS="$SSHDLIBS $LIBSELINUX"
|
||||
AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
|
||||
- LIBS="$save_LIBS"
|
||||
fi ]
|
||||
)
|
||||
AC_SUBST([SSHLIBS])
|
28
openssh.spec
28
openssh.spec
@ -65,10 +65,10 @@
|
||||
%endif
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%global openssh_ver 7.7p1
|
||||
%global openssh_rel 6
|
||||
%global openssh_ver 7.8p1
|
||||
%global openssh_rel 1
|
||||
%global pam_ssh_agent_ver 0.10.3
|
||||
%global pam_ssh_agent_rel 4
|
||||
%global pam_ssh_agent_rel 5
|
||||
|
||||
Summary: An open source implementation of SSH protocol version 2
|
||||
Name: openssh
|
||||
@ -100,8 +100,6 @@ Patch100: openssh-6.7p1-coverity.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1894
|
||||
#https://bugzilla.redhat.com/show_bug.cgi?id=735889
|
||||
#Patch102: openssh-5.8p1-getaddrinfo.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1889
|
||||
Patch103: openssh-5.8p1-packet.patch
|
||||
# OpenSSL 1.1.0 compatibility
|
||||
Patch104: openssh-7.3p1-openssl-1.1.0.patch
|
||||
|
||||
@ -129,7 +127,7 @@ Patch306: pam_ssh_agent_auth-0.10.2-compat.patch
|
||||
Patch307: pam_ssh_agent_auth-0.10.2-dereference.patch
|
||||
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
|
||||
Patch400: openssh-6.6p1-role-mls.patch
|
||||
Patch400: openssh-7.8p1-role-mls.patch
|
||||
#https://bugzilla.redhat.com/show_bug.cgi?id=781634
|
||||
Patch404: openssh-6.6p1-privsep-selinux.patch
|
||||
|
||||
@ -157,12 +155,10 @@ Patch702: openssh-5.1p1-askpass-progress.patch
|
||||
Patch703: openssh-4.3p2-askpass-grab-info.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
|
||||
Patch707: openssh-7.7p1-redhat.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
|
||||
Patch708: openssh-6.6p1-entropy.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
|
||||
Patch709: openssh-6.2p1-vendor.patch
|
||||
# warn users for unsupported UsePAM=no (#757545)
|
||||
Patch711: openssh-7.2p2-UsePAM-UseLogin-warning.patch
|
||||
Patch711: openssh-7.8p1-UsePAM-warning.patch
|
||||
# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
|
||||
Patch712: openssh-6.3p1-ctr-evp-fast.patch
|
||||
# add cavs test binary for the aes-ctr
|
||||
@ -173,7 +169,7 @@ Patch714: openssh-6.7p1-kdf-cavs.patch
|
||||
|
||||
#http://www.sxw.org.uk/computing/patches/openssh.html
|
||||
#changed cache storage type - #848228
|
||||
Patch800: openssh-7.2p1-gsskex.patch
|
||||
Patch800: openssh-7.8p1-gsskex.patch
|
||||
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
|
||||
Patch801: openssh-6.6p1-force_krb.patch
|
||||
# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
|
||||
@ -204,7 +200,7 @@ Patch918: openssh-6.6.1p1-log-in-chroot.patch
|
||||
# scp file into non-existing directory (#1142223)
|
||||
Patch919: openssh-6.6.1p1-scp-non-existing-directory.patch
|
||||
# Config parser shouldn't accept ip/port syntax (#1130733)
|
||||
Patch920: openssh-6.6.1p1-ip-port-config-parser.patch
|
||||
Patch920: openssh-7.8p1-ip-port-config-parser.patch
|
||||
# apply upstream patch and make sshd -T more consistent (#1187521)
|
||||
Patch922: openssh-6.8p1-sshdT-output.patch
|
||||
# Add sftp option to force mode of created files (#1191055)
|
||||
@ -213,8 +209,6 @@ Patch926: openssh-6.7p1-sftp-force-permission.patch
|
||||
Patch929: openssh-6.9p1-permit-root-login.patch
|
||||
# Add GSSAPIKexAlgorithms option for server and client application
|
||||
Patch932: openssh-7.0p1-gssKexAlgorithms.patch
|
||||
# Possibility to validate legacy systems by more fingerprints (#1249626)(#2439)
|
||||
Patch933: openssh-7.0p1-show-more-fingerprints.patch
|
||||
# make s390 use /dev/ crypto devices -- ignore closefrom
|
||||
Patch939: openssh-7.2p2-s390-closefrom.patch
|
||||
# Move MAX_DISPLAYS to a configuration option (#1341302)
|
||||
@ -229,8 +223,6 @@ Patch950: openssh-7.5p1-sandbox.patch
|
||||
Patch951: openssh-7.6p1-pkcs11-uri.patch
|
||||
# PKCS#11 ECDSA keys (upstream #2474, 8th iteration)
|
||||
Patch952: openssh-7.6p1-pkcs11-ecdsa.patch
|
||||
# Opening tun devices fails + other regressions in OpenSSH v7.7 (#2855, #1567775)
|
||||
Patch953: openssh-7.7p1-tun-devices.patch
|
||||
|
||||
License: BSD
|
||||
Group: Applications/Internet
|
||||
@ -326,7 +318,7 @@ Requires: openssh = %{version}-%{release}
|
||||
Summary: PAM module for authentication with ssh-agent
|
||||
Group: System Environment/Base
|
||||
Version: %{pam_ssh_agent_ver}
|
||||
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}.1
|
||||
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
|
||||
License: BSD
|
||||
|
||||
%description
|
||||
@ -390,7 +382,6 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
|
||||
%endif
|
||||
|
||||
# investigate %patch102 -p1 -b .getaddrinfo
|
||||
%patch103 -p1 -b .packet
|
||||
|
||||
%if %{pam_ssh_agent}
|
||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||
@ -421,7 +412,6 @@ popd
|
||||
%patch702 -p1 -b .progress
|
||||
%patch703 -p1 -b .grab-info
|
||||
%patch707 -p1 -b .redhat
|
||||
%patch708 -p1 -b .entropy
|
||||
%patch709 -p1 -b .vendor
|
||||
%patch711 -p1 -b .log-usepam-no
|
||||
%patch712 -p1 -b .evp-ctr
|
||||
@ -447,7 +437,6 @@ popd
|
||||
%patch926 -p1 -b .sftp-force-mode
|
||||
%patch929 -p1 -b .root-login
|
||||
%patch932 -p1 -b .gsskexalg
|
||||
%patch933 -p1 -b .fingerprint
|
||||
%patch939 -p1 -b .s390-dev
|
||||
%patch944 -p1 -b .x11max
|
||||
%patch948 -p1 -b .systemd
|
||||
@ -456,7 +445,6 @@ popd
|
||||
%patch950 -p1 -b .sandbox
|
||||
%patch951 -p1 -b .pkcs11-uri
|
||||
%patch952 -p1 -b .pkcs11-ecdsa
|
||||
%patch953 -p1 -b .tun-devices
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
%patch201 -p1 -b .audit-race
|
||||
|
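Review bot: The commit description accounts for the entropy patch and the MD5-fingerprint change but not for Patch103 (`openssh-5.8p1-packet.patch`), whose `Patch103: openssh-5.8p1-packet.patch` and `%patch103 -p1 -b .packet` lines are also dropped in this section; a sentence in the description, or a `# openssh-5.8p1-packet.patch dropped: <reason, e.g. fixed upstream in 7.8p1>` comment where the `Patch103:` line stood, would record why it is obsolete. The trailing `.1` removed from the pam_ssh_agent_auth `Release:` tag is likewise unexplained; if it was a one-off rebuild suffix, a one-line note keeps the release arithmetic auditable against the "Do not forget to bump pam_ssh_agent_auth release" comment above it. The `%changelog` section is not in view, so these may already be recorded there.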
@ -1,7 +1,15 @@
|
||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/get_command_line.c
|
||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/get_command_line.c 2017-02-07 14:41:20.483509205 +0100
|
||||
@@ -65,8 +65,8 @@ proc_pid_cmdline(char *** inargv)
|
||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c
|
||||
--- openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||
+++ openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c 2018-08-24 10:22:56.281930322 +0200
|
||||
@@ -27,6 +27,7 @@
|
||||
* or implied, of Jamie Beverly.
|
||||
*/
|
||||
|
||||
+#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <errno.h>
|
||||
#include <string.h>
|
||||
@@ -65,8 +66,8 @@ proc_pid_cmdline(char *** inargv)
|
||||
case EOF:
|
||||
case '\0':
|
||||
if (len > 0) {
|
||||
@ -12,7 +20,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat
|
||||
strncpy(argv[count++], argbuf, len);
|
||||
memset(argbuf, '\0', MAX_LEN_PER_CMDLINE_ARG + 1);
|
||||
len = 0;
|
||||
@@ -105,9 +105,9 @@ pamsshagentauth_free_command_line(char *
|
||||
@@ -105,9 +106,9 @@ pamsshagentauth_free_command_line(char *
|
||||
{
|
||||
size_t i;
|
||||
for (i = 0; i < n_args; i++)
|
||||
@ -24,9 +32,43 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat
|
||||
return;
|
||||
}
|
||||
|
||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
|
||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat 2017-02-07 14:41:20.479509208 +0100
|
||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-02-07 14:41:20.481509206 +0100
|
||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/identity.h
|
||||
--- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||
+++ openssh/pam_ssh_agent_auth-0.10.3/identity.h 2018-08-24 10:18:05.009393312 +0200
|
||||
@@ -30,8 +30,8 @@
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
-#include "buffer.h"
|
||||
-#include "key.h"
|
||||
+#include "sshbuf.h"
|
||||
+#include "sshkey.h"
|
||||
#include "authfd.h"
|
||||
#include <stdio.h>
|
||||
|
||||
@@ -41,7 +41,7 @@ typedef struct idlist Idlist;
|
||||
struct identity {
|
||||
TAILQ_ENTRY(identity) next;
|
||||
AuthenticationConnection *ac; /* set if agent supports key */
|
||||
- Key *key; /* public/private key */
|
||||
+ struct sshkey *key; /* public/private key */
|
||||
char *filename; /* comment for agent-only keys */
|
||||
int tried;
|
||||
int isprivate; /* key points to the private key */
|
||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
|
||||
--- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat 2018-08-24 10:18:05.007393297 +0200
|
||||
+++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2018-08-24 10:18:32.937612513 +0200
|
||||
@@ -36,8 +36,8 @@
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
-#include "buffer.h"
|
||||
-#include "key.h"
|
||||
+#include "sshbuf.h"
|
||||
+#include "sshkey.h"
|
||||
#include "authfd.h"
|
||||
#include <stdio.h>
|
||||
#include <openssl/evp.h>
|
||||
@@ -58,6 +58,8 @@
|
||||
#include "get_command_line.h"
|
||||
extern char **environ;
|
||||
@ -45,25 +87,48 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-c
|
||||
for (i = 0; i < count; i++) {
|
||||
strcat(buf, (i > 0) ? " '" : "'");
|
||||
strncat(buf, action[i], MAX_LEN_PER_CMDLINE_ARG);
|
||||
@@ -90,12 +92,12 @@ void
|
||||
agent_action(Buffer *buf, char ** action, size_t count)
|
||||
@@ -87,21 +89,25 @@ log_action(char ** action, size_t count)
|
||||
}
|
||||
|
||||
void
|
||||
-agent_action(Buffer *buf, char ** action, size_t count)
|
||||
+agent_action(struct sshbuf *buf, char ** action, size_t count)
|
||||
{
|
||||
size_t i;
|
||||
- pamsshagentauth_buffer_init(buf);
|
||||
+ buffer_init(buf);
|
||||
+ int r;
|
||||
|
||||
- pamsshagentauth_buffer_put_int(buf, count);
|
||||
+ buffer_put_int(buf, count);
|
||||
+ if ((buf = sshbuf_new()) == NULL)
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ if ((r = sshbuf_put_u32(buf, count)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
|
||||
for (i = 0; i < count; i++) {
|
||||
- pamsshagentauth_buffer_put_cstring(buf, action[i]);
|
||||
+ buffer_put_cstring(buf, action[i]);
|
||||
+ if ((r = sshbuf_put_cstring(buf, action[i])) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
}
|
||||
}
|
||||
|
||||
@@ -119,17 +121,17 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||
|
||||
-void
|
||||
-pamsshagentauth_session_id2_gen(Buffer * session_id2, const char * user,
|
||||
+static void
|
||||
+pamsshagentauth_session_id2_gen(struct sshbuf ** session_id2, const char * user,
|
||||
const char * ruser, const char * servicename)
|
||||
{
|
||||
u_char *cookie = NULL;
|
||||
@@ -114,22 +116,23 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||
char ** reported_argv = NULL;
|
||||
size_t count = 0;
|
||||
char * action_logbuf = NULL;
|
||||
- Buffer action_agentbuf;
|
||||
+ struct sshbuf *action_agentbuf = NULL;
|
||||
uint8_t free_logbuf = 0;
|
||||
char * retc;
|
||||
int32_t reti;
|
||||
+ int r;
|
||||
|
||||
- rnd = pamsshagentauth_arc4random();
|
||||
+ rnd = arc4random();
|
||||
@ -73,7 +138,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-c
|
||||
}
|
||||
|
||||
- cookie = pamsshagentauth_xcalloc(1,cookie_len);
|
||||
+ cookie = xcalloc(1,cookie_len);
|
||||
+ cookie = xcalloc(1, cookie_len);
|
||||
|
||||
for (i = 0; i < cookie_len; i++) {
|
||||
if (i % 4 == 0) {
|
||||
@ -82,21 +147,29 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-c
|
||||
}
|
||||
cookie[i] = (u_char) rnd;
|
||||
rnd >>= 8;
|
||||
@@ -144,7 +146,7 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||
@@ -139,12 +141,13 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||
if (count > 0) {
|
||||
free_logbuf = 1;
|
||||
action_logbuf = log_action(reported_argv, count);
|
||||
- agent_action(&action_agentbuf, reported_argv, count);
|
||||
+ agent_action(action_agentbuf, reported_argv, count);
|
||||
pamsshagentauth_free_command_line(reported_argv, count);
|
||||
}
|
||||
else {
|
||||
action_logbuf = "unknown on this platform";
|
||||
- pamsshagentauth_buffer_init(&action_agentbuf); /* stays empty, means unavailable */
|
||||
+ buffer_init(&action_agentbuf); /* stays empty, means unavailable */
|
||||
+ if ((action_agentbuf = sshbuf_new()) == NULL) /* stays empty, means unavailable */
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -161,35 +163,35 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||
@@ -161,35 +163,39 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||
retc = getcwd(pwd, sizeof(pwd) - 1);
|
||||
time(&ts);
|
||||
|
||||
- pamsshagentauth_buffer_init(session_id2);
|
||||
+ buffer_init(session_id2);
|
||||
+ if ((*session_id2 = sshbuf_new()) == NULL)
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
|
||||
- pamsshagentauth_buffer_put_int(session_id2, PAM_SSH_AGENT_AUTH_REQUESTv1);
|
||||
- /* pamsshagentauth_debug3("cookie: %s", pamsshagentauth_tohex(cookie, cookie_len)); */
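Review bot: On the `count > 0` path, `agent_action(action_agentbuf, reported_argv, count)` is now called with `action_agentbuf` still NULL (it is initialised to NULL at the top of the function and only allocated with `sshbuf_new()` in the `else` branch), and because the pointer is passed by value the callee cannot hand an allocation back, so unless `agent_action` was changed to take `struct sshbuf **` (its new prototype is not in this chunk) the buffer stays NULL and the action is later serialised as an empty string. Allocate once before the branch, `if ((action_agentbuf = sshbuf_new()) == NULL) fatal("%s: sshbuf_new failed", __func__);`, drop the allocation from the `else` arm, and let `agent_action` append into the existing buffer. The old `Buffer` code had the same shape but `&action_agentbuf` gave the callee a real object to initialise, which is what this conversion loses. `pamsshagentauth_session_id2_gen` starts before this hunk and ends after it.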
|
||||
@ -108,49 +181,81 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-c
|
||||
- /* pamsshagentauth_debug3("servicename: %s", servicename); */
|
||||
- pamsshagentauth_buffer_put_cstring(session_id2, servicename);
|
||||
- /* pamsshagentauth_debug3("pwd: %s", pwd); */
|
||||
+ buffer_put_int(session_id2, PAM_SSH_AGENT_AUTH_REQUESTv1);
|
||||
+ /* debug3("cookie: %s", tohex(cookie, cookie_len)); */
|
||||
+ buffer_put_string(session_id2, cookie, cookie_len);
|
||||
+ /* debug3("user: %s", user); */
|
||||
+ buffer_put_cstring(session_id2, user);
|
||||
+ /* debug3("ruser: %s", ruser); */
|
||||
+ buffer_put_cstring(session_id2, ruser);
|
||||
+ /* debug3("servicename: %s", servicename); */
|
||||
+ buffer_put_cstring(session_id2, servicename);
|
||||
+ /* debug3("pwd: %s", pwd); */
|
||||
if(retc)
|
||||
- if(retc)
|
||||
- pamsshagentauth_buffer_put_cstring(session_id2, pwd);
|
||||
+ buffer_put_cstring(session_id2, pwd);
|
||||
else
|
||||
- else
|
||||
- pamsshagentauth_buffer_put_cstring(session_id2, "");
|
||||
- /* pamsshagentauth_debug3("action: %s", action_logbuf); */
|
||||
- pamsshagentauth_buffer_put_string(session_id2, action_agentbuf.buf + action_agentbuf.offset, action_agentbuf.end - action_agentbuf.offset);
|
||||
+ buffer_put_cstring(session_id2, "");
|
||||
+ /* debug3("action: %s", action_logbuf); */
|
||||
+ buffer_put_string(session_id2, sshbuf_ptr(&action_agentbuf), sshbuf_len(&action_agentbuf));
|
||||
+ if ((r = sshbuf_put_u32(*session_id2, PAM_SSH_AGENT_AUTH_REQUESTv1)) != 0 ||
|
||||
+ (r = sshbuf_put_string(*session_id2, cookie, cookie_len)) != 0 ||
|
||||
+ (r = sshbuf_put_cstring(*session_id2, user)) != 0 ||
|
||||
+ (r = sshbuf_put_cstring(*session_id2, ruser)) != 0 ||
|
||||
+ (r = sshbuf_put_cstring(*session_id2, servicename)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ if (retc) {
|
||||
+ if ((r = sshbuf_put_cstring(*session_id2, pwd)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ } else {
|
||||
+ if ((r = sshbuf_put_cstring(*session_id2, "")) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ }
|
||||
+ if ((r = sshbuf_put_stringb(*session_id2, action_agentbuf)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
if (free_logbuf) {
|
||||
- pamsshagentauth_xfree(action_logbuf);
|
||||
- pamsshagentauth_buffer_free(&action_agentbuf);
|
||||
+ free(action_logbuf);
|
||||
+ buffer_free(&action_agentbuf);
|
||||
+ sshbuf_free(action_agentbuf);
|
||||
}
|
||||
- /* pamsshagentauth_debug3("hostname: %s", hostname); */
|
||||
+ /* debug3("hostname: %s", hostname); */
|
||||
if(reti >= 0)
|
||||
- if(reti >= 0)
|
||||
- pamsshagentauth_buffer_put_cstring(session_id2, hostname);
|
||||
+ buffer_put_cstring(session_id2, hostname);
|
||||
else
|
||||
- else
|
||||
- pamsshagentauth_buffer_put_cstring(session_id2, "");
|
||||
- /* pamsshagentauth_debug3("ts: %ld", ts); */
|
||||
- pamsshagentauth_buffer_put_int64(session_id2, (uint64_t) ts);
|
||||
+ buffer_put_cstring(session_id2, "");
|
||||
+ /* debug3("hostname: %s", hostname); */
|
||||
+ if (reti >= 0) {
|
||||
+ if ((r = sshbuf_put_cstring(*session_id2, hostname)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ } else {
|
||||
+ if ((r = sshbuf_put_cstring(*session_id2, "")) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ }
|
||||
+ /* debug3("ts: %ld", ts); */
|
||||
+ buffer_put_int64(session_id2, (uint64_t) ts);
|
||||
+ if ((r = sshbuf_put_u64(*session_id2, (uint64_t) ts)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
|
||||
free(cookie);
|
||||
return;
|
||||
@@ -295,29 +297,29 @@ pamsshagentauth_find_authorized_keys(con
|
||||
pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
|
||||
@@ -278,7 +280,8 @@ ssh_get_authentication_connection_for_ui
|
||||
|
||||
auth = xmalloc(sizeof(*auth));
|
||||
auth->fd = sock;
|
||||
- buffer_init(&auth->identities);
|
||||
+ if ((auth->identities = sshbuf_new()) == NULL)
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
auth->howmany = 0;
|
||||
|
||||
return auth;
|
||||
@@ -287,43 +289,42 @@ ssh_get_authentication_connection_for_ui
|
||||
int
|
||||
pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename)
|
||||
{
|
||||
- Buffer session_id2 = { 0 };
|
||||
+ struct sshbuf *session_id2 = NULL;
|
||||
Identity *id;
|
||||
- Key *key;
|
||||
+ struct sshkey *key;
|
||||
AuthenticationConnection *ac;
|
||||
char *comment;
|
||||
uint8_t retval = 0;
|
||||
uid_t uid = getpwnam(ruser)->pw_uid;
|
||||
|
||||
OpenSSL_add_all_digests();
|
||||
- pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
|
||||
+ pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
|
||||
|
||||
if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
|
||||
- pamsshagentauth_verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
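Review bot: The `sshbuf_free(action_agentbuf)` is only reached inside `if (free_logbuf)`, but `free_logbuf` is set only on the `count > 0` path, so the `sshbuf_new()` done on the "unknown on this platform" path (previous hunk) is never released; with the old stack `Buffer` and `buffer_init` there was nothing heap-allocated to leak, which is why the guard used to be harmless. Move `sshbuf_free(action_agentbuf);` out of the `free_logbuf` block — `sshbuf_free` tolerates NULL, so it can run unconditionally before `free(cookie)`. Unrelated to this change but adjacent in the context lines, `uid_t uid = getpwnam(ruser)->pw_uid;` still dereferences the lookup result without a NULL check, which is worth fixing while the function is being reworked. `pamsshagentauth_find_authorized_keys` continues outside the hunk.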
|
||||
@ -163,7 +268,8 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-c
|
||||
id->key = key;
|
||||
id->filename = comment;
|
||||
id->ac = ac;
|
||||
if(userauth_pubkey_from_id(ruser, id, &session_id2)) {
|
||||
- if(userauth_pubkey_from_id(ruser, id, &session_id2)) {
|
||||
+ if(userauth_pubkey_from_id(ruser, id, session_id2)) {
|
||||
retval = 1;
|
||||
}
|
||||
- pamsshagentauth_xfree(id->filename);
|
||||
@ -177,18 +283,20 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-c
|
||||
}
|
||||
}
|
||||
- pamsshagentauth_buffer_free(&session_id2);
|
||||
+ buffer_free(&session_id2);
|
||||
+ sshbuf_free(session_id2);
|
||||
ssh_close_authentication_connection(ac);
|
||||
}
|
||||
else {
|
||||
- pamsshagentauth_verbose("No ssh-agent could be contacted");
|
||||
+ verbose("No ssh-agent could be contacted");
|
||||
}
|
||||
/* pamsshagentauth_xfree(session_id2); */
|
||||
- /* pamsshagentauth_xfree(session_id2); */
|
||||
EVP_cleanup();
|
||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c
|
||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat 2017-02-07 14:41:20.480509207 +0100
|
||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c 2017-02-07 14:44:20.549369019 +0100
|
||||
return retval;
|
||||
}
|
||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c
|
||||
--- openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat 2018-08-24 10:18:05.008393305 +0200
|
||||
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c 2018-08-24 10:18:05.009393312 +0200
|
||||
@@ -104,7 +104,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
||||
* a patch 8-)
|
||||
*/
|
||||
@ -276,10 +384,29 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compa
|
||||
}
|
||||
|
||||
cleanexit:
|
||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c
|
||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c 2017-02-07 14:41:20.484509204 +0100
|
||||
@@ -117,12 +117,12 @@ parse_authorized_key_file(const char *us
|
||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c
|
||||
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c 2018-08-24 10:18:05.009393312 +0200
|
||||
@@ -66,8 +66,8 @@
|
||||
#include "xmalloc.h"
|
||||
#include "match.h"
|
||||
#include "log.h"
|
||||
-#include "buffer.h"
|
||||
-#include "key.h"
|
||||
+#include "sshbuf.h"
|
||||
+#include "sshkey.h"
|
||||
#include "misc.h"
|
||||
|
||||
#include "xmalloc.h"
|
||||
@@ -77,7 +77,6 @@
|
||||
#include "pathnames.h"
|
||||
#include "secure_filename.h"
|
||||
|
||||
-#include "identity.h"
|
||||
#include "pam_user_key_allowed2.h"
|
||||
|
||||
extern char *authorized_keys_file;
|
||||
@@ -117,12 +116,12 @@ parse_authorized_key_file(const char *us
|
||||
} else {
|
||||
slash_ptr = strchr(auth_keys_file_buf, '/');
|
||||
if(!slash_ptr)
|
||||
@ -294,7 +421,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa
|
||||
|
||||
strncat(owner_uname, auth_keys_file_buf + 1, owner_uname_len);
|
||||
if(!authorized_keys_file_allowed_owner_uid)
|
||||
@@ -130,11 +130,11 @@ parse_authorized_key_file(const char *us
|
||||
@@ -130,11 +129,11 @@ parse_authorized_key_file(const char *us
|
||||
getpwnam(owner_uname)->pw_uid;
|
||||
}
|
||||
authorized_keys_file =
|
||||
@ -308,7 +435,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa
|
||||
percent_expand
|
||||
later, we'd step
|
||||
on this, so free
|
||||
@@ -150,7 +150,7 @@ parse_authorized_key_file(const char *us
|
||||
@@ -150,13 +149,13 @@ parse_authorized_key_file(const char *us
|
||||
strncat(hostname, fqdn, strcspn(fqdn, "."));
|
||||
#endif
|
||||
authorized_keys_file =
|
||||
@ -317,38 +444,78 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa
|
||||
getpwnam(user)->pw_dir, "H", hostname,
|
||||
"f", fqdn, "u", user, NULL);
|
||||
}
|
||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c
|
||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c 2017-02-07 14:41:20.484509204 +0100
|
||||
@@ -48,11 +48,13 @@
|
||||
#include "buffer.h"
|
||||
|
||||
int
|
||||
-pam_user_key_allowed(const char *ruser, Key * key)
|
||||
+pam_user_key_allowed(const char *ruser, struct sshkey * key)
|
||||
{
|
||||
return
|
||||
pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid),
|
||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h
|
||||
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h 2018-08-24 10:18:05.010393320 +0200
|
||||
@@ -32,7 +32,7 @@
|
||||
#define _PAM_USER_KEY_ALLOWED_H
|
||||
|
||||
#include "identity.h"
|
||||
-int pam_user_key_allowed(const char *, Key *);
|
||||
+int pam_user_key_allowed(const char *, struct sshkey *);
|
||||
void parse_authorized_key_file(const char *, const char *);
|
||||
|
||||
#endif
|
||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c
|
||||
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c 2018-08-24 10:18:05.010393320 +0200
|
||||
@@ -45,44 +45,46 @@
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
#include "ssh2.h"
|
||||
-#include "buffer.h"
|
||||
+#include "sshbuf.h"
|
||||
#include "log.h"
|
||||
#include "compat.h"
|
||||
-#include "key.h"
|
||||
+#include "digest.h"
|
||||
#include "key.h"
|
||||
+#include "sshkey.h"
|
||||
#include "pathnames.h"
|
||||
#include "misc.h"
|
||||
#include "secure_filename.h"
|
||||
#include "uidswap.h"
|
||||
-
|
||||
-#include "identity.h"
|
||||
+#include <unistd.h>
|
||||
|
||||
#include "identity.h"
|
||||
|
||||
@@ -68,7 +70,7 @@ pamsshagentauth_check_authkeys_file(FILE
|
||||
/* return 1 if user allows given key */
|
||||
/* Modified slightly from original found in auth2-pubkey.c */
|
||||
static int
|
||||
-pamsshagentauth_check_authkeys_file(FILE * f, char *file, Key * key)
|
||||
+pamsshagentauth_check_authkeys_file(FILE * f, char *file, struct sshkey * key)
|
||||
{
|
||||
- char line[SSH_MAX_PUBKEY_BYTES];
|
||||
+ char *line = NULL;
|
||||
int found_key = 0;
|
||||
u_long linenum = 0;
|
||||
- Key *found;
|
||||
+ struct sshkey *found;
|
||||
char *fp;
|
||||
+ size_t linesize = 0;
|
||||
|
||||
found_key = 0;
|
||||
- found = pamsshagentauth_key_new(key->type);
|
||||
+ found = key_new(key->type);
|
||||
+ found = sshkey_new(key->type);
|
||||
|
||||
while(read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
|
||||
- while(read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
|
||||
+ while ((getline(&line, &linesize, f)) != -1) {
|
||||
char *cp = NULL; /* *key_options = NULL; */
|
||||
@@ -78,11 +80,11 @@ pamsshagentauth_check_authkeys_file(FILE
|
||||
|
||||
+ linenum++;
|
||||
/* Skip leading whitespace, empty and comment lines. */
|
||||
for(cp = line; *cp == ' ' || *cp == '\t'; cp++);
|
||||
if(!*cp || *cp == '\n' || *cp == '#')
|
||||
continue;
|
||||
|
||||
- if(pamsshagentauth_key_read(found, &cp) != 1) {
|
||||
+ if(key_read(found, &cp) != 1) {
|
||||
+ if (sshkey_read(found, &cp) != 0) {
|
||||
/* no key? check if there are options for this key */
|
||||
int quoted = 0;
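Review bot: Replacing `read_keyfile_line` into a `SSH_MAX_PUBKEY_BYTES` stack buffer with `getline(&line, &linesize, f)` removes the line-length bound: the file being parsed is the target user's authorized_keys (the path is built from `getpwnam(user)->pw_dir` elsewhere in this patch), so a single very long line now grows a heap buffer to arbitrary size instead of being warned about and skipped as sshd does. Keep the bound by capturing the return value, `ssize_t len;` / `while ((len = getline(&line, &linesize, f)) != -1) {` and `if ((size_t)len > SSH_MAX_PUBKEY_BYTES) { linenum++; continue; }` before the key parsing. Separately, `found = sshkey_new(key->type)` can return NULL (unsupported type or allocation failure) and is not checked; add `if (found == NULL) fatal("%s: sshkey_new failed", __func__);` so the failure is explicit rather than every line silently failing to parse. `pamsshagentauth_check_authkeys_file` continues past the end of this hunk.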
|
||||
|
||||
@ -357,20 +524,20 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-co
|
||||
/* key_options = cp; */
|
||||
for(; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
|
||||
if(*cp == '\\' && cp[1] == '"')
|
||||
@@ -92,26 +94,26 @@ pamsshagentauth_check_authkeys_file(FILE
|
||||
@@ -92,26 +94,27 @@ pamsshagentauth_check_authkeys_file(FILE
|
||||
}
|
||||
/* Skip remaining whitespace. */
|
||||
for(; *cp == ' ' || *cp == '\t'; cp++);
|
||||
- if(pamsshagentauth_key_read(found, &cp) != 1) {
|
||||
- pamsshagentauth_verbose("user_key_allowed: advance: '%s'", cp);
|
||||
+ if(key_read(found, &cp) != 1) {
|
||||
+ if(sshkey_read(found, &cp) != 0) {
|
||||
+ verbose("user_key_allowed: advance: '%s'", cp);
|
||||
/* still no key? advance to next line */
|
||||
continue;
|
||||
}
|
||||
}
|
||||
- if(pamsshagentauth_key_equal(found, key)) {
|
||||
+ if(key_equal(found, key)) {
|
||||
+ if(sshkey_equal(found, key)) {
|
||||
found_key = 1;
|
||||
- pamsshagentauth_logit("matching key found: file/command %s, line %lu", file,
|
||||
+ logit("matching key found: file/command %s, line %lu", file,
|
||||
@ -379,23 +546,34 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-co
|
||||
- pamsshagentauth_logit("Found matching %s key: %s",
|
||||
- pamsshagentauth_key_type(found), fp);
|
||||
- pamsshagentauth_xfree(fp);
|
||||
+ fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
|
||||
+ fp = sshkey_fingerprint(found, SSH_DIGEST_SHA256, SSH_FP_BASE64);
|
||||
+ logit("Found matching %s key: %s",
|
||||
+ key_type(found), fp);
|
||||
+ sshkey_type(found), fp);
|
||||
+ free(fp);
|
||||
break;
|
||||
}
|
||||
}
|
||||
- pamsshagentauth_key_free(found);
|
||||
+ key_free(found);
|
||||
+ free(line);
|
||||
+ sshkey_free(found);
|
||||
if(!found_key)
|
||||
- pamsshagentauth_verbose("key not found");
|
||||
+ verbose("key not found");
|
||||
return found_key;
|
||||
}
|
||||
|
||||
@@ -128,11 +130,11 @@ pamsshagentauth_user_key_allowed2(struct
|
||||
char buf[SSH_MAX_PUBKEY_BYTES];
|
||||
@@ -120,19 +123,19 @@ pamsshagentauth_check_authkeys_file(FILE
|
||||
* returns 1 if the key is allowed or 0 otherwise.
|
||||
*/
|
||||
int
|
||||
-pamsshagentauth_user_key_allowed2(struct passwd *pw, Key * key, char *file)
|
||||
+pamsshagentauth_user_key_allowed2(struct passwd *pw, struct sshkey * key, char *file)
|
||||
{
|
||||
FILE *f;
|
||||
int found_key = 0;
|
||||
struct stat st;
|
||||
- char buf[SSH_MAX_PUBKEY_BYTES];
|
||||
+ char buf[256];
|
||||
|
||||
/* Temporarily use the user's uid. */
|
||||
- pamsshagentauth_verbose("trying public key file %s", file);
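Review bot: `fp = sshkey_fingerprint(found, SSH_DIGEST_SHA256, SSH_FP_BASE64)` can return NULL, and the following `logit("Found matching %s key: %s", sshkey_type(found), fp)` passes it to `%s` unchecked, which is undefined behaviour even though glibc happens to print "(null)"; use `fp != NULL ? fp : "(fingerprint unavailable)"` in the call. This hunk also changes the logged fingerprint from MD5 hex to the `SHA256:` base64 form, which is the intended MD5 removal from the commit message, but anything correlating these audit lines with `ssh-keygen -l` output or alert rules must be updated to the new format, so a one-line comment such as `/* SHA256 base64, matches ssh-keygen -l output */` next to the call would help operators. Shrinking `buf` from `SSH_MAX_PUBKEY_BYTES` to `char buf[256]` only affects the error text returned by `pamsshagentauth_secure_filename`, so long paths in that message will presumably be truncated rather than overflow; I cannot confirm that from this chunk. `pamsshagentauth_user_key_allowed2` continues outside the hunk.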
|
||||
@ -408,7 +586,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-co
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -144,7 +146,7 @@ pamsshagentauth_user_key_allowed2(struct
|
||||
@@ -144,7 +147,7 @@ pamsshagentauth_user_key_allowed2(struct
|
||||
|
||||
if(pamsshagentauth_secure_filename(f, file, pw, buf, sizeof(buf)) != 0) {
|
||||
fclose(f);
|
||||
@ -417,7 +595,16 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-co
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -187,44 +189,44 @@ pamsshagentauth_user_key_command_allowed
|
||||
@@ -160,7 +163,7 @@ pamsshagentauth_user_key_allowed2(struct
|
||||
int
|
||||
pamsshagentauth_user_key_command_allowed2(char *authorized_keys_command,
|
||||
char *authorized_keys_command_user,
|
||||
- struct passwd *user_pw, Key * key)
|
||||
+ struct passwd *user_pw, struct sshkey * key)
|
||||
{
|
||||
FILE *f;
|
||||
int ok, found_key = 0;
|
||||
@@ -187,44 +190,44 @@ pamsshagentauth_user_key_command_allowed
|
||||
else {
|
||||
pw = getpwnam(authorized_keys_command_user);
|
||||
if(pw == NULL) {
|
||||
@ -470,7 +657,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-co
|
||||
close(p[0]);
|
||||
close(p[1]);
|
||||
return 0;
|
||||
@@ -234,13 +236,13 @@ pamsshagentauth_user_key_command_allowed
|
||||
@@ -234,13 +237,13 @@ pamsshagentauth_user_key_command_allowed
|
||||
|
||||
/* do this before the setresuid so thta they can be logged */
|
||||
if((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
|
||||
@ -486,7 +673,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-co
|
||||
_exit(1);
|
||||
}
|
||||
#if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID)
|
||||
@@ -248,7 +250,7 @@ pamsshagentauth_user_key_command_allowed
|
||||
@@ -248,7 +251,7 @@ pamsshagentauth_user_key_command_allowed
|
||||
#else
|
||||
if (setgid(pw->pw_gid) != 0 || setegid(pw->pw_gid) != 0) {
|
||||
#endif
|
||||
@ -495,7 +682,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-co
|
||||
strerror(errno));
|
||||
_exit(1);
|
||||
}
|
||||
@@ -258,7 +260,7 @@ pamsshagentauth_user_key_command_allowed
|
||||
@@ -258,7 +261,7 @@ pamsshagentauth_user_key_command_allowed
|
||||
#else
|
||||
if (setuid(pw->pw_uid) != 0 || seteuid(pw->pw_uid) != 0) {
|
||||
#endif
|
||||
@ -504,7 +691,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-co
|
||||
strerror(errno));
|
||||
_exit(1);
|
||||
}
|
||||
@@ -270,18 +272,18 @@ pamsshagentauth_user_key_command_allowed
|
||||
@@ -270,18 +273,18 @@ pamsshagentauth_user_key_command_allowed
|
||||
|
||||
/* pretty sure this will barf because we are now suid, but since we
|
||||
should't reach this anyway, I'll leave it here */
|
||||
@ -526,7 +713,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-co
|
||||
close(p[0]);
|
||||
/* Don't leave zombie child */
|
||||
while(waitpid(pid, NULL, 0) == -1 && errno == EINTR);
|
||||
@@ -292,22 +294,22 @@ pamsshagentauth_user_key_command_allowed
|
||||
@@ -292,22 +295,22 @@ pamsshagentauth_user_key_command_allowed
|
||||
|
||||
while(waitpid(pid, &status, 0) == -1) {
|
||||
if(errno != EINTR) {
|
||||
@ -553,9 +740,33 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-co
|
||||
+ restore_uid();
|
||||
return found_key;
|
||||
}
|
||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/secure_filename.c
|
||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/secure_filename.c 2017-02-07 14:41:20.481509206 +0100
|
||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h
|
||||
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h 2018-08-24 10:18:05.010393320 +0200
|
||||
@@ -32,7 +32,7 @@
|
||||
#define _PAM_USER_KEY_ALLOWED_H
|
||||
|
||||
#include "identity.h"
|
||||
-int pamsshagentauth_user_key_allowed2(struct passwd *, Key *, char *);
|
||||
-int pamsshagentauth_user_key_command_allowed2(char *, char *, struct passwd *, Key *);
|
||||
+int pamsshagentauth_user_key_allowed2(struct passwd *, struct sshkey *, char *);
|
||||
+int pamsshagentauth_user_key_command_allowed2(char *, char *, struct passwd *, struct sshkey *);
|
||||
|
||||
#endif
|
||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c
|
||||
--- openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||
+++ openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c 2018-08-24 10:18:05.010393320 +0200
|
||||
@@ -53,8 +53,8 @@
|
||||
#include "xmalloc.h"
|
||||
#include "match.h"
|
||||
#include "log.h"
|
||||
-#include "buffer.h"
|
||||
-#include "key.h"
|
||||
+#include "sshbuf.h"
|
||||
+#include "sshkey.h"
|
||||
#include "misc.h"
|
||||
|
||||
|
||||
@@ -80,7 +80,7 @@ pamsshagentauth_auth_secure_path(const c
|
||||
int comparehome = 0;
|
||||
struct stat st;
|
||||
@ -586,10 +797,24 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat o
|
||||
buf);
|
||||
break;
|
||||
}
|
||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
|
||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2017-02-07 14:41:20.484509204 +0100
|
||||
@@ -48,6 +48,8 @@
|
||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
|
||||
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2018-08-24 10:22:13.202657025 +0200
|
||||
@@ -37,10 +37,11 @@
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
#include "ssh2.h"
|
||||
-#include "buffer.h"
|
||||
+#include "sshbuf.h"
|
||||
#include "log.h"
|
||||
#include "compat.h"
|
||||
-#include "key.h"
|
||||
+#include "sshkey.h"
|
||||
+#include "ssherr.h"
|
||||
#include "pathnames.h"
|
||||
#include "misc.h"
|
||||
#include "secure_filename.h"
|
||||
@@ -48,54 +48,59 @@
|
||||
#include "identity.h"
|
||||
#include "pam_user_authorized_keys.h"
|
||||
|
||||
@ -598,7 +823,22 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-
|
||||
/* extern u_char *session_id2;
|
||||
extern uint8_t session_id_len;
|
||||
*/
|
||||
@@ -65,37 +67,38 @@ userauth_pubkey_from_id(const char *ruse
|
||||
|
||||
int
|
||||
-userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2)
|
||||
+userauth_pubkey_from_id(const char *ruser, Identity * id, struct sshbuf * session_id2)
|
||||
{
|
||||
- Buffer b = { 0 };
|
||||
+ struct sshbuf *b = NULL;
|
||||
char *pkalg = NULL;
|
||||
u_char *pkblob = NULL, *sig = NULL;
|
||||
- u_int blen = 0, slen = 0;
|
||||
+ size_t blen = 0, slen = 0;
|
||||
- int authenticated = 0;
|
||||
+ int r, authenticated = 0;
|
||||
|
||||
- pkalg = (char *) key_ssh_name(id->key);
|
||||
+ pkalg = (char *) sshkey_ssh_name(id->key);
|
||||
|
||||
/* first test if this key is even allowed */
|
||||
if(! pam_user_key_allowed(ruser, id->key))
|
||||
@ -607,12 +847,13 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-
|
||||
|
||||
- if(pamsshagentauth_key_to_blob(id->key, &pkblob, &blen) == 0)
|
||||
- goto user_auth_clean_exit;
|
||||
+ if(key_to_blob(id->key, &pkblob, &blen) == 0)
|
||||
+ if(sshkey_to_blob(id->key, &pkblob, &blen) != 0)
|
||||
+ goto user_auth_clean_exit_without_buffer;
|
||||
|
||||
/* construct packet to sign and test */
|
||||
- pamsshagentauth_buffer_init(&b);
|
||||
+ buffer_init(&b);
|
||||
+ if ((b = sshbuf_new()) == NULL)
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
|
||||
- pamsshagentauth_buffer_put_string(&b, session_id2->buf + session_id2->offset, session_id2->end - session_id2->offset);
|
||||
- pamsshagentauth_buffer_put_char(&b, SSH2_MSG_USERAUTH_TRUST_REQUEST);
|
||||
@ -622,28 +863,29 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-
|
||||
- pamsshagentauth_buffer_put_char(&b, 1);
|
||||
- pamsshagentauth_buffer_put_cstring(&b, pkalg);
|
||||
- pamsshagentauth_buffer_put_string(&b, pkblob, blen);
|
||||
+ buffer_put_string(&b, sshbuf_ptr(session_id2), sshbuf_len(session_id2));
|
||||
+ buffer_put_char(&b, SSH2_MSG_USERAUTH_TRUST_REQUEST);
|
||||
+ buffer_put_cstring(&b, ruser);
|
||||
+ buffer_put_cstring(&b, "pam_ssh_agent_auth");
|
||||
+ buffer_put_cstring(&b, "publickey");
|
||||
+ buffer_put_char(&b, 1);
|
||||
+ buffer_put_cstring(&b, pkalg);
|
||||
+ buffer_put_string(&b, pkblob, blen);
|
||||
+ if ((r = sshbuf_put_string(b, sshbuf_ptr(session_id2), sshbuf_len(session_id2))) != 0 ||
|
||||
+ (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_TRUST_REQUEST)) != 0 ||
|
||||
+ (r = sshbuf_put_cstring(b, ruser)) != 0 ||
|
||||
+ (r = sshbuf_put_cstring(b, "pam_ssh_agent_auth")) != 0 ||
|
||||
+ (r = sshbuf_put_cstring(b, "publickey")) != 0 ||
|
||||
+ (r = sshbuf_put_u8(b, 1)) != 0 ||
|
||||
+ (r = sshbuf_put_cstring(b, pkalg)) != 0 ||
|
||||
+ (r = sshbuf_put_string(b, pkblob, blen)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
|
||||
- if(ssh_agent_sign(id->ac, id->key, &sig, &slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) != 0)
|
||||
+ if(ssh_agent_sign(id->ac, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b)) != 0)
|
||||
+ if (ssh_agent_sign(id->ac, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b)) != 0)
|
||||
goto user_auth_clean_exit;
|
||||
|
||||
/* test for correct signature */
|
||||
- if(pamsshagentauth_key_verify(id->key, sig, slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) == 1)
|
||||
+ if(key_verify(id->key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
|
||||
+ if (sshkey_verify(id->key, sig, slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0) == 0)
|
||||
authenticated = 1;
|
||||
|
||||
user_auth_clean_exit:
|
||||
/* if(&b != NULL) */
|
||||
- pamsshagentauth_buffer_free(&b);
|
||||
+ buffer_free(&b);
|
||||
+ sshbuf_free(b);
|
||||
+ user_auth_clean_exit_without_buffer:
|
||||
if(sig != NULL)
|
||||
- pamsshagentauth_xfree(sig);
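Review bot: `sshkey_verify(id->key, sig, slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0)` passes `alg` as NULL, which lets the verifier accept whichever RSA signature variant the agent returned (including the SHA-1 `ssh-rsa` form) rather than the algorithm the module asked for; if the local `ssh_agent_sign` wrapper (its definition is not in this chunk) requests a specific algorithm, pass the same name here so a downgraded signature is not silently accepted, and add a comment recording that decision either way. The new `user_auth_clean_exit_without_buffer` label is unnecessary, because `b` starts as NULL and `sshbuf_free(NULL)` is a no-op, so the single `user_auth_clean_exit` label is enough and the extra goto target can be dropped. For consistency with the sibling hunk in iterate_ssh_agent_keys.c, `sshbuf_put_string(b, sshbuf_ptr(session_id2), sshbuf_len(session_id2))` can be written as `sshbuf_put_stringb(b, session_id2)`. `userauth_pubkey_from_id` continues past the end of this hunk.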
|
||||
@ -654,9 +896,22 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-
|
||||
CRYPTO_cleanup_all_ex_data();
|
||||
return authenticated;
|
||||
}
|
||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/uuencode.c
|
||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/uuencode.c 2017-02-07 14:41:20.484509204 +0100
|
||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h
|
||||
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h 2018-08-24 10:18:05.010393320 +0200
|
||||
@@ -31,7 +31,7 @@
|
||||
#ifndef _USERAUTH_PUBKEY_FROM_ID_H
|
||||
#define _USERAUTH_PUBKEY_FROM_ID_H
|
||||
|
||||
-#include <identity.h>
|
||||
-int userauth_pubkey_from_id(const char *, Identity *, Buffer *);
|
||||
+#include "identity.h"
|
||||
+int userauth_pubkey_from_id(const char *, Identity *, struct sshbuf *);
|
||||
|
||||
#endif
|
||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/uuencode.c
|
||||
--- openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
||||
+++ openssh/pam_ssh_agent_auth-0.10.3/uuencode.c 2018-08-24 10:18:05.010393320 +0200
|
||||
@@ -56,7 +56,7 @@ pamsshagentauth_uudecode(const char *src
|
||||
/* and remove trailing whitespace because __b64_pton needs this */
|
||||
*p = '\0';
|
||||
|
@ -3,7 +3,7 @@ diff --git a/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c b/pam_ssh_agen
|
||||
+++ b/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c
|
||||
@@ -158,11 +158,12 @@ parse_authorized_key_file(const char *user,
|
||||
int
|
||||
pam_user_key_allowed(const char *ruser, Key * key)
|
||||
pam_user_key_allowed(const char *ruser, struct sshkey * key)
|
||||
{
|
||||
+ struct passwd *pw;
|
||||
return
|
||||
|
@ -7,7 +7,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent openssh/pam_ssh
|
||||
|
||||
+typedef struct {
|
||||
+ int fd;
|
||||
+ Buffer identities;
|
||||
+ struct sshbuf *identities;
|
||||
+ int howmany;
|
||||
+} AuthenticationConnection;
|
||||
+
|
||||
@ -18,8 +18,8 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent o
|
||||
--- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200
|
||||
+++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-09-27 14:25:49.421739027 +0200
|
||||
@@ -39,6 +39,7 @@
|
||||
#include "buffer.h"
|
||||
#include "key.h"
|
||||
#include "sshbuf.h"
|
||||
#include "sshkey.h"
|
||||
#include "authfd.h"
|
||||
+#include "ssherr.h"
|
||||
#include <stdio.h>
|
||||
@ -27,9 +27,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent o
|
||||
#include "ssh2.h"
|
||||
@@ -291,36 +292,43 @@ pamsshagentauth_find_authorized_keys(con
|
||||
{
|
||||
Buffer session_id2 = { 0 };
|
||||
struct sshbuf *session_id2 = NULL;
|
||||
Identity *id;
|
||||
- Key *key;
|
||||
- struct sshkey *key;
|
||||
AuthenticationConnection *ac;
|
||||
- char *comment;
|
||||
uint8_t retval = 0;
|
||||
@ -59,7 +59,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent o
|
||||
+ id->key = idlist->keys[i];
|
||||
+ id->filename = idlist->comments[i];
|
||||
id->ac = ac;
|
||||
if(userauth_pubkey_from_id(ruser, id, &session_id2)) {
|
||||
if(userauth_pubkey_from_id(ruser, id, session_id2)) {
|
||||
retval = 1;
|
||||
}
|
||||
- free(id->filename);
|
||||
@ -69,7 +69,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent o
|
||||
break;
|
||||
}
|
||||
}
|
||||
buffer_free(&session_id2);
|
||||
sshbuf_free(session_id2);
|
||||
- ssh_close_authentication_connection(ac);
|
||||
+ ssh_free_identitylist(idlist);
|
||||
+ ssh_close_authentication_socket(ac->fd);
|
||||
@ -78,91 +78,15 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent o
|
||||
}
|
||||
else {
|
||||
verbose("No ssh-agent could be contacted");
|
||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c
|
||||
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-agent 2017-09-27 14:26:04.277820716 +0200
|
||||
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c 2017-09-27 14:26:34.426986497 +0200
|
||||
@@ -70,7 +70,7 @@ pamsshagentauth_check_authkeys_file(FILE
char *fp;
found_key = 0;
- found = key_new(key->type);
+ found = sshkey_new(key->type);
while(read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
char *cp = NULL; /* *key_options = NULL; */
@@ -80,7 +80,7 @@ pamsshagentauth_check_authkeys_file(FILE
if(!*cp || *cp == '\n' || *cp == '#')
continue;
- if(key_read(found, &cp) != 1) {
+ if(sshkey_read(found, &cp) != 0) {
/* no key? check if there are options for this key */
int quoted = 0;
@@ -94,24 +94,24 @@ pamsshagentauth_check_authkeys_file(FILE
}
/* Skip remaining whitespace. */
for(; *cp == ' ' || *cp == '\t'; cp++);
- if(key_read(found, &cp) != 1) {
+ if(sshkey_read(found, &cp) != 0) {
verbose("user_key_allowed: advance: '%s'", cp);
/* still no key? advance to next line */
continue;
}
}
- if(key_equal(found, key)) {
+ if(sshkey_equal(found, key)) {
found_key = 1;
logit("matching key found: file/command %s, line %lu", file,
linenum);
fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
logit("Found matching %s key: %s",
- key_type(found), fp);
+ sshkey_type(found), fp);
free(fp);
break;
}
}
- key_free(found);
+ sshkey_free(found);
if(!found_key)
verbose("key not found");
return found_key;
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2017-09-27 14:25:49.422739032 +0200
@@ -57,10 +57,11 @@ extern uint8_t session_id_len;
int
userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2)
{
- Buffer b = { 0 };
+ Buffer b;
char *pkalg = NULL;
u_char *pkblob = NULL, *sig = NULL;
- u_int blen = 0, slen = 0;
+ u_int blen = 0;
+ size_t slen = 0;
int authenticated = 0;
pkalg = (char *) key_ssh_name(id->key);
@@ -84,7 +85,7 @@ userauth_pubkey_from_id(const char *ruse
buffer_put_cstring(&b, pkalg);
buffer_put_string(&b, pkblob, blen);
(r = sshbuf_put_string(b, pkblob, blen)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
- if(ssh_agent_sign(id->ac, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b)) != 0)
+ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), NULL, 0) != 0)
- if (ssh_agent_sign(id->ac, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b)) != 0)
+ if (ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0) != 0)
goto user_auth_clean_exit;
/* test for correct signature */
diff -up openssh-7.7p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-sshkey openssh-7.7p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
--- openssh-7.7p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-sshkey 2018-04-04 13:55:02.383899631 +0200
+++ openssh-7.7p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2018-04-04 13:58:36.759339845 +0200
@@ -89,7 +89,7 @@ userauth_pubkey_from_id(const char *ruse
goto user_auth_clean_exit;
/* test for correct signature */
- if(key_verify(id->key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
+ if(sshkey_verify(id->key, sig, slen, buffer_ptr(&b), buffer_len(&b), NULL, 0) == 0)
authenticated = 1;
user_auth_clean_exit:
@ -189,8 +189,8 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh-
-pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
- $(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam
+pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
+ $(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam
+pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o ../uidswap.o
+ $(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat pam_ssh_agent_auth.o ../uidswap.o $(LIBS) -lpam
$(MANPAGES): $(MANPAGES_IN)
pod2man --section=8 --release=v0.10.3 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8
4
sources
4
sources
@ -1,4 +1,4 @@
SHA512 (openssh-7.7p1.tar.gz) = 597252cb48209a0cb98ca1928a67e8d63e4275252f25bc37269204c108f034baade6ba0634e32ae63422fddd280f73096a6b31ad2f2e7a848dde75ca30e14261
SHA512 (openssh-7.7p1.tar.gz.asc) = 9445a589a84538fb0b4eae0f7bf6ce46def51b09254d6fffcc6ed64472f10ccf9e4d5d200387725043039d77ca886e2c8e8f3128e7969c582156fafb0783988d
SHA512 (openssh-7.8p1.tar.gz) = 8e5b0c8682a9243e4e8b7c374ec989dccd1a752eb6f84e593b67141e8b23dcc8b9a7322b1f7525d18e2ce8830a767d0d9793f997486339db201a57986b910705
SHA512 (openssh-7.8p1.tar.gz.asc) = 3a7bef84df3c07aa78965a11a6bbd6ca6e5d1e9265ac08871b3e5d304646be651b74f5302a195e86a56e6a83b19d79292e5599c9a9cf6f003a513d4354e8ad2f
SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66