forked from rpms/openssh
Hostbased ssh authentication fails if session ID contains a '/'
Resolves: rhbz#1963058
This commit is contained in:
parent
c3e6e4a2e6
commit
d0754b1a8d
@ -179,10 +179,10 @@ diff -up openssh/misc.c.role-mls openssh/misc.c
|
|||||||
}
|
}
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
|
||||||
--- openssh/monitor.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
--- openssh-8.6p1/monitor.c.role-mls 2021-04-16 05:55:25.000000000 +0200
|
||||||
+++ openssh/monitor.c 2018-08-22 11:19:56.006844867 +0200
|
+++ openssh-8.6p1/monitor.c 2021-05-21 14:21:56.719414087 +0200
|
||||||
@@ -115,6 +115,9 @@ int mm_answer_sign(int, struct sshbuf *)
|
@@ -117,6 +117,9 @@ int mm_answer_sign(struct ssh *, int, st
|
||||||
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
|
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
|
||||||
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
|
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
|
||||||
int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
|
int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
|
||||||
@ -192,7 +192,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
|
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
|
||||||
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
|
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
|
||||||
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
|
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
|
||||||
@@ -189,6 +192,9 @@ struct mon_table mon_dispatch_proto20[]
|
@@ -195,6 +198,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||||
@ -202,7 +202,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
@@ -796,6 +802,9 @@ mm_answer_pwnamallow(int sock, struct ss
|
@@ -803,6 +809,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
|
||||||
|
|
||||||
/* Allow service/style information on the auth context */
|
/* Allow service/style information on the auth context */
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||||
@ -212,7 +212,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||||
|
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
@@ -842,6 +851,26 @@ mm_answer_authserv(int sock, struct sshb
|
@@ -877,6 +886,26 @@ key_base_type_match(const char *method,
|
||||||
return found;
|
return found;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -239,7 +239,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
int
|
int
|
||||||
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
|
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
{
|
{
|
||||||
@@ -1218,7 +1247,7 @@ monitor_valid_userblob(u_char *data, u_i
|
@@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh,
|
||||||
{
|
{
|
||||||
struct sshbuf *b;
|
struct sshbuf *b;
|
||||||
const u_char *p;
|
const u_char *p;
|
||||||
@ -248,7 +248,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
size_t len;
|
size_t len;
|
||||||
u_char type;
|
u_char type;
|
||||||
int r, fail = 0;
|
int r, fail = 0;
|
||||||
@@ -1251,6 +1280,8 @@ monitor_valid_userblob(u_char *data, u_i
|
@@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh,
|
||||||
fail++;
|
fail++;
|
||||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||||
fatal_fr(r, "parse userstyle");
|
fatal_fr(r, "parse userstyle");
|
||||||
@ -257,7 +257,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||||
authctxt->style ? ":" : "",
|
authctxt->style ? ":" : "",
|
||||||
authctxt->style ? authctxt->style : "");
|
authctxt->style ? authctxt->style : "");
|
||||||
@@ -1286,7 +1317,7 @@ monitor_valid_hostbasedblob(u_char *data
|
@@ -1317,7 +1348,7 @@ monitor_valid_hostbasedblob(const u_char
|
||||||
{
|
{
|
||||||
struct sshbuf *b;
|
struct sshbuf *b;
|
||||||
const u_char *p;
|
const u_char *p;
|
||||||
@ -266,11 +266,11 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
size_t len;
|
size_t len;
|
||||||
int r, fail = 0;
|
int r, fail = 0;
|
||||||
u_char type;
|
u_char type;
|
||||||
@@ -1308,6 +1339,8 @@ monitor_valid_hostbasedblob(u_char *data
|
@@ -1338,6 +1370,8 @@ monitor_valid_hostbasedblob(const u_char
|
||||||
fail++;
|
fail++;
|
||||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||||
fatal_fr(r, "parse userstyle");
|
fatal_fr(r, "parse userstyle");
|
||||||
+ if ((s = strchr(p, '/')) != NULL)
|
+ if ((s = strchr(cp, '/')) != NULL)
|
||||||
+ *s = '\0';
|
+ *s = '\0';
|
||||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||||
authctxt->style ? ":" : "",
|
authctxt->style ? ":" : "",
|
||||||
|
@ -659,6 +659,9 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri May 21 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.6p1-3
|
||||||
|
- Hostbased ssh authentication fails if session ID contains a '/' (#1963058)
|
||||||
|
|
||||||
* Mon May 10 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.6p1-2
|
* Mon May 10 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.6p1-2
|
||||||
- rebuilt
|
- rebuilt
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user