improve session keys audit
parent
71d3d9c683
commit
d1fc5c2d41
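--- /dev/null
+++ b/[new-patch-file-path-not-shown-on-page]
@@ -0,0 +1,79 @@
+diff -up openssh-5.8p1/packet.c.audit4a openssh-5.8p1/packet.c
+--- openssh-5.8p1/packet.c.audit4a 2011-03-08 08:52:12.000000000 +0100
++++ openssh-5.8p1/packet.c 2011-03-08 08:52:39.000000000 +0100
+@@ -473,6 +473,13 @@ packet_get_connection_out(void)
+return active_state->connection_out;
+}
+
++static int
++packet_state_has_keys (const struct session_state *state)
++{
++ return state != NULL &&
++ (state->newkeys[MODE_IN] != NULL || state->newkeys[MODE_OUT] != NULL);
++}
++
+/* Closes the connection and clears and frees internal data structures. */
+
+void
+@@ -481,13 +488,6 @@ packet_close(void)
+if (!active_state->initialized)
+return;
+active_state->initialized = 0;
+- if (active_state->connection_in == active_state->connection_out) {
+- shutdown(active_state->connection_out, SHUT_RDWR);
+- close(active_state->connection_out);
+- } else {
+- close(active_state->connection_in);
+- close(active_state->connection_out);
+- }
+buffer_free(&active_state->input);
+buffer_free(&active_state->output);
+buffer_free(&active_state->outgoing_packet);
+@@ -496,9 +496,18 @@ packet_close(void)
+buffer_free(&active_state->compression_buffer);
+buffer_compress_uninit();
+}
+- cipher_cleanup(&active_state->send_context);
+- cipher_cleanup(&active_state->receive_context);
+- audit_session_key_free(2);
++ if (packet_state_has_keys(active_state)) {
++ cipher_cleanup(&active_state->send_context);
++ cipher_cleanup(&active_state->receive_context);
++ audit_session_key_free(2);
++ }
++ if (active_state->connection_in == active_state->connection_out) {
++ shutdown(active_state->connection_out, SHUT_RDWR);
++ close(active_state->connection_out);
++ } else {
++ close(active_state->connection_in);
++ close(active_state->connection_out);
++ }
+}
+
+/* Sets remote side protocol flags. */
+@@ -1945,13 +1954,6 @@ packet_destroy_state(struct session_stat
+// memset(state, 0, sizeof(state));
+}
+
+-static int
+-packet_state_has_keys (const struct session_state *state)
+-{
+- return state != NULL &&
+- (state->newkeys[MODE_IN] != NULL || state->newkeys[MODE_OUT] != NULL);
+-}
+-
+void
+packet_destroy_all(int audit_it, int privsep)
+{
+diff -up openssh-5.8p1/sshd.c.audit4a openssh-5.8p1/sshd.c
+--- openssh-5.8p1/sshd.c.audit4a 2011-03-08 08:53:02.000000000 +0100
++++ openssh-5.8p1/sshd.c 2011-03-08 08:55:23.000000000 +0100
+@@ -2033,7 +2033,7 @@ main(int ac, char **av)
+do_authenticated(authctxt);
+
+/* The connection has been terminated. */
+- packet_destroy_all(1, 0);
++ packet_destroy_all(1, 1);
+
+packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
+packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);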
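Review bot: In the `packet_close` hunk the two `cipher_cleanup()` calls are now skipped whenever `packet_state_has_keys()` is false, but `newkeys[]` is only populated by the SSH-2 key exchange; if I read stock 5.8p1 correctly, the protocol-1 path `packet_set_encryption_key()` initialises `send_context`/`receive_context` through `cipher_init()` without touching `newkeys`, so those contexts (and the key schedule inside them) would no longer be torn down on close. Only the audit record needs the guard, so keep the cleanup unconditional and narrow it to `cipher_cleanup(&active_state->send_context);` `cipher_cleanup(&active_state->receive_context);` `if (packet_state_has_keys(active_state)) audit_session_key_free(2);`. `packet_close` begins and ends outside the hunks shown, as does `packet_destroy_state`. On that note, its context line `// memset(state, 0, sizeof(state));` would clear only `sizeof` a pointer if it were ever re-enabled; it needs `sizeof(*state)` and a clear the compiler cannot elide, since a plain `memset` immediately before a free may be optimised away.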
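--- /dev/null
+++ b/[new-patch-file-path-not-shown-on-page]
@@ -0,0 +1,11 @@
+diff -up openssh-5.8p1/sshd.c.audit5a openssh-5.8p1/sshd.c
+--- openssh-5.8p1/sshd.c.audit5a 2011-03-08 09:03:49.000000000 +0100
++++ openssh-5.8p1/sshd.c 2011-03-08 09:06:23.000000000 +0100
+@@ -2085,6 +2085,7 @@ main(int ac, char **av)
+
+/* The connection has been terminated. */
+packet_destroy_all(1, 1);
++ destroy_sensitive_data(1);
+
+packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
+packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);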
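Review bot: The `1` handed to `destroy_sensitive_data` in the `main` hunk is a bare literal whose meaning is not visible here; stock `destroy_sensitive_data()` takes no argument, so this is a patched signature and the call should name the flag, e.g. `destroy_sensitive_data(1); /* <flag meaning — confirm against the patched prototype> */` or a named constant, rather than leaving readers to guess that it mirrors `packet_destroy_all`'s audit argument. It is also worth confirming that the patched function still sets each host-key pointer to NULL after `key_free`, as the stock one does, since this call follows the rest of the teardown and may not be the only invocation on every exit path. `main` starts and ends outside the hunk.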
@ -117,7 +117,7 @@ diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap openssh-5.8p1/HOWTO.ldap-keys
|
||||
+2) add appropriate schema
|
||||
+3) insert users into LDAP
|
||||
+4) on the ssh side set in sshd_config
|
||||
+AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
|
||||
+AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
|
||||
+AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
|
||||
+5) do not forget to set
|
||||
+PubkeyAuthentication yes
|
||||
@ -2262,7 +2262,7 @@ diff -up openssh-5.8p1/README.lpk.ldap openssh-5.8p1/README.lpk
|
||||
+
|
||||
+ 2 tokens are added to sshd_config :
|
||||
+ # here is the new patched ldap related tokens
|
||||
+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-helper -s %u
|
||||
+ AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
|
||||
+ AuthorizedKeysCommandRunAs nobody
|
||||
+
|
||||
+ The LDAP configuratin is read from common /etc/ldap.conf configuration file.
|
||||
|
@ -71,7 +71,7 @@
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%define openssh_ver 5.8p1
|
||||
%define openssh_rel 15
|
||||
%define openssh_rel 16
|
||||
%define pam_ssh_agent_ver 0.9.2
|
||||
%define pam_ssh_agent_rel 30
|
||||
|
||||
@ -652,6 +652,9 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Mar 8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-16 + 0.9.2-30
|
||||
- improve session keys audit
|
||||
|
||||
* Mon Mar 7 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-15 + 0.9.2-30
|
||||
- CVE-2010-4755
|
||||
|
||||
|