forked from rpms/openssh
improve session keys audit
This commit is contained in:
parent
71d3d9c683
commit
d1fc5c2d41
@ -0,0 +1,79 @@
|
|||||||
|
diff -up openssh-5.8p1/packet.c.audit4a openssh-5.8p1/packet.c
|
||||||
|
--- openssh-5.8p1/packet.c.audit4a 2011-03-08 08:52:12.000000000 +0100
|
||||||
|
+++ openssh-5.8p1/packet.c 2011-03-08 08:52:39.000000000 +0100
|
||||||
|
@@ -473,6 +473,13 @@ packet_get_connection_out(void)
|
||||||
|
return active_state->connection_out;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+packet_state_has_keys (const struct session_state *state)
|
||||||
|
+{
|
||||||
|
+ return state != NULL &&
|
||||||
|
+ (state->newkeys[MODE_IN] != NULL || state->newkeys[MODE_OUT] != NULL);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* Closes the connection and clears and frees internal data structures. */
|
||||||
|
|
||||||
|
void
|
||||||
|
@@ -481,13 +488,6 @@ packet_close(void)
|
||||||
|
if (!active_state->initialized)
|
||||||
|
return;
|
||||||
|
active_state->initialized = 0;
|
||||||
|
- if (active_state->connection_in == active_state->connection_out) {
|
||||||
|
- shutdown(active_state->connection_out, SHUT_RDWR);
|
||||||
|
- close(active_state->connection_out);
|
||||||
|
- } else {
|
||||||
|
- close(active_state->connection_in);
|
||||||
|
- close(active_state->connection_out);
|
||||||
|
- }
|
||||||
|
buffer_free(&active_state->input);
|
||||||
|
buffer_free(&active_state->output);
|
||||||
|
buffer_free(&active_state->outgoing_packet);
|
||||||
|
@@ -496,9 +496,18 @@ packet_close(void)
|
||||||
|
buffer_free(&active_state->compression_buffer);
|
||||||
|
buffer_compress_uninit();
|
||||||
|
}
|
||||||
|
- cipher_cleanup(&active_state->send_context);
|
||||||
|
- cipher_cleanup(&active_state->receive_context);
|
||||||
|
- audit_session_key_free(2);
|
||||||
|
+ if (packet_state_has_keys(active_state)) {
|
||||||
|
+ cipher_cleanup(&active_state->send_context);
|
||||||
|
+ cipher_cleanup(&active_state->receive_context);
|
||||||
|
+ audit_session_key_free(2);
|
||||||
|
+ }
|
||||||
|
+ if (active_state->connection_in == active_state->connection_out) {
|
||||||
|
+ shutdown(active_state->connection_out, SHUT_RDWR);
|
||||||
|
+ close(active_state->connection_out);
|
||||||
|
+ } else {
|
||||||
|
+ close(active_state->connection_in);
|
||||||
|
+ close(active_state->connection_out);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Sets remote side protocol flags. */
|
||||||
|
@@ -1945,13 +1954,6 @@ packet_destroy_state(struct session_stat
|
||||||
|
// memset(state, 0, sizeof(state));
|
||||||
|
}
|
||||||
|
|
||||||
|
-static int
|
||||||
|
-packet_state_has_keys (const struct session_state *state)
|
||||||
|
-{
|
||||||
|
- return state != NULL &&
|
||||||
|
- (state->newkeys[MODE_IN] != NULL || state->newkeys[MODE_OUT] != NULL);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
void
|
||||||
|
packet_destroy_all(int audit_it, int privsep)
|
||||||
|
{
|
||||||
|
diff -up openssh-5.8p1/sshd.c.audit4a openssh-5.8p1/sshd.c
|
||||||
|
--- openssh-5.8p1/sshd.c.audit4a 2011-03-08 08:53:02.000000000 +0100
|
||||||
|
+++ openssh-5.8p1/sshd.c 2011-03-08 08:55:23.000000000 +0100
|
||||||
|
@@ -2033,7 +2033,7 @@ main(int ac, char **av)
|
||||||
|
do_authenticated(authctxt);
|
||||||
|
|
||||||
|
/* The connection has been terminated. */
|
||||||
|
- packet_destroy_all(1, 0);
|
||||||
|
+ packet_destroy_all(1, 1);
|
||||||
|
|
||||||
|
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
|
||||||
|
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
|
@ -0,0 +1,11 @@
|
|||||||
|
diff -up openssh-5.8p1/sshd.c.audit5a openssh-5.8p1/sshd.c
|
||||||
|
--- openssh-5.8p1/sshd.c.audit5a 2011-03-08 09:03:49.000000000 +0100
|
||||||
|
+++ openssh-5.8p1/sshd.c 2011-03-08 09:06:23.000000000 +0100
|
||||||
|
@@ -2085,6 +2085,7 @@ main(int ac, char **av)
|
||||||
|
|
||||||
|
/* The connection has been terminated. */
|
||||||
|
packet_destroy_all(1, 1);
|
||||||
|
+ destroy_sensitive_data(1);
|
||||||
|
|
||||||
|
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
|
||||||
|
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
|
@ -117,7 +117,7 @@ diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap openssh-5.8p1/HOWTO.ldap-keys
|
|||||||
+2) add appropriate schema
|
+2) add appropriate schema
|
||||||
+3) insert users into LDAP
|
+3) insert users into LDAP
|
||||||
+4) on the ssh side set in sshd_config
|
+4) on the ssh side set in sshd_config
|
||||||
+AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
|
+AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
|
||||||
+AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
|
+AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
|
||||||
+5) do not forget to set
|
+5) do not forget to set
|
||||||
+PubkeyAuthentication yes
|
+PubkeyAuthentication yes
|
||||||
@ -2262,7 +2262,7 @@ diff -up openssh-5.8p1/README.lpk.ldap openssh-5.8p1/README.lpk
|
|||||||
+
|
+
|
||||||
+ 2 tokens are added to sshd_config :
|
+ 2 tokens are added to sshd_config :
|
||||||
+ # here is the new patched ldap related tokens
|
+ # here is the new patched ldap related tokens
|
||||||
+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-helper -s %u
|
+ AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
|
||||||
+ AuthorizedKeysCommandRunAs nobody
|
+ AuthorizedKeysCommandRunAs nobody
|
||||||
+
|
+
|
||||||
+ The LDAP configuratin is read from common /etc/ldap.conf configuration file.
|
+ The LDAP configuratin is read from common /etc/ldap.conf configuration file.
|
||||||
|
@ -71,7 +71,7 @@
|
|||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%define openssh_ver 5.8p1
|
%define openssh_ver 5.8p1
|
||||||
%define openssh_rel 15
|
%define openssh_rel 16
|
||||||
%define pam_ssh_agent_ver 0.9.2
|
%define pam_ssh_agent_ver 0.9.2
|
||||||
%define pam_ssh_agent_rel 30
|
%define pam_ssh_agent_rel 30
|
||||||
|
|
||||||
@ -652,6 +652,9 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Mar 8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-16 + 0.9.2-30
|
||||||
|
- improve session keys audit
|
||||||
|
|
||||||
* Mon Mar 7 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-15 + 0.9.2-30
|
* Mon Mar 7 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-15 + 0.9.2-30
|
||||||
- CVE-2010-4755
|
- CVE-2010-4755
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user