290 lines
11 KiB
Diff
290 lines
11 KiB
Diff
|
diff -up openssh-5.2p1/configure.ac.vendor openssh-5.2p1/configure.ac
|
||
|
--- openssh-5.2p1/configure.ac.vendor 2009-03-10 03:51:54.862255585 +0100
|
||
|
+++ openssh-5.2p1/configure.ac 2009-03-10 03:51:55.850215090 +0100
|
||
|
@@ -3335,11 +3335,25 @@ AC_ARG_WITH(selinux,
|
||
|
AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
|
||
|
AC_MSG_ERROR(SELinux support requires libselinux library))
|
||
|
SSHDLIBS="$SSHDLIBS $LIBSELINUX"
|
||
|
+ LIBS="$LIBS $LIBSELINUX"
|
||
|
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
|
||
|
+ AC_CHECK_FUNCS(setkeycreatecon)
|
||
|
LIBS="$save_LIBS"
|
||
|
fi ]
|
||
|
)
|
||
|
|
||
|
+# Check whether user wants Linux audit support
|
||
|
+LINUX_AUDIT_MSG="no"
|
||
|
+AC_ARG_WITH(linux-audit,
|
||
|
+ [ --with-linux-audit Enable Linux audit support],
|
||
|
+ [ if test "x$withval" != "xno" ; then
|
||
|
+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
|
||
|
+ LINUX_AUDIT_MSG="yes"
|
||
|
+ AC_CHECK_HEADERS(libaudit.h)
|
||
|
+ SSHDLIBS="$SSHDLIBS -laudit"
|
||
|
+ fi ]
|
||
|
+)
|
||
|
+
|
||
|
# Check whether user wants Kerberos 5 support
|
||
|
KRB5_MSG="no"
|
||
|
AC_ARG_WITH(kerberos5,
|
||
|
@@ -3448,6 +3462,20 @@ AC_ARG_WITH(kerberos5,
|
||
|
]
|
||
|
)
|
||
|
|
||
|
+# Check whether user wants NSS support
|
||
|
+LIBNSS_MSG="no"
|
||
|
+AC_ARG_WITH(nss,
|
||
|
+ [ --with-nss Enable NSS support],
|
||
|
+ [ if test "x$withval" != "xno" ; then
|
||
|
+ AC_DEFINE(HAVE_LIBNSS,1,[Define if you want NSS support.])
|
||
|
+ LIBNSS_MSG="yes"
|
||
|
+ CPPFLAGS="$CPPFLAGS -I/usr/include/nss3 -I/usr/include/nspr4"
|
||
|
+ AC_CHECK_HEADERS(pk11pub.h)
|
||
|
+ LIBS="$LIBS -lnss3"
|
||
|
+ fi
|
||
|
+ ])
|
||
|
+AC_SUBST(LIBNSS)
|
||
|
+
|
||
|
# Looking for programs, paths and files
|
||
|
|
||
|
PRIVSEP_PATH=/var/empty
|
||
|
@@ -3916,6 +3944,12 @@ AC_ARG_WITH(lastlog,
|
||
|
fi
|
||
|
]
|
||
|
)
|
||
|
+AC_ARG_ENABLE(vendor-patchlevel,
|
||
|
+ [ --enable-vendor-patchlevel=TAG specify a vendor patch level],
|
||
|
+ [AC_DEFINE_UNQUOTED(SSH_VENDOR_PATCHLEVEL,[SSH_RELEASE "-" "$enableval"],[Define to your vendor patch level, if it has been modified from the upstream source release.])
|
||
|
+ SSH_VENDOR_PATCHLEVEL="$enableval"],
|
||
|
+ [AC_DEFINE(SSH_VENDOR_PATCHLEVEL,SSH_RELEASE,[Define to your vendor patch level, if it has been modified from the upstream source release.])
|
||
|
+ SSH_VENDOR_PATCHLEVEL=none])
|
||
|
|
||
|
dnl lastlog, [uw]tmpx? detection
|
||
|
dnl NOTE: set the paths in the platform section to avoid the
|
||
|
@@ -4162,16 +4196,19 @@ echo " PAM support
|
||
|
echo " OSF SIA support: $SIA_MSG"
|
||
|
echo " KerberosV support: $KRB5_MSG"
|
||
|
echo " SELinux support: $SELINUX_MSG"
|
||
|
+echo " Linux audit support: $LINUX_AUDIT_MSG"
|
||
|
echo " Smartcard support: $SCARD_MSG"
|
||
|
echo " S/KEY support: $SKEY_MSG"
|
||
|
echo " TCP Wrappers support: $TCPW_MSG"
|
||
|
echo " MD5 password support: $MD5_MSG"
|
||
|
echo " libedit support: $LIBEDIT_MSG"
|
||
|
echo " Solaris process contract support: $SPC_MSG"
|
||
|
+echo " NSS support: $LIBNSS_MSG"
|
||
|
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
|
||
|
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
||
|
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||
|
echo " Random number source: $RAND_MSG"
|
||
|
+echo " Vendor patch level: $SSH_VENDOR_PATCHLEVEL"
|
||
|
if test ! -z "$USE_RAND_HELPER" ; then
|
||
|
echo " ssh-rand-helper collects from: $RAND_HELPER_MSG"
|
||
|
fi
|
||
|
diff -up openssh-5.2p1/servconf.c.vendor openssh-5.2p1/servconf.c
|
||
|
--- openssh-5.2p1/servconf.c.vendor 2009-01-28 06:31:23.000000000 +0100
|
||
|
+++ openssh-5.2p1/servconf.c 2009-03-10 03:51:54.956273911 +0100
|
||
|
@@ -117,6 +117,7 @@ initialize_server_options(ServerOptions
|
||
|
options->max_authtries = -1;
|
||
|
options->max_sessions = -1;
|
||
|
options->banner = NULL;
|
||
|
+ options->show_patchlevel = -1;
|
||
|
options->use_dns = -1;
|
||
|
options->client_alive_interval = -1;
|
||
|
options->client_alive_count_max = -1;
|
||
|
@@ -262,6 +263,9 @@ fill_default_server_options(ServerOption
|
||
|
if (options->zero_knowledge_password_authentication == -1)
|
||
|
options->zero_knowledge_password_authentication = 0;
|
||
|
|
||
|
+ if (options->show_patchlevel == -1)
|
||
|
+ options->show_patchlevel = 0;
|
||
|
+
|
||
|
/* Turn privilege separation on by default */
|
||
|
if (use_privsep == -1)
|
||
|
use_privsep = 1;
|
||
|
@@ -299,7 +303,7 @@ typedef enum {
|
||
|
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
|
||
|
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
|
||
|
sMaxStartups, sMaxAuthTries, sMaxSessions,
|
||
|
- sBanner, sUseDNS, sHostbasedAuthentication,
|
||
|
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
|
||
|
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||
|
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
|
||
|
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
||
|
@@ -410,6 +414,7 @@ static struct {
|
||
|
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
|
||
|
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
|
||
|
{ "banner", sBanner, SSHCFG_ALL },
|
||
|
+ { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
|
||
|
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
|
||
|
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
|
||
|
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
|
||
|
@@ -1033,6 +1038,10 @@ process_server_config_line(ServerOptions
|
||
|
intptr = &use_privsep;
|
||
|
goto parse_flag;
|
||
|
|
||
|
+ case sShowPatchLevel:
|
||
|
+ intptr = &options->show_patchlevel;
|
||
|
+ goto parse_flag;
|
||
|
+
|
||
|
case sAllowUsers:
|
||
|
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||
|
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
||
|
@@ -1613,6 +1622,7 @@ dump_config(ServerOptions *o)
|
||
|
dump_cfg_fmtint(sUseLogin, o->use_login);
|
||
|
dump_cfg_fmtint(sCompression, o->compression);
|
||
|
dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
|
||
|
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
|
||
|
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||
|
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||
|
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||
|
diff -up openssh-5.2p1/servconf.h.vendor openssh-5.2p1/servconf.h
|
||
|
--- openssh-5.2p1/servconf.h.vendor 2009-01-28 06:31:23.000000000 +0100
|
||
|
+++ openssh-5.2p1/servconf.h 2009-03-10 03:51:54.933236643 +0100
|
||
|
@@ -128,6 +128,7 @@ typedef struct {
|
||
|
int max_authtries;
|
||
|
int max_sessions;
|
||
|
char *banner; /* SSH-2 banner message */
|
||
|
+ int show_patchlevel; /* Show vendor patch level to clients */
|
||
|
int use_dns;
|
||
|
int client_alive_interval; /*
|
||
|
* poke the client this often to
|
||
|
diff -up openssh-5.2p1/sshd_config.0.vendor openssh-5.2p1/sshd_config.0
|
||
|
--- openssh-5.2p1/sshd_config.0.vendor 2009-03-10 03:51:54.775230993 +0100
|
||
|
+++ openssh-5.2p1/sshd_config.0 2009-03-10 03:51:54.958364611 +0100
|
||
|
@@ -467,6 +467,11 @@ DESCRIPTION
|
||
|
Defines the number of bits in the ephemeral protocol version 1
|
||
|
server key. The minimum value is 512, and the default is 1024.
|
||
|
|
||
|
+ ShowPatchLevel
|
||
|
+ Specifies whether sshd will display the specific patch level of
|
||
|
+ the binary in the server identification string. The patch level
|
||
|
+ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^].
|
||
|
+
|
||
|
StrictModes
|
||
|
Specifies whether sshd(8) should check file modes and ownership
|
||
|
of the user's files and home directory before accepting login.
|
||
|
diff -up openssh-5.2p1/sshd_config.5.vendor openssh-5.2p1/sshd_config.5
|
||
|
--- openssh-5.2p1/sshd_config.5.vendor 2009-03-10 03:51:54.785628316 +0100
|
||
|
+++ openssh-5.2p1/sshd_config.5 2009-03-10 03:51:54.931352756 +0100
|
||
|
@@ -814,6 +814,14 @@ This option applies to protocol version
|
||
|
.It Cm ServerKeyBits
|
||
|
Defines the number of bits in the ephemeral protocol version 1 server key.
|
||
|
The minimum value is 512, and the default is 1024.
|
||
|
+.It Cm ShowPatchLevel
|
||
|
+Specifies whether
|
||
|
+.Nm sshd
|
||
|
+will display the patch level of the binary in the identification string.
|
||
|
+The patch level is set at compile-time.
|
||
|
+The default is
|
||
|
+.Dq no .
|
||
|
+This option applies to protocol version 1 only.
|
||
|
.It Cm StrictModes
|
||
|
Specifies whether
|
||
|
.Xr sshd 8
|
||
|
diff -up openssh-5.2p1/sshd_config.vendor openssh-5.2p1/sshd_config
|
||
|
--- openssh-5.2p1/sshd_config.vendor 2009-03-10 03:51:54.747256884 +0100
|
||
|
+++ openssh-5.2p1/sshd_config 2009-03-10 03:51:54.960221540 +0100
|
||
|
@@ -112,6 +112,7 @@ X11Forwarding yes
|
||
|
#Compression delayed
|
||
|
#ClientAliveInterval 0
|
||
|
#ClientAliveCountMax 3
|
||
|
+#ShowPatchLevel no
|
||
|
#UseDNS yes
|
||
|
#PidFile /var/run/sshd.pid
|
||
|
#MaxStartups 10
|
||
|
diff -up openssh-5.2p1/sshd.c.vendor openssh-5.2p1/sshd.c
|
||
|
--- openssh-5.2p1/sshd.c.vendor 2009-01-28 06:31:23.000000000 +0100
|
||
|
+++ openssh-5.2p1/sshd.c 2009-03-10 03:51:56.224238563 +0100
|
||
|
@@ -76,6 +76,8 @@
|
||
|
#include <openssl/bn.h>
|
||
|
#include <openssl/md5.h>
|
||
|
#include <openssl/rand.h>
|
||
|
+#include <openssl/fips.h>
|
||
|
+#include <fipscheck.h>
|
||
|
#include "openbsd-compat/openssl-compat.h"
|
||
|
|
||
|
#ifdef HAVE_SECUREWARE
|
||
|
@@ -415,7 +417,7 @@ sshd_exchange_identification(int sock_in
|
||
|
minor = PROTOCOL_MINOR_1;
|
||
|
}
|
||
|
snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
|
||
|
- SSH_VERSION, newline);
|
||
|
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
|
||
|
server_version_string = xstrdup(buf);
|
||
|
|
||
|
/* Send our protocol version identification. */
|
||
|
@@ -590,6 +592,10 @@ privsep_preauth_child(void)
|
||
|
/* Demote the private keys to public keys. */
|
||
|
demote_sensitive_data();
|
||
|
|
||
|
+ /* Open the syslog permanently so the chrooted process still
|
||
|
+ can write to syslog. */
|
||
|
+ open_log();
|
||
|
+
|
||
|
/* Change our root directory */
|
||
|
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
|
||
|
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
|
||
|
@@ -1256,6 +1262,12 @@ main(int ac, char **av)
|
||
|
(void)set_auth_parameters(ac, av);
|
||
|
#endif
|
||
|
__progname = ssh_get_progname(av[0]);
|
||
|
+
|
||
|
+ SSLeay_add_all_algorithms();
|
||
|
+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
|
||
|
+ fatal("FIPS integrity verification test failed.");
|
||
|
+ }
|
||
|
+
|
||
|
init_rng();
|
||
|
|
||
|
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
||
|
@@ -1408,8 +1420,6 @@ main(int ac, char **av)
|
||
|
else
|
||
|
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
|
||
|
|
||
|
- SSLeay_add_all_algorithms();
|
||
|
-
|
||
|
/*
|
||
|
* Force logging to stderr until we have loaded the private host
|
||
|
* key (unless started from inetd)
|
||
|
@@ -1483,7 +1493,8 @@ main(int ac, char **av)
|
||
|
exit(1);
|
||
|
}
|
||
|
|
||
|
- debug("sshd version %.100s", SSH_RELEASE);
|
||
|
+ debug("sshd version %.100s",
|
||
|
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
|
||
|
|
||
|
/* Store privilege separation user for later use if required. */
|
||
|
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
|
||
|
@@ -1894,6 +1905,9 @@ main(int ac, char **av)
|
||
|
restore_uid();
|
||
|
}
|
||
|
#endif
|
||
|
+#ifdef WITH_SELINUX
|
||
|
+ ssh_selinux_setup_exec_context(authctxt->pw->pw_name);
|
||
|
+#endif
|
||
|
#ifdef USE_PAM
|
||
|
if (options.use_pam) {
|
||
|
do_pam_setcred(1);
|
||
|
@@ -2174,6 +2188,9 @@ do_ssh2_kex(void)
|
||
|
if (options.ciphers != NULL) {
|
||
|
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||
|
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
|
||
|
+ } else if (FIPS_mode()) {
|
||
|
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||
|
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT;
|
||
|
}
|
||
|
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||
|
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
|
||
|
@@ -2183,6 +2200,9 @@ do_ssh2_kex(void)
|
||
|
if (options.macs != NULL) {
|
||
|
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||
|
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
||
|
+ } else if (FIPS_mode()) {
|
||
|
+ myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||
|
+ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC;
|
||
|
}
|
||
|
if (options.compression == COMP_NONE) {
|
||
|
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
|