- bump openssh version to 5.8p1
This commit is contained in:
Jan F
parent
fa335ee67e
commit
003cb0b27f
1
.gitignore
vendored
1
.gitignore
vendored
@ -2,3 +2,4 @@ openssh-5.5p1-noacss.tar.bz2
|
||||
pam_ssh_agent_auth-0.9.2.tar.bz2
|
||||
/openssh-5.6p1-noacss.tar.bz2
|
||||
/pam_ssh_agent_auth-0.9.2.tar.bz2
|
||||
/openssh-5.8p1-noacss.tar.bz2
|
||||
|
||||
@ -1,15 +0,0 @@
|
||||
--- openssh-4.3p2/scp.c.fromto-remote 2006-01-31 12:11:38.000000000 +0100
|
||||
+++ openssh-4.3p2/scp.c 2006-04-14 10:09:56.000000000 +0200
|
||||
@@ -446,7 +446,11 @@
|
||||
addargs(&alist, "-v");
|
||||
addargs(&alist, "-x");
|
||||
addargs(&alist, "-oClearAllForwardings yes");
|
||||
- addargs(&alist, "-n");
|
||||
+ if (isatty(fileno(stdin))) {
|
||||
+ addargs(&alist, "-t");
|
||||
+ } else {
|
||||
+ addargs(&alist, "-n");
|
||||
+ }
|
||||
|
||||
*src++ = 0;
|
||||
if (*src == 0)
|
||||
@ -1,25 +0,0 @@
|
||||
diff -up openssh-5.3p1/sshconnect2.c.canohost openssh-5.3p1/sshconnect2.c
|
||||
--- openssh-5.3p1/sshconnect2.c.canohost 2009-03-05 14:58:22.000000000 +0100
|
||||
+++ openssh-5.3p1/sshconnect2.c 2009-11-02 11:55:00.000000000 +0100
|
||||
@@ -542,6 +542,12 @@ userauth_gssapi(Authctxt *authctxt)
|
||||
static u_int mech = 0;
|
||||
OM_uint32 min;
|
||||
int ok = 0;
|
||||
+ char* remotehost = NULL;
|
||||
+ const char* canonicalhost = get_canonical_hostname(1);
|
||||
+ if ( strcmp( canonicalhost, "UNKNOWN" ) == 0 )
|
||||
+ remotehost = authctxt->host;
|
||||
+ else
|
||||
+ remotehost = canonicalhost;
|
||||
|
||||
/* Try one GSSAPI method at a time, rather than sending them all at
|
||||
* once. */
|
||||
@@ -554,7 +560,7 @@ userauth_gssapi(Authctxt *authctxt)
|
||||
/* My DER encoding requires length<128 */
|
||||
if (gss_supported->elements[mech].length < 128 &&
|
||||
ssh_gssapi_check_mechanism(&gssctxt,
|
||||
- &gss_supported->elements[mech], authctxt->host)) {
|
||||
+ &gss_supported->elements[mech], remotehost)) {
|
||||
ok = 1; /* Mechanism works */
|
||||
} else {
|
||||
mech++;
|
||||
@ -1,395 +0,0 @@
|
||||
diff -up openssh-5.4p1/auth1.c.selinux openssh-5.4p1/auth1.c
|
||||
--- openssh-5.4p1/auth1.c.selinux 2010-03-01 15:19:56.000000000 +0100
|
||||
+++ openssh-5.4p1/auth1.c 2010-03-01 15:19:57.000000000 +0100
|
||||
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
|
||||
{
|
||||
u_int ulen;
|
||||
char *user, *style = NULL;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ char *role=NULL;
|
||||
+#endif
|
||||
|
||||
/* Get the name of the user that we wish to log in as. */
|
||||
packet_read_expect(SSH_CMSG_USER);
|
||||
@@ -392,11 +395,25 @@ do_authentication(Authctxt *authctxt)
|
||||
user = packet_get_string(&ulen);
|
||||
packet_check_eom();
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if ((role = strchr(user, '/')) != NULL)
|
||||
+ *role++ = '\0';
|
||||
+#endif
|
||||
+
|
||||
if ((style = strchr(user, ':')) != NULL)
|
||||
*style++ = '\0';
|
||||
+#ifdef WITH_SELINUX
|
||||
+ else
|
||||
+ if (role && (style = strchr(role, ':')) != NULL)
|
||||
+ *style++ = '\0';
|
||||
+#endif
|
||||
+
|
||||
|
||||
authctxt->user = user;
|
||||
authctxt->style = style;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ authctxt->role = role;
|
||||
+#endif
|
||||
|
||||
/* Verify that the user is a valid user. */
|
||||
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
|
||||
diff -up openssh-5.4p1/auth2.c.selinux openssh-5.4p1/auth2.c
|
||||
--- openssh-5.4p1/auth2.c.selinux 2009-06-22 08:11:07.000000000 +0200
|
||||
+++ openssh-5.4p1/auth2.c 2010-03-01 15:19:57.000000000 +0100
|
||||
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
|
||||
Authctxt *authctxt = ctxt;
|
||||
Authmethod *m = NULL;
|
||||
char *user, *service, *method, *style = NULL;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ char *role = NULL;
|
||||
+#endif
|
||||
int authenticated = 0;
|
||||
|
||||
if (authctxt == NULL)
|
||||
@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32
|
||||
debug("userauth-request for user %s service %s method %s", user, service, method);
|
||||
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if ((role = strchr(user, '/')) != NULL)
|
||||
+ *role++ = 0;
|
||||
+#endif
|
||||
+
|
||||
if ((style = strchr(user, ':')) != NULL)
|
||||
*style++ = 0;
|
||||
|
||||
@@ -252,8 +260,15 @@ input_userauth_request(int type, u_int32
|
||||
use_privsep ? " [net]" : "");
|
||||
authctxt->service = xstrdup(service);
|
||||
authctxt->style = style ? xstrdup(style) : NULL;
|
||||
- if (use_privsep)
|
||||
+#ifdef WITH_SELINUX
|
||||
+ authctxt->role = role ? xstrdup(role) : NULL;
|
||||
+#endif
|
||||
+ if (use_privsep) {
|
||||
mm_inform_authserv(service, style);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ mm_inform_authrole(role);
|
||||
+#endif
|
||||
+ }
|
||||
userauth_banner();
|
||||
} else if (strcmp(user, authctxt->user) != 0 ||
|
||||
strcmp(service, authctxt->service) != 0) {
|
||||
diff -up openssh-5.4p1/auth2-gss.c.selinux openssh-5.4p1/auth2-gss.c
|
||||
--- openssh-5.4p1/auth2-gss.c.selinux 2007-12-02 12:59:45.000000000 +0100
|
||||
+++ openssh-5.4p1/auth2-gss.c 2010-03-01 15:19:57.000000000 +0100
|
||||
@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
Authctxt *authctxt = ctxt;
|
||||
Gssctxt *gssctxt;
|
||||
int authenticated = 0;
|
||||
+ char *micuser;
|
||||
Buffer b;
|
||||
gss_buffer_desc mic, gssbuf;
|
||||
u_int len;
|
||||
@@ -270,7 +271,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
mic.value = packet_get_string(&len);
|
||||
mic.length = len;
|
||||
|
||||
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role && (strlen(authctxt->role) > 0))
|
||||
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
|
||||
+ else
|
||||
+#endif
|
||||
+ micuser = authctxt->user;
|
||||
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
|
||||
"gssapi-with-mic");
|
||||
|
||||
gssbuf.value = buffer_ptr(&b);
|
||||
@@ -282,6 +289,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
logit("GSSAPI MIC check failed");
|
||||
|
||||
buffer_free(&b);
|
||||
+ if (micuser != authctxt->user)
|
||||
+ xfree(micuser);
|
||||
xfree(mic.value);
|
||||
|
||||
authctxt->postponed = 0;
|
||||
diff -up openssh-5.4p1/auth2-hostbased.c.selinux openssh-5.4p1/auth2-hostbased.c
|
||||
--- openssh-5.4p1/auth2-hostbased.c.selinux 2008-07-17 10:57:19.000000000 +0200
|
||||
+++ openssh-5.4p1/auth2-hostbased.c 2010-03-01 15:19:57.000000000 +0100
|
||||
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
buffer_put_string(&b, session_id2, session_id2_len);
|
||||
/* reconstruct packet */
|
||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||
- buffer_put_cstring(&b, authctxt->user);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role) {
|
||||
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
|
||||
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
|
||||
+ buffer_put_char(&b, '/');
|
||||
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
|
||||
+ } else
|
||||
+#endif
|
||||
+ buffer_put_cstring(&b, authctxt->user);
|
||||
buffer_put_cstring(&b, service);
|
||||
buffer_put_cstring(&b, "hostbased");
|
||||
buffer_put_string(&b, pkalg, alen);
|
||||
diff -up openssh-5.4p1/auth2-pubkey.c.selinux openssh-5.4p1/auth2-pubkey.c
|
||||
--- openssh-5.4p1/auth2-pubkey.c.selinux 2010-02-26 21:55:05.000000000 +0100
|
||||
+++ openssh-5.4p1/auth2-pubkey.c 2010-03-01 15:19:57.000000000 +0100
|
||||
@@ -119,7 +119,15 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
}
|
||||
/* reconstruct packet */
|
||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||
- buffer_put_cstring(&b, authctxt->user);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role) {
|
||||
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
|
||||
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
|
||||
+ buffer_put_char(&b, '/');
|
||||
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
|
||||
+ } else
|
||||
+#endif
|
||||
+ buffer_put_cstring(&b, authctxt->user);
|
||||
buffer_put_cstring(&b,
|
||||
datafellows & SSH_BUG_PKSERVICE ?
|
||||
"ssh-userauth" :
|
||||
diff -up openssh-5.4p1/auth.h.selinux openssh-5.4p1/auth.h
|
||||
--- openssh-5.4p1/auth.h.selinux 2010-02-26 21:55:05.000000000 +0100
|
||||
+++ openssh-5.4p1/auth.h 2010-03-01 15:19:57.000000000 +0100
|
||||
@@ -58,6 +58,9 @@ struct Authctxt {
|
||||
char *service;
|
||||
struct passwd *pw; /* set if 'valid' */
|
||||
char *style;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ char *role;
|
||||
+#endif
|
||||
void *kbdintctxt;
|
||||
void *jpake_ctx;
|
||||
#ifdef BSD_AUTH
|
||||
diff -up openssh-5.4p1/configure.ac.selinux openssh-5.4p1/configure.ac
|
||||
--- openssh-5.4p1/configure.ac.selinux 2010-03-01 15:19:57.000000000 +0100
|
||||
+++ openssh-5.4p1/configure.ac 2010-03-01 15:21:12.000000000 +0100
|
||||
@@ -3358,6 +3358,7 @@ AC_ARG_WITH(selinux,
|
||||
],
|
||||
AC_MSG_ERROR(SELinux support requires libselinux library))
|
||||
SSHDLIBS="$SSHDLIBS $LIBSELINUX"
|
||||
+ LIBS="$LIBS $LIBSELINUX"
|
||||
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
|
||||
LIBS="$save_LIBS"
|
||||
fi ]
|
||||
diff -up openssh-5.4p1/monitor.c.selinux openssh-5.4p1/monitor.c
|
||||
--- openssh-5.4p1/monitor.c.selinux 2010-02-26 21:55:05.000000000 +0100
|
||||
+++ openssh-5.4p1/monitor.c 2010-03-01 15:19:57.000000000 +0100
|
||||
@@ -137,6 +137,9 @@ int mm_answer_sign(int, Buffer *);
|
||||
int mm_answer_pwnamallow(int, Buffer *);
|
||||
int mm_answer_auth2_read_banner(int, Buffer *);
|
||||
int mm_answer_authserv(int, Buffer *);
|
||||
+#ifdef WITH_SELINUX
|
||||
+int mm_answer_authrole(int, Buffer *);
|
||||
+#endif
|
||||
int mm_answer_authpassword(int, Buffer *);
|
||||
int mm_answer_bsdauthquery(int, Buffer *);
|
||||
int mm_answer_bsdauthrespond(int, Buffer *);
|
||||
@@ -213,6 +216,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||
+#ifdef WITH_SELINUX
|
||||
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
|
||||
+#endif
|
||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||
#ifdef USE_PAM
|
||||
@@ -682,6 +688,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
|
||||
else {
|
||||
/* Allow service/style information on the auth context */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
|
||||
+#endif
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||
}
|
||||
|
||||
@@ -726,6 +735,25 @@ mm_answer_authserv(int sock, Buffer *m)
|
||||
return (0);
|
||||
}
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+int
|
||||
+mm_answer_authrole(int sock, Buffer *m)
|
||||
+{
|
||||
+ monitor_permit_authentications(1);
|
||||
+
|
||||
+ authctxt->role = buffer_get_string(m, NULL);
|
||||
+ debug3("%s: role=%s",
|
||||
+ __func__, authctxt->role);
|
||||
+
|
||||
+ if (strlen(authctxt->role) == 0) {
|
||||
+ xfree(authctxt->role);
|
||||
+ authctxt->role = NULL;
|
||||
+ }
|
||||
+
|
||||
+ return (0);
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
int
|
||||
mm_answer_authpassword(int sock, Buffer *m)
|
||||
{
|
||||
@@ -1104,7 +1132,7 @@ static int
|
||||
monitor_valid_userblob(u_char *data, u_int datalen)
|
||||
{
|
||||
Buffer b;
|
||||
- char *p;
|
||||
+ char *p, *r;
|
||||
u_int len;
|
||||
int fail = 0;
|
||||
|
||||
@@ -1130,6 +1158,8 @@ monitor_valid_userblob(u_char *data, u_i
|
||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||
fail++;
|
||||
p = buffer_get_string(&b, NULL);
|
||||
+ if ((r = strchr(p, '/')) != NULL)
|
||||
+ *r = '\0';
|
||||
if (strcmp(authctxt->user, p) != 0) {
|
||||
logit("wrong user name passed to monitor: expected %s != %.100s",
|
||||
authctxt->user, p);
|
||||
@@ -1161,7 +1191,7 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
char *chost)
|
||||
{
|
||||
Buffer b;
|
||||
- char *p;
|
||||
+ char *p, *r;
|
||||
u_int len;
|
||||
int fail = 0;
|
||||
|
||||
@@ -1178,6 +1208,8 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||
fail++;
|
||||
p = buffer_get_string(&b, NULL);
|
||||
+ if ((r = strchr(p, '/')) != NULL)
|
||||
+ *r = '\0';
|
||||
if (strcmp(authctxt->user, p) != 0) {
|
||||
logit("wrong user name passed to monitor: expected %s != %.100s",
|
||||
authctxt->user, p);
|
||||
diff -up openssh-5.4p1/monitor.h.selinux openssh-5.4p1/monitor.h
|
||||
--- openssh-5.4p1/monitor.h.selinux 2008-11-05 06:20:46.000000000 +0100
|
||||
+++ openssh-5.4p1/monitor.h 2010-03-01 15:19:57.000000000 +0100
|
||||
@@ -31,6 +31,9 @@
|
||||
enum monitor_reqtype {
|
||||
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
|
||||
MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
|
||||
+#ifdef WITH_SELINUX
|
||||
+ MONITOR_REQ_AUTHROLE,
|
||||
+#endif
|
||||
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
|
||||
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
|
||||
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
|
||||
diff -up openssh-5.4p1/monitor_wrap.c.selinux openssh-5.4p1/monitor_wrap.c
|
||||
--- openssh-5.4p1/monitor_wrap.c.selinux 2009-06-22 08:11:07.000000000 +0200
|
||||
+++ openssh-5.4p1/monitor_wrap.c 2010-03-01 15:19:57.000000000 +0100
|
||||
@@ -297,6 +297,25 @@ mm_inform_authserv(char *service, char *
|
||||
buffer_free(&m);
|
||||
}
|
||||
|
||||
+/* Inform the privileged process about role */
|
||||
+
|
||||
+#ifdef WITH_SELINUX
|
||||
+void
|
||||
+mm_inform_authrole(char *role)
|
||||
+{
|
||||
+ Buffer m;
|
||||
+
|
||||
+ debug3("%s entering", __func__);
|
||||
+
|
||||
+ buffer_init(&m);
|
||||
+ buffer_put_cstring(&m, role ? role : "");
|
||||
+
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
|
||||
+
|
||||
+ buffer_free(&m);
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
/* Do the password authentication */
|
||||
int
|
||||
mm_auth_password(Authctxt *authctxt, char *password)
|
||||
diff -up openssh-5.4p1/monitor_wrap.h.selinux openssh-5.4p1/monitor_wrap.h
|
||||
--- openssh-5.4p1/monitor_wrap.h.selinux 2009-03-05 14:58:22.000000000 +0100
|
||||
+++ openssh-5.4p1/monitor_wrap.h 2010-03-01 15:19:57.000000000 +0100
|
||||
@@ -41,6 +41,9 @@ int mm_is_monitor(void);
|
||||
DH *mm_choose_dh(int, int, int);
|
||||
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
|
||||
void mm_inform_authserv(char *, char *);
|
||||
+#ifdef WITH_SELINUX
|
||||
+void mm_inform_authrole(char *);
|
||||
+#endif
|
||||
struct passwd *mm_getpwnamallow(const char *);
|
||||
char *mm_auth2_read_banner(void);
|
||||
int mm_auth_password(struct Authctxt *, char *);
|
||||
diff -up openssh-5.4p1/openbsd-compat/port-linux.c.selinux openssh-5.4p1/openbsd-compat/port-linux.c
|
||||
--- openssh-5.4p1/openbsd-compat/port-linux.c.selinux 2010-03-01 05:52:50.000000000 +0100
|
||||
+++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:22:19.000000000 +0100
|
||||
@@ -32,12 +32,17 @@
|
||||
#include "log.h"
|
||||
#include "xmalloc.h"
|
||||
#include "port-linux.h"
|
||||
+#include "key.h"
|
||||
+#include "hostfile.h"
|
||||
+#include "auth.h"
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
#include <selinux/selinux.h>
|
||||
#include <selinux/flask.h>
|
||||
#include <selinux/get_context_list.h>
|
||||
|
||||
+extern Authctxt *the_authctxt;
|
||||
+
|
||||
/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||
int
|
||||
ssh_selinux_enabled(void)
|
||||
@@ -56,23 +61,36 @@ ssh_selinux_enabled(void)
|
||||
static security_context_t
|
||||
ssh_selinux_getctxbyname(char *pwname)
|
||||
{
|
||||
- security_context_t sc;
|
||||
- char *sename = NULL, *lvl = NULL;
|
||||
- int r;
|
||||
+ security_context_t sc = NULL;
|
||||
+ char *sename, *lvl;
|
||||
+ char *role = NULL;
|
||||
+ int r = 0;
|
||||
|
||||
+ if (the_authctxt)
|
||||
+ role=the_authctxt->role;
|
||||
#ifdef HAVE_GETSEUSERBYNAME
|
||||
- if (getseuserbyname(pwname, &sename, &lvl) != 0)
|
||||
- return NULL;
|
||||
+ if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
|
||||
+ sename = NULL;
|
||||
+ lvl = NULL;
|
||||
+ }
|
||||
#else
|
||||
sename = pwname;
|
||||
lvl = NULL;
|
||||
#endif
|
||||
|
||||
+ if (r == 0) {
|
||||
#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
|
||||
- r = get_default_context_with_level(sename, lvl, NULL, &sc);
|
||||
+ if (role != NULL && role[0])
|
||||
+ r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc);
|
||||
+ else
|
||||
+ r = get_default_context_with_level(sename, lvl, NULL, &sc);
|
||||
#else
|
||||
- r = get_default_context(sename, NULL, &sc);
|
||||
+ if (role != NULL && role[0])
|
||||
+ r = get_default_context_with_role(sename, role, NULL, &sc);
|
||||
+ else
|
||||
+ r = get_default_context(sename, NULL, &sc);
|
||||
#endif
|
||||
+ }
|
||||
|
||||
if (r != 0) {
|
||||
switch (security_getenforce()) {
|
||||
@ -1,276 +0,0 @@
|
||||
diff -up openssh-5.6p1/audit-bsm.c.audit openssh-5.6p1/audit-bsm.c
|
||||
--- openssh-5.6p1/audit-bsm.c.audit 2008-02-25 11:05:04.000000000 +0100
|
||||
+++ openssh-5.6p1/audit-bsm.c 2010-10-20 09:15:47.000000000 +0200
|
||||
@@ -305,13 +305,13 @@ audit_run_command(const char *command)
|
||||
}
|
||||
|
||||
void
|
||||
-audit_session_open(const char *ttyn)
|
||||
+audit_session_open(struct logininfo *li)
|
||||
{
|
||||
/* not implemented */
|
||||
}
|
||||
|
||||
void
|
||||
-audit_session_close(const char *ttyn)
|
||||
+audit_session_close(struct logininfo *li)
|
||||
{
|
||||
/* not implemented */
|
||||
}
|
||||
diff -up openssh-5.6p1/audit.c.audit openssh-5.6p1/audit.c
|
||||
--- openssh-5.6p1/audit.c.audit 2006-09-01 07:38:36.000000000 +0200
|
||||
+++ openssh-5.6p1/audit.c 2010-10-20 09:15:47.000000000 +0200
|
||||
@@ -147,9 +147,9 @@ audit_event(ssh_audit_event_t event)
|
||||
* within a single connection.
|
||||
*/
|
||||
void
|
||||
-audit_session_open(const char *ttyn)
|
||||
+audit_session_open(struct logininfo *li)
|
||||
{
|
||||
- const char *t = ttyn ? ttyn : "(no tty)";
|
||||
+ const char *t = li->line ? li->line : "(no tty)";
|
||||
|
||||
debug("audit session open euid %d user %s tty name %s", geteuid(),
|
||||
audit_username(), t);
|
||||
@@ -163,9 +163,9 @@ audit_session_open(const char *ttyn)
|
||||
* within a single connection.
|
||||
*/
|
||||
void
|
||||
-audit_session_close(const char *ttyn)
|
||||
+audit_session_close(struct logininfo *li)
|
||||
{
|
||||
- const char *t = ttyn ? ttyn : "(no tty)";
|
||||
+ const char *t = li->line ? li->line : "(no tty)";
|
||||
|
||||
debug("audit session close euid %d user %s tty name %s", geteuid(),
|
||||
audit_username(), t);
|
||||
diff -up openssh-5.6p1/audit.h.audit openssh-5.6p1/audit.h
|
||||
--- openssh-5.6p1/audit.h.audit 2006-08-05 16:05:10.000000000 +0200
|
||||
+++ openssh-5.6p1/audit.h 2010-10-20 09:15:47.000000000 +0200
|
||||
@@ -26,6 +26,9 @@
|
||||
|
||||
#ifndef _SSH_AUDIT_H
|
||||
# define _SSH_AUDIT_H
|
||||
+
|
||||
+#include "loginrec.h"
|
||||
+
|
||||
enum ssh_audit_event_type {
|
||||
SSH_LOGIN_EXCEED_MAXTRIES,
|
||||
SSH_LOGIN_ROOT_DENIED,
|
||||
@@ -46,8 +49,8 @@ typedef enum ssh_audit_event_type ssh_au
|
||||
|
||||
void audit_connection_from(const char *, int);
|
||||
void audit_event(ssh_audit_event_t);
|
||||
-void audit_session_open(const char *);
|
||||
-void audit_session_close(const char *);
|
||||
+void audit_session_open(struct logininfo *);
|
||||
+void audit_session_close(struct logininfo *);
|
||||
void audit_run_command(const char *);
|
||||
ssh_audit_event_t audit_classify_auth(const char *);
|
||||
|
||||
diff -up openssh-5.6p1/audit-linux.c.audit openssh-5.6p1/audit-linux.c
|
||||
--- openssh-5.6p1/audit-linux.c.audit 2010-10-20 09:15:47.000000000 +0200
|
||||
+++ openssh-5.6p1/audit-linux.c 2010-10-20 09:15:47.000000000 +0200
|
||||
@@ -0,0 +1,120 @@
|
||||
+/* $Id: audit-linux.c,v 1.1 jfch Exp $ */
|
||||
+
|
||||
+/*
|
||||
+ * Copyright 2010 Red Hat, Inc. All rights reserved.
|
||||
+ * Use is subject to license terms.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ *
|
||||
+ * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
|
||||
+ */
|
||||
+
|
||||
+#include "includes.h"
|
||||
+#if defined(USE_LINUX_AUDIT)
|
||||
+#include <libaudit.h>
|
||||
+#include <unistd.h>
|
||||
+#include <string.h>
|
||||
+
|
||||
+#include "log.h"
|
||||
+#include "audit.h"
|
||||
+#include "canohost.h"
|
||||
+
|
||||
+const char* audit_username(void);
|
||||
+
|
||||
+int
|
||||
+linux_audit_record_event(int uid, const char *username,
|
||||
+ const char *hostname, const char *ip, const char *ttyn, int success)
|
||||
+{
|
||||
+ int audit_fd, rc, saved_errno;
|
||||
+
|
||||
+ audit_fd = audit_open();
|
||||
+ if (audit_fd < 0) {
|
||||
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
|
||||
+ errno == EAFNOSUPPORT)
|
||||
+ return 1; /* No audit support in kernel */
|
||||
+ else
|
||||
+ return 0; /* Must prevent login */
|
||||
+ }
|
||||
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
|
||||
+ NULL, "login", username ? username : "(unknown)",
|
||||
+ username == NULL ? uid : -1, hostname, ip, ttyn, success);
|
||||
+ saved_errno = errno;
|
||||
+ close(audit_fd);
|
||||
+ errno = saved_errno;
|
||||
+ return (rc >= 0);
|
||||
+}
|
||||
+
|
||||
+/* Below is the sshd audit API code */
|
||||
+
|
||||
+void
|
||||
+audit_connection_from(const char *host, int port)
|
||||
+{
|
||||
+}
|
||||
+ /* not implemented */
|
||||
+
|
||||
+void
|
||||
+audit_run_command(const char *command)
|
||||
+{
|
||||
+ /* not implemented */
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+audit_session_open(struct logininfo *li)
|
||||
+{
|
||||
+ if (linux_audit_record_event(li->uid, NULL, li->hostname,
|
||||
+ NULL, li->line, 1) == 0)
|
||||
+ fatal("linux_audit_write_entry failed: %s", strerror(errno));
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+audit_session_close(struct logininfo *li)
|
||||
+{
|
||||
+ /* not implemented */
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+audit_event(ssh_audit_event_t event)
|
||||
+{
|
||||
+ switch(event) {
|
||||
+ case SSH_AUTH_SUCCESS:
|
||||
+ case SSH_CONNECTION_CLOSE:
|
||||
+ case SSH_NOLOGIN:
|
||||
+ case SSH_LOGIN_EXCEED_MAXTRIES:
|
||||
+ case SSH_LOGIN_ROOT_DENIED:
|
||||
+ break;
|
||||
+
|
||||
+ case SSH_AUTH_FAIL_NONE:
|
||||
+ case SSH_AUTH_FAIL_PASSWD:
|
||||
+ case SSH_AUTH_FAIL_KBDINT:
|
||||
+ case SSH_AUTH_FAIL_PUBKEY:
|
||||
+ case SSH_AUTH_FAIL_HOSTBASED:
|
||||
+ case SSH_AUTH_FAIL_GSSAPI:
|
||||
+ case SSH_INVALID_USER:
|
||||
+ linux_audit_record_event(-1, audit_username(), NULL,
|
||||
+ get_remote_ipaddr(), "sshd", 0);
|
||||
+ break;
|
||||
+
|
||||
+ default:
|
||||
+ debug("%s: unhandled event %d", __func__, event);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+#endif /* USE_LINUX_AUDIT */
|
||||
diff -up openssh-5.6p1/configure.ac.audit openssh-5.6p1/configure.ac
|
||||
--- openssh-5.6p1/configure.ac.audit 2010-08-16 05:15:23.000000000 +0200
|
||||
+++ openssh-5.6p1/configure.ac 2010-10-20 09:15:47.000000000 +0200
|
||||
@@ -1308,7 +1308,7 @@ int main(void)
|
||||
|
||||
AUDIT_MODULE=none
|
||||
AC_ARG_WITH(audit,
|
||||
- [ --with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm)],
|
||||
+ [ --with-audit=module Enable audit support (modules=debug,bsm,linux)],
|
||||
[
|
||||
AC_MSG_CHECKING(for supported audit module)
|
||||
case "$withval" in
|
||||
@@ -1332,10 +1332,18 @@ AC_ARG_WITH(audit,
|
||||
AC_CHECK_FUNCS(getaudit_addr aug_get_machine)
|
||||
AC_DEFINE(USE_BSM_AUDIT, 1, [Use BSM audit module])
|
||||
;;
|
||||
+ linux)
|
||||
+ AC_MSG_RESULT(linux)
|
||||
+ AUDIT_MODULE=linux
|
||||
+ dnl Checks for headers, libs and functions
|
||||
+ AC_CHECK_HEADERS(libaudit.h)
|
||||
+ SSHDLIBS="$SSHDLIBS -laudit"
|
||||
+ AC_DEFINE(USE_LINUX_AUDIT, 1, [Use Linux audit module])
|
||||
+ ;;
|
||||
debug)
|
||||
AUDIT_MODULE=debug
|
||||
AC_MSG_RESULT(debug)
|
||||
- AC_DEFINE(SSH_AUDIT_EVENTS, 1, Use audit debugging module)
|
||||
+ AC_DEFINE(SSH_AUDIT_EVENTS, 1, [Use audit debugging module])
|
||||
;;
|
||||
no)
|
||||
AC_MSG_RESULT(no)
|
||||
diff -up openssh-5.6p1/defines.h.audit openssh-5.6p1/defines.h
|
||||
--- openssh-5.6p1/defines.h.audit 2010-04-09 10:13:27.000000000 +0200
|
||||
+++ openssh-5.6p1/defines.h 2010-10-20 09:15:47.000000000 +0200
|
||||
@@ -566,6 +566,11 @@ struct winsize {
|
||||
# define CUSTOM_SSH_AUDIT_EVENTS
|
||||
#endif
|
||||
|
||||
+#ifdef USE_LINUX_AUDIT
|
||||
+# define SSH_AUDIT_EVENTS
|
||||
+# define CUSTOM_SSH_AUDIT_EVENTS
|
||||
+#endif
|
||||
+
|
||||
#if !defined(HAVE___func__) && defined(HAVE___FUNCTION__)
|
||||
# define __func__ __FUNCTION__
|
||||
#elif !defined(HAVE___func__)
|
||||
diff -up openssh-5.6p1/loginrec.c.audit openssh-5.6p1/loginrec.c
|
||||
--- openssh-5.6p1/loginrec.c.audit 2010-04-09 10:13:27.000000000 +0200
|
||||
+++ openssh-5.6p1/loginrec.c 2010-10-20 09:15:47.000000000 +0200
|
||||
@@ -468,9 +468,9 @@ login_write(struct logininfo *li)
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
if (li->type == LTYPE_LOGIN)
|
||||
- audit_session_open(li->line);
|
||||
+ audit_session_open(li);
|
||||
else if (li->type == LTYPE_LOGOUT)
|
||||
- audit_session_close(li->line);
|
||||
+ audit_session_close(li);
|
||||
#endif
|
||||
return (0);
|
||||
}
|
||||
diff -up openssh-5.6p1/Makefile.in.audit openssh-5.6p1/Makefile.in
|
||||
--- openssh-5.6p1/Makefile.in.audit 2010-05-12 08:51:39.000000000 +0200
|
||||
+++ openssh-5.6p1/Makefile.in 2010-10-20 09:15:47.000000000 +0200
|
||||
@@ -81,6 +81,7 @@ SSHOBJS= ssh.o readconf.o clientloop.o s
|
||||
roaming_common.o roaming_client.o
|
||||
|
||||
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
|
||||
+ audit.o audit-bsm.o audit-linux.o platform.o \
|
||||
sshpty.o sshlogin.o servconf.o serverloop.o \
|
||||
auth.o auth1.o auth2.o auth-options.o session.o \
|
||||
auth-chall.o auth2-chall.o groupaccess.o \
|
||||
@@ -90,7 +91,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||
auth-krb5.o \
|
||||
auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
||||
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
||||
- audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
|
||||
+ sftp-server.o sftp-common.o \
|
||||
roaming_common.o roaming_serv.o
|
||||
|
||||
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
|
||||
@ -1,13 +0,0 @@
|
||||
diff -up openssh-5.6p1/audit-linux.c.audit1a openssh-5.6p1/audit-linux.c
|
||||
--- openssh-5.6p1/audit-linux.c.audit1a 2010-12-10 21:47:03.000000000 +0100
|
||||
+++ openssh-5.6p1/audit-linux.c 2010-12-10 21:50:31.000000000 +0100
|
||||
@@ -59,7 +59,8 @@ linux_audit_record_event(int uid, const
|
||||
saved_errno = errno;
|
||||
close(audit_fd);
|
||||
errno = saved_errno;
|
||||
- return (rc >= 0);
|
||||
+ /* do not report error if the error is EPERM and sshd is run as non root user */
|
||||
+ return (rc >= 0) || ((rc == -EPERM) && (getuid() != 0));
|
||||
}
|
||||
|
||||
/* Below is the sshd audit API code */
|
||||
@ -1,236 +0,0 @@
|
||||
diff -up openssh-5.6p1/audit-bsm.c.audit4 openssh-5.6p1/audit-bsm.c
|
||||
--- openssh-5.6p1/audit-bsm.c.audit4 2011-01-12 14:01:50.000000000 +0100
|
||||
+++ openssh-5.6p1/audit-bsm.c 2011-01-12 14:01:51.000000000 +0100
|
||||
@@ -395,4 +395,10 @@ audit_kex_body(int ctos, char *enc, char
|
||||
{
|
||||
/* not implemented */
|
||||
}
|
||||
+
|
||||
+void
|
||||
+audit_session_key_free_body(int ctos)
|
||||
+{
|
||||
+ /* not implemented */
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff -up openssh-5.6p1/audit.c.audit4 openssh-5.6p1/audit.c
|
||||
--- openssh-5.6p1/audit.c.audit4 2011-01-12 14:01:50.000000000 +0100
|
||||
+++ openssh-5.6p1/audit.c 2011-01-12 14:01:51.000000000 +0100
|
||||
@@ -152,6 +152,12 @@ audit_kex(int ctos, char *enc, char *mac
|
||||
PRIVSEP(audit_kex_body(ctos, enc, mac, comp));
|
||||
}
|
||||
|
||||
+void
|
||||
+audit_session_key_free(int ctos)
|
||||
+{
|
||||
+ PRIVSEP(audit_session_key_free_body(ctos));
|
||||
+}
|
||||
+
|
||||
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
||||
/*
|
||||
* Null implementations of audit functions.
|
||||
@@ -254,5 +260,13 @@ audit_kex_body(int ctos, char *enc, char
|
||||
debug("audit procol negotiation euid %d direction %d cipher %s mac %s compresion %s",
|
||||
geteuid(), ctos, enc, mac, compress);
|
||||
}
|
||||
+
|
||||
+/*
|
||||
+ * This will be called on succesfull session key discard
|
||||
+ */
|
||||
+audit_session_key_free_body(int ctos)
|
||||
+{
|
||||
+ debug("audit session key discard euid %d direction %d", geteuid(), ctos);
|
||||
+}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.6p1/audit.h.audit4 openssh-5.6p1/audit.h
|
||||
--- openssh-5.6p1/audit.h.audit4 2011-01-12 14:01:50.000000000 +0100
|
||||
+++ openssh-5.6p1/audit.h 2011-01-12 14:01:51.000000000 +0100
|
||||
@@ -60,5 +60,7 @@ void audit_unsupported(int);
|
||||
void audit_kex(int, char *, char *, char *);
|
||||
void audit_unsupported_body(int);
|
||||
void audit_kex_body(int, char *, char *, char *);
|
||||
+void audit_session_key_free(int ctos);
|
||||
+void audit_session_key_free_body(int ctos);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.6p1/audit-linux.c.audit4 openssh-5.6p1/audit-linux.c
|
||||
--- openssh-5.6p1/audit-linux.c.audit4 2011-01-12 14:01:50.000000000 +0100
|
||||
+++ openssh-5.6p1/audit-linux.c 2011-01-12 14:04:15.000000000 +0100
|
||||
@@ -174,13 +174,14 @@ audit_unsupported_body(int what)
|
||||
#endif
|
||||
}
|
||||
|
||||
+const static char *direction[] = { "from-server", "from-client", "both" };
|
||||
+
|
||||
void
|
||||
audit_kex_body(int ctos, char *enc, char *mac, char *compress)
|
||||
{
|
||||
#ifdef AUDIT_CRYPTO_SESSION
|
||||
char buf[AUDIT_LOG_SIZE];
|
||||
int audit_fd, audit_ok;
|
||||
- const static char *direction[] = { "from-server", "from-client", "both" };
|
||||
Cipher *cipher = cipher_by_name(enc);
|
||||
|
||||
snprintf(buf, sizeof(buf), "start direction=%s cipher=%s, ksize=%d rport=%d laddr=%s lport=%d",
|
||||
@@ -203,4 +204,26 @@ audit_kex_body(int ctos, char *enc, char
|
||||
#endif
|
||||
}
|
||||
|
||||
+void
|
||||
+audit_session_key_free_body(int ctos)
|
||||
+{
|
||||
+ char buf[AUDIT_LOG_SIZE];
|
||||
+ int audit_fd, audit_ok;
|
||||
+
|
||||
+ snprintf(buf, sizeof(buf), "destroy kind=session direction=%s", direction[ctos]);
|
||||
+ audit_fd = audit_open();
|
||||
+ if (audit_fd < 0) {
|
||||
+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
|
||||
+ errno != EAFNOSUPPORT)
|
||||
+ error("cannot open audit");
|
||||
+ return;
|
||||
+ }
|
||||
+ audit_ok = audit_log_acct_message(audit_fd, AUDIT_CRYPTO_KEY_USER, NULL,
|
||||
+ buf, NULL, -1, NULL, get_remote_ipaddr(), NULL, 1);
|
||||
+ audit_close(audit_fd);
|
||||
+ /* do not abort if the error is EPERM and sshd is run as non root user */
|
||||
+ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
|
||||
+ error("cannot write into audit");
|
||||
+}
|
||||
+
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff -up openssh-5.6p1/auditstub.c.audit4 openssh-5.6p1/auditstub.c
|
||||
--- openssh-5.6p1/auditstub.c.audit4 2011-01-12 14:01:50.000000000 +0100
|
||||
+++ openssh-5.6p1/auditstub.c 2011-01-12 14:01:51.000000000 +0100
|
||||
@@ -37,3 +37,7 @@ audit_kex(int ctos, char *enc, char *mac
|
||||
{
|
||||
}
|
||||
|
||||
+void
|
||||
+audit_session_key_free(int ctos)
|
||||
+{
|
||||
+}
|
||||
diff -up openssh-5.6p1/monitor.c.audit4 openssh-5.6p1/monitor.c
|
||||
--- openssh-5.6p1/monitor.c.audit4 2011-01-12 14:01:51.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor.c 2011-01-12 14:01:51.000000000 +0100
|
||||
@@ -180,6 +180,7 @@ int mm_answer_audit_event(int, Buffer *)
|
||||
int mm_answer_audit_command(int, Buffer *);
|
||||
int mm_answer_audit_unsupported_body(int, Buffer *);
|
||||
int mm_answer_audit_kex_body(int, Buffer *);
|
||||
+int mm_answer_audit_session_key_free_body(int, Buffer *);
|
||||
#endif
|
||||
|
||||
static Authctxt *authctxt;
|
||||
@@ -230,6 +231,7 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||
#endif
|
||||
#ifdef BSD_AUTH
|
||||
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
||||
@@ -268,6 +270,7 @@ struct mon_table mon_dispatch_postauth20
|
||||
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -301,6 +304,7 @@ struct mon_table mon_dispatch_proto15[]
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -314,6 +318,7 @@ struct mon_table mon_dispatch_postauth15
|
||||
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -2252,4 +2257,18 @@ mm_answer_audit_kex_body(int sock, Buffe
|
||||
return 0;
|
||||
}
|
||||
|
||||
+int
|
||||
+mm_answer_audit_session_key_free_body(int sock, Buffer *m)
|
||||
+{
|
||||
+ int ctos;
|
||||
+
|
||||
+ ctos = buffer_get_int(m);
|
||||
+
|
||||
+ audit_session_key_free_body(ctos);
|
||||
+
|
||||
+ buffer_clear(m);
|
||||
+
|
||||
+ mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);
|
||||
+ return 0;
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.6p1/monitor.h.audit4 openssh-5.6p1/monitor.h
|
||||
--- openssh-5.6p1/monitor.h.audit4 2011-01-12 14:01:51.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor.h 2011-01-12 14:01:51.000000000 +0100
|
||||
@@ -68,6 +68,7 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,
|
||||
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
||||
MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
|
||||
+ MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
|
||||
};
|
||||
|
||||
struct mm_master;
|
||||
diff -up openssh-5.6p1/monitor_wrap.c.audit4 openssh-5.6p1/monitor_wrap.c
|
||||
--- openssh-5.6p1/monitor_wrap.c.audit4 2011-01-12 14:01:51.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor_wrap.c 2011-01-12 14:01:51.000000000 +0100
|
||||
@@ -1445,4 +1445,17 @@ mm_audit_kex_body(int ctos, char *cipher
|
||||
|
||||
buffer_free(&m);
|
||||
}
|
||||
+
|
||||
+void
|
||||
+mm_audit_session_key_free_body(int ctos)
|
||||
+{
|
||||
+ Buffer m;
|
||||
+
|
||||
+ buffer_init(&m);
|
||||
+ buffer_put_int(&m, ctos);
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SESSION_KEY_FREE, &m);
|
||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
|
||||
+ &m);
|
||||
+ buffer_free(&m);
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.6p1/monitor_wrap.h.audit4 openssh-5.6p1/monitor_wrap.h
|
||||
--- openssh-5.6p1/monitor_wrap.h.audit4 2011-01-12 14:01:51.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor_wrap.h 2011-01-12 14:01:51.000000000 +0100
|
||||
@@ -76,6 +76,7 @@ void mm_audit_event(ssh_audit_event_t);
|
||||
void mm_audit_run_command(const char *);
|
||||
void mm_audit_unsupported_body(int);
|
||||
void mm_audit_kex_body(int, char *, char *, char *);
|
||||
+void mm_audit_session_key_free_body(int);
|
||||
#endif
|
||||
|
||||
struct Session;
|
||||
diff -up openssh-5.6p1/packet.c.audit4 openssh-5.6p1/packet.c
|
||||
--- openssh-5.6p1/packet.c.audit4 2010-07-16 05:58:37.000000000 +0200
|
||||
+++ openssh-5.6p1/packet.c 2011-01-12 14:01:51.000000000 +0100
|
||||
@@ -495,6 +495,7 @@ packet_close(void)
|
||||
buffer_free(&active_state->compression_buffer);
|
||||
buffer_compress_uninit();
|
||||
}
|
||||
+ audit_session_key_free(2);
|
||||
cipher_cleanup(&active_state->send_context);
|
||||
cipher_cleanup(&active_state->receive_context);
|
||||
}
|
||||
@@ -749,6 +750,7 @@ set_newkeys(int mode)
|
||||
}
|
||||
if (active_state->newkeys[mode] != NULL) {
|
||||
debug("set_newkeys: rekeying");
|
||||
+ audit_session_key_free(mode);
|
||||
cipher_cleanup(cc);
|
||||
enc = &active_state->newkeys[mode]->enc;
|
||||
mac = &active_state->newkeys[mode]->mac;
|
||||
@ -1,443 +0,0 @@
|
||||
diff -up openssh-5.6p1/audit-bsm.c.audit5 openssh-5.6p1/audit-bsm.c
|
||||
--- openssh-5.6p1/audit-bsm.c.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/audit-bsm.c 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -401,4 +401,10 @@ audit_session_key_free_body(int ctos)
|
||||
{
|
||||
/* not implemented */
|
||||
}
|
||||
+
|
||||
+void
|
||||
+audit_destroy_sensitive_data(void)
|
||||
+{
|
||||
+ /* not implemented */
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff -up openssh-5.6p1/audit.c.audit5 openssh-5.6p1/audit.c
|
||||
--- openssh-5.6p1/audit.c.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/audit.c 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -268,5 +268,14 @@ audit_session_key_free_body(int ctos)
|
||||
{
|
||||
debug("audit session key discard euid %d direction %d", geteuid(), ctos);
|
||||
}
|
||||
+
|
||||
+/*
|
||||
+ * This will be called on destroy private part of the server key
|
||||
+ */
|
||||
+void
|
||||
+audit_destroy_sensitive_data(void)
|
||||
+{
|
||||
+ debug("audit destroy sensitive data euid %d", geteuid());
|
||||
+}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.6p1/audit.h.audit5 openssh-5.6p1/audit.h
|
||||
--- openssh-5.6p1/audit.h.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/audit.h 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -62,5 +62,6 @@ void audit_unsupported_body(int);
|
||||
void audit_kex_body(int, char *, char *, char *);
|
||||
void audit_session_key_free(int ctos);
|
||||
void audit_session_key_free_body(int ctos);
|
||||
+void audit_destroy_sensitive_data(void);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.6p1/audit-linux.c.audit5 openssh-5.6p1/audit-linux.c
|
||||
--- openssh-5.6p1/audit-linux.c.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/audit-linux.c 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -226,4 +226,26 @@ audit_session_key_free_body(int ctos)
|
||||
error("cannot write into audit");
|
||||
}
|
||||
|
||||
+void
|
||||
+audit_destroy_sensitive_data(void)
|
||||
+{
|
||||
+ char buf[AUDIT_LOG_SIZE];
|
||||
+ int audit_fd, audit_ok;
|
||||
+
|
||||
+ snprintf(buf, sizeof(buf), "destroy kind=server direction=?");
|
||||
+ audit_fd = audit_open();
|
||||
+ if (audit_fd < 0) {
|
||||
+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
|
||||
+ errno != EAFNOSUPPORT)
|
||||
+ error("cannot open audit");
|
||||
+ return;
|
||||
+ }
|
||||
+ audit_ok = audit_log_acct_message(audit_fd, AUDIT_CRYPTO_KEY_USER, NULL,
|
||||
+ buf, NULL, -1, NULL, get_remote_ipaddr(), NULL, 1);
|
||||
+ audit_close(audit_fd);
|
||||
+ /* do not abort if the error is EPERM and sshd is run as non root user */
|
||||
+ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
|
||||
+ error("cannot write into audit");
|
||||
+}
|
||||
+
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff -up openssh-5.6p1/kex.c.audit5 openssh-5.6p1/kex.c
|
||||
--- openssh-5.6p1/kex.c.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/kex.c 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -592,3 +592,34 @@ dump_digest(char *msg, u_char *digest, i
|
||||
fprintf(stderr, "\n");
|
||||
}
|
||||
#endif
|
||||
+
|
||||
+static void
|
||||
+enc_destroy(Enc *enc)
|
||||
+{
|
||||
+ if (enc == NULL)
|
||||
+ return;
|
||||
+
|
||||
+ if (enc->key) {
|
||||
+ memset(enc->key, 0, enc->key_len);
|
||||
+ xfree(enc->key);
|
||||
+ }
|
||||
+
|
||||
+ if (enc->iv) {
|
||||
+ memset(enc->iv, 0, enc->block_size);
|
||||
+ xfree(enc->iv);
|
||||
+ }
|
||||
+
|
||||
+ memset(enc, 0, sizeof(*enc));
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+newkeys_destroy(Newkeys *newkeys)
|
||||
+{
|
||||
+ if (newkeys == NULL)
|
||||
+ return;
|
||||
+
|
||||
+ enc_destroy(&newkeys->enc);
|
||||
+ mac_destroy(&newkeys->mac);
|
||||
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp));
|
||||
+}
|
||||
+
|
||||
diff -up openssh-5.6p1/kex.h.audit5 openssh-5.6p1/kex.h
|
||||
--- openssh-5.6p1/kex.h.audit5 2010-02-26 21:55:05.000000000 +0100
|
||||
+++ openssh-5.6p1/kex.h 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -146,6 +146,8 @@ void kexdh_server(Kex *);
|
||||
void kexgex_client(Kex *);
|
||||
void kexgex_server(Kex *);
|
||||
|
||||
+void newkeys_destroy(Newkeys *newkeys);
|
||||
+
|
||||
void
|
||||
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
|
||||
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
|
||||
diff -up openssh-5.6p1/mac.c.audit5 openssh-5.6p1/mac.c
|
||||
--- openssh-5.6p1/mac.c.audit5 2008-06-13 02:58:50.000000000 +0200
|
||||
+++ openssh-5.6p1/mac.c 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -162,6 +162,20 @@ mac_clear(Mac *mac)
|
||||
mac->umac_ctx = NULL;
|
||||
}
|
||||
|
||||
+void
|
||||
+mac_destroy(Mac *mac)
|
||||
+{
|
||||
+ if (mac == NULL)
|
||||
+ return;
|
||||
+
|
||||
+ if (mac->key) {
|
||||
+ memset(mac->key, 0, mac->key_len);
|
||||
+ xfree(mac->key);
|
||||
+ }
|
||||
+
|
||||
+ memset(mac, 0, sizeof(*mac));
|
||||
+}
|
||||
+
|
||||
/* XXX copied from ciphers_valid */
|
||||
#define MAC_SEP ","
|
||||
int
|
||||
diff -up openssh-5.6p1/mac.h.audit5 openssh-5.6p1/mac.h
|
||||
--- openssh-5.6p1/mac.h.audit5 2007-06-11 06:01:42.000000000 +0200
|
||||
+++ openssh-5.6p1/mac.h 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *);
|
||||
int mac_init(Mac *);
|
||||
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
|
||||
void mac_clear(Mac *);
|
||||
+void mac_destroy(Mac *);
|
||||
diff -up openssh-5.6p1/monitor.c.audit5 openssh-5.6p1/monitor.c
|
||||
--- openssh-5.6p1/monitor.c.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor.c 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -181,6 +181,7 @@ int mm_answer_audit_command(int, Buffer
|
||||
int mm_answer_audit_unsupported_body(int, Buffer *);
|
||||
int mm_answer_audit_kex_body(int, Buffer *);
|
||||
int mm_answer_audit_session_key_free_body(int, Buffer *);
|
||||
+int mm_answer_audit_server_key_free(int, Buffer *);
|
||||
#endif
|
||||
|
||||
static Authctxt *authctxt;
|
||||
@@ -232,6 +233,7 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||
+ {MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
|
||||
#endif
|
||||
#ifdef BSD_AUTH
|
||||
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
||||
@@ -271,6 +273,7 @@ struct mon_table mon_dispatch_postauth20
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||
+ {MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -305,6 +308,7 @@ struct mon_table mon_dispatch_proto15[]
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||
+ {MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -319,6 +323,7 @@ struct mon_table mon_dispatch_postauth15
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||
+ {MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -2271,4 +2276,15 @@ mm_answer_audit_session_key_free_body(in
|
||||
mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+int
|
||||
+mm_answer_audit_server_key_free(int sock, Buffer *m)
|
||||
+{
|
||||
+ audit_destroy_sensitive_data();
|
||||
+
|
||||
+ buffer_clear(m);
|
||||
+
|
||||
+ mm_request_send(sock, MONITOR_ANS_AUDIT_SERVER_KEY_FREE, m);
|
||||
+ return 0;
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.6p1/monitor.h.audit5 openssh-5.6p1/monitor.h
|
||||
--- openssh-5.6p1/monitor.h.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor.h 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -69,6 +69,7 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
||||
MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
|
||||
MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
|
||||
+ MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MONITOR_ANS_AUDIT_SERVER_KEY_FREE,
|
||||
};
|
||||
|
||||
struct mm_master;
|
||||
diff -up openssh-5.6p1/monitor_wrap.c.audit5 openssh-5.6p1/monitor_wrap.c
|
||||
--- openssh-5.6p1/monitor_wrap.c.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor_wrap.c 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -1458,4 +1458,16 @@ mm_audit_session_key_free_body(int ctos)
|
||||
&m);
|
||||
buffer_free(&m);
|
||||
}
|
||||
+
|
||||
+void
|
||||
+mm_audit_destroy_sensitive_data(void)
|
||||
+{
|
||||
+ Buffer m;
|
||||
+
|
||||
+ buffer_init(&m);
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
|
||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SERVER_KEY_FREE,
|
||||
+ &m);
|
||||
+ buffer_free(&m);
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.6p1/monitor_wrap.h.audit5 openssh-5.6p1/monitor_wrap.h
|
||||
--- openssh-5.6p1/monitor_wrap.h.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor_wrap.h 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -77,6 +77,7 @@ void mm_audit_run_command(const char *);
|
||||
void mm_audit_unsupported_body(int);
|
||||
void mm_audit_kex_body(int, char *, char *, char *);
|
||||
void mm_audit_session_key_free_body(int);
|
||||
+void mm_audit_server_key_free_body(void);
|
||||
#endif
|
||||
|
||||
struct Session;
|
||||
diff -up openssh-5.6p1/packet.c.audit5 openssh-5.6p1/packet.c
|
||||
--- openssh-5.6p1/packet.c.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/packet.c 2011-02-07 18:53:54.000000000 +0100
|
||||
@@ -60,6 +60,7 @@
|
||||
#include <signal.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
+#include "audit.h"
|
||||
#include "buffer.h"
|
||||
#include "packet.h"
|
||||
#include "crc32.h"
|
||||
@@ -495,9 +496,9 @@ packet_close(void)
|
||||
buffer_free(&active_state->compression_buffer);
|
||||
buffer_compress_uninit();
|
||||
}
|
||||
- audit_session_key_free(2);
|
||||
cipher_cleanup(&active_state->send_context);
|
||||
cipher_cleanup(&active_state->receive_context);
|
||||
+ audit_session_key_free(2);
|
||||
}
|
||||
|
||||
/* Sets remote side protocol flags. */
|
||||
@@ -1893,6 +1894,34 @@ packet_get_newkeys(int mode)
|
||||
return (void *)active_state->newkeys[mode];
|
||||
}
|
||||
|
||||
+static void
|
||||
+packet_destroy_state(struct session_state *state)
|
||||
+{
|
||||
+ if (state == NULL)
|
||||
+ return;
|
||||
+
|
||||
+ cipher_cleanup(&state->receive_context);
|
||||
+ cipher_cleanup(&state->send_context);
|
||||
+
|
||||
+ buffer_free(&state->input);
|
||||
+ buffer_free(&state->output);
|
||||
+ buffer_free(&state->outgoing_packet);
|
||||
+ buffer_free(&state->incoming_packet);
|
||||
+ buffer_free(&state->compression_buffer);
|
||||
+ newkeys_destroy(state->newkeys[MODE_IN]);
|
||||
+ newkeys_destroy(state->newkeys[MODE_OUT]);
|
||||
+ mac_destroy(state->packet_discard_mac);
|
||||
+// TAILQ_HEAD(, packet) outgoing;
|
||||
+// memset(state, 0, sizeof(state));
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+packet_destroy_all(void)
|
||||
+{
|
||||
+ packet_destroy_state(active_state);
|
||||
+ packet_destroy_state(backup_state);
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Save the state for the real connection, and use a separate state when
|
||||
* resuming a suspended connection.
|
||||
@@ -1900,18 +1929,12 @@ packet_get_newkeys(int mode)
|
||||
void
|
||||
packet_backup_state(void)
|
||||
{
|
||||
- struct session_state *tmp;
|
||||
-
|
||||
close(active_state->connection_in);
|
||||
active_state->connection_in = -1;
|
||||
close(active_state->connection_out);
|
||||
active_state->connection_out = -1;
|
||||
- if (backup_state)
|
||||
- tmp = backup_state;
|
||||
- else
|
||||
- tmp = alloc_session_state();
|
||||
backup_state = active_state;
|
||||
- active_state = tmp;
|
||||
+ active_state = alloc_session_state();
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1928,9 +1951,7 @@ packet_restore_state(void)
|
||||
backup_state = active_state;
|
||||
active_state = tmp;
|
||||
active_state->connection_in = backup_state->connection_in;
|
||||
- backup_state->connection_in = -1;
|
||||
active_state->connection_out = backup_state->connection_out;
|
||||
- backup_state->connection_out = -1;
|
||||
len = buffer_len(&backup_state->input);
|
||||
if (len > 0) {
|
||||
buf = buffer_ptr(&backup_state->input);
|
||||
@@ -1938,4 +1959,10 @@ packet_restore_state(void)
|
||||
buffer_clear(&backup_state->input);
|
||||
add_recv_bytes(len);
|
||||
}
|
||||
+ backup_state->connection_in = -1;
|
||||
+ backup_state->connection_out = -1;
|
||||
+ packet_destroy_state(backup_state);
|
||||
+ xfree(backup_state);
|
||||
+ backup_state = NULL;
|
||||
}
|
||||
+
|
||||
diff -up openssh-5.6p1/packet.h.audit5 openssh-5.6p1/packet.h
|
||||
--- openssh-5.6p1/packet.h.audit5 2009-07-05 23:11:13.000000000 +0200
|
||||
+++ openssh-5.6p1/packet.h 2011-02-07 18:53:54.000000000 +0100
|
||||
@@ -115,4 +115,5 @@ void packet_restore_state(void);
|
||||
void *packet_get_input(void);
|
||||
void *packet_get_output(void);
|
||||
|
||||
+void packet_destroy_all(void);
|
||||
#endif /* PACKET_H */
|
||||
diff -up openssh-5.6p1/session.c.audit5 openssh-5.6p1/session.c
|
||||
--- openssh-5.6p1/session.c.audit5 2010-06-26 02:00:15.000000000 +0200
|
||||
+++ openssh-5.6p1/session.c 2011-02-07 18:53:54.000000000 +0100
|
||||
@@ -1677,6 +1677,7 @@ do_child(Session *s, const char *command
|
||||
|
||||
/* remove hostkey from the child's memory */
|
||||
destroy_sensitive_data();
|
||||
+ PRIVSEP(audit_destroy_sensitive_data());
|
||||
|
||||
/* Force a password change */
|
||||
if (s->authctxt->force_pwchange) {
|
||||
diff -up openssh-5.6p1/sshd.c.audit5 openssh-5.6p1/sshd.c
|
||||
--- openssh-5.6p1/sshd.c.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/sshd.c 2011-02-07 19:08:56.000000000 +0100
|
||||
@@ -579,6 +579,7 @@ demote_sensitive_data(void)
|
||||
}
|
||||
/* Certs do not need demotion */
|
||||
}
|
||||
+ audit_destroy_sensitive_data();
|
||||
|
||||
/* We do not clear ssh1_host key and cookie. XXX - Okay Niels? */
|
||||
}
|
||||
@@ -663,6 +664,8 @@ privsep_preauth(Authctxt *authctxt)
|
||||
return (0);
|
||||
}
|
||||
|
||||
+extern Newkeys *current_keys[];
|
||||
+
|
||||
static void
|
||||
privsep_postauth(Authctxt *authctxt)
|
||||
{
|
||||
@@ -688,6 +691,10 @@ privsep_postauth(Authctxt *authctxt)
|
||||
verbose("User child is on pid %ld", (long)pmonitor->m_pid);
|
||||
close(pmonitor->m_recvfd);
|
||||
buffer_clear(&loginmsg);
|
||||
+ newkeys_destroy(current_keys[MODE_OUT]);
|
||||
+ newkeys_destroy(current_keys[MODE_IN]);
|
||||
+ packet_destroy_all();
|
||||
+ audit_session_key_free_body(2);
|
||||
monitor_child_postauth(pmonitor);
|
||||
|
||||
/* NEVERREACHED */
|
||||
@@ -1970,6 +1977,8 @@ main(int ac, char **av)
|
||||
*/
|
||||
if (use_privsep) {
|
||||
mm_send_keystate(pmonitor);
|
||||
+ packet_destroy_all();
|
||||
+ audit_session_key_free(2);
|
||||
exit(0);
|
||||
}
|
||||
|
||||
@@ -2011,8 +2020,10 @@ main(int ac, char **av)
|
||||
if (use_privsep) {
|
||||
privsep_postauth(authctxt);
|
||||
/* the monitor process [priv] will not return */
|
||||
- if (!compat20)
|
||||
+ if (!compat20) {
|
||||
destroy_sensitive_data();
|
||||
+ audit_destroy_sensitive_data();
|
||||
+ }
|
||||
}
|
||||
|
||||
packet_set_timeout(options.client_alive_interval,
|
||||
@@ -2022,6 +2033,9 @@ main(int ac, char **av)
|
||||
do_authenticated(authctxt);
|
||||
|
||||
/* The connection has been terminated. */
|
||||
+ packet_destroy_all();
|
||||
+ audit_session_key_free(2);
|
||||
+
|
||||
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
|
||||
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
|
||||
verbose("Transferred: sent %llu, received %llu bytes", obytes, ibytes);
|
||||
@@ -2249,6 +2263,7 @@ do_ssh1_kex(void)
|
||||
}
|
||||
/* Destroy the private and public keys. No longer. */
|
||||
destroy_sensitive_data();
|
||||
+ audit_destroy_sensitive_data();
|
||||
|
||||
if (use_privsep)
|
||||
mm_ssh1_session_id(session_id);
|
||||
@ -1,99 +0,0 @@
|
||||
diff -up openssh-5.6p1/loginrec.c.biguid openssh-5.6p1/loginrec.c
|
||||
--- openssh-5.6p1/loginrec.c.biguid 2010-11-15 13:19:35.000000000 +0100
|
||||
+++ openssh-5.6p1/loginrec.c 2010-11-15 13:19:38.000000000 +0100
|
||||
@@ -273,7 +273,7 @@ login_logout(struct logininfo *li)
|
||||
* try to retrieve lastlog information from wtmp/wtmpx.
|
||||
*/
|
||||
unsigned int
|
||||
-login_get_lastlog_time(const int uid)
|
||||
+login_get_lastlog_time(const uid_t uid)
|
||||
{
|
||||
struct logininfo li;
|
||||
|
||||
@@ -297,7 +297,7 @@ login_get_lastlog_time(const int uid)
|
||||
* 0 on failure (will use OpenSSH's logging facilities for diagnostics)
|
||||
*/
|
||||
struct logininfo *
|
||||
-login_get_lastlog(struct logininfo *li, const int uid)
|
||||
+login_get_lastlog(struct logininfo *li, const uid_t uid)
|
||||
{
|
||||
struct passwd *pw;
|
||||
|
||||
@@ -311,7 +311,8 @@ login_get_lastlog(struct logininfo *li,
|
||||
*/
|
||||
pw = getpwuid(uid);
|
||||
if (pw == NULL)
|
||||
- fatal("%s: Cannot find account for uid %i", __func__, uid);
|
||||
+ fatal("%s: Cannot find account for uid %ld", __func__,
|
||||
+ (long)uid);
|
||||
|
||||
/* No MIN_SIZEOF here - we absolutely *must not* truncate the
|
||||
* username (XXX - so check for trunc!) */
|
||||
@@ -335,7 +336,7 @@ login_get_lastlog(struct logininfo *li,
|
||||
* allocation fails, the program halts.
|
||||
*/
|
||||
struct
|
||||
-logininfo *login_alloc_entry(int pid, const char *username,
|
||||
+logininfo *login_alloc_entry(pid_t pid, const char *username,
|
||||
const char *hostname, const char *line)
|
||||
{
|
||||
struct logininfo *newli;
|
||||
@@ -363,7 +364,7 @@ login_free_entry(struct logininfo *li)
|
||||
* Returns: 1
|
||||
*/
|
||||
int
|
||||
-login_init_entry(struct logininfo *li, int pid, const char *username,
|
||||
+login_init_entry(struct logininfo *li, pid_t pid, const char *username,
|
||||
const char *hostname, const char *line)
|
||||
{
|
||||
struct passwd *pw;
|
||||
@@ -1496,7 +1497,7 @@ lastlog_openseek(struct logininfo *li, i
|
||||
|
||||
if (S_ISREG(st.st_mode)) {
|
||||
/* find this uid's offset in the lastlog file */
|
||||
- offset = (off_t) ((long)li->uid * sizeof(struct lastlog));
|
||||
+ offset = (off_t) ((u_long)li->uid * sizeof(struct lastlog));
|
||||
|
||||
if (lseek(*fd, offset, SEEK_SET) != offset) {
|
||||
logit("%s: %s->lseek(): %s", __func__,
|
||||
diff -up openssh-5.6p1/loginrec.h.biguid openssh-5.6p1/loginrec.h
|
||||
--- openssh-5.6p1/loginrec.h.biguid 2010-06-22 07:02:39.000000000 +0200
|
||||
+++ openssh-5.6p1/loginrec.h 2010-11-15 13:19:38.000000000 +0100
|
||||
@@ -63,8 +63,8 @@ struct logininfo {
|
||||
char progname[LINFO_PROGSIZE]; /* name of program (for PAM) */
|
||||
int progname_null;
|
||||
short int type; /* type of login (LTYPE_*) */
|
||||
- int pid; /* PID of login process */
|
||||
- int uid; /* UID of this user */
|
||||
+ pid_t pid; /* PID of login process */
|
||||
+ uid_t uid; /* UID of this user */
|
||||
char line[LINFO_LINESIZE]; /* tty/pty name */
|
||||
char username[LINFO_NAMESIZE]; /* login username */
|
||||
char hostname[LINFO_HOSTSIZE]; /* remote hostname */
|
||||
@@ -86,12 +86,12 @@ struct logininfo {
|
||||
/** 'public' functions */
|
||||
|
||||
/* construct a new login entry */
|
||||
-struct logininfo *login_alloc_entry(int pid, const char *username,
|
||||
+struct logininfo *login_alloc_entry(pid_t pid, const char *username,
|
||||
const char *hostname, const char *line);
|
||||
/* free a structure */
|
||||
void login_free_entry(struct logininfo *li);
|
||||
/* fill out a pre-allocated structure with useful information */
|
||||
-int login_init_entry(struct logininfo *li, int pid, const char *username,
|
||||
+int login_init_entry(struct logininfo *li, pid_t pid, const char *username,
|
||||
const char *hostname, const char *line);
|
||||
/* place the current time in a logininfo struct */
|
||||
void login_set_current_time(struct logininfo *li);
|
||||
@@ -117,9 +117,9 @@ void login_set_addr(struct logininfo *li
|
||||
* lastlog retrieval functions
|
||||
*/
|
||||
/* lastlog *entry* functions fill out a logininfo */
|
||||
-struct logininfo *login_get_lastlog(struct logininfo *li, const int uid);
|
||||
+struct logininfo *login_get_lastlog(struct logininfo *li, const uid_t uid);
|
||||
/* lastlog *time* functions return time_t equivalent (uint) */
|
||||
-unsigned int login_get_lastlog_time(const int uid);
|
||||
+unsigned int login_get_lastlog_time(const uid_t uid);
|
||||
|
||||
/* produce various forms of the line filename */
|
||||
char *line_fullname(char *dst, const char *src, u_int dstsize);
|
||||
@ -1,12 +0,0 @@
|
||||
diff -up openssh-5.6p1/clientloop.c.clientloop openssh-5.6p1/clientloop.c
|
||||
--- openssh-5.6p1/clientloop.c.clientloop 2010-11-24 08:18:10.000000000 +0100
|
||||
+++ openssh-5.6p1/clientloop.c 2010-11-24 08:18:11.000000000 +0100
|
||||
@@ -1944,7 +1944,7 @@ client_input_channel_req(int type, u_int
|
||||
}
|
||||
packet_check_eom();
|
||||
}
|
||||
- if (reply) {
|
||||
+ if (reply && c != NULL) {
|
||||
packet_start(success ?
|
||||
SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE);
|
||||
packet_put_int(c->remote_id);
|
||||
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.6p1/audit-bsm.c.audit2 openssh-5.6p1/audit-bsm.c
|
||||
--- openssh-5.6p1/audit-bsm.c.audit2 2010-12-10 21:55:40.000000000 +0100
|
||||
+++ openssh-5.6p1/audit-bsm.c 2010-12-10 21:55:41.000000000 +0100
|
||||
diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
|
||||
--- openssh-5.8p1/audit-bsm.c.audit2 2011-01-17 11:15:29.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-09 15:50:28.000000000 +0100
|
||||
@@ -316,6 +316,12 @@ audit_session_close(struct logininfo *li
|
||||
/* not implemented */
|
||||
}
|
||||
@ -14,9 +14,9 @@ diff -up openssh-5.6p1/audit-bsm.c.audit2 openssh-5.6p1/audit-bsm.c
|
||||
void
|
||||
audit_event(ssh_audit_event_t event)
|
||||
{
|
||||
diff -up openssh-5.6p1/audit.c.audit2 openssh-5.6p1/audit.c
|
||||
--- openssh-5.6p1/audit.c.audit2 2010-12-10 21:55:40.000000000 +0100
|
||||
+++ openssh-5.6p1/audit.c 2010-12-10 21:55:41.000000000 +0100
|
||||
diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
|
||||
--- openssh-5.8p1/audit.c.audit2 2011-01-17 11:15:30.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-09 15:50:28.000000000 +0100
|
||||
@@ -111,6 +111,33 @@ audit_event_lookup(ssh_audit_event_t ev)
|
||||
return(event_lookup[i].name);
|
||||
}
|
||||
@ -69,9 +69,9 @@ diff -up openssh-5.6p1/audit.c.audit2 openssh-5.6p1/audit.c
|
||||
+}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.6p1/audit.h.audit2 openssh-5.6p1/audit.h
|
||||
--- openssh-5.6p1/audit.h.audit2 2010-12-10 21:55:40.000000000 +0100
|
||||
+++ openssh-5.6p1/audit.h 2010-12-10 21:55:41.000000000 +0100
|
||||
diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
|
||||
--- openssh-5.8p1/audit.h.audit2 2011-01-17 11:15:30.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-09 15:50:28.000000000 +0100
|
||||
@@ -28,6 +28,7 @@
|
||||
# define _SSH_AUDIT_H
|
||||
|
||||
@ -88,9 +88,9 @@ diff -up openssh-5.6p1/audit.h.audit2 openssh-5.6p1/audit.h
|
||||
+int audit_key(int, int *, const Key *);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c
|
||||
--- openssh-5.6p1/audit-linux.c.audit2 2010-12-10 21:55:41.000000000 +0100
|
||||
+++ openssh-5.6p1/audit-linux.c 2010-12-10 22:16:42.000000000 +0100
|
||||
diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
|
||||
--- openssh-5.8p1/audit-linux.c.audit2 2011-01-17 11:15:30.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-09 15:51:45.000000000 +0100
|
||||
@@ -37,6 +37,8 @@
|
||||
#include "audit.h"
|
||||
#include "canohost.h"
|
||||
@ -100,8 +100,8 @@ diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c
|
||||
const char* audit_username(void);
|
||||
|
||||
int
|
||||
@@ -63,6 +65,37 @@ linux_audit_record_event(int uid, const
|
||||
return (rc >= 0) || ((rc == -EPERM) && (getuid() != 0));
|
||||
@@ -68,6 +70,37 @@ linux_audit_record_event(int uid, const
|
||||
return (rc >= 0);
|
||||
}
|
||||
|
||||
+int
|
||||
@ -138,9 +138,9 @@ diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c
|
||||
/* Below is the sshd audit API code */
|
||||
|
||||
void
|
||||
diff -up openssh-5.6p1/auth2-hostbased.c.audit2 openssh-5.6p1/auth2-hostbased.c
|
||||
--- openssh-5.6p1/auth2-hostbased.c.audit2 2010-08-05 05:04:50.000000000 +0200
|
||||
+++ openssh-5.6p1/auth2-hostbased.c 2010-12-10 21:55:41.000000000 +0100
|
||||
diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
|
||||
--- openssh-5.8p1/auth2-hostbased.c.audit2 2010-08-05 05:04:50.000000000 +0200
|
||||
+++ openssh-5.8p1/auth2-hostbased.c 2011-02-09 15:50:28.000000000 +0100
|
||||
@@ -136,6 +136,18 @@ done:
|
||||
return authenticated;
|
||||
}
|
||||
@ -160,9 +160,9 @@ diff -up openssh-5.6p1/auth2-hostbased.c.audit2 openssh-5.6p1/auth2-hostbased.c
|
||||
/* return 1 if given hostkey is allowed */
|
||||
int
|
||||
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
|
||||
diff -up openssh-5.6p1/auth2-pubkey.c.audit2 openssh-5.6p1/auth2-pubkey.c
|
||||
--- openssh-5.6p1/auth2-pubkey.c.audit2 2010-07-02 05:35:19.000000000 +0200
|
||||
+++ openssh-5.6p1/auth2-pubkey.c 2010-12-10 21:55:41.000000000 +0100
|
||||
diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
|
||||
--- openssh-5.8p1/auth2-pubkey.c.audit2 2010-12-01 01:50:14.000000000 +0100
|
||||
+++ openssh-5.8p1/auth2-pubkey.c 2011-02-09 15:50:28.000000000 +0100
|
||||
@@ -177,6 +177,18 @@ done:
|
||||
return authenticated;
|
||||
}
|
||||
@ -182,9 +182,9 @@ diff -up openssh-5.6p1/auth2-pubkey.c.audit2 openssh-5.6p1/auth2-pubkey.c
|
||||
static int
|
||||
match_principals_option(const char *principal_list, struct KeyCert *cert)
|
||||
{
|
||||
diff -up openssh-5.6p1/auth.h.audit2 openssh-5.6p1/auth.h
|
||||
--- openssh-5.6p1/auth.h.audit2 2010-05-10 03:58:03.000000000 +0200
|
||||
+++ openssh-5.6p1/auth.h 2010-12-10 21:55:41.000000000 +0100
|
||||
diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
|
||||
--- openssh-5.8p1/auth.h.audit2 2010-05-10 03:58:03.000000000 +0200
|
||||
+++ openssh-5.8p1/auth.h 2011-02-09 15:50:28.000000000 +0100
|
||||
@@ -170,6 +170,7 @@ void abandon_challenge_response(Authctxt
|
||||
char *authorized_keys_file(struct passwd *);
|
||||
char *authorized_keys_file2(struct passwd *);
|
||||
@ -201,9 +201,9 @@ diff -up openssh-5.6p1/auth.h.audit2 openssh-5.6p1/auth.h
|
||||
|
||||
/* debug messages during authentication */
|
||||
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
|
||||
diff -up openssh-5.6p1/auth-rsa.c.audit2 openssh-5.6p1/auth-rsa.c
|
||||
--- openssh-5.6p1/auth-rsa.c.audit2 2010-07-16 05:58:37.000000000 +0200
|
||||
+++ openssh-5.6p1/auth-rsa.c 2010-12-10 21:55:41.000000000 +0100
|
||||
diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
|
||||
--- openssh-5.8p1/auth-rsa.c.audit2 2010-12-04 23:01:47.000000000 +0100
|
||||
+++ openssh-5.8p1/auth-rsa.c 2011-02-09 15:53:00.000000000 +0100
|
||||
@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU
|
||||
{
|
||||
u_char buf[32], mdbuf[16];
|
||||
@ -214,9 +214,9 @@ diff -up openssh-5.6p1/auth-rsa.c.audit2 openssh-5.6p1/auth-rsa.c
|
||||
+ char *fp;
|
||||
+#endif
|
||||
|
||||
if (auth_key_is_revoked(key))
|
||||
return 0;
|
||||
@@ -116,12 +119,18 @@ auth_rsa_verify_response(Key *key, BIGNU
|
||||
/* don't allow short keys */
|
||||
if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
|
||||
@@ -113,12 +116,18 @@ auth_rsa_verify_response(Key *key, BIGNU
|
||||
MD5_Final(mdbuf, &md);
|
||||
|
||||
/* Verify that the response is the original challenge. */
|
||||
@ -240,9 +240,9 @@ diff -up openssh-5.6p1/auth-rsa.c.audit2 openssh-5.6p1/auth-rsa.c
|
||||
}
|
||||
|
||||
/*
|
||||
diff -up openssh-5.6p1/monitor.c.audit2 openssh-5.6p1/monitor.c
|
||||
--- openssh-5.6p1/monitor.c.audit2 2010-08-03 07:50:16.000000000 +0200
|
||||
+++ openssh-5.6p1/monitor.c 2010-12-10 21:55:41.000000000 +0100
|
||||
diff -up openssh-5.8p1/monitor.c.audit2 openssh-5.8p1/monitor.c
|
||||
--- openssh-5.8p1/monitor.c.audit2 2010-09-10 03:23:34.000000000 +0200
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-09 15:50:28.000000000 +0100
|
||||
@@ -1235,7 +1235,17 @@ mm_answer_keyverify(int sock, Buffer *m)
|
||||
if (!valid_data)
|
||||
fatal("%s: bad signature data blob", __func__);
|
||||
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.6p1/audit-bsm.c.audit3 openssh-5.6p1/audit-bsm.c
|
||||
--- openssh-5.6p1/audit-bsm.c.audit3 2010-12-10 22:17:31.000000000 +0100
|
||||
+++ openssh-5.6p1/audit-bsm.c 2010-12-10 22:17:31.000000000 +0100
|
||||
diff -up openssh-5.8p1/audit-bsm.c.audit3 openssh-5.8p1/audit-bsm.c
|
||||
--- openssh-5.8p1/audit-bsm.c.audit3 2011-02-09 21:51:19.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-09 21:51:19.000000000 +0100
|
||||
@@ -383,4 +383,16 @@ audit_event(ssh_audit_event_t event)
|
||||
debug("%s: unhandled event %d", __func__, event);
|
||||
}
|
||||
@ -18,9 +18,9 @@ diff -up openssh-5.6p1/audit-bsm.c.audit3 openssh-5.6p1/audit-bsm.c
|
||||
+ /* not implemented */
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff -up openssh-5.6p1/audit.c.audit3 openssh-5.6p1/audit.c
|
||||
--- openssh-5.6p1/audit.c.audit3 2010-12-10 22:17:31.000000000 +0100
|
||||
+++ openssh-5.6p1/audit.c 2010-12-10 22:17:31.000000000 +0100
|
||||
diff -up openssh-5.8p1/audit.c.audit3 openssh-5.8p1/audit.c
|
||||
--- openssh-5.8p1/audit.c.audit3 2011-02-09 21:51:19.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-09 21:51:19.000000000 +0100
|
||||
@@ -36,6 +36,8 @@
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
@ -74,9 +74,9 @@ diff -up openssh-5.6p1/audit.c.audit3 openssh-5.6p1/audit.c
|
||||
+}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.6p1/audit.h.audit3 openssh-5.6p1/audit.h
|
||||
--- openssh-5.6p1/audit.h.audit3 2010-12-10 22:17:31.000000000 +0100
|
||||
+++ openssh-5.6p1/audit.h 2010-12-10 22:17:31.000000000 +0100
|
||||
diff -up openssh-5.8p1/audit.h.audit3 openssh-5.8p1/audit.h
|
||||
--- openssh-5.8p1/audit.h.audit3 2011-02-09 21:51:19.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-09 21:51:19.000000000 +0100
|
||||
@@ -56,5 +56,9 @@ void audit_run_command(const char *);
|
||||
ssh_audit_event_t audit_classify_auth(const char *);
|
||||
int audit_keyusage(int, const char *, unsigned, char *, int);
|
||||
@ -87,9 +87,9 @@ diff -up openssh-5.6p1/audit.h.audit3 openssh-5.6p1/audit.h
|
||||
+void audit_kex_body(int, char *, char *, char *);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.6p1/audit-linux.c.audit3 openssh-5.6p1/audit-linux.c
|
||||
--- openssh-5.6p1/audit-linux.c.audit3 2010-12-10 22:17:31.000000000 +0100
|
||||
+++ openssh-5.6p1/audit-linux.c 2010-12-10 22:20:00.000000000 +0100
|
||||
diff -up openssh-5.8p1/audit-linux.c.audit3 openssh-5.8p1/audit-linux.c
|
||||
--- openssh-5.8p1/audit-linux.c.audit3 2011-02-09 21:51:19.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-09 21:51:19.000000000 +0100
|
||||
@@ -36,6 +36,8 @@
|
||||
#include "log.h"
|
||||
#include "audit.h"
|
||||
@ -99,7 +99,7 @@ diff -up openssh-5.6p1/audit-linux.c.audit3 openssh-5.6p1/audit-linux.c
|
||||
|
||||
#define AUDIT_LOG_SIZE 128
|
||||
|
||||
@@ -151,4 +153,54 @@ audit_event(ssh_audit_event_t event)
|
||||
@@ -156,4 +158,54 @@ audit_event(ssh_audit_event_t event)
|
||||
}
|
||||
}
|
||||
|
||||
@ -154,9 +154,9 @@ diff -up openssh-5.6p1/audit-linux.c.audit3 openssh-5.6p1/audit-linux.c
|
||||
+}
|
||||
+
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff -up openssh-5.6p1/auditstub.c.audit3 openssh-5.6p1/auditstub.c
|
||||
--- openssh-5.6p1/auditstub.c.audit3 2010-12-10 22:17:32.000000000 +0100
|
||||
+++ openssh-5.6p1/auditstub.c 2010-12-10 22:17:32.000000000 +0100
|
||||
diff -up openssh-5.8p1/auditstub.c.audit3 openssh-5.8p1/auditstub.c
|
||||
--- openssh-5.8p1/auditstub.c.audit3 2011-02-09 21:51:19.000000000 +0100
|
||||
+++ openssh-5.8p1/auditstub.c 2011-02-09 21:51:19.000000000 +0100
|
||||
@@ -0,0 +1,39 @@
|
||||
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
|
||||
+
|
||||
@ -197,9 +197,9 @@ diff -up openssh-5.6p1/auditstub.c.audit3 openssh-5.6p1/auditstub.c
|
||||
+{
|
||||
+}
|
||||
+
|
||||
diff -up openssh-5.6p1/cipher.c.audit3 openssh-5.6p1/cipher.c
|
||||
--- openssh-5.6p1/cipher.c.audit3 2010-09-03 14:54:23.000000000 +0200
|
||||
+++ openssh-5.6p1/cipher.c 2010-12-10 22:17:32.000000000 +0100
|
||||
diff -up openssh-5.8p1/cipher.c.audit3 openssh-5.8p1/cipher.c
|
||||
--- openssh-5.8p1/cipher.c.audit3 2011-02-09 15:24:23.000000000 +0100
|
||||
+++ openssh-5.8p1/cipher.c 2011-02-09 21:51:19.000000000 +0100
|
||||
@@ -59,15 +59,7 @@ extern void ssh1_3des_iv(EVP_CIPHER_CTX
|
||||
extern const EVP_CIPHER *evp_aes_128_ctr(void);
|
||||
extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
|
||||
@ -217,9 +217,9 @@ diff -up openssh-5.6p1/cipher.c.audit3 openssh-5.6p1/cipher.c
|
||||
{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null },
|
||||
{ "des", SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc },
|
||||
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },
|
||||
diff -up openssh-5.6p1/cipher.h.audit3 openssh-5.6p1/cipher.h
|
||||
--- openssh-5.6p1/cipher.h.audit3 2009-01-28 06:38:41.000000000 +0100
|
||||
+++ openssh-5.6p1/cipher.h 2010-12-10 22:17:32.000000000 +0100
|
||||
diff -up openssh-5.8p1/cipher.h.audit3 openssh-5.8p1/cipher.h
|
||||
--- openssh-5.8p1/cipher.h.audit3 2009-01-28 06:38:41.000000000 +0100
|
||||
+++ openssh-5.8p1/cipher.h 2011-02-09 21:51:19.000000000 +0100
|
||||
@@ -61,7 +61,16 @@
|
||||
typedef struct Cipher Cipher;
|
||||
typedef struct CipherContext CipherContext;
|
||||
@ -238,9 +238,9 @@ diff -up openssh-5.6p1/cipher.h.audit3 openssh-5.6p1/cipher.h
|
||||
struct CipherContext {
|
||||
int plaintext;
|
||||
EVP_CIPHER_CTX evp;
|
||||
diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c
|
||||
--- openssh-5.6p1/kex.c.audit3 2010-01-08 06:50:41.000000000 +0100
|
||||
+++ openssh-5.6p1/kex.c 2010-12-10 22:17:32.000000000 +0100
|
||||
diff -up openssh-5.8p1/kex.c.audit3 openssh-5.8p1/kex.c
|
||||
--- openssh-5.8p1/kex.c.audit3 2010-09-24 14:11:14.000000000 +0200
|
||||
+++ openssh-5.8p1/kex.c 2011-02-09 21:51:19.000000000 +0100
|
||||
@@ -49,6 +49,7 @@
|
||||
#include "dispatch.h"
|
||||
#include "monitor.h"
|
||||
@ -249,7 +249,7 @@ diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
|
||||
# if defined(HAVE_EVP_SHA256)
|
||||
@@ -258,9 +259,13 @@ static void
|
||||
@@ -286,9 +287,13 @@ static void
|
||||
choose_enc(Enc *enc, char *client, char *server)
|
||||
{
|
||||
char *name = match_list(client, server, NULL);
|
||||
@ -264,7 +264,7 @@ diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c
|
||||
if ((enc->cipher = cipher_by_name(name)) == NULL)
|
||||
fatal("matching cipher is not supported: %s", name);
|
||||
enc->name = name;
|
||||
@@ -275,9 +280,13 @@ static void
|
||||
@@ -303,9 +308,13 @@ static void
|
||||
choose_mac(Mac *mac, char *client, char *server)
|
||||
{
|
||||
char *name = match_list(client, server, NULL);
|
||||
@ -279,7 +279,7 @@ diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c
|
||||
if (mac_setup(mac, name) < 0)
|
||||
fatal("unsupported mac %s", name);
|
||||
/* truncate the key */
|
||||
@@ -292,8 +301,12 @@ static void
|
||||
@@ -320,8 +329,12 @@ static void
|
||||
choose_comp(Comp *comp, char *client, char *server)
|
||||
{
|
||||
char *name = match_list(client, server, NULL);
|
||||
@ -293,7 +293,7 @@ diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c
|
||||
if (strcmp(name, "zlib@openssh.com") == 0) {
|
||||
comp->type = COMP_DELAYED;
|
||||
} else if (strcmp(name, "zlib") == 0) {
|
||||
@@ -414,6 +427,9 @@ kex_choose_conf(Kex *kex)
|
||||
@@ -446,6 +459,9 @@ kex_choose_conf(Kex *kex)
|
||||
newkeys->enc.name,
|
||||
newkeys->mac.name,
|
||||
newkeys->comp.name);
|
||||
@ -303,21 +303,21 @@ diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c
|
||||
}
|
||||
choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
|
||||
choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
||||
diff -up openssh-5.6p1/Makefile.in.audit3 openssh-5.6p1/Makefile.in
|
||||
--- openssh-5.6p1/Makefile.in.audit3 2010-12-10 22:17:31.000000000 +0100
|
||||
+++ openssh-5.6p1/Makefile.in 2010-12-10 22:17:32.000000000 +0100
|
||||
@@ -74,7 +74,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
|
||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
|
||||
kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
|
||||
entropy.o gss-genr.o umac.o jpake.o schnorr.o \
|
||||
- ssh-pkcs11.o
|
||||
+ ssh-pkcs11.o auditstub.o
|
||||
diff -up openssh-5.8p1/Makefile.in.audit3 openssh-5.8p1/Makefile.in
|
||||
--- openssh-5.8p1/Makefile.in.audit3 2011-02-04 01:42:13.000000000 +0100
|
||||
+++ openssh-5.8p1/Makefile.in 2011-02-09 21:53:15.000000000 +0100
|
||||
@@ -76,7 +76,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
|
||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
|
||||
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
|
||||
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \
|
||||
- schnorr.o ssh-pkcs11.o
|
||||
+ schnorr.o ssh-pkcs11.o auditstub.o
|
||||
|
||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
|
||||
diff -up openssh-5.6p1/monitor.c.audit3 openssh-5.6p1/monitor.c
|
||||
--- openssh-5.6p1/monitor.c.audit3 2010-12-10 22:17:31.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor.c 2010-12-10 22:17:32.000000000 +0100
|
||||
diff -up openssh-5.8p1/monitor.c.audit3 openssh-5.8p1/monitor.c
|
||||
--- openssh-5.8p1/monitor.c.audit3 2011-02-09 21:51:19.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-09 21:51:19.000000000 +0100
|
||||
@@ -89,6 +89,7 @@
|
||||
#include "ssh2.h"
|
||||
#include "jpake.h"
|
||||
@ -371,7 +371,7 @@ diff -up openssh-5.6p1/monitor.c.audit3 openssh-5.6p1/monitor.c
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -2205,3 +2216,40 @@ mm_answer_jpake_check_confirm(int sock,
|
||||
@@ -2206,3 +2217,40 @@ mm_answer_jpake_check_confirm(int sock,
|
||||
}
|
||||
|
||||
#endif /* JPAKE */
|
||||
@ -412,9 +412,9 @@ diff -up openssh-5.6p1/monitor.c.audit3 openssh-5.6p1/monitor.c
|
||||
+}
|
||||
+
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.6p1/monitor.h.audit3 openssh-5.6p1/monitor.h
|
||||
--- openssh-5.6p1/monitor.h.audit3 2008-11-05 06:20:46.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor.h 2010-12-10 22:17:32.000000000 +0100
|
||||
diff -up openssh-5.8p1/monitor.h.audit3 openssh-5.8p1/monitor.h
|
||||
--- openssh-5.8p1/monitor.h.audit3 2008-11-05 06:20:46.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.h 2011-02-09 21:51:19.000000000 +0100
|
||||
@@ -66,6 +66,8 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2,
|
||||
MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM,
|
||||
@ -424,10 +424,10 @@ diff -up openssh-5.6p1/monitor.h.audit3 openssh-5.6p1/monitor.h
|
||||
};
|
||||
|
||||
struct mm_master;
|
||||
diff -up openssh-5.6p1/monitor_wrap.c.audit3 openssh-5.6p1/monitor_wrap.c
|
||||
--- openssh-5.6p1/monitor_wrap.c.audit3 2010-03-07 13:05:17.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor_wrap.c 2010-12-10 22:17:32.000000000 +0100
|
||||
@@ -1411,3 +1411,38 @@ mm_jpake_check_confirm(const BIGNUM *k,
|
||||
diff -up openssh-5.8p1/monitor_wrap.c.audit3 openssh-5.8p1/monitor_wrap.c
|
||||
--- openssh-5.8p1/monitor_wrap.c.audit3 2010-08-31 14:41:14.000000000 +0200
|
||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-09 21:51:19.000000000 +0100
|
||||
@@ -1412,3 +1412,38 @@ mm_jpake_check_confirm(const BIGNUM *k,
|
||||
return success;
|
||||
}
|
||||
#endif /* JPAKE */
|
||||
@ -466,9 +466,9 @@ diff -up openssh-5.6p1/monitor_wrap.c.audit3 openssh-5.6p1/monitor_wrap.c
|
||||
+ buffer_free(&m);
|
||||
+}
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.6p1/monitor_wrap.h.audit3 openssh-5.6p1/monitor_wrap.h
|
||||
--- openssh-5.6p1/monitor_wrap.h.audit3 2009-03-05 14:58:22.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor_wrap.h 2010-12-10 22:17:32.000000000 +0100
|
||||
diff -up openssh-5.8p1/monitor_wrap.h.audit3 openssh-5.8p1/monitor_wrap.h
|
||||
--- openssh-5.8p1/monitor_wrap.h.audit3 2009-03-05 14:58:22.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-09 21:51:19.000000000 +0100
|
||||
@@ -74,6 +74,8 @@ void mm_sshpam_free_ctx(void *);
|
||||
#include "audit.h"
|
||||
void mm_audit_event(ssh_audit_event_t);
|
||||
@ -478,9 +478,9 @@ diff -up openssh-5.6p1/monitor_wrap.h.audit3 openssh-5.6p1/monitor_wrap.h
|
||||
#endif
|
||||
|
||||
struct Session;
|
||||
diff -up openssh-5.6p1/sshd.c.audit3 openssh-5.6p1/sshd.c
|
||||
--- openssh-5.6p1/sshd.c.audit3 2010-04-16 07:56:22.000000000 +0200
|
||||
+++ openssh-5.6p1/sshd.c 2010-12-10 22:17:32.000000000 +0100
|
||||
diff -up openssh-5.8p1/sshd.c.audit3 openssh-5.8p1/sshd.c
|
||||
--- openssh-5.8p1/sshd.c.audit3 2011-01-11 07:20:31.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-09 21:51:19.000000000 +0100
|
||||
@@ -118,6 +118,7 @@
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
@ -489,7 +489,7 @@ diff -up openssh-5.6p1/sshd.c.audit3 openssh-5.6p1/sshd.c
|
||||
#include "version.h"
|
||||
|
||||
#ifdef LIBWRAP
|
||||
@@ -2177,6 +2178,10 @@ do_ssh1_kex(void)
|
||||
@@ -2182,6 +2183,10 @@ do_ssh1_kex(void)
|
||||
if (cookie[i] != packet_get_char())
|
||||
packet_disconnect("IP Spoofing check bytes do not match.");
|
||||
|
||||
445
openssh-5.8p1-audit4.patch
Normal file
445
openssh-5.8p1-audit4.patch
Normal file
@ -0,0 +1,445 @@
|
||||
diff -up openssh-5.8p1/audit-bsm.c.audit4 openssh-5.8p1/audit-bsm.c
|
||||
--- openssh-5.8p1/audit-bsm.c.audit4 2011-02-09 22:24:22.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-09 22:24:22.000000000 +0100
|
||||
@@ -395,4 +395,10 @@ audit_kex_body(int ctos, char *enc, char
|
||||
{
|
||||
/* not implemented */
|
||||
}
|
||||
+
|
||||
+void
|
||||
+audit_session_key_free_body(int ctos)
|
||||
+{
|
||||
+ /* not implemented */
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff -up openssh-5.8p1/audit.c.audit4 openssh-5.8p1/audit.c
|
||||
--- openssh-5.8p1/audit.c.audit4 2011-02-09 22:24:22.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-09 22:24:22.000000000 +0100
|
||||
@@ -152,6 +152,12 @@ audit_kex(int ctos, char *enc, char *mac
|
||||
PRIVSEP(audit_kex_body(ctos, enc, mac, comp));
|
||||
}
|
||||
|
||||
+void
|
||||
+audit_session_key_free(int ctos)
|
||||
+{
|
||||
+ PRIVSEP(audit_session_key_free_body(ctos));
|
||||
+}
|
||||
+
|
||||
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
||||
/*
|
||||
* Null implementations of audit functions.
|
||||
@@ -254,5 +260,13 @@ audit_kex_body(int ctos, char *enc, char
|
||||
debug("audit procol negotiation euid %d direction %d cipher %s mac %s compresion %s",
|
||||
geteuid(), ctos, enc, mac, compress);
|
||||
}
|
||||
+
|
||||
+/*
|
||||
+ * This will be called on succesfull session key discard
|
||||
+ */
|
||||
+audit_session_key_free_body(int ctos)
|
||||
+{
|
||||
+ debug("audit session key discard euid %d direction %d", geteuid(), ctos);
|
||||
+}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/audit.h.audit4 openssh-5.8p1/audit.h
|
||||
--- openssh-5.8p1/audit.h.audit4 2011-02-09 22:24:22.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-09 22:24:22.000000000 +0100
|
||||
@@ -60,5 +60,7 @@ void audit_unsupported(int);
|
||||
void audit_kex(int, char *, char *, char *);
|
||||
void audit_unsupported_body(int);
|
||||
void audit_kex_body(int, char *, char *, char *);
|
||||
+void audit_session_key_free(int ctos);
|
||||
+void audit_session_key_free_body(int ctos);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c
|
||||
--- openssh-5.8p1/audit-linux.c.audit4 2011-02-09 22:24:22.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-09 22:24:22.000000000 +0100
|
||||
@@ -179,13 +179,14 @@ audit_unsupported_body(int what)
|
||||
#endif
|
||||
}
|
||||
|
||||
+const static char *direction[] = { "from-server", "from-client", "both" };
|
||||
+
|
||||
void
|
||||
audit_kex_body(int ctos, char *enc, char *mac, char *compress)
|
||||
{
|
||||
#ifdef AUDIT_CRYPTO_SESSION
|
||||
char buf[AUDIT_LOG_SIZE];
|
||||
int audit_fd, audit_ok;
|
||||
- const static char *direction[] = { "from-server", "from-client", "both" };
|
||||
Cipher *cipher = cipher_by_name(enc);
|
||||
|
||||
snprintf(buf, sizeof(buf), "start direction=%s cipher=%s, ksize=%d rport=%d laddr=%s lport=%d",
|
||||
@@ -208,4 +209,26 @@ audit_kex_body(int ctos, char *enc, char
|
||||
#endif
|
||||
}
|
||||
|
||||
+void
|
||||
+audit_session_key_free_body(int ctos)
|
||||
+{
|
||||
+ char buf[AUDIT_LOG_SIZE];
|
||||
+ int audit_fd, audit_ok;
|
||||
+
|
||||
+ snprintf(buf, sizeof(buf), "destroy kind=session direction=%s", direction[ctos]);
|
||||
+ audit_fd = audit_open();
|
||||
+ if (audit_fd < 0) {
|
||||
+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
|
||||
+ errno != EAFNOSUPPORT)
|
||||
+ error("cannot open audit");
|
||||
+ return;
|
||||
+ }
|
||||
+ audit_ok = audit_log_acct_message(audit_fd, AUDIT_CRYPTO_KEY_USER, NULL,
|
||||
+ buf, NULL, -1, NULL, get_remote_ipaddr(), NULL, 1);
|
||||
+ audit_close(audit_fd);
|
||||
+ /* do not abort if the error is EPERM and sshd is run as non root user */
|
||||
+ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
|
||||
+ error("cannot write into audit");
|
||||
+}
|
||||
+
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff -up openssh-5.8p1/auditstub.c.audit4 openssh-5.8p1/auditstub.c
|
||||
--- openssh-5.8p1/auditstub.c.audit4 2011-02-09 22:24:22.000000000 +0100
|
||||
+++ openssh-5.8p1/auditstub.c 2011-02-09 22:24:22.000000000 +0100
|
||||
@@ -37,3 +37,7 @@ audit_kex(int ctos, char *enc, char *mac
|
||||
{
|
||||
}
|
||||
|
||||
+void
|
||||
+audit_session_key_free(int ctos)
|
||||
+{
|
||||
+}
|
||||
diff -up openssh-5.8p1/kex.c.audit4 openssh-5.8p1/kex.c
|
||||
--- openssh-5.8p1/kex.c.audit4 2011-02-09 22:24:22.000000000 +0100
|
||||
+++ openssh-5.8p1/kex.c 2011-02-09 22:24:22.000000000 +0100
|
||||
@@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
|
||||
fprintf(stderr, "\n");
|
||||
}
|
||||
#endif
|
||||
+
|
||||
+static void
|
||||
+enc_destroy(Enc *enc)
|
||||
+{
|
||||
+ if (enc == NULL)
|
||||
+ return;
|
||||
+
|
||||
+ if (enc->key) {
|
||||
+ memset(enc->key, 0, enc->key_len);
|
||||
+ xfree(enc->key);
|
||||
+ }
|
||||
+
|
||||
+ if (enc->iv) {
|
||||
+ memset(enc->iv, 0, enc->block_size);
|
||||
+ xfree(enc->iv);
|
||||
+ }
|
||||
+
|
||||
+ memset(enc, 0, sizeof(*enc));
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+newkeys_destroy(Newkeys *newkeys)
|
||||
+{
|
||||
+ if (newkeys == NULL)
|
||||
+ return;
|
||||
+
|
||||
+ enc_destroy(&newkeys->enc);
|
||||
+ mac_destroy(&newkeys->mac);
|
||||
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp));
|
||||
+}
|
||||
+
|
||||
diff -up openssh-5.8p1/kex.h.audit4 openssh-5.8p1/kex.h
|
||||
--- openssh-5.8p1/kex.h.audit4 2010-09-24 14:11:14.000000000 +0200
|
||||
+++ openssh-5.8p1/kex.h 2011-02-09 22:24:22.000000000 +0100
|
||||
@@ -156,6 +156,8 @@ void kexgex_server(Kex *);
|
||||
void kexecdh_client(Kex *);
|
||||
void kexecdh_server(Kex *);
|
||||
|
||||
+void newkeys_destroy(Newkeys *newkeys);
|
||||
+
|
||||
void
|
||||
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
|
||||
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
|
||||
diff -up openssh-5.8p1/mac.c.audit4 openssh-5.8p1/mac.c
|
||||
--- openssh-5.8p1/mac.c.audit4 2008-06-13 02:58:50.000000000 +0200
|
||||
+++ openssh-5.8p1/mac.c 2011-02-09 22:24:22.000000000 +0100
|
||||
@@ -162,6 +162,20 @@ mac_clear(Mac *mac)
|
||||
mac->umac_ctx = NULL;
|
||||
}
|
||||
|
||||
+void
|
||||
+mac_destroy(Mac *mac)
|
||||
+{
|
||||
+ if (mac == NULL)
|
||||
+ return;
|
||||
+
|
||||
+ if (mac->key) {
|
||||
+ memset(mac->key, 0, mac->key_len);
|
||||
+ xfree(mac->key);
|
||||
+ }
|
||||
+
|
||||
+ memset(mac, 0, sizeof(*mac));
|
||||
+}
|
||||
+
|
||||
/* XXX copied from ciphers_valid */
|
||||
#define MAC_SEP ","
|
||||
int
|
||||
diff -up openssh-5.8p1/mac.h.audit4 openssh-5.8p1/mac.h
|
||||
--- openssh-5.8p1/mac.h.audit4 2007-06-11 06:01:42.000000000 +0200
|
||||
+++ openssh-5.8p1/mac.h 2011-02-09 22:24:22.000000000 +0100
|
||||
@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *);
|
||||
int mac_init(Mac *);
|
||||
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
|
||||
void mac_clear(Mac *);
|
||||
+void mac_destroy(Mac *);
|
||||
diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
|
||||
--- openssh-5.8p1/monitor.c.audit4 2011-02-09 22:24:22.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-09 22:24:22.000000000 +0100
|
||||
@@ -180,6 +180,7 @@ int mm_answer_audit_event(int, Buffer *)
|
||||
int mm_answer_audit_command(int, Buffer *);
|
||||
int mm_answer_audit_unsupported_body(int, Buffer *);
|
||||
int mm_answer_audit_kex_body(int, Buffer *);
|
||||
+int mm_answer_audit_session_key_free_body(int, Buffer *);
|
||||
#endif
|
||||
|
||||
static Authctxt *authctxt;
|
||||
@@ -230,6 +231,7 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||
#endif
|
||||
#ifdef BSD_AUTH
|
||||
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
||||
@@ -268,6 +270,7 @@ struct mon_table mon_dispatch_postauth20
|
||||
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -301,6 +304,7 @@ struct mon_table mon_dispatch_proto15[]
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -314,6 +318,7 @@ struct mon_table mon_dispatch_postauth15
|
||||
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -2253,4 +2258,18 @@ mm_answer_audit_kex_body(int sock, Buffe
|
||||
return 0;
|
||||
}
|
||||
|
||||
+int
|
||||
+mm_answer_audit_session_key_free_body(int sock, Buffer *m)
|
||||
+{
|
||||
+ int ctos;
|
||||
+
|
||||
+ ctos = buffer_get_int(m);
|
||||
+
|
||||
+ audit_session_key_free_body(ctos);
|
||||
+
|
||||
+ buffer_clear(m);
|
||||
+
|
||||
+ mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);
|
||||
+ return 0;
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/monitor.h.audit4 openssh-5.8p1/monitor.h
|
||||
--- openssh-5.8p1/monitor.h.audit4 2011-02-09 22:24:22.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.h 2011-02-09 22:24:22.000000000 +0100
|
||||
@@ -68,6 +68,7 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,
|
||||
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
||||
MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
|
||||
+ MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
|
||||
};
|
||||
|
||||
struct mm_master;
|
||||
diff -up openssh-5.8p1/monitor_wrap.c.audit4 openssh-5.8p1/monitor_wrap.c
|
||||
--- openssh-5.8p1/monitor_wrap.c.audit4 2011-02-09 22:24:22.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-09 22:24:22.000000000 +0100
|
||||
@@ -1446,4 +1446,17 @@ mm_audit_kex_body(int ctos, char *cipher
|
||||
|
||||
buffer_free(&m);
|
||||
}
|
||||
+
|
||||
+void
|
||||
+mm_audit_session_key_free_body(int ctos)
|
||||
+{
|
||||
+ Buffer m;
|
||||
+
|
||||
+ buffer_init(&m);
|
||||
+ buffer_put_int(&m, ctos);
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SESSION_KEY_FREE, &m);
|
||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
|
||||
+ &m);
|
||||
+ buffer_free(&m);
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/monitor_wrap.h.audit4 openssh-5.8p1/monitor_wrap.h
|
||||
--- openssh-5.8p1/monitor_wrap.h.audit4 2011-02-09 22:24:22.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-09 22:24:22.000000000 +0100
|
||||
@@ -76,6 +76,7 @@ void mm_audit_event(ssh_audit_event_t);
|
||||
void mm_audit_run_command(const char *);
|
||||
void mm_audit_unsupported_body(int);
|
||||
void mm_audit_kex_body(int, char *, char *, char *);
|
||||
+void mm_audit_session_key_free_body(int);
|
||||
#endif
|
||||
|
||||
struct Session;
|
||||
diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
|
||||
--- openssh-5.8p1/packet.c.audit4 2010-11-24 00:46:37.000000000 +0100
|
||||
+++ openssh-5.8p1/packet.c 2011-02-09 22:24:22.000000000 +0100
|
||||
@@ -497,6 +497,7 @@ packet_close(void)
|
||||
}
|
||||
cipher_cleanup(&active_state->send_context);
|
||||
cipher_cleanup(&active_state->receive_context);
|
||||
+ audit_session_key_free(2);
|
||||
}
|
||||
|
||||
/* Sets remote side protocol flags. */
|
||||
@@ -756,6 +757,7 @@ set_newkeys(int mode)
|
||||
}
|
||||
if (active_state->newkeys[mode] != NULL) {
|
||||
debug("set_newkeys: rekeying");
|
||||
+ audit_session_key_free(mode);
|
||||
cipher_cleanup(cc);
|
||||
enc = &active_state->newkeys[mode]->enc;
|
||||
mac = &active_state->newkeys[mode]->mac;
|
||||
@@ -1912,6 +1914,34 @@ packet_get_newkeys(int mode)
|
||||
return (void *)active_state->newkeys[mode];
|
||||
}
|
||||
|
||||
+static void
|
||||
+packet_destroy_state(struct session_state *state)
|
||||
+{
|
||||
+ if (state == NULL)
|
||||
+ return;
|
||||
+
|
||||
+ cipher_cleanup(&state->receive_context);
|
||||
+ cipher_cleanup(&state->send_context);
|
||||
+
|
||||
+ buffer_free(&state->input);
|
||||
+ buffer_free(&state->output);
|
||||
+ buffer_free(&state->outgoing_packet);
|
||||
+ buffer_free(&state->incoming_packet);
|
||||
+ buffer_free(&state->compression_buffer);
|
||||
+ newkeys_destroy(state->newkeys[MODE_IN]);
|
||||
+ newkeys_destroy(state->newkeys[MODE_OUT]);
|
||||
+ mac_destroy(state->packet_discard_mac);
|
||||
+// TAILQ_HEAD(, packet) outgoing;
|
||||
+// memset(state, 0, sizeof(state));
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+packet_destroy_all(void)
|
||||
+{
|
||||
+ packet_destroy_state(active_state);
|
||||
+ packet_destroy_state(backup_state);
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Save the state for the real connection, and use a separate state when
|
||||
* resuming a suspended connection.
|
||||
@@ -1919,18 +1949,12 @@ packet_get_newkeys(int mode)
|
||||
void
|
||||
packet_backup_state(void)
|
||||
{
|
||||
- struct session_state *tmp;
|
||||
-
|
||||
close(active_state->connection_in);
|
||||
active_state->connection_in = -1;
|
||||
close(active_state->connection_out);
|
||||
active_state->connection_out = -1;
|
||||
- if (backup_state)
|
||||
- tmp = backup_state;
|
||||
- else
|
||||
- tmp = alloc_session_state();
|
||||
backup_state = active_state;
|
||||
- active_state = tmp;
|
||||
+ active_state = alloc_session_state();
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1947,9 +1971,7 @@ packet_restore_state(void)
|
||||
backup_state = active_state;
|
||||
active_state = tmp;
|
||||
active_state->connection_in = backup_state->connection_in;
|
||||
- backup_state->connection_in = -1;
|
||||
active_state->connection_out = backup_state->connection_out;
|
||||
- backup_state->connection_out = -1;
|
||||
len = buffer_len(&backup_state->input);
|
||||
if (len > 0) {
|
||||
buf = buffer_ptr(&backup_state->input);
|
||||
@@ -1957,4 +1979,10 @@ packet_restore_state(void)
|
||||
buffer_clear(&backup_state->input);
|
||||
add_recv_bytes(len);
|
||||
}
|
||||
+ backup_state->connection_in = -1;
|
||||
+ backup_state->connection_out = -1;
|
||||
+ packet_destroy_state(backup_state);
|
||||
+ xfree(backup_state);
|
||||
+ backup_state = NULL;
|
||||
}
|
||||
+
|
||||
diff -up openssh-5.8p1/packet.h.audit4 openssh-5.8p1/packet.h
|
||||
--- openssh-5.8p1/packet.h.audit4 2010-11-20 05:19:38.000000000 +0100
|
||||
+++ openssh-5.8p1/packet.h 2011-02-09 22:24:22.000000000 +0100
|
||||
@@ -125,4 +125,5 @@ void packet_restore_state(void);
|
||||
void *packet_get_input(void);
|
||||
void *packet_get_output(void);
|
||||
|
||||
+void packet_destroy_all(void);
|
||||
#endif /* PACKET_H */
|
||||
diff -up openssh-5.8p1/sshd.c.audit4 openssh-5.8p1/sshd.c
|
||||
--- openssh-5.8p1/sshd.c.audit4 2011-02-09 22:24:22.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-09 22:24:22.000000000 +0100
|
||||
@@ -663,6 +663,8 @@ privsep_preauth(Authctxt *authctxt)
|
||||
return (0);
|
||||
}
|
||||
|
||||
+extern Newkeys *current_keys[];
|
||||
+
|
||||
static void
|
||||
privsep_postauth(Authctxt *authctxt)
|
||||
{
|
||||
@@ -688,6 +690,10 @@ privsep_postauth(Authctxt *authctxt)
|
||||
verbose("User child is on pid %ld", (long)pmonitor->m_pid);
|
||||
close(pmonitor->m_recvfd);
|
||||
buffer_clear(&loginmsg);
|
||||
+ newkeys_destroy(current_keys[MODE_OUT]);
|
||||
+ newkeys_destroy(current_keys[MODE_IN]);
|
||||
+ packet_destroy_all();
|
||||
+ audit_session_key_free_body(2);
|
||||
monitor_child_postauth(pmonitor);
|
||||
|
||||
/* NEVERREACHED */
|
||||
@@ -1974,6 +1980,8 @@ main(int ac, char **av)
|
||||
*/
|
||||
if (use_privsep) {
|
||||
mm_send_keystate(pmonitor);
|
||||
+ packet_destroy_all();
|
||||
+ audit_session_key_free(2);
|
||||
exit(0);
|
||||
}
|
||||
|
||||
@@ -2026,6 +2034,9 @@ main(int ac, char **av)
|
||||
do_authenticated(authctxt);
|
||||
|
||||
/* The connection has been terminated. */
|
||||
+ packet_destroy_all();
|
||||
+ audit_session_key_free(2);
|
||||
+
|
||||
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
|
||||
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
|
||||
verbose("Transferred: sent %llu, received %llu bytes",
|
||||
215
openssh-5.8p1-audit5.patch
Normal file
215
openssh-5.8p1-audit5.patch
Normal file
@ -0,0 +1,215 @@
|
||||
diff -up openssh-5.8p1/audit-bsm.c.audit5 openssh-5.8p1/audit-bsm.c
|
||||
--- openssh-5.8p1/audit-bsm.c.audit5 2011-02-09 22:33:51.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-09 22:33:52.000000000 +0100
|
||||
@@ -401,4 +401,10 @@ audit_session_key_free_body(int ctos)
|
||||
{
|
||||
/* not implemented */
|
||||
}
|
||||
+
|
||||
+void
|
||||
+audit_destroy_sensitive_data(void)
|
||||
+{
|
||||
+ /* not implemented */
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff -up openssh-5.8p1/audit.c.audit5 openssh-5.8p1/audit.c
|
||||
--- openssh-5.8p1/audit.c.audit5 2011-02-09 22:33:51.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-09 22:33:52.000000000 +0100
|
||||
@@ -268,5 +268,14 @@ audit_session_key_free_body(int ctos)
|
||||
{
|
||||
debug("audit session key discard euid %d direction %d", geteuid(), ctos);
|
||||
}
|
||||
+
|
||||
+/*
|
||||
+ * This will be called on destroy private part of the server key
|
||||
+ */
|
||||
+void
|
||||
+audit_destroy_sensitive_data(void)
|
||||
+{
|
||||
+ debug("audit destroy sensitive data euid %d", geteuid());
|
||||
+}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/audit.h.audit5 openssh-5.8p1/audit.h
|
||||
--- openssh-5.8p1/audit.h.audit5 2011-02-09 22:33:51.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-09 22:33:52.000000000 +0100
|
||||
@@ -62,5 +62,6 @@ void audit_unsupported_body(int);
|
||||
void audit_kex_body(int, char *, char *, char *);
|
||||
void audit_session_key_free(int ctos);
|
||||
void audit_session_key_free_body(int ctos);
|
||||
+void audit_destroy_sensitive_data(void);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.8p1/audit-linux.c.audit5 openssh-5.8p1/audit-linux.c
|
||||
--- openssh-5.8p1/audit-linux.c.audit5 2011-02-09 22:33:51.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-09 22:33:52.000000000 +0100
|
||||
@@ -231,4 +231,26 @@ audit_session_key_free_body(int ctos)
|
||||
error("cannot write into audit");
|
||||
}
|
||||
|
||||
+void
|
||||
+audit_destroy_sensitive_data(void)
|
||||
+{
|
||||
+ char buf[AUDIT_LOG_SIZE];
|
||||
+ int audit_fd, audit_ok;
|
||||
+
|
||||
+ snprintf(buf, sizeof(buf), "destroy kind=server direction=?");
|
||||
+ audit_fd = audit_open();
|
||||
+ if (audit_fd < 0) {
|
||||
+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
|
||||
+ errno != EAFNOSUPPORT)
|
||||
+ error("cannot open audit");
|
||||
+ return;
|
||||
+ }
|
||||
+ audit_ok = audit_log_acct_message(audit_fd, AUDIT_CRYPTO_KEY_USER, NULL,
|
||||
+ buf, NULL, -1, NULL, get_remote_ipaddr(), NULL, 1);
|
||||
+ audit_close(audit_fd);
|
||||
+ /* do not abort if the error is EPERM and sshd is run as non root user */
|
||||
+ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
|
||||
+ error("cannot write into audit");
|
||||
+}
|
||||
+
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
|
||||
--- openssh-5.8p1/monitor.c.audit5 2011-02-09 22:33:52.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-09 22:33:52.000000000 +0100
|
||||
@@ -181,6 +181,7 @@ int mm_answer_audit_command(int, Buffer
|
||||
int mm_answer_audit_unsupported_body(int, Buffer *);
|
||||
int mm_answer_audit_kex_body(int, Buffer *);
|
||||
int mm_answer_audit_session_key_free_body(int, Buffer *);
|
||||
+int mm_answer_audit_server_key_free(int, Buffer *);
|
||||
#endif
|
||||
|
||||
static Authctxt *authctxt;
|
||||
@@ -232,6 +233,7 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||
+ {MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
|
||||
#endif
|
||||
#ifdef BSD_AUTH
|
||||
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
||||
@@ -271,6 +273,7 @@ struct mon_table mon_dispatch_postauth20
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||
+ {MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -305,6 +308,7 @@ struct mon_table mon_dispatch_proto15[]
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||
+ {MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -319,6 +323,7 @@ struct mon_table mon_dispatch_postauth15
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||
+ {MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -2272,4 +2277,15 @@ mm_answer_audit_session_key_free_body(in
|
||||
mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+int
|
||||
+mm_answer_audit_server_key_free(int sock, Buffer *m)
|
||||
+{
|
||||
+ audit_destroy_sensitive_data();
|
||||
+
|
||||
+ buffer_clear(m);
|
||||
+
|
||||
+ mm_request_send(sock, MONITOR_ANS_AUDIT_SERVER_KEY_FREE, m);
|
||||
+ return 0;
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/monitor.h.audit5 openssh-5.8p1/monitor.h
|
||||
--- openssh-5.8p1/monitor.h.audit5 2011-02-09 22:33:52.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.h 2011-02-09 22:33:52.000000000 +0100
|
||||
@@ -69,6 +69,7 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
||||
MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
|
||||
MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
|
||||
+ MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MONITOR_ANS_AUDIT_SERVER_KEY_FREE,
|
||||
};
|
||||
|
||||
struct mm_master;
|
||||
diff -up openssh-5.8p1/monitor_wrap.c.audit5 openssh-5.8p1/monitor_wrap.c
|
||||
--- openssh-5.8p1/monitor_wrap.c.audit5 2011-02-09 22:33:52.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-09 22:33:52.000000000 +0100
|
||||
@@ -1459,4 +1459,16 @@ mm_audit_session_key_free_body(int ctos)
|
||||
&m);
|
||||
buffer_free(&m);
|
||||
}
|
||||
+
|
||||
+void
|
||||
+mm_audit_destroy_sensitive_data(void)
|
||||
+{
|
||||
+ Buffer m;
|
||||
+
|
||||
+ buffer_init(&m);
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
|
||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SERVER_KEY_FREE,
|
||||
+ &m);
|
||||
+ buffer_free(&m);
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/monitor_wrap.h.audit5 openssh-5.8p1/monitor_wrap.h
|
||||
--- openssh-5.8p1/monitor_wrap.h.audit5 2011-02-09 22:33:52.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-09 22:33:52.000000000 +0100
|
||||
@@ -77,6 +77,7 @@ void mm_audit_run_command(const char *);
|
||||
void mm_audit_unsupported_body(int);
|
||||
void mm_audit_kex_body(int, char *, char *, char *);
|
||||
void mm_audit_session_key_free_body(int);
|
||||
+void mm_audit_server_key_free_body(void);
|
||||
#endif
|
||||
|
||||
struct Session;
|
||||
diff -up openssh-5.8p1/session.c.audit5 openssh-5.8p1/session.c
|
||||
--- openssh-5.8p1/session.c.audit5 2010-12-01 02:02:59.000000000 +0100
|
||||
+++ openssh-5.8p1/session.c 2011-02-09 22:33:52.000000000 +0100
|
||||
@@ -1615,6 +1615,7 @@ do_child(Session *s, const char *command
|
||||
|
||||
/* remove hostkey from the child's memory */
|
||||
destroy_sensitive_data();
|
||||
+ PRIVSEP(audit_destroy_sensitive_data());
|
||||
|
||||
/* Force a password change */
|
||||
if (s->authctxt->force_pwchange) {
|
||||
diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
|
||||
--- openssh-5.8p1/sshd.c.audit5 2011-02-09 22:33:52.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-09 22:33:52.000000000 +0100
|
||||
@@ -579,6 +579,7 @@ demote_sensitive_data(void)
|
||||
}
|
||||
/* Certs do not need demotion */
|
||||
}
|
||||
+ audit_destroy_sensitive_data();
|
||||
|
||||
/* We do not clear ssh1_host key and cookie. XXX - Okay Niels? */
|
||||
}
|
||||
@@ -2023,8 +2024,10 @@ main(int ac, char **av)
|
||||
if (use_privsep) {
|
||||
privsep_postauth(authctxt);
|
||||
/* the monitor process [priv] will not return */
|
||||
- if (!compat20)
|
||||
+ if (!compat20) {
|
||||
destroy_sensitive_data();
|
||||
+ audit_destroy_sensitive_data();
|
||||
+ }
|
||||
}
|
||||
|
||||
packet_set_timeout(options.client_alive_interval,
|
||||
@@ -2265,6 +2268,7 @@ do_ssh1_kex(void)
|
||||
}
|
||||
/* Destroy the private and public keys. No longer. */
|
||||
destroy_sensitive_data();
|
||||
+ audit_destroy_sensitive_data();
|
||||
|
||||
if (use_privsep)
|
||||
mm_ssh1_session_id(session_id);
|
||||
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.6p1/auth2-pubkey.c.akc openssh-5.6p1/auth2-pubkey.c
|
||||
--- openssh-5.6p1/auth2-pubkey.c.akc 2010-09-03 15:24:51.000000000 +0200
|
||||
+++ openssh-5.6p1/auth2-pubkey.c 2010-09-03 15:24:51.000000000 +0200
|
||||
diff -up openssh-5.8p1/auth2-pubkey.c.akc openssh-5.8p1/auth2-pubkey.c
|
||||
--- openssh-5.8p1/auth2-pubkey.c.akc 2011-02-10 13:21:27.000000000 +0100
|
||||
+++ openssh-5.8p1/auth2-pubkey.c 2011-02-10 13:21:28.000000000 +0100
|
||||
@@ -27,6 +27,7 @@
|
||||
|
||||
#include <sys/types.h>
|
||||
@ -9,7 +9,7 @@ diff -up openssh-5.6p1/auth2-pubkey.c.akc openssh-5.6p1/auth2-pubkey.c
|
||||
|
||||
#include <fcntl.h>
|
||||
#include <pwd.h>
|
||||
@@ -264,27 +265,15 @@ match_principals_file(char *file, struct
|
||||
@@ -268,27 +269,15 @@ match_principals_file(char *file, struct
|
||||
|
||||
/* return 1 if user allows given key */
|
||||
static int
|
||||
@ -38,7 +38,7 @@ diff -up openssh-5.6p1/auth2-pubkey.c.akc openssh-5.6p1/auth2-pubkey.c
|
||||
found_key = 0;
|
||||
found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
|
||||
|
||||
@@ -377,8 +366,6 @@ user_key_allowed2(struct passwd *pw, Key
|
||||
@@ -381,8 +370,6 @@ user_key_allowed2(struct passwd *pw, Key
|
||||
break;
|
||||
}
|
||||
}
|
||||
@ -47,7 +47,7 @@ diff -up openssh-5.6p1/auth2-pubkey.c.akc openssh-5.6p1/auth2-pubkey.c
|
||||
key_free(found);
|
||||
if (!found_key)
|
||||
debug2("key not found");
|
||||
@@ -440,13 +427,191 @@ user_cert_trusted_ca(struct passwd *pw,
|
||||
@@ -444,13 +431,191 @@ user_cert_trusted_ca(struct passwd *pw,
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -240,10 +240,10 @@ diff -up openssh-5.6p1/auth2-pubkey.c.akc openssh-5.6p1/auth2-pubkey.c
|
||||
if (auth_key_is_revoked(key))
|
||||
return 0;
|
||||
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
|
||||
diff -up openssh-5.6p1/configure.ac.akc openssh-5.6p1/configure.ac
|
||||
--- openssh-5.6p1/configure.ac.akc 2010-09-03 15:24:51.000000000 +0200
|
||||
+++ openssh-5.6p1/configure.ac 2010-09-03 15:24:51.000000000 +0200
|
||||
@@ -1346,6 +1346,18 @@ AC_ARG_WITH(audit,
|
||||
diff -up openssh-5.8p1/configure.ac.akc openssh-5.8p1/configure.ac
|
||||
--- openssh-5.8p1/configure.ac.akc 2011-02-10 13:21:28.000000000 +0100
|
||||
+++ openssh-5.8p1/configure.ac 2011-02-10 13:21:28.000000000 +0100
|
||||
@@ -1422,6 +1422,18 @@ AC_ARG_WITH(audit,
|
||||
esac ]
|
||||
)
|
||||
|
||||
@ -262,7 +262,7 @@ diff -up openssh-5.6p1/configure.ac.akc openssh-5.6p1/configure.ac
|
||||
dnl Checks for library functions. Please keep in alphabetical order
|
||||
AC_CHECK_FUNCS( \
|
||||
arc4random \
|
||||
@@ -4209,6 +4221,7 @@ echo " Linux audit support
|
||||
@@ -4325,6 +4337,7 @@ echo " SELinux support
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
echo " TCP Wrappers support: $TCPW_MSG"
|
||||
@ -270,10 +270,10 @@ diff -up openssh-5.6p1/configure.ac.akc openssh-5.6p1/configure.ac
|
||||
echo " MD5 password support: $MD5_MSG"
|
||||
echo " libedit support: $LIBEDIT_MSG"
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
diff -up openssh-5.6p1/servconf.c.akc openssh-5.6p1/servconf.c
|
||||
--- openssh-5.6p1/servconf.c.akc 2010-09-03 15:24:50.000000000 +0200
|
||||
+++ openssh-5.6p1/servconf.c 2010-09-03 15:24:51.000000000 +0200
|
||||
@@ -129,6 +129,8 @@ initialize_server_options(ServerOptions
|
||||
diff -up openssh-5.8p1/servconf.c.akc openssh-5.8p1/servconf.c
|
||||
--- openssh-5.8p1/servconf.c.akc 2011-02-10 13:21:28.000000000 +0100
|
||||
+++ openssh-5.8p1/servconf.c 2011-02-10 13:28:21.000000000 +0100
|
||||
@@ -134,6 +134,8 @@ initialize_server_options(ServerOptions
|
||||
options->num_permitted_opens = -1;
|
||||
options->adm_forced_command = NULL;
|
||||
options->chroot_directory = NULL;
|
||||
@ -282,18 +282,18 @@ diff -up openssh-5.6p1/servconf.c.akc openssh-5.6p1/servconf.c
|
||||
options->zero_knowledge_password_authentication = -1;
|
||||
options->revoked_keys_file = NULL;
|
||||
options->trusted_user_ca_keys = NULL;
|
||||
@@ -316,6 +318,7 @@ typedef enum {
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
@@ -331,6 +333,7 @@ typedef enum {
|
||||
sZeroKnowledgePasswordAuthentication, sHostCertificate,
|
||||
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
||||
sKexAlgorithms, sIPQoS,
|
||||
+ sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs,
|
||||
sDeprecated, sUnsupported
|
||||
} ServerOpCodes;
|
||||
|
||||
@@ -439,6 +442,13 @@ static struct {
|
||||
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
|
||||
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
|
||||
@@ -456,6 +459,13 @@ static struct {
|
||||
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|
||||
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
|
||||
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
||||
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
|
||||
+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
|
||||
+ { "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL },
|
||||
@ -304,9 +304,9 @@ diff -up openssh-5.6p1/servconf.c.akc openssh-5.6p1/servconf.c
|
||||
{ NULL, sBadOption, 0 }
|
||||
};
|
||||
|
||||
@@ -1360,6 +1370,20 @@ process_server_config_line(ServerOptions
|
||||
charptr = &options->revoked_keys_file;
|
||||
goto parse_filename;
|
||||
@@ -1406,6 +1416,20 @@ process_server_config_line(ServerOptions
|
||||
}
|
||||
break;
|
||||
|
||||
+ case sAuthorizedKeysCommand:
|
||||
+ len = strspn(cp, WHITESPACE);
|
||||
@ -325,7 +325,7 @@ diff -up openssh-5.6p1/servconf.c.akc openssh-5.6p1/servconf.c
|
||||
case sDeprecated:
|
||||
logit("%s line %d: Deprecated option %s",
|
||||
filename, linenum, arg);
|
||||
@@ -1453,6 +1477,8 @@ copy_set_server_options(ServerOptions *d
|
||||
@@ -1499,6 +1523,8 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(gss_authentication);
|
||||
M_CP_INTOPT(rsa_authentication);
|
||||
M_CP_INTOPT(pubkey_authentication);
|
||||
@ -334,7 +334,7 @@ diff -up openssh-5.6p1/servconf.c.akc openssh-5.6p1/servconf.c
|
||||
M_CP_INTOPT(kerberos_authentication);
|
||||
M_CP_INTOPT(hostbased_authentication);
|
||||
M_CP_INTOPT(hostbased_uses_name_from_packet_only);
|
||||
@@ -1705,6 +1731,8 @@ dump_config(ServerOptions *o)
|
||||
@@ -1753,6 +1779,8 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
|
||||
dump_cfg_string(sAuthorizedPrincipalsFile,
|
||||
o->authorized_principals_file);
|
||||
@ -343,10 +343,10 @@ diff -up openssh-5.6p1/servconf.c.akc openssh-5.6p1/servconf.c
|
||||
|
||||
/* string arguments requiring a lookup */
|
||||
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
|
||||
diff -up openssh-5.6p1/servconf.h.akc openssh-5.6p1/servconf.h
|
||||
--- openssh-5.6p1/servconf.h.akc 2010-09-03 15:24:50.000000000 +0200
|
||||
+++ openssh-5.6p1/servconf.h 2010-09-03 15:24:51.000000000 +0200
|
||||
@@ -158,6 +158,8 @@ typedef struct {
|
||||
diff -up openssh-5.8p1/servconf.h.akc openssh-5.8p1/servconf.h
|
||||
--- openssh-5.8p1/servconf.h.akc 2011-02-10 13:21:28.000000000 +0100
|
||||
+++ openssh-5.8p1/servconf.h 2011-02-10 13:21:28.000000000 +0100
|
||||
@@ -161,6 +161,8 @@ typedef struct {
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
char *authorized_principals_file;
|
||||
@ -355,9 +355,9 @@ diff -up openssh-5.6p1/servconf.h.akc openssh-5.6p1/servconf.h
|
||||
} ServerOptions;
|
||||
|
||||
void initialize_server_options(ServerOptions *);
|
||||
diff -up openssh-5.6p1/sshd_config.0.akc openssh-5.6p1/sshd_config.0
|
||||
--- openssh-5.6p1/sshd_config.0.akc 2010-09-03 15:24:50.000000000 +0200
|
||||
+++ openssh-5.6p1/sshd_config.0 2010-09-03 15:27:26.000000000 +0200
|
||||
diff -up openssh-5.8p1/sshd_config.0.akc openssh-5.8p1/sshd_config.0
|
||||
--- openssh-5.8p1/sshd_config.0.akc 2011-02-10 13:21:28.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd_config.0 2011-02-10 13:21:28.000000000 +0100
|
||||
@@ -71,6 +71,23 @@ DESCRIPTION
|
||||
|
||||
See PATTERNS in ssh_config(5) for more information on patterns.
|
||||
@ -382,7 +382,7 @@ diff -up openssh-5.6p1/sshd_config.0.akc openssh-5.6p1/sshd_config.0
|
||||
AuthorizedKeysFile
|
||||
Specifies the file that contains the public keys that can be used
|
||||
for user authentication. The format is described in the
|
||||
@@ -375,7 +392,8 @@ DESCRIPTION
|
||||
@@ -398,7 +415,8 @@ DESCRIPTION
|
||||
|
||||
Only a subset of keywords may be used on the lines following a
|
||||
Match keyword. Available keywords are AllowAgentForwarding,
|
||||
@ -392,10 +392,10 @@ diff -up openssh-5.6p1/sshd_config.0.akc openssh-5.6p1/sshd_config.0
|
||||
Banner, ChrootDirectory, ForceCommand, GatewayPorts,
|
||||
GSSAPIAuthentication, HostbasedAuthentication,
|
||||
HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
|
||||
diff -up openssh-5.6p1/sshd_config.5.akc openssh-5.6p1/sshd_config.5
|
||||
--- openssh-5.6p1/sshd_config.5.akc 2010-09-03 15:24:50.000000000 +0200
|
||||
+++ openssh-5.6p1/sshd_config.5 2010-09-03 15:24:51.000000000 +0200
|
||||
@@ -654,6 +654,8 @@ Available keywords are
|
||||
diff -up openssh-5.8p1/sshd_config.5.akc openssh-5.8p1/sshd_config.5
|
||||
--- openssh-5.8p1/sshd_config.5.akc 2011-02-10 13:21:28.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd_config.5 2011-02-10 13:21:28.000000000 +0100
|
||||
@@ -703,6 +703,8 @@ Available keywords are
|
||||
.Cm AllowAgentForwarding ,
|
||||
.Cm AllowTcpForwarding ,
|
||||
.Cm AuthorizedKeysFile ,
|
||||
@ -404,7 +404,7 @@ diff -up openssh-5.6p1/sshd_config.5.akc openssh-5.6p1/sshd_config.5
|
||||
.Cm AuthorizedPrincipalsFile ,
|
||||
.Cm Banner ,
|
||||
.Cm ChrootDirectory ,
|
||||
@@ -666,6 +668,7 @@ Available keywords are
|
||||
@@ -715,6 +717,7 @@ Available keywords are
|
||||
.Cm KerberosAuthentication ,
|
||||
.Cm MaxAuthTries ,
|
||||
.Cm MaxSessions ,
|
||||
@ -412,7 +412,7 @@ diff -up openssh-5.6p1/sshd_config.5.akc openssh-5.6p1/sshd_config.5
|
||||
.Cm PasswordAuthentication ,
|
||||
.Cm PermitEmptyPasswords ,
|
||||
.Cm PermitOpen ,
|
||||
@@ -868,6 +871,20 @@ Specifies a list of revoked public keys.
|
||||
@@ -917,6 +920,20 @@ Specifies a list of revoked public keys.
|
||||
Keys listed in this file will be refused for public key authentication.
|
||||
Note that if this file is not readable, then public key authentication will
|
||||
be refused for all users.
|
||||
@ -433,10 +433,10 @@ diff -up openssh-5.6p1/sshd_config.5.akc openssh-5.6p1/sshd_config.5
|
||||
.It Cm RhostsRSAAuthentication
|
||||
Specifies whether rhosts or /etc/hosts.equiv authentication together
|
||||
with successful RSA host authentication is allowed.
|
||||
diff -up openssh-5.6p1/sshd_config.akc openssh-5.6p1/sshd_config
|
||||
--- openssh-5.6p1/sshd_config.akc 2010-09-03 15:24:50.000000000 +0200
|
||||
+++ openssh-5.6p1/sshd_config 2010-09-03 15:24:51.000000000 +0200
|
||||
@@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV
|
||||
diff -up openssh-5.8p1/sshd_config.akc openssh-5.8p1/sshd_config
|
||||
--- openssh-5.8p1/sshd_config.akc 2011-02-10 13:21:28.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd_config 2011-02-10 13:21:28.000000000 +0100
|
||||
@@ -46,6 +46,8 @@ SyslogFacility AUTHPRIV
|
||||
#RSAAuthentication yes
|
||||
#PubkeyAuthentication yes
|
||||
#AuthorizedKeysFile .ssh/authorized_keys
|
||||
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.6p1/audit.c.fips openssh-5.6p1/audit.c
|
||||
--- openssh-5.6p1/audit.c.fips 2011-01-16 23:45:01.000000000 +0100
|
||||
+++ openssh-5.6p1/audit.c 2011-01-16 23:45:59.000000000 +0100
|
||||
diff -up openssh-5.8p1/audit.c.fips openssh-5.8p1/audit.c
|
||||
--- openssh-5.8p1/audit.c.fips 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-14 10:10:41.000000000 +0100
|
||||
@@ -124,7 +124,7 @@ audit_key(int type, int *rv, const Key *
|
||||
"ssh-dsa",
|
||||
"unknown" };
|
||||
@ -10,9 +10,9 @@ diff -up openssh-5.6p1/audit.c.fips openssh-5.6p1/audit.c
|
||||
switch(key->type) {
|
||||
case KEY_RSA1:
|
||||
case KEY_RSA:
|
||||
diff -up openssh-5.6p1/auth2-pubkey.c.fips openssh-5.6p1/auth2-pubkey.c
|
||||
--- openssh-5.6p1/auth2-pubkey.c.fips 2011-01-16 23:41:58.000000000 +0100
|
||||
+++ openssh-5.6p1/auth2-pubkey.c 2011-01-16 23:41:59.000000000 +0100
|
||||
diff -up openssh-5.8p1/auth2-pubkey.c.fips openssh-5.8p1/auth2-pubkey.c
|
||||
--- openssh-5.8p1/auth2-pubkey.c.fips 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/auth2-pubkey.c 2011-02-14 10:10:41.000000000 +0100
|
||||
@@ -36,6 +36,7 @@
|
||||
#include <string.h>
|
||||
#include <time.h>
|
||||
@ -30,10 +30,10 @@ diff -up openssh-5.6p1/auth2-pubkey.c.fips openssh-5.6p1/auth2-pubkey.c
|
||||
verbose("Found matching %s key: %s",
|
||||
key_type(found), fp);
|
||||
xfree(fp);
|
||||
diff -up openssh-5.6p1/authfile.c.fips openssh-5.6p1/authfile.c
|
||||
--- openssh-5.6p1/authfile.c.fips 2010-08-05 05:05:16.000000000 +0200
|
||||
+++ openssh-5.6p1/authfile.c 2011-01-16 23:41:59.000000000 +0100
|
||||
@@ -146,8 +146,14 @@ key_save_private_rsa1(Key *key, const ch
|
||||
diff -up openssh-5.8p1/authfile.c.fips openssh-5.8p1/authfile.c
|
||||
--- openssh-5.8p1/authfile.c.fips 2010-12-01 02:03:39.000000000 +0100
|
||||
+++ openssh-5.8p1/authfile.c 2011-02-14 10:10:41.000000000 +0100
|
||||
@@ -145,8 +145,14 @@ key_private_rsa1_to_blob(Key *key, Buffe
|
||||
/* Allocate space for the private part of the key in the buffer. */
|
||||
cp = buffer_append_space(&encrypted, buffer_len(&buffer));
|
||||
|
||||
@ -50,8 +50,8 @@ diff -up openssh-5.6p1/authfile.c.fips openssh-5.6p1/authfile.c
|
||||
cipher_crypt(&ciphercontext, cp,
|
||||
buffer_ptr(&buffer), buffer_len(&buffer));
|
||||
cipher_cleanup(&ciphercontext);
|
||||
@@ -421,8 +427,14 @@ key_load_private_rsa1(int fd, const char
|
||||
cp = buffer_append_space(&decrypted, buffer_len(&buffer));
|
||||
@@ -447,8 +453,13 @@ key_parse_private_rsa1(Buffer *blob, con
|
||||
cp = buffer_append_space(&decrypted, buffer_len(blob));
|
||||
|
||||
/* Rest of the buffer is encrypted. Decrypt it using the passphrase. */
|
||||
- cipher_set_key_string(&ciphercontext, cipher, passphrase,
|
||||
@ -60,17 +60,16 @@ diff -up openssh-5.6p1/authfile.c.fips openssh-5.6p1/authfile.c
|
||||
+ CIPHER_DECRYPT) < 0) {
|
||||
+ error("cipher_set_key_string failed.");
|
||||
+ buffer_free(&decrypted);
|
||||
+ buffer_free(&buffer);
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
cipher_crypt(&ciphercontext, cp,
|
||||
buffer_ptr(&buffer), buffer_len(&buffer));
|
||||
buffer_ptr(blob), buffer_len(blob));
|
||||
cipher_cleanup(&ciphercontext);
|
||||
diff -up openssh-5.6p1/auth-rsa.c.fips openssh-5.6p1/auth-rsa.c
|
||||
--- openssh-5.6p1/auth-rsa.c.fips 2011-01-16 23:46:11.000000000 +0100
|
||||
+++ openssh-5.6p1/auth-rsa.c 2011-01-16 23:46:31.000000000 +0100
|
||||
@@ -122,7 +122,7 @@ auth_rsa_verify_response(Key *key, BIGNU
|
||||
diff -up openssh-5.8p1/auth-rsa.c.fips openssh-5.8p1/auth-rsa.c
|
||||
--- openssh-5.8p1/auth-rsa.c.fips 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/auth-rsa.c 2011-02-14 10:10:41.000000000 +0100
|
||||
@@ -119,7 +119,7 @@ auth_rsa_verify_response(Key *key, BIGNU
|
||||
rv = timingsafe_bcmp(response, mdbuf, 16) == 0;
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
@ -79,9 +78,9 @@ diff -up openssh-5.6p1/auth-rsa.c.fips openssh-5.6p1/auth-rsa.c
|
||||
if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa), fp, rv) == 0) {
|
||||
debug("unsuccessful audit");
|
||||
rv = 0;
|
||||
diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c
|
||||
--- openssh-5.6p1/cipher.c.fips 2011-01-16 23:41:56.000000000 +0100
|
||||
+++ openssh-5.6p1/cipher.c 2011-01-16 23:41:59.000000000 +0100
|
||||
diff -up openssh-5.8p1/cipher.c.fips openssh-5.8p1/cipher.c
|
||||
--- openssh-5.8p1/cipher.c.fips 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/cipher.c 2011-02-14 10:10:41.000000000 +0100
|
||||
@@ -40,6 +40,7 @@
|
||||
#include <sys/types.h>
|
||||
|
||||
@ -166,9 +165,9 @@ diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c
|
||||
}
|
||||
|
||||
/*
|
||||
diff -up openssh-5.6p1/cipher-ctr.c.fips openssh-5.6p1/cipher-ctr.c
|
||||
--- openssh-5.6p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200
|
||||
+++ openssh-5.6p1/cipher-ctr.c 2011-01-16 23:41:59.000000000 +0100
|
||||
diff -up openssh-5.8p1/cipher-ctr.c.fips openssh-5.8p1/cipher-ctr.c
|
||||
--- openssh-5.8p1/cipher-ctr.c.fips 2010-10-07 13:06:42.000000000 +0200
|
||||
+++ openssh-5.8p1/cipher-ctr.c 2011-02-14 10:10:41.000000000 +0100
|
||||
@@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
|
||||
aes_ctr.do_cipher = ssh_aes_ctr;
|
||||
#ifndef SSH_OLD_EVP
|
||||
@ -179,9 +178,9 @@ diff -up openssh-5.6p1/cipher-ctr.c.fips openssh-5.6p1/cipher-ctr.c
|
||||
#endif
|
||||
return (&aes_ctr);
|
||||
}
|
||||
diff -up openssh-5.6p1/cipher.h.fips openssh-5.6p1/cipher.h
|
||||
--- openssh-5.6p1/cipher.h.fips 2011-01-16 23:41:56.000000000 +0100
|
||||
+++ openssh-5.6p1/cipher.h 2011-01-16 23:41:59.000000000 +0100
|
||||
diff -up openssh-5.8p1/cipher.h.fips openssh-5.8p1/cipher.h
|
||||
--- openssh-5.8p1/cipher.h.fips 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/cipher.h 2011-02-14 10:10:41.000000000 +0100
|
||||
@@ -87,7 +87,7 @@ void cipher_init(CipherContext *, Ciphe
|
||||
const u_char *, u_int, int);
|
||||
void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
|
||||
@ -191,9 +190,9 @@ diff -up openssh-5.6p1/cipher.h.fips openssh-5.6p1/cipher.h
|
||||
u_int cipher_blocksize(const Cipher *);
|
||||
u_int cipher_keylen(const Cipher *);
|
||||
u_int cipher_is_cbc(const Cipher *);
|
||||
diff -up openssh-5.6p1/mac.c.fips openssh-5.6p1/mac.c
|
||||
--- openssh-5.6p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200
|
||||
+++ openssh-5.6p1/mac.c 2011-01-16 23:41:59.000000000 +0100
|
||||
diff -up openssh-5.8p1/mac.c.fips openssh-5.8p1/mac.c
|
||||
--- openssh-5.8p1/mac.c.fips 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/mac.c 2011-02-14 10:10:41.000000000 +0100
|
||||
@@ -28,6 +28,7 @@
|
||||
#include <sys/types.h>
|
||||
|
||||
@ -243,15 +242,15 @@ diff -up openssh-5.6p1/mac.c.fips openssh-5.6p1/mac.c
|
||||
|
||||
for (i = 0; macs[i].name; i++) {
|
||||
if (strcmp(name, macs[i].name) == 0) {
|
||||
diff -up openssh-5.6p1/Makefile.in.fips openssh-5.6p1/Makefile.in
|
||||
--- openssh-5.6p1/Makefile.in.fips 2011-01-16 23:41:58.000000000 +0100
|
||||
+++ openssh-5.6p1/Makefile.in 2011-01-16 23:41:59.000000000 +0100
|
||||
@@ -142,25 +142,25 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
diff -up openssh-5.8p1/Makefile.in.fips openssh-5.8p1/Makefile.in
|
||||
--- openssh-5.8p1/Makefile.in.fips 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/Makefile.in 2011-02-14 10:10:41.000000000 +0100
|
||||
@@ -145,25 +145,25 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
$(RANLIB) $@
|
||||
|
||||
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
||||
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS)
|
||||
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
|
||||
@ -278,7 +277,7 @@ diff -up openssh-5.6p1/Makefile.in.fips openssh-5.6p1/Makefile.in
|
||||
|
||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
||||
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
@@ -169,7 +169,7 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
|
||||
@@ -172,7 +172,7 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
|
||||
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
@ -287,10 +286,10 @@ diff -up openssh-5.6p1/Makefile.in.fips openssh-5.6p1/Makefile.in
|
||||
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
diff -up openssh-5.6p1/myproposal.h.fips openssh-5.6p1/myproposal.h
|
||||
--- openssh-5.6p1/myproposal.h.fips 2010-04-16 07:56:22.000000000 +0200
|
||||
+++ openssh-5.6p1/myproposal.h 2011-01-16 23:41:59.000000000 +0100
|
||||
@@ -58,7 +58,12 @@
|
||||
diff -up openssh-5.8p1/myproposal.h.fips openssh-5.8p1/myproposal.h
|
||||
--- openssh-5.8p1/myproposal.h.fips 2011-01-13 12:00:22.000000000 +0100
|
||||
+++ openssh-5.8p1/myproposal.h 2011-02-14 10:10:41.000000000 +0100
|
||||
@@ -81,7 +81,12 @@
|
||||
"hmac-sha1-96,hmac-md5-96"
|
||||
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
|
||||
#define KEX_DEFAULT_LANG ""
|
||||
@ -304,9 +303,9 @@ diff -up openssh-5.6p1/myproposal.h.fips openssh-5.6p1/myproposal.h
|
||||
|
||||
static char *myproposal[PROPOSAL_MAX] = {
|
||||
KEX_DEFAULT_KEX,
|
||||
diff -up openssh-5.6p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.6p1/openbsd-compat/bsd-arc4random.c
|
||||
--- openssh-5.6p1/openbsd-compat/bsd-arc4random.c.fips 2010-03-25 22:52:02.000000000 +0100
|
||||
+++ openssh-5.6p1/openbsd-compat/bsd-arc4random.c 2011-01-16 23:41:59.000000000 +0100
|
||||
diff -up openssh-5.8p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.8p1/openbsd-compat/bsd-arc4random.c
|
||||
--- openssh-5.8p1/openbsd-compat/bsd-arc4random.c.fips 2010-03-25 22:52:02.000000000 +0100
|
||||
+++ openssh-5.8p1/openbsd-compat/bsd-arc4random.c 2011-02-14 10:10:41.000000000 +0100
|
||||
@@ -39,6 +39,7 @@
|
||||
static int rc4_ready = 0;
|
||||
static RC4_KEY rc4;
|
||||
@ -348,9 +347,9 @@ diff -up openssh-5.6p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.6p1/openbs
|
||||
#endif /* !HAVE_ARC4RANDOM */
|
||||
|
||||
#ifndef HAVE_ARC4RANDOM_BUF
|
||||
diff -up openssh-5.6p1/ssh-add.c.fips openssh-5.6p1/ssh-add.c
|
||||
--- openssh-5.6p1/ssh-add.c.fips 2010-05-21 06:56:47.000000000 +0200
|
||||
+++ openssh-5.6p1/ssh-add.c 2011-01-16 23:41:59.000000000 +0100
|
||||
diff -up openssh-5.8p1/ssh-add.c.fips openssh-5.8p1/ssh-add.c
|
||||
--- openssh-5.8p1/ssh-add.c.fips 2010-11-11 04:17:02.000000000 +0100
|
||||
+++ openssh-5.8p1/ssh-add.c 2011-02-14 10:10:41.000000000 +0100
|
||||
@@ -42,6 +42,7 @@
|
||||
#include <sys/param.h>
|
||||
|
||||
@ -359,7 +358,7 @@ diff -up openssh-5.6p1/ssh-add.c.fips openssh-5.6p1/ssh-add.c
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
#include <fcntl.h>
|
||||
@@ -277,7 +278,7 @@ list_identities(AuthenticationConnection
|
||||
@@ -280,7 +281,7 @@ list_identities(AuthenticationConnection
|
||||
key = ssh_get_next_identity(ac, &comment, version)) {
|
||||
had_identities = 1;
|
||||
if (do_fp) {
|
||||
@ -368,9 +367,9 @@ diff -up openssh-5.6p1/ssh-add.c.fips openssh-5.6p1/ssh-add.c
|
||||
SSH_FP_HEX);
|
||||
printf("%d %s %s (%s)\n",
|
||||
key_size(key), fp, comment, key_type(key));
|
||||
diff -up openssh-5.6p1/ssh-agent.c.fips openssh-5.6p1/ssh-agent.c
|
||||
--- openssh-5.6p1/ssh-agent.c.fips 2010-04-16 07:56:22.000000000 +0200
|
||||
+++ openssh-5.6p1/ssh-agent.c 2011-01-16 23:41:59.000000000 +0100
|
||||
diff -up openssh-5.8p1/ssh-agent.c.fips openssh-5.8p1/ssh-agent.c
|
||||
--- openssh-5.8p1/ssh-agent.c.fips 2010-12-01 01:50:35.000000000 +0100
|
||||
+++ openssh-5.8p1/ssh-agent.c 2011-02-14 10:10:41.000000000 +0100
|
||||
@@ -51,6 +51,7 @@
|
||||
|
||||
#include <openssl/evp.h>
|
||||
@ -392,10 +391,10 @@ diff -up openssh-5.6p1/ssh-agent.c.fips openssh-5.6p1/ssh-agent.c
|
||||
ret = 0;
|
||||
xfree(p);
|
||||
|
||||
diff -up openssh-5.6p1/ssh.c.fips openssh-5.6p1/ssh.c
|
||||
--- openssh-5.6p1/ssh.c.fips 2010-08-16 17:59:31.000000000 +0200
|
||||
+++ openssh-5.6p1/ssh.c 2011-01-16 23:41:59.000000000 +0100
|
||||
@@ -72,6 +72,8 @@
|
||||
diff -up openssh-5.8p1/ssh.c.fips openssh-5.8p1/ssh.c
|
||||
--- openssh-5.8p1/ssh.c.fips 2011-02-04 01:42:15.000000000 +0100
|
||||
+++ openssh-5.8p1/ssh.c 2011-02-14 10:10:41.000000000 +0100
|
||||
@@ -73,6 +73,8 @@
|
||||
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
@ -404,7 +403,7 @@ diff -up openssh-5.6p1/ssh.c.fips openssh-5.6p1/ssh.c
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
@@ -235,6 +237,10 @@ main(int ac, char **av)
|
||||
@@ -234,6 +236,10 @@ main(int ac, char **av)
|
||||
sanitise_stdfd();
|
||||
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
@ -415,7 +414,7 @@ diff -up openssh-5.6p1/ssh.c.fips openssh-5.6p1/ssh.c
|
||||
init_rng();
|
||||
|
||||
/*
|
||||
@@ -301,6 +307,9 @@ main(int ac, char **av)
|
||||
@@ -300,6 +306,9 @@ main(int ac, char **av)
|
||||
"ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) {
|
||||
switch (opt) {
|
||||
case '1':
|
||||
@ -425,15 +424,15 @@ diff -up openssh-5.6p1/ssh.c.fips openssh-5.6p1/ssh.c
|
||||
options.protocol = SSH_PROTO_1;
|
||||
break;
|
||||
case '2':
|
||||
@@ -599,7 +608,6 @@ main(int ac, char **av)
|
||||
@@ -598,7 +607,6 @@ main(int ac, char **av)
|
||||
if (!host)
|
||||
usage();
|
||||
|
||||
- SSLeay_add_all_algorithms();
|
||||
- OpenSSL_add_all_algorithms();
|
||||
ERR_load_crypto_strings();
|
||||
|
||||
/* Initialize the command to execute on remote host. */
|
||||
@@ -685,6 +693,10 @@ main(int ac, char **av)
|
||||
@@ -684,6 +692,10 @@ main(int ac, char **av)
|
||||
|
||||
seed_rng();
|
||||
|
||||
@ -444,7 +443,7 @@ diff -up openssh-5.6p1/ssh.c.fips openssh-5.6p1/ssh.c
|
||||
if (options.user == NULL)
|
||||
options.user = xstrdup(pw->pw_name);
|
||||
|
||||
@@ -752,6 +764,12 @@ main(int ac, char **av)
|
||||
@@ -753,6 +765,12 @@ main(int ac, char **av)
|
||||
|
||||
timeout_ms = options.connection_timeout * 1000;
|
||||
|
||||
@ -457,9 +456,9 @@ diff -up openssh-5.6p1/ssh.c.fips openssh-5.6p1/ssh.c
|
||||
/* Open a connection to the remote host. */
|
||||
if (ssh_connect(host, &hostaddr, options.port,
|
||||
options.address_family, options.connection_attempts, &timeout_ms,
|
||||
diff -up openssh-5.6p1/sshconnect2.c.fips openssh-5.6p1/sshconnect2.c
|
||||
--- openssh-5.6p1/sshconnect2.c.fips 2011-01-16 23:41:59.000000000 +0100
|
||||
+++ openssh-5.6p1/sshconnect2.c 2011-01-16 23:41:59.000000000 +0100
|
||||
diff -up openssh-5.8p1/sshconnect2.c.fips openssh-5.8p1/sshconnect2.c
|
||||
--- openssh-5.8p1/sshconnect2.c.fips 2010-12-01 02:21:51.000000000 +0100
|
||||
+++ openssh-5.8p1/sshconnect2.c 2011-02-14 10:10:41.000000000 +0100
|
||||
@@ -44,6 +44,8 @@
|
||||
#include <vis.h>
|
||||
#endif
|
||||
@ -469,7 +468,7 @@ diff -up openssh-5.6p1/sshconnect2.c.fips openssh-5.6p1/sshconnect2.c
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
#include "xmalloc.h"
|
||||
@@ -116,6 +118,10 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
@@ -169,6 +171,10 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
if (options.ciphers != NULL) {
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
|
||||
@ -480,7 +479,7 @@ diff -up openssh-5.6p1/sshconnect2.c.fips openssh-5.6p1/sshconnect2.c
|
||||
}
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
|
||||
@@ -131,7 +137,11 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
@@ -184,7 +190,11 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
if (options.macs != NULL) {
|
||||
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
||||
@ -492,7 +491,7 @@ diff -up openssh-5.6p1/sshconnect2.c.fips openssh-5.6p1/sshconnect2.c
|
||||
if (options.hostkeyalgorithms != NULL)
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
||||
options.hostkeyalgorithms;
|
||||
@@ -529,8 +539,8 @@ input_userauth_pk_ok(int type, u_int32_t
|
||||
@@ -590,8 +600,8 @@ input_userauth_pk_ok(int type, u_int32_t
|
||||
key->type, pktype);
|
||||
goto done;
|
||||
}
|
||||
@ -503,10 +502,10 @@ diff -up openssh-5.6p1/sshconnect2.c.fips openssh-5.6p1/sshconnect2.c
|
||||
xfree(fp);
|
||||
|
||||
/*
|
||||
diff -up openssh-5.6p1/sshconnect.c.fips openssh-5.6p1/sshconnect.c
|
||||
--- openssh-5.6p1/sshconnect.c.fips 2010-04-18 00:08:21.000000000 +0200
|
||||
+++ openssh-5.6p1/sshconnect.c 2011-01-16 23:41:59.000000000 +0100
|
||||
@@ -40,6 +40,8 @@
|
||||
diff -up openssh-5.8p1/sshconnect.c.fips openssh-5.8p1/sshconnect.c
|
||||
--- openssh-5.8p1/sshconnect.c.fips 2011-01-16 13:17:59.000000000 +0100
|
||||
+++ openssh-5.8p1/sshconnect.c 2011-02-14 10:18:14.000000000 +0100
|
||||
@@ -41,6 +41,8 @@
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
@ -515,15 +514,37 @@ diff -up openssh-5.6p1/sshconnect.c.fips openssh-5.6p1/sshconnect.c
|
||||
#include "xmalloc.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
@@ -789,6 +791,7 @@ check_host_key(char *hostname, struct so
|
||||
@@ -705,6 +707,7 @@ check_host_key(char *hostname, struct so
|
||||
int len, cancelled_forwarding = 0;
|
||||
struct hostkeys *host_hostkeys, *ip_hostkeys;
|
||||
const struct hostkey_entry *host_found, *ip_found;
|
||||
+ int fips_on = FIPS_mode();
|
||||
|
||||
/*
|
||||
* Force accepting of the host key for loopback/localhost. The
|
||||
@@ -798,10 +801,10 @@ check_host_key(char *hostname, struct so
|
||||
"key for IP address '%.128s' to the list "
|
||||
"of known hosts.", type, ip);
|
||||
} else if (options.visual_host_key) {
|
||||
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- ra = key_fingerprint(host_key, SSH_FP_MD5,
|
||||
+ fp = key_fingerprint(host_key, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ ra = key_fingerprint(host_key, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5,
|
||||
SSH_FP_RANDOMART);
|
||||
- logit("Host key fingerprint is %s\n%s\n", fp, ra);
|
||||
+ logit("Host key %sfingerprint is %s\n%s\n", fips_on ? "SHA1 " : "", fp, ra);
|
||||
xfree(ra);
|
||||
xfree(fp);
|
||||
}
|
||||
@@ -830,6 +833,7 @@ check_host_key(char *hostname, struct so
|
||||
goto fail;
|
||||
} else if (options.strict_host_key_checking == 2) {
|
||||
char msg1[1024], msg2[1024];
|
||||
+ int fips_on = FIPS_mode();
|
||||
|
||||
if (show_other_keys(host, host_key))
|
||||
if (show_other_keys(host_hostkeys, host_key))
|
||||
snprintf(msg1, sizeof(msg1),
|
||||
@@ -797,8 +800,8 @@ check_host_key(char *hostname, struct so
|
||||
@@ -838,8 +842,8 @@ check_host_key(char *hostname, struct so
|
||||
else
|
||||
snprintf(msg1, sizeof(msg1), ".");
|
||||
/* The default */
|
||||
@ -534,7 +555,7 @@ diff -up openssh-5.6p1/sshconnect.c.fips openssh-5.6p1/sshconnect.c
|
||||
SSH_FP_RANDOMART);
|
||||
msg2[0] = '\0';
|
||||
if (options.verify_host_key_dns) {
|
||||
@@ -814,10 +817,10 @@ check_host_key(char *hostname, struct so
|
||||
@@ -855,10 +859,10 @@ check_host_key(char *hostname, struct so
|
||||
snprintf(msg, sizeof(msg),
|
||||
"The authenticity of host '%.200s (%s)' can't be "
|
||||
"established%s\n"
|
||||
@ -547,33 +568,36 @@ diff -up openssh-5.6p1/sshconnect.c.fips openssh-5.6p1/sshconnect.c
|
||||
options.visual_host_key ? "\n" : "",
|
||||
options.visual_host_key ? ra : "",
|
||||
msg2);
|
||||
@@ -1151,17 +1154,18 @@ show_key_from_file(const char *file, con
|
||||
Key *found;
|
||||
@@ -1208,20 +1212,21 @@ show_other_keys(struct hostkeys *hostkey
|
||||
int i, ret = 0;
|
||||
char *fp, *ra;
|
||||
int line, ret;
|
||||
const struct hostkey_entry *found;
|
||||
+ int fips_on = FIPS_mode();
|
||||
|
||||
found = key_new(keytype);
|
||||
if ((ret = lookup_key_in_hostfile_by_type(file, host,
|
||||
keytype, found, &line))) {
|
||||
- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- ra = key_fingerprint(found, SSH_FP_MD5, SSH_FP_RANDOMART);
|
||||
+ fp = key_fingerprint(found, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ ra = key_fingerprint(found, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_RANDOMART);
|
||||
for (i = 0; type[i] != -1; i++) {
|
||||
if (type[i] == key->type)
|
||||
continue;
|
||||
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
|
||||
continue;
|
||||
- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
|
||||
+ fp = key_fingerprint(found->key, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ ra = key_fingerprint(found->key, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_RANDOMART);
|
||||
logit("WARNING: %s key found for host %s\n"
|
||||
"in %s:%d\n"
|
||||
- "%s key fingerprint %s.\n%s\n",
|
||||
"in %s:%lu\n"
|
||||
- "%s key fingerprint %s.",
|
||||
+ "%s key %sfingerprint %s.\n%s\n",
|
||||
key_type(found), host, file, line,
|
||||
- key_type(found), fp, ra);
|
||||
key_type(found->key),
|
||||
found->host, found->file, found->line,
|
||||
- key_type(found->key), fp);
|
||||
+ key_type(found), fips_on ? "SHA1 ":"", fp, ra);
|
||||
if (options.visual_host_key)
|
||||
logit("%s", ra);
|
||||
xfree(ra);
|
||||
xfree(fp);
|
||||
}
|
||||
@@ -1207,8 +1211,9 @@ warn_changed_key(Key *host_key)
|
||||
@@ -1235,8 +1240,9 @@ static void
|
||||
warn_changed_key(Key *host_key)
|
||||
{
|
||||
char *fp;
|
||||
const char *type = key_type(host_key);
|
||||
+ int fips_on = FIPS_mode();
|
||||
|
||||
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
@ -581,20 +605,20 @@ diff -up openssh-5.6p1/sshconnect.c.fips openssh-5.6p1/sshconnect.c
|
||||
|
||||
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
|
||||
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
|
||||
@@ -1216,8 +1221,8 @@ warn_changed_key(Key *host_key)
|
||||
@@ -1244,8 +1250,8 @@ warn_changed_key(Key *host_key)
|
||||
error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
|
||||
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
|
||||
error("It is also possible that the %s host key has just been changed.", type);
|
||||
error("It is also possible that a host key has just been changed.");
|
||||
- error("The fingerprint for the %s key sent by the remote host is\n%s.",
|
||||
- type, fp);
|
||||
- key_type(host_key), fp);
|
||||
+ error("The %sfingerprint for the %s key sent by the remote host is\n%s.",
|
||||
+ fips_on ? "SHA1 ":"", type, fp);
|
||||
+ fips_on ? "SHA1 ":"", key_type(host_key), fp);
|
||||
error("Please contact your system administrator.");
|
||||
|
||||
xfree(fp);
|
||||
diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
|
||||
--- openssh-5.6p1/sshd.c.fips 2011-01-16 23:41:58.000000000 +0100
|
||||
+++ openssh-5.6p1/sshd.c 2011-01-16 23:41:59.000000000 +0100
|
||||
diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
|
||||
--- openssh-5.8p1/sshd.c.fips 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-14 10:10:41.000000000 +0100
|
||||
@@ -76,6 +76,8 @@
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/md5.h>
|
||||
@ -604,7 +628,7 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
#ifdef HAVE_SECUREWARE
|
||||
@@ -1309,6 +1311,12 @@ main(int ac, char **av)
|
||||
@@ -1314,6 +1316,12 @@ main(int ac, char **av)
|
||||
(void)set_auth_parameters(ac, av);
|
||||
#endif
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
@ -617,16 +641,16 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
|
||||
init_rng();
|
||||
|
||||
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
||||
@@ -1470,8 +1478,6 @@ main(int ac, char **av)
|
||||
@@ -1475,8 +1483,6 @@ main(int ac, char **av)
|
||||
else
|
||||
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
|
||||
|
||||
- SSLeay_add_all_algorithms();
|
||||
- OpenSSL_add_all_algorithms();
|
||||
-
|
||||
/*
|
||||
* Force logging to stderr until we have loaded the private host
|
||||
* key (unless started from inetd)
|
||||
@@ -1589,6 +1595,10 @@ main(int ac, char **av)
|
||||
@@ -1595,6 +1601,10 @@ main(int ac, char **av)
|
||||
debug("private host key: #%d type %d %s", i, key->type,
|
||||
key_type(key));
|
||||
}
|
||||
@ -637,7 +661,7 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
|
||||
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
|
||||
logit("Disabling protocol version 1. Could not load host key");
|
||||
options.protocol &= ~SSH_PROTO_1;
|
||||
@@ -1753,6 +1763,10 @@ main(int ac, char **av)
|
||||
@@ -1759,6 +1769,10 @@ main(int ac, char **av)
|
||||
/* Initialize the random number generator. */
|
||||
arc4random_stir();
|
||||
|
||||
@ -648,7 +672,7 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
|
||||
/* Chdir to the root directory so that the current disk can be
|
||||
unmounted if desired. */
|
||||
chdir("/");
|
||||
@@ -2293,6 +2307,9 @@ do_ssh2_kex(void)
|
||||
@@ -2305,6 +2319,9 @@ do_ssh2_kex(void)
|
||||
if (options.ciphers != NULL) {
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
|
||||
@ -658,7 +682,7 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
|
||||
}
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
|
||||
@@ -2302,6 +2319,9 @@ do_ssh2_kex(void)
|
||||
@@ -2314,6 +2331,9 @@ do_ssh2_kex(void)
|
||||
if (options.macs != NULL) {
|
||||
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
||||
@ -668,9 +692,9 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
|
||||
}
|
||||
if (options.compression == COMP_NONE) {
|
||||
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
|
||||
diff -up openssh-5.6p1/ssh-keygen.c.fips openssh-5.6p1/ssh-keygen.c
|
||||
--- openssh-5.6p1/ssh-keygen.c.fips 2011-01-16 23:41:58.000000000 +0100
|
||||
+++ openssh-5.6p1/ssh-keygen.c 2011-01-16 23:41:59.000000000 +0100
|
||||
diff -up openssh-5.8p1/ssh-keygen.c.fips openssh-5.8p1/ssh-keygen.c
|
||||
--- openssh-5.8p1/ssh-keygen.c.fips 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/ssh-keygen.c 2011-02-14 10:10:41.000000000 +0100
|
||||
@@ -21,6 +21,7 @@
|
||||
|
||||
#include <openssl/evp.h>
|
||||
@ -679,7 +703,7 @@ diff -up openssh-5.6p1/ssh-keygen.c.fips openssh-5.6p1/ssh-keygen.c
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
#include <errno.h>
|
||||
@@ -692,7 +693,7 @@ do_fingerprint(struct passwd *pw)
|
||||
@@ -721,7 +722,7 @@ do_fingerprint(struct passwd *pw)
|
||||
enum fp_type fptype;
|
||||
struct stat st;
|
||||
|
||||
@ -688,7 +712,7 @@ diff -up openssh-5.6p1/ssh-keygen.c.fips openssh-5.6p1/ssh-keygen.c
|
||||
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
|
||||
|
||||
if (!have_identity)
|
||||
@@ -2209,14 +2210,15 @@ passphrase_again:
|
||||
@@ -2253,14 +2254,15 @@ passphrase_again:
|
||||
fclose(f);
|
||||
|
||||
if (!quiet) {
|
||||
24
openssh-5.8p1-gssapi-canohost.patch
Normal file
24
openssh-5.8p1-gssapi-canohost.patch
Normal file
@ -0,0 +1,24 @@
|
||||
diff -up openssh-5.8p1/sshconnect2.c.canohost openssh-5.8p1/sshconnect2.c
|
||||
--- openssh-5.8p1/sshconnect2.c.canohost 2011-02-14 15:15:15.000000000 +0100
|
||||
+++ openssh-5.8p1/sshconnect2.c 2011-02-14 15:21:45.000000000 +0100
|
||||
@@ -697,14 +697,17 @@ userauth_gssapi(Authctxt *authctxt)
|
||||
static u_int mech = 0;
|
||||
OM_uint32 min;
|
||||
int ok = 0;
|
||||
- const char *gss_host;
|
||||
+ const char *gss_host = NULL;
|
||||
|
||||
if (options.gss_server_identity)
|
||||
gss_host = options.gss_server_identity;
|
||||
else if (options.gss_trust_dns)
|
||||
gss_host = get_canonical_hostname(1);
|
||||
- else
|
||||
- gss_host = authctxt->host;
|
||||
+ else {
|
||||
+ gss_host = get_canonical_hostname(1);
|
||||
+ if ( strcmp( gss_host, "UNKNOWN" ) == 0 )
|
||||
+ gss_host = authctxt->host;
|
||||
+ }
|
||||
|
||||
/* Try one GSSAPI method at a time, rather than sending them all at
|
||||
* once. */
|
||||
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.6p1/auth2.c.gsskex openssh-5.6p1/auth2.c
|
||||
--- openssh-5.6p1/auth2.c.gsskex 2011-01-24 23:51:08.000000000 +0100
|
||||
+++ openssh-5.6p1/auth2.c 2011-01-24 23:51:08.000000000 +0100
|
||||
diff -up openssh-5.8p1/auth2.c.gsskex openssh-5.8p1/auth2.c
|
||||
--- openssh-5.8p1/auth2.c.gsskex 2011-02-14 14:47:02.000000000 +0100
|
||||
+++ openssh-5.8p1/auth2.c 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
|
||||
extern Authmethod method_kbdint;
|
||||
extern Authmethod method_hostbased;
|
||||
@ -35,9 +35,9 @@ diff -up openssh-5.6p1/auth2.c.gsskex openssh-5.6p1/auth2.c
|
||||
authctxt->failures++;
|
||||
if (authctxt->failures >= options.max_authtries) {
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
diff -up openssh-5.6p1/auth2-gss.c.gsskex openssh-5.6p1/auth2-gss.c
|
||||
--- openssh-5.6p1/auth2-gss.c.gsskex 2011-01-24 23:51:08.000000000 +0100
|
||||
+++ openssh-5.6p1/auth2-gss.c 2011-01-24 23:51:08.000000000 +0100
|
||||
diff -up openssh-5.8p1/auth2-gss.c.gsskex openssh-5.8p1/auth2-gss.c
|
||||
--- openssh-5.8p1/auth2-gss.c.gsskex 2011-02-14 14:47:02.000000000 +0100
|
||||
+++ openssh-5.8p1/auth2-gss.c 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -1,7 +1,7 @@
|
||||
/* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
|
||||
|
||||
@ -137,9 +137,9 @@ diff -up openssh-5.6p1/auth2-gss.c.gsskex openssh-5.6p1/auth2-gss.c
|
||||
Authmethod method_gssapi = {
|
||||
"gssapi-with-mic",
|
||||
userauth_gssapi,
|
||||
diff -up openssh-5.6p1/auth.h.gsskex openssh-5.6p1/auth.h
|
||||
--- openssh-5.6p1/auth.h.gsskex 2011-01-24 23:51:08.000000000 +0100
|
||||
+++ openssh-5.6p1/auth.h 2011-01-24 23:51:08.000000000 +0100
|
||||
diff -up openssh-5.8p1/auth.h.gsskex openssh-5.8p1/auth.h
|
||||
--- openssh-5.8p1/auth.h.gsskex 2011-02-14 14:47:02.000000000 +0100
|
||||
+++ openssh-5.8p1/auth.h 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -53,6 +53,7 @@ struct Authctxt {
|
||||
int valid; /* user exists and is allowed to login */
|
||||
int attempt;
|
||||
@ -148,10 +148,10 @@ diff -up openssh-5.6p1/auth.h.gsskex openssh-5.6p1/auth.h
|
||||
int force_pwchange;
|
||||
char *user; /* username sent by the client */
|
||||
char *service;
|
||||
diff -up openssh-5.6p1/auth-krb5.c.gsskex openssh-5.6p1/auth-krb5.c
|
||||
--- openssh-5.6p1/auth-krb5.c.gsskex 2009-12-21 00:49:22.000000000 +0100
|
||||
+++ openssh-5.6p1/auth-krb5.c 2011-01-24 23:51:08.000000000 +0100
|
||||
@@ -170,8 +170,13 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
diff -up openssh-5.8p1/auth-krb5.c.gsskex openssh-5.8p1/auth-krb5.c
|
||||
--- openssh-5.8p1/auth-krb5.c.gsskex 2011-02-14 14:47:02.000000000 +0100
|
||||
+++ openssh-5.8p1/auth-krb5.c 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -184,8 +184,13 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
|
||||
len = strlen(authctxt->krb5_ticket_file) + 6;
|
||||
authctxt->krb5_ccname = xmalloc(len);
|
||||
@ -165,7 +165,7 @@ diff -up openssh-5.6p1/auth-krb5.c.gsskex openssh-5.6p1/auth-krb5.c
|
||||
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam)
|
||||
@@ -226,15 +231,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
|
||||
@@ -240,15 +245,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
|
||||
#ifndef HEIMDAL
|
||||
krb5_error_code
|
||||
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
|
||||
@ -190,7 +190,7 @@ diff -up openssh-5.6p1/auth-krb5.c.gsskex openssh-5.6p1/auth-krb5.c
|
||||
old_umask = umask(0177);
|
||||
tmpfd = mkstemp(ccname + strlen("FILE:"));
|
||||
umask(old_umask);
|
||||
@@ -249,6 +261,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c
|
||||
@@ -263,6 +275,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c
|
||||
return errno;
|
||||
}
|
||||
close(tmpfd);
|
||||
@ -198,10 +198,28 @@ diff -up openssh-5.6p1/auth-krb5.c.gsskex openssh-5.6p1/auth-krb5.c
|
||||
|
||||
return (krb5_cc_resolve(ctx, ccname, ccache));
|
||||
}
|
||||
diff -up openssh-5.6p1/ChangeLog.gssapi.gsskex openssh-5.6p1/ChangeLog.gssapi
|
||||
--- openssh-5.6p1/ChangeLog.gssapi.gsskex 2011-01-24 23:51:08.000000000 +0100
|
||||
+++ openssh-5.6p1/ChangeLog.gssapi 2011-01-24 23:51:08.000000000 +0100
|
||||
@@ -0,0 +1,95 @@
|
||||
diff -up openssh-5.8p1/ChangeLog.gssapi.gsskex openssh-5.8p1/ChangeLog.gssapi
|
||||
--- openssh-5.8p1/ChangeLog.gssapi.gsskex 2011-02-14 14:47:02.000000000 +0100
|
||||
+++ openssh-5.8p1/ChangeLog.gssapi 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -0,0 +1,113 @@
|
||||
+20110101
|
||||
+ - Finally update for OpenSSH 5.6p1
|
||||
+ - Add GSSAPIServerIdentity option from Jim Basney
|
||||
+
|
||||
+20100308
|
||||
+ - [ Makefile.in, key.c, key.h ]
|
||||
+ Updates for OpenSSH 5.4p1
|
||||
+ - [ servconf.c ]
|
||||
+ Include GSSAPI options in the sshd -T configuration dump, and flag
|
||||
+ some older configuration options as being unsupported. Thanks to Colin
|
||||
+ Watson.
|
||||
+ -
|
||||
+
|
||||
+20100124
|
||||
+ - [ sshconnect2.c ]
|
||||
+ Adapt to deal with additional element in Authmethod structure. Thanks to
|
||||
+ Colin Watson
|
||||
+
|
||||
+20090615
|
||||
+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
|
||||
+ sshd.c ]
|
||||
@ -297,9 +315,9 @@ diff -up openssh-5.6p1/ChangeLog.gssapi.gsskex openssh-5.6p1/ChangeLog.gssapi
|
||||
+ add support for GssapiTrustDns option for gssapi-with-mic
|
||||
+ (from jbasney AT ncsa.uiuc.edu)
|
||||
+ <gssapi-with-mic support is Bugzilla #1008>
|
||||
diff -up openssh-5.6p1/clientloop.c.gsskex openssh-5.6p1/clientloop.c
|
||||
--- openssh-5.6p1/clientloop.c.gsskex 2010-08-03 08:04:46.000000000 +0200
|
||||
+++ openssh-5.6p1/clientloop.c 2011-01-24 23:51:08.000000000 +0100
|
||||
diff -up openssh-5.8p1/clientloop.c.gsskex openssh-5.8p1/clientloop.c
|
||||
--- openssh-5.8p1/clientloop.c.gsskex 2011-01-16 13:18:35.000000000 +0100
|
||||
+++ openssh-5.8p1/clientloop.c 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -111,6 +111,10 @@
|
||||
#include "msg.h"
|
||||
#include "roaming.h"
|
||||
@ -311,24 +329,26 @@ diff -up openssh-5.6p1/clientloop.c.gsskex openssh-5.6p1/clientloop.c
|
||||
/* import options */
|
||||
extern Options options;
|
||||
|
||||
@@ -1483,6 +1487,13 @@ client_loop(int have_pty, int escape_cha
|
||||
@@ -1483,6 +1487,15 @@ client_loop(int have_pty, int escape_cha
|
||||
/* Do channel operations unless rekeying in progress. */
|
||||
if (!rekeying) {
|
||||
channel_after_select(readset, writeset);
|
||||
+
|
||||
+#ifdef GSSAPI
|
||||
+ if (options.gss_renewal_rekey &&
|
||||
+ ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)) {
|
||||
+ debug("credentials updated - forcing rekey");
|
||||
+ need_rekeying = 1;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
if (need_rekeying || packet_need_rekeying()) {
|
||||
debug("need rekeying");
|
||||
xxx_kex->done = 0;
|
||||
diff -up openssh-5.6p1/configure.ac.gsskex openssh-5.6p1/configure.ac
|
||||
--- openssh-5.6p1/configure.ac.gsskex 2011-01-24 23:51:08.000000000 +0100
|
||||
+++ openssh-5.6p1/configure.ac 2011-01-24 23:51:09.000000000 +0100
|
||||
@@ -477,6 +477,30 @@ main() { if (NSVersionOfRunTimeLibrary("
|
||||
diff -up openssh-5.8p1/configure.ac.gsskex openssh-5.8p1/configure.ac
|
||||
--- openssh-5.8p1/configure.ac.gsskex 2011-02-14 14:47:02.000000000 +0100
|
||||
+++ openssh-5.8p1/configure.ac 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -514,6 +514,30 @@ main() { if (NSVersionOfRunTimeLibrary("
|
||||
[Use tunnel device compatibility to OpenBSD])
|
||||
AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
|
||||
[Prepend the address family to IP tunnel traffic])
|
||||
@ -359,9 +379,18 @@ diff -up openssh-5.6p1/configure.ac.gsskex openssh-5.6p1/configure.ac
|
||||
m4_pattern_allow(AU_IPv)
|
||||
AC_CHECK_DECL(AU_IPv4, [],
|
||||
AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records])
|
||||
diff -up openssh-5.6p1/gss-genr.c.gsskex openssh-5.6p1/gss-genr.c
|
||||
--- openssh-5.6p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200
|
||||
+++ openssh-5.6p1/gss-genr.c 2011-01-24 23:51:09.000000000 +0100
|
||||
diff -up openssh-5.8p1/gss-genr.c.gsskex openssh-5.8p1/gss-genr.c
|
||||
--- openssh-5.8p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200
|
||||
+++ openssh-5.8p1/gss-genr.c 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -1,7 +1,7 @@
|
||||
/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
|
||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@@ -39,12 +39,167 @@
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
@ -700,9 +729,9 @@ diff -up openssh-5.6p1/gss-genr.c.gsskex openssh-5.6p1/gss-genr.c
|
||||
+}
|
||||
+
|
||||
#endif /* GSSAPI */
|
||||
diff -up openssh-5.6p1/gss-serv.c.gsskex openssh-5.6p1/gss-serv.c
|
||||
--- openssh-5.6p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200
|
||||
+++ openssh-5.6p1/gss-serv.c 2011-01-24 23:51:09.000000000 +0100
|
||||
diff -up openssh-5.8p1/gss-serv.c.gsskex openssh-5.8p1/gss-serv.c
|
||||
--- openssh-5.8p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200
|
||||
+++ openssh-5.8p1/gss-serv.c 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -1,7 +1,7 @@
|
||||
/* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */
|
||||
|
||||
@ -1016,9 +1045,9 @@ diff -up openssh-5.6p1/gss-serv.c.gsskex openssh-5.6p1/gss-serv.c
|
||||
}
|
||||
|
||||
#endif
|
||||
diff -up openssh-5.6p1/gss-serv-krb5.c.gsskex openssh-5.6p1/gss-serv-krb5.c
|
||||
--- openssh-5.6p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200
|
||||
+++ openssh-5.6p1/gss-serv-krb5.c 2011-01-24 23:51:09.000000000 +0100
|
||||
diff -up openssh-5.8p1/gss-serv-krb5.c.gsskex openssh-5.8p1/gss-serv-krb5.c
|
||||
--- openssh-5.8p1/gss-serv-krb5.c.gsskex 2011-02-14 14:47:02.000000000 +0100
|
||||
+++ openssh-5.8p1/gss-serv-krb5.c 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -1,7 +1,7 @@
|
||||
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
|
||||
@ -1028,7 +1057,7 @@ diff -up openssh-5.6p1/gss-serv-krb5.c.gsskex openssh-5.6p1/gss-serv-krb5.c
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@@ -120,6 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||
@@ -121,6 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||
krb5_principal princ;
|
||||
OM_uint32 maj_status, min_status;
|
||||
int len;
|
||||
@ -1036,7 +1065,7 @@ diff -up openssh-5.6p1/gss-serv-krb5.c.gsskex openssh-5.6p1/gss-serv-krb5.c
|
||||
|
||||
if (client->creds == NULL) {
|
||||
debug("No credentials stored");
|
||||
@@ -168,11 +169,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||
@@ -169,11 +170,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||
return;
|
||||
}
|
||||
|
||||
@ -1057,7 +1086,7 @@ diff -up openssh-5.6p1/gss-serv-krb5.c.gsskex openssh-5.6p1/gss-serv-krb5.c
|
||||
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam)
|
||||
@@ -184,6 +190,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||
@@ -185,6 +191,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||
return;
|
||||
}
|
||||
|
||||
@ -1129,7 +1158,7 @@ diff -up openssh-5.6p1/gss-serv-krb5.c.gsskex openssh-5.6p1/gss-serv-krb5.c
|
||||
ssh_gssapi_mech gssapi_kerberos_mech = {
|
||||
"toWM5Slw5Ew8Mqkay+al2g==",
|
||||
"Kerberos",
|
||||
@@ -191,7 +262,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
|
||||
@@ -192,7 +263,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
|
||||
NULL,
|
||||
&ssh_gssapi_krb5_userok,
|
||||
NULL,
|
||||
@ -1139,9 +1168,9 @@ diff -up openssh-5.6p1/gss-serv-krb5.c.gsskex openssh-5.6p1/gss-serv-krb5.c
|
||||
};
|
||||
|
||||
#endif /* KRB5 */
|
||||
diff -up openssh-5.6p1/kex.c.gsskex openssh-5.6p1/kex.c
|
||||
--- openssh-5.6p1/kex.c.gsskex 2011-01-24 23:51:08.000000000 +0100
|
||||
+++ openssh-5.6p1/kex.c 2011-01-24 23:51:09.000000000 +0100
|
||||
diff -up openssh-5.8p1/kex.c.gsskex openssh-5.8p1/kex.c
|
||||
--- openssh-5.8p1/kex.c.gsskex 2011-02-14 14:47:01.000000000 +0100
|
||||
+++ openssh-5.8p1/kex.c 2011-02-14 15:09:38.000000000 +0100
|
||||
@@ -51,6 +51,10 @@
|
||||
#include "roaming.h"
|
||||
#include "audit.h"
|
||||
@ -1153,9 +1182,9 @@ diff -up openssh-5.6p1/kex.c.gsskex openssh-5.6p1/kex.c
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
|
||||
# if defined(HAVE_EVP_SHA256)
|
||||
# define evp_ssh_sha256 EVP_sha256
|
||||
@@ -339,6 +343,20 @@ choose_kex(Kex *k, char *client, char *s
|
||||
k->kex_type = KEX_DH_GEX_SHA256;
|
||||
k->evp_md = evp_ssh_sha256();
|
||||
@@ -371,6 +375,20 @@ choose_kex(Kex *k, char *client, char *s
|
||||
k->kex_type = KEX_ECDH_SHA2;
|
||||
k->evp_md = kex_ecdh_name_to_evpmd(k->name);
|
||||
#endif
|
||||
+#ifdef GSSAPI
|
||||
+ } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID,
|
||||
@ -1174,9 +1203,9 @@ diff -up openssh-5.6p1/kex.c.gsskex openssh-5.6p1/kex.c
|
||||
} else
|
||||
fatal("bad kex alg %s", k->name);
|
||||
}
|
||||
diff -up openssh-5.6p1/kexgssc.c.gsskex openssh-5.6p1/kexgssc.c
|
||||
--- openssh-5.6p1/kexgssc.c.gsskex 2011-01-24 23:51:09.000000000 +0100
|
||||
+++ openssh-5.6p1/kexgssc.c 2011-01-24 23:51:09.000000000 +0100
|
||||
diff -up openssh-5.8p1/kexgssc.c.gsskex openssh-5.8p1/kexgssc.c
|
||||
--- openssh-5.8p1/kexgssc.c.gsskex 2011-02-14 14:47:02.000000000 +0100
|
||||
+++ openssh-5.8p1/kexgssc.c 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -0,0 +1,334 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||
@ -1512,9 +1541,9 @@ diff -up openssh-5.6p1/kexgssc.c.gsskex openssh-5.6p1/kexgssc.c
|
||||
+}
|
||||
+
|
||||
+#endif /* GSSAPI */
|
||||
diff -up openssh-5.6p1/kexgsss.c.gsskex openssh-5.6p1/kexgsss.c
|
||||
--- openssh-5.6p1/kexgsss.c.gsskex 2011-01-24 23:51:09.000000000 +0100
|
||||
+++ openssh-5.6p1/kexgsss.c 2011-01-24 23:51:09.000000000 +0100
|
||||
diff -up openssh-5.8p1/kexgsss.c.gsskex openssh-5.8p1/kexgsss.c
|
||||
--- openssh-5.8p1/kexgsss.c.gsskex 2011-02-14 14:47:02.000000000 +0100
|
||||
+++ openssh-5.8p1/kexgsss.c 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -0,0 +1,288 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||
@ -1804,20 +1833,20 @@ diff -up openssh-5.6p1/kexgsss.c.gsskex openssh-5.6p1/kexgsss.c
|
||||
+ ssh_gssapi_rekey_creds();
|
||||
+}
|
||||
+#endif /* GSSAPI */
|
||||
diff -up openssh-5.6p1/kex.h.gsskex openssh-5.6p1/kex.h
|
||||
--- openssh-5.6p1/kex.h.gsskex 2011-01-24 23:51:08.000000000 +0100
|
||||
+++ openssh-5.6p1/kex.h 2011-01-24 23:52:26.000000000 +0100
|
||||
@@ -67,6 +67,9 @@ enum kex_exchange {
|
||||
KEX_DH_GRP14_SHA1,
|
||||
diff -up openssh-5.8p1/kex.h.gsskex openssh-5.8p1/kex.h
|
||||
--- openssh-5.8p1/kex.h.gsskex 2011-02-14 14:47:01.000000000 +0100
|
||||
+++ openssh-5.8p1/kex.h 2011-02-14 15:10:05.000000000 +0100
|
||||
@@ -73,6 +73,9 @@ enum kex_exchange {
|
||||
KEX_DH_GEX_SHA1,
|
||||
KEX_DH_GEX_SHA256,
|
||||
KEX_ECDH_SHA2,
|
||||
+ KEX_GSS_GRP1_SHA1,
|
||||
+ KEX_GSS_GRP14_SHA1,
|
||||
+ KEX_GSS_GEX_SHA1,
|
||||
KEX_MAX
|
||||
};
|
||||
|
||||
@@ -123,6 +126,12 @@ struct Kex {
|
||||
@@ -129,6 +132,12 @@ struct Kex {
|
||||
sig_atomic_t done;
|
||||
int flags;
|
||||
const EVP_MD *evp_md;
|
||||
@ -1830,70 +1859,73 @@ diff -up openssh-5.6p1/kex.h.gsskex openssh-5.6p1/kex.h
|
||||
char *client_version_string;
|
||||
char *server_version_string;
|
||||
int (*verify_host_key)(Key *);
|
||||
@@ -148,6 +157,11 @@ void kexgex_server(Kex *);
|
||||
|
||||
void newkeys_destroy(Newkeys *newkeys);
|
||||
@@ -156,6 +165,11 @@ void kexgex_server(Kex *);
|
||||
void kexecdh_client(Kex *);
|
||||
void kexecdh_server(Kex *);
|
||||
|
||||
+#ifdef GSSAPI
|
||||
+void kexgss_client(Kex *);
|
||||
+void kexgss_server(Kex *);
|
||||
+#endif
|
||||
+
|
||||
void newkeys_destroy(Newkeys *newkeys);
|
||||
|
||||
void
|
||||
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
|
||||
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
|
||||
diff -up openssh-5.6p1/key.c.gsskex openssh-5.6p1/key.c
|
||||
--- openssh-5.6p1/key.c.gsskex 2010-07-16 05:58:37.000000000 +0200
|
||||
+++ openssh-5.6p1/key.c 2011-01-24 23:51:09.000000000 +0100
|
||||
@@ -1020,6 +1020,8 @@ key_type_from_name(char *name)
|
||||
return KEY_RSA_CERT;
|
||||
} else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) {
|
||||
return KEY_DSA_CERT;
|
||||
diff -up openssh-5.8p1/key.c.gsskex openssh-5.8p1/key.c
|
||||
--- openssh-5.8p1/key.c.gsskex 2011-02-04 01:48:34.000000000 +0100
|
||||
+++ openssh-5.8p1/key.c 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -971,6 +971,8 @@ key_ssh_name_from_type_nid(int type, int
|
||||
}
|
||||
break;
|
||||
#endif /* OPENSSL_HAS_ECC */
|
||||
+ case KEY_NULL:
|
||||
+ return "null";
|
||||
}
|
||||
return "ssh-unknown";
|
||||
}
|
||||
@@ -1276,6 +1278,8 @@ key_type_from_name(char *name)
|
||||
strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
|
||||
return KEY_ECDSA_CERT;
|
||||
#endif
|
||||
+ } else if (strcmp(name, "null") == 0) {
|
||||
+ return KEY_NULL;
|
||||
}
|
||||
|
||||
debug2("key_type_from_name: unknown key type '%s'", name);
|
||||
return KEY_UNSPEC;
|
||||
diff -up openssh-5.6p1/key.h.gsskex openssh-5.6p1/key.h
|
||||
--- openssh-5.6p1/key.h.gsskex 2010-04-16 07:56:22.000000000 +0200
|
||||
+++ openssh-5.6p1/key.h 2011-01-24 23:51:09.000000000 +0100
|
||||
@@ -39,6 +39,7 @@ enum types {
|
||||
KEY_DSA_CERT,
|
||||
diff -up openssh-5.8p1/key.h.gsskex openssh-5.8p1/key.h
|
||||
--- openssh-5.8p1/key.h.gsskex 2010-11-05 00:19:49.000000000 +0100
|
||||
+++ openssh-5.8p1/key.h 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -44,6 +44,7 @@ enum types {
|
||||
KEY_ECDSA_CERT,
|
||||
KEY_RSA_CERT_V00,
|
||||
KEY_DSA_CERT_V00,
|
||||
+ KEY_NULL,
|
||||
KEY_UNSPEC
|
||||
};
|
||||
enum fp_type {
|
||||
diff -up openssh-5.6p1/Makefile.in.gsskex openssh-5.6p1/Makefile.in
|
||||
--- openssh-5.6p1/Makefile.in.gsskex 2011-01-24 23:51:08.000000000 +0100
|
||||
+++ openssh-5.6p1/Makefile.in 2011-01-24 23:51:09.000000000 +0100
|
||||
@@ -77,11 +77,11 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
|
||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
|
||||
kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
|
||||
entropy.o gss-genr.o umac.o jpake.o schnorr.o \
|
||||
- ssh-pkcs11.o auditstub.o
|
||||
+ ssh-pkcs11.o auditstub.o kexgssc.o
|
||||
diff -up openssh-5.8p1/Makefile.in.gsskex openssh-5.8p1/Makefile.in
|
||||
--- openssh-5.8p1/Makefile.in.gsskex 2011-02-14 14:47:02.000000000 +0100
|
||||
+++ openssh-5.8p1/Makefile.in 2011-02-14 15:08:34.000000000 +0100
|
||||
@@ -77,6 +77,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
|
||||
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
|
||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
|
||||
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
|
||||
+ kexgssc.o \
|
||||
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \
|
||||
schnorr.o ssh-pkcs11.o auditstub.o
|
||||
|
||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
|
||||
- roaming_common.o roaming_client.o
|
||||
+ roaming_common.o roaming_client.o kexgssc.o
|
||||
|
||||
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
|
||||
audit.o audit-bsm.o audit-linux.o platform.o \
|
||||
@@ -95,7 +95,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||
auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
||||
@@ -93,7 +94,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
|
||||
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
|
||||
auth-krb5.o \
|
||||
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
||||
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
|
||||
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
||||
sftp-server.o sftp-common.o \
|
||||
- roaming_common.o roaming_serv.o
|
||||
+ roaming_common.o roaming_serv.o kexgsss.o
|
||||
|
||||
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
|
||||
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
|
||||
diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
|
||||
--- openssh-5.6p1/monitor.c.gsskex 2011-01-24 23:51:08.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor.c 2011-01-24 23:51:09.000000000 +0100
|
||||
roaming_common.o roaming_serv.o
|
||||
diff -up openssh-5.8p1/monitor.c.gsskex openssh-5.8p1/monitor.c
|
||||
--- openssh-5.8p1/monitor.c.gsskex 2011-02-14 14:47:02.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -176,6 +176,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
|
||||
int mm_answer_gss_accept_ctx(int, Buffer *);
|
||||
int mm_answer_gss_userok(int, Buffer *);
|
||||
@ -1946,10 +1978,10 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
|
||||
} else {
|
||||
mon_dispatch = mon_dispatch_postauth15;
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
|
||||
@@ -1754,6 +1771,13 @@ mm_get_kex(Buffer *m)
|
||||
kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
|
||||
@@ -1755,6 +1772,13 @@ mm_get_kex(Buffer *m)
|
||||
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
|
||||
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
|
||||
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
|
||||
+#ifdef GSSAPI
|
||||
+ if (options.gss_keyex) {
|
||||
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
|
||||
@ -1960,7 +1992,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
|
||||
kex->server = 1;
|
||||
kex->hostkey_type = buffer_get_int(m);
|
||||
kex->kex_type = buffer_get_int(m);
|
||||
@@ -1960,6 +1984,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
|
||||
@@ -1961,6 +1985,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
|
||||
OM_uint32 major;
|
||||
u_int len;
|
||||
|
||||
@ -1970,7 +2002,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
|
||||
goid.elements = buffer_get_string(m, &len);
|
||||
goid.length = len;
|
||||
|
||||
@@ -1987,6 +2014,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
||||
@@ -1988,6 +2015,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
||||
OM_uint32 flags = 0; /* GSI needs this */
|
||||
u_int len;
|
||||
|
||||
@ -1980,7 +2012,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
|
||||
in.value = buffer_get_string(m, &len);
|
||||
in.length = len;
|
||||
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
|
||||
@@ -2004,6 +2034,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
||||
@@ -2005,6 +2035,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
|
||||
@ -1988,7 +2020,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
@@ -2015,6 +2046,9 @@ mm_answer_gss_checkmic(int sock, Buffer
|
||||
@@ -2016,6 +2047,9 @@ mm_answer_gss_checkmic(int sock, Buffer
|
||||
OM_uint32 ret;
|
||||
u_int len;
|
||||
|
||||
@ -1998,7 +2030,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
|
||||
gssbuf.value = buffer_get_string(m, &len);
|
||||
gssbuf.length = len;
|
||||
mic.value = buffer_get_string(m, &len);
|
||||
@@ -2041,7 +2075,11 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
@@ -2042,7 +2076,11 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
{
|
||||
int authenticated;
|
||||
|
||||
@ -2011,7 +2043,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
|
||||
|
||||
buffer_clear(m);
|
||||
buffer_put_int(m, authenticated);
|
||||
@@ -2054,6 +2092,74 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
@@ -2055,6 +2093,74 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
/* Monitor loop will terminate if authenticated */
|
||||
return (authenticated);
|
||||
}
|
||||
@ -2086,9 +2118,9 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
|
||||
#endif /* GSSAPI */
|
||||
|
||||
#ifdef JPAKE
|
||||
diff -up openssh-5.6p1/monitor.h.gsskex openssh-5.6p1/monitor.h
|
||||
--- openssh-5.6p1/monitor.h.gsskex 2011-01-24 23:51:08.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor.h 2011-01-24 23:51:09.000000000 +0100
|
||||
diff -up openssh-5.8p1/monitor.h.gsskex openssh-5.8p1/monitor.h
|
||||
--- openssh-5.8p1/monitor.h.gsskex 2011-02-14 14:47:02.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.h 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -56,6 +56,8 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
|
||||
MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
|
||||
@ -2098,10 +2130,10 @@ diff -up openssh-5.6p1/monitor.h.gsskex openssh-5.6p1/monitor.h
|
||||
MONITOR_REQ_PAM_START,
|
||||
MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
|
||||
MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
|
||||
diff -up openssh-5.6p1/monitor_wrap.c.gsskex openssh-5.6p1/monitor_wrap.c
|
||||
--- openssh-5.6p1/monitor_wrap.c.gsskex 2011-01-24 23:51:08.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor_wrap.c 2011-01-24 23:51:09.000000000 +0100
|
||||
@@ -1250,7 +1250,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
|
||||
diff -up openssh-5.8p1/monitor_wrap.c.gsskex openssh-5.8p1/monitor_wrap.c
|
||||
--- openssh-5.8p1/monitor_wrap.c.gsskex 2011-02-14 14:47:02.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -1251,7 +1251,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
|
||||
}
|
||||
|
||||
int
|
||||
@ -2110,7 +2142,7 @@ diff -up openssh-5.6p1/monitor_wrap.c.gsskex openssh-5.6p1/monitor_wrap.c
|
||||
{
|
||||
Buffer m;
|
||||
int authenticated = 0;
|
||||
@@ -1267,6 +1267,51 @@ mm_ssh_gssapi_userok(char *user)
|
||||
@@ -1268,6 +1268,51 @@ mm_ssh_gssapi_userok(char *user)
|
||||
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
|
||||
return (authenticated);
|
||||
}
|
||||
@ -2162,9 +2194,9 @@ diff -up openssh-5.6p1/monitor_wrap.c.gsskex openssh-5.6p1/monitor_wrap.c
|
||||
#endif /* GSSAPI */
|
||||
|
||||
#ifdef JPAKE
|
||||
diff -up openssh-5.6p1/monitor_wrap.h.gsskex openssh-5.6p1/monitor_wrap.h
|
||||
--- openssh-5.6p1/monitor_wrap.h.gsskex 2011-01-24 23:51:08.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor_wrap.h 2011-01-24 23:51:09.000000000 +0100
|
||||
diff -up openssh-5.8p1/monitor_wrap.h.gsskex openssh-5.8p1/monitor_wrap.h
|
||||
--- openssh-5.8p1/monitor_wrap.h.gsskex 2011-02-14 14:47:02.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
|
||||
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
|
||||
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
|
||||
@ -2177,18 +2209,19 @@ diff -up openssh-5.6p1/monitor_wrap.h.gsskex openssh-5.6p1/monitor_wrap.h
|
||||
#endif
|
||||
|
||||
#ifdef USE_PAM
|
||||
diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c
|
||||
--- openssh-5.6p1/readconf.c.gsskex 2010-08-03 08:04:46.000000000 +0200
|
||||
+++ openssh-5.6p1/readconf.c 2011-01-24 23:51:09.000000000 +0100
|
||||
@@ -127,6 +127,7 @@ typedef enum {
|
||||
diff -up openssh-5.8p1/readconf.c.gsskex openssh-5.8p1/readconf.c
|
||||
--- openssh-5.8p1/readconf.c.gsskex 2010-11-20 05:19:38.000000000 +0100
|
||||
+++ openssh-5.8p1/readconf.c 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -129,6 +129,8 @@ typedef enum {
|
||||
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
||||
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
||||
+ oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
|
||||
+ oGssServerIdentity,
|
||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||
oSendEnv, oControlPath, oControlMaster, oControlPersist,
|
||||
oHashKnownHosts,
|
||||
@@ -166,10 +167,18 @@ static struct {
|
||||
@@ -169,10 +171,19 @@ static struct {
|
||||
{ "afstokenpassing", oUnsupported },
|
||||
#if defined(GSSAPI)
|
||||
{ "gssapiauthentication", oGssAuthentication },
|
||||
@ -2196,6 +2229,7 @@ diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c
|
||||
{ "gssapidelegatecredentials", oGssDelegateCreds },
|
||||
+ { "gssapitrustdns", oGssTrustDns },
|
||||
+ { "gssapiclientidentity", oGssClientIdentity },
|
||||
+ { "gssapiserveridentity", oGssServerIdentity },
|
||||
+ { "gssapirenewalforcesrekey", oGssRenewalRekey },
|
||||
#else
|
||||
{ "gssapiauthentication", oUnsupported },
|
||||
@ -2207,7 +2241,7 @@ diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c
|
||||
#endif
|
||||
{ "fallbacktorsh", oDeprecated },
|
||||
{ "usersh", oDeprecated },
|
||||
@@ -474,10 +483,26 @@ parse_flag:
|
||||
@@ -479,10 +490,30 @@ parse_flag:
|
||||
intptr = &options->gss_authentication;
|
||||
goto parse_flag;
|
||||
|
||||
@ -2227,6 +2261,10 @@ diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c
|
||||
+ charptr = &options->gss_client_identity;
|
||||
+ goto parse_string;
|
||||
+
|
||||
+ case oGssServerIdentity:
|
||||
+ charptr = &options->gss_server_identity;
|
||||
+ goto parse_string;
|
||||
+
|
||||
+ case oGssRenewalRekey:
|
||||
+ intptr = &options->gss_renewal_rekey;
|
||||
+ goto parse_flag;
|
||||
@ -2234,7 +2272,7 @@ diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c
|
||||
case oBatchMode:
|
||||
intptr = &options->batch_mode;
|
||||
goto parse_flag;
|
||||
@@ -1058,7 +1083,11 @@ initialize_options(Options * options)
|
||||
@@ -1092,7 +1123,12 @@ initialize_options(Options * options)
|
||||
options->pubkey_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
options->gss_authentication = -1;
|
||||
@ -2243,10 +2281,11 @@ diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c
|
||||
+ options->gss_trust_dns = -1;
|
||||
+ options->gss_renewal_rekey = -1;
|
||||
+ options->gss_client_identity = NULL;
|
||||
+ options->gss_server_identity = NULL;
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->kbd_interactive_devices = NULL;
|
||||
@@ -1156,8 +1185,14 @@ fill_default_options(Options * options)
|
||||
@@ -1193,8 +1229,14 @@ fill_default_options(Options * options)
|
||||
options->challenge_response_authentication = 1;
|
||||
if (options->gss_authentication == -1)
|
||||
options->gss_authentication = 0;
|
||||
@ -2261,10 +2300,10 @@ diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
diff -up openssh-5.6p1/readconf.h.gsskex openssh-5.6p1/readconf.h
|
||||
--- openssh-5.6p1/readconf.h.gsskex 2010-08-03 08:04:46.000000000 +0200
|
||||
+++ openssh-5.6p1/readconf.h 2011-01-24 23:51:09.000000000 +0100
|
||||
@@ -46,7 +46,11 @@ typedef struct {
|
||||
diff -up openssh-5.8p1/readconf.h.gsskex openssh-5.8p1/readconf.h
|
||||
--- openssh-5.8p1/readconf.h.gsskex 2010-11-20 05:19:38.000000000 +0100
|
||||
+++ openssh-5.8p1/readconf.h 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -46,7 +46,12 @@ typedef struct {
|
||||
int challenge_response_authentication;
|
||||
/* Try S/Key or TIS, authentication. */
|
||||
int gss_authentication; /* Try GSS authentication */
|
||||
@ -2273,13 +2312,14 @@ diff -up openssh-5.6p1/readconf.h.gsskex openssh-5.6p1/readconf.h
|
||||
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
|
||||
+ int gss_renewal_rekey; /* Credential renewal forces rekey */
|
||||
+ char *gss_client_identity; /* Principal to initiate GSSAPI with */
|
||||
+ char *gss_server_identity; /* GSSAPI target principal */
|
||||
int password_authentication; /* Try password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
||||
diff -up openssh-5.6p1/servconf.c.gsskex openssh-5.6p1/servconf.c
|
||||
--- openssh-5.6p1/servconf.c.gsskex 2011-01-24 23:51:08.000000000 +0100
|
||||
+++ openssh-5.6p1/servconf.c 2011-01-24 23:51:09.000000000 +0100
|
||||
@@ -93,7 +93,10 @@ initialize_server_options(ServerOptions
|
||||
diff -up openssh-5.8p1/servconf.c.gsskex openssh-5.8p1/servconf.c
|
||||
--- openssh-5.8p1/servconf.c.gsskex 2011-02-14 14:47:02.000000000 +0100
|
||||
+++ openssh-5.8p1/servconf.c 2011-02-14 15:11:09.000000000 +0100
|
||||
@@ -97,7 +97,10 @@ initialize_server_options(ServerOptions
|
||||
options->kerberos_ticket_cleanup = -1;
|
||||
options->kerberos_get_afs_token = -1;
|
||||
options->gss_authentication=-1;
|
||||
@ -2290,7 +2330,7 @@ diff -up openssh-5.6p1/servconf.c.gsskex openssh-5.6p1/servconf.c
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
@@ -218,8 +221,14 @@ fill_default_server_options(ServerOption
|
||||
@@ -230,8 +233,14 @@ fill_default_server_options(ServerOption
|
||||
options->kerberos_get_afs_token = 0;
|
||||
if (options->gss_authentication == -1)
|
||||
options->gss_authentication = 0;
|
||||
@ -2305,7 +2345,7 @@ diff -up openssh-5.6p1/servconf.c.gsskex openssh-5.6p1/servconf.c
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
@@ -313,7 +322,9 @@ typedef enum {
|
||||
@@ -330,7 +339,9 @@ typedef enum {
|
||||
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
|
||||
@ -2316,23 +2356,28 @@ diff -up openssh-5.6p1/servconf.c.gsskex openssh-5.6p1/servconf.c
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
sZeroKnowledgePasswordAuthentication, sHostCertificate,
|
||||
@@ -377,9 +388,15 @@ static struct {
|
||||
@@ -397,10 +408,20 @@ static struct {
|
||||
#ifdef GSSAPI
|
||||
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
||||
+ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
|
||||
+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
|
||||
+ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
|
||||
+ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
|
||||
#else
|
||||
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
||||
+ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
|
||||
+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
|
||||
+ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
|
||||
+ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
+ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
|
||||
+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
||||
@@ -941,10 +958,22 @@ process_server_config_line(ServerOptions
|
||||
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
|
||||
@@ -963,10 +984,22 @@ process_server_config_line(ServerOptions
|
||||
intptr = &options->gss_authentication;
|
||||
goto parse_flag;
|
||||
|
||||
@ -2355,10 +2400,21 @@ diff -up openssh-5.6p1/servconf.c.gsskex openssh-5.6p1/servconf.c
|
||||
case sPasswordAuthentication:
|
||||
intptr = &options->password_authentication;
|
||||
goto parse_flag;
|
||||
diff -up openssh-5.6p1/servconf.h.gsskex openssh-5.6p1/servconf.h
|
||||
--- openssh-5.6p1/servconf.h.gsskex 2011-01-24 23:51:08.000000000 +0100
|
||||
+++ openssh-5.6p1/servconf.h 2011-01-24 23:51:09.000000000 +0100
|
||||
@@ -94,7 +94,10 @@ typedef struct {
|
||||
@@ -1748,7 +1781,10 @@ dump_config(ServerOptions *o)
|
||||
#endif
|
||||
#ifdef GSSAPI
|
||||
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
||||
+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
|
||||
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
|
||||
+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
|
||||
+ dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
|
||||
#endif
|
||||
#ifdef JPAKE
|
||||
dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
|
||||
diff -up openssh-5.8p1/servconf.h.gsskex openssh-5.8p1/servconf.h
|
||||
--- openssh-5.8p1/servconf.h.gsskex 2011-02-14 14:47:02.000000000 +0100
|
||||
+++ openssh-5.8p1/servconf.h 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -97,7 +97,10 @@ typedef struct {
|
||||
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
||||
* authenticated with Kerberos. */
|
||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||
@ -2369,10 +2425,10 @@ diff -up openssh-5.6p1/servconf.h.gsskex openssh-5.6p1/servconf.h
|
||||
int password_authentication; /* If true, permit password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* If true, permit */
|
||||
diff -up openssh-5.6p1/ssh_config.5.gsskex openssh-5.6p1/ssh_config.5
|
||||
--- openssh-5.6p1/ssh_config.5.gsskex 2010-08-05 05:03:13.000000000 +0200
|
||||
+++ openssh-5.6p1/ssh_config.5 2011-01-24 23:51:09.000000000 +0100
|
||||
@@ -509,11 +509,38 @@ Specifies whether user authentication ba
|
||||
diff -up openssh-5.8p1/ssh_config.5.gsskex openssh-5.8p1/ssh_config.5
|
||||
--- openssh-5.8p1/ssh_config.5.gsskex 2010-12-26 04:26:48.000000000 +0100
|
||||
+++ openssh-5.8p1/ssh_config.5 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -508,11 +508,43 @@ Specifies whether user authentication ba
|
||||
The default is
|
||||
.Dq no .
|
||||
Note that this option applies to protocol version 2 only.
|
||||
@ -2386,6 +2442,11 @@ diff -up openssh-5.6p1/ssh_config.5.gsskex openssh-5.6p1/ssh_config.5
|
||||
+If set, specifies the GSSAPI client identity that ssh should use when
|
||||
+connecting to the server. The default is unset, which means that the default
|
||||
+identity will be used.
|
||||
+.It Cm GSSAPIServerIdentity
|
||||
+If set, specifies the GSSAPI server identity that ssh should expect when
|
||||
+connecting to the server. The default is unset, which means that the
|
||||
+expected GSSAPI server identity will be determined from the target
|
||||
+hostname.
|
||||
.It Cm GSSAPIDelegateCredentials
|
||||
Forward (delegate) credentials to the server.
|
||||
The default is
|
||||
@ -2412,9 +2473,9 @@ diff -up openssh-5.6p1/ssh_config.5.gsskex openssh-5.6p1/ssh_config.5
|
||||
.It Cm HashKnownHosts
|
||||
Indicates that
|
||||
.Xr ssh 1
|
||||
diff -up openssh-5.6p1/ssh_config.gsskex openssh-5.6p1/ssh_config
|
||||
--- openssh-5.6p1/ssh_config.gsskex 2011-01-24 23:51:07.000000000 +0100
|
||||
+++ openssh-5.6p1/ssh_config 2011-01-24 23:51:09.000000000 +0100
|
||||
diff -up openssh-5.8p1/ssh_config.gsskex openssh-5.8p1/ssh_config
|
||||
--- openssh-5.8p1/ssh_config.gsskex 2011-02-14 14:47:01.000000000 +0100
|
||||
+++ openssh-5.8p1/ssh_config 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -26,6 +26,8 @@
|
||||
# HostbasedAuthentication no
|
||||
# GSSAPIAuthentication no
|
||||
@ -2424,10 +2485,10 @@ diff -up openssh-5.6p1/ssh_config.gsskex openssh-5.6p1/ssh_config
|
||||
# BatchMode no
|
||||
# CheckHostIP yes
|
||||
# AddressFamily any
|
||||
diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c
|
||||
--- openssh-5.6p1/sshconnect2.c.gsskex 2011-01-24 23:51:08.000000000 +0100
|
||||
+++ openssh-5.6p1/sshconnect2.c 2011-01-24 23:51:09.000000000 +0100
|
||||
@@ -108,9 +108,34 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
diff -up openssh-5.8p1/sshconnect2.c.gsskex openssh-5.8p1/sshconnect2.c
|
||||
--- openssh-5.8p1/sshconnect2.c.gsskex 2011-02-14 14:47:02.000000000 +0100
|
||||
+++ openssh-5.8p1/sshconnect2.c 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -161,9 +161,34 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
{
|
||||
Kex *kex;
|
||||
|
||||
@ -2462,9 +2523,9 @@ diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c
|
||||
if (options.ciphers == (char *)-1) {
|
||||
logit("No valid ciphers for protocol version 2 given, using defaults.");
|
||||
options.ciphers = NULL;
|
||||
@@ -146,6 +171,17 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
||||
options.hostkeyalgorithms;
|
||||
@@ -206,6 +231,17 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
if (options.kex_algorithms != NULL)
|
||||
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
|
||||
|
||||
+#ifdef GSSAPI
|
||||
+ /* If we've got GSSAPI algorithms, then we also support the
|
||||
@ -2480,10 +2541,10 @@ diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c
|
||||
if (options.rekey_limit)
|
||||
packet_set_rekey_limit((u_int32_t)options.rekey_limit);
|
||||
|
||||
@@ -155,10 +191,26 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
|
||||
@@ -216,10 +252,30 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
|
||||
kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
|
||||
kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
|
||||
+#ifdef GSSAPI
|
||||
+ if (options.gss_keyex) {
|
||||
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
|
||||
@ -2500,14 +2561,18 @@ diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c
|
||||
+ kex->gss_deleg_creds = options.gss_deleg_creds;
|
||||
+ kex->gss_trust_dns = options.gss_trust_dns;
|
||||
+ kex->gss_client = options.gss_client_identity;
|
||||
+ kex->gss_host = gss_host;
|
||||
+ if (options.gss_server_identity) {
|
||||
+ kex->gss_host = options.gss_server_identity;
|
||||
+ } else {
|
||||
+ kex->gss_host = gss_host;
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
xxx_kex = kex;
|
||||
|
||||
dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
|
||||
@@ -253,6 +305,7 @@ void input_gssapi_token(int type, u_int3
|
||||
@@ -314,6 +370,7 @@ void input_gssapi_token(int type, u_int3
|
||||
void input_gssapi_hash(int type, u_int32_t, void *);
|
||||
void input_gssapi_error(int, u_int32_t, void *);
|
||||
void input_gssapi_errtok(int, u_int32_t, void *);
|
||||
@ -2515,7 +2580,7 @@ diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c
|
||||
#endif
|
||||
|
||||
void userauth(Authctxt *, char *);
|
||||
@@ -268,6 +321,11 @@ static char *authmethods_get(void);
|
||||
@@ -329,6 +386,11 @@ static char *authmethods_get(void);
|
||||
|
||||
Authmethod authmethods[] = {
|
||||
#ifdef GSSAPI
|
||||
@ -2527,26 +2592,19 @@ diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c
|
||||
{"gssapi-with-mic",
|
||||
userauth_gssapi,
|
||||
NULL,
|
||||
@@ -574,25 +632,37 @@ userauth_gssapi(Authctxt *authctxt)
|
||||
@@ -635,19 +697,31 @@ userauth_gssapi(Authctxt *authctxt)
|
||||
static u_int mech = 0;
|
||||
OM_uint32 min;
|
||||
int ok = 0;
|
||||
- char* remotehost = NULL;
|
||||
+ const char* remotehost = NULL;
|
||||
const char* canonicalhost = get_canonical_hostname(1);
|
||||
+ const char *gss_host;
|
||||
+
|
||||
if ( strcmp( canonicalhost, "UNKNOWN" ) == 0 )
|
||||
remotehost = authctxt->host;
|
||||
else
|
||||
remotehost = canonicalhost;
|
||||
|
||||
+ if (options.gss_trust_dns)
|
||||
+// gss_host = get_canonical_hostname(1);
|
||||
+ gss_host = remotehost;
|
||||
+ if (options.gss_server_identity)
|
||||
+ gss_host = options.gss_server_identity;
|
||||
+ else if (options.gss_trust_dns)
|
||||
+ gss_host = get_canonical_hostname(1);
|
||||
+ else
|
||||
+ gss_host = authctxt->host;
|
||||
+
|
||||
|
||||
/* Try one GSSAPI method at a time, rather than sending them all at
|
||||
* once. */
|
||||
|
||||
@ -2562,13 +2620,13 @@ diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c
|
||||
/* My DER encoding requires length<128 */
|
||||
if (gss_supported->elements[mech].length < 128 &&
|
||||
ssh_gssapi_check_mechanism(&gssctxt,
|
||||
- &gss_supported->elements[mech], remotehost)) {
|
||||
- &gss_supported->elements[mech], authctxt->host)) {
|
||||
+ &gss_supported->elements[mech], gss_host,
|
||||
+ options.gss_client_identity)) {
|
||||
+ options.gss_client_identity)) {
|
||||
ok = 1; /* Mechanism works */
|
||||
} else {
|
||||
mech++;
|
||||
@@ -689,8 +759,8 @@ input_gssapi_response(int type, u_int32_
|
||||
@@ -744,8 +818,8 @@ input_gssapi_response(int type, u_int32_
|
||||
{
|
||||
Authctxt *authctxt = ctxt;
|
||||
Gssctxt *gssctxt;
|
||||
@ -2579,7 +2637,7 @@ diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c
|
||||
|
||||
if (authctxt == NULL)
|
||||
fatal("input_gssapi_response: no authentication context");
|
||||
@@ -800,6 +870,48 @@ input_gssapi_error(int type, u_int32_t p
|
||||
@@ -855,6 +929,48 @@ input_gssapi_error(int type, u_int32_t p
|
||||
xfree(msg);
|
||||
xfree(lang);
|
||||
}
|
||||
@ -2628,21 +2686,21 @@ diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c
|
||||
#endif /* GSSAPI */
|
||||
|
||||
int
|
||||
diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c
|
||||
--- openssh-5.6p1/sshd.c.gsskex 2011-01-24 23:51:08.000000000 +0100
|
||||
+++ openssh-5.6p1/sshd.c 2011-01-24 23:51:09.000000000 +0100
|
||||
@@ -130,6 +130,10 @@ int allow_severity;
|
||||
int deny_severity;
|
||||
#endif /* LIBWRAP */
|
||||
diff -up openssh-5.8p1/sshd.c.gsskex openssh-5.8p1/sshd.c
|
||||
--- openssh-5.8p1/sshd.c.gsskex 2011-02-14 14:47:02.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-14 15:11:56.000000000 +0100
|
||||
@@ -123,6 +123,10 @@
|
||||
#include "audit.h"
|
||||
#include "version.h"
|
||||
|
||||
+#ifdef USE_SECURITY_SESSION_API
|
||||
+#include <Security/AuthSession.h>
|
||||
+#endif
|
||||
+
|
||||
#ifndef O_NOCTTY
|
||||
#define O_NOCTTY 0
|
||||
#endif
|
||||
@@ -1603,10 +1607,13 @@ main(int ac, char **av)
|
||||
#ifdef LIBWRAP
|
||||
#include <tcpd.h>
|
||||
#include <syslog.h>
|
||||
@@ -1609,10 +1613,13 @@ main(int ac, char **av)
|
||||
logit("Disabling protocol version 1. Could not load host key");
|
||||
options.protocol &= ~SSH_PROTO_1;
|
||||
}
|
||||
@ -2656,7 +2714,7 @@ diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c
|
||||
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
|
||||
logit("sshd: no hostkeys available -- exiting.");
|
||||
exit(1);
|
||||
@@ -1939,6 +1946,60 @@ main(int ac, char **av)
|
||||
@@ -1945,6 +1952,60 @@ main(int ac, char **av)
|
||||
/* Log the connection. */
|
||||
verbose("Connection from %.500s port %d", remote_ip, remote_port);
|
||||
|
||||
@ -2717,7 +2775,7 @@ diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c
|
||||
/*
|
||||
* We don't want to listen forever unless the other side
|
||||
* successfully authenticates itself. So we set up an alarm which is
|
||||
@@ -2335,12 +2396,61 @@ do_ssh2_kex(void)
|
||||
@@ -2347,6 +2408,48 @@ do_ssh2_kex(void)
|
||||
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
|
||||
|
||||
@ -2766,9 +2824,10 @@ diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c
|
||||
/* start key exchange */
|
||||
kex = kex_setup(myproposal);
|
||||
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
|
||||
kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
|
||||
@@ -2354,6 +2457,13 @@ do_ssh2_kex(void)
|
||||
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
|
||||
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
|
||||
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
|
||||
+#ifdef GSSAPI
|
||||
+ if (options.gss_keyex) {
|
||||
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
|
||||
@ -2779,10 +2838,10 @@ diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c
|
||||
kex->server = 1;
|
||||
kex->client_version_string=client_version_string;
|
||||
kex->server_version_string=server_version_string;
|
||||
diff -up openssh-5.6p1/sshd_config.5.gsskex openssh-5.6p1/sshd_config.5
|
||||
--- openssh-5.6p1/sshd_config.5.gsskex 2011-01-24 23:51:08.000000000 +0100
|
||||
+++ openssh-5.6p1/sshd_config.5 2011-01-24 23:51:09.000000000 +0100
|
||||
@@ -424,12 +424,40 @@ Specifies whether user authentication ba
|
||||
diff -up openssh-5.8p1/sshd_config.5.gsskex openssh-5.8p1/sshd_config.5
|
||||
--- openssh-5.8p1/sshd_config.5.gsskex 2011-02-14 14:47:02.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd_config.5 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -423,12 +423,40 @@ Specifies whether user authentication ba
|
||||
The default is
|
||||
.Dq no .
|
||||
Note that this option applies to protocol version 2 only.
|
||||
@ -2823,10 +2882,10 @@ diff -up openssh-5.6p1/sshd_config.5.gsskex openssh-5.6p1/sshd_config.5
|
||||
.It Cm HostbasedAuthentication
|
||||
Specifies whether rhosts or /etc/hosts.equiv authentication together
|
||||
with successful public key client host authentication is allowed
|
||||
diff -up openssh-5.6p1/sshd_config.gsskex openssh-5.6p1/sshd_config
|
||||
--- openssh-5.6p1/sshd_config.gsskex 2011-01-24 23:51:08.000000000 +0100
|
||||
+++ openssh-5.6p1/sshd_config 2011-01-24 23:51:09.000000000 +0100
|
||||
@@ -78,6 +78,8 @@ ChallengeResponseAuthentication no
|
||||
diff -up openssh-5.8p1/sshd_config.gsskex openssh-5.8p1/sshd_config
|
||||
--- openssh-5.8p1/sshd_config.gsskex 2011-02-14 14:47:02.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd_config 2011-02-14 15:12:38.000000000 +0100
|
||||
@@ -80,6 +80,8 @@ ChallengeResponseAuthentication no
|
||||
GSSAPIAuthentication yes
|
||||
#GSSAPICleanupCredentials yes
|
||||
GSSAPICleanupCredentials yes
|
||||
@ -2835,9 +2894,9 @@ diff -up openssh-5.6p1/sshd_config.gsskex openssh-5.6p1/sshd_config
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
diff -up openssh-5.6p1/ssh-gss.h.gsskex openssh-5.6p1/ssh-gss.h
|
||||
--- openssh-5.6p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200
|
||||
+++ openssh-5.6p1/ssh-gss.h 2011-01-24 23:51:09.000000000 +0100
|
||||
diff -up openssh-5.8p1/ssh-gss.h.gsskex openssh-5.8p1/ssh-gss.h
|
||||
--- openssh-5.8p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200
|
||||
+++ openssh-5.8p1/ssh-gss.h 2011-02-14 14:47:02.000000000 +0100
|
||||
@@ -1,6 +1,6 @@
|
||||
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
|
||||
/*
|
||||
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.6p1/auth-krb5.c.kuserok openssh-5.6p1/auth-krb5.c
|
||||
--- openssh-5.6p1/auth-krb5.c.kuserok 2010-11-15 10:08:05.000000000 +0100
|
||||
+++ openssh-5.6p1/auth-krb5.c 2010-11-15 10:11:02.000000000 +0100
|
||||
diff -up openssh-5.8p1/auth-krb5.c.kuserok openssh-5.8p1/auth-krb5.c
|
||||
--- openssh-5.8p1/auth-krb5.c.kuserok 2009-12-21 00:49:22.000000000 +0100
|
||||
+++ openssh-5.8p1/auth-krb5.c 2011-02-14 09:15:12.000000000 +0100
|
||||
@@ -54,6 +54,20 @@
|
||||
|
||||
extern ServerOptions options;
|
||||
@ -31,9 +31,9 @@ diff -up openssh-5.6p1/auth-krb5.c.kuserok openssh-5.6p1/auth-krb5.c
|
||||
problem = -1;
|
||||
goto out;
|
||||
}
|
||||
diff -up openssh-5.6p1/gss-serv-krb5.c.kuserok openssh-5.6p1/gss-serv-krb5.c
|
||||
--- openssh-5.6p1/gss-serv-krb5.c.kuserok 2010-11-15 10:08:05.000000000 +0100
|
||||
+++ openssh-5.6p1/gss-serv-krb5.c 2010-11-15 10:12:35.000000000 +0100
|
||||
diff -up openssh-5.8p1/gss-serv-krb5.c.kuserok openssh-5.8p1/gss-serv-krb5.c
|
||||
--- openssh-5.8p1/gss-serv-krb5.c.kuserok 2006-09-01 07:38:36.000000000 +0200
|
||||
+++ openssh-5.8p1/gss-serv-krb5.c 2011-02-14 09:15:12.000000000 +0100
|
||||
@@ -57,6 +57,7 @@ extern ServerOptions options;
|
||||
#endif
|
||||
|
||||
@ -51,18 +51,18 @@ diff -up openssh-5.6p1/gss-serv-krb5.c.kuserok openssh-5.6p1/gss-serv-krb5.c
|
||||
retval = 1;
|
||||
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
|
||||
name, (char *)client->displayname.value);
|
||||
diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c
|
||||
--- openssh-5.6p1/servconf.c.kuserok 2010-11-15 10:08:05.000000000 +0100
|
||||
+++ openssh-5.6p1/servconf.c 2010-11-15 10:08:05.000000000 +0100
|
||||
@@ -138,6 +138,7 @@ initialize_server_options(ServerOptions
|
||||
options->revoked_keys_file = NULL;
|
||||
options->trusted_user_ca_keys = NULL;
|
||||
diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
|
||||
--- openssh-5.8p1/servconf.c.kuserok 2011-02-14 09:15:12.000000000 +0100
|
||||
+++ openssh-5.8p1/servconf.c 2011-02-14 09:20:22.000000000 +0100
|
||||
@@ -142,6 +142,7 @@ initialize_server_options(ServerOptions
|
||||
options->authorized_principals_file = NULL;
|
||||
options->ip_qos_interactive = -1;
|
||||
options->ip_qos_bulk = -1;
|
||||
+ options->use_kuserok = -1;
|
||||
}
|
||||
|
||||
void
|
||||
@@ -286,6 +287,8 @@ fill_default_server_options(ServerOption
|
||||
@@ -291,6 +292,8 @@ fill_default_server_options(ServerOption
|
||||
if (use_privsep == -1)
|
||||
use_privsep = 1;
|
||||
|
||||
@ -71,7 +71,7 @@ diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c
|
||||
#ifndef HAVE_MMAP
|
||||
if (use_privsep && options->compression == 1) {
|
||||
error("This platform does not support both privilege "
|
||||
@@ -307,7 +310,7 @@ typedef enum {
|
||||
@@ -312,7 +315,7 @@ typedef enum {
|
||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||
@ -80,7 +80,7 @@ diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c
|
||||
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||
sListenAddress, sAddressFamily,
|
||||
@@ -377,11 +380,13 @@ static struct {
|
||||
@@ -381,11 +384,13 @@ static struct {
|
||||
#else
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
@ -105,15 +105,15 @@ diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c
|
||||
case sPermitOpen:
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
@@ -1525,6 +1534,7 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(x11_use_localhost);
|
||||
M_CP_INTOPT(max_sessions);
|
||||
@@ -1544,6 +1553,7 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(max_authtries);
|
||||
M_CP_INTOPT(ip_qos_interactive);
|
||||
M_CP_INTOPT(ip_qos_bulk);
|
||||
+ M_CP_INTOPT(use_kuserok);
|
||||
|
||||
M_CP_STROPT(banner);
|
||||
if (preauth)
|
||||
@@ -1745,6 +1755,7 @@ dump_config(ServerOptions *o)
|
||||
@@ -1764,6 +1774,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
@ -121,9 +121,9 @@ diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c
|
||||
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
diff -up openssh-5.6p1/servconf.h.kuserok openssh-5.6p1/servconf.h
|
||||
--- openssh-5.6p1/servconf.h.kuserok 2010-11-15 10:08:05.000000000 +0100
|
||||
+++ openssh-5.6p1/servconf.h 2010-11-15 10:08:05.000000000 +0100
|
||||
diff -up openssh-5.8p1/servconf.h.kuserok openssh-5.8p1/servconf.h
|
||||
--- openssh-5.8p1/servconf.h.kuserok 2011-02-14 09:15:12.000000000 +0100
|
||||
+++ openssh-5.8p1/servconf.h 2011-02-14 09:15:12.000000000 +0100
|
||||
@@ -157,6 +157,7 @@ typedef struct {
|
||||
|
||||
int num_permitted_opens;
|
||||
@ -132,10 +132,10 @@ diff -up openssh-5.6p1/servconf.h.kuserok openssh-5.6p1/servconf.h
|
||||
char *chroot_directory;
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
diff -up openssh-5.6p1/sshd_config.5.kuserok openssh-5.6p1/sshd_config.5
|
||||
--- openssh-5.6p1/sshd_config.5.kuserok 2010-11-15 10:08:05.000000000 +0100
|
||||
+++ openssh-5.6p1/sshd_config.5 2010-11-15 10:08:05.000000000 +0100
|
||||
@@ -564,6 +564,10 @@ Specifies whether to automatically destr
|
||||
diff -up openssh-5.8p1/sshd_config.5.kuserok openssh-5.8p1/sshd_config.5
|
||||
--- openssh-5.8p1/sshd_config.5.kuserok 2011-02-14 09:15:12.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd_config.5 2011-02-14 09:17:11.000000000 +0100
|
||||
@@ -574,6 +574,10 @@ Specifies whether to automatically destr
|
||||
file on logout.
|
||||
The default is
|
||||
.Dq yes .
|
||||
@ -143,10 +143,10 @@ diff -up openssh-5.6p1/sshd_config.5.kuserok openssh-5.6p1/sshd_config.5
|
||||
+Specifies whether to look at .k5login file for user's aliases.
|
||||
+The default is
|
||||
+.Dq yes .
|
||||
.It Cm KeyRegenerationInterval
|
||||
In protocol version 1, the ephemeral server key is automatically regenerated
|
||||
after this many seconds (if it has been used).
|
||||
@@ -694,6 +698,7 @@ Available keywords are
|
||||
.It Cm KexAlgorithms
|
||||
Specifies the available KEX (Key Exchange) algorithms.
|
||||
Multiple algorithms must be comma-separated.
|
||||
@@ -715,6 +719,7 @@ Available keywords are
|
||||
.Cm HostbasedUsesNameFromPacketOnly ,
|
||||
.Cm KbdInteractiveAuthentication ,
|
||||
.Cm KerberosAuthentication ,
|
||||
@ -154,10 +154,10 @@ diff -up openssh-5.6p1/sshd_config.5.kuserok openssh-5.6p1/sshd_config.5
|
||||
.Cm MaxAuthTries ,
|
||||
.Cm MaxSessions ,
|
||||
.Cm PubkeyAuthentication ,
|
||||
diff -up openssh-5.6p1/sshd_config.kuserok openssh-5.6p1/sshd_config
|
||||
--- openssh-5.6p1/sshd_config.kuserok 2010-11-15 10:08:05.000000000 +0100
|
||||
+++ openssh-5.6p1/sshd_config 2010-11-15 10:08:05.000000000 +0100
|
||||
@@ -72,6 +72,7 @@ ChallengeResponseAuthentication no
|
||||
diff -up openssh-5.8p1/sshd_config.kuserok openssh-5.8p1/sshd_config
|
||||
--- openssh-5.8p1/sshd_config.kuserok 2011-02-14 09:15:12.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd_config 2011-02-14 09:15:12.000000000 +0100
|
||||
@@ -73,6 +73,7 @@ ChallengeResponseAuthentication no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
#KerberosGetAFSToken no
|
||||
@ -1,18 +1,7 @@
|
||||
diff -up openssh-5.6p1/configure.ac.mls openssh-5.6p1/configure.ac
|
||||
--- openssh-5.6p1/configure.ac.mls 2010-08-23 12:11:36.000000000 +0200
|
||||
+++ openssh-5.6p1/configure.ac 2010-08-23 12:11:36.000000000 +0200
|
||||
@@ -3390,6 +3390,7 @@ AC_ARG_WITH(selinux,
|
||||
SSHDLIBS="$SSHDLIBS $LIBSELINUX"
|
||||
LIBS="$LIBS $LIBSELINUX"
|
||||
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
|
||||
+ AC_CHECK_FUNCS(setkeycreatecon)
|
||||
LIBS="$save_LIBS"
|
||||
fi ]
|
||||
)
|
||||
diff -up openssh-5.6p1/misc.c.mls openssh-5.6p1/misc.c
|
||||
--- openssh-5.6p1/misc.c.mls 2010-08-03 08:05:05.000000000 +0200
|
||||
+++ openssh-5.6p1/misc.c 2010-08-23 12:14:16.000000000 +0200
|
||||
@@ -424,6 +424,7 @@ char *
|
||||
diff -up openssh-5.8p1/misc.c.mls openssh-5.8p1/misc.c
|
||||
--- openssh-5.8p1/misc.c.mls 2011-01-13 02:21:36.000000000 +0100
|
||||
+++ openssh-5.8p1/misc.c 2011-02-12 15:05:06.000000000 +0100
|
||||
@@ -427,6 +427,7 @@ char *
|
||||
colon(char *cp)
|
||||
{
|
||||
int flag = 0;
|
||||
@ -20,7 +9,7 @@ diff -up openssh-5.6p1/misc.c.mls openssh-5.6p1/misc.c
|
||||
|
||||
if (*cp == ':') /* Leading colon is part of file name. */
|
||||
return NULL;
|
||||
@@ -439,6 +440,13 @@ colon(char *cp)
|
||||
@@ -442,6 +443,13 @@ colon(char *cp)
|
||||
return (cp);
|
||||
if (*cp == '/')
|
||||
return NULL;
|
||||
@ -34,15 +23,10 @@ diff -up openssh-5.6p1/misc.c.mls openssh-5.6p1/misc.c
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
diff -up openssh-5.6p1/openbsd-compat/port-linux.c.mls openssh-5.6p1/openbsd-compat/port-linux.c
|
||||
--- openssh-5.6p1/openbsd-compat/port-linux.c.mls 2010-08-23 12:11:36.000000000 +0200
|
||||
+++ openssh-5.6p1/openbsd-compat/port-linux.c 2010-08-23 12:11:37.000000000 +0200
|
||||
@@ -35,13 +35,24 @@
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
+#include "xmalloc.h"
|
||||
|
||||
diff -up openssh-5.8p1/openbsd-compat/port-linux.c.mls openssh-5.8p1/openbsd-compat/port-linux.c
|
||||
--- openssh-5.8p1/openbsd-compat/port-linux.c.mls 2011-02-12 15:05:06.000000000 +0100
|
||||
+++ openssh-5.8p1/openbsd-compat/port-linux.c 2011-02-12 15:09:23.000000000 +0100
|
||||
@@ -40,13 +40,164 @@
|
||||
#ifdef WITH_SELINUX
|
||||
#include <selinux/selinux.h>
|
||||
#include <selinux/flask.h>
|
||||
@ -56,15 +40,10 @@ diff -up openssh-5.6p1/openbsd-compat/port-linux.c.mls openssh-5.6p1/openbsd-com
|
||||
+#include <unistd.h>
|
||||
+#endif
|
||||
|
||||
extern ServerOptions options;
|
||||
extern Authctxt *the_authctxt;
|
||||
+extern int inetd_flag;
|
||||
+extern int rexeced_flag;
|
||||
|
||||
/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||
int
|
||||
@@ -57,17 +68,173 @@ ssh_selinux_enabled(void)
|
||||
return (enabled);
|
||||
}
|
||||
extern int inetd_flag;
|
||||
extern int rexeced_flag;
|
||||
|
||||
+/* Send audit message */
|
||||
+static int
|
||||
@ -80,8 +59,8 @@ diff -up openssh-5.6p1/openbsd-compat/port-linux.c.mls openssh-5.6p1/openbsd-com
|
||||
+ rc = -1;
|
||||
+ if (audit_fd < 0) {
|
||||
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
|
||||
+ errno == EAFNOSUPPORT)
|
||||
+ return 0; /* No audit support in kernel */
|
||||
+ errno == EAFNOSUPPORT)
|
||||
+ return 0; /* No audit support in kernel */
|
||||
+ error("Error connecting to audit system.");
|
||||
+ return rc;
|
||||
+ }
|
||||
@ -204,11 +183,17 @@ diff -up openssh-5.6p1/openbsd-compat/port-linux.c.mls openssh-5.6p1/openbsd-com
|
||||
+#endif
|
||||
+ return 0;
|
||||
+ out:
|
||||
+ freecon(*sc);
|
||||
+ *sc = NULL;
|
||||
+ return -1;
|
||||
+ freecon(*sc);
|
||||
+ *sc = NULL;
|
||||
+ return -1;
|
||||
+}
|
||||
+
|
||||
static void
|
||||
ssh_selinux_get_role_level(char **role, const char **level)
|
||||
{
|
||||
@@ -65,14 +216,16 @@ ssh_selinux_get_role_level(char **role,
|
||||
}
|
||||
|
||||
/* Return the default security context for the given username */
|
||||
-static security_context_t
|
||||
-ssh_selinux_getctxbyname(char *pwname)
|
||||
@ -216,33 +201,16 @@ diff -up openssh-5.6p1/openbsd-compat/port-linux.c.mls openssh-5.6p1/openbsd-com
|
||||
+ssh_selinux_getctxbyname(char *pwname,
|
||||
+ security_context_t *default_sc, security_context_t *user_sc)
|
||||
{
|
||||
- security_context_t sc = NULL;
|
||||
security_context_t sc = NULL;
|
||||
char *sename, *lvl;
|
||||
+ const char *reqlvl = NULL;
|
||||
char *role = NULL;
|
||||
- int r = 0;
|
||||
+ int r = -1;
|
||||
+ context_t con = NULL;
|
||||
+
|
||||
+ *default_sc = NULL;
|
||||
+ *user_sc = NULL;
|
||||
+ if (the_authctxt) {
|
||||
+ if (the_authctxt->role != NULL) {
|
||||
+ char *slash;
|
||||
+ role = xstrdup(the_authctxt->role);
|
||||
+ if ((slash = strchr(role, '/')) != NULL) {
|
||||
+ *slash = '\0';
|
||||
+ reqlvl = slash + 1;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
char *role;
|
||||
const char *reqlvl;
|
||||
int r = 0;
|
||||
+ context_t con;
|
||||
|
||||
- if (the_authctxt)
|
||||
- role=the_authctxt->role;
|
||||
ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
#ifdef HAVE_GETSEUSERBYNAME
|
||||
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
|
||||
sename = NULL;
|
||||
@@ -75,38 +242,63 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
@@ -82,38 +235,63 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
}
|
||||
#else
|
||||
sename = pwname;
|
||||
@ -328,29 +296,31 @@ diff -up openssh-5.6p1/openbsd-compat/port-linux.c.mls openssh-5.6p1/openbsd-com
|
||||
|
||||
#ifdef HAVE_GETSEUSERBYNAME
|
||||
if (sename != NULL)
|
||||
@@ -114,14 +306,20 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
@@ -121,8 +299,12 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
if (lvl != NULL)
|
||||
xfree(lvl);
|
||||
#endif
|
||||
-
|
||||
- return (sc);
|
||||
+ if (role != NULL)
|
||||
+ xfree(role);
|
||||
+ if (con)
|
||||
+ context_free(con);
|
||||
|
||||
- return (sc);
|
||||
+
|
||||
+ return (r);
|
||||
}
|
||||
|
||||
/* Set the execution context to the default for the specified user */
|
||||
void
|
||||
/* Setup environment variables for pam_selinux */
|
||||
@@ -160,6 +342,8 @@ void
|
||||
ssh_selinux_setup_exec_context(char *pwname)
|
||||
{
|
||||
security_context_t user_ctx = NULL;
|
||||
+ int r = 0;
|
||||
+ security_context_t default_ctx = NULL;
|
||||
security_context_t user_ctx = NULL;
|
||||
|
||||
if (!ssh_selinux_enabled())
|
||||
@@ -129,22 +327,45 @@ ssh_selinux_setup_exec_context(char *pwn
|
||||
return;
|
||||
@@ -184,22 +368,45 @@ ssh_selinux_setup_exec_context(char *pwn
|
||||
|
||||
debug3("%s: setting execution context", __func__);
|
||||
|
||||
@ -403,7 +373,7 @@ diff -up openssh-5.6p1/openbsd-compat/port-linux.c.mls openssh-5.6p1/openbsd-com
|
||||
|
||||
debug3("%s: done", __func__);
|
||||
}
|
||||
@@ -162,7 +383,10 @@ ssh_selinux_setup_pty(char *pwname, cons
|
||||
@@ -217,7 +424,10 @@ ssh_selinux_setup_pty(char *pwname, cons
|
||||
|
||||
debug3("%s: setting TTY context on %s", __func__, tty);
|
||||
|
||||
@ -415,10 +385,10 @@ diff -up openssh-5.6p1/openbsd-compat/port-linux.c.mls openssh-5.6p1/openbsd-com
|
||||
|
||||
/* XXX: should these calls fatal() upon failure in enforcing mode? */
|
||||
|
||||
diff -up openssh-5.6p1/sshd.c.mls openssh-5.6p1/sshd.c
|
||||
--- openssh-5.6p1/sshd.c.mls 2010-08-23 12:11:36.000000000 +0200
|
||||
+++ openssh-5.6p1/sshd.c 2010-08-23 12:11:37.000000000 +0200
|
||||
@@ -1997,6 +1997,9 @@ main(int ac, char **av)
|
||||
diff -up openssh-5.8p1/sshd.c.mls openssh-5.8p1/sshd.c
|
||||
--- openssh-5.8p1/sshd.c.mls 2011-02-12 15:05:05.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-12 15:05:06.000000000 +0100
|
||||
@@ -2011,6 +2011,9 @@ main(int ac, char **av)
|
||||
restore_uid();
|
||||
}
|
||||
#endif
|
||||
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.4p1/auth-pam.c.pam_selinux openssh-5.4p1/auth-pam.c
|
||||
--- openssh-5.4p1/auth-pam.c.pam_selinux 2009-07-12 14:07:21.000000000 +0200
|
||||
+++ openssh-5.4p1/auth-pam.c 2010-03-01 15:27:23.000000000 +0100
|
||||
diff -up openssh-5.8p1/auth-pam.c.pam_selinux openssh-5.8p1/auth-pam.c
|
||||
--- openssh-5.8p1/auth-pam.c.pam_selinux 2009-07-12 14:07:21.000000000 +0200
|
||||
+++ openssh-5.8p1/auth-pam.c 2011-02-12 10:49:57.000000000 +0100
|
||||
@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
|
||||
* during the ssh authentication process.
|
||||
*/
|
||||
@ -10,9 +10,9 @@ diff -up openssh-5.4p1/auth-pam.c.pam_selinux openssh-5.4p1/auth-pam.c
|
||||
{
|
||||
int ret = 1;
|
||||
#ifdef HAVE_PAM_PUTENV
|
||||
diff -up openssh-5.4p1/auth-pam.h.pam_selinux openssh-5.4p1/auth-pam.h
|
||||
--- openssh-5.4p1/auth-pam.h.pam_selinux 2004-09-11 14:17:26.000000000 +0200
|
||||
+++ openssh-5.4p1/auth-pam.h 2010-03-01 15:27:23.000000000 +0100
|
||||
diff -up openssh-5.8p1/auth-pam.h.pam_selinux openssh-5.8p1/auth-pam.h
|
||||
--- openssh-5.8p1/auth-pam.h.pam_selinux 2004-09-11 14:17:26.000000000 +0200
|
||||
+++ openssh-5.8p1/auth-pam.h 2011-02-12 10:49:57.000000000 +0100
|
||||
@@ -38,7 +38,7 @@ void do_pam_session(void);
|
||||
void do_pam_set_tty(const char *);
|
||||
void do_pam_setcred(int );
|
||||
@ -22,9 +22,9 @@ diff -up openssh-5.4p1/auth-pam.h.pam_selinux openssh-5.4p1/auth-pam.h
|
||||
char ** fetch_pam_environment(void);
|
||||
char ** fetch_pam_child_environment(void);
|
||||
void free_pam_environment(char **);
|
||||
diff -up openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.4p1/openbsd-compat/port-linux.c
|
||||
--- openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux 2010-03-01 15:27:22.000000000 +0100
|
||||
+++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:27:53.000000000 +0100
|
||||
diff -up openssh-5.8p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.8p1/openbsd-compat/port-linux.c
|
||||
--- openssh-5.8p1/openbsd-compat/port-linux.c.pam_selinux 2011-02-12 10:49:57.000000000 +0100
|
||||
+++ openssh-5.8p1/openbsd-compat/port-linux.c 2011-02-12 10:55:52.000000000 +0100
|
||||
@@ -36,6 +36,7 @@
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
@ -41,8 +41,8 @@ diff -up openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.4p1/ope
|
||||
extern Authctxt *the_authctxt;
|
||||
extern int inetd_flag;
|
||||
extern int rexeced_flag;
|
||||
@@ -211,29 +213,38 @@ get_user_context(const char *sename, con
|
||||
return -1;
|
||||
@@ -197,29 +199,38 @@ get_user_context(const char *sename, con
|
||||
return -1;
|
||||
}
|
||||
|
||||
+static void
|
||||
@ -92,7 +92,7 @@ diff -up openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.4p1/ope
|
||||
|
||||
#ifdef HAVE_GETSEUSERBYNAME
|
||||
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
|
||||
@@ -314,6 +325,36 @@ ssh_selinux_getctxbyname(char *pwname,
|
||||
@@ -300,6 +311,36 @@ ssh_selinux_getctxbyname(char *pwname,
|
||||
return (r);
|
||||
}
|
||||
|
||||
@ -129,7 +129,7 @@ diff -up openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.4p1/ope
|
||||
/* Set the execution context to the default for the specified user */
|
||||
void
|
||||
ssh_selinux_setup_exec_context(char *pwname)
|
||||
@@ -325,6 +366,24 @@ ssh_selinux_setup_exec_context(char *pwn
|
||||
@@ -311,6 +352,24 @@ ssh_selinux_setup_exec_context(char *pwn
|
||||
if (!ssh_selinux_enabled())
|
||||
return;
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
diff -up openssh-5.3p1/entropy.c.randclean openssh-5.3p1/entropy.c
|
||||
--- openssh-5.3p1/entropy.c.randclean 2010-01-21 09:26:30.000000000 +0100
|
||||
+++ openssh-5.3p1/entropy.c 2010-01-21 09:26:37.000000000 +0100
|
||||
diff -up openssh-5.8p1/entropy.c.randclean openssh-5.8p1/entropy.c
|
||||
--- openssh-5.8p1/entropy.c.randclean 2011-01-13 11:05:29.000000000 +0100
|
||||
+++ openssh-5.8p1/entropy.c 2011-02-14 00:26:31.000000000 +0100
|
||||
@@ -159,6 +159,9 @@ init_rng(void)
|
||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
||||
"have %lx", OPENSSL_VERSION_NUMBER, SSLeay());
|
||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
||||
|
||||
+ /* clean the PRNG status when exiting the program */
|
||||
+ atexit(RAND_cleanup);
|
||||
611
openssh-5.8p1-selinux-role.patch
Normal file
611
openssh-5.8p1-selinux-role.patch
Normal file
@ -0,0 +1,611 @@
|
||||
diff -up openssh-5.8p1/auth1.c.role openssh-5.8p1/auth1.c
|
||||
--- openssh-5.8p1/auth1.c.role 2010-08-31 14:36:39.000000000 +0200
|
||||
+++ openssh-5.8p1/auth1.c 2011-02-12 14:34:11.000000000 +0100
|
||||
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
|
||||
{
|
||||
u_int ulen;
|
||||
char *user, *style = NULL;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ char *role=NULL;
|
||||
+#endif
|
||||
|
||||
/* Get the name of the user that we wish to log in as. */
|
||||
packet_read_expect(SSH_CMSG_USER);
|
||||
@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt)
|
||||
user = packet_get_cstring(&ulen);
|
||||
packet_check_eom();
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if ((role = strchr(user, '/')) != NULL)
|
||||
+ *role++ = '\0';
|
||||
+#endif
|
||||
+
|
||||
if ((style = strchr(user, ':')) != NULL)
|
||||
*style++ = '\0';
|
||||
+#ifdef WITH_SELINUX
|
||||
+ else
|
||||
+ if (role && (style = strchr(role, ':')) != NULL)
|
||||
+ *style++ = '\0';
|
||||
+#endif
|
||||
|
||||
authctxt->user = user;
|
||||
authctxt->style = style;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ authctxt->role = role;
|
||||
+#endif
|
||||
|
||||
/* Verify that the user is a valid user. */
|
||||
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
|
||||
diff -up openssh-5.8p1/auth2.c.role openssh-5.8p1/auth2.c
|
||||
--- openssh-5.8p1/auth2.c.role 2010-08-31 14:36:39.000000000 +0200
|
||||
+++ openssh-5.8p1/auth2.c 2011-02-12 14:34:11.000000000 +0100
|
||||
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
|
||||
Authctxt *authctxt = ctxt;
|
||||
Authmethod *m = NULL;
|
||||
char *user, *service, *method, *style = NULL;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ char *role = NULL;
|
||||
+#endif
|
||||
int authenticated = 0;
|
||||
|
||||
if (authctxt == NULL)
|
||||
@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32
|
||||
debug("userauth-request for user %s service %s method %s", user, service, method);
|
||||
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if ((role = strchr(user, '/')) != NULL)
|
||||
+ *role++ = 0;
|
||||
+#endif
|
||||
+
|
||||
if ((style = strchr(user, ':')) != NULL)
|
||||
*style++ = 0;
|
||||
|
||||
@@ -252,8 +260,15 @@ input_userauth_request(int type, u_int32
|
||||
use_privsep ? " [net]" : "");
|
||||
authctxt->service = xstrdup(service);
|
||||
authctxt->style = style ? xstrdup(style) : NULL;
|
||||
- if (use_privsep)
|
||||
+#ifdef WITH_SELINUX
|
||||
+ authctxt->role = role ? xstrdup(role) : NULL;
|
||||
+#endif
|
||||
+ if (use_privsep) {
|
||||
mm_inform_authserv(service, style);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ mm_inform_authrole(role);
|
||||
+#endif
|
||||
+ }
|
||||
userauth_banner();
|
||||
} else if (strcmp(user, authctxt->user) != 0 ||
|
||||
strcmp(service, authctxt->service) != 0) {
|
||||
diff -up openssh-5.8p1/auth2-gss.c.role openssh-5.8p1/auth2-gss.c
|
||||
--- openssh-5.8p1/auth2-gss.c.role 2007-12-02 12:59:45.000000000 +0100
|
||||
+++ openssh-5.8p1/auth2-gss.c 2011-02-12 14:34:11.000000000 +0100
|
||||
@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
Authctxt *authctxt = ctxt;
|
||||
Gssctxt *gssctxt;
|
||||
int authenticated = 0;
|
||||
+ char *micuser;
|
||||
Buffer b;
|
||||
gss_buffer_desc mic, gssbuf;
|
||||
u_int len;
|
||||
@@ -270,7 +271,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
mic.value = packet_get_string(&len);
|
||||
mic.length = len;
|
||||
|
||||
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role && (strlen(authctxt->role) > 0))
|
||||
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
|
||||
+ else
|
||||
+#endif
|
||||
+ micuser = authctxt->user;
|
||||
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
|
||||
"gssapi-with-mic");
|
||||
|
||||
gssbuf.value = buffer_ptr(&b);
|
||||
@@ -282,6 +289,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
logit("GSSAPI MIC check failed");
|
||||
|
||||
buffer_free(&b);
|
||||
+ if (micuser != authctxt->user)
|
||||
+ xfree(micuser);
|
||||
xfree(mic.value);
|
||||
|
||||
authctxt->postponed = 0;
|
||||
diff -up openssh-5.8p1/auth2-hostbased.c.role openssh-5.8p1/auth2-hostbased.c
|
||||
--- openssh-5.8p1/auth2-hostbased.c.role 2011-02-12 14:34:10.000000000 +0100
|
||||
+++ openssh-5.8p1/auth2-hostbased.c 2011-02-12 14:34:11.000000000 +0100
|
||||
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
buffer_put_string(&b, session_id2, session_id2_len);
|
||||
/* reconstruct packet */
|
||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||
- buffer_put_cstring(&b, authctxt->user);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role) {
|
||||
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
|
||||
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
|
||||
+ buffer_put_char(&b, '/');
|
||||
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
|
||||
+ } else
|
||||
+#endif
|
||||
+ buffer_put_cstring(&b, authctxt->user);
|
||||
buffer_put_cstring(&b, service);
|
||||
buffer_put_cstring(&b, "hostbased");
|
||||
buffer_put_string(&b, pkalg, alen);
|
||||
diff -up openssh-5.8p1/auth2-pubkey.c.role openssh-5.8p1/auth2-pubkey.c
|
||||
--- openssh-5.8p1/auth2-pubkey.c.role 2011-02-12 14:34:11.000000000 +0100
|
||||
+++ openssh-5.8p1/auth2-pubkey.c 2011-02-12 14:34:11.000000000 +0100
|
||||
@@ -122,7 +122,15 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
}
|
||||
/* reconstruct packet */
|
||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||
- buffer_put_cstring(&b, authctxt->user);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role) {
|
||||
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
|
||||
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
|
||||
+ buffer_put_char(&b, '/');
|
||||
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
|
||||
+ } else
|
||||
+#endif
|
||||
+ buffer_put_cstring(&b, authctxt->user);
|
||||
buffer_put_cstring(&b,
|
||||
datafellows & SSH_BUG_PKSERVICE ?
|
||||
"ssh-userauth" :
|
||||
diff -up openssh-5.8p1/auth.h.role openssh-5.8p1/auth.h
|
||||
--- openssh-5.8p1/auth.h.role 2011-02-12 14:34:10.000000000 +0100
|
||||
+++ openssh-5.8p1/auth.h 2011-02-12 14:34:11.000000000 +0100
|
||||
@@ -58,6 +58,9 @@ struct Authctxt {
|
||||
char *service;
|
||||
struct passwd *pw; /* set if 'valid' */
|
||||
char *style;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ char *role;
|
||||
+#endif
|
||||
void *kbdintctxt;
|
||||
void *jpake_ctx;
|
||||
#ifdef BSD_AUTH
|
||||
diff -up openssh-5.8p1/auth-pam.c.role openssh-5.8p1/auth-pam.c
|
||||
--- openssh-5.8p1/auth-pam.c.role 2009-07-12 14:07:21.000000000 +0200
|
||||
+++ openssh-5.8p1/auth-pam.c 2011-02-12 14:34:11.000000000 +0100
|
||||
@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
|
||||
* during the ssh authentication process.
|
||||
*/
|
||||
int
|
||||
-do_pam_putenv(char *name, char *value)
|
||||
+do_pam_putenv(char *name, const char *value)
|
||||
{
|
||||
int ret = 1;
|
||||
#ifdef HAVE_PAM_PUTENV
|
||||
diff -up openssh-5.8p1/auth-pam.h.role openssh-5.8p1/auth-pam.h
|
||||
--- openssh-5.8p1/auth-pam.h.role 2004-09-11 14:17:26.000000000 +0200
|
||||
+++ openssh-5.8p1/auth-pam.h 2011-02-12 14:34:11.000000000 +0100
|
||||
@@ -38,7 +38,7 @@ void do_pam_session(void);
|
||||
void do_pam_set_tty(const char *);
|
||||
void do_pam_setcred(int );
|
||||
void do_pam_chauthtok(void);
|
||||
-int do_pam_putenv(char *, char *);
|
||||
+int do_pam_putenv(char *, const char *);
|
||||
char ** fetch_pam_environment(void);
|
||||
char ** fetch_pam_child_environment(void);
|
||||
void free_pam_environment(char **);
|
||||
diff -up openssh-5.8p1/monitor.c.role openssh-5.8p1/monitor.c
|
||||
--- openssh-5.8p1/monitor.c.role 2011-02-12 14:34:11.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-12 14:34:11.000000000 +0100
|
||||
@@ -138,6 +138,9 @@ int mm_answer_sign(int, Buffer *);
|
||||
int mm_answer_pwnamallow(int, Buffer *);
|
||||
int mm_answer_auth2_read_banner(int, Buffer *);
|
||||
int mm_answer_authserv(int, Buffer *);
|
||||
+#ifdef WITH_SELINUX
|
||||
+int mm_answer_authrole(int, Buffer *);
|
||||
+#endif
|
||||
int mm_answer_authpassword(int, Buffer *);
|
||||
int mm_answer_bsdauthquery(int, Buffer *);
|
||||
int mm_answer_bsdauthrespond(int, Buffer *);
|
||||
@@ -218,6 +221,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||
+#ifdef WITH_SELINUX
|
||||
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
|
||||
+#endif
|
||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||
#ifdef USE_PAM
|
||||
@@ -703,6 +709,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
|
||||
else {
|
||||
/* Allow service/style information on the auth context */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
|
||||
+#endif
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||
}
|
||||
|
||||
@@ -747,6 +756,25 @@ mm_answer_authserv(int sock, Buffer *m)
|
||||
return (0);
|
||||
}
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+int
|
||||
+mm_answer_authrole(int sock, Buffer *m)
|
||||
+{
|
||||
+ monitor_permit_authentications(1);
|
||||
+
|
||||
+ authctxt->role = buffer_get_string(m, NULL);
|
||||
+ debug3("%s: role=%s",
|
||||
+ __func__, authctxt->role);
|
||||
+
|
||||
+ if (strlen(authctxt->role) == 0) {
|
||||
+ xfree(authctxt->role);
|
||||
+ authctxt->role = NULL;
|
||||
+ }
|
||||
+
|
||||
+ return (0);
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
int
|
||||
mm_answer_authpassword(int sock, Buffer *m)
|
||||
{
|
||||
@@ -1112,7 +1140,7 @@ static int
|
||||
monitor_valid_userblob(u_char *data, u_int datalen)
|
||||
{
|
||||
Buffer b;
|
||||
- char *p;
|
||||
+ char *p, *r;
|
||||
u_int len;
|
||||
int fail = 0;
|
||||
|
||||
@@ -1138,6 +1166,8 @@ monitor_valid_userblob(u_char *data, u_i
|
||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||
fail++;
|
||||
p = buffer_get_string(&b, NULL);
|
||||
+ if ((r = strchr(p, '/')) != NULL)
|
||||
+ *r = '\0';
|
||||
if (strcmp(authctxt->user, p) != 0) {
|
||||
logit("wrong user name passed to monitor: expected %s != %.100s",
|
||||
authctxt->user, p);
|
||||
@@ -1169,7 +1199,7 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
char *chost)
|
||||
{
|
||||
Buffer b;
|
||||
- char *p;
|
||||
+ char *p, *r;
|
||||
u_int len;
|
||||
int fail = 0;
|
||||
|
||||
@@ -1186,6 +1216,8 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||
fail++;
|
||||
p = buffer_get_string(&b, NULL);
|
||||
+ if ((r = strchr(p, '/')) != NULL)
|
||||
+ *r = '\0';
|
||||
if (strcmp(authctxt->user, p) != 0) {
|
||||
logit("wrong user name passed to monitor: expected %s != %.100s",
|
||||
authctxt->user, p);
|
||||
diff -up openssh-5.8p1/monitor.h.role openssh-5.8p1/monitor.h
|
||||
--- openssh-5.8p1/monitor.h.role 2011-02-12 14:34:11.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.h 2011-02-12 14:34:11.000000000 +0100
|
||||
@@ -31,6 +31,9 @@
|
||||
enum monitor_reqtype {
|
||||
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
|
||||
MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
|
||||
+#ifdef WITH_SELINUX
|
||||
+ MONITOR_REQ_AUTHROLE,
|
||||
+#endif
|
||||
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
|
||||
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
|
||||
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
|
||||
diff -up openssh-5.8p1/monitor_wrap.c.role openssh-5.8p1/monitor_wrap.c
|
||||
--- openssh-5.8p1/monitor_wrap.c.role 2011-02-12 14:34:11.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-12 14:34:11.000000000 +0100
|
||||
@@ -298,6 +298,25 @@ mm_inform_authserv(char *service, char *
|
||||
buffer_free(&m);
|
||||
}
|
||||
|
||||
+/* Inform the privileged process about role */
|
||||
+
|
||||
+#ifdef WITH_SELINUX
|
||||
+void
|
||||
+mm_inform_authrole(char *role)
|
||||
+{
|
||||
+ Buffer m;
|
||||
+
|
||||
+ debug3("%s entering", __func__);
|
||||
+
|
||||
+ buffer_init(&m);
|
||||
+ buffer_put_cstring(&m, role ? role : "");
|
||||
+
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
|
||||
+
|
||||
+ buffer_free(&m);
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
/* Do the password authentication */
|
||||
int
|
||||
mm_auth_password(Authctxt *authctxt, char *password)
|
||||
diff -up openssh-5.8p1/monitor_wrap.h.role openssh-5.8p1/monitor_wrap.h
|
||||
--- openssh-5.8p1/monitor_wrap.h.role 2011-02-12 14:34:11.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-12 14:34:11.000000000 +0100
|
||||
@@ -41,6 +41,9 @@ int mm_is_monitor(void);
|
||||
DH *mm_choose_dh(int, int, int);
|
||||
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
|
||||
void mm_inform_authserv(char *, char *);
|
||||
+#ifdef WITH_SELINUX
|
||||
+void mm_inform_authrole(char *);
|
||||
+#endif
|
||||
struct passwd *mm_getpwnamallow(const char *);
|
||||
char *mm_auth2_read_banner(void);
|
||||
int mm_auth_password(struct Authctxt *, char *);
|
||||
diff -up openssh-5.8p1/openbsd-compat/Makefile.in.role openssh-5.8p1/openbsd-compat/Makefile.in
|
||||
--- openssh-5.8p1/openbsd-compat/Makefile.in.role 2010-10-07 13:19:24.000000000 +0200
|
||||
+++ openssh-5.8p1/openbsd-compat/Makefile.in 2011-02-12 14:34:11.000000000 +0100
|
||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
|
||||
|
||||
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
|
||||
|
||||
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
|
||||
+PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||
diff -up openssh-5.8p1/openbsd-compat/port-linux.c.role openssh-5.8p1/openbsd-compat/port-linux.c
|
||||
--- openssh-5.8p1/openbsd-compat/port-linux.c.role 2011-02-12 14:34:11.000000000 +0100
|
||||
+++ openssh-5.8p1/openbsd-compat/port-linux.c 2011-02-12 14:37:31.000000000 +0100
|
||||
@@ -31,48 +31,73 @@
|
||||
|
||||
#include "log.h"
|
||||
#include "xmalloc.h"
|
||||
+#include "servconf.h"
|
||||
#include "port-linux.h"
|
||||
+#include "key.h"
|
||||
+#include "hostfile.h"
|
||||
+#include "auth.h"
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
#include <selinux/selinux.h>
|
||||
#include <selinux/flask.h>
|
||||
#include <selinux/get_context_list.h>
|
||||
|
||||
-/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||
-int
|
||||
-ssh_selinux_enabled(void)
|
||||
-{
|
||||
- static int enabled = -1;
|
||||
+extern ServerOptions options;
|
||||
+extern Authctxt *the_authctxt;
|
||||
+extern int inetd_flag;
|
||||
+extern int rexeced_flag;
|
||||
|
||||
- if (enabled == -1) {
|
||||
- enabled = (is_selinux_enabled() == 1);
|
||||
- debug("SELinux support %s", enabled ? "enabled" : "disabled");
|
||||
+static void
|
||||
+ssh_selinux_get_role_level(char **role, const char **level)
|
||||
+{
|
||||
+ *role = NULL;
|
||||
+ *level = NULL;
|
||||
+ if (the_authctxt) {
|
||||
+ if (the_authctxt->role != NULL) {
|
||||
+ char *slash;
|
||||
+ *role = xstrdup(the_authctxt->role);
|
||||
+ if ((slash = strchr(*role, '/')) != NULL) {
|
||||
+ *slash = '\0';
|
||||
+ *level = slash + 1;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
-
|
||||
- return (enabled);
|
||||
}
|
||||
|
||||
/* Return the default security context for the given username */
|
||||
static security_context_t
|
||||
ssh_selinux_getctxbyname(char *pwname)
|
||||
{
|
||||
- security_context_t sc;
|
||||
- char *sename = NULL, *lvl = NULL;
|
||||
- int r;
|
||||
+ security_context_t sc = NULL;
|
||||
+ char *sename, *lvl;
|
||||
+ char *role;
|
||||
+ const char *reqlvl;
|
||||
+ int r = 0;
|
||||
|
||||
+ ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
#ifdef HAVE_GETSEUSERBYNAME
|
||||
- if (getseuserbyname(pwname, &sename, &lvl) != 0)
|
||||
- return NULL;
|
||||
+ if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
|
||||
+ sename = NULL;
|
||||
+ lvl = NULL;
|
||||
+ }
|
||||
#else
|
||||
sename = pwname;
|
||||
lvl = NULL;
|
||||
#endif
|
||||
|
||||
+ if (r == 0) {
|
||||
#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
|
||||
- r = get_default_context_with_level(sename, lvl, NULL, &sc);
|
||||
+ if (role != NULL && role[0])
|
||||
+ r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc);
|
||||
+ else
|
||||
+ r = get_default_context_with_level(sename, lvl, NULL, &sc);
|
||||
#else
|
||||
- r = get_default_context(sename, NULL, &sc);
|
||||
+ if (role != NULL && role[0])
|
||||
+ r = get_default_context_with_role(sename, role, NULL, &sc);
|
||||
+ else
|
||||
+ r = get_default_context(sename, NULL, &sc);
|
||||
#endif
|
||||
+ }
|
||||
|
||||
if (r != 0) {
|
||||
switch (security_getenforce()) {
|
||||
@@ -100,6 +125,36 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
return (sc);
|
||||
}
|
||||
|
||||
+/* Setup environment variables for pam_selinux */
|
||||
+static int
|
||||
+ssh_selinux_setup_pam_variables(void)
|
||||
+{
|
||||
+ const char *reqlvl;
|
||||
+ char *role;
|
||||
+ char *use_current;
|
||||
+ int rv;
|
||||
+
|
||||
+ debug3("%s: setting execution context", __func__);
|
||||
+
|
||||
+ ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
+
|
||||
+ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||
+
|
||||
+ if (inetd_flag && !rexeced_flag) {
|
||||
+ use_current = "1";
|
||||
+ } else {
|
||||
+ use_current = "";
|
||||
+ rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
|
||||
+ }
|
||||
+
|
||||
+ rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
|
||||
+
|
||||
+ if (role != NULL)
|
||||
+ xfree(role);
|
||||
+
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
/* Set the execution context to the default for the specified user */
|
||||
void
|
||||
ssh_selinux_setup_exec_context(char *pwname)
|
||||
@@ -109,6 +164,24 @@ ssh_selinux_setup_exec_context(char *pwn
|
||||
if (!ssh_selinux_enabled())
|
||||
return;
|
||||
|
||||
+ if (options.use_pam) {
|
||||
+ /* do not compute context, just setup environment for pam_selinux */
|
||||
+ if (ssh_selinux_setup_pam_variables()) {
|
||||
+ switch (security_getenforce()) {
|
||||
+ case -1:
|
||||
+ fatal("%s: security_getenforce() failed", __func__);
|
||||
+ case 0:
|
||||
+ error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.",
|
||||
+ __func__);
|
||||
+ break;
|
||||
+ default:
|
||||
+ fatal("%s: SELinux PAM variable setup failure. Aborting connection.",
|
||||
+ __func__);
|
||||
+ }
|
||||
+ }
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
debug3("%s: setting execution context", __func__);
|
||||
|
||||
user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||
@@ -206,21 +279,6 @@ ssh_selinux_change_context(const char *n
|
||||
xfree(newctx);
|
||||
}
|
||||
|
||||
-void
|
||||
-ssh_selinux_setfscreatecon(const char *path)
|
||||
-{
|
||||
- security_context_t context;
|
||||
-
|
||||
- if (!ssh_selinux_enabled())
|
||||
- return;
|
||||
- if (path == NULL) {
|
||||
- setfscreatecon(NULL);
|
||||
- return;
|
||||
- }
|
||||
- if (matchpathcon(path, 0700, &context) == 0)
|
||||
- setfscreatecon(context);
|
||||
-}
|
||||
-
|
||||
#endif /* WITH_SELINUX */
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
diff -up openssh-5.8p1/openbsd-compat/port-linux_part_2.c.role openssh-5.8p1/openbsd-compat/port-linux_part_2.c
|
||||
--- openssh-5.8p1/openbsd-compat/port-linux_part_2.c.role 2011-02-12 14:34:11.000000000 +0100
|
||||
+++ openssh-5.8p1/openbsd-compat/port-linux_part_2.c 2011-02-12 14:34:11.000000000 +0100
|
||||
@@ -0,0 +1,75 @@
|
||||
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
|
||||
+
|
||||
+/*
|
||||
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||
+ * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
|
||||
+ *
|
||||
+ * Permission to use, copy, modify, and distribute this software for any
|
||||
+ * purpose with or without fee is hereby granted, provided that the above
|
||||
+ * copyright notice and this permission notice appear in all copies.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * Linux-specific portability code - just SELinux support at present
|
||||
+ */
|
||||
+
|
||||
+#include "includes.h"
|
||||
+
|
||||
+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
|
||||
+#include <errno.h>
|
||||
+#include <stdarg.h>
|
||||
+#include <string.h>
|
||||
+#include <stdio.h>
|
||||
+
|
||||
+#include "log.h"
|
||||
+#include "xmalloc.h"
|
||||
+#include "port-linux.h"
|
||||
+#include "key.h"
|
||||
+#include "hostfile.h"
|
||||
+#include "auth.h"
|
||||
+
|
||||
+#ifdef WITH_SELINUX
|
||||
+#include <selinux/selinux.h>
|
||||
+#include <selinux/flask.h>
|
||||
+#include <selinux/get_context_list.h>
|
||||
+
|
||||
+/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||
+int
|
||||
+ssh_selinux_enabled(void)
|
||||
+{
|
||||
+ static int enabled = -1;
|
||||
+
|
||||
+ if (enabled == -1) {
|
||||
+ enabled = (is_selinux_enabled() == 1);
|
||||
+ debug("SELinux support %s", enabled ? "enabled" : "disabled");
|
||||
+ }
|
||||
+
|
||||
+ return (enabled);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+ssh_selinux_setfscreatecon(const char *path)
|
||||
+{
|
||||
+ security_context_t context;
|
||||
+
|
||||
+ if (!ssh_selinux_enabled())
|
||||
+ return;
|
||||
+ if (path == NULL) {
|
||||
+ setfscreatecon(NULL);
|
||||
+ return;
|
||||
+ }
|
||||
+ if (matchpathcon(path, 0700, &context) == 0)
|
||||
+ setfscreatecon(context);
|
||||
+}
|
||||
+
|
||||
+#endif /* WITH_SELINUX */
|
||||
+
|
||||
+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
|
||||
12
openssh-5.8p1-selinux.patch
Normal file
12
openssh-5.8p1-selinux.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff -up openssh-5.8p1/openbsd-compat/port-linux.c.selinux openssh-5.8p1/openbsd-compat/port-linux.c
|
||||
--- openssh-5.8p1/openbsd-compat/port-linux.c.selinux 2011-02-12 09:38:45.000000000 +0100
|
||||
+++ openssh-5.8p1/openbsd-compat/port-linux.c 2011-02-12 09:39:10.000000000 +0100
|
||||
@@ -213,7 +213,7 @@ ssh_selinux_setfscreatecon(const char *p
|
||||
|
||||
if (!ssh_selinux_enabled())
|
||||
return;
|
||||
- if (path == NULL)
|
||||
+ if (path == NULL) {
|
||||
setfscreatecon(NULL);
|
||||
return;
|
||||
}
|
||||
@ -1,7 +1,7 @@
|
||||
diff -up openssh-5.2p1/configure.ac.vendor openssh-5.2p1/configure.ac
|
||||
--- openssh-5.2p1/configure.ac.vendor 2008-07-23 14:13:22.000000000 +0200
|
||||
+++ openssh-5.2p1/configure.ac 2008-07-23 14:13:22.000000000 +0200
|
||||
@@ -3890,6 +3890,12 @@ AC_ARG_WITH(lastlog,
|
||||
diff -up openssh-5.8p1/configure.ac.vendor openssh-5.8p1/configure.ac
|
||||
--- openssh-5.8p1/configure.ac.vendor 2011-02-04 01:42:14.000000000 +0100
|
||||
+++ openssh-5.8p1/configure.ac 2011-02-09 22:39:55.000000000 +0100
|
||||
@@ -4097,6 +4097,12 @@ AC_ARG_WITH(lastlog,
|
||||
fi
|
||||
]
|
||||
)
|
||||
@ -14,7 +14,7 @@ diff -up openssh-5.2p1/configure.ac.vendor openssh-5.2p1/configure.ac
|
||||
|
||||
dnl lastlog, [uw]tmpx? detection
|
||||
dnl NOTE: set the paths in the platform section to avoid the
|
||||
@@ -4146,6 +4152,7 @@ echo " IP address in \$DISPLAY hac
|
||||
@@ -4327,6 +4333,7 @@ echo " IP address in \$DISPLAY hac
|
||||
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||
echo " Random number source: $RAND_MSG"
|
||||
@ -22,10 +22,94 @@ diff -up openssh-5.2p1/configure.ac.vendor openssh-5.2p1/configure.ac
|
||||
if test ! -z "$USE_RAND_HELPER" ; then
|
||||
echo " ssh-rand-helper collects from: $RAND_HELPER_MSG"
|
||||
fi
|
||||
diff -up openssh-5.2p1/sshd_config.5.vendor openssh-5.2p1/sshd_config.5
|
||||
--- openssh-5.2p1/sshd_config.5.vendor 2008-07-23 14:13:22.000000000 +0200
|
||||
+++ openssh-5.2p1/sshd_config.5 2008-07-23 14:19:23.000000000 +0200
|
||||
@@ -812,6 +812,14 @@ This option applies to protocol version
|
||||
diff -up openssh-5.8p1/servconf.c.vendor openssh-5.8p1/servconf.c
|
||||
--- openssh-5.8p1/servconf.c.vendor 2010-11-20 05:19:38.000000000 +0100
|
||||
+++ openssh-5.8p1/servconf.c 2011-02-09 22:41:32.000000000 +0100
|
||||
@@ -123,6 +123,7 @@ initialize_server_options(ServerOptions
|
||||
options->max_authtries = -1;
|
||||
options->max_sessions = -1;
|
||||
options->banner = NULL;
|
||||
+ options->show_patchlevel = -1;
|
||||
options->use_dns = -1;
|
||||
options->client_alive_interval = -1;
|
||||
options->client_alive_count_max = -1;
|
||||
@@ -281,7 +282,9 @@ fill_default_server_options(ServerOption
|
||||
options->ip_qos_interactive = IPTOS_LOWDELAY;
|
||||
if (options->ip_qos_bulk == -1)
|
||||
options->ip_qos_bulk = IPTOS_THROUGHPUT;
|
||||
-
|
||||
+ if (options->show_patchlevel == -1)
|
||||
+ options->show_patchlevel = 0;
|
||||
+
|
||||
/* Turn privilege separation on by default */
|
||||
if (use_privsep == -1)
|
||||
use_privsep = 1;
|
||||
@@ -319,7 +322,7 @@ typedef enum {
|
||||
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
|
||||
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
|
||||
sMaxStartups, sMaxAuthTries, sMaxSessions,
|
||||
- sBanner, sUseDNS, sHostbasedAuthentication,
|
||||
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
|
||||
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
||||
@@ -432,6 +435,7 @@ static struct {
|
||||
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
|
||||
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
|
||||
{ "banner", sBanner, SSHCFG_ALL },
|
||||
+ { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
|
||||
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
|
||||
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
|
||||
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
|
||||
@@ -1086,6 +1090,10 @@ process_server_config_line(ServerOptions
|
||||
intptr = &use_privsep;
|
||||
goto parse_flag;
|
||||
|
||||
+ case sShowPatchLevel:
|
||||
+ intptr = &options->show_patchlevel;
|
||||
+ goto parse_flag;
|
||||
+
|
||||
case sAllowUsers:
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
||||
@@ -1726,6 +1734,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sUseLogin, o->use_login);
|
||||
dump_cfg_fmtint(sCompression, o->compression);
|
||||
dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
|
||||
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
|
||||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
diff -up openssh-5.8p1/servconf.h.vendor openssh-5.8p1/servconf.h
|
||||
--- openssh-5.8p1/servconf.h.vendor 2010-11-20 05:19:38.000000000 +0100
|
||||
+++ openssh-5.8p1/servconf.h 2011-02-09 22:39:55.000000000 +0100
|
||||
@@ -134,6 +134,7 @@ typedef struct {
|
||||
int max_authtries;
|
||||
int max_sessions;
|
||||
char *banner; /* SSH-2 banner message */
|
||||
+ int show_patchlevel; /* Show vendor patch level to clients */
|
||||
int use_dns;
|
||||
int client_alive_interval; /*
|
||||
* poke the client this often to
|
||||
diff -up openssh-5.8p1/sshd_config.0.vendor openssh-5.8p1/sshd_config.0
|
||||
--- openssh-5.8p1/sshd_config.0.vendor 2011-02-09 22:39:54.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd_config.0 2011-02-09 22:39:55.000000000 +0100
|
||||
@@ -535,6 +535,11 @@ DESCRIPTION
|
||||
Defines the number of bits in the ephemeral protocol version 1
|
||||
server key. The minimum value is 512, and the default is 1024.
|
||||
|
||||
+ ShowPatchLevel
|
||||
+ Specifies whether sshd will display the specific patch level of
|
||||
+ the binary in the server identification string. The patch level
|
||||
+ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^].
|
||||
+
|
||||
StrictModes
|
||||
Specifies whether sshd(8) should check file modes and ownership
|
||||
of the user's files and home directory before accepting login.
|
||||
diff -up openssh-5.8p1/sshd_config.5.vendor openssh-5.8p1/sshd_config.5
|
||||
--- openssh-5.8p1/sshd_config.5.vendor 2011-02-09 22:39:54.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd_config.5 2011-02-09 22:39:55.000000000 +0100
|
||||
@@ -931,6 +931,14 @@ This option applies to protocol version
|
||||
.It Cm ServerKeyBits
|
||||
Defines the number of bits in the ephemeral protocol version 1 server key.
|
||||
The minimum value is 512, and the default is 1024.
|
||||
@ -40,92 +124,9 @@ diff -up openssh-5.2p1/sshd_config.5.vendor openssh-5.2p1/sshd_config.5
|
||||
.It Cm StrictModes
|
||||
Specifies whether
|
||||
.Xr sshd 8
|
||||
diff -up openssh-5.2p1/servconf.h.vendor openssh-5.2p1/servconf.h
|
||||
--- openssh-5.2p1/servconf.h.vendor 2008-06-10 15:01:51.000000000 +0200
|
||||
+++ openssh-5.2p1/servconf.h 2008-07-23 14:13:22.000000000 +0200
|
||||
@@ -126,6 +126,7 @@ typedef struct {
|
||||
int max_authtries;
|
||||
int max_sessions;
|
||||
char *banner; /* SSH-2 banner message */
|
||||
+ int show_patchlevel; /* Show vendor patch level to clients */
|
||||
int use_dns;
|
||||
int client_alive_interval; /*
|
||||
* poke the client this often to
|
||||
diff -up openssh-5.2p1/servconf.c.vendor openssh-5.2p1/servconf.c
|
||||
--- openssh-5.2p1/servconf.c.vendor 2008-07-04 05:51:12.000000000 +0200
|
||||
+++ openssh-5.2p1/servconf.c 2008-07-23 14:32:27.000000000 +0200
|
||||
@@ -117,6 +117,7 @@ initialize_server_options(ServerOptions
|
||||
options->max_authtries = -1;
|
||||
options->max_sessions = -1;
|
||||
options->banner = NULL;
|
||||
+ options->show_patchlevel = -1;
|
||||
options->use_dns = -1;
|
||||
options->client_alive_interval = -1;
|
||||
options->client_alive_count_max = -1;
|
||||
@@ -262,6 +263,9 @@ fill_default_server_options(ServerOption
|
||||
if (options->zero_knowledge_password_authentication == -1)
|
||||
options->zero_knowledge_password_authentication = 0;
|
||||
|
||||
+ if (options->show_patchlevel == -1)
|
||||
+ options->show_patchlevel = 0;
|
||||
+
|
||||
/* Turn privilege separation on by default */
|
||||
if (use_privsep == -1)
|
||||
use_privsep = 1;
|
||||
@@ -299,7 +303,7 @@ typedef enum {
|
||||
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
|
||||
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
|
||||
sMaxStartups, sMaxAuthTries, sMaxSessions,
|
||||
- sBanner, sUseDNS, sHostbasedAuthentication,
|
||||
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
|
||||
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
||||
@@ -410,6 +414,7 @@ static struct {
|
||||
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
|
||||
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
|
||||
{ "banner", sBanner, SSHCFG_ALL },
|
||||
+ { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
|
||||
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
|
||||
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
|
||||
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
|
||||
@@ -1033,6 +1038,10 @@ process_server_config_line(ServerOptions
|
||||
intptr = &use_privsep;
|
||||
goto parse_flag;
|
||||
|
||||
+ case sShowPatchLevel:
|
||||
+ intptr = &options->show_patchlevel;
|
||||
+ goto parse_flag;
|
||||
+
|
||||
case sAllowUsers:
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
||||
@@ -1613,6 +1622,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sUseLogin, o->use_login);
|
||||
dump_cfg_fmtint(sCompression, o->compression);
|
||||
dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
|
||||
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
|
||||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
diff -up openssh-5.2p1/sshd_config.0.vendor openssh-5.2p1/sshd_config.0
|
||||
--- openssh-5.2p1/sshd_config.0.vendor 2008-07-23 14:13:22.000000000 +0200
|
||||
+++ openssh-5.2p1/sshd_config.0 2008-07-23 14:13:22.000000000 +0200
|
||||
@@ -466,6 +466,11 @@ DESCRIPTION
|
||||
Defines the number of bits in the ephemeral protocol version 1
|
||||
server key. The minimum value is 512, and the default is 1024.
|
||||
|
||||
+ ShowPatchLevel
|
||||
+ Specifies whether sshd will display the specific patch level of
|
||||
+ the binary in the server identification string. The patch level
|
||||
+ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^].
|
||||
+
|
||||
StrictModes
|
||||
Specifies whether sshd(8) should check file modes and ownership
|
||||
of the user's files and home directory before accepting login.
|
||||
diff -up openssh-5.2p1/sshd_config.vendor openssh-5.2p1/sshd_config
|
||||
--- openssh-5.2p1/sshd_config.vendor 2008-07-23 14:13:22.000000000 +0200
|
||||
+++ openssh-5.2p1/sshd_config 2008-07-23 14:13:22.000000000 +0200
|
||||
diff -up openssh-5.8p1/sshd_config.vendor openssh-5.8p1/sshd_config
|
||||
--- openssh-5.8p1/sshd_config.vendor 2011-02-09 22:39:54.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd_config 2011-02-09 22:39:55.000000000 +0100
|
||||
@@ -112,6 +112,7 @@ X11Forwarding yes
|
||||
#Compression delayed
|
||||
#ClientAliveInterval 0
|
||||
@ -134,10 +135,10 @@ diff -up openssh-5.2p1/sshd_config.vendor openssh-5.2p1/sshd_config
|
||||
#UseDNS yes
|
||||
#PidFile /var/run/sshd.pid
|
||||
#MaxStartups 10
|
||||
diff -up openssh-5.2p1/sshd.c.vendor openssh-5.2p1/sshd.c
|
||||
--- openssh-5.2p1/sshd.c.vendor 2008-07-11 09:36:49.000000000 +0200
|
||||
+++ openssh-5.2p1/sshd.c 2008-07-23 14:35:43.000000000 +0200
|
||||
@@ -416,7 +416,7 @@ sshd_exchange_identification(int sock_in
|
||||
diff -up openssh-5.8p1/sshd.c.vendor openssh-5.8p1/sshd.c
|
||||
--- openssh-5.8p1/sshd.c.vendor 2011-02-09 22:39:55.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-09 22:39:55.000000000 +0100
|
||||
@@ -419,7 +419,7 @@ sshd_exchange_identification(int sock_in
|
||||
minor = PROTOCOL_MINOR_1;
|
||||
}
|
||||
snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
|
||||
@ -146,7 +147,7 @@ diff -up openssh-5.2p1/sshd.c.vendor openssh-5.2p1/sshd.c
|
||||
server_version_string = xstrdup(buf);
|
||||
|
||||
/* Send our protocol version identification. */
|
||||
@@ -1484,7 +1484,8 @@ main(int ac, char **av)
|
||||
@@ -1550,7 +1550,8 @@ main(int ac, char **av)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
148
openssh.spec
148
openssh.spec
@ -70,10 +70,10 @@
|
||||
%endif
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%define openssh_ver 5.6p1
|
||||
%define openssh_rel 30
|
||||
%define openssh_ver 5.8p1
|
||||
%define openssh_rel 1
|
||||
%define pam_ssh_agent_ver 0.9.2
|
||||
%define pam_ssh_agent_rel 29
|
||||
%define pam_ssh_agent_rel 30
|
||||
|
||||
Summary: An open source implementation of SSH protocol versions 1 and 2
|
||||
Name: openssh
|
||||
@ -96,49 +96,54 @@ Source5: pam_ssh_agent-rmheaders
|
||||
Patch100: openssh-5.6p1-wIm.patch
|
||||
Patch0: openssh-5.6p1-redhat.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
||||
Patch1: openssh-5.6p1-audit.patch
|
||||
Patch2: openssh-5.6p1-audit1a.patch
|
||||
Patch3: openssh-5.6p1-audit2.patch
|
||||
Patch4: openssh-5.6p1-audit3.patch
|
||||
Patch104: openssh-5.6p1-audit4.patch
|
||||
Patch105: openssh-5.6p1-audit5.patch
|
||||
Patch2: openssh-5.8p1-audit2.patch
|
||||
Patch3: openssh-5.8p1-audit3.patch
|
||||
Patch4: openssh-5.8p1-audit4.patch
|
||||
Patch5: openssh-5.8p1-audit5.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640
|
||||
Patch5: openssh-5.2p1-vendor.patch
|
||||
Patch9: openssh-5.8p1-vendor.patch
|
||||
# --- pam_ssh-agent ---
|
||||
Patch10: pam_ssh_agent_auth-0.9-build.patch
|
||||
Patch11: pam_ssh_agent_auth-0.9.2-seteuid.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641
|
||||
Patch12: openssh-5.4p1-selinux.patch
|
||||
Patch13: openssh-5.6p1-mls.patch
|
||||
Patch18: openssh-5.4p1-pam_selinux.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1663
|
||||
Patch20: openssh-5.6p1-authorized-keys-command.patch
|
||||
Patch20: openssh-5.8p1-authorized-keys-command.patch
|
||||
Patch21: openssh-5.6p1-ldap.patch
|
||||
#?mail-conf
|
||||
Patch22: openssh-5.8p1-selinux.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641
|
||||
Patch23: openssh-5.8p1-selinux-role.patch
|
||||
#?
|
||||
Patch24: openssh-5.8p1-mls.patch
|
||||
# #https://bugzilla.mindrot.org/show_bug.cgi?id=1614
|
||||
# Patch25: openssh-5.6p1-selabel.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1668
|
||||
Patch23: openssh-5.6p1-keygen.patch
|
||||
Patch24: openssh-4.3p1-fromto-remote.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1636
|
||||
Patch27: openssh-5.1p1-log-in-chroot.patch
|
||||
Patch30: openssh-5.6p1-exit-deadlock.patch
|
||||
Patch35: openssh-5.1p1-askpass-progress.patch
|
||||
Patch38: openssh-4.3p2-askpass-grab-info.patch
|
||||
Patch30: openssh-5.6p1-keygen.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1644
|
||||
Patch44: openssh-5.2p1-allow-ip-opts.patch
|
||||
Patch49: openssh-4.3p2-gssapi-canohost.patch
|
||||
Patch62: openssh-5.1p1-scp-manpage.patch
|
||||
Patch65: openssh-5.6p1-fips.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1614
|
||||
Patch69: openssh-5.6p1-selabel.patch
|
||||
Patch71: openssh-5.2p1-edns.patch
|
||||
Patch73: openssh-5.6p1-gsskex.patch
|
||||
Patch31: openssh-5.2p1-allow-ip-opts.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1701
|
||||
Patch74: openssh-5.3p1-randclean.patch
|
||||
Patch32: openssh-5.8p1-randclean.patch
|
||||
# #https://bugzilla.mindrot.org/show_bug.cgi?id=1636
|
||||
# Patch33: openssh-5.1p1-log-in-chroot.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
|
||||
Patch78: openssh-5.6p1-kuserok.patch
|
||||
Patch79: openssh-5.5p1-x11.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1817
|
||||
Patch80: openssh-5.6p1-biguid.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1842
|
||||
Patch81: openssh-5.6p1-clientloop.patch
|
||||
Patch34: openssh-5.8p1-kuserok.patch
|
||||
#?
|
||||
Patch50: openssh-5.8p1-fips.patch
|
||||
#?
|
||||
Patch51: openssh-5.5p1-x11.patch
|
||||
#?
|
||||
Patch52: openssh-5.6p1-exit-deadlock.patch
|
||||
#?
|
||||
Patch53: openssh-5.1p1-askpass-progress.patch
|
||||
#?
|
||||
Patch54: openssh-4.3p2-askpass-grab-info.patch
|
||||
#?
|
||||
Patch56: openssh-5.2p1-edns.patch
|
||||
#?
|
||||
Patch57: openssh-5.1p1-scp-manpage.patch
|
||||
#http://www.sxw.org.uk/computing/patches/openssh.html
|
||||
Patch60: openssh-5.8p1-gsskex.patch
|
||||
#?
|
||||
Patch61: openssh-5.8p1-gssapi-canohost.patch
|
||||
|
||||
License: BSD
|
||||
Group: Applications/Internet
|
||||
@ -278,14 +283,11 @@ The module is most useful for su and sudo service stacks.
|
||||
#Do not enable by default
|
||||
###%patch100 -p1 -b .wIm
|
||||
%patch0 -p1 -b .redhat
|
||||
%patch1 -p1 -b .audit
|
||||
%patch2 -p1 -b .audit1a
|
||||
%patch3 -p1 -b .audit2
|
||||
%patch4 -p1 -b .audit3
|
||||
%patch104 -p1 -b .audit4
|
||||
%patch105 -p1 -b .audit5
|
||||
%patch5 -p1 -b .vendor
|
||||
|
||||
%patch2 -p1 -b .audit2
|
||||
%patch3 -p1 -b .audit3
|
||||
%patch4 -p1 -b .audit4
|
||||
%patch5 -p1 -b .audit5
|
||||
%patch9 -p1 -b .vendor
|
||||
%if %{pam_ssh_agent}
|
||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||
%patch10 -p1 -b .psaa-build
|
||||
@ -294,34 +296,27 @@ pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||
rm -f $(cat %{SOURCE5})
|
||||
popd
|
||||
%endif
|
||||
|
||||
%if %{WITH_SELINUX}
|
||||
#SELinux
|
||||
%patch12 -p1 -b .selinux
|
||||
%patch13 -p1 -b .mls
|
||||
%patch18 -p1 -b .pam_selinux
|
||||
%endif
|
||||
|
||||
%patch20 -p1 -b .akc
|
||||
%patch21 -p1 -b .ldap
|
||||
%patch23 -p1 -b .keygen
|
||||
%patch24 -p1 -b .fromto-remote
|
||||
%patch27 -p1 -b .log-chroot
|
||||
%patch30 -p1 -b .exit-deadlock
|
||||
%patch35 -p1 -b .progress
|
||||
%patch38 -p1 -b .grab-info
|
||||
%patch44 -p1 -b .ip-opts
|
||||
%patch49 -p1 -b .canohost
|
||||
%patch62 -p1 -b .manpage
|
||||
%patch65 -p1 -b .fips
|
||||
%patch69 -p1 -b .selabel
|
||||
%patch71 -p1 -b .edns
|
||||
%patch73 -p1 -b .gsskex
|
||||
%patch74 -p1 -b .randclean
|
||||
%patch78 -p1 -b .kuserok
|
||||
%patch79 -p1 -b .x11
|
||||
%patch80 -p1 -b .biguid
|
||||
%patch81 -p1 -b .clientloop
|
||||
%if %{WITH_SELINUX}
|
||||
#SELinux
|
||||
%patch22 -p1 -b .selinux
|
||||
%patch23 -p1 -b .role
|
||||
%patch24 -p1 -b .mls
|
||||
%endif
|
||||
%patch30 -p1 -b .keygen
|
||||
%patch31 -p1 -b .ip-opts
|
||||
%patch32 -p1 -b .randclean
|
||||
%patch34 -p1 -b .kuserok
|
||||
%patch50 -p1 -b .fips
|
||||
%patch51 -p1 -b .x11
|
||||
%patch52 -p1 -b .exit-deadlock
|
||||
%patch53 -p1 -b .progress
|
||||
%patch54 -p1 -b .grab-info
|
||||
%patch56 -p1 -b .edns
|
||||
%patch57 -p1 -b .manpage
|
||||
%patch60 -p1 -b .gsskex
|
||||
%patch61 -p1 -b .canohost
|
||||
|
||||
autoreconf
|
||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||
@ -339,9 +334,13 @@ CFLAGS="$CFLAGS -fPIC"
|
||||
%else
|
||||
CFLAGS="$CFLAGS -fpic"
|
||||
%endif
|
||||
export CFLAGS
|
||||
SAVE_LDFLAGS="$LDFLAGS"
|
||||
LDFLAGS="$LDFLAGS -pie -z relro -z now"; export LDFLAGS
|
||||
LDFLAGS="$LDFLAGS -pie -z relro -z now"
|
||||
|
||||
export CFLAGS
|
||||
export LDFLAGS
|
||||
|
||||
|
||||
%endif
|
||||
%if %{kerberos5}
|
||||
if test -r /etc/profile.d/krb5-devel.sh ; then
|
||||
@ -603,6 +602,9 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Feb 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-1 + 0.9.2-30
|
||||
- bump openssh version to 5.8p1
|
||||
|
||||
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.6p1-30.1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user