rpms/openssh
7
0
Fork 1
Code Issues Pull Requests Releases Activity

- bump openssh version to 5.8p1

Browse Source
This commit is contained in:
Jan F 2011-02-14 15:32:49 +01:00
parent fa335ee67e
commit 003cb0b27f
27 changed files with 2111 additions and 2261 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -2,3 +2,4 @@ openssh-5.5p1-noacss.tar.bz2
pam_ssh_agent_auth-0.9.2.tar.bz2 pam_ssh_agent_auth-0.9.2.tar.bz2
/openssh-5.6p1-noacss.tar.bz2 /openssh-5.6p1-noacss.tar.bz2
/pam_ssh_agent_auth-0.9.2.tar.bz2 /pam_ssh_agent_auth-0.9.2.tar.bz2
/openssh-5.8p1-noacss.tar.bz2

15
openssh-4.3p1-fromto-remote.patch
View File

@ -1,15 +0,0 @@
--- openssh-4.3p2/scp.c.fromto-remote 2006-01-31 12:11:38.000000000 +0100
+++ openssh-4.3p2/scp.c 2006-04-14 10:09:56.000000000 +0200
@@ -446,7 +446,11 @@
addargs(&alist, "-v");
addargs(&alist, "-x");
addargs(&alist, "-oClearAllForwardings yes");
- addargs(&alist, "-n");
+ if (isatty(fileno(stdin))) {
+ addargs(&alist, "-t");
+ } else {
+ addargs(&alist, "-n");
+ }
*src++ = 0;
if (*src == 0)

25
openssh-4.3p2-gssapi-canohost.patch
View File

@ -1,25 +0,0 @@
diff -up openssh-5.3p1/sshconnect2.c.canohost openssh-5.3p1/sshconnect2.c
--- openssh-5.3p1/sshconnect2.c.canohost 2009-03-05 14:58:22.000000000 +0100
+++ openssh-5.3p1/sshconnect2.c 2009-11-02 11:55:00.000000000 +0100
@@ -542,6 +542,12 @@ userauth_gssapi(Authctxt *authctxt)
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
+ char* remotehost = NULL;
+ const char* canonicalhost = get_canonical_hostname(1);
+ if ( strcmp( canonicalhost, "UNKNOWN" ) == 0 )
+ remotehost = authctxt->host;
+ else
+ remotehost = canonicalhost;
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
@@ -554,7 +560,7 @@ userauth_gssapi(Authctxt *authctxt)
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
ssh_gssapi_check_mechanism(&gssctxt,
- &gss_supported->elements[mech], authctxt->host)) {
+ &gss_supported->elements[mech], remotehost)) {
ok = 1; /* Mechanism works */
} else {
mech++;

395
openssh-5.4p1-selinux.patch
View File

@ -1,395 +0,0 @@
diff -up openssh-5.4p1/auth1.c.selinux openssh-5.4p1/auth1.c
--- openssh-5.4p1/auth1.c.selinux 2010-03-01 15:19:56.000000000 +0100
+++ openssh-5.4p1/auth1.c 2010-03-01 15:19:57.000000000 +0100
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
{
u_int ulen;
char *user, *style = NULL;
+#ifdef WITH_SELINUX
+ char *role=NULL;
+#endif
/* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER);
@@ -392,11 +395,25 @@ do_authentication(Authctxt *authctxt)
user = packet_get_string(&ulen);
packet_check_eom();
+#ifdef WITH_SELINUX
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = '\0';
+#endif
+
if ((style = strchr(user, ':')) != NULL)
*style++ = '\0';
+#ifdef WITH_SELINUX
+ else
+ if (role && (style = strchr(role, ':')) != NULL)
+ *style++ = '\0';
+#endif
+
authctxt->user = user;
authctxt->style = style;
+#ifdef WITH_SELINUX
+ authctxt->role = role;
+#endif
/* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
diff -up openssh-5.4p1/auth2.c.selinux openssh-5.4p1/auth2.c
--- openssh-5.4p1/auth2.c.selinux 2009-06-22 08:11:07.000000000 +0200
+++ openssh-5.4p1/auth2.c 2010-03-01 15:19:57.000000000 +0100
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
Authctxt *authctxt = ctxt;
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
+#ifdef WITH_SELINUX
+ char *role = NULL;
+#endif
int authenticated = 0;
if (authctxt == NULL)
@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+#ifdef WITH_SELINUX
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = 0;
+#endif
+
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
@@ -252,8 +260,15 @@ input_userauth_request(int type, u_int32
use_privsep ? " [net]" : "");
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
- if (use_privsep)
+#ifdef WITH_SELINUX
+ authctxt->role = role ? xstrdup(role) : NULL;
+#endif
+ if (use_privsep) {
mm_inform_authserv(service, style);
+#ifdef WITH_SELINUX
+ mm_inform_authrole(role);
+#endif
+ }
userauth_banner();
} else if (strcmp(user, authctxt->user) != 0 ||
strcmp(service, authctxt->service) != 0) {
diff -up openssh-5.4p1/auth2-gss.c.selinux openssh-5.4p1/auth2-gss.c
--- openssh-5.4p1/auth2-gss.c.selinux 2007-12-02 12:59:45.000000000 +0100
+++ openssh-5.4p1/auth2-gss.c 2010-03-01 15:19:57.000000000 +0100
@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
int authenticated = 0;
+ char *micuser;
Buffer b;
gss_buffer_desc mic, gssbuf;
u_int len;
@@ -270,7 +271,13 @@ input_gssapi_mic(int type, u_int32_t ple
mic.value = packet_get_string(&len);
mic.length = len;
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+#ifdef WITH_SELINUX
+ if (authctxt->role && (strlen(authctxt->role) > 0))
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
+ else
+#endif
+ micuser = authctxt->user;
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
"gssapi-with-mic");
gssbuf.value = buffer_ptr(&b);
@@ -282,6 +289,8 @@ input_gssapi_mic(int type, u_int32_t ple
logit("GSSAPI MIC check failed");
buffer_free(&b);
+ if (micuser != authctxt->user)
+ xfree(micuser);
xfree(mic.value);
authctxt->postponed = 0;
diff -up openssh-5.4p1/auth2-hostbased.c.selinux openssh-5.4p1/auth2-hostbased.c
--- openssh-5.4p1/auth2-hostbased.c.selinux 2008-07-17 10:57:19.000000000 +0200
+++ openssh-5.4p1/auth2-hostbased.c 2010-03-01 15:19:57.000000000 +0100
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+#endif
+ buffer_put_cstring(&b, authctxt->user);
buffer_put_cstring(&b, service);
buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen);
diff -up openssh-5.4p1/auth2-pubkey.c.selinux openssh-5.4p1/auth2-pubkey.c
--- openssh-5.4p1/auth2-pubkey.c.selinux 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.4p1/auth2-pubkey.c 2010-03-01 15:19:57.000000000 +0100
@@ -119,7 +119,15 @@ userauth_pubkey(Authctxt *authctxt)
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+#endif
+ buffer_put_cstring(&b, authctxt->user);
buffer_put_cstring(&b,
datafellows & SSH_BUG_PKSERVICE ?
"ssh-userauth" :
diff -up openssh-5.4p1/auth.h.selinux openssh-5.4p1/auth.h
--- openssh-5.4p1/auth.h.selinux 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.4p1/auth.h 2010-03-01 15:19:57.000000000 +0100
@@ -58,6 +58,9 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
char *style;
+#ifdef WITH_SELINUX
+ char *role;
+#endif
void *kbdintctxt;
void *jpake_ctx;
#ifdef BSD_AUTH
diff -up openssh-5.4p1/configure.ac.selinux openssh-5.4p1/configure.ac
--- openssh-5.4p1/configure.ac.selinux 2010-03-01 15:19:57.000000000 +0100
+++ openssh-5.4p1/configure.ac 2010-03-01 15:21:12.000000000 +0100
@@ -3358,6 +3358,7 @@ AC_ARG_WITH(selinux,
],
AC_MSG_ERROR(SELinux support requires libselinux library))
SSHDLIBS="$SSHDLIBS $LIBSELINUX"
+ LIBS="$LIBS $LIBSELINUX"
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
LIBS="$save_LIBS"
fi ]
diff -up openssh-5.4p1/monitor.c.selinux openssh-5.4p1/monitor.c
--- openssh-5.4p1/monitor.c.selinux 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.4p1/monitor.c 2010-03-01 15:19:57.000000000 +0100
@@ -137,6 +137,9 @@ int mm_answer_sign(int, Buffer *);
int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *);
int mm_answer_authserv(int, Buffer *);
+#ifdef WITH_SELINUX
+int mm_answer_authrole(int, Buffer *);
+#endif
int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *);
int mm_answer_bsdauthrespond(int, Buffer *);
@@ -213,6 +216,9 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+#ifdef WITH_SELINUX
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
+#endif
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
@@ -682,6 +688,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
else {
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+#ifdef WITH_SELINUX
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+#endif
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
}
@@ -726,6 +735,25 @@ mm_answer_authserv(int sock, Buffer *m)
return (0);
}
+#ifdef WITH_SELINUX
+int
+mm_answer_authrole(int sock, Buffer *m)
+{
+ monitor_permit_authentications(1);
+
+ authctxt->role = buffer_get_string(m, NULL);
+ debug3("%s: role=%s",
+ __func__, authctxt->role);
+
+ if (strlen(authctxt->role) == 0) {
+ xfree(authctxt->role);
+ authctxt->role = NULL;
+ }
+
+ return (0);
+}
+#endif
+
int
mm_answer_authpassword(int sock, Buffer *m)
{
@@ -1104,7 +1132,7 @@ static int
monitor_valid_userblob(u_char *data, u_int datalen)
{
Buffer b;
- char *p;
+ char *p, *r;
u_int len;
int fail = 0;
@@ -1130,6 +1158,8 @@ monitor_valid_userblob(u_char *data, u_i
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_string(&b, NULL);
+ if ((r = strchr(p, '/')) != NULL)
+ *r = '\0';
if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);
@@ -1161,7 +1191,7 @@ monitor_valid_hostbasedblob(u_char *data
char *chost)
{
Buffer b;
- char *p;
+ char *p, *r;
u_int len;
int fail = 0;
@@ -1178,6 +1208,8 @@ monitor_valid_hostbasedblob(u_char *data
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_string(&b, NULL);
+ if ((r = strchr(p, '/')) != NULL)
+ *r = '\0';
if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);
diff -up openssh-5.4p1/monitor.h.selinux openssh-5.4p1/monitor.h
--- openssh-5.4p1/monitor.h.selinux 2008-11-05 06:20:46.000000000 +0100
+++ openssh-5.4p1/monitor.h 2010-03-01 15:19:57.000000000 +0100
@@ -31,6 +31,9 @@
enum monitor_reqtype {
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+#ifdef WITH_SELINUX
+ MONITOR_REQ_AUTHROLE,
+#endif
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
diff -up openssh-5.4p1/monitor_wrap.c.selinux openssh-5.4p1/monitor_wrap.c
--- openssh-5.4p1/monitor_wrap.c.selinux 2009-06-22 08:11:07.000000000 +0200
+++ openssh-5.4p1/monitor_wrap.c 2010-03-01 15:19:57.000000000 +0100
@@ -297,6 +297,25 @@ mm_inform_authserv(char *service, char *
buffer_free(&m);
}
+/* Inform the privileged process about role */
+
+#ifdef WITH_SELINUX
+void
+mm_inform_authrole(char *role)
+{
+ Buffer m;
+
+ debug3("%s entering", __func__);
+
+ buffer_init(&m);
+ buffer_put_cstring(&m, role ? role : "");
+
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+ buffer_free(&m);
+}
+#endif
+
/* Do the password authentication */
int
mm_auth_password(Authctxt *authctxt, char *password)
diff -up openssh-5.4p1/monitor_wrap.h.selinux openssh-5.4p1/monitor_wrap.h
--- openssh-5.4p1/monitor_wrap.h.selinux 2009-03-05 14:58:22.000000000 +0100
+++ openssh-5.4p1/monitor_wrap.h 2010-03-01 15:19:57.000000000 +0100
@@ -41,6 +41,9 @@ int mm_is_monitor(void);
DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
void mm_inform_authserv(char *, char *);
+#ifdef WITH_SELINUX
+void mm_inform_authrole(char *);
+#endif
struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *);
diff -up openssh-5.4p1/openbsd-compat/port-linux.c.selinux openssh-5.4p1/openbsd-compat/port-linux.c
--- openssh-5.4p1/openbsd-compat/port-linux.c.selinux 2010-03-01 05:52:50.000000000 +0100
+++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:22:19.000000000 +0100
@@ -32,12 +32,17 @@
#include "log.h"
#include "xmalloc.h"
#include "port-linux.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
#include <selinux/flask.h>
#include <selinux/get_context_list.h>
+extern Authctxt *the_authctxt;
+
/* Wrapper around is_selinux_enabled() to log its return value once only */
int
ssh_selinux_enabled(void)
@@ -56,23 +61,36 @@ ssh_selinux_enabled(void)
static security_context_t
ssh_selinux_getctxbyname(char *pwname)
{
- security_context_t sc;
- char *sename = NULL, *lvl = NULL;
- int r;
+ security_context_t sc = NULL;
+ char *sename, *lvl;
+ char *role = NULL;
+ int r = 0;
+ if (the_authctxt)
+ role=the_authctxt->role;
#ifdef HAVE_GETSEUSERBYNAME
- if (getseuserbyname(pwname, &sename, &lvl) != 0)
- return NULL;
+ if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
+ sename = NULL;
+ lvl = NULL;
+ }
#else
sename = pwname;
lvl = NULL;
#endif
+ if (r == 0) {
#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
- r = get_default_context_with_level(sename, lvl, NULL, &sc);
+ if (role != NULL && role[0])
+ r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc);
+ else
+ r = get_default_context_with_level(sename, lvl, NULL, &sc);
#else
- r = get_default_context(sename, NULL, &sc);
+ if (role != NULL && role[0])
+ r = get_default_context_with_role(sename, role, NULL, &sc);
+ else
+ r = get_default_context(sename, NULL, &sc);
#endif
+ }
if (r != 0) {
switch (security_getenforce()) {

276
openssh-5.6p1-audit.patch
View File

@ -1,276 +0,0 @@
diff -up openssh-5.6p1/audit-bsm.c.audit openssh-5.6p1/audit-bsm.c
--- openssh-5.6p1/audit-bsm.c.audit 2008-02-25 11:05:04.000000000 +0100
+++ openssh-5.6p1/audit-bsm.c 2010-10-20 09:15:47.000000000 +0200
@@ -305,13 +305,13 @@ audit_run_command(const char *command)
}
void
-audit_session_open(const char *ttyn)
+audit_session_open(struct logininfo *li)
{
/* not implemented */
}
void
-audit_session_close(const char *ttyn)
+audit_session_close(struct logininfo *li)
{
/* not implemented */
}
diff -up openssh-5.6p1/audit.c.audit openssh-5.6p1/audit.c
--- openssh-5.6p1/audit.c.audit 2006-09-01 07:38:36.000000000 +0200
+++ openssh-5.6p1/audit.c 2010-10-20 09:15:47.000000000 +0200
@@ -147,9 +147,9 @@ audit_event(ssh_audit_event_t event)
* within a single connection.
*/
void
-audit_session_open(const char *ttyn)
+audit_session_open(struct logininfo *li)
{
- const char *t = ttyn ? ttyn : "(no tty)";
+ const char *t = li->line ? li->line : "(no tty)";
debug("audit session open euid %d user %s tty name %s", geteuid(),
audit_username(), t);
@@ -163,9 +163,9 @@ audit_session_open(const char *ttyn)
* within a single connection.
*/
void
-audit_session_close(const char *ttyn)
+audit_session_close(struct logininfo *li)
{
- const char *t = ttyn ? ttyn : "(no tty)";
+ const char *t = li->line ? li->line : "(no tty)";
debug("audit session close euid %d user %s tty name %s", geteuid(),
audit_username(), t);
diff -up openssh-5.6p1/audit.h.audit openssh-5.6p1/audit.h
--- openssh-5.6p1/audit.h.audit 2006-08-05 16:05:10.000000000 +0200
+++ openssh-5.6p1/audit.h 2010-10-20 09:15:47.000000000 +0200
@@ -26,6 +26,9 @@
#ifndef _SSH_AUDIT_H
# define _SSH_AUDIT_H
+
+#include "loginrec.h"
+
enum ssh_audit_event_type {
SSH_LOGIN_EXCEED_MAXTRIES,
SSH_LOGIN_ROOT_DENIED,
@@ -46,8 +49,8 @@ typedef enum ssh_audit_event_type ssh_au
void audit_connection_from(const char *, int);
void audit_event(ssh_audit_event_t);
-void audit_session_open(const char *);
-void audit_session_close(const char *);
+void audit_session_open(struct logininfo *);
+void audit_session_close(struct logininfo *);
void audit_run_command(const char *);
ssh_audit_event_t audit_classify_auth(const char *);
diff -up openssh-5.6p1/audit-linux.c.audit openssh-5.6p1/audit-linux.c
--- openssh-5.6p1/audit-linux.c.audit 2010-10-20 09:15:47.000000000 +0200
+++ openssh-5.6p1/audit-linux.c 2010-10-20 09:15:47.000000000 +0200
@@ -0,0 +1,120 @@
+/* $Id: audit-linux.c,v 1.1 jfch Exp $ */
+
+/*
+ * Copyright 2010 Red Hat, Inc. All rights reserved.
+ * Use is subject to license terms.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
+ */
+
+#include "includes.h"
+#if defined(USE_LINUX_AUDIT)
+#include <libaudit.h>
+#include <unistd.h>
+#include <string.h>
+
+#include "log.h"
+#include "audit.h"
+#include "canohost.h"
+
+const char* audit_username(void);
+
+int
+linux_audit_record_event(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success)
+{
+ int audit_fd, rc, saved_errno;
+
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return 1; /* No audit support in kernel */
+ else
+ return 0; /* Must prevent login */
+ }
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+ NULL, "login", username ? username : "(unknown)",
+ username == NULL ? uid : -1, hostname, ip, ttyn, success);
+ saved_errno = errno;
+ close(audit_fd);
+ errno = saved_errno;
+ return (rc >= 0);
+}
+
+/* Below is the sshd audit API code */
+
+void
+audit_connection_from(const char *host, int port)
+{
+}
+ /* not implemented */
+
+void
+audit_run_command(const char *command)
+{
+ /* not implemented */
+}
+
+void
+audit_session_open(struct logininfo *li)
+{
+ if (linux_audit_record_event(li->uid, NULL, li->hostname,
+ NULL, li->line, 1) == 0)
+ fatal("linux_audit_write_entry failed: %s", strerror(errno));
+}
+
+void
+audit_session_close(struct logininfo *li)
+{
+ /* not implemented */
+}
+
+void
+audit_event(ssh_audit_event_t event)
+{
+ switch(event) {
+ case SSH_AUTH_SUCCESS:
+ case SSH_CONNECTION_CLOSE:
+ case SSH_NOLOGIN:
+ case SSH_LOGIN_EXCEED_MAXTRIES:
+ case SSH_LOGIN_ROOT_DENIED:
+ break;
+
+ case SSH_AUTH_FAIL_NONE:
+ case SSH_AUTH_FAIL_PASSWD:
+ case SSH_AUTH_FAIL_KBDINT:
+ case SSH_AUTH_FAIL_PUBKEY:
+ case SSH_AUTH_FAIL_HOSTBASED:
+ case SSH_AUTH_FAIL_GSSAPI:
+ case SSH_INVALID_USER:
+ linux_audit_record_event(-1, audit_username(), NULL,
+ get_remote_ipaddr(), "sshd", 0);
+ break;
+
+ default:
+ debug("%s: unhandled event %d", __func__, event);
+ }
+}
+
+#endif /* USE_LINUX_AUDIT */
diff -up openssh-5.6p1/configure.ac.audit openssh-5.6p1/configure.ac
--- openssh-5.6p1/configure.ac.audit 2010-08-16 05:15:23.000000000 +0200
+++ openssh-5.6p1/configure.ac 2010-10-20 09:15:47.000000000 +0200
@@ -1308,7 +1308,7 @@ int main(void)
AUDIT_MODULE=none
AC_ARG_WITH(audit,
- [ --with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm)],
+ [ --with-audit=module Enable audit support (modules=debug,bsm,linux)],
[
AC_MSG_CHECKING(for supported audit module)
case "$withval" in
@@ -1332,10 +1332,18 @@ AC_ARG_WITH(audit,
AC_CHECK_FUNCS(getaudit_addr aug_get_machine)
AC_DEFINE(USE_BSM_AUDIT, 1, [Use BSM audit module])
;;
+ linux)
+ AC_MSG_RESULT(linux)
+ AUDIT_MODULE=linux
+ dnl Checks for headers, libs and functions
+ AC_CHECK_HEADERS(libaudit.h)
+ SSHDLIBS="$SSHDLIBS -laudit"
+ AC_DEFINE(USE_LINUX_AUDIT, 1, [Use Linux audit module])
+ ;;
debug)
AUDIT_MODULE=debug
AC_MSG_RESULT(debug)
- AC_DEFINE(SSH_AUDIT_EVENTS, 1, Use audit debugging module)
+ AC_DEFINE(SSH_AUDIT_EVENTS, 1, [Use audit debugging module])
;;
no)
AC_MSG_RESULT(no)
diff -up openssh-5.6p1/defines.h.audit openssh-5.6p1/defines.h
--- openssh-5.6p1/defines.h.audit 2010-04-09 10:13:27.000000000 +0200
+++ openssh-5.6p1/defines.h 2010-10-20 09:15:47.000000000 +0200
@@ -566,6 +566,11 @@ struct winsize {
# define CUSTOM_SSH_AUDIT_EVENTS
#endif
+#ifdef USE_LINUX_AUDIT
+# define SSH_AUDIT_EVENTS
+# define CUSTOM_SSH_AUDIT_EVENTS
+#endif
+
#if !defined(HAVE___func__) && defined(HAVE___FUNCTION__)
# define __func__ __FUNCTION__
#elif !defined(HAVE___func__)
diff -up openssh-5.6p1/loginrec.c.audit openssh-5.6p1/loginrec.c
--- openssh-5.6p1/loginrec.c.audit 2010-04-09 10:13:27.000000000 +0200
+++ openssh-5.6p1/loginrec.c 2010-10-20 09:15:47.000000000 +0200
@@ -468,9 +468,9 @@ login_write(struct logininfo *li)
#endif
#ifdef SSH_AUDIT_EVENTS
if (li->type == LTYPE_LOGIN)
- audit_session_open(li->line);
+ audit_session_open(li);
else if (li->type == LTYPE_LOGOUT)
- audit_session_close(li->line);
+ audit_session_close(li);
#endif
return (0);
}
diff -up openssh-5.6p1/Makefile.in.audit openssh-5.6p1/Makefile.in
--- openssh-5.6p1/Makefile.in.audit 2010-05-12 08:51:39.000000000 +0200
+++ openssh-5.6p1/Makefile.in 2010-10-20 09:15:47.000000000 +0200
@@ -81,6 +81,7 @@ SSHOBJS= ssh.o readconf.o clientloop.o s
roaming_common.o roaming_client.o
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
+ audit.o audit-bsm.o audit-linux.o platform.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
auth.o auth1.o auth2.o auth-options.o session.o \
auth-chall.o auth2-chall.o groupaccess.o \
@@ -90,7 +91,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
auth-krb5.o \
auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
- audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
+ sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out

13
openssh-5.6p1-audit1a.patch
View File

@ -1,13 +0,0 @@
diff -up openssh-5.6p1/audit-linux.c.audit1a openssh-5.6p1/audit-linux.c
--- openssh-5.6p1/audit-linux.c.audit1a 2010-12-10 21:47:03.000000000 +0100
+++ openssh-5.6p1/audit-linux.c 2010-12-10 21:50:31.000000000 +0100
@@ -59,7 +59,8 @@ linux_audit_record_event(int uid, const
saved_errno = errno;
close(audit_fd);
errno = saved_errno;
- return (rc >= 0);
+ /* do not report error if the error is EPERM and sshd is run as non root user */
+ return (rc >= 0) || ((rc == -EPERM) && (getuid() != 0));
}
/* Below is the sshd audit API code */

236
openssh-5.6p1-audit4.patch
View File

@ -1,236 +0,0 @@
diff -up openssh-5.6p1/audit-bsm.c.audit4 openssh-5.6p1/audit-bsm.c
--- openssh-5.6p1/audit-bsm.c.audit4 2011-01-12 14:01:50.000000000 +0100
+++ openssh-5.6p1/audit-bsm.c 2011-01-12 14:01:51.000000000 +0100
@@ -395,4 +395,10 @@ audit_kex_body(int ctos, char *enc, char
{
/* not implemented */
}
+
+void
+audit_session_key_free_body(int ctos)
+{
+ /* not implemented */
+}
#endif /* BSM */
diff -up openssh-5.6p1/audit.c.audit4 openssh-5.6p1/audit.c
--- openssh-5.6p1/audit.c.audit4 2011-01-12 14:01:50.000000000 +0100
+++ openssh-5.6p1/audit.c 2011-01-12 14:01:51.000000000 +0100
@@ -152,6 +152,12 @@ audit_kex(int ctos, char *enc, char *mac
PRIVSEP(audit_kex_body(ctos, enc, mac, comp));
}
+void
+audit_session_key_free(int ctos)
+{
+ PRIVSEP(audit_session_key_free_body(ctos));
+}
+
# ifndef CUSTOM_SSH_AUDIT_EVENTS
/*
* Null implementations of audit functions.
@@ -254,5 +260,13 @@ audit_kex_body(int ctos, char *enc, char
debug("audit procol negotiation euid %d direction %d cipher %s mac %s compresion %s",
geteuid(), ctos, enc, mac, compress);
}
+
+/*
+ * This will be called on succesfull session key discard
+ */
+audit_session_key_free_body(int ctos)
+{
+ debug("audit session key discard euid %d direction %d", geteuid(), ctos);
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.6p1/audit.h.audit4 openssh-5.6p1/audit.h
--- openssh-5.6p1/audit.h.audit4 2011-01-12 14:01:50.000000000 +0100
+++ openssh-5.6p1/audit.h 2011-01-12 14:01:51.000000000 +0100
@@ -60,5 +60,7 @@ void audit_unsupported(int);
void audit_kex(int, char *, char *, char *);
void audit_unsupported_body(int);
void audit_kex_body(int, char *, char *, char *);
+void audit_session_key_free(int ctos);
+void audit_session_key_free_body(int ctos);
#endif /* _SSH_AUDIT_H */
diff -up openssh-5.6p1/audit-linux.c.audit4 openssh-5.6p1/audit-linux.c
--- openssh-5.6p1/audit-linux.c.audit4 2011-01-12 14:01:50.000000000 +0100
+++ openssh-5.6p1/audit-linux.c 2011-01-12 14:04:15.000000000 +0100
@@ -174,13 +174,14 @@ audit_unsupported_body(int what)
#endif
}
+const static char *direction[] = { "from-server", "from-client", "both" };
+
void
audit_kex_body(int ctos, char *enc, char *mac, char *compress)
{
#ifdef AUDIT_CRYPTO_SESSION
char buf[AUDIT_LOG_SIZE];
int audit_fd, audit_ok;
- const static char *direction[] = { "from-server", "from-client", "both" };
Cipher *cipher = cipher_by_name(enc);
snprintf(buf, sizeof(buf), "start direction=%s cipher=%s, ksize=%d rport=%d laddr=%s lport=%d",
@@ -203,4 +204,26 @@ audit_kex_body(int ctos, char *enc, char
#endif
}
+void
+audit_session_key_free_body(int ctos)
+{
+ char buf[AUDIT_LOG_SIZE];
+ int audit_fd, audit_ok;
+
+ snprintf(buf, sizeof(buf), "destroy kind=session direction=%s", direction[ctos]);
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
+ errno != EAFNOSUPPORT)
+ error("cannot open audit");
+ return;
+ }
+ audit_ok = audit_log_acct_message(audit_fd, AUDIT_CRYPTO_KEY_USER, NULL,
+ buf, NULL, -1, NULL, get_remote_ipaddr(), NULL, 1);
+ audit_close(audit_fd);
+ /* do not abort if the error is EPERM and sshd is run as non root user */
+ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
+ error("cannot write into audit");
+}
+
#endif /* USE_LINUX_AUDIT */
diff -up openssh-5.6p1/auditstub.c.audit4 openssh-5.6p1/auditstub.c
--- openssh-5.6p1/auditstub.c.audit4 2011-01-12 14:01:50.000000000 +0100
+++ openssh-5.6p1/auditstub.c 2011-01-12 14:01:51.000000000 +0100
@@ -37,3 +37,7 @@ audit_kex(int ctos, char *enc, char *mac
{
}
+void
+audit_session_key_free(int ctos)
+{
+}
diff -up openssh-5.6p1/monitor.c.audit4 openssh-5.6p1/monitor.c
--- openssh-5.6p1/monitor.c.audit4 2011-01-12 14:01:51.000000000 +0100
+++ openssh-5.6p1/monitor.c 2011-01-12 14:01:51.000000000 +0100
@@ -180,6 +180,7 @@ int mm_answer_audit_event(int, Buffer *)
int mm_answer_audit_command(int, Buffer *);
int mm_answer_audit_unsupported_body(int, Buffer *);
int mm_answer_audit_kex_body(int, Buffer *);
+int mm_answer_audit_session_key_free_body(int, Buffer *);
#endif
static Authctxt *authctxt;
@@ -230,6 +231,7 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
#endif
#ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -268,6 +270,7 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
#endif
{0, 0, NULL}
};
@@ -301,6 +304,7 @@ struct mon_table mon_dispatch_proto15[]
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
#endif
{0, 0, NULL}
};
@@ -314,6 +318,7 @@ struct mon_table mon_dispatch_postauth15
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
#endif
{0, 0, NULL}
};
@@ -2252,4 +2257,18 @@ mm_answer_audit_kex_body(int sock, Buffe
return 0;
}
+int
+mm_answer_audit_session_key_free_body(int sock, Buffer *m)
+{
+ int ctos;
+
+ ctos = buffer_get_int(m);
+
+ audit_session_key_free_body(ctos);
+
+ buffer_clear(m);
+
+ mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);
+ return 0;
+}
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.6p1/monitor.h.audit4 openssh-5.6p1/monitor.h
--- openssh-5.6p1/monitor.h.audit4 2011-01-12 14:01:51.000000000 +0100
+++ openssh-5.6p1/monitor.h 2011-01-12 14:01:51.000000000 +0100
@@ -68,6 +68,7 @@ enum monitor_reqtype {
MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
+ MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
};
struct mm_master;
diff -up openssh-5.6p1/monitor_wrap.c.audit4 openssh-5.6p1/monitor_wrap.c
--- openssh-5.6p1/monitor_wrap.c.audit4 2011-01-12 14:01:51.000000000 +0100
+++ openssh-5.6p1/monitor_wrap.c 2011-01-12 14:01:51.000000000 +0100
@@ -1445,4 +1445,17 @@ mm_audit_kex_body(int ctos, char *cipher
buffer_free(&m);
}
+
+void
+mm_audit_session_key_free_body(int ctos)
+{
+ Buffer m;
+
+ buffer_init(&m);
+ buffer_put_int(&m, ctos);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SESSION_KEY_FREE, &m);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
+ &m);
+ buffer_free(&m);
+}
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.6p1/monitor_wrap.h.audit4 openssh-5.6p1/monitor_wrap.h
--- openssh-5.6p1/monitor_wrap.h.audit4 2011-01-12 14:01:51.000000000 +0100
+++ openssh-5.6p1/monitor_wrap.h 2011-01-12 14:01:51.000000000 +0100
@@ -76,6 +76,7 @@ void mm_audit_event(ssh_audit_event_t);
void mm_audit_run_command(const char *);
void mm_audit_unsupported_body(int);
void mm_audit_kex_body(int, char *, char *, char *);
+void mm_audit_session_key_free_body(int);
#endif
struct Session;
diff -up openssh-5.6p1/packet.c.audit4 openssh-5.6p1/packet.c
--- openssh-5.6p1/packet.c.audit4 2010-07-16 05:58:37.000000000 +0200
+++ openssh-5.6p1/packet.c 2011-01-12 14:01:51.000000000 +0100
@@ -495,6 +495,7 @@ packet_close(void)
buffer_free(&active_state->compression_buffer);
buffer_compress_uninit();
}
+ audit_session_key_free(2);
cipher_cleanup(&active_state->send_context);
cipher_cleanup(&active_state->receive_context);
}
@@ -749,6 +750,7 @@ set_newkeys(int mode)
}
if (active_state->newkeys[mode] != NULL) {
debug("set_newkeys: rekeying");
+ audit_session_key_free(mode);
cipher_cleanup(cc);
enc = &active_state->newkeys[mode]->enc;
mac = &active_state->newkeys[mode]->mac;

443
openssh-5.6p1-audit5.patch
View File

@ -1,443 +0,0 @@
diff -up openssh-5.6p1/audit-bsm.c.audit5 openssh-5.6p1/audit-bsm.c
--- openssh-5.6p1/audit-bsm.c.audit5 2011-02-07 18:53:53.000000000 +0100
+++ openssh-5.6p1/audit-bsm.c 2011-02-07 18:53:53.000000000 +0100
@@ -401,4 +401,10 @@ audit_session_key_free_body(int ctos)
{
/* not implemented */
}
+
+void
+audit_destroy_sensitive_data(void)
+{
+ /* not implemented */
+}
#endif /* BSM */
diff -up openssh-5.6p1/audit.c.audit5 openssh-5.6p1/audit.c
--- openssh-5.6p1/audit.c.audit5 2011-02-07 18:53:53.000000000 +0100
+++ openssh-5.6p1/audit.c 2011-02-07 18:53:53.000000000 +0100
@@ -268,5 +268,14 @@ audit_session_key_free_body(int ctos)
{
debug("audit session key discard euid %d direction %d", geteuid(), ctos);
}
+
+/*
+ * This will be called on destroy private part of the server key
+ */
+void
+audit_destroy_sensitive_data(void)
+{
+ debug("audit destroy sensitive data euid %d", geteuid());
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.6p1/audit.h.audit5 openssh-5.6p1/audit.h
--- openssh-5.6p1/audit.h.audit5 2011-02-07 18:53:53.000000000 +0100
+++ openssh-5.6p1/audit.h 2011-02-07 18:53:53.000000000 +0100
@@ -62,5 +62,6 @@ void audit_unsupported_body(int);
void audit_kex_body(int, char *, char *, char *);
void audit_session_key_free(int ctos);
void audit_session_key_free_body(int ctos);
+void audit_destroy_sensitive_data(void);
#endif /* _SSH_AUDIT_H */
diff -up openssh-5.6p1/audit-linux.c.audit5 openssh-5.6p1/audit-linux.c
--- openssh-5.6p1/audit-linux.c.audit5 2011-02-07 18:53:53.000000000 +0100
+++ openssh-5.6p1/audit-linux.c 2011-02-07 18:53:53.000000000 +0100
@@ -226,4 +226,26 @@ audit_session_key_free_body(int ctos)
error("cannot write into audit");
}
+void
+audit_destroy_sensitive_data(void)
+{
+ char buf[AUDIT_LOG_SIZE];
+ int audit_fd, audit_ok;
+
+ snprintf(buf, sizeof(buf), "destroy kind=server direction=?");
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
+ errno != EAFNOSUPPORT)
+ error("cannot open audit");
+ return;
+ }
+ audit_ok = audit_log_acct_message(audit_fd, AUDIT_CRYPTO_KEY_USER, NULL,
+ buf, NULL, -1, NULL, get_remote_ipaddr(), NULL, 1);
+ audit_close(audit_fd);
+ /* do not abort if the error is EPERM and sshd is run as non root user */
+ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
+ error("cannot write into audit");
+}
+
#endif /* USE_LINUX_AUDIT */
diff -up openssh-5.6p1/kex.c.audit5 openssh-5.6p1/kex.c
--- openssh-5.6p1/kex.c.audit5 2011-02-07 18:53:53.000000000 +0100
+++ openssh-5.6p1/kex.c 2011-02-07 18:53:53.000000000 +0100
@@ -592,3 +592,34 @@ dump_digest(char *msg, u_char *digest, i
fprintf(stderr, "\n");
}
#endif
+
+static void
+enc_destroy(Enc *enc)
+{
+ if (enc == NULL)
+ return;
+
+ if (enc->key) {
+ memset(enc->key, 0, enc->key_len);
+ xfree(enc->key);
+ }
+
+ if (enc->iv) {
+ memset(enc->iv, 0, enc->block_size);
+ xfree(enc->iv);
+ }
+
+ memset(enc, 0, sizeof(*enc));
+}
+
+void
+newkeys_destroy(Newkeys *newkeys)
+{
+ if (newkeys == NULL)
+ return;
+
+ enc_destroy(&newkeys->enc);
+ mac_destroy(&newkeys->mac);
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp));
+}
+
diff -up openssh-5.6p1/kex.h.audit5 openssh-5.6p1/kex.h
--- openssh-5.6p1/kex.h.audit5 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.6p1/kex.h 2011-02-07 18:53:53.000000000 +0100
@@ -146,6 +146,8 @@ void kexdh_server(Kex *);
void kexgex_client(Kex *);
void kexgex_server(Kex *);
+void newkeys_destroy(Newkeys *newkeys);
+
void
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
diff -up openssh-5.6p1/mac.c.audit5 openssh-5.6p1/mac.c
--- openssh-5.6p1/mac.c.audit5 2008-06-13 02:58:50.000000000 +0200
+++ openssh-5.6p1/mac.c 2011-02-07 18:53:53.000000000 +0100
@@ -162,6 +162,20 @@ mac_clear(Mac *mac)
mac->umac_ctx = NULL;
}
+void
+mac_destroy(Mac *mac)
+{
+ if (mac == NULL)
+ return;
+
+ if (mac->key) {
+ memset(mac->key, 0, mac->key_len);
+ xfree(mac->key);
+ }
+
+ memset(mac, 0, sizeof(*mac));
+}
+
/* XXX copied from ciphers_valid */
#define MAC_SEP ","
int
diff -up openssh-5.6p1/mac.h.audit5 openssh-5.6p1/mac.h
--- openssh-5.6p1/mac.h.audit5 2007-06-11 06:01:42.000000000 +0200
+++ openssh-5.6p1/mac.h 2011-02-07 18:53:53.000000000 +0100
@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *);
int mac_init(Mac *);
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
void mac_clear(Mac *);
+void mac_destroy(Mac *);
diff -up openssh-5.6p1/monitor.c.audit5 openssh-5.6p1/monitor.c
--- openssh-5.6p1/monitor.c.audit5 2011-02-07 18:53:53.000000000 +0100
+++ openssh-5.6p1/monitor.c 2011-02-07 18:53:53.000000000 +0100
@@ -181,6 +181,7 @@ int mm_answer_audit_command(int, Buffer
int mm_answer_audit_unsupported_body(int, Buffer *);
int mm_answer_audit_kex_body(int, Buffer *);
int mm_answer_audit_session_key_free_body(int, Buffer *);
+int mm_answer_audit_server_key_free(int, Buffer *);
#endif
static Authctxt *authctxt;
@@ -232,6 +233,7 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
+ {MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
#endif
#ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -271,6 +273,7 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
+ {MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
#endif
{0, 0, NULL}
};
@@ -305,6 +308,7 @@ struct mon_table mon_dispatch_proto15[]
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
+ {MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
#endif
{0, 0, NULL}
};
@@ -319,6 +323,7 @@ struct mon_table mon_dispatch_postauth15
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
+ {MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
#endif
{0, 0, NULL}
};
@@ -2271,4 +2276,15 @@ mm_answer_audit_session_key_free_body(in
mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);
return 0;
}
+
+int
+mm_answer_audit_server_key_free(int sock, Buffer *m)
+{
+ audit_destroy_sensitive_data();
+
+ buffer_clear(m);
+
+ mm_request_send(sock, MONITOR_ANS_AUDIT_SERVER_KEY_FREE, m);
+ return 0;
+}
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.6p1/monitor.h.audit5 openssh-5.6p1/monitor.h
--- openssh-5.6p1/monitor.h.audit5 2011-02-07 18:53:53.000000000 +0100
+++ openssh-5.6p1/monitor.h 2011-02-07 18:53:53.000000000 +0100
@@ -69,6 +69,7 @@ enum monitor_reqtype {
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
+ MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MONITOR_ANS_AUDIT_SERVER_KEY_FREE,
};
struct mm_master;
diff -up openssh-5.6p1/monitor_wrap.c.audit5 openssh-5.6p1/monitor_wrap.c
--- openssh-5.6p1/monitor_wrap.c.audit5 2011-02-07 18:53:53.000000000 +0100
+++ openssh-5.6p1/monitor_wrap.c 2011-02-07 18:53:53.000000000 +0100
@@ -1458,4 +1458,16 @@ mm_audit_session_key_free_body(int ctos)
&m);
buffer_free(&m);
}
+
+void
+mm_audit_destroy_sensitive_data(void)
+{
+ Buffer m;
+
+ buffer_init(&m);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SERVER_KEY_FREE,
+ &m);
+ buffer_free(&m);
+}
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.6p1/monitor_wrap.h.audit5 openssh-5.6p1/monitor_wrap.h
--- openssh-5.6p1/monitor_wrap.h.audit5 2011-02-07 18:53:53.000000000 +0100
+++ openssh-5.6p1/monitor_wrap.h 2011-02-07 18:53:53.000000000 +0100
@@ -77,6 +77,7 @@ void mm_audit_run_command(const char *);
void mm_audit_unsupported_body(int);
void mm_audit_kex_body(int, char *, char *, char *);
void mm_audit_session_key_free_body(int);
+void mm_audit_server_key_free_body(void);
#endif
struct Session;
diff -up openssh-5.6p1/packet.c.audit5 openssh-5.6p1/packet.c
--- openssh-5.6p1/packet.c.audit5 2011-02-07 18:53:53.000000000 +0100
+++ openssh-5.6p1/packet.c 2011-02-07 18:53:54.000000000 +0100
@@ -60,6 +60,7 @@
#include <signal.h>
#include "xmalloc.h"
+#include "audit.h"
#include "buffer.h"
#include "packet.h"
#include "crc32.h"
@@ -495,9 +496,9 @@ packet_close(void)
buffer_free(&active_state->compression_buffer);
buffer_compress_uninit();
}
- audit_session_key_free(2);
cipher_cleanup(&active_state->send_context);
cipher_cleanup(&active_state->receive_context);
+ audit_session_key_free(2);
}
/* Sets remote side protocol flags. */
@@ -1893,6 +1894,34 @@ packet_get_newkeys(int mode)
return (void *)active_state->newkeys[mode];
}
+static void
+packet_destroy_state(struct session_state *state)
+{
+ if (state == NULL)
+ return;
+
+ cipher_cleanup(&state->receive_context);
+ cipher_cleanup(&state->send_context);
+
+ buffer_free(&state->input);
+ buffer_free(&state->output);
+ buffer_free(&state->outgoing_packet);
+ buffer_free(&state->incoming_packet);
+ buffer_free(&state->compression_buffer);
+ newkeys_destroy(state->newkeys[MODE_IN]);
+ newkeys_destroy(state->newkeys[MODE_OUT]);
+ mac_destroy(state->packet_discard_mac);
+// TAILQ_HEAD(, packet) outgoing;
+// memset(state, 0, sizeof(state));
+}
+
+void
+packet_destroy_all(void)
+{
+ packet_destroy_state(active_state);
+ packet_destroy_state(backup_state);
+}
+
/*
* Save the state for the real connection, and use a separate state when
* resuming a suspended connection.
@@ -1900,18 +1929,12 @@ packet_get_newkeys(int mode)
void
packet_backup_state(void)
{
- struct session_state *tmp;
-
close(active_state->connection_in);
active_state->connection_in = -1;
close(active_state->connection_out);
active_state->connection_out = -1;
- if (backup_state)
- tmp = backup_state;
- else
- tmp = alloc_session_state();
backup_state = active_state;
- active_state = tmp;
+ active_state = alloc_session_state();
}
/*
@@ -1928,9 +1951,7 @@ packet_restore_state(void)
backup_state = active_state;
active_state = tmp;
active_state->connection_in = backup_state->connection_in;
- backup_state->connection_in = -1;
active_state->connection_out = backup_state->connection_out;
- backup_state->connection_out = -1;
len = buffer_len(&backup_state->input);
if (len > 0) {
buf = buffer_ptr(&backup_state->input);
@@ -1938,4 +1959,10 @@ packet_restore_state(void)
buffer_clear(&backup_state->input);
add_recv_bytes(len);
}
+ backup_state->connection_in = -1;
+ backup_state->connection_out = -1;
+ packet_destroy_state(backup_state);
+ xfree(backup_state);
+ backup_state = NULL;
}
+
diff -up openssh-5.6p1/packet.h.audit5 openssh-5.6p1/packet.h
--- openssh-5.6p1/packet.h.audit5 2009-07-05 23:11:13.000000000 +0200
+++ openssh-5.6p1/packet.h 2011-02-07 18:53:54.000000000 +0100
@@ -115,4 +115,5 @@ void packet_restore_state(void);
void *packet_get_input(void);
void *packet_get_output(void);
+void packet_destroy_all(void);
#endif /* PACKET_H */
diff -up openssh-5.6p1/session.c.audit5 openssh-5.6p1/session.c
--- openssh-5.6p1/session.c.audit5 2010-06-26 02:00:15.000000000 +0200
+++ openssh-5.6p1/session.c 2011-02-07 18:53:54.000000000 +0100
@@ -1677,6 +1677,7 @@ do_child(Session *s, const char *command
/* remove hostkey from the child's memory */
destroy_sensitive_data();
+ PRIVSEP(audit_destroy_sensitive_data());
/* Force a password change */
if (s->authctxt->force_pwchange) {
diff -up openssh-5.6p1/sshd.c.audit5 openssh-5.6p1/sshd.c
--- openssh-5.6p1/sshd.c.audit5 2011-02-07 18:53:53.000000000 +0100
+++ openssh-5.6p1/sshd.c 2011-02-07 19:08:56.000000000 +0100
@@ -579,6 +579,7 @@ demote_sensitive_data(void)
}
/* Certs do not need demotion */
}
+ audit_destroy_sensitive_data();
/* We do not clear ssh1_host key and cookie. XXX - Okay Niels? */
}
@@ -663,6 +664,8 @@ privsep_preauth(Authctxt *authctxt)
return (0);
}
+extern Newkeys *current_keys[];
+
static void
privsep_postauth(Authctxt *authctxt)
{
@@ -688,6 +691,10 @@ privsep_postauth(Authctxt *authctxt)
verbose("User child is on pid %ld", (long)pmonitor->m_pid);
close(pmonitor->m_recvfd);
buffer_clear(&loginmsg);
+ newkeys_destroy(current_keys[MODE_OUT]);
+ newkeys_destroy(current_keys[MODE_IN]);
+ packet_destroy_all();
+ audit_session_key_free_body(2);
monitor_child_postauth(pmonitor);
/* NEVERREACHED */
@@ -1970,6 +1977,8 @@ main(int ac, char **av)
*/
if (use_privsep) {
mm_send_keystate(pmonitor);
+ packet_destroy_all();
+ audit_session_key_free(2);
exit(0);
}
@@ -2011,8 +2020,10 @@ main(int ac, char **av)
if (use_privsep) {
privsep_postauth(authctxt);
/* the monitor process [priv] will not return */
- if (!compat20)
+ if (!compat20) {
destroy_sensitive_data();
+ audit_destroy_sensitive_data();
+ }
}
packet_set_timeout(options.client_alive_interval,
@@ -2022,6 +2033,9 @@ main(int ac, char **av)
do_authenticated(authctxt);
/* The connection has been terminated. */
+ packet_destroy_all();
+ audit_session_key_free(2);
+
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
verbose("Transferred: sent %llu, received %llu bytes", obytes, ibytes);
@@ -2249,6 +2263,7 @@ do_ssh1_kex(void)
}
/* Destroy the private and public keys. No longer. */
destroy_sensitive_data();
+ audit_destroy_sensitive_data();
if (use_privsep)
mm_ssh1_session_id(session_id);

99
openssh-5.6p1-biguid.patch
View File

@ -1,99 +0,0 @@
diff -up openssh-5.6p1/loginrec.c.biguid openssh-5.6p1/loginrec.c
--- openssh-5.6p1/loginrec.c.biguid 2010-11-15 13:19:35.000000000 +0100
+++ openssh-5.6p1/loginrec.c 2010-11-15 13:19:38.000000000 +0100
@@ -273,7 +273,7 @@ login_logout(struct logininfo *li)
* try to retrieve lastlog information from wtmp/wtmpx.
*/
unsigned int
-login_get_lastlog_time(const int uid)
+login_get_lastlog_time(const uid_t uid)
{
struct logininfo li;
@@ -297,7 +297,7 @@ login_get_lastlog_time(const int uid)
* 0 on failure (will use OpenSSH's logging facilities for diagnostics)
*/
struct logininfo *
-login_get_lastlog(struct logininfo *li, const int uid)
+login_get_lastlog(struct logininfo *li, const uid_t uid)
{
struct passwd *pw;
@@ -311,7 +311,8 @@ login_get_lastlog(struct logininfo *li,
*/
pw = getpwuid(uid);
if (pw == NULL)
- fatal("%s: Cannot find account for uid %i", __func__, uid);
+ fatal("%s: Cannot find account for uid %ld", __func__,
+ (long)uid);
/* No MIN_SIZEOF here - we absolutely *must not* truncate the
* username (XXX - so check for trunc!) */
@@ -335,7 +336,7 @@ login_get_lastlog(struct logininfo *li,
* allocation fails, the program halts.
*/
struct
-logininfo *login_alloc_entry(int pid, const char *username,
+logininfo *login_alloc_entry(pid_t pid, const char *username,
const char *hostname, const char *line)
{
struct logininfo *newli;
@@ -363,7 +364,7 @@ login_free_entry(struct logininfo *li)
* Returns: 1
*/
int
-login_init_entry(struct logininfo *li, int pid, const char *username,
+login_init_entry(struct logininfo *li, pid_t pid, const char *username,
const char *hostname, const char *line)
{
struct passwd *pw;
@@ -1496,7 +1497,7 @@ lastlog_openseek(struct logininfo *li, i
if (S_ISREG(st.st_mode)) {
/* find this uid's offset in the lastlog file */
- offset = (off_t) ((long)li->uid * sizeof(struct lastlog));
+ offset = (off_t) ((u_long)li->uid * sizeof(struct lastlog));
if (lseek(*fd, offset, SEEK_SET) != offset) {
logit("%s: %s->lseek(): %s", __func__,
diff -up openssh-5.6p1/loginrec.h.biguid openssh-5.6p1/loginrec.h
--- openssh-5.6p1/loginrec.h.biguid 2010-06-22 07:02:39.000000000 +0200
+++ openssh-5.6p1/loginrec.h 2010-11-15 13:19:38.000000000 +0100
@@ -63,8 +63,8 @@ struct logininfo {
char progname[LINFO_PROGSIZE]; /* name of program (for PAM) */
int progname_null;
short int type; /* type of login (LTYPE_*) */
- int pid; /* PID of login process */
- int uid; /* UID of this user */
+ pid_t pid; /* PID of login process */
+ uid_t uid; /* UID of this user */
char line[LINFO_LINESIZE]; /* tty/pty name */
char username[LINFO_NAMESIZE]; /* login username */
char hostname[LINFO_HOSTSIZE]; /* remote hostname */
@@ -86,12 +86,12 @@ struct logininfo {
/** 'public' functions */
/* construct a new login entry */
-struct logininfo *login_alloc_entry(int pid, const char *username,
+struct logininfo *login_alloc_entry(pid_t pid, const char *username,
const char *hostname, const char *line);
/* free a structure */
void login_free_entry(struct logininfo *li);
/* fill out a pre-allocated structure with useful information */
-int login_init_entry(struct logininfo *li, int pid, const char *username,
+int login_init_entry(struct logininfo *li, pid_t pid, const char *username,
const char *hostname, const char *line);
/* place the current time in a logininfo struct */
void login_set_current_time(struct logininfo *li);
@@ -117,9 +117,9 @@ void login_set_addr(struct logininfo *li
* lastlog retrieval functions
*/
/* lastlog *entry* functions fill out a logininfo */
-struct logininfo *login_get_lastlog(struct logininfo *li, const int uid);
+struct logininfo *login_get_lastlog(struct logininfo *li, const uid_t uid);
/* lastlog *time* functions return time_t equivalent (uint) */
-unsigned int login_get_lastlog_time(const int uid);
+unsigned int login_get_lastlog_time(const uid_t uid);
/* produce various forms of the line filename */
char *line_fullname(char *dst, const char *src, u_int dstsize);

12
openssh-5.6p1-clientloop.patch
View File

@ -1,12 +0,0 @@
diff -up openssh-5.6p1/clientloop.c.clientloop openssh-5.6p1/clientloop.c
--- openssh-5.6p1/clientloop.c.clientloop 2010-11-24 08:18:10.000000000 +0100
+++ openssh-5.6p1/clientloop.c 2010-11-24 08:18:11.000000000 +0100
@@ -1944,7 +1944,7 @@ client_input_channel_req(int type, u_int
}
packet_check_eom();
}
- if (reply) {
+ if (reply && c != NULL) {
packet_start(success ?
SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE);
packet_put_int(c->remote_id);

64
openssh-5.6p1-audit2.patch → openssh-5.8p1-audit2.patch
View File

@ -1,6 +1,6 @@
diff -up openssh-5.6p1/audit-bsm.c.audit2 openssh-5.6p1/audit-bsm.c diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
--- openssh-5.6p1/audit-bsm.c.audit2 2010-12-10 21:55:40.000000000 +0100 --- openssh-5.8p1/audit-bsm.c.audit2 2011-01-17 11:15:29.000000000 +0100
+++ openssh-5.6p1/audit-bsm.c 2010-12-10 21:55:41.000000000 +0100 +++ openssh-5.8p1/audit-bsm.c 2011-02-09 15:50:28.000000000 +0100
@@ -316,6 +316,12 @@ audit_session_close(struct logininfo *li @@ -316,6 +316,12 @@ audit_session_close(struct logininfo *li
/* not implemented */ /* not implemented */
} }
@ -14,9 +14,9 @@ diff -up openssh-5.6p1/audit-bsm.c.audit2 openssh-5.6p1/audit-bsm.c
void void
audit_event(ssh_audit_event_t event) audit_event(ssh_audit_event_t event)
{ {
diff -up openssh-5.6p1/audit.c.audit2 openssh-5.6p1/audit.c diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
--- openssh-5.6p1/audit.c.audit2 2010-12-10 21:55:40.000000000 +0100 --- openssh-5.8p1/audit.c.audit2 2011-01-17 11:15:30.000000000 +0100
+++ openssh-5.6p1/audit.c 2010-12-10 21:55:41.000000000 +0100 +++ openssh-5.8p1/audit.c 2011-02-09 15:50:28.000000000 +0100
@@ -111,6 +111,33 @@ audit_event_lookup(ssh_audit_event_t ev) @@ -111,6 +111,33 @@ audit_event_lookup(ssh_audit_event_t ev)
return(event_lookup[i].name); return(event_lookup[i].name);
} }
@ -69,9 +69,9 @@ diff -up openssh-5.6p1/audit.c.audit2 openssh-5.6p1/audit.c
+} +}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.6p1/audit.h.audit2 openssh-5.6p1/audit.h diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
--- openssh-5.6p1/audit.h.audit2 2010-12-10 21:55:40.000000000 +0100 --- openssh-5.8p1/audit.h.audit2 2011-01-17 11:15:30.000000000 +0100
+++ openssh-5.6p1/audit.h 2010-12-10 21:55:41.000000000 +0100 +++ openssh-5.8p1/audit.h 2011-02-09 15:50:28.000000000 +0100
@@ -28,6 +28,7 @@ @@ -28,6 +28,7 @@
# define _SSH_AUDIT_H # define _SSH_AUDIT_H
@ -88,9 +88,9 @@ diff -up openssh-5.6p1/audit.h.audit2 openssh-5.6p1/audit.h
+int audit_key(int, int *, const Key *); +int audit_key(int, int *, const Key *);
#endif /* _SSH_AUDIT_H */ #endif /* _SSH_AUDIT_H */
diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
--- openssh-5.6p1/audit-linux.c.audit2 2010-12-10 21:55:41.000000000 +0100 --- openssh-5.8p1/audit-linux.c.audit2 2011-01-17 11:15:30.000000000 +0100
+++ openssh-5.6p1/audit-linux.c 2010-12-10 22:16:42.000000000 +0100 +++ openssh-5.8p1/audit-linux.c 2011-02-09 15:51:45.000000000 +0100
@@ -37,6 +37,8 @@ @@ -37,6 +37,8 @@
#include "audit.h" #include "audit.h"
#include "canohost.h" #include "canohost.h"
@ -100,8 +100,8 @@ diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c
const char* audit_username(void); const char* audit_username(void);
int int
@@ -63,6 +65,37 @@ linux_audit_record_event(int uid, const @@ -68,6 +70,37 @@ linux_audit_record_event(int uid, const
return (rc >= 0) || ((rc == -EPERM) && (getuid() != 0)); return (rc >= 0);
} }
+int +int
@ -138,9 +138,9 @@ diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c
/* Below is the sshd audit API code */ /* Below is the sshd audit API code */
void void
diff -up openssh-5.6p1/auth2-hostbased.c.audit2 openssh-5.6p1/auth2-hostbased.c diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
--- openssh-5.6p1/auth2-hostbased.c.audit2 2010-08-05 05:04:50.000000000 +0200 --- openssh-5.8p1/auth2-hostbased.c.audit2 2010-08-05 05:04:50.000000000 +0200
+++ openssh-5.6p1/auth2-hostbased.c 2010-12-10 21:55:41.000000000 +0100 +++ openssh-5.8p1/auth2-hostbased.c 2011-02-09 15:50:28.000000000 +0100
@@ -136,6 +136,18 @@ done: @@ -136,6 +136,18 @@ done:
return authenticated; return authenticated;
} }
@ -160,9 +160,9 @@ diff -up openssh-5.6p1/auth2-hostbased.c.audit2 openssh-5.6p1/auth2-hostbased.c
/* return 1 if given hostkey is allowed */ /* return 1 if given hostkey is allowed */
int int
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
diff -up openssh-5.6p1/auth2-pubkey.c.audit2 openssh-5.6p1/auth2-pubkey.c diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
--- openssh-5.6p1/auth2-pubkey.c.audit2 2010-07-02 05:35:19.000000000 +0200 --- openssh-5.8p1/auth2-pubkey.c.audit2 2010-12-01 01:50:14.000000000 +0100
+++ openssh-5.6p1/auth2-pubkey.c 2010-12-10 21:55:41.000000000 +0100 +++ openssh-5.8p1/auth2-pubkey.c 2011-02-09 15:50:28.000000000 +0100
@@ -177,6 +177,18 @@ done: @@ -177,6 +177,18 @@ done:
return authenticated; return authenticated;
} }
@ -182,9 +182,9 @@ diff -up openssh-5.6p1/auth2-pubkey.c.audit2 openssh-5.6p1/auth2-pubkey.c
static int static int
match_principals_option(const char *principal_list, struct KeyCert *cert) match_principals_option(const char *principal_list, struct KeyCert *cert)
{ {
diff -up openssh-5.6p1/auth.h.audit2 openssh-5.6p1/auth.h diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
--- openssh-5.6p1/auth.h.audit2 2010-05-10 03:58:03.000000000 +0200 --- openssh-5.8p1/auth.h.audit2 2010-05-10 03:58:03.000000000 +0200
+++ openssh-5.6p1/auth.h 2010-12-10 21:55:41.000000000 +0100 +++ openssh-5.8p1/auth.h 2011-02-09 15:50:28.000000000 +0100
@@ -170,6 +170,7 @@ void abandon_challenge_response(Authctxt @@ -170,6 +170,7 @@ void abandon_challenge_response(Authctxt
char *authorized_keys_file(struct passwd *); char *authorized_keys_file(struct passwd *);
char *authorized_keys_file2(struct passwd *); char *authorized_keys_file2(struct passwd *);
@ -201,9 +201,9 @@ diff -up openssh-5.6p1/auth.h.audit2 openssh-5.6p1/auth.h
/* debug messages during authentication */ /* debug messages during authentication */
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2))); void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
diff -up openssh-5.6p1/auth-rsa.c.audit2 openssh-5.6p1/auth-rsa.c diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
--- openssh-5.6p1/auth-rsa.c.audit2 2010-07-16 05:58:37.000000000 +0200 --- openssh-5.8p1/auth-rsa.c.audit2 2010-12-04 23:01:47.000000000 +0100
+++ openssh-5.6p1/auth-rsa.c 2010-12-10 21:55:41.000000000 +0100 +++ openssh-5.8p1/auth-rsa.c 2011-02-09 15:53:00.000000000 +0100
@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU @@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU
{ {
u_char buf[32], mdbuf[16]; u_char buf[32], mdbuf[16];
@ -214,9 +214,9 @@ diff -up openssh-5.6p1/auth-rsa.c.audit2 openssh-5.6p1/auth-rsa.c
+ char *fp; + char *fp;
+#endif +#endif
if (auth_key_is_revoked(key)) /* don't allow short keys */
return 0; if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
@@ -116,12 +119,18 @@ auth_rsa_verify_response(Key *key, BIGNU @@ -113,12 +116,18 @@ auth_rsa_verify_response(Key *key, BIGNU
MD5_Final(mdbuf, &md); MD5_Final(mdbuf, &md);
/* Verify that the response is the original challenge. */ /* Verify that the response is the original challenge. */
@ -240,9 +240,9 @@ diff -up openssh-5.6p1/auth-rsa.c.audit2 openssh-5.6p1/auth-rsa.c
} }
/* /*
diff -up openssh-5.6p1/monitor.c.audit2 openssh-5.6p1/monitor.c diff -up openssh-5.8p1/monitor.c.audit2 openssh-5.8p1/monitor.c
--- openssh-5.6p1/monitor.c.audit2 2010-08-03 07:50:16.000000000 +0200 --- openssh-5.8p1/monitor.c.audit2 2010-09-10 03:23:34.000000000 +0200
+++ openssh-5.6p1/monitor.c 2010-12-10 21:55:41.000000000 +0100 +++ openssh-5.8p1/monitor.c 2011-02-09 15:50:28.000000000 +0100
@@ -1235,7 +1235,17 @@ mm_answer_keyverify(int sock, Buffer *m) @@ -1235,7 +1235,17 @@ mm_answer_keyverify(int sock, Buffer *m)
if (!valid_data) if (!valid_data)
fatal("%s: bad signature data blob", __func__); fatal("%s: bad signature data blob", __func__);

112
openssh-5.6p1-audit3.patch → openssh-5.8p1-audit3.patch
View File

@ -1,6 +1,6 @@
diff -up openssh-5.6p1/audit-bsm.c.audit3 openssh-5.6p1/audit-bsm.c diff -up openssh-5.8p1/audit-bsm.c.audit3 openssh-5.8p1/audit-bsm.c
--- openssh-5.6p1/audit-bsm.c.audit3 2010-12-10 22:17:31.000000000 +0100 --- openssh-5.8p1/audit-bsm.c.audit3 2011-02-09 21:51:19.000000000 +0100
+++ openssh-5.6p1/audit-bsm.c 2010-12-10 22:17:31.000000000 +0100 +++ openssh-5.8p1/audit-bsm.c 2011-02-09 21:51:19.000000000 +0100
@@ -383,4 +383,16 @@ audit_event(ssh_audit_event_t event) @@ -383,4 +383,16 @@ audit_event(ssh_audit_event_t event)
debug("%s: unhandled event %d", __func__, event); debug("%s: unhandled event %d", __func__, event);
} }
@ -18,9 +18,9 @@ diff -up openssh-5.6p1/audit-bsm.c.audit3 openssh-5.6p1/audit-bsm.c
+ /* not implemented */ + /* not implemented */
+} +}
#endif /* BSM */ #endif /* BSM */
diff -up openssh-5.6p1/audit.c.audit3 openssh-5.6p1/audit.c diff -up openssh-5.8p1/audit.c.audit3 openssh-5.8p1/audit.c
--- openssh-5.6p1/audit.c.audit3 2010-12-10 22:17:31.000000000 +0100 --- openssh-5.8p1/audit.c.audit3 2011-02-09 21:51:19.000000000 +0100
+++ openssh-5.6p1/audit.c 2010-12-10 22:17:31.000000000 +0100 +++ openssh-5.8p1/audit.c 2011-02-09 21:51:19.000000000 +0100
@@ -36,6 +36,8 @@ @@ -36,6 +36,8 @@
#include "key.h" #include "key.h"
#include "hostfile.h" #include "hostfile.h"
@ -74,9 +74,9 @@ diff -up openssh-5.6p1/audit.c.audit3 openssh-5.6p1/audit.c
+} +}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.6p1/audit.h.audit3 openssh-5.6p1/audit.h diff -up openssh-5.8p1/audit.h.audit3 openssh-5.8p1/audit.h
--- openssh-5.6p1/audit.h.audit3 2010-12-10 22:17:31.000000000 +0100 --- openssh-5.8p1/audit.h.audit3 2011-02-09 21:51:19.000000000 +0100
+++ openssh-5.6p1/audit.h 2010-12-10 22:17:31.000000000 +0100 +++ openssh-5.8p1/audit.h 2011-02-09 21:51:19.000000000 +0100
@@ -56,5 +56,9 @@ void audit_run_command(const char *); @@ -56,5 +56,9 @@ void audit_run_command(const char *);
ssh_audit_event_t audit_classify_auth(const char *); ssh_audit_event_t audit_classify_auth(const char *);
int audit_keyusage(int, const char *, unsigned, char *, int); int audit_keyusage(int, const char *, unsigned, char *, int);
@ -87,9 +87,9 @@ diff -up openssh-5.6p1/audit.h.audit3 openssh-5.6p1/audit.h
+void audit_kex_body(int, char *, char *, char *); +void audit_kex_body(int, char *, char *, char *);
#endif /* _SSH_AUDIT_H */ #endif /* _SSH_AUDIT_H */
diff -up openssh-5.6p1/audit-linux.c.audit3 openssh-5.6p1/audit-linux.c diff -up openssh-5.8p1/audit-linux.c.audit3 openssh-5.8p1/audit-linux.c
--- openssh-5.6p1/audit-linux.c.audit3 2010-12-10 22:17:31.000000000 +0100 --- openssh-5.8p1/audit-linux.c.audit3 2011-02-09 21:51:19.000000000 +0100
+++ openssh-5.6p1/audit-linux.c 2010-12-10 22:20:00.000000000 +0100 +++ openssh-5.8p1/audit-linux.c 2011-02-09 21:51:19.000000000 +0100
@@ -36,6 +36,8 @@ @@ -36,6 +36,8 @@
#include "log.h" #include "log.h"
#include "audit.h" #include "audit.h"
@ -99,7 +99,7 @@ diff -up openssh-5.6p1/audit-linux.c.audit3 openssh-5.6p1/audit-linux.c
#define AUDIT_LOG_SIZE 128 #define AUDIT_LOG_SIZE 128
@@ -151,4 +153,54 @@ audit_event(ssh_audit_event_t event) @@ -156,4 +158,54 @@ audit_event(ssh_audit_event_t event)
} }
} }
@ -154,9 +154,9 @@ diff -up openssh-5.6p1/audit-linux.c.audit3 openssh-5.6p1/audit-linux.c
+} +}
+ +
#endif /* USE_LINUX_AUDIT */ #endif /* USE_LINUX_AUDIT */
diff -up openssh-5.6p1/auditstub.c.audit3 openssh-5.6p1/auditstub.c diff -up openssh-5.8p1/auditstub.c.audit3 openssh-5.8p1/auditstub.c
--- openssh-5.6p1/auditstub.c.audit3 2010-12-10 22:17:32.000000000 +0100 --- openssh-5.8p1/auditstub.c.audit3 2011-02-09 21:51:19.000000000 +0100
+++ openssh-5.6p1/auditstub.c 2010-12-10 22:17:32.000000000 +0100 +++ openssh-5.8p1/auditstub.c 2011-02-09 21:51:19.000000000 +0100
@@ -0,0 +1,39 @@ @@ -0,0 +1,39 @@
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */ +/* $Id: auditstub.c,v 1.1 jfch Exp $ */
+ +
@ -197,9 +197,9 @@ diff -up openssh-5.6p1/auditstub.c.audit3 openssh-5.6p1/auditstub.c
+{ +{
+} +}
+ +
diff -up openssh-5.6p1/cipher.c.audit3 openssh-5.6p1/cipher.c diff -up openssh-5.8p1/cipher.c.audit3 openssh-5.8p1/cipher.c
--- openssh-5.6p1/cipher.c.audit3 2010-09-03 14:54:23.000000000 +0200 --- openssh-5.8p1/cipher.c.audit3 2011-02-09 15:24:23.000000000 +0100
+++ openssh-5.6p1/cipher.c 2010-12-10 22:17:32.000000000 +0100 +++ openssh-5.8p1/cipher.c 2011-02-09 21:51:19.000000000 +0100
@@ -59,15 +59,7 @@ extern void ssh1_3des_iv(EVP_CIPHER_CTX @@ -59,15 +59,7 @@ extern void ssh1_3des_iv(EVP_CIPHER_CTX
extern const EVP_CIPHER *evp_aes_128_ctr(void); extern const EVP_CIPHER *evp_aes_128_ctr(void);
extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
@ -217,9 +217,9 @@ diff -up openssh-5.6p1/cipher.c.audit3 openssh-5.6p1/cipher.c
{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null }, { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null },
{ "des", SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc }, { "des", SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc },
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des }, { "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },
diff -up openssh-5.6p1/cipher.h.audit3 openssh-5.6p1/cipher.h diff -up openssh-5.8p1/cipher.h.audit3 openssh-5.8p1/cipher.h
--- openssh-5.6p1/cipher.h.audit3 2009-01-28 06:38:41.000000000 +0100 --- openssh-5.8p1/cipher.h.audit3 2009-01-28 06:38:41.000000000 +0100
+++ openssh-5.6p1/cipher.h 2010-12-10 22:17:32.000000000 +0100 +++ openssh-5.8p1/cipher.h 2011-02-09 21:51:19.000000000 +0100
@@ -61,7 +61,16 @@ @@ -61,7 +61,16 @@
typedef struct Cipher Cipher; typedef struct Cipher Cipher;
typedef struct CipherContext CipherContext; typedef struct CipherContext CipherContext;
@ -238,9 +238,9 @@ diff -up openssh-5.6p1/cipher.h.audit3 openssh-5.6p1/cipher.h
struct CipherContext { struct CipherContext {
int plaintext; int plaintext;
EVP_CIPHER_CTX evp; EVP_CIPHER_CTX evp;
diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c diff -up openssh-5.8p1/kex.c.audit3 openssh-5.8p1/kex.c
--- openssh-5.6p1/kex.c.audit3 2010-01-08 06:50:41.000000000 +0100 --- openssh-5.8p1/kex.c.audit3 2010-09-24 14:11:14.000000000 +0200
+++ openssh-5.6p1/kex.c 2010-12-10 22:17:32.000000000 +0100 +++ openssh-5.8p1/kex.c 2011-02-09 21:51:19.000000000 +0100
@@ -49,6 +49,7 @@ @@ -49,6 +49,7 @@
#include "dispatch.h" #include "dispatch.h"
#include "monitor.h" #include "monitor.h"
@ -249,7 +249,7 @@ diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c
#if OPENSSL_VERSION_NUMBER >= 0x00907000L #if OPENSSL_VERSION_NUMBER >= 0x00907000L
# if defined(HAVE_EVP_SHA256) # if defined(HAVE_EVP_SHA256)
@@ -258,9 +259,13 @@ static void @@ -286,9 +287,13 @@ static void
choose_enc(Enc *enc, char *client, char *server) choose_enc(Enc *enc, char *client, char *server)
{ {
char *name = match_list(client, server, NULL); char *name = match_list(client, server, NULL);
@ -264,7 +264,7 @@ diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c
if ((enc->cipher = cipher_by_name(name)) == NULL) if ((enc->cipher = cipher_by_name(name)) == NULL)
fatal("matching cipher is not supported: %s", name); fatal("matching cipher is not supported: %s", name);
enc->name = name; enc->name = name;
@@ -275,9 +280,13 @@ static void @@ -303,9 +308,13 @@ static void
choose_mac(Mac *mac, char *client, char *server) choose_mac(Mac *mac, char *client, char *server)
{ {
char *name = match_list(client, server, NULL); char *name = match_list(client, server, NULL);
@ -279,7 +279,7 @@ diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c
if (mac_setup(mac, name) < 0) if (mac_setup(mac, name) < 0)
fatal("unsupported mac %s", name); fatal("unsupported mac %s", name);
/* truncate the key */ /* truncate the key */
@@ -292,8 +301,12 @@ static void @@ -320,8 +329,12 @@ static void
choose_comp(Comp *comp, char *client, char *server) choose_comp(Comp *comp, char *client, char *server)
{ {
char *name = match_list(client, server, NULL); char *name = match_list(client, server, NULL);
@ -293,7 +293,7 @@ diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c
if (strcmp(name, "zlib@openssh.com") == 0) { if (strcmp(name, "zlib@openssh.com") == 0) {
comp->type = COMP_DELAYED; comp->type = COMP_DELAYED;
} else if (strcmp(name, "zlib") == 0) { } else if (strcmp(name, "zlib") == 0) {
@@ -414,6 +427,9 @@ kex_choose_conf(Kex *kex) @@ -446,6 +459,9 @@ kex_choose_conf(Kex *kex)
newkeys->enc.name, newkeys->enc.name,
newkeys->mac.name, newkeys->mac.name,
newkeys->comp.name); newkeys->comp.name);
@ -303,21 +303,21 @@ diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c
} }
choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
diff -up openssh-5.6p1/Makefile.in.audit3 openssh-5.6p1/Makefile.in diff -up openssh-5.8p1/Makefile.in.audit3 openssh-5.8p1/Makefile.in
--- openssh-5.6p1/Makefile.in.audit3 2010-12-10 22:17:31.000000000 +0100 --- openssh-5.8p1/Makefile.in.audit3 2011-02-04 01:42:13.000000000 +0100
+++ openssh-5.6p1/Makefile.in 2010-12-10 22:17:32.000000000 +0100 +++ openssh-5.8p1/Makefile.in 2011-02-09 21:53:15.000000000 +0100
@@ -74,7 +74,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b @@ -76,7 +76,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
entropy.o gss-genr.o umac.o jpake.o schnorr.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \
- ssh-pkcs11.o - schnorr.o ssh-pkcs11.o
+ ssh-pkcs11.o auditstub.o + schnorr.o ssh-pkcs11.o auditstub.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \
diff -up openssh-5.6p1/monitor.c.audit3 openssh-5.6p1/monitor.c diff -up openssh-5.8p1/monitor.c.audit3 openssh-5.8p1/monitor.c
--- openssh-5.6p1/monitor.c.audit3 2010-12-10 22:17:31.000000000 +0100 --- openssh-5.8p1/monitor.c.audit3 2011-02-09 21:51:19.000000000 +0100
+++ openssh-5.6p1/monitor.c 2010-12-10 22:17:32.000000000 +0100 +++ openssh-5.8p1/monitor.c 2011-02-09 21:51:19.000000000 +0100
@@ -89,6 +89,7 @@ @@ -89,6 +89,7 @@
#include "ssh2.h" #include "ssh2.h"
#include "jpake.h" #include "jpake.h"
@ -371,7 +371,7 @@ diff -up openssh-5.6p1/monitor.c.audit3 openssh-5.6p1/monitor.c
#endif #endif
{0, 0, NULL} {0, 0, NULL}
}; };
@@ -2205,3 +2216,40 @@ mm_answer_jpake_check_confirm(int sock, @@ -2206,3 +2217,40 @@ mm_answer_jpake_check_confirm(int sock,
} }
#endif /* JPAKE */ #endif /* JPAKE */
@ -412,9 +412,9 @@ diff -up openssh-5.6p1/monitor.c.audit3 openssh-5.6p1/monitor.c
+} +}
+ +
+#endif /* SSH_AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.6p1/monitor.h.audit3 openssh-5.6p1/monitor.h diff -up openssh-5.8p1/monitor.h.audit3 openssh-5.8p1/monitor.h
--- openssh-5.6p1/monitor.h.audit3 2008-11-05 06:20:46.000000000 +0100 --- openssh-5.8p1/monitor.h.audit3 2008-11-05 06:20:46.000000000 +0100
+++ openssh-5.6p1/monitor.h 2010-12-10 22:17:32.000000000 +0100 +++ openssh-5.8p1/monitor.h 2011-02-09 21:51:19.000000000 +0100
@@ -66,6 +66,8 @@ enum monitor_reqtype { @@ -66,6 +66,8 @@ enum monitor_reqtype {
MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2, MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2,
MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM, MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM,
@ -424,10 +424,10 @@ diff -up openssh-5.6p1/monitor.h.audit3 openssh-5.6p1/monitor.h
}; };
struct mm_master; struct mm_master;
diff -up openssh-5.6p1/monitor_wrap.c.audit3 openssh-5.6p1/monitor_wrap.c diff -up openssh-5.8p1/monitor_wrap.c.audit3 openssh-5.8p1/monitor_wrap.c
--- openssh-5.6p1/monitor_wrap.c.audit3 2010-03-07 13:05:17.000000000 +0100 --- openssh-5.8p1/monitor_wrap.c.audit3 2010-08-31 14:41:14.000000000 +0200
+++ openssh-5.6p1/monitor_wrap.c 2010-12-10 22:17:32.000000000 +0100 +++ openssh-5.8p1/monitor_wrap.c 2011-02-09 21:51:19.000000000 +0100
@@ -1411,3 +1411,38 @@ mm_jpake_check_confirm(const BIGNUM *k, @@ -1412,3 +1412,38 @@ mm_jpake_check_confirm(const BIGNUM *k,
return success; return success;
} }
#endif /* JPAKE */ #endif /* JPAKE */
@ -466,9 +466,9 @@ diff -up openssh-5.6p1/monitor_wrap.c.audit3 openssh-5.6p1/monitor_wrap.c
+ buffer_free(&m); + buffer_free(&m);
+} +}
+#endif /* SSH_AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.6p1/monitor_wrap.h.audit3 openssh-5.6p1/monitor_wrap.h diff -up openssh-5.8p1/monitor_wrap.h.audit3 openssh-5.8p1/monitor_wrap.h
--- openssh-5.6p1/monitor_wrap.h.audit3 2009-03-05 14:58:22.000000000 +0100 --- openssh-5.8p1/monitor_wrap.h.audit3 2009-03-05 14:58:22.000000000 +0100
+++ openssh-5.6p1/monitor_wrap.h 2010-12-10 22:17:32.000000000 +0100 +++ openssh-5.8p1/monitor_wrap.h 2011-02-09 21:51:19.000000000 +0100
@@ -74,6 +74,8 @@ void mm_sshpam_free_ctx(void *); @@ -74,6 +74,8 @@ void mm_sshpam_free_ctx(void *);
#include "audit.h" #include "audit.h"
void mm_audit_event(ssh_audit_event_t); void mm_audit_event(ssh_audit_event_t);
@ -478,9 +478,9 @@ diff -up openssh-5.6p1/monitor_wrap.h.audit3 openssh-5.6p1/monitor_wrap.h
#endif #endif
struct Session; struct Session;
diff -up openssh-5.6p1/sshd.c.audit3 openssh-5.6p1/sshd.c diff -up openssh-5.8p1/sshd.c.audit3 openssh-5.8p1/sshd.c
--- openssh-5.6p1/sshd.c.audit3 2010-04-16 07:56:22.000000000 +0200 --- openssh-5.8p1/sshd.c.audit3 2011-01-11 07:20:31.000000000 +0100
+++ openssh-5.6p1/sshd.c 2010-12-10 22:17:32.000000000 +0100 +++ openssh-5.8p1/sshd.c 2011-02-09 21:51:19.000000000 +0100
@@ -118,6 +118,7 @@ @@ -118,6 +118,7 @@
#endif #endif
#include "monitor_wrap.h" #include "monitor_wrap.h"
@ -489,7 +489,7 @@ diff -up openssh-5.6p1/sshd.c.audit3 openssh-5.6p1/sshd.c
#include "version.h" #include "version.h"
#ifdef LIBWRAP #ifdef LIBWRAP
@@ -2177,6 +2178,10 @@ do_ssh1_kex(void) @@ -2182,6 +2183,10 @@ do_ssh1_kex(void)
if (cookie[i] != packet_get_char()) if (cookie[i] != packet_get_char())
packet_disconnect("IP Spoofing check bytes do not match."); packet_disconnect("IP Spoofing check bytes do not match.");

445
openssh-5.8p1-audit4.patch Normal file
View File

@ -0,0 +1,445 @@
diff -up openssh-5.8p1/audit-bsm.c.audit4 openssh-5.8p1/audit-bsm.c
--- openssh-5.8p1/audit-bsm.c.audit4 2011-02-09 22:24:22.000000000 +0100
+++ openssh-5.8p1/audit-bsm.c 2011-02-09 22:24:22.000000000 +0100
@@ -395,4 +395,10 @@ audit_kex_body(int ctos, char *enc, char
{
/* not implemented */
}
+
+void
+audit_session_key_free_body(int ctos)
+{
+ /* not implemented */
+}
#endif /* BSM */
diff -up openssh-5.8p1/audit.c.audit4 openssh-5.8p1/audit.c
--- openssh-5.8p1/audit.c.audit4 2011-02-09 22:24:22.000000000 +0100
+++ openssh-5.8p1/audit.c 2011-02-09 22:24:22.000000000 +0100
@@ -152,6 +152,12 @@ audit_kex(int ctos, char *enc, char *mac
PRIVSEP(audit_kex_body(ctos, enc, mac, comp));
}
+void
+audit_session_key_free(int ctos)
+{
+ PRIVSEP(audit_session_key_free_body(ctos));
+}
+
# ifndef CUSTOM_SSH_AUDIT_EVENTS
/*
* Null implementations of audit functions.
@@ -254,5 +260,13 @@ audit_kex_body(int ctos, char *enc, char
debug("audit procol negotiation euid %d direction %d cipher %s mac %s compresion %s",
geteuid(), ctos, enc, mac, compress);
}
+
+/*
+ * This will be called on succesfull session key discard
+ */
+audit_session_key_free_body(int ctos)
+{
+ debug("audit session key discard euid %d direction %d", geteuid(), ctos);
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.8p1/audit.h.audit4 openssh-5.8p1/audit.h
--- openssh-5.8p1/audit.h.audit4 2011-02-09 22:24:22.000000000 +0100
+++ openssh-5.8p1/audit.h 2011-02-09 22:24:22.000000000 +0100
@@ -60,5 +60,7 @@ void audit_unsupported(int);
void audit_kex(int, char *, char *, char *);
void audit_unsupported_body(int);
void audit_kex_body(int, char *, char *, char *);
+void audit_session_key_free(int ctos);
+void audit_session_key_free_body(int ctos);
#endif /* _SSH_AUDIT_H */
diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c
--- openssh-5.8p1/audit-linux.c.audit4 2011-02-09 22:24:22.000000000 +0100
+++ openssh-5.8p1/audit-linux.c 2011-02-09 22:24:22.000000000 +0100
@@ -179,13 +179,14 @@ audit_unsupported_body(int what)
#endif
}
+const static char *direction[] = { "from-server", "from-client", "both" };
+
void
audit_kex_body(int ctos, char *enc, char *mac, char *compress)
{
#ifdef AUDIT_CRYPTO_SESSION
char buf[AUDIT_LOG_SIZE];
int audit_fd, audit_ok;
- const static char *direction[] = { "from-server", "from-client", "both" };
Cipher *cipher = cipher_by_name(enc);
snprintf(buf, sizeof(buf), "start direction=%s cipher=%s, ksize=%d rport=%d laddr=%s lport=%d",
@@ -208,4 +209,26 @@ audit_kex_body(int ctos, char *enc, char
#endif
}
+void
+audit_session_key_free_body(int ctos)
+{
+ char buf[AUDIT_LOG_SIZE];
+ int audit_fd, audit_ok;
+
+ snprintf(buf, sizeof(buf), "destroy kind=session direction=%s", direction[ctos]);
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
+ errno != EAFNOSUPPORT)
+ error("cannot open audit");
+ return;
+ }
+ audit_ok = audit_log_acct_message(audit_fd, AUDIT_CRYPTO_KEY_USER, NULL,
+ buf, NULL, -1, NULL, get_remote_ipaddr(), NULL, 1);
+ audit_close(audit_fd);
+ /* do not abort if the error is EPERM and sshd is run as non root user */
+ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
+ error("cannot write into audit");
+}
+
#endif /* USE_LINUX_AUDIT */
diff -up openssh-5.8p1/auditstub.c.audit4 openssh-5.8p1/auditstub.c
--- openssh-5.8p1/auditstub.c.audit4 2011-02-09 22:24:22.000000000 +0100
+++ openssh-5.8p1/auditstub.c 2011-02-09 22:24:22.000000000 +0100
@@ -37,3 +37,7 @@ audit_kex(int ctos, char *enc, char *mac
{
}
+void
+audit_session_key_free(int ctos)
+{
+}
diff -up openssh-5.8p1/kex.c.audit4 openssh-5.8p1/kex.c
--- openssh-5.8p1/kex.c.audit4 2011-02-09 22:24:22.000000000 +0100
+++ openssh-5.8p1/kex.c 2011-02-09 22:24:22.000000000 +0100
@@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
fprintf(stderr, "\n");
}
#endif
+
+static void
+enc_destroy(Enc *enc)
+{
+ if (enc == NULL)
+ return;
+
+ if (enc->key) {
+ memset(enc->key, 0, enc->key_len);
+ xfree(enc->key);
+ }
+
+ if (enc->iv) {
+ memset(enc->iv, 0, enc->block_size);
+ xfree(enc->iv);
+ }
+
+ memset(enc, 0, sizeof(*enc));
+}
+
+void
+newkeys_destroy(Newkeys *newkeys)
+{
+ if (newkeys == NULL)
+ return;
+
+ enc_destroy(&newkeys->enc);
+ mac_destroy(&newkeys->mac);
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp));
+}
+
diff -up openssh-5.8p1/kex.h.audit4 openssh-5.8p1/kex.h
--- openssh-5.8p1/kex.h.audit4 2010-09-24 14:11:14.000000000 +0200
+++ openssh-5.8p1/kex.h 2011-02-09 22:24:22.000000000 +0100
@@ -156,6 +156,8 @@ void kexgex_server(Kex *);
void kexecdh_client(Kex *);
void kexecdh_server(Kex *);
+void newkeys_destroy(Newkeys *newkeys);
+
void
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
diff -up openssh-5.8p1/mac.c.audit4 openssh-5.8p1/mac.c
--- openssh-5.8p1/mac.c.audit4 2008-06-13 02:58:50.000000000 +0200
+++ openssh-5.8p1/mac.c 2011-02-09 22:24:22.000000000 +0100
@@ -162,6 +162,20 @@ mac_clear(Mac *mac)
mac->umac_ctx = NULL;
}
+void
+mac_destroy(Mac *mac)
+{
+ if (mac == NULL)
+ return;
+
+ if (mac->key) {
+ memset(mac->key, 0, mac->key_len);
+ xfree(mac->key);
+ }
+
+ memset(mac, 0, sizeof(*mac));
+}
+
/* XXX copied from ciphers_valid */
#define MAC_SEP ","
int
diff -up openssh-5.8p1/mac.h.audit4 openssh-5.8p1/mac.h
--- openssh-5.8p1/mac.h.audit4 2007-06-11 06:01:42.000000000 +0200
+++ openssh-5.8p1/mac.h 2011-02-09 22:24:22.000000000 +0100
@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *);
int mac_init(Mac *);
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
void mac_clear(Mac *);
+void mac_destroy(Mac *);
diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
--- openssh-5.8p1/monitor.c.audit4 2011-02-09 22:24:22.000000000 +0100
+++ openssh-5.8p1/monitor.c 2011-02-09 22:24:22.000000000 +0100
@@ -180,6 +180,7 @@ int mm_answer_audit_event(int, Buffer *)
int mm_answer_audit_command(int, Buffer *);
int mm_answer_audit_unsupported_body(int, Buffer *);
int mm_answer_audit_kex_body(int, Buffer *);
+int mm_answer_audit_session_key_free_body(int, Buffer *);
#endif
static Authctxt *authctxt;
@@ -230,6 +231,7 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
#endif
#ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -268,6 +270,7 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
#endif
{0, 0, NULL}
};
@@ -301,6 +304,7 @@ struct mon_table mon_dispatch_proto15[]
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
#endif
{0, 0, NULL}
};
@@ -314,6 +318,7 @@ struct mon_table mon_dispatch_postauth15
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
#endif
{0, 0, NULL}
};
@@ -2253,4 +2258,18 @@ mm_answer_audit_kex_body(int sock, Buffe
return 0;
}
+int
+mm_answer_audit_session_key_free_body(int sock, Buffer *m)
+{
+ int ctos;
+
+ ctos = buffer_get_int(m);
+
+ audit_session_key_free_body(ctos);
+
+ buffer_clear(m);
+
+ mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);
+ return 0;
+}
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.8p1/monitor.h.audit4 openssh-5.8p1/monitor.h
--- openssh-5.8p1/monitor.h.audit4 2011-02-09 22:24:22.000000000 +0100
+++ openssh-5.8p1/monitor.h 2011-02-09 22:24:22.000000000 +0100
@@ -68,6 +68,7 @@ enum monitor_reqtype {
MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
+ MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
};
struct mm_master;
diff -up openssh-5.8p1/monitor_wrap.c.audit4 openssh-5.8p1/monitor_wrap.c
--- openssh-5.8p1/monitor_wrap.c.audit4 2011-02-09 22:24:22.000000000 +0100
+++ openssh-5.8p1/monitor_wrap.c 2011-02-09 22:24:22.000000000 +0100
@@ -1446,4 +1446,17 @@ mm_audit_kex_body(int ctos, char *cipher
buffer_free(&m);
}
+
+void
+mm_audit_session_key_free_body(int ctos)
+{
+ Buffer m;
+
+ buffer_init(&m);
+ buffer_put_int(&m, ctos);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SESSION_KEY_FREE, &m);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
+ &m);
+ buffer_free(&m);
+}
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.8p1/monitor_wrap.h.audit4 openssh-5.8p1/monitor_wrap.h
--- openssh-5.8p1/monitor_wrap.h.audit4 2011-02-09 22:24:22.000000000 +0100
+++ openssh-5.8p1/monitor_wrap.h 2011-02-09 22:24:22.000000000 +0100
@@ -76,6 +76,7 @@ void mm_audit_event(ssh_audit_event_t);
void mm_audit_run_command(const char *);
void mm_audit_unsupported_body(int);
void mm_audit_kex_body(int, char *, char *, char *);
+void mm_audit_session_key_free_body(int);
#endif
struct Session;
diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
--- openssh-5.8p1/packet.c.audit4 2010-11-24 00:46:37.000000000 +0100
+++ openssh-5.8p1/packet.c 2011-02-09 22:24:22.000000000 +0100
@@ -497,6 +497,7 @@ packet_close(void)
}
cipher_cleanup(&active_state->send_context);
cipher_cleanup(&active_state->receive_context);
+ audit_session_key_free(2);
}
/* Sets remote side protocol flags. */
@@ -756,6 +757,7 @@ set_newkeys(int mode)
}
if (active_state->newkeys[mode] != NULL) {
debug("set_newkeys: rekeying");
+ audit_session_key_free(mode);
cipher_cleanup(cc);
enc = &active_state->newkeys[mode]->enc;
mac = &active_state->newkeys[mode]->mac;
@@ -1912,6 +1914,34 @@ packet_get_newkeys(int mode)
return (void *)active_state->newkeys[mode];
}
+static void
+packet_destroy_state(struct session_state *state)
+{
+ if (state == NULL)
+ return;
+
+ cipher_cleanup(&state->receive_context);
+ cipher_cleanup(&state->send_context);
+
+ buffer_free(&state->input);
+ buffer_free(&state->output);
+ buffer_free(&state->outgoing_packet);
+ buffer_free(&state->incoming_packet);
+ buffer_free(&state->compression_buffer);
+ newkeys_destroy(state->newkeys[MODE_IN]);
+ newkeys_destroy(state->newkeys[MODE_OUT]);
+ mac_destroy(state->packet_discard_mac);
+// TAILQ_HEAD(, packet) outgoing;
+// memset(state, 0, sizeof(state));
+}
+
+void
+packet_destroy_all(void)
+{
+ packet_destroy_state(active_state);
+ packet_destroy_state(backup_state);
+}
+
/*
* Save the state for the real connection, and use a separate state when
* resuming a suspended connection.
@@ -1919,18 +1949,12 @@ packet_get_newkeys(int mode)
void
packet_backup_state(void)
{
- struct session_state *tmp;
-
close(active_state->connection_in);
active_state->connection_in = -1;
close(active_state->connection_out);
active_state->connection_out = -1;
- if (backup_state)
- tmp = backup_state;
- else
- tmp = alloc_session_state();
backup_state = active_state;
- active_state = tmp;
+ active_state = alloc_session_state();
}
/*
@@ -1947,9 +1971,7 @@ packet_restore_state(void)
backup_state = active_state;
active_state = tmp;
active_state->connection_in = backup_state->connection_in;
- backup_state->connection_in = -1;
active_state->connection_out = backup_state->connection_out;
- backup_state->connection_out = -1;
len = buffer_len(&backup_state->input);
if (len > 0) {
buf = buffer_ptr(&backup_state->input);
@@ -1957,4 +1979,10 @@ packet_restore_state(void)
buffer_clear(&backup_state->input);
add_recv_bytes(len);
}
+ backup_state->connection_in = -1;
+ backup_state->connection_out = -1;
+ packet_destroy_state(backup_state);
+ xfree(backup_state);
+ backup_state = NULL;
}
+
diff -up openssh-5.8p1/packet.h.audit4 openssh-5.8p1/packet.h
--- openssh-5.8p1/packet.h.audit4 2010-11-20 05:19:38.000000000 +0100
+++ openssh-5.8p1/packet.h 2011-02-09 22:24:22.000000000 +0100
@@ -125,4 +125,5 @@ void packet_restore_state(void);
void *packet_get_input(void);
void *packet_get_output(void);
+void packet_destroy_all(void);
#endif /* PACKET_H */
diff -up openssh-5.8p1/sshd.c.audit4 openssh-5.8p1/sshd.c
--- openssh-5.8p1/sshd.c.audit4 2011-02-09 22:24:22.000000000 +0100
+++ openssh-5.8p1/sshd.c 2011-02-09 22:24:22.000000000 +0100
@@ -663,6 +663,8 @@ privsep_preauth(Authctxt *authctxt)
return (0);
}
+extern Newkeys *current_keys[];
+
static void
privsep_postauth(Authctxt *authctxt)
{
@@ -688,6 +690,10 @@ privsep_postauth(Authctxt *authctxt)
verbose("User child is on pid %ld", (long)pmonitor->m_pid);
close(pmonitor->m_recvfd);
buffer_clear(&loginmsg);
+ newkeys_destroy(current_keys[MODE_OUT]);
+ newkeys_destroy(current_keys[MODE_IN]);
+ packet_destroy_all();
+ audit_session_key_free_body(2);
monitor_child_postauth(pmonitor);
/* NEVERREACHED */
@@ -1974,6 +1980,8 @@ main(int ac, char **av)
*/
if (use_privsep) {
mm_send_keystate(pmonitor);
+ packet_destroy_all();
+ audit_session_key_free(2);
exit(0);
}
@@ -2026,6 +2034,9 @@ main(int ac, char **av)
do_authenticated(authctxt);
/* The connection has been terminated. */
+ packet_destroy_all();
+ audit_session_key_free(2);
+
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
verbose("Transferred: sent %llu, received %llu bytes",

215
openssh-5.8p1-audit5.patch Normal file
View File

@ -0,0 +1,215 @@
diff -up openssh-5.8p1/audit-bsm.c.audit5 openssh-5.8p1/audit-bsm.c
--- openssh-5.8p1/audit-bsm.c.audit5 2011-02-09 22:33:51.000000000 +0100
+++ openssh-5.8p1/audit-bsm.c 2011-02-09 22:33:52.000000000 +0100
@@ -401,4 +401,10 @@ audit_session_key_free_body(int ctos)
{
/* not implemented */
}
+
+void
+audit_destroy_sensitive_data(void)
+{
+ /* not implemented */
+}
#endif /* BSM */
diff -up openssh-5.8p1/audit.c.audit5 openssh-5.8p1/audit.c
--- openssh-5.8p1/audit.c.audit5 2011-02-09 22:33:51.000000000 +0100
+++ openssh-5.8p1/audit.c 2011-02-09 22:33:52.000000000 +0100
@@ -268,5 +268,14 @@ audit_session_key_free_body(int ctos)
{
debug("audit session key discard euid %d direction %d", geteuid(), ctos);
}
+
+/*
+ * This will be called on destroy private part of the server key
+ */
+void
+audit_destroy_sensitive_data(void)
+{
+ debug("audit destroy sensitive data euid %d", geteuid());
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.8p1/audit.h.audit5 openssh-5.8p1/audit.h
--- openssh-5.8p1/audit.h.audit5 2011-02-09 22:33:51.000000000 +0100
+++ openssh-5.8p1/audit.h 2011-02-09 22:33:52.000000000 +0100
@@ -62,5 +62,6 @@ void audit_unsupported_body(int);
void audit_kex_body(int, char *, char *, char *);
void audit_session_key_free(int ctos);
void audit_session_key_free_body(int ctos);
+void audit_destroy_sensitive_data(void);
#endif /* _SSH_AUDIT_H */
diff -up openssh-5.8p1/audit-linux.c.audit5 openssh-5.8p1/audit-linux.c
--- openssh-5.8p1/audit-linux.c.audit5 2011-02-09 22:33:51.000000000 +0100
+++ openssh-5.8p1/audit-linux.c 2011-02-09 22:33:52.000000000 +0100
@@ -231,4 +231,26 @@ audit_session_key_free_body(int ctos)
error("cannot write into audit");
}
+void
+audit_destroy_sensitive_data(void)
+{
+ char buf[AUDIT_LOG_SIZE];
+ int audit_fd, audit_ok;
+
+ snprintf(buf, sizeof(buf), "destroy kind=server direction=?");
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
+ errno != EAFNOSUPPORT)
+ error("cannot open audit");
+ return;
+ }
+ audit_ok = audit_log_acct_message(audit_fd, AUDIT_CRYPTO_KEY_USER, NULL,
+ buf, NULL, -1, NULL, get_remote_ipaddr(), NULL, 1);
+ audit_close(audit_fd);
+ /* do not abort if the error is EPERM and sshd is run as non root user */
+ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
+ error("cannot write into audit");
+}
+
#endif /* USE_LINUX_AUDIT */
diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
--- openssh-5.8p1/monitor.c.audit5 2011-02-09 22:33:52.000000000 +0100
+++ openssh-5.8p1/monitor.c 2011-02-09 22:33:52.000000000 +0100
@@ -181,6 +181,7 @@ int mm_answer_audit_command(int, Buffer
int mm_answer_audit_unsupported_body(int, Buffer *);
int mm_answer_audit_kex_body(int, Buffer *);
int mm_answer_audit_session_key_free_body(int, Buffer *);
+int mm_answer_audit_server_key_free(int, Buffer *);
#endif
static Authctxt *authctxt;
@@ -232,6 +233,7 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
+ {MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
#endif
#ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -271,6 +273,7 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
+ {MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
#endif
{0, 0, NULL}
};
@@ -305,6 +308,7 @@ struct mon_table mon_dispatch_proto15[]
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
+ {MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
#endif
{0, 0, NULL}
};
@@ -319,6 +323,7 @@ struct mon_table mon_dispatch_postauth15
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
+ {MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
#endif
{0, 0, NULL}
};
@@ -2272,4 +2277,15 @@ mm_answer_audit_session_key_free_body(in
mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);
return 0;
}
+
+int
+mm_answer_audit_server_key_free(int sock, Buffer *m)
+{
+ audit_destroy_sensitive_data();
+
+ buffer_clear(m);
+
+ mm_request_send(sock, MONITOR_ANS_AUDIT_SERVER_KEY_FREE, m);
+ return 0;
+}
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.8p1/monitor.h.audit5 openssh-5.8p1/monitor.h
--- openssh-5.8p1/monitor.h.audit5 2011-02-09 22:33:52.000000000 +0100
+++ openssh-5.8p1/monitor.h 2011-02-09 22:33:52.000000000 +0100
@@ -69,6 +69,7 @@ enum monitor_reqtype {
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
+ MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MONITOR_ANS_AUDIT_SERVER_KEY_FREE,
};
struct mm_master;
diff -up openssh-5.8p1/monitor_wrap.c.audit5 openssh-5.8p1/monitor_wrap.c
--- openssh-5.8p1/monitor_wrap.c.audit5 2011-02-09 22:33:52.000000000 +0100
+++ openssh-5.8p1/monitor_wrap.c 2011-02-09 22:33:52.000000000 +0100
@@ -1459,4 +1459,16 @@ mm_audit_session_key_free_body(int ctos)
&m);
buffer_free(&m);
}
+
+void
+mm_audit_destroy_sensitive_data(void)
+{
+ Buffer m;
+
+ buffer_init(&m);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SERVER_KEY_FREE,
+ &m);
+ buffer_free(&m);
+}
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.8p1/monitor_wrap.h.audit5 openssh-5.8p1/monitor_wrap.h
--- openssh-5.8p1/monitor_wrap.h.audit5 2011-02-09 22:33:52.000000000 +0100
+++ openssh-5.8p1/monitor_wrap.h 2011-02-09 22:33:52.000000000 +0100
@@ -77,6 +77,7 @@ void mm_audit_run_command(const char *);
void mm_audit_unsupported_body(int);
void mm_audit_kex_body(int, char *, char *, char *);
void mm_audit_session_key_free_body(int);
+void mm_audit_server_key_free_body(void);
#endif
struct Session;
diff -up openssh-5.8p1/session.c.audit5 openssh-5.8p1/session.c
--- openssh-5.8p1/session.c.audit5 2010-12-01 02:02:59.000000000 +0100
+++ openssh-5.8p1/session.c 2011-02-09 22:33:52.000000000 +0100
@@ -1615,6 +1615,7 @@ do_child(Session *s, const char *command
/* remove hostkey from the child's memory */
destroy_sensitive_data();
+ PRIVSEP(audit_destroy_sensitive_data());
/* Force a password change */
if (s->authctxt->force_pwchange) {
diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
--- openssh-5.8p1/sshd.c.audit5 2011-02-09 22:33:52.000000000 +0100
+++ openssh-5.8p1/sshd.c 2011-02-09 22:33:52.000000000 +0100
@@ -579,6 +579,7 @@ demote_sensitive_data(void)
}
/* Certs do not need demotion */
}
+ audit_destroy_sensitive_data();
/* We do not clear ssh1_host key and cookie. XXX - Okay Niels? */
}
@@ -2023,8 +2024,10 @@ main(int ac, char **av)
if (use_privsep) {
privsep_postauth(authctxt);
/* the monitor process [priv] will not return */
- if (!compat20)
+ if (!compat20) {
destroy_sensitive_data();
+ audit_destroy_sensitive_data();
+ }
}
packet_set_timeout(options.client_alive_interval,
@@ -2265,6 +2268,7 @@ do_ssh1_kex(void)
}
/* Destroy the private and public keys. No longer. */
destroy_sensitive_data();
+ audit_destroy_sensitive_data();
if (use_privsep)
mm_ssh1_session_id(session_id);

86
openssh-5.6p1-authorized-keys-command.patch → openssh-5.8p1-authorized-keys-command.patch
View File

@ -1,6 +1,6 @@
diff -up openssh-5.6p1/auth2-pubkey.c.akc openssh-5.6p1/auth2-pubkey.c diff -up openssh-5.8p1/auth2-pubkey.c.akc openssh-5.8p1/auth2-pubkey.c
--- openssh-5.6p1/auth2-pubkey.c.akc 2010-09-03 15:24:51.000000000 +0200 --- openssh-5.8p1/auth2-pubkey.c.akc 2011-02-10 13:21:27.000000000 +0100
+++ openssh-5.6p1/auth2-pubkey.c 2010-09-03 15:24:51.000000000 +0200 +++ openssh-5.8p1/auth2-pubkey.c 2011-02-10 13:21:28.000000000 +0100
@@ -27,6 +27,7 @@ @@ -27,6 +27,7 @@
#include <sys/types.h> #include <sys/types.h>
@ -9,7 +9,7 @@ diff -up openssh-5.6p1/auth2-pubkey.c.akc openssh-5.6p1/auth2-pubkey.c
#include <fcntl.h> #include <fcntl.h>
#include <pwd.h> #include <pwd.h>
@@ -264,27 +265,15 @@ match_principals_file(char *file, struct @@ -268,27 +269,15 @@ match_principals_file(char *file, struct
/* return 1 if user allows given key */ /* return 1 if user allows given key */
static int static int
@ -38,7 +38,7 @@ diff -up openssh-5.6p1/auth2-pubkey.c.akc openssh-5.6p1/auth2-pubkey.c
found_key = 0; found_key = 0;
found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
@@ -377,8 +366,6 @@ user_key_allowed2(struct passwd *pw, Key @@ -381,8 +370,6 @@ user_key_allowed2(struct passwd *pw, Key
break; break;
} }
} }
@ -47,7 +47,7 @@ diff -up openssh-5.6p1/auth2-pubkey.c.akc openssh-5.6p1/auth2-pubkey.c
key_free(found); key_free(found);
if (!found_key) if (!found_key)
debug2("key not found"); debug2("key not found");
@@ -440,13 +427,191 @@ user_cert_trusted_ca(struct passwd *pw, @@ -444,13 +431,191 @@ user_cert_trusted_ca(struct passwd *pw,
return ret; return ret;
} }
@ -240,10 +240,10 @@ diff -up openssh-5.6p1/auth2-pubkey.c.akc openssh-5.6p1/auth2-pubkey.c
if (auth_key_is_revoked(key)) if (auth_key_is_revoked(key))
return 0; return 0;
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key)) if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
diff -up openssh-5.6p1/configure.ac.akc openssh-5.6p1/configure.ac diff -up openssh-5.8p1/configure.ac.akc openssh-5.8p1/configure.ac
--- openssh-5.6p1/configure.ac.akc 2010-09-03 15:24:51.000000000 +0200 --- openssh-5.8p1/configure.ac.akc 2011-02-10 13:21:28.000000000 +0100
+++ openssh-5.6p1/configure.ac 2010-09-03 15:24:51.000000000 +0200 +++ openssh-5.8p1/configure.ac 2011-02-10 13:21:28.000000000 +0100
@@ -1346,6 +1346,18 @@ AC_ARG_WITH(audit, @@ -1422,6 +1422,18 @@ AC_ARG_WITH(audit,
esac ] esac ]
) )
@ -262,7 +262,7 @@ diff -up openssh-5.6p1/configure.ac.akc openssh-5.6p1/configure.ac
dnl Checks for library functions. Please keep in alphabetical order dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS( \ AC_CHECK_FUNCS( \
arc4random \ arc4random \
@@ -4209,6 +4221,7 @@ echo " Linux audit support @@ -4325,6 +4337,7 @@ echo " SELinux support
echo " Smartcard support: $SCARD_MSG" echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG" echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG" echo " TCP Wrappers support: $TCPW_MSG"
@ -270,10 +270,10 @@ diff -up openssh-5.6p1/configure.ac.akc openssh-5.6p1/configure.ac
echo " MD5 password support: $MD5_MSG" echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG" echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG" echo " Solaris process contract support: $SPC_MSG"
diff -up openssh-5.6p1/servconf.c.akc openssh-5.6p1/servconf.c diff -up openssh-5.8p1/servconf.c.akc openssh-5.8p1/servconf.c
--- openssh-5.6p1/servconf.c.akc 2010-09-03 15:24:50.000000000 +0200 --- openssh-5.8p1/servconf.c.akc 2011-02-10 13:21:28.000000000 +0100
+++ openssh-5.6p1/servconf.c 2010-09-03 15:24:51.000000000 +0200 +++ openssh-5.8p1/servconf.c 2011-02-10 13:28:21.000000000 +0100
@@ -129,6 +129,8 @@ initialize_server_options(ServerOptions @@ -134,6 +134,8 @@ initialize_server_options(ServerOptions
options->num_permitted_opens = -1; options->num_permitted_opens = -1;
options->adm_forced_command = NULL; options->adm_forced_command = NULL;
options->chroot_directory = NULL; options->chroot_directory = NULL;
@ -282,18 +282,18 @@ diff -up openssh-5.6p1/servconf.c.akc openssh-5.6p1/servconf.c
options->zero_knowledge_password_authentication = -1; options->zero_knowledge_password_authentication = -1;
options->revoked_keys_file = NULL; options->revoked_keys_file = NULL;
options->trusted_user_ca_keys = NULL; options->trusted_user_ca_keys = NULL;
@@ -316,6 +318,7 @@ typedef enum { @@ -331,6 +333,7 @@ typedef enum {
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication, sHostCertificate, sZeroKnowledgePasswordAuthentication, sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sKexAlgorithms, sIPQoS,
+ sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs, + sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs,
sDeprecated, sUnsupported sDeprecated, sUnsupported
} ServerOpCodes; } ServerOpCodes;
@@ -439,6 +442,13 @@ static struct { @@ -456,6 +459,13 @@ static struct {
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND +#ifdef WITH_AUTHORIZED_KEYS_COMMAND
+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, + { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
+ { "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL }, + { "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL },
@ -304,9 +304,9 @@ diff -up openssh-5.6p1/servconf.c.akc openssh-5.6p1/servconf.c
{ NULL, sBadOption, 0 } { NULL, sBadOption, 0 }
}; };
@@ -1360,6 +1370,20 @@ process_server_config_line(ServerOptions @@ -1406,6 +1416,20 @@ process_server_config_line(ServerOptions
charptr = &options->revoked_keys_file; }
goto parse_filename; break;
+ case sAuthorizedKeysCommand: + case sAuthorizedKeysCommand:
+ len = strspn(cp, WHITESPACE); + len = strspn(cp, WHITESPACE);
@ -325,7 +325,7 @@ diff -up openssh-5.6p1/servconf.c.akc openssh-5.6p1/servconf.c
case sDeprecated: case sDeprecated:
logit("%s line %d: Deprecated option %s", logit("%s line %d: Deprecated option %s",
filename, linenum, arg); filename, linenum, arg);
@@ -1453,6 +1477,8 @@ copy_set_server_options(ServerOptions *d @@ -1499,6 +1523,8 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(gss_authentication); M_CP_INTOPT(gss_authentication);
M_CP_INTOPT(rsa_authentication); M_CP_INTOPT(rsa_authentication);
M_CP_INTOPT(pubkey_authentication); M_CP_INTOPT(pubkey_authentication);
@ -334,7 +334,7 @@ diff -up openssh-5.6p1/servconf.c.akc openssh-5.6p1/servconf.c
M_CP_INTOPT(kerberos_authentication); M_CP_INTOPT(kerberos_authentication);
M_CP_INTOPT(hostbased_authentication); M_CP_INTOPT(hostbased_authentication);
M_CP_INTOPT(hostbased_uses_name_from_packet_only); M_CP_INTOPT(hostbased_uses_name_from_packet_only);
@@ -1705,6 +1731,8 @@ dump_config(ServerOptions *o) @@ -1753,6 +1779,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sRevokedKeys, o->revoked_keys_file); dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
dump_cfg_string(sAuthorizedPrincipalsFile, dump_cfg_string(sAuthorizedPrincipalsFile,
o->authorized_principals_file); o->authorized_principals_file);
@ -343,10 +343,10 @@ diff -up openssh-5.6p1/servconf.c.akc openssh-5.6p1/servconf.c
/* string arguments requiring a lookup */ /* string arguments requiring a lookup */
dump_cfg_string(sLogLevel, log_level_name(o->log_level)); dump_cfg_string(sLogLevel, log_level_name(o->log_level));
diff -up openssh-5.6p1/servconf.h.akc openssh-5.6p1/servconf.h diff -up openssh-5.8p1/servconf.h.akc openssh-5.8p1/servconf.h
--- openssh-5.6p1/servconf.h.akc 2010-09-03 15:24:50.000000000 +0200 --- openssh-5.8p1/servconf.h.akc 2011-02-10 13:21:28.000000000 +0100
+++ openssh-5.6p1/servconf.h 2010-09-03 15:24:51.000000000 +0200 +++ openssh-5.8p1/servconf.h 2011-02-10 13:21:28.000000000 +0100
@@ -158,6 +158,8 @@ typedef struct { @@ -161,6 +161,8 @@ typedef struct {
char *revoked_keys_file; char *revoked_keys_file;
char *trusted_user_ca_keys; char *trusted_user_ca_keys;
char *authorized_principals_file; char *authorized_principals_file;
@ -355,9 +355,9 @@ diff -up openssh-5.6p1/servconf.h.akc openssh-5.6p1/servconf.h
} ServerOptions; } ServerOptions;
void initialize_server_options(ServerOptions *); void initialize_server_options(ServerOptions *);
diff -up openssh-5.6p1/sshd_config.0.akc openssh-5.6p1/sshd_config.0 diff -up openssh-5.8p1/sshd_config.0.akc openssh-5.8p1/sshd_config.0
--- openssh-5.6p1/sshd_config.0.akc 2010-09-03 15:24:50.000000000 +0200 --- openssh-5.8p1/sshd_config.0.akc 2011-02-10 13:21:28.000000000 +0100
+++ openssh-5.6p1/sshd_config.0 2010-09-03 15:27:26.000000000 +0200 +++ openssh-5.8p1/sshd_config.0 2011-02-10 13:21:28.000000000 +0100
@@ -71,6 +71,23 @@ DESCRIPTION @@ -71,6 +71,23 @@ DESCRIPTION
See PATTERNS in ssh_config(5) for more information on patterns. See PATTERNS in ssh_config(5) for more information on patterns.
@ -382,7 +382,7 @@ diff -up openssh-5.6p1/sshd_config.0.akc openssh-5.6p1/sshd_config.0
AuthorizedKeysFile AuthorizedKeysFile
Specifies the file that contains the public keys that can be used Specifies the file that contains the public keys that can be used
for user authentication. The format is described in the for user authentication. The format is described in the
@@ -375,7 +392,8 @@ DESCRIPTION @@ -398,7 +415,8 @@ DESCRIPTION
Only a subset of keywords may be used on the lines following a Only a subset of keywords may be used on the lines following a
Match keyword. Available keywords are AllowAgentForwarding, Match keyword. Available keywords are AllowAgentForwarding,
@ -392,10 +392,10 @@ diff -up openssh-5.6p1/sshd_config.0.akc openssh-5.6p1/sshd_config.0
Banner, ChrootDirectory, ForceCommand, GatewayPorts, Banner, ChrootDirectory, ForceCommand, GatewayPorts,
GSSAPIAuthentication, HostbasedAuthentication, GSSAPIAuthentication, HostbasedAuthentication,
HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
diff -up openssh-5.6p1/sshd_config.5.akc openssh-5.6p1/sshd_config.5 diff -up openssh-5.8p1/sshd_config.5.akc openssh-5.8p1/sshd_config.5
--- openssh-5.6p1/sshd_config.5.akc 2010-09-03 15:24:50.000000000 +0200 --- openssh-5.8p1/sshd_config.5.akc 2011-02-10 13:21:28.000000000 +0100
+++ openssh-5.6p1/sshd_config.5 2010-09-03 15:24:51.000000000 +0200 +++ openssh-5.8p1/sshd_config.5 2011-02-10 13:21:28.000000000 +0100
@@ -654,6 +654,8 @@ Available keywords are @@ -703,6 +703,8 @@ Available keywords are
.Cm AllowAgentForwarding , .Cm AllowAgentForwarding ,
.Cm AllowTcpForwarding , .Cm AllowTcpForwarding ,
.Cm AuthorizedKeysFile , .Cm AuthorizedKeysFile ,
@ -404,7 +404,7 @@ diff -up openssh-5.6p1/sshd_config.5.akc openssh-5.6p1/sshd_config.5
.Cm AuthorizedPrincipalsFile , .Cm AuthorizedPrincipalsFile ,
.Cm Banner , .Cm Banner ,
.Cm ChrootDirectory , .Cm ChrootDirectory ,
@@ -666,6 +668,7 @@ Available keywords are @@ -715,6 +717,7 @@ Available keywords are
.Cm KerberosAuthentication , .Cm KerberosAuthentication ,
.Cm MaxAuthTries , .Cm MaxAuthTries ,
.Cm MaxSessions , .Cm MaxSessions ,
@ -412,7 +412,7 @@ diff -up openssh-5.6p1/sshd_config.5.akc openssh-5.6p1/sshd_config.5
.Cm PasswordAuthentication , .Cm PasswordAuthentication ,
.Cm PermitEmptyPasswords , .Cm PermitEmptyPasswords ,
.Cm PermitOpen , .Cm PermitOpen ,
@@ -868,6 +871,20 @@ Specifies a list of revoked public keys. @@ -917,6 +920,20 @@ Specifies a list of revoked public keys.
Keys listed in this file will be refused for public key authentication. Keys listed in this file will be refused for public key authentication.
Note that if this file is not readable, then public key authentication will Note that if this file is not readable, then public key authentication will
be refused for all users. be refused for all users.
@ -433,10 +433,10 @@ diff -up openssh-5.6p1/sshd_config.5.akc openssh-5.6p1/sshd_config.5
.It Cm RhostsRSAAuthentication .It Cm RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful RSA host authentication is allowed. with successful RSA host authentication is allowed.
diff -up openssh-5.6p1/sshd_config.akc openssh-5.6p1/sshd_config diff -up openssh-5.8p1/sshd_config.akc openssh-5.8p1/sshd_config
--- openssh-5.6p1/sshd_config.akc 2010-09-03 15:24:50.000000000 +0200 --- openssh-5.8p1/sshd_config.akc 2011-02-10 13:21:28.000000000 +0100
+++ openssh-5.6p1/sshd_config 2010-09-03 15:24:51.000000000 +0200 +++ openssh-5.8p1/sshd_config 2011-02-10 13:21:28.000000000 +0100
@@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV @@ -46,6 +46,8 @@ SyslogFacility AUTHPRIV
#RSAAuthentication yes #RSAAuthentication yes
#PubkeyAuthentication yes #PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys #AuthorizedKeysFile .ssh/authorized_keys

248
openssh-5.6p1-fips.patch → openssh-5.8p1-fips.patch
View File

@ -1,6 +1,6 @@
diff -up openssh-5.6p1/audit.c.fips openssh-5.6p1/audit.c diff -up openssh-5.8p1/audit.c.fips openssh-5.8p1/audit.c
--- openssh-5.6p1/audit.c.fips 2011-01-16 23:45:01.000000000 +0100 --- openssh-5.8p1/audit.c.fips 2011-02-14 10:10:41.000000000 +0100
+++ openssh-5.6p1/audit.c 2011-01-16 23:45:59.000000000 +0100 +++ openssh-5.8p1/audit.c 2011-02-14 10:10:41.000000000 +0100
@@ -124,7 +124,7 @@ audit_key(int type, int *rv, const Key * @@ -124,7 +124,7 @@ audit_key(int type, int *rv, const Key *
"ssh-dsa", "ssh-dsa",
"unknown" }; "unknown" };
@ -10,9 +10,9 @@ diff -up openssh-5.6p1/audit.c.fips openssh-5.6p1/audit.c
switch(key->type) { switch(key->type) {
case KEY_RSA1: case KEY_RSA1:
case KEY_RSA: case KEY_RSA:
diff -up openssh-5.6p1/auth2-pubkey.c.fips openssh-5.6p1/auth2-pubkey.c diff -up openssh-5.8p1/auth2-pubkey.c.fips openssh-5.8p1/auth2-pubkey.c
--- openssh-5.6p1/auth2-pubkey.c.fips 2011-01-16 23:41:58.000000000 +0100 --- openssh-5.8p1/auth2-pubkey.c.fips 2011-02-14 10:10:41.000000000 +0100
+++ openssh-5.6p1/auth2-pubkey.c 2011-01-16 23:41:59.000000000 +0100 +++ openssh-5.8p1/auth2-pubkey.c 2011-02-14 10:10:41.000000000 +0100
@@ -36,6 +36,7 @@ @@ -36,6 +36,7 @@
#include <string.h> #include <string.h>
#include <time.h> #include <time.h>
@ -30,10 +30,10 @@ diff -up openssh-5.6p1/auth2-pubkey.c.fips openssh-5.6p1/auth2-pubkey.c
verbose("Found matching %s key: %s", verbose("Found matching %s key: %s",
key_type(found), fp); key_type(found), fp);
xfree(fp); xfree(fp);
diff -up openssh-5.6p1/authfile.c.fips openssh-5.6p1/authfile.c diff -up openssh-5.8p1/authfile.c.fips openssh-5.8p1/authfile.c
--- openssh-5.6p1/authfile.c.fips 2010-08-05 05:05:16.000000000 +0200 --- openssh-5.8p1/authfile.c.fips 2010-12-01 02:03:39.000000000 +0100
+++ openssh-5.6p1/authfile.c 2011-01-16 23:41:59.000000000 +0100 +++ openssh-5.8p1/authfile.c 2011-02-14 10:10:41.000000000 +0100
@@ -146,8 +146,14 @@ key_save_private_rsa1(Key *key, const ch @@ -145,8 +145,14 @@ key_private_rsa1_to_blob(Key *key, Buffe
/* Allocate space for the private part of the key in the buffer. */ /* Allocate space for the private part of the key in the buffer. */
cp = buffer_append_space(&encrypted, buffer_len(&buffer)); cp = buffer_append_space(&encrypted, buffer_len(&buffer));
@ -50,8 +50,8 @@ diff -up openssh-5.6p1/authfile.c.fips openssh-5.6p1/authfile.c
cipher_crypt(&ciphercontext, cp, cipher_crypt(&ciphercontext, cp,
buffer_ptr(&buffer), buffer_len(&buffer)); buffer_ptr(&buffer), buffer_len(&buffer));
cipher_cleanup(&ciphercontext); cipher_cleanup(&ciphercontext);
@@ -421,8 +427,14 @@ key_load_private_rsa1(int fd, const char @@ -447,8 +453,13 @@ key_parse_private_rsa1(Buffer *blob, con
cp = buffer_append_space(&decrypted, buffer_len(&buffer)); cp = buffer_append_space(&decrypted, buffer_len(blob));
/* Rest of the buffer is encrypted. Decrypt it using the passphrase. */ /* Rest of the buffer is encrypted. Decrypt it using the passphrase. */
- cipher_set_key_string(&ciphercontext, cipher, passphrase, - cipher_set_key_string(&ciphercontext, cipher, passphrase,
@ -60,17 +60,16 @@ diff -up openssh-5.6p1/authfile.c.fips openssh-5.6p1/authfile.c
+ CIPHER_DECRYPT) < 0) { + CIPHER_DECRYPT) < 0) {
+ error("cipher_set_key_string failed."); + error("cipher_set_key_string failed.");
+ buffer_free(&decrypted); + buffer_free(&decrypted);
+ buffer_free(&buffer);
+ goto fail; + goto fail;
+ } + }
+ +
cipher_crypt(&ciphercontext, cp, cipher_crypt(&ciphercontext, cp,
buffer_ptr(&buffer), buffer_len(&buffer)); buffer_ptr(blob), buffer_len(blob));
cipher_cleanup(&ciphercontext); cipher_cleanup(&ciphercontext);
diff -up openssh-5.6p1/auth-rsa.c.fips openssh-5.6p1/auth-rsa.c diff -up openssh-5.8p1/auth-rsa.c.fips openssh-5.8p1/auth-rsa.c
--- openssh-5.6p1/auth-rsa.c.fips 2011-01-16 23:46:11.000000000 +0100 --- openssh-5.8p1/auth-rsa.c.fips 2011-02-14 10:10:41.000000000 +0100
+++ openssh-5.6p1/auth-rsa.c 2011-01-16 23:46:31.000000000 +0100 +++ openssh-5.8p1/auth-rsa.c 2011-02-14 10:10:41.000000000 +0100
@@ -122,7 +122,7 @@ auth_rsa_verify_response(Key *key, BIGNU @@ -119,7 +119,7 @@ auth_rsa_verify_response(Key *key, BIGNU
rv = timingsafe_bcmp(response, mdbuf, 16) == 0; rv = timingsafe_bcmp(response, mdbuf, 16) == 0;
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
@ -79,9 +78,9 @@ diff -up openssh-5.6p1/auth-rsa.c.fips openssh-5.6p1/auth-rsa.c
if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa), fp, rv) == 0) { if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa), fp, rv) == 0) {
debug("unsuccessful audit"); debug("unsuccessful audit");
rv = 0; rv = 0;
diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c diff -up openssh-5.8p1/cipher.c.fips openssh-5.8p1/cipher.c
--- openssh-5.6p1/cipher.c.fips 2011-01-16 23:41:56.000000000 +0100 --- openssh-5.8p1/cipher.c.fips 2011-02-14 10:10:41.000000000 +0100
+++ openssh-5.6p1/cipher.c 2011-01-16 23:41:59.000000000 +0100 +++ openssh-5.8p1/cipher.c 2011-02-14 10:10:41.000000000 +0100
@@ -40,6 +40,7 @@ @@ -40,6 +40,7 @@
#include <sys/types.h> #include <sys/types.h>
@ -166,9 +165,9 @@ diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c
} }
/* /*
diff -up openssh-5.6p1/cipher-ctr.c.fips openssh-5.6p1/cipher-ctr.c diff -up openssh-5.8p1/cipher-ctr.c.fips openssh-5.8p1/cipher-ctr.c
--- openssh-5.6p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200 --- openssh-5.8p1/cipher-ctr.c.fips 2010-10-07 13:06:42.000000000 +0200
+++ openssh-5.6p1/cipher-ctr.c 2011-01-16 23:41:59.000000000 +0100 +++ openssh-5.8p1/cipher-ctr.c 2011-02-14 10:10:41.000000000 +0100
@@ -140,7 +140,8 @@ evp_aes_128_ctr(void) @@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr; aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP #ifndef SSH_OLD_EVP
@ -179,9 +178,9 @@ diff -up openssh-5.6p1/cipher-ctr.c.fips openssh-5.6p1/cipher-ctr.c
#endif #endif
return (&aes_ctr); return (&aes_ctr);
} }
diff -up openssh-5.6p1/cipher.h.fips openssh-5.6p1/cipher.h diff -up openssh-5.8p1/cipher.h.fips openssh-5.8p1/cipher.h
--- openssh-5.6p1/cipher.h.fips 2011-01-16 23:41:56.000000000 +0100 --- openssh-5.8p1/cipher.h.fips 2011-02-14 10:10:41.000000000 +0100
+++ openssh-5.6p1/cipher.h 2011-01-16 23:41:59.000000000 +0100 +++ openssh-5.8p1/cipher.h 2011-02-14 10:10:41.000000000 +0100
@@ -87,7 +87,7 @@ void cipher_init(CipherContext *, Ciphe @@ -87,7 +87,7 @@ void cipher_init(CipherContext *, Ciphe
const u_char *, u_int, int); const u_char *, u_int, int);
void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int); void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
@ -191,9 +190,9 @@ diff -up openssh-5.6p1/cipher.h.fips openssh-5.6p1/cipher.h
u_int cipher_blocksize(const Cipher *); u_int cipher_blocksize(const Cipher *);
u_int cipher_keylen(const Cipher *); u_int cipher_keylen(const Cipher *);
u_int cipher_is_cbc(const Cipher *); u_int cipher_is_cbc(const Cipher *);
diff -up openssh-5.6p1/mac.c.fips openssh-5.6p1/mac.c diff -up openssh-5.8p1/mac.c.fips openssh-5.8p1/mac.c
--- openssh-5.6p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200 --- openssh-5.8p1/mac.c.fips 2011-02-14 10:10:41.000000000 +0100
+++ openssh-5.6p1/mac.c 2011-01-16 23:41:59.000000000 +0100 +++ openssh-5.8p1/mac.c 2011-02-14 10:10:41.000000000 +0100
@@ -28,6 +28,7 @@ @@ -28,6 +28,7 @@
#include <sys/types.h> #include <sys/types.h>
@ -243,15 +242,15 @@ diff -up openssh-5.6p1/mac.c.fips openssh-5.6p1/mac.c
for (i = 0; macs[i].name; i++) { for (i = 0; macs[i].name; i++) {
if (strcmp(name, macs[i].name) == 0) { if (strcmp(name, macs[i].name) == 0) {
diff -up openssh-5.6p1/Makefile.in.fips openssh-5.6p1/Makefile.in diff -up openssh-5.8p1/Makefile.in.fips openssh-5.8p1/Makefile.in
--- openssh-5.6p1/Makefile.in.fips 2011-01-16 23:41:58.000000000 +0100 --- openssh-5.8p1/Makefile.in.fips 2011-02-14 10:10:41.000000000 +0100
+++ openssh-5.6p1/Makefile.in 2011-01-16 23:41:59.000000000 +0100 +++ openssh-5.8p1/Makefile.in 2011-02-14 10:10:41.000000000 +0100
@@ -142,25 +142,25 @@ libssh.a: $(LIBSSH_OBJS) @@ -145,25 +145,25 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@ $(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS)
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
@ -278,7 +277,7 @@ diff -up openssh-5.6p1/Makefile.in.fips openssh-5.6p1/Makefile.in
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -169,7 +169,7 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l @@ -172,7 +172,7 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
@ -287,10 +286,10 @@ diff -up openssh-5.6p1/Makefile.in.fips openssh-5.6p1/Makefile.in
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-5.6p1/myproposal.h.fips openssh-5.6p1/myproposal.h diff -up openssh-5.8p1/myproposal.h.fips openssh-5.8p1/myproposal.h
--- openssh-5.6p1/myproposal.h.fips 2010-04-16 07:56:22.000000000 +0200 --- openssh-5.8p1/myproposal.h.fips 2011-01-13 12:00:22.000000000 +0100
+++ openssh-5.6p1/myproposal.h 2011-01-16 23:41:59.000000000 +0100 +++ openssh-5.8p1/myproposal.h 2011-02-14 10:10:41.000000000 +0100
@@ -58,7 +58,12 @@ @@ -81,7 +81,12 @@
"hmac-sha1-96,hmac-md5-96" "hmac-sha1-96,hmac-md5-96"
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
#define KEX_DEFAULT_LANG "" #define KEX_DEFAULT_LANG ""
@ -304,9 +303,9 @@ diff -up openssh-5.6p1/myproposal.h.fips openssh-5.6p1/myproposal.h
static char *myproposal[PROPOSAL_MAX] = { static char *myproposal[PROPOSAL_MAX] = {
KEX_DEFAULT_KEX, KEX_DEFAULT_KEX,
diff -up openssh-5.6p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.6p1/openbsd-compat/bsd-arc4random.c diff -up openssh-5.8p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.8p1/openbsd-compat/bsd-arc4random.c
--- openssh-5.6p1/openbsd-compat/bsd-arc4random.c.fips 2010-03-25 22:52:02.000000000 +0100 --- openssh-5.8p1/openbsd-compat/bsd-arc4random.c.fips 2010-03-25 22:52:02.000000000 +0100
+++ openssh-5.6p1/openbsd-compat/bsd-arc4random.c 2011-01-16 23:41:59.000000000 +0100 +++ openssh-5.8p1/openbsd-compat/bsd-arc4random.c 2011-02-14 10:10:41.000000000 +0100
@@ -39,6 +39,7 @@ @@ -39,6 +39,7 @@
static int rc4_ready = 0; static int rc4_ready = 0;
static RC4_KEY rc4; static RC4_KEY rc4;
@ -348,9 +347,9 @@ diff -up openssh-5.6p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.6p1/openbs
#endif /* !HAVE_ARC4RANDOM */ #endif /* !HAVE_ARC4RANDOM */
#ifndef HAVE_ARC4RANDOM_BUF #ifndef HAVE_ARC4RANDOM_BUF
diff -up openssh-5.6p1/ssh-add.c.fips openssh-5.6p1/ssh-add.c diff -up openssh-5.8p1/ssh-add.c.fips openssh-5.8p1/ssh-add.c
--- openssh-5.6p1/ssh-add.c.fips 2010-05-21 06:56:47.000000000 +0200 --- openssh-5.8p1/ssh-add.c.fips 2010-11-11 04:17:02.000000000 +0100
+++ openssh-5.6p1/ssh-add.c 2011-01-16 23:41:59.000000000 +0100 +++ openssh-5.8p1/ssh-add.c 2011-02-14 10:10:41.000000000 +0100
@@ -42,6 +42,7 @@ @@ -42,6 +42,7 @@
#include <sys/param.h> #include <sys/param.h>
@ -359,7 +358,7 @@ diff -up openssh-5.6p1/ssh-add.c.fips openssh-5.6p1/ssh-add.c
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#include <fcntl.h> #include <fcntl.h>
@@ -277,7 +278,7 @@ list_identities(AuthenticationConnection @@ -280,7 +281,7 @@ list_identities(AuthenticationConnection
key = ssh_get_next_identity(ac, &comment, version)) { key = ssh_get_next_identity(ac, &comment, version)) {
had_identities = 1; had_identities = 1;
if (do_fp) { if (do_fp) {
@ -368,9 +367,9 @@ diff -up openssh-5.6p1/ssh-add.c.fips openssh-5.6p1/ssh-add.c
SSH_FP_HEX); SSH_FP_HEX);
printf("%d %s %s (%s)\n", printf("%d %s %s (%s)\n",
key_size(key), fp, comment, key_type(key)); key_size(key), fp, comment, key_type(key));
diff -up openssh-5.6p1/ssh-agent.c.fips openssh-5.6p1/ssh-agent.c diff -up openssh-5.8p1/ssh-agent.c.fips openssh-5.8p1/ssh-agent.c
--- openssh-5.6p1/ssh-agent.c.fips 2010-04-16 07:56:22.000000000 +0200 --- openssh-5.8p1/ssh-agent.c.fips 2010-12-01 01:50:35.000000000 +0100
+++ openssh-5.6p1/ssh-agent.c 2011-01-16 23:41:59.000000000 +0100 +++ openssh-5.8p1/ssh-agent.c 2011-02-14 10:10:41.000000000 +0100
@@ -51,6 +51,7 @@ @@ -51,6 +51,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
@ -392,10 +391,10 @@ diff -up openssh-5.6p1/ssh-agent.c.fips openssh-5.6p1/ssh-agent.c
ret = 0; ret = 0;
xfree(p); xfree(p);
diff -up openssh-5.6p1/ssh.c.fips openssh-5.6p1/ssh.c diff -up openssh-5.8p1/ssh.c.fips openssh-5.8p1/ssh.c
--- openssh-5.6p1/ssh.c.fips 2010-08-16 17:59:31.000000000 +0200 --- openssh-5.8p1/ssh.c.fips 2011-02-04 01:42:15.000000000 +0100
+++ openssh-5.6p1/ssh.c 2011-01-16 23:41:59.000000000 +0100 +++ openssh-5.8p1/ssh.c 2011-02-14 10:10:41.000000000 +0100
@@ -72,6 +72,8 @@ @@ -73,6 +73,8 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
@ -404,7 +403,7 @@ diff -up openssh-5.6p1/ssh.c.fips openssh-5.6p1/ssh.c
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
@@ -235,6 +237,10 @@ main(int ac, char **av) @@ -234,6 +236,10 @@ main(int ac, char **av)
sanitise_stdfd(); sanitise_stdfd();
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
@ -415,7 +414,7 @@ diff -up openssh-5.6p1/ssh.c.fips openssh-5.6p1/ssh.c
init_rng(); init_rng();
/* /*
@@ -301,6 +307,9 @@ main(int ac, char **av) @@ -300,6 +306,9 @@ main(int ac, char **av)
"ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) { "ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) {
switch (opt) { switch (opt) {
case '1': case '1':
@ -425,15 +424,15 @@ diff -up openssh-5.6p1/ssh.c.fips openssh-5.6p1/ssh.c
options.protocol = SSH_PROTO_1; options.protocol = SSH_PROTO_1;
break; break;
case '2': case '2':
@@ -599,7 +608,6 @@ main(int ac, char **av) @@ -598,7 +607,6 @@ main(int ac, char **av)
if (!host) if (!host)
usage(); usage();
- SSLeay_add_all_algorithms(); - OpenSSL_add_all_algorithms();
ERR_load_crypto_strings(); ERR_load_crypto_strings();
/* Initialize the command to execute on remote host. */ /* Initialize the command to execute on remote host. */
@@ -685,6 +693,10 @@ main(int ac, char **av) @@ -684,6 +692,10 @@ main(int ac, char **av)
seed_rng(); seed_rng();
@ -444,7 +443,7 @@ diff -up openssh-5.6p1/ssh.c.fips openssh-5.6p1/ssh.c
if (options.user == NULL) if (options.user == NULL)
options.user = xstrdup(pw->pw_name); options.user = xstrdup(pw->pw_name);
@@ -752,6 +764,12 @@ main(int ac, char **av) @@ -753,6 +765,12 @@ main(int ac, char **av)
timeout_ms = options.connection_timeout * 1000; timeout_ms = options.connection_timeout * 1000;
@ -457,9 +456,9 @@ diff -up openssh-5.6p1/ssh.c.fips openssh-5.6p1/ssh.c
/* Open a connection to the remote host. */ /* Open a connection to the remote host. */
if (ssh_connect(host, &hostaddr, options.port, if (ssh_connect(host, &hostaddr, options.port,
options.address_family, options.connection_attempts, &timeout_ms, options.address_family, options.connection_attempts, &timeout_ms,
diff -up openssh-5.6p1/sshconnect2.c.fips openssh-5.6p1/sshconnect2.c diff -up openssh-5.8p1/sshconnect2.c.fips openssh-5.8p1/sshconnect2.c
--- openssh-5.6p1/sshconnect2.c.fips 2011-01-16 23:41:59.000000000 +0100 --- openssh-5.8p1/sshconnect2.c.fips 2010-12-01 02:21:51.000000000 +0100
+++ openssh-5.6p1/sshconnect2.c 2011-01-16 23:41:59.000000000 +0100 +++ openssh-5.8p1/sshconnect2.c 2011-02-14 10:10:41.000000000 +0100
@@ -44,6 +44,8 @@ @@ -44,6 +44,8 @@
#include <vis.h> #include <vis.h>
#endif #endif
@ -469,7 +468,7 @@ diff -up openssh-5.6p1/sshconnect2.c.fips openssh-5.6p1/sshconnect2.c
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
#include "xmalloc.h" #include "xmalloc.h"
@@ -116,6 +118,10 @@ ssh_kex2(char *host, struct sockaddr *ho @@ -169,6 +171,10 @@ ssh_kex2(char *host, struct sockaddr *ho
if (options.ciphers != NULL) { if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -480,7 +479,7 @@ diff -up openssh-5.6p1/sshconnect2.c.fips openssh-5.6p1/sshconnect2.c
} }
myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -131,7 +137,11 @@ ssh_kex2(char *host, struct sockaddr *ho @@ -184,7 +190,11 @@ ssh_kex2(char *host, struct sockaddr *ho
if (options.macs != NULL) { if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@ -492,7 +491,7 @@ diff -up openssh-5.6p1/sshconnect2.c.fips openssh-5.6p1/sshconnect2.c
if (options.hostkeyalgorithms != NULL) if (options.hostkeyalgorithms != NULL)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
options.hostkeyalgorithms; options.hostkeyalgorithms;
@@ -529,8 +539,8 @@ input_userauth_pk_ok(int type, u_int32_t @@ -590,8 +600,8 @@ input_userauth_pk_ok(int type, u_int32_t
key->type, pktype); key->type, pktype);
goto done; goto done;
} }
@ -503,10 +502,10 @@ diff -up openssh-5.6p1/sshconnect2.c.fips openssh-5.6p1/sshconnect2.c
xfree(fp); xfree(fp);
/* /*
diff -up openssh-5.6p1/sshconnect.c.fips openssh-5.6p1/sshconnect.c diff -up openssh-5.8p1/sshconnect.c.fips openssh-5.8p1/sshconnect.c
--- openssh-5.6p1/sshconnect.c.fips 2010-04-18 00:08:21.000000000 +0200 --- openssh-5.8p1/sshconnect.c.fips 2011-01-16 13:17:59.000000000 +0100
+++ openssh-5.6p1/sshconnect.c 2011-01-16 23:41:59.000000000 +0100 +++ openssh-5.8p1/sshconnect.c 2011-02-14 10:18:14.000000000 +0100
@@ -40,6 +40,8 @@ @@ -41,6 +41,8 @@
#include <string.h> #include <string.h>
#include <unistd.h> #include <unistd.h>
@ -515,15 +514,37 @@ diff -up openssh-5.6p1/sshconnect.c.fips openssh-5.6p1/sshconnect.c
#include "xmalloc.h" #include "xmalloc.h"
#include "key.h" #include "key.h"
#include "hostfile.h" #include "hostfile.h"
@@ -789,6 +791,7 @@ check_host_key(char *hostname, struct so @@ -705,6 +707,7 @@ check_host_key(char *hostname, struct so
int len, cancelled_forwarding = 0;
struct hostkeys *host_hostkeys, *ip_hostkeys;
const struct hostkey_entry *host_found, *ip_found;
+ int fips_on = FIPS_mode();
/*
* Force accepting of the host key for loopback/localhost. The
@@ -798,10 +801,10 @@ check_host_key(char *hostname, struct so
"key for IP address '%.128s' to the list "
"of known hosts.", type, ip);
} else if (options.visual_host_key) {
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- ra = key_fingerprint(host_key, SSH_FP_MD5,
+ fp = key_fingerprint(host_key, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
+ ra = key_fingerprint(host_key, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5,
SSH_FP_RANDOMART);
- logit("Host key fingerprint is %s\n%s\n", fp, ra);
+ logit("Host key %sfingerprint is %s\n%s\n", fips_on ? "SHA1 " : "", fp, ra);
xfree(ra);
xfree(fp);
}
@@ -830,6 +833,7 @@ check_host_key(char *hostname, struct so
goto fail; goto fail;
} else if (options.strict_host_key_checking == 2) { } else if (options.strict_host_key_checking == 2) {
char msg1[1024], msg2[1024]; char msg1[1024], msg2[1024];
+ int fips_on = FIPS_mode(); + int fips_on = FIPS_mode();
if (show_other_keys(host, host_key)) if (show_other_keys(host_hostkeys, host_key))
snprintf(msg1, sizeof(msg1), snprintf(msg1, sizeof(msg1),
@@ -797,8 +800,8 @@ check_host_key(char *hostname, struct so @@ -838,8 +842,8 @@ check_host_key(char *hostname, struct so
else else
snprintf(msg1, sizeof(msg1), "."); snprintf(msg1, sizeof(msg1), ".");
/* The default */ /* The default */
@ -534,7 +555,7 @@ diff -up openssh-5.6p1/sshconnect.c.fips openssh-5.6p1/sshconnect.c
SSH_FP_RANDOMART); SSH_FP_RANDOMART);
msg2[0] = '\0'; msg2[0] = '\0';
if (options.verify_host_key_dns) { if (options.verify_host_key_dns) {
@@ -814,10 +817,10 @@ check_host_key(char *hostname, struct so @@ -855,10 +859,10 @@ check_host_key(char *hostname, struct so
snprintf(msg, sizeof(msg), snprintf(msg, sizeof(msg),
"The authenticity of host '%.200s (%s)' can't be " "The authenticity of host '%.200s (%s)' can't be "
"established%s\n" "established%s\n"
@ -547,33 +568,36 @@ diff -up openssh-5.6p1/sshconnect.c.fips openssh-5.6p1/sshconnect.c
options.visual_host_key ? "\n" : "", options.visual_host_key ? "\n" : "",
options.visual_host_key ? ra : "", options.visual_host_key ? ra : "",
msg2); msg2);
@@ -1151,17 +1154,18 @@ show_key_from_file(const char *file, con @@ -1208,20 +1212,21 @@ show_other_keys(struct hostkeys *hostkey
Key *found; int i, ret = 0;
char *fp, *ra; char *fp, *ra;
int line, ret; const struct hostkey_entry *found;
+ int fips_on = FIPS_mode(); + int fips_on = FIPS_mode();
found = key_new(keytype); for (i = 0; type[i] != -1; i++) {
if ((ret = lookup_key_in_hostfile_by_type(file, host, if (type[i] == key->type)
keytype, found, &line))) { continue;
- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
- ra = key_fingerprint(found, SSH_FP_MD5, SSH_FP_RANDOMART); continue;
+ fp = key_fingerprint(found, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX); - fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
+ ra = key_fingerprint(found, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_RANDOMART); - ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
+ fp = key_fingerprint(found->key, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
+ ra = key_fingerprint(found->key, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_RANDOMART);
logit("WARNING: %s key found for host %s\n" logit("WARNING: %s key found for host %s\n"
"in %s:%d\n" "in %s:%lu\n"
- "%s key fingerprint %s.\n%s\n", - "%s key fingerprint %s.",
+ "%s key %sfingerprint %s.\n%s\n", + "%s key %sfingerprint %s.\n%s\n",
key_type(found), host, file, line, key_type(found->key),
- key_type(found), fp, ra); found->host, found->file, found->line,
- key_type(found->key), fp);
+ key_type(found), fips_on ? "SHA1 ":"", fp, ra); + key_type(found), fips_on ? "SHA1 ":"", fp, ra);
if (options.visual_host_key)
logit("%s", ra);
xfree(ra); xfree(ra);
xfree(fp); @@ -1235,8 +1240,9 @@ static void
} warn_changed_key(Key *host_key)
@@ -1207,8 +1211,9 @@ warn_changed_key(Key *host_key)
{ {
char *fp; char *fp;
const char *type = key_type(host_key);
+ int fips_on = FIPS_mode(); + int fips_on = FIPS_mode();
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); - fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
@ -581,20 +605,20 @@ diff -up openssh-5.6p1/sshconnect.c.fips openssh-5.6p1/sshconnect.c
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
@@ -1216,8 +1221,8 @@ warn_changed_key(Key *host_key) @@ -1244,8 +1250,8 @@ warn_changed_key(Key *host_key)
error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"); error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
error("It is also possible that the %s host key has just been changed.", type); error("It is also possible that a host key has just been changed.");
- error("The fingerprint for the %s key sent by the remote host is\n%s.", - error("The fingerprint for the %s key sent by the remote host is\n%s.",
- type, fp); - key_type(host_key), fp);
+ error("The %sfingerprint for the %s key sent by the remote host is\n%s.", + error("The %sfingerprint for the %s key sent by the remote host is\n%s.",
+ fips_on ? "SHA1 ":"", type, fp); + fips_on ? "SHA1 ":"", key_type(host_key), fp);
error("Please contact your system administrator."); error("Please contact your system administrator.");
xfree(fp); xfree(fp);
diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
--- openssh-5.6p1/sshd.c.fips 2011-01-16 23:41:58.000000000 +0100 --- openssh-5.8p1/sshd.c.fips 2011-02-14 10:10:41.000000000 +0100
+++ openssh-5.6p1/sshd.c 2011-01-16 23:41:59.000000000 +0100 +++ openssh-5.8p1/sshd.c 2011-02-14 10:10:41.000000000 +0100
@@ -76,6 +76,8 @@ @@ -76,6 +76,8 @@
#include <openssl/bn.h> #include <openssl/bn.h>
#include <openssl/md5.h> #include <openssl/md5.h>
@ -604,7 +628,7 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#ifdef HAVE_SECUREWARE #ifdef HAVE_SECUREWARE
@@ -1309,6 +1311,12 @@ main(int ac, char **av) @@ -1314,6 +1316,12 @@ main(int ac, char **av)
(void)set_auth_parameters(ac, av); (void)set_auth_parameters(ac, av);
#endif #endif
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
@ -617,16 +641,16 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
init_rng(); init_rng();
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
@@ -1470,8 +1478,6 @@ main(int ac, char **av) @@ -1475,8 +1483,6 @@ main(int ac, char **av)
else else
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
- SSLeay_add_all_algorithms(); - OpenSSL_add_all_algorithms();
- -
/* /*
* Force logging to stderr until we have loaded the private host * Force logging to stderr until we have loaded the private host
* key (unless started from inetd) * key (unless started from inetd)
@@ -1589,6 +1595,10 @@ main(int ac, char **av) @@ -1595,6 +1601,10 @@ main(int ac, char **av)
debug("private host key: #%d type %d %s", i, key->type, debug("private host key: #%d type %d %s", i, key->type,
key_type(key)); key_type(key));
} }
@ -637,7 +661,7 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
logit("Disabling protocol version 1. Could not load host key"); logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1; options.protocol &= ~SSH_PROTO_1;
@@ -1753,6 +1763,10 @@ main(int ac, char **av) @@ -1759,6 +1769,10 @@ main(int ac, char **av)
/* Initialize the random number generator. */ /* Initialize the random number generator. */
arc4random_stir(); arc4random_stir();
@ -648,7 +672,7 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
/* Chdir to the root directory so that the current disk can be /* Chdir to the root directory so that the current disk can be
unmounted if desired. */ unmounted if desired. */
chdir("/"); chdir("/");
@@ -2293,6 +2307,9 @@ do_ssh2_kex(void) @@ -2305,6 +2319,9 @@ do_ssh2_kex(void)
if (options.ciphers != NULL) { if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -658,7 +682,7 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
} }
myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -2302,6 +2319,9 @@ do_ssh2_kex(void) @@ -2314,6 +2331,9 @@ do_ssh2_kex(void)
if (options.macs != NULL) { if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@ -668,9 +692,9 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
} }
if (options.compression == COMP_NONE) { if (options.compression == COMP_NONE) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] = myproposal[PROPOSAL_COMP_ALGS_CTOS] =
diff -up openssh-5.6p1/ssh-keygen.c.fips openssh-5.6p1/ssh-keygen.c diff -up openssh-5.8p1/ssh-keygen.c.fips openssh-5.8p1/ssh-keygen.c
--- openssh-5.6p1/ssh-keygen.c.fips 2011-01-16 23:41:58.000000000 +0100 --- openssh-5.8p1/ssh-keygen.c.fips 2011-02-14 10:10:41.000000000 +0100
+++ openssh-5.6p1/ssh-keygen.c 2011-01-16 23:41:59.000000000 +0100 +++ openssh-5.8p1/ssh-keygen.c 2011-02-14 10:10:41.000000000 +0100
@@ -21,6 +21,7 @@ @@ -21,6 +21,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
@ -679,7 +703,7 @@ diff -up openssh-5.6p1/ssh-keygen.c.fips openssh-5.6p1/ssh-keygen.c
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#include <errno.h> #include <errno.h>
@@ -692,7 +693,7 @@ do_fingerprint(struct passwd *pw) @@ -721,7 +722,7 @@ do_fingerprint(struct passwd *pw)
enum fp_type fptype; enum fp_type fptype;
struct stat st; struct stat st;
@ -688,7 +712,7 @@ diff -up openssh-5.6p1/ssh-keygen.c.fips openssh-5.6p1/ssh-keygen.c
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
if (!have_identity) if (!have_identity)
@@ -2209,14 +2210,15 @@ passphrase_again: @@ -2253,14 +2254,15 @@ passphrase_again:
fclose(f); fclose(f);
if (!quiet) { if (!quiet) {

24
openssh-5.8p1-gssapi-canohost.patch Normal file
View File

@ -0,0 +1,24 @@
diff -up openssh-5.8p1/sshconnect2.c.canohost openssh-5.8p1/sshconnect2.c
--- openssh-5.8p1/sshconnect2.c.canohost 2011-02-14 15:15:15.000000000 +0100
+++ openssh-5.8p1/sshconnect2.c 2011-02-14 15:21:45.000000000 +0100
@@ -697,14 +697,17 @@ userauth_gssapi(Authctxt *authctxt)
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
- const char *gss_host;
+ const char *gss_host = NULL;
if (options.gss_server_identity)
gss_host = options.gss_server_identity;
else if (options.gss_trust_dns)
gss_host = get_canonical_hostname(1);
- else
- gss_host = authctxt->host;
+ else {
+ gss_host = get_canonical_hostname(1);
+ if ( strcmp( gss_host, "UNKNOWN" ) == 0 )
+ gss_host = authctxt->host;
+ }
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */

469
openssh-5.6p1-gsskex.patch → openssh-5.8p1-gsskex.patch
View File

@ -1,6 +1,6 @@
diff -up openssh-5.6p1/auth2.c.gsskex openssh-5.6p1/auth2.c diff -up openssh-5.8p1/auth2.c.gsskex openssh-5.8p1/auth2.c
--- openssh-5.6p1/auth2.c.gsskex 2011-01-24 23:51:08.000000000 +0100 --- openssh-5.8p1/auth2.c.gsskex 2011-02-14 14:47:02.000000000 +0100
+++ openssh-5.6p1/auth2.c 2011-01-24 23:51:08.000000000 +0100 +++ openssh-5.8p1/auth2.c 2011-02-14 14:47:02.000000000 +0100
@@ -69,6 +69,7 @@ extern Authmethod method_passwd; @@ -69,6 +69,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint; extern Authmethod method_kbdint;
extern Authmethod method_hostbased; extern Authmethod method_hostbased;
@ -35,9 +35,9 @@ diff -up openssh-5.6p1/auth2.c.gsskex openssh-5.6p1/auth2.c
authctxt->failures++; authctxt->failures++;
if (authctxt->failures >= options.max_authtries) { if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
diff -up openssh-5.6p1/auth2-gss.c.gsskex openssh-5.6p1/auth2-gss.c diff -up openssh-5.8p1/auth2-gss.c.gsskex openssh-5.8p1/auth2-gss.c
--- openssh-5.6p1/auth2-gss.c.gsskex 2011-01-24 23:51:08.000000000 +0100 --- openssh-5.8p1/auth2-gss.c.gsskex 2011-02-14 14:47:02.000000000 +0100
+++ openssh-5.6p1/auth2-gss.c 2011-01-24 23:51:08.000000000 +0100 +++ openssh-5.8p1/auth2-gss.c 2011-02-14 14:47:02.000000000 +0100
@@ -1,7 +1,7 @@ @@ -1,7 +1,7 @@
/* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */ /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
@ -137,9 +137,9 @@ diff -up openssh-5.6p1/auth2-gss.c.gsskex openssh-5.6p1/auth2-gss.c
Authmethod method_gssapi = { Authmethod method_gssapi = {
"gssapi-with-mic", "gssapi-with-mic",
userauth_gssapi, userauth_gssapi,
diff -up openssh-5.6p1/auth.h.gsskex openssh-5.6p1/auth.h diff -up openssh-5.8p1/auth.h.gsskex openssh-5.8p1/auth.h
--- openssh-5.6p1/auth.h.gsskex 2011-01-24 23:51:08.000000000 +0100 --- openssh-5.8p1/auth.h.gsskex 2011-02-14 14:47:02.000000000 +0100
+++ openssh-5.6p1/auth.h 2011-01-24 23:51:08.000000000 +0100 +++ openssh-5.8p1/auth.h 2011-02-14 14:47:02.000000000 +0100
@@ -53,6 +53,7 @@ struct Authctxt { @@ -53,6 +53,7 @@ struct Authctxt {
int valid; /* user exists and is allowed to login */ int valid; /* user exists and is allowed to login */
int attempt; int attempt;
@ -148,10 +148,10 @@ diff -up openssh-5.6p1/auth.h.gsskex openssh-5.6p1/auth.h
int force_pwchange; int force_pwchange;
char *user; /* username sent by the client */ char *user; /* username sent by the client */
char *service; char *service;
diff -up openssh-5.6p1/auth-krb5.c.gsskex openssh-5.6p1/auth-krb5.c diff -up openssh-5.8p1/auth-krb5.c.gsskex openssh-5.8p1/auth-krb5.c
--- openssh-5.6p1/auth-krb5.c.gsskex 2009-12-21 00:49:22.000000000 +0100 --- openssh-5.8p1/auth-krb5.c.gsskex 2011-02-14 14:47:02.000000000 +0100
+++ openssh-5.6p1/auth-krb5.c 2011-01-24 23:51:08.000000000 +0100 +++ openssh-5.8p1/auth-krb5.c 2011-02-14 14:47:02.000000000 +0100
@@ -170,8 +170,13 @@ auth_krb5_password(Authctxt *authctxt, c @@ -184,8 +184,13 @@ auth_krb5_password(Authctxt *authctxt, c
len = strlen(authctxt->krb5_ticket_file) + 6; len = strlen(authctxt->krb5_ticket_file) + 6;
authctxt->krb5_ccname = xmalloc(len); authctxt->krb5_ccname = xmalloc(len);
@ -165,7 +165,7 @@ diff -up openssh-5.6p1/auth-krb5.c.gsskex openssh-5.6p1/auth-krb5.c
#ifdef USE_PAM #ifdef USE_PAM
if (options.use_pam) if (options.use_pam)
@@ -226,15 +231,22 @@ krb5_cleanup_proc(Authctxt *authctxt) @@ -240,15 +245,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
#ifndef HEIMDAL #ifndef HEIMDAL
krb5_error_code krb5_error_code
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
@ -190,7 +190,7 @@ diff -up openssh-5.6p1/auth-krb5.c.gsskex openssh-5.6p1/auth-krb5.c
old_umask = umask(0177); old_umask = umask(0177);
tmpfd = mkstemp(ccname + strlen("FILE:")); tmpfd = mkstemp(ccname + strlen("FILE:"));
umask(old_umask); umask(old_umask);
@@ -249,6 +261,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c @@ -263,6 +275,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c
return errno; return errno;
} }
close(tmpfd); close(tmpfd);
@ -198,10 +198,28 @@ diff -up openssh-5.6p1/auth-krb5.c.gsskex openssh-5.6p1/auth-krb5.c
return (krb5_cc_resolve(ctx, ccname, ccache)); return (krb5_cc_resolve(ctx, ccname, ccache));
} }
diff -up openssh-5.6p1/ChangeLog.gssapi.gsskex openssh-5.6p1/ChangeLog.gssapi diff -up openssh-5.8p1/ChangeLog.gssapi.gsskex openssh-5.8p1/ChangeLog.gssapi
--- openssh-5.6p1/ChangeLog.gssapi.gsskex 2011-01-24 23:51:08.000000000 +0100 --- openssh-5.8p1/ChangeLog.gssapi.gsskex 2011-02-14 14:47:02.000000000 +0100
+++ openssh-5.6p1/ChangeLog.gssapi 2011-01-24 23:51:08.000000000 +0100 +++ openssh-5.8p1/ChangeLog.gssapi 2011-02-14 14:47:02.000000000 +0100
@@ -0,0 +1,95 @@ @@ -0,0 +1,113 @@
+20110101
+ - Finally update for OpenSSH 5.6p1
+ - Add GSSAPIServerIdentity option from Jim Basney
+
+20100308
+ - [ Makefile.in, key.c, key.h ]
+ Updates for OpenSSH 5.4p1
+ - [ servconf.c ]
+ Include GSSAPI options in the sshd -T configuration dump, and flag
+ some older configuration options as being unsupported. Thanks to Colin
+ Watson.
+ -
+
+20100124
+ - [ sshconnect2.c ]
+ Adapt to deal with additional element in Authmethod structure. Thanks to
+ Colin Watson
+
+20090615 +20090615
+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c + - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
+ sshd.c ] + sshd.c ]
@ -297,9 +315,9 @@ diff -up openssh-5.6p1/ChangeLog.gssapi.gsskex openssh-5.6p1/ChangeLog.gssapi
+ add support for GssapiTrustDns option for gssapi-with-mic + add support for GssapiTrustDns option for gssapi-with-mic
+ (from jbasney AT ncsa.uiuc.edu) + (from jbasney AT ncsa.uiuc.edu)
+ <gssapi-with-mic support is Bugzilla #1008> + <gssapi-with-mic support is Bugzilla #1008>
diff -up openssh-5.6p1/clientloop.c.gsskex openssh-5.6p1/clientloop.c diff -up openssh-5.8p1/clientloop.c.gsskex openssh-5.8p1/clientloop.c
--- openssh-5.6p1/clientloop.c.gsskex 2010-08-03 08:04:46.000000000 +0200 --- openssh-5.8p1/clientloop.c.gsskex 2011-01-16 13:18:35.000000000 +0100
+++ openssh-5.6p1/clientloop.c 2011-01-24 23:51:08.000000000 +0100 +++ openssh-5.8p1/clientloop.c 2011-02-14 14:47:02.000000000 +0100
@@ -111,6 +111,10 @@ @@ -111,6 +111,10 @@
#include "msg.h" #include "msg.h"
#include "roaming.h" #include "roaming.h"
@ -311,24 +329,26 @@ diff -up openssh-5.6p1/clientloop.c.gsskex openssh-5.6p1/clientloop.c
/* import options */ /* import options */
extern Options options; extern Options options;
@@ -1483,6 +1487,13 @@ client_loop(int have_pty, int escape_cha @@ -1483,6 +1487,15 @@ client_loop(int have_pty, int escape_cha
/* Do channel operations unless rekeying in progress. */ /* Do channel operations unless rekeying in progress. */
if (!rekeying) { if (!rekeying) {
channel_after_select(readset, writeset); channel_after_select(readset, writeset);
+ +
+#ifdef GSSAPI
+ if (options.gss_renewal_rekey && + if (options.gss_renewal_rekey &&
+ ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)) { + ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)) {
+ debug("credentials updated - forcing rekey"); + debug("credentials updated - forcing rekey");
+ need_rekeying = 1; + need_rekeying = 1;
+ } + }
+#endif
+ +
if (need_rekeying || packet_need_rekeying()) { if (need_rekeying || packet_need_rekeying()) {
debug("need rekeying"); debug("need rekeying");
xxx_kex->done = 0; xxx_kex->done = 0;
diff -up openssh-5.6p1/configure.ac.gsskex openssh-5.6p1/configure.ac diff -up openssh-5.8p1/configure.ac.gsskex openssh-5.8p1/configure.ac
--- openssh-5.6p1/configure.ac.gsskex 2011-01-24 23:51:08.000000000 +0100 --- openssh-5.8p1/configure.ac.gsskex 2011-02-14 14:47:02.000000000 +0100
+++ openssh-5.6p1/configure.ac 2011-01-24 23:51:09.000000000 +0100 +++ openssh-5.8p1/configure.ac 2011-02-14 14:47:02.000000000 +0100
@@ -477,6 +477,30 @@ main() { if (NSVersionOfRunTimeLibrary(" @@ -514,6 +514,30 @@ main() { if (NSVersionOfRunTimeLibrary("
[Use tunnel device compatibility to OpenBSD]) [Use tunnel device compatibility to OpenBSD])
AC_DEFINE(SSH_TUN_PREPEND_AF, 1, AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
[Prepend the address family to IP tunnel traffic]) [Prepend the address family to IP tunnel traffic])
@ -359,9 +379,18 @@ diff -up openssh-5.6p1/configure.ac.gsskex openssh-5.6p1/configure.ac
m4_pattern_allow(AU_IPv) m4_pattern_allow(AU_IPv)
AC_CHECK_DECL(AU_IPv4, [], AC_CHECK_DECL(AU_IPv4, [],
AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records]) AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records])
diff -up openssh-5.6p1/gss-genr.c.gsskex openssh-5.6p1/gss-genr.c diff -up openssh-5.8p1/gss-genr.c.gsskex openssh-5.8p1/gss-genr.c
--- openssh-5.6p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200 --- openssh-5.8p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200
+++ openssh-5.6p1/gss-genr.c 2011-01-24 23:51:09.000000000 +0100 +++ openssh-5.8p1/gss-genr.c 2011-02-14 14:47:02.000000000 +0100
@@ -1,7 +1,7 @@
/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
/*
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -39,12 +39,167 @@ @@ -39,12 +39,167 @@
#include "buffer.h" #include "buffer.h"
#include "log.h" #include "log.h"
@ -700,9 +729,9 @@ diff -up openssh-5.6p1/gss-genr.c.gsskex openssh-5.6p1/gss-genr.c
+} +}
+ +
#endif /* GSSAPI */ #endif /* GSSAPI */
diff -up openssh-5.6p1/gss-serv.c.gsskex openssh-5.6p1/gss-serv.c diff -up openssh-5.8p1/gss-serv.c.gsskex openssh-5.8p1/gss-serv.c
--- openssh-5.6p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200 --- openssh-5.8p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200
+++ openssh-5.6p1/gss-serv.c 2011-01-24 23:51:09.000000000 +0100 +++ openssh-5.8p1/gss-serv.c 2011-02-14 14:47:02.000000000 +0100
@@ -1,7 +1,7 @@ @@ -1,7 +1,7 @@
/* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */ /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */
@ -1016,9 +1045,9 @@ diff -up openssh-5.6p1/gss-serv.c.gsskex openssh-5.6p1/gss-serv.c
} }
#endif #endif
diff -up openssh-5.6p1/gss-serv-krb5.c.gsskex openssh-5.6p1/gss-serv-krb5.c diff -up openssh-5.8p1/gss-serv-krb5.c.gsskex openssh-5.8p1/gss-serv-krb5.c
--- openssh-5.6p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200 --- openssh-5.8p1/gss-serv-krb5.c.gsskex 2011-02-14 14:47:02.000000000 +0100
+++ openssh-5.6p1/gss-serv-krb5.c 2011-01-24 23:51:09.000000000 +0100 +++ openssh-5.8p1/gss-serv-krb5.c 2011-02-14 14:47:02.000000000 +0100
@@ -1,7 +1,7 @@ @@ -1,7 +1,7 @@
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
@ -1028,7 +1057,7 @@ diff -up openssh-5.6p1/gss-serv-krb5.c.gsskex openssh-5.6p1/gss-serv-krb5.c
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@@ -120,6 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl @@ -121,6 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
krb5_principal princ; krb5_principal princ;
OM_uint32 maj_status, min_status; OM_uint32 maj_status, min_status;
int len; int len;
@ -1036,7 +1065,7 @@ diff -up openssh-5.6p1/gss-serv-krb5.c.gsskex openssh-5.6p1/gss-serv-krb5.c
if (client->creds == NULL) { if (client->creds == NULL) {
debug("No credentials stored"); debug("No credentials stored");
@@ -168,11 +169,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl @@ -169,11 +170,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
return; return;
} }
@ -1057,7 +1086,7 @@ diff -up openssh-5.6p1/gss-serv-krb5.c.gsskex openssh-5.6p1/gss-serv-krb5.c
#ifdef USE_PAM #ifdef USE_PAM
if (options.use_pam) if (options.use_pam)
@@ -184,6 +190,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl @@ -185,6 +191,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
return; return;
} }
@ -1129,7 +1158,7 @@ diff -up openssh-5.6p1/gss-serv-krb5.c.gsskex openssh-5.6p1/gss-serv-krb5.c
ssh_gssapi_mech gssapi_kerberos_mech = { ssh_gssapi_mech gssapi_kerberos_mech = {
"toWM5Slw5Ew8Mqkay+al2g==", "toWM5Slw5Ew8Mqkay+al2g==",
"Kerberos", "Kerberos",
@@ -191,7 +262,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { @@ -192,7 +263,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
NULL, NULL,
&ssh_gssapi_krb5_userok, &ssh_gssapi_krb5_userok,
NULL, NULL,
@ -1139,9 +1168,9 @@ diff -up openssh-5.6p1/gss-serv-krb5.c.gsskex openssh-5.6p1/gss-serv-krb5.c
}; };
#endif /* KRB5 */ #endif /* KRB5 */
diff -up openssh-5.6p1/kex.c.gsskex openssh-5.6p1/kex.c diff -up openssh-5.8p1/kex.c.gsskex openssh-5.8p1/kex.c
--- openssh-5.6p1/kex.c.gsskex 2011-01-24 23:51:08.000000000 +0100 --- openssh-5.8p1/kex.c.gsskex 2011-02-14 14:47:01.000000000 +0100
+++ openssh-5.6p1/kex.c 2011-01-24 23:51:09.000000000 +0100 +++ openssh-5.8p1/kex.c 2011-02-14 15:09:38.000000000 +0100
@@ -51,6 +51,10 @@ @@ -51,6 +51,10 @@
#include "roaming.h" #include "roaming.h"
#include "audit.h" #include "audit.h"
@ -1153,9 +1182,9 @@ diff -up openssh-5.6p1/kex.c.gsskex openssh-5.6p1/kex.c
#if OPENSSL_VERSION_NUMBER >= 0x00907000L #if OPENSSL_VERSION_NUMBER >= 0x00907000L
# if defined(HAVE_EVP_SHA256) # if defined(HAVE_EVP_SHA256)
# define evp_ssh_sha256 EVP_sha256 # define evp_ssh_sha256 EVP_sha256
@@ -339,6 +343,20 @@ choose_kex(Kex *k, char *client, char *s @@ -371,6 +375,20 @@ choose_kex(Kex *k, char *client, char *s
k->kex_type = KEX_DH_GEX_SHA256; k->kex_type = KEX_ECDH_SHA2;
k->evp_md = evp_ssh_sha256(); k->evp_md = kex_ecdh_name_to_evpmd(k->name);
#endif #endif
+#ifdef GSSAPI +#ifdef GSSAPI
+ } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID, + } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID,
@ -1174,9 +1203,9 @@ diff -up openssh-5.6p1/kex.c.gsskex openssh-5.6p1/kex.c
} else } else
fatal("bad kex alg %s", k->name); fatal("bad kex alg %s", k->name);
} }
diff -up openssh-5.6p1/kexgssc.c.gsskex openssh-5.6p1/kexgssc.c diff -up openssh-5.8p1/kexgssc.c.gsskex openssh-5.8p1/kexgssc.c
--- openssh-5.6p1/kexgssc.c.gsskex 2011-01-24 23:51:09.000000000 +0100 --- openssh-5.8p1/kexgssc.c.gsskex 2011-02-14 14:47:02.000000000 +0100
+++ openssh-5.6p1/kexgssc.c 2011-01-24 23:51:09.000000000 +0100 +++ openssh-5.8p1/kexgssc.c 2011-02-14 14:47:02.000000000 +0100
@@ -0,0 +1,334 @@ @@ -0,0 +1,334 @@
+/* +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1512,9 +1541,9 @@ diff -up openssh-5.6p1/kexgssc.c.gsskex openssh-5.6p1/kexgssc.c
+} +}
+ +
+#endif /* GSSAPI */ +#endif /* GSSAPI */
diff -up openssh-5.6p1/kexgsss.c.gsskex openssh-5.6p1/kexgsss.c diff -up openssh-5.8p1/kexgsss.c.gsskex openssh-5.8p1/kexgsss.c
--- openssh-5.6p1/kexgsss.c.gsskex 2011-01-24 23:51:09.000000000 +0100 --- openssh-5.8p1/kexgsss.c.gsskex 2011-02-14 14:47:02.000000000 +0100
+++ openssh-5.6p1/kexgsss.c 2011-01-24 23:51:09.000000000 +0100 +++ openssh-5.8p1/kexgsss.c 2011-02-14 14:47:02.000000000 +0100
@@ -0,0 +1,288 @@ @@ -0,0 +1,288 @@
+/* +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1804,20 +1833,20 @@ diff -up openssh-5.6p1/kexgsss.c.gsskex openssh-5.6p1/kexgsss.c
+ ssh_gssapi_rekey_creds(); + ssh_gssapi_rekey_creds();
+} +}
+#endif /* GSSAPI */ +#endif /* GSSAPI */
diff -up openssh-5.6p1/kex.h.gsskex openssh-5.6p1/kex.h diff -up openssh-5.8p1/kex.h.gsskex openssh-5.8p1/kex.h
--- openssh-5.6p1/kex.h.gsskex 2011-01-24 23:51:08.000000000 +0100 --- openssh-5.8p1/kex.h.gsskex 2011-02-14 14:47:01.000000000 +0100
+++ openssh-5.6p1/kex.h 2011-01-24 23:52:26.000000000 +0100 +++ openssh-5.8p1/kex.h 2011-02-14 15:10:05.000000000 +0100
@@ -67,6 +67,9 @@ enum kex_exchange { @@ -73,6 +73,9 @@ enum kex_exchange {
KEX_DH_GRP14_SHA1,
KEX_DH_GEX_SHA1, KEX_DH_GEX_SHA1,
KEX_DH_GEX_SHA256, KEX_DH_GEX_SHA256,
KEX_ECDH_SHA2,
+ KEX_GSS_GRP1_SHA1, + KEX_GSS_GRP1_SHA1,
+ KEX_GSS_GRP14_SHA1, + KEX_GSS_GRP14_SHA1,
+ KEX_GSS_GEX_SHA1, + KEX_GSS_GEX_SHA1,
KEX_MAX KEX_MAX
}; };
@@ -123,6 +126,12 @@ struct Kex { @@ -129,6 +132,12 @@ struct Kex {
sig_atomic_t done; sig_atomic_t done;
int flags; int flags;
const EVP_MD *evp_md; const EVP_MD *evp_md;
@ -1830,70 +1859,73 @@ diff -up openssh-5.6p1/kex.h.gsskex openssh-5.6p1/kex.h
char *client_version_string; char *client_version_string;
char *server_version_string; char *server_version_string;
int (*verify_host_key)(Key *); int (*verify_host_key)(Key *);
@@ -148,6 +157,11 @@ void kexgex_server(Kex *); @@ -156,6 +165,11 @@ void kexgex_server(Kex *);
void kexecdh_client(Kex *);
void newkeys_destroy(Newkeys *newkeys); void kexecdh_server(Kex *);
+#ifdef GSSAPI +#ifdef GSSAPI
+void kexgss_client(Kex *); +void kexgss_client(Kex *);
+void kexgss_server(Kex *); +void kexgss_server(Kex *);
+#endif +#endif
+ +
void newkeys_destroy(Newkeys *newkeys);
void void
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, diff -up openssh-5.8p1/key.c.gsskex openssh-5.8p1/key.c
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); --- openssh-5.8p1/key.c.gsskex 2011-02-04 01:48:34.000000000 +0100
diff -up openssh-5.6p1/key.c.gsskex openssh-5.6p1/key.c +++ openssh-5.8p1/key.c 2011-02-14 14:47:02.000000000 +0100
--- openssh-5.6p1/key.c.gsskex 2010-07-16 05:58:37.000000000 +0200 @@ -971,6 +971,8 @@ key_ssh_name_from_type_nid(int type, int
+++ openssh-5.6p1/key.c 2011-01-24 23:51:09.000000000 +0100 }
@@ -1020,6 +1020,8 @@ key_type_from_name(char *name) break;
return KEY_RSA_CERT; #endif /* OPENSSL_HAS_ECC */
} else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) { + case KEY_NULL:
return KEY_DSA_CERT; + return "null";
}
return "ssh-unknown";
}
@@ -1276,6 +1278,8 @@ key_type_from_name(char *name)
strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
return KEY_ECDSA_CERT;
#endif
+ } else if (strcmp(name, "null") == 0) { + } else if (strcmp(name, "null") == 0) {
+ return KEY_NULL; + return KEY_NULL;
} }
debug2("key_type_from_name: unknown key type '%s'", name); debug2("key_type_from_name: unknown key type '%s'", name);
return KEY_UNSPEC; diff -up openssh-5.8p1/key.h.gsskex openssh-5.8p1/key.h
diff -up openssh-5.6p1/key.h.gsskex openssh-5.6p1/key.h --- openssh-5.8p1/key.h.gsskex 2010-11-05 00:19:49.000000000 +0100
--- openssh-5.6p1/key.h.gsskex 2010-04-16 07:56:22.000000000 +0200 +++ openssh-5.8p1/key.h 2011-02-14 14:47:02.000000000 +0100
+++ openssh-5.6p1/key.h 2011-01-24 23:51:09.000000000 +0100 @@ -44,6 +44,7 @@ enum types {
@@ -39,6 +39,7 @@ enum types { KEY_ECDSA_CERT,
KEY_DSA_CERT,
KEY_RSA_CERT_V00, KEY_RSA_CERT_V00,
KEY_DSA_CERT_V00, KEY_DSA_CERT_V00,
+ KEY_NULL, + KEY_NULL,
KEY_UNSPEC KEY_UNSPEC
}; };
enum fp_type { enum fp_type {
diff -up openssh-5.6p1/Makefile.in.gsskex openssh-5.6p1/Makefile.in diff -up openssh-5.8p1/Makefile.in.gsskex openssh-5.8p1/Makefile.in
--- openssh-5.6p1/Makefile.in.gsskex 2011-01-24 23:51:08.000000000 +0100 --- openssh-5.8p1/Makefile.in.gsskex 2011-02-14 14:47:02.000000000 +0100
+++ openssh-5.6p1/Makefile.in 2011-01-24 23:51:09.000000000 +0100 +++ openssh-5.8p1/Makefile.in 2011-02-14 15:08:34.000000000 +0100
@@ -77,11 +77,11 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b @@ -77,6 +77,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
entropy.o gss-genr.o umac.o jpake.o schnorr.o \ kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
- ssh-pkcs11.o auditstub.o + kexgssc.o \
+ ssh-pkcs11.o auditstub.o kexgssc.o msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \
schnorr.o ssh-pkcs11.o auditstub.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ @@ -93,7 +94,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
sshconnect.o sshconnect1.o sshconnect2.o mux.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
- roaming_common.o roaming_client.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
+ roaming_common.o roaming_client.o kexgssc.o auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
audit.o audit-bsm.o audit-linux.o platform.o \
@@ -95,7 +95,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \ sftp-server.o sftp-common.o \
- roaming_common.o roaming_serv.o roaming_common.o roaming_serv.o
+ roaming_common.o roaming_serv.o kexgsss.o diff -up openssh-5.8p1/monitor.c.gsskex openssh-5.8p1/monitor.c
--- openssh-5.8p1/monitor.c.gsskex 2011-02-14 14:47:02.000000000 +0100
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out +++ openssh-5.8p1/monitor.c 2011-02-14 14:47:02.000000000 +0100
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
--- openssh-5.6p1/monitor.c.gsskex 2011-01-24 23:51:08.000000000 +0100
+++ openssh-5.6p1/monitor.c 2011-01-24 23:51:09.000000000 +0100
@@ -176,6 +176,8 @@ int mm_answer_gss_setup_ctx(int, Buffer @@ -176,6 +176,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_userok(int, Buffer *);
@ -1946,10 +1978,10 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
} else { } else {
mon_dispatch = mon_dispatch_postauth15; mon_dispatch = mon_dispatch_postauth15;
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1754,6 +1771,13 @@ mm_get_kex(Buffer *m) @@ -1755,6 +1772,13 @@ mm_get_kex(Buffer *m)
kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+#ifdef GSSAPI +#ifdef GSSAPI
+ if (options.gss_keyex) { + if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@ -1960,7 +1992,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
kex->server = 1; kex->server = 1;
kex->hostkey_type = buffer_get_int(m); kex->hostkey_type = buffer_get_int(m);
kex->kex_type = buffer_get_int(m); kex->kex_type = buffer_get_int(m);
@@ -1960,6 +1984,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer @@ -1961,6 +1985,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
OM_uint32 major; OM_uint32 major;
u_int len; u_int len;
@ -1970,7 +2002,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
goid.elements = buffer_get_string(m, &len); goid.elements = buffer_get_string(m, &len);
goid.length = len; goid.length = len;
@@ -1987,6 +2014,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe @@ -1988,6 +2015,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
OM_uint32 flags = 0; /* GSI needs this */ OM_uint32 flags = 0; /* GSI needs this */
u_int len; u_int len;
@ -1980,7 +2012,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
in.value = buffer_get_string(m, &len); in.value = buffer_get_string(m, &len);
in.length = len; in.length = len;
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -2004,6 +2034,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe @@ -2005,6 +2035,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@ -1988,7 +2020,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
} }
return (0); return (0);
} }
@@ -2015,6 +2046,9 @@ mm_answer_gss_checkmic(int sock, Buffer @@ -2016,6 +2047,9 @@ mm_answer_gss_checkmic(int sock, Buffer
OM_uint32 ret; OM_uint32 ret;
u_int len; u_int len;
@ -1998,7 +2030,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
gssbuf.value = buffer_get_string(m, &len); gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len; gssbuf.length = len;
mic.value = buffer_get_string(m, &len); mic.value = buffer_get_string(m, &len);
@@ -2041,7 +2075,11 @@ mm_answer_gss_userok(int sock, Buffer *m @@ -2042,7 +2076,11 @@ mm_answer_gss_userok(int sock, Buffer *m
{ {
int authenticated; int authenticated;
@ -2011,7 +2043,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
buffer_clear(m); buffer_clear(m);
buffer_put_int(m, authenticated); buffer_put_int(m, authenticated);
@@ -2054,6 +2092,74 @@ mm_answer_gss_userok(int sock, Buffer *m @@ -2055,6 +2093,74 @@ mm_answer_gss_userok(int sock, Buffer *m
/* Monitor loop will terminate if authenticated */ /* Monitor loop will terminate if authenticated */
return (authenticated); return (authenticated);
} }
@ -2086,9 +2118,9 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
#endif /* GSSAPI */ #endif /* GSSAPI */
#ifdef JPAKE #ifdef JPAKE
diff -up openssh-5.6p1/monitor.h.gsskex openssh-5.6p1/monitor.h diff -up openssh-5.8p1/monitor.h.gsskex openssh-5.8p1/monitor.h
--- openssh-5.6p1/monitor.h.gsskex 2011-01-24 23:51:08.000000000 +0100 --- openssh-5.8p1/monitor.h.gsskex 2011-02-14 14:47:02.000000000 +0100
+++ openssh-5.6p1/monitor.h 2011-01-24 23:51:09.000000000 +0100 +++ openssh-5.8p1/monitor.h 2011-02-14 14:47:02.000000000 +0100
@@ -56,6 +56,8 @@ enum monitor_reqtype { @@ -56,6 +56,8 @@ enum monitor_reqtype {
MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
@ -2098,10 +2130,10 @@ diff -up openssh-5.6p1/monitor.h.gsskex openssh-5.6p1/monitor.h
MONITOR_REQ_PAM_START, MONITOR_REQ_PAM_START,
MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
diff -up openssh-5.6p1/monitor_wrap.c.gsskex openssh-5.6p1/monitor_wrap.c diff -up openssh-5.8p1/monitor_wrap.c.gsskex openssh-5.8p1/monitor_wrap.c
--- openssh-5.6p1/monitor_wrap.c.gsskex 2011-01-24 23:51:08.000000000 +0100 --- openssh-5.8p1/monitor_wrap.c.gsskex 2011-02-14 14:47:02.000000000 +0100
+++ openssh-5.6p1/monitor_wrap.c 2011-01-24 23:51:09.000000000 +0100 +++ openssh-5.8p1/monitor_wrap.c 2011-02-14 14:47:02.000000000 +0100
@@ -1250,7 +1250,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss @@ -1251,7 +1251,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
} }
int int
@ -2110,7 +2142,7 @@ diff -up openssh-5.6p1/monitor_wrap.c.gsskex openssh-5.6p1/monitor_wrap.c
{ {
Buffer m; Buffer m;
int authenticated = 0; int authenticated = 0;
@@ -1267,6 +1267,51 @@ mm_ssh_gssapi_userok(char *user) @@ -1268,6 +1268,51 @@ mm_ssh_gssapi_userok(char *user)
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
return (authenticated); return (authenticated);
} }
@ -2162,9 +2194,9 @@ diff -up openssh-5.6p1/monitor_wrap.c.gsskex openssh-5.6p1/monitor_wrap.c
#endif /* GSSAPI */ #endif /* GSSAPI */
#ifdef JPAKE #ifdef JPAKE
diff -up openssh-5.6p1/monitor_wrap.h.gsskex openssh-5.6p1/monitor_wrap.h diff -up openssh-5.8p1/monitor_wrap.h.gsskex openssh-5.8p1/monitor_wrap.h
--- openssh-5.6p1/monitor_wrap.h.gsskex 2011-01-24 23:51:08.000000000 +0100 --- openssh-5.8p1/monitor_wrap.h.gsskex 2011-02-14 14:47:02.000000000 +0100
+++ openssh-5.6p1/monitor_wrap.h 2011-01-24 23:51:09.000000000 +0100 +++ openssh-5.8p1/monitor_wrap.h 2011-02-14 14:47:02.000000000 +0100
@@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K @@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@ -2177,18 +2209,19 @@ diff -up openssh-5.6p1/monitor_wrap.h.gsskex openssh-5.6p1/monitor_wrap.h
#endif #endif
#ifdef USE_PAM #ifdef USE_PAM
diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c diff -up openssh-5.8p1/readconf.c.gsskex openssh-5.8p1/readconf.c
--- openssh-5.6p1/readconf.c.gsskex 2010-08-03 08:04:46.000000000 +0200 --- openssh-5.8p1/readconf.c.gsskex 2010-11-20 05:19:38.000000000 +0100
+++ openssh-5.6p1/readconf.c 2011-01-24 23:51:09.000000000 +0100 +++ openssh-5.8p1/readconf.c 2011-02-14 14:47:02.000000000 +0100
@@ -127,6 +127,7 @@ typedef enum { @@ -129,6 +129,8 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost, oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds, oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey, + oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+ oGssServerIdentity,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist, oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts, oHashKnownHosts,
@@ -166,10 +167,18 @@ static struct { @@ -169,10 +171,19 @@ static struct {
{ "afstokenpassing", oUnsupported }, { "afstokenpassing", oUnsupported },
#if defined(GSSAPI) #if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication }, { "gssapiauthentication", oGssAuthentication },
@ -2196,6 +2229,7 @@ diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c
{ "gssapidelegatecredentials", oGssDelegateCreds }, { "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapitrustdns", oGssTrustDns }, + { "gssapitrustdns", oGssTrustDns },
+ { "gssapiclientidentity", oGssClientIdentity }, + { "gssapiclientidentity", oGssClientIdentity },
+ { "gssapiserveridentity", oGssServerIdentity },
+ { "gssapirenewalforcesrekey", oGssRenewalRekey }, + { "gssapirenewalforcesrekey", oGssRenewalRekey },
#else #else
{ "gssapiauthentication", oUnsupported }, { "gssapiauthentication", oUnsupported },
@ -2207,7 +2241,7 @@ diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c
#endif #endif
{ "fallbacktorsh", oDeprecated }, { "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated }, { "usersh", oDeprecated },
@@ -474,10 +483,26 @@ parse_flag: @@ -479,10 +490,30 @@ parse_flag:
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@ -2227,6 +2261,10 @@ diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c
+ charptr = &options->gss_client_identity; + charptr = &options->gss_client_identity;
+ goto parse_string; + goto parse_string;
+ +
+ case oGssServerIdentity:
+ charptr = &options->gss_server_identity;
+ goto parse_string;
+
+ case oGssRenewalRekey: + case oGssRenewalRekey:
+ intptr = &options->gss_renewal_rekey; + intptr = &options->gss_renewal_rekey;
+ goto parse_flag; + goto parse_flag;
@ -2234,7 +2272,7 @@ diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c
case oBatchMode: case oBatchMode:
intptr = &options->batch_mode; intptr = &options->batch_mode;
goto parse_flag; goto parse_flag;
@@ -1058,7 +1083,11 @@ initialize_options(Options * options) @@ -1092,7 +1123,12 @@ initialize_options(Options * options)
options->pubkey_authentication = -1; options->pubkey_authentication = -1;
options->challenge_response_authentication = -1; options->challenge_response_authentication = -1;
options->gss_authentication = -1; options->gss_authentication = -1;
@ -2243,10 +2281,11 @@ diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c
+ options->gss_trust_dns = -1; + options->gss_trust_dns = -1;
+ options->gss_renewal_rekey = -1; + options->gss_renewal_rekey = -1;
+ options->gss_client_identity = NULL; + options->gss_client_identity = NULL;
+ options->gss_server_identity = NULL;
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL; options->kbd_interactive_devices = NULL;
@@ -1156,8 +1185,14 @@ fill_default_options(Options * options) @@ -1193,8 +1229,14 @@ fill_default_options(Options * options)
options->challenge_response_authentication = 1; options->challenge_response_authentication = 1;
if (options->gss_authentication == -1) if (options->gss_authentication == -1)
options->gss_authentication = 0; options->gss_authentication = 0;
@ -2261,10 +2300,10 @@ diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
diff -up openssh-5.6p1/readconf.h.gsskex openssh-5.6p1/readconf.h diff -up openssh-5.8p1/readconf.h.gsskex openssh-5.8p1/readconf.h
--- openssh-5.6p1/readconf.h.gsskex 2010-08-03 08:04:46.000000000 +0200 --- openssh-5.8p1/readconf.h.gsskex 2010-11-20 05:19:38.000000000 +0100
+++ openssh-5.6p1/readconf.h 2011-01-24 23:51:09.000000000 +0100 +++ openssh-5.8p1/readconf.h 2011-02-14 14:47:02.000000000 +0100
@@ -46,7 +46,11 @@ typedef struct { @@ -46,7 +46,12 @@ typedef struct {
int challenge_response_authentication; int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */ /* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */ int gss_authentication; /* Try GSS authentication */
@ -2273,13 +2312,14 @@ diff -up openssh-5.6p1/readconf.h.gsskex openssh-5.6p1/readconf.h
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ + int gss_trust_dns; /* Trust DNS for GSS canonicalization */
+ int gss_renewal_rekey; /* Credential renewal forces rekey */ + int gss_renewal_rekey; /* Credential renewal forces rekey */
+ char *gss_client_identity; /* Principal to initiate GSSAPI with */ + char *gss_client_identity; /* Principal to initiate GSSAPI with */
+ char *gss_server_identity; /* GSSAPI target principal */
int password_authentication; /* Try password int password_authentication; /* Try password
* authentication. */ * authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff -up openssh-5.6p1/servconf.c.gsskex openssh-5.6p1/servconf.c diff -up openssh-5.8p1/servconf.c.gsskex openssh-5.8p1/servconf.c
--- openssh-5.6p1/servconf.c.gsskex 2011-01-24 23:51:08.000000000 +0100 --- openssh-5.8p1/servconf.c.gsskex 2011-02-14 14:47:02.000000000 +0100
+++ openssh-5.6p1/servconf.c 2011-01-24 23:51:09.000000000 +0100 +++ openssh-5.8p1/servconf.c 2011-02-14 15:11:09.000000000 +0100
@@ -93,7 +93,10 @@ initialize_server_options(ServerOptions @@ -97,7 +97,10 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1; options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1; options->kerberos_get_afs_token = -1;
options->gss_authentication=-1; options->gss_authentication=-1;
@ -2290,7 +2330,7 @@ diff -up openssh-5.6p1/servconf.c.gsskex openssh-5.6p1/servconf.c
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1; options->challenge_response_authentication = -1;
@@ -218,8 +221,14 @@ fill_default_server_options(ServerOption @@ -230,8 +233,14 @@ fill_default_server_options(ServerOption
options->kerberos_get_afs_token = 0; options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1) if (options->gss_authentication == -1)
options->gss_authentication = 0; options->gss_authentication = 0;
@ -2305,7 +2345,7 @@ diff -up openssh-5.6p1/servconf.c.gsskex openssh-5.6p1/servconf.c
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -313,7 +322,9 @@ typedef enum { @@ -330,7 +339,9 @@ typedef enum {
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@ -2316,23 +2356,28 @@ diff -up openssh-5.6p1/servconf.c.gsskex openssh-5.6p1/servconf.c
sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding, sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication, sHostCertificate, sZeroKnowledgePasswordAuthentication, sHostCertificate,
@@ -377,9 +388,15 @@ static struct { @@ -397,10 +408,20 @@ static struct {
#ifdef GSSAPI #ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, + { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, + { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, + { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
#else #else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL }, { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, + { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, + { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, + { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
#endif #endif
+ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
@@ -941,10 +958,22 @@ process_server_config_line(ServerOptions { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -963,10 +984,22 @@ process_server_config_line(ServerOptions
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@ -2355,10 +2400,21 @@ diff -up openssh-5.6p1/servconf.c.gsskex openssh-5.6p1/servconf.c
case sPasswordAuthentication: case sPasswordAuthentication:
intptr = &options->password_authentication; intptr = &options->password_authentication;
goto parse_flag; goto parse_flag;
diff -up openssh-5.6p1/servconf.h.gsskex openssh-5.6p1/servconf.h @@ -1748,7 +1781,10 @@ dump_config(ServerOptions *o)
--- openssh-5.6p1/servconf.h.gsskex 2011-01-24 23:51:08.000000000 +0100 #endif
+++ openssh-5.6p1/servconf.h 2011-01-24 23:51:09.000000000 +0100 #ifdef GSSAPI
@@ -94,7 +94,10 @@ typedef struct { dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+ dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
#endif
#ifdef JPAKE
dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
diff -up openssh-5.8p1/servconf.h.gsskex openssh-5.8p1/servconf.h
--- openssh-5.8p1/servconf.h.gsskex 2011-02-14 14:47:02.000000000 +0100
+++ openssh-5.8p1/servconf.h 2011-02-14 14:47:02.000000000 +0100
@@ -97,7 +97,10 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */ * authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */ int gss_authentication; /* If true, permit GSSAPI authentication */
@ -2369,10 +2425,10 @@ diff -up openssh-5.6p1/servconf.h.gsskex openssh-5.6p1/servconf.h
int password_authentication; /* If true, permit password int password_authentication; /* If true, permit password
* authentication. */ * authentication. */
int kbd_interactive_authentication; /* If true, permit */ int kbd_interactive_authentication; /* If true, permit */
diff -up openssh-5.6p1/ssh_config.5.gsskex openssh-5.6p1/ssh_config.5 diff -up openssh-5.8p1/ssh_config.5.gsskex openssh-5.8p1/ssh_config.5
--- openssh-5.6p1/ssh_config.5.gsskex 2010-08-05 05:03:13.000000000 +0200 --- openssh-5.8p1/ssh_config.5.gsskex 2010-12-26 04:26:48.000000000 +0100
+++ openssh-5.6p1/ssh_config.5 2011-01-24 23:51:09.000000000 +0100 +++ openssh-5.8p1/ssh_config.5 2011-02-14 14:47:02.000000000 +0100
@@ -509,11 +509,38 @@ Specifies whether user authentication ba @@ -508,11 +508,43 @@ Specifies whether user authentication ba
The default is The default is
.Dq no . .Dq no .
Note that this option applies to protocol version 2 only. Note that this option applies to protocol version 2 only.
@ -2386,6 +2442,11 @@ diff -up openssh-5.6p1/ssh_config.5.gsskex openssh-5.6p1/ssh_config.5
+If set, specifies the GSSAPI client identity that ssh should use when +If set, specifies the GSSAPI client identity that ssh should use when
+connecting to the server. The default is unset, which means that the default +connecting to the server. The default is unset, which means that the default
+identity will be used. +identity will be used.
+.It Cm GSSAPIServerIdentity
+If set, specifies the GSSAPI server identity that ssh should expect when
+connecting to the server. The default is unset, which means that the
+expected GSSAPI server identity will be determined from the target
+hostname.
.It Cm GSSAPIDelegateCredentials .It Cm GSSAPIDelegateCredentials
Forward (delegate) credentials to the server. Forward (delegate) credentials to the server.
The default is The default is
@ -2412,9 +2473,9 @@ diff -up openssh-5.6p1/ssh_config.5.gsskex openssh-5.6p1/ssh_config.5
.It Cm HashKnownHosts .It Cm HashKnownHosts
Indicates that Indicates that
.Xr ssh 1 .Xr ssh 1
diff -up openssh-5.6p1/ssh_config.gsskex openssh-5.6p1/ssh_config diff -up openssh-5.8p1/ssh_config.gsskex openssh-5.8p1/ssh_config
--- openssh-5.6p1/ssh_config.gsskex 2011-01-24 23:51:07.000000000 +0100 --- openssh-5.8p1/ssh_config.gsskex 2011-02-14 14:47:01.000000000 +0100
+++ openssh-5.6p1/ssh_config 2011-01-24 23:51:09.000000000 +0100 +++ openssh-5.8p1/ssh_config 2011-02-14 14:47:02.000000000 +0100
@@ -26,6 +26,8 @@ @@ -26,6 +26,8 @@
# HostbasedAuthentication no # HostbasedAuthentication no
# GSSAPIAuthentication no # GSSAPIAuthentication no
@ -2424,10 +2485,10 @@ diff -up openssh-5.6p1/ssh_config.gsskex openssh-5.6p1/ssh_config
# BatchMode no # BatchMode no
# CheckHostIP yes # CheckHostIP yes
# AddressFamily any # AddressFamily any
diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c diff -up openssh-5.8p1/sshconnect2.c.gsskex openssh-5.8p1/sshconnect2.c
--- openssh-5.6p1/sshconnect2.c.gsskex 2011-01-24 23:51:08.000000000 +0100 --- openssh-5.8p1/sshconnect2.c.gsskex 2011-02-14 14:47:02.000000000 +0100
+++ openssh-5.6p1/sshconnect2.c 2011-01-24 23:51:09.000000000 +0100 +++ openssh-5.8p1/sshconnect2.c 2011-02-14 14:47:02.000000000 +0100
@@ -108,9 +108,34 @@ ssh_kex2(char *host, struct sockaddr *ho @@ -161,9 +161,34 @@ ssh_kex2(char *host, struct sockaddr *ho
{ {
Kex *kex; Kex *kex;
@ -2462,9 +2523,9 @@ diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c
if (options.ciphers == (char *)-1) { if (options.ciphers == (char *)-1) {
logit("No valid ciphers for protocol version 2 given, using defaults."); logit("No valid ciphers for protocol version 2 given, using defaults.");
options.ciphers = NULL; options.ciphers = NULL;
@@ -146,6 +171,17 @@ ssh_kex2(char *host, struct sockaddr *ho @@ -206,6 +231,17 @@ ssh_kex2(char *host, struct sockaddr *ho
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = if (options.kex_algorithms != NULL)
options.hostkeyalgorithms; myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+#ifdef GSSAPI +#ifdef GSSAPI
+ /* If we've got GSSAPI algorithms, then we also support the + /* If we've got GSSAPI algorithms, then we also support the
@ -2480,10 +2541,10 @@ diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c
if (options.rekey_limit) if (options.rekey_limit)
packet_set_rekey_limit((u_int32_t)options.rekey_limit); packet_set_rekey_limit((u_int32_t)options.rekey_limit);
@@ -155,10 +191,26 @@ ssh_kex2(char *host, struct sockaddr *ho @@ -216,10 +252,30 @@ ssh_kex2(char *host, struct sockaddr *ho
kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
+#ifdef GSSAPI +#ifdef GSSAPI
+ if (options.gss_keyex) { + if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
@ -2500,14 +2561,18 @@ diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c
+ kex->gss_deleg_creds = options.gss_deleg_creds; + kex->gss_deleg_creds = options.gss_deleg_creds;
+ kex->gss_trust_dns = options.gss_trust_dns; + kex->gss_trust_dns = options.gss_trust_dns;
+ kex->gss_client = options.gss_client_identity; + kex->gss_client = options.gss_client_identity;
+ kex->gss_host = gss_host; + if (options.gss_server_identity) {
+ kex->gss_host = options.gss_server_identity;
+ } else {
+ kex->gss_host = gss_host;
+ }
+ } + }
+#endif +#endif
+ +
xxx_kex = kex; xxx_kex = kex;
dispatch_run(DISPATCH_BLOCK, &kex->done, kex); dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
@@ -253,6 +305,7 @@ void input_gssapi_token(int type, u_int3 @@ -314,6 +370,7 @@ void input_gssapi_token(int type, u_int3
void input_gssapi_hash(int type, u_int32_t, void *); void input_gssapi_hash(int type, u_int32_t, void *);
void input_gssapi_error(int, u_int32_t, void *); void input_gssapi_error(int, u_int32_t, void *);
void input_gssapi_errtok(int, u_int32_t, void *); void input_gssapi_errtok(int, u_int32_t, void *);
@ -2515,7 +2580,7 @@ diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c
#endif #endif
void userauth(Authctxt *, char *); void userauth(Authctxt *, char *);
@@ -268,6 +321,11 @@ static char *authmethods_get(void); @@ -329,6 +386,11 @@ static char *authmethods_get(void);
Authmethod authmethods[] = { Authmethod authmethods[] = {
#ifdef GSSAPI #ifdef GSSAPI
@ -2527,26 +2592,19 @@ diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c
{"gssapi-with-mic", {"gssapi-with-mic",
userauth_gssapi, userauth_gssapi,
NULL, NULL,
@@ -574,25 +632,37 @@ userauth_gssapi(Authctxt *authctxt) @@ -635,19 +697,31 @@ userauth_gssapi(Authctxt *authctxt)
static u_int mech = 0; static u_int mech = 0;
OM_uint32 min; OM_uint32 min;
int ok = 0; int ok = 0;
- char* remotehost = NULL;
+ const char* remotehost = NULL;
const char* canonicalhost = get_canonical_hostname(1);
+ const char *gss_host; + const char *gss_host;
+ +
if ( strcmp( canonicalhost, "UNKNOWN" ) == 0 ) + if (options.gss_server_identity)
remotehost = authctxt->host; + gss_host = options.gss_server_identity;
else + else if (options.gss_trust_dns)
remotehost = canonicalhost; + gss_host = get_canonical_hostname(1);
+ if (options.gss_trust_dns)
+// gss_host = get_canonical_hostname(1);
+ gss_host = remotehost;
+ else + else
+ gss_host = authctxt->host; + gss_host = authctxt->host;
+
/* Try one GSSAPI method at a time, rather than sending them all at /* Try one GSSAPI method at a time, rather than sending them all at
* once. */ * once. */
@ -2562,13 +2620,13 @@ diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c
/* My DER encoding requires length<128 */ /* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 && if (gss_supported->elements[mech].length < 128 &&
ssh_gssapi_check_mechanism(&gssctxt, ssh_gssapi_check_mechanism(&gssctxt,
- &gss_supported->elements[mech], remotehost)) { - &gss_supported->elements[mech], authctxt->host)) {
+ &gss_supported->elements[mech], gss_host, + &gss_supported->elements[mech], gss_host,
+ options.gss_client_identity)) { + options.gss_client_identity)) {
ok = 1; /* Mechanism works */ ok = 1; /* Mechanism works */
} else { } else {
mech++; mech++;
@@ -689,8 +759,8 @@ input_gssapi_response(int type, u_int32_ @@ -744,8 +818,8 @@ input_gssapi_response(int type, u_int32_
{ {
Authctxt *authctxt = ctxt; Authctxt *authctxt = ctxt;
Gssctxt *gssctxt; Gssctxt *gssctxt;
@ -2579,7 +2637,7 @@ diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c
if (authctxt == NULL) if (authctxt == NULL)
fatal("input_gssapi_response: no authentication context"); fatal("input_gssapi_response: no authentication context");
@@ -800,6 +870,48 @@ input_gssapi_error(int type, u_int32_t p @@ -855,6 +929,48 @@ input_gssapi_error(int type, u_int32_t p
xfree(msg); xfree(msg);
xfree(lang); xfree(lang);
} }
@ -2628,21 +2686,21 @@ diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c
#endif /* GSSAPI */ #endif /* GSSAPI */
int int
diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c diff -up openssh-5.8p1/sshd.c.gsskex openssh-5.8p1/sshd.c
--- openssh-5.6p1/sshd.c.gsskex 2011-01-24 23:51:08.000000000 +0100 --- openssh-5.8p1/sshd.c.gsskex 2011-02-14 14:47:02.000000000 +0100
+++ openssh-5.6p1/sshd.c 2011-01-24 23:51:09.000000000 +0100 +++ openssh-5.8p1/sshd.c 2011-02-14 15:11:56.000000000 +0100
@@ -130,6 +130,10 @@ int allow_severity; @@ -123,6 +123,10 @@
int deny_severity; #include "audit.h"
#endif /* LIBWRAP */ #include "version.h"
+#ifdef USE_SECURITY_SESSION_API +#ifdef USE_SECURITY_SESSION_API
+#include <Security/AuthSession.h> +#include <Security/AuthSession.h>
+#endif +#endif
+ +
#ifndef O_NOCTTY #ifdef LIBWRAP
#define O_NOCTTY 0 #include <tcpd.h>
#endif #include <syslog.h>
@@ -1603,10 +1607,13 @@ main(int ac, char **av) @@ -1609,10 +1613,13 @@ main(int ac, char **av)
logit("Disabling protocol version 1. Could not load host key"); logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1; options.protocol &= ~SSH_PROTO_1;
} }
@ -2656,7 +2714,7 @@ diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
logit("sshd: no hostkeys available -- exiting."); logit("sshd: no hostkeys available -- exiting.");
exit(1); exit(1);
@@ -1939,6 +1946,60 @@ main(int ac, char **av) @@ -1945,6 +1952,60 @@ main(int ac, char **av)
/* Log the connection. */ /* Log the connection. */
verbose("Connection from %.500s port %d", remote_ip, remote_port); verbose("Connection from %.500s port %d", remote_ip, remote_port);
@ -2717,7 +2775,7 @@ diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c
/* /*
* We don't want to listen forever unless the other side * We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is * successfully authenticates itself. So we set up an alarm which is
@@ -2335,12 +2396,61 @@ do_ssh2_kex(void) @@ -2347,6 +2408,48 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
@ -2766,9 +2824,10 @@ diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c
/* start key exchange */ /* start key exchange */
kex = kex_setup(myproposal); kex = kex_setup(myproposal);
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; @@ -2354,6 +2457,13 @@ do_ssh2_kex(void)
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+#ifdef GSSAPI +#ifdef GSSAPI
+ if (options.gss_keyex) { + if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@ -2779,10 +2838,10 @@ diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c
kex->server = 1; kex->server = 1;
kex->client_version_string=client_version_string; kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string; kex->server_version_string=server_version_string;
diff -up openssh-5.6p1/sshd_config.5.gsskex openssh-5.6p1/sshd_config.5 diff -up openssh-5.8p1/sshd_config.5.gsskex openssh-5.8p1/sshd_config.5
--- openssh-5.6p1/sshd_config.5.gsskex 2011-01-24 23:51:08.000000000 +0100 --- openssh-5.8p1/sshd_config.5.gsskex 2011-02-14 14:47:02.000000000 +0100
+++ openssh-5.6p1/sshd_config.5 2011-01-24 23:51:09.000000000 +0100 +++ openssh-5.8p1/sshd_config.5 2011-02-14 14:47:02.000000000 +0100
@@ -424,12 +424,40 @@ Specifies whether user authentication ba @@ -423,12 +423,40 @@ Specifies whether user authentication ba
The default is The default is
.Dq no . .Dq no .
Note that this option applies to protocol version 2 only. Note that this option applies to protocol version 2 only.
@ -2823,10 +2882,10 @@ diff -up openssh-5.6p1/sshd_config.5.gsskex openssh-5.6p1/sshd_config.5
.It Cm HostbasedAuthentication .It Cm HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed with successful public key client host authentication is allowed
diff -up openssh-5.6p1/sshd_config.gsskex openssh-5.6p1/sshd_config diff -up openssh-5.8p1/sshd_config.gsskex openssh-5.8p1/sshd_config
--- openssh-5.6p1/sshd_config.gsskex 2011-01-24 23:51:08.000000000 +0100 --- openssh-5.8p1/sshd_config.gsskex 2011-02-14 14:47:02.000000000 +0100
+++ openssh-5.6p1/sshd_config 2011-01-24 23:51:09.000000000 +0100 +++ openssh-5.8p1/sshd_config 2011-02-14 15:12:38.000000000 +0100
@@ -78,6 +78,8 @@ ChallengeResponseAuthentication no @@ -80,6 +80,8 @@ ChallengeResponseAuthentication no
GSSAPIAuthentication yes GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes #GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes GSSAPICleanupCredentials yes
@ -2835,9 +2894,9 @@ diff -up openssh-5.6p1/sshd_config.gsskex openssh-5.6p1/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
diff -up openssh-5.6p1/ssh-gss.h.gsskex openssh-5.6p1/ssh-gss.h diff -up openssh-5.8p1/ssh-gss.h.gsskex openssh-5.8p1/ssh-gss.h
--- openssh-5.6p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200 --- openssh-5.8p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200
+++ openssh-5.6p1/ssh-gss.h 2011-01-24 23:51:09.000000000 +0100 +++ openssh-5.8p1/ssh-gss.h 2011-02-14 14:47:02.000000000 +0100
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
/* /*

68
openssh-5.6p1-kuserok.patch → openssh-5.8p1-kuserok.patch
View File

@ -1,6 +1,6 @@
diff -up openssh-5.6p1/auth-krb5.c.kuserok openssh-5.6p1/auth-krb5.c diff -up openssh-5.8p1/auth-krb5.c.kuserok openssh-5.8p1/auth-krb5.c
--- openssh-5.6p1/auth-krb5.c.kuserok 2010-11-15 10:08:05.000000000 +0100 --- openssh-5.8p1/auth-krb5.c.kuserok 2009-12-21 00:49:22.000000000 +0100
+++ openssh-5.6p1/auth-krb5.c 2010-11-15 10:11:02.000000000 +0100 +++ openssh-5.8p1/auth-krb5.c 2011-02-14 09:15:12.000000000 +0100
@@ -54,6 +54,20 @@ @@ -54,6 +54,20 @@
extern ServerOptions options; extern ServerOptions options;
@ -31,9 +31,9 @@ diff -up openssh-5.6p1/auth-krb5.c.kuserok openssh-5.6p1/auth-krb5.c
problem = -1; problem = -1;
goto out; goto out;
} }
diff -up openssh-5.6p1/gss-serv-krb5.c.kuserok openssh-5.6p1/gss-serv-krb5.c diff -up openssh-5.8p1/gss-serv-krb5.c.kuserok openssh-5.8p1/gss-serv-krb5.c
--- openssh-5.6p1/gss-serv-krb5.c.kuserok 2010-11-15 10:08:05.000000000 +0100 --- openssh-5.8p1/gss-serv-krb5.c.kuserok 2006-09-01 07:38:36.000000000 +0200
+++ openssh-5.6p1/gss-serv-krb5.c 2010-11-15 10:12:35.000000000 +0100 +++ openssh-5.8p1/gss-serv-krb5.c 2011-02-14 09:15:12.000000000 +0100
@@ -57,6 +57,7 @@ extern ServerOptions options; @@ -57,6 +57,7 @@ extern ServerOptions options;
#endif #endif
@ -51,18 +51,18 @@ diff -up openssh-5.6p1/gss-serv-krb5.c.kuserok openssh-5.6p1/gss-serv-krb5.c
retval = 1; retval = 1;
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
name, (char *)client->displayname.value); name, (char *)client->displayname.value);
diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
--- openssh-5.6p1/servconf.c.kuserok 2010-11-15 10:08:05.000000000 +0100 --- openssh-5.8p1/servconf.c.kuserok 2011-02-14 09:15:12.000000000 +0100
+++ openssh-5.6p1/servconf.c 2010-11-15 10:08:05.000000000 +0100 +++ openssh-5.8p1/servconf.c 2011-02-14 09:20:22.000000000 +0100
@@ -138,6 +138,7 @@ initialize_server_options(ServerOptions @@ -142,6 +142,7 @@ initialize_server_options(ServerOptions
options->revoked_keys_file = NULL;
options->trusted_user_ca_keys = NULL;
options->authorized_principals_file = NULL; options->authorized_principals_file = NULL;
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
+ options->use_kuserok = -1; + options->use_kuserok = -1;
} }
void void
@@ -286,6 +287,8 @@ fill_default_server_options(ServerOption @@ -291,6 +292,8 @@ fill_default_server_options(ServerOption
if (use_privsep == -1) if (use_privsep == -1)
use_privsep = 1; use_privsep = 1;
@ -71,7 +71,7 @@ diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c
#ifndef HAVE_MMAP #ifndef HAVE_MMAP
if (use_privsep && options->compression == 1) { if (use_privsep && options->compression == 1) {
error("This platform does not support both privilege " error("This platform does not support both privilege "
@@ -307,7 +310,7 @@ typedef enum { @@ -312,7 +315,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel, sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@ -80,7 +80,7 @@ diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c
sKerberosTgtPassing, sChallengeResponseAuthentication, sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily, sListenAddress, sAddressFamily,
@@ -377,11 +380,13 @@ static struct { @@ -381,11 +384,13 @@ static struct {
#else #else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif #endif
@ -105,15 +105,15 @@ diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c
case sPermitOpen: case sPermitOpen:
arg = strdelim(&cp); arg = strdelim(&cp);
if (!arg || *arg == '\0') if (!arg || *arg == '\0')
@@ -1525,6 +1534,7 @@ copy_set_server_options(ServerOptions *d @@ -1544,6 +1553,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(x11_use_localhost);
M_CP_INTOPT(max_sessions);
M_CP_INTOPT(max_authtries); M_CP_INTOPT(max_authtries);
M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk);
+ M_CP_INTOPT(use_kuserok); + M_CP_INTOPT(use_kuserok);
M_CP_STROPT(banner); M_CP_STROPT(banner);
if (preauth) if (preauth)
@@ -1745,6 +1755,7 @@ dump_config(ServerOptions *o) @@ -1764,6 +1774,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
@ -121,9 +121,9 @@ diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c
/* string arguments */ /* string arguments */
dump_cfg_string(sPidFile, o->pid_file); dump_cfg_string(sPidFile, o->pid_file);
diff -up openssh-5.6p1/servconf.h.kuserok openssh-5.6p1/servconf.h diff -up openssh-5.8p1/servconf.h.kuserok openssh-5.8p1/servconf.h
--- openssh-5.6p1/servconf.h.kuserok 2010-11-15 10:08:05.000000000 +0100 --- openssh-5.8p1/servconf.h.kuserok 2011-02-14 09:15:12.000000000 +0100
+++ openssh-5.6p1/servconf.h 2010-11-15 10:08:05.000000000 +0100 +++ openssh-5.8p1/servconf.h 2011-02-14 09:15:12.000000000 +0100
@@ -157,6 +157,7 @@ typedef struct { @@ -157,6 +157,7 @@ typedef struct {
int num_permitted_opens; int num_permitted_opens;
@ -132,10 +132,10 @@ diff -up openssh-5.6p1/servconf.h.kuserok openssh-5.6p1/servconf.h
char *chroot_directory; char *chroot_directory;
char *revoked_keys_file; char *revoked_keys_file;
char *trusted_user_ca_keys; char *trusted_user_ca_keys;
diff -up openssh-5.6p1/sshd_config.5.kuserok openssh-5.6p1/sshd_config.5 diff -up openssh-5.8p1/sshd_config.5.kuserok openssh-5.8p1/sshd_config.5
--- openssh-5.6p1/sshd_config.5.kuserok 2010-11-15 10:08:05.000000000 +0100 --- openssh-5.8p1/sshd_config.5.kuserok 2011-02-14 09:15:12.000000000 +0100
+++ openssh-5.6p1/sshd_config.5 2010-11-15 10:08:05.000000000 +0100 +++ openssh-5.8p1/sshd_config.5 2011-02-14 09:17:11.000000000 +0100
@@ -564,6 +564,10 @@ Specifies whether to automatically destr @@ -574,6 +574,10 @@ Specifies whether to automatically destr
file on logout. file on logout.
The default is The default is
.Dq yes . .Dq yes .
@ -143,10 +143,10 @@ diff -up openssh-5.6p1/sshd_config.5.kuserok openssh-5.6p1/sshd_config.5
+Specifies whether to look at .k5login file for user's aliases. +Specifies whether to look at .k5login file for user's aliases.
+The default is +The default is
+.Dq yes . +.Dq yes .
.It Cm KeyRegenerationInterval .It Cm KexAlgorithms
In protocol version 1, the ephemeral server key is automatically regenerated Specifies the available KEX (Key Exchange) algorithms.
after this many seconds (if it has been used). Multiple algorithms must be comma-separated.
@@ -694,6 +698,7 @@ Available keywords are @@ -715,6 +719,7 @@ Available keywords are
.Cm HostbasedUsesNameFromPacketOnly , .Cm HostbasedUsesNameFromPacketOnly ,
.Cm KbdInteractiveAuthentication , .Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication , .Cm KerberosAuthentication ,
@ -154,10 +154,10 @@ diff -up openssh-5.6p1/sshd_config.5.kuserok openssh-5.6p1/sshd_config.5
.Cm MaxAuthTries , .Cm MaxAuthTries ,
.Cm MaxSessions , .Cm MaxSessions ,
.Cm PubkeyAuthentication , .Cm PubkeyAuthentication ,
diff -up openssh-5.6p1/sshd_config.kuserok openssh-5.6p1/sshd_config diff -up openssh-5.8p1/sshd_config.kuserok openssh-5.8p1/sshd_config
--- openssh-5.6p1/sshd_config.kuserok 2010-11-15 10:08:05.000000000 +0100 --- openssh-5.8p1/sshd_config.kuserok 2011-02-14 09:15:12.000000000 +0100
+++ openssh-5.6p1/sshd_config 2010-11-15 10:08:05.000000000 +0100 +++ openssh-5.8p1/sshd_config 2011-02-14 09:15:12.000000000 +0100
@@ -72,6 +72,7 @@ ChallengeResponseAuthentication no @@ -73,6 +73,7 @@ ChallengeResponseAuthentication no
#KerberosOrLocalPasswd yes #KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes #KerberosTicketCleanup yes
#KerberosGetAFSToken no #KerberosGetAFSToken no

118
openssh-5.6p1-mls.patch → openssh-5.8p1-mls.patch
View File

@ -1,18 +1,7 @@
diff -up openssh-5.6p1/configure.ac.mls openssh-5.6p1/configure.ac diff -up openssh-5.8p1/misc.c.mls openssh-5.8p1/misc.c
--- openssh-5.6p1/configure.ac.mls 2010-08-23 12:11:36.000000000 +0200 --- openssh-5.8p1/misc.c.mls 2011-01-13 02:21:36.000000000 +0100
+++ openssh-5.6p1/configure.ac 2010-08-23 12:11:36.000000000 +0200 +++ openssh-5.8p1/misc.c 2011-02-12 15:05:06.000000000 +0100
@@ -3390,6 +3390,7 @@ AC_ARG_WITH(selinux, @@ -427,6 +427,7 @@ char *
SSHDLIBS="$SSHDLIBS $LIBSELINUX"
LIBS="$LIBS $LIBSELINUX"
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
+ AC_CHECK_FUNCS(setkeycreatecon)
LIBS="$save_LIBS"
fi ]
)
diff -up openssh-5.6p1/misc.c.mls openssh-5.6p1/misc.c
--- openssh-5.6p1/misc.c.mls 2010-08-03 08:05:05.000000000 +0200
+++ openssh-5.6p1/misc.c 2010-08-23 12:14:16.000000000 +0200
@@ -424,6 +424,7 @@ char *
colon(char *cp) colon(char *cp)
{ {
int flag = 0; int flag = 0;
@ -20,7 +9,7 @@ diff -up openssh-5.6p1/misc.c.mls openssh-5.6p1/misc.c
if (*cp == ':') /* Leading colon is part of file name. */ if (*cp == ':') /* Leading colon is part of file name. */
return NULL; return NULL;
@@ -439,6 +440,13 @@ colon(char *cp) @@ -442,6 +443,13 @@ colon(char *cp)
return (cp); return (cp);
if (*cp == '/') if (*cp == '/')
return NULL; return NULL;
@ -34,15 +23,10 @@ diff -up openssh-5.6p1/misc.c.mls openssh-5.6p1/misc.c
} }
return NULL; return NULL;
} }
diff -up openssh-5.6p1/openbsd-compat/port-linux.c.mls openssh-5.6p1/openbsd-compat/port-linux.c diff -up openssh-5.8p1/openbsd-compat/port-linux.c.mls openssh-5.8p1/openbsd-compat/port-linux.c
--- openssh-5.6p1/openbsd-compat/port-linux.c.mls 2010-08-23 12:11:36.000000000 +0200 --- openssh-5.8p1/openbsd-compat/port-linux.c.mls 2011-02-12 15:05:06.000000000 +0100
+++ openssh-5.6p1/openbsd-compat/port-linux.c 2010-08-23 12:11:37.000000000 +0200 +++ openssh-5.8p1/openbsd-compat/port-linux.c 2011-02-12 15:09:23.000000000 +0100
@@ -35,13 +35,24 @@ @@ -40,13 +40,164 @@
#include "key.h"
#include "hostfile.h"
#include "auth.h"
+#include "xmalloc.h"
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
#include <selinux/selinux.h> #include <selinux/selinux.h>
#include <selinux/flask.h> #include <selinux/flask.h>
@ -56,15 +40,10 @@ diff -up openssh-5.6p1/openbsd-compat/port-linux.c.mls openssh-5.6p1/openbsd-com
+#include <unistd.h> +#include <unistd.h>
+#endif +#endif
extern ServerOptions options;
extern Authctxt *the_authctxt; extern Authctxt *the_authctxt;
+extern int inetd_flag; extern int inetd_flag;
+extern int rexeced_flag; extern int rexeced_flag;
/* Wrapper around is_selinux_enabled() to log its return value once only */
int
@@ -57,17 +68,173 @@ ssh_selinux_enabled(void)
return (enabled);
}
+/* Send audit message */ +/* Send audit message */
+static int +static int
@ -80,8 +59,8 @@ diff -up openssh-5.6p1/openbsd-compat/port-linux.c.mls openssh-5.6p1/openbsd-com
+ rc = -1; + rc = -1;
+ if (audit_fd < 0) { + if (audit_fd < 0) {
+ if (errno == EINVAL || errno == EPROTONOSUPPORT || + if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT) + errno == EAFNOSUPPORT)
+ return 0; /* No audit support in kernel */ + return 0; /* No audit support in kernel */
+ error("Error connecting to audit system."); + error("Error connecting to audit system.");
+ return rc; + return rc;
+ } + }
@ -204,11 +183,17 @@ diff -up openssh-5.6p1/openbsd-compat/port-linux.c.mls openssh-5.6p1/openbsd-com
+#endif +#endif
+ return 0; + return 0;
+ out: + out:
+ freecon(*sc); + freecon(*sc);
+ *sc = NULL; + *sc = NULL;
+ return -1; + return -1;
+} +}
+ +
static void
ssh_selinux_get_role_level(char **role, const char **level)
{
@@ -65,14 +216,16 @@ ssh_selinux_get_role_level(char **role,
}
/* Return the default security context for the given username */ /* Return the default security context for the given username */
-static security_context_t -static security_context_t
-ssh_selinux_getctxbyname(char *pwname) -ssh_selinux_getctxbyname(char *pwname)
@ -216,33 +201,16 @@ diff -up openssh-5.6p1/openbsd-compat/port-linux.c.mls openssh-5.6p1/openbsd-com
+ssh_selinux_getctxbyname(char *pwname, +ssh_selinux_getctxbyname(char *pwname,
+ security_context_t *default_sc, security_context_t *user_sc) + security_context_t *default_sc, security_context_t *user_sc)
{ {
- security_context_t sc = NULL; security_context_t sc = NULL;
char *sename, *lvl; char *sename, *lvl;
+ const char *reqlvl = NULL; char *role;
char *role = NULL; const char *reqlvl;
- int r = 0; int r = 0;
+ int r = -1; + context_t con;
+ context_t con = NULL;
+
+ *default_sc = NULL;
+ *user_sc = NULL;
+ if (the_authctxt) {
+ if (the_authctxt->role != NULL) {
+ char *slash;
+ role = xstrdup(the_authctxt->role);
+ if ((slash = strchr(role, '/')) != NULL) {
+ *slash = '\0';
+ reqlvl = slash + 1;
+ }
+ }
+ }
- if (the_authctxt) ssh_selinux_get_role_level(&role, &reqlvl);
- role=the_authctxt->role;
#ifdef HAVE_GETSEUSERBYNAME #ifdef HAVE_GETSEUSERBYNAME
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) { @@ -82,38 +235,63 @@ ssh_selinux_getctxbyname(char *pwname)
sename = NULL;
@@ -75,38 +242,63 @@ ssh_selinux_getctxbyname(char *pwname)
} }
#else #else
sename = pwname; sename = pwname;
@ -328,29 +296,31 @@ diff -up openssh-5.6p1/openbsd-compat/port-linux.c.mls openssh-5.6p1/openbsd-com
#ifdef HAVE_GETSEUSERBYNAME #ifdef HAVE_GETSEUSERBYNAME
if (sename != NULL) if (sename != NULL)
@@ -114,14 +306,20 @@ ssh_selinux_getctxbyname(char *pwname) @@ -121,8 +299,12 @@ ssh_selinux_getctxbyname(char *pwname)
if (lvl != NULL) if (lvl != NULL)
xfree(lvl); xfree(lvl);
#endif #endif
-
- return (sc);
+ if (role != NULL) + if (role != NULL)
+ xfree(role); + xfree(role);
+ if (con) + if (con)
+ context_free(con); + context_free(con);
+
- return (sc);
+ return (r); + return (r);
} }
/* Set the execution context to the default for the specified user */ /* Setup environment variables for pam_selinux */
void @@ -160,6 +342,8 @@ void
ssh_selinux_setup_exec_context(char *pwname) ssh_selinux_setup_exec_context(char *pwname)
{ {
security_context_t user_ctx = NULL;
+ int r = 0; + int r = 0;
+ security_context_t default_ctx = NULL; + security_context_t default_ctx = NULL;
security_context_t user_ctx = NULL;
if (!ssh_selinux_enabled()) if (!ssh_selinux_enabled())
@@ -129,22 +327,45 @@ ssh_selinux_setup_exec_context(char *pwn return;
@@ -184,22 +368,45 @@ ssh_selinux_setup_exec_context(char *pwn
debug3("%s: setting execution context", __func__); debug3("%s: setting execution context", __func__);
@ -403,7 +373,7 @@ diff -up openssh-5.6p1/openbsd-compat/port-linux.c.mls openssh-5.6p1/openbsd-com
debug3("%s: done", __func__); debug3("%s: done", __func__);
} }
@@ -162,7 +383,10 @@ ssh_selinux_setup_pty(char *pwname, cons @@ -217,7 +424,10 @@ ssh_selinux_setup_pty(char *pwname, cons
debug3("%s: setting TTY context on %s", __func__, tty); debug3("%s: setting TTY context on %s", __func__, tty);
@ -415,10 +385,10 @@ diff -up openssh-5.6p1/openbsd-compat/port-linux.c.mls openssh-5.6p1/openbsd-com
/* XXX: should these calls fatal() upon failure in enforcing mode? */ /* XXX: should these calls fatal() upon failure in enforcing mode? */
diff -up openssh-5.6p1/sshd.c.mls openssh-5.6p1/sshd.c diff -up openssh-5.8p1/sshd.c.mls openssh-5.8p1/sshd.c
--- openssh-5.6p1/sshd.c.mls 2010-08-23 12:11:36.000000000 +0200 --- openssh-5.8p1/sshd.c.mls 2011-02-12 15:05:05.000000000 +0100
+++ openssh-5.6p1/sshd.c 2010-08-23 12:11:37.000000000 +0200 +++ openssh-5.8p1/sshd.c 2011-02-12 15:05:06.000000000 +0100
@@ -1997,6 +1997,9 @@ main(int ac, char **av) @@ -2011,6 +2011,9 @@ main(int ac, char **av)
restore_uid(); restore_uid();
} }
#endif #endif

26
openssh-5.4p1-pam_selinux.patch → openssh-5.8p1-pam_selinux.patch
View File

@ -1,6 +1,6 @@
diff -up openssh-5.4p1/auth-pam.c.pam_selinux openssh-5.4p1/auth-pam.c diff -up openssh-5.8p1/auth-pam.c.pam_selinux openssh-5.8p1/auth-pam.c
--- openssh-5.4p1/auth-pam.c.pam_selinux 2009-07-12 14:07:21.000000000 +0200 --- openssh-5.8p1/auth-pam.c.pam_selinux 2009-07-12 14:07:21.000000000 +0200
+++ openssh-5.4p1/auth-pam.c 2010-03-01 15:27:23.000000000 +0100 +++ openssh-5.8p1/auth-pam.c 2011-02-12 10:49:57.000000000 +0100
@@ -1069,7 +1069,7 @@ is_pam_session_open(void) @@ -1069,7 +1069,7 @@ is_pam_session_open(void)
* during the ssh authentication process. * during the ssh authentication process.
*/ */
@ -10,9 +10,9 @@ diff -up openssh-5.4p1/auth-pam.c.pam_selinux openssh-5.4p1/auth-pam.c
{ {
int ret = 1; int ret = 1;
#ifdef HAVE_PAM_PUTENV #ifdef HAVE_PAM_PUTENV
diff -up openssh-5.4p1/auth-pam.h.pam_selinux openssh-5.4p1/auth-pam.h diff -up openssh-5.8p1/auth-pam.h.pam_selinux openssh-5.8p1/auth-pam.h
--- openssh-5.4p1/auth-pam.h.pam_selinux 2004-09-11 14:17:26.000000000 +0200 --- openssh-5.8p1/auth-pam.h.pam_selinux 2004-09-11 14:17:26.000000000 +0200
+++ openssh-5.4p1/auth-pam.h 2010-03-01 15:27:23.000000000 +0100 +++ openssh-5.8p1/auth-pam.h 2011-02-12 10:49:57.000000000 +0100
@@ -38,7 +38,7 @@ void do_pam_session(void); @@ -38,7 +38,7 @@ void do_pam_session(void);
void do_pam_set_tty(const char *); void do_pam_set_tty(const char *);
void do_pam_setcred(int ); void do_pam_setcred(int );
@ -22,9 +22,9 @@ diff -up openssh-5.4p1/auth-pam.h.pam_selinux openssh-5.4p1/auth-pam.h
char ** fetch_pam_environment(void); char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void); char ** fetch_pam_child_environment(void);
void free_pam_environment(char **); void free_pam_environment(char **);
diff -up openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.4p1/openbsd-compat/port-linux.c diff -up openssh-5.8p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.8p1/openbsd-compat/port-linux.c
--- openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux 2010-03-01 15:27:22.000000000 +0100 --- openssh-5.8p1/openbsd-compat/port-linux.c.pam_selinux 2011-02-12 10:49:57.000000000 +0100
+++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:27:53.000000000 +0100 +++ openssh-5.8p1/openbsd-compat/port-linux.c 2011-02-12 10:55:52.000000000 +0100
@@ -36,6 +36,7 @@ @@ -36,6 +36,7 @@
#include "hostfile.h" #include "hostfile.h"
#include "auth.h" #include "auth.h"
@ -41,8 +41,8 @@ diff -up openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.4p1/ope
extern Authctxt *the_authctxt; extern Authctxt *the_authctxt;
extern int inetd_flag; extern int inetd_flag;
extern int rexeced_flag; extern int rexeced_flag;
@@ -211,29 +213,38 @@ get_user_context(const char *sename, con @@ -197,29 +199,38 @@ get_user_context(const char *sename, con
return -1; return -1;
} }
+static void +static void
@ -92,7 +92,7 @@ diff -up openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.4p1/ope
#ifdef HAVE_GETSEUSERBYNAME #ifdef HAVE_GETSEUSERBYNAME
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) { if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
@@ -314,6 +325,36 @@ ssh_selinux_getctxbyname(char *pwname, @@ -300,6 +311,36 @@ ssh_selinux_getctxbyname(char *pwname,
return (r); return (r);
} }
@ -129,7 +129,7 @@ diff -up openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.4p1/ope
/* Set the execution context to the default for the specified user */ /* Set the execution context to the default for the specified user */
void void
ssh_selinux_setup_exec_context(char *pwname) ssh_selinux_setup_exec_context(char *pwname)
@@ -325,6 +366,24 @@ ssh_selinux_setup_exec_context(char *pwn @@ -311,6 +352,24 @@ ssh_selinux_setup_exec_context(char *pwn
if (!ssh_selinux_enabled()) if (!ssh_selinux_enabled())
return; return;

8
openssh-5.3p1-randclean.patch → openssh-5.8p1-randclean.patch
View File

@ -1,9 +1,9 @@
diff -up openssh-5.3p1/entropy.c.randclean openssh-5.3p1/entropy.c diff -up openssh-5.8p1/entropy.c.randclean openssh-5.8p1/entropy.c
--- openssh-5.3p1/entropy.c.randclean 2010-01-21 09:26:30.000000000 +0100 --- openssh-5.8p1/entropy.c.randclean 2011-01-13 11:05:29.000000000 +0100
+++ openssh-5.3p1/entropy.c 2010-01-21 09:26:37.000000000 +0100 +++ openssh-5.8p1/entropy.c 2011-02-14 00:26:31.000000000 +0100
@@ -159,6 +159,9 @@ init_rng(void) @@ -159,6 +159,9 @@ init_rng(void)
fatal("OpenSSL version mismatch. Built against %lx, you " fatal("OpenSSL version mismatch. Built against %lx, you "
"have %lx", OPENSSL_VERSION_NUMBER, SSLeay()); "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
+ /* clean the PRNG status when exiting the program */ + /* clean the PRNG status when exiting the program */
+ atexit(RAND_cleanup); + atexit(RAND_cleanup);

611
openssh-5.8p1-selinux-role.patch Normal file
View File

@ -0,0 +1,611 @@
diff -up openssh-5.8p1/auth1.c.role openssh-5.8p1/auth1.c
--- openssh-5.8p1/auth1.c.role 2010-08-31 14:36:39.000000000 +0200
+++ openssh-5.8p1/auth1.c 2011-02-12 14:34:11.000000000 +0100
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
{
u_int ulen;
char *user, *style = NULL;
+#ifdef WITH_SELINUX
+ char *role=NULL;
+#endif
/* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER);
@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt)
user = packet_get_cstring(&ulen);
packet_check_eom();
+#ifdef WITH_SELINUX
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = '\0';
+#endif
+
if ((style = strchr(user, ':')) != NULL)
*style++ = '\0';
+#ifdef WITH_SELINUX
+ else
+ if (role && (style = strchr(role, ':')) != NULL)
+ *style++ = '\0';
+#endif
authctxt->user = user;
authctxt->style = style;
+#ifdef WITH_SELINUX
+ authctxt->role = role;
+#endif
/* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
diff -up openssh-5.8p1/auth2.c.role openssh-5.8p1/auth2.c
--- openssh-5.8p1/auth2.c.role 2010-08-31 14:36:39.000000000 +0200
+++ openssh-5.8p1/auth2.c 2011-02-12 14:34:11.000000000 +0100
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
Authctxt *authctxt = ctxt;
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
+#ifdef WITH_SELINUX
+ char *role = NULL;
+#endif
int authenticated = 0;
if (authctxt == NULL)
@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+#ifdef WITH_SELINUX
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = 0;
+#endif
+
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
@@ -252,8 +260,15 @@ input_userauth_request(int type, u_int32
use_privsep ? " [net]" : "");
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
- if (use_privsep)
+#ifdef WITH_SELINUX
+ authctxt->role = role ? xstrdup(role) : NULL;
+#endif
+ if (use_privsep) {
mm_inform_authserv(service, style);
+#ifdef WITH_SELINUX
+ mm_inform_authrole(role);
+#endif
+ }
userauth_banner();
} else if (strcmp(user, authctxt->user) != 0 ||
strcmp(service, authctxt->service) != 0) {
diff -up openssh-5.8p1/auth2-gss.c.role openssh-5.8p1/auth2-gss.c
--- openssh-5.8p1/auth2-gss.c.role 2007-12-02 12:59:45.000000000 +0100
+++ openssh-5.8p1/auth2-gss.c 2011-02-12 14:34:11.000000000 +0100
@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
int authenticated = 0;
+ char *micuser;
Buffer b;
gss_buffer_desc mic, gssbuf;
u_int len;
@@ -270,7 +271,13 @@ input_gssapi_mic(int type, u_int32_t ple
mic.value = packet_get_string(&len);
mic.length = len;
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+#ifdef WITH_SELINUX
+ if (authctxt->role && (strlen(authctxt->role) > 0))
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
+ else
+#endif
+ micuser = authctxt->user;
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
"gssapi-with-mic");
gssbuf.value = buffer_ptr(&b);
@@ -282,6 +289,8 @@ input_gssapi_mic(int type, u_int32_t ple
logit("GSSAPI MIC check failed");
buffer_free(&b);
+ if (micuser != authctxt->user)
+ xfree(micuser);
xfree(mic.value);
authctxt->postponed = 0;
diff -up openssh-5.8p1/auth2-hostbased.c.role openssh-5.8p1/auth2-hostbased.c
--- openssh-5.8p1/auth2-hostbased.c.role 2011-02-12 14:34:10.000000000 +0100
+++ openssh-5.8p1/auth2-hostbased.c 2011-02-12 14:34:11.000000000 +0100
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+#endif
+ buffer_put_cstring(&b, authctxt->user);
buffer_put_cstring(&b, service);
buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen);
diff -up openssh-5.8p1/auth2-pubkey.c.role openssh-5.8p1/auth2-pubkey.c
--- openssh-5.8p1/auth2-pubkey.c.role 2011-02-12 14:34:11.000000000 +0100
+++ openssh-5.8p1/auth2-pubkey.c 2011-02-12 14:34:11.000000000 +0100
@@ -122,7 +122,15 @@ userauth_pubkey(Authctxt *authctxt)
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+#endif
+ buffer_put_cstring(&b, authctxt->user);
buffer_put_cstring(&b,
datafellows & SSH_BUG_PKSERVICE ?
"ssh-userauth" :
diff -up openssh-5.8p1/auth.h.role openssh-5.8p1/auth.h
--- openssh-5.8p1/auth.h.role 2011-02-12 14:34:10.000000000 +0100
+++ openssh-5.8p1/auth.h 2011-02-12 14:34:11.000000000 +0100
@@ -58,6 +58,9 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
char *style;
+#ifdef WITH_SELINUX
+ char *role;
+#endif
void *kbdintctxt;
void *jpake_ctx;
#ifdef BSD_AUTH
diff -up openssh-5.8p1/auth-pam.c.role openssh-5.8p1/auth-pam.c
--- openssh-5.8p1/auth-pam.c.role 2009-07-12 14:07:21.000000000 +0200
+++ openssh-5.8p1/auth-pam.c 2011-02-12 14:34:11.000000000 +0100
@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
* during the ssh authentication process.
*/
int
-do_pam_putenv(char *name, char *value)
+do_pam_putenv(char *name, const char *value)
{
int ret = 1;
#ifdef HAVE_PAM_PUTENV
diff -up openssh-5.8p1/auth-pam.h.role openssh-5.8p1/auth-pam.h
--- openssh-5.8p1/auth-pam.h.role 2004-09-11 14:17:26.000000000 +0200
+++ openssh-5.8p1/auth-pam.h 2011-02-12 14:34:11.000000000 +0100
@@ -38,7 +38,7 @@ void do_pam_session(void);
void do_pam_set_tty(const char *);
void do_pam_setcred(int );
void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
diff -up openssh-5.8p1/monitor.c.role openssh-5.8p1/monitor.c
--- openssh-5.8p1/monitor.c.role 2011-02-12 14:34:11.000000000 +0100
+++ openssh-5.8p1/monitor.c 2011-02-12 14:34:11.000000000 +0100
@@ -138,6 +138,9 @@ int mm_answer_sign(int, Buffer *);
int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *);
int mm_answer_authserv(int, Buffer *);
+#ifdef WITH_SELINUX
+int mm_answer_authrole(int, Buffer *);
+#endif
int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *);
int mm_answer_bsdauthrespond(int, Buffer *);
@@ -218,6 +221,9 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+#ifdef WITH_SELINUX
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
+#endif
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
@@ -703,6 +709,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
else {
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+#ifdef WITH_SELINUX
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+#endif
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
}
@@ -747,6 +756,25 @@ mm_answer_authserv(int sock, Buffer *m)
return (0);
}
+#ifdef WITH_SELINUX
+int
+mm_answer_authrole(int sock, Buffer *m)
+{
+ monitor_permit_authentications(1);
+
+ authctxt->role = buffer_get_string(m, NULL);
+ debug3("%s: role=%s",
+ __func__, authctxt->role);
+
+ if (strlen(authctxt->role) == 0) {
+ xfree(authctxt->role);
+ authctxt->role = NULL;
+ }
+
+ return (0);
+}
+#endif
+
int
mm_answer_authpassword(int sock, Buffer *m)
{
@@ -1112,7 +1140,7 @@ static int
monitor_valid_userblob(u_char *data, u_int datalen)
{
Buffer b;
- char *p;
+ char *p, *r;
u_int len;
int fail = 0;
@@ -1138,6 +1166,8 @@ monitor_valid_userblob(u_char *data, u_i
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_string(&b, NULL);
+ if ((r = strchr(p, '/')) != NULL)
+ *r = '\0';
if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);
@@ -1169,7 +1199,7 @@ monitor_valid_hostbasedblob(u_char *data
char *chost)
{
Buffer b;
- char *p;
+ char *p, *r;
u_int len;
int fail = 0;
@@ -1186,6 +1216,8 @@ monitor_valid_hostbasedblob(u_char *data
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_string(&b, NULL);
+ if ((r = strchr(p, '/')) != NULL)
+ *r = '\0';
if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);
diff -up openssh-5.8p1/monitor.h.role openssh-5.8p1/monitor.h
--- openssh-5.8p1/monitor.h.role 2011-02-12 14:34:11.000000000 +0100
+++ openssh-5.8p1/monitor.h 2011-02-12 14:34:11.000000000 +0100
@@ -31,6 +31,9 @@
enum monitor_reqtype {
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+#ifdef WITH_SELINUX
+ MONITOR_REQ_AUTHROLE,
+#endif
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
diff -up openssh-5.8p1/monitor_wrap.c.role openssh-5.8p1/monitor_wrap.c
--- openssh-5.8p1/monitor_wrap.c.role 2011-02-12 14:34:11.000000000 +0100
+++ openssh-5.8p1/monitor_wrap.c 2011-02-12 14:34:11.000000000 +0100
@@ -298,6 +298,25 @@ mm_inform_authserv(char *service, char *
buffer_free(&m);
}
+/* Inform the privileged process about role */
+
+#ifdef WITH_SELINUX
+void
+mm_inform_authrole(char *role)
+{
+ Buffer m;
+
+ debug3("%s entering", __func__);
+
+ buffer_init(&m);
+ buffer_put_cstring(&m, role ? role : "");
+
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+ buffer_free(&m);
+}
+#endif
+
/* Do the password authentication */
int
mm_auth_password(Authctxt *authctxt, char *password)
diff -up openssh-5.8p1/monitor_wrap.h.role openssh-5.8p1/monitor_wrap.h
--- openssh-5.8p1/monitor_wrap.h.role 2011-02-12 14:34:11.000000000 +0100
+++ openssh-5.8p1/monitor_wrap.h 2011-02-12 14:34:11.000000000 +0100
@@ -41,6 +41,9 @@ int mm_is_monitor(void);
DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
void mm_inform_authserv(char *, char *);
+#ifdef WITH_SELINUX
+void mm_inform_authrole(char *);
+#endif
struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *);
diff -up openssh-5.8p1/openbsd-compat/Makefile.in.role openssh-5.8p1/openbsd-compat/Makefile.in
--- openssh-5.8p1/openbsd-compat/Makefile.in.role 2010-10-07 13:19:24.000000000 +0200
+++ openssh-5.8p1/openbsd-compat/Makefile.in 2011-02-12 14:34:11.000000000 +0100
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff -up openssh-5.8p1/openbsd-compat/port-linux.c.role openssh-5.8p1/openbsd-compat/port-linux.c
--- openssh-5.8p1/openbsd-compat/port-linux.c.role 2011-02-12 14:34:11.000000000 +0100
+++ openssh-5.8p1/openbsd-compat/port-linux.c 2011-02-12 14:37:31.000000000 +0100
@@ -31,48 +31,73 @@
#include "log.h"
#include "xmalloc.h"
+#include "servconf.h"
#include "port-linux.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
#include <selinux/flask.h>
#include <selinux/get_context_list.h>
-/* Wrapper around is_selinux_enabled() to log its return value once only */
-int
-ssh_selinux_enabled(void)
-{
- static int enabled = -1;
+extern ServerOptions options;
+extern Authctxt *the_authctxt;
+extern int inetd_flag;
+extern int rexeced_flag;
- if (enabled == -1) {
- enabled = (is_selinux_enabled() == 1);
- debug("SELinux support %s", enabled ? "enabled" : "disabled");
+static void
+ssh_selinux_get_role_level(char **role, const char **level)
+{
+ *role = NULL;
+ *level = NULL;
+ if (the_authctxt) {
+ if (the_authctxt->role != NULL) {
+ char *slash;
+ *role = xstrdup(the_authctxt->role);
+ if ((slash = strchr(*role, '/')) != NULL) {
+ *slash = '\0';
+ *level = slash + 1;
+ }
+ }
}
-
- return (enabled);
}
/* Return the default security context for the given username */
static security_context_t
ssh_selinux_getctxbyname(char *pwname)
{
- security_context_t sc;
- char *sename = NULL, *lvl = NULL;
- int r;
+ security_context_t sc = NULL;
+ char *sename, *lvl;
+ char *role;
+ const char *reqlvl;
+ int r = 0;
+ ssh_selinux_get_role_level(&role, &reqlvl);
#ifdef HAVE_GETSEUSERBYNAME
- if (getseuserbyname(pwname, &sename, &lvl) != 0)
- return NULL;
+ if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
+ sename = NULL;
+ lvl = NULL;
+ }
#else
sename = pwname;
lvl = NULL;
#endif
+ if (r == 0) {
#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
- r = get_default_context_with_level(sename, lvl, NULL, &sc);
+ if (role != NULL && role[0])
+ r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc);
+ else
+ r = get_default_context_with_level(sename, lvl, NULL, &sc);
#else
- r = get_default_context(sename, NULL, &sc);
+ if (role != NULL && role[0])
+ r = get_default_context_with_role(sename, role, NULL, &sc);
+ else
+ r = get_default_context(sename, NULL, &sc);
#endif
+ }
if (r != 0) {
switch (security_getenforce()) {
@@ -100,6 +125,36 @@ ssh_selinux_getctxbyname(char *pwname)
return (sc);
}
+/* Setup environment variables for pam_selinux */
+static int
+ssh_selinux_setup_pam_variables(void)
+{
+ const char *reqlvl;
+ char *role;
+ char *use_current;
+ int rv;
+
+ debug3("%s: setting execution context", __func__);
+
+ ssh_selinux_get_role_level(&role, &reqlvl);
+
+ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
+
+ if (inetd_flag && !rexeced_flag) {
+ use_current = "1";
+ } else {
+ use_current = "";
+ rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
+ }
+
+ rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
+
+ if (role != NULL)
+ xfree(role);
+
+ return rv;
+}
+
/* Set the execution context to the default for the specified user */
void
ssh_selinux_setup_exec_context(char *pwname)
@@ -109,6 +164,24 @@ ssh_selinux_setup_exec_context(char *pwn
if (!ssh_selinux_enabled())
return;
+ if (options.use_pam) {
+ /* do not compute context, just setup environment for pam_selinux */
+ if (ssh_selinux_setup_pam_variables()) {
+ switch (security_getenforce()) {
+ case -1:
+ fatal("%s: security_getenforce() failed", __func__);
+ case 0:
+ error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.",
+ __func__);
+ break;
+ default:
+ fatal("%s: SELinux PAM variable setup failure. Aborting connection.",
+ __func__);
+ }
+ }
+ return;
+ }
+
debug3("%s: setting execution context", __func__);
user_ctx = ssh_selinux_getctxbyname(pwname);
@@ -206,21 +279,6 @@ ssh_selinux_change_context(const char *n
xfree(newctx);
}
-void
-ssh_selinux_setfscreatecon(const char *path)
-{
- security_context_t context;
-
- if (!ssh_selinux_enabled())
- return;
- if (path == NULL) {
- setfscreatecon(NULL);
- return;
- }
- if (matchpathcon(path, 0700, &context) == 0)
- setfscreatecon(context);
-}
-
#endif /* WITH_SELINUX */
#ifdef LINUX_OOM_ADJUST
diff -up openssh-5.8p1/openbsd-compat/port-linux_part_2.c.role openssh-5.8p1/openbsd-compat/port-linux_part_2.c
--- openssh-5.8p1/openbsd-compat/port-linux_part_2.c.role 2011-02-12 14:34:11.000000000 +0100
+++ openssh-5.8p1/openbsd-compat/port-linux_part_2.c 2011-02-12 14:34:11.000000000 +0100
@@ -0,0 +1,75 @@
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
+
+/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+ * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Linux-specific portability code - just SELinux support at present
+ */
+
+#include "includes.h"
+
+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
+#include <errno.h>
+#include <stdarg.h>
+#include <string.h>
+#include <stdio.h>
+
+#include "log.h"
+#include "xmalloc.h"
+#include "port-linux.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/get_context_list.h>
+
+/* Wrapper around is_selinux_enabled() to log its return value once only */
+int
+ssh_selinux_enabled(void)
+{
+ static int enabled = -1;
+
+ if (enabled == -1) {
+ enabled = (is_selinux_enabled() == 1);
+ debug("SELinux support %s", enabled ? "enabled" : "disabled");
+ }
+
+ return (enabled);
+}
+
+void
+ssh_selinux_setfscreatecon(const char *path)
+{
+ security_context_t context;
+
+ if (!ssh_selinux_enabled())
+ return;
+ if (path == NULL) {
+ setfscreatecon(NULL);
+ return;
+ }
+ if (matchpathcon(path, 0700, &context) == 0)
+ setfscreatecon(context);
+}
+
+#endif /* WITH_SELINUX */
+
+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */

12
openssh-5.8p1-selinux.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up openssh-5.8p1/openbsd-compat/port-linux.c.selinux openssh-5.8p1/openbsd-compat/port-linux.c
--- openssh-5.8p1/openbsd-compat/port-linux.c.selinux 2011-02-12 09:38:45.000000000 +0100
+++ openssh-5.8p1/openbsd-compat/port-linux.c 2011-02-12 09:39:10.000000000 +0100
@@ -213,7 +213,7 @@ ssh_selinux_setfscreatecon(const char *p
if (!ssh_selinux_enabled())
return;
- if (path == NULL)
+ if (path == NULL) {
setfscreatecon(NULL);
return;
}

201
openssh-5.2p1-vendor.patch → openssh-5.8p1-vendor.patch
View File

@ -1,7 +1,7 @@
diff -up openssh-5.2p1/configure.ac.vendor openssh-5.2p1/configure.ac diff -up openssh-5.8p1/configure.ac.vendor openssh-5.8p1/configure.ac
--- openssh-5.2p1/configure.ac.vendor 2008-07-23 14:13:22.000000000 +0200 --- openssh-5.8p1/configure.ac.vendor 2011-02-04 01:42:14.000000000 +0100
+++ openssh-5.2p1/configure.ac 2008-07-23 14:13:22.000000000 +0200 +++ openssh-5.8p1/configure.ac 2011-02-09 22:39:55.000000000 +0100
@@ -3890,6 +3890,12 @@ AC_ARG_WITH(lastlog, @@ -4097,6 +4097,12 @@ AC_ARG_WITH(lastlog,
fi fi
] ]
) )
@ -14,7 +14,7 @@ diff -up openssh-5.2p1/configure.ac.vendor openssh-5.2p1/configure.ac
dnl lastlog, [uw]tmpx? detection dnl lastlog, [uw]tmpx? detection
dnl NOTE: set the paths in the platform section to avoid the dnl NOTE: set the paths in the platform section to avoid the
@@ -4146,6 +4152,7 @@ echo " IP address in \$DISPLAY hac @@ -4327,6 +4333,7 @@ echo " IP address in \$DISPLAY hac
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo " BSD Auth support: $BSD_AUTH_MSG" echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG" echo " Random number source: $RAND_MSG"
@ -22,10 +22,94 @@ diff -up openssh-5.2p1/configure.ac.vendor openssh-5.2p1/configure.ac
if test ! -z "$USE_RAND_HELPER" ; then if test ! -z "$USE_RAND_HELPER" ; then
echo " ssh-rand-helper collects from: $RAND_HELPER_MSG" echo " ssh-rand-helper collects from: $RAND_HELPER_MSG"
fi fi
diff -up openssh-5.2p1/sshd_config.5.vendor openssh-5.2p1/sshd_config.5 diff -up openssh-5.8p1/servconf.c.vendor openssh-5.8p1/servconf.c
--- openssh-5.2p1/sshd_config.5.vendor 2008-07-23 14:13:22.000000000 +0200 --- openssh-5.8p1/servconf.c.vendor 2010-11-20 05:19:38.000000000 +0100
+++ openssh-5.2p1/sshd_config.5 2008-07-23 14:19:23.000000000 +0200 +++ openssh-5.8p1/servconf.c 2011-02-09 22:41:32.000000000 +0100
@@ -812,6 +812,14 @@ This option applies to protocol version @@ -123,6 +123,7 @@ initialize_server_options(ServerOptions
options->max_authtries = -1;
options->max_sessions = -1;
options->banner = NULL;
+ options->show_patchlevel = -1;
options->use_dns = -1;
options->client_alive_interval = -1;
options->client_alive_count_max = -1;
@@ -281,7 +282,9 @@ fill_default_server_options(ServerOption
options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1)
options->ip_qos_bulk = IPTOS_THROUGHPUT;
-
+ if (options->show_patchlevel == -1)
+ options->show_patchlevel = 0;
+
/* Turn privilege separation on by default */
if (use_privsep == -1)
use_privsep = 1;
@@ -319,7 +322,7 @@ typedef enum {
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
sMaxStartups, sMaxAuthTries, sMaxSessions,
- sBanner, sUseDNS, sHostbasedAuthentication,
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
@@ -432,6 +435,7 @@ static struct {
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
{ "banner", sBanner, SSHCFG_ALL },
+ { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1086,6 +1090,10 @@ process_server_config_line(ServerOptions
intptr = &use_privsep;
goto parse_flag;
+ case sShowPatchLevel:
+ intptr = &options->show_patchlevel;
+ goto parse_flag;
+
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS)
@@ -1726,6 +1734,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseLogin, o->use_login);
dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
diff -up openssh-5.8p1/servconf.h.vendor openssh-5.8p1/servconf.h
--- openssh-5.8p1/servconf.h.vendor 2010-11-20 05:19:38.000000000 +0100
+++ openssh-5.8p1/servconf.h 2011-02-09 22:39:55.000000000 +0100
@@ -134,6 +134,7 @@ typedef struct {
int max_authtries;
int max_sessions;
char *banner; /* SSH-2 banner message */
+ int show_patchlevel; /* Show vendor patch level to clients */
int use_dns;
int client_alive_interval; /*
* poke the client this often to
diff -up openssh-5.8p1/sshd_config.0.vendor openssh-5.8p1/sshd_config.0
--- openssh-5.8p1/sshd_config.0.vendor 2011-02-09 22:39:54.000000000 +0100
+++ openssh-5.8p1/sshd_config.0 2011-02-09 22:39:55.000000000 +0100
@@ -535,6 +535,11 @@ DESCRIPTION
Defines the number of bits in the ephemeral protocol version 1
server key. The minimum value is 512, and the default is 1024.
+ ShowPatchLevel
+ Specifies whether sshd will display the specific patch level of
+ the binary in the server identification string. The patch level
+ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^].
+
StrictModes
Specifies whether sshd(8) should check file modes and ownership
of the user's files and home directory before accepting login.
diff -up openssh-5.8p1/sshd_config.5.vendor openssh-5.8p1/sshd_config.5
--- openssh-5.8p1/sshd_config.5.vendor 2011-02-09 22:39:54.000000000 +0100
+++ openssh-5.8p1/sshd_config.5 2011-02-09 22:39:55.000000000 +0100
@@ -931,6 +931,14 @@ This option applies to protocol version
.It Cm ServerKeyBits .It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key. Defines the number of bits in the ephemeral protocol version 1 server key.
The minimum value is 512, and the default is 1024. The minimum value is 512, and the default is 1024.
@ -40,92 +124,9 @@ diff -up openssh-5.2p1/sshd_config.5.vendor openssh-5.2p1/sshd_config.5
.It Cm StrictModes .It Cm StrictModes
Specifies whether Specifies whether
.Xr sshd 8 .Xr sshd 8
diff -up openssh-5.2p1/servconf.h.vendor openssh-5.2p1/servconf.h diff -up openssh-5.8p1/sshd_config.vendor openssh-5.8p1/sshd_config
--- openssh-5.2p1/servconf.h.vendor 2008-06-10 15:01:51.000000000 +0200 --- openssh-5.8p1/sshd_config.vendor 2011-02-09 22:39:54.000000000 +0100
+++ openssh-5.2p1/servconf.h 2008-07-23 14:13:22.000000000 +0200 +++ openssh-5.8p1/sshd_config 2011-02-09 22:39:55.000000000 +0100
@@ -126,6 +126,7 @@ typedef struct {
int max_authtries;
int max_sessions;
char *banner; /* SSH-2 banner message */
+ int show_patchlevel; /* Show vendor patch level to clients */
int use_dns;
int client_alive_interval; /*
* poke the client this often to
diff -up openssh-5.2p1/servconf.c.vendor openssh-5.2p1/servconf.c
--- openssh-5.2p1/servconf.c.vendor 2008-07-04 05:51:12.000000000 +0200
+++ openssh-5.2p1/servconf.c 2008-07-23 14:32:27.000000000 +0200
@@ -117,6 +117,7 @@ initialize_server_options(ServerOptions
options->max_authtries = -1;
options->max_sessions = -1;
options->banner = NULL;
+ options->show_patchlevel = -1;
options->use_dns = -1;
options->client_alive_interval = -1;
options->client_alive_count_max = -1;
@@ -262,6 +263,9 @@ fill_default_server_options(ServerOption
if (options->zero_knowledge_password_authentication == -1)
options->zero_knowledge_password_authentication = 0;
+ if (options->show_patchlevel == -1)
+ options->show_patchlevel = 0;
+
/* Turn privilege separation on by default */
if (use_privsep == -1)
use_privsep = 1;
@@ -299,7 +303,7 @@ typedef enum {
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
sMaxStartups, sMaxAuthTries, sMaxSessions,
- sBanner, sUseDNS, sHostbasedAuthentication,
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
@@ -410,6 +414,7 @@ static struct {
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
{ "banner", sBanner, SSHCFG_ALL },
+ { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1033,6 +1038,10 @@ process_server_config_line(ServerOptions
intptr = &use_privsep;
goto parse_flag;
+ case sShowPatchLevel:
+ intptr = &options->show_patchlevel;
+ goto parse_flag;
+
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS)
@@ -1613,6 +1622,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseLogin, o->use_login);
dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
diff -up openssh-5.2p1/sshd_config.0.vendor openssh-5.2p1/sshd_config.0
--- openssh-5.2p1/sshd_config.0.vendor 2008-07-23 14:13:22.000000000 +0200
+++ openssh-5.2p1/sshd_config.0 2008-07-23 14:13:22.000000000 +0200
@@ -466,6 +466,11 @@ DESCRIPTION
Defines the number of bits in the ephemeral protocol version 1
server key. The minimum value is 512, and the default is 1024.
+ ShowPatchLevel
+ Specifies whether sshd will display the specific patch level of
+ the binary in the server identification string. The patch level
+ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^].
+
StrictModes
Specifies whether sshd(8) should check file modes and ownership
of the user's files and home directory before accepting login.
diff -up openssh-5.2p1/sshd_config.vendor openssh-5.2p1/sshd_config
--- openssh-5.2p1/sshd_config.vendor 2008-07-23 14:13:22.000000000 +0200
+++ openssh-5.2p1/sshd_config 2008-07-23 14:13:22.000000000 +0200
@@ -112,6 +112,7 @@ X11Forwarding yes @@ -112,6 +112,7 @@ X11Forwarding yes
#Compression delayed #Compression delayed
#ClientAliveInterval 0 #ClientAliveInterval 0
@ -134,10 +135,10 @@ diff -up openssh-5.2p1/sshd_config.vendor openssh-5.2p1/sshd_config
#UseDNS yes #UseDNS yes
#PidFile /var/run/sshd.pid #PidFile /var/run/sshd.pid
#MaxStartups 10 #MaxStartups 10
diff -up openssh-5.2p1/sshd.c.vendor openssh-5.2p1/sshd.c diff -up openssh-5.8p1/sshd.c.vendor openssh-5.8p1/sshd.c
--- openssh-5.2p1/sshd.c.vendor 2008-07-11 09:36:49.000000000 +0200 --- openssh-5.8p1/sshd.c.vendor 2011-02-09 22:39:55.000000000 +0100
+++ openssh-5.2p1/sshd.c 2008-07-23 14:35:43.000000000 +0200 +++ openssh-5.8p1/sshd.c 2011-02-09 22:39:55.000000000 +0100
@@ -416,7 +416,7 @@ sshd_exchange_identification(int sock_in @@ -419,7 +419,7 @@ sshd_exchange_identification(int sock_in
minor = PROTOCOL_MINOR_1; minor = PROTOCOL_MINOR_1;
} }
snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
@ -146,7 +147,7 @@ diff -up openssh-5.2p1/sshd.c.vendor openssh-5.2p1/sshd.c
server_version_string = xstrdup(buf); server_version_string = xstrdup(buf);
/* Send our protocol version identification. */ /* Send our protocol version identification. */
@@ -1484,7 +1484,8 @@ main(int ac, char **av) @@ -1550,7 +1550,8 @@ main(int ac, char **av)
exit(1); exit(1);
} }

148
openssh.spec
View File

@ -70,10 +70,10 @@
%endif %endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 5.6p1 %define openssh_ver 5.8p1
%define openssh_rel 30 %define openssh_rel 1
%define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_ver 0.9.2
%define pam_ssh_agent_rel 29 %define pam_ssh_agent_rel 30
Summary: An open source implementation of SSH protocol versions 1 and 2 Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh Name: openssh
@ -96,49 +96,54 @@ Source5: pam_ssh_agent-rmheaders
Patch100: openssh-5.6p1-wIm.patch Patch100: openssh-5.6p1-wIm.patch
Patch0: openssh-5.6p1-redhat.patch Patch0: openssh-5.6p1-redhat.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch1: openssh-5.6p1-audit.patch Patch2: openssh-5.8p1-audit2.patch
Patch2: openssh-5.6p1-audit1a.patch Patch3: openssh-5.8p1-audit3.patch
Patch3: openssh-5.6p1-audit2.patch Patch4: openssh-5.8p1-audit4.patch
Patch4: openssh-5.6p1-audit3.patch Patch5: openssh-5.8p1-audit5.patch
Patch104: openssh-5.6p1-audit4.patch
Patch105: openssh-5.6p1-audit5.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 #https://bugzilla.mindrot.org/show_bug.cgi?id=1640
Patch5: openssh-5.2p1-vendor.patch Patch9: openssh-5.8p1-vendor.patch
# --- pam_ssh-agent ---
Patch10: pam_ssh_agent_auth-0.9-build.patch Patch10: pam_ssh_agent_auth-0.9-build.patch
Patch11: pam_ssh_agent_auth-0.9.2-seteuid.patch Patch11: pam_ssh_agent_auth-0.9.2-seteuid.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Patch12: openssh-5.4p1-selinux.patch
Patch13: openssh-5.6p1-mls.patch
Patch18: openssh-5.4p1-pam_selinux.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1663 #https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Patch20: openssh-5.6p1-authorized-keys-command.patch Patch20: openssh-5.8p1-authorized-keys-command.patch
Patch21: openssh-5.6p1-ldap.patch Patch21: openssh-5.6p1-ldap.patch
#?mail-conf
Patch22: openssh-5.8p1-selinux.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Patch23: openssh-5.8p1-selinux-role.patch
#?
Patch24: openssh-5.8p1-mls.patch
# #https://bugzilla.mindrot.org/show_bug.cgi?id=1614
# Patch25: openssh-5.6p1-selabel.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1668 #https://bugzilla.mindrot.org/show_bug.cgi?id=1668
Patch23: openssh-5.6p1-keygen.patch Patch30: openssh-5.6p1-keygen.patch
Patch24: openssh-4.3p1-fromto-remote.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1636
Patch27: openssh-5.1p1-log-in-chroot.patch
Patch30: openssh-5.6p1-exit-deadlock.patch
Patch35: openssh-5.1p1-askpass-progress.patch
Patch38: openssh-4.3p2-askpass-grab-info.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1644 #https://bugzilla.mindrot.org/show_bug.cgi?id=1644
Patch44: openssh-5.2p1-allow-ip-opts.patch Patch31: openssh-5.2p1-allow-ip-opts.patch
Patch49: openssh-4.3p2-gssapi-canohost.patch
Patch62: openssh-5.1p1-scp-manpage.patch
Patch65: openssh-5.6p1-fips.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1614
Patch69: openssh-5.6p1-selabel.patch
Patch71: openssh-5.2p1-edns.patch
Patch73: openssh-5.6p1-gsskex.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1701 #https://bugzilla.mindrot.org/show_bug.cgi?id=1701
Patch74: openssh-5.3p1-randclean.patch Patch32: openssh-5.8p1-randclean.patch
# #https://bugzilla.mindrot.org/show_bug.cgi?id=1636
# Patch33: openssh-5.1p1-log-in-chroot.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780 #https://bugzilla.mindrot.org/show_bug.cgi?id=1780
Patch78: openssh-5.6p1-kuserok.patch Patch34: openssh-5.8p1-kuserok.patch
Patch79: openssh-5.5p1-x11.patch #?
#https://bugzilla.mindrot.org/show_bug.cgi?id=1817 Patch50: openssh-5.8p1-fips.patch
Patch80: openssh-5.6p1-biguid.patch #?
#https://bugzilla.mindrot.org/show_bug.cgi?id=1842 Patch51: openssh-5.5p1-x11.patch
Patch81: openssh-5.6p1-clientloop.patch #?
Patch52: openssh-5.6p1-exit-deadlock.patch
#?
Patch53: openssh-5.1p1-askpass-progress.patch
#?
Patch54: openssh-4.3p2-askpass-grab-info.patch
#?
Patch56: openssh-5.2p1-edns.patch
#?
Patch57: openssh-5.1p1-scp-manpage.patch
#http://www.sxw.org.uk/computing/patches/openssh.html
Patch60: openssh-5.8p1-gsskex.patch
#?
Patch61: openssh-5.8p1-gssapi-canohost.patch
License: BSD License: BSD
Group: Applications/Internet Group: Applications/Internet
@ -278,14 +283,11 @@ The module is most useful for su and sudo service stacks.
#Do not enable by default #Do not enable by default
###%patch100 -p1 -b .wIm ###%patch100 -p1 -b .wIm
%patch0 -p1 -b .redhat %patch0 -p1 -b .redhat
%patch1 -p1 -b .audit %patch2 -p1 -b .audit2
%patch2 -p1 -b .audit1a %patch3 -p1 -b .audit3
%patch3 -p1 -b .audit2 %patch4 -p1 -b .audit4
%patch4 -p1 -b .audit3 %patch5 -p1 -b .audit5
%patch104 -p1 -b .audit4 %patch9 -p1 -b .vendor
%patch105 -p1 -b .audit5
%patch5 -p1 -b .vendor
%if %{pam_ssh_agent} %if %{pam_ssh_agent}
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
%patch10 -p1 -b .psaa-build %patch10 -p1 -b .psaa-build
@ -294,34 +296,27 @@ pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
rm -f $(cat %{SOURCE5}) rm -f $(cat %{SOURCE5})
popd popd
%endif %endif
%if %{WITH_SELINUX}
#SELinux
%patch12 -p1 -b .selinux
%patch13 -p1 -b .mls
%patch18 -p1 -b .pam_selinux
%endif
%patch20 -p1 -b .akc %patch20 -p1 -b .akc
%patch21 -p1 -b .ldap %patch21 -p1 -b .ldap
%patch23 -p1 -b .keygen %if %{WITH_SELINUX}
%patch24 -p1 -b .fromto-remote #SELinux
%patch27 -p1 -b .log-chroot %patch22 -p1 -b .selinux
%patch30 -p1 -b .exit-deadlock %patch23 -p1 -b .role
%patch35 -p1 -b .progress %patch24 -p1 -b .mls
%patch38 -p1 -b .grab-info %endif
%patch44 -p1 -b .ip-opts %patch30 -p1 -b .keygen
%patch49 -p1 -b .canohost %patch31 -p1 -b .ip-opts
%patch62 -p1 -b .manpage %patch32 -p1 -b .randclean
%patch65 -p1 -b .fips %patch34 -p1 -b .kuserok
%patch69 -p1 -b .selabel %patch50 -p1 -b .fips
%patch71 -p1 -b .edns %patch51 -p1 -b .x11
%patch73 -p1 -b .gsskex %patch52 -p1 -b .exit-deadlock
%patch74 -p1 -b .randclean %patch53 -p1 -b .progress
%patch78 -p1 -b .kuserok %patch54 -p1 -b .grab-info
%patch79 -p1 -b .x11 %patch56 -p1 -b .edns
%patch80 -p1 -b .biguid %patch57 -p1 -b .manpage
%patch81 -p1 -b .clientloop %patch60 -p1 -b .gsskex
%patch61 -p1 -b .canohost
autoreconf autoreconf
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@ -339,9 +334,13 @@ CFLAGS="$CFLAGS -fPIC"
%else %else
CFLAGS="$CFLAGS -fpic" CFLAGS="$CFLAGS -fpic"
%endif %endif
export CFLAGS
SAVE_LDFLAGS="$LDFLAGS" SAVE_LDFLAGS="$LDFLAGS"
LDFLAGS="$LDFLAGS -pie -z relro -z now"; export LDFLAGS LDFLAGS="$LDFLAGS -pie -z relro -z now"
export CFLAGS
export LDFLAGS
%endif %endif
%if %{kerberos5} %if %{kerberos5}
if test -r /etc/profile.d/krb5-devel.sh ; then if test -r /etc/profile.d/krb5-devel.sh ; then
@ -603,6 +602,9 @@ fi
%endif %endif
%changelog %changelog
* Mon Feb 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-1 + 0.9.2-30
- bump openssh version to 5.8p1
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.6p1-30.1 * Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.6p1-30.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

2
sources
View File

@ -1,2 +1,2 @@
acf3e8e40ca5c8b7174202dbe4c4e76b openssh-5.6p1-noacss.tar.bz2 9ada688cb55f609e7b360177f25e89bd openssh-5.8p1-noacss.tar.bz2
b68f1c385d7885fbe2c3626bf77aa3d6 pam_ssh_agent_auth-0.9.2.tar.bz2 b68f1c385d7885fbe2c3626bf77aa3d6 pam_ssh_agent_auth-0.9.2.tar.bz2